diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 00000000..a1b4ba12
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,65 @@
+---
+name: Molecule
+on:
+ - push
+ - pull_request
+
+env:
+ CI: true
+
+defaults:
+ run:
+ working-directory: 'constructorfleet.ansible-common'
+
+jobs:
+ lint:
+ name: Lint
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out the codebase.
+ uses: actions/checkout@v2
+ with:
+ path: 'constructorfleet.ansible-common'
+
+ - name: Set up Python 3.
+ uses: actions/setup-python@v2
+ with:
+ python-version: '3.8'
+
+ - name: Install test dependencies.
+ run: pip3 install yamllint
+
+ - name: Lint code.
+ run: |
+ yamllint -f parsable .
+
+ molecule:
+ name: Molecule
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ distro:
+ - centos7
+ - centos8
+# - ubuntu2004
+# - ubuntu1804
+ steps:
+ - name: Check out the codebase.
+ uses: actions/checkout@v2
+ with:
+ path: 'constructorfleet.ansible-common'
+
+ - name: Set up Python 3.
+ uses: actions/setup-python@v2
+ with:
+ python-version: '3.8'
+
+ - name: Install test dependencies.
+ run: python -m pip install ansible==5.1.0 "molecule[docker]" docker
+
+ - name: Run Molecule tests.
+ run: python -m molecule test
+ env:
+ PY_COLORS: '1'
+ ANSIBLE_FORCE_COLOR: '1'
+ MOLECULE_DISTRO: ${{ matrix.distro }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 00000000..ebb2023b
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,18 @@
+name: Publish Role to Ansible Galaxy
+on:
+ release:
+ types: [ created ]
+jobs:
+ publish:
+ name: Publish to Ansible Galaxy
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - uses: actions/checkout@v2
+ - name: Publish Ansible role to Galaxy
+ uses: robertdebock/galaxy-action@1.2.0
+ with:
+ galaxy_api_key: ${{ secrets.GALAXY_API_TOKEN }}
+
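Review bot: Every third-party step in both jobs is pinned to a mutable tag (`actions/checkout@v2`, `actions/setup-python@v2`) and the test tooling is installed unpinned (`pip3 install yamllint`, `python -m pip install ansible==5.1.0 "molecule[docker]" docker`), so a re-pointed tag or a new molecule/docker release changes what runs in CI without any change in this repository. Pin the actions to full commit SHAs and pin `molecule` and `docker` to exact versions the way `ansible` already is. The workflow also declares no `permissions:` block, so the default token scope applies to jobs that only need to read the checkout; add a top-level `permissions: contents: read`. Note that `on: [push, pull_request]` runs both jobs twice for pull requests opened from branches in this repository.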
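Review bot: `packages: write` in the job's `permissions:` block grants a scope nothing in the job uses — the only steps are a checkout and the Galaxy push, which authenticates with `secrets.GALAXY_API_TOKEN` rather than the GitHub token — so the block should shrink to `contents: read`. That Galaxy token is handed to a third-party action pinned to a mutable tag, `robertdebock/galaxy-action@1.2.0`; pinning to the release's commit SHA ensures a re-pointed tag cannot receive the secret. Also note that the `release: types: [ created ]` trigger fires only when a GitHub release is created, not when a tag is pushed, so tags produced by tag-on-merge.yml will not start this workflow unless a release is created for them — confirm that is the intended flow.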
diff --git a/.github/workflows/tag-on-merge.yml b/.github/workflows/tag-on-merge.yml new file mode 100644 index 00000000..27ac7d0c --- /dev/null +++ b/.github/workflows/tag-on-merge.yml @@ -0,0 +1,24 @@ +name: Tag on Merge + +on: + push: + branches: [ main ] + +env: + CI: true + +jobs: + tag: + name: Tag Role + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v2 + with: + path: "${{ github.repository }}" + - name: Bump version and push tag + uses: anothrNick/github-tag-action@1.36.0 + env: + GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} + WITH_V: true + DEFAULT_BUMP: minor diff --git a/.gitignore b/.gitignore new file mode 100644 index 00000000..4e0bbdfa --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +venv/ +.idea/ diff --git a/.yamllint b/.yamllint new file mode 100644 index 00000000..f4dc4c5e --- /dev/null +++ b/.yamllint @@ -0,0 +1,38 @@ +--- +extends: default + +ignore: | + .github/ + venv/ + +rules: + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + colons: + max-spaces-after: -1 + level: error + commas: + max-spaces-after: -1 + level: error + comments: enable + comments-indentation: enable + document-start: enable + empty-lines: + max: 1 + level: error + hyphens: + level: error + indentation: + spaces: 2 + key-duplicates: enable + line-length: disable + new-line-at-end-of-file: enable + new-lines: + type: unix + trailing-spaces: enable + truthy: + check-keys: false diff --git a/README.md b/README.md index de1b3bd8..69665527 100644 --- a/README.md +++ b/README.md @@ -16,12 +16,10 @@ Deploy common configurations and packages to servers. - ## Requirements N/A - ## Role Variables #### defaults/main.yml @@ -88,7 +86,7 @@ N/A ``` - name: Deploy common server configurations hosts: all - become: True + become: true remote_user: root tasks: - include_role: diff --git a/common.yml b/common.yml index d650ab69..ddada869 100755 --- a/common.yml +++ b/common.yml 
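Review bot: The tag step gives `anothrNick/github-tag-action@1.36.0` a custom secret (`GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}`) while the job declares no `permissions:` block, so the built-in token keeps its default scope and `GH_TOKEN` — presumably a personal access token — carries whatever scope it was created with. If a PAT is needed so the pushed tag can trigger other workflows, scope it to this repository with contents write only, add `permissions: contents: write` to the job so the default token is restricted regardless, and pin the action to a commit SHA rather than the mutable `1.36.0` tag. Separately, `actions/checkout` is given `path: "${{ github.repository }}"`, which places the clone in a nested `owner/repo` directory, while the tag action appears to operate on the workspace root — confirm it finds the repository there.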
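Review bot: `ignore: .github/` in the new `.yamllint` excludes the three workflow files added in this commit from the `yamllint -f parsable .` run in ci.yml, so the workflows are never linted. If the exclusion exists only because the `on:` key trips the truthy rule, `truthy: check-keys: false` already handles that and the `.github/` entry can be dropped, leaving `venv/` as the only ignore.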
@@ -1,8 +1,9 @@ --- + - name: Deploy common server configurations hosts: all remote_user: root - gather_facts: yes + gather_facts: true tasks: - import_role: diff --git a/defaults/main.yml b/defaults/main.yml index e0f9c7ba..72485e5a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,4 +1,5 @@ --- + consoletty: serialtty: @@ -7,7 +8,7 @@ timezone: UTC ssh_users: {} ssh_groups: {} -common_enable_cockpit: False +common_enable_cockpit: false common_pkgs: [] diff --git a/fix-centos-user.yml b/fix-centos-user.yml index d332aab8..653c91b1 100644 --- a/fix-centos-user.yml +++ b/fix-centos-user.yml @@ -1,7 +1,9 @@ +--- + - name: fix root hosts: all remote_user: centos - become: True + become: true tasks: - import_role: name: common diff --git a/fix-ubuntu-user.yml b/fix-ubuntu-user.yml index 49908771..0e7e23a3 100644 --- a/fix-ubuntu-user.yml +++ b/fix-ubuntu-user.yml @@ -1,7 +1,9 @@ +--- + - name: fix root hosts: all remote_user: ubuntu - become: True + become: true tasks: - import_role: name: common diff --git a/handlers/main.yml b/handlers/main.yml index c4926481..3a4fda86 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,8 +1,9 @@ --- + - name: "restart_sshd" set_fact: - sshd_require_restart: True + sshd_require_restart: true - name: "update_grub_config" set_fact: - grub_require_rebuild: True + grub_require_rebuild: true diff --git a/meta/main.yml b/meta/main.yml index 645bf82f..463c39fb 100644 --- a/meta/main.yml +++ b/meta/main.yml 
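Review bot: This commit introduces two new role variables — `configure_ssh` (read in tasks/main.yml as `configure_ssh | default(True)`) and `host_is_container` (read in tasks/hostfile.yml) — but defaults/main.yml gains neither, and the README hunk in this commit does not touch the variable section for them. Declare `configure_ssh: true` and `host_is_container: false` here with a one-line comment each (the first switches off the whole SSH/root-user configuration, the second skips writing /etc/hosts) so users can discover them without reading the task files. The bare `consoletty:` and `serialtty:` values on the context lines parse as null; if empty is intended, `''` or `null` says so explicitly.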
@@ -1,43 +1,14 @@ galaxy_info: author: Alan Janis description: Deploy Common server configurations and packages + role_name: common + namespace: constructorfleet + issue_tracker_url: https://github.com/constructorfleet/ansible-common/issue/tracker - # If the issue tracker for your role is not on github, uncomment the - # next line and provide a value - # issue_tracker_url: http://example.com/issue/tracker - - # Choose a valid license ID from https://spdx.org - some suggested licenses: - # - BSD-3-Clause (default) - # - MIT - # - GPL-2.0-or-later - # - GPL-3.0-only - # - Apache-2.0 - # - CC-BY-4.0 license: MIT min_ansible_version: 2.9 - # If this a Container Enabled role, provide the minimum Ansible Container version. - # min_ansible_container_version: - - # - # Provide a list of supported platforms, and for each platform a list of versions. - # If you don't wish to enumerate all versions for a particular platform, use 'all'. - # To view available platforms and versions (or releases), visit: - # https://galaxy.ansible.com/api/v1/platforms/ - # - # platforms: - # - name: Fedora - # versions: - # - all - # - 25 - # - name: SomePlatform - # versions: - # - all - # - 1.0 - # - 7 - # - 99.99 - platforms: - name: Ubuntu versions: @@ -47,14 +18,8 @@ galaxy_info: galaxy_tags: - common - - wwt - # List tags for your role here, one per line. A tag is a keyword that describes - # and categorizes the role. Users find roles by searching for tags. Be sure to - # remove the '[]' above, if you add tags to this list. - # - # NOTE: A tag is limited to a single word comprised of alphanumeric characters. - # Maximum 20 tags per role. + - ssh + - serial-over-lan + - cockpit dependencies: [] - # List your role dependencies here, one per line. Be sure to remove the '[]' above, - # if you add dependencies to this list. diff --git a/molecule/default/INSTALL.rst b/molecule/default/INSTALL.rst new file mode 100644 index 00000000..d926ca25 --- /dev/null +++ b/molecule/default/INSTALL.rst 
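Review bot: The new `issue_tracker_url: https://github.com/constructorfleet/ansible-common/issue/tracker` looks like the Galaxy skeleton's placeholder path (`/issue/tracker`) with only the host swapped; GitHub issue trackers live under `/issues`, so this should presumably be `https://github.com/constructorfleet/ansible-common/issues` — verify against the repository. The context line `min_ansible_version: 2.9` is an unquoted float; quoting it (`'2.9'`) avoids a future `2.10` collapsing to `2.1`.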
@@ -0,0 +1,22 @@
+*******
+Docker driver installation guide
+*******
+
+Requirements
+============
+
+* Docker Engine
+
+Install
+=======
+
+Please refer to the `Virtual environment`_ documentation for installation best
+practices. If not using a virtual environment, please consider passing the
+widely recommended `'--user' flag`_ when invoking ``pip``.
+
+.. _Virtual environment: https://virtualenv.pypa.io/en/latest/
+.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
+
+.. code-block:: bash
+
+ $ python3 -m pip install 'molecule[docker]'
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
new file mode 100644
index 00000000..582684d9
--- /dev/null
+++ b/molecule/default/converge.yml
@@ -0,0 +1,46 @@
+---
+- name: Converge
+ hosts: all
+ vars:
+ configure_ssh: false
+ storage_backend: NONE
+ host_is_container: true
+ enable_mdns_reflection: true
+ common_enable_cockpit: true
+ pre_tasks:
+ - name: Update apt cache.
+ ansible.builtin.apt:
+ update_cache: true
+ cache_valid_time: 600
+ when: ansible_os_family == 'Debian'
+
+ - name: Ensure Firewalld is installed.
+ ansible.builtin.package:
+ name: firewalld
+ state: present
+ when: ansible_os_family == 'RedHat'
+
+ - name: Wait for systemd to complete initialization. # noqa 303
+ ansible.builtin.command: systemctl is-system-running
+ register: systemctl_status
+ until: >
+ 'running' in systemctl_status.stdout or
+ 'degraded' in systemctl_status.stdout
+ retries: 30
+ delay: 5
+ when: ansible_service_mgr == 'systemd'
+ changed_when: false
+ failed_when: systemctl_status.rc > 1
+
+ - name: 'Restarting firewalld'
+ ansible.builtin.systemd:
+ name: firewalld
+ state: started
+ enabled: true
+ daemon_reload: true
+ when: ansible_os_family == 'RedHat'
+
+ tasks:
+ - name: Run common role
+ ansible.builtin.include_role:
+ name: constructorfleet.common
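Review bot: The converge play sets `configure_ssh: false`, so the Molecule scenario never exercises tasks/ssh.yml — the part of the role that templates sshd_config, regenerates root's authorized_keys and sets the root password — which leaves the most security-sensitive tasks with no CI coverage while verify.yml only checks services and the Cockpit port. If sshd cannot run in the test container, consider a second scenario (or a matrix variable) that enables it with throwaway `ssh_users` and `root_password` values so at least the templating and file modes are verified. Minor: the task named `'Restarting firewalld'` actually ensures `state: started` and `enabled: true`; a name such as `Ensure firewalld is started and enabled` would make the log match the action.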
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
new file mode 100644
index 00000000..900825ef
--- /dev/null
+++ b/molecule/default/molecule.yml
@@ -0,0 +1,31 @@
+---
+
+dependency:
+ name: galaxy
+ options:
+ ignore-certs: true
+ ignore-errors: true
+ role-file: molecule/default/requirements.yml
+driver:
+ name: docker
+platforms:
+ - name: "${MOLECULE_DISTRO:-centos7}"
+ image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
+ command: ${MOLECULE_DOCKER_COMMAND:-""}
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:ro
+ privileged: true
+ pre_build_image: true
+provisioner:
+ name: ansible
+ playbooks:
+ converge: ${MOLECULE_PLAYBOOK:-converge.yml}
+ options:
+ vvv: true
+verifier:
+ name: ansible
+ options:
+ vvv: true
+ inventory:
+ all:
+ ceph: []
diff --git a/molecule/default/old.Dockerfile.j2 b/molecule/default/old.Dockerfile.j2
new file mode 100644
index 00000000..be65ecb3
--- /dev/null
+++ b/molecule/default/old.Dockerfile.j2
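Review bot: `ignore-certs: true` under `dependency.options` makes the Galaxy download driven by `molecule/default/requirements.yml` skip TLS certificate verification, and `ignore-errors: true` lets a failed or missing collection install pass silently, so a run can proceed with an unverified or absent `ansible.posix` and fail later in a less obvious place. Neither option is needed for galaxy.ansible.com; drop both and let a dependency failure fail the scenario. `privileged: true` with the read-only cgroup mount is the usual systemd-in-container setup for the `geerlingguy/docker-*-ansible` images and is acceptable for a throwaway test container.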
@@ -0,0 +1,14 @@ +# Molecule managed + +{% if item.registry is defined %} +FROM {{ item.registry.url }}/{{ item.image }} +{% else %} +FROM {{ item.image }} +{% endif %} + +RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean ; \ + elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash && dnf clean all ; \ + elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all ; \ + elif [ $(command -v zypper) ]; ten zypper refresh && zypper install -y python sudo bash python-xml && zypper clean -a ; \ + elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates openssh-server ; \ + elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates && xbps-remove -O ; fi \ No newline at end of file diff --git a/molecule/default/requirements.yml b/molecule/default/requirements.yml new file mode 100644 index 00000000..aca7cd60 --- /dev/null +++ b/molecule/default/requirements.yml @@ -0,0 +1,7 @@ +--- + +roles: [] + +collections: + - name: ansible.posix + version: 1.3.0 diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml new file mode 100644 index 00000000..a6659d7a --- /dev/null +++ b/molecule/default/verify.yml 
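Review bot: The zypper branch of the `RUN` line reads `elif [ $(command -v zypper) ]; ten zypper refresh && ...` — `ten` is a typo for `then`, which is a shell syntax error that breaks the whole `RUN` step on every image, not only SUSE ones, because the shell parses the full `if` chain before executing any branch. Since `pre_build_image: true` in molecule.yml and the `old.` prefix suggest this template is no longer used, either fix it (`then zypper refresh`) or remove the file rather than ship a build template that cannot run. The file also ends without a trailing newline.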
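Review bot: `collections:` lists only `ansible.posix`, but the role now calls `community.general.timezone` in tasks/main.yml, so a controller that installs just this requirements file cannot resolve that module; the CI run only works because the `ansible==5.1.0` package bundles community.general. Add `- name: community.general` with a pinned version next to `ansible.posix`, and mirror both in a top-level requirements file or the README so consumers of the role know what to install.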
@@ -0,0 +1,38 @@ +--- + +- name: Verify + hosts: all + tasks: + - name: Create list of services to verify + ansible.builtin.set_fact: + services_to_verify: | + {%- set ns = namespace(services=[]) -%} + {%- if autoupdate_services is defined and autoupdate_services is sequence -%} + {%- set ns.services = ns.services + ([autoupdate_services] | flatten) -%} + {%- endif -%} + {%- if common_enable_cockpit is defined and common_enable_cockpit is true -%} + {%- set ns.services = ns.services + ([common_cockpit_service] | flatten) -%} + {%- endif -%} + {%- if enable_mdns_reflection | default(False) -%} + {%- set ns.services = ns.services + ['avahi-daemon.service'] -%} + {%- endif -%} + {{ ns.services }} + + - name: Get Systemd status + ansible.builtin.service_facts: + register: service_facts + + - name: Assert services are running + ansible.builtin.assert: + that: + - "{{ (service_facts.ansible_facts.services[service].state | default('error')) in ['running', 'started'] | default(False) }}" + success_msg: "Service {{ service }} is running" + fail_msg: "Service {{ service }} is not running: {{ service_facts | to_nice_yaml }}" + loop: '{{ services_to_verify }}' + loop_control: + loop_var: service + label: "{{ service }}" + + - name: Curl cockpit web ui + ansible.builtin.uri: + url: "http://localhost:9090" diff --git a/tasks/autoupdate.yml b/tasks/autoupdate.yml index c0079d76..3fa35c1a 100644 --- a/tasks/autoupdate.yml +++ b/tasks/autoupdate.yml @@ -1,9 +1,11 @@ --- + - name: "Common :: Disable Autoupdate Services" - service: + ansible.builtin.service: name: "{{ item }}" state: stopped - enabled: no + enabled: false loop: "{{ autoupdate_services }}" + ignore_errors: true when: - autoupdate_services is defined diff --git a/tasks/cloud_init.yml b/tasks/cloud_init.yml index 7a9b6908..0c8c08e4 100644 --- a/tasks/cloud_init.yml +++ b/tasks/cloud_init.yml 
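Review bot: The assertion `- "{{ (service_facts.ansible_facts.services[service].state | default('error')) in ['running', 'started'] | default(False) }}"` has two problems: wrapping the whole condition in `{{ }}` makes Ansible template it to a string and evaluate that again (the "conditional statements should not include jinja2 templating delimiters" warning), and the trailing `| default(False)` binds to the list literal rather than to the `in` test, so it is a no-op. Write it as a bare expression: `- "(service_facts.ansible_facts.services[service].state | default('error')) in ['running', 'started']"`. Also `services_to_verify` is built with a `|` block scalar, so the fact is a string that merely looks like a list and `loop: '{{ services_to_verify }}'` relies on Ansible's string-to-list conversion; building the list in a Jinja expression that returns it directly, or appending `| from_yaml` at the loop, is safer across Ansible versions.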
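Review bot: The added `ignore_errors: true` on `Common :: Disable Autoupdate Services` hides every failure of the stop/disable, including a real inability to stop an autoupdate service on a host where it exists — the very control this task is meant to enforce — and it also masks typos in `autoupdate_services`. If the intent is only to tolerate services that are not installed on a given distro, register the result and fail on anything else, e.g. `register: autoupdate_result` with `failed_when: autoupdate_result.failed and 'Could not find the requested service' not in (autoupdate_result.msg | default(''))`, or gate the loop on the entries present in `ansible_facts.services`. The task's `when:` list continues past the end of this hunk.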
@@ -1,10 +1,11 @@ --- + - name: Remove cloud-init config directory - file: + ansible.builtin.file: path: /etc/cloud state: absent - name: Remove cloud-init package if present - package: + ansible.builtin.package: name: cloud-init state: absent diff --git a/tasks/cockpit.yml b/tasks/cockpit.yml index fc1a2c8f..8e59ae4e 100644 --- a/tasks/cockpit.yml +++ b/tasks/cockpit.yml @@ -1,26 +1,28 @@ +--- -- name: "Configure Selinux and firewall rules for Cockpit [RedHat/CentOS]" - block: - - name: Disable SELinux - selinux: - state: "{{ common_selinux_state }}" - - name: Configure Firewalld allowed ports - firewalld: - service: "{{ item }}" - permanent: yes - immediate: yes - state: enabled - loop: "{{ common_cockpit_allowed_ports }}" - when: ansible_os_family == "RedHat" - +- name: Disable SELinux + ansible.posix.selinux: + state: "{{ common_selinux_state }}" + when: + - "'/etc/selinux/config' is exists" + - ansible_os_family == "RedHat" - name: Install cockpit packages - package: + ansible.builtin.package: name: "{{ common_cockpit_pkgs }}" state: present +- name: Configure Firewalld allowed ports + ansible.posix.firewalld: + service: "{{ item }}" + permanent: true + immediate: true + state: enabled + loop: "{{ common_cockpit_allowed_ports }}" + when: ansible_os_family == "RedHat" + - name: Enable and start cockpit service - service: + ansible.builtin.service: name: "{{ common_cockpit_service }}" state: started - enabled: True + enabled: true diff --git a/tasks/fix-login.yml b/tasks/fix-login.yml index 53f9241d..068ac034 100644 --- a/tasks/fix-login.yml +++ b/tasks/fix-login.yml @@ -1,12 +1,14 @@ --- + - name: fix root ssh login - replace: + ansible.builtin.replace: path: /root/.ssh/authorized_keys regexp: '^.*((?=ssh-rsa))' replace: '\1' - backup: yes + backup: true + - name: fix root ssh login - replace: + ansible.builtin.replace: path: /root/.ssh/authorized_keys regexp: '^no-port-forwarding.*$' - backup: yes + backup: true 
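Review bot: The new SELinux guard `- "'/etc/selinux/config' is exists"` runs the Ansible `exists` test on the control node, not on the managed host, so whether SELinux gets configured depends on the machine running the playbook rather than on the target — in the Molecule container it will silently take the wrong branch in either direction. Test the target instead, either with an `ansible.builtin.stat` task registered before this one, or with the gathered fact: `- ansible_selinux.status | default('disabled') != 'disabled'`. The task is also still named `Disable SELinux` while it applies whatever `common_selinux_state` holds; a name like `Set SELinux state` would match the behaviour.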
diff --git a/tasks/hostfile.yml b/tasks/hostfile.yml index 05840e04..ead60b5a 100644 --- a/tasks/hostfile.yml +++ b/tasks/hostfile.yml @@ -1,10 +1,12 @@ +--- + - name: "Gather facts for all ceph nodes" - setup: + ansible.builtin.setup: gather_subset: - network delegate_to: "{{ item }}" - delegate_facts: True - loop: "{{ groups['ceph'] }}" + delegate_facts: true + loop: "{{ groups['ceph'] | default([]) }}" run_once: true when: - ansible_lsb.id != "Raspbian" @@ -13,22 +15,24 @@ - hostvars[item]['ansible_default_ipv4'] is not defined - name: "Gather facts for all NFS Servers" - setup: + ansible.builtin.setup: gather_subset: - network delegate_to: "{{ item }}" - delegate_facts: True + delegate_facts: true run_once: true - loop: "{{ groups['nfsservers'] }}" + loop: "{{ groups['nfsservers'] | default([]) }}" when: - shared_storage is defined and shared_storage - storage_backend is defined and storage_backend == "nfs" - hostvars[item]['ansible_default_ipv4'] is not defined - name: Generate /etc/hosts template - template: + ansible.builtin.template: src: hostfile.j2 dest: /etc/hosts mode: 0755 owner: root group: root + when: + - host_is_container | default(False) is false diff --git a/tasks/main.yml b/tasks/main.yml index 4aaec9f3..c8705dd2 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,5 +1,7 @@ +--- + - name: include os specific vars - include_vars: "{{ item }}" + ansible.builtin.include_vars: "{{ item }}" with_first_found: - "{{ ansible_distribution }}{{ ansible_distribution_major_version }}.yml" - "{{ ansible_distribution }}.yml" 
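Review bot: The new guard `- host_is_container | default(False) is false` depends on the Jinja `false` test, which was added in Jinja 2.11, so it fails on controllers with an older Jinja; `- not (host_is_container | default(false))` expresses the same condition and works everywhere. While here, the `/etc/hosts` template on the context lines is written with `mode: 0755` — an unquoted octal literal that also sets execute bits on a plain data file; `mode: '0644'` is the conventional value. The `groups['ceph'] | default([])` and `groups['nfsservers'] | default([])` fallbacks are a good fix for inventories without those groups.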
@@ -8,50 +10,52 @@ - always - name: "Install common system packages and python dependencies" - import_tasks: packages.yml + ansible.builtin.import_tasks: packages.yml tags: - common-packages - name: "Configure SSHd and root user" - import_tasks: ssh.yml + ansible.builtin.import_tasks: ssh.yml tags: - common-sshd + when: + - configure_ssh | default(True) - name: "Configure /etc/hosts" - import_tasks: hostfile.yml + ansible.builtin.import_tasks: hostfile.yml tags: - common-hostfile - name: "Configure system autoupdate parameters" - import_tasks: autoupdate.yml + ansible.builtin.import_tasks: autoupdate.yml tags: - common-autoupdate - name: "Remove cloud-init packages and config files" - import_tasks: cloud_init.yml + ansible.builtin.import_tasks: cloud_init.yml tags: - common-cloudinit - name: "Configure Local Users and Groups" - import_tasks: users.yml + ansible.builtin.import_tasks: users.yml when: not openldap_client_enable|default(false) tags: - common-users - name: "Configure Sudoers" - import_tasks: sudo.yml + ansible.builtin.import_tasks: sudo.yml tags: - common-sudoers - name: "Configure MDNS reflection / Avahi" - import_tasks: mdns_reflection.yml + ansible.builtin.import_tasks: mdns_reflection.yml when: - enable_mdns_reflection | default(False) tags: - common-mdns - name: "Configure Serial-over-LAN [Ubuntu]" - import_tasks: ubuntu-sol.yml + ansible.builtin.import_tasks: ubuntu-sol.yml when: - ansible_os_family == "Debian" - ansible_virtualization_role != "guest" @@ -61,7 +65,7 @@ - common-sol - name: "Configure Serial-over-LAN [RHEL/CentOS]" - import_tasks: redhat-sol.yml + ansible.builtin.import_tasks: redhat-sol.yml when: - ansible_os_family == "RedHat" - ansible_virtualization_role != "guest" 
@@ -71,19 +75,19 @@ - common-sol - name: "Configure Timezone Info" - timezone: + community.general.timezone: name: "{{ timezone }}" tags: - common-timezone - name: "Install Cockpit" - import_tasks: cockpit.yml + ansible.builtin.import_tasks: cockpit.yml tags: - common-cockpit - when: common_enable_cockpit|default(False) + when: common_enable_cockpit | default(False) - name: "Reboot host if grub config was updated" - reboot: + ansible.builtin.reboot: when: grub_require_rebuild | default(false) tags: - common-sol diff --git a/tasks/mdns_reflection.yml b/tasks/mdns_reflection.yml index 8968e446..12ec4149 100644 --- a/tasks/mdns_reflection.yml +++ b/tasks/mdns_reflection.yml @@ -1,14 +1,14 @@ --- - name: Install Avahi-Daemon package - package: + ansible.builtin.package: name: "{{ common_mdns_pkgs }}" state: present when: - enable_mdns_reflection | default(False) - name: Template Avahi-Daemon configuration - template: + ansible.builtin.template: dest: /etc/avahi/avahi-daemon.conf src: avahi-daemon.conf.j2 owner: root @@ -19,7 +19,7 @@ - enable_mdns_reflection | default(False) - name: Reload Avahi-Daemon configuration on change - systemd: + ansible.builtin.systemd: name: avahi-daemon.service state: restarted when: diff --git a/tasks/packages.yml b/tasks/packages.yml index eedafd94..65959771 100644 --- a/tasks/packages.yml +++ b/tasks/packages.yml @@ -1,5 +1,7 @@ +--- + - name: Install common packages - package: + ansible.builtin.package: name: '{{ common_pkgs }}' state: present when: @@ -7,7 +9,7 @@ - common_pkgs != None - name: "Uninstall any unwanted packages managed via OS package-manager" - package: + ansible.builtin.package: name: '{{ common_uninstall_pkgs }}' state: absent when: @@ -15,7 +17,7 @@ - common_uninstall_pkgs != None - name: "Install python requirements via Pip" - pip: + ansible.builtin.pip: name: "{{ common_python_pkgs }}" state: present when: diff --git a/tasks/redhat-sol.yml b/tasks/redhat-sol.yml index 8cd22f74..b96a7c6f 100644 
--- a/tasks/redhat-sol.yml +++ b/tasks/redhat-sol.yml @@ -1,25 +1,25 @@ --- + - name: Update GRUB_CMDLINE_LINUX - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/grub state: present regexp: '^GRUB_CMDLINE_LINUX="((?!.*(console={{ serialtty }},[0-9]+n8))(.*)?)"$' line: 'GRUB_CMDLINE_LINUX="\1 console={{ serialtty }},115200n8"' - backrefs: yes + backrefs: true notify: "update_grub_config" - - name: Update GRUB_CMDLINE_LINUX - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/grub state: present regexp: '^GRUB_CMDLINE_LINUX="((?!.*(console={{ consoletty }}))(.*)?)"$' line: 'GRUB_CMDLINE_LINUX="\1 console={{ consoletty }}"' - backrefs: yes + backrefs: true notify: "update_grub_config" - name: Update GRUB_TERMINAL - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/grub state: present regexp: '^GRUB_TERMINAL=.*' @@ -27,7 +27,7 @@ notify: "update_grub_config" - name: Update GRUB_SERIAL_COMMAND - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/grub state: present regexp: '^GRUB_SERIAL_COMMAND=.*' @@ -37,5 +37,5 @@ - meta: flush_handlers - name: Rebuild Grub Config - command: "{{ grub_update_cmd }} -o {{ grub_config }}" + ansible.builtin.command: "{{ grub_update_cmd }} -o {{ grub_config }}" when: grub_require_rebuild | default(false) diff --git a/tasks/ssh.yml b/tasks/ssh.yml index d3769747..6f2cc267 100644 --- a/tasks/ssh.yml +++ b/tasks/ssh.yml @@ -1,6 +1,7 @@ --- + - name: create /var/run/sshd - file: + ansible.builtin.file: state: directory path: /var/run/sshd mode: 0755 @@ -8,7 +9,7 @@ - ansible_os_family == "Debian" - name: Copy sshd_config Template - template: + ansible.builtin.template: src: sshd_config.j2 dest: /etc/ssh/sshd_config owner: root 
@@ -19,33 +20,33 @@ - meta: flush_handlers - name: Restart ssh server - service: + ansible.builtin.service: name: "{{ ssh_service }}" state: restarted - enabled: yes + enabled: true register: ssh_started when: sshd_require_restart | default(false) - name: Verify the sshd service is listening - wait_for: + ansible.builtin.wait_for: host: localhost port: 22 delay: 5 when: ssh_started is changed - ignore_errors: yes + ignore_errors: true register: ssh_start_attempt - name: Get ssh journald logs if service does not appear to be up - shell: journalctl _SYSTEMD_INVOCATION_ID=`systemctl show -p InvocationID --value {{ ssh_service }}.service` + ansible.builtin.shell: journalctl _SYSTEMD_INVOCATION_ID=`systemctl show -p InvocationID --value {{ ssh_service }}.service` register: ssh_journal when: ssh_start_attempt.failed | default(false) -- fail: +- ansible.builtin.fail: msg: "{{ ssh_journal.stdout_lines }}" when: ssh_start_attempt.failed | default(false) - name: Ensure root .ssh directory exists - file: + ansible.builtin.file: path: /root/.ssh state: directory owner: root @@ -53,19 +54,19 @@ mode: 0700 - name: Generate root authorized_keys file - template: + ansible.builtin.template: src: root_authorized_keys.j2 dest: /root/.ssh/authorized_keys owner: root group: root mode: 0600 - backup: yes + backup: true when: - ssh_users is defined - ssh_users|length > 0 - name: Change root password - user: + ansible.builtin.user: name: root password: "{{ root_password | password_hash(salt=root_password_salt) }}" update_password: always diff --git a/tasks/sudo.yml b/tasks/sudo.yml index 14a32373..79d3a718 100644 --- a/tasks/sudo.yml +++ b/tasks/sudo.yml @@ -1,9 +1,10 @@ --- + - name: "Allow passwordless sudo for 'admin' group" - lineinfile: + ansible.builtin.lineinfile: path: /etc/sudoers regexp: '^%admin.*$' line: '%admin ALL=(ALL) NOPASSWD:ALL' state: present - backup: yes + backup: true validate: 'visudo -cf %s' 
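Review bot: `Verify the sshd service is listening` waits on a hard-coded `port: 22` while the daemon's configuration comes from the `sshd_config.j2` template written earlier in this file; if that template ever sets a non-default `Port`, the check times out, `ssh_start_attempt.failed` becomes true and the play fails even though sshd is up. Read the port from whatever variable the template uses, e.g. `port: "{{ ssh_port | default(22) }}"` (constructed name — match it to the template). The backtick substitution is the only reason the journal lookup needs `ansible.builtin.shell`; `ansible.builtin.command` with `journalctl -u {{ ssh_service }}.service -n 50` would be shell-free at the cost of showing the unit's recent log rather than only the last invocation. The `Change root password` task's `when:` continues outside this hunk, so its guard is not visible here.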
diff --git a/tasks/ubuntu-sol.yml b/tasks/ubuntu-sol.yml index 421cbb3d..2a956f65 100755 --- a/tasks/ubuntu-sol.yml +++ b/tasks/ubuntu-sol.yml @@ -1,6 +1,7 @@ --- + - name: Update GRUB_CMDLINE_LINUX - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/grub state: present regexp: '^GRUB_CMDLINE_LINUX=.*' @@ -8,7 +9,7 @@ notify: "update_grub_config" - name: Update GRUB_TERMINAL - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/grub state: present regexp: '^GRUB_TERMINAL=.*' @@ -16,7 +17,7 @@ notify: "update_grub_config" - name: Update GRUB_SERIAL_COMMAND - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/grub state: present regexp: '^GRUB_SERIAL_COMMAND=.*' @@ -26,5 +27,5 @@ - meta: flush_handlers - name: Rebuild Grub Config - command: "{{ grub_update_cmd }} -o {{ grub_config }}" + ansible.builtin.command: "{{ grub_update_cmd }} -o {{ grub_config }}" when: grub_require_rebuild | default(false) diff --git a/tasks/users.yml b/tasks/users.yml index bee5acd0..a70102a8 100644 --- a/tasks/users.yml +++ b/tasks/users.yml @@ -1,5 +1,7 @@ +--- + - name: Create local user groups - group: + ansible.builtin.group: name: "{{ item.key }}" gid: "{{ item.value.gid | default(omit) }}" state: present @@ -9,8 +11,9 @@ when: - ssh_groups is defined - ssh_groups != None + - name: Create local user accounts - user: + ansible.builtin.user: name: "{{ item.key }}" shell: "{{ item.value.shell | default(omit) }}" group: "{{ item.value.gid | default(omit) }}" @@ -32,7 +35,7 @@ - ssh_users != None - name: Add user authorized keys - authorized_key: + ansible.posix.authorized_key: user: "{{ item.key }}" state: present key: "{{ item.value.pubkey }}" diff --git a/test.yml b/test.yml index e526f6d7..785fc342 100644 --- a/test.yml +++ b/test.yml @@ -1,4 +1,5 @@ --- + - hosts: localhost connection: local roles: diff --git a/tests/test.yml b/tests/test.yml index 31cf1ac3..35372a3a 100644 --- a/tests/test.yml +++ b/tests/test.yml 
@@ -1,4 +1,5 @@ --- + - hosts: localhost remote_user: root roles: diff --git a/vars/CentOS7.yml b/vars/CentOS7.yml index e01650ff..3b29129c 100644 --- a/vars/CentOS7.yml +++ b/vars/CentOS7.yml @@ -1,28 +1,27 @@ --- + common_pkgs: - ipmitool - freeipmi - zsh - screen + - firewalld - vim-enhanced - - python2-pip - python3-pip - sudo - tzdata -common_python_pkgs: +common_python_pkgs: [] grub_config: /boot/grub2/grub.cfg grub_update_cmd: /usr/sbin/grub2-mkconfig ssh_service: sshd - common_cockpit_pkgs: - cockpit - cockpit-composer - cockpit-doc - - cockpit-session-recording - cockpit-bridge - cockpit-dashboard - cockpit-packagekit diff --git a/vars/CentOS8.yml b/vars/CentOS8.yml index e429a79d..3fcb2e52 100644 --- a/vars/CentOS8.yml +++ b/vars/CentOS8.yml @@ -1,30 +1,29 @@ --- + common_pkgs: - ipmitool - freeipmi - zsh + - firewalld - screen - vim-enhanced - - python2-pip - python3-pip - sudo - tzdata -common_python_pkgs: +common_python_pkgs: [] grub_config: /boot/grub2/grub.cfg grub_update_cmd: /usr/sbin/grub2-mkconfig ssh_service: sshd - common_cockpit_pkgs: - cockpit - cockpit-composer - cockpit-doc - cockpit-session-recording - cockpit-bridge - - cockpit-dashboard - cockpit-packagekit - cockpit-podman - cockpit-machines diff --git a/vars/Debian.yml b/vars/Debian.yml index 907002ee..9658a5e8 100644 --- a/vars/Debian.yml +++ b/vars/Debian.yml @@ -1,4 +1,5 @@ --- + common_pkgs: - screen - vim @@ -13,9 +14,7 @@ common_pkgs: - sudo - tzdata -common_uninstall_pkgs: -# - python-setuptools -# - python3-setuptools +common_uninstall_pkgs: [] common_python_pkgs: - setuptools diff --git a/vars/RedHat.yml b/vars/RedHat.yml index edeb0026..f8d64930 100644 --- a/vars/RedHat.yml +++ b/vars/RedHat.yml 
@@ -1,23 +1,22 @@ --- + common_pkgs: - ipmitool - freeipmi - zsh - screen - vim-enhanced - - python2-pip - python3-pip - sudo - tzdata -common_python_pkgs: +common_python_pkgs: [] grub_config: /boot/grub2/grub.cfg grub_update_cmd: /usr/sbin/grub2-mkconfig ssh_service: sshd - common_cockpit_pkgs: - cockpit - cockpit-composer diff --git a/vars/Ubuntu.yml b/vars/Ubuntu.yml index 907002ee..9658a5e8 100644 --- a/vars/Ubuntu.yml +++ b/vars/Ubuntu.yml @@ -1,4 +1,5 @@ --- + common_pkgs: - screen - vim @@ -13,9 +14,7 @@ common_pkgs: - sudo - tzdata -common_uninstall_pkgs: -# - python-setuptools -# - python3-setuptools +common_uninstall_pkgs: [] common_python_pkgs: - setuptools diff --git a/vars/Ubuntu20.yml b/vars/Ubuntu20.yml index 9493fb0b..2177dc2d 100644 --- a/vars/Ubuntu20.yml +++ b/vars/Ubuntu20.yml @@ -1,3 +1,5 @@ +--- + common_pkgs: - screen - vim @@ -13,9 +15,7 @@ common_pkgs: - python3-apt - apt-utils -common_uninstall_pkgs: -# - python-setuptools -# - python3-setuptools +common_uninstall_pkgs: [] common_python_pkgs: - setuptools