Fix some ansible-lint complaints.

This commit is contained in:
Andreas B. Mundt 2022-06-11 12:42:02 +02:00 committed by Andreas B. Mundt
parent c7030c9245
commit 2cf34e8e55
64 changed files with 357 additions and 297 deletions


@ -5,7 +5,7 @@
sudo cat /root/kadmin.pwd sudo cat /root/kadmin.pwd
## Then: ## Then:
cd /home/ansible/debian-lan/ cd /home/ansible/debian-lan/
ansible-playbook --ask-become-pass kerberox-client.yml ansible-playbook --ask-become-pass kerberox-client.yml
## Enter the 'BECOME' password and the kadmin password obtained above. ## Enter the 'BECOME' password and the kadmin password obtained above.


@ -4,12 +4,12 @@
- name: apply configuration to the cloudbox - name: apply configuration to the cloudbox
hosts: cloudboxes hosts: cloudboxes
remote_user: ansible remote_user: ansible
become: Yes become: true
vars: vars:
if_lan: "enp1s0" if_lan: "enp1s0"
ipaddr: "192.168.2.50/24" ipaddr: "192.168.2.50/24"
gateway: "192.168.2.1" gateway: "192.168.2.1"
DNS: "192.168.2.1" dns: "192.168.2.1"
ddns_domain: "something.ddnss.de" ddns_domain: "something.ddnss.de"
ddns_updkey: "138638.some.key.here.635620" ddns_updkey: "138638.some.key.here.635620"
## 'nc_download' and 'nc_checksum' are only ## 'nc_download' and 'nc_checksum' are only
@ -32,17 +32,16 @@
# - low-power # - low-power
- nextcloud - nextcloud
- nextcloud-upgrade - nextcloud-upgrade
- backup # - backup
## Hosts in the the 'only_nextcloud'-group are only upgraded:
## Hosts in the the 'only_nextcloud'-group are only upgraded:
- name: upgrade nextcloud only - name: upgrade nextcloud only
hosts: only_nextcloud hosts: only_nextcloud
remote_user: ansible remote_user: ansible
become: Yes become: true
vars: vars:
nc_dir: "/var/www/nextcloud" nc_dir: "/var/www/nextcloud"
nc_apps: nc_apps:
- calendar - calendar
- notes - notes
@ -51,4 +50,3 @@
roles: roles:
- up2date-debian - up2date-debian
- nextcloud-upgrade - nextcloud-upgrade
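Review bot: Commenting out `- backup` in the cloudbox role list (the new `# - backup` line) silently stops the backup role from running on cloudboxes, which is a functional change that a lint-fix commit does not announce; if it is intentional, a comment such as `## backup role intentionally disabled here` (or a sentence in the commit message) keeps the next reader from re-enabling it by accident. The `DNS` → `dns` rename of the play variable only works if every template or task that read `DNS` was updated in the same commit, which cannot be checked from this page. The play's `vars:` block continues outside the hunk.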


@ -23,7 +23,7 @@
- name: apply configuration to the edubox - name: apply configuration to the edubox
hosts: all # eduboxes hosts: all # eduboxes
remote_user: ansible remote_user: ansible
become: yes become: true
vars: vars:
contname: cont contname: cont
## User name for the user in the container: ## User name for the user in the container:
@ -52,19 +52,19 @@
- name: install apt-cacher-ng - name: install apt-cacher-ng
apt: apt:
name: apt-cacher-ng name: apt-cacher-ng
state: latest state: latest # noqa package-latest
- name: enable apt-cacher-ng - name: enable apt-cacher-ng
lineinfile: lineinfile:
path: /etc/apt/apt.conf.d/30proxy path: /etc/apt/apt.conf.d/30proxy
line: 'Acquire::http::Proxy "http://localhost:3142/";' line: 'Acquire::http::Proxy "http://localhost:3142/";'
create: yes create: true
- name: enable and start systemd-networkd on the host - name: enable and start systemd-networkd on the host
systemd: systemd:
name: systemd-networkd name: systemd-networkd
state: started state: started
enabled: yes enabled: true
roles: roles:
- up2date-debian - up2date-debian
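Review bot: The `lineinfile` task for `/etc/apt/apt.conf.d/30proxy` now says `create: true` but sets no `mode:`, so a freshly created file gets whatever the umask yields, and ansible-lint's risky-file-permissions rule is likely to keep flagging it, while the copy/template tasks elsewhere in this commit all gained an explicit mode. Adding `mode: "0644"` next to `create: true` closes that gap. The play continues outside the hunk.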


@ -1,4 +1,4 @@
allow_download: True allow_download: true
backup_dirs_extra: backup_dirs_extra:
- /home - /home
backup_opts_extra: "" backup_opts_extra: ""


@ -1 +1 @@
allow_download: True allow_download: true


@ -6,7 +6,7 @@
- name: apply configuration to the installbox - name: apply configuration to the installbox
hosts: all hosts: all
remote_user: ansible remote_user: ansible
become: yes become: true
vars: vars:
## This interface provides the default route: ## This interface provides the default route:


@ -4,7 +4,7 @@
- name: apply configuration to the machines - name: apply configuration to the machines
hosts: all hosts: all
remote_user: ansible remote_user: ansible
become: yes become: true
vars: vars:
extra_pkgs: extra_pkgs:
- webext-privacy-badger - webext-privacy-badger
@ -16,12 +16,12 @@
vars_prompt: vars_prompt:
- name: "kadmin_pwd" - name: "kadmin_pwd"
prompt: "Provide kadmin password to fetch kerberos keytab.\nLeave empty if done already" prompt: "Provide kadmin password to fetch kerberos keytab.\nLeave empty if done already"
private: yes private: true
roles: roles:
- up2date-debian - up2date-debian
- lan-client - lan-client
- kerberize - kerberize
## Choose either gnome or KDE: ## Choose either gnome or KDE:
#- gnome # - gnome
#- kde # - kde


@ -5,7 +5,7 @@
- name: apply configuration to the kerberox server - name: apply configuration to the kerberox server
hosts: all hosts: all
remote_user: ansible remote_user: ansible
become: yes become: true
vars: vars:
## This interface provides the default route: ## This interface provides the default route:
@ -34,7 +34,7 @@
In case you would like to prepare a test user 'foo' and have In case you would like to prepare a test user 'foo' and have
not done so yet, provide foo's password here. Leave empty to not done so yet, provide foo's password here. Leave empty to
just continue just continue
private: yes private: true
pre_tasks: pre_tasks:
@ -50,7 +50,9 @@
- netboot-installer - netboot-installer
- dnsmasq - dnsmasq
- apt-cacher - apt-cacher
- { role: krb5-kdc-ldap, when: not run_in_installer|default(false)|bool } - role: krb5-kdc-ldap
- { role: nfs-server, when: not run_in_installer|default(false)|bool } when: not run_in_installer|default(false)|bool
- role: nfs-server
when: not run_in_installer|default(false)|bool
- prepare4clients - prepare4clients
- kerberize - kerberize


@ -4,7 +4,7 @@
- name: apply configuration to the machines - name: apply configuration to the machines
hosts: all hosts: all
remote_user: ansible remote_user: ansible
become: yes become: true
vars: vars:
auto_user: debi auto_user: debi
wifi_ssid: "YOUR SSID HERE" wifi_ssid: "YOUR SSID HERE"
@ -18,5 +18,5 @@
- up2date-debian - up2date-debian
## Choose either gnome or KDE: ## Choose either gnome or KDE:
- gnome - gnome
#- kde # - kde
- kiosk - kiosk


@ -4,7 +4,7 @@
- name: apply a minimal configuration with kerberos LAN integration - name: apply a minimal configuration with kerberos LAN integration
hosts: all hosts: all
remote_user: ansible remote_user: ansible
become: yes become: true
roles: roles:
- up2date-debian - up2date-debian
- lan-client - lan-client


@ -4,6 +4,6 @@
- name: apply a minimal configuration to the machine - name: apply a minimal configuration to the machine
hosts: all hosts: all
remote_user: ansible remote_user: ansible
become: yes become: true
roles: roles:
- up2date-debian - up2date-debian


@ -1,17 +1,17 @@
- name: install apt-cacher-ng package - name: install apt-cacher-ng package
apt: apt:
name: apt-cacher-ng name: apt-cacher-ng
state: latest state: latest # noqa package-latest
- name: enable apt-cacher-ng for localhost - name: enable apt-cacher-ng for localhost
copy: copy:
src: apt.conf src: apt.conf
dest: /etc/apt/apt.conf dest: /etc/apt/apt.conf
force: no force: false
mode: 0644
notify: "start apt-cacher-ng" notify: "start apt-cacher-ng"
when: not run_in_installer|default(false)|bool ## do not enable apt-cacher during installation when: not run_in_installer|default(false)|bool ## do not enable apt-cacher during installation
- name: check if preseeded installer is available - name: check if preseeded installer is available
stat: path={{ tftp_root }}/d-i/{{ di_dist }}/preseed.cfg stat: path={{ tftp_root }}/d-i/{{ di_dist }}/preseed.cfg
register: preseedcfg register: preseedcfg
@ -27,8 +27,8 @@
firewalld: firewalld:
zone: internal zone: internal
port: 3142/tcp port: 3142/tcp
permanent: yes permanent: true
immediate: yes immediate: true
state: enabled state: enabled
when: not run_in_installer|default(false)|bool when: not run_in_installer|default(false)|bool
@ -36,5 +36,5 @@
command: "firewall-offline-cmd --zone=internal --add-port=3142/tcp" command: "firewall-offline-cmd --zone=internal --add-port=3142/tcp"
when: run_in_installer|default(false)|bool when: run_in_installer|default(false)|bool
- name: flush handler to make apt-cacher available
- meta: flush_handlers meta: flush_handlers
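Review bot: The new `mode: 0644` under the `copy` of `apt.conf` is an unquoted octal literal; Ansible's YAML 1.1 loader turns it into the integer 420, which the file modules accept, but a YAML 1.2 parser or any other tool reading these files takes it as decimal 644, so the portable spelling is `mode: "0644"`. The same applies to every `mode:` line this commit adds, and the rndc-key task in the dhcp/bind role and the wifi-config task in the kiosk role even replace the previously quoted `'0640'` and `'0600'` with bare numbers. The `stat: path={{ tftp_root }}/d-i/{{ di_dist }}/preseed.cfg` task below stays in free-form key=value style while the rest of the commit moves to block arguments.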


@ -2,5 +2,5 @@
systemd: systemd:
name: backup.timer name: backup.timer
state: started state: started
enabled: True enabled: true
listen: "enable backup.timer" listen: "enable backup.timer"


@ -1,7 +1,7 @@
- name: install borg - name: install borg
apt: apt:
name: borgbackup name: borgbackup
state: latest state: latest # noqa package-latest
- name: check if borg password is available - name: check if borg password is available
stat: path="{{ borg_pwd_file }}" stat: path="{{ borg_pwd_file }}"
@ -9,7 +9,7 @@
- name: dump borg password - name: dump borg password
shell: echo -n "{{ borg_pwd }}" > "{{ borg_pwd_file }}" ; chmod 0600 "{{ borg_pwd_file }}" shell: echo -n "{{ borg_pwd }}" > "{{ borg_pwd_file }}" ; chmod 0600 "{{ borg_pwd_file }}"
no_log: True no_log: true
when: not borg.stat.exists when: not borg.stat.exists
- name: provide backup script - name: provide backup script
@ -22,6 +22,7 @@
copy: copy:
src: "{{ item }}" src: "{{ item }}"
dest: "/etc/systemd/system/{{ item }}" dest: "/etc/systemd/system/{{ item }}"
mode: 0644
with_items: with_items:
- backup.service - backup.service
- backup.timer - backup.timer
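Review bot: The `dump borg password` task still pushes the secret through a shell: `echo -n "{{ borg_pwd }}" > "{{ borg_pwd_file }}" ; chmod 0600 ...` puts the password into the shell's argument list for the lifetime of that process and creates the file with the umask's permissions before the chmod tightens them; `no_log: true` only hides it from Ansible's own output. Writing the file with `copy` and `content:` sets the mode at creation and keeps the value out of any command line, with the same result (no trailing newline) as `echo -n`. The `when: not borg.stat.exists` guard stays as it is.
```yaml
- name: dump borg password
  copy:
    content: "{{ borg_pwd }}"
    dest: "{{ borg_pwd_file }}"
    mode: "0600"
  no_log: true
  when: not borg.stat.exists
```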


@ -2,6 +2,6 @@
systemd: systemd:
name: ddns-update.timer name: ddns-update.timer
state: restarted state: restarted
daemon_reload: yes daemon_reload: true
enabled: yes enabled: true
listen: "enable ddns-update timer" listen: "enable ddns-update timer"


@ -5,6 +5,7 @@
template: template:
src: ddns-update.conf.j2 src: ddns-update.conf.j2
dest: /etc/ddns-update/ddns-update.conf dest: /etc/ddns-update/ddns-update.conf
mode: 0644
- name: install ddns-update script - name: install ddns-update script
copy: copy:
@ -16,9 +17,11 @@
copy: copy:
src: ddns-update.service src: ddns-update.service
dest: /etc/systemd/system/ddns-update.service dest: /etc/systemd/system/ddns-update.service
mode: 0644
- name: install ddns-update.timer - name: install ddns-update.timer
copy: copy:
src: ddns-update.timer src: ddns-update.timer
dest: /etc/systemd/system/ddns-update.timer dest: /etc/systemd/system/ddns-update.timer
mode: 0644
notify: enable ddns-update timer notify: enable ddns-update timer


@ -12,7 +12,7 @@
- isc-dhcp-server - isc-dhcp-server
- tftpd-hpa - tftpd-hpa
- bind9 - bind9
state: latest state: latest # noqa package-latest
## FIXME: preseeding seems to be ignored ## FIXME: preseeding seems to be ignored
- name: configure TFTP root directory - name: configure TFTP root directory
@ -22,7 +22,7 @@
replace: 'TFTP_DIRECTORY="/var/lib/tftpboot"' replace: 'TFTP_DIRECTORY="/var/lib/tftpboot"'
notify: restart tftpd-hpa notify: restart tftpd-hpa
- name: serve dhcp on LAN interface - name: serve dhcp on LAN interface
replace: replace:
path: /etc/default/isc-dhcp-server path: /etc/default/isc-dhcp-server
regexp: '^INTERFACESv4=".*"$' regexp: '^INTERFACESv4=".*"$'
@ -33,13 +33,15 @@
template: template:
src: dhcpd.conf.j2 src: dhcpd.conf.j2
dest: /etc/dhcp/dhcpd.conf dest: /etc/dhcp/dhcpd.conf
backup: yes mode: 0644
backup: true
notify: restart isc-dhcp-server notify: restart isc-dhcp-server
- name: deploy config files for bind9 - name: deploy config files for bind9
template: template:
src: "{{ item }}.j2" src: "{{ item }}.j2"
dest: "/etc/bind/{{ item }}" dest: "/etc/bind/{{ item }}"
mode: 0644
loop: loop:
- db.intern - db.intern
- localzones - localzones
@ -49,6 +51,7 @@
template: template:
src: db.lan.j2 src: db.lan.j2
dest: "/etc/bind/db.{{ ipaddr_lan_threeoct }}" dest: "/etc/bind/db.{{ ipaddr_lan_threeoct }}"
mode: 0644
notify: restart bind notify: restart bind
- name: link zone files to writeable directory for DDNS - name: link zone files to writeable directory for DDNS
@ -71,6 +74,7 @@
template: template:
src: resolv.conf.j2 src: resolv.conf.j2
dest: /etc/resolv.conf dest: /etc/resolv.conf
mode: 0644
notify: restart isc-dhcp-server notify: restart isc-dhcp-server
## stop dhclient from overwriting /etc/resolv.conf: ## stop dhclient from overwriting /etc/resolv.conf:
@ -80,7 +84,7 @@
block: | block: |
supersede domain-search "{{ ansible_domain }}"; supersede domain-search "{{ ansible_domain }}";
supersede domain-name-servers 127.0.0.1; supersede domain-name-servers 127.0.0.1;
insertbefore: "#send dhcp-client-identifier.*" insertbefore: "#send dhcp-client-identifier.*"
notify: restart dhcp-client notify: restart dhcp-client
- name: generate rndc key - name: generate rndc key
@ -90,11 +94,10 @@
- name: copy rndc key - name: copy rndc key
copy: copy:
src: /etc/bind/rndc.key src: /etc/bind/rndc.key
dest: /etc/dhcp/ dest: /etc/dhcp/
owner: root owner: root
group: root group: root
mode: '0640' mode: 0640
remote_src: yes remote_src: true
notify: restart isc-dhcp-server notify: restart isc-dhcp-server


@ -56,7 +56,7 @@ subnet {{ ipaddr_lan | ipaddr("network") }} netmask {{ ipaddr_lan | ipaddr("netm
} }
# No service will be given on this subnet, but declaring it helps the # No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology. # DHCP server to understand the network topology.
#subnet 10.152.187.0 netmask 255.255.255.0 { #subnet 10.152.187.0 netmask 255.255.255.0 {


@ -7,16 +7,18 @@
name: name:
- dnsmasq - dnsmasq
- resolvconf - resolvconf
state: latest state: latest # noqa package-latest
- name: configure dnsmasq dhcp - name: configure dnsmasq dhcp
template: template:
src: dnsmasq-dhcp.j2 src: dnsmasq-dhcp.j2
dest: /etc/dnsmasq.d/dnsmasq-dhcp dest: /etc/dnsmasq.d/dnsmasq-dhcp
mode: 0644
notify: "restart dnsmasq" notify: "restart dnsmasq"
- name: configure dnsmasq tftp - name: configure dnsmasq tftp
template: template:
src: dnsmasq-tftp-netboot-installer.j2 src: dnsmasq-tftp-netboot-installer.j2
dest: /etc/dnsmasq.d/tftp-netboot-installer dest: /etc/dnsmasq.d/tftp-netboot-installer
mode: 0644
notify: "restart dnsmasq" notify: "restart dnsmasq"


@ -2,6 +2,6 @@
systemd: systemd:
name: systemd-nspawn@{{ contname }}{{ "%02d" | format(item|int) }}.service name: systemd-nspawn@{{ contname }}{{ "%02d" | format(item|int) }}.service
state: restarted state: restarted
enabled: yes enabled: true
loop: "{{ containers }}" loop: "{{ containers }}"
listen: enable and restart containers listen: enable and restart containers


@ -2,8 +2,8 @@
## ##
## Port mapping to the host: ## Port mapping to the host:
## ##
## container 0: ssh → host port 10000, HTTP → 10100 ## container 0: ssh → host port 10000, HTTP → 10100
## container 1: ssh → host port 10001, HTTP → 10101 ## container 1: ssh → host port 10001, HTTP → 10101
## ... ... ... ## ... ... ...
## ##
## User '{{ contuser }}' in the sudo group. Password is '{{ contpwd }}'. ## User '{{ contuser }}' in the sudo group. Password is '{{ contpwd }}'.


@ -5,7 +5,7 @@
name: name:
- systemd-container - systemd-container
- debootstrap - debootstrap
state: latest state: latest # noqa package-latest
- name: prepare machine directory - name: prepare machine directory
file: file:
@ -23,7 +23,7 @@
args: args:
chdir: /var/lib/machines/ chdir: /var/lib/machines/
creates: /var/lib/machines/{{ contname }}00 creates: /var/lib/machines/{{ contname }}00
environment: environment:
http_proxy: "{{ '' if run_in_installer|default(false) else 'http://localhost:3142' }}" http_proxy: "{{ '' if run_in_installer|default(false) else 'http://localhost:3142' }}"
notify: enable and restart containers notify: enable and restart containers
@ -31,7 +31,8 @@
copy: copy:
src: /etc/apt/sources.list src: /etc/apt/sources.list
dest: /var/lib/machines/{{ contname }}00/etc/apt/sources.list dest: /var/lib/machines/{{ contname }}00/etc/apt/sources.list
remote_src: yes mode: 0644
remote_src: true
- name: configure locale - name: configure locale
lineinfile: lineinfile:
@ -57,7 +58,7 @@
- name: provide {{ contuser }} user account - name: provide {{ contuser }} user account
command: command:
cmd: > cmd: >
chroot . sh -c '/usr/sbin/useradd -m -s /bin/bash chroot . sh -c '/usr/sbin/useradd -m -s /bin/bash
-c "User {{ contuser }},,," -G sudo {{ contuser }}' -c "User {{ contuser }},,," -G sudo {{ contuser }}'
args: args:
chdir: /var/lib/machines/{{ contname }}00 chdir: /var/lib/machines/{{ contname }}00
@ -89,6 +90,7 @@
file: file:
path: /var/lib/machines/{{ contname }}00/etc/systemd/system/{{ item }} path: /var/lib/machines/{{ contname }}00/etc/systemd/system/{{ item }}
state: directory state: directory
mode: 0755
loop: loop:
- multi-user.target.wants - multi-user.target.wants
- sockets.target.wants - sockets.target.wants
@ -100,13 +102,17 @@
src: /lib/systemd/system/{{ item.src }} src: /lib/systemd/system/{{ item.src }}
dest: /var/lib/machines/{{ contname }}00/etc/systemd/system/{{ item.dest }} dest: /var/lib/machines/{{ contname }}00/etc/systemd/system/{{ item.dest }}
state: link state: link
follow: False follow: false
force: yes force: true
loop: loop:
- { src: systemd-networkd.service, dest: dbus-org.freedesktop.network1.service } - src: systemd-networkd.service
- { src: systemd-networkd.service, dest: multi-user.target.wants/systemd-networkd.service } dest: dbus-org.freedesktop.network1.service
- { src: systemd-networkd.socket, dest: sockets.target.wants/systemd-networkd.socket } - src: systemd-networkd.service
- { src: systemd-networkd-wait-online.service, dest: network-online.target.wants/systemd-networkd-wait-online.service } dest: multi-user.target.wants/systemd-networkd.service
- src: systemd-networkd.socket
dest: sockets.target.wants/systemd-networkd.socket
- src: systemd-networkd-wait-online.service
dest: network-online.target.wants/systemd-networkd-wait-online.service
notify: enable and restart containers notify: enable and restart containers
- name: enable systemd-resolved in containers - name: enable systemd-resolved in containers
@ -114,11 +120,13 @@
src: /lib/systemd/system/{{ item.src }} src: /lib/systemd/system/{{ item.src }}
dest: /var/lib/machines/{{ contname }}00/etc/systemd/system/{{ item.dest }} dest: /var/lib/machines/{{ contname }}00/etc/systemd/system/{{ item.dest }}
state: link state: link
follow: False follow: false
force: yes force: true
loop: loop:
- { src: systemd-resolved.service, dest: dbus-org.freedesktop.resolve1.service } - src: systemd-resolved.service
- { src: systemd-resolved.service, dest: multi-user.target.wants/systemd-resolved.service } dest: dbus-org.freedesktop.resolve1.service
- src: systemd-resolved.service
dest: multi-user.target.wants/systemd-resolved.service
notify: enable and restart containers notify: enable and restart containers
######## ########
@ -126,7 +134,8 @@
copy: copy:
content: "# Avoid 'too many open files' error:" content: "# Avoid 'too many open files' error:"
dest: /etc/sysctl.d/inotify.conf dest: /etc/sysctl.d/inotify.conf
force: no mode: 0644
force: false
- name: fix too many open files error - name: fix too many open files error
sysctl: sysctl:
@ -146,11 +155,13 @@
file: file:
path: /etc/systemd/nspawn path: /etc/systemd/nspawn
state: directory state: directory
mode: 0755
- name: provide container configuration - name: provide container configuration
template: template:
src: contcfg.nspawn.j2 src: contcfg.nspawn.j2
dest: /etc/systemd/nspawn/{{ contname}}{{ "%02d" | format(item|int) }}.nspawn dest: /etc/systemd/nspawn/{{ contname }}{{ "%02d" | format(item|int) }}.nspawn
mode: 0644
loop: "{{ containers }}" loop: "{{ containers }}"
notify: enable and restart containers notify: enable and restart containers
@ -158,6 +169,7 @@
template: template:
src: hostname.j2 src: hostname.j2
dest: /var/lib/machines/{{ contname }}{{ "%02d" | format(item|int) }}.hostname dest: /var/lib/machines/{{ contname }}{{ "%02d" | format(item|int) }}.hostname
mode: 0644
loop: "{{ containers }}" loop: "{{ containers }}"
notify: enable and restart containers notify: enable and restart containers
@ -165,5 +177,6 @@
template: template:
src: hosts.j2 src: hosts.j2
dest: /var/lib/machines/{{ contname }}{{ "%02d" | format(item|int) }}.hosts dest: /var/lib/machines/{{ contname }}{{ "%02d" | format(item|int) }}.hosts
mode: 0644
loop: "{{ containers }}" loop: "{{ containers }}"
notify: enable and restart containers notify: enable and restart containers


@ -1,5 +1,5 @@
#- name: gnome hibernate by default # - name: gnome hibernate by default
# apt: name=gnome-shell-extension-suspend-button state=latest # apt: name=gnome-shell-extension-suspend-button state=latest # noqa package-latest
- name: gnome desktop - name: gnome desktop
apt: apt:
@ -8,24 +8,32 @@
- cups - cups
- ssh-askpass-gnome - ssh-askpass-gnome
- gnome-shell-extension-dashtodock - gnome-shell-extension-dashtodock
state: latest state: latest # noqa package-latest
- name: make sure /etc/dconf/profile/ exists - name: make sure /etc/dconf/profile/ exists
file: path=/etc/dconf/profile/ state=directory recurse=yes file:
path: /etc/dconf/profile/
state: directory
recurse: true
- name: prepare for gnome customized defaults - name: prepare for gnome customized defaults
copy: copy:
src: user src: user
dest: /etc/dconf/profile/user dest: /etc/dconf/profile/user
mode: 0644
notify: update dconf notify: update dconf
- name: make sure /etc/dconf/db/local.d/ exists - name: make sure /etc/dconf/db/local.d/ exists
file: path=/etc/dconf/db/local.d/ state=directory recurse=yes file:
path: /etc/dconf/db/local.d/
state: directory
recurse: true
- name: modify gnome defaults - name: modify gnome defaults
copy: copy:
src: defaults src: defaults
dest: /etc/dconf/db/local.d/defaults dest: /etc/dconf/db/local.d/defaults
mode: 0644
notify: update dconf notify: update dconf
## Bug #698504 ## Bug #698504
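Review bot: `recurse: true` on the two converted `file: state: directory` tasks (`/etc/dconf/profile/` and `/etc/dconf/db/local.d/`) plays no part in creating the directory — `state: directory` already creates missing parents — it only means that any `owner`/`group`/`mode` given to the task is re-applied to everything already inside the directory on every run. With no attributes set it is a no-op today, but as soon as someone satisfies the linter by adding `mode: 0755` here (as this commit does for `/etc/krb5kdc`) every existing file under the directory gets chmodded. Dropping `recurse: true` and adding `mode: "0755"` gives the intended result without that side effect.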


@ -4,9 +4,9 @@
- task-kde-desktop - task-kde-desktop
- sddm-theme-debian-breeze - sddm-theme-debian-breeze
- cups - cups
state: latest state: latest # noqa package-latest
## Bug #698504 ## Bug #698504
- name: allow print job management - name: allow print job management
replace: replace:


@ -5,26 +5,15 @@
- name: reload NetworkManager - name: reload NetworkManager
when: not run_in_installer|default(false)|bool when: not run_in_installer|default(false)|bool
systemd: systemd:
daemon_reload: yes daemon_reload: true
name: NetworkManager name: NetworkManager
state: reloaded state: reloaded
enabled: yes enabled: true
listen: reload NetworkManager listen: reload NetworkManager
# fails in installer with stretch, workaround below:
#- name: enable tmp.mount
# systemd:
# daemon_reload: yes
# name: tmp.mount
# enabled: yes
- name: make sure local-fs.target.wants exists
file: path=/etc/systemd/system/local-fs.target.wants/ state=directory
listen: enable tmp.mount
- name: enable tmp.mount - name: enable tmp.mount
file: systemd:
src: /etc/systemd/system/tmp.mount daemon_reload: true
dest: /etc/systemd/system/local-fs.target.wants/tmp.mount name: tmp.mount
state: link enabled: true
listen: enable tmp.mount listen: enable tmp.mount
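Review bot: The new `enable tmp.mount` handler (`systemd: name: tmp.mount enabled: true`) has no `when: not run_in_installer|default(false)|bool` guard, unlike the `reload NetworkManager` handler just above it, and the deleted lines carried the comment `# fails in installer with stretch, workaround below:` explaining why the symlink-based workaround existed. If that failure no longer applies, a one-line comment stating so next to the handler would document why the guard is unnecessary; if it still can run inside the installer, the handler needs the same `when:` as its neighbour.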


@ -9,37 +9,40 @@
## gdm3: ## gdm3:
- name: enable auto login in gdm3 - name: enable auto login in gdm3
when: gdm3.stat.exists == true
lineinfile: lineinfile:
dest: /etc/gdm3/daemon.conf dest: /etc/gdm3/daemon.conf
insertafter: '^#\s*AutomaticLoginEnable = true' insertafter: '^#\s*AutomaticLoginEnable = true'
line: 'AutomaticLoginEnable = true' line: 'AutomaticLoginEnable = true'
when: gdm3.stat.exists
- name: auto login user in gdm3 - name: auto login user in gdm3
when: gdm3.stat.exists == true
lineinfile: lineinfile:
dest: /etc/gdm3/daemon.conf dest: /etc/gdm3/daemon.conf
insertafter: '^#\s*AutomaticLogin = ' insertafter: '^#\s*AutomaticLogin = '
line: 'AutomaticLogin = {{ auto_user }}' line: 'AutomaticLogin = {{ auto_user }}'
when: gdm3.stat.exists
## sddm/KDE: ## sddm/KDE:
- name: enable auto login in sddm - name: enable auto login in sddm
when: sddm.stat.exists == true when: sddm.stat.exists
template: template:
src: sddm.conf.j2 src: sddm.conf.j2
dest: /etc/sddm.conf dest: /etc/sddm.conf
mode: 0644
- name: kde global defaults - name: kde global defaults
when: sddm.stat.exists == true when: sddm.stat.exists
copy: copy:
src: kde5rc src: kde5rc
dest: /etc/kde5rc dest: /etc/kde5rc
mode: 0644
- name: modify kde screen lock - name: modify kde screen lock
when: sddm.stat.exists == true when: sddm.stat.exists
copy: copy:
src: kscreenlockerrc src: kscreenlockerrc
dest: /etc/xdg/kscreenlockerrc dest: /etc/xdg/kscreenlockerrc
mode: 0644
######## ########
@ -49,7 +52,7 @@
dest: /etc/default/grub dest: /etc/default/grub
regexp: '^(GRUB_CMDLINE_LINUX=)""' regexp: '^(GRUB_CMDLINE_LINUX=)""'
line: '\1"video=SVIDEO-1:d"' line: '\1"video=SVIDEO-1:d"'
backrefs: yes backrefs: true
notify: update grub notify: update grub
- name: grub timeout - name: grub timeout
@ -57,7 +60,7 @@
dest: /etc/default/grub dest: /etc/default/grub
regexp: '^(GRUB_TIMEOUT=).*' regexp: '^(GRUB_TIMEOUT=).*'
line: '\g<1>1' line: '\g<1>1'
backrefs: yes backrefs: true
notify: update grub notify: update grub
- name: keyboard compose key - name: keyboard compose key
@ -65,7 +68,7 @@
dest: /etc/default/keyboard dest: /etc/default/keyboard
regexp: '^(XKBOPTIONS=).*' regexp: '^(XKBOPTIONS=).*'
line: '\1"compose:caps"' line: '\1"compose:caps"'
backrefs: yes backrefs: true
- name: hibernate when lid is closed - name: hibernate when lid is closed
lineinfile: lineinfile:
@ -74,9 +77,11 @@
line: 'HandleLidSwitch=hibernate' line: 'HandleLidSwitch=hibernate'
- name: tmp on tmpfs - name: tmp on tmpfs
shell: cp /usr/share/systemd/tmp.mount /etc/systemd/system/ copy:
args: src: /usr/share/systemd/tmp.mount
creates: /etc/systemd/system/tmp.mount dest: /etc/systemd/system/tmp.mount
mode: 0644
remote_src: true
notify: enable tmp.mount notify: enable tmp.mount
- name: mount tmpfs on /home/{{ auto_user }} - name: mount tmpfs on /home/{{ auto_user }}
@ -92,19 +97,19 @@
name: "{{ auto_user }}" name: "{{ auto_user }}"
comment: "Autologin Debian User,,," comment: "Autologin Debian User,,,"
shell: /bin/bash shell: /bin/bash
createhome: no createhome: false
password: '*' password: '*'
- name: check if NetworkManager is installed - name: check if NetworkManager is installed
stat: path=/etc/NetworkManager/system-connections stat: path=/etc/NetworkManager/system-connections
register: NetworkManager register: networkmanager
- name: add wifi config - name: add wifi config
when: NetworkManager.stat.exists == true
template: template:
src: wifi.j2 src: wifi.j2
dest: /etc/NetworkManager/system-connections/{{ wifi_ssid }} dest: /etc/NetworkManager/system-connections/{{ wifi_ssid }}
owner: root owner: root
group: root group: root
mode: '0600' mode: 0600
when: networkmanager.stat.exists
notify: reload NetworkManager notify: reload NetworkManager


@ -1,3 +1,3 @@
--- ---
dependencies: dependencies: # noqa meta-no-info
- role: ldap - role: ldap


@ -1,7 +1,8 @@
## Install and configure krb5-kdc-ldap (if not done yet), ## Install and configure krb5-kdc-ldap (if not done yet),
## run most tasks only on krb5-kdc-ldap installation. ## run most tasks only on krb5-kdc-ldap installation.
--- ---
- fail: msg="The machine's domain must not be empty." - name: check that domain name is available
fail: msg="The machine's domain must not be empty."
when: ansible_domain | length == 0 when: ansible_domain | length == 0
- name: check if krb5kdc is already there - name: check if krb5kdc is already there
@ -12,19 +13,26 @@
template: template:
src: krb5.conf.j2 src: krb5.conf.j2
dest: /etc/krb5.conf dest: /etc/krb5.conf
mode: 0644
- name: make sure krb5kdc exists - name: make sure krb5kdc exists
file: path=/etc/krb5kdc state=directory recurse=yes file:
path: /etc/krb5kdc
state: directory
recurse: true
mode: 0755
- name: prepare kdc.conf - name: prepare kdc.conf
template: template:
src: kdc.conf.j2 src: kdc.conf.j2
dest: /etc/krb5kdc/kdc.conf dest: /etc/krb5kdc/kdc.conf
mode: 0644
- name: prepare kadm5.acl - name: prepare kadm5.acl
template: template:
src: kadm5.acl.j2 src: kadm5.acl.j2
dest: /etc/krb5kdc/kadm5.acl dest: /etc/krb5kdc/kadm5.acl
mode: 0644
notify: "restart krb5-admin-server" notify: "restart krb5-admin-server"
- name: install krb5-kdc-ldap and krb5-admin-server - name: install krb5-kdc-ldap and krb5-admin-server
@ -32,7 +40,7 @@
name: name:
- krb5-kdc-ldap - krb5-kdc-ldap
- krb5-admin-server - krb5-admin-server
state: latest state: latest # noqa package-latest
- name: prepare kerberos.openldap.ldif - name: prepare kerberos.openldap.ldif
shell: gunzip -c /usr/share/doc/krb5-kdc-ldap/kerberos.openldap.ldif.gz > /etc/ldap/schema/kerberos.openldap.ldif shell: gunzip -c /usr/share/doc/krb5-kdc-ldap/kerberos.openldap.ldif.gz > /etc/ldap/schema/kerberos.openldap.ldif
@ -126,12 +134,12 @@
- "{1}uid=([^,]*),cn=gs2-iakerb,cn=auth uid=$1,ou=people,{{ basedn }}" - "{1}uid=([^,]*),cn=gs2-iakerb,cn=auth uid=$1,ou=people,{{ basedn }}"
state: exact state: exact
- name: prepare password for kdc - name: prepare password for kdc # noqa risky-shell-pipe
shell: echo "cn=kdc,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kdc_service_pwd }} | xxd -g0 -ps -c 256 | sed 's/0a$//')" > /etc/krb5kdc/service.keyfile shell: echo "cn=kdc,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kdc_service_pwd }} | xxd -g0 -ps -c 256 | sed 's/0a$//')" > /etc/krb5kdc/service.keyfile
no_log: true no_log: true
when: not krb5kdc.stat.exists when: not krb5kdc.stat.exists
- name: prepare password for kadmin - name: prepare password for kadmin # noqa risky-shell-pipe
shell: echo "cn=kadmin,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kadmin_service_pwd }} | xxd -g0 -ps -c 256 | sed 's/0a$//')" >> /etc/krb5kdc/service.keyfile shell: echo "cn=kadmin,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kadmin_service_pwd }} | xxd -g0 -ps -c 256 | sed 's/0a$//')" >> /etc/krb5kdc/service.keyfile
no_log: true no_log: true
when: not krb5kdc.stat.exists when: not krb5kdc.stat.exists
@ -196,7 +204,7 @@
replace: replace:
path: /etc/hosts path: /etc/hosts
regexp: "^({{ ipaddr_lan | ipaddr('address') }}\\s.+)$" regexp: "^({{ ipaddr_lan | ipaddr('address') }}\\s.+)$"
replace: '\1 kerberos' replace: '\1 kerberos'
when: not krb5kdc.stat.exists when: not krb5kdc.stat.exists
######################## ########################
@ -212,8 +220,8 @@
firewalld: firewalld:
zone: internal zone: internal
service: "{{ item }}" service: "{{ item }}"
permanent: yes permanent: true
immediate: yes immediate: true
state: enabled state: enabled
with_items: with_items:
- kerberos - kerberos
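Review bot: The `make sure krb5kdc exists` task now combines the existing `recurse: true` with the added `mode: 0755` and shows no `when:` guard in this hunk, so on every re-run the file module would apply 0755 to everything already inside `/etc/krb5kdc` — including `service.keyfile`, which the two `prepare password for ...` tasks below fill with the kdc and kadmin LDAP bind passwords — leaving those secrets world-readable. `state: directory` creates the directory on its own, so deleting the `recurse: true` line fixes this, and `mode: "0755"` is the portable spelling. The two `shell: echo ... > /etc/krb5kdc/service.keyfile` tasks also create that file with the umask's default permissions and no explicit mode; unless a task outside this hunk tightens it, a follow-up `file: path: /etc/krb5kdc/service.keyfile mode: "0600"` step is warranted, and `{{ kdc_service_pwd | quote }}` (likewise for kadmin) keeps a password containing shell metacharacters intact. The task list continues outside the hunk.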


@ -1,4 +1,4 @@
lan_homes: /home/lan lan_homes: /home/lan
basedn: "{{ 'dc=' + ( ansible_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}" basedn: "{{ 'dc=' + ( ansible_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
ldap_server: ldap ldap_server: ldap
krb_server: kerberos krb_server: kerberos


@ -4,12 +4,12 @@
- name: reload systemd - name: reload systemd
systemd: systemd:
daemon_reload: yes daemon_reload: true
listen: "reload systemd" listen: "reload systemd"
- name: restart rpc-gssd - name: restart rpc-gssd
systemd: systemd:
name: rpc-gssd name: rpc-gssd
daemon_reload: yes daemon_reload: true
state: restarted state: restarted
notify: "restart rpc-gssd" notify: "restart rpc-gssd"


@ -1,5 +1,6 @@
--- ---
- fail: msg="The machine's domain must not be empty." - name: check if domain name is available
fail: msg="The machine's domain must not be empty."
when: ansible_domain | length == 0 when: ansible_domain | length == 0
- name: preseed krb5-config realm - name: preseed krb5-config realm
@ -31,7 +32,7 @@
- sssd-krb5 - sssd-krb5
- sssd-ldap - sssd-ldap
- nfs-common - nfs-common
state: latest state: latest # noqa package-latest
- name: add URI to ldap.conf - name: add URI to ldap.conf
lineinfile: lineinfile:
@ -48,7 +49,7 @@
- name: enable pam_umask - name: enable pam_umask
lineinfile: lineinfile:
dest: /etc/pam.d/common-session dest: /etc/pam.d/common-session
line: "session optional pam_umask.so usergroups" line: "session optional pam_umask.so usergroups"
## oddjob-mkhomedir works only with sec=sys for the NFSv4 share ## oddjob-mkhomedir works only with sec=sys for the NFSv4 share


@ -1,9 +1,9 @@
ldap_admin_pwd: "{{ lookup('password', '/tmp/ldap_admin.pwd chars=ascii_letters,digits length=32') }}" ldap_admin_pwd: "{{ lookup('password', '/tmp/ldap_admin.pwd chars=ascii_letters,digits length=32') }}"
ldap_admin_pwd_file: "/root/ldap-admin.pwd" ldap_admin_pwd_file: "/root/ldap-admin.pwd"
basedn: "{{ 'dc=' + ( ansible_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}" basedn: "{{ 'dc=' + ( ansible_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
TLSCertificateFile: "/etc/ssl/certs/ssl-cert-snakeoil.pem" certpub: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
TLSCertificateKeyFile: "/etc/ssl/private/ssl-cert-snakeoil.key" certpriv: "/etc/ssl/private/ssl-cert-snakeoil.key"
lan_homes: /home/lan lan_homes: /home/lan
min_id: 10000 min_id: 10000
max_id: 20000 max_id: 20000
ldapuser_gid: 8000 ldapuser_gid: 8000
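Review bot: Renaming `TLSCertificateFile`/`TLSCertificateKeyFile` to `certpub`/`certpriv` is a breaking change for any inventory or extra-vars file that overrides the old names to point slapd at a real certificate; such an override would now be ignored and slapd would silently fall back to the snakeoil pair, with nothing failing to make that visible. A one-release compatibility shim would avoid the silent downgrade, e.g. `certpub: "{{ TLSCertificateFile | default('/etc/ssl/certs/ssl-cert-snakeoil.pem') }}"` and the same for `certpriv`. Separately, the unchanged `lookup('password', '/tmp/ldap_admin.pwd ...')` keeps the generated LDAP admin secret in a predictable path under a world-writable directory on the controller; a path under the playbook tree or the user's home would be safer, since the lookup reuses whatever file it finds there.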


@ -0,0 +1,4 @@
---
- name: restart slapd
systemd: name=slapd state=restarted
listen: restart slapd
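Review bot: The new handler uses the free-form `key=value` shorthand for `systemd` while the rest of this commit converts tasks to native YAML mappings; for consistency (and to keep newer lint rules quiet) write `systemd:` / `name: slapd` / `state: restarted` as a mapping. The `listen: restart slapd` line that repeats the handler's own name is redundant, though harmless.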


@ -1,6 +1,7 @@
## Install and configure slapd. ## Install and configure slapd.
--- ---
- fail: msg="The machine's domain must not be empty." - name: check if domain name is available
fail: msg="The machine's domain must not be empty."
when: ansible_domain | length == 0 when: ansible_domain | length == 0
- name: check if slapd is already set up - name: check if slapd is already set up
@ -87,6 +88,6 @@
firewalld: firewalld:
zone: internal zone: internal
service: ldap service: ldap
permanent: yes permanent: true
immediate: yes immediate: true
state: enabled state: enabled


@ -3,7 +3,7 @@
- name: preseed ldap domain - name: preseed ldap domain
debconf: debconf:
name: slapd name: slapd
question: slapd/domain question: slapd/domain
value: "{{ ansible_domain }}" value: "{{ ansible_domain }}"
vtype: string vtype: string
@ -24,7 +24,9 @@
no_log: true no_log: true
- name: dump admin password - name: dump admin password
shell: echo -n "{{ ldap_admin_pwd }}" > "{{ ldap_admin_pwd_file }}" ; chmod 0600 "{{ ldap_admin_pwd_file }}" shell:
cmd: echo -n "{{ ldap_admin_pwd }}" > "{{ ldap_admin_pwd_file }}" ; chmod 0600 "{{ ldap_admin_pwd_file }}"
creates: "{{ ldap_admin_pwd_file }}"
no_log: true no_log: true
- name: install packages for LDAP - name: install packages for LDAP
@ -35,37 +37,35 @@
- ldapvi - ldapvi
- python3-ldap - python3-ldap
- ssl-cert - ssl-cert
state: latest state: latest # noqa package-latest
- name: add openldap to the ssl-cert group - name: add openldap to the ssl-cert group
user: user:
name: openldap name: openldap
groups: ssl-cert groups: ssl-cert
append: yes append: true
register: ssl_cert_group notify: restart slapd
- name: restart slapd
systemd: name=slapd state=restarted
when: ssl_cert_group.changed
- name: make initial slapd configuration available - name: make initial slapd configuration available
copy: copy:
src: slapd-config.ldif src: slapd-config.ldif
dest: /etc/ldap/slapd.d/ dest: /etc/ldap/slapd.d/
mode: 0644
- name: make slapd TLS configuration available - name: make slapd TLS configuration available
template: template:
src: slapd-TLS.ldif src: slapd-TLS.ldif
dest: /etc/ldap/slapd.d/ dest: /etc/ldap/slapd.d/
mode: 0644
- name: activate ppolicy schema - name: activate ppolicy schema
command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif # noqa no-changed-when
- name: initialize slapd if it has just been installed - name: initialize slapd if it has just been installed
command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-config.ldif command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-config.ldif # noqa no-changed-when
- name: configure LDAP TLS - name: configure LDAP TLS
command: ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-TLS.ldif command: ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-TLS.ldif # noqa no-changed-when
- name: add URI to ldap.conf - name: add URI to ldap.conf
lineinfile: lineinfile:
@ -83,7 +83,7 @@
replace: replace:
path: /etc/ldap/ldap.conf path: /etc/ldap/ldap.conf
regexp: "^(TLS_CACERT\\s+/etc/ssl/certs/ca-certificates.crt)$" regexp: "^(TLS_CACERT\\s+/etc/ssl/certs/ca-certificates.crt)$"
replace: '#\1\nTLS_CACERT\t{{ TLSCertificateFile }}' replace: '#\1\nTLS_CACERT\t{{ certpub }}'
- name: enable pam-mkhomedir - name: enable pam-mkhomedir
command: pam-auth-update --enable mkhomedir command: pam-auth-update --enable mkhomedir
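Review bot: The `dump admin password` task (hunk `@ -24,7 +24,9 @@`) still interpolates the LDAP admin password into a `shell` command line, so it is briefly readable to any local user via the shell process's argv, and the redirect creates the file under the default umask before the separate `chmod 0600` runs. The `creates:` addition fixes idempotence but not that; a `copy` with `content:` and `mode:` writes the file atomically with the right permissions and keeps the secret out of any process command line, with `force: false` preserving the don't-overwrite semantics. The `ldapadd`/`ldapmodify` commands further down get `# noqa no-changed-when` rather than a `changed_when`/`creates`, which also leaves them re-running on every play. The task list continues outside this hunk.
```yaml
- name: dump admin password
  copy:
    content: "{{ ldap_admin_pwd }}"
    dest: "{{ ldap_admin_pwd_file }}"
    mode: "0600"
    force: false
  no_log: true
```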


@ -2,8 +2,8 @@
dn: cn=config dn: cn=config
changetype: modify changetype: modify
add: olcTLSCertificateFile add: olcTLSCertificateFile
olcTLSCertificateFile: {{ TLSCertificateFile }} olcTLSCertificateFile: {{ certpub }}
- -
add: olcTLSCertificateKeyFile add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: {{ TLSCertificateKeyFile }} olcTLSCertificateKeyFile: {{ certpriv }}
- -


@ -1,5 +1,5 @@
- name: enable powertop timer - name: enable powertop timer
systemd: systemd:
name: powertop.timer name: powertop.timer
enabled: yes enabled: true
listen: "enable powertop timer" listen: "enable powertop timer"


@ -1,5 +1,5 @@
- name: install some packages - name: install some packages
apt: name={{ item }} state=latest apt: name={{ item }} state=latest # noqa package-latest
with_items: with_items:
- powertop - powertop
@ -7,9 +7,11 @@
copy: copy:
src: powertop.service src: powertop.service
dest: /etc/systemd/system/powertop.service dest: /etc/systemd/system/powertop.service
mode: 0644
- name: install powertop.timer - name: install powertop.timer
copy: copy:
src: powertop.timer src: powertop.timer
dest: /etc/systemd/system/powertop.timer dest: /etc/systemd/system/powertop.timer
mode: 0644
notify: enable powertop timer notify: enable powertop timer


@ -2,6 +2,7 @@
file: file:
path: "{{ tftp_root }}/d-i/{{ di_dist }}" path: "{{ tftp_root }}/d-i/{{ di_dist }}"
state: directory state: directory
mode: 0755
- name: install di-netboot-assistant and installer package - name: install di-netboot-assistant and installer package
apt: apt:
@ -16,11 +17,12 @@
copy: copy:
src: /usr/share/doc/di-netboot-assistant/examples/preseed.cfg src: /usr/share/doc/di-netboot-assistant/examples/preseed.cfg
dest: "{{ tftp_root }}/d-i/{{ di_dist }}" dest: "{{ tftp_root }}/d-i/{{ di_dist }}"
force: no mode: 0644
remote_src: yes force: false
remote_src: true
- name: make the hostname resolvable from the LAN - name: make the hostname resolvable from the LAN
replace: replace:
path: /etc/hosts path: /etc/hosts
regexp: '^(127\.0\.1\.1.*)$' regexp: '^(127\.0\.1\.1.*)$'
replace: '#\1\n{{ ipaddr_lan | ipaddr("address") }} {{ ansible_hostname }}.{{ ansible_domain }} {{ ansible_hostname }}' replace: '#\1\n{{ ipaddr_lan | ipaddr("address") }} {{ ansible_hostname }}.{{ ansible_domain }} {{ ansible_hostname }}'


@ -0,0 +1,14 @@
---
## DB fixes (only on upgrade)
- name: add missing indices, columns and convert filecache
command: "{{ item }}"
args:
chdir: "{{ nc_dir }}"
warn: false
register: cmd_result
changed_when: cmd_result.stdout is search("updated successfully")
with_items:
- "sudo -u www-data php ./occ db:add-missing-indices"
- "sudo -u www-data php ./occ db:add-missing-columns"
- "sudo -u www-data php ./occ -n db:convert-filecache-bigint"
listen: update and fix data base
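Review bot: The single `changed_when: cmd_result.stdout is search("updated successfully")` is applied to all three `occ` commands, but the per-task version this replaces used a different test for `db:convert-filecache-bigint` (`is not search('tables already up to date')`), which suggests that command does not print "updated successfully" and will now always report unchanged. If that is the case, carry the expected string per item, e.g. loop over `{cmd: ..., ok: ...}` dicts and test `cmd_result.stdout is search(item.ok)`. While here, `become_user: www-data` is the Ansible-native replacement for the `sudo -u www-data` prefix in each command.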


@ -1,18 +1,18 @@
--- ---
- name: check/run upgrade - name: check/run upgrade
command: sudo -u www-data php updater.phar --no-interaction command: sudo -u www-data php updater.phar --no-interaction
args: args:
chdir: "{{ nc_dir }}/updater" chdir: "{{ nc_dir }}/updater"
warn: False warn: false
register: upgrade_result register: upgrade_result
changed_when: upgrade_result.stdout is not search('Nothing to do.') changed_when: upgrade_result.stdout is not search('Nothing to do.')
notify: update and fix data base
- name: update apps - name: update apps
command: "sudo -u www-data php ./occ app:update --all" command: "sudo -u www-data php ./occ app:update --all"
args: args:
chdir: "{{ nc_dir }}" chdir: "{{ nc_dir }}"
warn: False warn: false
register: cmd_result register: cmd_result
changed_when: cmd_result.stdout | length > 0 changed_when: cmd_result.stdout | length > 0
@ -20,36 +20,8 @@
command: "sudo -u www-data php ./occ app:install {{ item }}" command: "sudo -u www-data php ./occ app:install {{ item }}"
args: args:
chdir: "{{ nc_dir }}" chdir: "{{ nc_dir }}"
warn: False warn: false
with_items: "{{ nc_apps }}" with_items: "{{ nc_apps }}"
register: cmd_result register: cmd_result
changed_when: cmd_result.stdout is not search('already installed') changed_when: cmd_result.stdout is not search('already installed')
failed_when: cmd_result.stdout is not search('already installed') and cmd_result.rc != 0 failed_when: cmd_result.stdout is not search('already installed') and cmd_result.rc != 0
## DB fixes (only on upgrade)
- name: add missing indices
command: "sudo -u www-data php ./occ db:add-missing-indices"
args:
chdir: "{{ nc_dir }}"
warn: False
register: cmd_result
changed_when: cmd_result.stdout is search('table updated successfully')
when: upgrade_result.changed | default(true)
- name: add missing columns
command: "sudo -u www-data php ./occ db:add-missing-columns"
args:
chdir: "{{ nc_dir }}"
warn: False
register: cmd_result
changed_when: cmd_result.stdout is search('table updated successfully')
when: upgrade_result.changed | default(true)
- name: convert filecache to bigint
command: "sudo -u www-data php ./occ -n db:convert-filecache-bigint"
args:
chdir: "{{ nc_dir }}"
warn: False
register: cmd_result
changed_when: cmd_result.stdout is not search('tables already up to date')
when: upgrade_result.changed | default(true)
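Review bot: Moving the post-upgrade DB fixes into a handler makes them conditional on the play finishing: handlers run only at the end of the play (or at a flush) and are dropped when a later task fails, and because the next run's updater prints `Nothing to do.` and therefore never notifies again, a failure anywhere after `check/run upgrade` leaves the indices/columns/bigint fixes unapplied until the next Nextcloud release. Inserting `- name: apply DB fixes right after the upgrade` / `  meta: flush_handlers` directly after the upgrade task (or keeping these as tasks guarded by `upgrade_result.changed`) restores the previous behaviour. The old `when: upgrade_result.changed | default(true)` also ran the fixes when the variable was undefined, which the handler approach no longer does.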


@ -4,4 +4,4 @@ nc_admin_pwd_file: "/root/nc-admin.pwd"
www_root: "/var/www" www_root: "/var/www"
nc_dir: "{{ www_root }}/nextcloud" nc_dir: "{{ www_root }}/nextcloud"
data_dir: "/var/nc-data" data_dir: "/var/nc-data"
allow_download: False allow_download: false


@ -14,5 +14,5 @@
systemd: systemd:
name: nextcloudcron.timer name: nextcloudcron.timer
state: started state: started
enabled: True enabled: true
listen: "enable nextcloudcron.timer" listen: "enable nextcloudcron.timer"


@ -5,8 +5,10 @@
register: nextcloud register: nextcloud
- name: check for nextcloud archive - name: check for nextcloud archive
local_action: stat path=nextcloud.tar.bz2 stat:
become: No path: nextcloud.tar.bz2
become: false
delegate_to: localhost
register: nc_archive register: nc_archive
when: not nextcloud.stat.exists when: not nextcloud.stat.exists
@ -45,7 +47,7 @@
- php-xml - php-xml
- php-zip - php-zip
- unzip - unzip
state: latest state: latest # noqa package-latest
- name: disable apache modules - name: disable apache modules
apache2_module: apache2_module:
@ -68,10 +70,10 @@
- http2 - http2
notify: "restart apache2" notify: "restart apache2"
- name: find php version - name: find php version # noqa risky-shell-pipe
shell: ls /etc/php/ | sort | tail -1 shell: ls /etc/php/ | sort | tail -1
register: php_ver register: php_ver
changed_when: False changed_when: false
- name: enable php-fpm conf - name: enable php-fpm conf
command: a2enconf php{{ php_ver.stdout }}-fpm command: a2enconf php{{ php_ver.stdout }}-fpm
@ -85,10 +87,14 @@
regexp: "{{ item.regex }}" regexp: "{{ item.regex }}"
replace: "{{ item.replace }}" replace: "{{ item.replace }}"
with_items: with_items:
- { regex: "^pm.max_children = .*$", replace: "pm.max_children = 10" } - regex: "^pm.max_children = .*$"
- { regex: "^pm.start_servers = .*$", replace: "pm.start_servers = 4" } replace: "pm.max_children = 10"
- { regex: "^pm.min_spare_servers = .*$", replace: "pm.min_spare_servers = 2" } - regex: "^pm.start_servers = .*$"
- { regex: "^pm.max_spare_servers = .*$", replace: "pm.max_spare_servers = 6" } replace: "pm.start_servers = 4"
- regex: "^pm.min_spare_servers = .*$"
replace: "pm.min_spare_servers = 2"
- regex: "^pm.max_spare_servers = .*$"
replace: "pm.max_spare_servers = 6"
notify: "restart php-fpm" notify: "restart php-fpm"
- name: increase php memory limit - name: increase php memory limit
@ -102,6 +108,7 @@
copy: copy:
src: nextcloud.conf src: nextcloud.conf
dest: /etc/apache2/sites-available/nextcloud.conf dest: /etc/apache2/sites-available/nextcloud.conf
mode: 0644
notify: "restart apache2" notify: "restart apache2"
- name: enable nextcloud site - name: enable nextcloud site
@ -123,6 +130,7 @@
file: file:
path: "{{ data_dir }}" path: "{{ data_dir }}"
state: directory state: directory
mode: 0770
owner: www-data owner: www-data
group: www-data group: www-data
@ -140,7 +148,7 @@
dest: "{{ www_root }}" dest: "{{ www_root }}"
owner: www-data owner: www-data
group: www-data group: www-data
remote_src: Yes remote_src: true
when: not nextcloud.stat.exists and run_in_installer|default(false)|bool when: not nextcloud.stat.exists and run_in_installer|default(false)|bool
- name: unpack provided nextcloud archive - name: unpack provided nextcloud archive
@ -184,19 +192,19 @@
--data-dir "{{ data_dir }}" --data-dir "{{ data_dir }}"
args: args:
chdir: "{{ nc_dir }}" chdir: "{{ nc_dir }}"
no_log: True no_log: true
when: not nextcloud.stat.exists when: not nextcloud.stat.exists
- name: dump nc-admin password - name: dump nc-admin password
shell: echo -n "{{ nc_admin_pwd }}" > "{{ nc_admin_pwd_file }}" ; chmod 0600 "{{ nc_admin_pwd_file }}" shell: echo -n "{{ nc_admin_pwd }}" > "{{ nc_admin_pwd_file }}" ; chmod 0600 "{{ nc_admin_pwd_file }}"
no_log: True no_log: true
when: not nextcloud.stat.exists when: not nextcloud.stat.exists
- name: enable APCu memcache - name: enable APCu memcache
command: sudo -u www-data php ./occ config:system:set memcache.local --value='\OC\Memcache\APCu' command: sudo -u www-data php ./occ config:system:set memcache.local --value='\OC\Memcache\APCu'
args: args:
chdir: "{{ nc_dir }}" chdir: "{{ nc_dir }}"
warn: False warn: false
when: not nextcloud.stat.exists when: not nextcloud.stat.exists
- name: enable acpu for nextcloud updates - name: enable acpu for nextcloud updates
@ -208,7 +216,7 @@
command: sudo -u www-data php ./occ config:system:set trusted_domains {{ item[0] }} --value='{{ item[1] }}' command: sudo -u www-data php ./occ config:system:set trusted_domains {{ item[0] }} --value='{{ item[1] }}'
args: args:
chdir: "{{ nc_dir }}" chdir: "{{ nc_dir }}"
warn: False warn: false
when: not nextcloud.stat.exists when: not nextcloud.stat.exists
loop: loop:
- [1, '192.168.*.*'] - [1, '192.168.*.*']
@ -220,6 +228,7 @@
copy: copy:
src: "{{ item }}" src: "{{ item }}"
dest: "/etc/systemd/system/{{ item }}" dest: "/etc/systemd/system/{{ item }}"
mode: 0644
with_items: with_items:
- nextcloudcron.service - nextcloudcron.service
- nextcloudcron.timer - nextcloudcron.timer
@ -229,8 +238,8 @@
firewalld: firewalld:
interface: "{{ ansible_default_ipv4.interface }}" interface: "{{ ansible_default_ipv4.interface }}"
zone: public zone: public
permanent: Yes permanent: true
immediate: Yes immediate: true
state: enabled state: enabled
when: not run_in_installer|default(false)|bool when: not run_in_installer|default(false)|bool
@ -242,8 +251,8 @@
firewalld: firewalld:
zone: public zone: public
service: https service: https
permanent: Yes permanent: true
immediate: Yes immediate: true
state: enabled state: enabled
when: not run_in_installer|default(false)|bool when: not run_in_installer|default(false)|bool
@ -257,7 +266,7 @@
- name: install libapache2-mod-auth-gssapi - name: install libapache2-mod-auth-gssapi
apt: apt:
name: libapache2-mod-auth-gssapi name: libapache2-mod-auth-gssapi
state: latest state: latest # noqa package-latest
when: "'kerberize' in role_names" when: "'kerberize' in role_names"
notify: "restart apache2" notify: "restart apache2"
@ -267,8 +276,8 @@
dest: /etc/krb5.keytab.http dest: /etc/krb5.keytab.http
group: www-data group: www-data
mode: "0640" mode: "0640"
remote_src: yes remote_src: true
force: no force: false
when: "'kerberize' in role_names" when: "'kerberize' in role_names"
notify: "restart apache2" notify: "restart apache2"
@ -276,6 +285,7 @@
copy: copy:
src: krb5-nextcloud.conf src: krb5-nextcloud.conf
dest: /etc/apache2/sites-available/krb5-nextcloud.conf dest: /etc/apache2/sites-available/krb5-nextcloud.conf
mode: 0644
when: "'kerberize' in role_names" when: "'kerberize' in role_names"
notify: "restart apache2" notify: "restart apache2"
@ -290,8 +300,8 @@
firewalld: firewalld:
zone: internal zone: internal
service: https service: https
permanent: Yes permanent: true
immediate: Yes immediate: true
state: enabled state: enabled
when: not run_in_installer|default(false)|bool and 'kerberize' in role_names when: not run_in_installer|default(false)|bool and 'kerberize' in role_names
@ -303,7 +313,7 @@
command: sudo -u www-data php ./occ config:system:set trusted_domains 2 --value='{{ ansible_hostname }}.{{ ansible_domain }}' command: sudo -u www-data php ./occ config:system:set trusted_domains 2 --value='{{ ansible_hostname }}.{{ ansible_domain }}'
args: args:
chdir: "{{ nc_dir }}" chdir: "{{ nc_dir }}"
warn: False warn: false
when: not nextcloud.stat.exists and 'kerberize' in role_names when: not nextcloud.stat.exists and 'kerberize' in role_names
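Review bot: In hunk `@ -184,19 +192,19 @@` the `dump nc-admin password` task still pushes the admin password through a `shell` command line (`echo -n "{{ nc_admin_pwd }}" > ... ; chmod 0600 ...`), so the secret is briefly exposed in the shell process's argv and the file exists with umask permissions until the chmod runs; `no_log` only hides it from Ansible's output. A `copy` with `content:` and `mode: "0600"` does the write atomically with the correct permissions and never places the password on a command line. The `ldap` role in this same commit has the identical construct and should get the same treatment. The task list continues outside this hunk.
```yaml
- name: dump nc-admin password
  copy:
    content: "{{ nc_admin_pwd }}"
    dest: "{{ nc_admin_pwd_file }}"
    mode: "0600"
  no_log: true
  when: not nextcloud.stat.exists
```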


@ -1,5 +1,5 @@
export_root: /srv/nfs4 export_root: /srv/nfs4
lan_homes: /home/lan lan_homes: /home/lan
basedn: "{{ 'dc=' + ( ansible_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}" basedn: "{{ 'dc=' + ( ansible_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
min_id: 10000 min_id: 10000
min_id_sssd: 5000 min_id_sssd: 5000


@ -1,6 +1,7 @@
## Install and configure nfs-server ## Install and configure nfs-server
--- ---
- fail: msg="The machine's domain must not be empty." - name: check if ansible domain is nonempty
fail: msg="The machine's domain must not be empty."
when: ansible_domain | length == 0 when: ansible_domain | length == 0
- name: check if we are installing - name: check if we are installing
@ -11,7 +12,7 @@
apt: apt:
name: name:
- nfs-kernel-server - nfs-kernel-server
state: latest state: latest # noqa package-latest # noqa package-latest
- name: make sure the export paths exists - name: make sure the export paths exists
file: path={{ export_root }}/home/ state=directory recurse=yes file: path={{ export_root }}/home/ state=directory recurse=yes
@ -33,7 +34,7 @@
replace: replace:
path: /etc/hosts path: /etc/hosts
regexp: "^({{ ipaddr_lan | ipaddr('address') }}\\s.+)$" regexp: "^({{ ipaddr_lan | ipaddr('address') }}\\s.+)$"
replace: '\1 nfs' replace: '\1 nfs'
when: not exports.stat.exists when: not exports.stat.exists
- name: check if there is a local kadmin - name: check if there is a local kadmin
@ -55,7 +56,7 @@
- sssd-krb5 - sssd-krb5
- sssd-ldap - sssd-ldap
- sssd-tools ## sss_cache -U -G - sssd-tools ## sss_cache -U -G
state: latest state: latest # noqa package-latest
when: kadmin.stat.exists when: kadmin.stat.exists
- name: provide identities from directory - name: provide identities from directory
@ -80,6 +81,7 @@
template: template:
src: dhcp-send-domain.j2 src: dhcp-send-domain.j2
dest: /etc/dnsmasq.d/dhcp-send-domain dest: /etc/dnsmasq.d/dhcp-send-domain
mode: 0644
notify: "restart dnsmasq" notify: "restart dnsmasq"
when: dnsmasq.stat.exists when: dnsmasq.stat.exists
@ -87,6 +89,6 @@
firewalld: firewalld:
zone: internal zone: internal
service: nfs service: nfs
permanent: yes permanent: true
immediate: yes immediate: true
state: enabled state: enabled
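Review bot: The `nfs-kernel-server` install task (hunk `@ -11,7 +12,7 @@`) now carries the `noqa` directive twice, `state: latest # noqa package-latest # noqa package-latest`; one copy should go. The next task, `file: path={{ export_root }}/home/ state=directory recurse=yes`, is the free-form `key=value` style the rest of this commit is moving away from, and `recurse=yes` without `owner`/`group`/`mode` has nothing to apply, so it can be written as a plain `file:` mapping with `state: directory`.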


@ -1,7 +1,7 @@
- name: start git-repo - name: start git-repo
systemd: systemd:
daemon_reload: yes daemon_reload: true
name: git-repo name: git-repo
state: started state: started
enabled: yes enabled: true
listen: start git-repo listen: start git-repo


@ -1,13 +1,13 @@
- name: make sure ansible is available - name: make sure ansible is available
apt: apt:
name: ansible name: ansible
state: latest state: latest # noqa package-latest
- name: generate ssh key - name: generate ssh key
command: "su -l {{ ansible_user }} -c \"ssh-keygen -t rsa -f /home/{{ ansible_user }}/.ssh/id_rsa -P ''\"" command: "su -l {{ ansible_user }} -c \"ssh-keygen -t rsa -f /home/{{ ansible_user }}/.ssh/id_rsa -P ''\""
args: args:
creates: "/home/{{ ansible_user }}/.ssh/id_rsa" creates: "/home/{{ ansible_user }}/.ssh/id_rsa"
warn: False warn: false
- name: slurp public key - name: slurp public key
slurp: slurp:
@ -15,7 +15,8 @@
register: sshpubkey register: sshpubkey
# The following seems to be necessary to get rid of a newline: # The following seems to be necessary to get rid of a newline:
- set_fact: - name: define variable
set_fact:
sshpubkey: "{{ sshpubkey['content'] | b64decode | replace('\n', '') }}" sshpubkey: "{{ sshpubkey['content'] | b64decode | replace('\n', '') }}"
- name: enable backports in preseed file - name: enable backports in preseed file
@ -87,12 +88,15 @@
block: | block: |
# Use a temporary package cache during installation, install etckeeper. # Use a temporary package cache during installation, install etckeeper.
menuentry 'Debian stable (amd64) + temporary package cache' { menuentry 'Debian stable (amd64) + temporary package cache' {
linux /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/linux mirror/http/proxy?=http://{{ ansible_hostname }}:3142/ pkgsel/include=etckeeper preseed/late_command="rm -fv /target/etc/apt/apt.conf" --- linux /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/linux \
mirror/http/proxy?=http://{{ ansible_hostname }}:3142/ pkgsel/include=etckeeper \
preseed/late_command="rm -fv /target/etc/apt/apt.conf" ---
initrd /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/initrd.gz initrd /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/initrd.gz
} }
menuentry 'Debian {{ di_version }} (amd64) + preseed + kiosk.yml' { menuentry 'Debian {{ di_version }} (amd64) + preseed + kiosk.yml' {
linux /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/linux auto=true priority=critical url=tftp://{{ ansible_hostname }} playbook=kiosk.yml --- linux /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/linux \
auto=true priority=critical url=tftp://{{ ansible_hostname }} playbook=kiosk.yml ---
initrd /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/initrd.gz initrd /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/initrd.gz
} }
@ -128,7 +132,8 @@
insertbefore: EOF insertbefore: EOF
block: | block: |
menuentry 'Debian {{ di_version }} (amd64) + preseed + kerberox-client.yml' { menuentry 'Debian {{ di_version }} (amd64) + preseed + kerberox-client.yml' {
linux /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/linux auto=true priority=critical url=tftp://{{ ansible_hostname }} playbook=kerberox-client.yml --- linux /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/linux \
auto=true priority=critical url=tftp://{{ ansible_hostname }} playbook=kerberox-client.yml ---
initrd /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/initrd.gz initrd /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/initrd.gz
} }
marker: "# {mark} ANSIBLE MANAGED BLOCK kerberox-client" marker: "# {mark} ANSIBLE MANAGED BLOCK kerberox-client"
@ -161,13 +166,16 @@
block: | block: |
menuentry 'Debian {{ di_version }} (amd64) + preseed + sambox-client.yml' { menuentry 'Debian {{ di_version }} (amd64) + preseed + sambox-client.yml' {
regexp --set=1:oct4 --set=2:oct5 --set=3:oct6 "\:([[:xdigit:]]+)\:([[:xdigit:]]+)\:([[:xdigit:]]+)\$" $net_default_mac regexp --set=1:oct4 --set=2:oct5 --set=3:oct6 "\:([[:xdigit:]]+)\:([[:xdigit:]]+)\:([[:xdigit:]]+)\$" $net_default_mac
linux /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/linux auto=true priority=critical hostname=${oct4}${oct5}${oct6} url=tftp://{{ ansible_hostname }} playbook=sambox-client.yml --- linux /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/linux \
auto=true priority=critical hostname=${oct4}${oct5}${oct6} url=tftp://{{ ansible_hostname }} \
playbook=sambox-client.yml ---
initrd /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/initrd.gz initrd /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/initrd.gz
} }
menuentry 'Debian daily (amd64) + preseed + sambox-client.yml' { menuentry 'Debian daily (amd64) + preseed + sambox-client.yml' {
regexp --set=1:oct4 --set=2:oct5 --set=3:oct6 "\:([[:xdigit:]]+)\:([[:xdigit:]]+)\:([[:xdigit:]]+)\$" $net_default_mac regexp --set=1:oct4 --set=2:oct5 --set=3:oct6 "\:([[:xdigit:]]+)\:([[:xdigit:]]+)\:([[:xdigit:]]+)\$" $net_default_mac
linux /d-i/n-a/daily/amd64/linux auto=true priority=critical hostname=${oct4}${oct5}${oct6} url=tftp://{{ ansible_hostname }} playbook=sambox-client.yml --- linux /d-i/n-a/daily/amd64/linux auto=true priority=critical hostname=${oct4}${oct5}${oct6} \
url=tftp://{{ ansible_hostname }} playbook=sambox-client.yml ---
initrd /d-i/n-a/daily/amd64/initrd.gz initrd /d-i/n-a/daily/amd64/initrd.gz
} }
marker: "# {mark} ANSIBLE MANAGED BLOCK sambox-client" marker: "# {mark} ANSIBLE MANAGED BLOCK sambox-client"
@ -181,7 +189,7 @@
git: git:
repo: 'https://salsa.debian.org/andi/debian-lan-ansible.git' repo: 'https://salsa.debian.org/andi/debian-lan-ansible.git'
dest: "{{ repo_dir }}" dest: "{{ repo_dir }}"
update: no update: false
become_user: "{{ ansible_user }}" become_user: "{{ ansible_user }}"
when: not run_in_installer|default(false)|bool when: not run_in_installer|default(false)|bool
@ -189,6 +197,7 @@
template: template:
src: git-repo.j2 src: git-repo.j2
dest: "/etc/systemd/system/git-repo.service" dest: "/etc/systemd/system/git-repo.service"
mode: 0644
notify: start git-repo notify: start git-repo
when: not run_in_installer|default(false)|bool when: not run_in_installer|default(false)|bool
@ -197,7 +206,8 @@
- name: add clients to inventory - name: add clients to inventory
blockinfile: blockinfile:
dest: /etc/ansible/hosts dest: /etc/ansible/hosts
create: yes create: true
mode: 0644
block: | block: |
[kerberox-client] [kerberox-client]
{{ in_inventory }} {{ in_inventory }}
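Review bot: The GRUB `linux` lines inside the `blockinfile` blocks (hunks `@ -87,12 +88,15 @@`, `@ -128,7 +132,8 @@`, `@ -161,13 +166,16 @@`) are now split with backslash continuations purely to satisfy a YAML line-length check, which changes the rendered `grub.cfg` rather than the playbook; GRUB's script parser does, as far as I know, accept backslash-newline, but a netboot menu is the wrong place to find out, so the entries should be boot-tested, and any trailing whitespace after a `\` will break them silently. If that risk is not worth it, keep each kernel command line on one physical line and suppress the line-length warning for those lines instead. The `ssh-keygen -t rsa ... -P ''` task further up is unchanged; the built-in `user` module with `generate_ssh_key: true` would generate the same passphrase-less key idempotently without `su -l`.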


@ -5,4 +5,3 @@
- name: restart smbd - name: restart smbd
service: name=smbd state=restarted enabled=yes service: name=smbd state=restarted enabled=yes
listen: "restart smbd" listen: "restart smbd"


@ -1,3 +1,3 @@
--- ---
dependencies: dependencies: # noqa meta-no-info
- role: ldap - role: ldap


@ -9,8 +9,7 @@
name: name:
- samba - samba
- sssd-ldap - sssd-ldap
state: latest state: latest # noqa package-latest
- name: provide identities from LDAP - name: provide identities from LDAP
template: template:
@ -19,8 +18,8 @@
mode: 0600 mode: 0600
notify: restart sssd notify: restart sssd
- meta: flush_handlers - name: flush all handlers
meta: flush_handlers
- name: prepare samba schema - name: prepare samba schema
command: cp /usr/share/doc/samba/examples/LDAP/samba.ldif /etc/ldap/schema/ command: cp /usr/share/doc/samba/examples/LDAP/samba.ldif /etc/ldap/schema/
@ -87,8 +86,8 @@
- name: slurp admin password for samba setup - name: slurp admin password for samba setup
slurp: slurp:
src: "{{ ldap_admin_pwd_file }}" src: "{{ ldap_admin_pwd_file }}"
register: ldap_admin_pwd register: ldap_admin_pwd
no_log: true no_log: true
when: not samba_ldap.stat.exists when: not samba_ldap.stat.exists
- name: make samba admin password available to smbd - name: make samba admin password available to smbd
@ -97,9 +96,10 @@
notify: restart smbd notify: restart smbd
when: not samba_ldap.stat.exists when: not samba_ldap.stat.exists
- meta: flush_handlers - name: flush all handlers
meta: flush_handlers
- name: add samba attributes to dummy user foo - name: add samba attributes to dummy user foo
command: command:
cmd: smbpasswd -s -a foo cmd: smbpasswd -s -a foo
stdin: "{{ foo_pwd }}\n{{ foo_pwd }}" stdin: "{{ foo_pwd }}\n{{ foo_pwd }}"
@ -111,8 +111,8 @@
firewalld: firewalld:
zone: internal zone: internal
service: "{{ item }}" service: "{{ item }}"
permanent: yes permanent: true
immediate: yes immediate: true
state: enabled state: enabled
with_items: with_items:
- samba - samba


@ -19,5 +19,5 @@ cache_credentials = true
min_id = {{ min_id_sssd }} min_id = {{ min_id_sssd }}
max_id = {{ max_id_sssd }} max_id = {{ max_id_sssd }}
## remove this after providing propper certificates: ## remove this after providing propper certificates:
ldap_tls_reqcert = allow ldap_tls_reqcert = allow


@ -4,6 +4,5 @@
- name: reload systemd - name: reload systemd
systemd: systemd:
daemon_reload: yes daemon_reload: true
listen: "reload systemd" listen: "reload systemd"


@ -3,10 +3,10 @@
apt: apt:
name: name:
- sssd-ldap - sssd-ldap
- libpam-mount - libpam-mount
- cifs-utils - cifs-utils
- sshfs - sshfs
state: latest state: latest # noqa package-latest
- name: add URI to ldap.conf - name: add URI to ldap.conf
lineinfile: lineinfile:
@ -23,7 +23,7 @@
- name: enable pam_umask - name: enable pam_umask
lineinfile: lineinfile:
dest: /etc/pam.d/common-session dest: /etc/pam.d/common-session
line: "session optional pam_umask.so usergroups" line: "session optional pam_umask.so usergroups"
- name: provide identities from directory - name: provide identities from directory
template: template:
@ -65,4 +65,6 @@
## gnome-keyring fails with sshfs: ## gnome-keyring fails with sshfs:
- name: disable gnome-keyring-daemon - name: disable gnome-keyring-daemon
command: dpkg-divert --divert /usr/bin/gnome-keyring-daemon.distrib --rename /usr/bin/gnome-keyring-daemon command:
cmd: dpkg-divert --divert /usr/bin/gnome-keyring-daemon.distrib --rename /usr/bin/gnome-keyring-daemon
creates: /usr/bin/gnome-keyring-daemon.distrib


@ -1,14 +1,14 @@
- name: restart and enable systemd-networkd - name: restart and enable systemd-networkd
systemd: systemd:
name: systemd-networkd name: systemd-networkd
enabled: yes enabled: true
state: restarted state: restarted
daemon_reload: yes daemon_reload: true
listen: "start and enable systemd-networkd" listen: "start and enable systemd-networkd"
- name: start and enable systemd-resolved - name: start and enable systemd-resolved
systemd: systemd:
name: systemd-resolved name: systemd-resolved
enabled: yes enabled: true
state: started state: started
listen: "start and enable systemd-resolved" listen: "start and enable systemd-resolved"


@ -7,19 +7,20 @@
copy: copy:
src: all-eth.network src: all-eth.network
dest: /etc/systemd/network/all-eth.network dest: /etc/systemd/network/all-eth.network
mode: 0644
notify: "start and enable systemd-networkd" notify: "start and enable systemd-networkd"
#- name: install static configuration for networkd # - name: install static configuration for networkd
# template: # template:
# src: 20-static.network.j2 # src: 20-static.network.j2
# dest: /etc/systemd/network/20-static.network # dest: /etc/systemd/network/20-static.network
# notify: "enable systemd-networkd" # notify: "enable systemd-networkd"
- name: enable local stub resolver - name: enable local stub resolver
file: file:
src: /run/systemd/resolve/stub-resolv.conf src: /run/systemd/resolve/stub-resolv.conf
dest: /etc/resolv.conf dest: /etc/resolv.conf
state: link state: link
follow: False follow: false
force: yes force: true
notify: "start and enable systemd-resolved" notify: "start and enable systemd-resolved"


@ -4,4 +4,4 @@ Name={{ if_lan }}
[Network] [Network]
Address={{ ipaddr }} Address={{ ipaddr }}
Gateway={{ gateway }} Gateway={{ gateway }}
DNS={{ DNS }} DNS={{ dns }}


@ -1,7 +1,7 @@
- name: install squid package - name: install squid package
apt: apt:
name: squid name: squid
state: latest state: latest # noqa package-latest
- name: configure squid extra lines - name: configure squid extra lines
lineinfile: lineinfile:
@ -9,11 +9,16 @@
line: "{{ item.line }}" line: "{{ item.line }}"
insertafter: "{{ item.insertafter }}" insertafter: "{{ item.insertafter }}"
with_items: with_items:
- { line: "http_access allow localnet", insertafter: "#http_access allow localnet" } - line: "http_access allow localnet"
- { line: "http_port 3129 intercept", insertafter: "http_port 3128" } insertafter: "#http_access allow localnet"
- { line: "maximum_object_size_in_memory 10240 KB", insertafter: "# maximum_object_size_in_memory" } - line: "http_port 3129 intercept"
- { line: "maximum_object_size 512 MB", insertafter: "# maximum_object_size" } insertafter: "http_port 3128"
- { line: "cache_dir aufs /var/spool/squid 20000 16 256", insertafter: "#cache_dir ufs /var/spool/squid" } - line: "maximum_object_size_in_memory 10240 KB"
insertafter: "# maximum_object_size_in_memory"
- line: "maximum_object_size 512 MB"
insertafter: "# maximum_object_size"
- line: "cache_dir aufs /var/spool/squid 20000 16 256"
insertafter: "#cache_dir ufs /var/spool/squid"
notify: "restart squid" notify: "restart squid"
- name: configure squid store IDs - name: configure squid store IDs
@ -29,6 +34,7 @@
copy: copy:
src: store_id_regex.conf src: store_id_regex.conf
dest: /etc/squid/store_id_regex.conf dest: /etc/squid/store_id_regex.conf
mode: 0644
notify: "restart squid" notify: "restart squid"
- name: configure squid as package cache - name: configure squid as package cache
@ -53,5 +59,5 @@
- name: redirect www traffic in shorewall - name: redirect www traffic in shorewall
lineinfile: lineinfile:
dest: /etc/shorewall/rules dest: /etc/shorewall/rules
line: "REDIRECT loc 3129 tcp www" line: "REDIRECT loc 3129 tcp www"
notify: "restart shorewall" notify: "restart shorewall"
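Review bot: The `insertafter` anchors on the reworked `with_items` entries are the stock squid.conf comment lines, and lineinfile silently appends at end of file when an anchor does not match; for `http_access allow localnet` that presumably lands after the default `http_access deny all`, where Squid's first-match evaluation never reaches it, so LAN clients would lose proxy access without any task failing. Worth a comment above `with_items:` such as `## Anchors are the stock squid.conf comment lines; an unmatched anchor makes lineinfile append at EOF, which for http_access silently breaks the ACL order.` Managing squid.conf with a template would remove the dependency on the packaged file's comments, but that is beyond this lint-cleanup commit.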


@ -2,13 +2,15 @@
template: template:
src: interfaces-static.j2 src: interfaces-static.j2
dest: /etc/network/interfaces.d/static dest: /etc/network/interfaces.d/static
mode: 0644
notify: "bring up LAN interface" notify: "bring up LAN interface"
- name: install firewalld package - name: install firewalld package
apt: name=firewalld state=latest apt: name=firewalld state=latest # noqa package-latest
notify: "start firewalld" notify: "start firewalld"
- meta: flush_handlers - name: flush all handlers
meta: flush_handlers
## Do not run the following in the installer: ## Do not run the following in the installer:
@ -17,7 +19,7 @@
firewalld: firewalld:
zone: public zone: public
interface: "{{ if_wan }}" interface: "{{ if_wan }}"
permanent: yes permanent: true
state: enabled state: enabled
immediate: true immediate: true
when: not run_in_installer|default(false)|bool when: not run_in_installer|default(false)|bool
@ -26,7 +28,7 @@
firewalld: firewalld:
zone: public zone: public
masquerade: 'yes' masquerade: 'yes'
permanent: yes permanent: true
state: enabled state: enabled
immediate: true immediate: true
when: not run_in_installer|default(false)|bool when: not run_in_installer|default(false)|bool
@ -35,7 +37,7 @@
firewalld: firewalld:
zone: internal zone: internal
interface: "{{ if_lan }}" interface: "{{ if_lan }}"
permanent: yes permanent: true
state: enabled state: enabled
immediate: true immediate: true
when: not run_in_installer|default(false)|bool when: not run_in_installer|default(false)|bool
@ -44,7 +46,7 @@
firewalld: firewalld:
zone: internal zone: internal
service: "{{ item }}" service: "{{ item }}"
permanent: yes permanent: true
state: enabled state: enabled
immediate: true immediate: true
with_items: with_items:
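Review bot: `apt: name=firewalld state=latest # noqa package-latest` keeps the key=value free-form syntax next to tasks written in block YAML, and suppresses the lint rule rather than addressing it: with `state: latest` every run of this play may upgrade a network-facing package as a side effect, so `state: present` here, leaving upgrades to the up2date-debian role, would be the idempotent choice. Block form: `apt:` / `name: firewalld` / `state: present`. The same shorthand remains in the shorewall install task and in the `some packages` task further down. Leaving `masquerade: 'yes'` quoted looks right, as that firewalld parameter takes a string as far as I know; only the boolean `permanent` needed the change.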


@ -2,10 +2,11 @@
template: template:
src: interfaces-static.j2 src: interfaces-static.j2
dest: /etc/network/interfaces.d/static dest: /etc/network/interfaces.d/static
mode: 0644
notify: restart networking notify: restart networking
- name: install shorewall packages - name: install shorewall packages
apt: name=shorewall state=latest apt: name=shorewall state=latest # noqa package-latest
- name: copy shorewall configuration - name: copy shorewall configuration
command: cp {{ item }} /etc/shorewall/ command: cp {{ item }} /etc/shorewall/
@ -24,7 +25,7 @@
- name: find files in /etc/shorewall/ - name: find files in /etc/shorewall/
find: find:
paths: /etc/shorewall/ paths: /etc/shorewall/
use_regex: yes use_regex: true
pattern: '.+[^~]$' pattern: '.+[^~]$'
contains: '.*(eth0|eth1).*' contains: '.*(eth0|eth1).*'
register: find_result register: find_result
@ -35,7 +36,7 @@
dest: "{{ item.path }}" dest: "{{ item.path }}"
regexp: 'eth0' regexp: 'eth0'
replace: "{{ if_wan }}" replace: "{{ if_wan }}"
backup: yes backup: true
with_items: "{{ find_result.files }}" with_items: "{{ find_result.files }}"
notify: restart shorewall notify: restart shorewall
@ -44,7 +45,7 @@
dest: "{{ item.path }}" dest: "{{ item.path }}"
regexp: 'eth1' regexp: 'eth1'
replace: "{{ if_lan }}" replace: "{{ if_lan }}"
backup: yes backup: true
with_items: "{{ find_result.files }}" with_items: "{{ find_result.files }}"
notify: restart shorewall notify: restart shorewall
@ -53,7 +54,7 @@
dest: /etc/shorewall/shorewall.conf dest: /etc/shorewall/shorewall.conf
regexp: 'IP_FORWARDING=Keep' regexp: 'IP_FORWARDING=Keep'
replace: 'IP_FORWARDING=Yes' replace: 'IP_FORWARDING=Yes'
backup: yes backup: true
notify: restart shorewall notify: restart shorewall
- name: configure shorewall policy - name: configure shorewall policy
@ -61,7 +62,7 @@
dest: /etc/shorewall/policy dest: /etc/shorewall/policy
regexp: 'loc(\s+)net(\s+)ACCEPT' regexp: 'loc(\s+)net(\s+)ACCEPT'
replace: 'loc\1all\2ACCEPT\n$FW\1all\2ACCEPT' replace: 'loc\1all\2ACCEPT\n$FW\1all\2ACCEPT'
backup: yes backup: true
notify: restart shorewall notify: restart shorewall
- name: configure shorewall rules - name: configure shorewall rules
@ -69,5 +70,5 @@
dest: /etc/shorewall/rules dest: /etc/shorewall/rules
regexp: '(SSH\(ACCEPT\)\s+)loc(\s+\$FW)' regexp: '(SSH\(ACCEPT\)\s+)loc(\s+\$FW)'
replace: '\1all\2' replace: '\1all\2'
backup: yes backup: true
notify: restart shorewall notify: restart shorewall
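Review bot: The rules task at the end of the hunk rewrites `SSH(ACCEPT) loc $FW` to `SSH(ACCEPT) all $FW`, which in Shorewall's rules syntax admits SSH to the firewall host from every zone including `net`; the commit only touched `backup:` here, but nothing documents that this wider exposure is intended. A comment above the task would make the decision reviewable, e.g. `## Deliberately allows SSH to the firewall from all zones (incl. net); keep 'loc' if remote admin access is not required.` The task's module line and its `replace:` line lie outside the hunk. The `command: cp {{ item }} /etc/shorewall/` task earlier in the file reports changed on every run and is what ansible-lint's no-changed-when rule targets; if the sources live on the remote host, `copy:` with `remote_src: true` is the module-based alternative.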


@ -2,36 +2,36 @@
- name: update apt package lists - name: update apt package lists
apt: apt:
update_cache: yes update_cache: true
cache_valid_time: 86400 cache_valid_time: 86400
- name: upgrade packages - name: upgrade packages
apt: apt:
upgrade: dist upgrade: dist
autoremove: yes autoremove: true
autoclean: yes autoclean: true
- name: install etckeeper - name: install etckeeper
apt: apt:
name: etckeeper name: etckeeper
state: latest state: latest # noqa package-latest
- name: install extra packages from stable - name: install extra packages from stable
apt: apt:
name: "{{ extra_pkgs }}" name: "{{ extra_pkgs }}"
state: latest state: latest # noqa package-latest
when: extra_pkgs|length when: extra_pkgs|length
- name: add {{ ansible_distribution_release }}-backports - name: add {{ ansible_distribution_release }}-backports
apt_repository: apt_repository:
repo: deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports main repo: deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports main
state: present state: present
update_cache: yes update_cache: true
when: extra_pkgs_bpo|length when: extra_pkgs_bpo|length
- name: install extra packages from backports - name: install extra packages from backports
apt: apt:
name: "{{ extra_pkgs_bpo }}" name: "{{ extra_pkgs_bpo }}"
state: latest state: latest # noqa package-latest
default_release: "{{ ansible_distribution_release }}-backports" default_release: "{{ ansible_distribution_release }}-backports"
when: extra_pkgs_bpo|length when: extra_pkgs_bpo|length
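Review bot: `when: extra_pkgs|length` and `when: extra_pkgs_bpo|length` raise an undefined-variable error instead of skipping when the variable is not set, unless the role's defaults define both; `when: extra_pkgs | default([]) | length > 0` skips cleanly either way. The `# noqa package-latest` markers are appropriate in this role, whose purpose is to upgrade, so no change there. The backports entry uses plain `http://deb.debian.org`; apt verifies release signatures, so integrity is not at stake, but `https://deb.debian.org` is served too and keeps the fetched package names from on-path observers.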


@ -1,5 +1,5 @@
- name: install some packages - name: install some packages
apt: name={{ item }} state=latest apt: name={{ item }} state=latest # noqa package-latest
with_items: with_items:
- unattended-upgrades - unattended-upgrades
- screen - screen
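Review bot: Looping `apt: name={{ item }} state=latest` over `with_items` runs a separate apt transaction per package; passing the list to `name:` installs them in one transaction and is the form current Ansible expects, since per-item squashing of apt loops was deprecated and then removed. The block form `apt:` with the package list nested under `name:` and `state: present` (upgrades belong to up2date-debian) covers it, and also drops the free-form syntax. The package list may continue beyond the five lines shown in this hunk.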


@ -4,7 +4,7 @@
- name: apply configuration to the machines - name: apply configuration to the machines
hosts: all hosts: all
remote_user: ansible remote_user: ansible
become: yes become: true
vars: vars:
extra_pkgs: extra_pkgs:
- webext-privacy-badger - webext-privacy-badger
@ -16,5 +16,5 @@
- up2date-debian - up2date-debian
- smb-sshfs-client - smb-sshfs-client
## Choose either gnome or KDE: ## Choose either gnome or KDE:
#- gnome # - gnome
#- kde # - kde


@ -1,13 +1,13 @@
--- ---
## This playbook deploys the sambox server. Add 'hostname=XXX' and 'domain=YYY' ## This playbook deploys the sambox server. Add 'hostname=XXX' and 'domain=YYY'
## to the installer boot parameters to set hostname and domain. ## to the installer boot parameters to set hostname and domain.
## ##
- name: apply configuration to the sambox server - name: apply configuration to the sambox server
hosts: all hosts: all
remote_user: ansible remote_user: ansible
become: yes become: true
vars: vars:
## This interface provides the default route: ## This interface provides the default route:
@ -22,11 +22,11 @@
ipaddr_lan_ptr: "{{ (ipaddr_lan | ipaddr('revdns')).split('.')[1:] | join('.') }}" ipaddr_lan_ptr: "{{ (ipaddr_lan | ipaddr('revdns')).split('.')[1:] | join('.') }}"
ipaddr_lan_ptr_threeoct: "{{ ipaddr_lan_ptr.split('.')[0:3] | join('.') }}" ipaddr_lan_ptr_threeoct: "{{ ipaddr_lan_ptr.split('.')[0:3] | join('.') }}"
dhcp_start: 192.168.0.50 dhcp_start: 192.168.0.50
dhcp_stop: 192.168.0.150 dhcp_stop: 192.168.0.150
in_inventory: 192.168.0.[50:150] in_inventory: 192.168.0.[50:150]
di_dist: "{{ ansible_distribution_release }}" di_dist: "{{ ansible_distribution_release }}"
di_version: 10 #"{{ ansible_distribution_major_version }}" di_version: 10 # "{{ ansible_distribution_major_version }}"
di_pkg: "debian-installer-{{ di_version }}-netboot-amd64" di_pkg: "debian-installer-{{ di_version }}-netboot-amd64"
ansible_user: ansible ansible_user: ansible
@ -40,7 +40,7 @@
In case you would like to prepare a test user 'foo' and have In case you would like to prepare a test user 'foo' and have
not done so yet, provide foo's password here. Leave empty to not done so yet, provide foo's password here. Leave empty to
just continue just continue
private: yes private: true
pre_tasks: pre_tasks: