alanorth/ansible-personal
1
0
Fork 0
Code Issues 4 Pull Requests Projects Releases Wiki Activity

Compare commits

base: alanorth:92a4c728093423d3af774a5d625a1382ec0490bc
Branches Tags
alanorth:master
alanorth:alpine
...
compare: alanorth:95d00059788f4ba9f6a3b8f1d9c3c514072c3121
Branches Tags
alanorth:master
alanorth:alpine

4 Commits
92a4c72809 ... 95d0005978

Author SHA1 Message Date
Alan Orth
95d0005978
Add ansible-lint 2022-09-10 18:36:53 +03:00
Alan Orth
498766fdc4
Pipfile.lock: run pipenv update 2022-09-10 18:36:07 +03:00
Alan Orth
fc0fcc5742 roles/common: fix unnamed blocks 2022-09-10 18:35:27 +03:00
Alan Orth
587bd6dcdd roles: use fully qualified module names 2022-09-10 18:35:27 +03:00
33 changed files with 559 additions and 303 deletions
Show Stats Expand all files Collapse all files

1
Pipfile
View File

@ -7,6 +7,7 @@ verify_ssl = true
[packages]
ansible = "*"
ansible-lint = "*"
[requires]
python_version = "3.10"

307
Pipfile.lock generated
View File

@ -1,7 +1,7 @@
{
"_meta": {
"hash": {
"sha256": "317b86105eac498eb2ff0ec57bfeb1077ed615c3ee3895d07e72708f6366314f"
"sha256": "2422e2d1b897e5e036bfa5bb03973c181899742b53c49abcdcc428da8820ac4c"
},
"pipfile-spec": 6,
"requires": {
@ -18,11 +18,19 @@
"default": {
"ansible": {
"hashes": [
"sha256:20625109c4e9c79e9e23bff6d1e32a780d13935007369111261a7ddfd3cf75b1",
"sha256:bdaf2b2fd926ff189fbde2fefe7234733f32c36fc413033fa5d93945fbdc06a6"
"sha256:74f5c3bd7441dcdb7cace8a3c2a44b0be7002be346bf8137e5c67fd8ba743fd3",
"sha256:d5fa9fc15a8d45c8d5247a9645b0b48f995d735b12c4da655666d48506273526"
],
"index": "pypi",
"version": "==6.2.0"
"version": "==6.3.0"
},
"ansible-compat": {
"hashes": [
"sha256:676db8ec0449d1f07038625b8ebb8ceef5f8ad3a1af3ee82d4ed66b9b04cb6fa",
"sha256:ce69a67785ae96e8962794a47494339991a0ae242ab5dd14a76ee2137d09072e"
],
"markers": "python_version >= '3.8'",
"version": "==2.2.0"
},
"ansible-core": {
"hashes": [
@ -32,6 +40,59 @@
"markers": "python_version >= '3.8'",
"version": "==2.13.3"
},
"ansible-lint": {
"hashes": [
"sha256:ac8241d3ce1b161f0e052b44f0d226fbda7d8f318d4f24269de7f2b87e32ff6f",
"sha256:f4432c74c0f28b2870a188b4999592f6338042f30d0c6f4ee11b32440ca9ffe4"
],
"index": "pypi",
"version": "==6.5.2"
},
"attrs": {
"hashes": [
"sha256:29adc2665447e5191d0e7c568fde78b21f9672d344281d0c6e1ab085429b22b6",
"sha256:86efa402f67bf2df34f51a335487cf46b1ec130d02b8d39fd248abfd30da551c"
],
"markers": "python_version >= '3.5'",
"version": "==22.1.0"
},
"black": {
"hashes": [
"sha256:0a12e4e1353819af41df998b02c6742643cfef58282915f781d0e4dd7a200411",
"sha256:0ad827325a3a634bae88ae7747db1a395d5ee02cf05d9aa7a9bd77dfb10e940c",
"sha256:32a4b17f644fc288c6ee2bafdf5e3b045f4eff84693ac069d87b1a347d861497",
"sha256:3b2c25f8dea5e8444bdc6788a2f543e1fb01494e144480bc17f806178378005e",
"sha256:4a098a69a02596e1f2a58a2a1c8d5a05d5a74461af552b371e82f9fa4ada8342",
"sha256:5107ea36b2b61917956d018bd25129baf9ad1125e39324a9b18248d362156a27",
"sha256:53198e28a1fb865e9fe97f88220da2e44df6da82b18833b588b1883b16bb5d41",
"sha256:5594efbdc35426e35a7defa1ea1a1cb97c7dbd34c0e49af7fb593a36bd45edab",
"sha256:5b879eb439094751185d1cfdca43023bc6786bd3c60372462b6f051efa6281a5",
"sha256:78dd85caaab7c3153054756b9fe8c611efa63d9e7aecfa33e533060cb14b6d16",
"sha256:792f7eb540ba9a17e8656538701d3eb1afcb134e3b45b71f20b25c77a8db7e6e",
"sha256:8ce13ffed7e66dda0da3e0b2eb1bdfc83f5812f66e09aca2b0978593ed636b6c",
"sha256:a05da0430bd5ced89176db098567973be52ce175a55677436a271102d7eaa3fe",
"sha256:a983526af1bea1e4cf6768e649990f28ee4f4137266921c2c3cee8116ae42ec3",
"sha256:bc4d4123830a2d190e9cc42a2e43570f82ace35c3aeb26a512a2102bce5af7ec",
"sha256:c3a73f66b6d5ba7288cd5d6dad9b4c9b43f4e8a4b789a94bf5abfb878c663eb3",
"sha256:ce957f1d6b78a8a231b18e0dd2d94a33d2ba738cd88a7fe64f53f659eea49fdd",
"sha256:cea1b2542d4e2c02c332e83150e41e3ca80dc0fb8de20df3c5e98e242156222c",
"sha256:d2c21d439b2baf7aa80d6dd4e3659259be64c6f49dfd0f32091063db0e006db4",
"sha256:d839150f61d09e7217f52917259831fe2b689f5c8e5e32611736351b89bb2a90",
"sha256:dd82842bb272297503cbec1a2600b6bfb338dae017186f8f215c8958f8acf869",
"sha256:e8166b7bfe5dcb56d325385bd1d1e0f635f24aae14b3ae437102dedc0c186747",
"sha256:e981e20ec152dfb3e77418fb616077937378b322d7b26aa1ff87717fb18b4875"
],
"markers": "python_full_version >= '3.6.2'",
"version": "==22.8.0"
},
"bracex": {
"hashes": [
"sha256:351b7f20d56fb9ea91f9b9e9e7664db466eb234188c175fd943f8f755c807e73",
"sha256:e7b23fc8b2cd06d3dec0692baabecb249dda94e06a617901ff03a6c56fd71693"
],
"markers": "python_version >= '3.7'",
"version": "==2.3.post1"
},
"cffi": {
"hashes": [
"sha256:00a9ed42e88df81ffae7a8ab6d9356b371399b91dbdf0c3cb1e84c03a13aceb5",
@ -101,33 +162,68 @@
],
"version": "==1.15.1"
},
"click": {
"hashes": [
"sha256:7682dc8afb30297001674575ea00d1814d808d6a36af415a82bd481d37ba7b8e",
"sha256:bb4d8133cb15a609f44e8213d9b391b0809795062913b383c62be0ee95b1db48"
],
"markers": "python_version >= '3.7'",
"version": "==8.1.3"
},
"commonmark": {
"hashes": [
"sha256:452f9dc859be7f06631ddcb328b6919c67984aca654e5fefb3914d54691aed60",
"sha256:da2f38c92590f83de410ba1a3cbceafbc74fee9def35f9251ba9a971d6d66fd9"
],
"version": "==0.9.1"
},
"cryptography": {
"hashes": [
"sha256:190f82f3e87033821828f60787cfa42bff98404483577b591429ed99bed39d59",
"sha256:2be53f9f5505673eeda5f2736bea736c40f051a739bfae2f92d18aed1eb54596",
"sha256:30788e070800fec9bbcf9faa71ea6d8068f5136f60029759fd8c3efec3c9dcb3",
"sha256:3d41b965b3380f10e4611dbae366f6dc3cefc7c9ac4e8842a806b9672ae9add5",
"sha256:4c590ec31550a724ef893c50f9a97a0c14e9c851c85621c5650d699a7b88f7ab",
"sha256:549153378611c0cca1042f20fd9c5030d37a72f634c9326e225c9f666d472884",
"sha256:63f9c17c0e2474ccbebc9302ce2f07b55b3b3fcb211ded18a42d5764f5c10a82",
"sha256:6bc95ed67b6741b2607298f9ea4932ff157e570ef456ef7ff0ef4884a134cc4b",
"sha256:7099a8d55cd49b737ffc99c17de504f2257e3787e02abe6d1a6d136574873441",
"sha256:75976c217f10d48a8b5a8de3d70c454c249e4b91851f6838a4e48b8f41eb71aa",
"sha256:7bc997818309f56c0038a33b8da5c0bfbb3f1f067f315f9abd6fc07ad359398d",
"sha256:80f49023dd13ba35f7c34072fa17f604d2f19bf0989f292cedf7ab5770b87a0b",
"sha256:91ce48d35f4e3d3f1d83e29ef4a9267246e6a3be51864a5b7d2247d5086fa99a",
"sha256:a958c52505c8adf0d3822703078580d2c0456dd1d27fabfb6f76fe63d2971cd6",
"sha256:b62439d7cd1222f3da897e9a9fe53bbf5c104fff4d60893ad1355d4c14a24157",
"sha256:b7f8dd0d4c1f21759695c05a5ec8536c12f31611541f8904083f3dc582604280",
"sha256:d204833f3c8a33bbe11eda63a54b1aad7aa7456ed769a982f21ec599ba5fa282",
"sha256:e007f052ed10cc316df59bc90fbb7ff7950d7e2919c9757fd42a2b8ecf8a5f67",
"sha256:f2dcb0b3b63afb6df7fd94ec6fbddac81b5492513f7b0436210d390c14d46ee8",
"sha256:f721d1885ecae9078c3f6bbe8a88bc0786b6e749bf32ccec1ef2b18929a05046",
"sha256:f7a6de3e98771e183645181b3627e2563dcde3ce94a9e42a3f427d2255190327",
"sha256:f8c0a6e9e1dd3eb0414ba320f85da6b0dcbd543126e30fcc546e7372a7fbf3b9"
"sha256:0297ffc478bdd237f5ca3a7dc96fc0d315670bfa099c04dc3a4a2172008a405a",
"sha256:10d1f29d6292fc95acb597bacefd5b9e812099d75a6469004fd38ba5471a977f",
"sha256:16fa61e7481f4b77ef53991075de29fc5bacb582a1244046d2e8b4bb72ef66d0",
"sha256:194044c6b89a2f9f169df475cc167f6157eb9151cc69af8a2a163481d45cc407",
"sha256:1db3d807a14931fa317f96435695d9ec386be7b84b618cc61cfa5d08b0ae33d7",
"sha256:3261725c0ef84e7592597606f6583385fed2a5ec3909f43bc475ade9729a41d6",
"sha256:3b72c360427889b40f36dc214630e688c2fe03e16c162ef0aa41da7ab1455153",
"sha256:3e3a2599e640927089f932295a9a247fc40a5bdf69b0484532f530471a382750",
"sha256:3fc26e22840b77326a764ceb5f02ca2d342305fba08f002a8c1f139540cdfaad",
"sha256:5067ee7f2bce36b11d0e334abcd1ccf8c541fc0bbdaf57cdd511fdee53e879b6",
"sha256:52e7bee800ec869b4031093875279f1ff2ed12c1e2f74923e8f49c916afd1d3b",
"sha256:64760ba5331e3f1794d0bcaabc0d0c39e8c60bf67d09c93dc0e54189dfd7cfe5",
"sha256:765fa194a0f3372d83005ab83ab35d7c5526c4e22951e46059b8ac678b44fa5a",
"sha256:79473cf8a5cbc471979bd9378c9f425384980fcf2ab6534b18ed7d0d9843987d",
"sha256:896dd3a66959d3a5ddcfc140a53391f69ff1e8f25d93f0e2e7830c6de90ceb9d",
"sha256:89ed49784ba88c221756ff4d4755dbc03b3c8d2c5103f6d6b4f83a0fb1e85294",
"sha256:ac7e48f7e7261207d750fa7e55eac2d45f720027d5703cd9007e9b37bbb59ac0",
"sha256:ad7353f6ddf285aeadfaf79e5a6829110106ff8189391704c1d8801aa0bae45a",
"sha256:b0163a849b6f315bf52815e238bc2b2346604413fa7c1601eea84bcddb5fb9ac",
"sha256:b6c9b706316d7b5a137c35e14f4103e2115b088c412140fdbd5f87c73284df61",
"sha256:c2e5856248a416767322c8668ef1845ad46ee62629266f84a8f007a317141013",
"sha256:ca9f6784ea96b55ff41708b92c3f6aeaebde4c560308e5fbbd3173fbc466e94e",
"sha256:d1a5bd52d684e49a36582193e0b89ff267704cd4025abefb9e26803adeb3e5fb",
"sha256:d3971e2749a723e9084dd507584e2a2761f78ad2c638aa31e80bc7a15c9db4f9",
"sha256:d4ef6cc305394ed669d4d9eebf10d3a101059bdcf2669c366ec1d14e4fb227bd",
"sha256:d9e69ae01f99abe6ad646947bba8941e896cb3aa805be2597a0400e0764b5818"
],
"markers": "python_version >= '3.6'",
"version": "==37.0.4"
"version": "==38.0.1"
},
"enrich": {
"hashes": [
"sha256:0a2ab0d2931dff8947012602d1234d2a3ee002d9a355b5d70be6bf5466008893",
"sha256:f29b2c8c124b4dbd7c975ab5c3568f6c7a47938ea3b7d2106c8a3bd346545e4f"
],
"markers": "python_version >= '3.6'",
"version": "==1.2.7"
},
"filelock": {
"hashes": [
"sha256:55447caa666f2198c5b6b13a26d2084d26fa5b115c00d065664b2124680c4edc",
"sha256:617eb4e5eedc82fc5f47b6d61e4d11cb837c56cb4544e39081099fa17ad109d4"
],
"markers": "python_version >= '3.7'",
"version": "==3.8.0"
},
"jinja2": {
"hashes": [
@ -137,6 +233,14 @@
"markers": "python_version >= '3.7'",
"version": "==3.1.2"
},
"jsonschema": {
"hashes": [
"sha256:165059f076eff6971bae5b742fc029a7b4ef3f9bcf04c14e4776a7605de14b23",
"sha256:9e74b8f9738d6a946d70705dc692b74b5429cd0960d58e79ffecfc43b2221eb9"
],
"markers": "python_version >= '3.7'",
"version": "==4.16.0"
},
"markupsafe": {
"hashes": [
"sha256:0212a68688482dc52b2d45013df70d169f542b7394fc744c02a57374a4207003",
@ -183,6 +287,13 @@
"markers": "python_version >= '3.7'",
"version": "==2.1.1"
},
"mypy-extensions": {
"hashes": [
"sha256:090fedd75945a69ae91ce1303b5824f428daf5a028d2f6ab8a299250a846f15d",
"sha256:2d82818f5bb3e369420cb3c4060a7970edba416647068eb4c5343488a6c604a8"
],
"version": "==0.4.3"
},
"packaging": {
"hashes": [
"sha256:dd47c42927d89ab911e606518907cc2d3a1f38bbd026385970643f9c5b8ecfeb",
@ -191,6 +302,22 @@
"markers": "python_version >= '3.6'",
"version": "==21.3"
},
"pathspec": {
"hashes": [
"sha256:46846318467efc4556ccfd27816e004270a9eeeeb4d062ce5e6fc7a87c573f93",
"sha256:7ace6161b621d31e7902eb6b5ae148d12cfd23f4a249b9ffb6b9fee12084323d"
],
"markers": "python_version >= '3.7'",
"version": "==0.10.1"
},
"platformdirs": {
"hashes": [
"sha256:027d8e83a2d7de06bbac4e5ef7e023c02b863d7ea5d079477e722bb41ab25788",
"sha256:58c8abb07dcb441e6ee4b11d8df0ac856038f944ab98b7be6b27b2a3c7feef19"
],
"markers": "python_version >= '3.7'",
"version": "==2.5.2"
},
"pycparser": {
"hashes": [
"sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9",
@ -199,6 +326,14 @@
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==2.21"
},
"pygments": {
"hashes": [
"sha256:56a8508ae95f98e2b9bdf93a6be5ae3f7d8af858b43e02c5a2ff083726be40c1",
"sha256:f643f331ab57ba3c9d89212ee4a2dabc6e94f117cf4eefde99a0574720d14c42"
],
"markers": "python_version >= '3.6'",
"version": "==2.13.0"
},
"pyparsing": {
"hashes": [
"sha256:2b020ecf7d21b687f219b71ecad3631f644a47f01403fa1d1036b0c6416d70fb",
@ -207,6 +342,33 @@
"markers": "python_full_version >= '3.6.8'",
"version": "==3.0.9"
},
"pyrsistent": {
"hashes": [
"sha256:0e3e1fcc45199df76053026a51cc59ab2ea3fc7c094c6627e93b7b44cdae2c8c",
"sha256:1b34eedd6812bf4d33814fca1b66005805d3640ce53140ab8bbb1e2651b0d9bc",
"sha256:4ed6784ceac462a7d6fcb7e9b663e93b9a6fb373b7f43594f9ff68875788e01e",
"sha256:5d45866ececf4a5fff8742c25722da6d4c9e180daa7b405dc0a2a2790d668c26",
"sha256:636ce2dc235046ccd3d8c56a7ad54e99d5c1cd0ef07d9ae847306c91d11b5fec",
"sha256:6455fc599df93d1f60e1c5c4fe471499f08d190d57eca040c0ea182301321286",
"sha256:6bc66318fb7ee012071b2792024564973ecc80e9522842eb4e17743604b5e045",
"sha256:7bfe2388663fd18bd8ce7db2c91c7400bf3e1a9e8bd7d63bf7e77d39051b85ec",
"sha256:7ec335fc998faa4febe75cc5268a9eac0478b3f681602c1f27befaf2a1abe1d8",
"sha256:914474c9f1d93080338ace89cb2acee74f4f666fb0424896fcfb8d86058bf17c",
"sha256:b568f35ad53a7b07ed9b1b2bae09eb15cdd671a5ba5d2c66caee40dbf91c68ca",
"sha256:cdfd2c361b8a8e5d9499b9082b501c452ade8bbf42aef97ea04854f4a3f43b22",
"sha256:d1b96547410f76078eaf66d282ddca2e4baae8964364abb4f4dcdde855cd123a",
"sha256:d4d61f8b993a7255ba714df3aca52700f8125289f84f704cf80916517c46eb96",
"sha256:d7a096646eab884bf8bed965bad63ea327e0d0c38989fc83c5ea7b8a87037bfc",
"sha256:df46c854f490f81210870e509818b729db4488e1f30f2a1ce1698b2295a878d1",
"sha256:e24a828f57e0c337c8d8bb9f6b12f09dfdf0273da25fda9e314f0b684b415a07",
"sha256:e4f3149fd5eb9b285d6bfb54d2e5173f6a116fe19172686797c056672689daf6",
"sha256:e92a52c166426efbe0d1ec1332ee9119b6d32fc1f0bbfd55d5c1088070e7fc1b",
"sha256:f87cc2863ef33c709e237d4b5f4502a62a00fab450c9e020892e8e2ede5847f5",
"sha256:fd8da6d0124efa2f67d86fa70c851022f87c98e205f0594e1fae044e7119a5a6"
],
"markers": "python_version >= '3.7'",
"version": "==0.18.1"
},
"pyyaml": {
"hashes": [
"sha256:0283c35a6a9fbf047493e3a0ce8d79ef5030852c51e9d911a27badfde0605293",
@ -252,6 +414,97 @@
"sha256:d9b7907f055c3b3a2cfc56c914ffd940122915826ff5fb5b1de0c99778f4de98"
],
"version": "==0.8.1"
},
"rich": {
"hashes": [
"sha256:2eb4e6894cde1e017976d2975ac210ef515d7548bc595ba20e195fb9628acdeb",
"sha256:63a5c5ce3673d3d5fbbf23cd87e11ab84b6b451436f1b7f19ec54b6bc36ed7ca"
],
"markers": "python_full_version >= '3.6.3' and python_full_version < '4.0.0'",
"version": "==12.5.1"
},
"ruamel.yaml": {
"hashes": [
"sha256:742b35d3d665023981bd6d16b3d24248ce5df75fdb4e2924e93a05c1f8b61ca7",
"sha256:8b7ce697a2f212752a35c1ac414471dc16c424c9573be4926b56ff3f5d23b7af"
],
"markers": "python_version >= '3'",
"version": "==0.17.21"
},
"ruamel.yaml.clib": {
"hashes": [
"sha256:066f886bc90cc2ce44df8b5f7acfc6a7e2b2e672713f027136464492b0c34d7c",
"sha256:0847201b767447fc33b9c235780d3aa90357d20dd6108b92be544427bea197dd",
"sha256:1070ba9dd7f9370d0513d649420c3b362ac2d687fe78c6e888f5b12bf8bc7bee",
"sha256:1866cf2c284a03b9524a5cc00daca56d80057c5ce3cdc86a52020f4c720856f0",
"sha256:1b4139a6ffbca8ef60fdaf9b33dec05143ba746a6f0ae0f9d11d38239211d335",
"sha256:210c8fcfeff90514b7133010bf14e3bad652c8efde6b20e00c43854bf94fa5a6",
"sha256:221eca6f35076c6ae472a531afa1c223b9c29377e62936f61bc8e6e8bdc5f9e7",
"sha256:31ea73e564a7b5fbbe8188ab8b334393e06d997914a4e184975348f204790277",
"sha256:3fb9575a5acd13031c57a62cc7823e5d2ff8bc3835ba4d94b921b4e6ee664104",
"sha256:4ff604ce439abb20794f05613c374759ce10e3595d1867764dd1ae675b85acbd",
"sha256:61bc5e5ca632d95925907c569daa559ea194a4d16084ba86084be98ab1cec1c6",
"sha256:6e7be2c5bcb297f5b82fee9c665eb2eb7001d1050deaba8471842979293a80b0",
"sha256:72a2b8b2ff0a627496aad76f37a652bcef400fd861721744201ef1b45199ab78",
"sha256:77df077d32921ad46f34816a9a16e6356d8100374579bc35e15bab5d4e9377de",
"sha256:78988ed190206672da0f5d50c61afef8f67daa718d614377dcd5e3ed85ab4a99",
"sha256:7b2927e92feb51d830f531de4ccb11b320255ee95e791022555971c466af4527",
"sha256:7f7ecb53ae6848f959db6ae93bdff1740e651809780822270eab111500842a84",
"sha256:825d5fccef6da42f3c8eccd4281af399f21c02b32d98e113dbc631ea6a6ecbc7",
"sha256:846fc8336443106fe23f9b6d6b8c14a53d38cef9a375149d61f99d78782ea468",
"sha256:89221ec6d6026f8ae859c09b9718799fea22c0e8da8b766b0b2c9a9ba2db326b",
"sha256:9efef4aab5353387b07f6b22ace0867032b900d8e91674b5d8ea9150db5cae94",
"sha256:a32f8d81ea0c6173ab1b3da956869114cae53ba1e9f72374032e33ba3118c233",
"sha256:a49e0161897901d1ac9c4a79984b8410f450565bbad64dbfcbf76152743a0cdb",
"sha256:ada3f400d9923a190ea8b59c8f60680c4ef8a4b0dfae134d2f2ff68429adfab5",
"sha256:bf75d28fa071645c529b5474a550a44686821decebdd00e21127ef1fd566eabe",
"sha256:cfdb9389d888c5b74af297e51ce357b800dd844898af9d4a547ffc143fa56751",
"sha256:d3c620a54748a3d4cf0bcfe623e388407c8e85a4b06b8188e126302bcab93ea8",
"sha256:d67f273097c368265a7b81e152e07fb90ed395df6e552b9fa858c6d2c9f42502",
"sha256:dc6a613d6c74eef5a14a214d433d06291526145431c3b964f5e16529b1842bed",
"sha256:de9c6b8a1ba52919ae919f3ae96abb72b994dd0350226e28f3686cb4f142165c"
],
"markers": "python_version < '3.11' and platform_python_implementation == 'CPython'",
"version": "==0.2.6"
},
"setuptools": {
"hashes": [
"sha256:2e24e0bec025f035a2e72cdd1961119f557d78ad331bb00ff82efb2ab8da8e82",
"sha256:7732871f4f7fa58fb6bdcaeadb0161b2bd046c85905dbaa066bdcbcc81953b57"
],
"markers": "python_version >= '3.7'",
"version": "==65.3.0"
},
"subprocess-tee": {
"hashes": [
"sha256:d34186c639aa7f8013b5dfba80e17f52589539137c9d9205f2ae1c1bd03549e1",
"sha256:ff5cced589a4b8ac973276ca1ba21bb6e3de600cde11a69947ff51f696efd577"
],
"markers": "python_version >= '3.6'",
"version": "==0.3.5"
},
"tomli": {
"hashes": [
"sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc",
"sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f"
],
"markers": "python_full_version < '3.11.0a7'",
"version": "==2.0.1"
},
"wcmatch": {
"hashes": [
"sha256:ba4fc5558f8946bf1ffc7034b05b814d825d694112499c86035e0e4d398b6a67",
"sha256:dc7351e5a7f8bbf4c6828d51ad20c1770113f5f3fd3dfe2a03cfde2a63f03f98"
],
"markers": "python_version >= '3.7'",
"version": "==8.4"
},
"yamllint": {
"hashes": [
"sha256:e688324b58560ab68a1a3cff2c0a474e3fed371dfe8da5d1b9817b7df55039ce"
],
"markers": "python_version >= '3.6'",
"version": "==1.27.1"
}
},
"develop": {}

12
roles/common/handlers/main.yml
View File

@ -1,23 +1,23 @@
---
# file: roles/common/handlers/main.yml
# ansible.builtin.file: roles/common/handlers/main.yml
- name: reload sshd
systemd: name={{ sshd_service_name }} state=reloaded
ansible.builtin.systemd: name={{ sshd_service_name }} state=reloaded
- name: reload sysctl
command: sysctl -p /etc/sysctl.conf
- name: restart firewalld
systemd: name=firewalld state=restarted
ansible.builtin.systemd: name=firewalld state=restarted
- name: reload systemd
systemd: daemon_reload=yes
ansible.builtin.systemd: daemon_reload=yes
- name: restart nftables
systemd: name=nftables state=restarted
ansible.builtin.systemd: name=nftables state=restarted
# 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed
# in the order they are defined, not in the order they are listed in the task's
# notify statement and we must restart fail2ban after updating the firewall.
- name: restart fail2ban
systemd: name=fail2ban state=restarted
ansible.builtin.systemd: name=fail2ban state=restarted

4
roles/common/tasks/cron-apt.yml
View File

@ -1,12 +1,12 @@
---
- name: Configure cron-apt (config)
copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }} owner={{ item.owner }} group={{ item.group }}
ansible.builtin.copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }} owner={{ item.owner }} group={{ item.group }}
loop:
- { src: 'etc/cron-apt/config', dest: '/etc/cron-apt/config', mode: '0644', owner: 'root', group: 'root' }
- { src: 'etc/cron-apt/3-download', dest: '/etc/cron-apt/action.d/3-download', mode: '0644', owner: 'root', group: 'root' }
- name: Configure cron-apt (security)
template: src=security.sources.list.j2 dest=/etc/apt/security.sources.list mode=0644 owner=root group=root
ansible.builtin.template: src=security.sources.list.j2 dest=/etc/apt/security.sources.list mode=0644 owner=root group=root
# vim: set ts=2 sw=2:

10
roles/common/tasks/fail2ban.yml
View File

@ -1,25 +1,25 @@
---
- name: Configure fail2ban sshd filter
template: src=etc/fail2ban/jail.d/sshd.local.j2 dest=/etc/fail2ban/jail.d/sshd.local owner=root mode=0644
ansible.builtin.template: src=etc/fail2ban/jail.d/sshd.local.j2 dest=/etc/fail2ban/jail.d/sshd.local owner=root mode=0644
notify: restart fail2ban
- name: Configure fail2ban nginx filter
when: "extra_fail2ban_filters is defined and 'nginx' in extra_fail2ban_filters"
template: src=etc/fail2ban/jail.d/nginx.local.j2 dest=/etc/fail2ban/jail.d/nginx.local owner=root mode=0644
ansible.builtin.template: src=etc/fail2ban/jail.d/nginx.local.j2 dest=/etc/fail2ban/jail.d/nginx.local owner=root mode=0644
notify: restart fail2ban
- name: Create fail2ban service override directory
file: path=/etc/systemd/system/fail2ban.service.d state=directory owner=root mode=0755
ansible.builtin.file: path=/etc/systemd/system/fail2ban.service.d state=directory owner=root mode=0755
# See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban
- name: Configure fail2ban service override
template: src=etc/systemd/system/fail2ban.service.d/override.conf.j2 dest=/etc/systemd/system/fail2ban.service.d/override.conf owner=root mode=0644
ansible.builtin.template: src=etc/systemd/system/fail2ban.service.d/override.conf.j2 dest=/etc/systemd/system/fail2ban.service.d/override.conf owner=root mode=0644
notify:
- reload systemd
- restart fail2ban
- name: Start and enable fail2ban service
systemd: name=fail2ban state=started enabled=yes
ansible.builtin.systemd: name=fail2ban state=started enabled=yes
# vim: set sw=2 ts=2:

40
roles/common/tasks/firewall_Debian.yml
View File

@ -5,7 +5,7 @@
- block:
- name: Set Debian firewall packages
when: ansible_distribution_major_version is version('10', '<=')
set_fact:
ansible.builtin.set_fact:
debian_firewall_packages:
- firewalld
- tidy
@ -14,7 +14,7 @@
- name: Set Debian firewall packages
when: ansible_distribution_major_version is version('11', '>=')
set_fact:
ansible.builtin.set_fact:
debian_firewall_packages:
- fail2ban
- libnet-ip-perl # for aggregate-cidr-addresses.pl
@ -23,26 +23,26 @@
- curl # for nftables update scripts
- name: Install firewall packages
apt: pkg={{ debian_firewall_packages }} state=present cache_valid_time=3600
ansible.builtin.apt: pkg={{ debian_firewall_packages }} state=present cache_valid_time=3600
- name: Remove iptables on newer Debian
when: ansible_distribution_major_version is version('11', '>=')
apt: pkg=iptables state=absent
ansible.builtin.apt: pkg=iptables state=absent
- name: Copy nftables.conf
when: ansible_distribution_major_version is version('11', '>=')
template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
ansible.builtin.template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
notify:
- restart nftables
- restart fail2ban
- name: Create /etc/nftables extra config directory
when: ansible_distribution_major_version is version('11', '>=')
file: path=/etc/nftables state=directory owner=root mode=0755
ansible.builtin.file: path=/etc/nftables state=directory owner=root mode=0755
- name: Copy extra nftables configuration files
when: ansible_distribution_major_version is version('11', '>=')
copy: src={{ item.src }} dest=/etc/nftables/{{ item.src }} owner=root group=root mode=0644 force={{ item.force }}
ansible.builtin.copy: src={{ item.src }} dest=/etc/nftables/{{ item.src }} owner=root group=root mode=0644 force={{ item.force }}
loop:
- { src: "spamhaus-ipv4.nft", force: "no" }
- { src: "spamhaus-ipv6.nft", force: "no" }
@ -55,7 +55,7 @@
- name: Use iptables backend in firewalld
when: ansible_distribution_major_version is version('10', '==')
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/firewalld/firewalld.conf
regexp: '^FirewallBackend=nftables$'
line: 'FirewallBackend=iptables'
@ -68,7 +68,7 @@
# See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931722
- name: Use individual iptables calls
when: ansible_distribution_major_version is version('10', '==')
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/firewalld/firewalld.conf
regexp: '^IndividualCalls=no$'
line: 'IndividualCalls=yes'
@ -78,7 +78,7 @@
- name: Copy firewalld public zone file
when: ansible_distribution_major_version is version('10', '<=')
template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
ansible.builtin.template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
- name: Format public.xml firewalld zone file
when: ansible_distribution_major_version is version('10', '<=')
@ -89,7 +89,7 @@
- name: Copy firewalld ipsets of abusive IPs
when: ansible_distribution_major_version is version('10', '<=')
copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
ansible.builtin.copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
loop:
- abusers-ipv4.xml
- abusers-ipv6.xml
@ -101,11 +101,11 @@
- name: Copy Spamhaus firewalld update script
when: ansible_distribution_version is version('10', '<=')
copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root
ansible.builtin.copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root
- name: Copy Spamhaus firewalld systemd units
when: ansible_distribution_version is version('10', '<=')
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
ansible.builtin.copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
loop:
- update-spamhaus-lists.service
- update-spamhaus-lists.timer
@ -113,7 +113,7 @@
- name: Copy Spamhaus nftables update scripts
when: ansible_distribution_version is version('11', '>=')
copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root
ansible.builtin.copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root
loop:
- update-spamhaus-nftables.sh
- aggregate-cidr-addresses.pl
@ -121,7 +121,7 @@
- name: Copy nftables systemd units
when: ansible_distribution_version is version('11', '>=')
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
ansible.builtin.copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
loop:
- update-spamhaus-nftables.service
- update-spamhaus-nftables.timer
@ -131,29 +131,29 @@
# need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon
systemd: daemon_reload=yes
ansible.builtin.systemd: daemon_reload=yes
when: spamhaus_firewalld_systemd_units is changed or
nftables_systemd_units is changed
- name: Start and enable Spamhaus firewalld update timer
when: ansible_distribution_version is version('10', '<=')
systemd: name=update-spamhaus-lists.timer state=started enabled=yes
ansible.builtin.systemd: name=update-spamhaus-lists.timer state=started enabled=yes
notify:
- restart firewalld
- restart fail2ban
- name: Start and enable nftables update timers
when: ansible_distribution_version is version('11', '>=')
systemd: name={{ item }} state=started enabled=yes
ansible.builtin.systemd: name={{ item }} state=started enabled=yes
loop:
- update-spamhaus-nftables.timer
- update-abusech-nftables.timer
- name: Start and enable nftables
when: ansible_distribution_major_version is version('11', '>=')
systemd: name=nftables state=started enabled=yes
ansible.builtin.systemd: name=nftables state=started enabled=yes
- include_tasks: fail2ban.yml
- ansible.builtin.include_tasks: fail2ban.yml
when: ansible_distribution_major_version is version('9', '>=')
tags: firewall

36
roles/common/tasks/firewall_Ubuntu.yml
View File

@ -6,7 +6,7 @@
- block:
- name: Set Ubuntu firewall packages
when: ansible_distribution_version is version('20.04', '<')
set_fact:
ansible.builtin.set_fact:
ubuntu_firewall_packages:
- firewalld
- tidy
@ -15,7 +15,7 @@
- name: Set Ubuntu firewall packages
when: ansible_distribution_version is version('20.04', '>=')
set_fact:
ansible.builtin.set_fact:
ubuntu_firewall_packages:
- fail2ban
- libnet-ip-perl # for aggregate-cidr-addresses.pl
@ -24,26 +24,26 @@
- curl # for nftables update scripts
- name: Install firewall packages
apt: pkg={{ ubuntu_firewall_packages }} state=present cache_valid_time=3600
ansible.builtin.apt: pkg={{ ubuntu_firewall_packages }} state=present cache_valid_time=3600
- name: Remove ufw
when: ansible_distribution_version is version('16.04', '>=')
apt: pkg=ufw state=absent
ansible.builtin.apt: pkg=ufw state=absent
- name: Copy nftables.conf
when: ansible_distribution_version is version('20.04', '>=')
template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
ansible.builtin.template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
notify:
- restart nftables
- restart fail2ban
- name: Create /etc/nftables extra config directory
when: ansible_distribution_version is version('20.04', '>=')
file: path=/etc/nftables state=directory owner=root mode=0755
ansible.builtin.file: path=/etc/nftables state=directory owner=root mode=0755
- name: Copy extra nftables configuration files
when: ansible_distribution_version is version('20.04', '>=')
copy: src={{ item.src }} dest=/etc/nftables/{{ item.src }} owner=root group=root mode=0644 force={{ item.force }}
ansible.builtin.copy: src={{ item.src }} dest=/etc/nftables/{{ item.src }} owner=root group=root mode=0644 force={{ item.force }}
loop:
- { src: "spamhaus-ipv4.nft", force: "no" }
- { src: "spamhaus-ipv6.nft", force: "no" }
@ -56,7 +56,7 @@
- name: Copy firewalld public zone file
when: ansible_distribution_version is version('18.04', '<=')
template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
ansible.builtin.template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
- name: Format public.xml firewalld zone file
when: ansible_distribution_version is version('18.04', '<=')
@ -67,7 +67,7 @@
- name: Copy firewalld ipsets of abusive IPs
when: ansible_distribution_version is version('18.04', '<=')
copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
ansible.builtin.copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
loop:
- abusers-ipv4.xml
- abusers-ipv6.xml
@ -79,11 +79,11 @@
- name: Copy Spamhaus firewalld update script
when: ansible_distribution_version is version('18.04', '<=')
copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root
ansible.builtin.copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root
- name: Copy Spamhaus firewalld systemd units
when: ansible_distribution_version is version('18.04', '<=')
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
ansible.builtin.copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
loop:
- update-spamhaus-lists.service
- update-spamhaus-lists.timer
@ -91,7 +91,7 @@
- name: Copy nftables update scripts
when: ansible_distribution_version is version('20.04', '>=')
copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root
ansible.builtin.copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root
loop:
- update-spamhaus-nftables.sh
- aggregate-cidr-addresses.pl
@ -99,7 +99,7 @@
- name: Copy nftables systemd units
when: ansible_distribution_version is version('20.04', '>=')
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
ansible.builtin.copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
loop:
- update-spamhaus-nftables.service
- update-spamhaus-nftables.timer
@ -109,29 +109,29 @@
# need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon
systemd: daemon_reload=yes
ansible.builtin.systemd: daemon_reload=yes
when: spamhaus_firewalld_systemd_units is changed or
nftables_systemd_units is changed
- name: Start and enable Spamhaus firewalld update timer
when: ansible_distribution_version is version('18.04', '<=')
systemd: name=update-spamhaus-lists.timer state=started enabled=yes
ansible.builtin.systemd: name=update-spamhaus-lists.timer state=started enabled=yes
notify:
- restart firewalld
- restart fail2ban
- name: Start and enable nftables update timers
when: ansible_distribution_version is version('20.04', '>=')
systemd: name={{ item }} state=started enabled=yes
ansible.builtin.systemd: name={{ item }} state=started enabled=yes
loop:
- update-spamhaus-nftables.timer
- update-abusech-nftables.timer
- name: Start and enable nftables
when: ansible_distribution_version is version('20.04', '>=')
systemd: name=nftables state=started enabled=yes
ansible.builtin.systemd: name=nftables state=started enabled=yes
- include_tasks: fail2ban.yml
- ansible.builtin.include_tasks: fail2ban.yml
when: ansible_distribution_version is version('16.04', '>=')
tags: firewall

22
roles/common/tasks/main.yml
View File

@ -1,54 +1,54 @@
---
- name: Import OS-specific variables
include_vars: "vars/{{ ansible_distribution }}.yml"
ansible.builtin.include_vars: "vars/{{ ansible_distribution }}.yml"
tags: always
- name: Configure network time
import_tasks: ntp.yml
ansible.builtin.import_tasks: ntp.yml
tags: ntp
- name: Install common packages
include_tasks: packages_Debian.yml
ansible.builtin.include_tasks: packages_Debian.yml
when: ansible_distribution == 'Debian'
tags: packages
- name: Install common packages
include_tasks: packages_Ubuntu.yml
ansible.builtin.include_tasks: packages_Ubuntu.yml
when: ansible_distribution == 'Ubuntu'
tags: packages
- name: Configure firewall
include_tasks: firewall_Debian.yml
ansible.builtin.include_tasks: firewall_Debian.yml
when: ansible_distribution == 'Debian'
tags: firewall
- name: Configure firewall
include_tasks: firewall_Ubuntu.yml
ansible.builtin.include_tasks: firewall_Ubuntu.yml
when: ansible_distribution == 'Ubuntu'
tags: firewall
- name: Configure secure shell daemon
import_tasks: sshd.yml
ansible.builtin.import_tasks: sshd.yml
tags: sshd
# containers identify as virtualization hosts, which makes this tricky, because we have actual Debian VM hosts!
- name: Reconfigure /etc/sysctl.conf
when: ansible_virtualization_role != 'host'
template: src=sysctl_{{ ansible_distribution }}.j2 dest=/etc/sysctl.conf owner=root group=root mode=0644
ansible.builtin.template: src=sysctl_{{ ansible_distribution }}.j2 dest=/etc/sysctl.conf owner=root group=root mode=0644
notify:
- reload sysctl
tags: sysctl
- name: Reconfigure /etc/rc.local
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('19.04', '<=')
template: src=rc.local_Ubuntu.j2 dest=/etc/rc.local owner=root group=root mode=0755
ansible.builtin.template: src=rc.local_Ubuntu.j2 dest=/etc/rc.local owner=root group=root mode=0755
- name: Set I/O scheduler
template: src=etc/udev/rules.d/60-scheduler.rules.j2 dest=/etc/udev/rules.d/60-scheduler.rules owner=root group=root mode=0644
ansible.builtin.template: src=etc/udev/rules.d/60-scheduler.rules.j2 dest=/etc/udev/rules.d/60-scheduler.rules owner=root group=root mode=0644
tags: udev
- name: Copy admin SSH keys
import_tasks: ssh-keys.yml
ansible.builtin.import_tasks: ssh-keys.yml
tags: ssh-keys
# vim: set sw=2 ts=2:

6
roles/common/tasks/ntp.yml
View File

@ -14,14 +14,14 @@
- name: Install systemd-timesyncd
when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or
(ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '=='))
apt: name=systemd-timesyncd state=present cache_valid_time=3600
ansible.builtin.apt: name=systemd-timesyncd state=present cache_valid_time=3600
- name: Start and enable systemd's NTP client
when: ansible_service_mgr == 'systemd'
systemd: name=systemd-timesyncd state=started enabled=yes
ansible.builtin.systemd: name=systemd-timesyncd state=started enabled=yes
- name: Uninstall ntp on modern Ubuntu/Debian
apt: name=ntp state=absent
ansible.builtin.apt: name=ntp state=absent
when: ansible_service_mgr == 'systemd'
# vim: set ts=2 sw=2:

13
roles/common/tasks/packages_Debian.yml
View File

@ -1,12 +1,13 @@
---
- block:
- name: Configure Debian packages
block:
- name: Configure apt mirror
template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
when: ansible_architecture != 'armv7l'
- name: Set fact for base packages
set_fact:
ansible.builtin.set_fact:
base_packages:
- git
- git-lfs
@ -28,14 +29,14 @@
- lsof
- name: Install base packages
apt: name={{ base_packages }} state=present cache_valid_time=3600
ansible.builtin.apt: name={{ base_packages }} state=present cache_valid_time=3600
- name: Configure cron-apt
import_tasks: cron-apt.yml
ansible.builtin.import_tasks: cron-apt.yml
tags: cron-apt
- name: Install tarsnap
import_tasks: tarsnap.yml
ansible.builtin.import_tasks: tarsnap.yml
tags: packages
# vim: set sw=2 ts=2:

31
roles/common/tasks/packages_Ubuntu.yml
View File

@ -1,15 +1,16 @@
---
- block:
- name: Configure Ubuntu packages
block:
- name: Configure apt mirror
template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
when: ansible_architecture != 'armv7l'
- name: Upgrade base OS
apt: upgrade=dist cache_valid_time=3600
ansible.builtin.apt: upgrade=dist cache_valid_time=3600
- name: Set Ubuntu base packages
set_fact:
ansible.builtin.set_fact:
ubuntu_base_packages:
- git
- git-lfs
@ -30,27 +31,27 @@
- lsof
- name: Install base packages
apt: pkg={{ ubuntu_base_packages }} state=present cache_valid_time=3600
ansible.builtin.apt: pkg={{ ubuntu_base_packages }} state=present cache_valid_time=3600
# We have to remove snaps one by one in a specific order because some depend
# on others. Only after that can we remove the corresponding system packages.
- name: Remove lxd snap
snap: name=lxd state=absent
community.general.snap: name=lxd state=absent
when: ansible_distribution_version is version('20.04', '==')
ignore_errors: yes
- name: Remove core18 snap
snap: name=core18 state=absent
community.general.snap: name=core18 state=absent
when: ansible_distribution_version is version('20.04', '==')
ignore_errors: yes
- name: Remove snapd snap
snap: name=snapd state=absent
community.general.snap: name=snapd state=absent
when: ansible_distribution_version is version('20.04', '==')
ignore_errors: yes
- name: Set fact for packages to remove (Ubuntu <= 18.04)
set_fact:
ansible.builtin.set_fact:
ubuntu_annoying_packages:
- whoopsie # security (CIS 4.1)
- apport # security (CIS 4.1)
@ -66,7 +67,7 @@
when: ansible_distribution_version is version('18.04', '<=')
- name: Set fact for packages to remove (Ubuntu 20.04)
set_fact:
ansible.builtin.set_fact:
ubuntu_annoying_packages:
- whoopsie # security (CIS 4.1)
- apport # security (CIS 4.1)
@ -78,10 +79,10 @@
when: ansible_distribution_version is version('20.04', '==')
- name: Remove packages
apt: name={{ ubuntu_annoying_packages }} state=absent purge=yes
ansible.builtin.apt: name={{ ubuntu_annoying_packages }} state=absent purge=yes
- name: Disable annoying Canonical spam in MOTD
file: path={{ item }} mode=0644 state=absent
ansible.builtin.file: path={{ item }} mode=0644 state=absent
loop:
- /etc/update-motd.d/99-esm # Ubuntu 14.04
- /etc/update-motd.d/10-help-text # Ubuntu 14.04+
@ -91,18 +92,18 @@
ignore_errors: yes
- name: Disable annoying Canonical spam in MOTD
systemd: name={{ item }} state=stopped enabled=no
ansible.builtin.systemd: name={{ item }} state=stopped enabled=no
when: ansible_service_mgr == 'systemd'
loop:
- motd-news.service
- motd-news.timer
- name: Configure cron-apt
import_tasks: cron-apt.yml
ansible.builtin.import_tasks: cron-apt.yml
tags: cron-apt
- name: Install tarsnap
import_tasks: tarsnap.yml
ansible.builtin.import_tasks: tarsnap.yml
tags: packages
# vim: set sw=2 ts=2:

4
roles/common/tasks/ssh-keys.yml
View File

@ -1,9 +1,9 @@
---
- name: Zero .ssh/authorized_keys for provisioning user
file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent
ansible.builtin.file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent
- name: Add public keys to authorized_keys
authorized_key: { user: '{{ provisioning_user.name }}', key: "{{ lookup('file',item) }}" }
ansible.posix.authorized_key: { user: '{{ provisioning_user.name }}', key: "{{ lookup('file',item) }}" }
with_fileglob:
# use descriptive names for keys, like: aorth-mzito-rsa.pub
- ssh-pub-keys/*.pub

6
roles/common/tasks/sshd.yml
View File

@ -2,14 +2,14 @@
# SSH configs don't change in Debian minor versions
- name: Reconfigure /etc/ssh/sshd_config
template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
when: ansible_distribution == 'Debian'
notify: reload sshd
# Ubuntu is the only distro we have where SSH version is very different from 14.04 -> 14.10,
# ie with new ciphers supported etc.
- name: Reconfigure /etc/ssh/sshd_config
template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
when: ansible_distribution == 'Ubuntu'
notify: reload sshd
@ -40,7 +40,7 @@
notify: reload sshd
- name: Remove DSA and ECDSA host keys
file: name=/etc/ssh/{{ item }} state=absent
ansible.builtin.file: name=/etc/ssh/{{ item }} state=absent
loop:
- ssh_host_dsa_key
- ssh_host_dsa_key.pub

10
roles/common/tasks/tarsnap.yml
View File

@ -1,24 +1,24 @@
---
- name: Add Tarsnap apt mirror
template: src=tarsnap_sources.list.j2 dest=/etc/apt/sources.list.d/tarsnap.list owner=root group=root mode=0644
ansible.builtin.template: src=tarsnap_sources.list.j2 dest=/etc/apt/sources.list.d/tarsnap.list owner=root group=root mode=0644
register: add_tarsnap_apt_repository
when: ansible_architecture != 'armv7l'
- name: Add GPG key for Tarsnap
apt_key: id=0xBF75EEAB040E447C url=https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc state=present
ansible.builtin.apt_key: id=0xBF75EEAB040E447C url=https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc state=present
register: add_tarsnap_apt_key
- name: Update apt cache
apt:
ansible.builtin.apt:
update_cache: yes
when:
add_tarsnap_apt_key is changed or
add_tarsnap_apt_repository is changed
- name: Install tarsnap
apt: pkg=tarsnap cache_valid_time=3600
ansible.builtin.apt: pkg=tarsnap cache_valid_time=3600
- name: Copy tarsnaprc
copy: src=tarsnaprc dest=/root/.tarsnaprc owner=root group=root mode=0600
ansible.builtin.copy: src=tarsnaprc dest=/root/.tarsnaprc owner=root group=root mode=0600
# vim: set sw=2 ts=2:

2
roles/mariadb/defaults/main.yml
View File

@ -1,5 +1,5 @@
---
# file: roles/mariadb/defaults/main.yml
# ansible.builtin.file: roles/mariadb/defaults/main.yml
#
# Based on my running of mysqltuner.pl on a host with three WordPress databases
#

2
roles/mariadb/handlers/main.yml
View File

@ -1,5 +1,5 @@
---
- name: restart mariadb
systemd: name=mariadb state=restarted
ansible.builtin.systemd: name=mariadb state=restarted
# vim: set ts=2 sw=2:

18
roles/mariadb/tasks/main.yml
View File

@ -1,55 +1,55 @@
---
- name: Add GPG key for MariaDB repo
apt_key: id=0x177F4010FE56CA3336300305F1656F24C74CD1D8 url=https://mariadb.org/mariadb_release_signing_key.asc
ansible.builtin.apt_key: id=0x177F4010FE56CA3336300305F1656F24C74CD1D8 url=https://mariadb.org/mariadb_release_signing_key.asc
register: add_mariadb_apt_key
tags: mariadb, packages
- name: Add MariaDB 10.5 repo
template: src=mariadb.list.j2 dest=/etc/apt/sources.list.d/mariadb.list owner=root group=root mode=0644
ansible.builtin.template: src=mariadb.list.j2 dest=/etc/apt/sources.list.d/mariadb.list owner=root group=root mode=0644
register: add_mariadb_apt_repository
tags: mariadb, packages
- name: Update apt cache
apt:
ansible.builtin.apt:
update_cache: yes
when:
add_mariadb_apt_key is changed or
add_mariadb_apt_repository is changed
- name: Install mariadb-server
apt: name={{ item }} state=present cache_valid_time=3600
ansible.builtin.apt: name={{ item }} state=present cache_valid_time=3600
loop:
- mariadb-server
- python3-pymysql # for ansible
tags: mariadb, packages
- name: Create system my.cnf
template: src=my.cnf.j2 dest=/etc/mysql/my.cnf owner=root group=root mode=0644
ansible.builtin.template: src=my.cnf.j2 dest=/etc/mysql/my.cnf owner=root group=root mode=0644
notify:
- restart mariadb
tags: mariadb
# See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_user_module.html
- name: Update MariaDB root password for all root accounts
mysql_user: name=root host={{ item }} password={{ mariadb_root_password }} login_unix_socket={{ mariadb_login_unix_socket }}
community.mysql.mysql_user: name=root host={{ item }} password={{ mariadb_root_password }} login_unix_socket={{ mariadb_login_unix_socket }}
loop:
- 127.0.0.1
- ::1
tags: mariadb
- name: Create .my.conf file with root credentials
template: src=.my.cnf.j2 dest=/root/.my.cnf owner=root mode=0600
ansible.builtin.template: src=.my.cnf.j2 dest=/root/.my.cnf owner=root mode=0600
tags: mariadb
# See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html
- name: Create MariaDB database(s)
mysql_db: db={{ item.name }} state=present encoding=utf8mb4 login_unix_socket={{ mariadb_login_unix_socket }}
community.mysql.mysql_db: db={{ item.name }} state=present encoding=utf8mb4 login_unix_socket={{ mariadb_login_unix_socket }}
loop: "{{ mariadb_databases }}"
when: mariadb_databases is defined
tags: mariadb
- name: Create MariaDB user(s)
mysql_user: name={{ item.user }} password={{ item.pass }} priv={{ item.name }}.*:ALL host=127.0.0.1 state=present login_unix_socket={{ mariadb_login_unix_socket }}
community.mysql.mysql_user: name={{ item.user }} password={{ item.pass }} priv={{ item.name }}.*:ALL host=127.0.0.1 state=present login_unix_socket={{ mariadb_login_unix_socket }}
loop: "{{ mariadb_databases }}"
when: mariadb_databases is defined
tags: mariadb

4
roles/munin/handlers/main.yml
View File

@ -1,4 +1,4 @@
---
# file: roles/munin/handlers/main.yml
# ansible.builtin.file: roles/munin/handlers/main.yml
- name: restart munin-node
systemd: name=munin-node state=restarted
ansible.builtin.systemd: name=munin-node state=restarted

4
roles/munin/tasks/main.yml
View File

@ -1,8 +1,8 @@
---
- name: Configure munin scraper
import_tasks: munin.yml
ansible.builtin.import_tasks: munin.yml
tags: munin
- name: Configure munin listener
import_tasks: munin-node.yml
ansible.builtin.import_tasks: munin-node.yml
tags: munin-node

10
roles/munin/tasks/munin-node.yml
View File

@ -1,25 +1,25 @@
---
- name: Install munin-node
apt: name=munin-node state=present
ansible.builtin.apt: name=munin-node state=present
tags: packages
# some nice things to have for munin-node on Ubuntu
# libwww-perl: for munin's nginx_status check
- name: Install munin-node deps
apt: name=libwww-perl state=present
ansible.builtin.apt: name=libwww-perl state=present
tags: packages
- name: Create munin-node.conf
template: src=munin-node.conf.j2 dest=/etc/munin/munin-node.conf
ansible.builtin.template: src=munin-node.conf.j2 dest=/etc/munin/munin-node.conf
notify:
- restart munin-node
- name: Configure munin-node
shell: munin-node-configure --shell --families=contrib,auto | sh -x
ansible.builtin.shell: munin-node-configure --shell --families=contrib,auto | sh -x
notify:
- restart munin-node
- name: Start munin-node
systemd: name=munin-node state=started enabled=true
ansible.builtin.systemd: name=munin-node state=started enabled=true
# vim: set ts=2 sw=2:

4
roles/munin/tasks/munin.yml
View File

@ -1,9 +1,9 @@
---
- name: Install munin package
apt: name=munin state=present
ansible.builtin.apt: name=munin state=present
tags: packages
- name: Create munin configuration file
template: src=munin.conf.j2 dest=/etc/munin/munin.conf owner=root group=root mode=0644
ansible.builtin.template: src=munin.conf.j2 dest=/etc/munin/munin.conf owner=root group=root mode=0644
# vim: set ts=2 sw=2:

2
roles/nginx/defaults/main.yml
View File

@ -1,5 +1,5 @@
---
# file: roles/nginx/defaults/main.yml
# ansible.builtin.file: roles/nginx/defaults/main.yml
# path config
nginx_confd_path: /etc/nginx/conf.d

2
roles/nginx/handlers/main.yml
View File

@ -1,5 +1,5 @@
---
- name: reload nginx
systemd: name=nginx state=reloaded
ansible.builtin.systemd: name=nginx state=reloaded
# vim: set ts=2 sw=2:

18
roles/nginx/tasks/letsencrypt.yml
View File

@ -4,12 +4,12 @@
# snap now.
- block:
- name: Remove certbot
apt:
ansible.builtin.apt:
name: certbot
state: absent
- name: Remove old certbot post and pre hooks for nginx
file:
ansible.builtin.file:
dest: "{{ item }}"
state: absent
with_items:
@ -17,12 +17,12 @@
- /etc/letsencrypt/renewal-hooks/post/start-nginx.sh
- name: Check if acme.sh is installed
stat:
ansible.builtin.stat:
path: "{{ letsencrypt_acme_home }}"
register: acme_home
- name: Download acme.sh
get_url:
ansible.builtin.get_url:
url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
dest: "{{ letsencrypt_acme_script_temp }}"
mode: 0700
@ -41,7 +41,7 @@
when: acme_download is changed
- name: Remove temporary acme.sh script
file:
ansible.builtin.file:
dest: "{{ letsencrypt_acme_script_temp }}"
state: absent
when: acme_install.rc is defined and acme_install.rc == 0
@ -51,7 +51,7 @@
cmd: "{{ letsencrypt_acme_home }}/acme.sh --set-default-ca --server letsencrypt"
- name: Prepare Let's Encrypt well-known directory
file:
ansible.builtin.file:
state: directory
path: /var/lib/letsencrypt/.well-known
owner: root
@ -59,7 +59,7 @@
mode: g+s
- name: Copy systemd service to renew Let's Encrypt certs
template:
ansible.builtin.template:
src: renew-letsencrypt.service.j2
dest: /etc/systemd/system/renew-letsencrypt.service
mode: 0644
@ -67,7 +67,7 @@
group: root
- name: Copy systemd timer to renew Let's Encrypt certs
copy:
ansible.builtin.copy:
src: renew-letsencrypt.timer
dest: /etc/systemd/system/renew-letsencrypt.timer
mode: 0644
@ -76,7 +76,7 @@
# always issues daemon-reload just in case the service/timer changed
- name: Start and enable systemd timer to renew Let's Encrypt certs
systemd:
ansible.builtin.systemd:
name: renew-letsencrypt.timer
state: started
enabled: yes

28
roles/nginx/tasks/main.yml
View File

@ -1,33 +1,33 @@
---
- name: Add nginx.org apt signing key
apt_key: id=0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 url=https://nginx.org/keys/nginx_signing.key state=present
ansible.builtin.apt_key: id=0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 url=https://nginx.org/keys/nginx_signing.key state=present
register: add_nginx_apt_key
tags: nginx, packages
- name: Add nginx.org repo
template: src=nginx_org_sources.list.j2 dest=/etc/apt/sources.list.d/nginx_org_sources.list owner=root group=root mode=0644
ansible.builtin.template: src=nginx_org_sources.list.j2 dest=/etc/apt/sources.list.d/nginx_org_sources.list owner=root group=root mode=0644
register: add_nginx_apt_repository
tags: nginx, packages
- name: Update apt cache
apt:
ansible.builtin.apt:
update_cache: yes
when:
add_nginx_apt_key is changed or
add_nginx_apt_repository is changed
- name: Install nginx
apt: pkg=nginx cache_valid_time=3600 state=present
ansible.builtin.apt: pkg=nginx cache_valid_time=3600 state=present
tags: nginx, packages
- name: Copy nginx.conf
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=0644 owner=root group=root
ansible.builtin.template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=0644 owner=root group=root
notify:
- reload nginx
tags: nginx
- name: Copy extra nginx configs
copy: src={{ item }} dest=/etc/nginx/{{ item }} mode=0644 owner=root group=root
ansible.builtin.copy: src={{ item }} dest=/etc/nginx/{{ item }} mode=0644 owner=root group=root
loop:
- extra-security.conf
- fastcgi_cache
@ -36,41 +36,41 @@
tags: nginx
- name: Remove default nginx vhost
file: path=/etc/nginx/conf.d/default.conf state=absent
ansible.builtin.file: path=/etc/nginx/conf.d/default.conf state=absent
tags: nginx
- name: Create fastcgi cache dir
file: path=/var/cache/nginx/cached/fastcgi state=directory owner=nginx group=nginx mode=0755
ansible.builtin.file: path=/var/cache/nginx/cached/fastcgi state=directory owner=nginx group=nginx mode=0755
tags: nginx
- name: Configure nginx virtual hosts
include_tasks: vhosts.yml
ansible.builtin.include_tasks: vhosts.yml
when: nginx_vhosts is defined
tags: nginx
- name: Configure WordPress
include_tasks: wordpress.yml
ansible.builtin.include_tasks: wordpress.yml
when: nginx_vhosts is defined
tags: wordpress
- name: Configure blank nginx vhost
template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf mode=0644 owner=root group=root
ansible.builtin.template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf mode=0644 owner=root group=root
notify:
- reload nginx
tags: nginx
- name: Configure munin vhost
copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root
ansible.builtin.copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root
notify:
- reload nginx
tags: nginx
- name: Start and enable nginx service
systemd: name=nginx state=started enabled=yes
ansible.builtin.systemd: name=nginx state=started enabled=yes
tags: nginx
- name: Configure Let's Encrypt
include_tasks: letsencrypt.yml
ansible.builtin.include_tasks: letsencrypt.yml
tags: letsencrypt
# vim: set ts=2 sw=2:

8
roles/nginx/tasks/vhosts.yml
View File

@ -2,18 +2,18 @@
- block:
- name: Configure https vhosts
template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root
ansible.builtin.template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root
loop: "{{ nginx_vhosts }}"
notify:
- reload nginx
- name: Generate self-signed TLS cert
command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
notify:
- reload nginx
- name: Download 4096-bit RFC 7919 dhparams
get_url:
ansible.builtin.get_url:
url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
dest: "{{ nginx_ssl_dhparam }}"
@ -22,7 +22,7 @@
# TODO: this could break because we can override the document root in host vars
- name: Create vhost document roots
file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx
ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx
loop: "{{ nginx_vhosts }}"
tags: nginx

4
roles/nginx/tasks/wordpress.yml
View File

@ -2,12 +2,12 @@
- block:
- name: Install WordPress
git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version }} depth=1 force=yes
ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version }} depth=1 force=yes
when: item.has_wordpress is defined and item.has_wordpress
loop: "{{ nginx_vhosts }}"
- name: Fix WordPress directory permissions
file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=yes
ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=yes
when: item.has_wordpress is defined and item.has_wordpress
loop: "{{ nginx_vhosts }}"
tags: wordpress

2
roles/php-fpm/defaults/main.yml
View File

@ -1,5 +1,5 @@
---
# file: roles/php-fpm/defaults/main.yml
# ansible.builtin.file: roles/php-fpm/defaults/main.yml
# default is on, but turn it off because of protection in nginx vhosts
cgi_fix_pathinfo: 0

6
roles/php-fpm/handlers/main.yml
View File

@ -1,14 +1,14 @@
---
# For Ubuntu 18.04
- name: reload php7.2-fpm
systemd: name=php7.2-fpm state=reloaded
ansible.builtin.systemd: name=php7.2-fpm state=reloaded
# For Debian 10
- name: reload php7.3-fpm
systemd: name=php7.3-fpm state=reloaded
ansible.builtin.systemd: name=php7.3-fpm state=reloaded
# For Ubuntu 20.04
- name: reload php7.4-fpm
systemd: name=php7.4-fpm state=reloaded
ansible.builtin.systemd: name=php7.4-fpm state=reloaded
# vim: set ts=2 sw=2:

10
roles/php-fpm/tasks/Debian_10.yml
View File

@ -2,7 +2,7 @@
- block:
- name: Set php-fpm packages
set_fact:
ansible.builtin.set_fact:
php_fpm_packages:
- php-fpm
# for WordPress
@ -11,22 +11,22 @@
- php-curl
- name: Install php-fpm and deps
apt: name={{ php_fpm_packages }} state=present update_cache=yes
ansible.builtin.apt: name={{ php_fpm_packages }} state=present update_cache=yes
# only copy php-fpm config for vhosts that need WordPress or PHP
- name: Copy php-fpm pool config
template: src=php7.3-pool.conf.j2 dest=/etc/php/7.3/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
ansible.builtin.template: src=php7.3-pool.conf.j2 dest=/etc/php/7.3/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: reload php7.3-fpm
- name: Remove default www pool
file: path=/etc/php/7.3/fpm/pool.d/www.conf state=absent
ansible.builtin.file: path=/etc/php/7.3/fpm/pool.d/www.conf state=absent
notify: reload php7.3-fpm
# re-configure php.ini
- name: Update php.ini
template: src=php7.3-php.ini.j2 dest=/etc/php/7.3/fpm/php.ini owner=root group=root mode=0644
ansible.builtin.template: src=php7.3-php.ini.j2 dest=/etc/php/7.3/fpm/php.ini owner=root group=root mode=0644
notify: reload php7.3-fpm
tags: php-fpm

10
roles/php-fpm/tasks/Ubuntu_18.04.yml
View File

@ -2,7 +2,7 @@
- block:
- name: Set php-fpm packages
set_fact:
ansible.builtin.set_fact:
php_fpm_packages:
- php-fpm
# for WordPress
@ -11,22 +11,22 @@
- php-curl
- name: Install php-fpm and deps
apt: name={{ php_fpm_packages }} state=present update_cache=yes
ansible.builtin.apt: name={{ php_fpm_packages }} state=present update_cache=yes
# only copy php-fpm config for vhosts that need WordPress or PHP
- name: Copy php-fpm pool config
template: src=php7.2-pool.conf.j2 dest=/etc/php/7.2/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
ansible.builtin.template: src=php7.2-pool.conf.j2 dest=/etc/php/7.2/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: reload php7.2-fpm
- name: Remove default www pool
file: path=/etc/php/7.2/fpm/pool.d/www.conf state=absent
ansible.builtin.file: path=/etc/php/7.2/fpm/pool.d/www.conf state=absent
notify: reload php7.2-fpm
# re-configure php.ini
- name: Update php.ini
template: src=php7.2-php.ini.j2 dest=/etc/php/7.2/fpm/php.ini owner=root group=root mode=0644
ansible.builtin.template: src=php7.2-php.ini.j2 dest=/etc/php/7.2/fpm/php.ini owner=root group=root mode=0644
notify: reload php7.2-fpm
tags: php-fpm

10
roles/php-fpm/tasks/Ubuntu_20.04.yml
View File

@ -2,7 +2,7 @@
- block:
- name: Set php-fpm packages
set_fact:
ansible.builtin.set_fact:
php_fpm_packages:
- php7.4-fpm
# for WordPress
@ -12,22 +12,22 @@
- php7.4-xml
- name: Install php-fpm and deps
apt: name={{ php_fpm_packages }} state=present update_cache=yes
ansible.builtin.apt: name={{ php_fpm_packages }} state=present update_cache=yes
# only copy php-fpm config for vhosts that need WordPress or PHP
- name: Copy php-fpm pool config
template: src=php7.4-pool.conf.j2 dest=/etc/php/7.4/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
ansible.builtin.template: src=php7.4-pool.conf.j2 dest=/etc/php/7.4/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: reload php7.4-fpm
- name: Remove default www pool
file: path=/etc/php/7.4/fpm/pool.d/www.conf state=absent
ansible.builtin.file: path=/etc/php/7.4/fpm/pool.d/www.conf state=absent
notify: reload php7.4-fpm
# re-configure php.ini
- name: Update php.ini
template: src=php7.4-php.ini.j2 dest=/etc/php/7.4/fpm/php.ini owner=root group=root mode=0644
ansible.builtin.template: src=php7.4-php.ini.j2 dest=/etc/php/7.4/fpm/php.ini owner=root group=root mode=0644
notify: reload php7.4-fpm
tags: php-fpm

14
roles/php-fpm/tasks/main.yml
View File

@ -10,40 +10,40 @@
#
# See: https://stackoverflow.com/a/31896249
- name: Check if any vhost needs WordPress
set_fact:
ansible.builtin.set_fact:
install_php: True
when: "nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', True) | list | length > 0"
# Legacy, was only for Piwik, but leaving for now.
- name: Check if any vhost needs PHP
set_fact:
ansible.builtin.set_fact:
install_php: True
when: "nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', True) | list | length > 0"
# If install_php has not been set, then we assume no vhosts need PHP. This is
# a bit hacky, but it's the closest we come to an if/then/else.
- name: Set install_php to False
set_fact:
ansible.builtin.set_fact:
install_php: False
when: install_php is not defined
- name: Configure php-fpm on Ubuntu 18.04
include_tasks: Ubuntu_18.04.yml
ansible.builtin.include_tasks: Ubuntu_18.04.yml
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==') and install_php
tags: php-fpm
- name: Configure php-fpm on Debian 10
include_tasks: Debian_10.yml
ansible.builtin.include_tasks: Debian_10.yml
when: ansible_distribution == 'Debian' and ansible_distribution_version is version('10', '==') and install_php
tags: php-fpm
- name: Configure php-fpm on Ubuntu 20.04
include_tasks: Ubuntu_20.04.yml
ansible.builtin.include_tasks: Ubuntu_20.04.yml
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==') and install_php
tags: php-fpm
- name: Configure php-fpm on Debian 11
include_tasks: Ubuntu_20.04.yml
ansible.builtin.include_tasks: Ubuntu_20.04.yml
when: ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '==') and install_php
tags: php-fpm