Merge branch 'refactor' into 'master'

Refactor

See merge request aurore/ansible!30

roles/baseconfig/tasks/apt-listchanges.yml

@@ -12,11 +12,20 @@
 
 # Send email when there is something new
 - name: Configure apt-listchanges
-  lineinfile:
+  ini_file:
-    dest: /etc/apt/listchanges.conf
+    path: /etc/apt/listchanges.conf
-    regexp: "^{{ item.key }}="
+    no_extra_spaces: true
-    line: "{{ item.value }}"
+    section: apt
-  with_dict:
+    option: "{{ item.option }}"
-    confirm: 'confirm=true'
+    value: "{{ item.value }}"
-    email_address: "email_address={{ monitoring_mail }}"
+    state: present
-    which: 'which=both'
+  loop:
+    - option: confirm
+      value: "true"
+
+    - option: email_address
+      value: "{{ monitoring_mail }}"
+
+    - option: which
+      value: both
+...

roles/baseconfig/tasks/main.yml

@@ -23,8 +23,8 @@
 # Pimp my server
 - name: Customize motd
   copy:
-    src: 'update-motd.d/00-logo'
+    src: update-motd.d/00-logo
-    dest: '/etc/update-motd.d/00-logo'
+    dest: /etc/update-motd.d/00-logo
     mode: 0755
 
 # Configure APT mirrors on Debian Stretch
@@ -33,8 +33,8 @@
     - ansible_distribution == 'Debian'
     - ansible_distribution_release == 'stretch'
   template:
-    src: 'apt/sources.list.j2'
+    src: apt/sources.list.j2
-    dest: '/etc/apt/sources.list'
+    dest: /etc/apt/sources.list
     mode: 0644
 
 # Patriotisme
@@ -50,8 +50,7 @@
     question: locales/default_environment_locale
     value: fr_FR.UTF-8
     vtype: select
-  notify:
+  notify: Reconfigure locales
-    - Reconfigure locales
 
 # Molly-Guard : prevent accidental shutdowns
 - include_tasks: molly-guard.yml
@@ -62,8 +61,8 @@
 # User skeleton
 - name: Configure user skeleton
   copy:
-    src: skel/{{ item.key }}
+    src: skel/dot_{{ item.key }}
-    dest: /etc/skel/{{ item.value }}
+    dest: /etc/skel/.{{ item.value }}
-  with_dict:
+  loop:
-    dot_zshrc: .zshrc
+    - zshrc
-    dot_zshrc.local: .zshrc.local
+    - zshrc.local

roles/basesecurity/tasks/main.yml

@@ -42,21 +42,45 @@
 - name: Install fail2ban
   apt:
     name: fail2ban
+    state: present
   register: apt_result
   retries: 3
   until: apt_result is succeeded
 
 - name: Configure fail2ban
-  template:
+  ini_file:
-    src: fail2ban/jail.d/local.conf.j2
+    path: /etc/fail2ban/jail.d/local.conf
-    dest: /etc/fail2ban/jail.d/local.conf
+    section: "{{ item.section }}"
-    mode: 0644
+    option: "{{ item.option }}"
+    value: "{{ item.value }}"
+    state: present
   notify: Restart fail2ban service
+  loop:
+    - section: DEFAULT
+      option: ignoreip
+      value: 10.128.0.254  # Whitelist bastion
+
+    - section: sshd
+      option: enabled
+      value: "true"
+
+    - section: sshd
+      option: bantime
+      value: 600
+
+    - section: sshd
+      option: findtime
+      value: 600
+
+    - section: sshd
+      option: maxretry
+      value: 5
 
 # See altered packages and configurations with `debsums -ca`
 - name: Install debsums
   apt:
     name: debsums
+    state: present
   register: apt_result
   retries: 3
   until: apt_result is succeeded

roles/basesecurity/templates/fail2ban/jail.d/local.conf.j2

@@ -1,12 +0,0 @@
-# {{ ansible_managed }}
-
-# Ban a host for 10mn
-# if it has failed 5 times during the last 10mn
-[sshd]
-enabled = true
-bantime  = 600
-findtime  = 600
-maxretry = 5
-
-# Whitelist bastion
-ignoreip = 10.128.0.254

roles/codimd/tasks/0_apt_dependencies.yml

@@ -2,8 +2,9 @@
 # For HTTPS apt
 - name: Install HTTPS apt
   apt:
-    name: apt-transport-https
     update_cache: true
+    name: apt-transport-https
+    state: present
   register: apt_result
   retries: 3
   until: apt_result is succeeded
@@ -12,19 +13,22 @@
   apt_key:
     url: https://dl.yarnpkg.com/debian/pubkey.gpg
     id: 1646B01B86E50310
+    state: present
   register: apt_key_result
   retries: 3
   until: apt_key_result is succeeded
 
 - name: Configure Yarn repository
   apt_repository:
-    repo: "deb https://dl.yarnpkg.com/debian/ stable main"
+    repo: deb https://dl.yarnpkg.com/debian/ stable main
+    state: present
 
 # Install CodiMD dependencies
 - name: Install required packages
   apt:
-    name: yarn
     update_cache: true
+    name: yarn
+    state: present
   register: apt_result
   retries: 3
   until: apt_result is succeeded

roles/codimd/tasks/main.yml

@@ -47,8 +47,8 @@
 # Service file
 - name: Install CodiMD systemd unit
   template:
-    src: 'systemd/codimd.service.j2'
+    src: systemd/codimd.service.j2
-    dest: '/etc/systemd/system/codimd.service'
+    dest: /etc/systemd/system/codimd.service
     owner: root
     group: root
     mode: 0644

roles/dokuwiki/tasks/main.yml

@@ -22,8 +22,9 @@
 # Install
 - name: Install DokuWiki
   apt:
-    name: dokuwiki
     update_cache: true
+    name: dokuwiki
+    state: present
   register: apt_result
   retries: 3
   until: apt_result is succeeded

roles/etherpad/tasks/main.yml

@@ -2,8 +2,9 @@
 # Install EtherPad dependencies
 - name: Install required packages
   apt:
-    name: curl
     update_cache: true
+    name: curl
+    state: present
   register: apt_result
   retries: 3
   until: apt_result is succeeded

roles/ldap-client/handlers/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: Reconfigure libnss-ldapd package
-  command: 'dpkg-reconfigure libnss-ldapd -f noninteractive'
+  command: dpkg-reconfigure libnss-ldapd -f noninteractive
 
 - name: Restart nslcd service
   service:

roles/ldap-client/tasks/0_install_ldap.yml

@@ -2,11 +2,12 @@
 # Install LDAP client packages
 - name: Install LDAP client packages
   apt:
+    update_cache: true
     name:
       - nslcd
       - libnss-ldapd
       - libpam-ldapd
-    update_cache: true
+    state: present
   register: apt_result
   retries: 3
   until: apt_result is succeeded
@@ -31,11 +32,11 @@
 - name: Configure NSS to use LDAP
   lineinfile:
     dest: /etc/nsswitch.conf
-    regexp: "^{{ item.key }}:"
+    regexp: "^{{ item }}:"
-    line: "{{ item.value }}"
+    line: "{{ item }}:         files ldap"
-  with_dict:
+  loop:
-    passwd: 'passwd:         files ldap'
+    - passwd
-    group: 'group:          files ldap'
+    - group
-    shadow: 'shadow:         files ldap'
+    - shadow
-    sudoers: 'sudoers:        files ldap'
+    - sudoers
   notify: Restart nslcd service

roles/ldap-client/tasks/1_group_security.yml

@@ -3,8 +3,9 @@
 - name: Filter SSH on groups
   lineinfile:
     dest: /etc/ssh/sshd_config
-    regexp: '^AllowGroups'
+    regexp: ^AllowGroups
-    line: "AllowGroups root sudoldap aurore ssh"
+    line: AllowGroups root sudoldap aurore ssh
+    state: present
 
 # To gain root access with ldap rights
 - name: Install SUDO package
@@ -19,13 +20,17 @@
 - name: Configure sudoers sudo group
   lineinfile:
     dest: /etc/sudoers
-    regexp: "^%{{ sudo_group }}"
+    regexp: ^%{{ sudo_group }}
     line: "%{{ sudo_group }} ALL=(ALL:ALL) ALL"
+    state: present
+    validate: /usr/sbin/visudo -cf %s
 
 # Set sudo location group
 - name: Configure sudoers sudo location group
   lineinfile:
     dest: /etc/sudoers
-    regexp: "^%{{ sudo_group_location }}"
+    regexp: ^%{{ sudo_group_location }}
     line: "%{{ sudo_group_location }} ALL=(ALL:ALL) ALL"
+    state: present
+    validate: /usr/sbin/visudo -cf %s
   when: sudo_group_location is defined

roles/ldap-client/tasks/2_userland_scripts.yml

@@ -3,9 +3,9 @@
 - name: Copy passwd and chsh scripts
   template:
     src: "{{ item }}.j2"
-    dest: "/usr/local/bin/{{ item }}"
+    dest: /usr/local/bin/{{ item }}
     mode: 0755
-  with_items:
+  loop:
     - chsh
     - passwd
 

roles/ldap-replica/tasks/main.yml

@@ -28,22 +28,26 @@
 
 # Cry a bit
 - name: Remove old data
-  file: path={{ item }} state=absent
+  file:
-  with_items:
+    path: "{{ item }}"
+    state: absent
+  loop:
     - /etc/ldap/slapd.d
     - /var/lib/ldap
 
 # Cry a lot
 - name: Recreate structure
-  file: path={{ item }} state=directory
+  file:
-  with_items:
+    path: "{{ item }}"
+    state: directory
+  loop:
     - /etc/ldap/slapd.d
     - /var/lib/ldap
 
 # Install schema as root
 # We can't do a `become_user` here
 - name: Install LDAP schema
-  command: 'slapadd -n 0 -l /etc/ldap/schema.ldiff -F /etc/ldap/slapd.d'
+  command: slapadd -n 0 -l /etc/ldap/schema.ldiff -F /etc/ldap/slapd.d
 
 # then fix permissions
 - name: Fix permissions
@@ -52,10 +56,12 @@
     owner: openldap
     group: openldap
     recurse: true
-  with_items:
+  loop:
-    - '/var/lib/ldap'
+    - /var/lib/ldap
-    - '/etc/ldap/slapd.d'
+    - /etc/ldap/slapd.d
 
 # Save the day
 - name: Start LDAP server
-  service: name=slapd state=started
+  service:
+    name: slapd
+    state: started

roles/matrix-appservice-discord/tasks/main.yml

@@ -44,8 +44,8 @@
 # Service file
 - name: Install matrix-appservice-discord systemd unit
   template:
-    src: 'systemd/matrix-appservice-discord.service.j2'
+    src: systemd/matrix-appservice-discord.service.j2
-    dest: '/etc/systemd/system/matrix-appservice-discord.service'
+    dest: /etc/systemd/system/matrix-appservice-discord.service
     owner: root
     group: root
     mode: 0644

roles/matrix-appservice-irc/tasks/main.yml

@@ -33,8 +33,8 @@
 # Service file
 - name: Install matrix-appservice-irc systemd unit
   template:
-    src: 'systemd/matrix-appservice-irc.service.j2'
+    src: systemd/matrix-appservice-irc.service.j2
-    dest: '/etc/systemd/system/matrix-appservice-irc.service'
+    dest: /etc/systemd/system/matrix-appservice-irc.service
     owner: root
     group: root
     mode: 0644

roles/matrix-appservice-webhooks/tasks/main.yml

@@ -33,8 +33,8 @@
 # Service file
 - name: Install matrix-appservice-webhooks systemd unit
   template:
-    src: 'systemd/matrix-appservice-webhooks.service.j2'
+    src: systemd/matrix-appservice-webhooks.service.j2
-    dest: '/etc/systemd/system/matrix-appservice-webhooks.service'
+    dest: /etc/systemd/system/matrix-appservice-webhooks.service
     owner: root
     group: root
     mode: 0644

roles/matrix-mxisd/tasks/main.yml

@@ -2,6 +2,7 @@
 - name: Install mxisd
   apt:
     deb: "{{ mxisd_deb }}"
+    state: present
   register: apt_result
   retries: 3
   until: apt_result is succeeded

roles/matrix-riot/tasks/main.yml

@@ -2,8 +2,9 @@
 # Install HTTPS support for APT
 - name: Install apt-transport-https
   apt:
-    name: apt-transport-https
     update_cache: true
+    name: apt-transport-https
+    state: present
   register: apt_result
   retries: 3
   until: apt_result is succeeded
@@ -11,21 +12,24 @@
 # Add the repository into source list
 - name: Configure riot repository
   apt_repository:
-    repo: "deb https://riot.im/packages/debian/ {{ ansible_distribution_release }} main"
+    repo: deb https://riot.im/packages/debian/ {{ ansible_distribution_release }} main
+    state: present
 
 # Add the key
 - name: Configure the apt key
   apt_key:
     url: https://riot.im/packages/debian/repo-key.asc
     id: E019645248E8F4A1
+    state: present
   register: apt_key_result
   retries: 3
   until: apt_key_result is succeeded
 
 - name: Install riot-web
   apt:
-    name: riot-web
     update_cache: true
+    name: riot-web
+    state: present
   register: apt_result
   retries: 3
   until: apt_result is succeeded
@@ -43,6 +47,7 @@
 - name: Install nginx
   apt:
     name: nginx
+    state: present
   register: apt_result
   retries: 3
   until: apt_result is succeeded

roles/matrix-synapse/tasks/main.yml

@@ -1,8 +1,9 @@
 ---
 - name: Install matrix-synapse
   apt:
-    name: matrix-synapse
     update_cache: true
+    name: matrix-synapse
+    state: present
     default_release: stretch-backports
   register: apt_result
   retries: 3

roles/nginx-reverse-proxy/tasks/main.yml

@@ -4,8 +4,9 @@
 # but also reduces the surface of attack
 - name: Install NGINX server
   apt:
-    name: nginx-light
     update_cache: true
+    name: nginx-light
+    state: present
   register: apt_result
   retries: 3
   until: apt_result is succeeded
@@ -13,8 +14,8 @@
 # Install proxy snippets
 - name: Configure NGINX proxy snippets
   template:
-    src: "nginx/snippets/{{ item }}.j2"
+    src: nginx/snippets/{{ item }}.j2
-    dest: "/etc/nginx/snippets/{{ item }}"
+    dest: /etc/nginx/snippets/{{ item }}
     mode: 0644
   loop:
     - proxy-common.conf
@@ -25,7 +26,7 @@
 - name: Configure NGINX sites
   template:
     src: nginx/nginx-sites-available.j2
-    dest: "/etc/nginx/sites-available/{{ item.name }}"
+    dest: /etc/nginx/sites-available/{{ item.name }}
     mode: 0644
   loop: "{{ reversed_proxy_subdomains }}"
   notify: Reload NGINX service
@@ -40,8 +41,8 @@
 # Activate sites
 - name: Activate sites
   file:
-    src: "/etc/nginx/sites-available/{{ item.name }}"
+    src: /etc/nginx/sites-available/{{ item.name }}
-    dest: "/etc/nginx/sites-enabled/{{ item.name }}"
+    dest: /etc/nginx/sites-enabled/{{ item.name }}
     state: link
   loop: "{{ reversed_proxy_subdomains }}"
   notify: Reload NGINX service

roles/nodejs/tasks/main.yml

@@ -10,11 +10,12 @@
 
 - name: Install required packages
   apt:
+    update_cache: true
     name:
       - nodejs
       - npm
       - build-essential  # To build npm packages
-    update_cache: true
+    state: present
   register: apt_result
   retries: 3
   until: apt_result is succeeded