Merge branch 'master' into Global_monitoring

3 years ago · 74c30b81df
parent b278b02bc2 3eb9536c7b
commit 74c30b81df
18 changed files with 173 additions and 32 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@ -1,5 +1,10 @@
 skip_list:
-  - '301'
+  - no-changed-when
+  - load-failure
+  - document-start

 warn_list:
  - experimental  # all rules tagged as experimental
+
+exclude_paths:
+- group_vars/all/vault.yml
--- a/.drone.yml
+++ b/.drone.yml
@ -4,16 +4,9 @@ type: docker
 name: check

 steps:
-  - name: yamllint
-    image: python:3.9-alpine
+  - name: ansible and yaml linting
+    pull: never
+    image: aurore-ansible-lint-image
    commands:
-      - pip install yamllint==1.25.0
-      - yamllint -c .yamllint.yml .
-
-  - name: ansible-lint
-    image: python:3.9-alpine
-    commands:
-      - apk add --no-cache gcc libc-dev libffi-dev openssl-dev
-      - pip install ansible-lint==4.3.7
      - ansible-lint
 ...
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -1,19 +0,0 @@
---
-image: python:3.9-alpine
-
-stages:
-  - lint
-
-yamllint:
-  stage: lint
-  script:
-    - pip install yamllint==1.25.0
-    - yamllint -c .yamllint.yml .
-
-ansible-lint:
-  stage: lint
-  script:
-    - apk add gcc libc-dev libffi-dev openssl-dev
-    - pip install ansible-lint==4.3.7
-    - ansible-lint *.yml
-...
--- a/.yamllint.yml
+++ b/.yamllint.yml
@ -6,6 +6,5 @@ rules:
    max: 120
    level: warning
  document-start:
-    ignore: |
-      /groups_var/all/vault.yml
+    ignore: group_vars/all/vault.yml
 ...
--- a/README.md
+++ b/README.md
@ -1,3 +1,5 @@
+[![Linter Status](https://drone.auro.re/api/badges/Aurore/ansible/status.svg)](https://drone.auro.re/Aurore/ansible)
+
 # Recettes Ansible d'Aurore

 Ensemble des recettes de déploiement Ansible pour les serveurs d'Aurore.
--- a/deploy_postfix_non_mailhost.yml
+++ b/deploy_postfix_non_mailhost.yml
@ -0,0 +1,8 @@
+---
+# Deploy a correclty configured postfix on non mailhost servers
+- hosts: all,!unifi
+  vars:
+    local_network: 10.128.0.0/16
+    relay_host: proxy.adm.auro.re
+  roles:
+    - postfix_non_mailhost
--- a/docker-ansible-lint/Dockerfile
+++ b/docker-ansible-lint/Dockerfile
@ -0,0 +1,7 @@
+FROM python:3.9-alpine
+LABEL description="Aurore's docker image for ansible-lint"
+
+RUN apk add --no-cache gcc musl-dev python3-dev libffi-dev openssl-dev cargo
+RUN pip install "yamllint>=1.26.0,<2.0"
+RUN pip install "ansible-lint==5.0.0"
+RUN pip install "ansible>=2.10,<2.11"
--- a/docker-ansible-lint/README.md
+++ b/docker-ansible-lint/README.md
@ -0,0 +1,18 @@
+# Ansible-lint image
+
+In order to build this image when a new version comes out, you need to
+1. ssh into the `drone.adm.auro.re` server
+2. git pull this repo to the lastest version
+3. optionally make the changes if it has not been done yet
+4. `sudo docker build -t aurore-ansible-lint-image docker-ansible-lint/`
+5. ???
+6. enjoy
+
+You can verify that the image was correclty built by running
+```
+# list the images present
+sudo docker image ls
+
+# run your image with an interactive shell
+sudo docker run -it --rm aurore-ansible-lint-image /bin/sh
+```
--- a/roles/postfix_non_mailhost/handlers/main.yml
+++ b/roles/postfix_non_mailhost/handlers/main.yml
@ -0,0 +1,10 @@
+---
+- name: restart postfix
+  service:
+    name: postfix
+    state: restarted
+
+- name: reload postfix
+  service:
+    name: postfix
+    state: reloaded
--- a/roles/postfix_non_mailhost/tasks/main.yml
+++ b/roles/postfix_non_mailhost/tasks/main.yml
@ -0,0 +1,17 @@
+---
+- name: Install postfix
+  apt:
+    name: postfix
+    update_cache: true
+  register: result
+  retries: 3
+  until: result is succeeded
+
+- name: Configure postfix
+  template:
+    src: main.cf.j2
+    dest: /etc/postfix/main.cf
+    mode: 0644
+    owner: root
+    group: root
+  notify: restart postfix
--- a/roles/postfix_non_mailhost/templates/main.cf.j2
+++ b/roles/postfix_non_mailhost/templates/main.cf.j2
@ -0,0 +1,32 @@
+# {{ ansible_managed }}
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+# Template based on /usr/share/postfix/main.cf.debian
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# fresh installs.
+compatibility_level = 2
+
+# Send mail as user@{{ ansible_fqdn }}
+myhostname = {{ ansible_fqdn }}
+myorigin = $myhostname
+mydomain = $myhostname
+
+# Specify the trusted networks
+mynetworks = 127.0.0.0/8 {{ local_network }}
+
+# This host does not relay mail from untrusted networks
+relay_domains =
+
+# This is needed if no direct Internet access is available
+relayhost = {{ relay_host }}
--- a/utils/README.md
+++ b/utils/README.md
@ -0,0 +1,4 @@
+# Utils
+
+A repository of Ansible Playbooks that are useful, as little script or various
+utilities, but not used in production.
--- a/utils/logrotate.yml
+++ b/utils/logrotate.yml
--- a/utils/nuke_radius_dbs.yml
+++ b/utils/nuke_radius_dbs.yml
--- a/utils/re2o_mail_server.yml
+++ b/utils/re2o_mail_server.yml
@ -0,0 +1,13 @@
+---
+# Deploy Re2o mail service
+- hosts: mail.auro.re
+  vars:
+    service_repo: https://gitea.auro.re/aurore/re2o-mail-server.git
+    service_name: mail-server
+    service_version: aurore
+    service_config:
+      hostname: re2o-test.adm.auro.re  # use test instance for now, should be changed for prod!
+      username: service-user
+      password: "{{ vault_serviceuser_passwd }}"
+  roles:
+    - re2o-service
--- a/utils/reboot_needed_check.yml
+++ b/utils/reboot_needed_check.yml
@ -0,0 +1,31 @@
+#!/usr/bin/env ansible-playbook
+---
+# Check if a reboot is required by the installation of some packages (ie kernel)
+- hosts: localhost
+  tasks:
+    - name: Make sure local file exist but is empty  # weird hack, I know
+      copy:
+        dest: /tmp/ansible_dump_reboot_needed.txt
+        content: ""
+        force: true
+        mode: 0644
+
+- hosts: all,!unifi,!escalope.adm.auro.re,!loki.adm.auro.re,!viviane.adm.auro.re,!vpn-ovh.adm.auro.re
+  tasks:
+    # Register the output of the file /var/run/reboot-required.pkgs
+    - name: Register if boot is required
+      shell: if [ -e /var/run/reboot-required.pkgs ]; then cat /var/run/reboot-required.pkgs; fi
+      register: result
+
+    - name: DEBUG
+      debug:
+        msg: "{{ ansible_facts['nodename'] }} : {{ result.stdout }}"
+      when: result.stdout is defined
+
+    # Add info line by line
+    - name: Dump all info into the local file
+      delegate_to: localhost
+      lineinfile:
+        path: /tmp/ansible_dump_reboot_needed.txt
+        line: "{{ ansible_facts['nodename'] }} : {{ result.stdout }}"
+      when: result.stdout is defined
--- a/utils/upgrade.yml
+++ b/utils/upgrade.yml
--- a/utils/version_check.yml
+++ b/utils/version_check.yml
@ -0,0 +1,21 @@
+#!/usr/bin/env ansible-playbook
+---
+# Check for the distribution
+- hosts: localhost
+  tasks:
+    - name: Make sure local file exist but is empty  # weird hack, I know
+      copy:
+        dest: /tmp/ansible_dump_reboot_needed.txt
+        content: ""
+        force: true
+        mode: 0644
+
+- hosts: all,!unifi
+  tasks:
+    # Add info line by line
+    - name: Dump all info into the local file
+      delegate_to: localhost
+      lineinfile:
+        path: /tmp/ansible_dump_dist_version.txt
+        line: "[{{ ansible_facts['nodename'] }}] {{ ansible_fqdn }} : {{
+                ansible_distribution }} {{ ansible_distribution_version }}"