diff --git a/.ansible-lint b/.ansible-lint
index d03cb8f..a85e701 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -1,2 +1,7 @@
skip_list:
- '301'
+
+warn_list:
+ - '305' # Use shell only when shell functionality is required
+ - '503' # Tasks that run when changed should likely be handlers
+ - experimental # all rules tagged as experimental
diff --git a/base.yml b/base.yml
index 5aee2d2..38ec360 100755
--- a/base.yml
+++ b/base.yml
@@ -10,3 +10,8 @@
- hosts: all,!unifi
roles:
- ldap_client
+
+# Install logrotate
+- hosts: all,!unifi,!pve
+ roles:
+ - logrotate
diff --git a/host_vars/proxy-ovh.adm.auro.re.yml b/host_vars/proxy-ovh.adm.auro.re.yml
index 4659ba3..d68a483 100644
--- a/host_vars/proxy-ovh.adm.auro.re.yml
+++ b/host_vars/proxy-ovh.adm.auro.re.yml
@@ -2,10 +2,15 @@
certbot:
domains:
- auro.re
+ - chat.auro.re # cname to riot.auro.re
- codimd.auro.re
+ - element.auro.re # cname to riot.auro.re
+ - ehterpad.auro.re # cname to pad.auro.re
- grafana.auro.re
+ - hedgedoc.auro.re # cname to codimd.auro.re
- pad.auro.re
- passbolt.auro.re
+ - paste.auro.re # cname to privatebin.auro.re
- phabricator.auro.re
- privatebin.auro.re
- riot.auro.re
@@ -13,7 +18,7 @@ certbot:
- status.auro.re
- wiki.auro.re
- www.auro.re
- - zero.auro.re
+ - zero.auro.re # cname to privatebin.auro.re
mail: tech.aurore@lists.crans.org
certname: auro.re
@@ -54,12 +59,12 @@ nginx:
to: "10.128.0.150:8080"
- from: chat.auro.re
to: "10.128.0.150:8080"
-
+
- from: codimd.auro.re
to: "10.128.0.150:8081"
- from: hedgedoc.auro.re
to: "10.128.0.150:8081"
-
+
- from: grafana.auro.re
to: "10.128.0.150:8082"
diff --git a/hosts b/hosts
index ec09073..eec54a0 100644
--- a/hosts
+++ b/hosts
@@ -451,6 +451,13 @@ edc_pve
gs_pve
rives_pve
+# every unifi
+[unifi:children]
+gs_unifi
+edc_unifi
+fleming_unifi
+rives_unifi
+pacaterie_unifi
###############################################################################
# Groups by service 
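Review bot: `ehterpad.auro.re` in the certbot domains list looks like a misspelling of `etherpad.auro.re`; certbot validates every name in the list, so one name with no matching DNS record or vhost fails issuance for the whole `auro.re` certificate, including the other names added in this hunk. Confirm the intended hostname against DNS and the nginx `from:` entries of this file (the pad proxy mapping is outside the hunk) and fix the entry, `- etherpad.auro.re # cname to pad.auro.re`, or leave it out until the record exists.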
diff --git a/logrotate.yml b/logrotate.yml
new file mode 100755
index 0000000..8d3479e
--- /dev/null
+++ b/logrotate.yml
@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+# Playbook to run ONLY the logrotate role
+# Install logrotate
+- hosts: all,!unifi,!pve
+ roles:
+ - logrotate
diff --git a/roles/baseconfig/tasks/main.yml b/roles/baseconfig/tasks/main.yml
index 1c91511..2455998 100644
--- a/roles/baseconfig/tasks/main.yml
+++ b/roles/baseconfig/tasks/main.yml
@@ -4,26 +4,28 @@
when: ansible_os_family == "Debian"
apt:
name:
- - sudo
- - molly-guard # prevent reboot
- - ntp # network time sync
- - apt # better than apt-get
- - nano # for vulcain
- - vim # better than nano
- - emacs-nox # for maman
- - htop # better than top
- - zsh # to be able to ssh @erdnaxe
- - fish # to motivate @edpibu
- - oidentd # postgresql identification
- - aptitude # nice to have for Ansible
- acl # advanced ACL
- - iotop # monitor i/o
- - tree # create a graphical tree of files
+ - apt # better than apt-get
+ - aptitude # nice to have for Ansible
- bash-completion # because bash
+ - curl # better than wget
+ - emacs-nox # for maman
+ - fish # to motivate @edpibu
- git # code versioning
+ - htop # better than top
+ - iotop # monitor i/o
- less # i like cats
- - screen # Vulcain asked for this
- lsb-release
+ - molly-guard # prevent reboot
+ - nano # for vulcain
+ - net-tools
+ - ntp # network time sync
+ - oidentd # postgresql identification
+ - screen # Vulcain asked for this
+ - sudo
+ - tree # create a graphical tree of files
+ - vim # better than nano
+ - zsh # to be able to ssh @erdnaxe
update_cache: true
register: apt_result
retries: 3
@@ -92,13 +94,13 @@
apt:
pkg: smartmontools
state: absent
- autoremove: yes
+ autoremove: true
when: ansible_system_vendor == "QEMU"
- name: Remove useless packages from the cache
apt:
- autoclean: yes
+ autoclean: true
- name: Remove dependencies that are no longer required
apt:
- autoremove: yes
+ autoremove: true 
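Review bot: `- net-tools` is the only package added to the reordered list without the trailing why-comment every other entry carries (`- lsb-release` was already bare), and those comments are what lets this list answer "why is this installed" at a glance. Add one, e.g. `- net-tools # ifconfig/netstat for hands-on debugging`, and check whether iproute2's `ip`/`ss`, already present on Debian, covers the need, since net-tools is kept there only for compatibility. The enclosing `apt` task starts above the hunk.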
diff --git a/roles/certbot/handlers/main.yml b/roles/certbot/handlers/main.yml
new file mode 100644
index 0000000..82d2202
--- /dev/null
+++ b/roles/certbot/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+- name: Reload nginx
+ service:
+ name: nginx
+ state: reloaded
+
+- name: Generate certificates
+ command: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index f29d557..cbce286 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@@ -20,20 +20,6 @@
src: "letsencrypt/conf.d/certname.ini.j2"
dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
mode: 0644
- register: certbot_config
-
-- name: Stop services to allow certbot to generate a cert.
- service:
- name: nginx
- state: stopped
- when: certbot_config.changed
-
-- name: Generate new certificate if the configuration changed
- shell: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
- when: certbot_config.changed
-
-- name: Restart services to allow certbot to generate a cert.
- service:
- name: nginx
- state: started
- when: certbot_config.changed
+ notify:
+ - Generate certificates
+ - Reload nginx
diff --git a/roles/isc_dhcp_server/tasks/main.yml b/roles/isc_dhcp_server/tasks/main.yml
index b40b2b8..57d2d25 100644
--- a/roles/isc_dhcp_server/tasks/main.yml
+++ b/roles/isc_dhcp_server/tasks/main.yml
@@ -18,6 +18,7 @@
owner: re2o-services
group: nogroup
recurse: true
+ mode: 755
- name: Install isc-dhcp-server
apt:
@@ -101,7 +102,7 @@
when: is_aurore_host
- name: force run dhcp re2o-service
- shell: /var/local/re2o-services/dhcp/main.py --force
+ command: /var/local/re2o-services/dhcp/main.py --force
- name: Ensure dhcpd is running
service:
diff --git a/roles/logrotate/handlers/main.yml b/roles/logrotate/handlers/main.yml
new file mode 100644
index 0000000..a58c62e
--- /dev/null
+++ b/roles/logrotate/handlers/main.yml 
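Review bot: Handlers run in the order they are defined in this file, not the order they are notified, so `Reload nginx` fires before `Generate certificates` and nginx keeps serving the old certificate until the next play. Define `Generate certificates` first, or give it `notify: Reload nginx` and drop `Reload nginx` from the notify list in roles/certbot/tasks/main.yml (second hunk). The removed flow also stopped nginx around the certbot run; whether the reload-only sequence works depends on the authenticator set in the `{{ certbot.certname }}.ini` template, which is not on this page — a standalone authenticator needs port 80 free, a webroot/nginx one needs nginx up — so confirm which one it is before relying on the new handler.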
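Review bot: `mode: 755` is an unquoted YAML integer, and Ansible's file module takes an integer mode as decimal, so the directory ends up with octal 1363 rather than `rwxr-xr-x` (the module documentation requires a leading zero or quotes, and newer releases warn about or reject such a value). Write `mode: "0755"`. Because the task uses `recurse: true`, that mode also lands on every file below the re2o-services directory; `main.py` needs the execute bit for the `command:` in the second hunk, but the rest of the tree does not, so a separate task for the script would be tighter. The enclosing `file` task starts above the hunk.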
@@ -0,0 +1,5 @@
+---
+- name: reload logrotate
+ service:
+ name: logrotate
+ state: reloaded
diff --git a/roles/logrotate/tasks/main.yml b/roles/logrotate/tasks/main.yml
new file mode 100644
index 0000000..e76b591
--- /dev/null
+++ b/roles/logrotate/tasks/main.yml
@@ -0,0 +1,29 @@
+---
+# Install and configure logrotate
+
+# Install the apt package
+- name: Install logrotate
+ apt:
+ name:
+ - logrotate
+
+# Copy the configuration and reload the service if it has changed
+- name: Configure logrotate
+ template:
+ src: logrotate.d/rsyslog.j2
+ dest: /etc/logrotate.d/rsyslog
+ owner: root
+ group: root
+ mode: "0644"
+ notify: reload logrotate
+
+# Make sure the service is enabled and started
+- name: Enable logrotate service
+ service:
+ name: logrotate
+ enabled: true
+ state: started
+
+# Enforce new logrotate rules now
+- name: Run logrotate now
+ command: /usr/sbin/logrotate -f /etc/logrotate.d/rsyslog
diff --git a/roles/logrotate/templates/logrotate.d/rsyslog.j2 b/roles/logrotate/templates/logrotate.d/rsyslog.j2
new file mode 100644
index 0000000..beab470
--- /dev/null
+++ b/roles/logrotate/templates/logrotate.d/rsyslog.j2
@@ -0,0 +1,39 @@
+# {{ ansible_managed }}
+
+/var/log/syslog
+{
+ rotate 7
+ daily
+ missingok
+ notifempty
+ delaycompress
+ compress
+ postrotate
+ /usr/lib/rsyslog/rsyslog-rotate
+ endscript
+}
+
+/var/log/mail.info
+/var/log/mail.warn
+/var/log/mail.err
+/var/log/mail.log
+/var/log/daemon.log
+/var/log/kern.log
+/var/log/auth.log
+/var/log/user.log
+/var/log/lpr.log
+/var/log/cron.log
+/var/log/debug
+/var/log/messages
+{
+ rotate 1
+ daily
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ /usr/lib/rsyslog/rsyslog-rotate
+ endscript
+}
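Review bot: `state: reloaded` on `logrotate` assumes a long-running daemon, but on Debian logrotate is a oneshot `logrotate.service` driven by `logrotate.timer` (or cron) with no reload action, and it re-reads /etc/logrotate.d on every run anyway. Depending on the Ansible version the handler either fails on the reload or just starts the unit, which performs a rotation — neither is what `reload logrotate` promises. Drop the handler and the `notify: reload logrotate` in roles/logrotate/tasks/main.yml (next hunk); the new config is picked up at the next timer run.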
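Review bot: `Run logrotate now` calls `logrotate -f` on every play, unconditionally, and `-f` rotates regardless of the `daily` schedule; with `rotate 1` in the template's second block, two runs of the playbook on the same day discard the previous day's auth.log, kern.log and daemon.log entirely — the history one wants kept for incident review. Remove the task (the timer enabled by `Enable logrotate service` rotates daily) or make it the handler notified by `Configure logrotate`, with `changed_when: false` if it must stay as a task. `state: started` on the oneshot `logrotate.service` likely triggers a rotation per run as well rather than checking a daemon, so `enabled: true` alone, or `name: logrotate.timer`, expresses the intent.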
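Review bot: The second block keeps a single rotated copy (`rotate 1`, `daily`) of auth.log, kern.log, daemon.log and messages, i.e. at most two days of authentication and kernel history on each host, where Debian's stock rsyslog rotation keeps four weekly sets; incident investigation usually needs weeks of auth.log, so raise `rotate` for these files or make sure they reach a central log host before this is applied to `all,!unifi,!pve`. Put the chosen policy in a comment at the top of the template so the asymmetry with syslog's `rotate 7` reads as deliberate, e.g. `# local retention: syslog N days, auth/kern M days; long-term copy on LOG_HOST` with the actual values filled in.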