From 02e4e7d48f49378e00fc8fa609ce1451588054fc Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Sun, 17 Jan 2021 12:12:53 +0100
Subject: [PATCH 01/22] Sort APT packages
Signed-off-by: Yohann D'ANELLO
---
 roles/baseconfig/tasks/main.yml | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/roles/baseconfig/tasks/main.yml b/roles/baseconfig/tasks/main.yml
index 1c91511..f68155c 100644
--- a/roles/baseconfig/tasks/main.yml
+++ b/roles/baseconfig/tasks/main.yml
@@ -4,26 +4,26 @@
 when: ansible_os_family == "Debian"
 apt:
 name:
- - sudo
- - molly-guard # prevent reboot
- - ntp # network time sync
- - apt # better than apt-get
- - nano # for vulcain
- - vim # better than nano
- - emacs-nox # for maman
- - htop # better than top
- - zsh # to be able to ssh @erdnaxe
- - fish # to motivate @edpibu
- - oidentd # postgresql identification
- - aptitude # nice to have for Ansible
 - acl # advanced ACL
- - iotop # monitor i/o
- - tree # create a graphical tree of files
+ - apt # better than apt-get
+ - aptitude # nice to have for Ansible
 - bash-completion # because bash
+ - emacs-nox # for maman
+ - fish # to motivate @edpibu
 - git # code versioning
+ - htop # better than top
+ - iotop # monitor i/o
 - less # i like cats
- - screen # Vulcain asked for this
 - lsb-release
+ - molly-guard # prevent reboot
+ - nano # for vulcain
+ - ntp # network time sync
+ - oidentd # postgresql identification
+ - screen # Vulcain asked for this
+ - sudo
+ - tree # create a graphical tree of files
+ - vim # better than nano
+ - zsh # to be able to ssh @erdnaxe
 update_cache: true
 register: apt_result
 retries: 3
From 0364006062742dbad2a6f7dded687e522b7514cb Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Sun, 17 Jan 2021 12:13:30 +0100
Subject: [PATCH 02/22] Install curl and net-tools by default
Signed-off-by: Yohann D'ANELLO
---
 roles/baseconfig/tasks/main.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/roles/baseconfig/tasks/main.yml b/roles/baseconfig/tasks/main.yml
index f68155c..4fa34c7 100644
--- a/roles/baseconfig/tasks/main.yml
+++ b/roles/baseconfig/tasks/main.yml
@@ -8,6 +8,7 @@
 - apt # better than apt-get
 - aptitude # nice to have for Ansible
 - bash-completion # because bash
+ - curl # better than wget
 - emacs-nox # for maman
 - fish # to motivate @edpibu
 - git # code versioning
@@ -17,6 +18,7 @@
 - lsb-release
 - molly-guard # prevent reboot
 - nano # for vulcain
+ - net-tools
 - ntp # network time sync
 - oidentd # postgresql identification
 - screen # Vulcain asked for this
From ee1726589a09555db05176a927c633d123a347b5 Mon Sep 17 00:00:00 2001
From: otthorn
Date: Sun, 17 Jan 2021 17:06:59 +0100
Subject: [PATCH 03/22] Linter should pass now!
---
 host_vars/proxy-ovh.adm.auro.re.yml | 4 ++--
 roles/baseconfig/tasks/main.yml | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/host_vars/proxy-ovh.adm.auro.re.yml b/host_vars/proxy-ovh.adm.auro.re.yml
index 4659ba3..37c50d2 100644
--- a/host_vars/proxy-ovh.adm.auro.re.yml
+++ b/host_vars/proxy-ovh.adm.auro.re.yml
@@ -54,12 +54,12 @@ nginx:
 to: "10.128.0.150:8080"
 - from: chat.auro.re
 to: "10.128.0.150:8080"
-
+
 - from: codimd.auro.re
 to: "10.128.0.150:8081"
 - from: hedgedoc.auro.re
 to: "10.128.0.150:8081"
-
+
 - from: grafana.auro.re
 to: "10.128.0.150:8082"
diff --git a/roles/baseconfig/tasks/main.yml b/roles/baseconfig/tasks/main.yml
index 4fa34c7..2455998 100644
--- a/roles/baseconfig/tasks/main.yml
+++ b/roles/baseconfig/tasks/main.yml
@@ -94,13 +94,13 @@
 apt:
 pkg: smartmontools
 state: absent
- autoremove: yes
+ autoremove: true
 when: ansible_system_vendor == "QEMU"
 - name: Remove useless packages from the cache
 apt:
- autoclean: yes
+ autoclean: true
 - name: Remove dependencies that are no longer required
 apt:
- autoremove: yes
+ autoremove: true
From 293a3855a18eb35a2d97928bd80f049754f498cc Mon Sep 17 00:00:00 2001
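Review bot: `net-tools` in the `@@ -17,6 +18,7 @@` hunk is the only entry in this list without the one-line rationale every other package carries, and on current Debian it is the legacy `ifconfig`/`netstat` suite that `iproute2` (`ip`, `ss`) has superseded, so a reader cannot tell whether some script on these hosts still needs the old names or it is installed out of habit. Record the reason, e.g. `- net-tools # legacy ifconfig/netstat, still used by ...`, or drop the entry if nothing depends on it. The enclosing `apt` task starts above both hunks.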
From: otthorn
Date: Sun, 17 Jan 2021 17:10:55 +0100
Subject: [PATCH 04/22] Add the new CNAMES to the list of domains for certbot. No wonder it did work magicly...
---
 host_vars/proxy-ovh.adm.auro.re.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/host_vars/proxy-ovh.adm.auro.re.yml b/host_vars/proxy-ovh.adm.auro.re.yml
index 37c50d2..595e12c 100644
--- a/host_vars/proxy-ovh.adm.auro.re.yml
+++ b/host_vars/proxy-ovh.adm.auro.re.yml
@@ -2,10 +2,13 @@
 certbot:
 domains:
 - auro.re
+ - chat.auro.re # cname to riot.auro.re
 - codimd.auro.re
 - grafana.auro.re
+ - hedgedoc.auro.re # cname to codimd.auro.re
 - pad.auro.re
 - passbolt.auro.re
+ - paste.auro.re # cname to privatebin.auro.re
 - phabricator.auro.re
 - privatebin.auro.re
 - riot.auro.re
@@ -13,7 +16,7 @@ certbot:
 - status.auro.re
 - wiki.auro.re
 - www.auro.re
- - zero.auro.re
+ - zero.auro.re # cname to privatebin.auro.re
 mail: tech.aurore@lists.crans.org
 certname: auro.re
From facfe3c169810b4e4c1d81bae5b7c1a94f9f00f6 Mon Sep 17 00:00:00 2001
From: otthorn
Date: Sun, 17 Jan 2021 18:21:29 +0100
Subject: [PATCH 05/22] Attempt to fix ansible lint
---
 roles/isc_dhcp_server/tasks/main.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/roles/isc_dhcp_server/tasks/main.yml b/roles/isc_dhcp_server/tasks/main.yml
index b40b2b8..57d2d25 100644
--- a/roles/isc_dhcp_server/tasks/main.yml
+++ b/roles/isc_dhcp_server/tasks/main.yml
@@ -18,6 +18,7 @@
 owner: re2o-services
 group: nogroup
 recurse: true
+ mode: 755
 - name: Install isc-dhcp-server
 apt:
@@ -101,7 +102,7 @@
 when: is_aurore_host
 - name: force run dhcp re2o-service
- shell: /var/local/re2o-services/dhcp/main.py --force
+ command: /var/local/re2o-services/dhcp/main.py --force
 - name: Ensure dhcpd is running
 service:
From 9e135e1dfd2fcb0bc9c7107f66c5131cf28ad704 Mon Sep 17 00:00:00 2001
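Review bot: `mode: 755` in the `@@ -18,6 +18,7 @@` hunk is an unquoted YAML integer, so Ansible receives decimal 755 rather than octal 0755 and, combined with `recurse: true`, applies octal 1363 (sticky bit, owner wx, group rw, other wx) to every directory and file under the path — the tree becomes writable by any local user, which is a worse state than the missing-mode warning the commit was silencing. Quote it as `mode: "0755"`, or use the symbolic `mode: "u=rwX,g=rX,o=rX"` so recursion does not also mark regular files executable. The task this belongs to (presumably `file:`) starts above the hunk, so its `path` is not visible here; if it is the re2o-services tree that the second hunk runs `main.py` from, the world-writable bit would let any local account alter a script the role later executes, so this is worth confirming before merge.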
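Review bot: The switch to `command:` in the `@@ -101,7 +102,7 @@` hunk leaves `/var/local/re2o-services/dhcp/main.py --force` running unconditionally on every play, so the task always reports changed and (judging by its name) regenerates the DHCP configuration even when nothing upstream changed; lint rule 305 is satisfied, but the idempotence problem is the rule 301 that `.ansible-lint` skips. Gate it on the task that installs or updates the re2o service — `notify` a handler, or `when:` on a registered result — or at least tie `changed_when` to the script's output. The surrounding task list continues outside the hunk.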
From: otthorn
Date: Sun, 17 Jan 2021 23:49:29 +0100
Subject: [PATCH 06/22] Fix ansible lint v3 -- on the right branch this time!
---
 .ansible-lint | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.ansible-lint b/.ansible-lint
index d03cb8f..a85e701 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -1,2 +1,7 @@
 skip_list:
 - '301'
+
+warn_list:
+ - '305' # Use shell only when shell functionality is required
+ - '503' # Tasks that run when changed should likely be handlers
+ - experimental # all rules tagged as experimental
From 4a57dad8a6091e6b65889d4d362d2461174fe681 Mon Sep 17 00:00:00 2001
From: Otthorn
Date: Tue, 19 Jan 2021 23:19:25 +0100
Subject: [PATCH 07/22] use handlers
---
 roles/certbot/handlers/main.yml | 8 ++++++++
 roles/certbot/tasks/main.yml | 20 +++----------------
 2 files changed, 11 insertions(+), 17 deletions(-)
 create mode 100644 roles/certbot/handlers/main.yml
diff --git a/roles/certbot/handlers/main.yml b/roles/certbot/handlers/main.yml
new file mode 100644
index 0000000..b8517e5
--- /dev/null
+++ b/roles/certbot/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+- name: Reload nginx
+ service:
+ name: nginx
+ state: reloaded
+
+- name: Generate certificates
+ shell: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index f29d557..cbce286 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
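Review bot: Ansible runs notified handlers in the order they are defined in the handlers file, not in the order of the `notify` list, so with `Reload nginx` defined first in this new file and `Generate certificates` second, nginx is reloaded before certbot has written the new certificate and keeps serving the old one until something else reloads it; the `notify:` block in the `roles/certbot/tasks/main.yml` hunk that follows inherits the same ordering. Define `Generate certificates` above `Reload nginx` in this file. The flow being replaced stopped nginx before running certbot; whether the handler-based flow still validates depends on the authenticator set in the `{{ certbot.certname }}.ini` template, which is outside this diff — if it is `standalone` it needs port 80 free and nothing here frees it. Handlers also fire only at the end of the play, so a failing task between the template and the handlers leaves the config changed with no certificate issued until the next run.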
@@ -20,20 +20,6 @@
 src: "letsencrypt/conf.d/certname.ini.j2"
 dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
 mode: 0644
- register: certbot_config
-
-- name: Stop services to allow certbot to generate a cert.
- service:
- name: nginx
- state: stopped
- when: certbot_config.changed
-
-- name: Generate new certificate if the configuration changed
- shell: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
- when: certbot_config.changed
-
-- name: Restart services to allow certbot to generate a cert.
- service:
- name: nginx
- state: started
- when: certbot_config.changed
+ notify:
+ - Generate certificates
+ - Reload nginx
From f0e3bd78c9cbd877c463de6230e65b3f0edcafca Mon Sep 17 00:00:00 2001
From: Otthorn
Date: Tue, 19 Jan 2021 23:27:17 +0100
Subject: [PATCH 08/22] use command instead of shell when you don't need sh features (pipes, env, etc...)
---
 roles/certbot/handlers/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/certbot/handlers/main.yml b/roles/certbot/handlers/main.yml
index b8517e5..82d2202 100644
--- a/roles/certbot/handlers/main.yml
+++ b/roles/certbot/handlers/main.yml
@@ -5,4 +5,4 @@
 state: reloaded
 - name: Generate certificates
- shell: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
+ command: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
From 51681922aabd55587cc8f97b0e8bc02443ee63ef Mon Sep 17 00:00:00 2001
From: otthorn
Date: Wed, 20 Jan 2021 17:01:49 +0100
Subject: [PATCH 09/22] Even more CNAMEs !
---
 host_vars/proxy-ovh.adm.auro.re.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/host_vars/proxy-ovh.adm.auro.re.yml b/host_vars/proxy-ovh.adm.auro.re.yml
index 595e12c..d68a483 100644
--- a/host_vars/proxy-ovh.adm.auro.re.yml
+++ b/host_vars/proxy-ovh.adm.auro.re.yml
@@ -4,6 +4,8 @@ certbot:
 - auro.re
 - chat.auro.re # cname to riot.auro.re
 - codimd.auro.re
+ - element.auro.re # cname to riot.auro.re
+ - ehterpad.auro.re # cname to pad.auro.re
 - grafana.auro.re
 - hedgedoc.auro.re # cname to codimd.auro.re
 - pad.auro.re
From ddd69e04c00c2e695f06bc2cd89a8a2df0f30f63 Mon Sep 17 00:00:00 2001
From: Otthorn
Date: Sat, 23 Jan 2021 14:25:35 +0100
Subject: [PATCH 10/22] create logrotate role
---
 roles/logrotate/handlers/main.yml | 5 +++
 roles/logrotate/tasks/main.yml | 25 +++++++++++++
 .../templates/logrotate.d/rsyslog.j2 | 37 +++++++++++++++++++
 3 files changed, 67 insertions(+)
 create mode 100644 roles/logrotate/handlers/main.yml
 create mode 100644 roles/logrotate/tasks/main.yml
 create mode 100644 roles/logrotate/templates/logrotate.d/rsyslog.j2
diff --git a/roles/logrotate/handlers/main.yml b/roles/logrotate/handlers/main.yml
new file mode 100644
index 0000000..a58c62e
--- /dev/null
+++ b/roles/logrotate/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload logrotate
+ service:
+ name: logrotate
+ state: reloaded
diff --git a/roles/logrotate/tasks/main.yml b/roles/logrotate/tasks/main.yml
new file mode 100644
index 0000000..f6667b7
--- /dev/null
+++ b/roles/logrotate/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+# Install and configure logrotate
+
+# Install the apt package
+name: Install logrotate
+apt:
+ name:
+ - logrotate
+
+# Copy the configuration and reload the service if it has changed
+- name: Configure logrotate
+ template:
+ src: logrotate.d/rsyslog.j2
+ dst: /etc/logrotate.d/rsyslog
+ owner: root
+ groupe: root
+ mode: "0644"
+ notify: restart logrotate
+
+# Make sure the service is enabled and started
+- name: Enable logrotate service
+ service:
+ name: logrotate
+ enabled: true
+ state: started
diff --git a/roles/logrotate/templates/logrotate.d/rsyslog.j2 b/roles/logrotate/templates/logrotate.d/rsyslog.j2
new file mode 100644
index 0000000..c304bb4
--- /dev/null
+++ b/roles/logrotate/templates/logrotate.d/rsyslog.j2
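Review bot: `ehterpad.auro.re` in this hunk looks like a transposition of `etherpad.auro.re` — its comment says it is a CNAME to pad.auro.re, and the sibling `element.auro.re` line shows the intended pattern. Every domain in this list goes into a single certificate (`certname: auro.re` further down the file), so a name that does not resolve makes certbot's validation fail for the whole request and none of the other names get a renewed certificate either. Fix the spelling or drop the entry, and resolve the name once before merging.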
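Review bot: The `reload logrotate` handler in `roles/logrotate/handlers/main.yml` uses `service` with `state: reloaded`, and `Enable logrotate service` in the tasks hunk uses `state: started`, but logrotate is not a resident daemon: on Debian buster and later it is, as far as I know, a oneshot `logrotate.service` scheduled by `logrotate.timer`, so `reloaded` is likely to error and `started` triggers a rotation on every play instead of ensuring the schedule. Point the service task at the timer — `name: logrotate.timer` with `enabled: true` and `state: started` — and drop the reload handler, since logrotate re-reads `/etc/logrotate.d` each time it runs. If a rotation is wanted right after a configuration change, a handler that invokes `logrotate` itself is the right shape for it.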
@@ -0,0 +1,37 @@
+/var/log/syslog
+{
+ rotate 7
+ daily
+ missingok
+ notifempty
+ delaycompress
+ compress
+ postrotate
+ /usr/lib/rsyslog/rsyslog-rotate
+ endscript
+}
+
+/var/log/mail.info
+/var/log/mail.warn
+/var/log/mail.err
+/var/log/mail.log
+/var/log/daemon.log
+/var/log/kern.log
+/var/log/auth.log
+/var/log/user.log
+/var/log/lpr.log
+/var/log/cron.log
+/var/log/debug
+/var/log/messages
+{
+ rotate 1
+ daily
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ /usr/lib/rsyslog/rsyslog-rotate
+ endscript
+}
From 05326c15d32a6b20c8f882434f07ee7011b3ea06 Mon Sep 17 00:00:00 2001
From: Otthorn
Date: Sat, 23 Jan 2021 14:27:09 +0100
Subject: [PATCH 11/22] Enforce logrotate rules
---
 roles/logrotate/tasks/main.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/roles/logrotate/tasks/main.yml b/roles/logrotate/tasks/main.yml
index f6667b7..dd3a4d2 100644
--- a/roles/logrotate/tasks/main.yml
+++ b/roles/logrotate/tasks/main.yml
@@ -23,3 +23,7 @@ apt:
 name: logrotate
 enabled: true
 state: started
+
+# Enforce new logrotate rules now
+- name: Run logrotate now
+ command: logrotate -f /etc/logrotate.d/rsyslog
From 0122a293ebe146b4ca5f904162cfcfa3ba3a6a06 Mon Sep 17 00:00:00 2001
From: Otthorn
Date: Sat, 23 Jan 2021 14:34:13 +0100
Subject: [PATCH 12/22] Add the unify group
---
 hosts | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/hosts b/hosts
index a06cac8..90d248e 100644
--- a/hosts
+++ b/hosts
@@ -445,6 +445,13 @@ edc_pve
 gs_pve
 rives_pve
+# every unifi
+[unifi]
+gs_unifi
+edc_unifi
+fleming_unifi
+rives_unifi
+pacaterie_unifi
 ###############################################################################
 # Groups by service
From 0d9fd160302057fac8ad0bc987f40e111ff8844f Mon Sep 17 00:00:00 2001
From: Otthorn
Date: Sat, 23 Jan 2021 14:35:03 +0100
Subject: [PATCH 13/22] Add logrotate to the base playbook
---
 base.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/base.yml b/base.yml
index 5aee2d2..1ea1901 100755
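Review bot: The second stanza puts `/var/log/auth.log` and `/var/log/kern.log` under `daily` with `rotate 1`, so at any moment only today's and yesterday's authentication and kernel logs exist on the host; an intrusion or credential-guessing campaign noticed a few days later cannot be reconstructed locally, and the stock Debian rsyslog rotation, as I recall it, keeps these logs `weekly` with `rotate 4`. Give `auth.log` (and ideally `kern.log`) their own stanza with a retention matching how long you expect to need them, e.g. `rotate 30` with `compress`, or ship them to a central log host before rotation discards them. The `/var/log/syslog` stanza's `rotate 7` is the same trade-off one week out.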
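Review bot: `command: logrotate -f /etc/logrotate.d/rsyslog` in the `@@ -23,3 +23,7 @@` hunk runs on every play and `-f` forces a rotation regardless of log age, so each playbook run pushes out one generation: with the template's `rotate 1`, two runs on the same day leave no previous `auth.log` at all, and the task always reports changed. Make this a handler notified by `Configure logrotate` (or gate it with `when:` on that task's registered result) so the forced rotation happens only when the rules actually changed. The `skip_list` entry for 301 in `.ansible-lint` is why the linter does not flag it.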
--- a/base.yml
+++ b/base.yml
@@ -10,3 +10,8 @@
 - hosts: all,!unifi
 roles:
 - ldap_client
+
+# Install logrotate
+- hosts: all,!unifi,!pve:children
+ roles:
+ - logrotate
From 66c2ff63053c72e93e7197f2c9ffef8015706161 Mon Sep 17 00:00:00 2001
From: Otthorn
Date: Sat, 23 Jan 2021 14:37:18 +0100
Subject: [PATCH 14/22] full path to logrotate for command
---
 roles/logrotate/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/logrotate/tasks/main.yml b/roles/logrotate/tasks/main.yml
index dd3a4d2..8e78e90 100644
--- a/roles/logrotate/tasks/main.yml
+++ b/roles/logrotate/tasks/main.yml
@@ -26,4 +26,4 @@ apt:
 # Enforce new logrotate rules now
 - name: Run logrotate now
- command: logrotate -f /etc/logrotate.d/rsyslog
+ command: /usr/sbin/logrotate -f /etc/logrotate.d/rsyslog
From 43274ef2ec8d57cc6b25333f49a47662f146ae3e Mon Sep 17 00:00:00 2001
From: Otthorn
Date: Sat, 23 Jan 2021 14:40:29 +0100
Subject: [PATCH 15/22] Add the ansible_managed var at the begining of the config file
---
 roles/logrotate/templates/logrotate.d/rsyslog.j2 | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/roles/logrotate/templates/logrotate.d/rsyslog.j2 b/roles/logrotate/templates/logrotate.d/rsyslog.j2
index c304bb4..beab470 100644
--- a/roles/logrotate/templates/logrotate.d/rsyslog.j2
+++ b/roles/logrotate/templates/logrotate.d/rsyslog.j2
@@ -1,3 +1,5 @@
+# {{ ansible_managed }}
+
 /var/log/syslog
 {
 rotate 7
From 73142dbe03210e1cc5ec1cbc291b2d3669107037 Mon Sep 17 00:00:00 2001
From: Otthorn
Date: Sat, 23 Jan 2021 14:41:25 +0100
Subject: [PATCH 16/22] Fix yaml syntax
---
 roles/logrotate/tasks/main.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/roles/logrotate/tasks/main.yml b/roles/logrotate/tasks/main.yml
index 8e78e90..81fc7ed 100644
--- a/roles/logrotate/tasks/main.yml
+++ b/roles/logrotate/tasks/main.yml
@@ -2,10 +2,10 @@
 # Install and configure logrotate
 # Install the apt package
-name: Install logrotate
-apt:
- name:
- - logrotate
+- name: Install logrotate
+ apt:
+ name:
+ - logrotate
 # Copy the configuration and reload the service if it has changed
 - name: Configure logrotate
From d50288ccffbaa4925ed6aa63d26fd0161df642bd Mon Sep 17 00:00:00 2001
From: Solal Nathan
Date: Sat, 23 Jan 2021 15:12:28 +0100
Subject: [PATCH 17/22] fix host syntax
---
 base.yml | 2 +-
 hosts | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/base.yml b/base.yml
index 1ea1901..38ec360 100755
--- a/base.yml
+++ b/base.yml
@@ -12,6 +12,6 @@
 - ldap_client
 # Install logrotate
-- hosts: all,!unifi,!pve:children
+- hosts: all,!unifi,!pve
 roles:
 - logrotate
diff --git a/hosts b/hosts
index 90d248e..98a435e 100644
--- a/hosts
+++ b/hosts
@@ -446,7 +446,7 @@ gs_pve
 rives_pve
 # every unifi
-[unifi]
+[unifi:children]
 gs_unifi
 edc_unifi
 fleming_unifi
From e1a961273df956ae0c53d0e54dcd12903d040c62 Mon Sep 17 00:00:00 2001
From: Solal Nathan
Date: Sat, 23 Jan 2021 15:42:52 +0100
Subject: [PATCH 18/22] fix typo: dst -> dest
---
 roles/logrotate/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/logrotate/tasks/main.yml b/roles/logrotate/tasks/main.yml
index 81fc7ed..b786ba0 100644
--- a/roles/logrotate/tasks/main.yml
+++ b/roles/logrotate/tasks/main.yml
@@ -11,7 +11,7 @@
 - name: Configure logrotate
 template:
 src: logrotate.d/rsyslog.j2
- dst: /etc/logrotate.d/rsyslog
+ dest: /etc/logrotate.d/rsyslog
 owner: root
 groupe: root
 mode: "0644"
From e6af0f2bd74c890e053f3bc567236089babfc647 Mon Sep 17 00:00:00 2001
From: Solal Nathan
Date: Sat, 23 Jan 2021 15:59:03 +0100
Subject: [PATCH 19/22] fix typo: groupe -> group
---
 roles/logrotate/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/logrotate/tasks/main.yml b/roles/logrotate/tasks/main.yml
index b786ba0..e9ba3a1 100644
--- a/roles/logrotate/tasks/main.yml
+++ b/roles/logrotate/tasks/main.yml
@@ -13,7 +13,7 @@
 src: logrotate.d/rsyslog.j2
 dest: /etc/logrotate.d/rsyslog
 owner: root
- groupe: root
+ group: root
 mode: "0644"
 notify: restart logrotate
From 795ee3846fa98377604abb5505ab204e1eac80fc Mon Sep 17 00:00:00 2001
From: Solal Nathan
Date: Sat, 23 Jan 2021 16:02:10 +0100
Subject: [PATCH 20/22] fix indent
---
 roles/logrotate/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/logrotate/tasks/main.yml b/roles/logrotate/tasks/main.yml
index e9ba3a1..656a746 100644
--- a/roles/logrotate/tasks/main.yml
+++ b/roles/logrotate/tasks/main.yml
@@ -15,7 +15,7 @@
 owner: root
 group: root
 mode: "0644"
- notify: restart logrotate
+ notify: restart logrotate
 # Make sure the service is enabled and started
 - name: Enable logrotate service
From fff6ec5807ed6ea998799c9cecfef81a8d6b2374 Mon Sep 17 00:00:00 2001
From: Solal Nathan
Date: Sat, 23 Jan 2021 16:04:09 +0100
Subject: [PATCH 21/22] fix typo: restart -> reload
---
 roles/logrotate/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/logrotate/tasks/main.yml b/roles/logrotate/tasks/main.yml
index 656a746..e76b591 100644
--- a/roles/logrotate/tasks/main.yml
+++ b/roles/logrotate/tasks/main.yml
@@ -15,7 +15,7 @@
 owner: root
 group: root
 mode: "0644"
- notify: restart logrotate
+ notify: reload logrotate
 # Make sure the service is enabled and started
 - name: Enable logrotate service
From be0c2f8e4a7506b470b39188ac160e893402d6a3 Mon Sep 17 00:00:00 2001
From: Solal Nathan
Date: Sat, 23 Jan 2021 16:21:56 +0100
Subject: [PATCH 22/22] If you want to ONLY run the logrotate role
---
 logrotate.yml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100755 logrotate.yml
diff --git a/logrotate.yml b/logrotate.yml
new file mode 100755
index 0000000..8d3479e
--- /dev/null
+++ b/logrotate.yml
@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+# Playbook to run ONLY the logrotate role
+# Install logrotate
+- hosts: all,!unifi,!pve
+ roles:
+ - logrotate
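Review bot: This playbook repeats the play that `base.yml` already carries — the same `hosts: all,!unifi,!pve` pattern and the same single role — so the two copies will drift the next time either the host pattern or the role list changes. Either let `base.yml` pull this file in with `- import_playbook: logrotate.yml`, or tag the play in `base.yml` and run `ansible-playbook base.yml --tags logrotate`, so the pattern is defined once. The `# Install logrotate` comment copied from `base.yml` then goes with it.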