diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
deleted file mode 100644
index 05ecfa7..0000000
--- a/roles/docker/tasks/main.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-- import_tasks: install.yml
-
-- name: Start and enable docker service
- become: true
- systemd:
- name: docker
- state: started
- enabled: yes
-
-- import_tasks: tasks/preprocess-users.yml
-
-- name: Add superusers to the docker group
- become: true
- user:
- name: "{{ item.name }}"
- groups: docker
- append: yes
- loop: "{{ _users_local_admin }}"
diff --git a/roles/networkd/defaults/main.yml b/roles/networkd/defaults/main.yml
deleted file mode 100644
index f0e20b5..0000000
--- a/roles/networkd/defaults/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-omni_restart_services: false
diff --git a/roles/networkd/tasks/packages.yml b/roles/networkd/tasks/packages.yml
deleted file mode 100644
index 6a047e9..0000000
--- a/roles/networkd/tasks/packages.yml
+++ /dev/null
@@ -1,38 +0,0 @@ ---- -- name: Install networkd on Fedora - when: ansible_distribution == "Fedora" - become: true - dnf: - state: latest - name: - - systemd-resolved - - systemd-networkd - -- name: Install networkd on CentOS 7 - when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7" - become: true - yum: - state: latest - name: - - systemd-resolved - - systemd-networkd - -- name: Install networkd on CentOS 8 - when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8" - become: true - block: - # The systemd-networkd EPEL package is currently in the testing phase, so we have - # to enable the testing EPEL repo to install it. Note that this is also done in - # the packages role - # https://bugzilla.redhat.com/show_bug.cgi?id=1789146 - - name: Enable EPEL-Testing repository on CentOS 8s - lineinfile: - path: /etc/yum.repos.d/epel-testing.repo - regexp: "enabled=(0|1)" - line: "enabled=1" - insertbefore: "^$" - firstmatch: true - - name: Install networkd - dnf: - state: latest - name: systemd-networkd diff --git a/roles/networkd/tasks/services.yml b/roles/networkd/tasks/services.yml deleted file mode 100644 index 428f085..0000000 --- a/roles/networkd/tasks/services.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -- name: Disable NetworkManager - become: true - systemd: - name: "{{ item }}" - enabled: false - loop: - - NetworkManager - - NetworkManager-wait-online - -- name: Enable systemd-networkd - become: true - systemd: - name: "{{ item }}" - enabled: true - loop: - - systemd-networkd - - systemd-resolved - - systemd-networkd-wait-online - -- name: Stop NetworkManager - when: omni_restart_services == true - become: true - systemd: - name: "{{ item }}" - state: stopped - loop: - - NetworkManager - - NetworkManager-wait-online - -- name: Start systemd-networkd - when: omni_restart_services == true - become: true - systemd: - name: "{{ item }}" - state: started - loop: - - systemd-networkd - - systemd-resolved 
diff --git a/roles/networkd/templates/netdev.j2 b/roles/networkd/templates/netdev.j2 deleted file mode 100644 index 3f364b4..0000000 --- a/roles/networkd/templates/netdev.j2 +++ /dev/null @@ -1,9 +0,0 @@ -# ANSIBLE MANAGED FILE - DO NOT EDIT -[NetDev] -Name={{ item.0.key }} -Kind=vlan - -[VLAN] -Id={{ item.1 }} - -# EOF diff --git a/roles/networkd/templates/network.j2 b/roles/networkd/templates/network.j2 deleted file mode 100644 index e251a56..0000000 --- a/roles/networkd/templates/network.j2 +++ /dev/null @@ -1,27 +0,0 @@ -# ANSIBLE MANAGED FILE - DO NOT EDIT -[Match] -Name={{ item.key }} - -[Network] -DHCP={{ 'Yes' if item.value['dhcp'] | default(false) == true else 'No' }} -IPv6AcceptRA={{ 'Yes' if item.value['dhcp6'] | default(false) == true else 'No' }} -{% if item.value['addresses'] is defined %} -{% for ip_addr in item.value['addresses'] %} -Address={{ ip_addr }} -{% endfor %} -{% endif %} -{% if item.value['dns'] is defined %} -{% for dns_server in item.value['dns'] %} -DNS={{ dns_server }} -{% endfor %} -{% endif %} -{% if item.value['gateway'] is defined %} -Gateway={{ item.value['gateway'] }} -{% endif %} -{% if item.value['vlans'] is defined %} -{% for vlan_tag in item.value['vlans'] %} -VLAN={{ item.key }}.{{ vlan_tag }} -{% endfor %} -{% endif %} - -# EOF diff --git a/roles/packages/defaults/main.yml b/roles/packages/defaults/main.yml deleted file mode 100644 index cb40c68..0000000 --- a/roles/packages/defaults/main.yml +++ /dev/null 
@@ -1,14 +0,0 @@ ---- -# Role parameter documentation -# -# omni_pkg_repos - whether to install/enable additional repositories -# omni_pkg_bindings - whether to install required ansible bindings to the system python -# omni_pkg_update - whether to perform a package update -# onni_pkg_clean - whether to force clean the package manager cache -# omni_pkg_exclude - packages to exclude from an update; has no effect if -# ``omni_pkg_update`` is false -omni_pkg_repos: true -omni_pkg_bindings: true -omni_pkg_update: false -omni_pkg_clean: false -omni_pkg_exclude: ["kernel*", "docker-ce"] diff --git a/roles/packages/tasks/bindings.yml b/roles/packages/tasks/bindings.yml deleted file mode 100644 index ddbecb5..0000000 --- a/roles/packages/tasks/bindings.yml +++ /dev/null @@ -1,30 +0,0 @@ ---- -- name: Install CentOS 8 python bindings - when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8" - become: true - dnf: - state: latest - name: - - python3-libselinux - - python3-policycoreutils - - python3-firewall - -- name: Install CentOS 7 python bindings - when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7" - become: true - yum: - state: latest - name: - - libselinux-python - - policycoreutils-python - - python-firewall - -- name: Install Fedora python bindings - when: ansible_distribution == "Fedora" - become: true - dnf: - state: latest - name: - - libselinux-python - - policycoreutils-python - - python3-firewall diff --git a/roles/packages/tasks/update.yml b/roles/packages/tasks/update.yml deleted file mode 100644 index 66c1aed..0000000 --- a/roles/packages/tasks/update.yml +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -# Gotta hate this, but I have to hardcode the systemd exclusion on cent8 -# Because I'm using "janky-systemd-networkd-2-the-jankening" (see the networkd role) -# there are a pile of conflicts when you run "dnf update" with it installed. I found -# two options that work: 1) uninstall systemd-networkd, update, then reinstall it; -# 2) hardcode the exclusion here. Whenever I thought too hard about the potential -# consequences of instituting uninstalling-my-network-init-system-as-a-service I -# started to get a migaine, so I went with option two. -- name: Upgrade Fedora and CentOS 8 packages - when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8" - become: true - dnf: - state: latest - name: "*" - exclude: "{{ ','.join(omni_pkg_exclude + ['systemd*']) }}" - -- name: Upgrade CentOS 7 packages - when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7" - become: true - yum: - state: latest - name: "*" - exclude: "{{ ','.join(omni_pkg_exclude) }}" - -- name: Upgrade Fedora packages - when: ansible_distribution == "Fedora" - become: true - dnf: - state: latest - name: "*" - exclude: "{{ ','.join(omni_pkg_exclude) }}" - -# Yeah I'll get here eventually -# - name: Upgrade APT packages -# when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu" -# become: true -# apt: diff --git a/roles/packages/vars/main.yml b/roles/packages/vars/main.yml deleted file mode 100644 index e1f0090..0000000 --- a/roles/packages/vars/main.yml +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -omni_packages_global: - - automake - - cmake - - curl - - gcc - - gcc-c++ - - git - - make - - nano - - openssl-devel - - systemd-devel - - unzip - - vim - - vim-minimal - -omni_packages_fedora: - - libselinux-python - - git-lfs - - readline-devel - - policycoreutils-python - - python-devel - - python-virtualenv - - python3-devel - -omni_packages_centos_8: - - bind-utils - - bash-completion - - nc - - nfs-utils - - python3 - - python3-pip - - python3-setuptools - - python3-virtualenv - - wget - -omni_packages_centos_7: - - bind-utils - - bash-completion - - nc - - nfs-utils - - python3 - - python3-pip - - python3-setuptools - - python3-virtualenv - - wget diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml deleted file mode 100644 index 4042d3a..0000000 --- a/roles/sshd/defaults/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -omni_restart_services: false -omni_ssh_enabled: true diff --git a/roles/sshd/tasks/install.yml b/roles/sshd/tasks/install.yml deleted file mode 100644 index 1607095..0000000 --- a/roles/sshd/tasks/install.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- -- name: Install OpenSSH server on Fedora and CentOS 8 - when: ansible_distribution == "Fedora" or (ansible_distribution == "CentOS" and ansible_distribution_major_version == "8") - become: true - dnf: - name: openssh-server - state: latest - -- name: Install OpenSSH server on CentOS 7 - when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7" - become: true - yum: - name: openssh-server - state: latest diff --git a/roles/sshd/templates/motd.j2 b/roles/sshd/templates/motd.j2 deleted file mode 100644 index 4fdc8aa..0000000 --- a/roles/sshd/templates/motd.j2 +++ /dev/null 
@@ -1,7 +0,0 @@ - - //////////// //// //// /////////// - //// ////// //// //// //// - //////// //// /// //// /////////// - //// //// ////// //// - //////////// //// //// {{ omni_description | default('Omni Network System') }} - _______________________________{{ omni_description | default('Omni Network System') | length * '\\' }}\ diff --git a/tasks/centos-8-kernelplus.yml b/tasks/centos-8-kernelplus.yml index ef67138..15acac9 100644 --- a/tasks/centos-8-kernelplus.yml +++ b/tasks/centos-8-kernelplus.yml 
@@ -1,62 +1,61 @@ --- -- name: Disable kernel installation from base repository +# This is a workaround for Cent8 removing drivers from the kernel that are required for +# my RAID cards to work. Kernel-Plus includes the drivers, thus one of the first things +# we need to do is to replace the kernel before doing an update. +- name: Replace default kernel with kernel-plus on CentOS 8 + when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8" become: true - lineinfile: - path: /etc/yum.repos.d/CentOS-Base.repo - line: exclude=kernel* + block: + - name: Disable kernel installation from base repository + lineinfile: + path: /etc/yum.repos.d/CentOS-Base.repo + line: exclude=kernel* -- name: Enable Centos-plus repository - become: true - lineinfile: - path: /etc/yum.repos.d/CentOS-centosplus.repo - regexp: "#?enabled=(0|1)" - line: enabled=1 + - name: Enable Centos-plus repository + lineinfile: + path: /etc/yum.repos.d/CentOS-centosplus.repo + regexp: "#?enabled=(0|1)" + line: enabled=1 -- name: Enable kernel installation from plus repository - become: true - lineinfile: - path: /etc/yum.repos.d/CentOS-centosplus.repo - line: includepkgs=kernel* + - name: Enable kernel installation from plus repository + lineinfile: + path: /etc/yum.repos.d/CentOS-centosplus.repo + line: includepkgs=kernel* -# Note that the order of the next four tasks is very specific and intentional -# See this wiki page: https://plone.lucidsolutions.co.nz/linux/centos/7/install-centos-plus-kernel-kernel-plus/view -- name: Install kernel-plus - become: true - dnf: - name: - - kernel-plus - - kernel-plus-devel - state: latest - register: _dnf_kernel_plus + # Note that the order of the next four tasks is very specific and intentional + # See this wiki page: https://plone.lucidsolutions.co.nz/linux/centos/7/install-centos-plus-kernel-kernel-plus/view + - name: Install kernel-plus + dnf: + state: "{{ _runtime_update_state }}" + name: + - kernel-plus + - kernel-plus-devel + 
register: _dnf_kernel_plus -- name: Uninstall kernel-tools - become: true - dnf: - name: - - kernel-tools - - kernel-tools-libs - state: absent + - name: Uninstall kernel-tools + dnf: + name: + - kernel-tools + - kernel-tools-libs + state: absent -- name: Install kernel-plus-tools - become: true - dnf: - name: - - kernel-plus-tools - - kernel-plus-tools-libs - state: latest + - name: Install kernel-plus-tools + dnf: + state: "{{ _runtime_update_state }}" + name: + - kernel-plus-tools + - kernel-plus-tools-libs -- name: Reboot into new kernel - become: true - when: _dnf_kernel_plus.changed is true and "centos.plus" not in ansible_kernel - reboot: - reboot_timeout: 3600 + - name: Reboot into new kernel + when: _dnf_kernel_plus.changed is true and "centos.plus" not in ansible_kernel + reboot: + reboot_timeout: 3600 -- name: Uninstall kernel - become: true - dnf: - name: - - kernel - - kernel-devel - - kernel-core - - kernel-modules - state: absent + - name: Uninstall kernel + dnf: + state: absent + name: + - kernel + - kernel-devel + - kernel-core + - kernel-modules diff --git a/tasks/deploy-ssh-keys.yml b/tasks/deploy-ssh-keys.yml deleted file mode 100644 index 3b4b2b0..0000000 --- a/tasks/deploy-ssh-keys.yml +++ /dev/null @@ -1,29 +0,0 @@ ---- -- name: Create SSH directory - become: true - file: - path: /home/{{ item.name }}/.ssh - state: directory - owner: "{{ item.name }}" - group: "{{ item.name }}" - mode: 0755 - loop: "{{ _users_local }}" - -- name: Update authorized keys - become: true - authorized_key: - user: "{{ item.name }}" - key: "{{ item.sshkeys | join('\n') }}" - state: present - exclusive: true - loop: "{{ _users_local }}" - -- name: Enforce ownership of authorized keys - become: true - file: - path: /home/{{ item.name }}/.ssh/authorized_keys - state: touch - owner: "{{ item.name }}" - group: "{{ item.name }}" - mode: 0444 - loop: "{{ _users_local }}" 
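Review bot: The reboot guard `when: _dnf_kernel_plus.changed is true and "centos.plus" not in ansible_kernel` lets the final "Uninstall kernel" task remove the packages of the kernel that is currently running: if kernel-plus was already installed by an earlier run that never rebooted (or whose reboot was interrupted), `changed` is false, the reboot is skipped, and `kernel`, `kernel-core` and `kernel-modules` are removed while the stock kernel is still booted. Dropping the first operand, `when: '"centos.plus" not in ansible_kernel'`, makes the reboot depend only on which kernel is running, which is the precondition the uninstall actually needs. The install tasks now take `state: "{{ _runtime_update_state }}"`, whose definition is not in this diff; with a value of `present` an already-installed kernel-plus is not upgraded, which looks intended but is worth a one-line comment above the block.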
diff --git a/roles/docker/tasks/install.yml b/tasks/docker/install.yml similarity index 89% rename from roles/docker/tasks/install.yml rename to tasks/docker/install.yml index b8fbaf5..fdd1423 100644 --- a/roles/docker/tasks/install.yml +++ b/tasks/docker/install.yml @@ -15,8 +15,8 @@ when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7" yum: # Update the cache to update with the new docker repo - update_cache: yes - state: latest + update_cache: true + state: "{{ _runtime_update_state }}" name: - device-mapper-persistent-data # Required for docker devicestorage driver - lvm2 # same @@ -28,8 +28,8 @@ when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8" dnf: # Update the cache to update with the new docker repo - update_cache: yes - state: latest + update_cache: true + state: "{{ _runtime_update_state }}" name: - device-mapper-persistent-data # Required for docker devicestorage driver - lvm2 # same diff --git a/roles/networkd/tasks/main.yml b/tasks/networkd/configure.yml similarity index 53% rename from roles/networkd/tasks/main.yml rename to tasks/networkd/configure.yml index 2784762..84028bd 100644 --- a/roles/networkd/tasks/main.yml +++ b/tasks/networkd/configure.yml @@ -1,6 +1,4 @@ --- -- import_tasks: packages.yml - - name: Configure networking via systemd become: true when: omni_networking is defined 
@@ -13,33 +11,14 @@ - name: Make network files template: - src: network.j2 + src: networkd/network.j2 dest: "/etc/systemd/network/{{ item.key }}.network" mode: 0644 loop: "{{ omni_networking | dict2items }}" - name: Make netdev files template: - src: netdev.j2 + src: networkd/netdev.j2 dest: "/etc/systemd/network/{{ item.0.key + '.' + item.1 }}.netdev" mode: 0644 loop: "{{ omni_networking | dict2items | subelements('value.vlans', true) }}" - -- import_tasks: services.yml - -- name: Symlink so systemd-resolved uses /etc/resolv.conf - become: true - file: - dest: /etc/resolv.conf - src: /run/systemd/resolve/resolv.conf - state: link - force: true - setype: net_conf_t - -- name: Symlink so /etc/resolv.conf uses systemd - become: true - file: - dest: /etc/systemd/system/multi-user.target.wants/systemd-resolved.service - src: /usr/lib/systemd/system/systemd-resolved.service - state: link - force: true diff --git a/tasks/networkd/install.yml b/tasks/networkd/install.yml new file mode 100644 index 0000000..cfadff0 --- /dev/null +++ b/tasks/networkd/install.yml @@ -0,0 +1,26 @@ +--- +- name: Install systemd-networkd on CentOS 7 + when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7" + become: true + yum: + state: "{{ _runtime_update_state }}" + name: + - systemd-networkd + - systemd-resolved + +- name: Install systemd-networkd on CentOS 8 + when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8" + become: true + dnf: + state: "{{ _runtime_update_state }}" + name: systemd-networkd + + +- name: Install systemd-networkd on Fedora + when: ansible_distribution == "Fedora" and ansible_distribution_major_version == "8" + become: true + dnf: + state: "{{ _runtime_update_state }}" + name: + - systemd-networkd + - systemd-resolved diff --git a/tasks/networkd/services.yml b/tasks/networkd/services.yml new file mode 100644 index 0000000..ced87fa --- /dev/null +++ b/tasks/networkd/services.yml 
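Review bot: The Fedora task in the new tasks/networkd/install.yml can never run: its condition `when: ansible_distribution == "Fedora" and ansible_distribution_major_version == "8"` copies the CentOS 8 version check, and no Fedora release in use reports major version 8. The guard should be `when: ansible_distribution == "Fedora"`, as the other Fedora tasks added in this commit use (for example in tasks/packages/update.yml). The double blank line between the CentOS 8 and Fedora tasks also trips yamllint's empty-lines rule.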
@@ -0,0 +1,36 @@ +--- +- name: Disable NetworkManager + become: true + systemd: + name: "{{ item }}" + enabled: false + loop: + - NetworkManager + - NetworkManager-wait-online + +- name: Enable systemd-networkd + become: true + systemd: + name: "{{ item }}" + enabled: true + loop: + - systemd-networkd + - systemd-resolved + - systemd-networkd-wait-online + +- name: Symlink so systemd-resolved uses /etc/resolv.conf + become: true + file: + dest: /etc/resolv.conf + src: /run/systemd/resolve/resolv.conf + state: link + force: true + setype: net_conf_t + +- name: Symlink so /etc/resolv.conf uses systemd + become: true + file: + dest: /etc/systemd/system/multi-user.target.wants/systemd-resolved.service + src: /usr/lib/systemd/system/systemd-resolved.service + state: link + force: true diff --git a/roles/packages/tasks/clean.yml b/tasks/packages/clean.yml similarity index 64% rename from roles/packages/tasks/clean.yml rename to tasks/packages/clean.yml index e0a03c7..6844dd4 100644 --- a/roles/packages/tasks/clean.yml +++ b/tasks/packages/clean.yml @@ -1,14 +1,17 @@ --- -- name: Clean DNF cache - become: true +# I'm honestly not sure why these 304 warnings are being raised by the linter here... +- name: Clean DNF cache # noqa: 304 when: ansible_distribution == "Fedora" or (ansible_distribution == "CentOS" and ansible_distribution_major_version == "8") + become: true command: cmd: /usr/bin/dnf clean all warn: false + changed_when: true -- name: Clean YUM cache - become: true +- name: Clean YUM cache # noqa: 304 when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7" + become: true command: cmd: /usr/bin/yum clean all warn: false + changed_when: true diff --git a/roles/packages/tasks/main.yml b/tasks/packages/install.yml similarity index 68% rename from roles/packages/tasks/main.yml rename to tasks/packages/install.yml index ae753f6..69ff429 100644 --- a/roles/packages/tasks/main.yml +++ b/tasks/packages/install.yml 
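Review bot: The last task in tasks/networkd/services.yml creates `/etc/systemd/system/multi-user.target.wants/systemd-resolved.service` by hand, which is the symlink `systemctl enable` creates, and the "Enable systemd-networkd" task above already enables systemd-resolved through the systemd module; unless there is a reason the unit cannot be enabled normally, the manual link is redundant and the task can be dropped (if there is such a reason, a comment on the task should state it). Separately, `/etc/resolv.conf` is pointed at `/run/systemd/resolve/resolv.conf`, which bypasses the local stub listener; that is a supported mode, but `/run/systemd/resolve/stub-resolv.conf` is the target the systemd-resolved documentation recommends when per-link DNS routing is wanted, so a comment naming the intended mode would prevent a well-meaning "fix" later.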
@@ -1,23 +1,3 @@ ---- -- import_tasks: bindings.yml - when: omni_pkg_bindings == true - -- import_tasks: repos.yml - when: omni_pkg_repos == true - -- import_tasks: clean.yml - when: omni_pkg_clean == true - -- import_tasks: update.yml - when: omni_pkg_update == true - -- name: Install packages on Fedora - become: true - when: ansible_distribution == "Fedora" - dnf: - state: latest - name: "{{ omni_packages_global + omni_packages_fedora }}" - # NOTE: This is currently horrifically broken. See the ongoing drama around # systemd-networkd on cent8. Basically triggering an update- or an install- will give # a conflict error due to the spicy-jankaroni-with-extra-cheese edition of @@ -30,12 +10,12 @@ become: true when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8" dnf: - state: latest + state: "{{ _runtime_update_state }}" name: "{{ omni_packages_global + omni_packages_centos_8 }}" - name: Install packages on CentOS 7 become: true when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7" yum: - state: latest + state: "{{ _runtime_update_state }}" name: "{{ omni_packages_global + omni_packages_centos_7 }}" diff --git a/roles/packages/tasks/repos.yml b/tasks/packages/repos.yml similarity index 77% rename from roles/packages/tasks/repos.yml rename to tasks/packages/repos.yml index 213bfbe..4f71ca6 100644 --- a/roles/packages/tasks/repos.yml +++ b/tasks/packages/repos.yml 
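Review bot: The first hunk of tasks/packages/install.yml removes the "Install packages on Fedora" task and nothing on the new side replaces it, while the sibling variables `omni_packages_global`, `omni_packages_centos_8` and `omni_packages_centos_7` are still used by the remaining tasks and the file that defined all of them (roles/packages/vars/main.yml) is deleted in this commit with no visible replacement. If Fedora package installation is intentionally dropped, the Fedora branches that survive elsewhere in this commit (tasks/packages/update.yml, tasks/networkd/install.yml) are now inconsistent with it, and a comment at the top of this file naming the supported distributions would make that explicit; if it is not intentional, the task needs to come back in the new file.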
@@ -5,14 +5,16 @@ block: - name: Enable Extra Packages for Enterprise Linux on CentOS 8 dnf: - state: latest + state: present name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm - - name: Enable EPEL-Testing repository on CentOS 8s + # The testing repo had to be enabled for a previous version of systemd-networkd + # to be installed + - name: Disable EPEL-Testing repository on CentOS 8 lineinfile: path: /etc/yum.repos.d/epel-testing.repo regexp: "enabled=(0|1)" - line: "enabled=1" + line: "enabled=0" insertbefore: "^$" firstmatch: true @@ -25,6 +27,6 @@ - name: Enable Extra Packages for Enterprise Linux on CentOS 7 become: true when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7" - dnf: - state: latest - name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpmz + yum: + state: present + name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm diff --git a/tasks/packages/update.yml b/tasks/packages/update.yml new file mode 100644 index 0000000..d109c4e --- /dev/null +++ b/tasks/packages/update.yml 
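Review bot: Both EPEL tasks install `epel-release` from a URL (`https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm` and the -7 counterpart), so whether the package is signature-checked depends on the Fedora signing key already being trusted on the host; CentOS 7 and 8 ship `epel-release` in their `extras` repository, where it is verified with the distribution key the host already has, so `name: epel-release` would be the safer form if `extras` is enabled on these hosts. The EPEL-Testing task's `regexp: "enabled=(0|1)"` with `firstmatch: true` only edits the first `enabled=` line in `/etc/yum.repos.d/epel-testing.repo`, and that file carries several sections; a comment noting that only the first section is being toggled would save the next reader from checking.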
@@ -0,0 +1,32 @@ +--- +# Ansible Lint 403 ("Package installs should not use latest") is silenced here because +# it would defeat the point otherwise +- name: Upgrade Fedora and CentOS 8 packages # noqa: 403 + when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8" + become: true + dnf: + state: latest + name: "*" + exclude: "{{ ','.join(omni_pkg_exclude | default(['kernel*', 'docker-ce'])) }}" + +- name: Upgrade CentOS 7 packages # noqa: 403 + when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7" + become: true + yum: + state: latest + name: "*" + exclude: "{{ ','.join(omni_pkg_exclude | default(['kernel*', 'docker-ce'])) }}" + +- name: Upgrade Fedora packages # noqa: 403 + when: ansible_distribution == "Fedora" + become: true + dnf: + state: latest + name: "*" + exclude: "{{ ','.join(omni_pkg_exclude | default(['kernel*', 'docker-ce'])) }}" + +# Yeah I'll get here eventually +# - name: Upgrade APT packages +# when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu" +# become: true +# apt: diff --git a/tasks/preprocess-users.yml b/tasks/preprocess-users.yml deleted file mode 100644 index 74a6f69..0000000 --- a/tasks/preprocess-users.yml +++ /dev/null 
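Review bot: The first task in tasks/packages/update.yml is named "Upgrade Fedora and CentOS 8 packages" but its `when` only matches CentOS 8, and Fedora has its own task below; it should read `- name: Upgrade CentOS 8 packages # noqa: 403`. The fallback `default(['kernel*', 'docker-ce'])` is now repeated in all three `exclude:` expressions since roles/packages/defaults/main.yml is gone; defining the list once (a play-level `vars:` entry or a `set_fact` ahead of these tasks) keeps the three in step. The CentOS 8 task no longer excludes `systemd*`; if that is deliberate now that EPEL-Testing is disabled, a one-line comment saying so would stop someone restoring it.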
@@ -1,39 +0,0 @@ ---- -- name: Load users variables - include_vars: - file: users.yml - -- name: Reconcile user targets with host targets to get host users - set_fact: - _users_local: >- - {{ - _users_local | default([]) + ([item] if item.targets | intersect(omni_local_targets) else []) - }} - loop: "{{ omni_users }}" - -- name: Determine local user names - set_fact: - _users_local_names: "{{ _users_local_names | default([]) + [item.name] }}" - loop: "{{ _users_local }}" - -- name: Determine administrative users - set_fact: - _users_local_admin: >- - {{ - _users_local_admin | default([]) + ([item] if item.admin | default(False) else []) - }} - loop: "{{ _users_local }}" - -- name: Determine existing users - shell: 'grep omni /etc/group | cut -d: -f4 | tr "," "\n"' - changed_when: false - register: _users_local_existing - -- name: Determine removed users - set_fact: - _users_local_removed: >- - {{ - _users_local_removed | default([]) + - ([item] if item not in _users_local_names else []) - }} - loop: "{{ _users_local_existing.stdout_lines }}" diff --git a/tasks/sshd/banner.yml b/tasks/sshd/banner.yml new file mode 100644 index 0000000..2a4c0f5 --- /dev/null +++ b/tasks/sshd/banner.yml @@ -0,0 +1,7 @@ +--- +- name: Install SSH Banner + become: true + template: + src: motd.j2 + dest: /etc/issue.net + mode: 0644 diff --git a/roles/sshd/tasks/main.yml b/tasks/sshd/secure.yml similarity index 72% rename from roles/sshd/tasks/main.yml rename to tasks/sshd/secure.yml index 06c54c3..df2493b 100644 --- a/roles/sshd/tasks/main.yml +++ b/tasks/sshd/secure.yml @@ -1,13 +1,4 @@ --- -- import_tasks: install.yml - -- name: Install SSH Banner - become: true - template: - src: motd.j2 - dest: /etc/issue.net - mode: 0644 - - name: Set parameters in sshd config become: true lineinfile: 
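Review bot: `src: motd.j2` in the new tasks/sshd/banner.yml refers to the template by bare name, while the renamed networkd tasks in this same commit reference theirs as `networkd/network.j2` and `networkd/netdev.j2`; roles/sshd/templates/motd.j2 is deleted here and its new location is not in the diff, so if it moved into an `sshd/` subdirectory like the others this should read `src: sshd/motd.j2`. Worth confirming the template path resolves before merge, since a missing template fails the play rather than just skipping the banner.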
@@ -26,10 +17,13 @@ set: "GSSAPIAuthentication no" - match: "#?ChallengeResponseAuthentication (yes|no)" set: "ChallengeResponseAuthentication no" + loop_control: + label: "{{ item.set }}" + register: _sshd_config_result - name: Restart sshd service + when: _sshd_config_result.changed become: true systemd: name: sshd - state: "{{ 'restarted' if omni_restart_services == true else 'started' }}" - enabled: "{{ omni_ssh_enabled }}" + state: restarted
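Review bot: The restart does not check that the edited config is valid: `register: _sshd_config_result` feeds `when: _sshd_config_result.changed`, so any lineinfile edit triggers `state: restarted`, and if one of the looped edits leaves sshd_config unparsable the daemon does not come back and new SSH sessions, including Ansible's own on the next play, are refused. Adding `validate: /usr/sbin/sshd -t -f %s` to the lineinfile task (whose start is outside this hunk) checks each edit before it is written, so the restart only runs on a config sshd has accepted. The hunk also drops the `enabled:` setting, so nothing in this file ensures sshd starts on boot any more; if that is handled elsewhere, a comment on the restart task should say where.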