From f1639dce1ef07a13bb5428d7ba2104d49ddbdfcd Mon Sep 17 00:00:00 2001 
From: Ethan Paul <24588726+enpaul@users.noreply.github.com> Date: Fri, 4 Dec 2020 14:47:33 -0500 Subject: [PATCH] Overhaul reuse structure from role to task orientation The overall config this will end up with is going to be nowhere near complicated enough to require the segmented structure of roles. A single directory of reusable tasks and resources will be much better --- roles/docker/tasks/main.yml | 19 ---- roles/networkd/defaults/main.yml | 2 - roles/networkd/tasks/packages.yml | 38 ------- roles/networkd/tasks/services.yml | 39 ------- roles/networkd/templates/netdev.j2 | 9 -- roles/networkd/templates/network.j2 | 27 ----- roles/packages/defaults/main.yml | 14 --- roles/packages/tasks/bindings.yml | 30 ----- roles/packages/tasks/update.yml | 37 ------ roles/packages/vars/main.yml | 46 -------- roles/sshd/defaults/main.yml | 3 - roles/sshd/tasks/install.yml | 14 --- roles/sshd/templates/motd.j2 | 7 -- tasks/centos-8-kernelplus.yml | 105 +++++++++--------- tasks/deploy-ssh-keys.yml | 29 ----- .../docker/tasks => tasks/docker}/install.yml | 8 +- .../main.yml => tasks/networkd/configure.yml | 25 +---- tasks/networkd/install.yml | 26 +++++ tasks/networkd/services.yml | 36 ++++++ .../tasks => tasks/packages}/clean.yml | 11 +- .../main.yml => tasks/packages/install.yml | 24 +--- .../tasks => tasks/packages}/repos.yml | 14 ++- tasks/packages/update.yml | 32 ++++++ tasks/preprocess-users.yml | 39 ------- tasks/sshd/banner.yml | 7 ++ .../tasks/main.yml => tasks/sshd/secure.yml | 16 +-- 26 files changed, 181 insertions(+), 476 deletions(-) delete mode 100644 roles/docker/tasks/main.yml delete mode 100644 roles/networkd/defaults/main.yml delete mode 100644 roles/networkd/tasks/packages.yml delete mode 100644 roles/networkd/tasks/services.yml delete mode 100644 roles/networkd/templates/netdev.j2 delete mode 100644 roles/networkd/templates/network.j2 delete mode 100644 roles/packages/defaults/main.yml delete mode 100644 roles/packages/tasks/bindings.yml delete mode 100644 
roles/packages/tasks/update.yml delete mode 100644 roles/packages/vars/main.yml delete mode 100644 roles/sshd/defaults/main.yml delete mode 100644 roles/sshd/tasks/install.yml delete mode 100644 roles/sshd/templates/motd.j2 delete mode 100644 tasks/deploy-ssh-keys.yml rename {roles/docker/tasks => tasks/docker}/install.yml (89%) rename roles/networkd/tasks/main.yml => tasks/networkd/configure.yml (53%) create mode 100644 tasks/networkd/install.yml create mode 100644 tasks/networkd/services.yml rename {roles/packages/tasks => tasks/packages}/clean.yml (64%) rename roles/packages/tasks/main.yml => tasks/packages/install.yml (68%) rename {roles/packages/tasks => tasks/packages}/repos.yml (77%) create mode 100644 tasks/packages/update.yml delete mode 100644 tasks/preprocess-users.yml create mode 100644 tasks/sshd/banner.yml rename roles/sshd/tasks/main.yml => tasks/sshd/secure.yml (72%) diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml deleted file mode 100644 index 05ecfa7..0000000 --- a/roles/docker/tasks/main.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- -- import_tasks: install.yml - -- name: Start and enable docker service - become: true - systemd: - name: docker - state: started - enabled: yes - -- import_tasks: tasks/preprocess-users.yml - -- name: Add superusers to the docker group - become: true - user: - name: "{{ item.name }}" - groups: docker - append: yes - loop: "{{ _users_local_admin }}" diff --git a/roles/networkd/defaults/main.yml b/roles/networkd/defaults/main.yml deleted file mode 100644 index f0e20b5..0000000 --- a/roles/networkd/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -omni_restart_services: false diff --git a/roles/networkd/tasks/packages.yml b/roles/networkd/tasks/packages.yml deleted file mode 100644 index 6a047e9..0000000 --- a/roles/networkd/tasks/packages.yml +++ /dev/null 
@@ -1,38 +0,0 @@ ---- -- name: Install networkd on Fedora - when: ansible_distribution == "Fedora" - become: true - dnf: - state: latest - name: - - systemd-resolved - - systemd-networkd - -- name: Install networkd on CentOS 7 - when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7" - become: true - yum: - state: latest - name: - - systemd-resolved - - systemd-networkd - -- name: Install networkd on CentOS 8 - when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8" - become: true - block: - # The systemd-networkd EPEL package is currently in the testing phase, so we have - # to enable the testing EPEL repo to install it. Note that this is also done in - # the packages role - # https://bugzilla.redhat.com/show_bug.cgi?id=1789146 - - name: Enable EPEL-Testing repository on CentOS 8s - lineinfile: - path: /etc/yum.repos.d/epel-testing.repo - regexp: "enabled=(0|1)" - line: "enabled=1" - insertbefore: "^$" - firstmatch: true - - name: Install networkd - dnf: - state: latest - name: systemd-networkd diff --git a/roles/networkd/tasks/services.yml b/roles/networkd/tasks/services.yml deleted file mode 100644 index 428f085..0000000 --- a/roles/networkd/tasks/services.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -- name: Disable NetworkManager - become: true - systemd: - name: "{{ item }}" - enabled: false - loop: - - NetworkManager - - NetworkManager-wait-online - -- name: Enable systemd-networkd - become: true - systemd: - name: "{{ item }}" - enabled: true - loop: - - systemd-networkd - - systemd-resolved - - systemd-networkd-wait-online - -- name: Stop NetworkManager - when: omni_restart_services == true - become: true - systemd: - name: "{{ item }}" - state: stopped - loop: - - NetworkManager - - NetworkManager-wait-online - -- name: Start systemd-networkd - when: omni_restart_services == true - become: true - systemd: - name: "{{ item }}" - state: started - loop: - - systemd-networkd - - systemd-resolved 
diff --git a/roles/networkd/templates/netdev.j2 b/roles/networkd/templates/netdev.j2 deleted file mode 100644 index 3f364b4..0000000 --- a/roles/networkd/templates/netdev.j2 +++ /dev/null @@ -1,9 +0,0 @@ -# ANSIBLE MANAGED FILE - DO NOT EDIT -[NetDev] -Name={{ item.0.key }} -Kind=vlan - -[VLAN] -Id={{ item.1 }} - -# EOF diff --git a/roles/networkd/templates/network.j2 b/roles/networkd/templates/network.j2 deleted file mode 100644 index e251a56..0000000 --- a/roles/networkd/templates/network.j2 +++ /dev/null @@ -1,27 +0,0 @@ -# ANSIBLE MANAGED FILE - DO NOT EDIT -[Match] -Name={{ item.key }} - -[Network] -DHCP={{ 'Yes' if item.value['dhcp'] | default(false) == true else 'No' }} -IPv6AcceptRA={{ 'Yes' if item.value['dhcp6'] | default(false) == true else 'No' }} -{% if item.value['addresses'] is defined %} -{% for ip_addr in item.value['addresses'] %} -Address={{ ip_addr }} -{% endfor %} -{% endif %} -{% if item.value['dns'] is defined %} -{% for dns_server in item.value['dns'] %} -DNS={{ dns_server }} -{% endfor %} -{% endif %} -{% if item.value['gateway'] is defined %} -Gateway={{ item.value['gateway'] }} -{% endif %} -{% if item.value['vlans'] is defined %} -{% for vlan_tag in item.value['vlans'] %} -VLAN={{ item.key }}.{{ vlan_tag }} -{% endfor %} -{% endif %} - -# EOF diff --git a/roles/packages/defaults/main.yml b/roles/packages/defaults/main.yml deleted file mode 100644 index cb40c68..0000000 --- a/roles/packages/defaults/main.yml +++ /dev/null 
@@ -1,14 +0,0 @@ ---- -# Role parameter documentation -# -# omni_pkg_repos - whether to install/enable additional repositories -# omni_pkg_bindings - whether to install required ansible bindings to the system python -# omni_pkg_update - whether to perform a package update -# onni_pkg_clean - whether to force clean the package manager cache -# omni_pkg_exclude - packages to exclude from an update; has no effect if -# ``omni_pkg_update`` is false -omni_pkg_repos: true -omni_pkg_bindings: true -omni_pkg_update: false -omni_pkg_clean: false -omni_pkg_exclude: ["kernel*", "docker-ce"] diff --git a/roles/packages/tasks/bindings.yml b/roles/packages/tasks/bindings.yml deleted file mode 100644 index ddbecb5..0000000 --- a/roles/packages/tasks/bindings.yml +++ /dev/null @@ -1,30 +0,0 @@ ---- -- name: Install CentOS 8 python bindings - when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8" - become: true - dnf: - state: latest - name: - - python3-libselinux - - python3-policycoreutils - - python3-firewall - -- name: Install CentOS 7 python bindings - when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7" - become: true - yum: - state: latest - name: - - libselinux-python - - policycoreutils-python - - python-firewall - -- name: Install Fedora python bindings - when: ansible_distribution == "Fedora" - become: true - dnf: - state: latest - name: - - libselinux-python - - policycoreutils-python - - python3-firewall diff --git a/roles/packages/tasks/update.yml b/roles/packages/tasks/update.yml deleted file mode 100644 index 66c1aed..0000000 --- a/roles/packages/tasks/update.yml +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -# Gotta hate this, but I have to hardcode the systemd exclusion on cent8 -# Because I'm using "janky-systemd-networkd-2-the-jankening" (see the networkd role) -# there are a pile of conflicts when you run "dnf update" with it installed. I found -# two options that work: 1) uninstall systemd-networkd, update, then reinstall it; -# 2) hardcode the exclusion here. Whenever I thought too hard about the potential -# consequences of instituting uninstalling-my-network-init-system-as-a-service I -# started to get a migaine, so I went with option two. -- name: Upgrade Fedora and CentOS 8 packages - when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8" - become: true - dnf: - state: latest - name: "*" - exclude: "{{ ','.join(omni_pkg_exclude + ['systemd*']) }}" - -- name: Upgrade CentOS 7 packages - when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7" - become: true - yum: - state: latest - name: "*" - exclude: "{{ ','.join(omni_pkg_exclude) }}" - -- name: Upgrade Fedora packages - when: ansible_distribution == "Fedora" - become: true - dnf: - state: latest - name: "*" - exclude: "{{ ','.join(omni_pkg_exclude) }}" - -# Yeah I'll get here eventually -# - name: Upgrade APT packages -# when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu" -# become: true -# apt: diff --git a/roles/packages/vars/main.yml b/roles/packages/vars/main.yml deleted file mode 100644 index e1f0090..0000000 --- a/roles/packages/vars/main.yml +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -omni_packages_global: - - automake - - cmake - - curl - - gcc - - gcc-c++ - - git - - make - - nano - - openssl-devel - - systemd-devel - - unzip - - vim - - vim-minimal - -omni_packages_fedora: - - libselinux-python - - git-lfs - - readline-devel - - policycoreutils-python - - python-devel - - python-virtualenv - - python3-devel - -omni_packages_centos_8: - - bind-utils - - bash-completion - - nc - - nfs-utils - - python3 - - python3-pip - - python3-setuptools - - python3-virtualenv - - wget - -omni_packages_centos_7: - - bind-utils - - bash-completion - - nc - - nfs-utils - - python3 - - python3-pip - - python3-setuptools - - python3-virtualenv - - wget diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml deleted file mode 100644 index 4042d3a..0000000 --- a/roles/sshd/defaults/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -omni_restart_services: false -omni_ssh_enabled: true diff --git a/roles/sshd/tasks/install.yml b/roles/sshd/tasks/install.yml deleted file mode 100644 index 1607095..0000000 --- a/roles/sshd/tasks/install.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- -- name: Install OpenSSH server on Fedora and CentOS 8 - when: ansible_distribution == "Fedora" or (ansible_distribution == "CentOS" and ansible_distribution_major_version == "8") - become: true - dnf: - name: openssh-server - state: latest - -- name: Install OpenSSH server on CentOS 7 - when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7" - become: true - yum: - name: openssh-server - state: latest diff --git a/roles/sshd/templates/motd.j2 b/roles/sshd/templates/motd.j2 deleted file mode 100644 index 4fdc8aa..0000000 --- a/roles/sshd/templates/motd.j2 +++ /dev/null 
@@ -1,7 +0,0 @@ - - //////////// //// //// /////////// - //// ////// //// //// //// - //////// //// /// //// /////////// - //// //// ////// //// - //////////// //// //// {{ omni_description | default('Omni Network System') }} - _______________________________{{ omni_description | default('Omni Network System') | length * '\\' }}\ diff --git a/tasks/centos-8-kernelplus.yml b/tasks/centos-8-kernelplus.yml index ef67138..15acac9 100644 --- a/tasks/centos-8-kernelplus.yml +++ b/tasks/centos-8-kernelplus.yml 
@@ -1,62 +1,61 @@ --- -- name: Disable kernel installation from base repository +# This is a workaround for Cent8 removing drivers from the kernel that are required for +# my RAID cards to work. Kernel-Plus includes the drivers, thus one of the first things +# we need to do is to replace the kernel before doing an update. +- name: Replace default kernel with kernel-plus on CentOS 8 + when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8" become: true - lineinfile: - path: /etc/yum.repos.d/CentOS-Base.repo - line: exclude=kernel* + block: + - name: Disable kernel installation from base repository + lineinfile: + path: /etc/yum.repos.d/CentOS-Base.repo + line: exclude=kernel* -- name: Enable Centos-plus repository - become: true - lineinfile: - path: /etc/yum.repos.d/CentOS-centosplus.repo - regexp: "#?enabled=(0|1)" - line: enabled=1 + - name: Enable Centos-plus repository + lineinfile: + path: /etc/yum.repos.d/CentOS-centosplus.repo + regexp: "#?enabled=(0|1)" + line: enabled=1 -- name: Enable kernel installation from plus repository - become: true - lineinfile: - path: /etc/yum.repos.d/CentOS-centosplus.repo - line: includepkgs=kernel* + - name: Enable kernel installation from plus repository + lineinfile: + path: /etc/yum.repos.d/CentOS-centosplus.repo + line: includepkgs=kernel* -# Note that the order of the next four tasks is very specific and intentional -# See this wiki page: https://plone.lucidsolutions.co.nz/linux/centos/7/install-centos-plus-kernel-kernel-plus/view -- name: Install kernel-plus - become: true - dnf: - name: - - kernel-plus - - kernel-plus-devel - state: latest - register: _dnf_kernel_plus + # Note that the order of the next four tasks is very specific and intentional + # See this wiki page: https://plone.lucidsolutions.co.nz/linux/centos/7/install-centos-plus-kernel-kernel-plus/view + - name: Install kernel-plus + dnf: + state: "{{ _runtime_update_state }}" + name: + - kernel-plus + - kernel-plus-devel + 
register: _dnf_kernel_plus -- name: Uninstall kernel-tools - become: true - dnf: - name: - - kernel-tools - - kernel-tools-libs - state: absent + - name: Uninstall kernel-tools + dnf: + name: + - kernel-tools + - kernel-tools-libs + state: absent -- name: Install kernel-plus-tools - become: true - dnf: - name: - - kernel-plus-tools - - kernel-plus-tools-libs - state: latest + - name: Install kernel-plus-tools + dnf: + state: "{{ _runtime_update_state }}" + name: + - kernel-plus-tools + - kernel-plus-tools-libs -- name: Reboot into new kernel - become: true - when: _dnf_kernel_plus.changed is true and "centos.plus" not in ansible_kernel - reboot: - reboot_timeout: 3600 + - name: Reboot into new kernel + when: _dnf_kernel_plus.changed is true and "centos.plus" not in ansible_kernel + reboot: + reboot_timeout: 3600 -- name: Uninstall kernel - become: true - dnf: - name: - - kernel - - kernel-devel - - kernel-core - - kernel-modules - state: absent + - name: Uninstall kernel + dnf: + state: absent + name: + - kernel + - kernel-devel + - kernel-core + - kernel-modules diff --git a/tasks/deploy-ssh-keys.yml b/tasks/deploy-ssh-keys.yml deleted file mode 100644 index 3b4b2b0..0000000 --- a/tasks/deploy-ssh-keys.yml +++ /dev/null @@ -1,29 +0,0 @@ ---- -- name: Create SSH directory - become: true - file: - path: /home/{{ item.name }}/.ssh - state: directory - owner: "{{ item.name }}" - group: "{{ item.name }}" - mode: 0755 - loop: "{{ _users_local }}" - -- name: Update authorized keys - become: true - authorized_key: - user: "{{ item.name }}" - key: "{{ item.sshkeys | join('\n') }}" - state: present - exclusive: true - loop: "{{ _users_local }}" - -- name: Enforce ownership of authorized keys - become: true - file: - path: /home/{{ item.name }}/.ssh/authorized_keys - state: touch - owner: "{{ item.name }}" - group: "{{ item.name }}" - mode: 0444 - loop: "{{ _users_local }}" 
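Review bot: `state: "{{ _runtime_update_state }}"` on the kernel-plus and kernel-plus-tools tasks depends on a variable that nothing in this patch defines or defaults, so the block fails with an undefined-variable error unless every calling play sets it. Either guard each use, `state: "{{ _runtime_update_state | default('present') }}"`, or document the contract in a comment above the first task, e.g. `# _runtime_update_state must be set by the calling play ('present' or 'latest')`. The same undocumented dependency appears on the templated `state:` lines in tasks/docker/install.yml, tasks/networkd/install.yml and tasks/packages/install.yml.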
diff --git a/roles/docker/tasks/install.yml b/tasks/docker/install.yml similarity index 89% rename from roles/docker/tasks/install.yml rename to tasks/docker/install.yml index b8fbaf5..fdd1423 100644 --- a/roles/docker/tasks/install.yml +++ b/tasks/docker/install.yml @@ -15,8 +15,8 @@ when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7" yum: # Update the cache to update with the new docker repo - update_cache: yes - state: latest + update_cache: true + state: "{{ _runtime_update_state }}" name: - device-mapper-persistent-data # Required for docker devicestorage driver - lvm2 # same @@ -28,8 +28,8 @@ when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8" dnf: # Update the cache to update with the new docker repo - update_cache: yes - state: latest + update_cache: true + state: "{{ _runtime_update_state }}" name: - device-mapper-persistent-data # Required for docker devicestorage driver - lvm2 # same diff --git a/roles/networkd/tasks/main.yml b/tasks/networkd/configure.yml similarity index 53% rename from roles/networkd/tasks/main.yml rename to tasks/networkd/configure.yml index 2784762..84028bd 100644 --- a/roles/networkd/tasks/main.yml +++ b/tasks/networkd/configure.yml @@ -1,6 +1,4 @@ --- -- import_tasks: packages.yml - - name: Configure networking via systemd become: true when: omni_networking is defined 
@@ -13,33 +11,14 @@ - name: Make network files template: - src: network.j2 + src: networkd/network.j2 dest: "/etc/systemd/network/{{ item.key }}.network" mode: 0644 loop: "{{ omni_networking | dict2items }}" - name: Make netdev files template: - src: netdev.j2 + src: networkd/netdev.j2 dest: "/etc/systemd/network/{{ item.0.key + '.' + item.1 }}.netdev" mode: 0644 loop: "{{ omni_networking | dict2items | subelements('value.vlans', true) }}" - -- import_tasks: services.yml - -- name: Symlink so systemd-resolved uses /etc/resolv.conf - become: true - file: - dest: /etc/resolv.conf - src: /run/systemd/resolve/resolv.conf - state: link - force: true - setype: net_conf_t - -- name: Symlink so /etc/resolv.conf uses systemd - become: true - file: - dest: /etc/systemd/system/multi-user.target.wants/systemd-resolved.service - src: /usr/lib/systemd/system/systemd-resolved.service - state: link - force: true diff --git a/tasks/networkd/install.yml b/tasks/networkd/install.yml new file mode 100644 index 0000000..cfadff0 --- /dev/null +++ b/tasks/networkd/install.yml @@ -0,0 +1,26 @@ +--- +- name: Install systemd-networkd on CentOS 7 + when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7" + become: true + yum: + state: "{{ _runtime_update_state }}" + name: + - systemd-networkd + - systemd-resolved + +- name: Install systemd-networkd on CentOS 8 + when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8" + become: true + dnf: + state: "{{ _runtime_update_state }}" + name: systemd-networkd + + +- name: Install systemd-networkd on Fedora + when: ansible_distribution == "Fedora" and ansible_distribution_major_version == "8" + become: true + dnf: + state: "{{ _runtime_update_state }}" + name: + - systemd-networkd + - systemd-resolved diff --git a/tasks/networkd/services.yml b/tasks/networkd/services.yml new file mode 100644 index 0000000..ced87fa --- /dev/null +++ b/tasks/networkd/services.yml 
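Review bot: The template sources now point at `networkd/network.j2` and `networkd/netdev.j2`, but this patch deletes roles/networkd/templates/network.j2 and netdev.j2 and adds nothing under a `templates/networkd/` directory, so both template tasks will fail with a missing-source error unless those files already exist outside this diff. The same gap affects tasks/sshd/banner.yml, whose `src: motd.j2` loses roles/sshd/templates/motd.j2 in this patch. Moving the three templates into the top-level templates tree in the same commit, or stating in the description where they now live, would close it.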
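Review bot: The Fedora task can never run: its condition `ansible_distribution == "Fedora" and ansible_distribution_major_version == "8"` requires a Fedora major version of 8, while current Fedora releases carry two-digit version numbers, so the conjunction is always false. Dropping the second clause, `when: ansible_distribution == "Fedora"`, matches the Fedora condition used in tasks/packages/update.yml. Separately, the CentOS 8 task installs only `systemd-networkd` while the CentOS 7 and Fedora tasks also install `systemd-resolved`; if that asymmetry is deliberate (resolved presumably shipping with the base systemd package there), a one-line comment saying so would save the next reader the question. There is also a double blank line between the CentOS 8 and Fedora tasks.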
@@ -0,0 +1,36 @@ +--- +- name: Disable NetworkManager + become: true + systemd: + name: "{{ item }}" + enabled: false + loop: + - NetworkManager + - NetworkManager-wait-online + +- name: Enable systemd-networkd + become: true + systemd: + name: "{{ item }}" + enabled: true + loop: + - systemd-networkd + - systemd-resolved + - systemd-networkd-wait-online + +- name: Symlink so systemd-resolved uses /etc/resolv.conf + become: true + file: + dest: /etc/resolv.conf + src: /run/systemd/resolve/resolv.conf + state: link + force: true + setype: net_conf_t + +- name: Symlink so /etc/resolv.conf uses systemd + become: true + file: + dest: /etc/systemd/system/multi-user.target.wants/systemd-resolved.service + src: /usr/lib/systemd/system/systemd-resolved.service + state: link + force: true diff --git a/roles/packages/tasks/clean.yml b/tasks/packages/clean.yml similarity index 64% rename from roles/packages/tasks/clean.yml rename to tasks/packages/clean.yml index e0a03c7..6844dd4 100644 --- a/roles/packages/tasks/clean.yml +++ b/tasks/packages/clean.yml @@ -1,14 +1,17 @@ --- -- name: Clean DNF cache - become: true +# I'm honestly not sure why these 304 warnings are being raised by the linter here... +- name: Clean DNF cache # noqa: 304 when: ansible_distribution == "Fedora" or (ansible_distribution == "CentOS" and ansible_distribution_major_version == "8") + become: true command: cmd: /usr/bin/dnf clean all warn: false + changed_when: true -- name: Clean YUM cache - become: true +- name: Clean YUM cache # noqa: 304 when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7" + become: true command: cmd: /usr/bin/yum clean all warn: false + changed_when: true diff --git a/roles/packages/tasks/main.yml b/tasks/packages/install.yml similarity index 68% rename from roles/packages/tasks/main.yml rename to tasks/packages/install.yml index ae753f6..69ff429 100644 --- a/roles/packages/tasks/main.yml +++ b/tasks/packages/install.yml 
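Review bot: The last task, `Symlink so /etc/resolv.conf uses systemd`, hand-creates the `multi-user.target.wants/systemd-resolved.service` symlink that the `Enable systemd-networkd` task above already creates through `systemd: enabled: true`, and its name describes the preceding resolv.conf task rather than what it does. A manually managed wants-symlink can drift from what the unit's `[Install]` section declares, so the task looks redundant and could be dropped. If it is kept as a belt-and-braces measure, rename it to something like `Ensure systemd-resolved is wanted by multi-user.target` and add a comment explaining why the systemd module's enable is not relied on.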
@@ -1,23 +1,3 @@ ---- -- import_tasks: bindings.yml - when: omni_pkg_bindings == true - -- import_tasks: repos.yml - when: omni_pkg_repos == true - -- import_tasks: clean.yml - when: omni_pkg_clean == true - -- import_tasks: update.yml - when: omni_pkg_update == true - -- name: Install packages on Fedora - become: true - when: ansible_distribution == "Fedora" - dnf: - state: latest - name: "{{ omni_packages_global + omni_packages_fedora }}" - # NOTE: This is currently horrifically broken. See the ongoing drama around # systemd-networkd on cent8. Basically triggering an update- or an install- will give # a conflict error due to the spicy-jankaroni-with-extra-cheese edition of @@ -30,12 +10,12 @@ become: true when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8" dnf: - state: latest + state: "{{ _runtime_update_state }}" name: "{{ omni_packages_global + omni_packages_centos_8 }}" - name: Install packages on CentOS 7 become: true when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7" yum: - state: latest + state: "{{ _runtime_update_state }}" name: "{{ omni_packages_global + omni_packages_centos_7 }}" diff --git a/roles/packages/tasks/repos.yml b/tasks/packages/repos.yml similarity index 77% rename from roles/packages/tasks/repos.yml rename to tasks/packages/repos.yml index 213bfbe..4f71ca6 100644 --- a/roles/packages/tasks/repos.yml +++ b/tasks/packages/repos.yml 
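Review bot: The `name:` lists on both remaining tasks still reference `omni_packages_global`, `omni_packages_centos_8` and `omni_packages_centos_7`, but this patch deletes roles/packages/vars/main.yml, their only definition visible here, and adds nothing that redefines them. Unless they are now supplied from a vars file outside this diff, both tasks fail on an undefined variable. Moving the package lists into a top-level vars file in this commit, or guarding the expressions with `| default([])` and documenting where the lists are expected to come from, keeps the tasks runnable; `omni_pkg_exclude` in tasks/packages/update.yml received exactly such a default.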
@@ -5,14 +5,16 @@ block: - name: Enable Extra Packages for Enterprise Linux on CentOS 8 dnf: - state: latest + state: present name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm - - name: Enable EPEL-Testing repository on CentOS 8s + # The testing repo had to be enabled for a previous version of systemd-networkd + # to be installed + - name: Disable EPEL-Testing repository on CentOS 8 lineinfile: path: /etc/yum.repos.d/epel-testing.repo regexp: "enabled=(0|1)" - line: "enabled=1" + line: "enabled=0" insertbefore: "^$" firstmatch: true @@ -25,6 +27,6 @@ - name: Enable Extra Packages for Enterprise Linux on CentOS 7 become: true when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7" - dnf: - state: latest - name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpmz + yum: + state: present + name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm diff --git a/tasks/packages/update.yml b/tasks/packages/update.yml new file mode 100644 index 0000000..d109c4e --- /dev/null +++ b/tasks/packages/update.yml 
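Review bot: Both EPEL tasks install `epel-release` straight from a URL, and a package given as a URL is treated like a local package by yum and dnf, so its signature is not checked unless `localpkg_gpgcheck` is enabled (it is off by default); a tampered download or a bad mirror would be installed as root with no integrity check. `epel-release` is published in the CentOS `extras` repository on both 7 and 8, where the repository `gpgcheck` applies, so `name: epel-release` with `state: present` is both simpler and verified; if the URL form must stay, a comment stating that the download is unverified would at least make the trade-off visible. The `Disable EPEL-Testing repository` task only rewrites the first `enabled=` line of epel-testing.repo (`firstmatch: true`), so any later sections of that file keep their existing value; presumably fine, but worth a comment if intentional.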
@@ -0,0 +1,32 @@ +--- +# Ansible Lint 403 ("Package installs should not use latest") is silenced here because +# it would defeat the point otherwise +- name: Upgrade Fedora and CentOS 8 packages # noqa: 403 + when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8" + become: true + dnf: + state: latest + name: "*" + exclude: "{{ ','.join(omni_pkg_exclude | default(['kernel*', 'docker-ce'])) }}" + +- name: Upgrade CentOS 7 packages # noqa: 403 + when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7" + become: true + yum: + state: latest + name: "*" + exclude: "{{ ','.join(omni_pkg_exclude | default(['kernel*', 'docker-ce'])) }}" + +- name: Upgrade Fedora packages # noqa: 403 + when: ansible_distribution == "Fedora" + become: true + dnf: + state: latest + name: "*" + exclude: "{{ ','.join(omni_pkg_exclude | default(['kernel*', 'docker-ce'])) }}" + +# Yeah I'll get here eventually +# - name: Upgrade APT packages +# when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu" +# become: true +# apt: diff --git a/tasks/preprocess-users.yml b/tasks/preprocess-users.yml deleted file mode 100644 index 74a6f69..0000000 --- a/tasks/preprocess-users.yml +++ /dev/null 
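Review bot: The first task's name, `Upgrade Fedora and CentOS 8 packages`, does not match its condition, which is restricted to CentOS 8, and Fedora has its own task below; `- name: Upgrade CentOS 8 packages # noqa: 403` keeps the log honest. The exclude default is repeated verbatim three times and is built with Python's `','.join(...)` rather than the Ansible filter; defining it once with a `set_fact` at the top of the file and writing `exclude: "{{ _pkg_exclude | join(',') }}"` in each task is the idiomatic form and stops the three copies drifting. The CentOS 8 task also no longer excludes `systemd*`, which the deleted roles/packages/tasks/update.yml hard-coded because of the EPEL-testing systemd-networkd conflict; if disabling EPEL-testing in tasks/packages/repos.yml makes that obsolete, a short comment here saying so would preempt the question.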
@@ -1,39 +0,0 @@ ---- -- name: Load users variables - include_vars: - file: users.yml - -- name: Reconcile user targets with host targets to get host users - set_fact: - _users_local: >- - {{ - _users_local | default([]) + ([item] if item.targets | intersect(omni_local_targets) else []) - }} - loop: "{{ omni_users }}" - -- name: Determine local user names - set_fact: - _users_local_names: "{{ _users_local_names | default([]) + [item.name] }}" - loop: "{{ _users_local }}" - -- name: Determine administrative users - set_fact: - _users_local_admin: >- - {{ - _users_local_admin | default([]) + ([item] if item.admin | default(False) else []) - }} - loop: "{{ _users_local }}" - -- name: Determine existing users - shell: 'grep omni /etc/group | cut -d: -f4 | tr "," "\n"' - changed_when: false - register: _users_local_existing - -- name: Determine removed users - set_fact: - _users_local_removed: >- - {{ - _users_local_removed | default([]) + - ([item] if item not in _users_local_names else []) - }} - loop: "{{ _users_local_existing.stdout_lines }}" diff --git a/tasks/sshd/banner.yml b/tasks/sshd/banner.yml new file mode 100644 index 0000000..2a4c0f5 --- /dev/null +++ b/tasks/sshd/banner.yml @@ -0,0 +1,7 @@ +--- +- name: Install SSH Banner + become: true + template: + src: motd.j2 + dest: /etc/issue.net + mode: 0644 diff --git a/roles/sshd/tasks/main.yml b/tasks/sshd/secure.yml similarity index 72% rename from roles/sshd/tasks/main.yml rename to tasks/sshd/secure.yml index 06c54c3..df2493b 100644 --- a/roles/sshd/tasks/main.yml +++ b/tasks/sshd/secure.yml @@ -1,13 +1,4 @@ --- -- import_tasks: install.yml - -- name: Install SSH Banner - become: true - template: - src: motd.j2 - dest: /etc/issue.net - mode: 0644 - - name: Set parameters in sshd config become: true lineinfile: 
@@ -26,10 +17,13 @@ set: "GSSAPIAuthentication no" - match: "#?ChallengeResponseAuthentication (yes|no)" set: "ChallengeResponseAuthentication no" + loop_control: + label: "{{ item.set }}" + register: _sshd_config_result - name: Restart sshd service + when: _sshd_config_result.changed become: true systemd: name: sshd - state: "{{ 'restarted' if omni_restart_services == true else 'started' }}" - enabled: "{{ omni_ssh_enabled }}" + state: restarted
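Review bot: sshd is now restarted whenever the lineinfile loop reports a change, but nothing checks that the edited sshd_config still parses, so a bad `set:` value or an unexpected existing line takes sshd down on restart and the next SSH login is locked out. Adding `validate: /usr/sbin/sshd -t -f %s` to the lineinfile task makes each edit a no-op when the resulting file fails `sshd -t`, leaving the running daemon untouched; that task starts in the previous hunk and its body lies outside this one. The restart task also dropped `enabled:`, so unit enablement is no longer managed in this file; if that is intentional, a comment noting where it is handled would help.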