Overhaul reuse structure from role to task orientation
The overall configuration this will end up with is nowhere near complicated enough to require the segmented structure of roles; a single directory of reusable tasks and resources will serve much better.
This commit is contained in:
parent
5df550669a
commit
f1639dce1e
@ -1,19 +0,0 @@
|
|||||||
---
|
|
||||||
- import_tasks: install.yml
|
|
||||||
|
|
||||||
- name: Start and enable docker service
|
|
||||||
become: true
|
|
||||||
systemd:
|
|
||||||
name: docker
|
|
||||||
state: started
|
|
||||||
enabled: yes
|
|
||||||
|
|
||||||
- import_tasks: tasks/preprocess-users.yml
|
|
||||||
|
|
||||||
- name: Add superusers to the docker group
|
|
||||||
become: true
|
|
||||||
user:
|
|
||||||
name: "{{ item.name }}"
|
|
||||||
groups: docker
|
|
||||||
append: yes
|
|
||||||
loop: "{{ _users_local_admin }}"
|
|
@ -1,2 +0,0 @@
|
|||||||
---
|
|
||||||
omni_restart_services: false
|
|
@ -1,38 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Install networkd on Fedora
|
|
||||||
when: ansible_distribution == "Fedora"
|
|
||||||
become: true
|
|
||||||
dnf:
|
|
||||||
state: latest
|
|
||||||
name:
|
|
||||||
- systemd-resolved
|
|
||||||
- systemd-networkd
|
|
||||||
|
|
||||||
- name: Install networkd on CentOS 7
|
|
||||||
when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
|
|
||||||
become: true
|
|
||||||
yum:
|
|
||||||
state: latest
|
|
||||||
name:
|
|
||||||
- systemd-resolved
|
|
||||||
- systemd-networkd
|
|
||||||
|
|
||||||
- name: Install networkd on CentOS 8
|
|
||||||
when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
|
|
||||||
become: true
|
|
||||||
block:
|
|
||||||
# The systemd-networkd EPEL package is currently in the testing phase, so we have
|
|
||||||
# to enable the testing EPEL repo to install it. Note that this is also done in
|
|
||||||
# the packages role
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1789146
|
|
||||||
- name: Enable EPEL-Testing repository on CentOS 8s
|
|
||||||
lineinfile:
|
|
||||||
path: /etc/yum.repos.d/epel-testing.repo
|
|
||||||
regexp: "enabled=(0|1)"
|
|
||||||
line: "enabled=1"
|
|
||||||
insertbefore: "^$"
|
|
||||||
firstmatch: true
|
|
||||||
- name: Install networkd
|
|
||||||
dnf:
|
|
||||||
state: latest
|
|
||||||
name: systemd-networkd
|
|
@ -1,39 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Disable NetworkManager
|
|
||||||
become: true
|
|
||||||
systemd:
|
|
||||||
name: "{{ item }}"
|
|
||||||
enabled: false
|
|
||||||
loop:
|
|
||||||
- NetworkManager
|
|
||||||
- NetworkManager-wait-online
|
|
||||||
|
|
||||||
- name: Enable systemd-networkd
|
|
||||||
become: true
|
|
||||||
systemd:
|
|
||||||
name: "{{ item }}"
|
|
||||||
enabled: true
|
|
||||||
loop:
|
|
||||||
- systemd-networkd
|
|
||||||
- systemd-resolved
|
|
||||||
- systemd-networkd-wait-online
|
|
||||||
|
|
||||||
- name: Stop NetworkManager
|
|
||||||
when: omni_restart_services == true
|
|
||||||
become: true
|
|
||||||
systemd:
|
|
||||||
name: "{{ item }}"
|
|
||||||
state: stopped
|
|
||||||
loop:
|
|
||||||
- NetworkManager
|
|
||||||
- NetworkManager-wait-online
|
|
||||||
|
|
||||||
- name: Start systemd-networkd
|
|
||||||
when: omni_restart_services == true
|
|
||||||
become: true
|
|
||||||
systemd:
|
|
||||||
name: "{{ item }}"
|
|
||||||
state: started
|
|
||||||
loop:
|
|
||||||
- systemd-networkd
|
|
||||||
- systemd-resolved
|
|
@ -1,9 +0,0 @@
|
|||||||
# ANSIBLE MANAGED FILE - DO NOT EDIT
|
|
||||||
[NetDev]
|
|
||||||
Name={{ item.0.key }}
|
|
||||||
Kind=vlan
|
|
||||||
|
|
||||||
[VLAN]
|
|
||||||
Id={{ item.1 }}
|
|
||||||
|
|
||||||
# EOF
|
|
@ -1,27 +0,0 @@
|
|||||||
# ANSIBLE MANAGED FILE - DO NOT EDIT
|
|
||||||
[Match]
|
|
||||||
Name={{ item.key }}
|
|
||||||
|
|
||||||
[Network]
|
|
||||||
DHCP={{ 'Yes' if item.value['dhcp'] | default(false) == true else 'No' }}
|
|
||||||
IPv6AcceptRA={{ 'Yes' if item.value['dhcp6'] | default(false) == true else 'No' }}
|
|
||||||
{% if item.value['addresses'] is defined %}
|
|
||||||
{% for ip_addr in item.value['addresses'] %}
|
|
||||||
Address={{ ip_addr }}
|
|
||||||
{% endfor %}
|
|
||||||
{% endif %}
|
|
||||||
{% if item.value['dns'] is defined %}
|
|
||||||
{% for dns_server in item.value['dns'] %}
|
|
||||||
DNS={{ dns_server }}
|
|
||||||
{% endfor %}
|
|
||||||
{% endif %}
|
|
||||||
{% if item.value['gateway'] is defined %}
|
|
||||||
Gateway={{ item.value['gateway'] }}
|
|
||||||
{% endif %}
|
|
||||||
{% if item.value['vlans'] is defined %}
|
|
||||||
{% for vlan_tag in item.value['vlans'] %}
|
|
||||||
VLAN={{ item.key }}.{{ vlan_tag }}
|
|
||||||
{% endfor %}
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
# EOF
|
|
@ -1,14 +0,0 @@
|
|||||||
---
|
|
||||||
# Role parameter documentation
|
|
||||||
#
|
|
||||||
# omni_pkg_repos - whether to install/enable additional repositories
|
|
||||||
# omni_pkg_bindings - whether to install required ansible bindings to the system python
|
|
||||||
# omni_pkg_update - whether to perform a package update
|
|
||||||
# onni_pkg_clean - whether to force clean the package manager cache
|
|
||||||
# omni_pkg_exclude - packages to exclude from an update; has no effect if
|
|
||||||
# ``omni_pkg_update`` is false
|
|
||||||
omni_pkg_repos: true
|
|
||||||
omni_pkg_bindings: true
|
|
||||||
omni_pkg_update: false
|
|
||||||
omni_pkg_clean: false
|
|
||||||
omni_pkg_exclude: ["kernel*", "docker-ce"]
|
|
@ -1,30 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Install CentOS 8 python bindings
|
|
||||||
when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
|
|
||||||
become: true
|
|
||||||
dnf:
|
|
||||||
state: latest
|
|
||||||
name:
|
|
||||||
- python3-libselinux
|
|
||||||
- python3-policycoreutils
|
|
||||||
- python3-firewall
|
|
||||||
|
|
||||||
- name: Install CentOS 7 python bindings
|
|
||||||
when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
|
|
||||||
become: true
|
|
||||||
yum:
|
|
||||||
state: latest
|
|
||||||
name:
|
|
||||||
- libselinux-python
|
|
||||||
- policycoreutils-python
|
|
||||||
- python-firewall
|
|
||||||
|
|
||||||
- name: Install Fedora python bindings
|
|
||||||
when: ansible_distribution == "Fedora"
|
|
||||||
become: true
|
|
||||||
dnf:
|
|
||||||
state: latest
|
|
||||||
name:
|
|
||||||
- libselinux-python
|
|
||||||
- policycoreutils-python
|
|
||||||
- python3-firewall
|
|
@ -1,37 +0,0 @@
|
|||||||
---
|
|
||||||
# Gotta hate this, but I have to hardcode the systemd exclusion on cent8
|
|
||||||
# Because I'm using "janky-systemd-networkd-2-the-jankening" (see the networkd role)
|
|
||||||
# there are a pile of conflicts when you run "dnf update" with it installed. I found
|
|
||||||
# two options that work: 1) uninstall systemd-networkd, update, then reinstall it;
|
|
||||||
# 2) hardcode the exclusion here. Whenever I thought too hard about the potential
|
|
||||||
# consequences of instituting uninstalling-my-network-init-system-as-a-service I
|
|
||||||
# started to get a migaine, so I went with option two.
|
|
||||||
- name: Upgrade Fedora and CentOS 8 packages
|
|
||||||
when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
|
|
||||||
become: true
|
|
||||||
dnf:
|
|
||||||
state: latest
|
|
||||||
name: "*"
|
|
||||||
exclude: "{{ ','.join(omni_pkg_exclude + ['systemd*']) }}"
|
|
||||||
|
|
||||||
- name: Upgrade CentOS 7 packages
|
|
||||||
when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
|
|
||||||
become: true
|
|
||||||
yum:
|
|
||||||
state: latest
|
|
||||||
name: "*"
|
|
||||||
exclude: "{{ ','.join(omni_pkg_exclude) }}"
|
|
||||||
|
|
||||||
- name: Upgrade Fedora packages
|
|
||||||
when: ansible_distribution == "Fedora"
|
|
||||||
become: true
|
|
||||||
dnf:
|
|
||||||
state: latest
|
|
||||||
name: "*"
|
|
||||||
exclude: "{{ ','.join(omni_pkg_exclude) }}"
|
|
||||||
|
|
||||||
# Yeah I'll get here eventually
|
|
||||||
# - name: Upgrade APT packages
|
|
||||||
# when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"
|
|
||||||
# become: true
|
|
||||||
# apt:
|
|
@ -1,46 +0,0 @@
|
|||||||
---
|
|
||||||
omni_packages_global:
|
|
||||||
- automake
|
|
||||||
- cmake
|
|
||||||
- curl
|
|
||||||
- gcc
|
|
||||||
- gcc-c++
|
|
||||||
- git
|
|
||||||
- make
|
|
||||||
- nano
|
|
||||||
- openssl-devel
|
|
||||||
- systemd-devel
|
|
||||||
- unzip
|
|
||||||
- vim
|
|
||||||
- vim-minimal
|
|
||||||
|
|
||||||
omni_packages_fedora:
|
|
||||||
- libselinux-python
|
|
||||||
- git-lfs
|
|
||||||
- readline-devel
|
|
||||||
- policycoreutils-python
|
|
||||||
- python-devel
|
|
||||||
- python-virtualenv
|
|
||||||
- python3-devel
|
|
||||||
|
|
||||||
omni_packages_centos_8:
|
|
||||||
- bind-utils
|
|
||||||
- bash-completion
|
|
||||||
- nc
|
|
||||||
- nfs-utils
|
|
||||||
- python3
|
|
||||||
- python3-pip
|
|
||||||
- python3-setuptools
|
|
||||||
- python3-virtualenv
|
|
||||||
- wget
|
|
||||||
|
|
||||||
omni_packages_centos_7:
|
|
||||||
- bind-utils
|
|
||||||
- bash-completion
|
|
||||||
- nc
|
|
||||||
- nfs-utils
|
|
||||||
- python3
|
|
||||||
- python3-pip
|
|
||||||
- python3-setuptools
|
|
||||||
- python3-virtualenv
|
|
||||||
- wget
|
|
@ -1,3 +0,0 @@
|
|||||||
---
|
|
||||||
omni_restart_services: false
|
|
||||||
omni_ssh_enabled: true
|
|
@ -1,14 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Install OpenSSH server on Fedora and CentOS 8
|
|
||||||
when: ansible_distribution == "Fedora" or (ansible_distribution == "CentOS" and ansible_distribution_major_version == "8")
|
|
||||||
become: true
|
|
||||||
dnf:
|
|
||||||
name: openssh-server
|
|
||||||
state: latest
|
|
||||||
|
|
||||||
- name: Install OpenSSH server on CentOS 7
|
|
||||||
when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
|
|
||||||
become: true
|
|
||||||
yum:
|
|
||||||
name: openssh-server
|
|
||||||
state: latest
|
|
@ -1,7 +0,0 @@
|
|||||||
|
|
||||||
//////////// //// //// ///////////
|
|
||||||
//// ////// //// //// ////
|
|
||||||
//////// //// /// //// ///////////
|
|
||||||
//// //// ////// ////
|
|
||||||
//////////// //// //// {{ omni_description | default('Omni Network System') }}
|
|
||||||
_______________________________{{ omni_description | default('Omni Network System') | length * '\\' }}\
|
|
@ -1,62 +1,61 @@
|
|||||||
---
|
---
|
||||||
- name: Disable kernel installation from base repository
|
# This is a workaround for Cent8 removing drivers from the kernel that are required for
|
||||||
|
# my RAID cards to work. Kernel-Plus includes the drivers, thus one of the first things
|
||||||
|
# we need to do is to replace the kernel before doing an update.
|
||||||
|
- name: Replace default kernel with kernel-plus on CentOS 8
|
||||||
|
when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
|
||||||
become: true
|
become: true
|
||||||
lineinfile:
|
block:
|
||||||
path: /etc/yum.repos.d/CentOS-Base.repo
|
- name: Disable kernel installation from base repository
|
||||||
line: exclude=kernel*
|
lineinfile:
|
||||||
|
path: /etc/yum.repos.d/CentOS-Base.repo
|
||||||
|
line: exclude=kernel*
|
||||||
|
|
||||||
- name: Enable Centos-plus repository
|
- name: Enable Centos-plus repository
|
||||||
become: true
|
lineinfile:
|
||||||
lineinfile:
|
path: /etc/yum.repos.d/CentOS-centosplus.repo
|
||||||
path: /etc/yum.repos.d/CentOS-centosplus.repo
|
regexp: "#?enabled=(0|1)"
|
||||||
regexp: "#?enabled=(0|1)"
|
line: enabled=1
|
||||||
line: enabled=1
|
|
||||||
|
|
||||||
- name: Enable kernel installation from plus repository
|
- name: Enable kernel installation from plus repository
|
||||||
become: true
|
lineinfile:
|
||||||
lineinfile:
|
path: /etc/yum.repos.d/CentOS-centosplus.repo
|
||||||
path: /etc/yum.repos.d/CentOS-centosplus.repo
|
line: includepkgs=kernel*
|
||||||
line: includepkgs=kernel*
|
|
||||||
|
|
||||||
# Note that the order of the next four tasks is very specific and intentional
|
# Note that the order of the next four tasks is very specific and intentional
|
||||||
# See this wiki page: https://plone.lucidsolutions.co.nz/linux/centos/7/install-centos-plus-kernel-kernel-plus/view
|
# See this wiki page: https://plone.lucidsolutions.co.nz/linux/centos/7/install-centos-plus-kernel-kernel-plus/view
|
||||||
- name: Install kernel-plus
|
- name: Install kernel-plus
|
||||||
become: true
|
dnf:
|
||||||
dnf:
|
state: "{{ _runtime_update_state }}"
|
||||||
name:
|
name:
|
||||||
- kernel-plus
|
- kernel-plus
|
||||||
- kernel-plus-devel
|
- kernel-plus-devel
|
||||||
state: latest
|
register: _dnf_kernel_plus
|
||||||
register: _dnf_kernel_plus
|
|
||||||
|
|
||||||
- name: Uninstall kernel-tools
|
- name: Uninstall kernel-tools
|
||||||
become: true
|
dnf:
|
||||||
dnf:
|
name:
|
||||||
name:
|
- kernel-tools
|
||||||
- kernel-tools
|
- kernel-tools-libs
|
||||||
- kernel-tools-libs
|
state: absent
|
||||||
state: absent
|
|
||||||
|
|
||||||
- name: Install kernel-plus-tools
|
- name: Install kernel-plus-tools
|
||||||
become: true
|
dnf:
|
||||||
dnf:
|
state: "{{ _runtime_update_state }}"
|
||||||
name:
|
name:
|
||||||
- kernel-plus-tools
|
- kernel-plus-tools
|
||||||
- kernel-plus-tools-libs
|
- kernel-plus-tools-libs
|
||||||
state: latest
|
|
||||||
|
|
||||||
- name: Reboot into new kernel
|
- name: Reboot into new kernel
|
||||||
become: true
|
when: _dnf_kernel_plus.changed is true and "centos.plus" not in ansible_kernel
|
||||||
when: _dnf_kernel_plus.changed is true and "centos.plus" not in ansible_kernel
|
reboot:
|
||||||
reboot:
|
reboot_timeout: 3600
|
||||||
reboot_timeout: 3600
|
|
||||||
|
|
||||||
- name: Uninstall kernel
|
- name: Uninstall kernel
|
||||||
become: true
|
dnf:
|
||||||
dnf:
|
state: absent
|
||||||
name:
|
name:
|
||||||
- kernel
|
- kernel
|
||||||
- kernel-devel
|
- kernel-devel
|
||||||
- kernel-core
|
- kernel-core
|
||||||
- kernel-modules
|
- kernel-modules
|
||||||
state: absent
|
|
||||||
|
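Review bot: `line: exclude=kernel*` for `/etc/yum.repos.d/CentOS-Base.repo` has no `regexp` or `insertafter`, so `lineinfile` appends it to the end of the file; a repo option only applies to the `[section]` it sits under, so if that file ever holds more than one section only the last one is actually excluded — anchor it (e.g. `insertafter: '^\[BaseOS\]'`) or use `ini_file` with `section`/`option`/`value`, which is section-aware. The final `Uninstall kernel` task then removes every stock kernel with no `when`, leaving kernel-plus as the only bootable kernel with no fallback boot entry; if that is intentional it deserves a comment such as `# Deliberately no fallback kernel: kernel-plus is the only kernel kept so dnf update cannot drift back to the stock one`. Note that with `exclude=kernel*` in the base repo, kernel security fixes for these hosts now arrive only through `kernel-plus` and only when `_runtime_update_state` is `latest`, which is worth recording next to the `Install kernel-plus` task.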
@ -1,29 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Create SSH directory
|
|
||||||
become: true
|
|
||||||
file:
|
|
||||||
path: /home/{{ item.name }}/.ssh
|
|
||||||
state: directory
|
|
||||||
owner: "{{ item.name }}"
|
|
||||||
group: "{{ item.name }}"
|
|
||||||
mode: 0755
|
|
||||||
loop: "{{ _users_local }}"
|
|
||||||
|
|
||||||
- name: Update authorized keys
|
|
||||||
become: true
|
|
||||||
authorized_key:
|
|
||||||
user: "{{ item.name }}"
|
|
||||||
key: "{{ item.sshkeys | join('\n') }}"
|
|
||||||
state: present
|
|
||||||
exclusive: true
|
|
||||||
loop: "{{ _users_local }}"
|
|
||||||
|
|
||||||
- name: Enforce ownership of authorized keys
|
|
||||||
become: true
|
|
||||||
file:
|
|
||||||
path: /home/{{ item.name }}/.ssh/authorized_keys
|
|
||||||
state: touch
|
|
||||||
owner: "{{ item.name }}"
|
|
||||||
group: "{{ item.name }}"
|
|
||||||
mode: 0444
|
|
||||||
loop: "{{ _users_local }}"
|
|
@ -15,8 +15,8 @@
|
|||||||
when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
|
when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
|
||||||
yum:
|
yum:
|
||||||
# Update the cache to update with the new docker repo
|
# Update the cache to update with the new docker repo
|
||||||
update_cache: yes
|
update_cache: true
|
||||||
state: latest
|
state: "{{ _runtime_update_state }}"
|
||||||
name:
|
name:
|
||||||
- device-mapper-persistent-data # Required for docker devicestorage driver
|
- device-mapper-persistent-data # Required for docker devicestorage driver
|
||||||
- lvm2 # same
|
- lvm2 # same
|
||||||
@ -28,8 +28,8 @@
|
|||||||
when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
|
when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
|
||||||
dnf:
|
dnf:
|
||||||
# Update the cache to update with the new docker repo
|
# Update the cache to update with the new docker repo
|
||||||
update_cache: yes
|
update_cache: true
|
||||||
state: latest
|
state: "{{ _runtime_update_state }}"
|
||||||
name:
|
name:
|
||||||
- device-mapper-persistent-data # Required for docker devicestorage driver
|
- device-mapper-persistent-data # Required for docker devicestorage driver
|
||||||
- lvm2 # same
|
- lvm2 # same
|
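Review bot: `state: "{{ _runtime_update_state }}"` replaces a literal, and nothing in these hunks gives the variable a default, so a play that includes this task file without defining it fails with an undefined-variable error at the first package task instead of falling back to a safe value. If the intent is "install unless an update run is requested", write `state: "{{ _runtime_update_state | default('present') }}"` here, or define the default once in a vars file and name it in a header comment of this task file. The enclosing tasks begin before each hunk, so their `name:`/`when:` lines and any existing default are not visible here.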
@ -1,6 +1,4 @@
|
|||||||
---
|
---
|
||||||
- import_tasks: packages.yml
|
|
||||||
|
|
||||||
- name: Configure networking via systemd
|
- name: Configure networking via systemd
|
||||||
become: true
|
become: true
|
||||||
when: omni_networking is defined
|
when: omni_networking is defined
|
||||||
@ -13,33 +11,14 @@
|
|||||||
|
|
||||||
- name: Make network files
|
- name: Make network files
|
||||||
template:
|
template:
|
||||||
src: network.j2
|
src: networkd/network.j2
|
||||||
dest: "/etc/systemd/network/{{ item.key }}.network"
|
dest: "/etc/systemd/network/{{ item.key }}.network"
|
||||||
mode: 0644
|
mode: 0644
|
||||||
loop: "{{ omni_networking | dict2items }}"
|
loop: "{{ omni_networking | dict2items }}"
|
||||||
|
|
||||||
- name: Make netdev files
|
- name: Make netdev files
|
||||||
template:
|
template:
|
||||||
src: netdev.j2
|
src: networkd/netdev.j2
|
||||||
dest: "/etc/systemd/network/{{ item.0.key + '.' + item.1 }}.netdev"
|
dest: "/etc/systemd/network/{{ item.0.key + '.' + item.1 }}.netdev"
|
||||||
mode: 0644
|
mode: 0644
|
||||||
loop: "{{ omni_networking | dict2items | subelements('value.vlans', true) }}"
|
loop: "{{ omni_networking | dict2items | subelements('value.vlans', true) }}"
|
||||||
|
|
||||||
- import_tasks: services.yml
|
|
||||||
|
|
||||||
- name: Symlink so systemd-resolved uses /etc/resolv.conf
|
|
||||||
become: true
|
|
||||||
file:
|
|
||||||
dest: /etc/resolv.conf
|
|
||||||
src: /run/systemd/resolve/resolv.conf
|
|
||||||
state: link
|
|
||||||
force: true
|
|
||||||
setype: net_conf_t
|
|
||||||
|
|
||||||
- name: Symlink so /etc/resolv.conf uses systemd
|
|
||||||
become: true
|
|
||||||
file:
|
|
||||||
dest: /etc/systemd/system/multi-user.target.wants/systemd-resolved.service
|
|
||||||
src: /usr/lib/systemd/system/systemd-resolved.service
|
|
||||||
state: link
|
|
||||||
force: true
|
|
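Review bot: With `import_tasks: packages.yml` and `import_tasks: services.yml` removed, this file now only renders the `.network`/`.netdev` units and relies on the caller to run `tasks/networkd/install.yml` before it and `tasks/networkd/services.yml` after it, but nothing on the new side records that ordering. Add a header comment under `---` such as `# Expects tasks/networkd/install.yml to have run first and tasks/networkd/services.yml to run afterwards; omni_networking is a dict keyed by interface name` so the dependency survives the move away from roles. `item.key` is written verbatim into the destination path `/etc/systemd/network/{{ item.key }}.network`; that is fine for trusted inventory, but an `assert` on the key format would be cheap insurance if `omni_networking` can come from less-trusted sources. Consider also quoting the two `mode: 0644` values as `mode: "0644"` (ansible-lint's risky-octal rule) — behaviour-neutral, but it removes the YAML 1.1 octal ambiguity. The `Configure networking via systemd` block starts before the second hunk.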
26
tasks/networkd/install.yml
Normal file
26
tasks/networkd/install.yml
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
---
|
||||||
|
- name: Install systemd-networkd on CentOS 7
|
||||||
|
when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
|
||||||
|
become: true
|
||||||
|
yum:
|
||||||
|
state: "{{ _runtime_update_state }}"
|
||||||
|
name:
|
||||||
|
- systemd-networkd
|
||||||
|
- systemd-resolved
|
||||||
|
|
||||||
|
- name: Install systemd-networkd on CentOS 8
|
||||||
|
when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
|
||||||
|
become: true
|
||||||
|
dnf:
|
||||||
|
state: "{{ _runtime_update_state }}"
|
||||||
|
name: systemd-networkd
|
||||||
|
|
||||||
|
|
||||||
|
- name: Install systemd-networkd on Fedora
|
||||||
|
when: ansible_distribution == "Fedora" and ansible_distribution_major_version == "8"
|
||||||
|
become: true
|
||||||
|
dnf:
|
||||||
|
state: "{{ _runtime_update_state }}"
|
||||||
|
name:
|
||||||
|
- systemd-networkd
|
||||||
|
- systemd-resolved
|
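Review bot: The Fedora task's guard `when: ansible_distribution == "Fedora" and ansible_distribution_major_version == "8"` can never be true — Fedora release numbers have been far above 8 for years — so on Fedora hosts systemd-networkd and systemd-resolved are never installed and the later enable/symlink steps will fail; the CentOS 8 condition appears to have been copied over. Change it to `when: ansible_distribution == "Fedora"`, as the deleted role version had. Separately, the CentOS 8 task installs only `systemd-networkd` while the other two also list `systemd-resolved`; if that asymmetry is deliberate (resolved shipping in the base systemd package there), a one-line comment saying so would stop the next reader from "fixing" it.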
36
tasks/networkd/services.yml
Normal file
36
tasks/networkd/services.yml
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
---
|
||||||
|
- name: Disable NetworkManager
|
||||||
|
become: true
|
||||||
|
systemd:
|
||||||
|
name: "{{ item }}"
|
||||||
|
enabled: false
|
||||||
|
loop:
|
||||||
|
- NetworkManager
|
||||||
|
- NetworkManager-wait-online
|
||||||
|
|
||||||
|
- name: Enable systemd-networkd
|
||||||
|
become: true
|
||||||
|
systemd:
|
||||||
|
name: "{{ item }}"
|
||||||
|
enabled: true
|
||||||
|
loop:
|
||||||
|
- systemd-networkd
|
||||||
|
- systemd-resolved
|
||||||
|
- systemd-networkd-wait-online
|
||||||
|
|
||||||
|
- name: Symlink so systemd-resolved uses /etc/resolv.conf
|
||||||
|
become: true
|
||||||
|
file:
|
||||||
|
dest: /etc/resolv.conf
|
||||||
|
src: /run/systemd/resolve/resolv.conf
|
||||||
|
state: link
|
||||||
|
force: true
|
||||||
|
setype: net_conf_t
|
||||||
|
|
||||||
|
- name: Symlink so /etc/resolv.conf uses systemd
|
||||||
|
become: true
|
||||||
|
file:
|
||||||
|
dest: /etc/systemd/system/multi-user.target.wants/systemd-resolved.service
|
||||||
|
src: /usr/lib/systemd/system/systemd-resolved.service
|
||||||
|
state: link
|
||||||
|
force: true
|
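Review bot: `/etc/resolv.conf` is force-linked to `/run/systemd/resolve/resolv.conf`, but nothing in this file starts systemd-resolved (the old `Stop NetworkManager`/`Start systemd-networkd` tasks gated on `omni_restart_services` were not carried over), so on a host where resolved is not yet running the link dangles and name resolution breaks for the rest of the play until a reboot. Either add a `systemd: name: systemd-resolved state: started` task before the symlink, or guard the symlink on the target existing. Note also that `/run/systemd/resolve/resolv.conf` lists the upstream servers directly and bypasses the stub resolver on 127.0.0.53; if you want resolved's per-link DNS routing, caching or DNSSEC validation to actually apply, point the link at `/run/systemd/resolve/stub-resolv.conf` instead. The last task hand-creates the `multi-user.target.wants/systemd-resolved.service` symlink that `enabled: true` in the `Enable systemd-networkd` task should already create via systemctl, and its name (`Symlink so /etc/resolv.conf uses systemd`) describes the previous task; drop it or rename it.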
@ -1,14 +1,17 @@
|
|||||||
---
|
---
|
||||||
- name: Clean DNF cache
|
# I'm honestly not sure why these 304 warnings are being raised by the linter here...
|
||||||
become: true
|
- name: Clean DNF cache # noqa: 304
|
||||||
when: ansible_distribution == "Fedora" or (ansible_distribution == "CentOS" and ansible_distribution_major_version == "8")
|
when: ansible_distribution == "Fedora" or (ansible_distribution == "CentOS" and ansible_distribution_major_version == "8")
|
||||||
|
become: true
|
||||||
command:
|
command:
|
||||||
cmd: /usr/bin/dnf clean all
|
cmd: /usr/bin/dnf clean all
|
||||||
warn: false
|
warn: false
|
||||||
|
changed_when: true
|
||||||
|
|
||||||
- name: Clean YUM cache
|
- name: Clean YUM cache # noqa: 304
|
||||||
become: true
|
|
||||||
when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
|
when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
|
||||||
|
become: true
|
||||||
command:
|
command:
|
||||||
cmd: /usr/bin/yum clean all
|
cmd: /usr/bin/yum clean all
|
||||||
warn: false
|
warn: false
|
||||||
|
changed_when: true
|
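Review bot: The comment above the `# noqa: 304` lines says the reason for the warning is unknown; most likely older ansible-lint flattens the dictionary form of `command:` into `cmd=/usr/bin/dnf clean all` and rule 304 ("Environment variables don't work as part of command") fires on any first token containing `=`, i.e. a false positive on the `cmd:` key rather than anything about the command itself. Replace the guess with `# ansible-lint 304 is a false positive on the dict form of command: (it reads cmd=... as an env assignment)` so the suppression is justified rather than mysterious. `warn: false` on `command` is deprecated since ansible-core 2.11 and removed in 2.14, so this task will stop parsing on newer controllers; drop it once you are past 2.13. `changed_when: true` is the right call for a cache purge that always has an effect, but since the `when: omni_pkg_clean` gate that used to wrap this import in `main.yml` no longer exists, callers must now gate this file themselves — worth a header comment.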
@ -1,23 +1,3 @@
|
|||||||
---
|
|
||||||
- import_tasks: bindings.yml
|
|
||||||
when: omni_pkg_bindings == true
|
|
||||||
|
|
||||||
- import_tasks: repos.yml
|
|
||||||
when: omni_pkg_repos == true
|
|
||||||
|
|
||||||
- import_tasks: clean.yml
|
|
||||||
when: omni_pkg_clean == true
|
|
||||||
|
|
||||||
- import_tasks: update.yml
|
|
||||||
when: omni_pkg_update == true
|
|
||||||
|
|
||||||
- name: Install packages on Fedora
|
|
||||||
become: true
|
|
||||||
when: ansible_distribution == "Fedora"
|
|
||||||
dnf:
|
|
||||||
state: latest
|
|
||||||
name: "{{ omni_packages_global + omni_packages_fedora }}"
|
|
||||||
|
|
||||||
# NOTE: This is currently horrifically broken. See the ongoing drama around
|
# NOTE: This is currently horrifically broken. See the ongoing drama around
|
||||||
# systemd-networkd on cent8. Basically triggering an update- or an install- will give
|
# systemd-networkd on cent8. Basically triggering an update- or an install- will give
|
||||||
# a conflict error due to the spicy-jankaroni-with-extra-cheese edition of
|
# a conflict error due to the spicy-jankaroni-with-extra-cheese edition of
|
||||||
@ -30,12 +10,12 @@
|
|||||||
become: true
|
become: true
|
||||||
when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
|
when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
|
||||||
dnf:
|
dnf:
|
||||||
state: latest
|
state: "{{ _runtime_update_state }}"
|
||||||
name: "{{ omni_packages_global + omni_packages_centos_8 }}"
|
name: "{{ omni_packages_global + omni_packages_centos_8 }}"
|
||||||
|
|
||||||
- name: Install packages on CentOS 7
|
- name: Install packages on CentOS 7
|
||||||
become: true
|
become: true
|
||||||
when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
|
when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
|
||||||
yum:
|
yum:
|
||||||
state: latest
|
state: "{{ _runtime_update_state }}"
|
||||||
name: "{{ omni_packages_global + omni_packages_centos_7 }}"
|
name: "{{ omni_packages_global + omni_packages_centos_7 }}"
|
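Review bot: After this hunk only the CentOS 8 and CentOS 7 install tasks remain — the Fedora branch using `omni_packages_global + omni_packages_fedora` was dropped along with the bindings/repos/clean/update imports — while `networkd/install.yml` and `packages/update.yml` in the same commit still branch on `ansible_distribution == "Fedora"`, so as far as this diff shows a Fedora host gets updates but none of the base packages. If Fedora is still a supported target, restore the task as `- name: Install packages on Fedora` with `dnf: state: "{{ _runtime_update_state }}"` and `name: "{{ omni_packages_global + omni_packages_fedora }}"`; if it is not, say so in a comment so the remaining Fedora conditionals can be pruned too. The `NOTE: This is currently horrifically broken` comment refers to the EPEL-Testing systemd-networkd conflict that `repos.yml` now turns off; confirm whether it is still accurate and update or delete it. The CentOS 8 task's `- name:` line sits above the second hunk and is not visible here.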
@ -5,14 +5,16 @@
|
|||||||
block:
|
block:
|
||||||
- name: Enable Extra Packages for Enterprise Linux on CentOS 8
|
- name: Enable Extra Packages for Enterprise Linux on CentOS 8
|
||||||
dnf:
|
dnf:
|
||||||
state: latest
|
state: present
|
||||||
name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
|
name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
|
||||||
|
|
||||||
- name: Enable EPEL-Testing repository on CentOS 8s
|
# The testing repo had to be enabled for a previous version of systemd-networkd
|
||||||
|
# to be installed
|
||||||
|
- name: Disable EPEL-Testing repository on CentOS 8
|
||||||
lineinfile:
|
lineinfile:
|
||||||
path: /etc/yum.repos.d/epel-testing.repo
|
path: /etc/yum.repos.d/epel-testing.repo
|
||||||
regexp: "enabled=(0|1)"
|
regexp: "enabled=(0|1)"
|
||||||
line: "enabled=1"
|
line: "enabled=0"
|
||||||
insertbefore: "^$"
|
insertbefore: "^$"
|
||||||
firstmatch: true
|
firstmatch: true
|
||||||
|
|
||||||
@ -25,6 +27,6 @@
|
|||||||
- name: Enable Extra Packages for Enterprise Linux on CentOS 7
|
- name: Enable Extra Packages for Enterprise Linux on CentOS 7
|
||||||
become: true
|
become: true
|
||||||
when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
|
when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
|
||||||
dnf:
|
yum:
|
||||||
state: latest
|
state: present
|
||||||
name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpmz
|
name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
|
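Review bot: Both EPEL tasks install `epel-release` straight from a URL (`name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm` and the `-8` equivalent); yum and dnf treat a URL package like a local RPM, and with the default `localpkg_gpgcheck=0` its signature is not verified, so the repo definitions and GPG keys that every later package install trusts arrive authenticated by TLS alone. `epel-release` should be available in CentOS's signed `extras` repository on both 7 and 8, so `name: epel-release` gives the same result with full signature checking; if the URL form is really needed, import the key first with `rpm_key: key: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8` and set `localpkg_gpgcheck=1`. The switch to `state: present` is correct (a URL package cannot meaningfully be `latest`), and flipping EPEL-Testing to `enabled=0` closes the earlier exposure; just note that `firstmatch: true` edits only the first `enabled=` in a file with several sections, which is harmless here only because they all default to 0. The CentOS 8 `block:` and its `name:`/`when:` lines start above the first hunk.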
32
tasks/packages/update.yml
Normal file
32
tasks/packages/update.yml
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
---
|
||||||
|
# Ansible Lint 403 ("Package installs should not use latest") is silenced here because
|
||||||
|
# it would defeat the point otherwise
|
||||||
|
- name: Upgrade Fedora and CentOS 8 packages # noqa: 403
|
||||||
|
when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
|
||||||
|
become: true
|
||||||
|
dnf:
|
||||||
|
state: latest
|
||||||
|
name: "*"
|
||||||
|
exclude: "{{ ','.join(omni_pkg_exclude | default(['kernel*', 'docker-ce'])) }}"
|
||||||
|
|
||||||
|
- name: Upgrade CentOS 7 packages # noqa: 403
|
||||||
|
when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
|
||||||
|
become: true
|
||||||
|
yum:
|
||||||
|
state: latest
|
||||||
|
name: "*"
|
||||||
|
exclude: "{{ ','.join(omni_pkg_exclude | default(['kernel*', 'docker-ce'])) }}"
|
||||||
|
|
||||||
|
- name: Upgrade Fedora packages # noqa: 403
|
||||||
|
when: ansible_distribution == "Fedora"
|
||||||
|
become: true
|
||||||
|
dnf:
|
||||||
|
state: latest
|
||||||
|
name: "*"
|
||||||
|
exclude: "{{ ','.join(omni_pkg_exclude | default(['kernel*', 'docker-ce'])) }}"
|
||||||
|
|
||||||
|
# Yeah I'll get here eventually
|
||||||
|
# - name: Upgrade APT packages
|
||||||
|
# when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"
|
||||||
|
# become: true
|
||||||
|
# apt:
|
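Review bot: The default `omni_pkg_exclude | default(['kernel*', 'docker-ce'])` silently withholds kernel and Docker-engine updates on every run — the two packages with the most security-relevant fixes — and nothing here documents where, if anywhere, they are updated (the kernel-plus task covers CentOS 8 kernels only when `_runtime_update_state` is `latest`; nothing visible covers `docker-ce`). Add a comment above the tasks such as `# kernel* is excluded because CentOS 8 kernels come from kernel-plus; docker-ce is pinned deliberately — revisit both after each advisory`, or drop `docker-ce` from the default. The same default literal is repeated three times; a single `vars:` entry at the top of the file keeps the copies from drifting. Finally, the first task is named `Upgrade Fedora and CentOS 8 packages` but guards only CentOS 8 (`when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"`); rename it `Upgrade CentOS 8 packages`, since Fedora has its own task below.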
@ -1,39 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Load users variables
|
|
||||||
include_vars:
|
|
||||||
file: users.yml
|
|
||||||
|
|
||||||
- name: Reconcile user targets with host targets to get host users
|
|
||||||
set_fact:
|
|
||||||
_users_local: >-
|
|
||||||
{{
|
|
||||||
_users_local | default([]) + ([item] if item.targets | intersect(omni_local_targets) else [])
|
|
||||||
}}
|
|
||||||
loop: "{{ omni_users }}"
|
|
||||||
|
|
||||||
- name: Determine local user names
|
|
||||||
set_fact:
|
|
||||||
_users_local_names: "{{ _users_local_names | default([]) + [item.name] }}"
|
|
||||||
loop: "{{ _users_local }}"
|
|
||||||
|
|
||||||
- name: Determine administrative users
|
|
||||||
set_fact:
|
|
||||||
_users_local_admin: >-
|
|
||||||
{{
|
|
||||||
_users_local_admin | default([]) + ([item] if item.admin | default(False) else [])
|
|
||||||
}}
|
|
||||||
loop: "{{ _users_local }}"
|
|
||||||
|
|
||||||
- name: Determine existing users
|
|
||||||
shell: 'grep omni /etc/group | cut -d: -f4 | tr "," "\n"'
|
|
||||||
changed_when: false
|
|
||||||
register: _users_local_existing
|
|
||||||
|
|
||||||
- name: Determine removed users
|
|
||||||
set_fact:
|
|
||||||
_users_local_removed: >-
|
|
||||||
{{
|
|
||||||
_users_local_removed | default([]) +
|
|
||||||
([item] if item not in _users_local_names else [])
|
|
||||||
}}
|
|
||||||
loop: "{{ _users_local_existing.stdout_lines }}"
|
|
7
tasks/sshd/banner.yml
Normal file
7
tasks/sshd/banner.yml
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
- name: Install SSH Banner
|
||||||
|
become: true
|
||||||
|
template:
|
||||||
|
src: motd.j2
|
||||||
|
dest: /etc/issue.net
|
||||||
|
mode: 0644
|
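Review bot: Rendering `motd.j2` to `/etc/issue.net` only produces a pre-authentication banner if `sshd_config` contains `Banner /etc/issue.net`; the sshd parameter loop shown in this commit's `sshd/main.yml` hunk does not include such a line, so confirm it is set elsewhere or add `- match: "#?Banner .*"` / `set: "Banner /etc/issue.net"` to that loop, otherwise this file is dead configuration. A header comment `# Pre-login banner shown by sshd (requires Banner /etc/issue.net in sshd_config)` would make the coupling explicit now that the two tasks live in separate files. Also quote the mode (`mode: "0644"`) to avoid the YAML octal ambiguity flagged by ansible-lint.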
@ -1,13 +1,4 @@
|
|||||||
---
|
---
|
||||||
- import_tasks: install.yml
|
|
||||||
|
|
||||||
- name: Install SSH Banner
|
|
||||||
become: true
|
|
||||||
template:
|
|
||||||
src: motd.j2
|
|
||||||
dest: /etc/issue.net
|
|
||||||
mode: 0644
|
|
||||||
|
|
||||||
- name: Set parameters in sshd config
|
- name: Set parameters in sshd config
|
||||||
become: true
|
become: true
|
||||||
lineinfile:
|
lineinfile:
|
||||||
@ -26,10 +17,13 @@
|
|||||||
set: "GSSAPIAuthentication no"
|
set: "GSSAPIAuthentication no"
|
||||||
- match: "#?ChallengeResponseAuthentication (yes|no)"
|
- match: "#?ChallengeResponseAuthentication (yes|no)"
|
||||||
set: "ChallengeResponseAuthentication no"
|
set: "ChallengeResponseAuthentication no"
|
||||||
|
loop_control:
|
||||||
|
label: "{{ item.set }}"
|
||||||
|
register: _sshd_config_result
|
||||||
|
|
||||||
- name: Restart sshd service
|
- name: Restart sshd service
|
||||||
|
when: _sshd_config_result.changed
|
||||||
become: true
|
become: true
|
||||||
systemd:
|
systemd:
|
||||||
name: sshd
|
name: sshd
|
||||||
state: "{{ 'restarted' if omni_restart_services == true else 'started' }}"
|
state: restarted
|
||||||
enabled: "{{ omni_ssh_enabled }}"
|
|
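Review bot: `Restart sshd service` now runs `state: restarted` whenever the `lineinfile` loop changed anything, but the loop edits `sshd_config` with no `validate:`, so a malformed line (a bad regexp replacement, a typo in `set`) is written and sshd is then restarted into a config it cannot parse — on a remote host that is a lockout. Add `validate: /usr/sbin/sshd -t -f %s` to the `Set parameters in sshd config` task so the change is rejected before the file is replaced; `lineinfile` supports it and `sshd -t` exits non-zero on parse errors. The rewrite also dropped `enabled: "{{ omni_ssh_enabled }}"` and the unconditional `state: started` path, so on a host where nothing changed sshd is no longer ensured running or enabled at boot; keep a separate `systemd: name: sshd state: started enabled: true` task without the `when`. The `regexp`/`line` and `loop` lines of the `Set parameters in sshd config` task sit between the two hunks and are not visible here.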