diff --git a/playbooks/accounts.archlinux.org.yml b/playbooks/accounts.archlinux.org.yml index 5425e687..6d94b175 100644 --- a/playbooks/accounts.archlinux.org.yml +++ b/playbooks/accounts.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup Keycloak server +- name: Setup Keycloak server hosts: accounts.archlinux.org remote_user: root roles: diff --git a/playbooks/all-hosts-basic.yml b/playbooks/all-hosts-basic.yml index 387fe203..62d6c3a5 100644 --- a/playbooks/all-hosts-basic.yml +++ b/playbooks/all-hosts-basic.yml @@ -1,4 +1,4 @@ -- name: basic setup for all hosts +- name: Basic setup for all hosts hosts: all remote_user: root roles: diff --git a/playbooks/archive-mirrors.yml b/playbooks/archive-mirrors.yml index 5d4518be..b5730996 100644 --- a/playbooks/archive-mirrors.yml +++ b/playbooks/archive-mirrors.yml @@ -1,4 +1,4 @@ -- name: common playbook for archive-mirrors +- name: Common playbook for archive-mirrors hosts: archive_mirrors remote_user: root roles: diff --git a/playbooks/archlinux.org.yml b/playbooks/archlinux.org.yml index ec22de8b..3329b791 100644 --- a/playbooks/archlinux.org.yml +++ b/playbooks/archlinux.org.yml @@ -1,14 +1,14 @@ - name: "prepare postgres ssl hosts list" hosts: archlinux.org tasks: - - name: assign ipv4 addresses to fact postgres_hosts4 + - name: Assign ipv4 addresses to fact postgres_hosts4 set_fact: postgres_hosts4="{{ [gemini4] + detected_ips }}" vars: gemini4: "{{ hostvars['gemini.archlinux.org']['wireguard_address'] }}/32" detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['wireguard_address']) | select() | map('regex_replace', '^(.+)$', '\\1/32') | list }}" tags: ["postgres", "firewall"] -- name: setup archlinux.org +- name: Setup archlinux.org hosts: archlinux.org remote_user: root roles: diff --git a/playbooks/aur.archlinux.org.yml b/playbooks/aur.archlinux.org.yml index 787f94ea..bf869676 100644 --- a/playbooks/aur.archlinux.org.yml +++ b/playbooks/aur.archlinux.org.yml 
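Review bot: `- name: Setup Keycloak server` capitalises "setup" as a noun where the play name is meant as an imperative, and the same commit writes `Set up nginx` in roles/archive_web/tasks/main.yml and roles/archmanweb/tasks/main.yml, so the two spellings now coexist. The playbook-level names in this hunk and the following playbook hunks (all-hosts-basic through wiki.archlinux.org, plus the archive, archive_web and archmanweb roles) would be more consistent as `- name: Set up Keycloak server` and so on. This is a naming point only; nothing visible in the diff references play names.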
@@ -1,4 +1,4 @@ -- name: setup aur.archlinux.org +- name: Setup aur.archlinux.org hosts: aur.archlinux.org remote_user: root roles: diff --git a/playbooks/bbs.archlinux.org.yml b/playbooks/bbs.archlinux.org.yml index 72102d2c..300b685d 100644 --- a/playbooks/bbs.archlinux.org.yml +++ b/playbooks/bbs.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup bbs.archlinux.org +- name: Setup bbs.archlinux.org hosts: bbs.archlinux.org remote_user: root roles: diff --git a/playbooks/bugs.archlinux.org.yml b/playbooks/bugs.archlinux.org.yml index 0bb89df3..8420bca5 100644 --- a/playbooks/bugs.archlinux.org.yml +++ b/playbooks/bugs.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup bugs.archlinux.org +- name: Setup bugs.archlinux.org hosts: bugs.archlinux.org remote_user: root roles: diff --git a/playbooks/build.archlinux.org.yml b/playbooks/build.archlinux.org.yml index 5b2719f0..cc13de1f 100644 --- a/playbooks/build.archlinux.org.yml +++ b/playbooks/build.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup build.archlinux.org +- name: Setup build.archlinux.org hosts: build.archlinux.org remote_user: root roles: diff --git a/playbooks/dashboards.archlinux.org.yml b/playbooks/dashboards.archlinux.org.yml index 3d744a09..73a63b62 100644 --- a/playbooks/dashboards.archlinux.org.yml +++ b/playbooks/dashboards.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup public dashboards server +- name: Setup public dashboards server hosts: dashboards.archlinux.org remote_user: root roles: diff --git a/playbooks/debuginfod.archlinux.org.yml b/playbooks/debuginfod.archlinux.org.yml index a78c9709..92dbfc06 100644 --- a/playbooks/debuginfod.archlinux.org.yml +++ b/playbooks/debuginfod.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup debuginfod.archlinux.org +- name: Setup debuginfod.archlinux.org hosts: debuginfod.archlinux.org remote_user: root roles: diff --git a/playbooks/gemini.archlinux.org.yml b/playbooks/gemini.archlinux.org.yml index a6659518..7f68d9eb 100644 
--- a/playbooks/gemini.archlinux.org.yml +++ b/playbooks/gemini.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup gemini.archlinux.org +- name: Setup gemini.archlinux.org hosts: gemini.archlinux.org remote_user: root vars: diff --git a/playbooks/gitlab-runners.yml b/playbooks/gitlab-runners.yml index b943d70c..c6abbf61 100644 --- a/playbooks/gitlab-runners.yml +++ b/playbooks/gitlab-runners.yml @@ -1,4 +1,4 @@ -- name: setup gitlab-runners +- name: Setup gitlab-runners hosts: gitlab_runners remote_user: root roles: diff --git a/playbooks/gitlab.archlinux.org.yml b/playbooks/gitlab.archlinux.org.yml index 0df29a54..19b2ccf3 100644 --- a/playbooks/gitlab.archlinux.org.yml +++ b/playbooks/gitlab.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup gitlab server +- name: Setup gitlab server hosts: gitlab.archlinux.org remote_user: root roles: diff --git a/playbooks/gluebuddy.archlinux.org.yml b/playbooks/gluebuddy.archlinux.org.yml index a6da7933..380ce8cf 100644 --- a/playbooks/gluebuddy.archlinux.org.yml +++ b/playbooks/gluebuddy.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup gluebuddy.archlinux.org +- name: Setup gluebuddy.archlinux.org hosts: gluebuddy.archlinux.org remote_user: root roles: diff --git a/playbooks/hetzner_storagebox.yml b/playbooks/hetzner_storagebox.yml index d0de5427..1eda3e12 100644 --- a/playbooks/hetzner_storagebox.yml +++ b/playbooks/hetzner_storagebox.yml @@ -1,4 +1,4 @@ -- name: setup Hetzner storagebox account +- name: Setup Hetzner storagebox account hosts: localhost gather_facts: false vars_files: diff --git a/playbooks/homedir.archlinux.org.yml b/playbooks/homedir.archlinux.org.yml index 9afc6594..bc039c33 100644 --- a/playbooks/homedir.archlinux.org.yml +++ b/playbooks/homedir.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup homedir.archlinux.org +- name: Setup homedir.archlinux.org hosts: homedir.archlinux.org remote_user: root roles: 
diff --git a/playbooks/lists.archlinux.org.yml b/playbooks/lists.archlinux.org.yml index 298aeb1d..0629ec0b 100644 --- a/playbooks/lists.archlinux.org.yml +++ b/playbooks/lists.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup mailman server +- name: Setup mailman server hosts: lists.archlinux.org remote_user: root roles: diff --git a/playbooks/mail.archlinux.org.yml b/playbooks/mail.archlinux.org.yml index b8e5e90f..7a2b699e 100644 --- a/playbooks/mail.archlinux.org.yml +++ b/playbooks/mail.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup mail.archlinux.org +- name: Setup mail.archlinux.org hosts: mail.archlinux.org remote_user: root roles: diff --git a/playbooks/mailman3.archlinux.org.yml b/playbooks/mailman3.archlinux.org.yml index b2ca8650..171eb42d 100644 --- a/playbooks/mailman3.archlinux.org.yml +++ b/playbooks/mailman3.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup mailman3 server +- name: Setup mailman3 server hosts: mailman3.archlinux.org remote_user: root roles: diff --git a/playbooks/man.archlinux.org.yml b/playbooks/man.archlinux.org.yml index 2481e80c..e3ff9480 100644 --- a/playbooks/man.archlinux.org.yml +++ b/playbooks/man.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup man.archlinux.org +- name: Setup man.archlinux.org hosts: man.archlinux.org remote_user: root roles: diff --git a/playbooks/matrix.archlinux.org.yml b/playbooks/matrix.archlinux.org.yml index cda2c872..cb833d45 100644 --- a/playbooks/matrix.archlinux.org.yml +++ b/playbooks/matrix.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup matrix +- name: Setup matrix hosts: matrix.archlinux.org remote_user: root vars_files: diff --git a/playbooks/md.archlinux.org.yml b/playbooks/md.archlinux.org.yml index dbd20b96..594a3837 100644 --- a/playbooks/md.archlinux.org.yml +++ b/playbooks/md.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup hedgedoc server +- name: Setup hedgedoc server hosts: md.archlinux.org remote_user: root roles: 
diff --git a/playbooks/mirrors.yml b/playbooks/mirrors.yml index b654fe69..f3a2cd58 100644 --- a/playbooks/mirrors.yml +++ b/playbooks/mirrors.yml @@ -1,4 +1,4 @@ -- name: common playbook for mirrors +- name: Common playbook for mirrors hosts: mirrors remote_user: root roles: diff --git a/playbooks/monitoring.archlinux.org.yml b/playbooks/monitoring.archlinux.org.yml index a4d4ebe8..2bd20f85 100644 --- a/playbooks/monitoring.archlinux.org.yml +++ b/playbooks/monitoring.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup prometheus server +- name: Setup prometheus server hosts: monitoring.archlinux.org remote_user: root roles: diff --git a/playbooks/patchwork.archlinux.org.yml b/playbooks/patchwork.archlinux.org.yml index afd8d892..4776e4c8 100644 --- a/playbooks/patchwork.archlinux.org.yml +++ b/playbooks/patchwork.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup patchwork.archlinux.org +- name: Setup patchwork.archlinux.org hosts: patchwork.archlinux.org remote_user: root roles: diff --git a/playbooks/phrik.yml b/playbooks/phrik.yml index 4da2d28f..7013f212 100644 --- a/playbooks/phrik.yml +++ b/playbooks/phrik.yml @@ -1,4 +1,4 @@ -- name: setup phrik bot server +- name: Setup phrik bot server hosts: phrik.archlinux.org remote_user: root roles: diff --git a/playbooks/quassel.archlinux.org.yml b/playbooks/quassel.archlinux.org.yml index d7fd34a9..8ec06884 100644 --- a/playbooks/quassel.archlinux.org.yml +++ b/playbooks/quassel.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup quassel server +- name: Setup quassel server hosts: quassel.archlinux.org remote_user: root roles: diff --git a/playbooks/rebuilderd-workers.yml b/playbooks/rebuilderd-workers.yml index a7b88f5c..d4409792 100644 --- a/playbooks/rebuilderd-workers.yml +++ b/playbooks/rebuilderd-workers.yml @@ -1,4 +1,4 @@ -- name: common playbook for rebuilderd_workers +- name: Common playbook for rebuilderd_workers hosts: rebuilderd_workers remote_user: root roles: 
diff --git a/playbooks/redirect.archlinux.org.yml b/playbooks/redirect.archlinux.org.yml index 53fbc6ba..5bbcd4da 100644 --- a/playbooks/redirect.archlinux.org.yml +++ b/playbooks/redirect.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup redirect.archlinux.org +- name: Setup redirect.archlinux.org hosts: redirect.archlinux.org remote_user: root roles: diff --git a/playbooks/reproducible.archlinux.org.yml b/playbooks/reproducible.archlinux.org.yml index 0942f810..88724c7b 100644 --- a/playbooks/reproducible.archlinux.org.yml +++ b/playbooks/reproducible.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup reproducible builds rebuilder +- name: Setup reproducible builds rebuilder hosts: reproducible.archlinux.org remote_user: root roles: diff --git a/playbooks/rsync.net.yml b/playbooks/rsync.net.yml index 045e2e85..3102e4b1 100644 --- a/playbooks/rsync.net.yml +++ b/playbooks/rsync.net.yml @@ -1,4 +1,4 @@ -- name: setup rsync.net account +- name: Setup rsync.net account hosts: localhost gather_facts: false vars_files: diff --git a/playbooks/security.archlinux.org.yml b/playbooks/security.archlinux.org.yml index 77aa612c..9599c0da 100644 --- a/playbooks/security.archlinux.org.yml +++ b/playbooks/security.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup security.archlinux.org +- name: Setup security.archlinux.org hosts: security.archlinux.org remote_user: root roles: diff --git a/playbooks/state.archlinux.org.yml b/playbooks/state.archlinux.org.yml index 1d7e7948..fd1f0097 100644 --- a/playbooks/state.archlinux.org.yml +++ b/playbooks/state.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup state.archlinux.org (terraform state store) +- name: Setup state.archlinux.org (terraform state store) hosts: state.archlinux.org remote_user: root roles: diff --git a/playbooks/tasks/fetch-borg-keys.yml b/playbooks/tasks/fetch-borg-keys.yml index a361a11c..2f18412d 100644 --- a/playbooks/tasks/fetch-borg-keys.yml +++ b/playbooks/tasks/fetch-borg-keys.yml 
@@ -1,23 +1,23 @@ -- name: prepare local storage directory +- name: Prepare local storage directory hosts: localhost tasks: - - name: create borg-keys directory + - name: Create borg-keys directory file: path="{{ playbook_dir }}/../../borg-keys/" state=directory # noqa 208 -- name: fetch borg keys +- name: Fetch borg keys hosts: borg_clients tasks: - - name: fetch borg key + - name: Fetch borg key command: "/usr/local/bin/borg key export :: /dev/stdout" register: borg_key changed_when: "borg_key.rc == 0" - - name: fetch borg offsite key + - name: Fetch borg offsite key command: "/usr/local/bin/borg-offsite key export :: /dev/stdout" register: borg_offsite_key changed_when: "borg_offsite_key.rc == 0" - - name: save borg key + - name: Save borg key shell: gpg --batch --armor --encrypt --output - >"{{ playbook_dir }}/../../borg-keys/{{ inventory_hostname }}.gpg" {% for userid in vault_super_pgpkeys | flatten %}--recipient {{ userid }} {% endfor %} args: stdin: "{{ borg_key.stdout }}" @@ -26,7 +26,7 @@ register: gpg_key changed_when: "gpg_key.rc == 0" - - name: save borg offsite key + - name: Save borg offsite key shell: gpg --batch --armor --encrypt --output - >"{{ playbook_dir }}/../../borg-keys/{{ inventory_hostname }}-offsite.gpg" {% for userid in vault_super_pgpkeys | flatten %}--recipient {{ userid }} {% endfor %} args: stdin: "{{ borg_offsite_key.stdout }}" diff --git a/playbooks/tasks/include/reencrypt-vault-key.yml b/playbooks/tasks/include/reencrypt-vault-key.yml index 234c5a0c..46ed1136 100644 --- a/playbooks/tasks/include/reencrypt-vault-key.yml +++ b/playbooks/tasks/include/reencrypt-vault-key.yml @@ -1,7 +1,7 @@ -- name: check if moreutils is installed +- name: Check if moreutils is installed pacman: name=moreutils state=present -- name: reencrypt vault {{ vault_id }} key +- name: Reencrypt vault {{ vault_id }} key shell: | set -eo pipefail gpg --decrypt --batch --quiet "{{ playbook_dir }}/../../misc/vault-{{ vault_id }}-password.gpg" \ 
diff --git a/playbooks/tasks/include/upgrade-server.yml b/playbooks/tasks/include/upgrade-server.yml index 258423b7..f29270dd 100644 --- a/playbooks/tasks/include/upgrade-server.yml +++ b/playbooks/tasks/include/upgrade-server.yml 
@@ -1,62 +1,62 @@ -- name: ensure latest keyring +- name: Ensure latest keyring pacman: name: archlinux-keyring state: latest update_cache: yes -- name: upgrade all packages +- name: Upgrade all packages pacman: upgrade: yes register: pacman_upgrade -- name: stop if no packages were upgraded +- name: Stop if no packages were upgraded meta: end_host when: pacman_upgrade is not changed -- name: check for running builds +- name: Check for running builds block: - - name: list build-related processes + - name: List build-related processes command: pgrep -x 'mkarchroot|makechrootpkg|systemd-nspawn' register: pgrep ignore_errors: true - - name: abort reboot with running builds + - name: Abort reboot with running builds meta: end_host when: pgrep is succeeded when: "'buildservers' in group_names" -- name: check for active borg backup jobs +- name: Check for active borg backup jobs block: - - name: check if /backup exists + - name: Check if /backup exists stat: path=/backup register: backup_mountdir - - name: abort reboot when borg backup is running + - name: Abort reboot when borg backup is running meta: end_host when: backup_mountdir.stat.exists when: "'borg_clients' in group_names" -- name: gemini pre-reboot checks +- name: Gemini pre-reboot checks block: - - name: list logged on users + - name: List logged on users command: who register: who - - name: abort reboot with logged on users + - name: Abort reboot with logged on users meta: end_host when: - who is changed - who.stdout_lines|length > 1 - - name: stop arch-svntogit.timer + - name: Stop arch-svntogit.timer service: name=arch-svntogit.timer state=stopped - - name: wait for svntogit to finish + - name: Wait for svntogit to finish wait_for: path: /srv/svntogit/update-repos.sh.lock state: absent when: inventory_hostname == "gemini.archlinux.org" -- name: reboot +- name: Reboot reboot: diff --git a/playbooks/tasks/install_arch.yml b/playbooks/tasks/install_arch.yml index 6f4b9d72..1f9978b0 100644 
--- a/playbooks/tasks/install_arch.yml +++ b/playbooks/tasks/install_arch.yml @@ -1,7 +1,7 @@ # This script is for provisioning a server for first boot. # Care: It is not idempotent by design. -- name: install_arch +- name: Install arch hosts: all remote_user: root roles: diff --git a/playbooks/tasks/pacman-website.yml b/playbooks/tasks/pacman-website.yml index a64d9549..57dd8c62 100644 --- a/playbooks/tasks/pacman-website.yml +++ b/playbooks/tasks/pacman-website.yml @@ -8,13 +8,13 @@ tempfile: state=directory suffix=pacman register: tempdir - - name: fetch pacman tarball + - name: Fetch pacman tarball get_url: url=https://sources.archlinux.org/other/pacman/pacman-{{ pacman_version }}.tar.xz dest={{ tempdir.path }}/pacman.tar.xz - - name: unpack tarball + - name: Unpack tarball unarchive: src={{ tempdir.path }}/pacman.tar.xz dest={{ tempdir.path }} - - name: build website + - name: Build website command: "{{ item }}" args: chdir: "{{ tempdir.path }}/pacman-{{ pacman_version }}" @@ -23,10 +23,10 @@ - ninja -C build doc/website.tar.gz - block: - - name: create website directory + - name: Create website directory file: state=directory owner=root group=root mode=0755 path={{ pacman_dir }} - - name: upload website + - name: Upload website unarchive: src: "{{ tempdir.path }}/pacman-{{ pacman_version }}/build/doc/website.tar.gz" dest: "{{ pacman_dir }}" diff --git a/playbooks/tasks/reencrypt-vault-default-key.yml b/playbooks/tasks/reencrypt-vault-default-key.yml index 33d82068..4fb85edf 100644 --- a/playbooks/tasks/reencrypt-vault-default-key.yml +++ b/playbooks/tasks/reencrypt-vault-default-key.yml @@ -1,7 +1,7 @@ -- name: reencrypt vault default key +- name: Reencrypt vault default key hosts: localhost tasks: - - name: reencrypt vault default key + - name: Reencrypt vault default key include_tasks: include/reencrypt-vault-key.yml vars: vault_id: default 
diff --git a/playbooks/tasks/reencrypt-vault-super-key.yml b/playbooks/tasks/reencrypt-vault-super-key.yml index 33fd5eb3..f5c893d5 100644 --- a/playbooks/tasks/reencrypt-vault-super-key.yml +++ b/playbooks/tasks/reencrypt-vault-super-key.yml @@ -1,7 +1,7 @@ -- name: reencrypt vault super key +- name: Reencrypt vault super key hosts: localhost tasks: - - name: reencrypt vault super key + - name: Reencrypt vault super key include_tasks: include/reencrypt-vault-key.yml vars: vault_id: super diff --git a/playbooks/tasks/sync-ssh-hostkeys.yml b/playbooks/tasks/sync-ssh-hostkeys.yml index f7ba3fdf..b500128e 100644 --- a/playbooks/tasks/sync-ssh-hostkeys.yml +++ b/playbooks/tasks/sync-ssh-hostkeys.yml @@ -1,8 +1,8 @@ -- name: fetch ssh hostkeys +- name: Fetch ssh hostkeys hosts: all gather_facts: false tasks: - - name: fetch hostkey checksums + - name: Fetch hostkey checksums shell: | for type in sha256 md5; do for file in /etc/ssh/ssh_host_*.pub; do @@ -13,7 +13,7 @@ register: ssh_hostkeys changed_when: ssh_hostkeys | length > 0 - - name: fetch known_hosts + - name: Fetch known_hosts shell: | set -eo pipefail ssh-keyscan 127.0.0.1 2>/dev/null \ @@ -26,10 +26,10 @@ register: known_hosts changed_when: known_hosts | length > 0 -- name: store hostkeys +- name: Store hostkeys hosts: localhost tasks: - - name: store hostkeys + - name: Store hostkeys copy: dest: "{{ playbook_dir }}/../../docs/ssh-hostkeys.txt" content: | @@ -40,7 +40,7 @@ {% endfor %} mode: preserve - - name: store known_hosts + - name: Store known_hosts blockinfile: path: "{{ playbook_dir }}/../../docs/ssh-known_hosts.txt" block: | @@ -51,9 +51,9 @@ {% endfor %} -- name: upload known_hosts to all nodes +- name: Upload known_hosts to all nodes hosts: all tasks: - - name: upload known_hosts + - name: Upload known_hosts copy: dest=/etc/ssh/ssh_known_hosts src="{{ playbook_dir }}/../../docs/ssh-known_hosts.txt" owner=root group=root mode=0644 tags: ['upload-known-hosts'] 
diff --git a/playbooks/tasks/upgrade-servers.yml b/playbooks/tasks/upgrade-servers.yml index 6de69dd7..f51c53bc 100644 --- a/playbooks/tasks/upgrade-servers.yml +++ b/playbooks/tasks/upgrade-servers.yml @@ -1,19 +1,19 @@ -- name: upgrade and reboot all hetzner servers +- name: Upgrade and reboot all hetzner servers hosts: all,!kape_servers,!equinix_metal max_fail_percentage: 0 serial: 20% gather_facts: false tasks: - - name: upgrade each host in this batch + - name: Upgrade each host in this batch include_tasks: include/upgrade-server.yml -- name: upgrade and reboot all Kape and Equinix Metal servers +- name: Upgrade and reboot all Kape and Equinix Metal servers hosts: kape_servers,equinix_metal max_fail_percentage: 0 serial: 1 gather_facts: false tasks: - - name: upgrade each host in this batch + - name: Upgrade each host in this batch include_tasks: include/upgrade-server.yml diff --git a/playbooks/wiki.archlinux.org.yml b/playbooks/wiki.archlinux.org.yml index 41b1b8fd..644d7f6f 100644 --- a/playbooks/wiki.archlinux.org.yml +++ b/playbooks/wiki.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup wiki.archlinux.org +- name: Setup wiki.archlinux.org hosts: wiki.archlinux.org remote_user: root roles: diff --git a/roles/acme_dns_challenge/handlers/main.yml b/roles/acme_dns_challenge/handlers/main.yml index d889effb..fba3a6d1 100644 --- a/roles/acme_dns_challenge/handlers/main.yml +++ b/roles/acme_dns_challenge/handlers/main.yml @@ -1,2 +1,2 @@ -- name: restart powerdns +- name: Restart powerdns service: name=pdns state=restarted diff --git a/roles/acme_dns_challenge/tasks/main.yml b/roles/acme_dns_challenge/tasks/main.yml index c79aea68..63558cf5 100644 --- a/roles/acme_dns_challenge/tasks/main.yml +++ b/roles/acme_dns_challenge/tasks/main.yml 
@@ -1,24 +1,24 @@ -- name: install powerdns +- name: Install powerdns pacman: name=powerdns state=present -- name: install PowerDNS configuration +- name: Install PowerDNS configuration template: src={{ item.src }} dest=/etc/powerdns/{{ item.dest }} owner=root group=root mode=0644 loop: - {src: pdns.conf.j2, dest: pdns.conf} - {src: dnsupdate-policy.lua.j2, dest: dnsupdate-policy.lua} notify: restart powerdns -- name: create directory for sqlite3 dbs +- name: Create directory for sqlite3 dbs file: path=/var/lib/powerdns state=directory owner=powerdns group=powerdns mode=0755 -- name: initialize sqlite3 database for _acme-challenge zones +- name: Initialize sqlite3 database for _acme-challenge zones command: sqlite3 -init /usr/share/doc/powerdns/schema.sqlite3.sql /var/lib/powerdns/pdns.sqlite3 "" become: true become_user: powerdns args: creates: /var/lib/powerdns/pdns.sqlite3 -- name: create _acme-challenge zones +- name: Create _acme-challenge zones shell: | pdnsutil create-zone _acme-challenge.{{ item }} {{ inventory_hostname }} pdnsutil replace-rrset _acme-challenge.{{ item }} @ SOA "{{ inventory_hostname }}. root.archlinux.org. 0 10800 3600 604800 3600" 
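Review bot: `notify: restart powerdns` on the "Install PowerDNS configuration" task no longer matches its handler, which this commit renames to `Restart powerdns` in roles/acme_dns_challenge/handlers/main.yml; handler lookup is by exact name, so a changed pdns.conf or dnsupdate-policy.lua would end in a missing-handler error instead of a pdns restart, and the updated DNS-update policy would not be loaded until someone restarts the service by hand. The same mismatch is visible for `notify: reload alertmanager` in roles/alertmanager/tasks/main.yml against the renamed `Reload alertmanager` handler, and for the `daemon reload` notifications in roles/archbuild/tasks/main.yml and roles/arch_boxes_sync/tasks/main.yml against archbuild's renamed `Daemon reload` handler (arch_boxes_sync's own handler file is not in the diff). The `reload nginx` notifications in roles/archive_web and roles/archmanweb should be checked against that handler's new name as well, since it is not part of this diff. Either change this line to `notify: Restart powerdns` (and the others likewise) or keep the lowercase names reachable by adding `listen: restart powerdns` to the handler.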
@@ -27,18 +27,18 @@ become_user: powerdns changed_when: false -- name: import TSIG key (for certbot) +- name: Import TSIG key (for certbot) command: pdnsutil import-tsig-key {{ certbot_rfc2136_key }} {{ certbot_rfc2136_algorithm }} {{ certbot_rfc2136_secret }} changed_when: false -- name: open powerdns ipv4 port for monitoring.archlinux.org +- name: Open powerdns ipv4 port for monitoring.archlinux.org ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port=8081 accept" tags: - firewall -- name: open firewall hole +- name: Open firewall hole ansible.posix.firewalld: service=dns permanent=true state=enabled immediate=yes -- name: start and enable powerdns +- name: Start and enable powerdns systemd: name=pdns.service enabled=yes daemon_reload=yes state=started diff --git a/roles/alertmanager/handlers/main.yml b/roles/alertmanager/handlers/main.yml index bfb1d469..9ce78242 100644 --- a/roles/alertmanager/handlers/main.yml +++ b/roles/alertmanager/handlers/main.yml @@ -1,2 +1,2 @@ -- name: reload alertmanager +- name: Reload alertmanager service: name=alertmanager state=reloaded diff --git a/roles/alertmanager/tasks/main.yml b/roles/alertmanager/tasks/main.yml index b35c228e..7c280edc 100644 --- a/roles/alertmanager/tasks/main.yml +++ b/roles/alertmanager/tasks/main.yml @@ -1,9 +1,9 @@ -- name: install alertmanager server +- name: Install alertmanager server pacman: name=alertmanager state=present -- name: install alertmanager configuration +- name: Install alertmanager configuration template: src=alertmanager.yml.j2 dest=/etc/alertmanager/alertmanager.yml owner=root group=alertmanager mode=640 notify: reload alertmanager -- name: enable alertmanager server service +- name: Enable alertmanager server service systemd: name=alertmanager enabled=yes daemon_reload=yes state=started 
diff --git a/roles/arch_boxes_sync/tasks/main.yml b/roles/arch_boxes_sync/tasks/main.yml index 98d43e78..facceb5c 100644 --- a/roles/arch_boxes_sync/tasks/main.yml +++ b/roles/arch_boxes_sync/tasks/main.yml @@ -1,10 +1,10 @@ -- name: install arch-boxes-sync.sh script dependencies +- name: Install arch-boxes-sync.sh script dependencies pacman: name=curl,jq,unzip state=present -- name: install arch-boxes-sync.sh script +- name: Install arch-boxes-sync.sh script copy: src=arch-boxes-sync.sh dest=/usr/local/bin/ owner=root group=root mode=0755 -- name: install arch-boxes-sync.{service,timer} +- name: Install arch-boxes-sync.{service,timer} copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 loop: - arch-boxes-sync.service @@ -12,5 +12,5 @@ notify: - daemon reload -- name: start and enable arch-boxes-sync.timer +- name: Start and enable arch-boxes-sync.timer systemd: name=arch-boxes-sync.timer enabled=yes daemon_reload=yes state=started diff --git a/roles/archbuild/handlers/main.yml b/roles/archbuild/handlers/main.yml index b7dd1329..53c25acb 100644 --- a/roles/archbuild/handlers/main.yml +++ b/roles/archbuild/handlers/main.yml @@ -1,3 +1,3 @@ -- name: daemon reload +- name: Daemon reload systemd: daemon-reload: true diff --git a/roles/archbuild/tasks/main.yml b/roles/archbuild/tasks/main.yml index 7ed17346..d4ee7e3a 100644 --- a/roles/archbuild/tasks/main.yml +++ b/roles/archbuild/tasks/main.yml @@ -1,4 +1,4 @@ -- name: install archbuild +- name: Install archbuild pacman: name: - base-devel @@ -16,7 +16,7 @@ - appstream-generator state: present -- name: install archbuild scripts +- name: Install archbuild scripts copy: src={{ item }} dest=/usr/local/bin/{{ item }} owner=root group=root mode=0755 with_items: - mkpkg 
@@ -28,12 +28,12 @@ - clean-offload-build - gitpkg -- name: install archbuild config files +- name: Install archbuild config files copy: src={{ item }} dest=/usr/local/share/{{ item }} owner=root group=root mode=0644 with_items: - elinks-pkgdiffrepo.conf -- name: install archbuild units +- name: Install archbuild units copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 with_items: - clean-chroots.timer @@ -47,33 +47,33 @@ notify: - daemon reload -- name: install archbuild unit +- name: Install archbuild unit copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 with_items: - var-lib-archbuild.mount notify: - daemon reload -- name: install archbuild user units +- name: Install archbuild user units copy: src={{ item }} dest=/etc/systemd/user/{{ item }} owner=root group=root mode=0644 with_items: - mkpkg@.timer - mkpkg@.service -- name: install user-.slice snippet +- name: Install user-.slice snippet copy: src=user-.slice.d dest=/etc/systemd/system owner=root group=root mode=0644 -- name: start and enable archbuild mounts +- name: Start and enable archbuild mounts service: name={{ item }} enabled={{ "yes" if archbuild_fs == 'tmpfs' else "no" }} state={{ "started" if archbuild_fs == 'tmpfs' else "stopped" }} with_items: - var-lib-archbuild.mount -- name: start and enable archbuilddest mount +- name: Start and enable archbuilddest mount service: name={{ item }} enabled=yes state=started with_items: - var-lib-archbuilddest.mount -- name: create archbuilddest +- name: Create archbuilddest file: state: directory path: '/var/lib/{{ "/".join(item) }}' @@ -84,7 +84,7 @@ - [archbuilddest] - [srcdest] -- name: set acl on archbuilddest +- name: Set acl on archbuilddest acl: name: '/var/lib/archbuilddest/{{ item[0] }}' state: present 
@@ -104,18 +104,18 @@ 'default:other::r-x', 'default:mask::rwx'] -- name: start and enable archbuild units +- name: Start and enable archbuild units service: name={{ item }} enabled=yes state=started with_items: - clean-chroots.timer - clean-dests.timer - clean-offload-build.timer -- name: install makepkg.conf +- name: Install makepkg.conf template: src=makepkg.conf.j2 dest=/etc/makepkg.conf owner=root group=root mode=0644 -- name: install archbuild sudoers config +- name: Install archbuild sudoers config copy: src=sudoers dest=/etc/sudoers.d/archbuild owner=root group=root mode=0440 -- name: install gitconfig +- name: Install gitconfig copy: src=gitconfig dest=/etc/gitconfig owner=root group=root mode=0644 diff --git a/roles/archive/tasks/main.yml b/roles/archive/tasks/main.yml index 4eb0e5ed..5e0664c5 100644 --- a/roles/archive/tasks/main.yml +++ b/roles/archive/tasks/main.yml @@ -1,7 +1,7 @@ -- name: install archivetools package +- name: Install archivetools package pacman: name=archivetools state=present -- name: make archive dir +- name: Make archive dir file: path: "{{ archive_dir }}" state: directory @@ -9,7 +9,7 @@ group: archive mode: 0755 -- name: setup archive configuration +- name: Setup archive configuration template: src: archive.conf.j2 dest: /etc/archive.conf 
@@ -17,34 +17,34 @@ group: root mode: 0644 -- name: setup archive timer +- name: Setup archive timer systemd: name=archive.timer enabled=yes state=started -- name: setup archive-hardlink timer +- name: Setup archive-hardlink timer systemd: name=archive-hardlink.timer enabled=yes state=started -- name: install internet archive packages +- name: Install internet archive packages pacman: name=python-internetarchive,python-xtarfile state=present -- name: create archive user +- name: Create archive user user: name={{ archive_user_name }} shell=/bin/false home="{{ archive_user_home }}" createhome=yes -- name: configure archive.org client +- name: Configure archive.org client command: ia configure --username={{ vault_archive_username }} --password={{ vault_archive_password }} creates={{ archive_user_home }}/.config/ia.ini become: true become_user: "{{ archive_user_name }}" -- name: clone archive uploader code +- name: Clone archive uploader code git: repo=https://github.com/archlinux/arch-historical-archive.git dest="{{ archive_repo }}" version="{{ archive_uploader_version }}" become: true become_user: "{{ archive_user_name }}" -- name: install system service +- name: Install system service template: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 loop: - archive-uploader.service - archive-uploader.timer -- name: start uploader timer +- name: Start uploader timer systemd: name: archive-uploader.timer enabled: true diff --git a/roles/archive_web/tasks/main.yml b/roles/archive_web/tasks/main.yml index 18287e45..a9b2528f 100644 --- a/roles/archive_web/tasks/main.yml +++ b/roles/archive_web/tasks/main.yml @@ -1,10 +1,10 @@ -- name: create ssl cert +- name: Create ssl cert include_role: name: certificate vars: domains: ["{{ archive_domain }}"] -- name: set up nginx +- name: Set up nginx template: src: nginx.d.conf.j2 dest: /etc/nginx/nginx.d/archive.conf 
@@ -15,7 +15,7 @@ - reload nginx tags: ['nginx'] -- name: make nginx log dir +- name: Make nginx log dir file: path: /var/log/nginx/{{ archive_domain }} state: directory diff --git a/roles/archmanweb/tasks/main.yml b/roles/archmanweb/tasks/main.yml index 26cb1c5e..e4d71f03 100644 --- a/roles/archmanweb/tasks/main.yml +++ b/roles/archmanweb/tasks/main.yml @@ -1,11 +1,11 @@ -- name: create ssl cert +- name: Create ssl cert include_role: name: certificate vars: domains: ["{{ archmanweb_domain }}"] when: 'archmanweb_domain is defined' -- name: install required packages +- name: Install required packages pacman: state: present name: @@ -22,24 +22,24 @@ - make - sassc -- name: make archmanweb user +- name: Make archmanweb user user: name=archmanweb shell=/bin/false home="{{ archmanweb_dir }}" -- name: fix home permissions +- name: Fix home permissions file: state=directory owner=archmanweb group=archmanweb mode=0755 path="{{ archmanweb_dir }}" -- name: set archmanweb groups +- name: Set archmanweb groups user: name=archmanweb groups=uwsgi -- name: set up nginx +- name: Set up nginx template: src=nginx.d.conf.j2 dest="{{ archmanweb_nginx_conf }}" owner=root group=root mode=644 notify: reload nginx tags: ['nginx'] -- name: make nginx log dir +- name: Make nginx log dir file: path=/var/log/nginx/{{ archmanweb_domain }} state=directory owner=root group=root mode=0755 -- name: clone archmanweb repo +- name: Clone archmanweb repo git: > repo={{ archmanweb_repository }} dest="{{ archmanweb_dir }}/repo" @@ -51,7 +51,7 @@ become_user: archmanweb register: release -- name: build archlinux-common-style +- name: Build archlinux-common-style command: cmd: make SASS=sassc chdir: "{{ archmanweb_dir }}/repo/archlinux-common-style" 
@@ -59,27 +59,27 @@
 become_user: archmanweb
 when: release.changed or archmanweb_forced_deploy
-- name: configure archmanweb
+- name: Configure archmanweb
 template: src=local_settings.py.j2 dest={{ archmanweb_dir }}/repo/local_settings.py owner=archmanweb group=archmanweb mode=0660
 register: config
 no_log: true
-- name: copy robots.txt
+- name: Copy robots.txt
 copy: src=robots.txt dest="{{ archmanweb_dir }}/repo/robots.txt" owner=root group=root mode=0644
-- name: create archmanweb db user
+- name: Create archmanweb db user
 postgresql_user: name={{ archmanweb_db_user }} password={{ vault_archmanweb_db_password }} login_host="{{ archmanweb_db_host }}" login_password="{{ vault_postgres_users.postgres }}" encrypted=yes
 no_log: true
-- name: create archmanweb db
+- name: Create archmanweb db
 postgresql_db: name="{{ archmanweb_db }}" login_host="{{ archmanweb_db_host }}" login_password="{{ vault_postgres_users.postgres }}" owner="{{ archmanweb_db_user }}"
 register: db_created
-- name: add pg_trgm extension to the archmanweb db
+- name: Add pg_trgm extension to the archmanweb db
 postgresql_ext: name="pg_trgm" db="{{ archmanweb_db }}" login_host="{{ archmanweb_db_host }}" login_password="{{ vault_postgres_users.postgres }}"
 when: db_created.changed or archmanweb_forced_deploy
-- name: run Django management tasks
+- name: Run Django management tasks
 django_manage: app_path="{{ archmanweb_dir }}/repo" command="{{ item }}"
 with_items:
 - migrate
@@ -89,18 +89,18 @@
 become_user: archmanweb
 when: db_created.changed or release.changed or config.changed or archmanweb_forced_deploy
-- name: configure UWSGI for archmanweb
+- name: Configure UWSGI for archmanweb
 template: src=archmanweb.ini.j2 dest=/etc/uwsgi/vassals/archmanweb.ini owner=archmanweb group=http mode=0640
-- name: deploy new release
+- name: Deploy new release
 file: path=/etc/uwsgi/vassals/archmanweb.ini state=touch owner=archmanweb group=http mode=0640
 when: release.changed or config.changed or archmanweb_forced_deploy
-- name: install systemd units
+- name: Install systemd units
 template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
 with_items:
 - archmanweb_update.service
 - archmanweb_update.timer
-- name: start and enable archmanweb update timer
+- name: Start and enable archmanweb update timer
 systemd: name="archmanweb_update.timer" enabled=yes state=started daemon_reload=yes
diff --git a/roles/archusers/tasks/main.yml b/roles/archusers/tasks/main.yml
index 329d2a19..ae46f9ab 100644
--- a/roles/archusers/tasks/main.yml
+++ b/roles/archusers/tasks/main.yml
@@ -1,13 +1,13 @@
-- name: create Arch Linux-specific groups
+- name: Create Arch Linux-specific groups
 group: name="{{ item }}" state=present system=no
 with_items: "{{ arch_groups }}"
-- name: filter arch_users for users with non-matching hosts
+- name: Filter arch_users for users with non-matching hosts
 set_fact: arch_users_filtered="{{ (arch_users_filtered | default([])) + [ item ] }}"
 when: item.value.hosts is not defined or inventory_hostname in item.value.hosts
 with_dict: "{{ arch_users }}"
-- name: create Arch Linux-specific users
+- name: Create Arch Linux-specific users
 user:
 name: "{{ item.key }}"
 group: users
@@ -19,25 +19,25 @@
 state: present
 loop: "{{ arch_users_filtered }}"
-- name: create .ssh directory
+- name: Create .ssh directory
 file: path=/home/{{ item.key }}/.ssh state=directory owner={{ item.key }} group=users mode=0700
 loop: "{{ arch_users_filtered }}"
-- name: configure ssh keys
+- name: Configure ssh keys
 template: src=authorized_keys.j2 dest=/home/{{ item.key }}/.ssh/authorized_keys owner={{ item.key }} group=users mode=0600
 when: item.value.ssh_key is defined
 loop: "{{ arch_users_filtered }}"
-- name: remove ssh keys if undefined
+- name: Remove ssh keys if undefined
 file: path=/home/{{ item.key }}/.ssh/authorized_keys state=absent
 when: item.value.ssh_key is not defined
 loop: "{{ arch_users_filtered }}"
-- name: get list of remote users
+- name: Get list of remote users
 find: paths="/home" file_type="directory"
 register: all_users
-- name: disable ssh keys of disabled users
+- name: Disable ssh keys of disabled users
 file: path="/home/{{ item }}/.ssh/authorized_keys" state=absent
 when:
 - item not in (arch_users_filtered | map(attribute='key'))
diff --git a/roles/archweb/handlers/main.yml b/roles/archweb/handlers/main.yml
index 4c8932c7..481889db 100644
--- a/roles/archweb/handlers/main.yml
+++ b/roles/archweb/handlers/main.yml
@@ -1,6 +1,6 @@
-- name: daemon reload
+- name: Daemon reload
 systemd:
 daemon-reload: true
-- name: restart archweb memcached
+- name: Restart archweb memcached
 service: name=archweb-memcached state=restarted
diff --git a/roles/archweb/tasks/main.yml b/roles/archweb/tasks/main.yml
index 8ff3b43f..18bf68ec 100644
--- a/roles/archweb/tasks/main.yml
+++ b/roles/archweb/tasks/main.yml
@@ -1,4 +1,4 @@
-- name: run maintenance mode
+- name: Run maintenance mode
 include_role:
 name: maintenance
 vars:
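Review bot: Renaming the handlers to `Daemon reload` and `Restart archweb memcached` without touching the tasks that notify them breaks the notifications: the context lines at L26–L29 still read `notify: - daemon reload` and `notify: restart archweb memcached`, and as far as I can tell Ansible resolves `notify` against handler names by exact, case-sensitive string comparison, so after this commit those plays error out with the handler not found. The same mismatch exists for the archwiki handlers (L31–L32: `Purge nginx cache`, `Invalidate MediaWiki file cache`, `Restart php-fpm@archwiki`) versus the `notify:` entries at L35, and for the aurweb `Restart sshd` handler (L36) versus `notify: - restart sshd` at L42. Either update every `notify:` entry to the new capitalized name in this same commit, or add `listen: daemon reload` (and the equivalent on each other renamed handler) so the old names keep resolving. The `reload nginx` notifications depend on a handler outside this page; check it was renamed consistently.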
@@ -9,41 +9,41 @@
 service_nginx_template: "maintenance-nginx.d.conf.j2"
 when: maintenance is defined and archweb_site
-- name: install required packages
+- name: Install required packages
 pacman: name=git,python-setuptools,python-psycopg2,llvm-libs,uwsgi-plugin-python state=present
-- name: make archweb user
+- name: Make archweb user
 user: name=archweb shell=/bin/false home="{{ archweb_dir }}" createhome=no
-- name: fix home permissions
+- name: Fix home permissions
 file: state=directory owner=archweb group=archweb mode=0755 path="{{ archweb_dir }}"
-- name: set archweb groups
+- name: Set archweb groups
 user: name=archweb groups=uwsgi
 when: archweb_site|bool
-- name: create ssl cert
+- name: Create ssl cert
 include_role:
 name: certificate
 vars:
 domains: "{{ [archweb_domain] + archweb_alternate_domains }}"
 when: archweb_site|bool and maintenance is not defined
-- name: set up nginx
+- name: Set up nginx
 template: src=nginx.d.conf.j2 dest="{{ archweb_nginx_conf }}" owner=root group=root mode=644
 notify: reload nginx
 when: archweb_site|bool and maintenance is not defined
 tags: ['nginx']
-- name: make nginx log dir
+- name: Make nginx log dir
 file: path=/var/log/nginx/{{ archweb_domain }} state=directory owner=root group=root mode=0755
 when: archweb_site|bool
-- name: make rsync iso dir
+- name: Make rsync iso dir
 file: path={{ archweb_rsync_iso_dir }} state=directory owner=archweb group=archweb mode=0755
 when: archweb_site|bool
-- name: clone archweb repo
+- name: Clone archweb repo
 git: >
 repo={{ archweb_repository }}
 dest="{{ archweb_dir }}"
@@ -54,36 +54,36 @@
 become_user: archweb
 register: release
-- name: make virtualenv
+- name: Make virtualenv
 command: python -m venv --system-site-packages "{{ archweb_dir }}"/env creates="{{ archweb_dir }}/env/bin/python"
 become: true
 become_user: archweb
-- name: install stuff into virtualenv
+- name: Install stuff into virtualenv
 pip: requirements="{{ archweb_dir }}/requirements_prod.txt" virtualenv="{{ archweb_dir }}/env"
 become: true
 become_user: archweb
 register: virtualenv
-- name: create media dir
+- name: Create media dir
 file: state=directory owner=archweb group=archweb mode=0755 path="{{ archweb_dir }}/media"
 when: archweb_site|bool
-- name: fix home permissions
+- name: Fix home permissions
 file: state=directory owner=archweb group=archweb mode=0755 path="{{ archweb_dir }}"
-- name: make archlinux.org dir
+- name: Make archlinux.org dir
 file: path="{{ archweb_dir }}/archlinux.org" state=directory owner=archweb group=archweb mode=0755
-- name: configure robots.txt
+- name: Configure robots.txt
 copy: src=robots.txt dest="{{ archweb_dir }}/archlinux.org/robots.txt" owner=root group=root mode=0644
-- name: configure archweb
+- name: Configure archweb
 template: src=local_settings.py.j2 dest={{ archweb_dir }}/local_settings.py owner=archweb group=archweb mode=0660
 register: config
 no_log: true
-- name: create archweb db users
+- name: Create archweb db users
 postgresql_user: name={{ item.user }} password={{ item.password }} login_host="{{ archweb_db_host }}" login_password="{{ vault_postgres_users.postgres }}" encrypted=yes
 no_log: true
 when: archweb_site or archweb_services
@@ -93,18 +93,18 @@
 - { user: "{{ archweb_db_dbscripts_user }}", password: "{{ vault_archweb_db_dbscripts_password }}" }
 - { user: "{{ archweb_db_backup_user }}", password: "{{ vault_archweb_db_backup_password }}" }
-- name: create archweb db
+- name: Create archweb db
 postgresql_db: name="{{ archweb_db }}" login_host="{{ archweb_db_host }}" login_password="{{ vault_postgres_users.postgres }}" owner="{{ archweb_db_site_user }}"
 when: archweb_site or archweb_services
 register: db_created
-- name: django migrate
+- name: Django migrate
 django_manage: app_path="{{ archweb_dir }}" command=migrate virtualenv="{{ archweb_dir }}/env"
 become: true
 become_user: archweb
 when: archweb_site and (db_created.changed or release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)
-- name: db privileges for archweb users
+- name: DB privileges for archweb users
 postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" password="{{ vault_archweb_db_site_password }}" privs=CONNECT roles="{{ item }}" type=database
 when: archweb_site or archweb_services
@@ -113,7 +113,7 @@
 - "{{ archweb_db_dbscripts_user }}"
 - "{{ archweb_db_backup_user }}"
-- name: table privileges for archweb users
+- name: Table privileges for archweb users
 postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" password="{{ vault_archweb_db_site_password }}" privs=SELECT roles="{{ item.user }}" type=table objs="{{ item.objs }}"
 when: archweb_site or archweb_services
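Review bot: The `Create archweb db`, `DB privileges for archweb users` and `Table privileges for archweb users` tasks carry `login_password="{{ vault_postgres_users.postgres }}"` or `password="{{ vault_archweb_db_site_password }}"` as module arguments but show no `no_log: true`, whereas `Create archweb db users` just above (L24) does set it; a failed run or `-v` output prints the module args with the vault values. Each of these tasks continues past its hunk, so the setting may sit on a line that is not shown — if it does not, add `no_log: true` beside each `when: archweb_site or archweb_services`. The same pattern appears in the archmanweb `Create archmanweb db` and `Add pg_trgm extension` tasks (L20), `Sequence privileges for archweb users` (L26) and the archwiki `Create archwiki db` task (L35).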
@@ -122,7 +122,7 @@
 - { user: "{{ archweb_db_dbscripts_user }}", objs: "{{ archweb_db_dbscripts_table_objs }}" }
 - { user: "{{ archweb_db_backup_user }}", objs: "{{ archweb_db_backup_table_objs }}" }
-- name: sequence privileges for archweb users
+- name: Sequence privileges for archweb users
 postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" password="{{ vault_archweb_db_site_password }}" privs=SELECT roles="{{ item.user }}" type=sequence objs="{{ item.objs }}"
 when: archweb_site or archweb_services
@@ -130,25 +130,25 @@
 - { user: "{{ archweb_db_services_user }}", objs: "{{ archweb_db_services_sequence_objs }}" }
 - { user: "{{ archweb_db_backup_user }}", objs: "{{ archweb_db_backup_sequence_objs }}" }
-- name: django collectstatic
+- name: Django collectstatic
 django_manage: app_path="{{ archweb_dir }}" command=collectstatic virtualenv="{{ archweb_dir }}/env"
 become: true
 become_user: archweb
 when: archweb_site and (db_created.changed or release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)
-- name: install reporead service
+- name: Install reporead service
 template: src="archweb-reporead.service.j2" dest="/etc/systemd/system/archweb-reporead.service" owner=root group=root mode=0644
 notify:
 - daemon reload
 when: archweb_services or archweb_reporead
-- name: install readlinks service
+- name: Install readlinks service
 template: src="archweb-readlinks.service.j2" dest="/etc/systemd/system/archweb-readlinks.service" owner=root group=root mode=0644
 notify:
 - daemon reload
 when: archweb_services or archweb_reporead
-- name: install mirrorcheck service and timer
+- name: Install mirrorcheck service and timer
 template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
 with_items:
 - archweb-mirrorcheck.service
@@ -157,7 +157,7 @@
 - daemon reload
 when: archweb_services or archweb_mirrorcheck
-- name: install mirrorresolv service and timer
+- name: Install mirrorresolv service and timer
 template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
 with_items:
 - archweb-mirrorresolv.service
@@ -166,7 +166,7 @@
 - daemon reload
 when: archweb_services or archweb_mirrorresolv
-- name: install populate_signoffs service and timer
+- name: Install populate_signoffs service and timer
 template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
 with_items:
 - archweb-populate_signoffs.service
@@ -175,7 +175,7 @@
 - daemon reload
 when: archweb_services or archweb_populate_signoffs
-- name: install planet service and timer
+- name: Install planet service and timer
 template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
 with_items:
 - archweb-planet.service
@@ -184,7 +184,7 @@
 - daemon reload
 when: archweb_planet
-- name: install rebuilderd status service and timer
+- name: Install rebuilderd status service and timer
 template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
 with_items:
 - archweb-rebuilderd.service
@@ -193,27 +193,27 @@
 - daemon reload
 when: archweb_site
-- name: install pgp_import service
+- name: Install pgp_import service
 template: src="archweb-pgp_import.service.j2" dest="/etc/systemd/system/archweb-pgp_import.service" owner=root group=root mode=0644
 notify:
 - daemon reload
 when: archweb_services or archweb_pgp_import
-- name: create pacman.d hooks dir
+- name: Create pacman.d hooks dir
 file: state=directory owner=root group=root mode=0750 path="/etc/pacman.d/hooks"
 when: archweb_services or archweb_pgp_import
-- name: install pgp_import hook
+- name: Install pgp_import hook
 template: src="archweb-pgp_import-pacman-hook.j2" dest="/etc/pacman.d/hooks/archweb-pgp_import.hook" owner=root group=root mode=0644
 when: archweb_services or archweb_pgp_import
-- name: install archweb memcached service
+- name: Install archweb memcached service
 template: src="archweb-memcached.service.j2" dest="/etc/systemd/system/archweb-memcached.service" owner=root group=root mode=0644
 notify:
 - daemon reload
 when: archweb_site|bool
-- name: install archweb rsync iso service and timer
+- name: Install archweb rsync iso service and timer
 template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
 with_items:
 - archweb-rsync_iso.service
@@ -222,16 +222,16 @@
 - daemon reload
 when: archweb_site|bool
-- name: deploy archweb
+- name: Deploy archweb
 template: src=archweb.ini.j2 dest=/etc/uwsgi/vassals/archweb.ini owner=archweb group=http mode=0640
 when: archweb_site|bool
-- name: deploy new release
+- name: Deploy new release
 file: path=/etc/uwsgi/vassals/archweb.ini state=touch owner=archweb group=http mode=0640
 when: archweb_site and (release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)
 notify: restart archweb memcached
-- name: start and enable archweb memcached service and archweb-rsync_iso timer
+- name: Start and enable archweb memcached service and archweb-rsync_iso timer
 systemd:
 name: "{{ item }}"
 enabled: true
@@ -242,55 +242,55 @@
 - archweb-rsync_iso.timer
 when: archweb_site|bool
-- name: start and enable archweb reporead service
+- name: Start and enable archweb reporead service
 service: name="archweb-reporead.service" enabled=yes state=started
 when: archweb_services or archweb_reporead
-- name: restart archweb reporead service
+- name: Restart archweb reporead service
 service: name="archweb-reporead.service" state=restarted
 when: archweb_services or archweb_reporead and (release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)
-- name: start and enable archweb readlinks service
+- name: Start and enable archweb readlinks service
 service: name="archweb-readlinks.service" enabled=yes state=started
 when: archweb_services or archweb_reporead
-- name: restart archweb readlinks service
+- name: Restart archweb readlinks service
 service: name="archweb-readlinks.service" state=restarted
 when: archweb_services or archweb_reporead and (release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)
-- name: start and enable archweb mirrorcheck timer
+- name: Start and enable archweb mirrorcheck timer
 service: name="archweb-mirrorcheck.timer" enabled=yes state=started
 when: archweb_services or archweb_mirrorcheck
-- name: start and enable archweb mirrorresolv timer
+- name: Start and enable archweb mirrorresolv timer
 service: name="archweb-mirrorresolv.timer" enabled=yes state=started
 when: archweb_services or archweb_mirrorresolv
-- name: start and enable archweb populate_signoffs timer
+- name: Start and enable archweb populate_signoffs timer
 service: name="archweb-populate_signoffs.timer" enabled=yes state=started
 when: archweb_services or archweb_populate_signoffs
-- name: start and enable archweb planet timer
+- name: Start and enable archweb planet timer
 service: name="archweb-planet.timer" enabled=yes state=started
 when: archweb_planet
-- name: start and enable archweb rebulderd update timer
+- name: Start and enable archweb rebulderd update timer
 service: name="archweb-rebuilderd.timer" enabled=yes state=started
 when: archweb_site
-- name: install donation import wrapper script
+- name: Install donation import wrapper script
 template: src=donor_import_wrapper.sh.j2 dest=/usr/local/bin/donor_import_wrapper.sh owner=root group=root mode=0755
 when: archweb_site
-- name: install sudoer rights for fetchmail to call archweb django scripts
+- name: Install sudoer rights for fetchmail to call archweb django scripts
 template: src=sudoers-fetchmail-archweb.j2 dest=/etc/sudoers.d/fetchmail-archweb owner=root group=root mode=0440
 when: archweb_site
-- name: create retro dir
+- name: Create retro dir
 file: state=directory owner=archweb group=archweb mode=0755 path="{{ archweb_retro_dir }}"
 when: archweb_site|bool
-- name: clone archweb-retro repo
+- name: Clone archweb-retro repo
 git:
 repo: "{{ archweb_retro_repository }}"
 dest: "{{ archweb_retro_dir }}"
diff --git a/roles/archwiki/handlers/main.yml b/roles/archwiki/handlers/main.yml
index 0b96b913..88ddedf1 100644
--- a/roles/archwiki/handlers/main.yml
+++ b/roles/archwiki/handlers/main.yml
@@ -1,7 +1,7 @@
-- name: restart php-fpm@archwiki
+- name: Restart php-fpm@archwiki
 service: name=php-fpm@{{ archwiki_user }} state=restarted
-- name: run wiki updatescript
+- name: Run wiki updatescript
 command: php {{ archwiki_dir }}/public/maintenance/update.php --quick
 become: true
 become_user: "{{ archwiki_user }}"
@@ -11,7 +11,7 @@
 # otherwise nginx will spit errors into the log until it is restarted (even
 # reload is not enough).
 # reference: https://stackoverflow.com/a/6896903
-- name: purge nginx cache
+- name: Purge nginx cache
 command: find /var/lib/nginx/cache -type f -delete
 # The MediaWiki file cache can be invalidated by deleting the files in the
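Review bot: The `Install sudoer rights for fetchmail to call archweb django scripts` task writes `/etc/sudoers.d/fetchmail-archweb` with no `validate=`, so a template rendering mistake lands a syntactically broken drop-in that sudo rejects wholesale until it is repaired as root; the sshd template in this same diff (L42) already uses the validate pattern. Add `validate='visudo -cf %s'` to that `template:` line. On the two restart tasks, `when: archweb_services or archweb_reporead and (release.changed or ...)` binds `and` tighter than `or`, so hosts with `archweb_services` restart reporead and readlinks on every run — `when: (archweb_services or archweb_reporead) and (release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)` looks like the intent. Separately, the new task name keeps the old typo: `- name: Start and enable archweb rebuilderd update timer` matches the `archweb-rebuilderd.timer` unit it manages.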
@@ -20,5 +20,5 @@
 # being set to true). References:
 # - https://www.mediawiki.org/wiki/Manual:File_cache
 # - https://www.mediawiki.org/wiki/Manual:$wgInvalidateCacheOnLocalSettingsChange
-- name: invalidate MediaWiki file cache
+- name: Invalidate MediaWiki file cache
 file: path="{{ archwiki_dir }}/public/LocalSettings.php" state=touch owner=archwiki group=archwiki mode=0640
diff --git a/roles/archwiki/tasks/main.yml b/roles/archwiki/tasks/main.yml
index 215f49e5..bea0775f 100644
--- a/roles/archwiki/tasks/main.yml
+++ b/roles/archwiki/tasks/main.yml
@@ -1,4 +1,4 @@
-- name: run maintenance mode
+- name: Run maintenance mode
 include_role:
 name: maintenance
 vars:
@@ -8,49 +8,49 @@
 service_nginx_conf: "{{ archwiki_nginx_conf }}"
 when: maintenance is defined
-- name: create ssl cert
+- name: Create ssl cert
 include_role:
 name: certificate
 vars:
 domains: ["{{ archwiki_domain }}"]
 when: 'archwiki_domain is defined'
-- name: install packages
+- name: Install packages
 pacman: name=git,php-intl state=present
-- name: make archwiki user
+- name: Make archwiki user
 user: name="{{ archwiki_user }}" shell=/bin/false home="{{ archwiki_dir }}" createhome=no
 register: user_created
-- name: fix home permissions
+- name: Fix home permissions
 file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0751 path="{{ archwiki_dir }}"
-- name: fix cache permissions
+- name: Fix cache permissions
 file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0750 path="{{ archwiki_dir }}/cache"
-- name: fix sessions permissions
+- name: Fix sessions permissions
 file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0750 path="{{ archwiki_dir }}/sessions"
-- name: fix uploads permissions
+- name: Fix uploads permissions
 file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0755 path="{{ archwiki_dir }}/uploads"
-- name: set up nginx
+- name: Set up nginx
 template: src=nginx.d.conf.j2 dest="{{ archwiki_nginx_conf }}" owner=root group=root mode=644
 notify:
 - reload nginx
 when: maintenance is not defined
 tags: ['nginx']
-- name: configure robots.txt
+- name: Configure robots.txt
 copy: src=robots.txt dest="{{ archwiki_dir }}/robots.txt" owner=root group=root mode=0644
-- name: make nginx log dir
+- name: Make nginx log dir
 file: path=/var/log/nginx/{{ archwiki_domain }} state=directory owner=root group=root mode=0755
-- name: make debug log dir
+- name: Make debug log dir
 file: path=/var/log/archwiki state=directory owner={{ archwiki_user }} group=root mode=0700
-- name: clone archwiki repo
+- name: Clone archwiki repo
 git: repo={{ archwiki_repository }} dest="{{ archwiki_dir }}/public" version={{ archwiki_version }}
 become: true
 become_user: "{{ archwiki_user }}"
@@ -61,41 +61,41 @@
 - purge nginx cache
 - invalidate MediaWiki file cache
-- name: configure archwiki
+- name: Configure archwiki
 template: src=LocalSettings.php.j2 dest="{{ archwiki_dir }}/public/LocalSettings.php" owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0640
 register: config
 no_log: true
-- name: create archwiki db
+- name: Create archwiki db
 mysql_db: name="{{ archwiki_db }}" login_host="{{ archwiki_db_host }}" login_password="{{ vault_mariadb_users.root }}"
 register: db_created
-- name: create archwiki db user
+- name: Create archwiki db user
 mysql_user: name={{ archwiki_db_user }} password={{ vault_archwiki_db_password }} login_host="{{ archwiki_db_host }}" login_password="{{ vault_mariadb_users.root }}" priv="{{ archwiki_db }}.*:ALL"
 no_log: true
-- name: configure php-fpm
+- name: Configure php-fpm
 template: src=php-fpm.conf.j2 dest="/etc/php/php-fpm.d/{{ archwiki_user }}.conf" owner=root group=root mode=0644
 notify:
 - restart php-fpm@{{ archwiki_user }}
-- name: start and enable systemd socket
+- name: Start and enable systemd socket
 service: name=php-fpm@{{ archwiki_user }}.socket state=started enabled=true
-- name: create memcached.service.d drop-in directory
+- name: Create memcached.service.d drop-in directory
 file: path=/etc/systemd/system/memcached@archwiki.service.d state=directory owner=root group=root mode=0755
-- name: install memcached.service drop-in
+- name: Install memcached.service drop-in
 template: src="memcached.service.d-archwiki.conf.j2" dest="/etc/systemd/system/memcached@archwiki.service.d/archwiki.conf" owner=root group=root mode=0644
-- name: start and enable memcached service
+- name: Start and enable memcached service
 service: name=memcached@archwiki.service state=started enabled=true daemon_reload=true
-- name: install systemd services/timers
+- name: Install systemd services/timers
 template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
 loop:
 - archwiki-runjobs.service
@@ -105,7 +105,7 @@
 - archwiki-prune-cache.timer
 - archwiki-question-updater.service
-- name: start and enable archwiki timers and services
+- name: Start and enable archwiki timers and services
 systemd:
 name: "{{ item }}"
 enabled: true
@@ -116,17 +116,17 @@
 - archwiki-prune-cache.timer
 - archwiki-runjobs-wait.service
-- name: create question answer file
+- name: Create question answer file
 systemd:
 name: archwiki-question-updater.service
 state: started
 daemon_reload: true
-- name: ensure question answer file exists and set permissions
+- name: Ensure question answer file exists and set permissions
 file: state=file path="{{ archwiki_question_answer_file }}" owner=root group=root mode=0644
-- name: create pacman.d hooks dir
+- name: Create pacman.d hooks dir
 file: state=directory owner=root group=root mode=0755 path=/etc/pacman.d/hooks
-- name: install archwiki question updater hook
+- name: Install archwiki question updater hook
 template: src=archwiki-question-updater.hook.j2 dest=/etc/pacman.d/hooks/archwiki-question-updater.hook owner=root group=root mode=0644
diff --git a/roles/aurweb/handlers/main.yml b/roles/aurweb/handlers/main.yml
index bc9206e4..35462b4f 100644
--- a/roles/aurweb/handlers/main.yml
+++ b/roles/aurweb/handlers/main.yml
@@ -1,9 +1,9 @@
-- name: daemon reload
+- name: Daemon reload
 systemd:
 daemon-reload: true
-- name: restart php-fpm@{{ aurweb_user }}
+- name: Restart php-fpm@{{ aurweb_user }}
 service: name=php-fpm@{{ aurweb_user }} state=restarted
-- name: restart sshd
+- name: Restart sshd
 service: name=sshd state=restarted
diff --git a/roles/aurweb/tasks/main.yml b/roles/aurweb/tasks/main.yml
index 40a81340..f5a11524 100644
--- a/roles/aurweb/tasks/main.yml
+++ b/roles/aurweb/tasks/main.yml
@@ -1,4 +1,4 @@
-- name: install required packages
+- name: Install required packages
 pacman:
 state: present
 name:
@@ -11,37 +11,37 @@
 - gcc
 - pkg-config
-- name: install the cgit package
+- name: Install the cgit package
 pacman:
 state: present
 name:
 - cgit-aurweb
 register: cgit
-- name: install the git package
+- name: Install the git package
 pacman:
 state: present
 name:
 - git
 register: git
-- name: make aur user
+- name: Make aur user
 user: name="{{ aurweb_user }}" shell=/bin/bash createhome=yes
 register: aur_user
-- name: create .ssh for the aur user
+- name: Create .ssh for the aur user
 file: path={{ aur_user.home }}/.ssh state=directory owner={{ aur_user.name }} group={{ aur_user.name }} mode=0700
-- name: install SSH key for mirroring to GitHub
+- name: Install SSH key for mirroring to GitHub
 copy: src=id_ed25519 dest={{ aur_user.home }}/.ssh/ owner={{ aur_user.name }} group={{ aur_user.name }} mode=0600
-- name: fetch host keys for github.com
+- name: Fetch host keys for github.com
 command: ssh-keyscan github.com
 args:
 creates: "{{ aur_user.home }}/.ssh/known_hosts"
 register: github_host_keys
-- name: write github.com host keys to the aur user's known_hosts
+- name: Write github.com host keys to the aur user's known_hosts
 lineinfile: name={{ aur_user.home }}/.ssh/known_hosts create=yes line={{ item }} owner={{ aur_user.name }} group={{ aur_user.name }} mode=0644
 loop: "{{ github_host_keys.stdout_lines }}"
 when: github_host_keys.changed
@@ -49,7 +49,7 @@
 - name: Create directory
 file: path={{ aurweb_dir }} state=directory owner={{ aurweb_user }} group=http mode=0775
-- name: receive valid signing keys
+- name: Receive valid signing keys
 command: /usr/bin/gpg --keyserver keys.openpgp.org --recv {{ item }}
 loop: '{{ aurweb_pgp_keys }}'
 become: true
@@ -57,7 +57,7 @@
 register: gpg
 changed_when: "gpg.rc == 0"
-- name: aurweb git repo check
+- name: Aurweb git repo check
 git: >
 repo={{ aurweb_repository }}
 dest="{{ aurweb_dir }}"
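Review bot: `Fetch host keys for github.com` runs `ssh-keyscan github.com` and `Write github.com host keys to the aur user's known_hosts` pins whatever came back, so the host key that protects the GitHub mirror push is trusted on the strength of one unauthenticated network answer at first run, and `creates:` means it is never re-examined. Shipping the known_hosts entry as a role file (the way `copy: src=id_ed25519` already ships the key material) or using the `known_hosts` module with a `key:` value taken from GitHub's published fingerprints removes the scan entirely. Whether `files/id_ed25519` is vault-encrypted is not visible from this hunk; if it is a plaintext private key in the repository, that is the larger issue to fix first.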
@@ -69,7 +69,7 @@
 register: release
 check_mode: true
-- name: install AUR systemd service and timers
+- name: Install AUR systemd service and timers
 template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
 with_items:
 - aurweb-git.service
@@ -91,7 +91,7 @@
 - aurweb-github-mirror.timer
 when: release.changed
-- name: stop AUR systemd services and timers
+- name: Stop AUR systemd services and timers
 service: name={{ item }} enabled=yes state=stopped
 with_items:
 - aurweb-git.timer
@@ -105,7 +105,7 @@
 - aurweb-github-mirror.timer
 when: release.changed
-- name: clone aurweb repo
+- name: Clone aurweb repo
 git: >
 repo={{ aurweb_repository }}
 dest="{{ aurweb_dir }}"
@@ -116,35 +116,35 @@
 become_user: "{{ aurweb_user }}"
 when: release.changed
-- name: create necessary directories
+- name: Create necessary directories
 file: path={{ aurweb_dir }}/{{ item }} state=directory owner={{ aurweb_user }} group={{ aurweb_user }} mode=0755
 with_items:
 - 'aurblup'
 - 'sessions'
 - 'uploads'
-- name: create aurweb conf dir
+- name: Create aurweb conf dir
 file: path={{ aurweb_conf_dir }} state=directory owner=root group=root mode=0755
-- name: copy aurweb configuration file
+- name: Copy aurweb configuration file
 copy: src={{ aurweb_dir }}/conf/config.defaults dest={{ aurweb_conf_dir }}/config.defaults remote_src=yes owner=root group=root mode=0644
 # Note: initdb needs the config
-- name: install custom aurweb configuration
+- name: Install custom aurweb configuration
 template: src=config.j2 dest={{ aurweb_conf_dir }}/config owner=root group=root mode=0644
-- name: create aur db
+- name: Create aur db
 mysql_db: name="{{ aurweb_db }}" login_host="{{ aurweb_db_host }}" login_password="{{ vault_mariadb_users.root }}" encoding=utf8
 register: db_created
 no_log: true
-- name: create aur db user
+- name: Create aur db user
 mysql_user: name={{ aurweb_db_user }} password={{ vault_aurweb_db_password }} login_host="{{ aurweb_db_host }}" login_password="{{ vault_mariadb_users.root }}" priv="{{ aurweb_db }}.*:ALL"
 no_log: true
-- name: initialize the database
+- name: Initialize the database
 command: poetry run python -m aurweb.initdb
 args:
 chdir: "{{ aurweb_dir }}"
@@ -152,7 +152,7 @@
 become_user: "{{ aurweb_user }}"
 when: db_created.changed
-- name: run migrations
+- name: Run migrations
 command: poetry run alembic upgrade head
 args:
 chdir: "{{ aurweb_dir }}"
@@ -183,19 +183,19 @@
 become_user: "{{ aurweb_user }}"
 when: release.changed or aurweb_installed.rc != 0
-- name: install custom aurweb-git-auth wrapper script
+- name: Install custom aurweb-git-auth wrapper script
 template: src=aurweb-git-auth.sh.j2 dest=/usr/local/bin/aurweb-git-auth.sh owner=root group=root mode=0755
 when: release.changed
-- name: install custom aurweb-git-serve wrapper script
+- name: Install custom aurweb-git-serve wrapper script
 template: src=aurweb-git-serve.sh.j2 dest=/usr/local/bin/aurweb-git-serve.sh owner=root group=root mode=0755
 when: release.changed
-- name: install custom aurweb-git-update wrapper script
+- name: Install custom aurweb-git-update wrapper script
 template: src=aurweb-git-update.sh.j2 dest=/usr/local/bin/aurweb-git-update.sh owner=root group=root mode=0755
 when: release.changed
-- name: link custom aurweb-git-update wrapper to hooks/update
+- name: Link custom aurweb-git-update wrapper to hooks/update
 file:
 src: /usr/local/bin/aurweb-git-update.sh
 dest: "{{ aurweb_dir }}/aur.git/hooks/update"
@@ -215,36 +215,36 @@
 become: true
 become_user: "{{ aurweb_user }}"
-- name: create ssl cert
+- name: Create ssl cert
 include_role:
 name: certificate
 vars:
 domains: ["{{ aurweb_domain }}"]
-- name: set up nginx
+- name: Set up nginx
 template: src=nginx.d.conf.j2 dest={{ aurweb_nginx_conf }} owner=root group=root mode=644
 notify: reload nginx
 tags: ['nginx']
-- name: make nginx log dir
+- name: Make nginx log dir
 file: path=/var/log/nginx/{{ aurweb_domain }} state=directory owner=root group=root mode=0755
-- name: install cgit configuration
+- name: Install cgit configuration
 template: src=cgitrc.j2 dest="{{ aurweb_conf_dir }}/cgitrc" owner=root group=root mode=0644
-- name: configure cgit uwsgi service
+- name: Configure cgit uwsgi service
 template: src=cgit.ini.j2 dest=/etc/uwsgi/vassals/cgit.ini owner={{ aurweb_user }} group=http mode=0644
-- name: deploy new cgit release
+- name: Deploy new cgit release
 become: true
 become_user: "{{ aurweb_user }}"
 file: path=/etc/uwsgi/vassals/cgit.ini state=touch owner=root group=root mode=0644
 when: cgit.changed
-- name: configure smartgit uwsgi service
+- name: Configure smartgit uwsgi service
 template: src=smartgit.ini.j2 dest=/etc/uwsgi/vassals/smartgit.ini owner={{ aurweb_user }} group=http mode=0644
-- name: deploy new smartgit release
+- name: Deploy new smartgit release
 become: true
 become_user: "{{ aurweb_user }}"
 file:
@@ -255,10 +255,10 @@
 mode: 0644
 when: git.changed
-- name: create git repo dir
+- name: Create git repo dir
 file: path={{ aurweb_git_dir }} state=directory owner={{ aurweb_user }} group=http mode=0775
-- name: init git directory
+- name: Init git directory
 command: git init --bare {{ aurweb_git_dir }}
 args:
 creates: "{{ aurweb_git_dir }}/HEAD"
@@ -267,7 +267,7 @@
 tags:
 - skip_ansible_lint
-- name: save hideRefs setting on var
+- name: Save hideRefs setting on var
 command: git config --local --get-all transfer.hideRefs
 register: git_config
 args:
@@ -276,7 +276,7 @@
 tags:
 - skip_ansible_lint
-- name: configure git tranfser.hideRefs
+- name: Configure git tranfser.hideRefs
 command: git config --local transfer.hideRefs '^refs/'
 args:
 chdir: "{{ aurweb_git_dir }}"
@@ -286,7 +286,7 @@
 tags:
 - skip_ansible_lint
-- name: configure git transfer.hideRefs second
+- name: Configure git transfer.hideRefs second
 command: git config --local --add transfer.hideRefs '!refs/'
 args:
 chdir: "{{ aurweb_git_dir }}"
@@ -296,7 +296,7 @@
 tags:
 - skip_ansible_lint
-- name: configure git transfer.hideRefs third
+- name: Configure git transfer.hideRefs third
 command: git config --local --add transfer.hideRefs '!HEAD'
 args:
 chdir: "{{ aurweb_git_dir }}"
@@ -306,12 +306,12 @@
 tags:
 - skip_ansible_lint
-- name: configure sshd
+- name: Configure sshd
 template: src=aurweb_config.j2 dest={{ sshd_includes_dir }}/aurweb_config owner=root group=root mode=0600 validate='/usr/sbin/sshd -t -f %s'
 notify:
 - restart sshd
-- name: start and enable AUR systemd services and timers
+- name: Start and enable AUR systemd services and timers
 service: name={{ item }} enabled=yes state=started daemon_reload=yes
 with_items:
 - aurweb-git.timer
diff --git a/roles/borg_client/tasks/main.yml b/roles/borg_client/tasks/main.yml
index f4f3dc45..d852c33c 100644
--- a/roles/borg_client/tasks/main.yml
+++ b/roles/borg_client/tasks/main.yml
@@ -1,7 +1,7 @@
-- name: install borg and tools
+- name: Install borg and tools
 pacman: name=borg state=present
-- name: check if borg repository already exists
+- name: Check if borg repository already exists
 command: "{{ item['borg_cmd'] }} list {{ item['host'] }}/{{ item['dir'] }}"
 environment:
 BORG_RELOCATED_REPO_ACCESS_IS_OK: "yes"
@@ -10,7 +10,7 @@
 loop: "{{ backup_hosts }}"
 changed_when: borg_list.stdout | length > 0
-- name: init borg repository
+- name: Init borg repository
 command: "{{ item['borg_cmd'] }} init -e keyfile {{ item['host'] }}/{{ item['dir'] }}"
 when: borg_list is failed
 environment:
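Review bot: The renamed task name in the first hunk still misspells the git setting as `tranfser.hideRefs`, while the command on the next line and the two follow-up tasks spell it `transfer.hideRefs`; since this commit already rewrites the line, `- name: Configure git transfer.hideRefs` would fix it at no extra cost. The task's remaining arguments (and the tags the three hunks share) continue outside the hunk.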
@@ -21,48 +21,48 @@ - skip_ansible_lint -- name: install convenience scripts +- name: Install convenience scripts template: src=borg.j2 dest=/usr/local/bin/borg{{ item['suffix'] }} owner=root group=root mode=0755 loop: "{{ backup_hosts }}" -- name: install borg backup scripts +- name: Install borg backup scripts template: src=borg-backup.sh.j2 dest=/usr/local/bin/borg-backup{{ item['suffix'] }}.sh owner=root group=root mode=0755 loop: "{{ backup_hosts }}" -- name: install postgres backup script +- name: Install postgres backup script template: src=backup-postgres.sh.j2 dest=/usr/local/bin/backup-postgres.sh owner=root group=root mode=0755 when: postgres_backup_dir is defined -- name: check whether postgres user exists +- name: Check whether postgres user exists command: getent passwd postgres register: check_postgres_user ignore_errors: true changed_when: check_postgres_user.stdout | length > 0 -- name: make postgres backup directory +- name: Make postgres backup directory file: path={{ postgres_backup_dir }} owner=root group=root mode=0755 state=directory when: check_postgres_user is succeeded and postgres_backup_dir is defined -- name: install mysql backup script +- name: Install mysql backup script template: src=backup-mysql.sh.j2 dest=/usr/local/bin/backup-mysql.sh owner=root group=root mode=0755 when: mysql_backup_dir is defined -- name: install mysql backup config +- name: Install mysql backup config template: src=backup-my.cnf.j2 dest={{ mysql_backup_defaults }} owner=root group=root mode=0644 when: mysql_backup_defaults is defined -- name: create mysql backup directory +- name: Create mysql backup directory file: path={{ mysql_backup_dir }} state=directory owner=root group=root mode=0755 when: mysql_backup_dir is defined -- name: install systemd services for backup +- name: Install systemd services for backup template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 with_items: - borg-backup.service - 
borg-backup-offsite.service -- name: install systemd timer for backup +- name: Install systemd timer for backup copy: src=borg-backup.timer dest=/etc/systemd/system/borg-backup.timer owner=root group=root mode=0644 -- name: activate systemd timer for backup +- name: Activate systemd timer for backup systemd: name=borg-backup.timer enabled=yes state=started daemon-reload=yes diff --git a/roles/borg_server/tasks/main.yml b/roles/borg_server/tasks/main.yml index aadea58c..60b7835d 100644 --- a/roles/borg_server/tasks/main.yml +++ b/roles/borg_server/tasks/main.yml @@ -1,12 +1,12 @@ -- name: install borg +- name: Install borg pacman: name=borg state=present -- name: create borg user +- name: Create borg user user: name: borg home: "{{ backup_dir }}" -- name: create borg user home +- name: Create borg user home file: path: "{{ backup_dir }}" state: directory @@ -14,7 +14,7 @@ group: borg mode: 0700 -- name: create the root backup directory at {{ backup_dir }} +- name: Create the root backup directory at {{ backup_dir }} file: path: "{{ backup_dir }}/{{ item }}" state: directory @@ -23,14 +23,14 @@ mode: 0700 with_items: "{{ backup_clients }}" -- name: fetch ssh keys from each borg client machine +- name: Fetch ssh keys from each borg client machine command: cat /root/.ssh/id_rsa.pub register: ssh_keys delegate_to: "{{ item }}" with_items: "{{ backup_clients }}" changed_when: ssh_keys.stdout | length > 0 -- name: allow certain clients to connect +- name: Allow certain clients to connect authorized_key: user: borg key: "{{ item.stdout }}" diff --git a/roles/bugbot/tasks/main.yml b/roles/bugbot/tasks/main.yml index e6917755..b58782da 100644 --- a/roles/bugbot/tasks/main.yml +++ b/roles/bugbot/tasks/main.yml 
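Review bot: `Install mysql backup config` writes the `backup-my.cnf.j2` template to `{{ mysql_backup_defaults }}` with `mode=0644`; a MySQL defaults file for a backup user normally carries that user's password, and if this one does it should not be readable by every local account. Only root needs it, since the backup tooling in this hunk is installed as root-owned scripts and units, so `mode=0600` is the safer setting, the same protection the certbot role gives its rfc2136.ini credentials. In the same hunk, `Check whether postgres user exists` runs a read-only `getent` but reports changed whenever the user exists and hides failures with `ignore_errors: true`; the idiomatic form for a probe is `changed_when: false` together with `failed_when: false`, which keeps the `check_postgres_user is succeeded` test below working.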
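Review bot: `Allow certain clients to connect` installs each client's root public key on the borg user, and the `authorized_key` arguments continue past the end of the hunk; if no `key_options` is set there, every backup client holds an unrestricted login as the borg user and can reach every other client's repository under `{{ backup_dir }}`. Borg's documented hardening for a shared backup server is to pin each key to its own directory with a forced command, e.g. `key_options: 'command="borg serve --restrict-to-path {{ backup_dir }}/{{ item.item }}",restrict'` (adding `--append-only` if clients should not be able to prune their own history); the exact loop variable depends on how the task iterates over `ssh_keys`, which is outside the hunk. The `Fetch ssh keys from each borg client machine` task is read-only but reports changed on every run because of `changed_when: ssh_keys.stdout | length > 0`; `changed_when: false` (or the `slurp` module in place of `command: cat`) is the usual form for gathering a file's contents.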
@@ -1,13 +1,13 @@ -- name: install bugbot utilities +- name: Install bugbot utilities pacman: name=python-irc,python-beautifulsoup4,python-lxml state=present -- name: receive valid signing keys +- name: Receive valid signing keys command: /usr/bin/gpg --keyserver keys.openpgp.org --auto-key-locate wkd,keyserver --locate-keys {{ item }} with_items: '{{ bugbot_pgp_emails }}' register: gpg changed_when: "gpg.rc == 0" -- name: clone bugbot source +- name: Clone bugbot source git: repo: https://gitlab.archlinux.org/archlinux/bugbot.git dest: /srv/bugbot @@ -16,11 +16,11 @@ gpg_whitelist: '{{ bugbot_pgp_keys }}' version: '{{ bugbot_version }}' -- name: install env file +- name: Install env file template: src=bugbot.j2 dest=/srv/bugbot/env owner=root group=root mode=0600 -- name: install bugbot systemd service +- name: Install bugbot systemd service copy: src=bugbot.service dest=/etc/systemd/system/bugbot.service owner=root group=root mode=0644 -- name: start and enable bugbot service +- name: Start and enable bugbot service systemd: name=bugbot.service enabled=yes state=started daemon_reload=yes diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml index 66c8dc73..2edbcd52 100644 --- a/roles/certbot/tasks/main.yml +++ b/roles/certbot/tasks/main.yml 
@@ -1,30 +1,30 @@
-- name: install certbot
+- name: Install certbot
 pacman: name=certbot{{ ",certbot-dns-rfc2136" if certbot_dns_support }} state=present
-- name: install rfc2136.ini
+- name: Install rfc2136.ini
 template: src=rfc2136.ini.j2 dest=/etc/letsencrypt/rfc2136.ini owner=root group=root mode=0600
 when: certbot_dns_support
-- name: install letsencrypt hook
+- name: Install letsencrypt hook
 copy: src=hook.sh dest=/etc/letsencrypt/hook.sh owner=root group=root mode=0755
-- name: create letsencrypt hook dir
+- name: Create letsencrypt hook dir
 file: state=directory path=/etc/letsencrypt/hook.d owner=root group=root mode=0755
-- name: install letsencrypt renewal service
+- name: Install letsencrypt renewal service
 copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
 with_items:
 - certbot-renewal.service
 - certbot-renewal.timer
-- name: activate letsencrypt renewal service
+- name: Activate letsencrypt renewal service
 systemd:
 name: certbot-renewal.timer
 enabled: true
 state: started
 daemon_reload: true
-- name: open firewall holes for certbot standalone authenticator
+- name: Open firewall holes for certbot standalone authenticator
 ansible.posix.firewalld: service={{ item }} permanent=true state=enabled immediate=yes
 with_items:
 - http
diff --git a/roles/certificate/tasks/main.yml b/roles/certificate/tasks/main.yml
index 2a3e3a99..6d680390 100644
--- a/roles/certificate/tasks/main.yml
+++ b/roles/certificate/tasks/main.yml
@@ -1,4 +1,4 @@
-- name: create ssl cert (HTTP-01)
+- name: Create ssl cert (HTTP-01)
 shell: |
 set -o pipefail
 # We can't start nginx without the certificate and we can't issue a certificate without nginx running.
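Review bot: `Open firewall holes for certbot standalone authenticator` talks to firewalld unconditionally, whereas the other firewalld tasks in this commit (the rsync and svnserve holes in the dbscripts role) are guarded with `when: configure_firewall` and carry `tags: [firewall]`; if any host that includes this role sets `configure_firewall` to false, this task would still try to reach firewalld there. Adding the same guard and tag, `when: configure_firewall` and `tags: ['firewall']`, keeps the firewall handling consistent across roles. The task's `with_items` list continues past the end of the hunk.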
@@ -10,7 +10,7 @@
 creates: '/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem'
 when: challenge | default(certificate_challenge) == "HTTP-01"
-- name: create ssl cert (DNS-01)
+- name: Create ssl cert (DNS-01)
 command: certbot certonly --email {{ certificate_contact_email }} --agree-tos --rsa-key-size {{ certificate_rsa_key_size }} --renew-by-default --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d {{ domains | join(' -d ') }}
 args:
 creates: '/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem'
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 3e913cce..736c5e51 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -1,12 +1,12 @@
-- name: restart journald
+- name: Restart journald
 systemd:
 name: systemd-journald
 state: restarted
 daemon_reload: true
-- name: systemd daemon-reload
+- name: Systemd daemon-reload
 systemd:
 daemon_reload: true
-- name: restart systemd-zram-setup@zram0
+- name: Restart systemd-zram-setup@zram0
 service: name=systemd-zram-setup@zram0 state=restarted daemon_reload=yes
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index d836d0d3..adc3abf9 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
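Review bot: Renaming the handlers to `Restart journald`, `Systemd daemon-reload` and `Restart systemd-zram-setup@zram0` breaks the notifications that still use the old spelling, because Ansible matches `notify` entries against handler names case-sensitively: the roles/common/tasks/main.yml hunks starting at @@ -76 and @@ -125 keep `- restart journald`, `- systemd daemon-reload` and `- restart systemd-zram-setup@zram0` as unchanged context, and the roles/debuginfod/tasks/main.yml hunk keeps `- reload debuginfod` while its handler becomes `Reload debuginfod`. On the next run that changes one of those files Ansible stops with a "requested handler ... was not found" error instead of restarting the service. Either update each notify to the new name, e.g. `notify:` / `  - Restart journald`, or keep the old names working by adding `listen: restart journald` (and the equivalents) under each renamed handler. The `reload nginx`, `restart sshd` and `daemon reload` notifications in the aurweb, dbscripts and debuginfod hunks reference handlers not shown here; if this commit capitalizes those handlers too, the same mismatch applies.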
@@ -1,66 +1,66 @@ -- name: install essential tools +- name: Install essential tools pacman: name=vim,nano,tmux,htop,ncdu,bash-completion,rsync,vnstat state=present -- name: start and enable vnstatd +- name: Start and enable vnstatd service: name=vnstat enabled=yes state=started -- name: install inetutils for hostname +- name: Install inetutils for hostname pacman: name=inetutils state=present -- name: set hostname +- name: Set hostname hostname: name="{{ inventory_hostname }}" -- name: install pacman config +- name: Install pacman config template: src=pacman.conf.j2 dest=/etc/pacman.conf mode=0644 owner=root group=root -- name: configure pacman mirror +- name: Configure pacman mirror template: src=mirrorlist.j2 dest=/etc/pacman.d/mirrorlist owner=root group=root mode=0644 -- name: update package cache +- name: Update package cache pacman: update_cache=yes -- name: start and enable auditd +- name: Start and enable auditd service: name=auditd enabled=yes state=started -- name: start and enable systemd-timesyncd +- name: Start and enable systemd-timesyncd service: name=systemd-timesyncd enabled=yes state=started -- name: install smart +- name: Install smart pacman: name=smartmontools state=present when: "'hcloud' not in group_names" -- name: configure smartd to do periodic health checks +- name: Configure smartd to do periodic health checks copy: src=smartd.conf dest=/etc/smartd.conf owner=root group=root mode=0644 when: "'hcloud' not in group_names" -- name: start and enable smart +- name: Start and enable smart service: name=smartd enabled=yes state=started when: "'hcloud' not in group_names" -- name: start and enable btrfs scrub timer +- name: Start and enable btrfs scrub timer service: name=btrfs-scrub@{{ '-' if (item.mount | length == 1) else (item.mount.split("/", 1)[1] | replace("/", "-")) }}.timer enabled=yes state=started loop: "{{ ansible_mounts | sort(attribute='mount') | groupby('uuid') | map(attribute=1) | map('first') }}" when: - item.fstype == 'btrfs' - 
not 'backup' in item.mount -- name: generate locales +- name: Generate locales locale_gen: name={{ item }} state=present with_items: - en_US.UTF-8 -- name: configure locales +- name: Configure locales template: src=locale.conf.j2 dest=/etc/locale.conf owner=root group=root mode=0644 -- name: generate ssh key for root +- name: Generate ssh key for root command: ssh-keygen -b 4096 -N "" -f /root/.ssh/id_rsa creates="/root/.ssh/id_rsa" -- name: configure networking +- name: Configure networking include_role: name: networking when: configure_network -- name: configure tcp receive window limits +- name: Configure tcp receive window limits sysctl: name: net.ipv4.tcp_rmem value: "{{ tcp_rmem }}" @@ -68,7 +68,7 @@ sysctl_file: /etc/sysctl.d/net.conf when: tcp_rmem is defined -- name: configure tcp send window limits +- name: Configure tcp send window limits sysctl: name: net.ipv4.tcp_wmem value: "{{ tcp_wmem }}" 
@@ -76,48 +76,48 @@ sysctl_file: /etc/sysctl.d/net.conf when: tcp_wmem is defined -- name: create drop-in directories for systemd configuration +- name: Create drop-in directories for systemd configuration file: path=/etc/systemd/{{ item }}.d state=directory owner=root group=root mode=0755 loop: - system.conf - journald.conf -- name: install journald.conf overrides +- name: Install journald.conf overrides template: src=journald.conf.j2 dest=/etc/systemd/journald.conf.d/override.conf owner=root group=root mode=644 notify: - restart journald -- name: install system.conf overrides +- name: Install system.conf overrides template: src=system.conf.j2 dest=/etc/systemd/system.conf.d/override.conf owner=root group=root mode=0644 notify: - systemd daemon-reload -- name: install zram-generator +- name: Install zram-generator pacman: name=zram-generator state=present when: enable_zram_swap -- name: install zram-generator config for zram +- name: Install zram-generator config for zram template: src=zram-generator.conf dest=/etc/systemd/zram-generator.conf owner=root group=root mode=0644 notify: - restart systemd-zram-setup@zram0 when: enable_zram_swap -- name: disable zswap to prevent conflict with zram +- name: Disable zswap to prevent conflict with zram copy: content="w- /sys/module/zswap/parameters/enabled - - - - N" dest=/etc/tmpfiles.d/zram.conf owner=root group=root mode=0644 register: zramtmpfiles when: enable_zram_swap -- name: use tmpfiles.d/zram.conf +- name: Use tmpfiles.d/zram.conf command: systemd-tmpfiles --create when: zramtmpfiles.changed -- name: create drop-in directories for oomd +- name: Create drop-in directories for oomd file: path=/etc/systemd/system/{{ item }}.d state=directory owner=root group=root mode=0755 with_items: - "-.slice" - user@.service -- name: install drop-in snippets for oomd +- name: Install drop-in snippets for oomd copy: src=oomd-override_{{ item }}.conf dest=/etc/systemd/system/{{ item }}.d/override.conf owner=root group=root 
mode=0644 with_items: - "-.slice" @@ -125,32 +125,32 @@ notify: - systemd daemon-reload -- name: start systemd-oomd +- name: Start systemd-oomd service: name=systemd-oomd state=started enabled=yes -- name: install logrotate +- name: Install logrotate pacman: name=logrotate state=present -- name: configure logrotate +- name: Configure logrotate template: src=logrotate.conf.j2 dest=/etc/logrotate.conf owner=root group=root mode=0644 -- name: enable logrotate timer +- name: Enable logrotate timer service: name=logrotate.timer state=started enabled=yes -- name: create zsh directory +- name: Create zsh directory file: path=/root/.zsh state=directory owner=root group=root mode=0700 -- name: install root shell config +- name: Install root shell config copy: src={{ item }} dest=/root/.{{ item }} owner=root group=root mode=0644 with_items: - zshrc - dircolors -- name: install pacman-contrib,archlinux-contrib +- name: Install pacman-contrib,archlinux-contrib pacman: name=pacman-contrib,archlinux-contrib state=installed -- name: install custom paccache.service +- name: Install custom paccache.service copy: src=paccache.service dest=/etc/systemd/system/paccache.service owner=root group=root mode=0644 -- name: enable paccache timer +- name: Enable paccache timer systemd: name=paccache.timer enabled=yes state=started daemon_reload=yes diff --git a/roles/dbscripts/tasks/main.yml b/roles/dbscripts/tasks/main.yml index d050885d..6936bc73 100644 --- a/roles/dbscripts/tasks/main.yml +++ b/roles/dbscripts/tasks/main.yml 
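Review bot: `Install journald.conf overrides` in the hunk starting at @@ -76 writes its template with `mode=644`, while the sibling `Install system.conf overrides` and every other task in this file use the leading-zero form; `mode=0644` makes the two drop-ins consistent and avoids the ambiguity that ansible-lint's risky-octal rule warns about. The rest of the hunk is a name-only change.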
@@ -1,44 +1,44 @@ -- name: install svn, git, rsync and some perl stuff +- name: Install svn, git, rsync and some perl stuff pacman: name=git,subversion,rsync,perl-dbd-pg,perl-timedate,diffstat state=present -- name: install sourceballs requirements (makepkg download dependencies) +- name: Install sourceballs requirements (makepkg download dependencies) pacman: name=git,subversion,mercurial,breezy state=present -- name: install binutils for createlinks script +- name: Install binutils for createlinks script pacman: name=binutils state=present -- name: create dbscripts users +- name: Create dbscripts users user: name="{{ item }}" shell=/bin/bash with_items: - svn-packages - svn-community -- name: add cleanup user +- name: Add cleanup user user: name=cleanup groups=tu,dev,multilib shell=/sbin/nologin -- name: add sourceballs user +- name: Add sourceballs user user: name=sourceballs shell=/sbin/nologin -- name: set up sudoers.d for special users +- name: Set up sudoers.d for special users copy: src=sudoers.d dest=/etc/sudoers.d/dbscripts owner=root group=root mode=0600 -- name: create ssl cert +- name: Create ssl cert include_role: name: certificate vars: domains: ["{{ repos_domain }}", "{{ repos_rsync_domain }}"] -- name: make nginx log dir +- name: Make nginx log dir file: path=/var/log/nginx/{{ repos_domain }} state=directory owner=root group=root mode=0755 -- name: set up nginx +- name: Set up nginx template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/dbscripts.conf owner=root group=root mode=0644 notify: - reload nginx tags: - nginx -- name: create Arch Linux-specific users +- name: Create Arch Linux-specific users user: name: "{{ item.key }}" group: users 
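Review bot: `Set up sudoers.d for special users` copies a sudoers fragment into /etc/sudoers.d with no syntax check, so a broken fragment would be installed as-is and sudo refuses to run at all while a file under sudoers.d fails to parse. The copy module can validate before replacing the file: `copy: src=sudoers.d dest=/etc/sudoers.d/dbscripts owner=root group=root mode=0600 validate='visudo -cf %s'`, the same pattern the aurweb role already uses for its sshd include with `validate='/usr/sbin/sshd -t -f %s'`.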
@@ -47,25 +47,25 @@ state: present with_dict: "{{ arch_users }}" -- name: create .ssh directory +- name: Create .ssh directory file: path=/home/svn-packages/.ssh state=directory owner=svn-packages group=svn-packages mode=0700 -- name: configure ssh keys for devs +- name: Configure ssh keys for devs template: src=authorized_keys-group.j2 dest=/home/svn-packages/.ssh/authorized_keys owner=svn-packages group=svn-packages mode=600 vars: pubkey_groups: ['dev'] tags: ['archusers'] -- name: create .ssh directory +- name: Create .ssh directory file: path=/home/svn-community/.ssh state=directory owner=svn-community group=svn-community mode=0700 -- name: configure ssh keys for TUs +- name: Configure ssh keys for TUs template: src=authorized_keys-group.j2 dest=/home/svn-community/.ssh/authorized_keys owner=svn-community group=svn-community mode=600 vars: pubkey_groups: ['tu'] tags: ['archusers'] -- name: create staging directories in user homes +- name: Create staging directories in user homes dbscripts_mkdirs: pathtmpl: '/home/{user}/staging/{dirname}' permissions: '755' 
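Review bot: The two authorized_keys templates in this hunk use `mode=600` while the `.ssh` directories next to them use `mode=0700`; `mode=0600` on both template lines keeps the leading-zero convention the rest of this file follows. The hunk also ends up with two tasks named `Create .ssh directory`, which makes `--start-at-task` and log output ambiguous; `Create .ssh directory for svn-packages` and `Create .ssh directory for svn-community` would distinguish them.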
@@ -74,88 +74,88 @@ group: users tags: ["archusers"] -- name: create dbscripts paths +- name: Create dbscripts paths file: path="{{ item }}" state=directory owner=root group=root mode=0755 with_items: - /srv/repos/svn-community - /srv/repos/svn-packages -- name: create svn-community/package-cleanup directory +- name: Create svn-community/package-cleanup directory file: path="/srv/repos/svn-community/package-cleanup" state=directory owner=svn-community group=tu mode=0775 -- name: add acl user:cleanup:rwx to /srv/repos/svn-community/package-cleanup +- name: Add acl user:cleanup:rwx to /srv/repos/svn-community/package-cleanup acl: name=/srv/repos/svn-community/package-cleanup entry="user:cleanup:rwx" state=present -- name: add acl default:user::rwx to /srv/repos/svn-community/package-cleanup +- name: Add acl default:user::rwx to /srv/repos/svn-community/package-cleanup acl: name=/srv/repos/svn-community/package-cleanup entry="default:user::rwx" state=present -- name: add acl default:user:cleanup:rwx to /srv/repos/svn-community/package-cleanup +- name: Add acl default:user:cleanup:rwx to /srv/repos/svn-community/package-cleanup acl: name=/srv/repos/svn-community/package-cleanup entry="default:user:cleanup:rwx" state=present -- name: add acl default:group::rwx to /srv/repos/svn-community/package-cleanup +- name: Add acl default:group::rwx to /srv/repos/svn-community/package-cleanup acl: name=/srv/repos/svn-community/package-cleanup entry="default:group::rwx" state=present -- name: add acl default:other::r-x to /srv/repos/svn-community/package-cleanup +- name: Add acl default:other::r-x to /srv/repos/svn-community/package-cleanup acl: name=/srv/repos/svn-community/package-cleanup entry="default:other::r-x" state=present -- name: create svn-packages/package-cleanup directory +- name: Create svn-packages/package-cleanup directory file: path="/srv/repos/svn-packages/package-cleanup" state=directory owner=svn-packages group=dev mode=0775 -- name: add acl user:cleanup:rwx to 
/srv/repos/svn-packages/package-cleanup +- name: Add acl user:cleanup:rwx to /srv/repos/svn-packages/package-cleanup acl: name=/srv/repos/svn-packages/package-cleanup entry="user:cleanup:rwx" state=present -- name: add acl default:user::rwx to /srv/repos/svn-packages/package-cleanup +- name: Add acl default:user::rwx to /srv/repos/svn-packages/package-cleanup acl: name=/srv/repos/svn-packages/package-cleanup entry="default:user::rwx" state=present -- name: add acl default:user:cleanup:rwx to /srv/repos/svn-packages/package-cleanup +- name: Add acl default:user:cleanup:rwx to /srv/repos/svn-packages/package-cleanup acl: name=/srv/repos/svn-packages/package-cleanup entry="default:user:cleanup:rwx" state=present -- name: add acl default:group::rwx to /srv/repos/svn-packages/package-cleanup +- name: Add acl default:group::rwx to /srv/repos/svn-packages/package-cleanup acl: name=/srv/repos/svn-packages/package-cleanup entry="default:group::rwx" state=present -- name: add acl default:other::r-x to /srv/repos/svn-packages/package-cleanup +- name: Add acl default:other::r-x to /srv/repos/svn-packages/package-cleanup acl: name=/srv/repos/svn-packages/package-cleanup entry="default:other::r-x" state=present -- name: create svn-community/source-cleanup directory +- name: Create svn-community/source-cleanup directory file: path="/srv/repos/svn-community/source-cleanup" state=directory owner=sourceballs group=svn-community mode=0755 -- name: create svn-packages/source-cleanup directory +- name: Create svn-packages/source-cleanup directory file: path="/srv/repos/svn-packages/source-cleanup" state=directory owner=sourceballs group=svn-packages mode=0755 -- name: create svn-community/svn directory +- name: Create svn-community/svn directory file: path="/srv/repos/svn-community/svn" state=directory owner=svn-community group=svn-community mode=0755 -- name: add acl default:user::rwx to /srv/repos/svn-community/svn +- name: Add acl default:user::rwx to /srv/repos/svn-community/svn 
acl: name=/srv/repos/svn-community/svn entry="default:user::rwx" state=present -- name: add acl default:group::r-x to /srv/repos/svn-community/svn +- name: Add acl default:group::r-x to /srv/repos/svn-community/svn acl: name=/srv/repos/svn-community/svn entry="default:group::r-x" state=present -- name: add acl default:other::r-x to /srv/repos/svn-community/svn +- name: Add acl default:other::r-x to /srv/repos/svn-community/svn acl: name=/srv/repos/svn-community/svn entry="default:other::r-x" state=present -- name: create svn-packages/svn directory +- name: Create svn-packages/svn directory file: path="/srv/repos/svn-packages/svn" state=directory owner=svn-packages group=svn-packages mode=0755 -- name: add acl default:user::rwx to /srv/repos/svn-packages/svn +- name: Add acl default:user::rwx to /srv/repos/svn-packages/svn acl: name=/srv/repos/svn-packages/svn entry="default:user::rwx" state=present -- name: add acl default:group::r-x to /srv/repos/svn-packages/svn +- name: Add acl default:group::r-x to /srv/repos/svn-packages/svn acl: name=/srv/repos/svn-packages/svn entry="default:group::r-x" state=present -- name: add acl default:other::r-x to /srv/repos/svn-packages/svn +- name: Add acl default:other::r-x to /srv/repos/svn-packages/svn acl: name=/srv/repos/svn-packages/svn entry="default:other::r-x" state=present -- name: create svn-community/tmp directory +- name: Create svn-community/tmp directory file: path="/srv/repos/svn-community/tmp" state=directory owner=svn-community group=tu mode=1775 -- name: add acl user:sourceballs:rwx to /srv/repos/svn-community/tmp +- name: Add acl user:sourceballs:rwx to /srv/repos/svn-community/tmp acl: name=/srv/repos/svn-community/tmp entry="user:sourceballs:rwx" state=present -- name: create svn-packages/tmp directory +- name: Create svn-packages/tmp directory file: path="/srv/repos/svn-packages/tmp" state=directory owner=svn-packages group=dev mode=1775 -- name: add acl user:sourceballs:rwx to /srv/repos/svn-packages/tmp +- 
name: Add acl user:sourceballs:rwx to /srv/repos/svn-packages/tmp acl: name=/srv/repos/svn-packages/tmp entry="user:sourceballs:rwx" state=present -- name: touch /srv/ftp/lastsync file +- name: Touch /srv/ftp/lastsync file file: path="/srv/ftp/lastsync" state=touch owner=ftp group=ftp mode=0644 -- name: touch /srv/ftp/lastupdate file +- name: Touch /srv/ftp/lastupdate file file: path="/srv/ftp/lastupdate" state=touch owner=ftp group=ftp mode=0644 -- name: add acl group:tu:rw- to /srv/ftp/lastupdate +- name: Add acl group:tu:rw- to /srv/ftp/lastupdate acl: name=/srv/ftp/lastupdate entry="group:tu:rw-" state=present -- name: add acl group:dev:rw- to /srv/ftp/lastupdate +- name: Add acl group:dev:rw- to /srv/ftp/lastupdate acl: name=/srv/ftp/lastupdate entry="group:dev:rw-" state=present -- name: fetch dbscripts PGP key +- name: Fetch dbscripts PGP key command: /usr/bin/gpg --keyserver keys.openpgp.org --auto-key-locate wkd,keyserver --locate-keys {{ item }} with_items: '{{ dbscripts_pgp_emails }}' register: gpg changed_when: "gpg.rc == 0" -- name: clone dbscripts git repo +- name: Clone dbscripts git repo git: > dest=/srv/repos/{{ item }}/dbscripts repo=https://gitlab.archlinux.org/archlinux/dbscripts.git 
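Review bot: The ten `Add acl ... to .../package-cleanup` tasks across this hunk differ only in the path and the ACL entry, and the same holds for the six `Add acl ... to .../svn` tasks and the two `tmp` ones; that is a lot of near-identical lines to keep in sync, and the capitalisation pass touched each of them separately. A single `acl` task looping over path/entry pairs expresses the same policy once and keeps `state=present` idempotency per entry. The hunk continues into the `Clone dbscripts git repo` task, whose folded `git:` arguments run past its end.
```yaml
- name: Add cleanup ACLs to the package-cleanup directories
  acl:
    name: "{{ item.path }}"
    entry: "{{ item.entry }}"
    state: present
  loop:
    - { path: /srv/repos/svn-community/package-cleanup, entry: "user:cleanup:rwx" }
    - { path: /srv/repos/svn-community/package-cleanup, entry: "default:user::rwx" }
    # … the remaining (path, entry) pairs taken from the replaced acl tasks …
```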
@@ -165,73 +165,73 @@ - svn-community - svn-packages -- name: make /srv/svn +- name: Make /srv/svn file: path=/srv/svn state=directory owner=root group=root mode=0755 -- name: symlink /srv/svn/community to /srv/repos/svn-community/svn +- name: Symlink /srv/svn/community to /srv/repos/svn-community/svn file: path=/srv/svn/community src=/srv/repos/svn-community/svn state=link owner=root group=root mode=0755 -- name: symlink /srv/svn/packages to /srv/repos/svn-packages/svn +- name: Symlink /srv/svn/packages to /srv/repos/svn-packages/svn file: path=/srv/svn/packages src=/srv/repos/svn-packages/svn state=link owner=root group=root mode=0755 -- name: symlink /community to /srv/repos/svn-community/dbscripts +- name: Symlink /community to /srv/repos/svn-community/dbscripts file: path=/community src=/srv/repos/svn-community/dbscripts state=link owner=root group=root mode=0755 -- name: symlink /packages to /srv/repos/svn-packages/dbscripts +- name: Symlink /packages to /srv/repos/svn-packages/dbscripts file: path=/packages src=/srv/repos/svn-packages/dbscripts state=link owner=root group=root mode=0755 -- name: make debug packages-debug pool +- name: Make debug packages-debug pool file: path=/srv/ftp/pool/packages-debug state=directory owner=root group=dev mode=0775 -- name: make debug community-debug pool +- name: Make debug community-debug pool file: path=/srv/ftp/pool/community-debug state=directory owner=root group=tu mode=2775 -- name: make package root debug repos +- name: Make package root debug repos file: path=/srv/ftp/{{ item }}/os state=directory owner=root group=root mode=0755 with_items: '{{ package_repos }}' -- name: make community root debug repos +- name: Make community root debug repos file: path=/srv/ftp/{{ item }}/os state=directory owner=root group=root mode=00755 with_items: '{{ community_repos }}' -- name: make package debug repos +- name: Make package debug repos file: path=/srv/ftp/{{ item }}/os/x86_64 state=directory owner=root group=dev mode=0775 
with_items: '{{ package_repos }}' -- name: make community debug repos +- name: Make community debug repos file: path=/srv/ftp/{{ item }}/os/x86_64 state=directory owner=root group=tu mode=0775 with_items: '{{ community_repos }}' -- name: put rsyncd.conf into tmpfiles +- name: Put rsyncd.conf into tmpfiles copy: src=rsyncd-tmpfiles.d dest=/etc/tmpfiles.d/rsyncd.conf owner=root group=root mode=0644 register: rsyncdtmpfiles -- name: use tmpfiles.d/rsyncd.conf +- name: Use tmpfiles.d/rsyncd.conf command: systemd-tmpfiles --create when: rsyncdtmpfiles.changed -- name: create rsyncd-conf-genscripts +- name: Create rsyncd-conf-genscripts file: path=/etc/rsyncd-conf-genscripts state=directory owner=root group=root mode=0700 -- name: install rsync.conf.proto +- name: Install rsync.conf.proto template: src=rsyncd.conf.proto.j2 dest=/etc/rsyncd-conf-genscripts/rsyncd.conf.proto owner=root group=root mode=0644 -- name: configure gen_rsyncd.conf.pl +- name: Configure gen_rsyncd.conf.pl template: src=gen_rsyncd.conf.pl dest=/etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl owner=root group=root mode=0700 no_log: true -- name: generate mirror config +- name: Generate mirror config command: /etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl register: gen_rsyncd changed_when: "gen_rsyncd.rc == 0" -- name: install svnlog +- name: Install svnlog copy: src=svnlog dest=/usr/local/bin/svnlog owner=root group=root mode=0755 -- name: add arch-svntogit user +- name: Add arch-svntogit user user: name=svntogit shell=/sbin/nologin home=/srv/svntogit generate_ssh_key=yes ssh_key_bits=4096 -- name: configure svntogit git user name +- name: Configure svntogit git user name command: git config --global user.name svntogit become: true become_user: svntogit @@ -240,7 +240,7 @@ tags: - skip_ansible_lint -- name: configure svntogit git user email +- name: Configure svntogit git user email command: git config --global user.email svntogit@repos.archlinux.org become: true become_user: svntogit 
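Review bot: `Make community root debug repos` in the hunk starting at @@ -165 uses `mode=00755` while its twin `Make package root debug repos` directly above uses `mode=0755`; the double zero is harmless to the file module but reads like a typo and is out of step with the rest of the file, so `mode=0755` is the form to keep. The rest of the two hunks is a name-only change; the `Configure svntogit git user email` task continues past the end of the second hunk.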
@@ -249,13 +249,13 @@ tags: - skip_ansible_lint -- name: template arch-svntogit +- name: Template arch-svntogit copy: src=update-repos.sh dest=/srv/svntogit/update-repos.sh owner=root group=root mode=0755 -- name: create svntogit repos subdir +- name: Create svntogit repos subdir file: path="/srv/svntogit/repos" state=directory owner=svntogit group=svntogit mode=0775 -- name: clone git-svn repos +- name: Clone git-svn repos command: git svn clone file:///srv/repos/svn-{{ item }}/svn /srv/svntogit/repos/{{ item }} creates=/srv/svntogit/repos/{{ item }} with_items: - community @@ -265,7 +265,7 @@ tags: - skip_ansible_lint -- name: add svntogit public remotes +- name: Add svntogit public remotes command: git remote add public git@github.com:archlinux/svntogit-{{ item }}.git chdir=/srv/svntogit/repos/{{ item }} with_items: - community @@ -279,7 +279,7 @@ - skip_ansible_lint # The following command also serves as a way to get the data the first time the repo is set up -- name: configure svntogit pull upstream branch +- name: Configure svntogit pull upstream branch command: git pull --set-upstream public master chdir=/srv/svntogit/repos/{{ item }} environment: SHELL: /bin/bash 
@@ -293,40 +293,40 @@ tags: - skip_ansible_lint -- name: fix svntogit home permissions +- name: Fix svntogit home permissions file: path="/srv/svntogit" state=directory owner=svntogit group=svntogit mode=0775 -- name: install repo helpers +- name: Install repo helpers copy: src={{ item }} dest=/usr/local/bin/{{ item }} owner=root group=root mode=0755 with_items: - lsrepo - checklib32 -- name: install createlinks script +- name: Install createlinks script copy: src=createlinks dest=/usr/local/bin/createlinks owner=root group=root mode=0755 -- name: start and enable rsync +- name: Start and enable rsync service: name=rsyncd.socket enabled=yes state=started -- name: open firewall holes for rsync +- name: Open firewall holes for rsync ansible.posix.firewalld: service=rsyncd permanent=true state=enabled immediate=yes when: configure_firewall tags: - firewall -- name: configure svnserve +- name: Configure svnserve copy: dest=/etc/conf.d/svnserve owner=root group=root mode=0644 content="SVNSERVE_ARGS=-R -r /srv/svn\n" -- name: start and enable svnserve +- name: Start and enable svnserve service: name=svnserve enabled=yes state=started -- name: open firewall holes for svnserve +- name: Open firewall holes for svnserve ansible.posix.firewalld: port=3690/tcp permanent=true state=enabled immediate=yes when: configure_firewall tags: - firewall -- name: install systemd timers +- name: Install systemd timers copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 with_items: - cleanup.timer @@ -344,7 +344,7 @@ notify: - daemon reload -- name: activate systemd timers +- name: Activate systemd timers service: name={{ item }} enabled=yes state=started with_items: - cleanup.timer diff --git a/roles/debuginfod/handlers/main.yml b/roles/debuginfod/handlers/main.yml index 3e008c97..330f2425 100644 --- a/roles/debuginfod/handlers/main.yml +++ b/roles/debuginfod/handlers/main.yml 
@@ -1,2 +1,2 @@
-- name: reload debuginfod
+- name: Reload debuginfod
   service: name=debuginfod state=reloaded
diff --git a/roles/debuginfod/tasks/main.yml b/roles/debuginfod/tasks/main.yml
index 71935652..ebdb00af 100644
--- a/roles/debuginfod/tasks/main.yml
+++ b/roles/debuginfod/tasks/main.yml
@@ -1,53 +1,53 @@
-- name: install debuginfod
+- name: Install debuginfod
   pacman: name=debuginfod state=present
 
-- name: create ssl cert
+- name: Create ssl cert
   include_role:
     name: certificate
   vars:
     domains: ["{{ debuginfod_domain }}"]
   when: debuginfod_domain
 
-- name: configure debuginfod systemd service
+- name: Configure debuginfod systemd service
   template: src=debuginfod.service.j2 dest=/etc/systemd/system/debuginfod.service owner=root group=root mode=0644
   vars:
     debuginfod_package_path: "{{ debuginfod_package_paths | join(' ') }}"
   notify:
     - reload debuginfod
 
-- name: create http directory for debuginfod website files
+- name: Create http directory for debuginfod website files
   file: path=/srv/http/debuginfod state=directory owner=root group=root mode=0755
 
-- name: install website files
+- name: Install website files
   copy: src={{ item }} dest=/srv/http/debuginfod/{{ item }} owner=root group=root mode=0644
   loop:
     - archlinux.png
     - index.html
 
-- name: install packagelist units
+- name: Install packagelist units
   copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
   loop:
     - packagelist.timer
     - packagelist.service
 
-- name: start and enable packagelist.timer
+- name: Start and enable packagelist.timer
   service: name=packagelist.timer enabled=yes state=started
 
-- name: make nginx log dir
+- name: Make nginx log dir
   file: path=/var/log/nginx/{{ debuginfod_domain }} state=directory owner=root group=root mode=0755
 
-- name: set up nginx
+- name: Set up nginx
   template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/debuginfod.conf owner=root group=root mode=0644
   notify:
     - reload nginx
   when: debuginfod_domain
   tags: ['nginx']
 
-- name: open debuginfod ipv4 port for monitoring.archlinux.org
+- name: Open debuginfod ipv4 port for monitoring.archlinux.org
   ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port=8002 accept"
   tags:
     - firewall
 
-- name: start and enable debuginfod
+- name: Start and enable debuginfod
   service: name=debuginfod enabled=yes state=started
diff --git a/roles/dovecot/handlers/main.yml b/roles/dovecot/handlers/main.yml
index 3b278cb8..9315e085 100644
--- a/roles/dovecot/handlers/main.yml
+++ b/roles/dovecot/handlers/main.yml
@@ -1,7 +1,7 @@
-- name: reload dovecot
+- name: Reload dovecot
   service: name=dovecot state=restarted
 
-- name: run sievec
+- name: Run sievec
   command: /usr/bin/sievec /etc/dovecot/sieve/{{ item }}
   loop:
     - spam-to-folder.sieve
diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml
index a6ecefc7..b4eab78f 100644
--- a/roles/dovecot/tasks/main.yml
+++ b/roles/dovecot/tasks/main.yml
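Review bot: The handler this role notifies was renamed to `Reload debuginfod` in the same commit, but `Configure debuginfod systemd service` still carries `notify: - reload debuginfod`; Ansible matches notify strings to handler names (or `listen:` entries) by exact, case-sensitive comparison, so as committed the notification no longer resolves and the play fails by default (`error_on_missing_handler`) instead of reloading the service after the unit file changes. The same lowercase-notify / capitalized-handler mismatch is visible in every other role in this commit that notifies a renamed handler (dovecot, fail2ban, fetchmail, fluxbb, flyspray, geo_dns, gitlab_runner, gluebuddy, grafana, hardening); firewalld is the exception only because its handlers are reached through an unchanged `listen: restart firewalld`. Either update each task-side string, here `notify: - Reload debuginfod`, or give the handlers a lowercase `listen:` alias so cosmetic renames of handler names cannot break notification again. If the intent is to pass ansible-lint's name[casing] rule, the `listen:` approach is the one that keeps that lint and the notify strings independent.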
@@ -1,48 +1,48 @@
-- name: install dovecot
+- name: Install dovecot
   pacman: name=dovecot,pigeonhole state=present
 
 # FIXME: check directory permissions
-- name: create dovecot configuration directory
+- name: Create dovecot configuration directory
   file: path=/etc/dovecot state=directory owner=root group=root mode=0755
 
-- name: create dhparam
+- name: Create dhparam
   command: openssl dhparam -out /etc/dovecot/dh.pem 4096 creates=/etc/dovecot/dh.pem
 
-- name: install dovecot.conf
+- name: Install dovecot.conf
   template: src=dovecot.conf.j2 dest=/etc/dovecot/dovecot.conf owner=root group=root mode=0644
   notify:
     - reload dovecot
 
-- name: add vmail group
+- name: Add vmail group
   group: name=vmail gid=5000
 
-- name: add vmail user
+- name: Add vmail user
   user: name=vmail uid=5000 shell=/usr/bin/nologin group=vmail
 
-- name: install PAM config
+- name: Install PAM config
   copy: src=pam.d.dovecot dest=/etc/pam.d/dovecot mode=0644 owner=root group=root
 
-- name: create dovecot sieve dir
+- name: Create dovecot sieve dir
   file: path=/etc/dovecot/sieve state=directory owner=root group=root mode=0755
 
-- name: install spam-to-folder.sieve
+- name: Install spam-to-folder.sieve
   copy: src=spam-to-folder.sieve dest=/etc/dovecot/sieve/ mode=0644 owner=root group=root
   notify:
     - run sievec
 
-- name: create ssl cert
+- name: Create ssl cert
   include_role:
     name: certificate
   vars:
     domains: ["{{ mail_domain }}"]
 
-- name: install dovecot cert renewal hook
+- name: Install dovecot cert renewal hook
   template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/hook.d/dovecot owner=root group=root mode=0755
 
-- name: start and enable dovecot
+- name: Start and enable dovecot
   service: name=dovecot enabled=yes state=started
 
-- name: open firewall holes
+- name: Open firewall holes
   ansible.posix.firewalld: service={{ item }} permanent=true state=enabled immediate=yes
   with_items:
     - imaps
@@ -51,13 +51,13 @@
   tags:
     - firewall
 
-- name: install systemd timers
+- name: Install systemd timers
   copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
   with_items:
     - dovecot-cleanup.timer
     - dovecot-cleanup.service
 
-- name: activate systemd timers
+- name: Activate systemd timers
   systemd:
     name: "{{ item }}"
     state: started
diff --git a/roles/fail2ban/handlers/main.yml b/roles/fail2ban/handlers/main.yml
index 731c718a..15ca9394 100644
--- a/roles/fail2ban/handlers/main.yml
+++ b/roles/fail2ban/handlers/main.yml
@@ -1,7 +1,7 @@
-- name: restart fail2ban
+- name: Restart fail2ban
   systemd:
     name: fail2ban
     state: restarted
 
-- name: reload fail2ban jails
+- name: Reload fail2ban jails
   shell: type fail2ban-server > /dev/null && (fail2ban-client ping > /dev/null && fail2ban-client reload > /dev/null || true) || true
diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml
index fa8d7607..2e0fb243 100644
--- a/roles/fail2ban/tasks/main.yml
+++ b/roles/fail2ban/tasks/main.yml
@@ -1,11 +1,11 @@
-- name: install fail2ban
+- name: Install fail2ban
   package:
     name: "fail2ban"
     state: "present"
   notify:
     - restart fail2ban
 
-- name: create systemd unit override path
+- name: Create systemd unit override path
   file:
     path: "/etc/systemd/system/fail2ban.service.d"
     state: "directory"
@@ -13,7 +13,7 @@
     group: "root"
     mode: 0755
 
-- name: install systemd unit override file
+- name: Install systemd unit override file
   template:
     src: "fail2ban.service.j2"
     dest: "/etc/systemd/system/fail2ban.service.d/override.conf"
@@ -21,7 +21,7 @@
     group: "root"
     mode: 0644
 
-- name: install local config files
+- name: Install local config files
   template:
     src: "{{ item }}.j2"
     dest: "/etc/fail2ban/{{ item }}"
@@ -34,7 +34,7 @@
   notify:
     - restart fail2ban
 
-- name: install firewallcmd-allports.local
+- name: Install firewallcmd-allports.local
   template:
     src: "firewallcmd-allports.local.j2"
     dest: "/etc/fail2ban/action.d/firewallcmd-allports.local"
@@ -44,7 +44,7 @@
   notify:
     - restart fail2ban
 
-- name: install sshd jail
+- name: Install sshd jail
   when: fail2ban_jails.sshd
   template:
     src: "sshd.jail.j2"
@@ -55,7 +55,7 @@
   notify:
     - reload fail2ban jails
 
-- name: install postfix jail
+- name: Install postfix jail
   when: fail2ban_jails.postfix
   template:
     src: "postfix.jail.j2"
@@ -66,7 +66,7 @@
   notify:
     - reload fail2ban jails
 
-- name: install dovecot jail
+- name: Install dovecot jail
   when: fail2ban_jails.dovecot
   template:
     src: "dovecot.jail.j2"
@@ -77,7 +77,7 @@
   notify:
     - reload fail2ban jails
 
-- name: install nginx-limit-req jail
+- name: Install nginx-limit-req jail
   when: fail2ban_jails.nginx_limit_req
   template:
     src: "nginx-limit-req.jail.j2"
@@ -88,7 +88,7 @@
   notify:
     - reload fail2ban jails
 
-- name: start and enable service
+- name: Start and enable service
   systemd:
     name: "fail2ban.service"
     enabled: true
diff --git a/roles/fetchmail/handlers/main.yml b/roles/fetchmail/handlers/main.yml
index 7a8dce8e..49ee5c58 100644
--- a/roles/fetchmail/handlers/main.yml
+++ b/roles/fetchmail/handlers/main.yml
@@ -1,2 +1,2 @@
-- name: restart fetchmail
+- name: Restart fetchmail
   service: name=fetchmail state=restarted
diff --git a/roles/fetchmail/tasks/main.yml b/roles/fetchmail/tasks/main.yml
index d17ee5a8..32c0709c 100644
--- a/roles/fetchmail/tasks/main.yml
+++ b/roles/fetchmail/tasks/main.yml
@@ -1,10 +1,10 @@
-- name: install fetchmail
+- name: Install fetchmail
   pacman: name=fetchmail state=present
 
-- name: template fetchmail config
+- name: Template fetchmail config
   template: src=fetchmailrc.j2 dest=/etc/fetchmailrc owner=fetchmail group=nobody mode=600
   notify:
     - restart fetchmail
 
-- name: start and enable fetchmail
+- name: Start and enable fetchmail
   service: name=fetchmail enabled=yes state=started
diff --git a/roles/firewalld/handlers/main.yml b/roles/firewalld/handlers/main.yml
index 942cb99c..8ccb109c 100644
--- a/roles/firewalld/handlers/main.yml
+++ b/roles/firewalld/handlers/main.yml
@@ -1,11 +1,11 @@
 # NOTE: hack for a systemd bug (restarting firewalld.service fails due to fail2ban.service)
 # https://github.com/systemd/systemd/issues/2830
 # https://bugzilla.opensuse.org/show_bug.cgi?id=1146856
-# - name: restart firewalld
+# - name: Restart firewalld
 #   service: name=firewalld state=restarted
-- name: stop firewalld
+- name: Stop firewalld
   service: name=firewalld state=stopped
   listen: restart firewalld
-- name: start firewalld
+- name: Start firewalld
   service: name=firewalld state=started
   listen: restart firewalld
diff --git a/roles/firewalld/tasks/main.yml b/roles/firewalld/tasks/main.yml
index 13ed8f32..982d1012 100644
--- a/roles/firewalld/tasks/main.yml
+++ b/roles/firewalld/tasks/main.yml
@@ -1,20 +1,20 @@
-- name: install firewalld
+- name: Install firewalld
   pacman:
     name: firewalld
     state: present
 
-- name: install firewalld config
+- name: Install firewalld config
   template: src=firewalld.conf.j2 dest=/etc/firewalld/firewalld.conf owner=root group=root mode=0644
   notify:
     - restart firewalld
 
-- name: start and enable firewalld
+- name: Start and enable firewalld
   service:
     name: firewalld
     enabled: "{{ configure_firewall }}"
     state: "{{ configure_firewall | ternary('started', 'stopped') }}"
 
-- name: disable default dhcpv6-client rule
+- name: Disable default dhcpv6-client rule
   ansible.posix.firewalld:
     service: dhcpv6-client
     state: disabled
diff --git a/roles/fluxbb/handlers/main.yml b/roles/fluxbb/handlers/main.yml
index 5b6b366b..f26cb900 100644
--- a/roles/fluxbb/handlers/main.yml
+++ b/roles/fluxbb/handlers/main.yml
@@ -1,2 +1,2 @@
-- name: restart php-fpm@fluxbb
+- name: Restart php-fpm@fluxbb
   systemd: name=php-fpm@fluxbb.service state=restarted
diff --git a/roles/fluxbb/tasks/main.yml b/roles/fluxbb/tasks/main.yml
index 443e0b67..107d3db7 100644
--- a/roles/fluxbb/tasks/main.yml
+++ b/roles/fluxbb/tasks/main.yml
@@ -1,67 +1,67 @@
-- name: create user
+- name: Create user
   user: >
     name=fluxbb home="{{ fluxbb_dir }}" shell=/bin/false system=yes createhome=no
 
-- name: clone fluxbb
+- name: Clone fluxbb
   git:
     repo: https://gitlab.archlinux.org/archlinux/archbbs.git
     dest: "{{ fluxbb_dir }}"
     version: "{{ fluxbb_version }}"
 
-- name: fix home permissions
+- name: Fix home permissions
   file: state=directory owner=fluxbb group=fluxbb mode=0755 path="{{ fluxbb_dir }}"
   changed_when: false
 
-- name: create uploads directory
+- name: Create uploads directory
   file: state=directory owner=fluxbb group=fluxbb mode=0755 path="{{ fluxbb_dir }}/uploads"
 
-- name: create mariadb database
+- name: Create mariadb database
   mysql_db: name=fluxbb state=present
 
-- name: create mariadb user
+- name: Create mariadb user
   mysql_user: >
     user=fluxbb host=localhost password={{ fluxbb_db_password }} priv='fluxbb.*:ALL'
 
-- name: create ssl cert
+- name: Create ssl cert
   include_role:
     name: certificate
   vars:
     domains: ["{{ fluxbb_domain }}"]
 
-- name: create nginx log directory
+- name: Create nginx log directory
   file: path=/var/log/nginx/{{ fluxbb_domain }} state=directory owner=root group=root mode=0755
 
-- name: configure nginx
+- name: Configure nginx
   template: >
     src=nginx.conf.j2 dest=/etc/nginx/nginx.d/fluxbb.conf owner=root group=root mode=0644
   notify: reload nginx
 
-- name: install python-passlib
+- name: Install python-passlib
   pacman: name=python-passlib
 
-- name: create auth file
+- name: Create auth file
   htpasswd: >
     path=/etc/nginx/auth/fluxx name={{ fluxbb_htpasswd.username }} password={{ fluxbb_htpasswd.password }} owner=root group=http mode=0640
 
-- name: install forum config
+- name: Install forum config
   template: >
     src=config.php.j2 dest={{ fluxbb_dir }}/config.php owner=fluxbb group=fluxbb mode=400
 
-- name: install php-apcu
+- name: Install php-apcu
   pacman: name=php-apcu,php-intl
 
-- name: configure php-fpm
+- name: Configure php-fpm
   template: >
     src=php-fpm.conf.j2 dest=/etc/php/php-fpm.d/fluxbb.conf
     owner=root group=root mode=0644
   notify: restart php-fpm@fluxbb
 
-- name: start and enable systemd socket
+- name: Start and enable systemd socket
   service: name=php-fpm@fluxbb.socket state=started enabled=true
diff --git a/roles/flyspray/handlers/main.yml b/roles/flyspray/handlers/main.yml
index f9b2114d..e0984639 100644
--- a/roles/flyspray/handlers/main.yml
+++ b/roles/flyspray/handlers/main.yml
@@ -1,2 +1,2 @@
-- name: restart php-fpm7@flyspray
+- name: Restart php-fpm7@flyspray
   service: name=php-fpm7@flyspray state=restarted
diff --git a/roles/flyspray/tasks/main.yml b/roles/flyspray/tasks/main.yml
index c61c81c3..25de86c5 100644
--- a/roles/flyspray/tasks/main.yml
+++ b/roles/flyspray/tasks/main.yml
@@ -1,4 +1,4 @@
-- name: run maintenance mode
+- name: Run maintenance mode
   include_role:
     name: maintenance
   vars:
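Review bot: `Create mariadb user` and `Create auth file` pass `{{ fluxbb_db_password }}` and `{{ fluxbb_htpasswd.password }}` as module arguments without `no_log: true`, whereas the equivalent `Create flyspray db user` task in this same commit does set `no_log: true`. The modules' argument specs should mark those parameters as sensitive, but a task-level `no_log: true` is what guarantees the values never reach verbose output, callback plugins or registered results regardless of module version; add `no_log: true` under both tasks. `Install forum config` deserves the same treatment: a `template` task run with `--diff` prints the rendered file, and config.php.j2 presumably embeds the DB password (template not visible here, please confirm). The task list continues past this hunk, so other secret-bearing tasks may be affected too.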
@@ -8,40 +8,40 @@
     service_nginx_conf: "{{ flyspray_nginx_conf }}"
   when: maintenance is defined
 
-- name: install git
+- name: Install git
   pacman: name=git state=present
 
-- name: make flyspray user
+- name: Make flyspray user
   user: name="{{ flyspray_user }}" shell=/bin/false home="{{ flyspray_dir }}" createhome=no
   register: user_created
 
-- name: fix home permissions
+- name: Fix home permissions
   file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}" mode=0755
 
-- name: create ssl cert
+- name: Create ssl cert
   include_role:
     name: certificate
   vars:
     domains: ["{{ flyspray_domain }}"]
 
-- name: set up nginx
+- name: Set up nginx
   template: src=nginx.d.conf.j2 dest="{{ flyspray_nginx_conf }}" owner=root group=root mode=644
   notify:
     - reload nginx
   when: maintenance is not defined
   tags: ['nginx']
 
-- name: install nginx migrated-tasks.map
+- name: Install nginx migrated-tasks.map
   copy: src=migrated-tasks.map dest=/etc/nginx/maps/ owner=root group=root mode=0644
 
-- name: make nginx log dir
+- name: Make nginx log dir
   file: path=/var/log/nginx/{{ flyspray_domain }} state=directory owner=root group=root mode=0755
 
-- name: create setup dir with write permissions
+- name: Create setup dir with write permissions
   file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}/setup" mode=755
   when: not user_created.changed
 
-- name: clone flyspray repo
+- name: Clone flyspray repo
   git:
     repo: https://gitlab.archlinux.org/archlinux/flyspray.git
     version: "{{ flyspray_commit }}"
@@ -50,44 +50,44 @@
   become_user: "{{ flyspray_user }}"
   register: release
 
-- name: take away setup dir write permissions
+- name: Take away setup dir write permissions
   file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}/setup" mode=000
 
-- name: configure flyspray
+- name: Configure flyspray
   template: src=flyspray.conf.php.j2 dest=/srv/http/flyspray/flyspray.conf.php owner="{{ flyspray_user }}" group="{{ flyspray_user }}" mode=0660
   register: config
   no_log: true
 
-- name: create flyspray db
+- name: Create flyspray db
   mysql_db: name="{{ flyspray_db }}" login_host="{{ flyspray_db_host }}" login_password="{{ vault_mariadb_users.root }}"
   register: db_created
 
-- name: create flyspray db user
+- name: Create flyspray db user
   mysql_user: name={{ flyspray_db_user }} password={{ vault_flyspray_db_password }} login_host="{{ flyspray_db_host }}" login_password="{{ vault_mariadb_users.root }}" priv="{{ flyspray_db }}.*:ALL"
   no_log: true
 
-- name: configure php-fpm
+- name: Configure php-fpm
   template: src=php-fpm.conf.j2 dest="/etc/php7/php-fpm.d/{{ flyspray_user }}.conf" owner=root group=root mode=0644
   notify:
     - restart php-fpm7@flyspray
 
-- name: install fail2ban register ban filter
+- name: Install fail2ban register ban filter
   template: src=fail2ban.filter.j2 dest=/etc/fail2ban/filter.d/nginx-flyspray-register.local owner=root group=root mode=0644
   notify:
     - restart fail2ban
   tags:
     - fail2ban
 
-- name: install fail2ban register ban jail
+- name: Install fail2ban register ban jail
   template: src=fail2ban.jail.j2 dest=/etc/fail2ban/jail.d/nginx-flyspray-register.local owner=root group=root mode=0644
   notify:
     - restart fail2ban
   tags:
     - fail2ban
 
-- name: start and enable systemd socket
+- name: Start and enable systemd socket
   service: name=php-fpm7@flyspray.socket state=started enabled=true
diff --git a/roles/geo_dns/handlers/main.yml b/roles/geo_dns/handlers/main.yml
index d889effb..fba3a6d1 100644
--- a/roles/geo_dns/handlers/main.yml
+++ b/roles/geo_dns/handlers/main.yml
@@ -1,2 +1,2 @@
-- name: restart powerdns
+- name: Restart powerdns
   service: name=pdns state=restarted
diff --git a/roles/geo_dns/tasks/main.yml b/roles/geo_dns/tasks/main.yml
index 682c997f..d0d0b42b 100644
--- a/roles/geo_dns/tasks/main.yml
+++ b/roles/geo_dns/tasks/main.yml
@@ -1,27 +1,27 @@
-- name: install powerdns and geoip
+- name: Install powerdns and geoip
   pacman: name=powerdns,libmaxminddb,geoip,yaml-cpp state=present
 
-- name: install PowerDNS configuration
+- name: Install PowerDNS configuration
   template: src={{ item.src }} dest=/etc/powerdns/{{ item.dest }} owner=root group=root mode=0644
   loop:
     - {src: pdns.conf.j2, dest: pdns.conf}
     - {src: geo.yml.j2, dest: geo.yml}
   notify: restart powerdns
 
-- name: create drop-in directory for geoipupdate
+- name: Create drop-in directory for geoipupdate
   file: path=/etc/systemd/system/geoipupdate.service.d state=directory owner=root group=root mode=0755
 
-- name: install drop-in snippet for geoipupdate
+- name: Install drop-in snippet for geoipupdate
   copy: src=geoipupdate-pdns-reload.conf dest=/etc/systemd/system/geoipupdate.service.d/pdns-reload.conf owner=root group=root mode=0644
 
-- name: open powerdns ipv4 port for monitoring.archlinux.org
+- name: Open powerdns ipv4 port for monitoring.archlinux.org
   ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port=8081 accept"
   tags:
     - firewall
 
-- name: open firewall hole
+- name: Open firewall hole
   ansible.posix.firewalld: service=dns permanent=true state=enabled immediate=yes
 
-- name: start and enable powerdns
+- name: Start and enable powerdns
   systemd: name=pdns.service enabled=yes daemon_reload=yes state=started
diff --git a/roles/geoipupdate/tasks/main.yml b/roles/geoipupdate/tasks/main.yml
index 5b277dae..597d1f78 100644
--- a/roles/geoipupdate/tasks/main.yml
+++ b/roles/geoipupdate/tasks/main.yml
@@ -1,14 +1,14 @@
-- name: install geoipupdate
+- name: Install geoipupdate
   pacman: name=geoipupdate state=present
   register: installation
 
-- name: configure geoipupdate
+- name: Configure geoipupdate
   template: src=GeoIP.conf.j2 dest=/etc/GeoIP.conf owner=root group=root mode=0600
   register: configuration
 
-- name: run geoipupdate after installation or configuration change
+- name: Run geoipupdate after installation or configuration change
   systemd: name=geoipupdate state=restarted
   when: installation is changed or configuration is changed
 
-- name: start and enable geoipupdate.timer
+- name: Start and enable geoipupdate.timer
   systemd: name=geoipupdate.timer enabled=yes state=started
diff --git a/roles/gitlab/tasks/main.yml b/roles/gitlab/tasks/main.yml
index 378c85d3..7e9d721f 100644
--- a/roles/gitlab/tasks/main.yml
+++ b/roles/gitlab/tasks/main.yml
@@ -1,13 +1,13 @@
-- name: install docker dependencies
+- name: Install docker dependencies
   pacman: name=docker,python-docker state=present
 
-- name: start docker
+- name: Start docker
   service: name=docker enabled=yes state=started
 
-- name: copy sshd_config into place to change the port to 222
+- name: Copy sshd_config into place to change the port to 222
   copy: src=sshd_config dest=/srv/gitlab/sshd_config owner=root group=root mode=640
 
-- name: start docker gitlab image
+- name: Start docker gitlab image
   docker_container:
     name: gitlab
     image: gitlab/gitlab-ee:latest
@@ -99,11 +99,11 @@
     - "/srv/gitlab/data:/var/opt/gitlab"
     - "/srv/gitlab/sshd_config:/assets/sshd_config"
 
-- name: prune unused docker images
+- name: Prune unused docker images
   docker_prune:
     images: true
 
-- name: open firewall holes
+- name: Open firewall holes
   ansible.posix.firewalld: port={{ item }} permanent=true state=enabled immediate=yes
   when: configure_firewall
   with_items:
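Review bot: `Start docker gitlab image` runs `gitlab/gitlab-ee:latest`, a mutable tag, so whenever this container is (re)created or pulled the production GitLab silently moves to whatever the registry serves at that moment: no reviewed upgrade, no pinned version to roll back to, and nothing to catch a mistagged or tampered image. Pin to an explicit release and preferably its digest, e.g. `image: "gitlab/gitlab-ee:{{ gitlab_version }}"` with the version held in the role's defaults, so each upgrade is a diff someone reviews. The `docker_container` task continues past this hunk, so I cannot see whether `pull:` is enabled; if it is, the exposure is on every run rather than only on first creation.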
@@ -114,11 +114,11 @@
   tags:
     - firewall
 
-- name: copy gitlab-cleanup timer and service
+- name: Copy gitlab-cleanup timer and service
   copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
   with_items:
     - gitlab-cleanup.timer
     - gitlab-cleanup.service
 
-- name: activate systemd timers for gitlab-cleanup
+- name: Activate systemd timers for gitlab-cleanup
   systemd: name=gitlab-cleanup.timer enabled=yes state=started daemon-reload=yes
diff --git a/roles/gitlab_runner/handlers/main.yml b/roles/gitlab_runner/handlers/main.yml
index 40375983..94bed04c 100644
--- a/roles/gitlab_runner/handlers/main.yml
+++ b/roles/gitlab_runner/handlers/main.yml
@@ -1,11 +1,11 @@
-- name: systemd daemon-reload
+- name: Systemd daemon-reload
   systemd: daemon_reload=yes
 
-- name: restart gitlab-runner
+- name: Restart gitlab-runner
   service: name=gitlab-runner state=restarted
 
-- name: restart gitlab-runner-docker-cleanup.timer
+- name: Restart gitlab-runner-docker-cleanup.timer
   service: name=gitlab-runner-docker-cleanup.timer state=restarted daemon_reload=yes
 
-- name: restart docker
+- name: Restart docker
   service: name=docker state=restarted
diff --git a/roles/gitlab_runner/tasks/main.yml b/roles/gitlab_runner/tasks/main.yml
index 2bd92f56..edde2eaf 100644
--- a/roles/gitlab_runner/tasks/main.yml
+++ b/roles/gitlab_runner/tasks/main.yml
@@ -1,15 +1,15 @@
-- name: install dependencies
+- name: Install dependencies
   pacman: name=docker,python-docker,python-gitlab,gitlab-runner state=latest update_cache=yes
   notify: restart gitlab-runner
 
-- name: install docker.slice
+- name: Install docker.slice
   copy: src=docker.slice dest=/etc/systemd/system/ owner=root group=root mode=0644
   notify: systemd daemon-reload
 
-- name: start docker
+- name: Start docker
   systemd: name=docker enabled=yes state=started daemon_reload=yes
 
-- name: configure Docker daemon for IPv6
+- name: Configure Docker daemon for IPv6
   copy: src=daemon.json dest=/etc/docker/daemon.json owner=root group=root mode=0644
   notify: restart docker
@@ -17,7 +17,7 @@
 # https://medium.com/@skleeschulte/how-to-enable-ipv6-for-docker-containers-on-ubuntu-18-04-c68394a219a2
 # https://github.com/docker/docker.github.io/blob/c0eb65aabe4de94d56bbc20249179f626df5e8c3/engine/userguide/networking/default_network/ipv6.md
 # https://github.com/moby/moby/issues/36954
-- name: add IPv6 NAT for docker
+- name: Add IPv6 NAT for docker
   ansible.posix.firewalld:
     zone: public
     permanent: true
@@ -42,11 +42,11 @@
 # --locked=false \ # Use true for secure runners
 # --access-level=not_protected # Use ref_protected for secure runners
 # Note: Secure runners must be added manually to the relevant projects
-- name: install runner configuration
+- name: Install runner configuration
   template: src=config.toml.j2 dest=/etc/gitlab-runner/config.toml owner=root group=root mode=0600
   notify: restart gitlab-runner
 
-- name: install gitlab-runner-docker-cleanup.{service,timer}
+- name: Install gitlab-runner-docker-cleanup.{service,timer}
   copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
   loop:
     - gitlab-runner-docker-cleanup.service
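Review bot: `Install dependencies` is the one package task in this commit that uses `state=latest update_cache=yes`, so every run of the role upgrades docker, python-gitlab and gitlab-runner to whatever the mirror serves and, via `notify: restart gitlab-runner`, restarts the runner (and potentially interrupts in-flight jobs) whenever an upgrade happened. On a host that executes pipeline code from untrusted merge requests, an unreviewed upgrade path for the runner and container engine is also a supply-chain surface worth making deliberate. If auto-upgrade on each run is not the intent, change the line to `pacman: name=docker,python-docker,python-gitlab,gitlab-runner state=present` and carry upgrades out as an explicit, reviewed change; if it is the intent, a comment saying so next to the task would save the next reader the question.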
@@ -54,24 +54,24 @@
   notify:
     - restart gitlab-runner-docker-cleanup.timer
 
-- name: enable and start gitlab-runner-docker-cleanup.timer
+- name: Enable and start gitlab-runner-docker-cleanup.timer
   systemd: name=gitlab-runner-docker-cleanup.timer state=started enabled=yes daemon_reload=yes
 
-- name: enable and start gitlab runner service
+- name: Enable and start gitlab runner service
   systemd: name=gitlab-runner state=started enabled=yes daemon_reload=yes
 
-- name: setup libvirt-executor
+- name: Setup libvirt-executor
   block:
-    - name: install libvirt-executor-update-base-image dependencies
+    - name: Install libvirt-executor-update-base-image dependencies
       pacman: name=arch-install-scripts,sequoia-sq state=present
 
-    - name: create libvirt-executor configuration and data directories
+    - name: Create libvirt-executor configuration and data directories
       file: path={{ item }} state=directory owner=root group=root mode=0755
       loop:
         - /etc/libvirt-executor
         - /usr/local/lib/libvirt-executor
 
-    - name: install libvirt-executor
+    - name: Install libvirt-executor
       copy: src={{ item.src }} dest={{ item.dest }} owner=root group=root mode={{ item.mode }}
       loop:
         - {src: arch-boxes.asc, dest: /usr/local/lib/libvirt-executor/, mode: 644}
@@ -79,17 +79,17 @@
         - {src: libvirt-executor, dest: /usr/local/bin/, mode: 755}
         - {src: libvirt-executor-update-base-image, dest: /usr/local/bin/, mode: 755}
 
-    - name: create SSH keys for libvirt-executor
+    - name: Create SSH keys for libvirt-executor
       command: ssh-keygen -N "" -f /etc/libvirt-executor/id_ed25519 -t ed25519
       args:
         creates: /etc/libvirt-executor/id_ed25519
 
-    - name: install libvirt-executor-update-base-image.{service,timer}
+    - name: Install libvirt-executor-update-base-image.{service,timer}
       copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
       loop:
         - libvirt-executor-update-base-image.service
         - libvirt-executor-update-base-image.timer
 
-    - name: enable and start libvirt-executor-update-base-image.timer
+    - name: Enable and start libvirt-executor-update-base-image.timer
       systemd: name=libvirt-executor-update-base-image.timer state=started enabled=yes daemon_reload=yes
   when: "'gitlab_vm_runners' in group_names"
diff --git a/roles/gluebuddy/handlers/main.yml b/roles/gluebuddy/handlers/main.yml
index b7dd1329..53c25acb 100644
--- a/roles/gluebuddy/handlers/main.yml
+++ b/roles/gluebuddy/handlers/main.yml
@@ -1,3 +1,3 @@
-- name: daemon reload
+- name: Daemon reload
   systemd:
     daemon-reload: true
diff --git a/roles/gluebuddy/tasks/main.yml b/roles/gluebuddy/tasks/main.yml
index 8b7bcd0d..7eb06de7 100644
--- a/roles/gluebuddy/tasks/main.yml
+++ b/roles/gluebuddy/tasks/main.yml
@@ -1,7 +1,7 @@
-- name: install sequoia
+- name: Install sequoia
   pacman: name=sequoia-sq state=present
 
-- name: install systemd service/timer
+- name: Install systemd service/timer
   copy: src={{ item }} dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
   with_items:
     - gluebuddy.service
@@ -9,16 +9,16 @@
   notify:
     - daemon reload
 
-- name: enable timer
+- name: Enable timer
   systemd: name=gluebuddy.timer enabled=yes state=started
 
-- name: install conf file
+- name: Install conf file
   template: src=gluebuddy.conf.j2 dest=/etc/conf.d/gluebuddy owner=root group=root mode=0600
 
-- name: install download script
+- name: Install download script
   copy: src=gluebuddy_download.sh dest=/usr/local/bin/gluebuddy_download.sh owner=root group=root mode=0755
 
-- name: download latest gluebuddy
+- name: Download latest gluebuddy
   command: /usr/local/bin/gluebuddy_download.sh
   tags:
     - skip_ansible_lint
diff --git a/roles/grafana/handlers/main.yml b/roles/grafana/handlers/main.yml
index a0184c55..0b4f2eec 100644
--- a/roles/grafana/handlers/main.yml
+++ b/roles/grafana/handlers/main.yml
@@ -1,2 +1,2 @@
-- name: restart grafana
+- name: Restart grafana
   service: name=grafana state=restarted
diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml
index e71a914f..610d9680 100644
--- a/roles/grafana/tasks/main.yml
+++ b/roles/grafana/tasks/main.yml
@@ -1,25 +1,25 @@
-- name: install grafana
+- name: Install grafana
   pacman: name=grafana state=present
 
-- name: create ssl cert
+- name: Create ssl cert
   include_role:
     name: certificate
   vars:
     domains: ["{{ grafana_domain }}"]
 
-- name: set up nginx
+- name: Set up nginx
   template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/grafana.conf owner=root group=http mode=640
   notify:
     - reload nginx
   tags: ['nginx']
 
-- name: make nginx log dir
+- name: Make nginx log dir
   file: path=/var/log/nginx/{{ grafana_domain }} state=directory owner=root group=root mode=0755
 
-- name: create grafana config directory
+- name: Create grafana config directory
   file: path=/etc/grafana mode=0700 owner=grafana group=grafana state=directory
 
-- name: create grafana provisioning directory
+- name: Create grafana provisioning directory
   file: path={{ item }} mode=0700 owner=grafana group=grafana state=directory
   with_items:
     - /etc/grafana/provisioning
@@ -29,27 +29,27 @@
     - /etc/grafana/provisioning/notifiers
     - /var/lib/grafana/dashboards
 
-- name: install grafana datasources provisioning
+- name: Install grafana datasources provisioning
   template: src=datasources.yaml.j2 dest=/etc/grafana/provisioning/datasources/prometheus.yml owner=grafana group=root mode=0600
   notify: restart grafana
 
-- name: install grafana dashboard provisioning
+- name: Install grafana dashboard provisioning
   template: src=dashboard.yaml.j2 dest=/etc/grafana/provisioning/dashboards/dasbhoard.yml owner=grafana group=root mode=0600
   notify: restart grafana
 
-- name: copy grafana dashboards
+- name: Copy grafana dashboards
   copy: src=dashboards dest=/var/lib/grafana/dashboards owner=grafana group=grafana mode=0600
 
-- name: copy (public) grafana dashboards
+- name: Copy (public) grafana dashboards
   copy: src=public-dashboards dest=/var/lib/grafana/ owner=root group=grafana mode=0640
   when: grafana_anonymous_access
 
-- name: install grafana config
+- name: Install grafana config
   template: src=grafana.ini.j2 dest=/etc/grafana.ini owner=grafana group=root mode=0600
   notify: restart grafana
 
-- name: fix /var/lib/grafana permissions
+- name: Fix /var/lib/grafana permissions
   file: path=/var/lib/grafana mode=0700 owner=grafana group=grafana
 
-- name: start and enable service
+- name: Start and enable service
   service: name=grafana state=started enabled=true
diff --git a/roles/hardening/handlers/main.yml b/roles/hardening/handlers/main.yml
index 4649ada5..f3a0d5fa 100644
--- a/roles/hardening/handlers/main.yml
+++ b/roles/hardening/handlers/main.yml
@@ -1,2 +1,2 @@
-- name: apply sysctl settings
+- name: Apply sysctl settings
   command: sysctl --system
diff --git a/roles/hardening/tasks/main.yml b/roles/hardening/tasks/main.yml
index cee35d76..235ad5c8 100644
--- a/roles/hardening/tasks/main.yml
+++ b/roles/hardening/tasks/main.yml
@@ -1,40 +1,40 @@ -- name: set restricted access to kernel logs +- name: Set restricted access to kernel logs copy: src=50-dmesg-restrict.conf dest=/etc/sysctl.d/50-dmesg-restrict.conf owner=root group=root mode=0644 notify: - apply sysctl settings -- name: set ptrace scope, restrict ptrace to CAP_SYS_PTRACE +- name: Set ptrace scope, restrict ptrace to CAP_SYS_PTRACE copy: src=50-ptrace-restrict.conf dest=/etc/sysctl.d/50-ptrace-restrict.conf owner=root group=root mode=0644 when: "'buildservers' not in group_names" notify: - apply sysctl settings -- name: set restricted access to kernel pointers in proc fs +- name: Set restricted access to kernel pointers in proc fs copy: src=50-kptr-restrict.conf dest=/etc/sysctl.d/50-kptr-restrict.conf owner=root group=root mode=0644 notify: - apply sysctl settings -- name: enable JIT hardening for all users +- name: Enable JIT hardening for all users copy: src=50-bpf_jit_harden.conf dest=/etc/sysctl.d/50-bpf_jit_harden.conf owner=root group=root mode=0644 notify: - apply sysctl settings -- name: disable unprivileged bpf +- name: Disable unprivileged bpf copy: src=50-unprivileged_bpf_disabled.conf dest=/etc/sysctl.d/50-unprivileged_bpf_disabled.conf owner=root group=root mode=0644 notify: - apply sysctl settings -- name: disable unprivileged userns +- name: Disable unprivileged userns copy: src=50-unprivileged_userns_clone.conf dest=/etc/sysctl.d/50-unprivileged_userns_clone.conf owner=root group=root mode=0644 notify: - apply sysctl settings -- name: disable kexec load +- name: Disable kexec load copy: src=50-kexec_load_disabled.conf dest=/etc/sysctl.d/50-kexec_load_disabled.conf owner=root group=root mode=0644 notify: - apply sysctl settings -- name: set kernel lockdown to restricted +- name: Set kernel lockdown to restricted copy: src=50-lockdown.conf dest=/etc/tmpfiles.d/50-kernel-lockdown.conf owner=root group=root mode=0644 when: "'hcloud' in group_names" notify: 
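Review bot: The kernel-lockdown task at the end of the hunk writes a tmpfiles.d entry (`dest=/etc/tmpfiles.d/50-kernel-lockdown.conf`) but ends in `notify:` just like the sysctl tasks above it; the handler name is on the line after the hunk, so if it is `apply sysctl settings` as for the other seven tasks, `sysctl --system` will not process a tmpfiles.d file and the lockdown value only takes effect after a reboot. A dedicated handler, e.g. `- name: Apply tmpfiles settings` running `command: systemd-tmpfiles --create`, notified from this task, would apply it on the same run. The `when: "'buildservers' not in group_names"` exemption on the ptrace task deserves a short comment stating why build servers are excluded, since it weakens the hardening baseline for that group.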
diff --git a/roles/hedgedoc/tasks/main.yml b/roles/hedgedoc/tasks/main.yml index 8d259ff6..6392959e 100644 --- a/roles/hedgedoc/tasks/main.yml +++ b/roles/hedgedoc/tasks/main.yml @@ -1,40 +1,40 @@ -- name: create ssl cert +- name: Create ssl cert include_role: name: certificate vars: domains: ["{{ hedgedoc_domain }}"] -- name: install hedgedoc +- name: Install hedgedoc pacman: name=hedgedoc state=present -- name: add hedgedoc postgres db +- name: Add hedgedoc postgres db postgresql_db: db=hedgedoc become: true become_user: postgres become_method: su -- name: add hedgedoc postgres user +- name: Add hedgedoc postgres user postgresql_user: db=hedgedoc name=hedgedoc password={{ vault_postgres_users.hedgedoc }} encrypted=true become: true become_user: postgres become_method: su -- name: make nginx log dir +- name: Make nginx log dir file: path=/var/log/nginx/{{ hedgedoc_domain }} state=directory owner=root group=root mode=0755 -- name: set up nginx +- name: Set up nginx template: src=nginx.d.conf.j2 dest={{ hedgedoc_nginx_conf }} owner=root group=http mode=640 notify: reload nginx tags: ['nginx'] -- name: add hedgedoc.service.d dir +- name: Add hedgedoc.service.d dir file: state=directory path=/etc/systemd/system/hedgedoc.service.d owner=root group=root mode=0755 -- name: install hedgedoc.service snippet for configuration +- name: Install hedgedoc.service snippet for configuration template: src=hedgedoc.service.d.j2 dest=/etc/systemd/system/hedgedoc.service.d/local.conf owner=root group=root mode=0644 -- name: install hedgedoc config file +- name: Install hedgedoc config file template: src=config.json.j2 dest=/etc/webapps/hedgedoc/config.json owner=root group=root mode=0644 -- name: start and enable hedgedoc +- name: Start and enable hedgedoc service: name=hedgedoc.service enabled=yes state=started diff --git a/roles/hetzner_storagebox/tasks/main.yml b/roles/hetzner_storagebox/tasks/main.yml index 9594a763..b3531ded 100644 --- a/roles/hetzner_storagebox/tasks/main.yml 
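Review bot: `Add hedgedoc postgres user` passes `password={{ vault_postgres_users.hedgedoc }}` to `postgresql_user` without `no_log: true`, so the vault value is printed in verbose or failed-task output; the keycloak role touched by this same change sets `no_log: true` on its `postgresql_user` task, and this one should match. `Install hedgedoc config file` writes `/etc/webapps/hedgedoc/config.json` with `owner=root group=root mode=0644`; if `config.json.j2` carries the database credential (the template is not visible here), that makes the secret world-readable, and a group-readable mode for the service account, as done for `keycloak.conf` with `mode=640`, would be the safer default.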
+++ b/roles/hetzner_storagebox/tasks/main.yml 
@@ -1,12 +1,12 @@ # This role runs on localhost; use commands like sftp to upload configuration -- name: create the root backup directory at {{ backup_dir }} +- name: Create the root backup directory at {{ backup_dir }} expect: command: bash -c "echo 'mkdir {{ backup_dir }}' | sftp -P 23 {{ storagebox_username }}@{{ storagebox_hostname }}" responses: (?i)password: "{{ storagebox_password }}" -- name: create a home directory for each sub-account +- name: Create a home directory for each sub-account expect: command: | bash -c 'sftp -P 23 {{ storagebox_username }}@{{ storagebox_hostname }} < 0 -- name: check whether we're running in Hetzner or Equinix Metal rescue environment +- name: Check whether we're running in Hetzner or Equinix Metal rescue environment fail: msg="Not running in rescue system!" when: "'Hetzner Rescue' not in motd_contents.stdout and 'Rescue environment based on Alpine Linux' not in motd_contents.stdout" -- name: make sure all required packages are installed in the rescue system for installation +- name: Make sure all required packages are installed in the rescue system for installation apk: name=sgdisk,btrfs-progs,tar update_cache=yes when: ansible_facts['os_family'] == "Alpine" -- name: create GRUB embed partitions +- name: Create GRUB embed partitions command: sgdisk -g --clear -n 1:0:+1M {{ item }} -c 1:boot -t 1:ef02 with_items: - "{{ system_disks }}" register: sgdisk changed_when: "sgdisk.rc == 0" -- name: create root partitions +- name: Create root partitions command: sgdisk -n 2:0:0 {{ item }} -c 2:root with_items: - "{{ system_disks }}" register: sgdisk changed_when: "sgdisk.rc == 0" -- name: partition and format the disks (btrfs RAID) +- name: Partition and format the disks (btrfs RAID) command: mkfs.btrfs -f -L root -d {{ raid_level|default('raid1') }} -m {{ raid_level|default('raid1') }} -O no-holes {{ system_disks | map('regex_replace', '^(.*)$', '\g<1>p2' if 'nvme' in system_disks[0] else '\g<1>2') | join(' ') }} when: filesystem == 
"btrfs" and system_disks|length >= 2 -- name: partition and format the disks (btrfs single) +- name: Partition and format the disks (btrfs single) command: mkfs.btrfs -f -L root -d single -m single -O no-holes {{ system_disks[0] }}{{ 'p2' if 'nvme' in system_disks[0] else '2' }} when: filesystem == "btrfs" and system_disks|length == 1 -- name: mount the filesystem (btrfs) +- name: Mount the filesystem (btrfs) mount: src="{{ system_disks[0] }}{{ 'p2' if 'nvme' in system_disks[0] else '2' }}" path=/mnt state=mounted fstype=btrfs opts="compress-force=zstd,space_cache=v2" when: filesystem == "btrfs" -- name: touch LOCK file on mountpoint +- name: Touch LOCK file on mountpoint file: path=/mnt/LOCK state=touch owner=root group=root mode=0644 -- name: download bootstrap image +- name: Download bootstrap image get_url: url: https://geo.mirror.pkgbuild.com/iso/{{ bootstrap_version }}/archlinux-bootstrap-x86_64.tar.gz dest: /tmp/ mode: 0644 -- name: extract boostrap image # noqa 208 +- name: Extract boostrap image # noqa 208 unarchive: src: /tmp/archlinux-bootstrap-x86_64.tar.gz dest: /tmp remote_src: true creates: /tmp/root.x86_64 -- name: copy resolv.conf to bootstrap chroot +- name: Copy resolv.conf to bootstrap chroot copy: remote_src=true src=/etc/resolv.conf dest=/tmp/root.x86_64/etc/resolv.conf owner=root group=root mode=0644 -- name: mount /proc to bootstrap chroot +- name: Mount /proc to bootstrap chroot command: mount --rbind /proc /tmp/root.x86_64/proc creates=/tmp/root.x86_64/proc/uptime # noqa 303 -- name: mount /sys to bootstrap chroot +- name: Mount /sys to bootstrap chroot command: mount --rbind /sys /tmp/root.x86_64/sys creates=/tmp/root.x86_64/sys/dev # noqa 303 -- name: mount /dev to bootstrap chroot +- name: Mount /dev to bootstrap chroot command: mount --rbind /dev /tmp/root.x86_64/dev creates=/tmp/root.x86_64/dev/zero # noqa 303 -- name: mount /mnt to bootstrap chroot +- name: Mount /mnt to bootstrap chroot command: mount --rbind /mnt 
/tmp/root.x86_64/mnt creates=/tmp/root.x86_64/mnt/LOCK # noqa 303 -- name: configure pacman mirror +- name: Configure pacman mirror template: src=mirrorlist.j2 dest=/tmp/root.x86_64/etc/pacman.d/mirrorlist owner=root group=root mode=0644 -- name: initialize pacman keyring inside bootstrap chroot +- name: Initialize pacman keyring inside bootstrap chroot command: chroot /tmp/root.x86_64 pacman-key --init register: chroot_pacman_key_init changed_when: "chroot_pacman_key_init.rc == 0" -- name: populate pacman keyring inside bootstrap chroot +- name: Populate pacman keyring inside bootstrap chroot command: chroot /tmp/root.x86_64 pacman-key --populate archlinux register: chroot_pacman_key_populate changed_when: "chroot_pacman_key_populate.rc == 0" -- name: install ucode update +- name: Install ucode update block: - - name: install ucode update for Intel + - name: Install ucode update for Intel set_fact: ucode="intel-ucode" when: "'GenuineIntel' in ansible_facts['processor']" - - name: install ucode update for AMD + - name: Install ucode update for AMD set_fact: ucode="amd-ucode" when: "'AuthenticAMD' in ansible_facts['processor']" when: - "'hcloud' not in group_names" - inventory_hostname != 'packer-base-image' -- name: install arch base from bootstrap chroot +- name: Install arch base from bootstrap chroot command: chroot /tmp/root.x86_64 pacstrap /mnt base linux btrfs-progs grub openssh python-requests python-yaml inetutils {{ ucode | default('') }} args: creates: /tmp/root.x86_64/mnt/bin -- name: mount /proc to new chroot +- name: Mount /proc to new chroot command: mount --rbind /proc /mnt/proc creates=/mnt/proc/uptime # noqa 303 -- name: mount /sys to new chroot +- name: Mount /sys to new chroot command: mount --rbind /sys /mnt/sys creates=/mnt/sys/dev # noqa 303 -- name: mount /dev to new chroot +- name: Mount /dev to new chroot command: mount --rbind /dev /mnt/dev creates=/mnt/dev/zero # noqa 303 -- name: configure locale.gen +- name: Configure locale.gen 
lineinfile: dest=/mnt/etc/locale.gen line="en_US.UTF-8 UTF-8" owner=root group=root mode=0644 -- name: run locale-gen inside chroot +- name: Run locale-gen inside chroot command: chroot /mnt locale-gen register: chroot_locale_gen changed_when: "chroot_locale_gen.rc == 0" -- name: run systemd-firstboot +- name: Run systemd-firstboot command: chroot /mnt systemd-firstboot --locale=C.UTF-8 --timezone=UTC --hostname={{ hostname }} register: chroot_systemd_firstboot changed_when: "chroot_systemd_firstboot.rc == 0" -- name: run mkinitcpio +- name: Run mkinitcpio command: chroot /mnt mkinitcpio -p linux register: chroot_mkinitcpio changed_when: "chroot_mkinitcpio.rc == 0" -- name: configure networking +- name: Configure networking include_role: name: networking vars: chroot_path: "/mnt" -- name: provide default mount options (btrfs) +- name: Provide default mount options (btrfs) lineinfile: path: /mnt/etc/default/grub owner: root 
@@ -142,45 +142,45 @@ line: "GRUB_CMDLINE_LINUX_DEFAULT=\"rootflags=compress-force=zstd\"" when: filesystem == "btrfs" -- name: install grub +- name: Install grub command: chroot /mnt grub-install --recheck {{ item }} with_items: - "{{ system_disks }}" register: chroot_grub_install changed_when: "chroot_grub_install.rc == 0" -- name: configure grub +- name: Configure grub command: chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg register: chroot_grub_mkconfig changed_when: "chroot_grub_mkconfig.rc == 0" -- name: setup pacman-init.service on first boot +- name: Setup pacman-init.service on first boot copy: src=pacman-init.service dest=/mnt/etc/systemd/system/ owner=root group=root mode=0644 -- name: remove generated keyring in the installation process +- name: Remove generated keyring in the installation process file: path=/mnt/etc/pacman.d/gnupg state=absent -- name: make sure /etc/machine-id is absent +- name: Make sure /etc/machine-id is absent file: path=/mnt/etc/machine-id state=absent -- name: enable services inside chroot +- name: Enable services inside chroot command: chroot /mnt systemctl enable sshd systemd-networkd systemd-resolved fstrim.timer pacman-init register: chroot_systemd_services changed_when: "chroot_systemd_services.rc == 0" -- name: add authorized key for root +- name: Add authorized key for root include_role: name: root_ssh vars: root_ssh_directory: /tmp/root.x86_64/mnt/root/.ssh -- name: configure sshd +- name: Configure sshd template: src=sshd_config.j2 dest=/mnt/etc/ssh/sshd_config owner=root group=root mode=0644 -- name: clean pacman cache +- name: Clean pacman cache shell: yes | chroot /mnt pacman -Scc # noqa risky-shell-pipe ("Illegal option -o pipefail" in Hetzner's recovery environment (dash?)) register: chroot_pacman_clean_cache changed_when: "chroot_pacman_clean_cache.rc == 0" -- name: remove LOCK file on mountpoint +- name: Remove LOCK file on mountpoint file: path=/mnt/LOCK state=absent 
diff --git a/roles/keycloak/handlers/main.yml b/roles/keycloak/handlers/main.yml index bdfa2b24..b3e6fcce 100644 --- a/roles/keycloak/handlers/main.yml +++ b/roles/keycloak/handlers/main.yml @@ -1,6 +1,6 @@ -- name: restart keycloak +- name: Restart keycloak service: name=keycloak state=restarted -- name: daemon reload +- name: Daemon reload systemd: daemon-reload: true diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml index f6dd059c..189a27cf 100644 --- a/roles/keycloak/tasks/main.yml +++ b/roles/keycloak/tasks/main.yml 
@@ -1,56 +1,56 @@ -- name: install keycloak +- name: Install keycloak pacman: name=jre11-openjdk,keycloak,keycloak-archlinux-theme,keycloak-metrics-spi,python-passlib state=present -- name: create postgres keycloak user +- name: Create postgres keycloak user postgresql_user: name="{{ vault_keycloak_db_user }}" password="{{ vault_keycloak_db_password }}" become: true become_user: postgres become_method: su no_log: true -- name: create keycloak db +- name: Create keycloak db postgresql_db: name="{{ keycloak_db_name }}" owner="{{ vault_keycloak_db_user }}" become: true become_user: postgres become_method: su -- name: template keycloak config +- name: Template keycloak config template: src=keycloak.conf.j2 dest=/etc/keycloak/keycloak.conf owner=root group=keycloak mode=640 no_log: true notify: - restart keycloak -- name: create drop-in directory for keycloak.service +- name: Create drop-in directory for keycloak.service file: path=/etc/systemd/system/keycloak.service.d state=directory owner=root group=root mode=0755 -- name: get service facts +- name: Get service facts service_facts: -- name: create an admin user when first starting keycloak +- name: Create an admin user when first starting keycloak block: - - name: install admin creation drop-in for keycloak.service + - name: Install admin creation drop-in for keycloak.service copy: src=create-keycloak-admin.conf dest=/etc/systemd/system/keycloak.service.d/ owner=root group=root mode=0644 - - name: install temporary environment file with admin credentials + - name: Install temporary environment file with admin credentials template: src=admin-user.conf.j2 dest=/etc/keycloak/admin-user.conf owner=root group=root mode=0600 no_log: true - - name: start and enable keycloak + - name: Start and enable keycloak service: name=keycloak enabled=yes daemon_reload=yes state=started - - name: wait for keycloak to initialize + - name: Wait for keycloak to initialize wait_for: port={{ keycloak_port }} always: - - name: remove admin 
credentials once keycloak is running + - name: Remove admin credentials once keycloak is running file: path=/etc/keycloak/admin-user.conf state=absent - - name: remove admin creation drop-in + - name: Remove admin creation drop-in file: path=/etc/systemd/system/keycloak.service.d/create-keycloak-admin.conf state=absent notify: - daemon reload when: ansible_facts.services["keycloak.service"]["state"] != "running" -- name: open firewall hole +- name: Open firewall hole ansible.posix.firewalld: port={{ item }} permanent=true state=enabled immediate=yes when: configure_firewall with_items: @@ -59,7 +59,7 @@ tags: - firewall -- name: create htpasswd for nginx prometheus endpoint +- name: Create htpasswd for nginx prometheus endpoint htpasswd: path: "{{ keycloak_nginx_htpasswd }}" name: "{{ vault_keycloak_nginx_user }}" @@ -68,16 +68,16 @@ group: http mode: 0640 -- name: create ssl cert +- name: Create ssl cert include_role: name: certificate vars: domains: ["{{ keycloak_domain }}"] -- name: make nginx log dir +- name: Make nginx log dir file: path="/var/log/nginx/{{ keycloak_domain }}" state=directory owner=root mode=0755 -- name: set up nginx +- name: Set up nginx template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/keycloak.conf owner=root group=root mode=0644 notify: - reload nginx diff --git a/roles/libvirt/tasks/main.yml b/roles/libvirt/tasks/main.yml index efa37cdb..2030d061 100644 --- a/roles/libvirt/tasks/main.yml +++ b/roles/libvirt/tasks/main.yml 
@@ -1,17 +1,17 @@ --- -- name: remove iptables to solve iptables<->iptables-nft conflict +- name: Remove iptables to solve iptables<->iptables-nft conflict pacman: name=iptables force=yes state=absent -- name: install libvirt and needed optional dependencies +- name: Install libvirt and needed optional dependencies pacman: name=libvirt,qemu-base,dnsmasq,iptables-nft state=present register: result -- name: reload firewalld +- name: Reload firewalld service: name=firewalld state=reloaded when: result.changed -- name: autostart default network on boot +- name: Autostart default network on boot file: src=/etc/libvirt/qemu/networks/default.xml dest=/etc/libvirt/qemu/networks/autostart/default.xml state=link owner=root group=root -- name: start and enable libvirtd +- name: Start and enable libvirtd systemd: name=libvirtd enabled=yes state=started daemon_reload=yes diff --git a/roles/loki/handlers/main.yml b/roles/loki/handlers/main.yml index 2fb42b60..cf54318b 100644 --- a/roles/loki/handlers/main.yml +++ b/roles/loki/handlers/main.yml @@ -1,2 +1,2 @@ -- name: restart loki +- name: Restart loki service: name=loki state=restarted diff --git a/roles/loki/tasks/main.yml b/roles/loki/tasks/main.yml index ed384563..ceefc8b8 100644 --- a/roles/loki/tasks/main.yml +++ b/roles/loki/tasks/main.yml 
@@ -1,26 +1,26 @@ -- name: install loki and logcli +- name: Install loki and logcli pacman: name=loki,logcli state=present -- name: install loki configuration +- name: Install loki configuration copy: src=loki.yaml dest=/etc/loki/ owner=root group=root mode=0644 notify: restart loki -- name: make nginx log dir +- name: Make nginx log dir file: path=/var/log/nginx/loki state=directory owner=root group=root mode=0755 -- name: set up nginx +- name: Set up nginx template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/logging.conf" owner=root group=root mode=640 notify: reload nginx tags: ['nginx'] -- name: open firewall hole +- name: Open firewall hole ansible.posix.firewalld: service=http zone=wireguard permanent=true state=enabled immediate=yes -- name: create drop-in directory for loki +- name: Create drop-in directory for loki file: path=/etc/systemd/system/loki.service.d state=directory owner=root group=root mode=0755 -- name: install drop-in snippet for loki +- name: Install drop-in snippet for loki copy: src=loki-override.conf dest=/etc/systemd/system/loki.service.d/override.conf owner=root group=root mode=0644 -- name: start and enable loki +- name: Start and enable loki systemd: name=loki.service enabled=yes daemon_reload=yes state=started diff --git a/roles/mailman/handlers/main.yml b/roles/mailman/handlers/main.yml index 833f0b28..61ce4bee 100644 --- a/roles/mailman/handlers/main.yml +++ b/roles/mailman/handlers/main.yml @@ -1,13 +1,13 @@ -- name: restart mailman +- name: Restart mailman service: name=mailman daemon_reload=yes state=restarted -- name: reload mailman +- name: Reload mailman service: name=mailman state=reloaded -- name: reload postfix +- name: Reload postfix service: name=postfix state=reloaded -- name: run postmap +- name: Run postmap command: postmap /etc/postfix/{{ item }} loop: - aliases diff --git a/roles/mailman/tasks/main.yml b/roles/mailman/tasks/main.yml index e9818381..7bcc05f5 100644 --- a/roles/mailman/tasks/main.yml 
+++ b/roles/mailman/tasks/main.yml @@ -1,34 +1,34 @@ -- name: create ssl cert +- name: Create ssl cert include_role: name: certificate vars: domains: ["{{ lists_domain }}"] -- name: install mailman, uwsgi-plugin-cgi and postfx +- name: Install mailman, uwsgi-plugin-cgi and postfx pacman: name=mailman,uwsgi-plugin-cgi,postfix,postfix-pcre state=present -- name: install mailman configuration +- name: Install mailman configuration template: src=mm_cfg.py.j2 dest=/etc/mailman/mm_cfg.py follow=yes owner=root group=root mode=0644 notify: reload mailman -- name: install postfix configuration +- name: Install postfix configuration template: src=main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root mode=0644 notify: reload postfix -- name: install postfix maps +- name: Install postfix maps copy: src={{ item }} dest=/etc/postfix/ owner=root group=root mode=0644 loop: - aliases - milter_header_checks notify: run postmap -- name: install postfix templated maps +- name: Install postfix templated maps template: src={{ item }}.j2 dest=/etc/postfix/{{ item }} owner=root group=root mode=0644 loop: - transport notify: run postmap -- name: open firewall holes for postfix +- name: Open firewall holes for postfix ansible.posix.firewalld: service=smtp zone={{ item }} permanent=true state=enabled immediate=yes loop: - 
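Review bot: The renamed task `Install mailman, uwsgi-plugin-cgi and postfx` carries the old typo into the new line; since the commit is already rewriting this name, `- name: Install mailman, uwsgi-plugin-cgi and postfix` fixes it at no extra cost. The last loop item of `Open firewall holes for postfix` is cut off in this view, so the zone list cannot be checked here.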
@@ -37,37 +37,37 @@ tags: - firewall -- name: create mailman list +- name: Create mailman list command: /usr/lib/mailman/bin/newlist -a mailman root@{{ lists_domain }} meG0n5Wq6dEWCA6s args: creates: /var/lib/mailman/lists/mailman -- name: configure mailman uwsgi service +- name: Configure mailman uwsgi service copy: src=mailman.ini dest=/etc/uwsgi/vassals/ owner=mailman group=http mode=0644 -- name: make nginx log dir +- name: Make nginx log dir file: path=/var/log/nginx/{{ lists_domain }} state=directory owner=root group=root mode=0755 -- name: install nginx mailman2->mailman3 redirect map +- name: Install nginx mailman2->mailman3 redirect map copy: src=migrated-lists.map dest=/etc/nginx/maps/ owner=root group=root mode=0644 notify: reload nginx -- name: set up nginx +- name: Set up nginx template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/mailman.conf" owner=root group=root mode=644 notify: reload nginx tags: ['nginx'] -- name: start and enable postfix +- name: Start and enable postfix systemd: name=postfix.service enabled=yes daemon_reload=yes state=started -- name: create drop-in directory for mailman.service +- name: Create drop-in directory for mailman.service file: path=/etc/systemd/system/mailman.service.d state=directory owner=root group=root mode=0755 -- name: install drop-in for mailman.service +- name: Install drop-in for mailman.service copy: src=override.conf dest=/etc/systemd/system/mailman.service.d/ owner=root group=root mode=0644 notify: restart mailman -- name: start and enable mailman{.service,-*.timer} +- name: Start and enable mailman{.service,-*.timer} systemd: name={{ item }} enabled=yes daemon_reload=yes state=started loop: - mailman.service diff --git a/roles/mailman3/handlers/main.yml b/roles/mailman3/handlers/main.yml index 3f47d424..f56cbaed 100644 --- a/roles/mailman3/handlers/main.yml +++ b/roles/mailman3/handlers/main.yml 
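Review bot: `Create mailman list` passes the list administrator password as a plain literal at the end of the `newlist` command line, so the secret is committed to the repository and shows up in process listings and Ansible output whenever the task runs. Move it into the vault (e.g. `{{ vault_mailman_site_list_password }}`, a placeholder name) and add `no_log: true` to the task; rotating the current value once it has left the working tree is the usual follow-up, since it remains in history. Because the task is guarded by `creates: /var/lib/mailman/lists/mailman`, the change is a no-op on hosts where the list already exists.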
@@ -1,5 +1,5 @@ -- name: reload mailman +- name: Reload mailman service: name=mailman3 state=reloaded -- name: restart mailman-web +- name: Restart mailman-web service: name=uwsgi@mailman\\x2dweb.service state=restarted diff --git a/roles/mailman3/tasks/main.yml b/roles/mailman3/tasks/main.yml index 35986e22..0b3ee53c 100644 --- a/roles/mailman3/tasks/main.yml +++ b/roles/mailman3/tasks/main.yml @@ -1,8 +1,8 @@ -- name: install mailman3 and related packages +- name: Install mailman3 and related packages pacman: name=mailman3,mailman3-hyperkitty,python-psycopg2,mailman-web,uwsgi-plugin-python state=present register: install -- name: install {mailman,mailman-web} configuration +- name: Install {mailman,mailman-web} configuration template: src={{ item.src }} dest={{ item.dest }} owner=root group={{ item.group }} mode=0640 loop: - {src: mailman.cfg.j2, dest: /etc/mailman.cfg, group: mailman} @@ -13,19 +13,19 @@ - reload mailman - restart mailman-web -- name: install mailman postfix.cfg configuration +- name: Install mailman postfix.cfg configuration copy: src=postfix.cfg dest=/etc/postfix.cfg owner=root group=root mode=0644 notify: reload mailman -- name: make nginx log dir +- name: Make nginx log dir file: path=/var/log/nginx/{{ lists_domain }} state=directory owner=root group=root mode=0755 -- name: set up nginx +- name: Set up nginx template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/mailman.conf" owner=root group=root mode=644 notify: reload nginx tags: ['nginx'] -- name: create postgres {mailman,mailman-web} user +- name: Create postgres {mailman,mailman-web} user postgresql_user: name={{ item.username }} password={{ item.password }} loop: - {username: "{{ vault_mailman_db_user }}", password: "{{ vault_mailman_db_password }}"} 
@@ -35,7 +35,7 @@ become_method: su no_log: true -- name: create {mailman,mailman-web} db +- name: Create {mailman,mailman-web} db postgresql_db: name={{ item.db }} owner={{ item.owner }} loop: - {db: mailman, owner: "{{ vault_mailman_db_user }}"} @@ -44,7 +44,7 @@ become_user: postgres become_method: su -- name: run Django management tasks +- name: Run Django management tasks command: django-admin {{ item }} --pythonpath /etc/webapps/mailman-web --settings settings loop: - migrate @@ -55,13 +55,13 @@ become_user: mailman-web when: install.changed -- name: open LMTP ipv4 port for lists.archlinux.org +- name: Open LMTP ipv4 port for lists.archlinux.org ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes rich_rule="rule family=ipv4 source address={{ hostvars['lists.archlinux.org']['wireguard_address'] }} port protocol=tcp port=8024 accept" tags: - firewall -- name: start and enable mailman{.service,-*.timer} +- name: Start and enable mailman{.service,-*.timer} systemd: name={{ item }} enabled=yes daemon_reload=yes state=started loop: - mailman3.service diff --git a/roles/maintenance/tasks/main.yml b/roles/maintenance/tasks/main.yml index 6122d1c8..74d8baf2 100644 --- a/roles/maintenance/tasks/main.yml +++ b/roles/maintenance/tasks/main.yml 
@@ -1,14 +1,14 @@ -- name: create the maintenance logs dir +- name: Create the maintenance logs dir file: path={{ maintenance_logs_dir }} state=directory owner=root group=root mode=0755 -- name: create the maintenance http dir +- name: Create the maintenance http dir file: path={{ maintenance_http_dir }} state=directory owner=root group=root mode=0755 -- name: create the service http root dir +- name: Create the service http root dir file: path={{ maintenance_http_dir }}/{{ service_domain }} state=directory owner=root group=root mode=0755 when: maintenance is defined and maintenance|bool -- name: set up nginx maintenance mode +- name: Set up nginx maintenance mode template: src: nginx-maintenance.conf.j2 dest: "{{ service_nginx_conf }}" @@ -18,7 +18,7 @@ notify: reload nginx when: service_nginx_template is not defined and maintenance is defined and maintenance|bool -- name: set up custom nginx maintenance mode +- name: Set up custom nginx maintenance mode template: src: "{{ service_nginx_template }}" dest: "{{ service_nginx_conf }}" @@ -28,7 +28,7 @@ notify: reload nginx when: service_nginx_template is defined and maintenance is defined and maintenance|bool -- name: create the 503 html file +- name: Create the 503 html file template: src: 503.html.j2 dest: "{{ maintenance_http_dir }}/{{ service_domain }}/503.html" @@ -37,5 +37,5 @@ mode: 0644 when: maintenance is defined and maintenance|bool -- name: force reload nginx +- name: Force reload nginx meta: flush_handlers diff --git a/roles/mariadb/handlers/main.yml b/roles/mariadb/handlers/main.yml index 94432d1a..7e1f1247 100644 --- a/roles/mariadb/handlers/main.yml +++ b/roles/mariadb/handlers/main.yml @@ -1,2 +1,2 @@ -- name: restart mariadb +- name: Restart mariadb service: name=mariadb state=restarted diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index afed3dbc..bee006d4 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml 
@@ -1,32 +1,32 @@ -- name: install mariadb +- name: Install mariadb pacman: name=mariadb,python-mysqlclient state=present -- name: initialize mariadb +- name: Initialize mariadb command: mysql_install_db --user=mysql --basedir=/usr --datadir=/var/lib/mysql args: creates: /var/lib/mysql/mysql -- name: configure mariadb +- name: Configure mariadb template: src=server.cnf.j2 dest=/etc/my.cnf.d/server.cnf owner=root group=root mode=0644 notify: - restart mariadb -- name: start and enable the service +- name: Start and enable the service service: name=mariadb state=started enabled=yes -- name: delete anonymous users +- name: Delete anonymous users mysql_user: user='' host_all=yes state='absent' -- name: disallow remote root login +- name: Disallow remote root login command: 'mysql -NBe "{{ item }}"' with_items: - DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1') changed_when: false -- name: drop test database +- name: Drop test database mysql_db: db=test state=absent -- name: set root password +- name: Set root password mysql_user: user=root host={{ item }} password={{ vault_mariadb_users.root }} with_items: - '127.0.0.1' @@ -34,6 +34,6 @@ - 'localhost' no_log: true -- name: create client configuration for root +- name: Create client configuration for root template: src=client.cnf.j2 dest=/root/.my.cnf owner=root group=root mode=0644 no_log: true diff --git a/roles/matrix/handlers/main.yml b/roles/matrix/handlers/main.yml index aac76000..cbc21e91 100644 --- a/roles/matrix/handlers/main.yml +++ b/roles/matrix/handlers/main.yml 
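Review bot: `Create client configuration for root` in the second hunk templates `/root/.my.cnf` with `mode=0644` while marking the task `no_log: true`, which signals the file carries the root database password; a world-readable mode contradicts that. Use `mode=0600`, since only root's own client reads the file. `/root` is normally not world-traversable, but relying on the parent directory is weaker than restricting the file itself.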
@@ -1,32 +1,32 @@ -- name: restart synapse +- name: Restart synapse systemd: name: synapse state: restarted enabled: true daemon_reload: true -- name: restart pantalaimon +- name: Restart pantalaimon systemd: name: pantalaimon state: restarted enabled: true daemon_reload: true -- name: restart mjolnir +- name: Restart mjolnir systemd: name: mjolnir state: restarted enabled: true daemon_reload: true -- name: restart matrix-appservice-irc +- name: Restart matrix-appservice-irc systemd: name: matrix-appservice-irc state: restarted enabled: true daemon_reload: true -- name: restart turnserver +- name: Restart turnserver systemd: name: turnserver state: restarted diff --git a/roles/matrix/tasks/main.yml b/roles/matrix/tasks/main.yml index 32fea804..0f8481a0 100644 --- a/roles/matrix/tasks/main.yml +++ b/roles/matrix/tasks/main.yml @@ -1,11 +1,11 @@ -- name: create ssl cert +- name: Create ssl cert include_role: name: certificate vars: domains: ["{{ matrix_domain }}"] when: 'matrix_domain is defined' -- name: install packages +- name: Install packages pacman: name: - coturn @@ -32,13 +32,13 @@ - yarn - zlib -- name: add synapse group +- name: Add synapse group group: name=synapse system=yes gid=198 -- name: add synapse user +- name: Add synapse user user: name=synapse system=yes uid=198 group=synapse home=/var/lib/synapse shell=/bin/false createhome=no -- name: create synapse home +- name: Create synapse home file: path={{ item }} state=directory owner=synapse group=synapse mode=0700 with_items: - /var/lib/synapse @@ -46,7 +46,7 @@ - /var/lib/synapse/mjolnir-data - /var/lib/synapse/pantalaimon-data -- name: make virtualenvs +- name: Make virtualenvs command: 'python -m venv {{ item }}' args: creates: '{{ item }}/bin/python' @@ -57,7 +57,7 @@ - /var/lib/synapse/venv - /var/lib/synapse/venv-pantalaimon -- name: update virtualenvs +- name: Update virtualenvs pip: name: - pip 
@@ -72,7 +72,7 @@ - /var/lib/synapse/venv - /var/lib/synapse/venv-pantalaimon -- name: install synapse +- name: Install synapse pip: name: - 'matrix-synapse[postgres,systemd,url_preview,redis,oidc]==1.65.0' @@ -86,7 +86,7 @@ notify: - restart synapse -- name: install pantalaimon +- name: Install pantalaimon pip: name: - 'pantalaimon==0.10.4' @@ -99,7 +99,7 @@ notify: - restart pantalaimon -- name: download mjolnir +- name: Download mjolnir git: repo: https://github.com/matrix-org/mjolnir dest: /var/lib/synapse/mjolnir @@ -112,7 +112,7 @@ notify: - restart mjolnir -- name: install mjolnir +- name: Install mjolnir community.general.yarn: path: /var/lib/synapse/mjolnir become: true @@ -120,7 +120,7 @@ become_method: sudo when: mjolnir_git.changed -- name: build mjolnir +- name: Build mjolnir command: yarn build args: chdir: /var/lib/synapse/mjolnir @@ -129,7 +129,7 @@ become_method: sudo when: mjolnir_git.changed -- name: install mjolnir antispam module +- name: Install mjolnir antispam module pip: name: - /var/lib/synapse/mjolnir/synapse_antispam @@ -142,7 +142,7 @@ notify: - restart synapse -- name: download matrix-appservice-irc +- name: Download matrix-appservice-irc git: repo: https://github.com/matrix-org/matrix-appservice-irc dest: /var/lib/synapse/matrix-appservice-irc @@ -155,7 +155,7 @@ notify: - restart matrix-appservice-irc -- name: install matrix-appservice-irc +- name: Install matrix-appservice-irc community.general.npm: path: /var/lib/synapse/matrix-appservice-irc ci: true 
@@ -164,41 +164,41 @@ become_method: sudo when: irc_git.changed
-- name: install pg_hba.conf
+- name: Install pg_hba.conf copy: src=pg_hba.conf dest=/var/lib/postgres/data/pg_hba.conf owner=postgres group=postgres mode=0600 notify: - restart postgres
-- name: add synapse postgres db
+- name: Add synapse postgres db postgresql_db: db=synapse lc_collate=C lc_ctype=C template=template0 become: true become_user: postgres become_method: su
-- name: add synapse postgres user
+- name: Add synapse postgres user postgresql_user: db=synapse user=synapse password={{ vault_postgres_users.synapse }} become: true become_user: postgres become_method: su
-- name: add irc postgres db
+- name: Add irc postgres db postgresql_db: db=irc become: true become_user: postgres become_method: su
-- name: create synapse config dir
+- name: Create synapse config dir file: path={{ item }} state=directory owner=root group=synapse mode=0750 with_items: - /etc/synapse - /etc/synapse/mjolnir
-- name: install homeserver config
+- name: Install homeserver config template: src=homeserver.yaml.j2 dest=/etc/synapse/homeserver.yaml owner=root group=synapse mode=0640 notify: - restart synapse
-- name: install static config
+- name: Install static config copy: src={{ item }} dest=/etc/synapse/{{ item }} owner=root group=root mode=0644 with_items: - log_config.yaml
@@ -209,27 +209,27 @@ notify: - restart synapse
-- name: install pantalaimon config
+- name: Install pantalaimon config template: src=pantalaimon.conf.j2 dest=/etc/synapse/pantalaimon.conf owner=root group=synapse mode=0644 notify: - restart pantalaimon
-- name: install mjolnir config
+- name: Install mjolnir config template: src=mjolnir.yaml.j2 dest=/etc/synapse/mjolnir/production.yaml owner=root group=synapse mode=0640 notify: - restart mjolnir
-- name: install irc-bridge config
+- name: Install irc-bridge config template: src=irc-bridge.yaml.j2 dest=/etc/synapse/irc-bridge.yaml owner=root group=synapse mode=0640 notify: - restart matrix-appservice-irc
-- name: install irc-bridge registration
+- name: Install irc-bridge registration template: src=appservice-registration-irc.yaml.j2 dest=/etc/synapse/appservice-registration-irc.yaml owner=root group=synapse mode=0640 notify: - restart synapse
-- name: install signing key
+- name: Install signing key copy: content: '{{ vault_matrix_secrets.signing_key }}' dest: /etc/synapse/{{ matrix_server_name }}.signing.key
@@ -237,7 +237,7 @@ group: synapse mode: 0640
-- name: install ircpass key
+- name: Install ircpass key copy: content: '{{ vault_matrix_secrets.ircpass_key }}' dest: /etc/synapse/{{ matrix_server_name }}.ircpass.key
@@ -245,25 +245,25 @@ group: synapse mode: 0640
-- name: make nginx log dir
+- name: Make nginx log dir file: path=/var/log/nginx/{{ matrix_domain }} state=directory owner=root group=root mode=0755
-- name: set up nginx
+- name: Set up nginx template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/matrix.conf owner=root group=root mode=0640 notify: - reload nginx when: 'matrix_domain is defined' tags: ['nginx']
-- name: install turnserver.conf
+- name: Install turnserver.conf template: src=turnserver.conf.j2 dest=/etc/turnserver/turnserver.conf owner=turnserver group=turnserver mode=0600 notify: - restart turnserver
-- name: install turnserver cert renewal hook
+- name: Install turnserver cert renewal hook copy: src=letsencrypt.hook.d dest=/etc/letsencrypt/hook.d/turnserver owner=root group=root mode=0755
-- name: install synapse units
+- name: Install synapse units copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 with_items: - synapse.service
@@ -271,28 +271,28 @@ notify: - restart synapse
-- name: install pantalaimon units
+- name: Install pantalaimon units copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 with_items: - pantalaimon.service notify: - restart pantalaimon
-- name: install mjolnir units
+- name: Install mjolnir units copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 with_items: - mjolnir.service notify: - restart mjolnir
-- name: install matrix-appservice-irc units
+- name: Install matrix-appservice-irc units copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 with_items: - matrix-appservice-irc.service notify: - restart matrix-appservice-irc
-- name: enable synapse units
+- name: Enable synapse units service: name={{ item }} enabled=yes with_items: - synapse.service
@@ -303,35 +303,35 @@ notify: - restart synapse
-- name: enable pantalaimon units
+- name: Enable pantalaimon units service: name={{ item }} enabled=yes with_items: - pantalaimon.service notify: - restart pantalaimon
-- name: enable mjolnir units
+- name: Enable mjolnir units service: name={{ item }} enabled=yes with_items: - mjolnir.service notify: - restart mjolnir
-- name: enable matrix-appservice-irc units
+- name: Enable matrix-appservice-irc units service: name={{ item }} enabled=yes with_items: - matrix-appservice-irc.service notify: - restart matrix-appservice-irc
-- name: enable turnserver units
+- name: Enable turnserver units service: name={{ item }} enabled=yes with_items: - turnserver.service notify: - restart turnserver
-- name: open firewall holes
+- name: Open firewall holes ansible.posix.firewalld: port={{ item }} permanent=true state=enabled immediate=yes with_items: # synapse's identd
diff --git a/roles/memcached/tasks/main.yml b/roles/memcached/tasks/main.yml
index 5665f60f..dcfab36b 100644
--- a/roles/memcached/tasks/main.yml
+++ b/roles/memcached/tasks/main.yml
@@ -1,10 +1,10 @@
-- name: install memcached
+- name: Install memcached pacman: name=memcached state=present
-- name: put memcached.conf into tmpfiles
+- name: Put memcached.conf into tmpfiles template: src=memcached-tmpfiles.d.j2 dest=/etc/tmpfiles.d/memcached.conf owner=root group=root mode=0644 register: memcachedtmpfiles
-- name: use tmpfiles.d/memcached.conf
+- name: Use tmpfiles.d/memcached.conf command: systemd-tmpfiles --create when: memcachedtmpfiles.changed
diff --git a/roles/mta_sts/tasks/main.yml b/roles/mta_sts/tasks/main.yml
index 6da98304..cd0788a3 100644
--- a/roles/mta_sts/tasks/main.yml
+++ b/roles/mta_sts/tasks/main.yml
@@ -1,15 +1,15 @@
-- name: create ssl cert
+- name: Create ssl cert include_role: name: certificate vars: domains: "{{ ['mta-sts.'] | product(item.domains) | map('join') }}" loop: "{{ mta_sts }}"
-- name: make nginx log dir
+- name: Make nginx log dir file: path=/var/log/nginx/{{ "mta-sts." + item.domains | first }} state=directory owner=root group=root mode=0755 loop: "{{ mta_sts }}"
-- name: set up nginx
+- name: Set up nginx template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/mta-sts.conf" owner=root group=root mode=644 notify: reload nginx tags: ['nginx']
diff --git a/roles/networking/handlers/main.yml b/roles/networking/handlers/main.yml
index 5a7efe14..c622aec0 100644
--- a/roles/networking/handlers/main.yml
+++ b/roles/networking/handlers/main.yml
@@ -1,4 +1,4 @@
-- name: restart networkd
+- name: Restart networkd systemd: name: systemd-networkd state: restarted
diff --git a/roles/networking/tasks/main.yml b/roles/networking/tasks/main.yml
index d238f17e..6ab1d933 100644
--- a/roles/networking/tasks/main.yml
+++ b/roles/networking/tasks/main.yml
@@ -1,49 +1,49 @@
-- name: configure network (static)
+- name: Configure network (static) block:
- - name: install 10-static-ethernet.network
+ - name: Install 10-static-ethernet.network template: src=10-static-ethernet.network.j2 dest={{ chroot_path }}/etc/systemd/network/10-static-ethernet.network owner=root group=root mode=0644 notify: - restart networkd
- - name: create drop-in directory for 10-static-ethernet.network
+ - name: Create drop-in directory for 10-static-ethernet.network file: path={{ chroot_path }}/etc/systemd/network/10-static-ethernet.network.d state=directory owner=root group=root mode=0755
- - name: configure static dns (static)
+ - name: Configure static dns (static) copy: src=dns.conf dest={{ chroot_path }}/etc/systemd/network/10-static-ethernet.network.d/dns.conf owner=root group=root mode=0644 notify: - restart networkd when: static_dns|default(true) when: not dhcp|default(false)
-- name: configure network (dhcp)
+- name: Configure network (dhcp) block:
- - name: install 10-dhcp-ethernet.network
+ - name: Install 10-dhcp-ethernet.network template: src=10-dhcp-ethernet.network.j2 dest={{ chroot_path }}/etc/systemd/network/10-dhcp-ethernet.network owner=root group=root mode=0644 notify: - restart networkd
- - name: create drop-in directory for 10-dhcp-ethernet.network
+ - name: Create drop-in directory for 10-dhcp-ethernet.network file: path={{ chroot_path }}/etc/systemd/network/10-dhcp-ethernet.network.d state=directory owner=root group=root mode=0755
- - name: configure static dns (dhcp)
+ - name: Configure static dns (dhcp) copy: src=dns.conf dest={{ chroot_path }}/etc/systemd/network/10-dhcp-ethernet.network.d/dns.conf owner=root group=root mode=0644 notify: - restart networkd when: static_dns|default(false) when: dhcp|default(false)
-- name: create symlink to resolv.conf
+- name: Create symlink to resolv.conf file: src=/run/systemd/resolve/stub-resolv.conf dest={{ chroot_path }}/etc/resolv.conf state=link force=yes follow=no owner=root
group=root
-- name: install hcloud-init
+- name: Install hcloud-init copy: src=hcloud-init dest={{ chroot_path }}/usr/local/bin/hcloud-init owner=root group=root mode=0755 when: "'hcloud' in group_names or inventory_hostname == 'packer-base-image'"
-- name: install hcloud-init.service
+- name: Install hcloud-init.service copy: src=hcloud-init.service dest={{ chroot_path }}/etc/systemd/system/hcloud-init.service owner=root group=root mode=0644 when: "'hcloud' in group_names or inventory_hostname == 'packer-base-image'"
-- name: enable hcloud-init inside chroot
+- name: Enable hcloud-init inside chroot command: chroot {{ chroot_path }} systemctl enable hcloud-init register: chroot_systemd_services changed_when: "chroot_systemd_services.rc == 0"
@@ -51,16 +51,16 @@ - chroot_path | length != 0 - "'hcloud' in group_names or inventory_hostname == 'packer-base-image'"
-- name: start and enable hcloud-init
+- name: Start and enable hcloud-init service: name=hcloud-init daemon_reload=yes state=started enabled=yes when: - chroot_path | length == 0 - "'hcloud' in group_names or inventory_hostname == 'packer-base-image'"
-- name: start and enable networkd
+- name: Start and enable networkd service: name=systemd-networkd state=started enabled=yes when: chroot_path | length == 0
-- name: start and enable resolved
+- name: Start and enable resolved service: name=systemd-resolved state=started enabled=yes when: chroot_path | length == 0
diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml
index 816ad436..43c16d17 100644
--- a/roles/nginx/handlers/main.yml
+++ b/roles/nginx/handlers/main.yml
@@ -1,2 +1,2 @@
-- name: reload nginx
+- name: Reload nginx service: name=nginx state=reloaded
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 442a528f..c93ddac3 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -1,21 +1,21 @@
-- name: install nginx
+- name: Install nginx pacman: name=nginx,nginx-mod-brotli state=present
-- name: install nginx.service snippet
+- name: Install nginx.service snippet copy: src=nginx.service.d dest=/etc/systemd/system owner=root group=root mode=0644
-- name: configure nginx
+- name: Configure nginx template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf owner=root group=root mode=0644 notify: - reload nginx
-- name: snippets directories
+- name: Snippets directories file: state=directory path=/etc/nginx/{{ item }} owner=root group=root mode=0755 with_items: - toplevel-snippets - snippets
-- name: copy snippets
+- name: Copy snippets template: src={{ item }} dest=/etc/nginx/snippets owner=root group=root mode=0644 with_items: - letsencrypt.conf
@@ -23,41 +23,41 @@ notify: - reload nginx
-- name: install cert renewal hook
+- name: Install cert renewal hook template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/hook.d/nginx owner=root group=root mode=0755 when: "'certbot' in ansible_play_role_names"
-- name: create nginx.d directory
+- name: Create nginx.d directory file: state=directory path=/etc/nginx/nginx.d owner=root group=root mode=0755
-- name: create auth directory
+- name: Create auth directory file: state=directory path=/etc/nginx/auth owner=root group=root mode=0755
-- name: create maps directory
+- name: Create maps directory file: state=directory path=/etc/nginx/maps owner=root group=root mode=0755
-- name: create default nginx log directory
+- name: Create default nginx log directory file: state=directory path=/var/log/nginx/default owner=root group=root mode=0755
-- name: create unique DH group
+- name: Create unique DH group command: openssl dhparam -out /etc/ssl/dhparams.pem 2048 creates=/etc/ssl/dhparams.pem
-- name: create directory to store validation stuff in
+- name: Create directory to store validation stuff in file: owner=root group=http mode=0750 path={{ letsencrypt_validation_dir }} state=directory
-- name: install logrotate config
+- name: Install logrotate config copy: src=logrotate.conf dest=/etc/logrotate.d/nginx-ansible owner=root group=root mode=0644
-- name: install inventory_hostname vhost
+- name: Install inventory_hostname vhost template: src=nginx-hostname-vhost.conf.j2 dest=/etc/nginx/nginx.d/nginx-hostname-vhost.conf owner=root group=root mode=0644 notify: - reload nginx tags: ['nginx']
-- name: enable nginx
+- name: Enable nginx service: name=nginx enabled=yes
-- name: open firewall holes
+- name: Open firewall holes ansible.posix.firewalld: service={{ item }} zone={{ nginx_firewall_zone }} permanent=true state=enabled immediate=yes with_items: - http
diff --git a/roles/patchwork/handlers/main.yml b/roles/patchwork/handlers/main.yml
index 5348bff9..fa1c21bb 100644
--- a/roles/patchwork/handlers/main.yml
+++ b/roles/patchwork/handlers/main.yml
@@ -1,6 +1,6 @@
-- name: daemon reload
+- name: Daemon reload systemd: daemon-reload: true
-- name: restart patchwork memcached
+- name: Restart patchwork memcached service: name=patchwork-memcached state=restarted
diff --git a/roles/patchwork/tasks/main.yml b/roles/patchwork/tasks/main.yml
index 6ff0f141..b991571b 100644
--- a/roles/patchwork/tasks/main.yml
+++ b/roles/patchwork/tasks/main.yml
@@ -1,4 +1,4 @@
-- name: run maintenance mode
+- name: Run maintenance mode include_role: name: maintenance vars:
@@ -8,129 +8,129 @@ service_nginx_conf: "{{ patchwork_nginx_conf }}" when: maintenance is defined
-- name: install packages
+- name: Install packages pacman: name=gcc,git,python,python-psycopg2,sudo,uwsgi-plugin-python,python-pip state=present
-- name: make patchwork user
+- name: Make patchwork user user: name=patchwork shell=/bin/false home="{{ patchwork_dir }}" createhome=no
-- name: fix home permissions
+- name: Fix home permissions file: state=directory owner=patchwork group=patchwork mode=0755 path="{{ patchwork_dir }}"
-- name: set patchwork groups
+- name: Set patchwork groups user: name=patchwork groups=uwsgi
-- name: create ssl cert
+- name: Create ssl cert include_role: name: certificate vars: domains: ["{{ patchwork_domain }}"]
-- name: set up nginx
+- name: Set up nginx template: src=nginx.d.conf.j2 dest="{{ patchwork_nginx_conf }}" owner=root group=root mode=644 notify: - reload nginx when: maintenance is not defined tags: ['nginx']
-- name: make nginx log dir
+- name: Make nginx log dir file: path=/var/log/nginx/{{ patchwork_domain }} state=directory owner=root group=root mode=0755
-- name: clone patchwork repo
+- name: Clone patchwork repo git: repo=https://github.com/getpatchwork/patchwork.git dest="{{ patchwork_dir }}" version="{{ patchwork_version }}" become: true become_user: patchwork register: release
-- name: make virtualenv
+- name: Make virtualenv command: python -m venv "{{ patchwork_dir }}"/env creates="{{ patchwork_dir }}/env/bin/python" become: true become_user: patchwork
-- name: install from requirements into virtualenv
+- name: Install from requirements into virtualenv pip: requirements="{{ patchwork_dir }}/requirements-prod.txt" virtualenv="{{ patchwork_dir }}/env" extra_args="--no-binary :all:" become: true become_user: patchwork register: virtualenv
-- name: fix home permissions
+- name: Fix home permissions file: state=directory owner=patchwork group=patchwork mode=0755 path="{{ patchwork_dir }}"
-- name: configure patchwork
+-
name: Configure patchwork template: src=production.py.j2 dest="{{ patchwork_dir }}/patchwork/settings/production.py" owner=patchwork group=patchwork mode=0660 register: config no_log: true
-- name: create patchwork db users
+- name: Create patchwork db users postgresql_user: name={{ item.user }} password={{ item.password }} login_host="{{ patchwork_db_host }}" login_password="{{ vault_postgres_users.postgres }}" encrypted=yes no_log: true with_items: - { user: "{{ patchwork_db_user }}", password: "{{ vault_patchwork_db_password }}" } - { user: "{{ patchwork_db_backup_user }}", password: "{{ vault_patchwork_db_backup_password }}" }
-- name: create patchwork db
+- name: Create patchwork db postgresql_db: name="{{ patchwork_db }}" login_host="{{ patchwork_db_host }}" login_password="{{ vault_postgres_users.postgres }}" owner="{{ patchwork_db_user }}" register: db_created
-- name: django migrate
+- name: Django migrate django_manage: app_path="{{ patchwork_dir }}" command=migrate virtualenv="{{ patchwork_dir }}/env" become: true become_user: patchwork when: (db_created.changed or release.changed or config.changed or virtualenv.changed or patchwork_forced_deploy)
-- name: db privileges for patchwork users
+- name: DB privileges for patchwork users postgresql_privs: database="{{ patchwork_db }}" host="{{ patchwork_db_host }}" login="{{ patchwork_db_user }}" password="{{ vault_patchwork_db_password }}" privs=CONNECT roles="{{ item }}" type=database with_items: - "{{ patchwork_db_backup_user }}"
-- name: table privileges for patchwork users
+- name: Table privileges for patchwork users postgresql_privs: database="{{ patchwork_db }}" host="{{ patchwork_db_host }}" login="{{ patchwork_db_user }}" password="{{ vault_patchwork_db_password }}" privs=SELECT roles="{{ item.user }}" type=table objs="{{ item.objs }}" with_items: - { user: "{{ patchwork_db_backup_user }}", objs: "{{ patchwork_db_backup_table_objs }}" }
-- name: sequence privileges for patchwork users
+- name:
Sequence privileges for patchwork users postgresql_privs: database="{{ patchwork_db }}" host="{{ patchwork_db_host }}" login="{{ patchwork_db_user }}" password="{{ vault_patchwork_db_password }}" privs=SELECT roles="{{ item.user }}" type=sequence objs="{{ item.objs }}" with_items: - { user: "{{ patchwork_db_backup_user }}", objs: "{{ patchwork_db_backup_sequence_objs }}" }
-- name: django collectstatic
+- name: Django collectstatic django_manage: app_path="{{ patchwork_dir }}" command=collectstatic virtualenv="{{ patchwork_dir }}/env" become: true become_user: patchwork when: (db_created.changed or release.changed or config.changed or virtualenv.changed or patchwork_forced_deploy)
-- name: install patchwork parsemail script
+- name: Install patchwork parsemail script template: src="patchwork-parsemail-wrapper.sh.j2" dest="/usr/local/bin/patchwork-parsemail-wrapper.sh" owner=root group=root mode=0755
-- name: install sudoer rights for fetchmail to call patchwork
+- name: Install sudoer rights for fetchmail to call patchwork template: src=sudoers-fetchmail-patchwork.j2 dest=/etc/sudoers.d/fetchmail-patchwork owner=root group=root mode=0440
-- name: install patchwork memcached service
+- name: Install patchwork memcached service template: src="patchwork-memcached.service.j2" dest="/etc/systemd/system/patchwork-memcached.service" owner=root group=root mode=0644 notify: - daemon reload
-- name: install patchwork notification service
+- name: Install patchwork notification service template: src="patchwork-notification.service.j2" dest="/etc/systemd/system/patchwork-notification.service" owner=root group=root mode=0644 notify: - daemon reload
-- name: install patchwork notification timer
+- name: Install patchwork notification timer template: src="patchwork-notification.timer.j2" dest="/etc/systemd/system/patchwork-notification.timer" owner=root group=root mode=0644 notify: - daemon reload
-- name: deploy patchwork
+- name: Deploy patchwork template: src=patchwork.ini.j2
dest=/etc/uwsgi/vassals/patchwork.ini owner=patchwork group=http mode=0644
-- name: deploy new release
+- name: Deploy new release file: path=/etc/uwsgi/vassals/patchwork.ini state=touch owner=patchwork group=http mode=0644 when: (release.changed or config.changed or virtualenv.changed or patchwork_forced_deploy)
-- name: start and enable patchwork memcached service and notification timer
+- name: Start and enable patchwork memcached service and notification timer systemd: name: "{{ item }}" enabled: true
diff --git a/roles/php7_fpm/handlers/main.yaml b/roles/php7_fpm/handlers/main.yaml
index b7dd1329..53c25acb 100644
--- a/roles/php7_fpm/handlers/main.yaml
+++ b/roles/php7_fpm/handlers/main.yaml
@@ -1,3 +1,3 @@
-- name: daemon reload
+- name: Daemon reload systemd: daemon-reload: true
diff --git a/roles/php7_fpm/tasks/main.yaml b/roles/php7_fpm/tasks/main.yaml
index 54287353..7b9d5527 100644
--- a/roles/php7_fpm/tasks/main.yaml
+++ b/roles/php7_fpm/tasks/main.yaml
@@ -1,7 +1,7 @@
-- name: install php7-fpm
+- name: Install php7-fpm pacman: name=php7-fpm,php7-gd,php7-pgsql state=present
-- name: install php7-fpm units
+- name: Install php7-fpm units copy: > src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
@@ -10,7 +10,7 @@ - php-fpm7@.service notify: daemon reload
-- name: configure default php.ini
+- name: Configure default php.ini template: > src=php.ini.j2 dest=/etc/php7/php.ini owner=root group=root mode=0644
diff --git a/roles/php_fpm/handlers/main.yaml b/roles/php_fpm/handlers/main.yaml
index b7dd1329..53c25acb 100644
--- a/roles/php_fpm/handlers/main.yaml
+++ b/roles/php_fpm/handlers/main.yaml
@@ -1,3 +1,3 @@
-- name: daemon reload
+- name: Daemon reload systemd: daemon-reload: true
diff --git a/roles/php_fpm/tasks/main.yaml b/roles/php_fpm/tasks/main.yaml
index 01c6d645..026e5434 100644
--- a/roles/php_fpm/tasks/main.yaml
+++ b/roles/php_fpm/tasks/main.yaml
@@ -1,7 +1,7 @@
-- name: install php-fpm
+- name: Install php-fpm pacman: name=php-fpm,php-gd,php-pgsql state=present
-- name: install php-fpm units
+- name: Install php-fpm units copy: > src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
@@ -10,7 +10,7 @@ - php-fpm@.service notify: daemon reload
-- name: configure default php.ini
+- name: Configure default php.ini template: > src=php.ini.j2 dest=/etc/php/php.ini owner=root group=root mode=0644
diff --git a/roles/phrik/tasks/main.yml b/roles/phrik/tasks/main.yml
index 1718edb4..17c9365c 100644
--- a/roles/phrik/tasks/main.yml
+++ b/roles/phrik/tasks/main.yml
@@ -1,34 +1,34 @@
-- name: install phrik utilities
+- name: Install phrik utilities pacman: name=git,pkgfile,polkit state=present
-- name: add phrik group
+- name: Add phrik group group: name=phrik gid=1100 state=present
-- name: add phrik user
+- name: Add phrik user user: name=phrik group=phrik uid=1100 comment="phrik IRC bot" createhome=yes
-- name: adding users to phrik group
+- name: Adding users to phrik group user: groups=phrik name="{{ item }}" append=yes with_items: - demize tags: ['archusers']
-- name: adding users to systemd-journal group for monitoring
+- name: Adding users to systemd-journal group for monitoring user: groups=systemd-journal name="{{ item }}" append=yes with_items: - demize tags: ['archusers']
-- name: install phrik sudoers config
+- name: Install phrik sudoers config copy: src=sudoers dest=/etc/sudoers.d/phrik owner=root group=root mode=0440
-- name: install polkit rule for restarting phrik
+- name: Install polkit rule for restarting phrik copy: src=20-manage-phrik.rules dest=/etc/polkit-1/rules.d/20-manage-phrik.rules owner=root group=root mode=0644
-- name: install phrik systemd service
+- name: Install phrik systemd service copy: src=phrik.service dest=/etc/systemd/system/phrik.service owner=root group=root mode=0644
-- name: start and enable pkgfile and phrikservice
+- name: Start and enable pkgfile and phrikservice systemd: name: "{{ item }}" enabled: true
diff --git a/roles/ping/tasks/main.yml b/roles/ping/tasks/main.yml
index 54ecfba8..74fb8e62 100644
--- a/roles/ping/tasks/main.yml
+++ b/roles/ping/tasks/main.yml
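Review bot: The two renamed tasks `Adding users to phrik group` and `Adding users to systemd-journal group for monitoring` keep the gerund form, while every other task name in this file (and in the rest of the commit) uses an imperative verb such as `Install`, `Add` or `Start`. Since the commit is already touching these lines for the casing change, it would be consistent to make them `- name: Add users to phrik group` and `- name: Add users to systemd-journal group for monitoring` at the same time. This is purely a naming consistency point; the task bodies are unchanged context here.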
@@ -1,13 +1,13 @@
-- name: create ssl cert
+- name: Create ssl cert include_role: name: certificate vars: domains: ["{{ ping_domain }}"]
-- name: make nginx log dir
+- name: Make nginx log dir file: path=/var/log/nginx/{{ ping_domain }} state=directory owner=root group=root mode=0755
-- name: set up nginx
+- name: Set up nginx template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/ping.conf" owner=root group=root mode=644 notify: reload nginx tags: ['nginx']
diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml
index b40a9ab2..322279f4 100644
--- a/roles/postfix/handlers/main.yml
+++ b/roles/postfix/handlers/main.yml
@@ -1,12 +1,12 @@
-- name: restart postfix
+- name: Restart postfix service: name: postfix state: restarted
-- name: reload postfix
+- name: Reload postfix command: postfix reload
-- name: postmap additional files
+- name: Postmap additional files command: postmap /etc/postfix/{{ item }} with_items: - access_client
@@ -19,5 +19,5 @@ - domains - msa_header_checks
-- name: update aliases db
+- name: Update aliases db command: postalias /etc/postfix/aliases
diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml
index dcb35f4d..d04db927 100644
--- a/roles/postfix/tasks/main.yml
+++ b/roles/postfix/tasks/main.yml
@@ -1,7 +1,7 @@
-- name: install postfix
+- name: Install postfix pacman: name=postfix,postfix-pcre state=present
-- name: install template configs
+- name: Install template configs template: src={{ item }}.j2 dest=/etc/postfix/{{ item }} owner=root group=root mode=0644 with_items: - main.cf
@@ -15,7 +15,7 @@ - postmap additional files - update aliases db
-- name: install additional files
+- name: Install additional files copy: src={{ item }} dest=/etc/postfix/{{ item }} owner=root group=root mode=0644 with_items: - access_client
@@ -31,42 +31,42 @@ notify: - postmap additional files
-- name: create dhparam 2048
+- name: Create dhparam 2048 command: openssl dhparam -out /etc/postfix/dh2048.pem 2048 creates=/etc/postfix/dh2048.pem notify: - reload postfix
-- name: create ssl cert
+- name: Create ssl cert include_role: name: certificate vars: domains: ["{{ mail_domain }}"]
-- name: install postfix cert renewal hook
+- name: Install postfix cert renewal hook template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/hook.d/postfix owner=root group=root mode=0755
-- name: install bouncehandler config
+- name: Install bouncehandler config template: src=wiki-bouncehandler.conf.j2 dest={{ postfix_wiki_bounce_config }} owner={{ postfix_wiki_bounce_user }} group=root mode=0600
-- name: install packages for bounce handler
+- name: Install packages for bounce handler pacman: name=perl-mediawiki-api,perl-config-simple state=present
-- name: install bouncehandler script
+- name: Install bouncehandler script copy: src=bouncehandler.pl dest={{ postfix_wiki_bounce_mail_handler }} owner=root group=root mode=0755
-- name: make bouncehandler user
+- name: Make bouncehandler user user: name={{ postfix_wiki_bounce_user }} shell=/bin/false skeleton=/var/empty state=present
-- name: start and enable postfix
+- name: Start and enable postfix service: name=postfix enabled=yes state=started
-- name: remove old files
+- name: Remove old files file: path={{ item }} state=absent with_items: - compat_maps - compat_maps.db
-- name: open firewall holes
+- name: Open firewall holes ansible.posix.firewalld: service={{ item }} permanent=true state=enabled immediate=yes with_items: - smtp
diff --git a/roles/postfix_null/handlers/main.yml b/roles/postfix_null/handlers/main.yml
index 92e6bc6b..72e494d4 100644
--- a/roles/postfix_null/handlers/main.yml
+++ b/roles/postfix_null/handlers/main.yml
@@ -1,2 +1,2 @@
-- name: reload postfix
+- name: Reload postfix service: name=postfix state=reloaded
diff --git a/roles/postfix_null/tasks/main.yml b/roles/postfix_null/tasks/main.yml
index 0fd69c97..2ba6d89c 100644
--- a/roles/postfix_null/tasks/main.yml
+++ b/roles/postfix_null/tasks/main.yml
@@ -1,7 +1,7 @@
-- name: install postfix
+- name: Install postfix pacman: name=postfix state=present
-- name: install template configs
+- name: Install template configs template: src={{ item.file }}.j2 dest=/etc/postfix/{{ item.file }} owner=root group={{ item.group }} mode={{ item.mode }} with_items: - {file: main.cf, group: root, mode: 644}
@@ -9,7 +9,7 @@ notify: - reload postfix
-- name: create user account on mail to relay with
+- name: Create user account on mail to relay with delegate_to: mail.archlinux.org user: name: "{{ inventory_hostname_short }}"
@@ -21,5 +21,5 @@ home: /home/"{{ inventory_hostname }}" # Set home directory so shadow.service does not fail create_home: true
-- name: start and enable postfix
+- name: Start and enable postfix service: name=postfix enabled=yes state=started
diff --git a/roles/postfwd/handlers/main.yml b/roles/postfwd/handlers/main.yml
index d8da47c4..3f06867f 100644
--- a/roles/postfwd/handlers/main.yml
+++ b/roles/postfwd/handlers/main.yml
@@ -1,2 +1,2 @@
-- name: reload postfwd
+- name: Reload postfwd service: name=postfwd state=reloaded
diff --git a/roles/postfwd/tasks/main.yml b/roles/postfwd/tasks/main.yml
index 9e5a5b74..8b5828ed 100644
--- a/roles/postfwd/tasks/main.yml
+++ b/roles/postfwd/tasks/main.yml
@@ -1,10 +1,10 @@
-- name: install postfwd
+- name: Install postfwd pacman: name=postfwd state=present
-- name: install postfwd.cf
+- name: Install postfwd.cf template: src=postfwd.cf.j2 dest=/etc/postfwd/postfwd.cf owner=postfwd group=root mode=0600 notify: - reload postfwd
-- name: start and enable postfwd
+- name: Start and enable postfwd service: name=postfwd enabled=yes state=started
diff --git a/roles/postgres/handlers/main.yml b/roles/postgres/handlers/main.yml
index 852591c0..197b852d 100644
--- a/roles/postgres/handlers/main.yml
+++ b/roles/postgres/handlers/main.yml
@@ -1,2 +1,2 @@
-- name: restart postgres
+- name: Restart postgres service: name=postgresql state=restarted
diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml
index 9f916cb7..da38d4db 100644
--- a/roles/postgres/tasks/main.yml
+++ b/roles/postgres/tasks/main.yml
@@ -1,13 +1,13 @@
-- name: create postgres subvolume
+- name: Create postgres subvolume command: btrfs subvol create /var/lib/postgres args: creates: /var/lib/postgres when: filesystem == "btrfs"
-- name: install postgres
+- name: Install postgres pacman: name=postgresql,python-psycopg2 state=present
-- name: create nocow database directory
+- name: Create nocow database directory file: state: directory owner: postgres
@@ -17,7 +17,7 @@ mode: 0700 when: filesystem == "btrfs"
-- name: initialize postgres
+- name: Initialize postgres become: true become_user: postgres become_method: su
@@ -28,7 +28,7 @@ notify: - restart postgres
-- name: configure postgres
+- name: Configure postgres template: src={{ item }}.j2 dest=/var/lib/postgres/data/{{ item }} owner=postgres group=postgres mode=0600 with_items: - postgresql.conf
@@ -36,35 +36,35 @@ notify: - restart postgres
-- name: install postgres certificate
+- name: Install postgres certificate copy: src=/etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem dest={{ postgres_ssl_cert_file }} remote_src=true owner=postgres group=postgres mode=0400 when: postgres_ssl == 'on'
-- name: install postgres private key
+- name: Install postgres private key copy: src=/etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem dest={{ postgres_ssl_key_file }} remote_src=true owner=postgres group=postgres mode=0400 when: postgres_ssl == 'on'
-- name: install postgres ca
+- name: Install postgres ca copy: src=/etc/letsencrypt/live/{{ inventory_hostname }}/chain.pem dest={{ postgres_ssl_ca_file }} remote_src=true owner=postgres group=postgres mode=0400 when: postgres_ssl == 'on'
-- name: start and enable postgres
+- name: Start and enable postgres service: name=postgresql enabled=yes state=started
-- name: set postgres user password
+- name: Set postgres user password postgresql_user: name=postgres password={{ vault_postgres_users.postgres }} encrypted=yes become: true become_user: postgres become_method: su
-- name: install postgres cert renewal hook
+- name: Install postgres cert renewal hook template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/hook.d/postgres owner=root group=root mode=0755 when: postgres_ssl == 'on'
-- name: open firewall holes to known postgresql ipv4 clients
+- name: Open firewall holes to known postgresql ipv4 clients ansible.posix.firewalld: zone={{ postgres_firewalld_zone }} permanent=true state=enabled immediate=yes rich_rule="rule family=ipv4 source address={{ item }} port protocol=tcp port=5432 accept" with_items: "{{ postgres_hosts4 + postgres_ssl_hosts4 }}"
@@ -72,7 +72,7 @@
 tags:
 - firewall
-- name: open firewall holes to known postgresql ipv6 clients
+- name: Open firewall holes to known postgresql ipv6 clients
 ansible.posix.firewalld: zone={{ postgres_firewalld_zone }} permanent=true state=enabled immediate=yes rich_rule="rule family=ipv6 source address={{ item }} port protocol=tcp port=5432 accept"
 with_items: "{{ postgres_hosts6 + postgres_ssl_hosts6 }}"
@@ -80,5 +80,5 @@
 tags:
 - firewall
-- name: copy postgresql upgrade script
+- name: Copy postgresql upgrade script
 copy: src=upgrade_pg.sh dest=/usr/local/bin/upgrade_pg.sh mode=0755 owner=root group=root
diff --git a/roles/prometheus/handlers/main.yml b/roles/prometheus/handlers/main.yml
index 2c1e0aa9..9c8f6efe 100644
--- a/roles/prometheus/handlers/main.yml
+++ b/roles/prometheus/handlers/main.yml
@@ -1,2 +1,2 @@
-- name: reload prometheus
+- name: Reload prometheus
 service: name=prometheus state=reloaded
diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml
index a153ca76..7f93d580 100644
--- a/roles/prometheus/tasks/main.yml
+++ b/roles/prometheus/tasks/main.yml
@@ -1,28 +1,28 @@
-- name: install prometheus server
+- name: Install prometheus server
 pacman: name=prometheus,python-passlib,python-bcrypt state=present
-- name: install prometheus configuration
+- name: Install prometheus configuration
 template: src=prometheus.yml.j2 dest=/etc/prometheus/prometheus.yml owner=root group=prometheus mode=640
 notify: reload prometheus
-- name: install prometheus cli configuration
+- name: Install prometheus cli configuration
 template: src=prometheus.conf.j2 dest=/etc/conf.d/prometheus owner=root group=root mode=600
 notify: reload prometheus
-- name: install prometheus web-config configuration
+- name: Install prometheus web-config configuration
 template: src=web-config.yml.j2 dest=/etc/prometheus/web-config.yml owner=root group=prometheus mode=640
 notify: reload prometheus
 when: prometheus_receive_only
-- name: install prometheus alert configuration
+- name: Install prometheus alert configuration
 copy: src=node.rules.yml dest=/etc/prometheus/node.rules.yml owner=root group=root mode=644
 notify: reload prometheus
 when: not prometheus_receive_only
-- name: enable prometheus server service
+- name: Enable prometheus server service
 systemd: name=prometheus enabled=yes daemon_reload=yes state=started
-- name: open prometheus port for monitoring.archlinux.org
+- name: Open prometheus port for monitoring.archlinux.org
 ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port=9090 accept"
 when: configure_firewall and prometheus_receive_only
diff --git a/roles/prometheus_exporters/handlers/main.yml b/roles/prometheus_exporters/handlers/main.yml
index 94ee1d88..a0e86e80 100644
--- a/roles/prometheus_exporters/handlers/main.yml
+++ b/roles/prometheus_exporters/handlers/main.yml
@@ -1,2 +1,2 @@
-- name: reload blackbox exporter
+- name: Reload blackbox exporter
 service: name=prometheus-blackbox-exporter state=reloaded
diff --git a/roles/prometheus_exporters/tasks/main.yml b/roles/prometheus_exporters/tasks/main.yml
index dad9fcb0..acd889ac 100644
--- a/roles/prometheus_exporters/tasks/main.yml
+++ b/roles/prometheus_exporters/tasks/main.yml
@@ -1,27 +1,27 @@
-- name: install prometheus-node-exporter
+- name: Install prometheus-node-exporter
 pacman: name=prometheus-node-exporter,arch-audit,pacman-contrib,jq,hq,sudo state=present
-- name: install prometheus-blackbox-exporter
+- name: Install prometheus-blackbox-exporter
 pacman: name=prometheus-blackbox-exporter state=present
 when: "'prometheus' in group_names"
-- name: install smartmontools for dedicated servers
+- name: Install smartmontools for dedicated servers
 pacman: name=smartmontools state=present
 when: "'dedicated_servers' in group_names"
-- name: install prometheus-memcached-exporter
+- name: Install prometheus-memcached-exporter
 pacman: name=prometheus-memcached-exporter state=present
 when: "'memcached' in group_names"
-- name: add node_exporter to rebuilderd group
+- name: Add node_exporter to rebuilderd group
 user: name=node_exporter groups=rebuilderd append=yes
 when: "'rebuilderd' in group_names"
-- name: install prometheus-mysqld-exporter
+- name: Install prometheus-mysqld-exporter
 pacman: name=prometheus-mysqld-exporter state=present
 when: "'mysql_servers' in group_names"
-- name: create prometheus mysqld database user
+- name: Create prometheus mysqld database user
 mysql_user:
 name: '{{ prometheus_mysqld_user }}'
 password: '{{ vault_monitoring_mysql_password }}'
@@ -31,25 +31,25 @@
 MAX_USER_CONNECTIONS: 3
 when: "'mysql_servers' in group_names"
-- name: copy prometheus mysqld exporter configuration
+- name: Copy prometheus mysqld exporter configuration
 template: src=prometheus-mysqld-exporter.j2 dest=/etc/conf.d/prometheus-mysqld-exporter owner=root group=root mode=600
 when: "'mysql_servers' in group_names"
-- name: enable prometheus-mysqld-exporter service
+- name: Enable prometheus-mysqld-exporter service
 systemd: name=prometheus-mysqld-exporter enabled=yes daemon_reload=yes state=started
 when: "'mysql_servers' in group_names"
-- name: copy prometheus memcached exporter configuration
+- name: Copy prometheus memcached exporter configuration
 template: src=prometheus-memcached-exporter.j2 dest=/etc/conf.d/prometheus-memcached-exporter owner=root group=root mode=600
 when: "'memcached' in group_names"
-- name: install node exporter configuration
+- name: Install node exporter configuration
 template: src=prometheus-node-exporter.env.j2 dest=/etc/conf.d/prometheus-node-exporter owner=root group=root mode=600
-- name: create textcollector directory
+- name: Create textcollector directory
 file: path="{{ prometheus_textfile_dir }}" state=directory owner=node_exporter group=node_exporter mode=700
-- name: install node exporter textcollector scripts
+- name: Install node exporter textcollector scripts
 copy: src={{ item }} dest=/usr/local/bin/{{ item }} owner=root group=root mode=0755
 with_items:
 - arch-textcollector.sh
@@ -65,177 +65,177 @@
 - fail2ban-textcollector.sh
 - smart-textcollector.sh
-- name: install arch textcollector service
+- name: Install arch textcollector service
 template: src=prometheus-arch-textcollector.service.j2 dest=/etc/systemd/system/prometheus-arch-textcollector.service owner=root group=root mode=644
-- name: install arch textcollector timer
+- name: Install arch textcollector timer
 template: src=prometheus-arch-textcollector.timer.j2 dest=/etc/systemd/system/prometheus-arch-textcollector.timer owner=root group=root mode=644
-- name: enable and start prometheus arch textcollector timer
+- name: Enable and start prometheus arch textcollector timer
 systemd: name=prometheus-arch-textcollector.timer enabled=yes daemon_reload=yes state=started
-- name: install borg textcollector services
+- name: Install borg textcollector services
 template: src=prometheus-borg-textcollector.service.j2 dest=/etc/systemd/system/prometheus-{{ item.name }}-textcollector.service owner=root group=root mode=644
 loop:
 - { name: borg, service: borg-backup }
 - { name: borg-offsite, service: borg-backup-offsite }
 when: "'borg_clients' in group_names"
-- name: enable borg textcollector services
+- name: Enable borg textcollector services
 systemd: name=prometheus-{{ item.name }}-textcollector.service enabled=yes daemon_reload=yes
 loop:
 - { name: borg, service: borg-backup }
 - { name: borg-offsite, service: borg-backup-offsite }
 when: "'borg_clients' in group_names"
-- name: install smart textcollector service
+- name: Install smart textcollector service
 template: src=prometheus-smart-textcollector.service.j2 dest=/etc/systemd/system/prometheus-smart-textcollector.service owner=root group=root mode=644
 when: "'dedicated_servers' in group_names"
-- name: install smart textcollector timer
+- name: Install smart textcollector timer
 template: src=prometheus-smart-textcollector.timer.j2 dest=/etc/systemd/system/prometheus-smart-textcollector.timer owner=root group=root mode=644
 when: "'dedicated_servers' in group_names"
-- name: enable and start prometheus smart textcollector timer
+- name: Enable and start prometheus smart textcollector timer
 systemd: name=prometheus-smart-textcollector.timer enabled=yes daemon_reload=yes state=started
 when: "'dedicated_servers' in group_names"
-- name: install hetzner textcollector service
+- name: Install hetzner textcollector service
 template: src=prometheus-hetzner-textcollector.service.j2 dest=/etc/systemd/system/prometheus-hetzner-textcollector.service owner=root group=root mode=644
 when: "inventory_hostname == 'monitoring.archlinux.org'"
-- name: install hetzner textcollector timer
+- name: Install hetzner textcollector timer
 template: src=prometheus-hetzner-textcollector.timer.j2 dest=/etc/systemd/system/prometheus-hetzner-textcollector.timer owner=root group=root mode=644
 when: "inventory_hostname == 'monitoring.archlinux.org'"
-- name: enable and start prometheus hetzner textcollector timer
+- name: Enable and start prometheus hetzner textcollector timer
 systemd: name=prometheus-hetzner-textcollector.timer enabled=yes daemon_reload=yes state=started
 when: "inventory_hostname == 'monitoring.archlinux.org'"
-- name: install gitlab-exporter
+- name: Install gitlab-exporter
 pacman: name=gitlab-exporter state=present
 when: "inventory_hostname == 'gitlab.archlinux.org'"
-- name: install gitlab-exporter service and configuration
+- name: Install gitlab-exporter service and configuration
 template: src="{{ item.src }}" dest="{{ item.dest }}" owner=root group=root mode="{{ item.mode }}"
 with_items:
 - { src: 'gitlab-exporter.conf.j2', dest: '/etc/conf.d/gitlab-exporter', mode: '0600' }
 - { src: 'gitlab-exporter.service.j2', dest: '/etc/systemd/system/gitlab-exporter.service', mode: '0644' }
 when: "inventory_hostname == 'gitlab.archlinux.org'"
-- name: install gitlab-exporter timer
+- name: Install gitlab-exporter timer
 copy: src=gitlab-exporter.timer dest="/etc/systemd/system/gitlab-exporter.timer" owner=root group=root mode=0644
 when: "inventory_hostname == 'gitlab.archlinux.org'"
-- name: enable and start gitlab-exporter timer
+- name: Enable and start gitlab-exporter timer
 systemd: name=gitlab-exporter.timer enabled=yes daemon_reload=yes state=started
 when: "inventory_hostname == 'gitlab.archlinux.org'"
-- name: install fail2ban textcollector service
+- name: Install fail2ban textcollector service
 template: src=prometheus-fail2ban-textcollector.service.j2 dest=/etc/systemd/system/prometheus-fail2ban-textcollector.service owner=root group=root mode=644
-- name: install fail2ban textcollector timer
+- name: Install fail2ban textcollector timer
 template: src=prometheus-fail2ban-textcollector.timer.j2 dest=/etc/systemd/system/prometheus-fail2ban-textcollector.timer owner=root group=root mode=644
-- name: enable and start prometheus fail2ban textcollector timer
+- name: Enable and start prometheus fail2ban textcollector timer
 systemd: name=prometheus-fail2ban-textcollector.timer enabled=yes daemon_reload=yes state=started
-- name: install blackbox exporter configuration
+- name: Install blackbox exporter configuration
 template: src=blackbox.yml.j2 dest=/etc/prometheus/blackbox.yml owner=root group=root mode=0644
 notify: reload blackbox exporter
 when: "'prometheus' in group_names"
-- name: install rebuilderd textcollector service
+- name: Install rebuilderd textcollector service
 template: src=prometheus-rebuilderd-textcollector.service.j2 dest=/etc/systemd/system/prometheus-rebuilderd-textcollector.service owner=root group=root mode=644
 when: "'rebuilderd' in group_names"
-- name: install rebuilderd textcollector timer
+- name: Install rebuilderd textcollector timer
 template: src=prometheus-rebuilderd-textcollector.timer.j2 dest=/etc/systemd/system/prometheus-rebuilderd-textcollector.timer owner=root group=root mode=644
 when: "'rebuilderd' in group_names"
-- name: enable and start prometheus rebuilderd textcollector timer
+- name: Enable and start prometheus rebuilderd textcollector timer
 systemd: name=prometheus-rebuilderd-textcollector.timer enabled=yes daemon_reload=yes state=started
 when: "'rebuilderd' in group_names"
-- name: install rebuilderd textcollector service
+- name: Install rebuilderd textcollector service
 template: src=prometheus-archive-textcollector.service.j2 dest=/etc/systemd/system/prometheus-archive-textcollector.service owner=root group=root mode=644
 when: "'archive_mirrors' in group_names or inventory_hostname == 'gemini.archlinux.org'"
-- name: install rebuilderd textcollector service
+- name: Install rebuilderd textcollector service
 template: src=prometheus-repository-textcollector.service.j2 dest=/etc/systemd/system/prometheus-repository-textcollector.service owner=root group=root mode=644
 when: "inventory_hostname == 'gemini.archlinux.org'"
-- name: install rebuilderd textcollector timer
+- name: Install rebuilderd textcollector timer
 template: src=prometheus-archive-textcollector.timer.j2 dest=/etc/systemd/system/prometheus-archive-textcollector.timer owner=root group=root mode=644
 when: "'archive_mirrors' in group_names or inventory_hostname == 'gemini.archlinux.org'"
-- name: enable and start prometheus archive textcollector timer
+- name: Enable and start prometheus archive textcollector timer
 systemd: name=prometheus-archive-textcollector.timer enabled=yes daemon_reload=yes state=started
 when: "'archive_mirrors' in group_names or inventory_hostname == 'gemini.archlinux.org'"
-- name: install rebuilderd textcollector timer
+- name: Install rebuilderd textcollector timer
 template: src=prometheus-repository-textcollector.timer.j2 dest=/etc/systemd/system/prometheus-repository-textcollector.timer owner=root group=root mode=644
 when: "inventory_hostname == 'gemini.archlinux.org'"
-- name: enable and start prometheus repository textcollector timer
+- name: Enable and start prometheus repository textcollector timer
 systemd: name=prometheus-repository-textcollector.timer enabled=yes daemon_reload=yes state=started
 when: "inventory_hostname == 'gemini.archlinux.org'"
-- name: install sudoers for btrfs
+- name: Install sudoers for btrfs
 copy: src=sudoers dest=/etc/sudoers.d/node_exporter owner=root group=root mode=0440
 when: filesystem == "btrfs"
-- name: install btrfs textcollector service
+- name: Install btrfs textcollector service
 template: src=prometheus-btrfs-textcollector.service.j2 dest=/etc/systemd/system/prometheus-btrfs-textcollector.service owner=root group=root mode=644
 when: filesystem == "btrfs"
-- name: install btrfs textcollector timer
+- name: Install btrfs textcollector timer
 template: src=prometheus-btrfs-textcollector.timer.j2 dest=/etc/systemd/system/prometheus-btrfs-textcollector.timer owner=root group=root mode=644
 when: filesystem == "btrfs"
-- name: enable and start prometheus btrfs textcollector timer
+- name: Enable and start prometheus btrfs textcollector timer
 systemd: name=prometheus-btrfs-textcollector.timer enabled=yes daemon_reload=yes state=started
 when: filesystem == "btrfs"
-- name: install aur textcollector service
+- name: Install aur textcollector service
 template: src=prometheus-aur-textcollector.service.j2 dest=/etc/systemd/system/prometheus-aur-textcollector.service owner=root group=root mode=644
 when: "'prometheus' in group_names"
-- name: install aur textcollector timer
+- name: Install aur textcollector timer
 template: src=prometheus-aur-textcollector.timer.j2 dest=/etc/systemd/system/prometheus-aur-textcollector.timer owner=root group=root mode=644
 when: "'prometheus' in group_names"
-- name: enable and start prometheus aur textcollector timer
+- name: Enable and start prometheus aur textcollector timer
 systemd: name=prometheus-aur-textcollector.timer enabled=yes daemon_reload=yes state=started
 when: "'prometheus' in group_names"
-- name: enable prometheus-node-exporter service
+- name: Enable prometheus-node-exporter service
 systemd: name=prometheus-node-exporter enabled=yes daemon_reload=yes state=started
-- name: enable prometheus-blackbox-exporter service
+- name: Enable prometheus-blackbox-exporter service
 systemd: name=prometheus-blackbox-exporter enabled=yes daemon_reload=yes state=started
 when: "'prometheus' in group_names"
-- name: enable prometheus-memcached-exporter service
+- name: Enable prometheus-memcached-exporter service
 systemd: name=prometheus-memcached-exporter enabled=yes daemon_reload=yes state=started
 when: "'memcached' in group_names"
-- name: open prometheus-node-exporter ipv4 port for monitoring.archlinux.org
+- name: Open prometheus-node-exporter ipv4 port for monitoring.archlinux.org
 ansible.posix.firewalld: state=enabled permanent=true immediate=yes rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ prometheus_exporter_port }} accept"
 when: "'prometheus' not in group_names"
-- name: open gitlab exporter ipv4 port for monitoring.archlinux.org
+- name: Open gitlab exporter ipv4 port for monitoring.archlinux.org
 ansible.posix.firewalld: state=enabled permanent=true immediate=yes rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ gitlab_runner_exporter_port }} accept"
 when: "'gitlab_runners' in group_names"
-- name: open prometheus mysqld exporter ipv4 port for monitoring.archlinux.org
+- name: Open prometheus mysqld exporter ipv4 port for monitoring.archlinux.org
 ansible.posix.firewalld: state=enabled permanent=true immediate=yes rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ prometheus_mysqld_exporter_port }} accept"
 when: "'mysql_servers' in group_names"
-- name: open prometheus memcached exporter ipv4 port for monitoring.archlinux.org
+- name: Open prometheus memcached exporter ipv4 port for monitoring.archlinux.org
 ansible.posix.firewalld: state=enabled permanent=true immediate=yes rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ prometheus_memcached_exporter_port }} accept"
 when: "'memcached' in group_names"
diff --git a/roles/promtail/handlers/main.yml b/roles/promtail/handlers/main.yml
index 1645fbe2..cb1e2339 100644
--- a/roles/promtail/handlers/main.yml
+++ b/roles/promtail/handlers/main.yml
@@ -1,2 +1,2 @@
-- name: restart promtail
+- name: Restart promtail
 service: name=promtail daemon_reload=yes state=restarted
diff --git a/roles/promtail/tasks/main.yml b/roles/promtail/tasks/main.yml
index 640b3e6e..8a15009e 100644
--- a/roles/promtail/tasks/main.yml
+++ b/roles/promtail/tasks/main.yml
@@ -1,22 +1,22 @@
-- name: install promtail
+- name: Install promtail
 pacman: name=promtail state=present
-- name: install promtail configuration
+- name: Install promtail configuration
 template: src=promtail.yaml.j2 dest=/etc/loki/promtail.yaml owner=root group=promtail mode=0640
 notify: restart promtail
-- name: open promtail ipv4 port for monitoring.archlinux.org
+- name: Open promtail ipv4 port for monitoring.archlinux.org
 ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port=9080 accept"
 tags:
 - firewall
-- name: create drop-in directory for promtail.service
+- name: Create drop-in directory for promtail.service
 file: path=/etc/systemd/system/promtail.service.d state=directory owner=root group=root mode=0755
-- name: install drop-in for promtail.service
+- name: Install drop-in for promtail.service
 copy: src=override.conf dest=/etc/systemd/system/promtail.service.d/ owner=root group=root mode=0644
 notify: restart promtail
-- name: start and enable promtail
+- name: Start and enable promtail
 systemd: name=promtail.service enabled=yes daemon_reload=yes state=started
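Review bot: The `@@ -65,177` hunk of roles/prometheus_exporters/tasks/main.yml re-capitalises but otherwise keeps the copy-pasted titles on the archive and repository textcollector tasks, so the new side has three tasks named `Install rebuilderd textcollector service` and three named `Install rebuilderd textcollector timer`, while two of each actually install the prometheus-archive- and prometheus-repository- units. Because play output and `--start-at-task` key on these strings, identical names make a run hard to read and the archive/repository tasks impossible to address individually. Since the lines are already being rewritten, give them their real subjects: `- name: Install archive textcollector service`, `- name: Install repository textcollector service`, and the matching `Install archive textcollector timer` / `Install repository textcollector timer`.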
diff --git a/roles/public_html/tasks/main.yml b/roles/public_html/tasks/main.yml
index 01c8f61a..a54685df 100644
--- a/roles/public_html/tasks/main.yml
+++ b/roles/public_html/tasks/main.yml
@@ -1,31 +1,31 @@
-- name: create ssl cert
+- name: Create ssl cert
 include_role:
 name: certificate
 vars:
 domains: ["{{ public_domain }}", "www.{{ public_domain }}"]
-- name: copy webroot files
+- name: Copy webroot files
 copy: src=public_html dest=/srv owner=root group=root mode=0644 directory_mode=0755
-- name: install public_html scripts
+- name: Install public_html scripts
 template: src=generate-public_html.j2 dest=/usr/local/bin/generate-public_html owner=root group=root mode=0755
-- name: install public_html units
+- name: Install public_html units
 copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
 with_items:
 - generate-public_html.timer
 - generate-public_html.service
-- name: start and enable public_html units
+- name: Start and enable public_html units
 service: name={{ item }} enabled=yes state=started
 with_items:
 - generate-public_html.timer
 - generate-public_html.service
-- name: make nginx log dir
+- name: Make nginx log dir
 file: path=/var/log/nginx/{{ public_domain }} state=directory owner=root group=root mode=0755
-- name: set up nginx
+- name: Set up nginx
 template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/public_html.conf owner=root group=root mode=0644
 notify:
 - reload nginx
diff --git a/roles/quassel/handlers/main.yml b/roles/quassel/handlers/main.yml
index 4cdf85af..6c908e34 100644
--- a/roles/quassel/handlers/main.yml
+++ b/roles/quassel/handlers/main.yml
@@ -1,2 +1,2 @@
-- name: daemon reload
+- name: Daemon reload
 systemd: daemon_reload=yes
diff --git a/roles/quassel/tasks/main.yml b/roles/quassel/tasks/main.yml
index d72c9912..58f3f4f7 100644
--- a/roles/quassel/tasks/main.yml
+++ b/roles/quassel/tasks/main.yml
@@ -1,19 +1,19 @@
-- name: install quassel
+- name: Install quassel
 pacman: name=quassel-core,python-pexpect state=present
-- name: add quassel postgres db
+- name: Add quassel postgres db
 postgresql_db: db=quassel
 become: true
 become_user: postgres
 become_method: su
-- name: add quassel postgres user
+- name: Add quassel postgres user
 postgresql_user: db=quassel name=quassel password={{ vault_postgres_users.quassel }} encrypted=true
 become: true
 become_user: postgres
 become_method: su
-- name: initialize quassel
+- name: Initialize quassel
 become: true
 become_user: quassel
 become_method: sudo
@@ -31,16 +31,16 @@
 Database: ''
 creates: /var/lib/quassel/quasselcore.conf
-- name: create ssl cert
+- name: Create ssl cert
 include_role:
 name: certificate
 vars:
 domains: ["{{ quassel_domain }}"]
-- name: install quassel cert renewal hook
+- name: Install quassel cert renewal hook
 template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/hook.d/quassel owner=root group=root mode=0755
-- name: install quassel units
+- name: Install quassel units
 copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
 with_items:
 - clean-quassel.timer
@@ -48,19 +48,19 @@
 notify:
 - daemon reload
-- name: add quassel.service.d dir
+- name: Add quassel.service.d dir
 file: state=directory path=/etc/systemd/system/quassel.service.d owner=root group=root mode=0755
-- name: install quassel.service snippet
+- name: Install quassel.service snippet
 copy: src=quassel.service.d dest=/etc/systemd/system/quassel.service.d/local.conf owner=root group=root mode=0644
-- name: start and enable quassel
+- name: Start and enable quassel
 service: name={{ item }} enabled=yes state=started
 with_items:
 - quassel.service
 - clean-quassel.timer
-- name: open firewall holes
+- name: Open firewall holes
 ansible.posix.firewalld: port={{ item }} permanent=true state=enabled immediate=yes
 with_items:
 - 4242/tcp
diff --git a/roles/rebuilderd/tasks/main.yml b/roles/rebuilderd/tasks/main.yml
index 39731dcc..a8810e22 100644
--- a/roles/rebuilderd/tasks/main.yml
+++ b/roles/rebuilderd/tasks/main.yml
@@ -1,30 +1,30 @@
-- name: install required packages
+- name: Install required packages
 pacman: name=rebuilderd,rebuilderd-website state=present
-- name: create ssl cert
+- name: Create ssl cert
 include_role:
 name: certificate
 vars:
 domains: ["{{ rebuilderd_domain }}"]
-- name: configure rebuilderd.conf
+- name: Configure rebuilderd.conf
 template: src=rebuilderd.conf.j2 dest=/etc/rebuilderd.conf owner=rebuilderd group=rebuilderd mode=0660
-- name: configure rebuilderd-sync.conf
+- name: Configure rebuilderd-sync.conf
 template: src=rebuilderd-sync.conf.j2 dest=/etc/rebuilderd-sync.conf owner=rebuilderd group=rebuilderd mode=0660
-- name: make nginx log dir
+- name: Make nginx log dir
 file: path=/var/log/nginx/{{ rebuilderd_domain }} state=directory owner=root group=root mode=0755
-- name: set up nginx
+- name: Set up nginx
 template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/rebuilderd.conf owner=root group=root mode=0644
 notify:
 - reload nginx
 tags: ['nginx']
-- name: enable and start rebuilderd
+- name: Enable and start rebuilderd
 systemd: name=rebuilderd enabled=yes state=started
-- name: enable and start rebuilderd {{ item }} timer
+- name: Enable and start rebuilderd {{ item }} timer
 systemd: name=rebuilderd-sync@archlinux-{{ item }}.timer enabled=yes state=started
 with_items: "{{ suites }}"
diff --git a/roles/rebuilderd_worker/handlers/main.yml b/roles/rebuilderd_worker/handlers/main.yml
index b7dd1329..53c25acb 100644
--- a/roles/rebuilderd_worker/handlers/main.yml
+++ b/roles/rebuilderd_worker/handlers/main.yml
@@ -1,3 +1,3 @@
-- name: daemon reload
+- name: Daemon reload
 systemd:
 daemon-reload: true
diff --git a/roles/rebuilderd_worker/tasks/main.yml b/roles/rebuilderd_worker/tasks/main.yml
index c838137a..fbd34e0d 100644
--- a/roles/rebuilderd_worker/tasks/main.yml
+++ b/roles/rebuilderd_worker/tasks/main.yml
@@ -1,23 +1,23 @@
-- name: install required packages
+- name: Install required packages
 pacman: name=rebuilderd,archlinux-repro,binutils,unzip state=present
-- name: configure rebuilderd-worker.conf
+- name: Configure rebuilderd-worker.conf
 template: src=rebuilderd-worker.conf.j2 dest=/etc/rebuilderd-worker.conf owner=rebuilderd group=rebuilderd mode=0660
-- name: create arch repro configuration dir
+- name: Create arch repro configuration dir
 file: path=/etc/archlinux-repro state=directory owner=root group=root mode=0750
-- name: install archlinux-repro configuration
+- name: Install archlinux-repro configuration
 copy: src=repro.conf dest=/etc/archlinux-repro/repro.conf owner=root group=root mode=0660
-- name: enable and start rebuilderd-worker@{{ item }}
+- name: Enable and start rebuilderd-worker@{{ item }}
 systemd: name=rebuilderd-worker@{{ item }} enabled=yes state=started
 with_items: '{{ rebuilderd_workers }}'
-- name: install cleanup script
+- name: Install cleanup script
 copy: src=clean-repro dest=/usr/local/bin/clean-repro owner=root group=root mode=0755
-- name: install cleanup units
+- name: Install cleanup units
 copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
 loop:
 - clean-repro.timer
@@ -25,5 +25,5 @@
 notify:
 - daemon reload
-- name: start and enable cleanup timer
+- name: Start and enable cleanup timer
 service: name=clean-repro.timer enabled=yes state=started
diff --git a/roles/redirects/tasks/main.yml b/roles/redirects/tasks/main.yml
index 5d18d2cc..7fecac65 100644
--- a/roles/redirects/tasks/main.yml
+++ b/roles/redirects/tasks/main.yml
@@ -1,18 +1,18 @@
-- name: create ssl cert
+- name: Create ssl cert
 include_role:
 name: certificate
 vars:
 domains: ["{{ item.domain }}"]
 loop: "{{ redirects }}"
-- name: make nginx log dir
+- name: Make nginx log dir
 file: path=/var/log/nginx/{{ item.domain }} state=directory owner=root group=root mode=0755
 loop: "{{ redirects }}"
-- name: set up nginx
+- name: Set up nginx
 template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/redirects.conf" owner=root group=root mode=644
 notify: reload nginx
 tags: ['nginx']
-- name: copy nginx map files
+- name: Copy nginx map files
 copy: src=maps dest=/etc/nginx/ owner=root group=root mode=0600
diff --git a/roles/redis/tasks/main.yml b/roles/redis/tasks/main.yml
index be5d43cb..12203cd5 100644
--- a/roles/redis/tasks/main.yml
+++ b/roles/redis/tasks/main.yml
@@ -1,5 +1,5 @@
-- name: install redis
+- name: Install redis
 pacman: name=redis state=present
-- name: start and enable redis
+- name: Start and enable redis
 service: name=redis enabled=yes state=started
diff --git a/roles/root_ssh/tasks/main.yml b/roles/root_ssh/tasks/main.yml
index 153420e8..532bd1af 100644
--- a/roles/root_ssh/tasks/main.yml
+++ b/roles/root_ssh/tasks/main.yml
@@ -1,5 +1,5 @@
-- name: create .ssh directory
+- name: Create .ssh directory
 file: path={{ root_ssh_directory }} state=directory owner=root group=root mode=0700
-- name: add authorized keys for root
+- name: Add authorized keys for root
 template: src=authorized_keys.j2 dest={{ root_ssh_directory }}/authorized_keys mode=0600 owner=root group=root
diff --git a/roles/rspamd/handlers/main.yml b/roles/rspamd/handlers/main.yml
index ee62a961..c0ac9597 100644
--- a/roles/rspamd/handlers/main.yml
+++ b/roles/rspamd/handlers/main.yml
@@ -1,2 +1,2 @@
-- name: reload rspamd
+- name: Reload rspamd
 service: name=rspamd state=reloaded
diff --git a/roles/rspamd/tasks/main.yml b/roles/rspamd/tasks/main.yml
index 9ed46fb0..d98793b0 100644
--- a/roles/rspamd/tasks/main.yml
+++ b/roles/rspamd/tasks/main.yml
@@ -1,17 +1,17 @@
-- name: install rspamd
+- name: Install rspamd
 pacman: name=rspamd state=present
-- name: install config
+- name: Install config
 copy: src=local.d/ dest=/etc/rspamd/local.d/ owner=root group=root mode=0644
 notify:
 - reload rspamd
-- name: install dkim_signing.conf
+- name: Install dkim_signing.conf
 template: src=dkim_signing.conf.j2 dest=/etc/rspamd/local.d/dkim_signing.conf owner=root group=root mode=0644
 notify:
 - reload rspamd
-- name: create rspamd dkim directory
+- name: Create rspamd dkim directory
 file: path=/var/lib/rspamd/dkim state=directory owner=rspamd group=rspamd mode=0750
 # For this to run, you need to generate the keys first
@@ -25,7 +25,7 @@
 # roles/rspamd/files/archlinux.org.dkim-rsa.key
 # roles/rspamd/files/archlinux.org.dkim-ed25519.key
 #
-- name: install DKIM keys
+- name: Install DKIM keys
 copy: src={{ item }} dest=/var/lib/rspamd/dkim/ owner=rspamd group=rspamd mode=0600
 loop:
 - "{{ rspamd_dkim_domain }}.dkim-ed25519.key"
@@ -33,5 +33,5 @@
 notify:
 - reload rspamd
-- name: start and enable rspamd
+- name: Start and enable rspamd
 service: name=rspamd enabled=yes state=started
diff --git a/roles/rsync_net/tasks/main.yml b/roles/rsync_net/tasks/main.yml
index 921ffe4a..2933976d 100644
--- a/roles/rsync_net/tasks/main.yml
+++ b/roles/rsync_net/tasks/main.yml
@@ -1,26 +1,26 @@
 # This role runs on localhost; use commands like sftp to upload configuration
-- name: create the root backup directory at {{ backup_dir }}
+- name: Create the root backup directory at {{ backup_dir }}
 expect:
 command: bash -c "echo 'mkdir {{ backup_dir }}' | sftp {{ rsync_net_username }}@{{ rsync_net_username }}.rsync.net"
 responses:
 (?i)password: "{{ rsync_net_password }}"
-- name: fetch ssh keys from each borg client machine
+- name: Fetch ssh keys from each borg client machine
 command: cat /root/.ssh/id_rsa.pub
 register: client_ssh_keys
 delegate_to: "{{ item }}"
 with_items: "{{ backup_clients }}"
 changed_when: client_ssh_keys.changed
-- name: create tempfile
+- name: Create tempfile
 tempfile: state=file
 register: tempfile
-- name: fill tempfile
+- name: Fill tempfile
 copy: content="{{ lookup('template', 'authorized_keys.j2') }}" dest="{{ tempfile.path }}" mode=0644 # noqa 208
-- name: upload authorized_keys file
+- name: Upload authorized_keys file
 expect:
 command: |
 bash -c 'sftp {{ rsync_net_username }}@{{ rsync_net_username }}.rsync.net <