ansible: Split base role into separate task files
authornicoo <nicoo@realraum.at>
Mon, 17 Dec 2018 15:14:47 +0000 (16:14 +0100)
committernicoo <nicoo@realraum.at>
Mon, 17 Dec 2018 16:08:38 +0000 (17:08 +0100)
It was becoming difficult to find things in there.

ansible/roles/base/tasks/01ssh.yml [new file with mode: 0644]
ansible/roles/base/tasks/02debian.yml [new file with mode: 0644]
ansible/roles/base/tasks/03ntp.yml [new file with mode: 0644]
ansible/roles/base/tasks/04systemd.yml [new file with mode: 0644]
ansible/roles/base/tasks/05tools.yml [new file with mode: 0644]
ansible/roles/base/tasks/main.yml

diff --git a/ansible/roles/base/tasks/01ssh.yml b/ansible/roles/base/tasks/01ssh.yml
new file mode 100644 (file)
index 0000000..7e9eab5
--- /dev/null
@@ -0,0 +1,51 @@
+---
+- set_fact:
+    sshd_allowusers: >-
+      {{ [ 'root' ] | union(user_groups.noc)
+                    | union(sshd_allowusers_group | default([]))
+                    | union(sshd_allowusers_host  | default([])) }}
+
+- name: only allow pubkey auth for root
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: "^PermitRootLogin"
+    line: "PermitRootLogin without-password"
+  notify: restart ssh
+
+- name: limit allowed users (1/2)
+  when: sshd_allowgroup is not defined
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: "^#?AllowUsers"
+    line: "AllowUsers {{ ' '.join(sshd_allowusers) }}"
+  notify: restart ssh
+
+- block:
+    - name: "limit allowed users (2/2): Make sure AllowUsers is not in sshd_config"
+      lineinfile:
+        dest: /etc/ssh/sshd_config
+        regexp: "^AllowUsers"
+        state: absent
+      notify: restart ssh
+
+    - name: "limit allowed users (2/2): Set AllowGroups in sshd_config"
+      lineinfile:
+        dest: /etc/ssh/sshd_config
+        regexp: "^#?AllowGroups"
+        line: AllowGroups {{ sshd_allowgroup }}
+      notify: restart ssh
+
+    - name: "limit allowed users (2/2): Add allowed users to ssh group"
+      user:
+        name: "{{ item }}"
+        groups: "{{ sshd_allowgroup }}"
+        append: True
+      with_items: "{{ sshd_allowusers }}"
+
+  when: sshd_allowgroup is defined
+
+- name: Set authorized keys for root user
+  authorized_key:
+    user: root
+    key: "{{ ssh_users_root | user_ssh_keys(users) | join('\n') }}"
+    exclusive: yes
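Review bot: None of the four lineinfile edits to /etc/ssh/sshd_config ("only allow pubkey auth for root", "limit allowed users (1/2)" and the two "(2/2)" tasks) validate the resulting file before `notify: restart ssh` fires, so a malformed `sshd_allowgroup` value or a bad `AllowUsers` expansion would be written and the handler would then restart sshd into a config that rejects every login. lineinfile supports `validate: /usr/sbin/sshd -t -f %s`; with it on each of those tasks the module refuses the edit and leaves sshd_config untouched. The `set_fact` task and the `block` carry no `name`, which makes play output and `--start-at-task` harder to use; a `name: compute sshd_allowusers` on the first and `name: limit allowed users (2/2)` on the block would help. As a style point, `append: True` and `exclusive: yes` are YAML 1.1 truthy spellings that yamllint flags; `true` is the canonical form.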
diff --git a/ansible/roles/base/tasks/02debian.yml b/ansible/roles/base/tasks/02debian.yml
new file mode 100644 (file)
index 0000000..7aef268
--- /dev/null
@@ -0,0 +1,39 @@
+---
+- name: disable apt suggests and recommends
+  copy:
+    src: 02no-recommends
+    dest: /etc/apt/apt.conf.d/
+    mode: 0644
+
+- name: install basic packages
+  apt:
+    name:
+      - less
+      - psmisc
+      - sudo
+      - dstat
+      - mtr-tiny
+      - tcpdump
+      - debian-goodies
+      - lsof
+      - haveged
+      - net-tools
+      - screen
+      - aptitude
+      - unp
+      - ca-certificates
+      - file
+      - nano
+      - python-apt
+      - command-not-found
+      - man-db
+      - lshw
+    state: present
+
+- name: make sure grml-(etc|scripts)-core is not installed
+  apt:
+    name:
+      - grml-etc-core
+      - grml-scripts-core
+    state: absent
+    purge: yes
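Review bot: `mode: 0644` on the "disable apt suggests and recommends" copy task is a plain scalar that the YAML parser reads as an octal integer; Ansible accepts the leading-zero form, but the same value without the leading zero would be taken as decimal and silently produce a different mode, which is why Ansible's own module docs recommend quoting it as `mode: "0644"`. The same unquoted mode appears in 04systemd.yml ("set systemd-related environment variables" and the console-setup override) and in 05tools.yml ("Deploy default configuration for tools"). `purge: yes` on the grml removal task is a YAML 1.1 truthy spelling; `purge: true` is the canonical form.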
diff --git a/ansible/roles/base/tasks/03ntp.yml b/ansible/roles/base/tasks/03ntp.yml
new file mode 100644 (file)
index 0000000..621e7f6
--- /dev/null
@@ -0,0 +1,25 @@
+---
+- when: base_managed_ntpd
+  block:
+    - name: check that ISC ntpd is not installed
+      apt:
+        name: ntp
+        state: absent
+        purge: yes
+
+    - name: install openntpd
+      apt:
+        name: openntpd
+
+    - name: configure openntpd
+      copy:
+        dest: /etc/openntpd/ntpd.conf
+        content: |
+          # Use the ffgraz.net NTP server
+          servers ntp.ffgraz.net weight 3
+
+          # Use some servers announced from the NTP Pool
+          servers 0.debian.pool.ntp.org
+          servers 1.debian.pool.ntp.org
+
+      notify: restart openntpd
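Review bot: The `when: base_managed_ntpd` block has no `name`, so it appears in play output only through its child tasks and cannot be referenced with `--start-at-task`; a `name: manage openntpd` on the block would fix that, and the same applies to the unnamed block in 01ssh.yml. The "install openntpd" apt task omits `state`, while the other apt tasks in this split ("install basic packages", "install systemd specific packages") spell out `state: present`; adding it keeps the files consistent.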
diff --git a/ansible/roles/base/tasks/04systemd.yml b/ansible/roles/base/tasks/04systemd.yml
new file mode 100644 (file)
index 0000000..dca585c
--- /dev/null
@@ -0,0 +1,30 @@
+---
+- name: install systemd specific packages
+  apt:
+    state: present
+    name:
+      - dbus
+      - libpam-systemd
+
+- name: set systemd-related environment variables
+  copy:
+    src: xdg_runtime_dir.sh
+    dest: /etc/profile.d/xdg_runtime_dir.sh
+    mode: 0644
+
+
+- when: ansible_distribution == "Ubuntu"
+  block:
+    - name: workaround console-setup race condition (1/2)
+      file:
+        path: /etc/systemd/system/console-setup.service.d/
+        state: directory
+
+    - name: workaround console-setup race condition (2/2)
+      copy:
+        dest: /etc/systemd/system/console-setup.service.d/override.conf
+        mode: 0644
+        content: |
+          [Unit]
+          After=systemd-tmpfiles-setup.service
+        # no need to reload systemd, it is only there to fix a boot-time race-condition
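Review bot: The `when: ansible_distribution == "Ubuntu"` console-setup block is now only reached when main.yml's `when: ansible_service_mgr == "systemd"` on the `import_tasks: 04systemd.yml` line holds, whereas before the split that block ran on every Ubuntu host regardless of the service manager. That is defensible, since the block writes a systemd drop-in, but it is a behavioural change rather than a pure move and the commit message does not mention it; a comment above the block, `# only reached when ansible_service_mgr == "systemd" (conditional import in main.yml)`, would record the dependency for the next reader. The two consecutive blank lines before that block would be flagged by yamllint's empty-lines rule.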
diff --git a/ansible/roles/base/tasks/05tools.yml b/ansible/roles/base/tasks/05tools.yml
new file mode 100644 (file)
index 0000000..8a25597
--- /dev/null
@@ -0,0 +1,34 @@
+---
+- name: install base tools
+  apt:
+    name:
+      - htop
+      - zsh
+
+- name: set root default shell to zsh
+  user:
+    name: root
+    shell: /bin/zsh
+
+- name: set default shell for adduser
+  with_dict:
+    DSHELL: /bin/zsh
+  lineinfile:
+    dest: /etc/adduser.conf
+    regexp: "^#?{{ item.key }}="
+    line: "{{ item.key }}={{ item.value }}"
+
+- name: Deploy default configuration for tools
+  with_dict:
+    /etc/htoprc: "{{ global_files_dir }}/common/htoprc"
+
+    /etc/zsh/zprofile: zprofile
+    /etc/zsh/zshrc: zshrc
+    /etc/skel/.zshrc: zshrc.skel
+
+  loop_control:
+    label: "{{ item.key }}"
+  copy:
+    mode: 0644
+    src: "{{ item.value }}"
+    dest: "{{ item.key }}"
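Review bot: The "set default shell for adduser" task runs a `with_dict` loop over a single fixed entry, so `regexp` and `line` are assembled through `item.key`/`item.value` for one constant; writing them directly — `regexp: "^#?DSHELL="` and `line: "DSHELL=/bin/zsh"` — drops the loop and reads at a glance. The "install base tools" apt task omits `state: present` while the package tasks in 02debian.yml spell it out; adding it keeps the split files consistent. The ordering here (zsh installed before "set root default shell to zsh" changes root's login shell to /bin/zsh) matches the old main.yml, but a comment `# zsh must be installed before it is set as root's shell` would make that ordering dependency explicit.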
index b148a6d..1bf4243 100644 (file)
@@ -1,177 +1,7 @@
 ---
-- set_fact:
-    sshd_allowusers: >-
-      {{ [ 'root' ] | union(user_groups.noc)
-                    | union(sshd_allowusers_group | default([]))
-                    | union(sshd_allowusers_host  | default([])) }}
-
-- name: only allow pubkey auth for root
-  lineinfile:
-    dest: /etc/ssh/sshd_config
-    regexp: "^PermitRootLogin"
-    line: "PermitRootLogin without-password"
-  notify: restart ssh
-
-- name: limit allowed users (1/2)
-  when: sshd_allowgroup is not defined
-  lineinfile:
-    dest: /etc/ssh/sshd_config
-    regexp: "^#?AllowUsers"
-    line: "AllowUsers {{ ' '.join(sshd_allowusers) }}"
-  notify: restart ssh
-
-- block:
-    - name: "limit allowed users (2/2): Make sure AllowUsers is not in sshd_config"
-      lineinfile:
-        dest: /etc/ssh/sshd_config
-        regexp: "^AllowUsers"
-        state: absent
-      notify: restart ssh
-
-    - name: "limit allowed users (2/2): Set AllowGroups in sshd_config"
-      lineinfile:
-        dest: /etc/ssh/sshd_config
-        regexp: "^#?AllowGroups"
-        line: AllowGroups {{ sshd_allowgroup }}
-      notify: restart ssh
-
-    - name: "limit allowed users (2/2): Add allowed users to ssh group"
-      user:
-        name: "{{ item }}"
-        groups: "{{ sshd_allowgroup }}"
-        append: True
-      with_items: "{{ sshd_allowusers }}"
-
-  when: sshd_allowgroup is defined
-
-- name: Set authorized keys for root user
-  authorized_key:
-    user: root
-    key: "{{ ssh_users_root | user_ssh_keys(users) | join('\n') }}"
-    exclusive: yes
-
-- name: disable apt suggests and recommends
-  copy:
-    src: 02no-recommends
-    dest: /etc/apt/apt.conf.d/
-    mode: 0644
-
-- name: install basic packages
-  apt:
-    name:
-      - less
-      - psmisc
-      - sudo
-      - htop
-      - dstat
-      - mtr-tiny
-      - tcpdump
-      - debian-goodies
-      - lsof
-      - haveged
-      - net-tools
-      - screen
-      - aptitude
-      - unp
-      - ca-certificates
-      - file
-      - nano
-      - zsh
-      - python-apt
-      - command-not-found
-      - man-db
-      - lshw
-    state: present
-
-- when: base_managed_ntpd
-  block:
-    - name: check that ISC ntpd is not installed
-      apt:
-        name: ntp
-        state: absent
-        purge: yes
-
-    - name: install openntpd
-      apt:
-        name: openntpd
-
-    - name: configure openntpd
-      copy:
-        dest: /etc/openntpd/ntpd.conf
-        content: |
-          # Use the ffgraz.net NTP server
-          servers ntp.ffgraz.net weight 3
-
-          # Use some servers announced from the NTP Pool
-          servers 0.debian.pool.ntp.org
-          servers 1.debian.pool.ntp.org
-
-      notify: restart openntpd
-
-
-- name: make sure grml-(etc|scripts)-core is not installed
-  apt:
-    name:
-      - grml-etc-core
-      - grml-scripts-core
-    state: absent
-    purge: yes
-
-- block:
-    - name: install systemd specific packages
-      apt:
-        name:
-          - dbus
-          - libpam-systemd
-        state: present
-
-    - name: set systemd-related environment variables
-      copy:
-        src: xdg_runtime_dir.sh
-        dest: /etc/profile.d/xdg_runtime_dir.sh
-        mode: 0644
-
-  when: ansible_service_mgr == "systemd"
-
-- block:
-    - name: workaround console-setup race condition (1/2)
-      file:
-        path: /etc/systemd/system/console-setup.service.d/
-        state: directory
-
-    - name: workaround console-setup race condition (2/2)
-      copy:
-        content: "[Unit]\nAfter=systemd-tmpfiles-setup.service\n"
-        dest: /etc/systemd/system/console-setup.service.d/override.conf
-        mode: 0644
-      # no need to relaod systemd here, it is only there to fix a boot-time race-condition
-
-  when: ansible_distribution == "Ubuntu"
-
-- name: set root default shell to zsh
-  user:
-    name: root
-    shell: /bin/zsh
-
-- name: set default shell for adduser
-  with_dict:
-    DSHELL: /bin/zsh
-  lineinfile:
-    dest: /etc/adduser.conf
-    regexp: "^#?{{ item.key }}="
-    line: "{{ item.key }}={{ item.value }}"
-
-- name: Deploy default configuration for tools
-  with_dict:
-    /etc/htoprc: "{{ global_files_dir }}/common/htoprc"
-
-    /etc/zsh/zprofile: zprofile
-    /etc/zsh/zshrc: zshrc
-    /etc/skel/.zshrc: zshrc.skel
-
-  loop_control:
-    label: "{{ item.key }}"
-  copy:
-    mode: 0644
-    src: "{{ item.value }}"
-    dest: "{{ item.key }}"
+- import_tasks: 01ssh.yml
+- import_tasks: 02debian.yml
+- import_tasks: 03ntp.yml
+- when: ansible_service_mgr == "systemd"
+  import_tasks: 04systemd.yml
+- import_tasks: 05tools.yml
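Review bot: The `when:` on the `import_tasks: 04systemd.yml` entry is applied to every task in the imported file, including the Ubuntu-only console-setup block that previously had only its own distribution condition; that inheritance is not visible from main.yml alone. A comment on that entry, `# when: on a static import is inherited by every task in 04systemd.yml`, would make the behaviour clear. A short header comment stating that the numeric prefixes fix the execution order (ssh hardening first, tools last) would also help, since nothing else in the file documents why the order matters.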