
Fix various deprecated syntax issues to be Ansible 2.0 friendly

Emmanuel Bouthenot 8 년 전
부모
커밋
351f45de6c

+ 6 - 6
roles/common/tasks/base.yml

@@ -19,14 +19,14 @@
     id: '{{ item.id }}'
     url: '{{ item.url }}'
     state: 'present'
-  with_items: apt_keys
+  with_items: '{{ apt_keys }}'
   when: apt_keys
 
 - name: Add apt sources for custom Debian repositories
   apt_repository:
     repo: 'deb {{ item.uri }} {{ item.suite }} {{ item.sections }}'
     state: 'present'
-  with_items: apt_repositories
+  with_items: '{{ apt_repositories }}'
   when: apt_repositories
 
 - name: Remove deprecated apt options files
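Review bot: The new `with_items: '{{ apt_keys }}'` in 'Add apt keys' is not protected by the `when: apt_keys` under it: as far as I know Ansible expands the loop before it evaluates the per-item `when`, so a host that never defines `apt_keys` fails on an undefined variable instead of skipping the task (the old bare form had the same exposure, the commit just makes it explicit). Guard the loop itself, `with_items: '{{ apt_keys | default([]) }}'`, and likewise `'{{ apt_repositories | default([]) }}'` in the next task. The same pattern recurs in the two later hunks of this file (`apt_additional_packages`, the three `admins` tasks) and in every other file of this commit (dkim.yml, ssl.yml, pure-ftpd.yml, apache2.yml, nginx.yml); with `default([])` in place the `when:` guards become redundant but harmless.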
@@ -65,7 +65,7 @@
 
 - name: Install additional packages
   apt: pkg={{ item }} install_recommends=no state=installed update_cache=yes
-  with_items: apt_additional_packages
+  with_items: '{{ apt_additional_packages }}'
   when: apt_additional_packages
 
 - name: Install ntp daemon
@@ -114,16 +114,16 @@
 
 - name: Install unprivileged user
   user: name="{{item.user}}" comment="{{item.fullname}}" groups=adm,operator,sudo append=yes shell=/bin/zsh state=present
-  with_items: admins
+  with_items: '{{ admins }}'
   when: admins
 
 - name: Install SSH key for unprivileged user
   authorized_key: user="{{item.user}}" key="{{lookup('file', 'data/users/' + item.user + '/id_rsa.pub')}}" state=present
-  with_items: admins
+  with_items: '{{ admins }}'
   when: admins
 
 - name: Install SSH key for root
   authorized_key: user=root key="{{lookup('file', 'data/users/' + item.user + '/id_rsa.pub')}}" state=present
-  with_items: admins
+  with_items: '{{ admins }}'
   when: admins
 

+ 1 - 1
roles/common/tasks/dkim.yml

@@ -68,5 +68,5 @@
     owner: 'root'
     group: 'opendkim'
     mode: '0640'
-  with_items: dkim_domains
+  with_items: '{{ dkim_domains }}'
   when: dkim_domains

+ 93 - 61
roles/common/tasks/security.yml

@@ -1,86 +1,118 @@
-- name: Install auto upgrades package
-  apt: pkg=unattended-upgrades state=installed update_cache=yes
+- name: 'Install auto upgrades package'
+  apt:
+    pkg: 'unattended-upgrades'
+    state: 'installed'
+    update_cache: 'yes'
   when: with_auto_upgrade
 
-- name: Reconfigure unattended-upgrades package
-  debconf: name="unattended-upgrades" question="unattended-upgrades/enable_auto_updates" value="true" vtype="boolean"
+- name: 'Reconfigure unattended-upgrades package'
+  debconf:
+    name: 'unattended-upgrades'
+    question: 'unattended-upgrades/enable_auto_updates'
+    value: 'true'
+    vtype: 'boolean'
   notify:
-    - Reconfigure unattended-upgrades
+    - 'Reconfigure unattended-upgrades'
   when: with_auto_upgrade
 
-- name: Update unattended-upgrades configuration
-  template: src={{ item }} dest=/etc/apt/apt.conf.d/90unattended-upgrades-local owner=root group=root mode=0644
-  first_available_file:
-    - apt/auto-upgrades.{{ ansible_lsb.codename }}.j2
-    - apt/auto-upgrades.j2
+- name: 'Update unattended-upgrades configuration'
+  template:
+    src: '{{ item }}'
+    dest: '/etc/apt/apt.conf.d/90unattended-upgrades-local'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_first_found:
+    - 'apt/auto-upgrades.{{ ansible_lsb.codename }}.j2'
+    - 'apt/auto-upgrades.j2'
   when: with_auto_upgrade
 
-- name: Install logcheck packages
-  apt: pkg={{ item }} state=installed update_cache=yes
+- name: 'Install logcheck packages'
+  apt:
+    pkg: '{{ item }}'
+    state: 'installed'
+    update_cache: 'yes'
   with_items:
-    - logcheck
-    - logcheck-database
+    - 'logcheck'
+    - 'logcheck-database'
   when: with_logcheck
 
-- name: Install local configuration files for logcheck
-  copy: src=logcheck/{{ item }}_local dest=/etc/logcheck/ignore.d.server/{{ item }}_local owner=root group=root mode=0644
+- name: 'Install local configuration files for logcheck'
+  copy:
+    src: 'logcheck/{{ item }}_local'
+    dest: '/etc/logcheck/ignore.d.server/{{ item }}_local'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
   with_items:
-    - amavisd-new
-    - ansible
-    - apache2
-    - bind
-    - dhclient
-    - dnsmasq
-    - dovecot
-    - dropbear
-    - ferm
-    - git-daemon
-    - gogs
-    - ipmi
-    - irqbalance
-    - kernel
-    - libpam-modules
-    - mon
-    - noip2
-    - ntp
-    - openvpn
-    - php
-    - postfix
-    - pure-ftpd
-    - pve-cluster
-    - redir
-    - rpc-mountd
-    - rrdcached
-    - rsyslog
-    - smartd
-    - spamd
-    - sshd
-    - svn
-    - sympa
-    - systemd
-    - zabbix-agentd
+    - 'amavisd-new'
+    - 'ansible'
+    - 'apache2'
+    - 'bind'
+    - 'dhclient'
+    - 'dnsmasq'
+    - 'dovecot'
+    - 'dropbear'
+    - 'ferm'
+    - 'git-daemon'
+    - 'gogs'
+    - 'ipmi'
+    - 'irqbalance'
+    - 'kernel'
+    - 'libpam-modules'
+    - 'mon'
+    - 'noip2'
+    - 'ntp'
+    - 'openvpn'
+    - 'php'
+    - 'postfix'
+    - 'pure-ftpd'
+    - 'pve-cluster'
+    - 'redir'
+    - 'rpc-mountd'
+    - 'rrdcached'
+    - 'rsyslog'
+    - 'smartd'
+    - 'spamd'
+    - 'sshd'
+    - 'svn'
+    - 'sympa'
+    - 'systemd'
+    - 'zabbix-agentd'
   when: with_logcheck
 
-- name: Update logcheck cron job
-  template: src=cron/logcheck.j2 dest=/etc/cron.d/logcheck owner=root group=root mode=0644
+- name: 'Update logcheck cron job'
+  template:
+    src: 'cron/logcheck.j2'
+    dest: '/etc/cron.d/logcheck'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
   when: with_logcheck
 
-- name: Install rkhunter related packages
-  apt: pkg={{ item }} state=installed update_cache=yes
+- name: 'Install rkhunter related packages'
+  apt:
+    pkg: '{{ item }}'
+    state: 'installed'
+    update_cache: 'yes'
   with_items:
-    - lsof
-    - unhide
-    - rkhunter
+    - 'lsof'
+    - 'unhide'
+    - 'rkhunter'
   when: with_rkhunter
 
-- name: Reconfigure rkhunter package
-  debconf: name="{{item.name}}" question="{{item.question}}" value="{{item.value}}" vtype="{{item.vtype}}"
+- name: 'Reconfigure rkhunter package'
+  debconf:
+    name: '{{item.name}}'
+    question: '{{item.question}}'
+    value: '{{item.value}}'
+    vtype: '{{item.vtype}}'
   with_items:
     - { name: 'rkhunter', question: 'rkhunter/apt_autogen', value: 'true', vtype: 'boolean' }
     - { name: 'rkhunter', question: 'rkhunter/cron_daily_run', value: 'true', vtype: 'boolean' }
     - { name: 'rkhunter', question: 'rkhunter/cron_db_update', value: 'true', vtype: 'boolean' }
   notify:
-    - Reconfigure rkhunter
+    - 'Reconfigure rkhunter'
   when: with_rkhunter
 
 - name: Update rkhunter configuration
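Review bot: The `with_first_found` list in 'Update unattended-upgrades configuration' still dereferences `ansible_lsb.codename`; on a Debian host without the `lsb-release` package that fact is empty as far as I recall, and the lookup then errors on the missing attribute rather than falling through to `apt/auto-upgrades.j2`. `ansible_distribution_release` is gathered without lsb-release and carries the same codename on Debian, so `- 'apt/auto-upgrades.{{ ansible_distribution_release }}.j2'` is the safer first candidate. Separately, the three apt tasks in this hunk use `state: 'installed'` and `update_cache: 'yes'`; given that the commit's purpose is Ansible 2.0-friendly syntax, `state: 'present'` and `update_cache: true` are the forms the module documents.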
@@ -108,4 +140,4 @@
   args:
     creates: '/etc/ssl/private/dh{{ item }}.pem'
   with_items:
-    - 2048
+    - '2048'

+ 8 - 8
roles/common/tasks/ssl.yml

@@ -5,7 +5,7 @@
     owner: 'root'
     group: 'root'
     mode: '0755'
-  with_items: ssl_certs
+  with_items: '{{ ssl_certs }}'
   when: ssl_certs
 
 - name: 'Install ssl certificates (certificate)'
@@ -16,7 +16,7 @@
     group: 'root'
     mode: '0640'
   register: ssl_cert_result
-  with_items: ssl_certs
+  with_items: '{{ ssl_certs }}'
   when: ssl_certs
 
 - name: 'Install ssl certificates (private key)'
@@ -27,7 +27,7 @@
     group: 'root'
     mode: '0640'
   register: ssl_key_result
-  with_items: ssl_certs
+  with_items: '{{ ssl_certs }}'
   when: ssl_certs
 
 - name: 'Install ssl certificates (chain)'
@@ -38,29 +38,29 @@
     group: 'root'
     mode: '0644'
   register: ssl_chain_result
-  with_items: ssl_certs
+  with_items: '{{ ssl_certs }}'
   when: ssl_certs
 
 - name: 'Gathering info about ssl full chain (certificate + chain)'
   stat:
     path: '/etc/ssl/local/certs/{{ item }}/fullchain.pem'
-  with_items: ssl_certs
+  with_items: '{{ ssl_certs }}'
   register: ssl_fullchain_stats
   when: ssl_certs
 
 - name: 'Gathering info about ssl bundle (key + fullchain)'
   stat:
     path: '/etc/ssl/local/certs/{{ item }}/bundle.pem'
-  with_items: ssl_certs
+  with_items: '{{ ssl_certs }}'
   register: ssl_bundle_stats
   when: ssl_certs
 
 - name: 'Create ssl certificates full chain (certificate + chain)'
   shell: sed '/^\s*$/d' '/etc/ssl/local/certs/{{ item.item }}/cert.pem' '/etc/ssl/local/certs/{{ item.item }}/chain.pem' > '/etc/ssl/local/certs/{{ item.item }}/fullchain.pem'
-  with_items: ssl_fullchain_stats.results
+  with_items: '{{ ssl_fullchain_stats.results }}'
   when: ssl_certs and (not item.stat.exists or ssl_cert_result|changed or ssl_chain_result|changed)
 
 - name: 'Create ssl certificates bundle (key + certificate + bundle)'
   shell: sed '/^\s*$/d' '/etc/ssl/local/certs/{{ item.item }}/privkey.pem' '/etc/ssl/local/certs/{{ item.item }}/cert.pem' '/etc/ssl/local/certs/{{ item.item }}/chain.pem' > '/etc/ssl/local/certs/{{ item.item }}/bundle.pem'
-  with_items: ssl_bundle_stats.results
+  with_items: '{{ ssl_bundle_stats.results }}'
   when: ssl_certs and (not item.stat.exists or ssl_key_result|changed or ssl_cert_result|changed or ssl_chain_result|changed)
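Review bot: The loop now driven by `with_items: '{{ ssl_bundle_stats.results }}'` runs a `shell` task that writes `bundle.pem`, which includes `privkey.pem`, through a plain `>` redirect, so the file's permissions come from root's umask rather than from the playbook; nothing here gives it the `mode: '0640'` that the key file itself receives in 'Install ssl certificates (private key)' above. Either prefix the command with `umask 077;` or follow the task with a `file` task setting `mode: '0640'` on `/etc/ssl/local/certs/{{ item.item }}/bundle.pem`. `fullchain.pem` holds no key material, so it only matters there for consistency.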

+ 2 - 2
roles/ftpserver/tasks/pure-ftpd.yml

@@ -78,12 +78,12 @@
     group: '{{item.gid}}'
     mode: 0755
     state: 'directory'
-  with_items: ftp_accounts
+  with_items: '{{ ftp_accounts }}'
   when: ftp_accounts and with_ftp
 
 - name: 'Add FTP accounts in pure-ftpd'
   raw: printf "{{item.password}}\n{{item.password}}\n" | pure-pw useradd "{{item.user}}" -d "{{item.home}}" -u "{{item.uid}}" -g "{{item.gid}}"
-  with_items: ftp_accounts
+  with_items: '{{ ftp_accounts }}'
   when: ftp_accounts and with_ftp
 
 - name: 'Rebuild pure-ftpd internal DB'
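Review bot: Both tasks that now loop over `with_items: '{{ ftp_accounts }}'` echo each loop `item` in the task result, and the `item` mapping carries `password`, so every FTP password ends up in the play output and in any log Ansible writes; the `raw` command in 'Add FTP accounts in pure-ftpd' additionally embeds `{{item.password}}` twice on the command line. Add `no_log: true` to both the directory task and the `raw` task to keep the credentials out of the output. The brief exposure of the password in the remote process list is a property of feeding `pure-pw` through `printf` and would need a different input method to close; `no_log` does not address it.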

+ 1 - 1
roles/webserver/tasks/apache2.yml

@@ -21,7 +21,7 @@
     owner: 'root'
     group: 'root'
     mode: '0644'
-  with_items: ssl_certs
+  with_items: '{{ ssl_certs }}'
   notify:
     - 'Reload apache2'
   when: with_apache2 and ssl_certs

+ 1 - 1
roles/webserver/tasks/nginx.yml

@@ -84,7 +84,7 @@
     owner: 'root'
     group: 'root'
     mode: '0644'
-  with_items: ssl_certs
+  with_items: '{{ ssl_certs }}'
   notify:
     - 'Reload nginx'
   when: with_nginx and ssl_certs