diff --git a/.ansible-lint b/.ansible-lint deleted file mode 100644 index e99d805..0000000 --- a/.ansible-lint +++ /dev/null @@ -1,5 +0,0 @@ -parseable: true -quiet: true -skip_list: - - '501' -use_default_rules: true diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index a629be7..6dbc62c 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,33 +1,15 @@ stages: - lint - - test cache: - key: "$CI_COMMIT_REF_SLUG" + key: $CI_COMMIT_REF_SLUG paths: - - .cache/pip - node_modules/ lint: - stage: lint - image: python:3.7 - before_script: - - pip install ansible ansible-lint --quiet - script: - - ansible-lint playbook.yml - only: - refs: - - development - - merge_requests - -pretty-lint: stage: lint image: node:12 before_script: - - npm install + - npm install prettier --no-save script: - - npx prettier "**/*.yml" --check - only: - refs: - - development - - merge_requests + - npx prettier '**/*.yml' --check diff --git a/.prettier.json b/.prettier.json deleted file mode 100644 index 9c76f6b..0000000 --- a/.prettier.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "singleQuote": true, - "printWidth": 90, - "tabWidth": 2, - "useTabs": false, - "bracketSpacing": true, - "parser": "yaml" -} - diff --git a/.prettierrc.yml b/.prettierrc.yml new file mode 100644 index 0000000..0cb31e6 --- /dev/null +++ b/.prettierrc.yml @@ -0,0 +1,5 @@ +singleQuote: true +printWidth: 90 +tabWidth: 2 +useTabs: false +bracketSpacing: true diff --git a/defaults/main.yml b/defaults/main.yml index d2d3c30..9980a2a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
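Review bot: Dropping the `lint` job's ansible-lint step (and the `test` stage) leaves no check on the role's tasks in CI, while the same commit strips every `# noqa 301`/`# noqa 208` marker from tasks/known_hosts.yml and tasks/poetry.yml, so the findings those markers were suppressing are now simply untracked. The remaining prettier job also installs an unpinned package each run (`npm install prettier --no-save`), so the check can change behaviour without a commit to this repository. I would keep an ansible-lint job alongside prettier and pin the formatter, e.g. `- npm install prettier@<PRETTIER_VERSION> --no-save` (placeholder version), and note that without `only:` the job now runs on every ref, which is presumably intended.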
@@ -1,3 +1,29 @@ -poetry_url: "https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py" +poetry_url: 'https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py' poetry_user: "{{ ansible_user | default(lookup('env', 'USER'), True) }}" -poetry_dir: "{{ ansible_env.HOME }}/.poetry" +poetry_dir: '{{ ansible_env.HOME }}/.poetry' + +common_packages: + - acl + - man + - apt-transport-https + - ca-certificates + - software-properties-common + - policykit-1 + - libpolkit-agent-1-0 + - nftables + - openssh-client + - bash-completion + - git + - vim + - curl + - tree + - haveged + - rsync + +ssl_packages: + - python3-openssl + - python3-crypto + - python3-cryptography + - python-openssl + - python-crypto + - python-cryptography diff --git a/handlers/main.yml b/handlers/main.yml index 7eb7634..07d7ed5 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
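Review bot: The new `ssl_packages` default installs both the Python 2 (`python-openssl`, `python-crypto`, `python-cryptography`) and Python 3 variants, plus the unmaintained PyCrypto packages (`python-crypto`, `python3-crypto`); because tasks/ssl.yml passes the whole list to one `apt` call with `state: present`, a single package that a release no longer ships fails the task. The `openssl_*` modules used in tasks/ssl.yml presumably only need `python3-cryptography` (and `python3-openssl` for the pyOpenSSL backend) — confirm against the module documentation for the pinned Ansible version. I would trim the default to those and let a caller override `ssl_packages` for older hosts, which is exactly what moving the list into defaults/main.yml makes possible.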
@@ -1,71 +1,79 @@ - name: reload ssh + become: true systemd: name: ssh state: restarted - enabled: yes - daemon-reload: yes + enabled: true + daemon-reload: true - name: restart nftables + become: true systemd: name: nftables state: restarted - enabled: yes - daemon-reload: yes + enabled: true + daemon-reload: true - name: restart nginx + become: true systemd: name: nginx state: restarted - enabled: yes - daemon-reload: yes + enabled: true + daemon-reload: true - name: restart docker + become: true systemd: name: docker state: restarted - enabled: yes - daemon-reload: yes + enabled: true + daemon-reload: true - name: restart rabbitmq + become: true systemd: name: rabbitmq-server state: restarted - enabled: yes - daemon-reload: yes + enabled: true + daemon-reload: true - name: restart memcached + become: true systemd: name: memcached state: restarted - enabled: yes - daemon-reload: yes + enabled: true + daemon-reload: true - name: restart postfix + become: true systemd: name: postfix state: restarted - enabled: yes - daemon-reload: yes + enabled: true + daemon-reload: true - name: restart postgres + become: true systemd: name: postgresql@11-main state: restarted - enabled: yes - daemon-reload: yes + enabled: true + daemon-reload: true - name: restart systemd-networkd + become: true systemd: name: systemd-networkd state: restarted - enabled: yes - daemon-reload: yes + enabled: true + daemon-reload: true - name: restart systemd-resolved + become: true systemd: name: systemd-resolved state: restarted - enabled: yes - daemon-reload: yes - -- include: user.yml + enabled: true + daemon-reload: true diff --git a/handlers/user.yml b/handlers/user.yml index 8cf4b1a..b906433 100644 --- a/handlers/user.yml +++ b/handlers/user.yml 
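Review bot: Removing the trailing `- include: user.yml` means the handlers defined in handlers/user.yml (`start user tmux service`, `restart user tmux service`, which this commit still edits) are no longer loaded from handlers/main.yml, so any `notify:` targeting them will fail at runtime unless the file is included from somewhere outside this diff. If the intent is to keep them, restore the include in its current form, `- import_tasks: user.yml`, or move both handlers into handlers/main.yml next to the others. Adding `become: true` to every system-level handler is consistent with the user-scope handlers already carrying it.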
@@ -1,19 +1,19 @@ - name: start user tmux service - become_user: "{{ default_user }}" - become: yes + become_user: '{{ default_user }}' + become: true systemd: - daemon-reload: yes + daemon-reload: true name: tmux state: started - enabled: yes + enabled: true scope: user - name: restart user tmux service - become_user: "{{ default_user }}" - become: yes + become_user: '{{ default_user }}' + become: true systemd: - daemon-reload: yes + daemon-reload: true name: tmux state: restarted - enabled: yes + enabled: true scope: user diff --git a/meta/main.yml b/meta/main.yml index 038b6e9..ba73357 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -2,10 +2,10 @@ dependencies: [] galaxy_info: author: sonny - description: "Common tasks" - license: "license GPLv3" + description: 'Common tasks' + license: 'license GPLv3' min_ansible_version: 2.7 - issue_tracker_url: "https://git.fudiggity.nl/ansible/common/-/issues" + issue_tracker_url: 'https://git.fudiggity.nl/ansible/common/-/issues' platforms: - name: Debian versions: diff --git a/tasks/host.yml b/tasks/host.yml index 818e7c2..e72e29d 100644 --- a/tasks/host.yml +++ b/tasks/host.yml @@ -1,15 +1,15 @@ - name: copy hostname template: - src: "hostname.j2" - dest: "/etc/hostname" + src: 'hostname.j2' + dest: '/etc/hostname' owner: root group: root - mode: "0644" + mode: '0644' - name: copy hosts template: - src: "hosts.j2" - dest: "/etc/hosts" + src: 'hosts.j2' + dest: '/etc/hosts' owner: root group: root - mode: "0644" + mode: '0644' diff --git a/tasks/known_hosts.yml b/tasks/known_hosts.yml index d8abe99..60f7e9c 100644 --- a/tasks/known_hosts.yml +++ b/tasks/known_hosts.yml 
@@ -1,39 +1,39 @@ - name: load OS specific vars - include_vars: "{{ item }}" + include_vars: '{{ item }}' with_first_found: - files: - - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }}.yml" - - "{{ ansible_distribution|lower }}.yml" - - "{{ ansible_os_family|lower }}.yml" + - '{{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }}.yml' + - '{{ ansible_distribution|lower }}.yml' + - '{{ ansible_os_family|lower }}.yml' paths: - - "{{ role_path }}/vars" + - '{{ role_path }}/vars' - name: install packages - become: yes + become: true package: - name: "{{ item }}" + name: '{{ item }}' state: present - loop: "{{ known_hosts_packages }}" + loop: '{{ known_hosts_packages }}' - name: retrieve user $HOME - shell: "echo $HOME" # noqa 301 - become_user: "{{ user }}" + shell: 'echo $HOME' + become_user: '{{ user }}' register: home_stats - name: set user $HOME set_fact: - user_home: "{{ home_stats.stdout }}" + user_home: '{{ home_stats.stdout }}' - name: create local ssh directory - become_user: "{{ user }}" + become_user: '{{ user }}' file: - path: "{{ user_home }}/.ssh" + path: '{{ user_home }}/.ssh' state: directory - mode: "0755" + mode: '0755' - name: add items to known hosts - become_user: "{{ user }}" + become_user: '{{ user }}' known_hosts: - name: "{{ item.domain }}" - key: "{{ item.key }}" - loop: "{{ items }}" + name: '{{ item.domain }}' + key: '{{ item.key }}' + loop: '{{ items }}' diff --git a/tasks/main.yml b/tasks/main.yml deleted file mode 100644 index 2811ac4..0000000 --- a/tasks/main.yml +++ /dev/null 
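Review bot: The `retrieve user $HOME` task drops its `# noqa 301` marker but keeps `shell: 'echo $HOME'`, which reports `changed` on every run, so the play is never idempotent on hosts that are already configured; the same applies to the two `shell` tasks and the `update poetry config` command in tasks/poetry.yml and to `loginctl enable-linger` in tasks/setup.yml. For read-only probes add `changed_when: false` under the task; for the config-writing commands, `changed_when` should compare against the current state or the task should be replaced by a module. Also note that `become_user: '{{ user }}'` only takes effect when `become` is enabled for the task or play — presumably set at play level, but worth confirming since the `install packages` task sets `become: true` explicitly.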
@@ -1,51 +0,0 @@ -- include_tasks: "sudoers.yml" - loop: - - { src: "sudoers.j2", dest: "/etc/sudoers.d/20-ansible-extra" } - -- name: copy ssh template - template: - src: "sshd_config.j2" - dest: "/etc/ssh/sshd_config" - owner: root - group: root - mode: "0644" - notify: reload ssh - -- name: viva la hollande - locale_gen: - name: nl_NL.UTF-8 - state: present - -- name: ensure basic tooling is installed - apt: - name: - - acl - - man - - apt-transport-https - - ca-certificates - - software-properties-common - - policykit-1 - - libpolkit-agent-1-0 - - nftables - - openssh-client - - bash-completion - - git - - vim - - curl - - tree - - haveged - - rsync - state: present - -- name: copy firewall template - template: - src: "nftables.j2" - dest: "/etc/nftables.conf" - owner: root - group: root - mode: "0600" - notify: restart nftables - -# see https://wiki.debian.org/systemd#Orphaned_processes -- name: enable loginctl user-linger - command: "loginctl enable-linger {{ default_user|quote }}" # noqa 301 diff --git a/tasks/network.yml b/tasks/network.yml index f9ff775..7adb693 100644 --- a/tasks/network.yml +++ b/tasks/network.yml 
@@ -1,27 +1,28 @@ - name: check old network configuration - stat: path=/etc/network/interfaces + stat: + path: '/etc/network/interfaces' register: old_config - name: move old network configuration - command: mv /etc/network/interfaces /etc/network/interfaces.save + command: 'mv /etc/network/interfaces /etc/network/interfaces.save' when: old_config.stat.exists - name: copy network configuration template: - src: "network.j2" - dest: "/etc/systemd/network/50-default.network" + src: 'network.j2' + dest: '/etc/systemd/network/50-default.network' owner: root group: root - mode: "0644" + mode: '0644' notify: restart systemd-networkd - name: copy dns configuration file: - src: "/run/systemd/resolve/resolv.conf" - dest: "/etc/resolv.conf" + src: '/run/systemd/resolve/resolv.conf' + dest: '/etc/resolv.conf' owner: root group: root state: link - force: yes - mode: "0644" + force: true + mode: '0644' notify: restart systemd-resolved diff --git a/tasks/nginx.yml b/tasks/nginx.yml index 965ef2a..9d73790 100644 --- a/tasks/nginx.yml +++ b/tasks/nginx.yml @@ -1,18 +1,18 @@ - name: install nginx - apt: + package: name: nginx state: present - name: copy nginx config template: - src: "nginx.conf.j2" - dest: "/etc/nginx/nginx.conf" + src: 'nginx.conf.j2' + dest: '/etc/nginx/nginx.conf' owner: root group: root - mode: "0644" + mode: '0644' - name: remove default site file: - path: "/etc/nginx/sites-enabled/default" + path: '/etc/nginx/sites-enabled/default' state: absent notify: restart nginx diff --git a/tasks/poetry.yml b/tasks/poetry.yml index 8649337..62b6e18 100644 --- a/tasks/poetry.yml +++ b/tasks/poetry.yml 
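Review bot: The `install nginx` task switches from `apt:` to the generic `package:` module, while `ensure basic tooling is installed` in tasks/setup.yml and `install SSL packages` in tasks/ssl.yml stay on `apt:` in the same commit, so the role now mixes both for the same purpose. Either use `package:` everywhere (the role already branches on distribution in tasks/poetry.yml, so portability seems to be a goal) or keep `apt:` for the Debian-only tasks and say so in a comment; a single convention makes it easier to see which tasks are distribution-specific. The `copy nginx config` task could also carry `validate: 'nginx -t -c %s'` so that a broken template never reaches `restart nginx`, though nginx include paths relative to the config may need adjusting for that to work.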
@@ -1,73 +1,73 @@ -- name: retrieve user $HOME # noqa 301 - shell: "echo $HOME" - become_user: "{{ poetry_user }}" +- name: retrieve user $HOME + shell: 'echo $HOME' + become_user: '{{ poetry_user }}' register: home_stats -- name: retrieve user $PATH # noqa 301 - shell: "echo $PATH" - become_user: "{{ poetry_user }}" +- name: retrieve user $PATH + shell: 'echo $PATH' + become_user: '{{ poetry_user }}' register: path_stats - name: set poetry user variables set_fact: - poetry_user_home: "{{ home_stats.stdout }}" - poetry_user_path: "{{ path_stats.stdout }}" + poetry_user_home: '{{ home_stats.stdout }}' + poetry_user_path: '{{ path_stats.stdout }}' - name: create user folder for binaries - become_user: "{{ poetry_user }}" + become_user: '{{ poetry_user }}' file: state: directory - mode: "0755" - path: "{{ poetry_user_home }}/.local/bin" + mode: '0755' + path: '{{ poetry_user_home }}/.local/bin' -- name: set default python binary # noqa 208 +- name: set default python binary become: true file: state: link - src: "/usr/bin/python3" - dest: "/usr/bin/python" - when: ansible_distribution == "Ubuntu" + src: '/usr/bin/python3' + dest: '/usr/bin/python' + when: ansible_distribution == 'Ubuntu' - name: setup poetry for Ubuntu/Debian derived distro's block: - name: check poetry existence - become_user: "{{ poetry_user }}" + become_user: '{{ poetry_user }}' stat: - path: "{{ poetry_dir }}" + path: '{{ poetry_dir }}' register: poetry_stats - name: download poetry installer - become_user: "{{ poetry_user }}" + become_user: '{{ poetry_user }}' get_url: - url: "{{ poetry_url }}" + url: '{{ poetry_url }}' dest: /tmp/ - mode: "0750" + mode: '0750' when: poetry_stats.stat.isdir is not defined - name: install poetry - become_user: "{{ poetry_user }}" - command: "python /tmp/get-poetry.py --yes" # noqa 305 + become_user: '{{ poetry_user }}' + command: 'python /tmp/get-poetry.py --yes' environment: - POETRY_HOME: "{{ poetry_dir }}" + POETRY_HOME: '{{ poetry_dir }}' when: 
poetry_stats.stat.isdir is not defined - - name: add poetry to user binaries # noqa 208 - become_user: "{{ poetry_user }}" + - name: add poetry to user binaries + become_user: '{{ poetry_user }}' file: state: link - src: "{{ poetry_dir }}/bin/poetry" - dest: "{{ poetry_user_home }}/.local/bin/poetry" - when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu" + src: '{{ poetry_dir }}/bin/poetry' + dest: '{{ poetry_user_home }}/.local/bin/poetry' + when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' - name: setup poetry for Archlinux become: true pacman: name: poetry state: present - when: ansible_facts['os_family'] == "Archlinux" + when: ansible_facts['os_family'] == 'Archlinux' - name: update poetry config - become_user: "{{ poetry_user }}" - command: "poetry config virtualenvs.in-project true" # noqa 301 + become_user: '{{ poetry_user }}' + command: 'poetry config virtualenvs.in-project true' environment: - PATH: "{{ poetry_user_home }}/.local/bin:{{ poetry_user_path }}" + PATH: '{{ poetry_user_home }}/.local/bin:{{ poetry_user_path }}' diff --git a/tasks/setup.yml b/tasks/setup.yml new file mode 100644 index 0000000..2d34535 --- /dev/null +++ b/tasks/setup.yml 
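Review bot: The `download poetry installer` / `install poetry` pair fetches `poetry_url` (which points at the `master` branch of the upstream repository, not a tagged release) into the shared, predictable path `/tmp/get-poetry.py` and then executes it, with no integrity check on what was downloaded. `get_url` supports a `checksum:` argument, so the download can be pinned, e.g. `checksum: 'sha256:<EXPECTED_SHA256>'` (placeholder), and the `dest:` could be moved under the user's own directory such as `'{{ poetry_user_home }}/.local/'` so the executed file is not sitting in world-writable `/tmp` between the two tasks. Independently, upstream has marked `get-poetry.py` as a deprecated installer, so it may be worth confirming the URL still resolves to the intended script before relying on a checksum of it.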
@@ -0,0 +1,35 @@ +- include_tasks: 'sudoers.yml' + loop: + - { src: 'sudoers.j2', dest: '/etc/sudoers.d/20-ansible-extra' } + +- name: copy ssh template + template: + src: 'sshd_config.j2' + dest: '/etc/ssh/sshd_config' + owner: root + group: root + mode: '0644' + notify: reload ssh + +- name: viva la hollande + locale_gen: + name: nl_NL.UTF-8 + state: present + +- name: ensure basic tooling is installed + apt: + name: '{{ common_packages }}' + state: present + +- name: copy firewall template + template: + src: 'nftables.j2' + dest: '/etc/nftables.conf' + owner: root + group: root + mode: '0600' + notify: restart nftables + +# see https://wiki.debian.org/systemd#Orphaned_processes +- name: enable loginctl user-linger + command: 'loginctl enable-linger {{ default_user|quote }}' diff --git a/tasks/ssl.yml b/tasks/ssl.yml index a1cb905..8f71d76 100644 --- a/tasks/ssl.yml +++ b/tasks/ssl.yml 
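Review bot: The `copy ssh template` task writes `/etc/ssh/sshd_config` and notifies `reload ssh`, which in handlers/main.yml actually does `state: restarted`, so a template rendering error locks remote access out without any guard; the `template` module's `validate` argument exists for this, `validate: '/usr/sbin/sshd -t -f %s'`. The same concern applies to `copy firewall template` (`validate: 'nft -c -f %s'` before `restart nftables`) and to the sudoers fragment written via tasks/sudoers.yml (`validate: '/usr/sbin/visudo -cf %s'`). Since this file is the renamed tasks/main.yml, note that the role no longer has a tasks/main.yml at all, so callers must now reference `setup.yml` explicitly via `tasks_from` — presumably intended, but it is a change to the role's interface that the description does not mention.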
@@ -1,39 +1,33 @@ - name: install SSL packages apt: - name: - - python3-openssl - - python3-crypto - - python3-cryptography - - python-openssl - - python-crypto - - python-cryptography + name: '{{ ssl_packages }}' state: present - name: create ssl directory file: - path: "/etc/ssl/{{ app_name }}" + path: '/etc/ssl/{{ app_name }}' state: directory - owner: "{{ app_user }}" - group: "{{ app_user }}" + owner: '{{ app_user }}' + group: '{{ app_user }}' mode: 0750 - name: generate an OpenSSL private key with the default values (4096 bits, RSA) - become_user: "{{ app_user }}" + become_user: '{{ app_user }}' openssl_privatekey: - path: "/etc/ssl/{{ app_name }}/local.pem" + path: '/etc/ssl/{{ app_name }}/local.pem' - name: generate an OpenSSL certificate signing request - become_user: "{{ app_user }}" + become_user: '{{ app_user }}' openssl_csr: - path: "/etc/ssl/{{ app_name }}/local.csr" - privatekey_path: "/etc/ssl/{{ app_name }}/local.pem" + path: '/etc/ssl/{{ app_name }}/local.csr' + privatekey_path: '/etc/ssl/{{ app_name }}/local.pem' common_name: fudiggity.nl - name: generate a self signed OpenSSL certificate - become_user: "{{ app_user }}" + become_user: '{{ app_user }}' openssl_certificate: - force: yes - path: "/etc/ssl/{{ app_name }}/{{ app_name }}.crt" - privatekey_path: "/etc/ssl/{{ app_name }}/local.pem" - csr_path: "/etc/ssl/{{ app_name }}/local.csr" + force: true + path: '/etc/ssl/{{ app_name }}/{{ app_name }}.crt' + privatekey_path: '/etc/ssl/{{ app_name }}/local.pem' + csr_path: '/etc/ssl/{{ app_name }}/local.csr' provider: selfsigned diff --git a/tasks/sudoers.yml b/tasks/sudoers.yml index c3c3bec..a4c8979 100644 --- a/tasks/sudoers.yml +++ b/tasks/sudoers.yml @@ -1,7 +1,7 @@ - name: copy extra sudoers file template: - src: "{{ item.src }}" - dest: "{{ item.dest }}" + src: '{{ item.src }}' + dest: '{{ item.dest }}' owner: root group: root - mode: "0644" + mode: '0644'
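Review bot: In `create ssl directory` the mode is still the unquoted scalar `mode: 0750` while every other `mode` in this commit was quoted; a YAML 1.1 parser reads it as an octal integer, which happens to work, but a value without a leading zero or a YAML 1.2 parser would not, so it should be `mode: '0750'` for consistency with the rest of the role. The `generate a self signed OpenSSL certificate` task keeps `force: true`, which regenerates the certificate on every run and so rotates it whenever the play executes, presumably not what a self-signed cert for a fixed `common_name: fudiggity.nl` needs — consider dropping `force` or making it a variable. The private key task sets no `mode`; confirm the module's default is restrictive enough for `/etc/ssl/{{ app_name }}/local.pem` or set `mode: '0600'` explicitly.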
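Review bot: The sudoers fragment written by `copy extra sudoers file` is installed with `mode: '0644'` and no syntax check; the conventional mode for files in `/etc/sudoers.d/` is `'0440'`, and without `validate: '/usr/sbin/visudo -cf %s'` a template error produces a fragment that sudo rejects, taking privilege escalation for every account on the host with it. Both are one-line additions under `template:` and do not change the task's interface (`item.src`/`item.dest` from tasks/setup.yml). Because this task runs under `include_tasks` from tasks/setup.yml, the loop variable and any `become` it relies on are defined outside this hunk.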