diff --git a/.config/ansible-lint-ignore.txt b/.config/ansible-lint-ignore.txt
index 3793a4a1..ab8e2235 100644
--- a/.config/ansible-lint-ignore.txt
+++ b/.config/ansible-lint-ignore.txt
@@ -66,19 +66,15 @@ roles/common/handlers/main.yml fqcn[action-core]
 roles/common/handlers/main.yml name[casing]
 roles/common/handlers/main.yml name[missing]
 roles/common/handlers/main.yml no-changed-when
-roles/common/handlers/main.yml no-free-form
 roles/common/handlers/munin-node.yml fqcn[action-core]
 roles/common/handlers/munin-node.yml name[casing]
-roles/common/handlers/munin-node.yml no-free-form
 roles/common/handlers/sysctl.yml fqcn[action-core]
 roles/common/handlers/sysctl.yml name[casing]
 roles/common/handlers/sysctl.yml no-changed-when
 roles/common/handlers/sysstat.yml fqcn[action-core]
 roles/common/handlers/sysstat.yml name[casing]
-roles/common/handlers/sysstat.yml no-free-form
 roles/common/tasks/apache2-monit.yml fqcn[action-core]
 roles/common/tasks/apache2-monit.yml name[casing]
-roles/common/tasks/apache2-monit.yml no-free-form
 roles/common/tasks/apache2.yml fqcn[action-core]
 roles/common/tasks/apache2.yml name[casing]
 roles/common/tasks/apache2.yml no-changed-when
@@ -88,16 +84,12 @@ roles/common/tasks/main.yml deprecated-local-action
 roles/common/tasks/main.yml deprecated-module
 roles/common/tasks/main.yml fqcn[action-core]
 roles/common/tasks/main.yml fqcn[action]
-roles/common/tasks/main.yml jinja[spacing]
 roles/common/tasks/main.yml name[casing]
 roles/common/tasks/main.yml name[missing]
 roles/common/tasks/main.yml no-changed-when
-roles/common/tasks/main.yml no-free-form
 roles/common/tasks/main.yml no-handler
-roles/common/tasks/main.yml risky-file-permissions
 roles/common/tasks/main.yml risky-shell-pipe
 roles/common/tasks/munin-node.yml fqcn[action-core]
-roles/common/tasks/munin-node.yml jinja[spacing]
 roles/common/tasks/munin-node.yml name[casing]
 roles/common/tasks/munin-node.yml no-changed-when
 roles/common/tasks/nginx.yml fqcn[action-core]
@@ -105,24 +97,17 @@ roles/common/tasks/nginx.yml name[casing]
 roles/common/tasks/nginx.yml no-changed-when
 roles/common/tasks/ntp.yml fqcn[action-core]
 roles/common/tasks/ntp.yml name[casing]
-roles/common/tasks/ntp.yml no-free-form
 roles/common/tasks/ssh-tunnel.yml command-instead-of-shell
 roles/common/tasks/ssh-tunnel.yml fqcn[action-core]
 roles/common/tasks/ssh-tunnel.yml fqcn[action]
-roles/common/tasks/ssh-tunnel.yml jinja[spacing]
 roles/common/tasks/ssh-tunnel.yml name[casing]
 roles/common/tasks/ssh-tunnel.yml name[missing]
-roles/common/tasks/ssh-tunnel.yml no-free-form
 roles/common/tasks/ssh-tunnel.yml no-handler
-roles/common/tasks/ssh-tunnel.yml risky-file-permissions
 roles/common/tasks/sysctl.yml fqcn[action-core]
 roles/common/tasks/sysctl.yml fqcn[action]
-roles/common/tasks/sysctl.yml jinja[spacing]
 roles/common/tasks/sysctl.yml name[casing]
-roles/common/tasks/sysctl.yml risky-file-permissions
 roles/common/tasks/sysstat.yml fqcn[action-core]
 roles/common/tasks/sysstat.yml name[casing]
-roles/common/tasks/sysstat.yml no-free-form
 roles/drupal/handlers/main.yml fqcn[action-core]
 roles/drupal/handlers/main.yml name[casing]
 roles/drupal/handlers/main.yml no-free-form
@@ -445,12 +430,6 @@ shared/osmosis.yml fqcn[action-core]
 shared/osmosis.yml name[casing]
 shared/osmosis.yml no-free-form
 shared/osmosis.yml risky-file-permissions
-shared/project-account.yml command-instead-of-shell
-shared/project-account.yml fqcn[action-core]
-shared/project-account.yml name[casing]
-shared/project-account.yml no-free-form
-shared/project-account.yml no-handler
-shared/project-account.yml risky-file-permissions
 sympa.yml name[casing]
 taginfo.yml name[casing]
 unattended-upgrades.yml name[casing]
diff --git a/roles/comcommaker/tasks/main.yml b/roles/comcommaker/tasks/main.yml
index 347f21ca..857fbb2d 100644
--- a/roles/comcommaker/tasks/main.yml
+++ b/roles/comcommaker/tasks/main.yml
@@ -11,7 +11,7 @@ - libapache2-mod-wsgi-py3 -- include: ../../../shared/project-account.yml +- include_tasks: ../../../shared/project-account.yml vars: user: "{{ comcommaker_user }}" diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 289c808a..47aa6457 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -4,18 +4,19 @@ state: reloaded - name: restart apache - service: name=apache2 state=restarted + systemd: + name: apache2 + state: restarted - name: reload nginx systemd: name: nginx state: reloaded -- name: restart denyhosts - service: name=denyhosts state=restarted - - name: restart monit - service: name=monit state=restarted + systemd: + name: monit + state: restarted - name: generate locales command: /usr/sbin/locale-gen @@ -23,11 +24,11 @@ - name: detect sensors shell: /usr/sbin/sensors-detect < /dev/null -- include: munin-node.yml +- import_tasks: munin-node.yml -- include: sysstat.yml +- import_tasks: sysstat.yml -- include: sysctl.yml +- import_tasks: sysctl.yml - name: restart systemd-hostnamed systemd: diff --git a/roles/common/handlers/munin-node.yml b/roles/common/handlers/munin-node.yml index cffa8aae..0db1c8c5 100644 --- a/roles/common/handlers/munin-node.yml +++ b/roles/common/handlers/munin-node.yml @@ -1,2 +1,4 @@ - name: restart munin-node - service: name=munin-node state=restarted + systemd: + name: munin-node + state: restarted diff --git a/roles/common/handlers/sysstat.yml b/roles/common/handlers/sysstat.yml index 45e5e09f..d26abbcc 100644 --- a/roles/common/handlers/sysstat.yml +++ b/roles/common/handlers/sysstat.yml @@ -1,2 +1,4 @@ - name: restart sysstat - service: name=sysstat state=restarted + systemd: + name: sysstat + state: restarted diff --git a/roles/common/tasks/apache2-monit.yml b/roles/common/tasks/apache2-monit.yml index fd89dc30..09c6a129 100644 --- a/roles/common/tasks/apache2-monit.yml +++ b/roles/common/tasks/apache2-monit.yml 
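Review bot: Deleting the `restart denyhosts` handler in roles/common/handlers/main.yml without a matching removal of its `notify` is risky: Ansible by default (error_on_missing_handler) aborts the play as soon as a changed task notifies a handler name that no longer exists, and no hunk in this commit touches a denyhosts task. Grep the tree for `notify: restart denyhosts` (and any `listen:` alias) before merging, or keep the handler until the denyhosts tasks themselves are retired. The move from `service` to `systemd` for the remaining handlers is fine on the Debian/Ubuntu targets this role conditions on, but it does drop any non-systemd host that might still be in the inventory.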
@@ -1,5 +1,8 @@ - name: add apache proxy module - file: src="/etc/apache2/mods-available/{{ item }}" dest="/etc/apache2/mods-enabled/{{ item }}" state=link + file: + src: "/etc/apache2/mods-available/{{ item }}" + dest: "/etc/apache2/mods-enabled/{{ item }}" + state: link notify: restart apache with_items: - proxy.conf @@ -7,17 +10,29 @@ - proxy.load - name: configure monit in apache - copy: src="apache-monit" dest="/etc/apache2/sites-available/monit.conf" owner=root group=root mode=0644 + copy: + src: "apache-monit" + dest: "/etc/apache2/sites-available/monit.conf" + owner: root + group: root + mode: 0644 notify: restart apache - name: enable monit in apache - file: src="/etc/apache2/sites-available/monit.conf" dest="/etc/apache2/sites-enabled/monit.conf" state=link + file: + src: "/etc/apache2/sites-available/monit.conf" + dest: "/etc/apache2/sites-enabled/monit.conf" + state: link notify: restart apache - name: remove /etc/apache2/sites-available/monit - file: path="/etc/apache2/sites-available/monit" state=absent + file: + path: "/etc/apache2/sites-available/monit" + state: absent notify: restart apache - name: remove /etc/apache2/sites-enabled/monit - file: path="/etc/apache2/sites-enabled/monit" state=absent + file: + path: "/etc/apache2/sites-enabled/monit" + state: absent notify: restart apache diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index c870ce0d..0492033d 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -1,6 +1,6 @@ - name: set proxmox password set_fact: - proxmox_password: "{{ lookup('env','PROXMOX_PASSWORD_'+proxmox_var.host.split('.')[0]) }}" + proxmox_password: "{{ lookup('env', 'PROXMOX_PASSWORD_' + proxmox_var.host.split('.')[0]) }}" when: proxmox_var is defined and vm_host is defined and lookup('env','PROXMOX_PASSWORD_'+proxmox_var.host.split('.')[0]) - name: init cache/templates/ 
@@ -9,6 +9,7 @@ path: "cache/templates/" state: directory force: no + mode: 0755 when: proxmox_password is defined become: no @@ -25,6 +26,7 @@ module: get_url dest: "cache/templates/{{ item }}" url: "http://download.proxmox.com/images/system/{{ item }}" + mode: 0644 with_items: - "{{ proxmox_var.ostemplate }}" - "{{ '.'.join(proxmox_var.ostemplate.split('.')[0:-2]) + '.aplinfo' }}" @@ -69,7 +71,7 @@ onboot: yes ostemplate: "local:vztmpl/{{ proxmox_var.ostemplate }}" password: "{{ lookup('password', 'credentials/proxmox/' + inventory_hostname) }}" - pubkey: "{{ lookup('file', lookup('env','PROXMOX_SSHPUBKEY')) }}" + pubkey: "{{ lookup('file', lookup('env', 'PROXMOX_SSHPUBKEY')) }}" state: present storage: "{{ proxmox_var.storage }}" swap: "{{ proxmox_var.swap }}" @@ -111,7 +113,7 @@ ostype: "l26" scsi: scsi0: "{{ proxmox_var.storage }}:{{ proxmox_var.disk }},format=raw" - sshkeys: "{{ lookup('file', lookup('env','PROXMOX_SSHPUBKEY')) }}" + sshkeys: "{{ lookup('file', lookup('env', 'PROXMOX_SSHPUBKEY')) }}" state: present when: proxmox_password is defined and (proxmox_var.kvm is defined and proxmox_var.kvm == 1) register: create_vm @@ -137,7 +139,7 @@ ostype: "l26" scsi: scsi0: "{{ proxmox_var.storage }}:{{ proxmox_var.disk }},format=raw" - sshkeys: "{{ lookup('file', lookup('env','PROXMOX_SSHPUBKEY')) }}" + sshkeys: "{{ lookup('file', lookup('env', 'PROXMOX_SSHPUBKEY')) }}" state: present update: yes when: proxmox_password is defined and (proxmox_var.kvm is defined and proxmox_var.kvm == 1) @@ -230,7 +232,7 @@ block: | Host {{ item }} Hostname {{ hostvars[item].proxmox_var.ipv6 }} - with_items: '{{play_hosts}}' + with_items: '{{ play_hosts }}' when: proxmox_password is defined and (create_ct.changed or create_vm.changed) become: no 
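Review bot: The `get_url` in the `@@ -25,6 +26,7` hunk still fetches the Proxmox OS templates over plain `http://` with no `checksum:`, so the image every container is built from can be substituted by anyone on the path; this commit only adds `mode: 0644` to it. The same commit does it right for the Docker key further down (`https` plus `checksum: sha512:...`), so at minimum change the URL to `url: "https://download.proxmox.com/images/system/{{ item }}"`. The loop also downloads the matching `.aplinfo` index, which carries per-template sha512 sums that could feed a `checksum:` for the template item in a follow-up. The enclosing task (presumably a `local_action:` with `module: get_url`) starts above the hunk.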
@@ -240,7 +242,7 @@ module: known_hosts name: "{{ hostvars[item].proxmox_var.ipv6 }}" key: "{{ lookup('pipe', 'ssh-keyscan {{ hostvars[item].proxmox_var.ipv6 }}') }}" - with_items: '{{play_hosts}}' + with_items: '{{ play_hosts }}' when: proxmox_password is defined and (create_ct.changed or create_vm.changed) become: no @@ -266,7 +268,8 @@ (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version == '18') or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version == '20')) -- set_fact: install_apache=false +- set_fact: + install_apache: false when: install_apache is undefined - name: add backports @@ -340,6 +343,7 @@ url: "https://download.docker.com/linux/debian/gpg" dest: "/usr/share/keyrings/docker-archive-keyring.gpg.tmp" checksum: "sha512:d07607e3119181026e3309fb828882a13621960c54290416c2f897e1834f36abdb48d11b6f71aba1d2b9e7dac3f3fe8281c248500cfe13705674a5446826b699" + mode: 0644 when: proxmox_var is defined and proxmox_var.docker is defined and proxmox_var.docker - name: activate docker apt key @@ -396,6 +400,7 @@ owner: root group: root force: no + mode: 0755 with_items: - /data - /data/project @@ -486,21 +491,23 @@ - name: add ssh key to user backuppc authorized_key: user: backuppc - key: "{{ lookup('file',item) }}" + key: "{{ lookup('file', item) }}" with_fileglob: - - "{{ lookup('env','PWD') }}/public_keys/backuppc-*" + - "{{ lookup('env', 'PWD') }}/public_keys/backuppc-*" - name: create empty /var/www for backuppc file: path: /var/www/ state: directory force: no + mode: 0755 - name: create empty file in backup-ed /var/www copy: content: "" dest: /var/www/.empty-file-for-backuppc force: no + mode: 0444 - name: update hosts.allow lineinfile: @@ -532,6 +539,7 @@ dest: /var/lib/locales/supported.d/local force: no owner: root + mode: 0644 when: ansible_distribution == 'Ubuntu' - name: configure locales 
@@ -577,20 +585,23 @@ - systemd daemon-reload when: "'proxmox' in group_names" -- include: ssh-tunnel.yml user=ssh-tunnel uid=1104 +- ansible.builtin.include_tasks: ssh-tunnel.yml + vars: + user: "ssh-tunnel" + uid: "1104" when: "'ssh-tunnel' in group_names" -- include: apache2.yml +- ansible.builtin.import_tasks: apache2.yml -- include: nginx.yml +- ansible.builtin.import_tasks: nginx.yml -- include: munin-node.yml +- ansible.builtin.import_tasks: munin-node.yml -- include: sysstat.yml +- ansible.builtin.include_tasks: sysstat.yml when: "'proxmox' in group_names" -- include: sysctl.yml +- ansible.builtin.include_tasks: sysctl.yml when: "'proxmox' in group_names" -- include: ntp.yml +- ansible.builtin.include_tasks: ntp.yml when: "not 'vm' in group_names" diff --git a/roles/common/tasks/munin-node.yml b/roles/common/tasks/munin-node.yml index 4b274222..b6346fd5 100644 --- a/roles/common/tasks/munin-node.yml +++ b/roles/common/tasks/munin-node.yml @@ -21,7 +21,7 @@ dest: /etc/munin/munin-node.conf regexp: "^host_name {{ inventory_hostname }}" insertafter: "^#host_name" - line: "host_name {{ inventory_hostname }}" + line: "host_name {{ inventory_hostname }}" notify: - restart munin-node diff --git a/roles/common/tasks/ntp.yml b/roles/common/tasks/ntp.yml index 7659f12f..ab54f8d7 100644 --- a/roles/common/tasks/ntp.yml +++ b/roles/common/tasks/ntp.yml @@ -1,5 +1,10 @@ - name: install ntp package - apt: pkg=ntp + apt: + pkg: + - ntp - name: launch ntp - service: name=ntp state=started enabled=yes + systemd: + name: ntp + state: started + enabled: yes diff --git a/roles/common/tasks/ssh-tunnel.yml b/roles/common/tasks/ssh-tunnel.yml index a505b7e4..2fd21a3c 100644 --- a/roles/common/tasks/ssh-tunnel.yml +++ b/roles/common/tasks/ssh-tunnel.yml 
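Review bot: Switching the ssh-tunnel include to `ansible.builtin.include_tasks` breaks tag-based runs: the tasks inside ssh-tunnel.yml carry `tags: ssh-tunnel` (visible in this commit's ssh-tunnel.yml hunk), but a dynamic include is itself untagged, so `ansible-playbook --tags ssh-tunnel` skips the include and none of those tasks ever run. Use the static form, `- ansible.builtin.import_tasks: ssh-tunnel.yml` (the `when:` is then attached to each imported task, which is effectively what the old `include` did), or add `tags: [ssh-tunnel, always]` to the include. Separately, `uid: "1104"` is passed in, but the `user:` task shown in the ssh-tunnel.yml hunk does not set `uid:`; confirm something outside the visible lines consumes it, otherwise the account silently gets whatever uid useradd picks.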
@@ -6,28 +6,45 @@ tags: ssh-tunnel - name: init user ${user} - user: name={{ user }} home=/data/project/{{ user }}/ shell=/bin/false generate_ssh_key=yes + user: + name: "{{ user }}" + home: "/data/project/{{ user }}/" + shell: "/bin/false" + generate_ssh_key: yes when: user_exist.changed tags: ssh-tunnel - name: init group ${user} - group: name={{ user }} + group: + name: "{{ user }}" tags: ssh-tunnel - name: copy default config files - copy: force=no src="shared/files/default{{ item }}" dest="/data/project/{{ user }}/{{ item }}" owner={{ user }} group={{ user }} + copy: + force: no + src: "shared/files/default{{ item }}" + dest: "/data/project/{{ user }}/{{ item }}" + owner: "{{ user }}" + group: "{{ user }}" + mode: 0644 tags: ssh-tunnel with_items: - .gitconfig - .vimrc -- fetch: src=/data/project/{{ user }}/.ssh/id_rsa.pub dest=public_keys/ansible/{{ user }}-{{ ansible_hostname }} flat=yes +- fetch: + src: "/data/project/{{ user }}/.ssh/id_rsa.pub" + dest: "public_keys/ansible/{{ user }}-{{ ansible_hostname }}" + flat: yes tags: ssh-tunnel - name: init ssh key to user ${user} - authorized_key: user={{ user }} key="{{ item }}" key_options='no-pty,no-X11-forwarding,permitopen="localhost:*"' + authorized_key: + user: "{{ user }}" + key: "{{ item }}" + key_options: 'no-pty,no-X11-forwarding,permitopen="localhost:*"' tags: ssh-tunnel when: ansible_hostname == 'osm7' with_fileglob: - - "{{ lookup('env','PWD') }}/public_keys/ansible/{{ user }}-osm3" - - "{{ lookup('env','PWD') }}/public_keys/ansible/{{ user }}-osm101" + - "{{ lookup('env', 'PWD') }}/public_keys/ansible/{{ user }}-osm3" + - "{{ lookup('env', 'PWD') }}/public_keys/ansible/{{ user }}-osm101" diff --git a/roles/common/tasks/sysctl.yml b/roles/common/tasks/sysctl.yml index 3786573b..08e1d339 100644 --- a/roles/common/tasks/sysctl.yml +++ b/roles/common/tasks/sysctl.yml 
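Review bot: The `key_options` on the `authorized_key` task still leave agent forwarding and `~/.ssh/rc` execution open for the tunnel keys; `no-pty` and `shell: /bin/false` block neither. Since these keys exist only to forward ports, use OpenSSH's deny-by-default form and re-allow just forwarding: `key_options: 'restrict,port-forwarding,permitopen="localhost:*"'` (`restrict` implies no-pty, no-X11-forwarding, no-agent-forwarding and no-user-rc; it needs OpenSSH 7.2+, which the Debian/Ubuntu 18+ targets elsewhere in this role satisfy). The `mode: 0644` added to the dotfile copy is an unquoted octal; it works because of the leading zero, but shared/project-account.yml in this same commit quotes its modes (`"0644"`), so pick one form. The first task of this file (the `user_exist` check that the `when:` relies on) starts above the hunk.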
@@ -56,6 +56,7 @@ template: src: 'systemd-tmpfiles.conf.j2' dest: '/etc/tmpfiles.d/thp.conf' + mode: 0644 notify: - systemd-tmpfiles create @@ -65,5 +66,5 @@ - name: Allow 2MB huge pages up to 60% of the RAM sysctl: name: vm.nr_overcommit_hugepages - value: "{{ ( ansible_memtotal_mb * 0.6 / 2)|int }}" + value: "{{ (ansible_memtotal_mb * 0.6 / 2) | int }}" sysctl_file: /etc/sysctl.d/ansible.conf diff --git a/roles/common/tasks/sysstat.yml b/roles/common/tasks/sysstat.yml index 3ca5cafe..51f5bcc1 100644 --- a/roles/common/tasks/sysstat.yml +++ b/roles/common/tasks/sysstat.yml @@ -1,9 +1,10 @@ - name: install packages for sysstat and atop - apt: pkg={{ item }} update_cache=yes - with_items: - - sysstat - - xz-utils - - atop + apt: + update_cache: yes + pkg: + - sysstat + - xz-utils + - atop when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' - name: Enable sysstat diff --git a/roles/drupal/tasks/main.yml b/roles/drupal/tasks/main.yml index f8cebb48..3c1e75b3 100644 --- a/roles/drupal/tasks/main.yml +++ b/roles/drupal/tasks/main.yml @@ -9,7 +9,9 @@ - postgresql-9.4 - python-psycopg2 -- include: ../../../shared/project-account.yml user=www +- include_tasks: ../../../shared/project-account.yml + vars: + user: www - name: init database postgresql_db: name=osm_fr encoding='UTF-8' lc_collate='en_US.UTF-8' lc_ctype='en_US.UTF-8' template='template0' diff --git a/roles/export-cadastre/tasks/main.yml b/roles/export-cadastre/tasks/main.yml index 158de960..295c27fa 100644 --- a/roles/export-cadastre/tasks/main.yml +++ b/roles/export-cadastre/tasks/main.yml @@ -26,7 +26,9 @@ - zlib1g-dev - libjpeg-dev -- include: ../../../shared/project-account.yml user=cadastre +- include_tasks: ../../../shared/project-account.yml + vars: + user: cadastre - name: add cadastre user to www-data group user: name="cadastre" groups="www-data" append=yes diff --git a/roles/geoosm/tasks/main.yml b/roles/geoosm/tasks/main.yml index e718bed4..41470994 100644 
--- a/roles/geoosm/tasks/main.yml +++ b/roles/geoosm/tasks/main.yml @@ -33,7 +33,9 @@ - name: ensure postgresql server is running service: name=postgresql state=started -- include: ../../../shared/project-account.yml user=geoosm +- include_tasks: ../../../shared/project-account.yml + vars: + user: geoosm - name: checkout git repository for backend git: diff --git a/roles/layers.openstreetmap.fr/tasks/main.yml b/roles/layers.openstreetmap.fr/tasks/main.yml index 5e40d08c..608b6f31 100644 --- a/roles/layers.openstreetmap.fr/tasks/main.yml +++ b/roles/layers.openstreetmap.fr/tasks/main.yml @@ -1,4 +1,7 @@ -- include: ../../../shared/project-account.yml user=layers.openstreetmap.fr +- include_tasks: ../../../shared/project-account.yml + vars: + user: layers.openstreetmap.fr + - name: install packages apt: pkg={{ item }} with_items: diff --git a/roles/letsencrypt/tasks/acme-tiny.yml b/roles/letsencrypt/tasks/acme-tiny.yml index 0a68b2c1..030e6738 100644 --- a/roles/letsencrypt/tasks/acme-tiny.yml +++ b/roles/letsencrypt/tasks/acme-tiny.yml @@ -1,4 +1,7 @@ -- include: ../../../shared/project-account.yml user=letsencrypt generate_ssh_key=yes +- include_tasks: ../../../shared/project-account.yml + vars: + user: letsencrypt + generate_ssh_key: yes - name: fetch generated public ssh key fetch: src=/data/project/letsencrypt/.ssh/id_rsa.pub dest=public_keys/letsencrypt-{{ inventory_hostname }} flat=yes diff --git a/roles/letsencrypt/tasks/certbot.yml b/roles/letsencrypt/tasks/certbot.yml index b5643ab8..9d7b3660 100644 --- a/roles/letsencrypt/tasks/certbot.yml +++ b/roles/letsencrypt/tasks/certbot.yml @@ -1,4 +1,7 @@ -- include: ../../../shared/project-account.yml user=letsencrypt generate_ssh_key=yes +- include_tasks: ../../../shared/project-account.yml + vars: + user: letsencrypt + generate_ssh_key: yes - name: fetch generated public ssh key fetch: src=/data/project/letsencrypt/.ssh/id_rsa.pub dest=public_keys/letsencrypt-{{ inventory_hostname }} flat=yes 
diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml index 514a9e94..4d261351 100644 --- a/roles/letsencrypt/tasks/main.yml +++ b/roles/letsencrypt/tasks/main.yml @@ -1,7 +1,7 @@ - name: run acme-tiny - include: acme-tiny.yml + include_tasks: acme-tiny.yml when: letsencrypt_certbot is not defined - name: run certbot - include: certbot.yml + include_tasks: certbot.yml when: letsencrypt_certbot is defined diff --git a/roles/live/tasks/main.yml b/roles/live/tasks/main.yml index d6a6488e..2bc867ff 100644 --- a/roles/live/tasks/main.yml +++ b/roles/live/tasks/main.yml @@ -6,7 +6,9 @@ - python3-iso8601 - sqlite3 -- include: ../../../shared/project-account.yml user=live +- include_tasks: ../../../shared/project-account.yml + vars: + user: live - name: add sudoers to access live user copy: src=sudoers dest=/etc/sudoers.d/live mode=0440 owner=root group=root validate='visudo -cf %s' diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml index 9d9ff3c2..9a43d660 100644 --- a/roles/nextcloud/tasks/main.yml +++ b/roles/nextcloud/tasks/main.yml @@ -19,7 +19,9 @@ - php-xml - php-zip -- include: ../../../shared/project-account.yml user=nextcloud +- include_tasks: ../../../shared/project-account.yml + vars: + user: nextcloud # install phpBB3 manually in /data/project/nextcloud/nextcloud/ diff --git a/roles/osmbin/tasks/main.yml b/roles/osmbin/tasks/main.yml index b8423871..1b8f06e6 100644 --- a/roles/osmbin/tasks/main.yml +++ b/roles/osmbin/tasks/main.yml @@ -37,7 +37,9 @@ with_items: - osmium-2.15.2-or-later_1.0_all.deb -- include: ../../../shared/project-account.yml user=osmbin +- include_tasks: ../../../shared/project-account.yml + vars: + user: osmbin - name: add sudoers to access osmbin user copy: src=sudoers dest=/etc/sudoers.d/osmbin mode=0440 owner=root group=root validate='visudo -cf %s' diff --git a/roles/osmose-frontend/tasks/main.yml b/roles/osmose-frontend/tasks/main.yml index e723b529..8ab13d87 100644 
--- a/roles/osmose-frontend/tasks/main.yml +++ b/roles/osmose-frontend/tasks/main.yml @@ -29,7 +29,9 @@ - name: ensure postgresql server is running service: name=postgresql state=started -- include: ../../../shared/project-account.yml user=osmose +- include_tasks: ../../../shared/project-account.yml + vars: + user: osmose - name: init /data/work/osmose/results/ file: path=/data/work/osmose/results/ state=directory owner=osmose group=osmose diff --git a/roles/osmosis/tasks/main.yml b/roles/osmosis/tasks/main.yml index 81efef18..cba5860a 100644 --- a/roles/osmosis/tasks/main.yml +++ b/roles/osmosis/tasks/main.yml @@ -23,7 +23,9 @@ - name: ensure postgresql server is running service: name=postgresql state=started -- include: ../../../shared/project-account.yml user=osmosis +- include_tasks: ../../../shared/project-account.yml + vars: + user: osmosis - name: add sudoers to access osmosis user copy: src=sudoers dest=/etc/sudoers.d/osmosis-backend mode=0440 owner=root group=root validate='visudo -cf %s' @@ -97,7 +99,10 @@ become: yes become_user: osmosis -- include: ../../../shared/osmosis.yml user=osmosis version=0.47 +- include_tasks: ../../../shared/osmosis.yml + vars: + user: osmosis + version: 0.47 # To finish installation, run: # - (cd /data/work/osmosis/ && wget http://download.openstreetmap.fr/extracts/europe/france.osm.pbf) diff --git a/roles/overpass-api/tasks/main.yml b/roles/overpass-api/tasks/main.yml index 91ef77a2..9c032e65 100644 --- a/roles/overpass-api/tasks/main.yml +++ b/roles/overpass-api/tasks/main.yml @@ -4,7 +4,10 @@ - "ansible_version.full | version_compare('2.3', '>=')" msg: "ansible version must be >= 2.3, please update ansible." -- include: ../../../shared/project-account.yml user="{{ overpass_user }}" user_system="yes" +- include_tasks: ../../../shared/project-account.yml + vars: + user: "{{ overpass_user }}" + user_system: "yes" - name: set overpass_database_dir 
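Review bot: `version: 0.47` in the osmosis include is now parsed as a YAML float, whereas the old free-form `version=0.47` passed the string "0.47"; any version with a trailing zero or a second dot (`0.40`, `0.48.3`) would be mangled or fail to parse, and shared/osmosis.yml presumably builds a download path or filename from it. Quote it as `version: "0.47"` so the value stays a string regardless of the release number. The `user: osmosis` line is fine as-is.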
@@ -25,9 +28,9 @@ - "{{ overpass_database_dir }}" - "{{ overpass_webroot_dir }}" -- include: compile.yml -- include: set_up_database.yml -- include: services.yml -- include: web.yml -- include: munin.yml -- include: restart.yml +- import_tasks: compile.yml +- import_tasks: set_up_database.yml +- import_tasks: services.yml +- import_tasks: web.yml +- import_tasks: munin.yml +- import_tasks: restart.yml diff --git a/roles/polygons/tasks/main.yml b/roles/polygons/tasks/main.yml index c9c8bb3e..90a3a5e2 100644 --- a/roles/polygons/tasks/main.yml +++ b/roles/polygons/tasks/main.yml @@ -25,7 +25,9 @@ - name: ensure postgresql server is running service: name=postgresql state=started -- include: ../../../shared/project-account.yml user=polygons +- include_tasks: ../../../shared/project-account.yml + vars: + user: polygons - name: add sudoers to access polygons user copy: src=sudoers dest=/etc/sudoers.d/polygons mode=0440 owner=root group=root validate='visudo -cf %s' diff --git a/roles/rawedit/tasks/main.yml b/roles/rawedit/tasks/main.yml index 48f88e64..994998bc 100644 --- a/roles/rawedit/tasks/main.yml +++ b/roles/rawedit/tasks/main.yml @@ -23,7 +23,9 @@ - name: ensure postgresql server is running service: name=postgresql state=started -- include: ../../../shared/project-account.yml user=rawedit +- include_tasks: ../../../shared/project-account.yml + vars: + user: rawedit - name: init database diff --git a/roles/renderd/tasks/cyclosm.yml b/roles/renderd/tasks/cyclosm.yml index 285cdedc..70ed6a92 100644 --- a/roles/renderd/tasks/cyclosm.yml +++ b/roles/renderd/tasks/cyclosm.yml @@ -1,5 +1,7 @@ # style cyclosm -- include: ../../../shared/project-account.yml user=cyclosm +- include_tasks: ../../../shared/project-account.yml + vars: + user: cyclosm - name: checkout git repository git: diff --git a/roles/renderd/tasks/main.yml b/roles/renderd/tasks/main.yml index 64486a8b..10926fb9 100644 --- a/roles/renderd/tasks/main.yml +++ b/roles/renderd/tasks/main.yml 
@@ -42,7 +42,9 @@ - libapache2-mod-tile # style OSM-FR style -- include: ../../../shared/project-account.yml user=osmfr-cartocss +- include_tasks: ../../../shared/project-account.yml + vars: + user: osmfr-cartocss when: renderd_osmfr - name: checkout git repository @@ -53,7 +55,9 @@ # style layers # TODO: recompilation de renderd avec XMLCONFIGS_MAX=64 -- include: ../../../shared/project-account.yml user=layers +- include_tasks: ../../../shared/project-account.yml + vars: + user: layers when: renderd_layers - name: checkout git repository diff --git a/roles/taginfo/tasks/main.yml b/roles/taginfo/tasks/main.yml index 094e9e3f..61f0f836 100644 --- a/roles/taginfo/tasks/main.yml +++ b/roles/taginfo/tasks/main.yml @@ -29,7 +29,9 @@ - osmctools -- include: ../../../shared/project-account.yml user=taginfo +- include_tasks: ../../../shared/project-account.yml + vars: + user: taginfo - name: init /data/work/taginfo paths file: path={{ item }} state=directory owner=taginfo group=taginfo diff --git a/roles/yeswiki/tasks/main.yml b/roles/yeswiki/tasks/main.yml index db356452..4954f362 100644 --- a/roles/yeswiki/tasks/main.yml +++ b/roles/yeswiki/tasks/main.yml @@ -11,7 +11,9 @@ - php7.0-zip - python-pymysql -- include: ../../../shared/project-account.yml user=yeswiki +- include_tasks: ../../../shared/project-account.yml + vars: + user: yeswiki # install yeswiki manually in /data/project/yeswiki/yeswiki/ diff --git a/shared/project-account.yml b/shared/project-account.yml index 801fe026..de16ef2d 100644 --- a/shared/project-account.yml +++ b/shared/project-account.yml 
@@ -1,50 +1,58 @@ -- name: create root project_dir and work_dir - file: +--- +- name: Create root project_dir and work_dir + ansible.builtin.file: path: "{{ item }}" state: directory + mode: "0755" with_items: - /data/project - /data/work -- name: set project_dir and work_dir - set_fact: - project_dir: "/data/project/{{ user }}" - work_dir: "/data/work/{{ user }}" +- name: Set project_dir and work_dir + ansible.builtin.set_fact: + project_dir: /data/project/{{ user }} + work_dir: /data/work/{{ user }} -- name: Check if user exists - action: shell /usr/bin/getent passwd {{ user }} - register: user_exist - ignore_errors: True - changed_when: "user_exist.rc != 0" - -- name: init user ${user} - user: +- name: Init user ${user} + ansible.builtin.user: name: "{{ user }}" home: "{{ project_dir }}" - shell: "/bin/bash" + shell: /bin/bash generate_ssh_key: "{{ generate_ssh_key | default('no') }}" system: "{{ user_system | default('no') }}" - when: user_exist.changed -- name: init group ${user} - group: name={{ user }} +- name: Init group ${user} + ansible.builtin.group: + name: "{{ user }}" -- name: check if /data exists - stat: +- name: Check if /data exists + ansible.builtin.stat: path: /data register: data_exists -- name: init /data path - file: +- name: Init /data path + ansible.builtin.file: path: /data state: directory + mode: "0755" when: not data_exists.stat.exists -- name: init /data/work/ path for ${user} - file: path={{ work_dir }} state=directory owner={{ user }} group={{ user }} - -- name: copy default config files - copy: force=no src="shared/files/default{{ item }}" dest="{{ project_dir }}/{{ item }}" owner={{ user }} group={{ user }} +- name: Init /data/work/ path for ${user} + ansible.builtin.file: + path: "{{ work_dir }}" + state: directory + owner: "{{ user }}" + group: "{{ user }}" + mode: "0755" + +- name: Copy default config files + ansible.builtin.copy: + force: false + src: shared/files/default{{ item }} + dest: "{{ project_dir }}/{{ item }}" + 
owner: "{{ user }}" + group: "{{ user }}" + mode: "0644" with_items: - .gitconfig - .vimrc
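Review bot: Dropping the `getent`/`user_exist` guard changes what `ansible.builtin.user` does for accounts that already exist: `home` and `shell: /bin/bash` are now enforced on every run, while `system:` is silently ignored for existing users and `generate_ssh_key` never replaces an existing key (no `force`). That is reasonable declarative behaviour, but it is a behaviour change worth stating above the task, e.g. `# Runs unconditionally: home/shell are authoritative for project accounts; the system flag only applies at creation`. Any caller that referenced `user_exist` after including this file would now hit an undefined variable; none of the callers changed in this commit appear to, but the rest of those roles is not visible here. The "Check if /data exists" / "Init /data path" pair is also dead code on the new side, since the first task's `state: directory` on /data/project already creates /data as a parent. This hunk spans the whole file.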