Merge branch 'local-containers' into 'master'

Small changes for testing some roles in local containers

See merge request !58

host_vars/apollo.archlinux.org

@@ -36,5 +36,3 @@ fail2ban_jails:
   sshd: true
   postfix: true
   dovecot: false
-
-fastcgi_cache: wiki

roles/archwiki/meta/main.yml

+---
+dependencies:
+  - role: nginx

roles/archwiki/tasks/main.yml

@@ -30,6 +30,9 @@
   when: maintenance is not defined
   tags: ['nginx']
 
+- name: remove old fastcgi cache directory
+  file: path=/etc/nginx/wikicache state=absent
+
 - name: configure robots.txt
   copy: src=robots.txt dest="{{ archwiki_dir }}/robots.txt" owner=root group=root mode=0644
 

roles/archwiki/templates/archwiki-runjobs.service.j2

@@ -13,6 +13,3 @@ ProtectSystem=true
 ProtectKernelTunables=true
 ProtectKernelModules=true
 ProtectControlGroups=true
-
-[Install]
-WantedBy=multi-user.target

roles/archwiki/templates/archwiki-runjobs.timer.j2

 [Unit]
 Description=Archwiki runJobs timer
+After=mysqld.service
 
 [Timer]
 OnUnitActiveSec=5min

roles/archwiki/templates/nginx.d.conf.j2

+fastcgi_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=wiki:100m inactive=60m;
+fastcgi_cache_key "$scheme$request_method$host$request_uri";
+
 upstream archwiki {
     server unix://{{ archwiki_socket }};
 }
@@ -39,7 +42,7 @@ server {
     }
 
     location /robots.txt {
-	alias {{ archwiki_dir }}/robots.txt;
+        alias {{ archwiki_dir }}/robots.txt;
     }
 
     location ^~ /. {
@@ -61,7 +64,7 @@ server {
 
     # special case for '/load.php' type URLs to cache css/js in nginx to relieve php-fpm
     location = /load.php {
-        access_log   /var/log/nginx/wiki.archlinux.org/access.log main;
+        access_log   /var/log/nginx/{{ archwiki_domain }}/access.log main;
         fastcgi_pass   archwiki;
         fastcgi_index  index.php;
         fastcgi_split_path_info ^(.+\.php)(.*)$;

roles/common/files/smartd-override.conf

+[Unit]
+ConditionVirtualization=no

roles/common/tasks/main.yml

@@ -23,8 +23,16 @@
   pacman: name=smartmontools state=present
   when: "'hcloud' not in group_names"
 
+# override smartd.service with ConditionVirtualization=no
+# this should appear in the next upstream release, see https://github.com/smartmontools/smartmontools/issues/62
+- name: create drop-in directory for smartd.service
+  file: path=/etc/systemd/system/smartd.service.d state=directory owner=root group=root mode=0755
+
+- name: install drop-in snippet for smartd.service
+  copy: src=smartd-override.conf dest=/etc/systemd/system/smartd.service.d/override.conf owner=root group=root mode=0644
+
 - name: start and enable smart
-  service: name=smartd enabled=yes state=started
+  service: name=smartd enabled=yes state=started daemon_reload=yes
   when: "'hcloud' not in group_names"
 
 - name: start and enable btrfs scrub timer

roles/firewalld/handlers/main.yml

 ---
-- name: restart firewalld
-  service: name=firewalld state=restarted
+# NOTE: hack for a systemd bug (restarting firewalld.service fails due to fail2ban.service)
+# https://github.com/systemd/systemd/issues/2830
+# https://bugzilla.opensuse.org/show_bug.cgi?id=1146856
+#- name: restart firewalld
+#  service: name=firewalld state=restarted
+- name: stop firewalld
+  service: name=firewalld state=stopped
+  listen: restart firewalld
+- name: start firewalld
+  service: name=firewalld state=started
+  listen: restart firewalld

roles/fluxbb/tasks/main.yml

@@ -32,7 +32,7 @@
   template: >
     src=nginx.conf.j2 dest=/etc/nginx/nginx.d/fluxbb.conf
     owner=root group=root mode=0644
-  notify: restart nginx
+  notify: reload nginx
 
 - name: install python-passlib
   pacman: name=python-passlib

roles/mariadb/tasks/main.yml

@@ -40,9 +40,8 @@
   no_log: true
 
 - name: configure zabbix-agent user
+  # FIXME: "zabbix_agent" is hardcoded in the password variable: {{ vault_mariadb_users.zabbix_agent }}
+  # NOTE: the zabbix-agent role uses {{zabbix_agent_mysql_password}} in the my.cnf.j2 template
   mysql_user: user={{ zabbix_agent_mysql_user }} host=localhost password={{ vault_mariadb_users.zabbix_agent }}
 
 # TODO: implement in ansible: grant process on *.* to 'zabbix_agent'@'localhost';
-
-- name: install zabbix mysql config
-  template: src=zabbix_agentd.my.cnf.j2 dest=/etc/zabbix/zabbix_agentd.my.cnf owner=zabbix-agent group=zabbix-agent mode=0600

roles/mariadb/templates/zabbix_agentd.my.cnf.j2

-[client]
-user={{zabbix_agent_mysql_user}}
-password={{vault_mariadb_users.zabbix_agent}}

roles/nginx/defaults/main.yml

 ---
 letsencrypt_validation_dir: "/var/lib/letsencrypt"
-fastcgi_cache: false

roles/nginx/handlers/main.yml

 ---
 
-- name: restart nginx
-  service: name=nginx state=restarted
-
 - name: reload nginx
   service: name=nginx state=reloaded

roles/nginx/tasks/main.yml

@@ -9,7 +9,7 @@
 - name: configure nginx
   template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf owner=root group=root mode=0644
   notify:
-    - restart nginx
+    - reload nginx
 
 - name: snippets directories
   file: state=directory path=/etc/nginx/{{ item }} owner=root group=root mode=0755

roles/nginx/templates/nginx.conf.j2

@@ -72,11 +72,6 @@ http {
 
     index index.php index.html index.htm;
 
-{% if fastcgi_cache %}
-    fastcgi_cache_path /etc/nginx/wikicache levels=1:2 keys_zone=wiki:100m inactive=60m;
-    fastcgi_cache_key "$scheme$request_method$host$request_uri";
-
-{% endif %}
     access_log syslog:server=unix:/dev/log,nohostname,tag=nginx_http main;
 
     include snippets/sslsettings.conf;

roles/php_fpm/handlers/main.yaml

 ---
 - name: daemon reload
   systemd:
-    reload-daemon: yes
+    daemon-reload: yes

roles/sudo/defaults/main.yml

+---
+sudo_users:
+  - root