Verified
Commit
fc769a7b
authored
Jun 12, 2020
by
Frederik Schwan
Committed by
Sven-Hendrik Haase
Jun 17, 2020
fix E301 'Commands should not change things if nothing needs doing'
parent
631e8ba0
Changes
12
playbooks/tasks/fetch-borg-keys.yml
@@ -12,10 +12,12 @@
-
name
:
fetch borg key
command
:
"
/usr/local/bin/borg
key
export
::
/dev/stdout"
register
:
borg_key
changed_when
:
"
borg_key.rc
==
0"
-
name
:
fetch borg offsite key
command
:
"
/usr/local/bin/borg-offsite
key
export
::
/dev/stdout"
register
:
borg_offsite_key
changed_when
:
"
borg_offsite_key.rc
==
0"
-
name
:
save borg key
shell
:
gpg --batch --armor --encrypt --output - >"{{ playbook_dir }}/../../borg-keys/{{ inventory_hostname }}.gpg" {% for userid in root_gpgkeys %}--recipient {{ userid }} {% endfor %}
@@ -23,6 +25,8 @@
stdin
:
"
{{
borg_key.stdout
}}"
chdir
:
"
{{
playbook_dir
}}/../.."
delegate_to
:
localhost
register
:
gpg_key
changed_when
:
"
gpg_key.rc
==
0"
-
name
:
save borg offsite key
shell
:
gpg --batch --armor --encrypt --output - >"{{ playbook_dir }}/../../borg-keys/{{ inventory_hostname }}-offsite.gpg" {% for userid in root_gpgkeys %}--recipient {{ userid }} {% endfor %}
@@ -30,3 +34,5 @@
stdin
:
"
{{
borg_offsite_key.stdout
}}"
chdir
:
"
{{
playbook_dir
}}/../.."
delegate_to
:
localhost
register
:
gpg_offsite_key
changed_when
:
"
gpg_offsite_key.rc
==
0"
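Review bot: `changed_when: "borg_key.rc == 0"` on `fetch borg key` (and `borg_offsite_key.rc == 0` on the task below it) is true on every run that does not fail, so both tasks still report changed each time and the E301 finding is silenced rather than fixed; `borg key export` only reads the key, so `changed_when: false` is the accurate value. The same `<var>.rc == 0` pattern is added in roles/dbscripts, roles/install_arch, roles/rsync_net, roles/security_tracker (`gpg --recv`), roles/spampd and roles/sudo, and for the read-only commands among them `changed_when: false` applies in the same way. Separately, the exported key material is kept by `register: borg_key` (visible in the hunk, possibly pre-existing), so it is part of the task result and is printed with verbose output; `no_log: true` on the two export tasks would keep the key out of logs.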
playbooks/tasks/reencrypt-vault-key.yml
@@ -3,4 +3,5 @@
hosts
:
127.0.0.1
tasks
:
-
name
:
reencrypt vault key
shell
:
set -o pipefail && gpg --decrypt --batch --quiet "{{playbook_dir}}/../../misc/vault-password.gpg" | gpg --batch --armor --encrypt --output - {% for userid in root_gpgkeys %}--recipient {{userid}} {% endfor %} | sponge "{{playbook_dir}}/../../misc/vault-password.gpg"
shell
:
set -o pipefail && gpg --decrypt --batch --quiet "{{ playbook_dir }}/../../misc/vault-password.gpg" | gpg --batch --armor --encrypt --output - {% for userid in root_gpgkeys %}--recipient {{ userid }} {% endfor %} | sponge "{{ playbook_dir }}/../../misc/vault-password.gpg"
changed_when
:
false
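Review bot: `changed_when: false` on `reencrypt vault key` reports no change although the command rewrites misc/vault-password.gpg through `sponge` on every run, so a run that actually re-encrypted the vault password shows as unchanged. If this playbook is meant to always rewrite the file, a comment saying so would make the `false` deliberate; otherwise leaving the shell task at its default (changed) is the truthful value. Note also that `set -o pipefail` only affects the exit status: `sponge` still writes whatever the encrypt stage produced, so a failed decrypt could replace the file with an encryption of empty input; writing to a temporary file and moving it into place only after the pipeline succeeds would avoid that. The play header starts above the hunk.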
playbooks/tasks/sync-ssh-hostkeys.yml
View file @
fc769a7b
@@ -6,9 +6,11 @@
-
name
:
fetch hostkey checksums
shell
:
"
for
type
in
sha256
md5;
do
for
file
in
/etc/ssh/ssh_host_*.pub;
do
ssh-keygen
-l
-f
$file
-E
$type;
done;
echo;
done"
register
:
ssh_hostkeys
changed_when
:
ssh_hostkeys | length >
0
-
name
:
fetch known_hosts
shell
:
"
set
-o
pipefail
&&
ssh-keyscan
127.0.0.1
2>/dev/null
|
sed
's#^127.0.0.1#{{
inventory_hostname
}}#'"
register
:
known_hosts
changed_when
:
known_hosts | length >
0
-
name
:
store hostkeys
hosts
:
localhost
...
roles/borg-client/tasks/main.yml
@@ -11,6 +11,7 @@
register
:
borg_list
ignore_errors
:
True
loop
:
"
{{
backup_hosts
}}"
changed_when
:
borg_list.stdout | length >
0
-
name
:
init borg repository
command
:
borg init -e keyfile {{ item['host'] }}:{{ item['dir'] }}
@@ -36,6 +37,7 @@
command
:
getent passwd postgres
register
:
check_postgres_user
ignore_errors
:
True
changed_when
:
check_postgres_user.stdout | length >
0
-
name
:
make postgres backup directory
file
:
path={{ postgres_backup_dir }} owner=root group=root state=directory
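Review bot: `changed_when: borg_list.stdout | length > 0` marks the `borg list` check as changed whenever the repository already has archives, i.e. on every normal run, although the task only reads; `changed_when: false` is the accurate value, and the same applies to `check_postgres_user.stdout | length > 0` on `getent passwd postgres` in the second hunk and to `ssh_keys.stdout | length > 0` in roles/borg-server. `ignore_errors: True` beside it would read better as the canonical `true` (yamllint truthy), though the Ansible loader accepts both. The task that registers `borg_list` starts above the hunk.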
...
...
roles/borg-server/tasks/main.yml
@@ -30,6 +30,7 @@
register
:
ssh_keys
delegate_to
:
"
{{
item
}}"
with_items
:
"
{{
backup_clients
}}"
changed_when
:
ssh_keys.stdout | length >
0
-
name
:
allow certain clients to connect
authorized_key
:
roles/dbscripts/tasks/main.yml
@@ -186,6 +186,8 @@
-
name
:
generate mirror config
command
:
/etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl
register
:
gen_rsyncd
changed_when
:
"
gen_rsyncd.rc
==
0"
-
name
:
install svnlog
copy
:
src=svnlog dest=/usr/local/bin/svnlog owner=root group=root mode=0755
@@ -197,11 +199,15 @@
command
:
git config --global user.name = 'svntogit'
become
:
yes
become_user
:
svntogit
register
:
git_config_username
changed_when
:
"
git_config_username.rc
==
0"
-
name
:
configure svntogit git user email
command
:
git config --global user.name = 'svntogit@repos.archlinux.org'
become
:
yes
become_user
:
svntogit
register
:
git_config_email
changed_when
:
"
git_config_email.rc
==
0"
-
name
:
template arch-svntogit
copy
:
src=update-repos.sh dest=/srv/svntogit/update-repos.sh owner=root group=root mode=0755
@@ -225,6 +231,8 @@
become
:
yes
become_user
:
svntogit
ignore_errors
:
yes
register
:
git_public_remote
changed_when
:
"
git_public_remote.rc
==
0"
# The following command also serves as a way to get the data the first time the repo is set up
-
name
:
configure svntogit pull upstream branch
@@ -234,6 +242,8 @@
-
packages
become
:
yes
become_user
:
svntogit
register
:
git_pull_upstream
changed_when
:
"
git_pull_upstream.rc
==
0"
-
name
:
configure svntogit push upstream branch
command
:
git push -u public master chdir=/srv/svntogit/repos/{{ item }}
@@ -242,6 +252,8 @@
-
packages
become
:
yes
become_user
:
svntogit
register
:
git_push_master
changed_when
:
"
git_push_master.rc
==
0"
-
name
:
fix svntogit home permissions
file
:
path="/srv/svntogit" state=directory owner=svntogit group=svntogit mode=0775
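Review bot: `changed_when: "git_config_username.rc == 0"` and `"git_config_email.rc == 0"` in the second hunk report changed on every successful run, and they wrap commands that look broken: `git config --global user.name = 'svntogit'` passes `=` as its own argument, which git appears to read as the value with the quoted name as a value pattern, and the task named `configure svntogit git user email` also writes `user.name` rather than `user.email`. Fixing the commands, e.g. `git config --global user.email 'svntogit@repos.archlinux.org'`, and giving these idempotent calls `changed_when: false` would address the cause instead of only the lint finding; the resulting `~svntogit/.gitconfig` is worth checking on a host to confirm. `gen_rsyncd.rc == 0` in the first hunk and the `git_public_remote`/`git_pull_upstream`/`git_push_master` conditions below fire on every successful run as well; the push tasks do touch the remote, so always-changed is at least defensible there.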
roles/install_arch/tasks/main.yml
@@ -3,6 +3,7 @@
-
name
:
read /etc/motd
command
:
cat /etc/motd
register
:
motd_contents
changed_when
:
cat.stdout | length >
0
-
name
:
check whether we're running in the Hetzner rescue system
fail
:
msg="Not running in Hetzner rescue system!"
@@ -12,11 +13,13 @@
command
:
sgdisk -g --clear -n 1:0:+10M {{ item }} -c 1:boot -t 1:ef02
with_items
:
-
"
{{
system_disks
}}"
changed_when
:
"
sgdisk.rc
==
0"
-
name
:
create root partitions
command
:
sgdisk -n 2:0:0 {{ item }} -c 2:root
with_items
:
-
"
{{
system_disks
}}"
changed_when
:
"
sgdisk.rc
==
0"
-
name
:
partition and format the disks (btrfs)
command
:
mkfs.btrfs -f -L root -d {{ raid_level|default(raid1) }} -m {{ raid_level|default(raid1) }} -O no-holes /dev/sda2 /dev/sdb2
@@ -76,9 +79,13 @@
-
name
:
initialize pacman keyring inside bootstrap chroot
command
:
chroot /tmp/root.x86_64 pacman-key --init
register
:
chroot_pacman_key_init
changed_when
:
"
chroot_pacman_key_init.rc
==
0"
-
name
:
populate pacman keyring inside bootstrap chroot
command
:
chroot /tmp/root.x86_64 pacman-key --populate archlinux
register
:
chroot_pacman_key_populate
changed_when
:
"
chroot_pacman_key_populate.rc
==
0"
-
name
:
install ucode update for Intel
set_fact
:
ucode="intel-ucode"
@@ -111,9 +118,13 @@
-
name
:
run locale-gen inside chroot
command
:
chroot /mnt locale-gen
register
:
chroot_locale_gen
changed_when
:
"
chroot_locale_gen.rc
==
0"
-
name
:
run systemd-firstboot
command
:
chroot /mnt systemd-firstboot --locale=en_US.UTF-8 --timezone=UTC --hostname={{ hostname }}
register
:
chroot_systemd_firstboot
changed_when
:
"
chroot_systemd_firstboot.rc
==
0"
-
name
:
add mdadm_udev to mkinitcpio.conf
lineinfile
:
@@ -125,6 +136,8 @@
-
name
:
run mkinitcpio
command
:
chroot /mnt mkinitcpio -p linux
register
:
chroot_mkinitcpio
changed_when
:
"
chroot_mkinitcpio.rc
==
0"
-
name
:
configure network (static)
template
:
src=10-static-ethernet.network.j2 dest=/mnt/etc/systemd/network/10-static-ethernet.network owner=root group=root mode=0644
@@ -151,12 +164,18 @@
command
:
chroot /mnt grub-install --recheck {{ item }}
with_items
:
-
"
{{
system_disks
}}"
register
:
chroot_grub_install
changed_when
:
"
chroot_grub_install.rc
==
0"
-
name
:
configure grub
command
:
chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg
register
:
chroot_grub_mkconfig
changed_when
:
"
chroot_grub_mkconfig.rc
==
0"
-
name
:
enable services inside chroot
command
:
chroot /mnt systemctl enable sshd systemd-networkd systemd-resolved fstrim.timer hcloud-init
register
:
chroot_systemd_services
changed_when
:
"
chroot_systemd_services.rc
==
0"
-
name
:
assign pubkey list to fact
set_fact
:
pubkey_list="{{ lookup('file', "{{ playbook_dir }}/../../pubkeys/" + item) }}"
@@ -177,6 +196,8 @@
-
name
:
clean pacman cache
shell
:
yes | chroot /mnt pacman -Scc
register
:
chroot_pacman_clean_cache
changed_when
:
"
chroot_pacman_clean_cache.rc
==
0"
-
name
:
remove LOCK file on mountpoint
file
:
path=/mnt/LOCK state=absent
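Review bot: `changed_when: cat.stdout | length > 0` on `read /etc/motd` in the first hunk references `cat`, but the task registers `motd_contents`, so evaluating the conditional fails on an undefined variable when the play runs; the command is read-only, so `changed_when: false` (or `motd_contents.stdout | length > 0` if the output is meant to count) is the fix. In the second hunk, `create root partitions` has no `register:` at all, so its `"sgdisk.rc == 0"` is either undefined or the result left by the preceding `sgdisk` task; the first partition task starts above the hunk, so whether it registers `sgdisk` is not visible here. Each partitioning task should register its own result, e.g. `register: sgdisk_root` with `changed_when: "sgdisk_root.rc == 0"`, or use `changed_when: true` since they always rewrite the partition table.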
roles/opendkim/tasks/main.yml
@@ -30,6 +30,7 @@
command
:
opendkim-testkey -d archlinux.org -s {{ dkim_selector }} -k /etc/opendkim/private/{{ dkim_selector }}.private -vvv
tags
:
-
dkimverify
changed_when
:
false
-
name
:
start and enable opendkim
service
:
name=opendkim enabled=yes state=started
roles/rsync_net/tasks/main.yml
@@ -11,6 +11,7 @@
delegate_to
:
"
{{
item
}}"
with_items
:
"
{{
backup_clients
}}"
remote_user
:
root
changed_when
:
client_ssh_keys.changed
-
local_action
:
tempfile state=file
register
:
tempfile
@@ -19,3 +20,5 @@
-
name
:
upload authorized_keys file
local_action
:
command scp "{{ tempfile.path }}" "{{ rsync_net_username }}@{{ inventory_hostname }}":.ssh/authorized_keys
register
:
scp
changed_when
:
"
scp.rc
==
0"
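Review bot: `changed_when: client_ssh_keys.changed` in the first hunk evaluates the `changed` field of the task's own registered result, which for a command task is always true, so the condition is circular and the task still reports changed on every run; the task that registers `client_ssh_keys` starts above the hunk, but if it only reads the clients' keys `changed_when: false` is the accurate value. In the second hunk `changed_when: "scp.rc == 0"` on `upload authorized_keys file` likewise fires on every successful copy; since the copy does overwrite the remote file each run that is at least truthful, but a comment stating that the upload is intentionally unconditional would make it clear.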
roles/security_tracker/tasks/main.yml
@@ -54,6 +54,8 @@
command
:
/usr/bin/gpg --keyserver keys.openpgp.org --recv "{{ item }}"
with_items
:
-
E240B57E2C4630BA768E2F26FC1B547C8D8172C8
register
:
gpg
changed_when
:
"
gpg.rc
==
0"
-
name
:
clone security-tracker repo
git
:
repo=https://github.com/archlinux/arch-security-tracker.git version="{{ security_tracker_version }}" dest="{{ security_tracker_dir }}" force=true verify_commit=true
roles/spampd/tasks/main.yml
@@ -39,6 +39,8 @@
with_items
:
-
yerp.gpg.key
-
zmi.gpg.key
register
:
sa-update
changed_when
:
"
sa-update.rc
==
0"
-
name
:
install SA configs
template
:
src={{ item }}.j2 dest=/etc/mail/spamassassin/{{ item }} owner=root group=root mode=0644
@@ -50,6 +52,7 @@
-
name
:
check SA config validity
command
:
/usr/bin/vendor_perl/spamassassin --lint
changed_when
:
false
-
name
:
activate systemd timers
service
:
name={{ item }} enabled=yes state=started
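Review bot: `register: sa-update` in the first hunk uses a hyphenated name, which is not a valid Ansible variable name, and `"sa-update.rc == 0"` is read by Jinja as the subtraction `sa - update.rc` rather than an attribute lookup; rename both to an identifier, `register: sa_update` and `changed_when: "sa_update.rc == 0"`. The task being registered (the one looping over `yerp.gpg.key`/`zmi.gpg.key`) starts above the hunk, so what it runs is not visible here. `changed_when: false` on `spamassassin --lint` in the second hunk is correct for a read-only check.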
roles/sudo/tasks/main.yml
@@ -6,6 +6,8 @@
# https://github.com/ansible/ansible/issues/11024
-
name
:
remove all users from wheel group
command
:
groupmems -g wheel --purge
register
:
groupmems
changed_when
:
"
groupmems.rc
==
0"
-
name
:
add sudo users to wheel
user
:
name="{{ item }}" append=yes groups=wheel