Verified Commit fc769a7b authored by Frederik Schwan's avatar Frederik Schwan Committed by Sven-Hendrik Haase

fix E301 'Commands should not change things if nothing needs doing'

parent 631e8ba0
......@@ -12,10 +12,12 @@
- name: fetch borg key
command: "/usr/local/bin/borg key export :: /dev/stdout"
register: borg_key
changed_when: "borg_key.rc == 0"
- name: fetch borg offsite key
command: "/usr/local/bin/borg-offsite key export :: /dev/stdout"
register: borg_offsite_key
changed_when: "borg_offsite_key.rc == 0"
- name: save borg key
shell: gpg --batch --armor --encrypt --output - >"{{ playbook_dir }}/../../borg-keys/{{ inventory_hostname }}.gpg" {% for userid in root_gpgkeys %}--recipient {{ userid }} {% endfor %}
......@@ -23,6 +25,8 @@
stdin: "{{ borg_key.stdout }}"
chdir: "{{ playbook_dir }}/../.."
delegate_to: localhost
register: gpg_key
changed_when: "gpg_key.rc == 0"
- name: save borg offsite key
shell: gpg --batch --armor --encrypt --output - >"{{ playbook_dir }}/../../borg-keys/{{ inventory_hostname }}-offsite.gpg" {% for userid in root_gpgkeys %}--recipient {{ userid }} {% endfor %}
......@@ -30,3 +34,5 @@
stdin: "{{ borg_offsite_key.stdout }}"
chdir: "{{ playbook_dir }}/../.."
delegate_to: localhost
register: gpg_offsite_key
changed_when: "gpg_offsite_key.rc == 0"
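Review bot: `changed_when: "borg_key.rc == 0"` and `changed_when: "borg_offsite_key.rc == 0"` mark the read-only `borg key export :: /dev/stdout` tasks as changed on every successful run, which silences E301 rather than satisfying it; for a command that only reads state the accurate value is `changed_when: false`. The same `<register>.rc == 0` construction is added for gpg_key, gpg_offsite_key, gen_rsyncd, the git_config_*/git_*_upstream/git_push_master registers, the chroot_* registers, scp, gpg, sa-update and groupmems, and in each case it reports a change whenever the command exits 0, regardless of whether anything was written. Where the command genuinely writes (the two gpg save tasks redirect into `borg-keys/<host>.gpg` and `-offsite.gpg`), a `creates:` argument on the shell task, or a preceding `stat` check, is what makes the task skip when nothing needs doing; where it only reads, `changed_when: false` is the fix.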
......@@ -3,4 +3,5 @@
hosts: 127.0.0.1
tasks:
- name: reencrypt vault key
shell: set -o pipefail && gpg --decrypt --batch --quiet "{{playbook_dir}}/../../misc/vault-password.gpg" | gpg --batch --armor --encrypt --output - {% for userid in root_gpgkeys %}--recipient {{userid}} {% endfor %} | sponge "{{playbook_dir}}/../../misc/vault-password.gpg"
shell: set -o pipefail && gpg --decrypt --batch --quiet "{{ playbook_dir }}/../../misc/vault-password.gpg" | gpg --batch --armor --encrypt --output - {% for userid in root_gpgkeys %}--recipient {{ userid }} {% endfor %} | sponge "{{ playbook_dir }}/../../misc/vault-password.gpg"
changed_when: false
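Review bot: `changed_when: false` on the reencrypt task is defensible only because the pipeline is meant to rewrite `vault-password.gpg` with the same plaintext, but the pipeline as written can destroy that file: `set -o pipefail` only affects the exit status, so if the decrypting `gpg` fails, the encrypting `gpg` receives empty input and `sponge` is still likely to overwrite the vault password file with whatever it received. Writing to a temporary path and moving it into place only on success avoids that, e.g. ending the pipeline with `--output "{{ playbook_dir }}/../../misc/vault-password.gpg.tmp" && mv "{{ playbook_dir }}/../../misc/vault-password.gpg.tmp" "{{ playbook_dir }}/../../misc/vault-password.gpg"` instead of the `| sponge` stage. A comment above the task such as `# re-encrypts to the current root_gpgkeys recipient set; plaintext is unchanged, hence changed_when: false` would document why the task never reports a change.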
......@@ -6,9 +6,11 @@
- name: fetch hostkey checksums
shell: "for type in sha256 md5; do for file in /etc/ssh/ssh_host_*.pub; do ssh-keygen -l -f $file -E $type; done; echo; done"
register: ssh_hostkeys
changed_when: ssh_hostkeys | length > 0
- name: fetch known_hosts
shell: "set -o pipefail && ssh-keyscan 127.0.0.1 2>/dev/null | sed 's#^127.0.0.1#{{ inventory_hostname }}#'"
register: known_hosts
changed_when: known_hosts | length > 0
- name: store hostkeys
hosts: localhost
......
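Review bot: `changed_when: ssh_hostkeys | length > 0` and `changed_when: known_hosts | length > 0` take the length of the registered result mapping, not of its output, so they are always true and both tasks report changed on every run. Both commands only read the host keys, so `changed_when: false` is the accurate value; if presence of output is what matters, the expression would need to be `ssh_hostkeys.stdout | length > 0` and `known_hosts.stdout | length > 0`.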
......@@ -11,6 +11,7 @@
register: borg_list
ignore_errors: True
loop: "{{ backup_hosts }}"
changed_when: borg_list.stdout | length > 0
- name: init borg repository
command: borg init -e keyfile {{ item['host'] }}:{{ item['dir'] }}
......@@ -36,6 +37,7 @@
command: getent passwd postgres
register: check_postgres_user
ignore_errors: True
changed_when: check_postgres_user.stdout | length > 0
- name: make postgres backup directory
file: path={{ postgres_backup_dir }} owner=root group=root state=directory
......
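Review bot: `changed_when: check_postgres_user.stdout | length > 0` marks the read-only `getent passwd postgres` probe as changed whenever the user exists, which is exactly the spurious "changed" that E301 targets; the task is a check run with `ignore_errors: True`, so `changed_when: false` (together with `failed_when: false` in place of `ignore_errors`) states the intent directly. The `borg_list.stdout | length > 0` guard in the first hunk is evaluated per loop item and so works as written, but the same question applies: if the registered command only lists the repository, `false` is the honest value. That command line begins above the hunk, so I cannot confirm it from here.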
......@@ -30,6 +30,7 @@
register: ssh_keys
delegate_to: "{{ item }}"
with_items: "{{ backup_clients }}"
changed_when: ssh_keys.stdout | length > 0
- name: allow certain clients to connect
authorized_key:
......
......@@ -186,6 +186,8 @@
- name: generate mirror config
command: /etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl
register: gen_rsyncd
changed_when: "gen_rsyncd.rc == 0"
- name: install svnlog
copy: src=svnlog dest=/usr/local/bin/svnlog owner=root group=root mode=0755
......@@ -197,11 +199,15 @@
command: git config --global user.name = 'svntogit'
become: yes
become_user: svntogit
register: git_config_username
changed_when: "git_config_username.rc == 0"
- name: configure svntogit git user email
command: git config --global user.name = 'svntogit@repos.archlinux.org'
become: yes
become_user: svntogit
register: git_config_email
changed_when: "git_config_email.rc == 0"
- name: template arch-svntogit
copy: src=update-repos.sh dest=/srv/svntogit/update-repos.sh owner=root group=root mode=0755
......@@ -225,6 +231,8 @@
become: yes
become_user: svntogit
ignore_errors: yes
register: git_public_remote
changed_when: "git_public_remote.rc == 0"
# The following command also serves as a way to get the data the first time the repo is set up
- name: configure svntogit pull upstream branch
......@@ -234,6 +242,8 @@
- packages
become: yes
become_user: svntogit
register: git_pull_upstream
changed_when: "git_pull_upstream.rc == 0"
- name: configure svntogit push upstream branch
command: git push -u public master chdir=/srv/svntogit/repos/{{ item }}
......@@ -242,6 +252,8 @@
- packages
become: yes
become_user: svntogit
register: git_push_master
changed_when: "git_push_master.rc == 0"
- name: fix svntogit home permissions
file: path="/srv/svntogit" state=directory owner=svntogit group=svntogit mode=0775
......
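Review bot: The task registered as `git_config_email` ("configure svntogit git user email") runs `git config --global user.name = 'svntogit@repos.archlinux.org'`, so it overwrites the name set by the preceding task instead of setting `user.email`, and the new `changed_when: "git_config_email.rc == 0"` then reports that as a successful change on every run. The bare `=` token in both git config commands also looks suspect: `git config` takes `name value [value-pattern]`, so `=` would become the value and the quoted string a pattern; `command: git config --global user.email 'svntogit@repos.archlinux.org'` and `command: git config --global user.name 'svntogit'` are presumably what was meant. The `rc == 0` conditions on these and on the gen_rsyncd, git_public_remote, git_pull_upstream and git_push_master tasks mark every successful run as changed, which hides rather than fixes the E301 finding; `git config` in particular is idempotent, so `changed_when: false` after a `git config --get` comparison, or simply leaving the default, would be more honest.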
......@@ -3,6 +3,7 @@
- name: read /etc/motd
command: cat /etc/motd
register: motd_contents
changed_when: cat.stdout | length > 0
- name: check whether we're running in the Hetzner rescue system
fail: msg="Not running in Hetzner rescue system!"
......@@ -12,11 +13,13 @@
command: sgdisk -g --clear -n 1:0:+10M {{ item }} -c 1:boot -t 1:ef02
with_items:
- "{{ system_disks }}"
changed_when: "sgdisk.rc == 0"
- name: create root partitions
command: sgdisk -n 2:0:0 {{ item }} -c 2:root
with_items:
- "{{ system_disks }}"
changed_when: "sgdisk.rc == 0"
- name: partition and format the disks (btrfs)
command: mkfs.btrfs -f -L root -d {{ raid_level|default(raid1) }} -m {{ raid_level|default(raid1) }} -O no-holes /dev/sda2 /dev/sdb2
......@@ -76,9 +79,13 @@
- name: initialize pacman keyring inside bootstrap chroot
command: chroot /tmp/root.x86_64 pacman-key --init
register: chroot_pacman_key_init
changed_when: "chroot_pacman_key_init.rc == 0"
- name: populate pacman keyring inside bootstrap chroot
command: chroot /tmp/root.x86_64 pacman-key --populate archlinux
register: chroot_pacman_key_populate
changed_when: "chroot_pacman_key_populate.rc == 0"
- name: install ucode update for Intel
set_fact: ucode="intel-ucode"
......@@ -111,9 +118,13 @@
- name: run locale-gen inside chroot
command: chroot /mnt locale-gen
register: chroot_locale_gen
changed_when: "chroot_locale_gen.rc == 0"
- name: run systemd-firstboot
command: chroot /mnt systemd-firstboot --locale=en_US.UTF-8 --timezone=UTC --hostname={{ hostname }}
register: chroot_systemd_firstboot
changed_when: "chroot_systemd_firstboot.rc == 0"
- name: add mdadm_udev to mkinitcpio.conf
lineinfile:
......@@ -125,6 +136,8 @@
- name: run mkinitcpio
command: chroot /mnt mkinitcpio -p linux
register: chroot_mkinitcpio
changed_when: "chroot_mkinitcpio.rc == 0"
- name: configure network (static)
template: src=10-static-ethernet.network.j2 dest=/mnt/etc/systemd/network/10-static-ethernet.network owner=root group=root mode=0644
......@@ -151,12 +164,18 @@
command: chroot /mnt grub-install --recheck {{ item }}
with_items:
- "{{ system_disks }}"
register: chroot_grub_install
changed_when: "chroot_grub_install.rc == 0"
- name: configure grub
command: chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg
register: chroot_grub_mkconfig
changed_when: "chroot_grub_mkconfig.rc == 0"
- name: enable services inside chroot
command: chroot /mnt systemctl enable sshd systemd-networkd systemd-resolved fstrim.timer hcloud-init
register: chroot_systemd_services
changed_when: "chroot_systemd_services.rc == 0"
- name: assign pubkey list to fact
set_fact: pubkey_list="{{ lookup('file', "{{ playbook_dir }}/../../pubkeys/" + item) }}"
......@@ -177,6 +196,8 @@
- name: clean pacman cache
shell: yes | chroot /mnt pacman -Scc
register: chroot_pacman_clean_cache
changed_when: "chroot_pacman_clean_cache.rc == 0"
- name: remove LOCK file on mountpoint
file: path=/mnt/LOCK state=absent
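Review bot: `changed_when: cat.stdout | length > 0` references a variable that does not exist — the task registers `motd_contents` — so this play will fail with an undefined-variable error on its first task; since `cat /etc/motd` only reads, `changed_when: false` is the fix. The two partition tasks add `changed_when: "sgdisk.rc == 0"` with no `register: sgdisk`: the "create root partitions" task is fully visible and has none, and the first task begins above the hunk, so unless a register hides there both will fail the same way, and because `sgdisk` rewrites the partition table unconditionally the honest form is a `creates:`/precondition guard rather than a condition on `rc`. The remaining `chroot_*.rc == 0` conditions in this file make every successful run report changed, hiding rather than fixing the E301 finding.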
......@@ -30,6 +30,7 @@
command: opendkim-testkey -d archlinux.org -s {{ dkim_selector }} -k /etc/opendkim/private/{{ dkim_selector }}.private -vvv
tags:
- dkimverify
changed_when: false
- name: start and enable opendkim
service: name=opendkim enabled=yes state=started
......
......@@ -11,6 +11,7 @@
delegate_to: "{{ item }}"
with_items: "{{ backup_clients }}"
remote_user: root
changed_when: client_ssh_keys.changed
- local_action: tempfile state=file
register: tempfile
......@@ -19,3 +20,5 @@
- name: upload authorized_keys file
local_action: command scp "{{ tempfile.path }}" "{{ rsync_net_username }}@{{ inventory_hostname }}":.ssh/authorized_keys
register: scp
changed_when: "scp.rc == 0"
......@@ -54,6 +54,8 @@
command: /usr/bin/gpg --keyserver keys.openpgp.org --recv "{{ item }}"
with_items:
- E240B57E2C4630BA768E2F26FC1B547C8D8172C8
register: gpg
changed_when: "gpg.rc == 0"
- name: clone security-tracker repo
git: repo=https://github.com/archlinux/arch-security-tracker.git version="{{ security_tracker_version }}" dest="{{ security_tracker_dir }}" force=true verify_commit=true
......
......@@ -39,6 +39,8 @@
with_items:
- yerp.gpg.key
- zmi.gpg.key
register: sa-update
changed_when: "sa-update.rc == 0"
- name: install SA configs
template: src={{ item }}.j2 dest=/etc/mail/spamassassin/{{ item }} owner=root group=root mode=0644
......@@ -50,6 +52,7 @@
- name: check SA config validity
command: /usr/bin/vendor_perl/spamassassin --lint
changed_when: false
- name: activate systemd timers
service: name={{ item }} enabled=yes state=started
......
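Review bot: `register: sa-update` is not a valid variable name — Ansible requires register names to be valid identifiers (letters, digits, underscores), and in the Jinja expression `sa-update.rc == 0` the hyphen parses as subtraction — so this task will error at runtime. Rename to `register: sa_update` and `changed_when: "sa_update.rc == 0"`. The command line itself begins above the hunk, so I cannot tell whether exit status 0 actually corresponds to a change here; if it does by the tool's exit-code convention, a comment on the task saying so would make the `rc == 0` condition defensible.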
......@@ -6,6 +6,8 @@
# https://github.com/ansible/ansible/issues/11024
- name: remove all users from wheel group
command: groupmems -g wheel --purge
register: groupmems
changed_when: "groupmems.rc == 0"
- name: add sudo users to wheel
user: name="{{ item }}" append=yes groups=wheel
......