Verified Commit fc769a7b authored by Frederik Schwan's avatar Frederik Schwan Committed by Sven-Hendrik Haase

fix E301 'Commands should not change things if nothing needs doing'

parent 631e8ba0
...@@ -12,10 +12,12 @@ ...@@ -12,10 +12,12 @@
- name: fetch borg key - name: fetch borg key
command: "/usr/local/bin/borg key export :: /dev/stdout" command: "/usr/local/bin/borg key export :: /dev/stdout"
register: borg_key register: borg_key
changed_when: "borg_key.rc == 0"
- name: fetch borg offsite key - name: fetch borg offsite key
command: "/usr/local/bin/borg-offsite key export :: /dev/stdout" command: "/usr/local/bin/borg-offsite key export :: /dev/stdout"
register: borg_offsite_key register: borg_offsite_key
changed_when: "borg_offsite_key.rc == 0"
- name: save borg key - name: save borg key
shell: gpg --batch --armor --encrypt --output - >"{{ playbook_dir }}/../../borg-keys/{{ inventory_hostname }}.gpg" {% for userid in root_gpgkeys %}--recipient {{ userid }} {% endfor %} shell: gpg --batch --armor --encrypt --output - >"{{ playbook_dir }}/../../borg-keys/{{ inventory_hostname }}.gpg" {% for userid in root_gpgkeys %}--recipient {{ userid }} {% endfor %}
...@@ -23,6 +25,8 @@ ...@@ -23,6 +25,8 @@
stdin: "{{ borg_key.stdout }}" stdin: "{{ borg_key.stdout }}"
chdir: "{{ playbook_dir }}/../.." chdir: "{{ playbook_dir }}/../.."
delegate_to: localhost delegate_to: localhost
register: gpg_key
changed_when: "gpg_key.rc == 0"
- name: save borg offsite key - name: save borg offsite key
shell: gpg --batch --armor --encrypt --output - >"{{ playbook_dir }}/../../borg-keys/{{ inventory_hostname }}-offsite.gpg" {% for userid in root_gpgkeys %}--recipient {{ userid }} {% endfor %} shell: gpg --batch --armor --encrypt --output - >"{{ playbook_dir }}/../../borg-keys/{{ inventory_hostname }}-offsite.gpg" {% for userid in root_gpgkeys %}--recipient {{ userid }} {% endfor %}
...@@ -30,3 +34,5 @@ ...@@ -30,3 +34,5 @@
stdin: "{{ borg_offsite_key.stdout }}" stdin: "{{ borg_offsite_key.stdout }}"
chdir: "{{ playbook_dir }}/../.." chdir: "{{ playbook_dir }}/../.."
delegate_to: localhost delegate_to: localhost
register: gpg_offsite_key
changed_when: "gpg_offsite_key.rc == 0"
...@@ -3,4 +3,5 @@ ...@@ -3,4 +3,5 @@
hosts: 127.0.0.1 hosts: 127.0.0.1
tasks: tasks:
- name: reencrypt vault key - name: reencrypt vault key
shell: set -o pipefail && gpg --decrypt --batch --quiet "{{playbook_dir}}/../../misc/vault-password.gpg" | gpg --batch --armor --encrypt --output - {% for userid in root_gpgkeys %}--recipient {{userid}} {% endfor %} | sponge "{{playbook_dir}}/../../misc/vault-password.gpg" shell: set -o pipefail && gpg --decrypt --batch --quiet "{{ playbook_dir }}/../../misc/vault-password.gpg" | gpg --batch --armor --encrypt --output - {% for userid in root_gpgkeys %}--recipient {{ userid }} {% endfor %} | sponge "{{ playbook_dir }}/../../misc/vault-password.gpg"
changed_when: false
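Review bot: `changed_when: false` on `reencrypt vault key` misreports what the task does: the pipeline decrypts and re-encrypts `misc/vault-password.gpg` through `sponge` on every run, so the file is rewritten each time. If the task is meant to always rewrite, `changed_when: true` satisfies E301 and reports honestly; otherwise the rewrite should be gated on the recipient list actually having changed, which the command as written does not check.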
...@@ -6,9 +6,11 @@ ...@@ -6,9 +6,11 @@
- name: fetch hostkey checksums - name: fetch hostkey checksums
shell: "for type in sha256 md5; do for file in /etc/ssh/ssh_host_*.pub; do ssh-keygen -l -f $file -E $type; done; echo; done" shell: "for type in sha256 md5; do for file in /etc/ssh/ssh_host_*.pub; do ssh-keygen -l -f $file -E $type; done; echo; done"
register: ssh_hostkeys register: ssh_hostkeys
changed_when: ssh_hostkeys | length > 0
- name: fetch known_hosts - name: fetch known_hosts
shell: "set -o pipefail && ssh-keyscan 127.0.0.1 2>/dev/null | sed 's#^127.0.0.1#{{ inventory_hostname }}#'" shell: "set -o pipefail && ssh-keyscan 127.0.0.1 2>/dev/null | sed 's#^127.0.0.1#{{ inventory_hostname }}#'"
register: known_hosts register: known_hosts
changed_when: known_hosts | length > 0
- name: store hostkeys - name: store hostkeys
hosts: localhost hosts: localhost
......
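Review bot: `changed_when: ssh_hostkeys | length > 0` and `changed_when: known_hosts | length > 0` apply `length` to the whole registered result mapping, which always carries several keys, so both conditions are always true and the tasks report changed unconditionally. Both commands only read data (`ssh-keygen -l`, `ssh-keyscan`), so `changed_when: false` is the accurate value; if the intent was to key on output, it would have to be `ssh_hostkeys.stdout | length > 0`, the form another file in this commit uses.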
...@@ -11,6 +11,7 @@ ...@@ -11,6 +11,7 @@
register: borg_list register: borg_list
ignore_errors: True ignore_errors: True
loop: "{{ backup_hosts }}" loop: "{{ backup_hosts }}"
changed_when: borg_list.stdout | length > 0
- name: init borg repository - name: init borg repository
command: borg init -e keyfile {{ item['host'] }}:{{ item['dir'] }} command: borg init -e keyfile {{ item['host'] }}:{{ item['dir'] }}
...@@ -36,6 +37,7 @@ ...@@ -36,6 +37,7 @@
command: getent passwd postgres command: getent passwd postgres
register: check_postgres_user register: check_postgres_user
ignore_errors: True ignore_errors: True
changed_when: check_postgres_user.stdout | length > 0
- name: make postgres backup directory - name: make postgres backup directory
file: path={{ postgres_backup_dir }} owner=root group=root state=directory file: path={{ postgres_backup_dir }} owner=root group=root state=directory
......
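Review bot: `changed_when: check_postgres_user.stdout | length > 0` turns a read-only `getent passwd postgres` probe into a reported change whenever the user exists, and `changed_when: borg_list.stdout | length > 0` in the earlier hunk does the same for a listing command. Neither task modifies the host, so `changed_when: false` is the accurate value for both; the registered stdout stays available to later `when:` conditions. While these tasks are being touched, `ignore_errors: True` would read more consistently as lowercase `true`.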
...@@ -30,6 +30,7 @@ ...@@ -30,6 +30,7 @@
register: ssh_keys register: ssh_keys
delegate_to: "{{ item }}" delegate_to: "{{ item }}"
with_items: "{{ backup_clients }}" with_items: "{{ backup_clients }}"
changed_when: ssh_keys.stdout | length > 0
- name: allow certain clients to connect - name: allow certain clients to connect
authorized_key: authorized_key:
......
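Review bot: `changed_when: ssh_keys.stdout | length > 0` reports a change whenever the command prints anything; the command itself is above the hunk, but its result is registered as `ssh_keys` from each backup client and handed to the `authorized_key` task that follows, which suggests it only reads public keys. If so, `changed_when: false` is the accurate value, and the `authorized_key` task is where the real change gets reported.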
...@@ -186,6 +186,8 @@ ...@@ -186,6 +186,8 @@
- name: generate mirror config - name: generate mirror config
command: /etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl command: /etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl
register: gen_rsyncd
changed_when: "gen_rsyncd.rc == 0"
- name: install svnlog - name: install svnlog
copy: src=svnlog dest=/usr/local/bin/svnlog owner=root group=root mode=0755 copy: src=svnlog dest=/usr/local/bin/svnlog owner=root group=root mode=0755
...@@ -197,11 +199,15 @@ ...@@ -197,11 +199,15 @@
command: git config --global user.name = 'svntogit' command: git config --global user.name = 'svntogit'
become: yes become: yes
become_user: svntogit become_user: svntogit
register: git_config_username
changed_when: "git_config_username.rc == 0"
- name: configure svntogit git user email - name: configure svntogit git user email
command: git config --global user.name = 'svntogit@repos.archlinux.org' command: git config --global user.name = 'svntogit@repos.archlinux.org'
become: yes become: yes
become_user: svntogit become_user: svntogit
register: git_config_email
changed_when: "git_config_email.rc == 0"
- name: template arch-svntogit - name: template arch-svntogit
copy: src=update-repos.sh dest=/srv/svntogit/update-repos.sh owner=root group=root mode=0755 copy: src=update-repos.sh dest=/srv/svntogit/update-repos.sh owner=root group=root mode=0755
...@@ -225,6 +231,8 @@ ...@@ -225,6 +231,8 @@
become: yes become: yes
become_user: svntogit become_user: svntogit
ignore_errors: yes ignore_errors: yes
register: git_public_remote
changed_when: "git_public_remote.rc == 0"
# The following command also serves as a way to get the data the first time the repo is set up # The following command also serves as a way to get the data the first time the repo is set up
- name: configure svntogit pull upstream branch - name: configure svntogit pull upstream branch
...@@ -234,6 +242,8 @@ ...@@ -234,6 +242,8 @@
- packages - packages
become: yes become: yes
become_user: svntogit become_user: svntogit
register: git_pull_upstream
changed_when: "git_pull_upstream.rc == 0"
- name: configure svntogit push upstream branch - name: configure svntogit push upstream branch
command: git push -u public master chdir=/srv/svntogit/repos/{{ item }} command: git push -u public master chdir=/srv/svntogit/repos/{{ item }}
...@@ -242,6 +252,8 @@ ...@@ -242,6 +252,8 @@
- packages - packages
become: yes become: yes
become_user: svntogit become_user: svntogit
register: git_push_master
changed_when: "git_push_master.rc == 0"
- name: fix svntogit home permissions - name: fix svntogit home permissions
file: path="/srv/svntogit" state=directory owner=svntogit group=svntogit mode=0775 file: path="/srv/svntogit" state=directory owner=svntogit group=svntogit mode=0775
......
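Review bot: The task registered as `git_config_email` runs `git config --global user.name = 'svntogit@repos.archlinux.org'`, the same key the `git_config_username` task sets just above it, so no email is ever configured and the second call overwrites the first; `user.email` looks intended. The bare `=` in both lines is also suspect, since `git config` takes `name value` positionally and would treat `=` as the value and the quoted string as a value pattern — worth checking `git config --global --list` on a configured host. The `rc == 0` conditions added throughout this file (`gen_rsyncd`, `git_config_username`, `git_push_master`, ...) are equivalent to Ansible's always-changed default for tasks without `ignore_errors`, since a non-zero rc fails the task; `changed_when: true` states that intent without implying a check.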
...@@ -3,6 +3,7 @@ ...@@ -3,6 +3,7 @@
- name: read /etc/motd - name: read /etc/motd
command: cat /etc/motd command: cat /etc/motd
register: motd_contents register: motd_contents
changed_when: cat.stdout | length > 0
- name: check whether we're running in the Hetzner rescue system - name: check whether we're running in the Hetzner rescue system
fail: msg="Not running in Hetzner rescue system!" fail: msg="Not running in Hetzner rescue system!"
...@@ -12,11 +13,13 @@ ...@@ -12,11 +13,13 @@
command: sgdisk -g --clear -n 1:0:+10M {{ item }} -c 1:boot -t 1:ef02 command: sgdisk -g --clear -n 1:0:+10M {{ item }} -c 1:boot -t 1:ef02
with_items: with_items:
- "{{ system_disks }}" - "{{ system_disks }}"
changed_when: "sgdisk.rc == 0"
- name: create root partitions - name: create root partitions
command: sgdisk -n 2:0:0 {{ item }} -c 2:root command: sgdisk -n 2:0:0 {{ item }} -c 2:root
with_items: with_items:
- "{{ system_disks }}" - "{{ system_disks }}"
changed_when: "sgdisk.rc == 0"
- name: partition and format the disks (btrfs) - name: partition and format the disks (btrfs)
command: mkfs.btrfs -f -L root -d {{ raid_level|default(raid1) }} -m {{ raid_level|default(raid1) }} -O no-holes /dev/sda2 /dev/sdb2 command: mkfs.btrfs -f -L root -d {{ raid_level|default(raid1) }} -m {{ raid_level|default(raid1) }} -O no-holes /dev/sda2 /dev/sdb2
...@@ -76,9 +79,13 @@ ...@@ -76,9 +79,13 @@
- name: initialize pacman keyring inside bootstrap chroot - name: initialize pacman keyring inside bootstrap chroot
command: chroot /tmp/root.x86_64 pacman-key --init command: chroot /tmp/root.x86_64 pacman-key --init
register: chroot_pacman_key_init
changed_when: "chroot_pacman_key_init.rc == 0"
- name: populate pacman keyring inside bootstrap chroot - name: populate pacman keyring inside bootstrap chroot
command: chroot /tmp/root.x86_64 pacman-key --populate archlinux command: chroot /tmp/root.x86_64 pacman-key --populate archlinux
register: chroot_pacman_key_populate
changed_when: "chroot_pacman_key_populate.rc == 0"
- name: install ucode update for Intel - name: install ucode update for Intel
set_fact: ucode="intel-ucode" set_fact: ucode="intel-ucode"
...@@ -111,9 +118,13 @@ ...@@ -111,9 +118,13 @@
- name: run locale-gen inside chroot - name: run locale-gen inside chroot
command: chroot /mnt locale-gen command: chroot /mnt locale-gen
register: chroot_locale_gen
changed_when: "chroot_locale_gen.rc == 0"
- name: run systemd-firstboot - name: run systemd-firstboot
command: chroot /mnt systemd-firstboot --locale=en_US.UTF-8 --timezone=UTC --hostname={{ hostname }} command: chroot /mnt systemd-firstboot --locale=en_US.UTF-8 --timezone=UTC --hostname={{ hostname }}
register: chroot_systemd_firstboot
changed_when: "chroot_systemd_firstboot.rc == 0"
- name: add mdadm_udev to mkinitcpio.conf - name: add mdadm_udev to mkinitcpio.conf
lineinfile: lineinfile:
...@@ -125,6 +136,8 @@ ...@@ -125,6 +136,8 @@
- name: run mkinitcpio - name: run mkinitcpio
command: chroot /mnt mkinitcpio -p linux command: chroot /mnt mkinitcpio -p linux
register: chroot_mkinitcpio
changed_when: "chroot_mkinitcpio.rc == 0"
- name: configure network (static) - name: configure network (static)
template: src=10-static-ethernet.network.j2 dest=/mnt/etc/systemd/network/10-static-ethernet.network owner=root group=root mode=0644 template: src=10-static-ethernet.network.j2 dest=/mnt/etc/systemd/network/10-static-ethernet.network owner=root group=root mode=0644
...@@ -151,12 +164,18 @@ ...@@ -151,12 +164,18 @@
command: chroot /mnt grub-install --recheck {{ item }} command: chroot /mnt grub-install --recheck {{ item }}
with_items: with_items:
- "{{ system_disks }}" - "{{ system_disks }}"
register: chroot_grub_install
changed_when: "chroot_grub_install.rc == 0"
- name: configure grub - name: configure grub
command: chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg command: chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg
register: chroot_grub_mkconfig
changed_when: "chroot_grub_mkconfig.rc == 0"
- name: enable services inside chroot - name: enable services inside chroot
command: chroot /mnt systemctl enable sshd systemd-networkd systemd-resolved fstrim.timer hcloud-init command: chroot /mnt systemctl enable sshd systemd-networkd systemd-resolved fstrim.timer hcloud-init
register: chroot_systemd_services
changed_when: "chroot_systemd_services.rc == 0"
- name: assign pubkey list to fact - name: assign pubkey list to fact
set_fact: pubkey_list="{{ lookup('file', "{{ playbook_dir }}/../../pubkeys/" + item) }}" set_fact: pubkey_list="{{ lookup('file', "{{ playbook_dir }}/../../pubkeys/" + item) }}"
...@@ -177,6 +196,8 @@ ...@@ -177,6 +196,8 @@
- name: clean pacman cache - name: clean pacman cache
shell: yes | chroot /mnt pacman -Scc shell: yes | chroot /mnt pacman -Scc
register: chroot_pacman_clean_cache
changed_when: "chroot_pacman_clean_cache.rc == 0"
- name: remove LOCK file on mountpoint - name: remove LOCK file on mountpoint
file: path=/mnt/LOCK state=absent file: path=/mnt/LOCK state=absent
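Review bot: `changed_when: cat.stdout | length > 0` on `read /etc/motd` references a variable `cat` that nothing registers — the task registers `motd_contents` — so evaluating the condition fails with an undefined-variable error, and since the task only reads a file `changed_when: false` is the right replacement. The `create root partitions` task has `changed_when: "sgdisk.rc == 0"` with no `register: sgdisk` in the task; the first `sgdisk` task's header is above the hunk, so it may register one there, but that would make the second task evaluate the first task's result. Each partition task needs its own register, e.g. `register: sgdisk_root` with `changed_when: "sgdisk_root.rc == 0"`. The `chroot_*` register/condition pairs in the later hunks are consistent with each other.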
...@@ -30,6 +30,7 @@ ...@@ -30,6 +30,7 @@
command: opendkim-testkey -d archlinux.org -s {{ dkim_selector }} -k /etc/opendkim/private/{{ dkim_selector }}.private -vvv command: opendkim-testkey -d archlinux.org -s {{ dkim_selector }} -k /etc/opendkim/private/{{ dkim_selector }}.private -vvv
tags: tags:
- dkimverify - dkimverify
changed_when: false
- name: start and enable opendkim - name: start and enable opendkim
service: name=opendkim enabled=yes state=started service: name=opendkim enabled=yes state=started
......
...@@ -11,6 +11,7 @@ ...@@ -11,6 +11,7 @@
delegate_to: "{{ item }}" delegate_to: "{{ item }}"
with_items: "{{ backup_clients }}" with_items: "{{ backup_clients }}"
remote_user: root remote_user: root
changed_when: client_ssh_keys.changed
- local_action: tempfile state=file - local_action: tempfile state=file
register: tempfile register: tempfile
...@@ -19,3 +20,5 @@ ...@@ -19,3 +20,5 @@
- name: upload authorized_keys file - name: upload authorized_keys file
local_action: command scp "{{ tempfile.path }}" "{{ rsync_net_username }}@{{ inventory_hostname }}":.ssh/authorized_keys local_action: command scp "{{ tempfile.path }}" "{{ rsync_net_username }}@{{ inventory_hostname }}":.ssh/authorized_keys
register: scp
changed_when: "scp.rc == 0"
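Review bot: `changed_when: client_ssh_keys.changed` is at best a no-op and at worst an undefined variable: the task's `register:` line is above the hunk, so if it registers as `client_ssh_keys` the condition merely restates the task's own `changed` value, and if it registers under another name the condition errors. If the task is a read-only key fetch from each backup client, as the name suggests, `changed_when: false` is the accurate value; the `upload authorized_keys file` task below, which copies the assembled file on every run, is where the change is actually reported.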
...@@ -54,6 +54,8 @@ ...@@ -54,6 +54,8 @@
command: /usr/bin/gpg --keyserver keys.openpgp.org --recv "{{ item }}" command: /usr/bin/gpg --keyserver keys.openpgp.org --recv "{{ item }}"
with_items: with_items:
- E240B57E2C4630BA768E2F26FC1B547C8D8172C8 - E240B57E2C4630BA768E2F26FC1B547C8D8172C8
register: gpg
changed_when: "gpg.rc == 0"
- name: clone security-tracker repo - name: clone security-tracker repo
git: repo=https://github.com/archlinux/arch-security-tracker.git version="{{ security_tracker_version }}" dest="{{ security_tracker_dir }}" force=true verify_commit=true git: repo=https://github.com/archlinux/arch-security-tracker.git version="{{ security_tracker_version }}" dest="{{ security_tracker_dir }}" force=true verify_commit=true
......
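Review bot: `changed_when: "gpg.rc == 0"` on the looped `gpg --recv` reports a change on every run, including when the key `E240B57E2C4630BA768E2F26FC1B547C8D8172C8` was already present. gpg's stderr distinguishes a fresh import from an already-known key (a message containing `imported` versus `not changed`), so `changed_when: "'imported' in gpg.stderr"` would give an accurate report — confirm the exact wording against the gpg version on the host. The generic `register: gpg` name is also easy to collide with; `gpg_recv_key` is more specific.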
...@@ -39,6 +39,8 @@ ...@@ -39,6 +39,8 @@
with_items: with_items:
- yerp.gpg.key - yerp.gpg.key
- zmi.gpg.key - zmi.gpg.key
register: sa-update
changed_when: "sa-update.rc == 0"
- name: install SA configs - name: install SA configs
template: src={{ item }}.j2 dest=/etc/mail/spamassassin/{{ item }} owner=root group=root mode=0644 template: src={{ item }}.j2 dest=/etc/mail/spamassassin/{{ item }} owner=root group=root mode=0644
...@@ -50,6 +52,7 @@ ...@@ -50,6 +52,7 @@
- name: check SA config validity - name: check SA config validity
command: /usr/bin/vendor_perl/spamassassin --lint command: /usr/bin/vendor_perl/spamassassin --lint
changed_when: false
- name: activate systemd timers - name: activate systemd timers
service: name={{ item }} enabled=yes state=started service: name={{ item }} enabled=yes state=started
......
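Review bot: `register: sa-update` is not a valid Ansible variable name (names are limited to letters, digits and underscores), so Ansible rejects it with an invalid-variable-name error, and even if it were accepted the Jinja expression `sa-update.rc == 0` parses as `sa` minus `update.rc`. Use `register: sa_update` and `changed_when: "sa_update.rc == 0"`. The `changed_when: false` on the `--lint` task is correct for a read-only check.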
...@@ -6,6 +6,8 @@ ...@@ -6,6 +6,8 @@
# https://github.com/ansible/ansible/issues/11024 # https://github.com/ansible/ansible/issues/11024
- name: remove all users from wheel group - name: remove all users from wheel group
command: groupmems -g wheel --purge command: groupmems -g wheel --purge
register: groupmems
changed_when: "groupmems.rc == 0"
- name: add sudo users to wheel - name: add sudo users to wheel
user: name="{{ item }}" append=yes groups=wheel user: name="{{ item }}" append=yes groups=wheel
......