diff --git a/playbooks/accounts.archlinux.org.yml b/playbooks/accounts.archlinux.org.yml
index 5425e687489e9a23c8d588b7665e4a428539cb41..6d94b1759c3dc6e4995d72e28b946f3189217960 100644
--- a/playbooks/accounts.archlinux.org.yml
+++ b/playbooks/accounts.archlinux.org.yml
@@ -1,4 +1,4 @@
-- name: setup Keycloak server
+- name: Setup Keycloak server
 hosts: accounts.archlinux.org
 remote_user: root
 roles:
diff --git a/playbooks/all-hosts-basic.yml b/playbooks/all-hosts-basic.yml
index 387fe203bd38ff88a30e87b9b26c2a5bc2ae5278..62d6c3a50d8536c9a4773da9e2fcd0071a4fd38d 100644
--- a/playbooks/all-hosts-basic.yml
+++ b/playbooks/all-hosts-basic.yml
@@ -1,4 +1,4 @@
-- name: basic setup for all hosts
+- name: Basic setup for all hosts
 hosts: all
 remote_user: root
 roles:
diff --git a/playbooks/archive-mirrors.yml b/playbooks/archive-mirrors.yml
index 5d4518be053b62f4ff2a9d07eec307636a1ba930..b5730996a34c8bf754c85db62ef6b8a1c7d6573f 100644
--- a/playbooks/archive-mirrors.yml
+++ b/playbooks/archive-mirrors.yml
@@ -1,4 +1,4 @@
-- name: common playbook for archive-mirrors
+- name: Common playbook for archive-mirrors
 hosts: archive_mirrors
 remote_user: root
 roles:
diff --git a/playbooks/archlinux.org.yml b/playbooks/archlinux.org.yml
index ec22de8b291ab32b16138f495eaebb0340e42879..3329b791109135f320c2f41e7ca964772b1cb281 100644
--- a/playbooks/archlinux.org.yml
+++ b/playbooks/archlinux.org.yml
@@ -1,14 +1,14 @@ - name: "prepare postgres ssl hosts list" hosts: archlinux.org tasks: - - name: assign ipv4 addresses to fact postgres_hosts4 + - name: Assign ipv4 addresses to fact postgres_hosts4 set_fact: postgres_hosts4="{{ [gemini4] + detected_ips }}" vars: gemini4: "{{ hostvars['gemini.archlinux.org']['wireguard_address'] }}/32" detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['wireguard_address']) | select() | map('regex_replace', '^(.+)$', '\\1/32') | list }}" tags: ["postgres", "firewall"] -- name: setup archlinux.org +- name: Setup archlinux.org hosts: archlinux.org remote_user: root roles: diff --git a/playbooks/aur.archlinux.org.yml b/playbooks/aur.archlinux.org.yml index 787f94ea878c76f57252fc6ec669f0c07d0bbfa9..bf869676eb9139c8ef6e8569784000c203071f24 100644 --- a/playbooks/aur.archlinux.org.yml +++ b/playbooks/aur.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup aur.archlinux.org +- name: Setup aur.archlinux.org hosts: aur.archlinux.org remote_user: root roles: diff --git a/playbooks/bbs.archlinux.org.yml b/playbooks/bbs.archlinux.org.yml index 72102d2c478f337fda674eb66426a9c293bbed5c..300b685d5a7ded5c495f915f483b7de9a01c5e2c 100644 --- a/playbooks/bbs.archlinux.org.yml +++ b/playbooks/bbs.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup bbs.archlinux.org +- name: Setup bbs.archlinux.org hosts: bbs.archlinux.org remote_user: root roles: diff --git a/playbooks/bugs.archlinux.org.yml b/playbooks/bugs.archlinux.org.yml index 0bb89df30c9d7c96fddd6461fb6013bc1a61bc95..8420bca55a681cb0c5a2f931bb6343f509a06c7f 100644 --- a/playbooks/bugs.archlinux.org.yml +++ b/playbooks/bugs.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup bugs.archlinux.org +- name: Setup bugs.archlinux.org hosts: bugs.archlinux.org remote_user: root roles: diff --git a/playbooks/build.archlinux.org.yml b/playbooks/build.archlinux.org.yml index 5b2719f046d1d857850ce683663233e449a7e312..cc13de1fae8cda220b05f67936fb2c2a2c4a3bc6 100644 --- a/playbooks/build.archlinux.org.yml 
+++ b/playbooks/build.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup build.archlinux.org +- name: Setup build.archlinux.org hosts: build.archlinux.org remote_user: root roles: diff --git a/playbooks/dashboards.archlinux.org.yml b/playbooks/dashboards.archlinux.org.yml index 3d744a09b9fa0650547e499de78028585c369f79..73a63b6214056717338f41f120654b75b297ca22 100644 --- a/playbooks/dashboards.archlinux.org.yml +++ b/playbooks/dashboards.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup public dashboards server +- name: Setup public dashboards server hosts: dashboards.archlinux.org remote_user: root roles: diff --git a/playbooks/debuginfod.archlinux.org.yml b/playbooks/debuginfod.archlinux.org.yml index a78c970903152fef45243a8ea5edae14c569f5d9..92dbfc068f63d445e3d222d7f447a6ca347da135 100644 --- a/playbooks/debuginfod.archlinux.org.yml +++ b/playbooks/debuginfod.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup debuginfod.archlinux.org +- name: Setup debuginfod.archlinux.org hosts: debuginfod.archlinux.org remote_user: root roles: diff --git a/playbooks/gemini.archlinux.org.yml b/playbooks/gemini.archlinux.org.yml index a6659518ace6671ad4a19d908387f45ee4c4f136..7f68d9eb359b811cbe75c17f1e59034f7808e0f8 100644 --- a/playbooks/gemini.archlinux.org.yml +++ b/playbooks/gemini.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup gemini.archlinux.org +- name: Setup gemini.archlinux.org hosts: gemini.archlinux.org remote_user: root vars: diff --git a/playbooks/gitlab-runners.yml b/playbooks/gitlab-runners.yml index b943d70c95d08bd3ca0db9efcf2b0c47390060db..c6abbf615dc1f899f5d31fb7b23d512c1d019104 100644 --- a/playbooks/gitlab-runners.yml +++ b/playbooks/gitlab-runners.yml @@ -1,4 +1,4 @@ -- name: setup gitlab-runners +- name: Setup gitlab-runners hosts: gitlab_runners remote_user: root roles: diff --git a/playbooks/gitlab.archlinux.org.yml b/playbooks/gitlab.archlinux.org.yml index 0df29a54200032e4abefa8f377f634f3e3fce84b..19b2ccf391fae45d4ffa8f7623fca525226a7413 100644 
--- a/playbooks/gitlab.archlinux.org.yml +++ b/playbooks/gitlab.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup gitlab server +- name: Setup gitlab server hosts: gitlab.archlinux.org remote_user: root roles: diff --git a/playbooks/gluebuddy.archlinux.org.yml b/playbooks/gluebuddy.archlinux.org.yml index a6da7933feea1733782a7b8b3f33870fc2f9698a..380ce8cffdfa4cdd2901a4a4fc1a6b70e193ad89 100644 --- a/playbooks/gluebuddy.archlinux.org.yml +++ b/playbooks/gluebuddy.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup gluebuddy.archlinux.org +- name: Setup gluebuddy.archlinux.org hosts: gluebuddy.archlinux.org remote_user: root roles: diff --git a/playbooks/hetzner_storagebox.yml b/playbooks/hetzner_storagebox.yml index d0de542724fa449cd4f25784844d3fa75971c576..1eda3e12d70d4492554e833d93e455a014f67bd9 100644 --- a/playbooks/hetzner_storagebox.yml +++ b/playbooks/hetzner_storagebox.yml @@ -1,4 +1,4 @@ -- name: setup Hetzner storagebox account +- name: Setup Hetzner storagebox account hosts: localhost gather_facts: false vars_files: diff --git a/playbooks/homedir.archlinux.org.yml b/playbooks/homedir.archlinux.org.yml index 9afc659490a8ed11019ddf41b45e8cad6447bf41..bc039c33926c3eb3eeba4be21093e866adc6717b 100644 --- a/playbooks/homedir.archlinux.org.yml +++ b/playbooks/homedir.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup homedir.archlinux.org +- name: Setup homedir.archlinux.org hosts: homedir.archlinux.org remote_user: root roles: diff --git a/playbooks/lists.archlinux.org.yml b/playbooks/lists.archlinux.org.yml index 298aeb1dce25c6c9d32891376925a3bdec303ebb..0629ec0ba7907a9e1b5f17e5b0cf04cd0cfd9964 100644 --- a/playbooks/lists.archlinux.org.yml +++ b/playbooks/lists.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup mailman server +- name: Setup mailman server hosts: lists.archlinux.org remote_user: root roles: 
diff --git a/playbooks/mail.archlinux.org.yml b/playbooks/mail.archlinux.org.yml
index b8e5e90f3d3a8101f1cf269b431d76597da35d42..7a2b699e5e0a4a8a0200425d15e8543e6e907892 100644
--- a/playbooks/mail.archlinux.org.yml
+++ b/playbooks/mail.archlinux.org.yml
@@ -1,4 +1,4 @@
-- name: setup mail.archlinux.org
+- name: Setup mail.archlinux.org
 hosts: mail.archlinux.org
 remote_user: root
 roles:
diff --git a/playbooks/mailman3.archlinux.org.yml b/playbooks/mailman3.archlinux.org.yml
index b2ca8650326455be93640cd0c533e7c870338a78..171eb42dcb0fe502c0f2e255c73e4bd4f28c1d57 100644
--- a/playbooks/mailman3.archlinux.org.yml
+++ b/playbooks/mailman3.archlinux.org.yml
@@ -1,4 +1,4 @@
-- name: setup mailman3 server
+- name: Setup mailman3 server
 hosts: mailman3.archlinux.org
 remote_user: root
 roles:
diff --git a/playbooks/man.archlinux.org.yml b/playbooks/man.archlinux.org.yml
index 2481e80c82ec17b96a811672cbd0ff1994e8c392..e3ff9480046aa8c771c2a0710d9f0e889642c28e 100644
--- a/playbooks/man.archlinux.org.yml
+++ b/playbooks/man.archlinux.org.yml
@@ -1,4 +1,4 @@
-- name: setup man.archlinux.org
+- name: Setup man.archlinux.org
 hosts: man.archlinux.org
 remote_user: root
 roles:
diff --git a/playbooks/matrix.archlinux.org.yml b/playbooks/matrix.archlinux.org.yml
index cda2c872008152fddd23363cb35ac24876f29c36..cb833d45ce564f61fa8e6631ffb845626b55c6b9 100644
--- a/playbooks/matrix.archlinux.org.yml
+++ b/playbooks/matrix.archlinux.org.yml
@@ -1,4 +1,4 @@
-- name: setup matrix
+- name: Setup matrix
 hosts: matrix.archlinux.org
 remote_user: root
 vars_files:
diff --git a/playbooks/md.archlinux.org.yml b/playbooks/md.archlinux.org.yml
index dbd20b96ae2fd2f254406b7a5f8a61071b65a522..594a3837d1cf311998eac7eb98ae971a50defb67 100644
--- a/playbooks/md.archlinux.org.yml
+++ b/playbooks/md.archlinux.org.yml
@@ -1,4 +1,4 @@
-- name: setup hedgedoc server
+- name: Setup hedgedoc server
 hosts: md.archlinux.org
 remote_user: root
 roles:
diff --git a/playbooks/mirrors.yml b/playbooks/mirrors.yml
index b654fe69ff9da371653c699772044c399941c08e..f3a2cd58cb35a3fc234d7e3ba039d80f37669803 100644
--- a/playbooks/mirrors.yml
+++ b/playbooks/mirrors.yml
@@ -1,4 +1,4 @@
-- name: common playbook for mirrors
+- name: Common playbook for mirrors
 hosts: mirrors
 remote_user: root
 roles:
diff --git a/playbooks/monitoring.archlinux.org.yml b/playbooks/monitoring.archlinux.org.yml
index a4d4ebe8c38f686149f8118c53028936907bbbc0..2bd20f858573080b1e100e901aa41b6755f43bd6 100644
--- a/playbooks/monitoring.archlinux.org.yml
+++ b/playbooks/monitoring.archlinux.org.yml
@@ -1,4 +1,4 @@
-- name: setup prometheus server
+- name: Setup prometheus server
 hosts: monitoring.archlinux.org
 remote_user: root
 roles:
diff --git a/playbooks/patchwork.archlinux.org.yml b/playbooks/patchwork.archlinux.org.yml
index afd8d892ca2ac35841539679b5dfd1d52e9c5289..4776e4c8aa93b6f66516f9546bbd18d40d9908be 100644
--- a/playbooks/patchwork.archlinux.org.yml
+++ b/playbooks/patchwork.archlinux.org.yml
@@ -1,4 +1,4 @@
-- name: setup patchwork.archlinux.org
+- name: Setup patchwork.archlinux.org
 hosts: patchwork.archlinux.org
 remote_user: root
 roles:
diff --git a/playbooks/phrik.yml b/playbooks/phrik.yml
index 4da2d28f600c8e030dee3809a7ff42db4983d1be..7013f212008edac10627b69d955d265bbda45401 100644
--- a/playbooks/phrik.yml
+++ b/playbooks/phrik.yml
@@ -1,4 +1,4 @@
-- name: setup phrik bot server
+- name: Setup phrik bot server
 hosts: phrik.archlinux.org
 remote_user: root
 roles:
diff --git a/playbooks/quassel.archlinux.org.yml b/playbooks/quassel.archlinux.org.yml
index d7fd34a9c79230d36f2646e8a8eaaf75d51cb9f2..8ec0688437df76d7db501ca2805d25cd4ccac13f 100644
--- a/playbooks/quassel.archlinux.org.yml
+++ b/playbooks/quassel.archlinux.org.yml
@@ -1,4 +1,4 @@
-- name: setup quassel server
+- name: Setup quassel server
 hosts: quassel.archlinux.org
 remote_user: root
 roles:
diff --git a/playbooks/rebuilderd-workers.yml b/playbooks/rebuilderd-workers.yml
index a7b88f5c38f9915234a5f06e74369f7a1f822439..d4409792f22e5c7abd5487467e824d0fcd88a42b 100644
--- a/playbooks/rebuilderd-workers.yml
+++ b/playbooks/rebuilderd-workers.yml
@@ -1,4 +1,4 @@
-- name: common playbook for rebuilderd_workers
+- name: Common playbook for rebuilderd_workers
 hosts: rebuilderd_workers
 remote_user: root
 roles:
diff --git a/playbooks/redirect.archlinux.org.yml b/playbooks/redirect.archlinux.org.yml
index 53fbc6ba2c14ced53970fccbb860d5e2db750ae6..5bbcd4da8e9d81fdec96144f1b3c8296649e2297 100644
--- a/playbooks/redirect.archlinux.org.yml
+++ b/playbooks/redirect.archlinux.org.yml
@@ -1,4 +1,4 @@
-- name: setup redirect.archlinux.org
+- name: Setup redirect.archlinux.org
 hosts: redirect.archlinux.org
 remote_user: root
 roles:
diff --git a/playbooks/reproducible.archlinux.org.yml b/playbooks/reproducible.archlinux.org.yml
index 0942f810b7691ae8982a53fcb49107af97546f6c..88724c7b89898448a9d1eee731a6a563b87164c7 100644
--- a/playbooks/reproducible.archlinux.org.yml
+++ b/playbooks/reproducible.archlinux.org.yml
@@ -1,4 +1,4 @@
-- name: setup reproducible builds rebuilder
+- name: Setup reproducible builds rebuilder
 hosts: reproducible.archlinux.org
 remote_user: root
 roles:
diff --git a/playbooks/rsync.net.yml b/playbooks/rsync.net.yml
index 045e2e8550a4dc9be5865b72d65649db7dd7dee5..3102e4b19f35a644958be478050dbd724a52d9dd 100644
--- a/playbooks/rsync.net.yml
+++ b/playbooks/rsync.net.yml
@@ -1,4 +1,4 @@
-- name: setup rsync.net account
+- name: Setup rsync.net account
 hosts: localhost
 gather_facts: false
 vars_files:
diff --git a/playbooks/security.archlinux.org.yml b/playbooks/security.archlinux.org.yml
index 77aa612c82bad9e93bb63d2ec08895906caf3754..9599c0da3a1efd449e1c854d5e13137494d6ddb4 100644
--- a/playbooks/security.archlinux.org.yml
+++ b/playbooks/security.archlinux.org.yml
@@ -1,4 +1,4 @@ -- name: setup security.archlinux.org +- name: Setup security.archlinux.org hosts: security.archlinux.org remote_user: root roles: diff --git a/playbooks/state.archlinux.org.yml b/playbooks/state.archlinux.org.yml index 1d7e7948ce0f72741876a43fe8160d8eaf621b2f..fd1f00972c81f3139be3cb690271f05a13b5c286 100644 --- a/playbooks/state.archlinux.org.yml +++ b/playbooks/state.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup state.archlinux.org (terraform state store) +- name: Setup state.archlinux.org (terraform state store) hosts: state.archlinux.org remote_user: root roles: diff --git a/playbooks/tasks/fetch-borg-keys.yml b/playbooks/tasks/fetch-borg-keys.yml index a361a11c6fdad98da61f9980e2e7b78b0b37a846..2f18412dee62d7459e29c4e1fe2cbca56115e047 100644 --- a/playbooks/tasks/fetch-borg-keys.yml +++ b/playbooks/tasks/fetch-borg-keys.yml @@ -1,23 +1,23 @@ -- name: prepare local storage directory +- name: Prepare local storage directory hosts: localhost tasks: - - name: create borg-keys directory + - name: Create borg-keys directory file: path="{{ playbook_dir }}/../../borg-keys/" state=directory # noqa 208 -- name: fetch borg keys +- name: Fetch borg keys hosts: borg_clients tasks: - - name: fetch borg key + - name: Fetch borg key command: "/usr/local/bin/borg key export :: /dev/stdout" register: borg_key changed_when: "borg_key.rc == 0" - - name: fetch borg offsite key + - name: Fetch borg offsite key command: "/usr/local/bin/borg-offsite key export :: /dev/stdout" register: borg_offsite_key changed_when: "borg_offsite_key.rc == 0" - - name: save borg key + - name: Save borg key shell: gpg --batch --armor --encrypt --output - >"{{ playbook_dir }}/../../borg-keys/{{ inventory_hostname }}.gpg" {% for userid in vault_super_pgpkeys | flatten %}--recipient {{ userid }} {% endfor %} args: stdin: "{{ borg_key.stdout }}" 
@@ -26,7 +26,7 @@ register: gpg_key changed_when: "gpg_key.rc == 0" - - name: save borg offsite key + - name: Save borg offsite key shell: gpg --batch --armor --encrypt --output - >"{{ playbook_dir }}/../../borg-keys/{{ inventory_hostname }}-offsite.gpg" {% for userid in vault_super_pgpkeys | flatten %}--recipient {{ userid }} {% endfor %} args: stdin: "{{ borg_offsite_key.stdout }}" diff --git a/playbooks/tasks/include/reencrypt-vault-key.yml b/playbooks/tasks/include/reencrypt-vault-key.yml index 234c5a0cfae5523e192d69dcff0012f9bb0ae262..46ed11360fc1621a690c1fd22de11bddba04022e 100644 --- a/playbooks/tasks/include/reencrypt-vault-key.yml +++ b/playbooks/tasks/include/reencrypt-vault-key.yml @@ -1,7 +1,7 @@ -- name: check if moreutils is installed +- name: Check if moreutils is installed pacman: name=moreutils state=present -- name: reencrypt vault {{ vault_id }} key +- name: Reencrypt vault {{ vault_id }} key shell: | set -eo pipefail gpg --decrypt --batch --quiet "{{ playbook_dir }}/../../misc/vault-{{ vault_id }}-password.gpg" \ diff --git a/playbooks/tasks/include/upgrade-server.yml b/playbooks/tasks/include/upgrade-server.yml index 258423b70cbd0680ae9741dcc118d9fefd729047..f29270dd1c26a038e212e3d2f6772f069ee7be34 100644 --- a/playbooks/tasks/include/upgrade-server.yml +++ b/playbooks/tasks/include/upgrade-server.yml 
@@ -1,62 +1,62 @@ -- name: ensure latest keyring +- name: Ensure latest keyring pacman: name: archlinux-keyring state: latest update_cache: yes -- name: upgrade all packages +- name: Upgrade all packages pacman: upgrade: yes register: pacman_upgrade -- name: stop if no packages were upgraded +- name: Stop if no packages were upgraded meta: end_host when: pacman_upgrade is not changed -- name: check for running builds +- name: Check for running builds block: - - name: list build-related processes + - name: List build-related processes command: pgrep -x 'mkarchroot|makechrootpkg|systemd-nspawn' register: pgrep ignore_errors: true - - name: abort reboot with running builds + - name: Abort reboot with running builds meta: end_host when: pgrep is succeeded when: "'buildservers' in group_names" -- name: check for active borg backup jobs +- name: Check for active borg backup jobs block: - - name: check if /backup exists + - name: Check if /backup exists stat: path=/backup register: backup_mountdir - - name: abort reboot when borg backup is running + - name: Abort reboot when borg backup is running meta: end_host when: backup_mountdir.stat.exists when: "'borg_clients' in group_names" -- name: gemini pre-reboot checks +- name: Gemini pre-reboot checks block: - - name: list logged on users + - name: List logged on users command: who register: who - - name: abort reboot with logged on users + - name: Abort reboot with logged on users meta: end_host when: - who is changed - who.stdout_lines|length > 1 - - name: stop arch-svntogit.timer + - name: Stop arch-svntogit.timer service: name=arch-svntogit.timer state=stopped - - name: wait for svntogit to finish + - name: Wait for svntogit to finish wait_for: path: /srv/svntogit/update-repos.sh.lock state: absent when: inventory_hostname == "gemini.archlinux.org" -- name: reboot +- name: Reboot reboot: 
diff --git a/playbooks/tasks/install_arch.yml b/playbooks/tasks/install_arch.yml index 6f4b9d72f73982251df45eb548cbb343b0dab7b4..1f9978b0ca560c3ccf7b33db0b5e89ba26446488 100644 --- a/playbooks/tasks/install_arch.yml +++ b/playbooks/tasks/install_arch.yml @@ -1,7 +1,7 @@ # This script is for provisioning a server for first boot. # Care: It is not idempotent by design. -- name: install_arch +- name: Install arch hosts: all remote_user: root roles: diff --git a/playbooks/tasks/pacman-website.yml b/playbooks/tasks/pacman-website.yml index a64d9549ae57841ae366b41370d595fbcf52f7a3..57dd8c62993d3eb8824fe758988c4f1f420e54ff 100644 --- a/playbooks/tasks/pacman-website.yml +++ b/playbooks/tasks/pacman-website.yml @@ -8,13 +8,13 @@ tempfile: state=directory suffix=pacman register: tempdir - - name: fetch pacman tarball + - name: Fetch pacman tarball get_url: url=https://sources.archlinux.org/other/pacman/pacman-{{ pacman_version }}.tar.xz dest={{ tempdir.path }}/pacman.tar.xz - - name: unpack tarball + - name: Unpack tarball unarchive: src={{ tempdir.path }}/pacman.tar.xz dest={{ tempdir.path }} - - name: build website + - name: Build website command: "{{ item }}" args: chdir: "{{ tempdir.path }}/pacman-{{ pacman_version }}" @@ -23,10 +23,10 @@ - ninja -C build doc/website.tar.gz - block: - - name: create website directory + - name: Create website directory file: state=directory owner=root group=root mode=0755 path={{ pacman_dir }} - - name: upload website + - name: Upload website unarchive: src: "{{ tempdir.path }}/pacman-{{ pacman_version }}/build/doc/website.tar.gz" dest: "{{ pacman_dir }}" diff --git a/playbooks/tasks/reencrypt-vault-default-key.yml b/playbooks/tasks/reencrypt-vault-default-key.yml index 33d8206871eba4df5113558e27f8e69ef9b7e0f7..4fb85edfd0ee1d783def7fb2cd0707e6abd5f425 100644 --- a/playbooks/tasks/reencrypt-vault-default-key.yml +++ b/playbooks/tasks/reencrypt-vault-default-key.yml 
@@ -1,7 +1,7 @@ -- name: reencrypt vault default key +- name: Reencrypt vault default key hosts: localhost tasks: - - name: reencrypt vault default key + - name: Reencrypt vault default key include_tasks: include/reencrypt-vault-key.yml vars: vault_id: default diff --git a/playbooks/tasks/reencrypt-vault-super-key.yml b/playbooks/tasks/reencrypt-vault-super-key.yml index 33fd5eb30e928df8c5829ce331b7d45683dd8f5a..f5c893d59a30920145100327e9c3a2af140b0daf 100644 --- a/playbooks/tasks/reencrypt-vault-super-key.yml +++ b/playbooks/tasks/reencrypt-vault-super-key.yml @@ -1,7 +1,7 @@ -- name: reencrypt vault super key +- name: Reencrypt vault super key hosts: localhost tasks: - - name: reencrypt vault super key + - name: Reencrypt vault super key include_tasks: include/reencrypt-vault-key.yml vars: vault_id: super diff --git a/playbooks/tasks/sync-ssh-hostkeys.yml b/playbooks/tasks/sync-ssh-hostkeys.yml index f7ba3fdfecc77bb0ff27492ae87b53582531c4fb..b500128e63de0de29f3cb1e16af6d67786eeda1f 100644 --- a/playbooks/tasks/sync-ssh-hostkeys.yml +++ b/playbooks/tasks/sync-ssh-hostkeys.yml @@ -1,8 +1,8 @@ -- name: fetch ssh hostkeys +- name: Fetch ssh hostkeys hosts: all gather_facts: false tasks: - - name: fetch hostkey checksums + - name: Fetch hostkey checksums shell: | for type in sha256 md5; do for file in /etc/ssh/ssh_host_*.pub; do @@ -13,7 +13,7 @@ register: ssh_hostkeys changed_when: ssh_hostkeys | length > 0 - - name: fetch known_hosts + - name: Fetch known_hosts shell: | set -eo pipefail ssh-keyscan 127.0.0.1 2>/dev/null \ @@ -26,10 +26,10 @@ register: known_hosts changed_when: known_hosts | length > 0 -- name: store hostkeys +- name: Store hostkeys hosts: localhost tasks: - - name: store hostkeys + - name: Store hostkeys copy: dest: "{{ playbook_dir }}/../../docs/ssh-hostkeys.txt" content: | 
@@ -40,7 +40,7 @@ {% endfor %} mode: preserve - - name: store known_hosts + - name: Store known_hosts blockinfile: path: "{{ playbook_dir }}/../../docs/ssh-known_hosts.txt" block: | @@ -51,9 +51,9 @@ {% endfor %} -- name: upload known_hosts to all nodes +- name: Upload known_hosts to all nodes hosts: all tasks: - - name: upload known_hosts + - name: Upload known_hosts copy: dest=/etc/ssh/ssh_known_hosts src="{{ playbook_dir }}/../../docs/ssh-known_hosts.txt" owner=root group=root mode=0644 tags: ['upload-known-hosts'] diff --git a/playbooks/tasks/upgrade-servers.yml b/playbooks/tasks/upgrade-servers.yml index 6de69dd755f0265d6377a33ed0589cc7cd0c57b9..f51c53bcf8ce9eea9c2d32fc50170fd8748f60cf 100644 --- a/playbooks/tasks/upgrade-servers.yml +++ b/playbooks/tasks/upgrade-servers.yml @@ -1,19 +1,19 @@ -- name: upgrade and reboot all hetzner servers +- name: Upgrade and reboot all hetzner servers hosts: all,!kape_servers,!equinix_metal max_fail_percentage: 0 serial: 20% gather_facts: false tasks: - - name: upgrade each host in this batch + - name: Upgrade each host in this batch include_tasks: include/upgrade-server.yml -- name: upgrade and reboot all Kape and Equinix Metal servers +- name: Upgrade and reboot all Kape and Equinix Metal servers hosts: kape_servers,equinix_metal max_fail_percentage: 0 serial: 1 gather_facts: false tasks: - - name: upgrade each host in this batch + - name: Upgrade each host in this batch include_tasks: include/upgrade-server.yml diff --git a/playbooks/wiki.archlinux.org.yml b/playbooks/wiki.archlinux.org.yml index 41b1b8fddf885f53a50a55b5d3ccc26511f80f71..644d7f6fb45152cd11807d3c77807f658afb8c8e 100644 --- a/playbooks/wiki.archlinux.org.yml +++ b/playbooks/wiki.archlinux.org.yml @@ -1,4 +1,4 @@ -- name: setup wiki.archlinux.org +- name: Setup wiki.archlinux.org hosts: wiki.archlinux.org remote_user: root roles: 
diff --git a/roles/acme_dns_challenge/handlers/main.yml b/roles/acme_dns_challenge/handlers/main.yml index d889effb95e68108d57d1f18a299e9448fb178b4..fba3a6d1545b068ff0ac792e84492f4f93a835b3 100644 --- a/roles/acme_dns_challenge/handlers/main.yml +++ b/roles/acme_dns_challenge/handlers/main.yml @@ -1,2 +1,2 @@ -- name: restart powerdns +- name: Restart powerdns service: name=pdns state=restarted diff --git a/roles/acme_dns_challenge/tasks/main.yml b/roles/acme_dns_challenge/tasks/main.yml index c79aea6816eae82472754b0fd9bdcdffd8122b6f..63558cf555e343a073c0286597990ac2ee576c87 100644 --- a/roles/acme_dns_challenge/tasks/main.yml +++ b/roles/acme_dns_challenge/tasks/main.yml @@ -1,24 +1,24 @@ -- name: install powerdns +- name: Install powerdns pacman: name=powerdns state=present -- name: install PowerDNS configuration +- name: Install PowerDNS configuration template: src={{ item.src }} dest=/etc/powerdns/{{ item.dest }} owner=root group=root mode=0644 loop: - {src: pdns.conf.j2, dest: pdns.conf} - {src: dnsupdate-policy.lua.j2, dest: dnsupdate-policy.lua} notify: restart powerdns -- name: create directory for sqlite3 dbs +- name: Create directory for sqlite3 dbs file: path=/var/lib/powerdns state=directory owner=powerdns group=powerdns mode=0755 -- name: initialize sqlite3 database for _acme-challenge zones +- name: Initialize sqlite3 database for _acme-challenge zones command: sqlite3 -init /usr/share/doc/powerdns/schema.sqlite3.sql /var/lib/powerdns/pdns.sqlite3 "" become: true become_user: powerdns args: creates: /var/lib/powerdns/pdns.sqlite3 -- name: create _acme-challenge zones +- name: Create _acme-challenge zones shell: | pdnsutil create-zone _acme-challenge.{{ item }} {{ inventory_hostname }} pdnsutil replace-rrset _acme-challenge.{{ item }} @ SOA "{{ inventory_hostname }}. root.archlinux.org. 0 10800 3600 604800 3600" 
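Review bot: The unchanged context line `notify: restart powerdns` under the "Install PowerDNS configuration" task in roles/acme_dns_challenge/tasks/main.yml still carries the old lowercase name, while this same commit renames the handler in roles/acme_dns_challenge/handlers/main.yml to `Restart powerdns`; Ansible resolves `notify` by exact, case-sensitive match against a handler's `name` (or `listen`), so a changed pdns.conf or dnsupdate-policy.lua would fail with a handler-not-found error rather than restarting pdns, leaving the running daemon on the previous DNS-update policy. Change the line to `notify: Restart powerdns`. The same mismatch appears for `notify: reload alertmanager` in roles/alertmanager/tasks/main.yml against the renamed `Reload alertmanager` handler, and for `notify: - daemon reload` in roles/archbuild/tasks/main.yml against the renamed `Daemon reload` handler in roles/archbuild/handlers/main.yml; roles/arch_boxes_sync/tasks/main.yml notifies `daemon reload` too, and presumably needs the same update if its own handler file was renamed in this commit. A dry run of the affected roles (or an ansible-lint pass with handler resolution) before merge would catch any remaining references.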
@@ -27,18 +27,18 @@ become_user: powerdns changed_when: false -- name: import TSIG key (for certbot) +- name: Import TSIG key (for certbot) command: pdnsutil import-tsig-key {{ certbot_rfc2136_key }} {{ certbot_rfc2136_algorithm }} {{ certbot_rfc2136_secret }} changed_when: false -- name: open powerdns ipv4 port for monitoring.archlinux.org +- name: Open powerdns ipv4 port for monitoring.archlinux.org ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port=8081 accept" tags: - firewall -- name: open firewall hole +- name: Open firewall hole ansible.posix.firewalld: service=dns permanent=true state=enabled immediate=yes -- name: start and enable powerdns +- name: Start and enable powerdns systemd: name=pdns.service enabled=yes daemon_reload=yes state=started diff --git a/roles/alertmanager/handlers/main.yml b/roles/alertmanager/handlers/main.yml index bfb1d46931ef97f2fd2bdf0d6aa74eaca93c71e3..9ce78242de2a2f1142f2930ce450b34928a188fd 100644 --- a/roles/alertmanager/handlers/main.yml +++ b/roles/alertmanager/handlers/main.yml @@ -1,2 +1,2 @@ -- name: reload alertmanager +- name: Reload alertmanager service: name=alertmanager state=reloaded diff --git a/roles/alertmanager/tasks/main.yml b/roles/alertmanager/tasks/main.yml index b35c228e116a129d97954e703bbcf694d48a26b7..7c280edcf703eb9afa20f491d0d8abd7c2c65a81 100644 --- a/roles/alertmanager/tasks/main.yml +++ b/roles/alertmanager/tasks/main.yml 
@@ -1,9 +1,9 @@ -- name: install alertmanager server +- name: Install alertmanager server pacman: name=alertmanager state=present -- name: install alertmanager configuration +- name: Install alertmanager configuration template: src=alertmanager.yml.j2 dest=/etc/alertmanager/alertmanager.yml owner=root group=alertmanager mode=640 notify: reload alertmanager -- name: enable alertmanager server service +- name: Enable alertmanager server service systemd: name=alertmanager enabled=yes daemon_reload=yes state=started diff --git a/roles/arch_boxes_sync/tasks/main.yml b/roles/arch_boxes_sync/tasks/main.yml index 98d43e789ad4d141267973e7cb40d6e3bb3a0106..facceb5c377d7802cc132c4e0ef71d07c3c3cae2 100644 --- a/roles/arch_boxes_sync/tasks/main.yml +++ b/roles/arch_boxes_sync/tasks/main.yml @@ -1,10 +1,10 @@ -- name: install arch-boxes-sync.sh script dependencies +- name: Install arch-boxes-sync.sh script dependencies pacman: name=curl,jq,unzip state=present -- name: install arch-boxes-sync.sh script +- name: Install arch-boxes-sync.sh script copy: src=arch-boxes-sync.sh dest=/usr/local/bin/ owner=root group=root mode=0755 -- name: install arch-boxes-sync.{service,timer} +- name: Install arch-boxes-sync.{service,timer} copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 loop: - arch-boxes-sync.service @@ -12,5 +12,5 @@ notify: - daemon reload -- name: start and enable arch-boxes-sync.timer +- name: Start and enable arch-boxes-sync.timer systemd: name=arch-boxes-sync.timer enabled=yes daemon_reload=yes state=started diff --git a/roles/archbuild/handlers/main.yml b/roles/archbuild/handlers/main.yml index b7dd1329ddc3a1ab0c1adb00e3c6fc5bf0f3ee5d..53c25acb653061ac6585331c532338b68ce70faa 100644 --- a/roles/archbuild/handlers/main.yml +++ b/roles/archbuild/handlers/main.yml @@ -1,3 +1,3 @@ -- name: daemon reload +- name: Daemon reload systemd: daemon-reload: true 
diff --git a/roles/archbuild/tasks/main.yml b/roles/archbuild/tasks/main.yml index 7ed1734635693922ebc1fd9cec918efca6d4916c..d4ee7e3a1eaaf71fdc88a7c3267e7da7c8c902ec 100644 --- a/roles/archbuild/tasks/main.yml +++ b/roles/archbuild/tasks/main.yml @@ -1,4 +1,4 @@ -- name: install archbuild +- name: Install archbuild pacman: name: - base-devel @@ -16,7 +16,7 @@ - appstream-generator state: present -- name: install archbuild scripts +- name: Install archbuild scripts copy: src={{ item }} dest=/usr/local/bin/{{ item }} owner=root group=root mode=0755 with_items: - mkpkg @@ -28,12 +28,12 @@ - clean-offload-build - gitpkg -- name: install archbuild config files +- name: Install archbuild config files copy: src={{ item }} dest=/usr/local/share/{{ item }} owner=root group=root mode=0644 with_items: - elinks-pkgdiffrepo.conf -- name: install archbuild units +- name: Install archbuild units copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 with_items: - clean-chroots.timer 
@@ -47,33 +47,33 @@ notify: - daemon reload -- name: install archbuild unit +- name: Install archbuild unit copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 with_items: - var-lib-archbuild.mount notify: - daemon reload -- name: install archbuild user units +- name: Install archbuild user units copy: src={{ item }} dest=/etc/systemd/user/{{ item }} owner=root group=root mode=0644 with_items: - mkpkg@.timer - mkpkg@.service -- name: install user-.slice snippet +- name: Install user-.slice snippet copy: src=user-.slice.d dest=/etc/systemd/system owner=root group=root mode=0644 -- name: start and enable archbuild mounts +- name: Start and enable archbuild mounts service: name={{ item }} enabled={{ "yes" if archbuild_fs == 'tmpfs' else "no" }} state={{ "started" if archbuild_fs == 'tmpfs' else "stopped" }} with_items: - var-lib-archbuild.mount -- name: start and enable archbuilddest mount +- name: Start and enable archbuilddest mount service: name={{ item }} enabled=yes state=started with_items: - var-lib-archbuilddest.mount -- name: create archbuilddest +- name: Create archbuilddest file: state: directory path: '/var/lib/{{ "/".join(item) }}' @@ -84,7 +84,7 @@ - [archbuilddest] - [srcdest] -- name: set acl on archbuilddest +- name: Set acl on archbuilddest acl: name: '/var/lib/archbuilddest/{{ item[0] }}' state: present 
@@ -104,18 +104,18 @@ 'default:other::r-x', 'default:mask::rwx'] -- name: start and enable archbuild units +- name: Start and enable archbuild units service: name={{ item }} enabled=yes state=started with_items: - clean-chroots.timer - clean-dests.timer - clean-offload-build.timer -- name: install makepkg.conf +- name: Install makepkg.conf template: src=makepkg.conf.j2 dest=/etc/makepkg.conf owner=root group=root mode=0644 -- name: install archbuild sudoers config +- name: Install archbuild sudoers config copy: src=sudoers dest=/etc/sudoers.d/archbuild owner=root group=root mode=0440 -- name: install gitconfig +- name: Install gitconfig copy: src=gitconfig dest=/etc/gitconfig owner=root group=root mode=0644 diff --git a/roles/archive/tasks/main.yml b/roles/archive/tasks/main.yml index 4eb0e5ed8377ced24eb1754aabb9a666e1191307..5e0664c58c4d31024ec5dc922906dcf27b6503eb 100644 --- a/roles/archive/tasks/main.yml +++ b/roles/archive/tasks/main.yml @@ -1,7 +1,7 @@ -- name: install archivetools package +- name: Install archivetools package pacman: name=archivetools state=present -- name: make archive dir +- name: Make archive dir file: path: "{{ archive_dir }}" state: directory @@ -9,7 +9,7 @@ group: archive mode: 0755 -- name: setup archive configuration +- name: Setup archive configuration template: src: archive.conf.j2 dest: /etc/archive.conf 
@@ -17,34 +17,34 @@ group: root mode: 0644 -- name: setup archive timer +- name: Setup archive timer systemd: name=archive.timer enabled=yes state=started -- name: setup archive-hardlink timer +- name: Setup archive-hardlink timer systemd: name=archive-hardlink.timer enabled=yes state=started -- name: install internet archive packages +- name: Install internet archive packages pacman: name=python-internetarchive,python-xtarfile state=present -- name: create archive user +- name: Create archive user user: name={{ archive_user_name }} shell=/bin/false home="{{ archive_user_home }}" createhome=yes -- name: configure archive.org client +- name: Configure archive.org client command: ia configure --username={{ vault_archive_username }} --password={{ vault_archive_password }} creates={{ archive_user_home }}/.config/ia.ini become: true become_user: "{{ archive_user_name }}" -- name: clone archive uploader code +- name: Clone archive uploader code git: repo=https://github.com/archlinux/arch-historical-archive.git dest="{{ archive_repo }}" version="{{ archive_uploader_version }}" become: true become_user: "{{ archive_user_name }}" -- name: install system service +- name: Install system service template: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 loop: - archive-uploader.service - archive-uploader.timer -- name: start uploader timer +- name: Start uploader timer systemd: name: archive-uploader.timer enabled: true diff --git a/roles/archive_web/tasks/main.yml b/roles/archive_web/tasks/main.yml index 18287e45daa7dab4458b539245069e791b93657d..a9b2528ff8e8787028f8cf3085d62cbb5c62eed9 100644 --- a/roles/archive_web/tasks/main.yml +++ b/roles/archive_web/tasks/main.yml @@ -1,10 +1,10 @@ -- name: create ssl cert +- name: Create ssl cert include_role: name: certificate vars: domains: ["{{ archive_domain }}"] -- name: set up nginx +- name: Set up nginx template: src: nginx.d.conf.j2 dest: /etc/nginx/nginx.d/archive.conf 
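Review bot: `Configure archive.org client` passes `{{ vault_archive_password }}` on the command line of `ia configure` and the task has no `no_log: true`, so the vaulted secret is echoed in the play output (and any callback or CI log) and is visible on the host in the process listing for as long as `ia` runs. At minimum add `no_log: true` to that task, matching the `no_log` already used on the db-user tasks elsewhere in this diff; if the `ia` client can take the credentials via environment or stdin, that would keep them out of argv entirely. The `creates=` guard limits the exposure to the first provisioning run, not every run, but the log line persists.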
@@ -15,7 +15,7 @@ - reload nginx tags: ['nginx'] -- name: make nginx log dir +- name: Make nginx log dir file: path: /var/log/nginx/{{ archive_domain }} state: directory diff --git a/roles/archmanweb/tasks/main.yml b/roles/archmanweb/tasks/main.yml index 26cb1c5e34f3c2e65772266b7bcfa862d0d9b6a8..e4d71f032b0f658d491d80d35653ff990bc57b4e 100644 --- a/roles/archmanweb/tasks/main.yml +++ b/roles/archmanweb/tasks/main.yml @@ -1,11 +1,11 @@ -- name: create ssl cert +- name: Create ssl cert include_role: name: certificate vars: domains: ["{{ archmanweb_domain }}"] when: 'archmanweb_domain is defined' -- name: install required packages +- name: Install required packages pacman: state: present name: @@ -22,24 +22,24 @@ - make - sassc -- name: make archmanweb user +- name: Make archmanweb user user: name=archmanweb shell=/bin/false home="{{ archmanweb_dir }}" -- name: fix home permissions +- name: Fix home permissions file: state=directory owner=archmanweb group=archmanweb mode=0755 path="{{ archmanweb_dir }}" -- name: set archmanweb groups +- name: Set archmanweb groups user: name=archmanweb groups=uwsgi -- name: set up nginx +- name: Set up nginx template: src=nginx.d.conf.j2 dest="{{ archmanweb_nginx_conf }}" owner=root group=root mode=644 notify: reload nginx tags: ['nginx'] -- name: make nginx log dir +- name: Make nginx log dir file: path=/var/log/nginx/{{ archmanweb_domain }} state=directory owner=root group=root mode=0755 -- name: clone archmanweb repo +- name: Clone archmanweb repo git: > repo={{ archmanweb_repository }} dest="{{ archmanweb_dir }}/repo" @@ -51,7 +51,7 @@ become_user: archmanweb register: release -- name: build archlinux-common-style +- name: Build archlinux-common-style command: cmd: make SASS=sassc chdir: "{{ archmanweb_dir }}/repo/archlinux-common-style" 
@@ -59,27 +59,27 @@ become_user: archmanweb when: release.changed or archmanweb_forced_deploy -- name: configure archmanweb +- name: Configure archmanweb template: src=local_settings.py.j2 dest={{ archmanweb_dir }}/repo/local_settings.py owner=archmanweb group=archmanweb mode=0660 register: config no_log: true -- name: copy robots.txt +- name: Copy robots.txt copy: src=robots.txt dest="{{ archmanweb_dir }}/repo/robots.txt" owner=root group=root mode=0644 -- name: create archmanweb db user +- name: Create archmanweb db user postgresql_user: name={{ archmanweb_db_user }} password={{ vault_archmanweb_db_password }} login_host="{{ archmanweb_db_host }}" login_password="{{ vault_postgres_users.postgres }}" encrypted=yes no_log: true -- name: create archmanweb db +- name: Create archmanweb db postgresql_db: name="{{ archmanweb_db }}" login_host="{{ archmanweb_db_host }}" login_password="{{ vault_postgres_users.postgres }}" owner="{{ archmanweb_db_user }}" register: db_created -- name: add pg_trgm extension to the archmanweb db +- name: Add pg_trgm extension to the archmanweb db postgresql_ext: name="pg_trgm" db="{{ archmanweb_db }}" login_host="{{ archmanweb_db_host }}" login_password="{{ vault_postgres_users.postgres }}" when: db_created.changed or archmanweb_forced_deploy -- name: run Django management tasks +- name: Run Django management tasks django_manage: app_path="{{ archmanweb_dir }}/repo" command="{{ item }}" with_items: - migrate 
@@ -89,18 +89,18 @@ become_user: archmanweb when: db_created.changed or release.changed or config.changed or archmanweb_forced_deploy -- name: configure UWSGI for archmanweb +- name: Configure UWSGI for archmanweb template: src=archmanweb.ini.j2 dest=/etc/uwsgi/vassals/archmanweb.ini owner=archmanweb group=http mode=0640 -- name: deploy new release +- name: Deploy new release file: path=/etc/uwsgi/vassals/archmanweb.ini state=touch owner=archmanweb group=http mode=0640 when: release.changed or config.changed or archmanweb_forced_deploy -- name: install systemd units +- name: Install systemd units template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644 with_items: - archmanweb_update.service - archmanweb_update.timer -- name: start and enable archmanweb update timer +- name: Start and enable archmanweb update timer systemd: name="archmanweb_update.timer" enabled=yes state=started daemon_reload=yes diff --git a/roles/archusers/tasks/main.yml b/roles/archusers/tasks/main.yml index 329d2a1925cbe7a578d1594edad12c160cc4344a..ae46f9abd3aaeab755e0aad9cf4983b472a10544 100644 --- a/roles/archusers/tasks/main.yml +++ b/roles/archusers/tasks/main.yml @@ -1,13 +1,13 @@ -- name: create Arch Linux-specific groups +- name: Create Arch Linux-specific groups group: name="{{ item }}" state=present system=no with_items: "{{ arch_groups }}" -- name: filter arch_users for users with non-matching hosts +- name: Filter arch_users for users with non-matching hosts set_fact: arch_users_filtered="{{ (arch_users_filtered | default([])) + [ item ] }}" when: item.value.hosts is not defined or inventory_hostname in item.value.hosts with_dict: "{{ arch_users }}" -- name: create Arch Linux-specific users +- name: Create Arch Linux-specific users user: name: "{{ item.key }}" group: users 
@@ -19,25 +19,25 @@ state: present loop: "{{ arch_users_filtered }}" -- name: create .ssh directory +- name: Create .ssh directory file: path=/home/{{ item.key }}/.ssh state=directory owner={{ item.key }} group=users mode=0700 loop: "{{ arch_users_filtered }}" -- name: configure ssh keys +- name: Configure ssh keys template: src=authorized_keys.j2 dest=/home/{{ item.key }}/.ssh/authorized_keys owner={{ item.key }} group=users mode=0600 when: item.value.ssh_key is defined loop: "{{ arch_users_filtered }}" -- name: remove ssh keys if undefined +- name: Remove ssh keys if undefined file: path=/home/{{ item.key }}/.ssh/authorized_keys state=absent when: item.value.ssh_key is not defined loop: "{{ arch_users_filtered }}" -- name: get list of remote users +- name: Get list of remote users find: paths="/home" file_type="directory" register: all_users -- name: disable ssh keys of disabled users +- name: Disable ssh keys of disabled users file: path="/home/{{ item }}/.ssh/authorized_keys" state=absent when: - item not in (arch_users_filtered | map(attribute='key')) diff --git a/roles/archweb/handlers/main.yml b/roles/archweb/handlers/main.yml index 4c8932c7474905ef926e2450dd478f3128766659..481889db08ff215815b64c0436907688d6bb9073 100644 --- a/roles/archweb/handlers/main.yml +++ b/roles/archweb/handlers/main.yml @@ -1,6 +1,6 @@ -- name: daemon reload +- name: Daemon reload systemd: daemon-reload: true -- name: restart archweb memcached +- name: Restart archweb memcached service: name=archweb-memcached state=restarted diff --git a/roles/archweb/tasks/main.yml b/roles/archweb/tasks/main.yml index 8ff3b43f6888bcef4de21cb6495fa95189c3798b..18bf68ec2fcdb56fde8b646a2a3a205e3b8309de 100644 --- a/roles/archweb/tasks/main.yml +++ b/roles/archweb/tasks/main.yml @@ -1,4 +1,4 @@ -- name: run maintenance mode +- name: Run maintenance mode include_role: name: maintenance vars: 
@@ -9,41 +9,41 @@ service_nginx_template: "maintenance-nginx.d.conf.j2" when: maintenance is defined and archweb_site -- name: install required packages +- name: Install required packages pacman: name=git,python-setuptools,python-psycopg2,llvm-libs,uwsgi-plugin-python state=present -- name: make archweb user +- name: Make archweb user user: name=archweb shell=/bin/false home="{{ archweb_dir }}" createhome=no -- name: fix home permissions +- name: Fix home permissions file: state=directory owner=archweb group=archweb mode=0755 path="{{ archweb_dir }}" -- name: set archweb groups +- name: Set archweb groups user: name=archweb groups=uwsgi when: archweb_site|bool -- name: create ssl cert +- name: Create ssl cert include_role: name: certificate vars: domains: "{{ [archweb_domain] + archweb_alternate_domains }}" when: archweb_site|bool and maintenance is not defined -- name: set up nginx +- name: Set up nginx template: src=nginx.d.conf.j2 dest="{{ archweb_nginx_conf }}" owner=root group=root mode=644 notify: reload nginx when: archweb_site|bool and maintenance is not defined tags: ['nginx'] -- name: make nginx log dir +- name: Make nginx log dir file: path=/var/log/nginx/{{ archweb_domain }} state=directory owner=root group=root mode=0755 when: archweb_site|bool -- name: make rsync iso dir +- name: Make rsync iso dir file: path={{ archweb_rsync_iso_dir }} state=directory owner=archweb group=archweb mode=0755 when: archweb_site|bool -- name: clone archweb repo +- name: Clone archweb repo git: > repo={{ archweb_repository }} dest="{{ archweb_dir }}" 
@@ -54,36 +54,36 @@ become_user: archweb register: release -- name: make virtualenv +- name: Make virtualenv command: python -m venv --system-site-packages "{{ archweb_dir }}"/env creates="{{ archweb_dir }}/env/bin/python" become: true become_user: archweb -- name: install stuff into virtualenv +- name: Install stuff into virtualenv pip: requirements="{{ archweb_dir }}/requirements_prod.txt" virtualenv="{{ archweb_dir }}/env" become: true become_user: archweb register: virtualenv -- name: create media dir +- name: Create media dir file: state=directory owner=archweb group=archweb mode=0755 path="{{ archweb_dir }}/media" when: archweb_site|bool -- name: fix home permissions +- name: Fix home permissions file: state=directory owner=archweb group=archweb mode=0755 path="{{ archweb_dir }}" -- name: make archlinux.org dir +- name: Make archlinux.org dir file: path="{{ archweb_dir }}/archlinux.org" state=directory owner=archweb group=archweb mode=0755 -- name: configure robots.txt +- name: Configure robots.txt copy: src=robots.txt dest="{{ archweb_dir }}/archlinux.org/robots.txt" owner=root group=root mode=0644 -- name: configure archweb +- name: Configure archweb template: src=local_settings.py.j2 dest={{ archweb_dir }}/local_settings.py owner=archweb group=archweb mode=0660 register: config no_log: true -- name: create archweb db users +- name: Create archweb db users postgresql_user: name={{ item.user }} password={{ item.password }} login_host="{{ archweb_db_host }}" login_password="{{ vault_postgres_users.postgres }}" encrypted=yes no_log: true when: archweb_site or archweb_services 
@@ -93,18 +93,18 @@ - { user: "{{ archweb_db_dbscripts_user }}", password: "{{ vault_archweb_db_dbscripts_password }}" } - { user: "{{ archweb_db_backup_user }}", password: "{{ vault_archweb_db_backup_password }}" } -- name: create archweb db +- name: Create archweb db postgresql_db: name="{{ archweb_db }}" login_host="{{ archweb_db_host }}" login_password="{{ vault_postgres_users.postgres }}" owner="{{ archweb_db_site_user }}" when: archweb_site or archweb_services register: db_created -- name: django migrate +- name: Django migrate django_manage: app_path="{{ archweb_dir }}" command=migrate virtualenv="{{ archweb_dir }}/env" become: true become_user: archweb when: archweb_site and (db_created.changed or release.changed or config.changed or virtualenv.changed or archweb_forced_deploy) -- name: db privileges for archweb users +- name: DB privileges for archweb users postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" password="{{ vault_archweb_db_site_password }}" privs=CONNECT roles="{{ item }}" type=database when: archweb_site or archweb_services @@ -113,7 +113,7 @@ - "{{ archweb_db_dbscripts_user }}" - "{{ archweb_db_backup_user }}" -- name: table privileges for archweb users +- name: Table privileges for archweb users postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" password="{{ vault_archweb_db_site_password }}" privs=SELECT roles="{{ item.user }}" type=table objs="{{ item.objs }}" when: archweb_site or archweb_services 
@@ -122,7 +122,7 @@ - { user: "{{ archweb_db_dbscripts_user }}", objs: "{{ archweb_db_dbscripts_table_objs }}" } - { user: "{{ archweb_db_backup_user }}", objs: "{{ archweb_db_backup_table_objs }}" } -- name: sequence privileges for archweb users +- name: Sequence privileges for archweb users postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" password="{{ vault_archweb_db_site_password }}" privs=SELECT roles="{{ item.user }}" type=sequence objs="{{ item.objs }}" when: archweb_site or archweb_services @@ -130,25 +130,25 @@ - { user: "{{ archweb_db_services_user }}", objs: "{{ archweb_db_services_sequence_objs }}" } - { user: "{{ archweb_db_backup_user }}", objs: "{{ archweb_db_backup_sequence_objs }}" } -- name: django collectstatic +- name: Django collectstatic django_manage: app_path="{{ archweb_dir }}" command=collectstatic virtualenv="{{ archweb_dir }}/env" become: true become_user: archweb when: archweb_site and (db_created.changed or release.changed or config.changed or virtualenv.changed or archweb_forced_deploy) -- name: install reporead service +- name: Install reporead service template: src="archweb-reporead.service.j2" dest="/etc/systemd/system/archweb-reporead.service" owner=root group=root mode=0644 notify: - daemon reload when: archweb_services or archweb_reporead -- name: install readlinks service +- name: Install readlinks service template: src="archweb-readlinks.service.j2" dest="/etc/systemd/system/archweb-readlinks.service" owner=root group=root mode=0644 notify: - daemon reload when: archweb_services or archweb_reporead -- name: install mirrorcheck service and timer +- name: Install mirrorcheck service and timer template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644 with_items: - archweb-mirrorcheck.service 
@@ -157,7 +157,7 @@ - daemon reload when: archweb_services or archweb_mirrorcheck -- name: install mirrorresolv service and timer +- name: Install mirrorresolv service and timer template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644 with_items: - archweb-mirrorresolv.service @@ -166,7 +166,7 @@ - daemon reload when: archweb_services or archweb_mirrorresolv -- name: install populate_signoffs service and timer +- name: Install populate_signoffs service and timer template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644 with_items: - archweb-populate_signoffs.service @@ -175,7 +175,7 @@ - daemon reload when: archweb_services or archweb_populate_signoffs -- name: install planet service and timer +- name: Install planet service and timer template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644 with_items: - archweb-planet.service @@ -184,7 +184,7 @@ - daemon reload when: archweb_planet -- name: install rebuilderd status service and timer +- name: Install rebuilderd status service and timer template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644 with_items: - archweb-rebuilderd.service 
@@ -193,27 +193,27 @@ - daemon reload when: archweb_site -- name: install pgp_import service +- name: Install pgp_import service template: src="archweb-pgp_import.service.j2" dest="/etc/systemd/system/archweb-pgp_import.service" owner=root group=root mode=0644 notify: - daemon reload when: archweb_services or archweb_pgp_import -- name: create pacman.d hooks dir +- name: Create pacman.d hooks dir file: state=directory owner=root group=root mode=0750 path="/etc/pacman.d/hooks" when: archweb_services or archweb_pgp_import -- name: install pgp_import hook +- name: Install pgp_import hook template: src="archweb-pgp_import-pacman-hook.j2" dest="/etc/pacman.d/hooks/archweb-pgp_import.hook" owner=root group=root mode=0644 when: archweb_services or archweb_pgp_import -- name: install archweb memcached service +- name: Install archweb memcached service template: src="archweb-memcached.service.j2" dest="/etc/systemd/system/archweb-memcached.service" owner=root group=root mode=0644 notify: - daemon reload when: archweb_site|bool -- name: install archweb rsync iso service and timer +- name: Install archweb rsync iso service and timer template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644 with_items: - archweb-rsync_iso.service 
@@ -222,16 +222,16 @@ - daemon reload when: archweb_site|bool -- name: deploy archweb +- name: Deploy archweb template: src=archweb.ini.j2 dest=/etc/uwsgi/vassals/archweb.ini owner=archweb group=http mode=0640 when: archweb_site|bool -- name: deploy new release +- name: Deploy new release file: path=/etc/uwsgi/vassals/archweb.ini state=touch owner=archweb group=http mode=0640 when: archweb_site and (release.changed or config.changed or virtualenv.changed or archweb_forced_deploy) notify: restart archweb memcached -- name: start and enable archweb memcached service and archweb-rsync_iso timer +- name: Start and enable archweb memcached service and archweb-rsync_iso timer systemd: name: "{{ item }}" enabled: true 
@@ -242,55 +242,55 @@ - archweb-rsync_iso.timer when: archweb_site|bool -- name: start and enable archweb reporead service +- name: Start and enable archweb reporead service service: name="archweb-reporead.service" enabled=yes state=started when: archweb_services or archweb_reporead -- name: restart archweb reporead service +- name: Restart archweb reporead service service: name="archweb-reporead.service" state=restarted when: archweb_services or archweb_reporead and (release.changed or config.changed or virtualenv.changed or archweb_forced_deploy) -- name: start and enable archweb readlinks service +- name: Start and enable archweb readlinks service service: name="archweb-readlinks.service" enabled=yes state=started when: archweb_services or archweb_reporead -- name: restart archweb readlinks service +- name: Restart archweb readlinks service service: name="archweb-readlinks.service" state=restarted when: archweb_services or archweb_reporead and (release.changed or config.changed or virtualenv.changed or archweb_forced_deploy) -- name: start and enable archweb mirrorcheck timer +- name: Start and enable archweb mirrorcheck timer service: name="archweb-mirrorcheck.timer" enabled=yes state=started when: archweb_services or archweb_mirrorcheck -- name: start and enable archweb mirrorresolv timer +- name: Start and enable archweb mirrorresolv timer service: name="archweb-mirrorresolv.timer" enabled=yes state=started when: archweb_services or archweb_mirrorresolv -- name: start and enable archweb populate_signoffs timer +- name: Start and enable archweb populate_signoffs timer service: name="archweb-populate_signoffs.timer" enabled=yes state=started when: archweb_services or archweb_populate_signoffs -- name: start and enable archweb planet timer +- name: Start and enable archweb planet timer service: name="archweb-planet.timer" enabled=yes state=started when: archweb_planet -- name: start and enable archweb rebulderd update timer +- name: Start and enable archweb 
rebulderd update timer service: name="archweb-rebuilderd.timer" enabled=yes state=started when: archweb_site -- name: install donation import wrapper script +- name: Install donation import wrapper script template: src=donor_import_wrapper.sh.j2 dest=/usr/local/bin/donor_import_wrapper.sh owner=root group=root mode=0755 when: archweb_site -- name: install sudoer rights for fetchmail to call archweb django scripts +- name: Install sudoer rights for fetchmail to call archweb django scripts template: src=sudoers-fetchmail-archweb.j2 dest=/etc/sudoers.d/fetchmail-archweb owner=root group=root mode=0440 when: archweb_site -- name: create retro dir +- name: Create retro dir file: state=directory owner=archweb group=archweb mode=0755 path="{{ archweb_retro_dir }}" when: archweb_site|bool -- name: clone archweb-retro repo +- name: Clone archweb-retro repo git: repo: "{{ archweb_retro_repository }}" dest: "{{ archweb_retro_dir }}" diff --git a/roles/archwiki/handlers/main.yml b/roles/archwiki/handlers/main.yml index 0b96b9130510007b87dccb4b70e8b694df2aef40..88ddedf18cd1ab774bd70636605931e0d3e19a2d 100644 --- a/roles/archwiki/handlers/main.yml +++ b/roles/archwiki/handlers/main.yml @@ -1,7 +1,7 @@ -- name: restart php-fpm@archwiki +- name: Restart php-fpm@archwiki service: name=php-fpm@{{ archwiki_user }} state=restarted -- name: run wiki updatescript +- name: Run wiki updatescript command: php {{ archwiki_dir }}/public/maintenance/update.php --quick become: true become_user: "{{ archwiki_user }}" @@ -11,7 +11,7 @@ # otherwise nginx will spit errors into the log until it is restarted (even # reload is not enough). # reference: https://stackoverflow.com/a/6896903 -- name: purge nginx cache +- name: Purge nginx cache command: find /var/lib/nginx/cache -type f -delete # The MediaWiki file cache can be invalidated by deleting the files in the 
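Review bot: The conditions on `Restart archweb reporead service` and `Restart archweb readlinks service`, `when: archweb_services or archweb_reporead and (release.changed or ...)`, parse as `archweb_services or (archweb_reporead and (...))` because `and` binds tighter than `or` in Jinja, so on any host with `archweb_services` true both services are restarted on every play regardless of whether anything changed. If the intent is "restart only when something changed", group the first two terms: `when: (archweb_services or archweb_reporead) and (release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)`. The renamed `Start and enable archweb rebulderd update timer` still carries the `rebulderd` typo this capitalisation pass could have fixed. The hunk's final task (`Clone archweb-retro repo`) continues outside the hunk.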
@@ -20,5 +20,5 @@ # being set to true). References: # - https://www.mediawiki.org/wiki/Manual:File_cache # - https://www.mediawiki.org/wiki/Manual:$wgInvalidateCacheOnLocalSettingsChange -- name: invalidate MediaWiki file cache +- name: Invalidate MediaWiki file cache file: path="{{ archwiki_dir }}/public/LocalSettings.php" state=touch owner=archwiki group=archwiki mode=0640 diff --git a/roles/archwiki/tasks/main.yml b/roles/archwiki/tasks/main.yml index 215f49e53a62aedb77e1ce9eadb4de939155adb1..bea0775f2714f38758fcdde3034639ecec738aee 100644 --- a/roles/archwiki/tasks/main.yml +++ b/roles/archwiki/tasks/main.yml @@ -1,4 +1,4 @@ -- name: run maintenance mode +- name: Run maintenance mode include_role: name: maintenance vars: 
@@ -8,49 +8,49 @@ service_nginx_conf: "{{ archwiki_nginx_conf }}" when: maintenance is defined -- name: create ssl cert +- name: Create ssl cert include_role: name: certificate vars: domains: ["{{ archwiki_domain }}"] when: 'archwiki_domain is defined' -- name: install packages +- name: Install packages pacman: name=git,php-intl state=present -- name: make archwiki user +- name: Make archwiki user user: name="{{ archwiki_user }}" shell=/bin/false home="{{ archwiki_dir }}" createhome=no register: user_created -- name: fix home permissions +- name: Fix home permissions file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0751 path="{{ archwiki_dir }}" -- name: fix cache permissions +- name: Fix cache permissions file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0750 path="{{ archwiki_dir }}/cache" -- name: fix sessions permissions +- name: Fix sessions permissions file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0750 path="{{ archwiki_dir }}/sessions" -- name: fix uploads permissions +- name: Fix uploads permissions file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0755 path="{{ archwiki_dir }}/uploads" -- name: set up nginx +- name: Set up nginx template: src=nginx.d.conf.j2 dest="{{ archwiki_nginx_conf }}" owner=root group=root mode=644 notify: - reload nginx when: maintenance is not defined tags: ['nginx'] -- name: configure robots.txt +- name: Configure robots.txt copy: src=robots.txt dest="{{ archwiki_dir }}/robots.txt" owner=root group=root mode=0644 -- name: make nginx log dir +- name: Make nginx log dir file: path=/var/log/nginx/{{ archwiki_domain }} state=directory owner=root group=root mode=0755 -- name: make debug log dir +- name: Make debug log dir file: path=/var/log/archwiki state=directory owner={{ archwiki_user }} group=root mode=0700 -- name: clone archwiki repo +- name: Clone archwiki repo git: repo={{ archwiki_repository 
}} dest="{{ archwiki_dir }}/public" version={{ archwiki_version }} become: true become_user: "{{ archwiki_user }}" 
@@ -61,41 +61,41 @@ - purge nginx cache - invalidate MediaWiki file cache -- name: configure archwiki +- name: Configure archwiki template: src=LocalSettings.php.j2 dest="{{ archwiki_dir }}/public/LocalSettings.php" owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0640 register: config no_log: true -- name: create archwiki db +- name: Create archwiki db mysql_db: name="{{ archwiki_db }}" login_host="{{ archwiki_db_host }}" login_password="{{ vault_mariadb_users.root }}" register: db_created -- name: create archwiki db user +- name: Create archwiki db user mysql_user: name={{ archwiki_db_user }} password={{ vault_archwiki_db_password }} login_host="{{ archwiki_db_host }}" login_password="{{ vault_mariadb_users.root }}" priv="{{ archwiki_db }}.*:ALL" no_log: true -- name: configure php-fpm +- name: Configure php-fpm template: src=php-fpm.conf.j2 dest="/etc/php/php-fpm.d/{{ archwiki_user }}.conf" owner=root group=root mode=0644 notify: - restart php-fpm@{{ archwiki_user }} -- name: start and enable systemd socket +- name: Start and enable systemd socket service: name=php-fpm@{{ archwiki_user }}.socket state=started enabled=true -- name: create memcached.service.d drop-in directory +- name: Create memcached.service.d drop-in directory file: path=/etc/systemd/system/memcached@archwiki.service.d state=directory owner=root group=root mode=0755 -- name: install memcached.service drop-in +- name: Install memcached.service drop-in template: src="memcached.service.d-archwiki.conf.j2" dest="/etc/systemd/system/memcached@archwiki.service.d/archwiki.conf" owner=root group=root mode=0644 -- name: start and enable memcached service +- name: Start and enable memcached service service: name=memcached@archwiki.service state=started enabled=true daemon_reload=true -- name: install systemd services/timers +- name: Install systemd services/timers template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644 loop: - 
archwiki-runjobs.service @@ -105,7 +105,7 @@ - archwiki-prune-cache.timer - archwiki-question-updater.service -- name: start and enable archwiki timers and services +- name: Start and enable archwiki timers and services systemd: name: "{{ item }}" enabled: true @@ -116,17 +116,17 @@ - archwiki-prune-cache.timer - archwiki-runjobs-wait.service -- name: create question answer file +- name: Create question answer file systemd: name: archwiki-question-updater.service state: started daemon_reload: true -- name: ensure question answer file exists and set permissions +- name: Ensure question answer file exists and set permissions file: state=file path="{{ archwiki_question_answer_file }}" owner=root group=root mode=0644 -- name: create pacman.d hooks dir +- name: Create pacman.d hooks dir file: state=directory owner=root group=root mode=0755 path=/etc/pacman.d/hooks -- name: install archwiki question updater hook +- name: Install archwiki question updater hook template: src=archwiki-question-updater.hook.j2 dest=/etc/pacman.d/hooks/archwiki-question-updater.hook owner=root group=root mode=0644 diff --git a/roles/aurweb/handlers/main.yml b/roles/aurweb/handlers/main.yml index bc9206e422115bc7d8019582b1198ffb41cad790..35462b4f3defff6fafbc611fa69af76f6bf05ff8 100644 --- a/roles/aurweb/handlers/main.yml +++ b/roles/aurweb/handlers/main.yml @@ -1,9 +1,9 @@ -- name: daemon reload +- name: Daemon reload systemd: daemon-reload: true -- name: restart php-fpm@{{ aurweb_user }} +- name: Restart php-fpm@{{ aurweb_user }} service: name=php-fpm@{{ aurweb_user }} state=restarted -- name: restart sshd +- name: Restart sshd service: name=sshd state=restarted diff --git a/roles/aurweb/tasks/main.yml b/roles/aurweb/tasks/main.yml index 40a81340f7768b8578fd9936df3ff7e0cdc1e2f3..f5a115241395c9332742893382e53514c4908583 100644 --- a/roles/aurweb/tasks/main.yml +++ b/roles/aurweb/tasks/main.yml 
@@ -1,4 +1,4 @@ -- name: install required packages +- name: Install required packages pacman: state: present name: @@ -11,37 +11,37 @@ - gcc - pkg-config -- name: install the cgit package +- name: Install the cgit package pacman: state: present name: - cgit-aurweb register: cgit -- name: install the git package +- name: Install the git package pacman: state: present name: - git register: git -- name: make aur user +- name: Make aur user user: name="{{ aurweb_user }}" shell=/bin/bash createhome=yes register: aur_user -- name: create .ssh for the aur user +- name: Create .ssh for the aur user file: path={{ aur_user.home }}/.ssh state=directory owner={{ aur_user.name }} group={{ aur_user.name }} mode=0700 -- name: install SSH key for mirroring to GitHub +- name: Install SSH key for mirroring to GitHub copy: src=id_ed25519 dest={{ aur_user.home }}/.ssh/ owner={{ aur_user.name }} group={{ aur_user.name }} mode=0600 -- name: fetch host keys for github.com +- name: Fetch host keys for github.com command: ssh-keyscan github.com args: creates: "{{ aur_user.home }}/.ssh/known_hosts" register: github_host_keys -- name: write github.com host keys to the aur user's known_hosts +- name: Write github.com host keys to the aur user's known_hosts lineinfile: name={{ aur_user.home }}/.ssh/known_hosts create=yes line={{ item }} owner={{ aur_user.name }} group={{ aur_user.name }} mode=0644 loop: "{{ github_host_keys.stdout_lines }}" when: github_host_keys.changed @@ -49,7 +49,7 @@ - name: Create directory file: path={{ aurweb_dir }} state=directory owner={{ aurweb_user }} group=http mode=0775 -- name: receive valid signing keys +- name: Receive valid signing keys command: /usr/bin/gpg --keyserver keys.openpgp.org --recv {{ item }} loop: '{{ aurweb_pgp_keys }}' become: true @@ -57,7 +57,7 @@ register: gpg changed_when: "gpg.rc == 0" -- name: aurweb git repo check +- name: Aurweb git repo check git: > repo={{ aurweb_repository }} dest="{{ aurweb_dir }}" 
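Review bot: `Fetch host keys for github.com` runs `ssh-keyscan github.com` during provisioning and `Write github.com host keys to the aur user's known_hosts` installs whatever came back, so the trust anchor for the mirror push is whatever answered DNS/TCP on that one run (trust-on-first-use) rather than a key the role vouches for. GitHub publishes its SSH host key fingerprints; shipping them as a static file in the role, or using the `known_hosts` module with `key:` set to the published entries, removes the network trust from the provisioning step and makes a host-key change an explicit, reviewable diff instead of a silent re-pin. Related: `Install SSH key for mirroring to GitHub` copies `files/id_ed25519` from the repo — presumably vault-encrypted, but worth confirming, since a plaintext private key in the repository would be the larger problem.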
@@ -69,7 +69,7 @@ register: release check_mode: true -- name: install AUR systemd service and timers +- name: Install AUR systemd service and timers template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 with_items: - aurweb-git.service @@ -91,7 +91,7 @@ - aurweb-github-mirror.timer when: release.changed -- name: stop AUR systemd services and timers +- name: Stop AUR systemd services and timers service: name={{ item }} enabled=yes state=stopped with_items: - aurweb-git.timer @@ -105,7 +105,7 @@ - aurweb-github-mirror.timer when: release.changed -- name: clone aurweb repo +- name: Clone aurweb repo git: > repo={{ aurweb_repository }} dest="{{ aurweb_dir }}" 
@@ -116,35 +116,35 @@ become_user: "{{ aurweb_user }}" when: release.changed -- name: create necessary directories +- name: Create necessary directories file: path={{ aurweb_dir }}/{{ item }} state=directory owner={{ aurweb_user }} group={{ aurweb_user }} mode=0755 with_items: - 'aurblup' - 'sessions' - 'uploads' -- name: create aurweb conf dir +- name: Create aurweb conf dir file: path={{ aurweb_conf_dir }} state=directory owner=root group=root mode=0755 -- name: copy aurweb configuration file +- name: Copy aurweb configuration file copy: src={{ aurweb_dir }}/conf/config.defaults dest={{ aurweb_conf_dir }}/config.defaults remote_src=yes owner=root group=root mode=0644 # Note: initdb needs the config -- name: install custom aurweb configuration +- name: Install custom aurweb configuration template: src=config.j2 dest={{ aurweb_conf_dir }}/config owner=root group=root mode=0644 -- name: create aur db +- name: Create aur db mysql_db: name="{{ aurweb_db }}" login_host="{{ aurweb_db_host }}" login_password="{{ vault_mariadb_users.root }}" encoding=utf8 register: db_created no_log: true -- name: create aur db user +- name: Create aur db user mysql_user: name={{ aurweb_db_user }} password={{ vault_aurweb_db_password }} login_host="{{ aurweb_db_host }}" login_password="{{ vault_mariadb_users.root }}" priv="{{ aurweb_db }}.*:ALL" no_log: true -- name: initialize the database +- name: Initialize the database command: poetry run python -m aurweb.initdb args: chdir: "{{ aurweb_dir }}" @@ -152,7 +152,7 @@ become_user: "{{ aurweb_user }}" when: db_created.changed -- name: run migrations +- name: Run migrations command: poetry run alembic upgrade head args: chdir: "{{ aurweb_dir }}" 
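Review bot: In `Create aur db user` the secret is passed as an unquoted `password={{ vault_aurweb_db_password }}` while the neighbouring `login_password="{{ vault_mariadb_users.root }}"` is quoted; as far as I can tell the key=value parser keeps the `{{ }}` token whole, so this is a style inconsistency rather than a parse bug, but quoting it, `password="{{ vault_aurweb_db_password }}"`, or moving both database tasks to block-form arguments like the `file:` tasks later in this role removes the doubt. `no_log: true` is already set on both tasks, which is the right call for lines carrying vault values. The `Run migrations` task at the end of the hunk continues outside it.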
@@ -183,19 +183,19 @@ become_user: "{{ aurweb_user }}" when: release.changed or aurweb_installed.rc != 0 -- name: install custom aurweb-git-auth wrapper script +- name: Install custom aurweb-git-auth wrapper script template: src=aurweb-git-auth.sh.j2 dest=/usr/local/bin/aurweb-git-auth.sh owner=root group=root mode=0755 when: release.changed -- name: install custom aurweb-git-serve wrapper script +- name: Install custom aurweb-git-serve wrapper script template: src=aurweb-git-serve.sh.j2 dest=/usr/local/bin/aurweb-git-serve.sh owner=root group=root mode=0755 when: release.changed -- name: install custom aurweb-git-update wrapper script +- name: Install custom aurweb-git-update wrapper script template: src=aurweb-git-update.sh.j2 dest=/usr/local/bin/aurweb-git-update.sh owner=root group=root mode=0755 when: release.changed -- name: link custom aurweb-git-update wrapper to hooks/update +- name: Link custom aurweb-git-update wrapper to hooks/update file: src: /usr/local/bin/aurweb-git-update.sh dest: "{{ aurweb_dir }}/aur.git/hooks/update" 
@@ -215,36 +215,36 @@ become: true become_user: "{{ aurweb_user }}" -- name: create ssl cert +- name: Create ssl cert include_role: name: certificate vars: domains: ["{{ aurweb_domain }}"] -- name: set up nginx +- name: Set up nginx template: src=nginx.d.conf.j2 dest={{ aurweb_nginx_conf }} owner=root group=root mode=644 notify: reload nginx tags: ['nginx'] -- name: make nginx log dir +- name: Make nginx log dir file: path=/var/log/nginx/{{ aurweb_domain }} state=directory owner=root group=root mode=0755 -- name: install cgit configuration +- name: Install cgit configuration template: src=cgitrc.j2 dest="{{ aurweb_conf_dir }}/cgitrc" owner=root group=root mode=0644 -- name: configure cgit uwsgi service +- name: Configure cgit uwsgi service template: src=cgit.ini.j2 dest=/etc/uwsgi/vassals/cgit.ini owner={{ aurweb_user }} group=http mode=0644 -- name: deploy new cgit release +- name: Deploy new cgit release become: true become_user: "{{ aurweb_user }}" file: path=/etc/uwsgi/vassals/cgit.ini state=touch owner=root group=root mode=0644 when: cgit.changed -- name: configure smartgit uwsgi service +- name: Configure smartgit uwsgi service template: src=smartgit.ini.j2 dest=/etc/uwsgi/vassals/smartgit.ini owner={{ aurweb_user }} group=http mode=0644 -- name: deploy new smartgit release +- name: Deploy new smartgit release become: true become_user: "{{ aurweb_user }}" file: @@ -255,10 +255,10 @@ mode: 0644 when: git.changed -- name: create git repo dir +- name: Create git repo dir file: path={{ aurweb_git_dir }} state=directory owner={{ aurweb_user }} group=http mode=0775 -- name: init git directory +- name: Init git directory command: git init --bare {{ aurweb_git_dir }} args: creates: "{{ aurweb_git_dir }}/HEAD" @@ -267,7 +267,7 @@ tags: - skip_ansible_lint -- name: save hideRefs setting on var +- name: Save hideRefs setting on var command: git config --local --get-all transfer.hideRefs register: git_config args: 
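Review bot: `Deploy new cgit release` touches `/etc/uwsgi/vassals/cgit.ini` with `owner=root group=root` while running as `become_user: "{{ aurweb_user }}"`, but the task just above installed that file as `owner={{ aurweb_user }} group=http`, so the touch will try to chown the file to root as an unprivileged user and, unless aurweb_user has privileges not visible here, fail whenever `cgit.changed` is true (the sibling `Deploy new smartgit release` is cut by the hunk, so I cannot tell whether it has the same shape). Either drop the `become`/`become_user` pair and keep `owner=root`, or keep the become and write `owner={{ aurweb_user }} group=http` so the touch is a pure timestamp update. Separately, `Set up nginx` uses `mode=644` without the leading zero while every neighbouring task writes `mode=0644`; the same inconsistency is on the journald override in roles/common (`mode=644`), the two authorized_keys tasks in roles/dbscripts (`mode=600`) and the `mode=00755` on the community debug repos, so normalising them all to four-digit `0644`/`0600`/`0755` would also keep ansible-lint's risky-octal rule quiet.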
@@ -276,7 +276,7 @@ tags: - skip_ansible_lint -- name: configure git tranfser.hideRefs +- name: Configure git tranfser.hideRefs command: git config --local transfer.hideRefs '^refs/' args: chdir: "{{ aurweb_git_dir }}" @@ -286,7 +286,7 @@ tags: - skip_ansible_lint -- name: configure git transfer.hideRefs second +- name: Configure git transfer.hideRefs second command: git config --local --add transfer.hideRefs '!refs/' args: chdir: "{{ aurweb_git_dir }}" @@ -296,7 +296,7 @@ tags: - skip_ansible_lint -- name: configure git transfer.hideRefs third +- name: Configure git transfer.hideRefs third command: git config --local --add transfer.hideRefs '!HEAD' args: chdir: "{{ aurweb_git_dir }}" @@ -306,12 +306,12 @@ tags: - skip_ansible_lint -- name: configure sshd +- name: Configure sshd template: src=aurweb_config.j2 dest={{ sshd_includes_dir }}/aurweb_config owner=root group=root mode=0600 validate='/usr/sbin/sshd -t -f %s' notify: - restart sshd -- name: start and enable AUR systemd services and timers +- name: Start and enable AUR systemd services and timers service: name={{ item }} enabled=yes state=started daemon_reload=yes with_items: - aurweb-git.timer diff --git a/roles/borg_client/tasks/main.yml b/roles/borg_client/tasks/main.yml index f4f3dc45b53e55c7002c58915102da148afe793e..d852c33c0f43a2ed761f9c69f15882f18a00a807 100644 --- a/roles/borg_client/tasks/main.yml +++ b/roles/borg_client/tasks/main.yml @@ -1,7 +1,7 @@ -- name: install borg and tools +- name: Install borg and tools pacman: name=borg state=present -- name: check if borg repository already exists +- name: Check if borg repository already exists command: "{{ item['borg_cmd'] }} list {{ item['host'] }}/{{ item['dir'] }}" environment: BORG_RELOCATED_REPO_ACCESS_IS_OK: "yes" 
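Review bot: The renamed task still carries the typo `tranfser` — the new line reads `- name: Configure git tranfser.hideRefs` — and since the commit is touching exactly this line it is the natural moment to fix it: `- name: Configure git transfer.hideRefs`. The two follow-up tasks in this file already spell it `transfer.hideRefs second`/`third`, so the three names would then line up. The `command:` task body continues outside the hunk.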
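Review bot: `BORG_RELOCATED_REPO_ACCESS_IS_OK: "yes"` on `Check if borg repository already exists` suppresses borg's warning that a repository's recorded location has changed, which is the check borg relies on to flag a repository that was moved or swapped out underneath the client. It may well be intentional here, but the reason is not on the page; a comment such as `# relocation warning is expected here — TODO state why` above the `environment:` block would let a future reader tell a deliberate choice from an accidental suppression. The quoted `"yes"` is correct, since the environment value must stay a string rather than become a YAML boolean.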
@@ -10,7 +10,7 @@ loop: "{{ backup_hosts }}" changed_when: borg_list.stdout | length > 0 -- name: init borg repository +- name: Init borg repository command: "{{ item['borg_cmd'] }} init -e keyfile {{ item['host'] }}/{{ item['dir'] }}" when: borg_list is failed environment: 
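Review bot: `when: borg_list is failed` on `Init borg repository` tests the aggregate result of the registered loop, which is failed if any of the `backup_hosts` checks failed; if the init task loops over `backup_hosts` again (its loop line is outside the hunk), a host whose repository already exists would be re-initialised alongside the missing one, and `borg init` on an existing repository errors out. Iterating over the recorded results instead, `loop: "{{ borg_list.results }}"` with `when: item is failed` and `{{ item.item['host'] }}`/`{{ item.item['dir'] }}` in the command, scopes the init to the hosts that actually need it. Note also that `-e keyfile` keeps the only copy of the repository key on this client, so the role should make sure a `borg key export` copy lands somewhere that survives loss of the host.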
@@ -21,48 +21,48 @@ - skip_ansible_lint -- name: install convenience scripts +- name: Install convenience scripts template: src=borg.j2 dest=/usr/local/bin/borg{{ item['suffix'] }} owner=root group=root mode=0755 loop: "{{ backup_hosts }}" -- name: install borg backup scripts +- name: Install borg backup scripts template: src=borg-backup.sh.j2 dest=/usr/local/bin/borg-backup{{ item['suffix'] }}.sh owner=root group=root mode=0755 loop: "{{ backup_hosts }}" -- name: install postgres backup script +- name: Install postgres backup script template: src=backup-postgres.sh.j2 dest=/usr/local/bin/backup-postgres.sh owner=root group=root mode=0755 when: postgres_backup_dir is defined -- name: check whether postgres user exists +- name: Check whether postgres user exists command: getent passwd postgres register: check_postgres_user ignore_errors: true changed_when: check_postgres_user.stdout | length > 0 -- name: make postgres backup directory +- name: Make postgres backup directory file: path={{ postgres_backup_dir }} owner=root group=root mode=0755 state=directory when: check_postgres_user is succeeded and postgres_backup_dir is defined -- name: install mysql backup script +- name: Install mysql backup script template: src=backup-mysql.sh.j2 dest=/usr/local/bin/backup-mysql.sh owner=root group=root mode=0755 when: mysql_backup_dir is defined -- name: install mysql backup config +- name: Install mysql backup config template: src=backup-my.cnf.j2 dest={{ mysql_backup_defaults }} owner=root group=root mode=0644 when: mysql_backup_defaults is defined -- name: create mysql backup directory +- name: Create mysql backup directory file: path={{ mysql_backup_dir }} state=directory owner=root group=root mode=0755 when: mysql_backup_dir is defined -- name: install systemd services for backup +- name: Install systemd services for backup template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 with_items: - borg-backup.service - 
borg-backup-offsite.service -- name: install systemd timer for backup +- name: Install systemd timer for backup copy: src=borg-backup.timer dest=/etc/systemd/system/borg-backup.timer owner=root group=root mode=0644 -- name: activate systemd timer for backup +- name: Activate systemd timer for backup systemd: name=borg-backup.timer enabled=yes state=started daemon-reload=yes diff --git a/roles/borg_server/tasks/main.yml b/roles/borg_server/tasks/main.yml index aadea58c81e63308083504fbc085a2e459adfa85..60b7835dbf45bbda7ef16338085482e700da34cf 100644 --- a/roles/borg_server/tasks/main.yml +++ b/roles/borg_server/tasks/main.yml @@ -1,12 +1,12 @@ -- name: install borg +- name: Install borg pacman: name=borg state=present -- name: create borg user +- name: Create borg user user: name: borg home: "{{ backup_dir }}" -- name: create borg user home +- name: Create borg user home file: path: "{{ backup_dir }}" state: directory @@ -14,7 +14,7 @@ group: borg mode: 0700 -- name: create the root backup directory at {{ backup_dir }} +- name: Create the root backup directory at {{ backup_dir }} file: path: "{{ backup_dir }}/{{ item }}" state: directory @@ -23,14 +23,14 @@ mode: 0700 with_items: "{{ backup_clients }}" -- name: fetch ssh keys from each borg client machine +- name: Fetch ssh keys from each borg client machine command: cat /root/.ssh/id_rsa.pub register: ssh_keys delegate_to: "{{ item }}" with_items: "{{ backup_clients }}" changed_when: ssh_keys.stdout | length > 0 -- name: allow certain clients to connect +- name: Allow certain clients to connect authorized_key: user: borg key: "{{ item.stdout }}" diff --git a/roles/bugbot/tasks/main.yml b/roles/bugbot/tasks/main.yml index e6917755a5e499161ed2ac8e68b86eb72235cce0..b58782da8ef06eeae213d3282ddccb3a976ae1db 100644 --- a/roles/bugbot/tasks/main.yml +++ b/roles/bugbot/tasks/main.yml 
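Review bot: `Install mysql backup config` writes the defaults file at `{{ mysql_backup_defaults }}` with `mode=0644`, and a MySQL defaults file for an unattended backup script normally carries the `[client]` password, which would then be readable by every local user; `mode=0600` (root-only, matching the bugbot `env` file and the certbot `rfc2136.ini` elsewhere in this diff) is the safer default unless the template is known to hold no credentials. Also, `Check whether postgres user exists` is a read-only probe yet reports changed whenever the user exists (`changed_when: check_postgres_user.stdout | length > 0`); `changed_when: false` with `failed_when: false` would describe it more accurately than `ignore_errors: true`, which still prints the failure in the play output.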
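Review bot: `Fetch ssh keys from each borg client machine` runs `cat /root/.ssh/id_rsa.pub` with `changed_when: ssh_keys.stdout | length > 0`, so it reports a change on every run even though it only reads a file; `changed_when: false` is the accurate setting for a read-only probe, and `ansible.builtin.slurp` would avoid the shell-out entirely. The `Allow certain clients to connect` task continues outside the hunk, so I cannot see whether its `authorized_key` sets `key_options` restricting the key to `borg serve --restrict-to-path`; if it does not, that restriction is the usual hardening for a backup-only account and is worth adding.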
@@ -1,13 +1,13 @@ -- name: install bugbot utilities +- name: Install bugbot utilities pacman: name=python-irc,python-beautifulsoup4,python-lxml state=present -- name: receive valid signing keys +- name: Receive valid signing keys command: /usr/bin/gpg --keyserver keys.openpgp.org --auto-key-locate wkd,keyserver --locate-keys {{ item }} with_items: '{{ bugbot_pgp_emails }}' register: gpg changed_when: "gpg.rc == 0" -- name: clone bugbot source +- name: Clone bugbot source git: repo: https://gitlab.archlinux.org/archlinux/bugbot.git dest: /srv/bugbot @@ -16,11 +16,11 @@ gpg_whitelist: '{{ bugbot_pgp_keys }}' version: '{{ bugbot_version }}' -- name: install env file +- name: Install env file template: src=bugbot.j2 dest=/srv/bugbot/env owner=root group=root mode=0600 -- name: install bugbot systemd service +- name: Install bugbot systemd service copy: src=bugbot.service dest=/etc/systemd/system/bugbot.service owner=root group=root mode=0644 -- name: start and enable bugbot service +- name: Start and enable bugbot service systemd: name=bugbot.service enabled=yes state=started daemon_reload=yes diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml index 66c8dc73ec8b6c325e53eb867cb85142685942af..2edbcd52bbf90239e887e5f24a7f0d2f8eda2122 100644 --- a/roles/certbot/tasks/main.yml +++ b/roles/certbot/tasks/main.yml 
@@ -1,30 +1,30 @@ -- name: install certbot +- name: Install certbot pacman: name=certbot{{ ",certbot-dns-rfc2136" if certbot_dns_support }} state=present -- name: install rfc2136.ini +- name: Install rfc2136.ini template: src=rfc2136.ini.j2 dest=/etc/letsencrypt/rfc2136.ini owner=root group=root mode=0600 when: certbot_dns_support -- name: install letsencrypt hook +- name: Install letsencrypt hook copy: src=hook.sh dest=/etc/letsencrypt/hook.sh owner=root group=root mode=0755 -- name: create letsencrypt hook dir +- name: Create letsencrypt hook dir file: state=directory path=/etc/letsencrypt/hook.d owner=root group=root mode=0755 -- name: install letsencrypt renewal service +- name: Install letsencrypt renewal service copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 with_items: - certbot-renewal.service - certbot-renewal.timer -- name: activate letsencrypt renewal service +- name: Activate letsencrypt renewal service systemd: name: certbot-renewal.timer enabled: true state: started daemon_reload: true -- name: open firewall holes for certbot standalone authenticator +- name: Open firewall holes for certbot standalone authenticator ansible.posix.firewalld: service={{ item }} permanent=true state=enabled immediate=yes with_items: - http diff --git a/roles/certificate/tasks/main.yml b/roles/certificate/tasks/main.yml index 2a3e3a996341e25d0b29580e3f5514b16dbf80a1..6d680390891d5381253b753d499e632cdc405e2f 100644 --- a/roles/certificate/tasks/main.yml +++ b/roles/certificate/tasks/main.yml @@ -1,4 +1,4 @@ -- name: create ssl cert (HTTP-01) +- name: Create ssl cert (HTTP-01) shell: | set -o pipefail # We can't start nginx without the certificate and we can't issue a certificate without nginx running. 
@@ -10,7 +10,7 @@ creates: '/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem' when: challenge | default(certificate_challenge) == "HTTP-01" -- name: create ssl cert (DNS-01) +- name: Create ssl cert (DNS-01) command: certbot certonly --email {{ certificate_contact_email }} --agree-tos --rsa-key-size {{ certificate_rsa_key_size }} --renew-by-default --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d {{ domains | join(' -d ') }} args: creates: '/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem' diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 3e913cce7eb609c4253dbf64fb4c95747fe4f9f9..736c5e516896df601cd0dcd1fbf161ccef1321fb 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -1,12 +1,12 @@ -- name: restart journald +- name: Restart journald systemd: name: systemd-journald state: restarted daemon_reload: true -- name: systemd daemon-reload +- name: Systemd daemon-reload systemd: daemon_reload: true -- name: restart systemd-zram-setup@zram0 +- name: Restart systemd-zram-setup@zram0 service: name=systemd-zram-setup@zram0 state=restarted daemon_reload=yes diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index d836d0d3f77cb5176e4f23307d399c5601fe3317..adc3abf90fa40572080c9b6523017e1513539d60 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml 
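Review bot: Renaming the handlers to `Restart journald`, `Systemd daemon-reload` and `Restart systemd-zram-setup@zram0` breaks the tasks that notify them, because handler lookup by name is a case-sensitive exact match and roles/common/tasks/main.yml still notifies `restart journald`, `systemd daemon-reload` and `restart systemd-zram-setup@zram0` as unchanged context lines later in this same diff (the `@@ -76,48` hunk), so a run in which one of those tasks changes will abort with the handler not found. Either update every `notify:` entry in the same commit or give each handler a stable `listen:` key, e.g. `listen: restart journald` under the first handler so both spellings resolve. The same check applies to handler files this commit renames that are not shown here, such as whatever backs `reload nginx` and `restart sshd` in the aurweb role.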
@@ -1,66 +1,66 @@ -- name: install essential tools +- name: Install essential tools pacman: name=vim,nano,tmux,htop,ncdu,bash-completion,rsync,vnstat state=present -- name: start and enable vnstatd +- name: Start and enable vnstatd service: name=vnstat enabled=yes state=started -- name: install inetutils for hostname +- name: Install inetutils for hostname pacman: name=inetutils state=present -- name: set hostname +- name: Set hostname hostname: name="{{ inventory_hostname }}" -- name: install pacman config +- name: Install pacman config template: src=pacman.conf.j2 dest=/etc/pacman.conf mode=0644 owner=root group=root -- name: configure pacman mirror +- name: Configure pacman mirror template: src=mirrorlist.j2 dest=/etc/pacman.d/mirrorlist owner=root group=root mode=0644 -- name: update package cache +- name: Update package cache pacman: update_cache=yes -- name: start and enable auditd +- name: Start and enable auditd service: name=auditd enabled=yes state=started -- name: start and enable systemd-timesyncd +- name: Start and enable systemd-timesyncd service: name=systemd-timesyncd enabled=yes state=started -- name: install smart +- name: Install smart pacman: name=smartmontools state=present when: "'hcloud' not in group_names" -- name: configure smartd to do periodic health checks +- name: Configure smartd to do periodic health checks copy: src=smartd.conf dest=/etc/smartd.conf owner=root group=root mode=0644 when: "'hcloud' not in group_names" -- name: start and enable smart +- name: Start and enable smart service: name=smartd enabled=yes state=started when: "'hcloud' not in group_names" -- name: start and enable btrfs scrub timer +- name: Start and enable btrfs scrub timer service: name=btrfs-scrub@{{ '-' if (item.mount | length == 1) else (item.mount.split("/", 1)[1] | replace("/", "-")) }}.timer enabled=yes state=started loop: "{{ ansible_mounts | sort(attribute='mount') | groupby('uuid') | map(attribute=1) | map('first') }}" when: - item.fstype == 'btrfs' - 
not 'backup' in item.mount -- name: generate locales +- name: Generate locales locale_gen: name={{ item }} state=present with_items: - en_US.UTF-8 -- name: configure locales +- name: Configure locales template: src=locale.conf.j2 dest=/etc/locale.conf owner=root group=root mode=0644 -- name: generate ssh key for root +- name: Generate ssh key for root command: ssh-keygen -b 4096 -N "" -f /root/.ssh/id_rsa creates="/root/.ssh/id_rsa" -- name: configure networking +- name: Configure networking include_role: name: networking when: configure_network -- name: configure tcp receive window limits +- name: Configure tcp receive window limits sysctl: name: net.ipv4.tcp_rmem value: "{{ tcp_rmem }}" @@ -68,7 +68,7 @@ sysctl_file: /etc/sysctl.d/net.conf when: tcp_rmem is defined -- name: configure tcp send window limits +- name: Configure tcp send window limits sysctl: name: net.ipv4.tcp_wmem value: "{{ tcp_wmem }}" 
@@ -76,48 +76,48 @@ sysctl_file: /etc/sysctl.d/net.conf when: tcp_wmem is defined -- name: create drop-in directories for systemd configuration +- name: Create drop-in directories for systemd configuration file: path=/etc/systemd/{{ item }}.d state=directory owner=root group=root mode=0755 loop: - system.conf - journald.conf -- name: install journald.conf overrides +- name: Install journald.conf overrides template: src=journald.conf.j2 dest=/etc/systemd/journald.conf.d/override.conf owner=root group=root mode=644 notify: - restart journald -- name: install system.conf overrides +- name: Install system.conf overrides template: src=system.conf.j2 dest=/etc/systemd/system.conf.d/override.conf owner=root group=root mode=0644 notify: - systemd daemon-reload -- name: install zram-generator +- name: Install zram-generator pacman: name=zram-generator state=present when: enable_zram_swap -- name: install zram-generator config for zram +- name: Install zram-generator config for zram template: src=zram-generator.conf dest=/etc/systemd/zram-generator.conf owner=root group=root mode=0644 notify: - restart systemd-zram-setup@zram0 when: enable_zram_swap -- name: disable zswap to prevent conflict with zram +- name: Disable zswap to prevent conflict with zram copy: content="w- /sys/module/zswap/parameters/enabled - - - - N" dest=/etc/tmpfiles.d/zram.conf owner=root group=root mode=0644 register: zramtmpfiles when: enable_zram_swap -- name: use tmpfiles.d/zram.conf +- name: Use tmpfiles.d/zram.conf command: systemd-tmpfiles --create when: zramtmpfiles.changed -- name: create drop-in directories for oomd +- name: Create drop-in directories for oomd file: path=/etc/systemd/system/{{ item }}.d state=directory owner=root group=root mode=0755 with_items: - "-.slice" - user@.service -- name: install drop-in snippets for oomd +- name: Install drop-in snippets for oomd copy: src=oomd-override_{{ item }}.conf dest=/etc/systemd/system/{{ item }}.d/override.conf owner=root group=root 
mode=0644 with_items: - "-.slice" @@ -125,32 +125,32 @@ notify: - systemd daemon-reload -- name: start systemd-oomd +- name: Start systemd-oomd service: name=systemd-oomd state=started enabled=yes -- name: install logrotate +- name: Install logrotate pacman: name=logrotate state=present -- name: configure logrotate +- name: Configure logrotate template: src=logrotate.conf.j2 dest=/etc/logrotate.conf owner=root group=root mode=0644 -- name: enable logrotate timer +- name: Enable logrotate timer service: name=logrotate.timer state=started enabled=yes -- name: create zsh directory +- name: Create zsh directory file: path=/root/.zsh state=directory owner=root group=root mode=0700 -- name: install root shell config +- name: Install root shell config copy: src={{ item }} dest=/root/.{{ item }} owner=root group=root mode=0644 with_items: - zshrc - dircolors -- name: install pacman-contrib,archlinux-contrib +- name: Install pacman-contrib,archlinux-contrib pacman: name=pacman-contrib,archlinux-contrib state=installed -- name: install custom paccache.service +- name: Install custom paccache.service copy: src=paccache.service dest=/etc/systemd/system/paccache.service owner=root group=root mode=0644 -- name: enable paccache timer +- name: Enable paccache timer systemd: name=paccache.timer enabled=yes state=started daemon_reload=yes diff --git a/roles/dbscripts/tasks/main.yml b/roles/dbscripts/tasks/main.yml index d050885d3b043e82a15ce15e177e97bc27d8895b..6936bc73f056d59a1767062077b0feb713ae5cf7 100644 --- a/roles/dbscripts/tasks/main.yml +++ b/roles/dbscripts/tasks/main.yml 
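Review bot: `Install pacman-contrib,archlinux-contrib` uses `state=installed`, the legacy alias, while every other `pacman:` task in this diff says `state=present`; aligning it to `pacman: name=pacman-contrib,archlinux-contrib state=present` keeps the role uniform and stops it depending on the alias. The rest of this hunk is the mechanical rename.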
@@ -1,44 +1,44 @@ -- name: install svn, git, rsync and some perl stuff +- name: Install svn, git, rsync and some perl stuff pacman: name=git,subversion,rsync,perl-dbd-pg,perl-timedate,diffstat state=present -- name: install sourceballs requirements (makepkg download dependencies) +- name: Install sourceballs requirements (makepkg download dependencies) pacman: name=git,subversion,mercurial,breezy state=present -- name: install binutils for createlinks script +- name: Install binutils for createlinks script pacman: name=binutils state=present -- name: create dbscripts users +- name: Create dbscripts users user: name="{{ item }}" shell=/bin/bash with_items: - svn-packages - svn-community -- name: add cleanup user +- name: Add cleanup user user: name=cleanup groups=tu,dev,multilib shell=/sbin/nologin -- name: add sourceballs user +- name: Add sourceballs user user: name=sourceballs shell=/sbin/nologin -- name: set up sudoers.d for special users +- name: Set up sudoers.d for special users copy: src=sudoers.d dest=/etc/sudoers.d/dbscripts owner=root group=root mode=0600 -- name: create ssl cert +- name: Create ssl cert include_role: name: certificate vars: domains: ["{{ repos_domain }}", "{{ repos_rsync_domain }}"] -- name: make nginx log dir +- name: Make nginx log dir file: path=/var/log/nginx/{{ repos_domain }} state=directory owner=root group=root mode=0755 -- name: set up nginx +- name: Set up nginx template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/dbscripts.conf owner=root group=root mode=0644 notify: - reload nginx tags: - nginx -- name: create Arch Linux-specific users +- name: Create Arch Linux-specific users user: name: "{{ item.key }}" group: users 
@@ -47,25 +47,25 @@ state: present with_dict: "{{ arch_users }}" -- name: create .ssh directory +- name: Create .ssh directory file: path=/home/svn-packages/.ssh state=directory owner=svn-packages group=svn-packages mode=0700 -- name: configure ssh keys for devs +- name: Configure ssh keys for devs template: src=authorized_keys-group.j2 dest=/home/svn-packages/.ssh/authorized_keys owner=svn-packages group=svn-packages mode=600 vars: pubkey_groups: ['dev'] tags: ['archusers'] -- name: create .ssh directory +- name: Create .ssh directory file: path=/home/svn-community/.ssh state=directory owner=svn-community group=svn-community mode=0700 -- name: configure ssh keys for TUs +- name: Configure ssh keys for TUs template: src=authorized_keys-group.j2 dest=/home/svn-community/.ssh/authorized_keys owner=svn-community group=svn-community mode=600 vars: pubkey_groups: ['tu'] tags: ['archusers'] -- name: create staging directories in user homes +- name: Create staging directories in user homes dbscripts_mkdirs: pathtmpl: '/home/{user}/staging/{dirname}' permissions: '755' 
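Review bot: `Set up sudoers.d for special users` copies `sudoers.d` into `/etc/sudoers.d/dbscripts` without a syntax check, and a malformed drop-in makes sudo refuse to run for every user on the host; `copy:` supports `validate: /usr/sbin/visudo -cf %s`, which rejects the file before it is installed. `mode=0600` is accepted by sudo, though `0440` is the conventional mode for sudoers drop-ins. The `Create Arch Linux-specific users` task at the end of this hunk continues past the hunk boundary.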
@@ -74,88 +74,88 @@ group: users tags: ["archusers"] -- name: create dbscripts paths +- name: Create dbscripts paths file: path="{{ item }}" state=directory owner=root group=root mode=0755 with_items: - /srv/repos/svn-community - /srv/repos/svn-packages -- name: create svn-community/package-cleanup directory +- name: Create svn-community/package-cleanup directory file: path="/srv/repos/svn-community/package-cleanup" state=directory owner=svn-community group=tu mode=0775 -- name: add acl user:cleanup:rwx to /srv/repos/svn-community/package-cleanup +- name: Add acl user:cleanup:rwx to /srv/repos/svn-community/package-cleanup acl: name=/srv/repos/svn-community/package-cleanup entry="user:cleanup:rwx" state=present -- name: add acl default:user::rwx to /srv/repos/svn-community/package-cleanup +- name: Add acl default:user::rwx to /srv/repos/svn-community/package-cleanup acl: name=/srv/repos/svn-community/package-cleanup entry="default:user::rwx" state=present -- name: add acl default:user:cleanup:rwx to /srv/repos/svn-community/package-cleanup +- name: Add acl default:user:cleanup:rwx to /srv/repos/svn-community/package-cleanup acl: name=/srv/repos/svn-community/package-cleanup entry="default:user:cleanup:rwx" state=present -- name: add acl default:group::rwx to /srv/repos/svn-community/package-cleanup +- name: Add acl default:group::rwx to /srv/repos/svn-community/package-cleanup acl: name=/srv/repos/svn-community/package-cleanup entry="default:group::rwx" state=present -- name: add acl default:other::r-x to /srv/repos/svn-community/package-cleanup +- name: Add acl default:other::r-x to /srv/repos/svn-community/package-cleanup acl: name=/srv/repos/svn-community/package-cleanup entry="default:other::r-x" state=present -- name: create svn-packages/package-cleanup directory +- name: Create svn-packages/package-cleanup directory file: path="/srv/repos/svn-packages/package-cleanup" state=directory owner=svn-packages group=dev mode=0775 -- name: add acl user:cleanup:rwx to 
/srv/repos/svn-packages/package-cleanup +- name: Add acl user:cleanup:rwx to /srv/repos/svn-packages/package-cleanup acl: name=/srv/repos/svn-packages/package-cleanup entry="user:cleanup:rwx" state=present -- name: add acl default:user::rwx to /srv/repos/svn-packages/package-cleanup +- name: Add acl default:user::rwx to /srv/repos/svn-packages/package-cleanup acl: name=/srv/repos/svn-packages/package-cleanup entry="default:user::rwx" state=present -- name: add acl default:user:cleanup:rwx to /srv/repos/svn-packages/package-cleanup +- name: Add acl default:user:cleanup:rwx to /srv/repos/svn-packages/package-cleanup acl: name=/srv/repos/svn-packages/package-cleanup entry="default:user:cleanup:rwx" state=present -- name: add acl default:group::rwx to /srv/repos/svn-packages/package-cleanup +- name: Add acl default:group::rwx to /srv/repos/svn-packages/package-cleanup acl: name=/srv/repos/svn-packages/package-cleanup entry="default:group::rwx" state=present -- name: add acl default:other::r-x to /srv/repos/svn-packages/package-cleanup +- name: Add acl default:other::r-x to /srv/repos/svn-packages/package-cleanup acl: name=/srv/repos/svn-packages/package-cleanup entry="default:other::r-x" state=present -- name: create svn-community/source-cleanup directory +- name: Create svn-community/source-cleanup directory file: path="/srv/repos/svn-community/source-cleanup" state=directory owner=sourceballs group=svn-community mode=0755 -- name: create svn-packages/source-cleanup directory +- name: Create svn-packages/source-cleanup directory file: path="/srv/repos/svn-packages/source-cleanup" state=directory owner=sourceballs group=svn-packages mode=0755 -- name: create svn-community/svn directory +- name: Create svn-community/svn directory file: path="/srv/repos/svn-community/svn" state=directory owner=svn-community group=svn-community mode=0755 -- name: add acl default:user::rwx to /srv/repos/svn-community/svn +- name: Add acl default:user::rwx to /srv/repos/svn-community/svn 
acl: name=/srv/repos/svn-community/svn entry="default:user::rwx" state=present -- name: add acl default:group::r-x to /srv/repos/svn-community/svn +- name: Add acl default:group::r-x to /srv/repos/svn-community/svn acl: name=/srv/repos/svn-community/svn entry="default:group::r-x" state=present -- name: add acl default:other::r-x to /srv/repos/svn-community/svn +- name: Add acl default:other::r-x to /srv/repos/svn-community/svn acl: name=/srv/repos/svn-community/svn entry="default:other::r-x" state=present -- name: create svn-packages/svn directory +- name: Create svn-packages/svn directory file: path="/srv/repos/svn-packages/svn" state=directory owner=svn-packages group=svn-packages mode=0755 -- name: add acl default:user::rwx to /srv/repos/svn-packages/svn +- name: Add acl default:user::rwx to /srv/repos/svn-packages/svn acl: name=/srv/repos/svn-packages/svn entry="default:user::rwx" state=present -- name: add acl default:group::r-x to /srv/repos/svn-packages/svn +- name: Add acl default:group::r-x to /srv/repos/svn-packages/svn acl: name=/srv/repos/svn-packages/svn entry="default:group::r-x" state=present -- name: add acl default:other::r-x to /srv/repos/svn-packages/svn +- name: Add acl default:other::r-x to /srv/repos/svn-packages/svn acl: name=/srv/repos/svn-packages/svn entry="default:other::r-x" state=present -- name: create svn-community/tmp directory +- name: Create svn-community/tmp directory file: path="/srv/repos/svn-community/tmp" state=directory owner=svn-community group=tu mode=1775 -- name: add acl user:sourceballs:rwx to /srv/repos/svn-community/tmp +- name: Add acl user:sourceballs:rwx to /srv/repos/svn-community/tmp acl: name=/srv/repos/svn-community/tmp entry="user:sourceballs:rwx" state=present -- name: create svn-packages/tmp directory +- name: Create svn-packages/tmp directory file: path="/srv/repos/svn-packages/tmp" state=directory owner=svn-packages group=dev mode=1775 -- name: add acl user:sourceballs:rwx to /srv/repos/svn-packages/tmp +- 
name: Add acl user:sourceballs:rwx to /srv/repos/svn-packages/tmp acl: name=/srv/repos/svn-packages/tmp entry="user:sourceballs:rwx" state=present -- name: touch /srv/ftp/lastsync file +- name: Touch /srv/ftp/lastsync file file: path="/srv/ftp/lastsync" state=touch owner=ftp group=ftp mode=0644 -- name: touch /srv/ftp/lastupdate file +- name: Touch /srv/ftp/lastupdate file file: path="/srv/ftp/lastupdate" state=touch owner=ftp group=ftp mode=0644 -- name: add acl group:tu:rw- to /srv/ftp/lastupdate +- name: Add acl group:tu:rw- to /srv/ftp/lastupdate acl: name=/srv/ftp/lastupdate entry="group:tu:rw-" state=present -- name: add acl group:dev:rw- to /srv/ftp/lastupdate +- name: Add acl group:dev:rw- to /srv/ftp/lastupdate acl: name=/srv/ftp/lastupdate entry="group:dev:rw-" state=present -- name: fetch dbscripts PGP key +- name: Fetch dbscripts PGP key command: /usr/bin/gpg --keyserver keys.openpgp.org --auto-key-locate wkd,keyserver --locate-keys {{ item }} with_items: '{{ dbscripts_pgp_emails }}' register: gpg changed_when: "gpg.rc == 0" -- name: clone dbscripts git repo +- name: Clone dbscripts git repo git: > dest=/srv/repos/{{ item }}/dbscripts repo=https://gitlab.archlinux.org/archlinux/dbscripts.git 
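Review bot: `Touch /srv/ftp/lastsync file` and `Touch /srv/ftp/lastupdate file` use `file: ... state=touch`, which rewrites the timestamps and therefore reports changed on every run, hiding real drift in the owner and mode the same tasks assert; adding `modification_time=preserve access_time=preserve` makes them idempotent once the file exists (the file module has supported those parameters since Ansible 2.7). `Fetch dbscripts PGP key` in this hunk has the always-changed `changed_when: "gpg.rc == 0"` pattern already raised on the aurweb role. The `Clone dbscripts git repo` task is cut at the hunk boundary, so its verification options are not visible here.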
@@ -165,73 +165,73 @@
 - svn-community
 - svn-packages
-- name: make /srv/svn
+- name: Make /srv/svn
 file: path=/srv/svn state=directory owner=root group=root mode=0755
-- name: symlink /srv/svn/community to /srv/repos/svn-community/svn
+- name: Symlink /srv/svn/community to /srv/repos/svn-community/svn
 file: path=/srv/svn/community src=/srv/repos/svn-community/svn state=link owner=root group=root mode=0755
-- name: symlink /srv/svn/packages to /srv/repos/svn-packages/svn
+- name: Symlink /srv/svn/packages to /srv/repos/svn-packages/svn
 file: path=/srv/svn/packages src=/srv/repos/svn-packages/svn state=link owner=root group=root mode=0755
-- name: symlink /community to /srv/repos/svn-community/dbscripts
+- name: Symlink /community to /srv/repos/svn-community/dbscripts
 file: path=/community src=/srv/repos/svn-community/dbscripts state=link owner=root group=root mode=0755
-- name: symlink /packages to /srv/repos/svn-packages/dbscripts
+- name: Symlink /packages to /srv/repos/svn-packages/dbscripts
 file: path=/packages src=/srv/repos/svn-packages/dbscripts state=link owner=root group=root mode=0755
-- name: make debug packages-debug pool
+- name: Make debug packages-debug pool
 file: path=/srv/ftp/pool/packages-debug state=directory owner=root group=dev mode=0775
-- name: make debug community-debug pool
+- name: Make debug community-debug pool
 file: path=/srv/ftp/pool/community-debug state=directory owner=root group=tu mode=2775
-- name: make package root debug repos
+- name: Make package root debug repos
 file: path=/srv/ftp/{{ item }}/os state=directory owner=root group=root mode=0755
 with_items: '{{ package_repos }}'
-- name: make community root debug repos
+- name: Make community root debug repos
 file: path=/srv/ftp/{{ item }}/os state=directory owner=root group=root mode=00755
 with_items: '{{ community_repos }}'
-- name: make package debug repos
+- name: Make package debug repos
 file: path=/srv/ftp/{{ item }}/os/x86_64 state=directory owner=root group=dev mode=0775
with_items: '{{ package_repos }}'
-- name: make community debug repos
+- name: Make community debug repos
 file: path=/srv/ftp/{{ item }}/os/x86_64 state=directory owner=root group=tu mode=0775
 with_items: '{{ community_repos }}'
-- name: put rsyncd.conf into tmpfiles
+- name: Put rsyncd.conf into tmpfiles
 copy: src=rsyncd-tmpfiles.d dest=/etc/tmpfiles.d/rsyncd.conf owner=root group=root mode=0644
 register: rsyncdtmpfiles
-- name: use tmpfiles.d/rsyncd.conf
+- name: Use tmpfiles.d/rsyncd.conf
 command: systemd-tmpfiles --create
 when: rsyncdtmpfiles.changed
-- name: create rsyncd-conf-genscripts
+- name: Create rsyncd-conf-genscripts
 file: path=/etc/rsyncd-conf-genscripts state=directory owner=root group=root mode=0700
-- name: install rsync.conf.proto
+- name: Install rsync.conf.proto
 template: src=rsyncd.conf.proto.j2 dest=/etc/rsyncd-conf-genscripts/rsyncd.conf.proto owner=root group=root mode=0644
-- name: configure gen_rsyncd.conf.pl
+- name: Configure gen_rsyncd.conf.pl
 template: src=gen_rsyncd.conf.pl dest=/etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl owner=root group=root mode=0700
 no_log: true
-- name: generate mirror config
+- name: Generate mirror config
 command: /etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl
 register: gen_rsyncd
 changed_when: "gen_rsyncd.rc == 0"
-- name: install svnlog
+- name: Install svnlog
 copy: src=svnlog dest=/usr/local/bin/svnlog owner=root group=root mode=0755
-- name: add arch-svntogit user
+- name: Add arch-svntogit user
 user: name=svntogit shell=/sbin/nologin home=/srv/svntogit generate_ssh_key=yes ssh_key_bits=4096
-- name: configure svntogit git user name
+- name: Configure svntogit git user name
 command: git config --global user.name svntogit
 become: true
 become_user: svntogit
@@ -240,7 +240,7 @@
 tags:
 - skip_ansible_lint
-- name: configure svntogit git user email
+- name: Configure svntogit git user email
 command: git config --global user.email svntogit@repos.archlinux.org
 become: true
 become_user: svntogit
@@ -249,13 +249,13 @@
 tags:
 - skip_ansible_lint
-- name: template arch-svntogit
+- name: Template arch-svntogit
 copy: src=update-repos.sh dest=/srv/svntogit/update-repos.sh owner=root group=root mode=0755
-- name: create svntogit repos subdir
+- name: Create svntogit repos subdir
 file: path="/srv/svntogit/repos" state=directory owner=svntogit group=svntogit mode=0775
-- name: clone git-svn repos
+- name: Clone git-svn repos
 command: git svn clone file:///srv/repos/svn-{{ item }}/svn /srv/svntogit/repos/{{ item }} creates=/srv/svntogit/repos/{{ item }}
 with_items:
 - community
@@ -265,7 +265,7 @@
 tags:
 - skip_ansible_lint
-- name: add svntogit public remotes
+- name: Add svntogit public remotes
 command: git remote add public git@github.com:archlinux/svntogit-{{ item }}.git chdir=/srv/svntogit/repos/{{ item }}
 with_items:
 - community
@@ -279,7 +279,7 @@
 - skip_ansible_lint
 # The following command also serves as a way to get the data the first time the repo is set up
-- name: configure svntogit pull upstream branch
+- name: Configure svntogit pull upstream branch
 command: git pull --set-upstream public master chdir=/srv/svntogit/repos/{{ item }}
 environment:
 SHELL: /bin/bash
@@ -293,40 +293,40 @@
 tags:
 - skip_ansible_lint
-- name: fix svntogit home permissions
+- name: Fix svntogit home permissions
 file: path="/srv/svntogit" state=directory owner=svntogit group=svntogit mode=0775
-- name: install repo helpers
+- name: Install repo helpers
 copy: src={{ item }} dest=/usr/local/bin/{{ item }} owner=root group=root mode=0755
 with_items:
 - lsrepo
 - checklib32
-- name: install createlinks script
+- name: Install createlinks script
 copy: src=createlinks dest=/usr/local/bin/createlinks owner=root group=root mode=0755
-- name: start and enable rsync
+- name: Start and enable rsync
 service: name=rsyncd.socket enabled=yes state=started
-- name: open firewall holes for rsync
+- name: Open firewall holes for rsync
 ansible.posix.firewalld: service=rsyncd permanent=true state=enabled immediate=yes
 when: configure_firewall
 tags:
 - firewall
-- name: configure svnserve
+- name: Configure svnserve
 copy: dest=/etc/conf.d/svnserve owner=root group=root mode=0644 content="SVNSERVE_ARGS=-R -r /srv/svn\n"
-- name: start and enable svnserve
+- name: Start and enable svnserve
 service: name=svnserve enabled=yes state=started
-- name: open firewall holes for svnserve
+- name: Open firewall holes for svnserve
 ansible.posix.firewalld: port=3690/tcp permanent=true state=enabled immediate=yes
 when: configure_firewall
 tags:
 - firewall
-- name: install systemd timers
+- name: Install systemd timers
 copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
 with_items:
 - cleanup.timer
@@ -344,7 +344,7 @@
 notify:
 - daemon reload
-- name: activate systemd timers
+- name: Activate systemd timers
 service: name={{ item }} enabled=yes state=started
 with_items:
 - cleanup.timer
diff --git a/roles/debuginfod/handlers/main.yml b/roles/debuginfod/handlers/main.yml
index 3e008c97b7b0a31244d5ec076a30a377ec3ace34..330f24254fc57ac7465186d752945eee8c9316e6 100644
--- a/roles/debuginfod/handlers/main.yml
+++ b/roles/debuginfod/handlers/main.yml
@@ -1,2 +1,2 @@
-- name: reload debuginfod
+- name: Reload debuginfod
 service: name=debuginfod state=reloaded
diff --git a/roles/debuginfod/tasks/main.yml b/roles/debuginfod/tasks/main.yml
index 71935652e3741e9b28f7e2edbc41741c5535d49a..ebdb00af088c1485034134200c26595c2a6e3f41 100644
--- a/roles/debuginfod/tasks/main.yml
+++ b/roles/debuginfod/tasks/main.yml
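Review bot: Renaming this handler to `Reload debuginfod` breaks the task that triggers it, because roles/debuginfod/tasks/main.yml still carries `notify: - reload debuginfod` as an unchanged context line in the next hunk, and Ansible resolves notifications against handler names (and `listen` topics) by exact, case-sensitive string match. As far as this page shows, a changed template would then make Ansible report the notified handler as not found instead of reloading the service. The same mismatch is visible in the dovecot (`reload dovecot`, `run sievec`), fail2ban (`restart fail2ban`, `reload fail2ban jails`), fetchmail, fluxbb, flyspray, geo_dns and gitlab_runner handler hunks, whose task-side `notify:` lines remain lowercase; the firewalld handlers are unaffected because their tasks notify the unchanged `listen: restart firewalld` topic. Either update every `notify:` to the capitalized name in the same commit, or keep the old name resolvable by adding `listen: reload debuginfod` under each renamed handler.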
@@ -1,53 +1,53 @@
-- name: install debuginfod
+- name: Install debuginfod
 pacman: name=debuginfod state=present
-- name: create ssl cert
+- name: Create ssl cert
 include_role:
 name: certificate
 vars:
 domains: ["{{ debuginfod_domain }}"]
 when: debuginfod_domain
-- name: configure debuginfod systemd service
+- name: Configure debuginfod systemd service
 template: src=debuginfod.service.j2 dest=/etc/systemd/system/debuginfod.service owner=root group=root mode=0644
 vars:
 debuginfod_package_path: "{{ debuginfod_package_paths | join(' ') }}"
 notify:
 - reload debuginfod
-- name: create http directory for debuginfod website files
+- name: Create http directory for debuginfod website files
 file: path=/srv/http/debuginfod state=directory owner=root group=root mode=0755
-- name: install website files
+- name: Install website files
 copy: src={{ item }} dest=/srv/http/debuginfod/{{ item }} owner=root group=root mode=0644
 loop:
 - archlinux.png
 - index.html
-- name: install packagelist units
+- name: Install packagelist units
 copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
 loop:
 - packagelist.timer
 - packagelist.service
-- name: start and enable packagelist.timer
+- name: Start and enable packagelist.timer
 service: name=packagelist.timer enabled=yes state=started
-- name: make nginx log dir
+- name: Make nginx log dir
 file: path=/var/log/nginx/{{ debuginfod_domain }} state=directory owner=root group=root mode=0755
-- name: set up nginx
+- name: Set up nginx
 template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/debuginfod.conf owner=root group=root mode=0644
 notify:
 - reload nginx
 when: debuginfod_domain
 tags: ['nginx']
-- name: open debuginfod ipv4 port for monitoring.archlinux.org
+- name: Open debuginfod ipv4 port for monitoring.archlinux.org
 ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port=8002 accept"
 tags:
 - firewall
-- name: start and enable debuginfod
+- name: Start and enable debuginfod
 service: name=debuginfod enabled=yes state=started
diff --git a/roles/dovecot/handlers/main.yml b/roles/dovecot/handlers/main.yml
index 3b278cb8473944a7c388618b92684e49a7f6f43c..9315e0850cb286c92423f536f7956c66a30bc19a 100644
--- a/roles/dovecot/handlers/main.yml
+++ b/roles/dovecot/handlers/main.yml
@@ -1,7 +1,7 @@
-- name: reload dovecot
+- name: Reload dovecot
 service: name=dovecot state=restarted
-- name: run sievec
+- name: Run sievec
 command: /usr/bin/sievec /etc/dovecot/sieve/{{ item }}
 loop:
 - spam-to-folder.sieve
diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml
index a6ecefc70733d25e120332bfd5f50cab3f59c55c..b4eab78f9538c4fe87cddf455bc1be2708667485 100644
--- a/roles/dovecot/tasks/main.yml
+++ b/roles/dovecot/tasks/main.yml
@@ -1,48 +1,48 @@
-- name: install dovecot
+- name: Install dovecot
 pacman: name=dovecot,pigeonhole state=present
 # FIXME: check directory permissions
-- name: create dovecot configuration directory
+- name: Create dovecot configuration directory
 file: path=/etc/dovecot state=directory owner=root group=root mode=0755
-- name: create dhparam
+- name: Create dhparam
 command: openssl dhparam -out /etc/dovecot/dh.pem 4096 creates=/etc/dovecot/dh.pem
-- name: install dovecot.conf
+- name: Install dovecot.conf
 template: src=dovecot.conf.j2 dest=/etc/dovecot/dovecot.conf owner=root group=root mode=0644
 notify:
 - reload dovecot
-- name: add vmail group
+- name: Add vmail group
 group: name=vmail gid=5000
-- name: add vmail user
+- name: Add vmail user
 user: name=vmail uid=5000 shell=/usr/bin/nologin group=vmail
-- name: install PAM config
+- name: Install PAM config
 copy: src=pam.d.dovecot dest=/etc/pam.d/dovecot mode=0644 owner=root group=root
-- name: create dovecot sieve dir
+- name: Create dovecot sieve dir
 file: path=/etc/dovecot/sieve state=directory owner=root group=root mode=0755
-- name: install spam-to-folder.sieve
+- name: Install spam-to-folder.sieve
 copy: src=spam-to-folder.sieve dest=/etc/dovecot/sieve/ mode=0644 owner=root group=root
 notify:
 - run sievec
-- name: create ssl cert
+- name: Create ssl cert
 include_role:
 name: certificate
 vars:
 domains: ["{{ mail_domain }}"]
-- name: install dovecot cert renewal hook
+- name: Install dovecot cert renewal hook
 template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/hook.d/dovecot owner=root group=root mode=0755
-- name: start and enable dovecot
+- name: Start and enable dovecot
 service: name=dovecot enabled=yes state=started
-- name: open firewall holes
+- name: Open firewall holes
 ansible.posix.firewalld: service={{ item }} permanent=true state=enabled immediate=yes
 with_items:
 - imaps
@@ -51,13 +51,13 @@
 tags:
 - firewall
-- name: install systemd timers
+- name: Install systemd timers
 copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
 with_items:
 - dovecot-cleanup.timer
 - dovecot-cleanup.service
-- name: activate systemd timers
+- name: Activate systemd timers
 systemd:
 name: "{{ item }}"
 state: started
diff --git a/roles/fail2ban/handlers/main.yml b/roles/fail2ban/handlers/main.yml
index 731c718ac6bfa06860e7b893cafd1eaf4d16631d..15ca9394841994c75e0853cd3dcc3a0df5f4aa98 100644
--- a/roles/fail2ban/handlers/main.yml
+++ b/roles/fail2ban/handlers/main.yml
@@ -1,7 +1,7 @@
-- name: restart fail2ban
+- name: Restart fail2ban
 systemd:
 name: fail2ban
 state: restarted
-- name: reload fail2ban jails
+- name: Reload fail2ban jails
 shell: type fail2ban-server > /dev/null && (fail2ban-client ping > /dev/null && fail2ban-client reload > /dev/null || true) || true
diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml
index fa8d7607a5f44c103166408ac67dbd2a8019c7d8..2e0fb243e5c78efd2db870fa8d1c50d61e05d6d4 100644
--- a/roles/fail2ban/tasks/main.yml
+++ b/roles/fail2ban/tasks/main.yml
@@ -1,11 +1,11 @@
-- name: install fail2ban
+- name: Install fail2ban
 package:
 name: "fail2ban"
 state: "present"
 notify:
 - restart fail2ban
-- name: create systemd unit override path
+- name: Create systemd unit override path
 file:
 path: "/etc/systemd/system/fail2ban.service.d"
 state: "directory"
@@ -13,7 +13,7 @@
 group: "root"
 mode: 0755
-- name: install systemd unit override file
+- name: Install systemd unit override file
 template:
 src: "fail2ban.service.j2"
 dest: "/etc/systemd/system/fail2ban.service.d/override.conf"
@@ -21,7 +21,7 @@
 group: "root"
 mode: 0644
-- name: install local config files
+- name: Install local config files
 template:
 src: "{{ item }}.j2"
 dest: "/etc/fail2ban/{{ item }}"
@@ -34,7 +34,7 @@
 notify:
 - restart fail2ban
-- name: install firewallcmd-allports.local
+- name: Install firewallcmd-allports.local
 template:
 src: "firewallcmd-allports.local.j2"
 dest: "/etc/fail2ban/action.d/firewallcmd-allports.local"
@@ -44,7 +44,7 @@
 notify:
 - restart fail2ban
-- name: install sshd jail
+- name: Install sshd jail
 when: fail2ban_jails.sshd
 template:
 src: "sshd.jail.j2"
@@ -55,7 +55,7 @@
 notify:
 - reload fail2ban jails
-- name: install postfix jail
+- name: Install postfix jail
 when: fail2ban_jails.postfix
 template:
 src: "postfix.jail.j2"
@@ -66,7 +66,7 @@
 notify:
 - reload fail2ban jails
-- name: install dovecot jail
+- name: Install dovecot jail
 when: fail2ban_jails.dovecot
 template:
 src: "dovecot.jail.j2"
@@ -77,7 +77,7 @@
 notify:
 - reload fail2ban jails
-- name: install nginx-limit-req jail
+- name: Install nginx-limit-req jail
 when: fail2ban_jails.nginx_limit_req
 template:
 src: "nginx-limit-req.jail.j2"
@@ -88,7 +88,7 @@
 notify:
 - reload fail2ban jails
-- name: start and enable service
+- name: Start and enable service
 systemd:
 name: "fail2ban.service"
 enabled: true
diff --git a/roles/fetchmail/handlers/main.yml b/roles/fetchmail/handlers/main.yml
index 7a8dce8e4ea98b42d6db68725b84c604463dc4a9..49ee5c58e01aa7fc0340e877f657b022d57d7e61 100644
--- a/roles/fetchmail/handlers/main.yml
+++ b/roles/fetchmail/handlers/main.yml
@@ -1,2 +1,2 @@
-- name: restart fetchmail
+- name: Restart fetchmail
 service: name=fetchmail state=restarted
diff --git a/roles/fetchmail/tasks/main.yml b/roles/fetchmail/tasks/main.yml
index d17ee5a88dcd8c4d49a8213fa14e0b2ffb26d47d..32c0709ca8d9f86234bc8b21536e516ea67f75f8 100644
--- a/roles/fetchmail/tasks/main.yml
+++ b/roles/fetchmail/tasks/main.yml
@@ -1,10 +1,10 @@
-- name: install fetchmail
+- name: Install fetchmail
 pacman: name=fetchmail state=present
-- name: template fetchmail config
+- name: Template fetchmail config
 template: src=fetchmailrc.j2 dest=/etc/fetchmailrc owner=fetchmail group=nobody mode=600
 notify:
 - restart fetchmail
-- name: start and enable fetchmail
+- name: Start and enable fetchmail
 service: name=fetchmail enabled=yes state=started
diff --git a/roles/firewalld/handlers/main.yml b/roles/firewalld/handlers/main.yml
index 942cb99cc1362dd7b82b5ba84ee1a5cfbd135027..8ccb109c53378cd4f935d0a200cb6bd6bb24753f 100644
--- a/roles/firewalld/handlers/main.yml
+++ b/roles/firewalld/handlers/main.yml
@@ -1,11 +1,11 @@
 # NOTE: hack for a systemd bug (restarting firewalld.service fails due to fail2ban.service)
 # https://github.com/systemd/systemd/issues/2830
 # https://bugzilla.opensuse.org/show_bug.cgi?id=1146856
-# - name: restart firewalld
+# - name: Restart firewalld
 # service: name=firewalld state=restarted
-- name: stop firewalld
+- name: Stop firewalld
 service: name=firewalld state=stopped
 listen: restart firewalld
-- name: start firewalld
+- name: Start firewalld
 service: name=firewalld state=started
 listen: restart firewalld
diff --git a/roles/firewalld/tasks/main.yml b/roles/firewalld/tasks/main.yml
index 13ed8f32fe74687610843bb1892e06ca6dce187a..982d1012bab04fcceb45adae9cffb76dec4d4f6f 100644
--- a/roles/firewalld/tasks/main.yml
+++ b/roles/firewalld/tasks/main.yml
@@ -1,20 +1,20 @@
-- name: install firewalld
+- name: Install firewalld
 pacman:
 name: firewalld
 state: present
-- name: install firewalld config
+- name: Install firewalld config
 template: src=firewalld.conf.j2 dest=/etc/firewalld/firewalld.conf owner=root group=root mode=0644
 notify:
 - restart firewalld
-- name: start and enable firewalld
+- name: Start and enable firewalld
 service:
 name: firewalld
 enabled: "{{ configure_firewall }}"
 state: "{{ configure_firewall | ternary('started', 'stopped') }}"
-- name: disable default dhcpv6-client rule
+- name: Disable default dhcpv6-client rule
 ansible.posix.firewalld:
 service: dhcpv6-client
 state: disabled
diff --git a/roles/fluxbb/handlers/main.yml b/roles/fluxbb/handlers/main.yml
index 5b6b366b4283bae7ffe3e2e72ea6af9f06e035ec..f26cb90057db58d6d06c93dd705d02f488f9b9fc 100644
--- a/roles/fluxbb/handlers/main.yml
+++ b/roles/fluxbb/handlers/main.yml
@@ -1,2 +1,2 @@
-- name: restart php-fpm@fluxbb
+- name: Restart php-fpm@fluxbb
 systemd: name=php-fpm@fluxbb.service state=restarted
diff --git a/roles/fluxbb/tasks/main.yml b/roles/fluxbb/tasks/main.yml
index 443e0b67e77ff02b35ad6aa00ca7077088db52da..107d3db7fef8f195a75fb0f9bf4cf3c7ae8e61a5 100644
--- a/roles/fluxbb/tasks/main.yml
+++ b/roles/fluxbb/tasks/main.yml
@@ -1,67 +1,67 @@
-- name: create user
+- name: Create user
 user: >
 name=fluxbb home="{{ fluxbb_dir }}" shell=/bin/false system=yes createhome=no
-- name: clone fluxbb
+- name: Clone fluxbb
 git:
 repo: https://gitlab.archlinux.org/archlinux/archbbs.git
 dest: "{{ fluxbb_dir }}"
 version: "{{ fluxbb_version }}"
-- name: fix home permissions
+- name: Fix home permissions
 file: state=directory owner=fluxbb group=fluxbb mode=0755 path="{{ fluxbb_dir }}"
 changed_when: false
-- name: create uploads directory
+- name: Create uploads directory
 file: state=directory owner=fluxbb group=fluxbb mode=0755 path="{{ fluxbb_dir }}/uploads"
-- name: create mariadb database
+- name: Create mariadb database
 mysql_db: name=fluxbb state=present
-- name: create mariadb user
+- name: Create mariadb user
 mysql_user: >
 user=fluxbb host=localhost password={{ fluxbb_db_password }} priv='fluxbb.*:ALL'
-- name: create ssl cert
+- name: Create ssl cert
 include_role:
 name: certificate
 vars:
 domains: ["{{ fluxbb_domain }}"]
-- name: create nginx log directory
+- name: Create nginx log directory
 file: path=/var/log/nginx/{{ fluxbb_domain }} state=directory owner=root group=root mode=0755
-- name: configure nginx
+- name: Configure nginx
 template: >
 src=nginx.conf.j2 dest=/etc/nginx/nginx.d/fluxbb.conf owner=root group=root mode=0644
 notify: reload nginx
-- name: install python-passlib
+- name: Install python-passlib
 pacman: name=python-passlib
-- name: create auth file
+- name: Create auth file
 htpasswd: >
 path=/etc/nginx/auth/fluxx name={{ fluxbb_htpasswd.username }} password={{ fluxbb_htpasswd.password }} owner=root group=http mode=0640
-- name: install forum config
+- name: Install forum config
 template: >
 src=config.php.j2 dest={{ fluxbb_dir }}/config.php owner=fluxbb group=fluxbb mode=400
-- name: install php-apcu
+- name: Install php-apcu
 pacman: name=php-apcu,php-intl
-- name: configure php-fpm
+- name: Configure php-fpm
 template: >
 src=php-fpm.conf.j2 dest=/etc/php/php-fpm.d/fluxbb.conf
owner=root group=root mode=0644
 notify: restart php-fpm@fluxbb
-- name: start and enable systemd socket
+- name: Start and enable systemd socket
 service: name=php-fpm@fluxbb.socket state=started enabled=true
diff --git a/roles/flyspray/handlers/main.yml b/roles/flyspray/handlers/main.yml
index f9b2114d08ea8858b1824c96c10260e4dc5f0ba9..e0984639850f08611f198d9b36b6070f88b7ce34 100644
--- a/roles/flyspray/handlers/main.yml
+++ b/roles/flyspray/handlers/main.yml
@@ -1,2 +1,2 @@
-- name: restart php-fpm7@flyspray
+- name: Restart php-fpm7@flyspray
 service: name=php-fpm7@flyspray state=restarted
diff --git a/roles/flyspray/tasks/main.yml b/roles/flyspray/tasks/main.yml
index c61c81c3280c590663b3bfd9779ad43dfe77ba99..25de86c5d2f1e0da04edd8e8e5c6dc088813aa66 100644
--- a/roles/flyspray/tasks/main.yml
+++ b/roles/flyspray/tasks/main.yml
@@ -1,4 +1,4 @@
-- name: run maintenance mode
+- name: Run maintenance mode
 include_role:
 name: maintenance
 vars:
@@ -8,40 +8,40 @@
 service_nginx_conf: "{{ flyspray_nginx_conf }}"
 when: maintenance is defined
-- name: install git
+- name: Install git
 pacman: name=git state=present
-- name: make flyspray user
+- name: Make flyspray user
 user: name="{{ flyspray_user }}" shell=/bin/false home="{{ flyspray_dir }}" createhome=no
 register: user_created
-- name: fix home permissions
+- name: Fix home permissions
 file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}" mode=0755
-- name: create ssl cert
+- name: Create ssl cert
 include_role:
 name: certificate
 vars:
 domains: ["{{ flyspray_domain }}"]
-- name: set up nginx
+- name: Set up nginx
 template: src=nginx.d.conf.j2 dest="{{ flyspray_nginx_conf }}" owner=root group=root mode=644
 notify:
 - reload nginx
 when: maintenance is not defined
 tags: ['nginx']
-- name: install nginx migrated-tasks.map
+- name: Install nginx migrated-tasks.map
 copy: src=migrated-tasks.map dest=/etc/nginx/maps/ owner=root group=root mode=0644
-- name: make nginx log dir
+- name: Make nginx log dir
 file: path=/var/log/nginx/{{ flyspray_domain }} state=directory owner=root group=root mode=0755
-- name: create setup dir with write permissions
+- name: Create setup dir with write permissions
 file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}/setup" mode=755
 when: not user_created.changed
-- name: clone flyspray repo
+- name: Clone flyspray repo
 git:
 repo: https://gitlab.archlinux.org/archlinux/flyspray.git
 version: "{{ flyspray_commit }}"
@@ -50,44 +50,44 @@
 become_user: "{{ flyspray_user }}"
 register: release
-- name: take away setup dir write permissions
+- name: Take away setup dir write permissions
 file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}/setup" mode=000
-- name: configure flyspray
+- name: Configure flyspray
 template: src=flyspray.conf.php.j2 dest=/srv/http/flyspray/flyspray.conf.php owner="{{ flyspray_user }}" group="{{ flyspray_user }}" mode=0660
 register: config
 no_log: true
-- name: create flyspray db
+- name: Create flyspray db
 mysql_db: name="{{ flyspray_db }}" login_host="{{ flyspray_db_host }}" login_password="{{ vault_mariadb_users.root }}"
 register: db_created
-- name: create flyspray db user
+- name: Create flyspray db user
 mysql_user: name={{ flyspray_db_user }} password={{ vault_flyspray_db_password }} login_host="{{ flyspray_db_host }}" login_password="{{ vault_mariadb_users.root }}" priv="{{ flyspray_db }}.*:ALL"
 no_log: true
-- name: configure php-fpm
+- name: Configure php-fpm
 template: src=php-fpm.conf.j2 dest="/etc/php7/php-fpm.d/{{ flyspray_user }}.conf" owner=root group=root mode=0644
 notify:
 - restart php-fpm7@flyspray
-- name: install fail2ban register ban filter
+- name: Install fail2ban register ban filter
 template: src=fail2ban.filter.j2 dest=/etc/fail2ban/filter.d/nginx-flyspray-register.local owner=root group=root mode=0644
 notify:
 - restart fail2ban
 tags:
 - fail2ban
-- name: install fail2ban register ban jail
+- name: Install fail2ban register ban jail
 template: src=fail2ban.jail.j2 dest=/etc/fail2ban/jail.d/nginx-flyspray-register.local owner=root group=root mode=0644
 notify:
 - restart fail2ban
 tags:
 - fail2ban
-- name: start and enable systemd socket
+- name: Start and enable systemd socket
 service: name=php-fpm7@flyspray.socket state=started enabled=true
diff --git a/roles/geo_dns/handlers/main.yml b/roles/geo_dns/handlers/main.yml
index d889effb95e68108d57d1f18a299e9448fb178b4..fba3a6d1545b068ff0ac792e84492f4f93a835b3 100644
--- a/roles/geo_dns/handlers/main.yml
+++ b/roles/geo_dns/handlers/main.yml
@@ -1,2 +1,2 @@
-- name: restart powerdns
+- name: Restart powerdns
 service: name=pdns state=restarted
diff --git a/roles/geo_dns/tasks/main.yml b/roles/geo_dns/tasks/main.yml
index 682c997f96c8724209a2faeb4e21a9b874f122df..d0d0b42b3cceb48250da50624202dcfe09b62953 100644
--- a/roles/geo_dns/tasks/main.yml
+++ b/roles/geo_dns/tasks/main.yml
@@ -1,27 +1,27 @@
-- name: install powerdns and geoip
+- name: Install powerdns and geoip
 pacman: name=powerdns,libmaxminddb,geoip,yaml-cpp state=present
-- name: install PowerDNS configuration
+- name: Install PowerDNS configuration
 template: src={{ item.src }} dest=/etc/powerdns/{{ item.dest }} owner=root group=root mode=0644
 loop:
 - {src: pdns.conf.j2, dest: pdns.conf}
 - {src: geo.yml.j2, dest: geo.yml}
 notify: restart powerdns
-- name: create drop-in directory for geoipupdate
+- name: Create drop-in directory for geoipupdate
 file: path=/etc/systemd/system/geoipupdate.service.d state=directory owner=root group=root mode=0755
-- name: install drop-in snippet for geoipupdate
+- name: Install drop-in snippet for geoipupdate
 copy: src=geoipupdate-pdns-reload.conf dest=/etc/systemd/system/geoipupdate.service.d/pdns-reload.conf owner=root group=root mode=0644
-- name: open powerdns ipv4 port for monitoring.archlinux.org
+- name: Open powerdns ipv4 port for monitoring.archlinux.org
 ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port=8081 accept"
 tags:
 - firewall
-- name: open firewall hole
+- name: Open firewall hole
 ansible.posix.firewalld: service=dns permanent=true state=enabled immediate=yes
-- name: start and enable powerdns
+- name: Start and enable powerdns
 systemd: name=pdns.service enabled=yes daemon_reload=yes state=started
diff --git a/roles/geoipupdate/tasks/main.yml b/roles/geoipupdate/tasks/main.yml
index 5b277dae25117056fb8c3cf07810561971d96d02..597d1f78175e43496ae713728d9d0e3f64fe2ec3 100644
--- a/roles/geoipupdate/tasks/main.yml
+++ b/roles/geoipupdate/tasks/main.yml
@@ -1,14 +1,14 @@
-- name: install geoipupdate
+- name: Install geoipupdate
 pacman: name=geoipupdate state=present
 register: installation
-- name: configure geoipupdate
+- name: Configure geoipupdate
 template: src=GeoIP.conf.j2 dest=/etc/GeoIP.conf owner=root group=root mode=0600
 register: configuration
-- name: run geoipupdate after installation or configuration change
+- name: Run geoipupdate after installation or configuration change
 systemd: name=geoipupdate state=restarted
 when: installation is changed or configuration is changed
-- name: start and enable geoipupdate.timer
+- name: Start and enable geoipupdate.timer
 systemd: name=geoipupdate.timer enabled=yes state=started
diff --git a/roles/gitlab/tasks/main.yml b/roles/gitlab/tasks/main.yml
index 378c85d3c0e84a0ed02a7d336c7c46957d059072..7e9d721f0f735e88fa0b4f49f94d49c296e07865 100644
--- a/roles/gitlab/tasks/main.yml
+++ b/roles/gitlab/tasks/main.yml
@@ -1,13 +1,13 @@
-- name: install docker dependencies
+- name: Install docker dependencies
 pacman: name=docker,python-docker state=present
-- name: start docker
+- name: Start docker
 service: name=docker enabled=yes state=started
-- name: copy sshd_config into place to change the port to 222
+- name: Copy sshd_config into place to change the port to 222
 copy: src=sshd_config dest=/srv/gitlab/sshd_config owner=root group=root mode=640
-- name: start docker gitlab image
+- name: Start docker gitlab image
 docker_container:
 name: gitlab
 image: gitlab/gitlab-ee:latest
@@ -99,11 +99,11 @@
 - "/srv/gitlab/data:/var/opt/gitlab"
 - "/srv/gitlab/sshd_config:/assets/sshd_config"
-- name: prune unused docker images
+- name: Prune unused docker images
 docker_prune:
 images: true
-- name: open firewall holes
+- name: Open firewall holes
 ansible.posix.firewalld: port={{ item }} permanent=true state=enabled immediate=yes
 when: configure_firewall
 with_items:
@@ -114,11 +114,11 @@
 tags:
 - firewall
-- name: copy gitlab-cleanup timer and service
+- name: Copy gitlab-cleanup timer and service
 copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
 with_items:
 - gitlab-cleanup.timer
 - gitlab-cleanup.service
-- name: activate systemd timers for gitlab-cleanup
+- name: Activate systemd timers for gitlab-cleanup
 systemd: name=gitlab-cleanup.timer enabled=yes state=started daemon-reload=yes
diff --git a/roles/gitlab_runner/handlers/main.yml b/roles/gitlab_runner/handlers/main.yml
index 40375983ec25e807e9bbb9fb2dcdae35aaa17d6a..94bed04c69387447c3a79076cb2da2dfaa975a38 100644
--- a/roles/gitlab_runner/handlers/main.yml
+++ b/roles/gitlab_runner/handlers/main.yml
@@ -1,11 +1,11 @@
-- name: systemd daemon-reload
+- name: Systemd daemon-reload
 systemd: daemon_reload=yes
-- name: restart gitlab-runner
+- name: Restart gitlab-runner
 service: name=gitlab-runner state=restarted
-- name: restart gitlab-runner-docker-cleanup.timer
+- name: Restart gitlab-runner-docker-cleanup.timer
 service: name=gitlab-runner-docker-cleanup.timer state=restarted daemon_reload=yes
-- name: restart docker
+- name: Restart docker
 service: name=docker state=restarted
diff --git a/roles/gitlab_runner/tasks/main.yml b/roles/gitlab_runner/tasks/main.yml
index 2bd92f56df2aa3127547f2836304151f45902b04..edde2eaf7b448c24d868f343360932fb1ad9298c 100644
--- a/roles/gitlab_runner/tasks/main.yml
+++ b/roles/gitlab_runner/tasks/main.yml
@@ -1,15 +1,15 @@
-- name: install dependencies
+- name: Install dependencies
 pacman: name=docker,python-docker,python-gitlab,gitlab-runner state=latest update_cache=yes
 notify: restart gitlab-runner
-- name: install docker.slice
+- name: Install docker.slice
 copy: src=docker.slice dest=/etc/systemd/system/ owner=root group=root mode=0644
 notify: systemd daemon-reload
-- name: start docker
+- name: Start docker
 systemd: name=docker enabled=yes state=started daemon_reload=yes
-- name: configure Docker daemon for IPv6
+- name: Configure Docker daemon for IPv6
 copy: src=daemon.json dest=/etc/docker/daemon.json owner=root group=root mode=0644
 notify: restart docker
@@ -17,7 +17,7 @@
 # https://medium.com/@skleeschulte/how-to-enable-ipv6-for-docker-containers-on-ubuntu-18-04-c68394a219a2
 # https://github.com/docker/docker.github.io/blob/c0eb65aabe4de94d56bbc20249179f626df5e8c3/engine/userguide/networking/default_network/ipv6.md
 # https://github.com/moby/moby/issues/36954
-- name: add IPv6 NAT for docker
+- name: Add IPv6 NAT for docker
 ansible.posix.firewalld:
 zone: public
 permanent: true
@@ -42,11 +42,11 @@
 # --locked=false \ # Use true for secure runners
 # --access-level=not_protected # Use ref_protected for secure runners
 # Note: Secure runners must be added manually to the relevant projects
-- name: install runner configuration
+- name: Install runner configuration
 template: src=config.toml.j2 dest=/etc/gitlab-runner/config.toml owner=root group=root mode=0600
 notify: restart gitlab-runner
-- name: install gitlab-runner-docker-cleanup.{service,timer}
+- name: Install gitlab-runner-docker-cleanup.{service,timer}
 copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
 loop:
 - gitlab-runner-docker-cleanup.service
@@ -54,24 +54,24 @@ notify: - restart gitlab-runner-docker-cleanup.timer -- name: enable and start gitlab-runner-docker-cleanup.timer +- name: Enable and start gitlab-runner-docker-cleanup.timer systemd: name=gitlab-runner-docker-cleanup.timer state=started enabled=yes daemon_reload=yes -- name: enable and start gitlab runner service +- name: Enable and start gitlab runner service systemd: name=gitlab-runner state=started enabled=yes daemon_reload=yes -- name: setup libvirt-executor +- name: Setup libvirt-executor block: - - name: install libvirt-executor-update-base-image dependencies + - name: Install libvirt-executor-update-base-image dependencies pacman: name=arch-install-scripts,sequoia-sq state=present - - name: create libvirt-executor configuration and data directories + - name: Create libvirt-executor configuration and data directories file: path={{ item }} state=directory owner=root group=root mode=0755 loop: - /etc/libvirt-executor - /usr/local/lib/libvirt-executor - - name: install libvirt-executor + - name: Install libvirt-executor copy: src={{ item.src }} dest={{ item.dest }} owner=root group=root mode={{ item.mode }} loop: - {src: arch-boxes.asc, dest: /usr/local/lib/libvirt-executor/, mode: 644} 
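Review bot: In `Install libvirt-executor` the loop items use `mode: 644` (and `mode: 755` in the next hunk) as bare YAML integers; Ansible's file modules treat an integer mode as an already-converted number, and a decimal 644 is not 0o644, so this works only because `mode={{ item.mode }}` in a key=value string renders the value back into text before the module parses it — a fragile round-trip that ansible-lint's risky-octal rule flags. Quoting the values, `mode: "0644"` / `mode: "0755"`, removes the dependency on templating and matches the `mode=0644` spelling used everywhere else in this file. The block's `when:` clause is outside this hunk, so it cannot be checked here.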
@@ -79,17 +79,17 @@ - {src: libvirt-executor, dest: /usr/local/bin/, mode: 755} - {src: libvirt-executor-update-base-image, dest: /usr/local/bin/, mode: 755} - - name: create SSH keys for libvirt-executor + - name: Create SSH keys for libvirt-executor command: ssh-keygen -N "" -f /etc/libvirt-executor/id_ed25519 -t ed25519 args: creates: /etc/libvirt-executor/id_ed25519 - - name: install libvirt-executor-update-base-image.{service,timer} + - name: Install libvirt-executor-update-base-image.{service,timer} copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 loop: - libvirt-executor-update-base-image.service - libvirt-executor-update-base-image.timer - - name: enable and start libvirt-executor-update-base-image.timer + - name: Enable and start libvirt-executor-update-base-image.timer systemd: name=libvirt-executor-update-base-image.timer state=started enabled=yes daemon_reload=yes when: "'gitlab_vm_runners' in group_names" diff --git a/roles/gluebuddy/handlers/main.yml b/roles/gluebuddy/handlers/main.yml index b7dd1329ddc3a1ab0c1adb00e3c6fc5bf0f3ee5d..53c25acb653061ac6585331c532338b68ce70faa 100644 --- a/roles/gluebuddy/handlers/main.yml +++ b/roles/gluebuddy/handlers/main.yml @@ -1,3 +1,3 @@ -- name: daemon reload +- name: Daemon reload systemd: daemon-reload: true diff --git a/roles/gluebuddy/tasks/main.yml b/roles/gluebuddy/tasks/main.yml index 8b7bcd0d8a546e41ad599094c0a01093a04f8117..7eb06de70b6ab1ab2f28109dffb3d84e66f6fff3 100644 --- a/roles/gluebuddy/tasks/main.yml +++ b/roles/gluebuddy/tasks/main.yml @@ -1,7 +1,7 @@ -- name: install sequoia +- name: Install sequoia pacman: name=sequoia-sq state=present -- name: install systemd service/timer +- name: Install systemd service/timer copy: src={{ item }} dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644 with_items: - gluebuddy.service 
@@ -9,16 +9,16 @@ notify: - daemon reload -- name: enable timer +- name: Enable timer systemd: name=gluebuddy.timer enabled=yes state=started -- name: install conf file +- name: Install conf file template: src=gluebuddy.conf.j2 dest=/etc/conf.d/gluebuddy owner=root group=root mode=0600 -- name: install download script +- name: Install download script copy: src=gluebuddy_download.sh dest=/usr/local/bin/gluebuddy_download.sh owner=root group=root mode=0755 -- name: download latest gluebuddy +- name: Download latest gluebuddy command: /usr/local/bin/gluebuddy_download.sh tags: - skip_ansible_lint diff --git a/roles/grafana/handlers/main.yml b/roles/grafana/handlers/main.yml index a0184c559b20710490d415b18c90eb377c29ebba..0b4f2eec4e3a49b1706f5b639c1c41880e3635a2 100644 --- a/roles/grafana/handlers/main.yml +++ b/roles/grafana/handlers/main.yml @@ -1,2 +1,2 @@ -- name: restart grafana +- name: Restart grafana service: name=grafana state=restarted diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml index e71a914f9a14549c3877c5ce221ea10e7d238dca..610d9680e059856e6ddd26d34c4c860fb72b8eec 100644 --- a/roles/grafana/tasks/main.yml +++ b/roles/grafana/tasks/main.yml 
@@ -1,25 +1,25 @@ -- name: install grafana +- name: Install grafana pacman: name=grafana state=present -- name: create ssl cert +- name: Create ssl cert include_role: name: certificate vars: domains: ["{{ grafana_domain }}"] -- name: set up nginx +- name: Set up nginx template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/grafana.conf owner=root group=http mode=640 notify: - reload nginx tags: ['nginx'] -- name: make nginx log dir +- name: Make nginx log dir file: path=/var/log/nginx/{{ grafana_domain }} state=directory owner=root group=root mode=0755 -- name: create grafana config directory +- name: Create grafana config directory file: path=/etc/grafana mode=0700 owner=grafana group=grafana state=directory -- name: create grafana provisioning directory +- name: Create grafana provisioning directory file: path={{ item }} mode=0700 owner=grafana group=grafana state=directory with_items: - /etc/grafana/provisioning 
@@ -29,27 +29,27 @@ - /etc/grafana/provisioning/notifiers - /var/lib/grafana/dashboards -- name: install grafana datasources provisioning +- name: Install grafana datasources provisioning template: src=datasources.yaml.j2 dest=/etc/grafana/provisioning/datasources/prometheus.yml owner=grafana group=root mode=0600 notify: restart grafana -- name: install grafana dashboard provisioning +- name: Install grafana dashboard provisioning template: src=dashboard.yaml.j2 dest=/etc/grafana/provisioning/dashboards/dasbhoard.yml owner=grafana group=root mode=0600 notify: restart grafana -- name: copy grafana dashboards +- name: Copy grafana dashboards copy: src=dashboards dest=/var/lib/grafana/dashboards owner=grafana group=grafana mode=0600 -- name: copy (public) grafana dashboards +- name: Copy (public) grafana dashboards copy: src=public-dashboards dest=/var/lib/grafana/ owner=root group=grafana mode=0640 when: grafana_anonymous_access -- name: install grafana config +- name: Install grafana config template: src=grafana.ini.j2 dest=/etc/grafana.ini owner=grafana group=root mode=0600 notify: restart grafana -- name: fix /var/lib/grafana permissions +- name: Fix /var/lib/grafana permissions file: path=/var/lib/grafana mode=0700 owner=grafana group=grafana -- name: start and enable service +- name: Start and enable service service: name=grafana state=started enabled=true diff --git a/roles/hardening/handlers/main.yml b/roles/hardening/handlers/main.yml index 4649ada5b55614dd731a2c6681cb84cd66685312..f3a0d5fa566f66b2ee2a9cc69179d2434c565d52 100644 --- a/roles/hardening/handlers/main.yml +++ b/roles/hardening/handlers/main.yml @@ -1,2 +1,2 @@ -- name: apply sysctl settings +- name: Apply sysctl settings command: sysctl --system diff --git a/roles/hardening/tasks/main.yml b/roles/hardening/tasks/main.yml index cee35d766e368dfc16a674928cd5d527ba0e34d1..235ad5c8e0b83b8a6ef0038c085def09aa44ae50 100644 --- a/roles/hardening/tasks/main.yml +++ b/roles/hardening/tasks/main.yml 
@@ -1,40 +1,40 @@ -- name: set restricted access to kernel logs +- name: Set restricted access to kernel logs copy: src=50-dmesg-restrict.conf dest=/etc/sysctl.d/50-dmesg-restrict.conf owner=root group=root mode=0644 notify: - apply sysctl settings -- name: set ptrace scope, restrict ptrace to CAP_SYS_PTRACE +- name: Set ptrace scope, restrict ptrace to CAP_SYS_PTRACE copy: src=50-ptrace-restrict.conf dest=/etc/sysctl.d/50-ptrace-restrict.conf owner=root group=root mode=0644 when: "'buildservers' not in group_names" notify: - apply sysctl settings -- name: set restricted access to kernel pointers in proc fs +- name: Set restricted access to kernel pointers in proc fs copy: src=50-kptr-restrict.conf dest=/etc/sysctl.d/50-kptr-restrict.conf owner=root group=root mode=0644 notify: - apply sysctl settings -- name: enable JIT hardening for all users +- name: Enable JIT hardening for all users copy: src=50-bpf_jit_harden.conf dest=/etc/sysctl.d/50-bpf_jit_harden.conf owner=root group=root mode=0644 notify: - apply sysctl settings -- name: disable unprivileged bpf +- name: Disable unprivileged bpf copy: src=50-unprivileged_bpf_disabled.conf dest=/etc/sysctl.d/50-unprivileged_bpf_disabled.conf owner=root group=root mode=0644 notify: - apply sysctl settings -- name: disable unprivileged userns +- name: Disable unprivileged userns copy: src=50-unprivileged_userns_clone.conf dest=/etc/sysctl.d/50-unprivileged_userns_clone.conf owner=root group=root mode=0644 notify: - apply sysctl settings -- name: disable kexec load +- name: Disable kexec load copy: src=50-kexec_load_disabled.conf dest=/etc/sysctl.d/50-kexec_load_disabled.conf owner=root group=root mode=0644 notify: - apply sysctl settings -- name: set kernel lockdown to restricted +- name: Set kernel lockdown to restricted copy: src=50-lockdown.conf dest=/etc/tmpfiles.d/50-kernel-lockdown.conf owner=root group=root mode=0644 when: "'hcloud' in group_names" notify: 
diff --git a/roles/hedgedoc/tasks/main.yml b/roles/hedgedoc/tasks/main.yml index 8d259ff697654c6a50a538366aefd72f78a9ca3a..6392959e2279898088b1a5202b594f251b778669 100644 --- a/roles/hedgedoc/tasks/main.yml +++ b/roles/hedgedoc/tasks/main.yml @@ -1,40 +1,40 @@ -- name: create ssl cert +- name: Create ssl cert include_role: name: certificate vars: domains: ["{{ hedgedoc_domain }}"] -- name: install hedgedoc +- name: Install hedgedoc pacman: name=hedgedoc state=present -- name: add hedgedoc postgres db +- name: Add hedgedoc postgres db postgresql_db: db=hedgedoc become: true become_user: postgres become_method: su -- name: add hedgedoc postgres user +- name: Add hedgedoc postgres user postgresql_user: db=hedgedoc name=hedgedoc password={{ vault_postgres_users.hedgedoc }} encrypted=true become: true become_user: postgres become_method: su -- name: make nginx log dir +- name: Make nginx log dir file: path=/var/log/nginx/{{ hedgedoc_domain }} state=directory owner=root group=root mode=0755 -- name: set up nginx +- name: Set up nginx template: src=nginx.d.conf.j2 dest={{ hedgedoc_nginx_conf }} owner=root group=http mode=640 notify: reload nginx tags: ['nginx'] -- name: add hedgedoc.service.d dir +- name: Add hedgedoc.service.d dir file: state=directory path=/etc/systemd/system/hedgedoc.service.d owner=root group=root mode=0755 -- name: install hedgedoc.service snippet for configuration +- name: Install hedgedoc.service snippet for configuration template: src=hedgedoc.service.d.j2 dest=/etc/systemd/system/hedgedoc.service.d/local.conf owner=root group=root mode=0644 -- name: install hedgedoc config file +- name: Install hedgedoc config file template: src=config.json.j2 dest=/etc/webapps/hedgedoc/config.json owner=root group=root mode=0644 -- name: start and enable hedgedoc +- name: Start and enable hedgedoc service: name=hedgedoc.service enabled=yes state=started 
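Review bot: `Add hedgedoc postgres user` passes `{{ vault_postgres_users.hedgedoc }}` as a module argument without `no_log: true`, so a failed task or a `-v` run prints the password inside the `invocation` output; the equivalent `Create postgres keycloak user` task touched by this same commit does set it. Add `no_log: true` after `become_method: su`. Separately, `Install hedgedoc config file` writes config.json with `mode=0644`; if the template carries the database password or session secret (not visible here), the file is readable by every local account and `mode=0640` with a group the hedgedoc service user belongs to would be the safer choice — confirm what config.json.j2 contains.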
diff --git a/roles/hetzner_storagebox/tasks/main.yml b/roles/hetzner_storagebox/tasks/main.yml index 9594a763c0fd3fdefeb4778a66acf57559076baf..b3531ded16377de38a27db9f7e2621e873047c8f 100644 --- a/roles/hetzner_storagebox/tasks/main.yml +++ b/roles/hetzner_storagebox/tasks/main.yml @@ -1,12 +1,12 @@ # This role runs on localhost; use commands like sftp to upload configuration -- name: create the root backup directory at {{ backup_dir }} +- name: Create the root backup directory at {{ backup_dir }} expect: command: bash -c "echo 'mkdir {{ backup_dir }}' | sftp -P 23 {{ storagebox_username }}@{{ storagebox_hostname }}" responses: (?i)password: "{{ storagebox_password }}" -- name: create a home directory for each sub-account +- name: Create a home directory for each sub-account expect: command: | bash -c 'sftp -P 23 {{ storagebox_username }}@{{ storagebox_hostname }} <<EOF @@ -17,7 +17,7 @@ responses: (?i)password: "{{ storagebox_password }}" -- name: fetch ssh keys from each borg client machine +- name: Fetch ssh keys from each borg client machine command: cat /root/.ssh/id_rsa.pub check_mode: false register: client_ssh_keys @@ -25,16 +25,16 @@ with_items: "{{ backup_clients }}" changed_when: client_ssh_keys.changed -- name: create tempfile +- name: Create tempfile tempfile: state=file check_mode: false register: tempfile -- name: fill tempfile +- name: Fill tempfile copy: content="{{ lookup('template', 'authorized_keys.j2') }}" dest="{{ tempfile.path }}" mode=preserve no_log: true -- name: upload authorized_keys for Arch DevOps +- name: Upload authorized_keys for Arch DevOps expect: command: | bash -c 'sftp -P 23 {{ storagebox_username }}@{{ storagebox_hostname }} <<EOF 
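Review bot: Both `expect` tasks in the first hunk (`Create the root backup directory …`, `Create a home directory …`) answer the sftp prompt with `{{ storagebox_password }}` but carry no `no_log: true`, so the password is printed with the module's `invocation` arguments whenever a task fails or the run is verbose; `Fill tempfile` below already sets it, and the same line belongs on each sftp task, including `Upload authorized_keys for Arch DevOps` in the third hunk. In `Fetch ssh keys from each borg client machine`, `changed_when: client_ssh_keys.changed` evaluates the command's own result, which is always changed for a `cat`; since the task only reads a file, `changed_when: false` is probably what was intended — confirm.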
@@ -46,13 +46,13 @@ responses: (?i)password: "{{ storagebox_password }}" -- name: upload authorized_keys for each backup client +- name: Upload authorized_keys for each backup client include_tasks: upload_client_authorized_keys.yml loop: "{{ client_ssh_keys.results }}" loop_control: label: "{{ item.item }}" -- name: retrieve sub-account information +- name: Retrieve sub-account information uri: url: https://robot-ws.your-server.de/storagebox/{{ storagebox_id }}/subaccount user: "{{ hetzner_webservice_username }}" @@ -61,11 +61,11 @@ register: subaccounts_raw no_log: true -- name: get list of sub-accounts +- name: Get list of sub-accounts set_fact: subaccounts: "{{ subaccounts_raw.json | json_query('[].subaccount') }}" -- name: create missing sub-accounts +- name: Create missing sub-accounts uri: timeout: 60 url: https://robot-ws.your-server.de/storagebox/{{ storagebox_id }}/subaccount @@ -81,21 +81,21 @@ register: new_subaccounts_raw no_log: true -- name: update list of sub-accounts +- name: Update list of sub-accounts set_fact: subaccounts: "{{ subaccounts + [item.json.subaccount | combine({'comment': item.invocation.module_args.body.comment})] }}" loop: "{{ new_subaccounts_raw.results }}" loop_control: label: "{{ item.invocation.module_args.body.comment }}" -- name: match usernames to backup clients +- name: Match usernames to backup clients set_fact: backup_client_usernames: "{{ backup_client_usernames | default({}) | combine({item.comment: item.username}) }}" loop: "{{ subaccounts }}" loop_control: label: "{{ {item.comment: item.username} }}" -- name: configure ssh on backup clients +- name: Configure ssh on backup clients blockinfile: path: /root/.ssh/config create: true diff --git a/roles/hetzner_storagebox/tasks/upload_client_authorized_keys.yml b/roles/hetzner_storagebox/tasks/upload_client_authorized_keys.yml index 6f513c4c71add88caa326774bb5ac972ba20ff6b..1b948dcfc495ccc8ddd9a255a340af5bcd2da21d 100644 
--- a/roles/hetzner_storagebox/tasks/upload_client_authorized_keys.yml +++ b/roles/hetzner_storagebox/tasks/upload_client_authorized_keys.yml @@ -1,8 +1,8 @@ -- name: fill tempfile +- name: Fill tempfile copy: content="{{ lookup('template', 'authorized_keys_client.j2') }}" dest="{{ tempfile.path }}" mode=preserve no_log: true -- name: upload authorized_keys file to {{ backup_dir }}/{{ item.item }} +- name: Upload authorized_keys file to {{ backup_dir }}/{{ item.item }} expect: command: | bash -c 'sftp {{ storagebox_username }}@{{ storagebox_hostname }} <<EOF diff --git a/roles/install_arch/tasks/main.yml b/roles/install_arch/tasks/main.yml index c6b54ff780de4de0710ca9a83773016744eaf460..34ca5d6fbccef85d41265f5952605b5c75b2d1ca 100644 --- a/roles/install_arch/tasks/main.yml +++ b/roles/install_arch/tasks/main.yml 
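Review bot: `Upload authorized_keys file to …` runs `sftp {{ storagebox_username }}@{{ storagebox_hostname }}` without the `-P 23` that every sftp invocation visible in roles/hetzner_storagebox/tasks/main.yml uses; unless the storage box also serves sftp on port 22, this connects to the wrong port, so the line should read `bash -c 'sftp -P 23 {{ storagebox_username }}@{{ storagebox_hostname }} <<EOF`. The `expect` task continues past the end of the hunk, so whether it sets `no_log: true` for the password response cannot be seen here; it should, for the same reason as the sftp tasks in main.yml.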
@@ -1,138 +1,138 @@ -- name: read /etc/motd +- name: Read /etc/motd command: cat /etc/motd register: motd_contents changed_when: motd_contents.stdout | length > 0 -- name: check whether we're running in Hetzner or Equinix Metal rescue environment +- name: Check whether we're running in Hetzner or Equinix Metal rescue environment fail: msg="Not running in rescue system!" when: "'Hetzner Rescue' not in motd_contents.stdout and 'Rescue environment based on Alpine Linux' not in motd_contents.stdout" -- name: make sure all required packages are installed in the rescue system for installation +- name: Make sure all required packages are installed in the rescue system for installation apk: name=sgdisk,btrfs-progs,tar update_cache=yes when: ansible_facts['os_family'] == "Alpine" -- name: create GRUB embed partitions +- name: Create GRUB embed partitions command: sgdisk -g --clear -n 1:0:+1M {{ item }} -c 1:boot -t 1:ef02 with_items: - "{{ system_disks }}" register: sgdisk changed_when: "sgdisk.rc == 0" -- name: create root partitions +- name: Create root partitions command: sgdisk -n 2:0:0 {{ item }} -c 2:root with_items: - "{{ system_disks }}" register: sgdisk changed_when: "sgdisk.rc == 0" -- name: partition and format the disks (btrfs RAID) +- name: Partition and format the disks (btrfs RAID) command: mkfs.btrfs -f -L root -d {{ raid_level|default('raid1') }} -m {{ raid_level|default('raid1') }} -O no-holes {{ system_disks | map('regex_replace', '^(.*)$', '\g<1>p2' if 'nvme' in system_disks[0] else '\g<1>2') | join(' ') }} when: filesystem == "btrfs" and system_disks|length >= 2 -- name: partition and format the disks (btrfs single) +- name: Partition and format the disks (btrfs single) command: mkfs.btrfs -f -L root -d single -m single -O no-holes {{ system_disks[0] }}{{ 'p2' if 'nvme' in system_disks[0] else '2' }} when: filesystem == "btrfs" and system_disks|length == 1 -- name: mount the filesystem (btrfs) +- name: Mount the filesystem (btrfs) mount: src="{{ 
system_disks[0] }}{{ 'p2' if 'nvme' in system_disks[0] else '2' }}" path=/mnt state=mounted fstype=btrfs opts="compress-force=zstd,space_cache=v2" when: filesystem == "btrfs" -- name: touch LOCK file on mountpoint +- name: Touch LOCK file on mountpoint file: path=/mnt/LOCK state=touch owner=root group=root mode=0644 -- name: download bootstrap image +- name: Download bootstrap image get_url: url: https://geo.mirror.pkgbuild.com/iso/{{ bootstrap_version }}/archlinux-bootstrap-x86_64.tar.gz dest: /tmp/ mode: 0644 -- name: extract boostrap image # noqa 208 +- name: Extract boostrap image # noqa 208 unarchive: src: /tmp/archlinux-bootstrap-x86_64.tar.gz dest: /tmp remote_src: true creates: /tmp/root.x86_64 -- name: copy resolv.conf to bootstrap chroot +- name: Copy resolv.conf to bootstrap chroot copy: remote_src=true src=/etc/resolv.conf dest=/tmp/root.x86_64/etc/resolv.conf owner=root group=root mode=0644 -- name: mount /proc to bootstrap chroot +- name: Mount /proc to bootstrap chroot command: mount --rbind /proc /tmp/root.x86_64/proc creates=/tmp/root.x86_64/proc/uptime # noqa 303 -- name: mount /sys to bootstrap chroot +- name: Mount /sys to bootstrap chroot command: mount --rbind /sys /tmp/root.x86_64/sys creates=/tmp/root.x86_64/sys/dev # noqa 303 -- name: mount /dev to bootstrap chroot +- name: Mount /dev to bootstrap chroot command: mount --rbind /dev /tmp/root.x86_64/dev creates=/tmp/root.x86_64/dev/zero # noqa 303 -- name: mount /mnt to bootstrap chroot +- name: Mount /mnt to bootstrap chroot command: mount --rbind /mnt /tmp/root.x86_64/mnt creates=/tmp/root.x86_64/mnt/LOCK # noqa 303 -- name: configure pacman mirror +- name: Configure pacman mirror template: src=mirrorlist.j2 dest=/tmp/root.x86_64/etc/pacman.d/mirrorlist owner=root group=root mode=0644 -- name: initialize pacman keyring inside bootstrap chroot +- name: Initialize pacman keyring inside bootstrap chroot command: chroot /tmp/root.x86_64 pacman-key --init register: chroot_pacman_key_init 
changed_when: "chroot_pacman_key_init.rc == 0" -- name: populate pacman keyring inside bootstrap chroot +- name: Populate pacman keyring inside bootstrap chroot command: chroot /tmp/root.x86_64 pacman-key --populate archlinux register: chroot_pacman_key_populate changed_when: "chroot_pacman_key_populate.rc == 0" -- name: install ucode update +- name: Install ucode update block: - - name: install ucode update for Intel + - name: Install ucode update for Intel set_fact: ucode="intel-ucode" when: "'GenuineIntel' in ansible_facts['processor']" - - name: install ucode update for AMD + - name: Install ucode update for AMD set_fact: ucode="amd-ucode" when: "'AuthenticAMD' in ansible_facts['processor']" when: - "'hcloud' not in group_names" - inventory_hostname != 'packer-base-image' -- name: install arch base from bootstrap chroot +- name: Install arch base from bootstrap chroot command: chroot /tmp/root.x86_64 pacstrap /mnt base linux btrfs-progs grub openssh python-requests python-yaml inetutils {{ ucode | default('') }} args: creates: /tmp/root.x86_64/mnt/bin -- name: mount /proc to new chroot +- name: Mount /proc to new chroot command: mount --rbind /proc /mnt/proc creates=/mnt/proc/uptime # noqa 303 -- name: mount /sys to new chroot +- name: Mount /sys to new chroot command: mount --rbind /sys /mnt/sys creates=/mnt/sys/dev # noqa 303 -- name: mount /dev to new chroot +- name: Mount /dev to new chroot command: mount --rbind /dev /mnt/dev creates=/mnt/dev/zero # noqa 303 -- name: configure locale.gen +- name: Configure locale.gen lineinfile: dest=/mnt/etc/locale.gen line="en_US.UTF-8 UTF-8" owner=root group=root mode=0644 -- name: run locale-gen inside chroot +- name: Run locale-gen inside chroot command: chroot /mnt locale-gen register: chroot_locale_gen changed_when: "chroot_locale_gen.rc == 0" -- name: run systemd-firstboot +- name: Run systemd-firstboot command: chroot /mnt systemd-firstboot --locale=C.UTF-8 --timezone=UTC --hostname={{ hostname }} register: 
chroot_systemd_firstboot changed_when: "chroot_systemd_firstboot.rc == 0" -- name: run mkinitcpio +- name: Run mkinitcpio command: chroot /mnt mkinitcpio -p linux register: chroot_mkinitcpio changed_when: "chroot_mkinitcpio.rc == 0" -- name: configure networking +- name: Configure networking include_role: name: networking vars: chroot_path: "/mnt" -- name: provide default mount options (btrfs) +- name: Provide default mount options (btrfs) lineinfile: path: /mnt/etc/default/grub owner: root 
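Review bot: `Download bootstrap image` fetches archlinux-bootstrap-x86_64.tar.gz with `get_url` and no `checksum:`, so the only integrity check on the image that is then unpacked and chrooted into is the mirror's TLS; `get_url` can verify a pinned digest directly, `checksum: "sha256:<PLACEHOLDER sha256 for bootstrap_version>"` (a `sha256:` URL to the published checksum file for that version also works), which additionally turns a truncated download into a clear failure instead of an `unarchive` error. While the name line is being rewritten anyway, `Extract boostrap image` keeps its typo (`bootstrap`). The `mode: 0644` on the download task is a YAML 1.1 octal literal that ansible-lint's risky-octal rule flags; `mode: "0644"` is the portable spelling. This hunk covers only the first part of the role; the remaining tasks follow in the next hunk.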
@@ -142,45 +142,45 @@ line: "GRUB_CMDLINE_LINUX_DEFAULT=\"rootflags=compress-force=zstd\"" when: filesystem == "btrfs" -- name: install grub +- name: Install grub command: chroot /mnt grub-install --recheck {{ item }} with_items: - "{{ system_disks }}" register: chroot_grub_install changed_when: "chroot_grub_install.rc == 0" -- name: configure grub +- name: Configure grub command: chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg register: chroot_grub_mkconfig changed_when: "chroot_grub_mkconfig.rc == 0" -- name: setup pacman-init.service on first boot +- name: Setup pacman-init.service on first boot copy: src=pacman-init.service dest=/mnt/etc/systemd/system/ owner=root group=root mode=0644 -- name: remove generated keyring in the installation process +- name: Remove generated keyring in the installation process file: path=/mnt/etc/pacman.d/gnupg state=absent -- name: make sure /etc/machine-id is absent +- name: Make sure /etc/machine-id is absent file: path=/mnt/etc/machine-id state=absent -- name: enable services inside chroot +- name: Enable services inside chroot command: chroot /mnt systemctl enable sshd systemd-networkd systemd-resolved fstrim.timer pacman-init register: chroot_systemd_services changed_when: "chroot_systemd_services.rc == 0" -- name: add authorized key for root +- name: Add authorized key for root include_role: name: root_ssh vars: root_ssh_directory: /tmp/root.x86_64/mnt/root/.ssh -- name: configure sshd +- name: Configure sshd template: src=sshd_config.j2 dest=/mnt/etc/ssh/sshd_config owner=root group=root mode=0644 -- name: clean pacman cache +- name: Clean pacman cache shell: yes | chroot /mnt pacman -Scc # noqa risky-shell-pipe ("Illegal option -o pipefail" in Hetzner's recovery environment (dash?)) register: chroot_pacman_clean_cache changed_when: "chroot_pacman_clean_cache.rc == 0" -- name: remove LOCK file on mountpoint +- name: Remove LOCK file on mountpoint file: path=/mnt/LOCK state=absent 
diff --git a/roles/keycloak/handlers/main.yml b/roles/keycloak/handlers/main.yml index bdfa2b24e21fe40827039bdfa3ab20e75b9eaa20..b3e6fcce7eb4fd17cbd586f172566b6e27a7168e 100644 --- a/roles/keycloak/handlers/main.yml +++ b/roles/keycloak/handlers/main.yml @@ -1,6 +1,6 @@ -- name: restart keycloak +- name: Restart keycloak service: name=keycloak state=restarted -- name: daemon reload +- name: Daemon reload systemd: daemon-reload: true diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml index f6dd059c2774da32d615ab12b95abeb38ec82562..189a27cf610e75a6c8c3fbfb3063c81df2bb4fa1 100644 --- a/roles/keycloak/tasks/main.yml +++ b/roles/keycloak/tasks/main.yml 
@@ -1,56 +1,56 @@ -- name: install keycloak +- name: Install keycloak pacman: name=jre11-openjdk,keycloak,keycloak-archlinux-theme,keycloak-metrics-spi,python-passlib state=present -- name: create postgres keycloak user +- name: Create postgres keycloak user postgresql_user: name="{{ vault_keycloak_db_user }}" password="{{ vault_keycloak_db_password }}" become: true become_user: postgres become_method: su no_log: true -- name: create keycloak db +- name: Create keycloak db postgresql_db: name="{{ keycloak_db_name }}" owner="{{ vault_keycloak_db_user }}" become: true become_user: postgres become_method: su -- name: template keycloak config +- name: Template keycloak config template: src=keycloak.conf.j2 dest=/etc/keycloak/keycloak.conf owner=root group=keycloak mode=640 no_log: true notify: - restart keycloak -- name: create drop-in directory for keycloak.service +- name: Create drop-in directory for keycloak.service file: path=/etc/systemd/system/keycloak.service.d state=directory owner=root group=root mode=0755 -- name: get service facts +- name: Get service facts service_facts: -- name: create an admin user when first starting keycloak +- name: Create an admin user when first starting keycloak block: - - name: install admin creation drop-in for keycloak.service + - name: Install admin creation drop-in for keycloak.service copy: src=create-keycloak-admin.conf dest=/etc/systemd/system/keycloak.service.d/ owner=root group=root mode=0644 - - name: install temporary environment file with admin credentials + - name: Install temporary environment file with admin credentials template: src=admin-user.conf.j2 dest=/etc/keycloak/admin-user.conf owner=root group=root mode=0600 no_log: true - - name: start and enable keycloak + - name: Start and enable keycloak service: name=keycloak enabled=yes daemon_reload=yes state=started - - name: wait for keycloak to initialize + - name: Wait for keycloak to initialize wait_for: port={{ keycloak_port }} always: - - name: remove admin 
credentials once keycloak is running + - name: Remove admin credentials once keycloak is running file: path=/etc/keycloak/admin-user.conf state=absent - - name: remove admin creation drop-in + - name: Remove admin creation drop-in file: path=/etc/systemd/system/keycloak.service.d/create-keycloak-admin.conf state=absent notify: - daemon reload when: ansible_facts.services["keycloak.service"]["state"] != "running" -- name: open firewall hole +- name: Open firewall hole ansible.posix.firewalld: port={{ item }} permanent=true state=enabled immediate=yes when: configure_firewall with_items: @@ -59,7 +59,7 @@ tags: - firewall -- name: create htpasswd for nginx prometheus endpoint +- name: Create htpasswd for nginx prometheus endpoint htpasswd: path: "{{ keycloak_nginx_htpasswd }}" name: "{{ vault_keycloak_nginx_user }}" @@ -68,16 +68,16 @@ group: http mode: 0640 -- name: create ssl cert +- name: Create ssl cert include_role: name: certificate vars: domains: ["{{ keycloak_domain }}"] -- name: make nginx log dir +- name: Make nginx log dir file: path="/var/log/nginx/{{ keycloak_domain }}" state=directory owner=root mode=0755 -- name: set up nginx +- name: Set up nginx template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/keycloak.conf owner=root group=root mode=0644 notify: - reload nginx diff --git a/roles/libvirt/tasks/main.yml b/roles/libvirt/tasks/main.yml index efa37cdbaedd08f9fdd31741c99a5dda9d65c709..2030d061cead1e57a4ebf8699c89e266bca55244 100644 --- a/roles/libvirt/tasks/main.yml +++ b/roles/libvirt/tasks/main.yml 
@@ -1,17 +1,17 @@ --- -- name: remove iptables to solve iptables<->iptables-nft conflict +- name: Remove iptables to solve iptables<->iptables-nft conflict pacman: name=iptables force=yes state=absent -- name: install libvirt and needed optional dependencies +- name: Install libvirt and needed optional dependencies pacman: name=libvirt,qemu-base,dnsmasq,iptables-nft state=present register: result -- name: reload firewalld +- name: Reload firewalld service: name=firewalld state=reloaded when: result.changed -- name: autostart default network on boot +- name: Autostart default network on boot file: src=/etc/libvirt/qemu/networks/default.xml dest=/etc/libvirt/qemu/networks/autostart/default.xml state=link owner=root group=root -- name: start and enable libvirtd +- name: Start and enable libvirtd systemd: name=libvirtd enabled=yes state=started daemon_reload=yes diff --git a/roles/loki/handlers/main.yml b/roles/loki/handlers/main.yml index 2fb42b60cc438cce1651222fc921ababd03a1034..cf54318b82ea1fb229eb6ee3d287805089f001f4 100644 --- a/roles/loki/handlers/main.yml +++ b/roles/loki/handlers/main.yml @@ -1,2 +1,2 @@ -- name: restart loki +- name: Restart loki service: name=loki state=restarted diff --git a/roles/loki/tasks/main.yml b/roles/loki/tasks/main.yml index ed384563b0ac763fa976ef34647c1dca80ffc67a..ceefc8b82aca99750f551946f26eaceea8cacf88 100644 --- a/roles/loki/tasks/main.yml +++ b/roles/loki/tasks/main.yml 
@@ -1,26 +1,26 @@ -- name: install loki and logcli +- name: Install loki and logcli pacman: name=loki,logcli state=present -- name: install loki configuration +- name: Install loki configuration copy: src=loki.yaml dest=/etc/loki/ owner=root group=root mode=0644 notify: restart loki -- name: make nginx log dir +- name: Make nginx log dir file: path=/var/log/nginx/loki state=directory owner=root group=root mode=0755 -- name: set up nginx +- name: Set up nginx template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/logging.conf" owner=root group=root mode=640 notify: reload nginx tags: ['nginx'] -- name: open firewall hole +- name: Open firewall hole ansible.posix.firewalld: service=http zone=wireguard permanent=true state=enabled immediate=yes -- name: create drop-in directory for loki +- name: Create drop-in directory for loki file: path=/etc/systemd/system/loki.service.d state=directory owner=root group=root mode=0755 -- name: install drop-in snippet for loki +- name: Install drop-in snippet for loki copy: src=loki-override.conf dest=/etc/systemd/system/loki.service.d/override.conf owner=root group=root mode=0644 -- name: start and enable loki +- name: Start and enable loki systemd: name=loki.service enabled=yes daemon_reload=yes state=started diff --git a/roles/mailman/handlers/main.yml b/roles/mailman/handlers/main.yml index 833f0b2864f46058da01dd85c68863bb4a3b3cff..61ce4beeaecab854cbafb6f5f6a3bce078e77191 100644 --- a/roles/mailman/handlers/main.yml +++ b/roles/mailman/handlers/main.yml @@ -1,13 +1,13 @@ -- name: restart mailman +- name: Restart mailman service: name=mailman daemon_reload=yes state=restarted -- name: reload mailman +- name: Reload mailman service: name=mailman state=reloaded -- name: reload postfix +- name: Reload postfix service: name=postfix state=reloaded -- name: run postmap +- name: Run postmap command: postmap /etc/postfix/{{ item }} loop: - aliases 
diff --git a/roles/mailman/tasks/main.yml b/roles/mailman/tasks/main.yml index e9818381b8d12cf04010645564448f4164189fa6..7bcc05f581e7d6cf017df9cb29fd3d26213bacf6 100644 --- a/roles/mailman/tasks/main.yml +++ b/roles/mailman/tasks/main.yml @@ -1,34 +1,34 @@ -- name: create ssl cert +- name: Create ssl cert include_role: name: certificate vars: domains: ["{{ lists_domain }}"] -- name: install mailman, uwsgi-plugin-cgi and postfx +- name: Install mailman, uwsgi-plugin-cgi and postfx pacman: name=mailman,uwsgi-plugin-cgi,postfix,postfix-pcre state=present -- name: install mailman configuration +- name: Install mailman configuration template: src=mm_cfg.py.j2 dest=/etc/mailman/mm_cfg.py follow=yes owner=root group=root mode=0644 notify: reload mailman -- name: install postfix configuration +- name: Install postfix configuration template: src=main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root mode=0644 notify: reload postfix -- name: install postfix maps +- name: Install postfix maps copy: src={{ item }} dest=/etc/postfix/ owner=root group=root mode=0644 loop: - aliases - milter_header_checks notify: run postmap -- name: install postfix templated maps +- name: Install postfix templated maps template: src={{ item }}.j2 dest=/etc/postfix/{{ item }} owner=root group=root mode=0644 loop: - transport notify: run postmap -- name: open firewall holes for postfix +- name: Open firewall holes for postfix ansible.posix.firewalld: service=smtp zone={{ item }} permanent=true state=enabled immediate=yes loop: - 
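Review bot: The rewritten name still reads `Install mailman, uwsgi-plugin-cgi and postfx`; since the commit is changing exactly this line, `- name: Install mailman, uwsgi-plugin-cgi and postfix` fixes the typo at no extra cost. The last loop item of `Open firewall holes for postfix` is cut off at the end of the hunk, so the zone list cannot be checked here.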
@@ -37,37 +37,37 @@
 tags:
 - firewall
-- name: create mailman list
+- name: Create mailman list
 command: /usr/lib/mailman/bin/newlist -a mailman root@{{ lists_domain }} meG0n5Wq6dEWCA6s
 args:
 creates: /var/lib/mailman/lists/mailman
-- name: configure mailman uwsgi service
+- name: Configure mailman uwsgi service
 copy: src=mailman.ini dest=/etc/uwsgi/vassals/ owner=mailman group=http mode=0644
-- name: make nginx log dir
+- name: Make nginx log dir
 file: path=/var/log/nginx/{{ lists_domain }} state=directory owner=root group=root mode=0755
-- name: install nginx mailman2->mailman3 redirect map
+- name: Install nginx mailman2->mailman3 redirect map
 copy: src=migrated-lists.map dest=/etc/nginx/maps/ owner=root group=root mode=0644
 notify: reload nginx
-- name: set up nginx
+- name: Set up nginx
 template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/mailman.conf" owner=root group=root mode=644
 notify: reload nginx
 tags: ['nginx']
-- name: start and enable postfix
+- name: Start and enable postfix
 systemd: name=postfix.service enabled=yes daemon_reload=yes state=started
-- name: create drop-in directory for mailman.service
+- name: Create drop-in directory for mailman.service
 file: path=/etc/systemd/system/mailman.service.d state=directory owner=root group=root mode=0755
-- name: install drop-in for mailman.service
+- name: Install drop-in for mailman.service
 copy: src=override.conf dest=/etc/systemd/system/mailman.service.d/ owner=root group=root mode=0644
 notify: restart mailman
-- name: start and enable mailman{.service,-*.timer}
+- name: Start and enable mailman{.service,-*.timer}
 systemd: name={{ item }} enabled=yes daemon_reload=yes state=started
 loop:
 - mailman.service
diff --git a/roles/mailman3/handlers/main.yml b/roles/mailman3/handlers/main.yml
index 3f47d424f8cdae4a781123bee768f963c4484902..f56cbaed77256cec68abf6a2e993dd14a85afab7 100644
--- a/roles/mailman3/handlers/main.yml
+++ b/roles/mailman3/handlers/main.yml
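Review bot: The `newlist` task in this hunk still carries a literal list-admin password as the last argument of `command: /usr/lib/mailman/bin/newlist -a mailman root@{{ lists_domain }} ...`, so the secret lives in git history and in the task's logged argv instead of in the vault like the other credentials in this role. Move it to a vault variable and silence the task, e.g. `command: /usr/lib/mailman/bin/newlist -a mailman root@{{ lists_domain }} "{{ vault_mailman_list_admin_password }}"` with `no_log: true` (the variable name is a placeholder), and rotate the committed value since it is already public. The `creates:` guard means hosts where the list already exists are not affected by the change.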
@@ -1,5 +1,5 @@
-- name: reload mailman
+- name: Reload mailman
 service: name=mailman3 state=reloaded
-- name: restart mailman-web
+- name: Restart mailman-web
 service: name=uwsgi@mailman\\x2dweb.service state=restarted
diff --git a/roles/mailman3/tasks/main.yml b/roles/mailman3/tasks/main.yml
index 35986e225085019f4ee024ff7f9b08f9a124c3b8..0b3ee53cf99e6d7a781a060cce9b10c532d98044 100644
--- a/roles/mailman3/tasks/main.yml
+++ b/roles/mailman3/tasks/main.yml
@@ -1,8 +1,8 @@
-- name: install mailman3 and related packages
+- name: Install mailman3 and related packages
 pacman: name=mailman3,mailman3-hyperkitty,python-psycopg2,mailman-web,uwsgi-plugin-python state=present
 register: install
-- name: install {mailman,mailman-web} configuration
+- name: Install {mailman,mailman-web} configuration
 template: src={{ item.src }} dest={{ item.dest }} owner=root group={{ item.group }} mode=0640
 loop:
 - {src: mailman.cfg.j2, dest: /etc/mailman.cfg, group: mailman}
@@ -13,19 +13,19 @@
 - reload mailman
 - restart mailman-web
-- name: install mailman postfix.cfg configuration
+- name: Install mailman postfix.cfg configuration
 copy: src=postfix.cfg dest=/etc/postfix.cfg owner=root group=root mode=0644
 notify: reload mailman
-- name: make nginx log dir
+- name: Make nginx log dir
 file: path=/var/log/nginx/{{ lists_domain }} state=directory owner=root group=root mode=0755
-- name: set up nginx
+- name: Set up nginx
 template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/mailman.conf" owner=root group=root mode=644
 notify: reload nginx
 tags: ['nginx']
-- name: create postgres {mailman,mailman-web} user
+- name: Create postgres {mailman,mailman-web} user
 postgresql_user: name={{ item.username }} password={{ item.password }}
 loop:
 - {username: "{{ vault_mailman_db_user }}", password: "{{ vault_mailman_db_password }}"}
@@ -35,7 +35,7 @@
 become_method: su
 no_log: true
-- name: create {mailman,mailman-web} db
+- name: Create {mailman,mailman-web} db
 postgresql_db: name={{ item.db }} owner={{ item.owner }}
 loop:
 - {db: mailman, owner: "{{ vault_mailman_db_user }}"}
@@ -44,7 +44,7 @@
 become_user: postgres
 become_method: su
-- name: run Django management tasks
+- name: Run Django management tasks
 command: django-admin {{ item }} --pythonpath /etc/webapps/mailman-web --settings settings
 loop:
 - migrate
@@ -55,13 +55,13 @@
 become_user: mailman-web
 when: install.changed
-- name: open LMTP ipv4 port for lists.archlinux.org
+- name: Open LMTP ipv4 port for lists.archlinux.org
 ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes rich_rule="rule family=ipv4 source address={{ hostvars['lists.archlinux.org']['wireguard_address'] }} port protocol=tcp port=8024 accept"
 tags:
 - firewall
-- name: start and enable mailman{.service,-*.timer}
+- name: Start and enable mailman{.service,-*.timer}
 systemd: name={{ item }} enabled=yes daemon_reload=yes state=started
 loop:
 - mailman3.service
diff --git a/roles/maintenance/tasks/main.yml b/roles/maintenance/tasks/main.yml
index 6122d1c88ef20c2c6e1d573e6e56b3798e0dbba2..74d8baf2d87a7da044403c7c085c335f8d73a95e 100644
--- a/roles/maintenance/tasks/main.yml
+++ b/roles/maintenance/tasks/main.yml
@@ -1,14 +1,14 @@
-- name: create the maintenance logs dir
+- name: Create the maintenance logs dir
 file: path={{ maintenance_logs_dir }} state=directory owner=root group=root mode=0755
-- name: create the maintenance http dir
+- name: Create the maintenance http dir
 file: path={{ maintenance_http_dir }} state=directory owner=root group=root mode=0755
-- name: create the service http root dir
+- name: Create the service http root dir
 file: path={{ maintenance_http_dir }}/{{ service_domain }} state=directory owner=root group=root mode=0755
 when: maintenance is defined and maintenance|bool
-- name: set up nginx maintenance mode
+- name: Set up nginx maintenance mode
 template:
 src: nginx-maintenance.conf.j2
 dest: "{{ service_nginx_conf }}"
@@ -18,7 +18,7 @@
 notify: reload nginx
 when: service_nginx_template is not defined and maintenance is defined and maintenance|bool
-- name: set up custom nginx maintenance mode
+- name: Set up custom nginx maintenance mode
 template:
 src: "{{ service_nginx_template }}"
 dest: "{{ service_nginx_conf }}"
@@ -28,7 +28,7 @@
 notify: reload nginx
 when: service_nginx_template is defined and maintenance is defined and maintenance|bool
-- name: create the 503 html file
+- name: Create the 503 html file
 template:
 src: 503.html.j2
 dest: "{{ maintenance_http_dir }}/{{ service_domain }}/503.html"
@@ -37,5 +37,5 @@
 mode: 0644
 when: maintenance is defined and maintenance|bool
-- name: force reload nginx
+- name: Force reload nginx
 meta: flush_handlers
diff --git a/roles/mariadb/handlers/main.yml b/roles/mariadb/handlers/main.yml
index 94432d1a581c2a10d806b1f0dcbbb123e9be89f7..7e1f1247b15c86ab0b3b5e24c9c1e301919af012 100644
--- a/roles/mariadb/handlers/main.yml
+++ b/roles/mariadb/handlers/main.yml
@@ -1,2 +1,2 @@
-- name: restart mariadb
+- name: Restart mariadb
 service: name=mariadb state=restarted
diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml
index afed3dbc0e93b978b99da8277e62e38b5eeed477..bee006d450af71ebc24c153cd4cff99e25584613 100644
--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml
@@ -1,32 +1,32 @@
-- name: install mariadb
+- name: Install mariadb
 pacman: name=mariadb,python-mysqlclient state=present
-- name: initialize mariadb
+- name: Initialize mariadb
 command: mysql_install_db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
 args:
 creates: /var/lib/mysql/mysql
-- name: configure mariadb
+- name: Configure mariadb
 template: src=server.cnf.j2 dest=/etc/my.cnf.d/server.cnf owner=root group=root mode=0644
 notify:
 - restart mariadb
-- name: start and enable the service
+- name: Start and enable the service
 service: name=mariadb state=started enabled=yes
-- name: delete anonymous users
+- name: Delete anonymous users
 mysql_user: user='' host_all=yes state='absent'
-- name: disallow remote root login
+- name: Disallow remote root login
 command: 'mysql -NBe "{{ item }}"'
 with_items:
 - DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')
 changed_when: false
-- name: drop test database
+- name: Drop test database
 mysql_db: db=test state=absent
-- name: set root password
+- name: Set root password
 mysql_user: user=root host={{ item }} password={{ vault_mariadb_users.root }}
 with_items:
 - '127.0.0.1'
@@ -34,6 +34,6 @@
 - 'localhost'
 no_log: true
-- name: create client configuration for root
+- name: Create client configuration for root
 template: src=client.cnf.j2 dest=/root/.my.cnf owner=root group=root mode=0644
 no_log: true
diff --git a/roles/matrix/handlers/main.yml b/roles/matrix/handlers/main.yml
index aac7600071fb62c7c2a30be1b649a469736952cf..cbc21e9101166c608f036245ef7de0302c9c3be9 100644
--- a/roles/matrix/handlers/main.yml
+++ b/roles/matrix/handlers/main.yml
@@ -1,32 +1,32 @@
-- name: restart synapse
+- name: Restart synapse
 systemd:
 name: synapse
 state: restarted
 enabled: true
 daemon_reload: true
-- name: restart pantalaimon
+- name: Restart pantalaimon
 systemd:
 name: pantalaimon
 state: restarted
 enabled: true
 daemon_reload: true
-- name: restart mjolnir
+- name: Restart mjolnir
 systemd:
 name: mjolnir
 state: restarted
 enabled: true
 daemon_reload: true
-- name: restart matrix-appservice-irc
+- name: Restart matrix-appservice-irc
 systemd:
 name: matrix-appservice-irc
 state: restarted
 enabled: true
 daemon_reload: true
-- name: restart turnserver
+- name: Restart turnserver
 systemd:
 name: turnserver
 state: restarted
diff --git a/roles/matrix/tasks/main.yml b/roles/matrix/tasks/main.yml
index 32fea8048d0cee1dc5db788d3ad5bb758e43c3a1..0f8481a068913a5f275442a7334268e9baf377cc 100644
--- a/roles/matrix/tasks/main.yml
+++ b/roles/matrix/tasks/main.yml
@@ -1,11 +1,11 @@
-- name: create ssl cert
+- name: Create ssl cert
 include_role:
 name: certificate
 vars:
 domains: ["{{ matrix_domain }}"]
 when: 'matrix_domain is defined'
-- name: install packages
+- name: Install packages
 pacman:
 name:
 - coturn
@@ -32,13 +32,13 @@
 - yarn
 - zlib
-- name: add synapse group
+- name: Add synapse group
 group: name=synapse system=yes gid=198
-- name: add synapse user
+- name: Add synapse user
 user: name=synapse system=yes uid=198 group=synapse home=/var/lib/synapse shell=/bin/false createhome=no
-- name: create synapse home
+- name: Create synapse home
 file: path={{ item }} state=directory owner=synapse group=synapse mode=0700
 with_items:
 - /var/lib/synapse
@@ -46,7 +46,7 @@
 - /var/lib/synapse/mjolnir-data
 - /var/lib/synapse/pantalaimon-data
-- name: make virtualenvs
+- name: Make virtualenvs
 command: 'python -m venv {{ item }}'
 args:
 creates: '{{ item }}/bin/python'
@@ -57,7 +57,7 @@
 - /var/lib/synapse/venv
 - /var/lib/synapse/venv-pantalaimon
-- name: update virtualenvs
+- name: Update virtualenvs
 pip:
 name:
 - pip
@@ -72,7 +72,7 @@
 - /var/lib/synapse/venv
 - /var/lib/synapse/venv-pantalaimon
-- name: install synapse
+- name: Install synapse
 pip:
 name:
 - 'matrix-synapse[postgres,systemd,url_preview,redis,oidc]==1.65.0'
@@ -86,7 +86,7 @@
 notify:
 - restart synapse
-- name: install pantalaimon
+- name: Install pantalaimon
 pip:
 name:
 - 'pantalaimon==0.10.4'
@@ -99,7 +99,7 @@
 notify:
 - restart pantalaimon
-- name: download mjolnir
+- name: Download mjolnir
 git:
 repo: https://github.com/matrix-org/mjolnir
 dest: /var/lib/synapse/mjolnir
@@ -112,7 +112,7 @@
 notify:
 - restart mjolnir
-- name: install mjolnir
+- name: Install mjolnir
 community.general.yarn:
 path: /var/lib/synapse/mjolnir
 become: true
@@ -120,7 +120,7 @@
 become_method: sudo
 when: mjolnir_git.changed
-- name: build mjolnir
+- name: Build mjolnir
 command: yarn build
 args:
 chdir: /var/lib/synapse/mjolnir
@@ -129,7 +129,7 @@
 become_method: sudo
 when: mjolnir_git.changed
-- name: install mjolnir antispam module
+- name: Install mjolnir antispam module
 pip:
 name:
 - /var/lib/synapse/mjolnir/synapse_antispam
@@ -142,7 +142,7 @@
 notify:
 - restart synapse
-- name: download matrix-appservice-irc
+- name: Download matrix-appservice-irc
 git:
 repo: https://github.com/matrix-org/matrix-appservice-irc
 dest: /var/lib/synapse/matrix-appservice-irc
@@ -155,7 +155,7 @@
 notify:
 - restart matrix-appservice-irc
-- name: install matrix-appservice-irc
+- name: Install matrix-appservice-irc
 community.general.npm:
 path: /var/lib/synapse/matrix-appservice-irc
 ci: true
@@ -164,41 +164,41 @@
 become_method: sudo
 when: irc_git.changed
-- name: install pg_hba.conf
+- name: Install pg_hba.conf
 copy: src=pg_hba.conf dest=/var/lib/postgres/data/pg_hba.conf owner=postgres group=postgres mode=0600
 notify:
 - restart postgres
-- name: add synapse postgres db
+- name: Add synapse postgres db
 postgresql_db: db=synapse lc_collate=C lc_ctype=C template=template0
 become: true
 become_user: postgres
 become_method: su
-- name: add synapse postgres user
+- name: Add synapse postgres user
 postgresql_user: db=synapse user=synapse password={{ vault_postgres_users.synapse }}
 become: true
 become_user: postgres
 become_method: su
-- name: add irc postgres db
+- name: Add irc postgres db
 postgresql_db: db=irc
 become: true
 become_user: postgres
 become_method: su
-- name: create synapse config dir
+- name: Create synapse config dir
 file: path={{ item }} state=directory owner=root group=synapse mode=0750
 with_items:
 - /etc/synapse
 - /etc/synapse/mjolnir
-- name: install homeserver config
+- name: Install homeserver config
 template: src=homeserver.yaml.j2 dest=/etc/synapse/homeserver.yaml owner=root group=synapse mode=0640
 notify:
 - restart synapse
-- name: install static config
+- name: Install static config
 copy: src={{ item }} dest=/etc/synapse/{{ item }} owner=root group=root mode=0644
 with_items:
 - log_config.yaml
@@ -209,27 +209,27 @@
 notify:
 - restart synapse
-- name: install pantalaimon config
+- name: Install pantalaimon config
 template: src=pantalaimon.conf.j2 dest=/etc/synapse/pantalaimon.conf owner=root group=synapse mode=0644
 notify:
 - restart pantalaimon
-- name: install mjolnir config
+- name: Install mjolnir config
 template: src=mjolnir.yaml.j2 dest=/etc/synapse/mjolnir/production.yaml owner=root group=synapse mode=0640
 notify:
 - restart mjolnir
-- name: install irc-bridge config
+- name: Install irc-bridge config
 template: src=irc-bridge.yaml.j2 dest=/etc/synapse/irc-bridge.yaml owner=root group=synapse mode=0640
 notify:
 - restart matrix-appservice-irc
-- name: install irc-bridge registration
+- name: Install irc-bridge registration
 template: src=appservice-registration-irc.yaml.j2 dest=/etc/synapse/appservice-registration-irc.yaml owner=root group=synapse mode=0640
 notify:
 - restart synapse
-- name: install signing key
+- name: Install signing key
 copy:
 content: '{{ vault_matrix_secrets.signing_key }}'
 dest: /etc/synapse/{{ matrix_server_name }}.signing.key
@@ -237,7 +237,7 @@
 group: synapse
 mode: 0640
-- name: install ircpass key
+- name: Install ircpass key
 copy:
 content: '{{ vault_matrix_secrets.ircpass_key }}'
 dest: /etc/synapse/{{ matrix_server_name }}.ircpass.key
@@ -245,25 +245,25 @@
 group: synapse
 mode: 0640
-- name: make nginx log dir
+- name: Make nginx log dir
 file: path=/var/log/nginx/{{ matrix_domain }} state=directory owner=root group=root mode=0755
-- name: set up nginx
+- name: Set up nginx
 template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/matrix.conf owner=root group=root mode=0640
 notify:
 - reload nginx
 when: 'matrix_domain is defined'
 tags: ['nginx']
-- name: install turnserver.conf
+- name: Install turnserver.conf
 template: src=turnserver.conf.j2 dest=/etc/turnserver/turnserver.conf owner=turnserver group=turnserver mode=0600
 notify:
 - restart turnserver
-- name: install turnserver cert renewal hook
+- name: Install turnserver cert renewal hook
 copy: src=letsencrypt.hook.d dest=/etc/letsencrypt/hook.d/turnserver owner=root group=root mode=0755
-- name: install synapse units
+- name: Install synapse units
 copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
 with_items:
 - synapse.service
@@ -271,28 +271,28 @@
 notify:
 - restart synapse
-- name: install pantalaimon units
+- name: Install pantalaimon units
 copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
 with_items:
 - pantalaimon.service
 notify:
 - restart pantalaimon
-- name: install mjolnir units
+- name: Install mjolnir units
 copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
 with_items:
 - mjolnir.service
 notify:
 - restart mjolnir
-- name: install matrix-appservice-irc units
+- name: Install matrix-appservice-irc units
 copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
 with_items:
 - matrix-appservice-irc.service
 notify:
 - restart matrix-appservice-irc
-- name: enable synapse units
+- name: Enable synapse units
 service: name={{ item }} enabled=yes
 with_items:
 - synapse.service
@@ -303,35 +303,35 @@
 notify:
 - restart synapse
-- name: enable pantalaimon units
+- name: Enable pantalaimon units
 service: name={{ item }} enabled=yes
 with_items:
 - pantalaimon.service
 notify:
 - restart pantalaimon
-- name: enable mjolnir units
+- name: Enable mjolnir units
 service: name={{ item }} enabled=yes
 with_items:
 - mjolnir.service
 notify:
 - restart mjolnir
-- name: enable matrix-appservice-irc units
+- name: Enable matrix-appservice-irc units
 service: name={{ item }} enabled=yes
 with_items:
 - matrix-appservice-irc.service
 notify:
 - restart matrix-appservice-irc
-- name: enable turnserver units
+- name: Enable turnserver units
 service: name={{ item }} enabled=yes
 with_items:
 - turnserver.service
 notify:
 - restart turnserver
-- name: open firewall holes
+- name: Open firewall holes
 ansible.posix.firewalld: port={{ item }} permanent=true state=enabled immediate=yes
 with_items:
 # synapse's identd
diff --git a/roles/memcached/tasks/main.yml b/roles/memcached/tasks/main.yml
index 5665f60f3efa096479b7599f26995fb5a764a741..dcfab36b12fe9f0d8cd9cad134591f0003f9530e 100644
--- a/roles/memcached/tasks/main.yml
+++ b/roles/memcached/tasks/main.yml
@@ -1,10 +1,10 @@
-- name: install memcached
+- name: Install memcached
 pacman: name=memcached state=present
-- name: put memcached.conf into tmpfiles
+- name: Put memcached.conf into tmpfiles
 template: src=memcached-tmpfiles.d.j2 dest=/etc/tmpfiles.d/memcached.conf owner=root group=root mode=0644
 register: memcachedtmpfiles
-- name: use tmpfiles.d/memcached.conf
+- name: Use tmpfiles.d/memcached.conf
 command: systemd-tmpfiles --create
 when: memcachedtmpfiles.changed
diff --git a/roles/mta_sts/tasks/main.yml b/roles/mta_sts/tasks/main.yml
index 6da983042adc5ab197c3ab80afbc2e05cf05a410..cd0788a3ea842a76f82e7d180f65a044a5f46c6d 100644
--- a/roles/mta_sts/tasks/main.yml
+++ b/roles/mta_sts/tasks/main.yml
@@ -1,15 +1,15 @@
-- name: create ssl cert
+- name: Create ssl cert
 include_role:
 name: certificate
 vars:
 domains: "{{ ['mta-sts.'] | product(item.domains) | map('join') }}"
 loop: "{{ mta_sts }}"
-- name: make nginx log dir
+- name: Make nginx log dir
 file: path=/var/log/nginx/{{ "mta-sts." + item.domains | first }} state=directory owner=root group=root mode=0755
 loop: "{{ mta_sts }}"
-- name: set up nginx
+- name: Set up nginx
 template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/mta-sts.conf" owner=root group=root mode=644
 notify: reload nginx
 tags: ['nginx']
diff --git a/roles/networking/handlers/main.yml b/roles/networking/handlers/main.yml
index 5a7efe1410103f2bb58b3ad341673b7623c0bca4..c622aec0dba429daf95cb46e24b7958da0a98e28 100644
--- a/roles/networking/handlers/main.yml
+++ b/roles/networking/handlers/main.yml
@@ -1,4 +1,4 @@
-- name: restart networkd
+- name: Restart networkd
 systemd:
 name: systemd-networkd
 state: restarted
diff --git a/roles/networking/tasks/main.yml b/roles/networking/tasks/main.yml
index d238f17ef60b84cf3dccfd6847d93e8db378955a..6ab1d933b8a6d203fdc0452c92b91597685f7e78 100644
--- a/roles/networking/tasks/main.yml
+++ b/roles/networking/tasks/main.yml
@@ -1,49 +1,49 @@
-- name: configure network (static)
+- name: Configure network (static)
 block:
- - name: install 10-static-ethernet.network
+ - name: Install 10-static-ethernet.network
 template: src=10-static-ethernet.network.j2 dest={{ chroot_path }}/etc/systemd/network/10-static-ethernet.network owner=root group=root mode=0644
 notify:
 - restart networkd
- - name: create drop-in directory for 10-static-ethernet.network
+ - name: Create drop-in directory for 10-static-ethernet.network
 file: path={{ chroot_path }}/etc/systemd/network/10-static-ethernet.network.d state=directory owner=root group=root mode=0755
- - name: configure static dns (static)
+ - name: Configure static dns (static)
 copy: src=dns.conf dest={{ chroot_path }}/etc/systemd/network/10-static-ethernet.network.d/dns.conf owner=root group=root mode=0644
 notify:
 - restart networkd
 when: static_dns|default(true)
 when: not dhcp|default(false)
-- name: configure network (dhcp)
+- name: Configure network (dhcp)
 block:
- - name: install 10-dhcp-ethernet.network
+ - name: Install 10-dhcp-ethernet.network
 template: src=10-dhcp-ethernet.network.j2 dest={{ chroot_path }}/etc/systemd/network/10-dhcp-ethernet.network owner=root group=root mode=0644
 notify:
 - restart networkd
- - name: create drop-in directory for 10-dhcp-ethernet.network
+ - name: Create drop-in directory for 10-dhcp-ethernet.network
 file: path={{ chroot_path }}/etc/systemd/network/10-dhcp-ethernet.network.d state=directory owner=root group=root mode=0755
- - name: configure static dns (dhcp)
+ - name: Configure static dns (dhcp)
 copy: src=dns.conf dest={{ chroot_path }}/etc/systemd/network/10-dhcp-ethernet.network.d/dns.conf owner=root group=root mode=0644
 notify:
 - restart networkd
 when: static_dns|default(false)
 when: dhcp|default(false)
-- name: create symlink to resolv.conf
+- name: Create symlink to resolv.conf
 file: src=/run/systemd/resolve/stub-resolv.conf dest={{ chroot_path }}/etc/resolv.conf state=link force=yes follow=no owner=root group=root
-- name: install hcloud-init
+- name: Install hcloud-init
 copy: src=hcloud-init dest={{ chroot_path }}/usr/local/bin/hcloud-init owner=root group=root mode=0755
 when: "'hcloud' in group_names or inventory_hostname == 'packer-base-image'"
-- name: install hcloud-init.service
+- name: Install hcloud-init.service
 copy: src=hcloud-init.service dest={{ chroot_path }}/etc/systemd/system/hcloud-init.service owner=root group=root mode=0644
 when: "'hcloud' in group_names or inventory_hostname == 'packer-base-image'"
-- name: enable hcloud-init inside chroot
+- name: Enable hcloud-init inside chroot
 command: chroot {{ chroot_path }} systemctl enable hcloud-init
 register: chroot_systemd_services
 changed_when: "chroot_systemd_services.rc == 0"
@@ -51,16 +51,16 @@
 - chroot_path | length != 0
 - "'hcloud' in group_names or inventory_hostname == 'packer-base-image'"
-- name: start and enable hcloud-init
+- name: Start and enable hcloud-init
 service: name=hcloud-init daemon_reload=yes state=started enabled=yes
 when:
 - chroot_path | length == 0
 - "'hcloud' in group_names or inventory_hostname == 'packer-base-image'"
-- name: start and enable networkd
+- name: Start and enable networkd
 service: name=systemd-networkd state=started enabled=yes
 when: chroot_path | length == 0
-- name: start and enable resolved
+- name: Start and enable resolved
 service: name=systemd-resolved state=started enabled=yes
 when: chroot_path | length == 0
diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml
index 816ad436e1aa052e1f8d162e16b0afe236d578ad..43c16d1703597e012b0ea7ba5404e139309d45cd 100644
--- a/roles/nginx/handlers/main.yml
+++ b/roles/nginx/handlers/main.yml
@@ -1,2 +1,2 @@
-- name: reload nginx
+- name: Reload nginx
 service: name=nginx state=reloaded
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 442a528f3f53a303da3c48f6570610cded6032b9..c93ddac3dd008282f9d1626ec3e4e0ce4b0c141d 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -1,21 +1,21 @@
-- name: install nginx
+- name: Install nginx
 pacman: name=nginx,nginx-mod-brotli state=present
-- name: install nginx.service snippet
+- name: Install nginx.service snippet
 copy: src=nginx.service.d dest=/etc/systemd/system owner=root group=root mode=0644
-- name: configure nginx
+- name: Configure nginx
 template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf owner=root group=root mode=0644
 notify:
 - reload nginx
-- name: snippets directories
+- name: Snippets directories
 file: state=directory path=/etc/nginx/{{ item }} owner=root group=root mode=0755
 with_items:
 - toplevel-snippets
 - snippets
-- name: copy snippets
+- name: Copy snippets
 template: src={{ item }} dest=/etc/nginx/snippets owner=root group=root mode=0644
 with_items:
 - letsencrypt.conf
@@ -23,41 +23,41 @@
 notify:
 - reload nginx
-- name: install cert renewal hook
+- name: Install cert renewal hook
 template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/hook.d/nginx owner=root group=root mode=0755
 when: "'certbot' in ansible_play_role_names"
-- name: create nginx.d directory
+- name: Create nginx.d directory
 file: state=directory path=/etc/nginx/nginx.d owner=root group=root mode=0755
-- name: create auth directory
+- name: Create auth directory
 file: state=directory path=/etc/nginx/auth owner=root group=root mode=0755
-- name: create maps directory
+- name: Create maps directory
 file: state=directory path=/etc/nginx/maps owner=root group=root mode=0755
-- name: create default nginx log directory
+- name: Create default nginx log directory
 file: state=directory path=/var/log/nginx/default owner=root group=root mode=0755
-- name: create unique DH group
+- name: Create unique DH group
 command: openssl dhparam -out /etc/ssl/dhparams.pem 2048 creates=/etc/ssl/dhparams.pem
-- name: create directory to store validation stuff in
+- name: Create directory to store validation stuff in
 file: owner=root group=http mode=0750 path={{ letsencrypt_validation_dir }} state=directory
-- name: install logrotate config
+- name: Install logrotate config
 copy: src=logrotate.conf dest=/etc/logrotate.d/nginx-ansible owner=root group=root mode=0644
-- name: install inventory_hostname vhost
+- name: Install inventory_hostname vhost
 template: src=nginx-hostname-vhost.conf.j2 dest=/etc/nginx/nginx.d/nginx-hostname-vhost.conf owner=root group=root mode=0644
 notify:
 - reload nginx
 tags: ['nginx']
-- name: enable nginx
+- name: Enable nginx
 service: name=nginx enabled=yes
-- name: open firewall holes
+- name: Open firewall holes
 ansible.posix.firewalld: service={{ item }} zone={{ nginx_firewall_zone }} permanent=true state=enabled immediate=yes
 with_items:
 - http
diff --git a/roles/patchwork/handlers/main.yml b/roles/patchwork/handlers/main.yml
index 5348bff90ab2f019552c2768a0d3537c808a597f..fa1c21bb0d3659dfd953f9f44d4e5173f32e674e 100644
--- a/roles/patchwork/handlers/main.yml
+++ b/roles/patchwork/handlers/main.yml
@@ -1,6 +1,6 @@
-- name: daemon reload
+- name: Daemon reload
 systemd:
 daemon-reload: true
-- name: restart patchwork memcached
+- name: Restart patchwork memcached
 service: name=patchwork-memcached state=restarted
diff --git a/roles/patchwork/tasks/main.yml b/roles/patchwork/tasks/main.yml
index 6ff0f141402dbfb7a59c9d37dc7ba4c79608191e..b991571bf628a025116bc6a25ab8b2cf07248db2 100644
--- a/roles/patchwork/tasks/main.yml
+++ b/roles/patchwork/tasks/main.yml
@@ -1,4 +1,4 @@
-- name: run maintenance mode
+- name: Run maintenance mode
 include_role:
 name: maintenance
 vars:
@@ -8,129 +8,129 @@ service_nginx_conf: "{{ patchwork_nginx_conf }}" when: maintenance is defined -- name: install packages +- name: Install packages pacman: name=gcc,git,python,python-psycopg2,sudo,uwsgi-plugin-python,python-pip state=present -- name: make patchwork user +- name: Make patchwork user user: name=patchwork shell=/bin/false home="{{ patchwork_dir }}" createhome=no -- name: fix home permissions +- name: Fix home permissions file: state=directory owner=patchwork group=patchwork mode=0755 path="{{ patchwork_dir }}" -- name: set patchwork groups +- name: Set patchwork groups user: name=patchwork groups=uwsgi -- name: create ssl cert +- name: Create ssl cert include_role: name: certificate vars: domains: ["{{ patchwork_domain }}"] -- name: set up nginx +- name: Set up nginx template: src=nginx.d.conf.j2 dest="{{ patchwork_nginx_conf }}" owner=root group=root mode=644 notify: - reload nginx when: maintenance is not defined tags: ['nginx'] -- name: make nginx log dir +- name: Make nginx log dir file: path=/var/log/nginx/{{ patchwork_domain }} state=directory owner=root group=root mode=0755 -- name: clone patchwork repo +- name: Clone patchwork repo git: repo=https://github.com/getpatchwork/patchwork.git dest="{{ patchwork_dir }}" version="{{ patchwork_version }}" become: true become_user: patchwork register: release -- name: make virtualenv +- name: Make virtualenv command: python -m venv "{{ patchwork_dir }}"/env creates="{{ patchwork_dir }}/env/bin/python" become: true become_user: patchwork -- name: install from requirements into virtualenv +- name: Install from requirements into virtualenv pip: requirements="{{ patchwork_dir }}/requirements-prod.txt" virtualenv="{{ patchwork_dir }}/env" extra_args="--no-binary :all:" become: true become_user: patchwork register: virtualenv -- name: fix home permissions +- name: Fix home permissions file: state=directory owner=patchwork group=patchwork mode=0755 path="{{ patchwork_dir }}" -- name: configure patchwork +- 
name: Configure patchwork template: src=production.py.j2 dest="{{ patchwork_dir }}/patchwork/settings/production.py" owner=patchwork group=patchwork mode=0660 register: config no_log: true -- name: create patchwork db users +- name: Create patchwork db users postgresql_user: name={{ item.user }} password={{ item.password }} login_host="{{ patchwork_db_host }}" login_password="{{ vault_postgres_users.postgres }}" encrypted=yes no_log: true with_items: - { user: "{{ patchwork_db_user }}", password: "{{ vault_patchwork_db_password }}" } - { user: "{{ patchwork_db_backup_user }}", password: "{{ vault_patchwork_db_backup_password }}" } -- name: create patchwork db +- name: Create patchwork db postgresql_db: name="{{ patchwork_db }}" login_host="{{ patchwork_db_host }}" login_password="{{ vault_postgres_users.postgres }}" owner="{{ patchwork_db_user }}" register: db_created -- name: django migrate +- name: Django migrate django_manage: app_path="{{ patchwork_dir }}" command=migrate virtualenv="{{ patchwork_dir }}/env" become: true become_user: patchwork when: (db_created.changed or release.changed or config.changed or virtualenv.changed or patchwork_forced_deploy) -- name: db privileges for patchwork users +- name: DB privileges for patchwork users postgresql_privs: database="{{ patchwork_db }}" host="{{ patchwork_db_host }}" login="{{ patchwork_db_user }}" password="{{ vault_patchwork_db_password }}" privs=CONNECT roles="{{ item }}" type=database with_items: - "{{ patchwork_db_backup_user }}" -- name: table privileges for patchwork users +- name: Table privileges for patchwork users postgresql_privs: database="{{ patchwork_db }}" host="{{ patchwork_db_host }}" login="{{ patchwork_db_user }}" password="{{ vault_patchwork_db_password }}" privs=SELECT roles="{{ item.user }}" type=table objs="{{ item.objs }}" with_items: - { user: "{{ patchwork_db_backup_user }}", objs: "{{ patchwork_db_backup_table_objs }}" } -- name: sequence privileges for patchwork users +- name: 
Sequence privileges for patchwork users postgresql_privs: database="{{ patchwork_db }}" host="{{ patchwork_db_host }}" login="{{ patchwork_db_user }}" password="{{ vault_patchwork_db_password }}" privs=SELECT roles="{{ item.user }}" type=sequence objs="{{ item.objs }}" with_items: - { user: "{{ patchwork_db_backup_user }}", objs: "{{ patchwork_db_backup_sequence_objs }}" } -- name: django collectstatic +- name: Django collectstatic django_manage: app_path="{{ patchwork_dir }}" command=collectstatic virtualenv="{{ patchwork_dir }}/env" become: true become_user: patchwork when: (db_created.changed or release.changed or config.changed or virtualenv.changed or patchwork_forced_deploy) -- name: install patchwork parsemail script +- name: Install patchwork parsemail script template: src="patchwork-parsemail-wrapper.sh.j2" dest="/usr/local/bin/patchwork-parsemail-wrapper.sh" owner=root group=root mode=0755 -- name: install sudoer rights for fetchmail to call patchwork +- name: Install sudoer rights for fetchmail to call patchwork template: src=sudoers-fetchmail-patchwork.j2 dest=/etc/sudoers.d/fetchmail-patchwork owner=root group=root mode=0440 -- name: install patchwork memcached service +- name: Install patchwork memcached service template: src="patchwork-memcached.service.j2" dest="/etc/systemd/system/patchwork-memcached.service" owner=root group=root mode=0644 notify: - daemon reload -- name: install patchwork notification service +- name: Install patchwork notification service template: src="patchwork-notification.service.j2" dest="/etc/systemd/system/patchwork-notification.service" owner=root group=root mode=0644 notify: - daemon reload -- name: install patchwork notification timer +- name: Install patchwork notification timer template: src="patchwork-notification.timer.j2" dest="/etc/systemd/system/patchwork-notification.timer" owner=root group=root mode=0644 notify: - daemon reload -- name: deploy patchwork +- name: Deploy patchwork template: src=patchwork.ini.j2 
dest=/etc/uwsgi/vassals/patchwork.ini owner=patchwork group=http mode=0644 -- name: deploy new release +- name: Deploy new release file: path=/etc/uwsgi/vassals/patchwork.ini state=touch owner=patchwork group=http mode=0644 when: (release.changed or config.changed or virtualenv.changed or patchwork_forced_deploy) -- name: start and enable patchwork memcached service and notification timer +- name: Start and enable patchwork memcached service and notification timer systemd: name: "{{ item }}" enabled: true diff --git a/roles/php7_fpm/handlers/main.yaml b/roles/php7_fpm/handlers/main.yaml index b7dd1329ddc3a1ab0c1adb00e3c6fc5bf0f3ee5d..53c25acb653061ac6585331c532338b68ce70faa 100644 --- a/roles/php7_fpm/handlers/main.yaml +++ b/roles/php7_fpm/handlers/main.yaml @@ -1,3 +1,3 @@ -- name: daemon reload +- name: Daemon reload systemd: daemon-reload: true diff --git a/roles/php7_fpm/tasks/main.yaml b/roles/php7_fpm/tasks/main.yaml index 5428735333ca2918f232883b8326c48245003a80..7b9d55272e2e840b2815d7de8e4eefbdf4b477ec 100644 --- a/roles/php7_fpm/tasks/main.yaml +++ b/roles/php7_fpm/tasks/main.yaml @@ -1,7 +1,7 @@ -- name: install php7-fpm +- name: Install php7-fpm pacman: name=php7-fpm,php7-gd,php7-pgsql state=present -- name: install php7-fpm units +- name: Install php7-fpm units copy: > src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 @@ -10,7 +10,7 @@ - php-fpm7@.service notify: daemon reload -- name: configure default php.ini +- name: Configure default php.ini template: > src=php.ini.j2 dest=/etc/php7/php.ini owner=root group=root mode=0644 diff --git a/roles/php_fpm/handlers/main.yaml b/roles/php_fpm/handlers/main.yaml index b7dd1329ddc3a1ab0c1adb00e3c6fc5bf0f3ee5d..53c25acb653061ac6585331c532338b68ce70faa 100644 --- a/roles/php_fpm/handlers/main.yaml +++ b/roles/php_fpm/handlers/main.yaml @@ -1,3 +1,3 @@ -- name: daemon reload +- name: Daemon reload systemd: daemon-reload: true 
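Review bot: The handler in roles/php7_fpm/handlers/main.yaml is renamed to `Daemon reload`, but the tasks in roles/php7_fpm/tasks/main.yaml in the next hunk still carry `notify: daemon reload`; Ansible matches notify strings to handler names exactly, so once one of those tasks reports changed the play aborts with an unknown-handler error instead of reloading systemd. The same mismatch appears in php_fpm (`daemon reload`), postfix (`reload postfix`, `postmap additional files`, `update aliases db`), postfix_null and postfwd (`reload postfix`, `reload postfwd`), postgres (`restart postgres`), prometheus (`reload prometheus`), prometheus_exporters (`reload blackbox exporter`), promtail (`restart promtail`) and quassel (`Daemon reload`, whose task file is not in view). Every `notify` value should be updated in the same commit, e.g. `notify: Daemon reload` and `notify: - Reload postfix`, or each renamed handler given a `listen:` entry with the old lowercase name so existing notifications keep firing. The ping and public_html tasks still notify `reload nginx`; whether that handler was renamed the same way is outside this diff.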
diff --git a/roles/php_fpm/tasks/main.yaml b/roles/php_fpm/tasks/main.yaml index 01c6d645302a556827a2427022ad28e55ca31878..026e543497e789326403f2f55597284eb7df5481 100644 --- a/roles/php_fpm/tasks/main.yaml +++ b/roles/php_fpm/tasks/main.yaml @@ -1,7 +1,7 @@ -- name: install php-fpm +- name: Install php-fpm pacman: name=php-fpm,php-gd,php-pgsql state=present -- name: install php-fpm units +- name: Install php-fpm units copy: > src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 @@ -10,7 +10,7 @@ - php-fpm@.service notify: daemon reload -- name: configure default php.ini +- name: Configure default php.ini template: > src=php.ini.j2 dest=/etc/php/php.ini owner=root group=root mode=0644 diff --git a/roles/phrik/tasks/main.yml b/roles/phrik/tasks/main.yml index 1718edb493364e941679de1a7fff9edfd6203230..17c9365c226c29d3cbc552e7cd34f9f59edd3dbd 100644 --- a/roles/phrik/tasks/main.yml +++ b/roles/phrik/tasks/main.yml 
@@ -1,34 +1,34 @@ -- name: install phrik utilities +- name: Install phrik utilities pacman: name=git,pkgfile,polkit state=present -- name: add phrik group +- name: Add phrik group group: name=phrik gid=1100 state=present -- name: add phrik user +- name: Add phrik user user: name=phrik group=phrik uid=1100 comment="phrik IRC bot" createhome=yes -- name: adding users to phrik group +- name: Adding users to phrik group user: groups=phrik name="{{ item }}" append=yes with_items: - demize tags: ['archusers'] -- name: adding users to systemd-journal group for monitoring +- name: Adding users to systemd-journal group for monitoring user: groups=systemd-journal name="{{ item }}" append=yes with_items: - demize tags: ['archusers'] -- name: install phrik sudoers config +- name: Install phrik sudoers config copy: src=sudoers dest=/etc/sudoers.d/phrik owner=root group=root mode=0440 -- name: install polkit rule for restarting phrik +- name: Install polkit rule for restarting phrik copy: src=20-manage-phrik.rules dest=/etc/polkit-1/rules.d/20-manage-phrik.rules owner=root group=root mode=0644 -- name: install phrik systemd service +- name: Install phrik systemd service copy: src=phrik.service dest=/etc/systemd/system/phrik.service owner=root group=root mode=0644 -- name: start and enable pkgfile and phrikservice +- name: Start and enable pkgfile and phrikservice systemd: name: "{{ item }}" enabled: true diff --git a/roles/ping/tasks/main.yml b/roles/ping/tasks/main.yml index 54ecfba85a4bc64a804aa9195b7bca0d4d0bae7f..74fb8e62c6bff4ebd41ea71455f746a0961f204a 100644 --- a/roles/ping/tasks/main.yml +++ b/roles/ping/tasks/main.yml 
@@ -1,13 +1,13 @@ -- name: create ssl cert +- name: Create ssl cert include_role: name: certificate vars: domains: ["{{ ping_domain }}"] -- name: make nginx log dir +- name: Make nginx log dir file: path=/var/log/nginx/{{ ping_domain }} state=directory owner=root group=root mode=0755 -- name: set up nginx +- name: Set up nginx template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/ping.conf" owner=root group=root mode=644 notify: reload nginx tags: ['nginx'] diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml index b40a9ab2c9ce4240ba3a49138e15c4138edcb96e..322279f4728671b99711c24ef8239405bae88e94 100644 --- a/roles/postfix/handlers/main.yml +++ b/roles/postfix/handlers/main.yml @@ -1,12 +1,12 @@ -- name: restart postfix +- name: Restart postfix service: name: postfix state: restarted -- name: reload postfix +- name: Reload postfix command: postfix reload -- name: postmap additional files +- name: Postmap additional files command: postmap /etc/postfix/{{ item }} with_items: - access_client @@ -19,5 +19,5 @@ - domains - msa_header_checks -- name: update aliases db +- name: Update aliases db command: postalias /etc/postfix/aliases diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml index dcb35f4d2b472cb873d5da796baedc3e4b2f0b8b..d04db9270ed9156d1a8481d95b88dae4f2414eb8 100644 --- a/roles/postfix/tasks/main.yml +++ b/roles/postfix/tasks/main.yml @@ -1,7 +1,7 @@ -- name: install postfix +- name: Install postfix pacman: name=postfix,postfix-pcre state=present -- name: install template configs +- name: Install template configs template: src={{ item }}.j2 dest=/etc/postfix/{{ item }} owner=root group=root mode=0644 with_items: - main.cf @@ -15,7 +15,7 @@ - postmap additional files - update aliases db -- name: install additional files +- name: Install additional files copy: src={{ item }} dest=/etc/postfix/{{ item }} owner=root group=root mode=0644 with_items: - access_client 
@@ -31,42 +31,42 @@ notify: - postmap additional files -- name: create dhparam 2048 +- name: Create dhparam 2048 command: openssl dhparam -out /etc/postfix/dh2048.pem 2048 creates=/etc/postfix/dh2048.pem notify: - reload postfix -- name: create ssl cert +- name: Create ssl cert include_role: name: certificate vars: domains: ["{{ mail_domain }}"] -- name: install postfix cert renewal hook +- name: Install postfix cert renewal hook template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/hook.d/postfix owner=root group=root mode=0755 -- name: install bouncehandler config +- name: Install bouncehandler config template: src=wiki-bouncehandler.conf.j2 dest={{ postfix_wiki_bounce_config }} owner={{ postfix_wiki_bounce_user }} group=root mode=0600 -- name: install packages for bounce handler +- name: Install packages for bounce handler pacman: name=perl-mediawiki-api,perl-config-simple state=present -- name: install bouncehandler script +- name: Install bouncehandler script copy: src=bouncehandler.pl dest={{ postfix_wiki_bounce_mail_handler }} owner=root group=root mode=0755 -- name: make bouncehandler user +- name: Make bouncehandler user user: name={{ postfix_wiki_bounce_user }} shell=/bin/false skeleton=/var/empty state=present -- name: start and enable postfix +- name: Start and enable postfix service: name=postfix enabled=yes state=started -- name: remove old files +- name: Remove old files file: path={{ item }} state=absent with_items: - compat_maps - compat_maps.db -- name: open firewall holes +- name: Open firewall holes ansible.posix.firewalld: service={{ item }} permanent=true state=enabled immediate=yes with_items: - smtp diff --git a/roles/postfix_null/handlers/main.yml b/roles/postfix_null/handlers/main.yml index 92e6bc6be6c06e7abfda7e8930ad5bee18927a35..72e494d4c767d06c044a27ba6cb374681bb5443d 100644 --- a/roles/postfix_null/handlers/main.yml +++ b/roles/postfix_null/handlers/main.yml 
@@ -1,2 +1,2 @@ -- name: reload postfix +- name: Reload postfix service: name=postfix state=reloaded diff --git a/roles/postfix_null/tasks/main.yml b/roles/postfix_null/tasks/main.yml index 0fd69c97db8238d30260eaa55730225c451266e7..2ba6d89c663f8c07a648526ac5f6c0132ff88284 100644 --- a/roles/postfix_null/tasks/main.yml +++ b/roles/postfix_null/tasks/main.yml @@ -1,7 +1,7 @@ -- name: install postfix +- name: Install postfix pacman: name=postfix state=present -- name: install template configs +- name: Install template configs template: src={{ item.file }}.j2 dest=/etc/postfix/{{ item.file }} owner=root group={{ item.group }} mode={{ item.mode }} with_items: - {file: main.cf, group: root, mode: 644} @@ -9,7 +9,7 @@ notify: - reload postfix -- name: create user account on mail to relay with +- name: Create user account on mail to relay with delegate_to: mail.archlinux.org user: name: "{{ inventory_hostname_short }}" @@ -21,5 +21,5 @@ home: /home/"{{ inventory_hostname }}" # Set home directory so shadow.service does not fail create_home: true -- name: start and enable postfix +- name: Start and enable postfix service: name=postfix enabled=yes state=started diff --git a/roles/postfwd/handlers/main.yml b/roles/postfwd/handlers/main.yml index d8da47c4b2452dbdbf01319774a2ec2d7cd49328..3f06867feb03e3c5c1b7fd3da833374c275e8171 100644 --- a/roles/postfwd/handlers/main.yml +++ b/roles/postfwd/handlers/main.yml @@ -1,2 +1,2 @@ -- name: reload postfwd +- name: Reload postfwd service: name=postfwd state=reloaded diff --git a/roles/postfwd/tasks/main.yml b/roles/postfwd/tasks/main.yml index 9e5a5b74ece91b5b8aca680c2c827c0fbaaca788..8b5828edaba0edf65a643aa26b81a995cfe3f892 100644 --- a/roles/postfwd/tasks/main.yml +++ b/roles/postfwd/tasks/main.yml 
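Review bot: In the `@@ -21,5 +21,5 @@` hunk of roles/postfix_null/tasks/main.yml, the context line `home: /home/"{{ inventory_hostname }}"` is a plain YAML scalar, so the double quotes are literal characters in the value and the relay account on mail.archlinux.org gets a home directory named `/home/"<hostname>"` rather than `/home/<hostname>`. The quoting should wrap the whole value: `home: "/home/{{ inventory_hostname }}"`. This predates the commit, but the rename touches the same task and is a good moment to fix it; the trailing comment about shadow.service suggests the directory only needs to exist, which may be why the odd name has gone unnoticed.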
@@ -1,10 +1,10 @@ -- name: install postfwd +- name: Install postfwd pacman: name=postfwd state=present -- name: install postfwd.cf +- name: Install postfwd.cf template: src=postfwd.cf.j2 dest=/etc/postfwd/postfwd.cf owner=postfwd group=root mode=0600 notify: - reload postfwd -- name: start and enable postfwd +- name: Start and enable postfwd service: name=postfwd enabled=yes state=started diff --git a/roles/postgres/handlers/main.yml b/roles/postgres/handlers/main.yml index 852591c094974f6cb66e3289e963a6def62632dd..197b852d9cfed48f0aed362d9626d105c1a5053a 100644 --- a/roles/postgres/handlers/main.yml +++ b/roles/postgres/handlers/main.yml @@ -1,2 +1,2 @@ -- name: restart postgres +- name: Restart postgres service: name=postgresql state=restarted diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml index 9f916cb7695b959b4fc2493e18017a1e9d38be68..da38d4db6d7c4c4497ac5b7f5d6bcc4ad502d6b7 100644 --- a/roles/postgres/tasks/main.yml +++ b/roles/postgres/tasks/main.yml @@ -1,13 +1,13 @@ -- name: create postgres subvolume +- name: Create postgres subvolume command: btrfs subvol create /var/lib/postgres args: creates: /var/lib/postgres when: filesystem == "btrfs" -- name: install postgres +- name: Install postgres pacman: name=postgresql,python-psycopg2 state=present -- name: create nocow database directory +- name: Create nocow database directory file: state: directory owner: postgres @@ -17,7 +17,7 @@ mode: 0700 when: filesystem == "btrfs" -- name: initialize postgres +- name: Initialize postgres become: true become_user: postgres become_method: su @@ -28,7 +28,7 @@ notify: - restart postgres -- name: configure postgres +- name: Configure postgres template: src={{ item }}.j2 dest=/var/lib/postgres/data/{{ item }} owner=postgres group=postgres mode=0600 with_items: - postgresql.conf 
@@ -36,35 +36,35 @@ notify: - restart postgres -- name: install postgres certificate +- name: Install postgres certificate copy: src=/etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem dest={{ postgres_ssl_cert_file }} remote_src=true owner=postgres group=postgres mode=0400 when: postgres_ssl == 'on' -- name: install postgres private key +- name: Install postgres private key copy: src=/etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem dest={{ postgres_ssl_key_file }} remote_src=true owner=postgres group=postgres mode=0400 when: postgres_ssl == 'on' -- name: install postgres ca +- name: Install postgres ca copy: src=/etc/letsencrypt/live/{{ inventory_hostname }}/chain.pem dest={{ postgres_ssl_ca_file }} remote_src=true owner=postgres group=postgres mode=0400 when: postgres_ssl == 'on' -- name: start and enable postgres +- name: Start and enable postgres service: name=postgresql enabled=yes state=started -- name: set postgres user password +- name: Set postgres user password postgresql_user: name=postgres password={{ vault_postgres_users.postgres }} encrypted=yes become: true become_user: postgres become_method: su -- name: install postgres cert renewal hook +- name: Install postgres cert renewal hook template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/hook.d/postgres owner=root group=root mode=0755 when: postgres_ssl == 'on' -- name: open firewall holes to known postgresql ipv4 clients +- name: Open firewall holes to known postgresql ipv4 clients ansible.posix.firewalld: zone={{ postgres_firewalld_zone }} permanent=true state=enabled immediate=yes rich_rule="rule family=ipv4 source address={{ item }} port protocol=tcp port=5432 accept" with_items: "{{ postgres_hosts4 + postgres_ssl_hosts4 }}" 
@@ -72,7 +72,7 @@ tags: - firewall -- name: open firewall holes to known postgresql ipv6 clients +- name: Open firewall holes to known postgresql ipv6 clients ansible.posix.firewalld: zone={{ postgres_firewalld_zone }} permanent=true state=enabled immediate=yes rich_rule="rule family=ipv6 source address={{ item }} port protocol=tcp port=5432 accept" with_items: "{{ postgres_hosts6 + postgres_ssl_hosts6 }}" @@ -80,5 +80,5 @@ tags: - firewall -- name: copy postgresql upgrade script +- name: Copy postgresql upgrade script copy: src=upgrade_pg.sh dest=/usr/local/bin/upgrade_pg.sh mode=0755 owner=root group=root diff --git a/roles/prometheus/handlers/main.yml b/roles/prometheus/handlers/main.yml index 2c1e0aa9b6578ef1f57c96390bd9536c77b258e0..9c8f6efe0a5a16f8a95e3c9ffc5f9a3e07f11a98 100644 --- a/roles/prometheus/handlers/main.yml +++ b/roles/prometheus/handlers/main.yml @@ -1,2 +1,2 @@ -- name: reload prometheus +- name: Reload prometheus service: name=prometheus state=reloaded diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml index a153ca765fcb7a30ca97d0434c01c518eed0441f..7f93d58051cad915aa7c8439a8a4c1265656a8b9 100644 --- a/roles/prometheus/tasks/main.yml +++ b/roles/prometheus/tasks/main.yml 
@@ -1,28 +1,28 @@ -- name: install prometheus server +- name: Install prometheus server pacman: name=prometheus,python-passlib,python-bcrypt state=present -- name: install prometheus configuration +- name: Install prometheus configuration template: src=prometheus.yml.j2 dest=/etc/prometheus/prometheus.yml owner=root group=prometheus mode=640 notify: reload prometheus -- name: install prometheus cli configuration +- name: Install prometheus cli configuration template: src=prometheus.conf.j2 dest=/etc/conf.d/prometheus owner=root group=root mode=600 notify: reload prometheus -- name: install prometheus web-config configuration +- name: Install prometheus web-config configuration template: src=web-config.yml.j2 dest=/etc/prometheus/web-config.yml owner=root group=prometheus mode=640 notify: reload prometheus when: prometheus_receive_only -- name: install prometheus alert configuration +- name: Install prometheus alert configuration copy: src=node.rules.yml dest=/etc/prometheus/node.rules.yml owner=root group=root mode=644 notify: reload prometheus when: not prometheus_receive_only -- name: enable prometheus server service +- name: Enable prometheus server service systemd: name=prometheus enabled=yes daemon_reload=yes state=started -- name: open prometheus port for monitoring.archlinux.org +- name: Open prometheus port for monitoring.archlinux.org ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port=9090 accept" when: configure_firewall and prometheus_receive_only diff --git a/roles/prometheus_exporters/handlers/main.yml b/roles/prometheus_exporters/handlers/main.yml index 94ee1d8810cea2565c37ad9c7f0dc210e8ac82d1..a0e86e80b5602fa69645ccfc954cd3dd968ff4f2 100644 --- a/roles/prometheus_exporters/handlers/main.yml +++ b/roles/prometheus_exporters/handlers/main.yml 
@@ -1,2 +1,2 @@ -- name: reload blackbox exporter +- name: Reload blackbox exporter service: name=prometheus-blackbox-exporter state=reloaded diff --git a/roles/prometheus_exporters/tasks/main.yml b/roles/prometheus_exporters/tasks/main.yml index dad9fcb0447746cb63e3ec0b588869fed042c1b1..acd889acc56297f95253bfb3573886527201d69e 100644 --- a/roles/prometheus_exporters/tasks/main.yml +++ b/roles/prometheus_exporters/tasks/main.yml @@ -1,27 +1,27 @@ -- name: install prometheus-node-exporter +- name: Install prometheus-node-exporter pacman: name=prometheus-node-exporter,arch-audit,pacman-contrib,jq,hq,sudo state=present -- name: install prometheus-blackbox-exporter +- name: Install prometheus-blackbox-exporter pacman: name=prometheus-blackbox-exporter state=present when: "'prometheus' in group_names" -- name: install smartmontools for dedicated servers +- name: Install smartmontools for dedicated servers pacman: name=smartmontools state=present when: "'dedicated_servers' in group_names" -- name: install prometheus-memcached-exporter +- name: Install prometheus-memcached-exporter pacman: name=prometheus-memcached-exporter state=present when: "'memcached' in group_names" -- name: add node_exporter to rebuilderd group +- name: Add node_exporter to rebuilderd group user: name=node_exporter groups=rebuilderd append=yes when: "'rebuilderd' in group_names" -- name: install prometheus-mysqld-exporter +- name: Install prometheus-mysqld-exporter pacman: name=prometheus-mysqld-exporter state=present when: "'mysql_servers' in group_names" -- name: create prometheus mysqld database user +- name: Create prometheus mysqld database user mysql_user: name: '{{ prometheus_mysqld_user }}' password: '{{ vault_monitoring_mysql_password }}' 
@@ -31,25 +31,25 @@ MAX_USER_CONNECTIONS: 3 when: "'mysql_servers' in group_names" -- name: copy prometheus mysqld exporter configuration +- name: Copy prometheus mysqld exporter configuration template: src=prometheus-mysqld-exporter.j2 dest=/etc/conf.d/prometheus-mysqld-exporter owner=root group=root mode=600 when: "'mysql_servers' in group_names" -- name: enable prometheus-mysqld-exporter service +- name: Enable prometheus-mysqld-exporter service systemd: name=prometheus-mysqld-exporter enabled=yes daemon_reload=yes state=started when: "'mysql_servers' in group_names" -- name: copy prometheus memcached exporter configuration +- name: Copy prometheus memcached exporter configuration template: src=prometheus-memcached-exporter.j2 dest=/etc/conf.d/prometheus-memcached-exporter owner=root group=root mode=600 when: "'memcached' in group_names" -- name: install node exporter configuration +- name: Install node exporter configuration template: src=prometheus-node-exporter.env.j2 dest=/etc/conf.d/prometheus-node-exporter owner=root group=root mode=600 -- name: create textcollector directory +- name: Create textcollector directory file: path="{{ prometheus_textfile_dir }}" state=directory owner=node_exporter group=node_exporter mode=700 -- name: install node exporter textcollector scripts +- name: Install node exporter textcollector scripts copy: src={{ item }} dest=/usr/local/bin/{{ item }} owner=root group=root mode=0755 with_items: - arch-textcollector.sh 
@@ -65,177 +65,177 @@ - fail2ban-textcollector.sh - smart-textcollector.sh -- name: install arch textcollector service +- name: Install arch textcollector service template: src=prometheus-arch-textcollector.service.j2 dest=/etc/systemd/system/prometheus-arch-textcollector.service owner=root group=root mode=644 -- name: install arch textcollector timer +- name: Install arch textcollector timer template: src=prometheus-arch-textcollector.timer.j2 dest=/etc/systemd/system/prometheus-arch-textcollector.timer owner=root group=root mode=644 -- name: enable and start prometheus arch textcollector timer +- name: Enable and start prometheus arch textcollector timer systemd: name=prometheus-arch-textcollector.timer enabled=yes daemon_reload=yes state=started -- name: install borg textcollector services +- name: Install borg textcollector services template: src=prometheus-borg-textcollector.service.j2 dest=/etc/systemd/system/prometheus-{{ item.name }}-textcollector.service owner=root group=root mode=644 loop: - { name: borg, service: borg-backup } - { name: borg-offsite, service: borg-backup-offsite } when: "'borg_clients' in group_names" -- name: enable borg textcollector services +- name: Enable borg textcollector services systemd: name=prometheus-{{ item.name }}-textcollector.service enabled=yes daemon_reload=yes loop: - { name: borg, service: borg-backup } - { name: borg-offsite, service: borg-backup-offsite } when: "'borg_clients' in group_names" -- name: install smart textcollector service +- name: Install smart textcollector service template: src=prometheus-smart-textcollector.service.j2 dest=/etc/systemd/system/prometheus-smart-textcollector.service owner=root group=root mode=644 when: "'dedicated_servers' in group_names" -- name: install smart textcollector timer +- name: Install smart textcollector timer template: src=prometheus-smart-textcollector.timer.j2 dest=/etc/systemd/system/prometheus-smart-textcollector.timer owner=root group=root mode=644 when: 
"'dedicated_servers' in group_names" -- name: enable and start prometheus smart textcollector timer +- name: Enable and start prometheus smart textcollector timer systemd: name=prometheus-smart-textcollector.timer enabled=yes daemon_reload=yes state=started when: "'dedicated_servers' in group_names" -- name: install hetzner textcollector service +- name: Install hetzner textcollector service template: src=prometheus-hetzner-textcollector.service.j2 dest=/etc/systemd/system/prometheus-hetzner-textcollector.service owner=root group=root mode=644 when: "inventory_hostname == 'monitoring.archlinux.org'" -- name: install hetzner textcollector timer +- name: Install hetzner textcollector timer template: src=prometheus-hetzner-textcollector.timer.j2 dest=/etc/systemd/system/prometheus-hetzner-textcollector.timer owner=root group=root mode=644 when: "inventory_hostname == 'monitoring.archlinux.org'" -- name: enable and start prometheus hetzner textcollector timer +- name: Enable and start prometheus hetzner textcollector timer systemd: name=prometheus-hetzner-textcollector.timer enabled=yes daemon_reload=yes state=started when: "inventory_hostname == 'monitoring.archlinux.org'" -- name: install gitlab-exporter +- name: Install gitlab-exporter pacman: name=gitlab-exporter state=present when: "inventory_hostname == 'gitlab.archlinux.org'" -- name: install gitlab-exporter service and configuration +- name: Install gitlab-exporter service and configuration template: src="{{ item.src }}" dest="{{ item.dest }}" owner=root group=root mode="{{ item.mode }}" with_items: - { src: 'gitlab-exporter.conf.j2', dest: '/etc/conf.d/gitlab-exporter', mode: '0600' } - { src: 'gitlab-exporter.service.j2', dest: '/etc/systemd/system/gitlab-exporter.service', mode: '0644' } when: "inventory_hostname == 'gitlab.archlinux.org'" -- name: install gitlab-exporter timer +- name: Install gitlab-exporter timer copy: src=gitlab-exporter.timer dest="/etc/systemd/system/gitlab-exporter.timer" owner=root 
group=root mode=0644 when: "inventory_hostname == 'gitlab.archlinux.org'" -- name: enable and start gitlab-exporter timer +- name: Enable and start gitlab-exporter timer systemd: name=gitlab-exporter.timer enabled=yes daemon_reload=yes state=started when: "inventory_hostname == 'gitlab.archlinux.org'" -- name: install fail2ban textcollector service +- name: Install fail2ban textcollector service template: src=prometheus-fail2ban-textcollector.service.j2 dest=/etc/systemd/system/prometheus-fail2ban-textcollector.service owner=root group=root mode=644 -- name: install fail2ban textcollector timer +- name: Install fail2ban textcollector timer template: src=prometheus-fail2ban-textcollector.timer.j2 dest=/etc/systemd/system/prometheus-fail2ban-textcollector.timer owner=root group=root mode=644 -- name: enable and start prometheus fail2ban textcollector timer +- name: Enable and start prometheus fail2ban textcollector timer systemd: name=prometheus-fail2ban-textcollector.timer enabled=yes daemon_reload=yes state=started -- name: install blackbox exporter configuration +- name: Install blackbox exporter configuration template: src=blackbox.yml.j2 dest=/etc/prometheus/blackbox.yml owner=root group=root mode=0644 notify: reload blackbox exporter when: "'prometheus' in group_names" -- name: install rebuilderd textcollector service +- name: Install rebuilderd textcollector service template: src=prometheus-rebuilderd-textcollector.service.j2 dest=/etc/systemd/system/prometheus-rebuilderd-textcollector.service owner=root group=root mode=644 when: "'rebuilderd' in group_names" -- name: install rebuilderd textcollector timer +- name: Install rebuilderd textcollector timer template: src=prometheus-rebuilderd-textcollector.timer.j2 dest=/etc/systemd/system/prometheus-rebuilderd-textcollector.timer owner=root group=root mode=644 when: "'rebuilderd' in group_names" -- name: enable and start prometheus rebuilderd textcollector timer +- name: Enable and start prometheus rebuilderd 
textcollector timer systemd: name=prometheus-rebuilderd-textcollector.timer enabled=yes daemon_reload=yes state=started when: "'rebuilderd' in group_names" -- name: install rebuilderd textcollector service +- name: Install rebuilderd textcollector service template: src=prometheus-archive-textcollector.service.j2 dest=/etc/systemd/system/prometheus-archive-textcollector.service owner=root group=root mode=644 when: "'archive_mirrors' in group_names or inventory_hostname == 'gemini.archlinux.org'" -- name: install rebuilderd textcollector service +- name: Install rebuilderd textcollector service template: src=prometheus-repository-textcollector.service.j2 dest=/etc/systemd/system/prometheus-repository-textcollector.service owner=root group=root mode=644 when: "inventory_hostname == 'gemini.archlinux.org'" -- name: install rebuilderd textcollector timer +- name: Install rebuilderd textcollector timer template: src=prometheus-archive-textcollector.timer.j2 dest=/etc/systemd/system/prometheus-archive-textcollector.timer owner=root group=root mode=644 when: "'archive_mirrors' in group_names or inventory_hostname == 'gemini.archlinux.org'" -- name: enable and start prometheus archive textcollector timer +- name: Enable and start prometheus archive textcollector timer systemd: name=prometheus-archive-textcollector.timer enabled=yes daemon_reload=yes state=started when: "'archive_mirrors' in group_names or inventory_hostname == 'gemini.archlinux.org'" -- name: install rebuilderd textcollector timer +- name: Install rebuilderd textcollector timer template: src=prometheus-repository-textcollector.timer.j2 dest=/etc/systemd/system/prometheus-repository-textcollector.timer owner=root group=root mode=644 when: "inventory_hostname == 'gemini.archlinux.org'" -- name: enable and start prometheus repository textcollector timer +- name: Enable and start prometheus repository textcollector timer systemd: name=prometheus-repository-textcollector.timer enabled=yes daemon_reload=yes 
state=started when: "inventory_hostname == 'gemini.archlinux.org'" -- name: install sudoers for btrfs +- name: Install sudoers for btrfs copy: src=sudoers dest=/etc/sudoers.d/node_exporter owner=root group=root mode=0440 when: filesystem == "btrfs" -- name: install btrfs textcollector service +- name: Install btrfs textcollector service template: src=prometheus-btrfs-textcollector.service.j2 dest=/etc/systemd/system/prometheus-btrfs-textcollector.service owner=root group=root mode=644 when: filesystem == "btrfs" -- name: install btrfs textcollector timer +- name: Install btrfs textcollector timer template: src=prometheus-btrfs-textcollector.timer.j2 dest=/etc/systemd/system/prometheus-btrfs-textcollector.timer owner=root group=root mode=644 when: filesystem == "btrfs" -- name: enable and start prometheus btrfs textcollector timer +- name: Enable and start prometheus btrfs textcollector timer systemd: name=prometheus-btrfs-textcollector.timer enabled=yes daemon_reload=yes state=started when: filesystem == "btrfs" -- name: install aur textcollector service +- name: Install aur textcollector service template: src=prometheus-aur-textcollector.service.j2 dest=/etc/systemd/system/prometheus-aur-textcollector.service owner=root group=root mode=644 when: "'prometheus' in group_names" -- name: install aur textcollector timer +- name: Install aur textcollector timer template: src=prometheus-aur-textcollector.timer.j2 dest=/etc/systemd/system/prometheus-aur-textcollector.timer owner=root group=root mode=644 when: "'prometheus' in group_names" -- name: enable and start prometheus aur textcollector timer +- name: Enable and start prometheus aur textcollector timer systemd: name=prometheus-aur-textcollector.timer enabled=yes daemon_reload=yes state=started when: "'prometheus' in group_names" -- name: enable prometheus-node-exporter service +- name: Enable prometheus-node-exporter service systemd: name=prometheus-node-exporter enabled=yes daemon_reload=yes state=started -- name: 
enable prometheus-blackbox-exporter service +- name: Enable prometheus-blackbox-exporter service systemd: name=prometheus-blackbox-exporter enabled=yes daemon_reload=yes state=started when: "'prometheus' in group_names" -- name: enable prometheus-memcached-exporter service +- name: Enable prometheus-memcached-exporter service systemd: name=prometheus-memcached-exporter enabled=yes daemon_reload=yes state=started when: "'memcached' in group_names" -- name: open prometheus-node-exporter ipv4 port for monitoring.archlinux.org +- name: Open prometheus-node-exporter ipv4 port for monitoring.archlinux.org ansible.posix.firewalld: state=enabled permanent=true immediate=yes rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ prometheus_exporter_port }} accept" when: "'prometheus' not in group_names" -- name: open gitlab exporter ipv4 port for monitoring.archlinux.org +- name: Open gitlab exporter ipv4 port for monitoring.archlinux.org ansible.posix.firewalld: state=enabled permanent=true immediate=yes rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ gitlab_runner_exporter_port }} accept" when: "'gitlab_runners' in group_names" -- name: open prometheus mysqld exporter ipv4 port for monitoring.archlinux.org +- name: Open prometheus mysqld exporter ipv4 port for monitoring.archlinux.org ansible.posix.firewalld: state=enabled permanent=true immediate=yes rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ prometheus_mysqld_exporter_port }} accept" when: "'mysql_servers' in group_names" -- name: open prometheus memcached exporter ipv4 port for monitoring.archlinux.org +- name: Open prometheus memcached exporter ipv4 port for monitoring.archlinux.org ansible.posix.firewalld: state=enabled permanent=true immediate=yes rich_rule="rule family=ipv4 source 
address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ prometheus_memcached_exporter_port }} accept" when: "'memcached' in group_names" diff --git a/roles/promtail/handlers/main.yml b/roles/promtail/handlers/main.yml index 1645fbe2d7c6a6e59fe00cb530b230526eafdf9c..cb1e23397b335b4b8ae316a17746138d2face5e7 100644 --- a/roles/promtail/handlers/main.yml +++ b/roles/promtail/handlers/main.yml @@ -1,2 +1,2 @@ -- name: restart promtail +- name: Restart promtail service: name=promtail daemon_reload=yes state=restarted diff --git a/roles/promtail/tasks/main.yml b/roles/promtail/tasks/main.yml index 640b3e6e992339e6022592fb74a4e4abee47bc53..8a15009eed746791f5a02e6ec6e682f585320187 100644 --- a/roles/promtail/tasks/main.yml +++ b/roles/promtail/tasks/main.yml 
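Review bot: In the `@@ -65,177 +65,177 @@` hunk of roles/prometheus_exporters/tasks/main.yml, the capitalized names still carry copy-paste labels: the tasks that install `prometheus-archive-textcollector.service`, `prometheus-repository-textcollector.service`, `prometheus-archive-textcollector.timer` and `prometheus-repository-textcollector.timer` are all named `Install rebuilderd textcollector service` / `Install rebuilderd textcollector timer`, identical to the real rebuilderd tasks above them. Since this commit rewrites every task name anyway, those four should read e.g. `- name: Install archive textcollector service` and `- name: Install repository textcollector timer`, matching the `Enable and start prometheus archive textcollector timer` and `Enable and start prometheus repository textcollector timer` names that follow them. Duplicate task names make `--start-at-task` and play output ambiguous when one of these timers has to be debugged on gemini.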
@@ -1,22 +1,22 @@
-- name: install promtail
+- name: Install promtail
   pacman: name=promtail state=present
-- name: install promtail configuration
+- name: Install promtail configuration
   template: src=promtail.yaml.j2 dest=/etc/loki/promtail.yaml owner=root group=promtail mode=0640
   notify: restart promtail
-- name: open promtail ipv4 port for monitoring.archlinux.org
+- name: Open promtail ipv4 port for monitoring.archlinux.org
   ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port=9080 accept"
   tags:
     - firewall
-- name: create drop-in directory for promtail.service
+- name: Create drop-in directory for promtail.service
   file: path=/etc/systemd/system/promtail.service.d state=directory owner=root group=root mode=0755
-- name: install drop-in for promtail.service
+- name: Install drop-in for promtail.service
   copy: src=override.conf dest=/etc/systemd/system/promtail.service.d/ owner=root group=root mode=0644
   notify: restart promtail
-- name: start and enable promtail
+- name: Start and enable promtail
   systemd: name=promtail.service enabled=yes daemon_reload=yes state=started
diff --git a/roles/public_html/tasks/main.yml b/roles/public_html/tasks/main.yml
index 01c8f61af7a0a7e4f0f2911147fb138b8fe75a02..a54685df39e089e399d9490c62e4c48496f0f586 100644
--- a/roles/public_html/tasks/main.yml
+++ b/roles/public_html/tasks/main.yml
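Review bot: `notify: restart promtail` on the template task and on the drop-in copy task still names the handler in lower case, while roles/promtail/handlers/main.yml renames that handler to `Restart promtail` in the same commit; as far as I can tell Ansible compares notify strings with handler names exactly, case included, so after this change a promtail config edit no longer triggers the restart and the play fails with an unresolved handler. The same mismatch is visible in quassel (`- daemon reload`), rebuilderd_worker (`- daemon reload`), rspamd (`- reload rspamd`), sshd (`- restart sshd`) and uwsgi (`- restart emperor.uwsgi`), and every `reload nginx`, `daemon reload` and `post security-tracker deploy` notify should be checked against handler files not shown here. Either update each notify to the new spelling, here `notify: Restart promtail`, or give the handlers a `listen:` topic the way the wireguard handlers already do (`listen: reload wireguard`), which decouples the notify string from the display name and makes future casing fixes safe.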
@@ -1,31 +1,31 @@
-- name: create ssl cert
+- name: Create ssl cert
   include_role:
     name: certificate
   vars:
     domains: ["{{ public_domain }}", "www.{{ public_domain }}"]
-- name: copy webroot files
+- name: Copy webroot files
   copy: src=public_html dest=/srv owner=root group=root mode=0644 directory_mode=0755
-- name: install public_html scripts
+- name: Install public_html scripts
   template: src=generate-public_html.j2 dest=/usr/local/bin/generate-public_html owner=root group=root mode=0755
-- name: install public_html units
+- name: Install public_html units
   copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
   with_items:
     - generate-public_html.timer
     - generate-public_html.service
-- name: start and enable public_html units
+- name: Start and enable public_html units
   service: name={{ item }} enabled=yes state=started
   with_items:
     - generate-public_html.timer
     - generate-public_html.service
-- name: make nginx log dir
+- name: Make nginx log dir
   file: path=/var/log/nginx/{{ public_domain }} state=directory owner=root group=root mode=0755
-- name: set up nginx
+- name: Set up nginx
   template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/public_html.conf owner=root group=root mode=0644
   notify:
     - reload nginx
diff --git a/roles/quassel/handlers/main.yml b/roles/quassel/handlers/main.yml
index 4cdf85af110bf5549dd158dfad52dc85ded066e5..6c908e34bc23740bef804236f1c11b4f5c8257e1 100644
--- a/roles/quassel/handlers/main.yml
+++ b/roles/quassel/handlers/main.yml
@@ -1,2 +1,2 @@
-- name: daemon reload
+- name: Daemon reload
   systemd: daemon_reload=yes
diff --git a/roles/quassel/tasks/main.yml b/roles/quassel/tasks/main.yml
index d72c9912587ee1eccdc8dde229dfec4ff26b4f0a..58f3f4f750cd58a7cad0a58075886f0ec801cb89 100644
--- a/roles/quassel/tasks/main.yml
+++ b/roles/quassel/tasks/main.yml
@@ -1,19 +1,19 @@
-- name: install quassel
+- name: Install quassel
   pacman: name=quassel-core,python-pexpect state=present
-- name: add quassel postgres db
+- name: Add quassel postgres db
   postgresql_db: db=quassel
   become: true
   become_user: postgres
   become_method: su
-- name: add quassel postgres user
+- name: Add quassel postgres user
   postgresql_user: db=quassel name=quassel password={{ vault_postgres_users.quassel }} encrypted=true
   become: true
   become_user: postgres
   become_method: su
-- name: initialize quassel
+- name: Initialize quassel
   become: true
   become_user: quassel
   become_method: sudo
@@ -31,16 +31,16 @@
       Database: ''
     creates: /var/lib/quassel/quasselcore.conf
-- name: create ssl cert
+- name: Create ssl cert
   include_role:
     name: certificate
   vars:
     domains: ["{{ quassel_domain }}"]
-- name: install quassel cert renewal hook
+- name: Install quassel cert renewal hook
   template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/hook.d/quassel owner=root group=root mode=0755
-- name: install quassel units
+- name: Install quassel units
   copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
   with_items:
     - clean-quassel.timer
@@ -48,19 +48,19 @@
   notify:
     - daemon reload
-- name: add quassel.service.d dir
+- name: Add quassel.service.d dir
   file: state=directory path=/etc/systemd/system/quassel.service.d owner=root group=root mode=0755
-- name: install quassel.service snippet
+- name: Install quassel.service snippet
   copy: src=quassel.service.d dest=/etc/systemd/system/quassel.service.d/local.conf owner=root group=root mode=0644
-- name: start and enable quassel
+- name: Start and enable quassel
   service: name={{ item }} enabled=yes state=started
   with_items:
     - quassel.service
     - clean-quassel.timer
-- name: open firewall holes
+- name: Open firewall holes
   ansible.posix.firewalld: port={{ item }} permanent=true state=enabled immediate=yes
   with_items:
     - 4242/tcp
diff --git a/roles/rebuilderd/tasks/main.yml b/roles/rebuilderd/tasks/main.yml
index 39731dccb08d4675c2b54206c2d81774797a7e3d..a8810e22d23ff1bdb5fc93d25c9accb071846693 100644
--- a/roles/rebuilderd/tasks/main.yml
+++ b/roles/rebuilderd/tasks/main.yml
@@ -1,30 +1,30 @@
-- name: install required packages
+- name: Install required packages
   pacman: name=rebuilderd,rebuilderd-website state=present
-- name: create ssl cert
+- name: Create ssl cert
   include_role:
     name: certificate
   vars:
     domains: ["{{ rebuilderd_domain }}"]
-- name: configure rebuilderd.conf
+- name: Configure rebuilderd.conf
   template: src=rebuilderd.conf.j2 dest=/etc/rebuilderd.conf owner=rebuilderd group=rebuilderd mode=0660
-- name: configure rebuilderd-sync.conf
+- name: Configure rebuilderd-sync.conf
   template: src=rebuilderd-sync.conf.j2 dest=/etc/rebuilderd-sync.conf owner=rebuilderd group=rebuilderd mode=0660
-- name: make nginx log dir
+- name: Make nginx log dir
   file: path=/var/log/nginx/{{ rebuilderd_domain }} state=directory owner=root group=root mode=0755
-- name: set up nginx
+- name: Set up nginx
   template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/rebuilderd.conf owner=root group=root mode=0644
   notify:
     - reload nginx
   tags: ['nginx']
-- name: enable and start rebuilderd
+- name: Enable and start rebuilderd
   systemd: name=rebuilderd enabled=yes state=started
-- name: enable and start rebuilderd {{ item }} timer
+- name: Enable and start rebuilderd {{ item }} timer
   systemd: name=rebuilderd-sync@archlinux-{{ item }}.timer enabled=yes state=started
   with_items: "{{ suites }}"
diff --git a/roles/rebuilderd_worker/handlers/main.yml b/roles/rebuilderd_worker/handlers/main.yml
index b7dd1329ddc3a1ab0c1adb00e3c6fc5bf0f3ee5d..53c25acb653061ac6585331c532338b68ce70faa 100644
--- a/roles/rebuilderd_worker/handlers/main.yml
+++ b/roles/rebuilderd_worker/handlers/main.yml
@@ -1,3 +1,3 @@
-- name: daemon reload
+- name: Daemon reload
   systemd:
     daemon-reload: true
diff --git a/roles/rebuilderd_worker/tasks/main.yml b/roles/rebuilderd_worker/tasks/main.yml
index c838137a4c96f1012e4153de0670f056312934d3..fbd34e0d9b25458ceb3d316a4b8c2522dd146890 100644
--- a/roles/rebuilderd_worker/tasks/main.yml
+++ b/roles/rebuilderd_worker/tasks/main.yml
@@ -1,23 +1,23 @@
-- name: install required packages
+- name: Install required packages
   pacman: name=rebuilderd,archlinux-repro,binutils,unzip state=present
-- name: configure rebuilderd-worker.conf
+- name: Configure rebuilderd-worker.conf
   template: src=rebuilderd-worker.conf.j2 dest=/etc/rebuilderd-worker.conf owner=rebuilderd group=rebuilderd mode=0660
-- name: create arch repro configuration dir
+- name: Create arch repro configuration dir
   file: path=/etc/archlinux-repro state=directory owner=root group=root mode=0750
-- name: install archlinux-repro configuration
+- name: Install archlinux-repro configuration
   copy: src=repro.conf dest=/etc/archlinux-repro/repro.conf owner=root group=root mode=0660
-- name: enable and start rebuilderd-worker@{{ item }}
+- name: Enable and start rebuilderd-worker@{{ item }}
   systemd: name=rebuilderd-worker@{{ item }} enabled=yes state=started
   with_items: '{{ rebuilderd_workers }}'
-- name: install cleanup script
+- name: Install cleanup script
   copy: src=clean-repro dest=/usr/local/bin/clean-repro owner=root group=root mode=0755
-- name: install cleanup units
+- name: Install cleanup units
   copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
   loop:
     - clean-repro.timer
@@ -25,5 +25,5 @@
   notify:
     - daemon reload
-- name: start and enable cleanup timer
+- name: Start and enable cleanup timer
   service: name=clean-repro.timer enabled=yes state=started
diff --git a/roles/redirects/tasks/main.yml b/roles/redirects/tasks/main.yml
index 5d18d2cc3e9e89ddc59fc25a52994075b31a9010..7fecac652c726f8c82f52ddc857a4d6226148792 100644
--- a/roles/redirects/tasks/main.yml
+++ b/roles/redirects/tasks/main.yml
@@ -1,18 +1,18 @@
-- name: create ssl cert
+- name: Create ssl cert
   include_role:
     name: certificate
   vars:
     domains: ["{{ item.domain }}"]
   loop: "{{ redirects }}"
-- name: make nginx log dir
+- name: Make nginx log dir
   file: path=/var/log/nginx/{{ item.domain }} state=directory owner=root group=root mode=0755
   loop: "{{ redirects }}"
-- name: set up nginx
+- name: Set up nginx
   template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/redirects.conf" owner=root group=root mode=644
   notify: reload nginx
   tags: ['nginx']
-- name: copy nginx map files
+- name: Copy nginx map files
   copy: src=maps dest=/etc/nginx/ owner=root group=root mode=0600
diff --git a/roles/redis/tasks/main.yml b/roles/redis/tasks/main.yml
index be5d43cbf6b4d40bf0004b72803395b25ca51d00..12203cd594f08711e266e103da357827804f2368 100644
--- a/roles/redis/tasks/main.yml
+++ b/roles/redis/tasks/main.yml
@@ -1,5 +1,5 @@
-- name: install redis
+- name: Install redis
   pacman: name=redis state=present
-- name: start and enable redis
+- name: Start and enable redis
   service: name=redis enabled=yes state=started
diff --git a/roles/root_ssh/tasks/main.yml b/roles/root_ssh/tasks/main.yml
index 153420e85854a5c75e8fb5ef9ff90198443e336a..532bd1afd18333d78affd65c1c1aa980e94b9067 100644
--- a/roles/root_ssh/tasks/main.yml
+++ b/roles/root_ssh/tasks/main.yml
@@ -1,5 +1,5 @@
-- name: create .ssh directory
+- name: Create .ssh directory
   file: path={{ root_ssh_directory }} state=directory owner=root group=root mode=0700
-- name: add authorized keys for root
+- name: Add authorized keys for root
   template: src=authorized_keys.j2 dest={{ root_ssh_directory }}/authorized_keys mode=0600 owner=root group=root
diff --git a/roles/rspamd/handlers/main.yml b/roles/rspamd/handlers/main.yml
index ee62a96196cef0dd558653b20e971d65d94ff9e8..c0ac9597a156c7ef2866c3ae22ae292ff38c68c1 100644
--- a/roles/rspamd/handlers/main.yml
+++ b/roles/rspamd/handlers/main.yml
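Review bot: `mode=644` on the redirects `Set up nginx` template task drops the leading zero that every other mode in this commit carries (`mode=0644`); in key=value form Ansible still parses the digit string as octal, so the file ends up 0644 today, but ansible-lint's risky-octal rule flags it and a later move to YAML dict syntax (`mode: 644`) would silently become decimal 644, i.e. 01204. Writing `mode=0644` keeps the role consistent and survives that conversion. The same `mode=644` appears on the security_tracker `Set up nginx` task further down in this diff.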
@@ -1,2 +1,2 @@
-- name: reload rspamd
+- name: Reload rspamd
   service: name=rspamd state=reloaded
diff --git a/roles/rspamd/tasks/main.yml b/roles/rspamd/tasks/main.yml
index 9ed46fb09e7fcd6182ff2f0d0ec5ccf23569e12f..d98793b00d8ce34cd326d64496300b8c5ac0255c 100644
--- a/roles/rspamd/tasks/main.yml
+++ b/roles/rspamd/tasks/main.yml
@@ -1,17 +1,17 @@
-- name: install rspamd
+- name: Install rspamd
   pacman: name=rspamd state=present
-- name: install config
+- name: Install config
   copy: src=local.d/ dest=/etc/rspamd/local.d/ owner=root group=root mode=0644
   notify:
     - reload rspamd
-- name: install dkim_signing.conf
+- name: Install dkim_signing.conf
   template: src=dkim_signing.conf.j2 dest=/etc/rspamd/local.d/dkim_signing.conf owner=root group=root mode=0644
   notify:
     - reload rspamd
-- name: create rspamd dkim directory
+- name: Create rspamd dkim directory
   file: path=/var/lib/rspamd/dkim state=directory owner=rspamd group=rspamd mode=0750
 # For this to run, you need to generate the keys first
@@ -25,7 +25,7 @@
 # roles/rspamd/files/archlinux.org.dkim-rsa.key
 # roles/rspamd/files/archlinux.org.dkim-ed25519.key
 #
-- name: install DKIM keys
+- name: Install DKIM keys
   copy: src={{ item }} dest=/var/lib/rspamd/dkim/ owner=rspamd group=rspamd mode=0600
   loop:
     - "{{ rspamd_dkim_domain }}.dkim-ed25519.key"
@@ -33,5 +33,5 @@
   notify:
     - reload rspamd
-- name: start and enable rspamd
+- name: Start and enable rspamd
   service: name=rspamd enabled=yes state=started
diff --git a/roles/rsync_net/tasks/main.yml b/roles/rsync_net/tasks/main.yml
index 921ffe4a58f9b2e23d99545f9ac30445d10ec76e..2933976dfd0df2fd21eadd18137f031ed69752cc 100644
--- a/roles/rsync_net/tasks/main.yml
+++ b/roles/rsync_net/tasks/main.yml
@@ -1,26 +1,26 @@
 # This role runs on localhost; use commands like sftp to upload configuration
-- name: create the root backup directory at {{ backup_dir }}
+- name: Create the root backup directory at {{ backup_dir }}
   expect:
     command: bash -c "echo 'mkdir {{ backup_dir }}' | sftp {{ rsync_net_username }}@{{ rsync_net_username }}.rsync.net"
     responses:
       (?i)password: "{{ rsync_net_password }}"
-- name: fetch ssh keys from each borg client machine
+- name: Fetch ssh keys from each borg client machine
   command: cat /root/.ssh/id_rsa.pub
   register: client_ssh_keys
   delegate_to: "{{ item }}"
   with_items: "{{ backup_clients }}"
   changed_when: client_ssh_keys.changed
-- name: create tempfile
+- name: Create tempfile
   tempfile: state=file
   register: tempfile
-- name: fill tempfile
+- name: Fill tempfile
   copy: content="{{ lookup('template', 'authorized_keys.j2') }}" dest="{{ tempfile.path }}" mode=0644 # noqa 208
-- name: upload authorized_keys file
+- name: Upload authorized_keys file
   expect:
     command: |
       bash -c 'sftp {{ rsync_net_username }}@{{ rsync_net_username }}.rsync.net <<EOF
diff --git a/roles/security_tracker/handlers/main.yml b/roles/security_tracker/handlers/main.yml
index fa9341630a677f2be051322690226f7abcb9dc90..ea61b6f3e90f1d2fca2080a5f28f248b50bf6684 100644
--- a/roles/security_tracker/handlers/main.yml
+++ b/roles/security_tracker/handlers/main.yml
@@ -1,4 +1,4 @@
-- name: upgrade database
+- name: Upgrade database
   become: true
   become_user: security
   command: /usr/bin/make db-upgrade chdir="{{ security_tracker_dir }}"
diff --git a/roles/security_tracker/tasks/main.yml b/roles/security_tracker/tasks/main.yml
index 7adb2750601166d292df5fb55634577304e8b489..9be87ba81815e374786a7310d74e0c0bf206955a 100644
--- a/roles/security_tracker/tasks/main.yml
+++ b/roles/security_tracker/tasks/main.yml
@@ -1,4 +1,4 @@
-- name: run maintenance mode
+- name: Run maintenance mode
   include_role:
     name: maintenance
   vars:
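Review bot: `changed_when: client_ssh_keys.changed` on the `Fetch ssh keys from each borg client machine` task is a no-op, because the command module reports changed on every run, so the expression is always true and a plain `cat` of a public key shows up as a change each time the role runs. The task only reads a file, so `changed_when: false` is the value that reflects what it does. The `Create the root backup directory` task has the same shape: it sends `mkdir` over sftp unconditionally and will report changed on every run; if idempotence matters there, register the expect result and derive `changed_when` from its output, otherwise a short comment stating that the task is intentionally non-idempotent would stop the next reader from asking the same question. The `# noqa 208` on the `Fill tempfile` task uses a numeric rule id; newer ansible-lint releases key noqa on rule names, so it may no longer suppress anything and should be checked against the project's lint version.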
@@ -8,7 +8,7 @@
     service_nginx_conf: "{{ security_tracker_nginx_conf }}"
   when: maintenance is defined
-- name: install packages
+- name: Install packages
   pacman:
     state: present
     name:
@@ -35,13 +35,13 @@
       - expac
       - uwsgi-plugin-python
-- name: make security user
+- name: Make security user
   user: name=security shell=/bin/false home="{{ security_tracker_dir }}" createhome=no
-- name: fix home permissions
+- name: Fix home permissions
   file: state=directory mode=0750 owner=security group=http path="{{ security_tracker_dir }}"
-- name: copy security-tracker units
+- name: Copy security-tracker units
   copy: src="{{ item }}" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
   with_items:
     - security-tracker-update.timer
@@ -49,11 +49,11 @@
   notify:
     - daemon reload
-- name: disable security-tracker timer
+- name: Disable security-tracker timer
   service: name="security-tracker-update.timer" enabled=no state=stopped
   when: maintenance is defined
-- name: receive valid signing keys
+- name: Receive valid signing keys
   become: true
   become_user: security
   command: /usr/bin/gpg --keyserver keys.openpgp.org --recv "{{ item }}"
@@ -62,7 +62,7 @@
   register: gpg
   changed_when: "gpg.rc == 0"
-- name: clone security-tracker repo
+- name: Clone security-tracker repo
   git: repo=https://github.com/archlinux/arch-security-tracker.git version="{{ security_tracker_version }}" dest="{{ security_tracker_dir }}" force=true verify_commit=true
   become: true
   become_user: security
@@ -70,43 +70,43 @@
   notify:
     - post security-tracker deploy
-- name: run initial setup
+- name: Run initial setup
   become: true
   become_user: security
   command: /usr/bin/make chdir="{{ security_tracker_dir }}" creates=*.db
-- name: restrict database permissions
+- name: Restrict database permissions
   file: mode=0640 owner=security group=security path="{{ security_tracker_dir }}/tracker.db"
-- name: create ssl cert
+- name: Create ssl cert
   include_role:
     name: certificate
   vars:
     domains: ["{{ security_tracker_domain }}"]
-- name: set up nginx
+- name: Set up nginx
   template: src=nginx.d.conf.j2 dest="{{ security_tracker_nginx_conf }}" owner=root group=root mode=644
   notify:
     - reload nginx
   when: maintenance is not defined
   tags: ['nginx']
-- name: make nginx log dir
+- name: Make nginx log dir
   file: path=/var/log/nginx/{{ security_tracker_domain }} state=directory owner=root group=root mode=0755
-- name: configure security-tracker
+- name: Configure security-tracker
   template: src=20-user.local.conf.j2 dest={{ security_tracker_dir }}/config/20-user.local.conf owner=security group=security mode=0640
-- name: deploy security-tracker
+- name: Deploy security-tracker
   template: src=security-tracker.ini.j2 dest=/etc/uwsgi/vassals/security-tracker.ini owner=security group=http mode=0644
-- name: deploy new release
+- name: Deploy new release
   become: true
   become_user: security
   file: path=/etc/uwsgi/vassals/security-tracker.ini state=touch owner=security group=http mode=0644
   when: release.changed
-- name: start and enable security-tracker timer
+- name: Start and enable security-tracker timer
   systemd:
     name: security-tracker-update.timer
     enabled: true
diff --git a/roles/sources/tasks/main.yml b/roles/sources/tasks/main.yml
index a45450614fba9ac33a77a36369e8afdc9d54867a..16374603c23b4b68d104e567a66ba24f10744602 100644
--- a/roles/sources/tasks/main.yml
+++ b/roles/sources/tasks/main.yml
@@ -1,23 +1,23 @@
-- name: create ssl cert
+- name: Create ssl cert
   include_role:
     name: certificate
   vars:
     domains: ["{{ sources_domain }}"]
-- name: set up nginx
+- name: Set up nginx
   template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/sources.conf owner=root group=root mode=0644
   notify:
     - reload nginx
   tags: ['nginx']
-- name: make nginx log dir
+- name: Make nginx log dir
   file: path=/var/log/nginx/{{ sources_domain }} state=directory owner=root group=root mode=0755
-- name: make sources dir
+- name: Make sources dir
   file: path={{ sources_dir }} state=directory owner=root group=root mode=0755
-- name: make symlink to repo sources
+- name: Make symlink to repo sources
   file: path={{ sources_dir }}/sources src=/srv/ftp/sources state=link owner=root group=root mode=0755
-- name: make symlink to other sources
+- name: Make symlink to other sources
   file: path={{ sources_dir }}/other src=/srv/ftp/other state=link owner=root group=root mode=0755
diff --git a/roles/sshd/handlers/main.yml b/roles/sshd/handlers/main.yml
index d63f84c8aa4a661bdbdc34d7af5c67bb63979ad7..a37351ecc6f8d75f6f731728f02e561433971510 100644
--- a/roles/sshd/handlers/main.yml
+++ b/roles/sshd/handlers/main.yml
@@ -1,2 +1,2 @@
-- name: restart sshd
+- name: Restart sshd
   service: name=sshd state=restarted
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
index a594e0d487c0e3e57bc42821703d821f8fc7cd55..635085f8bacbf3d6754a961045b9b782d2f7d798 100644
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@@ -1,25 +1,25 @@
-- name: install openssh
+- name: Install openssh
   pacman: name=openssh state=present
-- name: configure sshd
+- name: Configure sshd
   template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644 validate='/usr/sbin/sshd -t -f %s'
   notify:
     - restart sshd
-- name: set file permissions
+- name: Set file permissions
   file: path=/etc/ssh mode=0600
-- name: install motd
+- name: Install motd
   template: src=motd.j2 dest=/etc/motd owner=root group=root mode=0644
 - name: Create the includes dir
   file: path="{{ sshd_includes_dir }}" state=directory mode=0600
   when: sshd_enable_includes
-- name: start and enable sshd
+- name: Start and enable sshd
   service: name=sshd enabled=yes state=started
-- name: open firewall holes
+- name: Open firewall holes
   ansible.posix.firewalld: service=ssh permanent=true state=enabled immediate=yes
   when: configure_firewall is defined and configure_firewall
   tags:
diff --git a/roles/sudo/tasks/main.yml b/roles/sudo/tasks/main.yml
index e560152455e76b2586b8c4a88f5a385f82031bad..6063f584bc420947df91503aaafae95de9903ff5 100644
--- a/roles/sudo/tasks/main.yml
+++ b/roles/sudo/tasks/main.yml
@@ -1,18 +1,18 @@
-- name: install sudo
+- name: Install sudo
   pacman: name=sudo state=present
 # https://github.com/ansible/ansible/issues/11024
-- name: remove all users from wheel group
+- name: Remove all users from wheel group
   command: groupmems -g wheel --purge
   register: groupmems
   changed_when: "groupmems.rc == 0"
-- name: add sudo users to wheel
+- name: Add sudo users to wheel
   user: name="{{ item }}" append=yes groups=wheel
   with_items: "{{ sudo_users }}"
   tags: ['archusers']
-- name: allow wheel group to use sudo
+- name: Allow wheel group to use sudo
   lineinfile:
     dest: /etc/sudoers
     state: present
@@ -24,7 +24,7 @@
     owner: root
     group: root
-- name: secure path to protect against attacks
+- name: Secure path to protect against attacks
   lineinfile:
     dest: /etc/sudoers
     state: present
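Review bot: `file: path=/etc/ssh mode=0600` in the `Set file permissions` task, and `mode=0600` on the `Create the includes dir` task, apply a file-style mode to directories: without the search bit root still traverses them, so sshd keeps working, but no unprivileged user can open `/etc/ssh/ssh_config` or `ssh_known_hosts`, and the value reads as if it were meant for a file. If root-only access is the intent, `mode=0700` states that explicitly and behaves identically for root; if it is not, the conventional layout is `0755` on the directory with the private host keys kept at `0600`. Both lines are unchanged context in this hunk, so this predates the commit and may well be deliberate; a one-line comment on the `Set file permissions` task saying which it is would settle it for the next reader.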
diff --git a/roles/syncarchive/tasks/main.yml b/roles/syncarchive/tasks/main.yml
index 8ac16dc5388a3faa38fa8e9b60dded38e6e67cac..a6518940554c82c16ea8f8055e48c98f6a10822f 100644
--- a/roles/syncarchive/tasks/main.yml
+++ b/roles/syncarchive/tasks/main.yml
@@ -1,16 +1,16 @@
-- name: install rsync
+- name: Install rsync
   pacman: name=rsync state=present
-- name: install syncarchive script
+- name: Install syncarchive script
   copy: src=syncarchive dest=/usr/local/bin/syncarchive owner=root group=root mode=0755
-- name: install syncarchive units
+- name: Install syncarchive units
   copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
   with_items:
     - syncarchive.timer
     - syncarchive.service
-- name: start and enable syncarchive units
+- name: Start and enable syncarchive units
   systemd:
     name: "{{ item }}"
     enabled: true
diff --git a/roles/syncdebug/tasks/main.yml b/roles/syncdebug/tasks/main.yml
index e315e87dfb6590493d5dc6f23c31524c8c120ef7..16903b39cf2f776a9dab07c5e153db6b3e19d737 100644
--- a/roles/syncdebug/tasks/main.yml
+++ b/roles/syncdebug/tasks/main.yml
@@ -1,16 +1,16 @@
-- name: install rsync
+- name: Install rsync
   pacman: name=rsync state=present
-- name: install syncdebug script
+- name: Install syncdebug script
   copy: src=syncdebug dest=/usr/local/bin/syncdebug owner=root group=root mode=0755
-- name: install syncdebug units
+- name: Install syncdebug units
   copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
   with_items:
     - syncdebug.timer
     - syncdebug.service
-- name: start and enable syncdebug units
+- name: Start and enable syncdebug units
   systemd:
     name: "{{ item }}"
     enabled: true
diff --git a/roles/syncrepo/tasks/main.yml b/roles/syncrepo/tasks/main.yml
index 5dc6efe9dbbfd1b50fb5e30a6bad25e9584bd137..f72356ed5bdaeff237158c59ae8f8636388d706a 100644
--- a/roles/syncrepo/tasks/main.yml
+++ b/roles/syncrepo/tasks/main.yml
@@ -1,11 +1,11 @@
-- name: create ssl cert
+- name: Create ssl cert
   include_role:
     name: certificate
   vars:
     domains: ["{{ mirror_domain }}"]
   when: 'mirror_domain is defined'
-- name: create ssl cert for geo mirror
+- name: Create ssl cert for geo mirror
   include_role:
     name: certificate
   vars:
@@ -13,22 +13,22 @@
     challenge: "DNS-01"
   when: "'geo_mirrors' in group_names"
-- name: install rsync
+- name: Install rsync
   pacman: name=rsync state=present
-- name: install syncrepo script
+- name: Install syncrepo script
   copy: src=syncrepo dest=/usr/local/bin/syncrepo owner=root group=root mode=0755
-- name: install syncrepo units
+- name: Install syncrepo units
   copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
   with_items:
     - syncrepo.timer
     - syncrepo.service
-- name: install rsyncd config
+- name: Install rsyncd config
   copy: src=rsyncd.conf dest=/etc/rsyncd.conf owner=root group=root mode=0644
-- name: start and enable syncrepo units
+- name: Start and enable syncrepo units
   systemd:
     name: "{{ item }}"
     enabled: true
@@ -38,7 +38,7 @@
     - syncrepo.timer
     - rsyncd.socket
-- name: set local mirror as cachedir
+- name: Set local mirror as cachedir
   lineinfile:
     dest: /etc/pacman.conf
     insertafter: '^#CacheDir'
@@ -48,12 +48,12 @@
     owner: root
     group: root
-- name: make nginx log dirs
+- name: Make nginx log dirs
   file: path=/var/log/nginx/{{ item }} state=directory owner=root group=root mode=0755
   loop: "{{ [mirror_domain, geo_mirror_domain] if 'geo_mirrors' in group_names else [mirror_domain] }}"
   when: 'mirror_domain is defined'
-- name: set up nginx
+- name: Set up nginx
   template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/syncrepo.conf owner=root group=root mode=0644
   vars:
     mirror_domains: "{{ [mirror_domain, geo_mirror_domain] if 'geo_mirrors' in group_names else [mirror_domain] }}"
@@ -62,7 +62,7 @@
   when: 'mirror_domain is defined'
   tags: ['nginx']
-- name: open firewall holes
+- name: Open firewall holes
   ansible.posix.firewalld: service=rsyncd permanent=true state=enabled immediate=yes
   when: configure_firewall
   tags:
diff --git a/roles/terraform_state/tasks/main.yml b/roles/terraform_state/tasks/main.yml
index d602387d4d307fa7f3dccbc0d9f36104423f721b..1a83c15591e787b810d14fc144a4d06bbc05ed08 100644
--- a/roles/terraform_state/tasks/main.yml
+++ b/roles/terraform_state/tasks/main.yml
@@ -1,10 +1,10 @@
-- name: create terraform state db
+- name: Create terraform state db
   postgresql_db: db="{{ terraform_db }}"
   become: true
   become_user: postgres
   become_method: su
-- name: create terraform state db user
+- name: Create terraform state db user
   postgresql_user:
     name: "{{ terraform_db_user }}"
     db: "{{ terraform_db }}"
diff --git a/roles/tools/tasks/main.yml b/roles/tools/tasks/main.yml
index f72b609f389ca9056756b40720370cbe2a3e51f8..b7437bfacfa886d1141d4fd3d82cdc2bf4a0f690 100644
--- a/roles/tools/tasks/main.yml
+++ b/roles/tools/tasks/main.yml
@@ -1,4 +1,4 @@
-- name: install misc utils
+- name: Install misc utils
   pacman:
     state: present
     name:
@@ -8,6 +8,6 @@
       - parallel
       - nnn # Added for it's screen reader support
-- name: install extra utils
+- name: Install extra utils
   pacman: state=present name={{ extra_utils }}
   when: extra_utils is defined
diff --git a/roles/unbound/handlers/main.yml b/roles/unbound/handlers/main.yml
index 3bf127d2b99db687351795ae89c2b56d93133af8..cc72bd28b7223581458b2060c645547092dc7b9c 100644
--- a/roles/unbound/handlers/main.yml
+++ b/roles/unbound/handlers/main.yml
@@ -1,2 +1,2 @@
-- name: restart unbound
+- name: Restart unbound
   service: name=unbound state=restarted
diff --git a/roles/uwsgi/handlers/main.yml b/roles/uwsgi/handlers/main.yml
index 1bc35c1ed90105d5363e2a49c5ac73141928b111..cff428b7016e83dba43772e9a0166ea8705d2375 100644
--- a/roles/uwsgi/handlers/main.yml
+++ b/roles/uwsgi/handlers/main.yml
@@ -1,2 +1,2 @@
-- name: restart emperor.uwsgi
+- name: Restart emperor.uwsgi
   service: name=emperor.uwsgi state=restarted
diff --git a/roles/uwsgi/tasks/main.yml b/roles/uwsgi/tasks/main.yml
index a09b00d734b900bcfcca3b2c12b7ede3ba693160..c8057d8504e02e5a081204312c33038780e0715e 100644
--- a/roles/uwsgi/tasks/main.yml
+++ b/roles/uwsgi/tasks/main.yml
@@ -1,19 +1,19 @@
-- name: install uwsgi
+- name: Install uwsgi
   pacman: name=uwsgi,uwsgitop state=present
-- name: make uwsgi user
+- name: Make uwsgi user
   user: name=uwsgi shell=/bin/false home=/ createhome=no
-- name: configure uwsgi
+- name: Configure uwsgi
   template: src=emperor.ini.j2 dest=/etc/uwsgi/emperor.ini owner=root group=root mode=0644
   notify:
     - restart emperor.uwsgi
-- name: vassals directory
+- name: Vassals directory
   file: state=directory path=/etc/uwsgi/vassals owner=root group=root mode=0755
-- name: create default uwsgi log directory
+- name: Create default uwsgi log directory
   file: state=directory path=/var/log/uwsgi owner=uwsgi group=http mode=0770
-- name: enable and start emperor.uwsgi.service
+- name: Enable and start emperor.uwsgi.service
   service: name=emperor.uwsgi enabled=yes state=started
diff --git a/roles/wireguard/handlers/main.yml b/roles/wireguard/handlers/main.yml
index 3b8c69445fef7d9135012331927d780a71f9dc0f..b1fe9cf89a4c8211294537c38a4c7f8a95b066f4 100644
--- a/roles/wireguard/handlers/main.yml
+++ b/roles/wireguard/handlers/main.yml
@@ -1,10 +1,10 @@
 # https://github.com/systemd/systemd/issues/9627
-- name: delete wg0
+- name: Delete wg0
   command: networkctl delete wg0
   register: result
   failed_when: result.rc not in [0, 1]
   listen: reload wireguard
-- name: reload .network and .netdev files
+- name: Reload .network and .netdev files
   command: networkctl reload
   listen: reload wireguard
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
index e40ae064afa976a46a19720a091b340ebfb32bba..445a12851b56808f252d36681a4ea4be630dc48a 100644
--- a/roles/wireguard/tasks/main.yml
+++ b/roles/wireguard/tasks/main.yml
@@ -1,24 +1,24 @@
 # Used for debugging
-- name: install wireguard-tools
+- name: Install wireguard-tools
   pacman: name=wireguard-tools state=present
-- name: install wireguard configuration
+- name: Install wireguard configuration
   template: src={{ item.src }} dest=/etc/systemd/network/{{ item.dest }} owner=root group=systemd-network mode=0640
   loop:
     - {src: wg0.netdev.j2, dest: wg0.netdev}
     - {src: wg0.network.j2, dest: wg0.network}
   notify: reload wireguard
-- name: create wireguard zone
+- name: Create wireguard zone
   ansible.posix.firewalld: zone=wireguard permanent=yes state=present
   register: result
-- name: reload firewalld
+- name: Reload firewalld
   service: name=firewalld state=reloaded
   when: result.changed
-- name: add wg0 to the wireguard zone
+- name: Add wg0 to the wireguard zone
   ansible.posix.firewalld: zone=wireguard interface=wg0 permanent=yes immediate=yes state=enabled
-- name: open firewall holes
+- name: Open firewall holes
   ansible.posix.firewalld: port=51820/udp permanent=yes immediate=yes state=enabled