diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 342d522..2f3b0d2 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -26,6 +26,18 @@ v0.2.8 - Add ``debops.dhparam`` role, included in the ``common.yml`` playbook by default. [drybjed] +- Redesign common playbooks to only work with hosts that are in + ``[debops_all_hosts]`` inventory group. This should improve support for + non-DebOps managed hosts in Ansible inventory, but it requires modification + of existing inventories. [drybjed] + +- Add ``debops.sshd`` configuration variables to ``debops.apt_preferences``, + ``debops.ferm`` and ``debops.tcpwrappers`` configuration in common playbook. + [drybjed] + +- Add set of common "service" playbooks that invoke Ansible roles that are used + on all hosts. [drybjed] + v0.2.7 ------ diff --git a/playbooks/bootstrap.yml b/playbooks/bootstrap.yml index c3315ca..c8c0a07 100644 --- a/playbooks/bootstrap.yml +++ b/playbooks/bootstrap.yml @@ -30,7 +30,7 @@ - name: Bootstrap host for Ansible management - hosts: 'all:!localhost' + hosts: 'debops_all_hosts' gather_facts: False roles: diff --git a/playbooks/common.yml b/playbooks/common.yml index b24f695..f5e6d5c 100644 --- a/playbooks/common.yml +++ b/playbooks/common.yml @@ -3,13 +3,15 @@ - include: core.yml - name: Common configuration for all hosts - hosts: 'all:!localhost:!debops_no_common' + hosts: 'debops_all_hosts:!debops_no_common' gather_facts: True become: True roles: - role: debops.apt_preferences tags: [ 'apt_preferences', 'role::apt_preferences' ] + apt_preferences_dependent_list: + - '{{ sshd_apt_preferences_dependent_list | d([]) }}' - role: debops.etc_services tags: [ 'etc_services', 'role::etc_services' ] 
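Review bot: The new `hosts: 'debops_all_hosts'` pattern in `playbooks/bootstrap.yml` matches nothing on an inventory that does not yet define `[debops_all_hosts]`, and Ansible skips a play with no matching hosts instead of failing, so a run can finish cleanly without managing any host. The same applies to the `hosts:` changes in `playbooks/common.yml` and `playbooks/core.yml`, where hosts previously covered by `all:!localhost` would quietly stop receiving the common baseline, including `debops.ferm` and `debops.tcpwrappers`. The changelog mentions the inventory change, but I would also put a comment above each `hosts:` line, for example `# Only hosts in [debops_all_hosts] are managed; a missing or empty group means this play is skipped`. Consider a guard that fails when the group is empty. The play continues outside this hunk.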
@@ -31,9 +33,13 @@ - role: debops.ferm tags: [ 'ferm', 'role::ferm' ] + ferm_dependent_rules: + - '{{ (sshd_ferm_dependent_rules | d([])) }}' - role: debops.tcpwrappers tags: [ 'tcpwrappers', 'role::tcpwrappers' ] + tcpwrappers_dependent_allow: + - '{{ sshd_tcpwrappers_dependent_allow | d([]) }}' - role: debops.ntp tags: [ 'ntp', 'role::ntp' ] diff --git a/playbooks/core.yml b/playbooks/core.yml index cc6a607..2bac51f 100644 --- a/playbooks/core.yml +++ b/playbooks/core.yml @@ -1,7 +1,7 @@ --- - name: Prepare core environment - hosts: 'all:!localhost' + hosts: 'debops_all_hosts' become: False roles: diff --git a/playbooks/service/apt_preferences.yml b/playbooks/service/apt_preferences.yml new file mode 100644 index 0000000..db2efd4 --- /dev/null +++ b/playbooks/service/apt_preferences.yml @@ -0,0 +1,11 @@ +--- + +- name: Manage APT preferences + hosts: 'debops_all_hosts:debops_service_apt_preferences' + become: True + + roles: + + - role: debops.apt_preferences + tags: [ 'role::apt_preferences' ] + diff --git a/playbooks/service/atd.yml b/playbooks/service/atd.yml new file mode 100644 index 0000000..9950263 --- /dev/null +++ b/playbooks/service/atd.yml @@ -0,0 +1,11 @@ +--- + +- name: Manage at service + hosts: 'debops_all_hosts:debops_service_atd' + become: True + + roles: + + - role: debops.atd + tags: [ 'role::atd' ] + diff --git a/playbooks/service/dhparam.yml b/playbooks/service/dhparam.yml new file mode 100644 index 0000000..e5683c9 --- /dev/null +++ b/playbooks/service/dhparam.yml @@ -0,0 +1,11 @@ +--- + +- name: Manage Diffie-Hellman parameters + hosts: 'debops_all_hosts:debops_service_dhparam' + become: True + + roles: + + - role: debops.dhparam + tags: [ 'role::dhparam' ] + diff --git a/playbooks/service/directories.yml b/playbooks/service/directories.yml new file mode 100644 index 0000000..00d2ee7 --- /dev/null +++ b/playbooks/service/directories.yml 
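Review bot: The `| d([])` fallback on `sshd_ferm_dependent_rules` and `sshd_tcpwrappers_dependent_allow` hides the case where those variables are undefined, so `debops.ferm` and `debops.tcpwrappers` would be applied with no SSH entries and nothing would report it. Whether `debops.sshd` is part of this play is not visible in the hunk; if it is not, the variables presumably exist only when the inventory sets them, and a deny-by-default firewall or `hosts.deny` could then cut off SSH access. I would add a comment above each list such as `# sshd_* values come from debops.sshd; an empty list means no SSH allow entry is generated`, or drop the default so an undefined variable fails loudly. The same fallback is used for `apt_preferences_dependent_list` in the first hunk of this file and in `playbooks/service/sshd.yml`.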
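Review bot: In an Ansible host pattern `:` is a union, so `debops_all_hosts:debops_service_apt_preferences` in `playbooks/service/apt_preferences.yml` selects every host in either group, not only hosts in both. A host listed in `[debops_service_apt_preferences]` alone is therefore managed with `become: True` even though it is outside `[debops_all_hosts]`. If that is intended, a comment above the `hosts:` line would stop readers assuming an intersection, e.g. `# Union: all DebOps hosts plus hosts explicitly added to the service group`. If the service playbooks are meant to be limited to `[debops_all_hosts]` like the common ones, the pattern would need `:&` instead. The other new files under `playbooks/service/` use the same form.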
@@ -0,0 +1,11 @@
+---
+
+- name: Manage custom directories
+ hosts: 'debops_all_hosts:debops_service_directories'
+ become: True
+
+ roles:
+
+ - role: debops.directories
+ tags: [ 'role::directories' ]
+
diff --git a/playbooks/service/etc_services.yml b/playbooks/service/etc_services.yml
new file mode 100644
index 0000000..4e71376
--- /dev/null
+++ b/playbooks/service/etc_services.yml
@@ -0,0 +1,11 @@
+---
+
+- name: Manage service database
+ hosts: 'debops_all_hosts:debops_service_etc_services'
+ become: True
+
+ roles:
+
+ - role: debops.etc_services
+ tags: [ 'role::etc_services' ]
+
diff --git a/playbooks/service/ferm.yml b/playbooks/service/ferm.yml
new file mode 100644
index 0000000..ed1d911
--- /dev/null
+++ b/playbooks/service/ferm.yml
@@ -0,0 +1,11 @@
+---
+
+- name: Manage firewall using ferm
+ hosts: 'debops_all_hosts:debops_service_ferm'
+ become: True
+
+ roles:
+
+ - role: debops.ferm
+ tags: [ 'role::ferm' ]
+
diff --git a/playbooks/service/ifupdown.yml b/playbooks/service/ifupdown.yml
new file mode 100644
index 0000000..a6191f1
--- /dev/null
+++ b/playbooks/service/ifupdown.yml
@@ -0,0 +1,11 @@
+---
+
+- name: Manage network configuration
+ hosts: 'debops_all_hosts:debops_service_ifupdown'
+ become: True
+
+ roles:
+
+ - role: debops.ifupdown
+ tags: [ 'role::ifupdown' ]
+
diff --git a/playbooks/service/pki.yml b/playbooks/service/pki.yml
new file mode 100644
index 0000000..70f4798
--- /dev/null
+++ b/playbooks/service/pki.yml
@@ -0,0 +1,11 @@
+---
+
+- name: Manage Public Key Infrastructure
+ hosts: 'debops_all_hosts:debops_service_pki'
+ become: True
+
+ roles:
+
+ - role: debops.pki
+ tags: [ 'role::pki' ]
+
diff --git a/playbooks/service/rsyslog.yml b/playbooks/service/rsyslog.yml
new file mode 100644
index 0000000..0f7fd31
--- /dev/null
+++ b/playbooks/service/rsyslog.yml
@@ -0,0 +1,11 @@
+---
+
+- name: Manage rsyslog
+ hosts: 'debops_all_hosts:debops_service_rsyslog'
+ become: True
+
+ roles:
+
+ - role: debops.rsyslog
+ tags: [ 'role::rsyslog' ]
+
diff --git a/playbooks/service/sshd.yml b/playbooks/service/sshd.yml
new file mode 100644
index 0000000..7a8fc8f
--- /dev/null
+++ b/playbooks/service/sshd.yml
@@ -0,0 +1,26 @@
+---
+
+- name: Manage OpenSSH Server
+ hosts: 'debops_all_hosts:debops_service_sshd'
+ become: True
+
+ roles:
+
+ - role: debops.apt_preferences
+ tags: [ 'role::apt_preferences' ]
+ apt_preferences_dependent_list:
+ - '{{ sshd_apt_preferences_dependent_list | d([]) }}'
+
+ - role: debops.ferm
+ tags: [ 'role::ferm' ]
+ ferm_dependent_rules:
+ - '{{ sshd_ferm_dependent_rules | d([]) }}'
+
+ - role: debops.tcpwrappers
+ tags: [ 'role::tcpwrappers' ]
+ tcpwrappers_dependent_allow:
+ - '{{ sshd_tcpwrappers_dependent_allow | d([]) }}'
+
+ - role: debops.sshd
+ tags: [ 'role::sshd' ]
+
diff --git a/playbooks/service/sshkeys.yml b/playbooks/service/sshkeys.yml
new file mode 100644
index 0000000..42186a6
--- /dev/null
+++ b/playbooks/service/sshkeys.yml
@@ -0,0 +1,11 @@
+---
+
+- name: Manage system-wide SSH keys
+ hosts: 'debops_all_hosts:debops_service_sshkeys'
+ become: True
+
+ roles:
+
+ - role: debops.sshkeys
+ tags: [ 'role::sshkeys' ]
+
diff --git a/playbooks/service/tcpwrappers.yml b/playbooks/service/tcpwrappers.yml
new file mode 100644
index 0000000..cf30cb0
--- /dev/null
+++ b/playbooks/service/tcpwrappers.yml
@@ -0,0 +1,11 @@
+---
+
+- name: Manage TCP Wrappers
+ hosts: 'debops_all_hosts:debops_service_tcpwrappers'
+ become: True
+
+ roles:
+
+ - role: debops.tcpwrappers
+ tags: [ 'role::tcpwrappers' ]
+
diff --git a/playbooks/service/users.yml b/playbooks/service/users.yml
new file mode 100644
index 0000000..fb3fc8e
--- /dev/null
+++ b/playbooks/service/users.yml
@@ -0,0 +1,11 @@
+---
+
+- name: Manage local users and groups
+ hosts: 'debops_all_hosts:debops_service_users'
+ become: True
+
+ roles:
+
+ - role: debops.users
+ tags: [ 'role::users' ]
+