Update ansible role ffmwu-build

* use ecdsautils from ffmwu debian repo instead of building from source
 * remove some trailing white spaces
 * use command module instead of shell module where it is possible
 * update module syntax to list form for better reading
 * role ffmwu-build should be idempotent now

ffmwu-build.yml

@@ -4,5 +4,5 @@
   remote_user: admin
   strategy: linear
 
-  roles: 
+  roles:
   - ffmwu-build

roles/ffmwu-build/handlers/main.yml

@@ -1,8 +1,15 @@
 ---
 - name: check apache syntax
-  shell: apachectl -t
+  command: /usr/sbin/apachectl -t
   become: true
 
 - name: restart systemd unit apache2
-  systemd: name=apache2 state=restarted
+  systemd:
+    name: apache2
+    state: restarted
+  become: true
+
+- name: update apt cache
+  apt:
+    update_cache: yes
   become: true

roles/ffmwu-build/tasks/ecdsautils.yml

@@ -1,28 +0,0 @@
----
-- name: checkout ecdsautils repo
-  git: repo=https://github.com/tcatm/ecdsautils.git
-       dest=/home/admin/clones/ecdsautils
-       version=v0.3.2
-
-- name: create build directory
-  file: path=/home/admin/clones/ecdsautils/build state=directory
-
-- name: build ecdsautils
-  shell: "{{ item }}"
-  args:
-    chdir: /home/admin/clones/ecdsautils/build
-  with_items:
-    - cmake ..
-    - make
-
-- name: install ecdsautils to /usr/local/bin
-  copy:
-    src: "{{ item }}"
-    dest: /usr/local/bin/
-    mode: 0755
-    remote_src: True
-  with_items:
-    - /home/admin/clones/ecdsautils/build/src/ecdsakeygen
-    - /home/admin/clones/ecdsautils/build/src/ecdsaverify
-    - /home/admin/clones/ecdsautils/build/src/ecdsasign
-  become: true

roles/ffmwu-build/tasks/git-repos.yml

@@ -0,0 +1,6 @@
+---
+- name: checkout sites-ffmwu repo
+  git:
+    repo: https://github.com/freifunk-mwu/sites-ffmwu.git
+    dest: /home/admin/clones/sites-ffmwu
+    version: stable

roles/ffmwu-build/tasks/main.yml

@@ -1,6 +1,5 @@
 ---
-- include: tasks/packages.yml
-- include: tasks/ecdsautils.yml
-- include: tasks/repos.yml
-- include: tasks/rsync.yml
-- include: tasks/web.yml
+- include: packages.yml
+- include: git-repos.yml
+- include: rsyncd.yml
+- include: web.yml

roles/ffmwu-build/tasks/packages.yml

@@ -1,14 +1,37 @@
 ---
 - name: add apt repository of neoraider
-  apt_repository: repo='deb https://repo.universe-factory.net/debian/ sid main' state=present filename='neoraider'
+  apt_repository:
+    repo: 'deb https://repo.universe-factory.net/debian/ sid main'
+    state: present
+    filename: 'neoraider'
   become: true
+  notify: update apt cache
+
+- name: add apt repository of freifunk-mwu
+  apt_repository:
+    repo: 'deb http://repo.freifunk-mwu.de/debian/ jessie main'
+    state: present
+    filename: 'ffmwu'
+  become: true
+  notify: update apt cache
 
 - name: add apt-key of neoraider
-  apt_key: keyserver=keyserver.ubuntu.com id=16EF3F64CB201D9C state=present
+  apt_key:
+    keyserver: keyserver.ubuntu.com
+    id: 16EF3F64CB201D9C
+    state: present
   become: true
+  notify: update apt cache
+
+- name: add apt-key of freifunk-mwu package sigs
+  apt_key:
+    url: http://repo.freifunk-mwu.de/83A70084.gpg.key
+    state: present
+  become: true
+  notify: update apt cache
 
 - name: install needed packages for build-server
-  apt: 
+  apt:
     state: present
     name: "{{ item }}"
     update_cache: yes
@@ -17,13 +40,12 @@
     - apache2
     - apache2-utils
     - build-essential
-    - cmake
+    - ecdsautils
     - gawk
     - git
     - haveged
     - libncurses5-dev
     - libssl-dev
-    - libuecc-dev
     - pkg-config
     - subversion
     - unzip

roles/ffmwu-build/tasks/repos.yml

@@ -1,4 +0,0 @@
----
-- name: checkout sites-ffmwu repo
-  git: repo=https://github.com/freifunk-mwu/sites-ffmwu.git
-       dest=/home/admin/clones/sites-ffmwu

roles/ffmwu-build/tasks/rsyncd.yml

@@ -1,10 +1,16 @@
 ---
 - name: install rsnycd configuration file
-  copy: src=rsyncd.conf dest=/etc/rsyncd.conf mode=640
+  copy:
+    src: rsyncd.conf
+    dest: /etc/rsyncd.conf
+    mode: 0640
   become: true
 
 - name: install rsnyc systemd unit
-  copy: src=rsync.service dest=/etc/systemd/system/ mode=644
+  copy:
+    src: rsync.service
+    dest: /etc/systemd/system/
+    mode: 0644
   become: true
 
 - name: ensure rsync is started on boot as a daemon

roles/ffmwu-build/tasks/web.yml

@@ -1,89 +1,123 @@
 ---
-- name: ensure webroot owns by user/group admin
-  file: dest=/var/www/html owner=admin group=admin recurse=yes
+- name: ensure webroot owned by user/group admin
+  file:
+    dest: /var/www/html
+    owner: admin
+    group: admin
+    recurse: yes
   become: true
 
 - name: enable apache module ssl
-  apache2_module: state=present name=ssl
+  apache2_module:
+    state: present
+    name: ssl
   become: true
   notify:
     - check apache syntax
     - restart systemd unit apache2
 
-- name: disable default apache sites and unwanted default configs
-  shell: a2dissite "{{ item }}"
-  with_items:
-    - 000-default
-    - default-ssl
+- name: disable default apache http site
+  command: /usr/sbin/a2dissite 000-default
+  args:
+    removes: /etc/apache2/sites-enabled/000-default.conf
   become: true
   notify:
     - check apache syntax
     - restart systemd unit apache2
 
-- shell: a2disconf "{{ item }}"
-  with_items:
-    - other-vhosts-access-log.conf
+- name: disable default apache https site
+  command: /usr/sbin/a2dissite default-ssl
+  args:
+    removes: /etc/apache2/sites-enabled/default-ssl.conf
   become: true
   notify:
     - check apache syntax
     - restart systemd unit apache2
 
-- name: configure apache ssl module settings
-  lineinfile: dest=/etc/apache2/mods-enabled/ssl.conf
-              regexp="^([\s\t]+)?SSLCipherSuite"
-              line="SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
-              state=present
+- name: disable unwanted default configs
+  command: /usr/sbin/a2disconf other-vhosts-access-log
+  args:
+    removes: /etc/apache2/conf-enabled/other-vhosts-access-log.conf
   become: true
   notify:
     - check apache syntax
     - restart systemd unit apache2
 
-- lineinfile: dest=/etc/apache2/mods-available/ssl.conf
-              regexp="^([\s\t]+)?SSLProtocol"
-              line="SSLProtocol all -SSLv2 -SSLv3"
-              state=present
+- name: configure apache ssl cipher suites
+  lineinfile:
+    dest: /etc/apache2/mods-enabled/ssl.conf
+    regexp: '^([\s\t]+)?SSLCipherSuite'
+    line: "SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
+    state: present
+  become: true
+  notify:
+    - check apache syntax
+    - restart systemd unit apache2
+
+- name: configure apache ssl protocols
+  lineinfile:
+    dest: /etc/apache2/mods-available/ssl.conf
+    regexp: '^([\s\t]+)?SSLProtocol'
+    line: "SSLProtocol all -SSLv2 -SSLv3"
+    state: present
   become: true
   notify:
     - check apache syntax
     - restart systemd unit apache2
 
 - name: configure apache security settings
-  lineinfile: dest=/etc/apache2/conf-available/security.conf
-              regexp="^ServerTokens"
-              line="ServerTokens Prod"
-              state=present
+  lineinfile:
+    dest: /etc/apache2/conf-available/security.conf
+    regexp: "^ServerTokens"
+    line: "ServerTokens Prod"
+    state: present
   become: true
   notify:
     - check apache syntax
     - restart systemd unit apache2
 
-- lineinfile: dest=/etc/apache2/conf-available/security.conf
-              regexp="^ServerSignature"
-              line="ServerSignature EMail"
-              state=present
+- name: configure apache server signature
+  lineinfile:
+    dest: /etc/apache2/conf-available/security.conf
+    regexp: "^ServerSignature"
+    line: "ServerSignature EMail"
+    state: present
   become: true
   notify:
     - check apache syntax
     - restart systemd unit apache2
 
-- name: write ffmwu apache sites
-  template: src=ffmwu-default-http.conf.j2 dest=/etc/apache2/sites-available/ffmwu-default-http.conf
+- name: write ffmwu http site
+  template:
+    src: ffmwu-default-http.conf.j2
+    dest: /etc/apache2/sites-available/ffmwu-default-http.conf
   become: true
   notify:
     - check apache syntax
     - restart systemd unit apache2
 
-- template: src=ffmwu-default-https.conf.j2 dest=/etc/apache2/sites-available/ffmwu-default-https.conf
+- name: write ffmwu https site
+  template:
+    src: ffmwu-default-https.conf.j2
+    dest: /etc/apache2/sites-available/ffmwu-default-https.conf
   become: true
   notify:
     - check apache syntax
     - restart systemd unit apache2
 
-- name: enable ffmwu apache sites
-  shell: a2ensite "{{ item }}"
-  with_items:
-    - ffmwu-default-http
-    - ffmwu-default-https
+- name: enable ffmwu apache http site
+  command: /usr/sbin/a2ensite ffmwu-default-http
+  args:
+    creates: /etc/apache2/sites-enabled/ffmwu-default-http.conf
+  become: true
+  notify:
+    - check apache syntax
+    - restart systemd unit apache2
+
+- name: enable ffmwu apache https site
+  command: /usr/sbin/a2ensite ffmwu-default-https
+  args:
+    creates: /etc/apache2/sites-enabled/ffmwu-default-https.conf
   become: true
   notify:
     - check apache syntax

roles/ffmwu-build/templates/ffmwu-default-http.conf.j2

@@ -2,9 +2,9 @@
 	ServerName {{ inventory_hostname }}
 	ServerAdmin webmaster@freifunk-mwu.de
 
-	DocumentRoot /var/www/html/firmware
+	DocumentRoot /var/www/html
 
-	<Directory /var/www/html/firmware>
+	<Directory /var/www/html>
 			Options +Indexes +FollowSymlinks
 			IndexOptions FancyIndexing +FoldersFirst +HTMLTable +NameWidth=*
 			AllowOverride None

roles/ffmwu-build/templates/ffmwu-default-https.conf.j2

@@ -3,9 +3,9 @@
 		ServerAdmin webmaster@freifunk-mwu.de
 		ServerName {{ inventory_hostname }}
 
-		DocumentRoot /var/www/html/firmware
+		DocumentRoot /var/www/html
 
-		<Directory /var/www/html/firmware>
+		<Directory /var/www/html>
 				Options +Indexes +FollowSymlinks
 				IndexOptions FancyIndexing +FoldersFirst +HTMLTable +NameWidth=*
 				AllowOverride None