From 6127353ae70c44742a97fc72af5707d7b8ccfb13 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Sat, 26 Nov 2016 14:17:14 +0100 Subject: [PATCH] Update ansible role ffmwu-build * use ecdsautils from ffmwu debian repo instead of building from source * remove some trailing white spaces * use command module instead of shell module where it is possible * update module syntax to list form for better reading * role ffmwu-build should be idempotent now --- ffmwu-build.yml | 2 +- roles/ffmwu-build/handlers/main.yml | 11 +- roles/ffmwu-build/tasks/ecdsautils.yml | 28 ----- roles/ffmwu-build/tasks/git-repos.yml | 6 + roles/ffmwu-build/tasks/main.yml | 9 +- roles/ffmwu-build/tasks/packages.yml | 32 +++++- roles/ffmwu-build/tasks/repos.yml | 4 - .../tasks/{rsync.yml => rsyncd.yml} | 10 +- roles/ffmwu-build/tasks/web.yml | 106 ++++++++++++------ .../templates/ffmwu-default-http.conf.j2 | 4 +- .../templates/ffmwu-default-https.conf.j2 | 4 +- 11 files changed, 129 insertions(+), 87 deletions(-) delete mode 100644 roles/ffmwu-build/tasks/ecdsautils.yml create mode 100644 roles/ffmwu-build/tasks/git-repos.yml delete mode 100644 roles/ffmwu-build/tasks/repos.yml rename roles/ffmwu-build/tasks/{rsync.yml => rsyncd.yml} (62%) diff --git a/ffmwu-build.yml b/ffmwu-build.yml index 1651e02..958d485 100755 --- a/ffmwu-build.yml +++ b/ffmwu-build.yml @@ -4,5 +4,5 @@ remote_user: admin strategy: linear - roles: + roles: - ffmwu-build diff --git a/roles/ffmwu-build/handlers/main.yml b/roles/ffmwu-build/handlers/main.yml index 6df1caf..7996492 100644 --- a/roles/ffmwu-build/handlers/main.yml +++ b/roles/ffmwu-build/handlers/main.yml @@ -1,8 +1,15 @@ --- - name: check apache syntax - shell: apachectl -t + command: /usr/sbin/apachectl -t become: true - name: restart systemd unit apache2 - systemd: name=apache2 state=restarted + systemd: + name: apache2 + state: restarted + become: true + +- name: update apt cache + apt: + update_cache: yes become: true 
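Review bot: The new `update apt cache` handler only runs when handlers are flushed, which by default is at the end of the play, i.e. after the `install needed packages for build-server` task in packages.yml has already executed, so the repository additions that notify it get no cache refresh from this handler in time and the install task is relying on its own `update_cache`. Since `apt_repository` refreshes the cache itself by default, the handler and its notifications are largely redundant; if it is meant to gate the install, a `meta: flush_handlers` task before the package install is needed. If the handler stays, `update_cache: true` is the canonical boolean spelling (yamllint's truthy rule flags `yes`), and the same applies to `update_cache: yes` in packages.yml.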
diff --git a/roles/ffmwu-build/tasks/ecdsautils.yml b/roles/ffmwu-build/tasks/ecdsautils.yml deleted file mode 100644 index 59ab9b9..0000000 --- a/roles/ffmwu-build/tasks/ecdsautils.yml +++ /dev/null @@ -1,28 +0,0 @@ ---- -- name: checkout ecdsautils repo - git: repo=https://github.com/tcatm/ecdsautils.git - dest=/home/admin/clones/ecdsautils - version=v0.3.2 - -- name: create build directory - file: path=/home/admin/clones/ecdsautils/build state=directory - -- name: build ecdsautils - shell: "{{ item }}" - args: - chdir: /home/admin/clones/ecdsautils/build - with_items: - - cmake .. - - make - -- name: install ecdsautils to /usr/local/bin - copy: - src: "{{ item }}" - dest: /usr/local/bin/ - mode: 0755 - remote_src: True - with_items: - - /home/admin/clones/ecdsautils/build/src/ecdsakeygen - - /home/admin/clones/ecdsautils/build/src/ecdsaverify - - /home/admin/clones/ecdsautils/build/src/ecdsasign - become: true diff --git a/roles/ffmwu-build/tasks/git-repos.yml b/roles/ffmwu-build/tasks/git-repos.yml new file mode 100644 index 0000000..52f1d4d --- /dev/null +++ b/roles/ffmwu-build/tasks/git-repos.yml @@ -0,0 +1,6 @@ +--- +- name: checkout sites-ffmwu repo + git: + repo: https://github.com/freifunk-mwu/sites-ffmwu.git + dest: /home/admin/clones/sites-ffmwu + version: stable diff --git a/roles/ffmwu-build/tasks/main.yml b/roles/ffmwu-build/tasks/main.yml index 0b92c72..8200c71 100644 --- a/roles/ffmwu-build/tasks/main.yml +++ b/roles/ffmwu-build/tasks/main.yml @@ -1,6 +1,5 @@ --- -- include: tasks/packages.yml -- include: tasks/ecdsautils.yml -- include: tasks/repos.yml -- include: tasks/rsync.yml -- include: tasks/web.yml +- include: packages.yml +- include: git-repos.yml +- include: rsyncd.yml +- include: web.yml diff --git a/roles/ffmwu-build/tasks/packages.yml b/roles/ffmwu-build/tasks/packages.yml index 9609f7c..6838671 100644 --- a/roles/ffmwu-build/tasks/packages.yml +++ b/roles/ffmwu-build/tasks/packages.yml 
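Review bot: `version: stable` in git-repos.yml pins the checkout to a branch, not a fixed revision, so every run of the role moves `/home/admin/clones/sites-ffmwu` to whatever `stable` currently points at on GitHub (the `git` module updates an existing clone by default); the task is idempotent in the Ansible sense, but the build inputs are not reproducible and a change pushed to that branch silently changes what this server builds. If reproducible builds matter, pin a tag or commit SHA here, or set `update: false` so an existing clone is left alone, and record the intent with a comment such as `# stable is a moving branch; pin a tag/SHA for reproducible builds`.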
@@ -1,14 +1,37 @@ --- - name: add apt repository of neoraider - apt_repository: repo='deb https://repo.universe-factory.net/debian/ sid main' state=present filename='neoraider' + apt_repository: + repo: 'deb https://repo.universe-factory.net/debian/ sid main' + state: present + filename: 'neoraider' become: true + notify: update apt cache + +- name: add apt repository of freifunk-mwu + apt_repository: + repo: 'deb http://repo.freifunk-mwu.de/debian/ jessie main' + state: present + filename: 'ffmwu' + become: true + notify: update apt cache - name: add apt-key of neoraider - apt_key: keyserver=keyserver.ubuntu.com id=16EF3F64CB201D9C state=present + apt_key: + keyserver: keyserver.ubuntu.com + id: 16EF3F64CB201D9C + state: present become: true + notify: update apt cache + +- name: add apt-key of freifunk-mwu package sigs + apt_key: + url: http://repo.freifunk-mwu.de/83A70084.gpg.key + state: present + become: true + notify: update apt cache - name: install needed packages for build-server - apt: + apt: state: present name: "{{ item }}" update_cache: yes @@ -17,13 +40,12 @@ - apache2 - apache2-utils - build-essential - - cmake + - ecdsautils - gawk - git - haveged - libncurses5-dev - libssl-dev - - libuecc-dev - pkg-config - subversion - unzip diff --git a/roles/ffmwu-build/tasks/repos.yml b/roles/ffmwu-build/tasks/repos.yml deleted file mode 100644 index 65e331b..0000000 --- a/roles/ffmwu-build/tasks/repos.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- name: checkout sites-ffmwu repo - git: repo=https://github.com/freifunk-mwu/sites-ffmwu.git - dest=/home/admin/clones/sites-ffmwu diff --git a/roles/ffmwu-build/tasks/rsync.yml b/roles/ffmwu-build/tasks/rsyncd.yml similarity index 62% rename from roles/ffmwu-build/tasks/rsync.yml rename to roles/ffmwu-build/tasks/rsyncd.yml index b48cf2a..208fd74 100644 --- a/roles/ffmwu-build/tasks/rsync.yml +++ b/roles/ffmwu-build/tasks/rsyncd.yml 
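Review bot: The freifunk-mwu signing key in `add apt-key of freifunk-mwu package sigs` is fetched from `http://repo.freifunk-mwu.de/83A70084.gpg.key` over plain HTTP, from the same host that serves the `deb http://repo.freifunk-mwu.de/debian/ jessie main` repository added just above it, so anyone who can tamper with the repository contents in transit can also substitute the key that is supposed to authenticate them; the neoraider repository in the same hunk uses HTTPS plus a keyserver-fetched key id, which is the stronger pattern. If the host serves HTTPS, switch both URLs to it; otherwise at least pass the expected `id:` to `apt_key` (the file name suggests `83A70084`) so the module can confirm which key was imported, or fetch the key with `get_url` and a known `checksum` before importing it. The `notify: update apt cache` on the two `apt_key` tasks is unnecessary, since importing a key does not change the package index, and `apt_repository` already refreshes the cache by default.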
@@ -1,10 +1,16 @@ --- - name: install rsnycd configuration file - copy: src=rsyncd.conf dest=/etc/rsyncd.conf mode=640 + copy: + src: rsyncd.conf + dest: /etc/rsyncd.conf + mode: 0640 become: true - name: install rsnyc systemd unit - copy: src=rsync.service dest=/etc/systemd/system/ mode=644 + copy: + src: rsync.service + dest: /etc/systemd/system/ + mode: 0644 become: true - name: ensure rsync is started on boot as a daemon diff --git a/roles/ffmwu-build/tasks/web.yml b/roles/ffmwu-build/tasks/web.yml index 4fca1f1..311865b 100644 --- a/roles/ffmwu-build/tasks/web.yml +++ b/roles/ffmwu-build/tasks/web.yml 
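Review bot: `mode: 0640` and `mode: 0644` work only because the YAML 1.1 parser reads a leading zero as octal; quoting them as `mode: '0640'` and `mode: '0644'` removes the dependence on parser behaviour and is the form that survives a move to a YAML 1.2 loader. The unit file copied into `/etc/systemd/system/` does not notify a daemon-reload here; the `ensure rsync is started on boot as a daemon` task that follows is outside this hunk and may already pass `daemon_reload`, but otherwise a changed unit is not picked up until one happens. The task names still read `rsnycd` and `rsnyc` where `rsyncd` and `rsync` were presumably intended.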
@@ -1,89 +1,123 @@ --- -- name: ensure webroot owns by user/group admin - file: dest=/var/www/html owner=admin group=admin recurse=yes +- name: ensure webroot owned by user/group admin + file: + dest: /var/www/html + owner: admin + group: admin + recurse: yes become: true - name: enable apache module ssl - apache2_module: state=present name=ssl + apache2_module: + state: present + name: ssl become: true notify: - check apache syntax - restart systemd unit apache2 -- name: disable default apache sites and unwanted default configs - shell: a2dissite "{{ item }}" - with_items: - - 000-default - - default-ssl +- name: disable default apache http site + command: /usr/sbin/a2dissite 000-default + args: + removes: /etc/apache2/sites-enabled/000-default.conf become: true notify: - check apache syntax - restart systemd unit apache2 -- shell: a2disconf "{{ item }}" - with_items: - - other-vhosts-access-log.conf +- name: disable default apache https site + command: /usr/sbin/a2dissite default-ssl + args: + removes: /etc/apache2/sites-enabled/default-ssl.conf become: true notify: - check apache syntax - restart systemd unit apache2 -- name: configure apache ssl module settings - lineinfile: dest=/etc/apache2/mods-enabled/ssl.conf - regexp="^([\s\t]+)?SSLCipherSuite" - line="SSLCipherSuite 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" - state=present +- name: disable unwanted default configs + command: /usr/sbin/a2disconf other-vhosts-access-log + args: + removes: /etc/apache2/conf-enabled/other-vhosts-access-log.conf become: true notify: - check apache syntax - restart systemd unit apache2 -- lineinfile: dest=/etc/apache2/mods-available/ssl.conf - regexp="^([\s\t]+)?SSLProtocol" - line="SSLProtocol all -SSLv2 -SSLv3" - state=present +- name: configure apache ssl cipher suites + lineinfile: + dest: /etc/apache2/mods-enabled/ssl.conf + regexp: '^([\s\t]+)?SSLCipherSuite' + line: "SSLCipherSuite 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" + state: present + become: true + notify: + - check apache syntax + - restart systemd unit apache2 + +- name: configure apache ssl protocols + lineinfile: + dest: /etc/apache2/mods-available/ssl.conf + regexp: '^([\s\t]+)?SSLProtocol' + line: "SSLProtocol all -SSLv2 -SSLv3" + state: present become: true notify: - check apache syntax - restart systemd unit apache2 - name: configure apache security settings - lineinfile: dest=/etc/apache2/conf-available/security.conf - regexp="^ServerTokens" - line="ServerTokens Prod" - state=present + lineinfile: + dest: /etc/apache2/conf-available/security.conf + regexp: "^ServerTokens" + line: "ServerTokens Prod" + state: present become: true notify: - check apache syntax - restart systemd unit apache2 -- lineinfile: dest=/etc/apache2/conf-available/security.conf - regexp="^ServerSignature" - line="ServerSignature EMail" - state=present +- name: configure apache server signature + lineinfile: + dest: /etc/apache2/conf-available/security.conf + regexp: "^ServerSignature" + line: "ServerSignature EMail" + state: present become: true notify: - check apache syntax - restart systemd unit apache2 -- name: write ffmwu apache sites - template: src=ffmwu-default-http.conf.j2 dest=/etc/apache2/sites-available/ffmwu-default-http.conf +- 
name: write ffmwu http site + template: + src: ffmwu-default-http.conf.j2 + dest: /etc/apache2/sites-available/ffmwu-default-http.conf become: true notify: - check apache syntax - restart systemd unit apache2 -- template: src=ffmwu-default-https.conf.j2 dest=/etc/apache2/sites-available/ffmwu-default-https.conf +- name: write ffmwu https site + template: + src: ffmwu-default-https.conf.j2 + dest: /etc/apache2/sites-available/ffmwu-default-https.conf become: true notify: - check apache syntax - restart systemd unit apache2 -- name: enable ffmwu apache sites - shell: a2ensite "{{ item }}" - with_items: - - ffmwu-default-http - - ffmwu-default-https +- name: enable ffmwu apache http site + command: /usr/sbin/a2ensite ffmwu-default-http + args: + creates: /etc/apache2/sites-enabled/ffmwu-default-http.conf + become: true + notify: + - check apache syntax + - restart systemd unit apache2 + +- name: enable ffmwu apache https site + command: /usr/sbin/a2ensite ffmwu-default-https + args: + creates: /etc/apache2/sites-enabled/ffmwu-default-https.conf become: true notify: - check apache syntax diff --git a/roles/ffmwu-build/templates/ffmwu-default-http.conf.j2 b/roles/ffmwu-build/templates/ffmwu-default-http.conf.j2 index a48beee..c970ff5 100644 --- a/roles/ffmwu-build/templates/ffmwu-default-http.conf.j2 +++ b/roles/ffmwu-build/templates/ffmwu-default-http.conf.j2 @@ -2,9 +2,9 @@ ServerName {{ inventory_hostname }} ServerAdmin webmaster@freifunk-mwu.de - DocumentRoot /var/www/html/firmware + DocumentRoot /var/www/html - + Options +Indexes +FollowSymlinks IndexOptions FancyIndexing +FoldersFirst +HTMLTable +NameWidth=* AllowOverride None diff --git a/roles/ffmwu-build/templates/ffmwu-default-https.conf.j2 b/roles/ffmwu-build/templates/ffmwu-default-https.conf.j2 index 0f83aaf..b483ff8 100644 --- a/roles/ffmwu-build/templates/ffmwu-default-https.conf.j2 +++ b/roles/ffmwu-build/templates/ffmwu-default-https.conf.j2 
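Review bot: The `SSLCipherSuite` line written by `configure apache ssl cipher suites` still admits `DES-CBC3-SHA` (3DES) and the static-RSA `AES:CAMELLIA` catch-alls, and no task in this file sets `SSLHonorCipherOrder on`, so the client rather than the server chooses from that list; dropping the 3DES and non-ECDHE/DHE entries and adding a `lineinfile` task for `SSLHonorCipherOrder on` alongside the two existing ssl tasks would be the usual hardening. The two ssl edits also address the same configuration through different names, `/etc/apache2/mods-enabled/ssl.conf` for the cipher suites and `/etc/apache2/mods-available/ssl.conf` for the protocols; on Debian the former is normally a symlink to the latter, but editing one file under two paths is confusing and breaks if the module is ever disabled, so `/etc/apache2/mods-available/ssl.conf` in both tasks is the safer choice. The `a2dissite`/`a2ensite` tasks with `removes`/`creates` are a clean idempotency fix and need no change.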
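Review bot: Changing `DocumentRoot` from `/var/www/html/firmware` to `/var/www/html` widens what this vhost serves, and with `Options +Indexes +FollowSymlinks` left in place the whole webroot, which web.yml recursively chowns to `admin`, is now directory-listed rather than only the firmware subtree; anything else that lands under `/var/www/html` becomes browsable. The `-`/`+` pair between `DocumentRoot` and `Options` renders with no content here, so I cannot see whether the matching `Directory` block was updated to the new path as well, which is worth confirming. The same change appears in ffmwu-default-https.conf.j2.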
@@ -3,9 +3,9 @@ ServerAdmin webmaster@freifunk-mwu.de ServerName {{ inventory_hostname }} - DocumentRoot /var/www/html/firmware + DocumentRoot /var/www/html - + Options +Indexes +FollowSymlinks IndexOptions FancyIndexing +FoldersFirst +HTMLTable +NameWidth=* AllowOverride None