Update ansible role ffmwu-build

* use ecdsautils from the ffmwu Debian repo instead of building from source
* remove some trailing whitespace
* use the command module instead of the shell module where possible
* update module syntax to list form for better readability
* role ffmwu-build should be idempotent now
Tobias Hachmer 2016-11-26 14:17:14 +01:00
parent 0167536d22
commit 6127353ae7
11 changed files with 129 additions and 87 deletions


@ -4,5 +4,5 @@
remote_user: admin remote_user: admin
strategy: linear strategy: linear
roles: roles:
- ffmwu-build - ffmwu-build


@ -1,8 +1,15 @@
--- ---
- name: check apache syntax - name: check apache syntax
shell: apachectl -t command: /usr/sbin/apachectl -t
become: true become: true
- name: restart systemd unit apache2 - name: restart systemd unit apache2
systemd: name=apache2 state=restarted systemd:
name: apache2
state: restarted
become: true
- name: update apt cache
apt:
update_cache: yes
become: true become: true
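Review bot: The new `update apt cache` handler only fires at the end of the play, after the `install needed packages for build-server` task in packages.yml has already run, so it cannot refresh the cache for the repositories the notifying tasks add; that install works only because it sets `update_cache: yes` itself (and apt_repository refreshes the cache by default), which makes the handler a redundant third refresh per run. Either drop the handler and the `notify: update apt cache` lines in the packages section below, or add `- meta: flush_handlers` before the install task if the handler is meant to gate it. Write the flag as `update_cache: true`; `yes` is a YAML 1.1 boolean that yamllint's truthy rule flags.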


@ -1,28 +0,0 @@
---
- name: checkout ecdsautils repo
git: repo=https://github.com/tcatm/ecdsautils.git
dest=/home/admin/clones/ecdsautils
version=v0.3.2
- name: create build directory
file: path=/home/admin/clones/ecdsautils/build state=directory
- name: build ecdsautils
shell: "{{ item }}"
args:
chdir: /home/admin/clones/ecdsautils/build
with_items:
- cmake ..
- make
- name: install ecdsautils to /usr/local/bin
copy:
src: "{{ item }}"
dest: /usr/local/bin/
mode: 0755
remote_src: True
with_items:
- /home/admin/clones/ecdsautils/build/src/ecdsakeygen
- /home/admin/clones/ecdsautils/build/src/ecdsaverify
- /home/admin/clones/ecdsautils/build/src/ecdsasign
become: true


@ -0,0 +1,6 @@
---
- name: checkout sites-ffmwu repo
git:
repo: https://github.com/freifunk-mwu/sites-ffmwu.git
dest: /home/admin/clones/sites-ffmwu
version: stable
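Review bot: `version: stable` tracks a moving branch, so this task reports changed, and the checkout contents change, whenever upstream moves `stable`; the idempotence the commit message claims therefore holds only between upstream pushes, and the site definitions that feed the build are not reproducible from the playbook alone. If a pinned build is wanted, put a tag or commit id in `version:`; if tracking is intended, a comment such as `# follows the stable branch on purpose; re-run to pull new site configs` keeps the next reader from "fixing" it.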


@ -1,6 +1,5 @@
--- ---
- include: tasks/packages.yml - include: packages.yml
- include: tasks/ecdsautils.yml - include: git-repos.yml
- include: tasks/repos.yml - include: rsyncd.yml
- include: tasks/rsync.yml - include: web.yml
- include: tasks/web.yml


@ -1,14 +1,37 @@
--- ---
- name: add apt repository of neoraider - name: add apt repository of neoraider
apt_repository: repo='deb https://repo.universe-factory.net/debian/ sid main' state=present filename='neoraider' apt_repository:
repo: 'deb https://repo.universe-factory.net/debian/ sid main'
state: present
filename: 'neoraider'
become: true become: true
notify: update apt cache
- name: add apt repository of freifunk-mwu
apt_repository:
repo: 'deb http://repo.freifunk-mwu.de/debian/ jessie main'
state: present
filename: 'ffmwu'
become: true
notify: update apt cache
- name: add apt-key of neoraider - name: add apt-key of neoraider
apt_key: keyserver=keyserver.ubuntu.com id=16EF3F64CB201D9C state=present apt_key:
keyserver: keyserver.ubuntu.com
id: 16EF3F64CB201D9C
state: present
become: true become: true
notify: update apt cache
- name: add apt-key of freifunk-mwu package sigs
apt_key:
url: http://repo.freifunk-mwu.de/83A70084.gpg.key
state: present
become: true
notify: update apt cache
- name: install needed packages for build-server - name: install needed packages for build-server
apt: apt:
state: present state: present
name: "{{ item }}" name: "{{ item }}"
update_cache: yes update_cache: yes
@ -17,13 +40,12 @@
- apache2 - apache2
- apache2-utils - apache2-utils
- build-essential - build-essential
- cmake - ecdsautils
- gawk - gawk
- git - git
- haveged - haveged
- libncurses5-dev - libncurses5-dev
- libssl-dev - libssl-dev
- libuecc-dev
- pkg-config - pkg-config
- subversion - subversion
- unzip - unzip
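Review bot: The `add apt-key of freifunk-mwu package sigs` task fetches the repository signing key over plain HTTP (`url: http://repo.freifunk-mwu.de/83A70084.gpg.key`), so the key that is supposed to authenticate every later package from that repo is itself obtained without authentication, and an on-path attacker who can swap the key can also serve a matching repo. Ship the key as a role file and load it with `data: "{{ lookup('file', '83A70084.gpg.key') }}"` in place of `url:`, or at least fetch it over HTTPS if the server offers it; `83A70084` looks like a short key id, so record the full fingerprint in a comment next to the task for verification. The neoraider key is pulled from `keyserver.ubuntu.com` by a 64-bit id; passing the full 40-hex fingerprint as `id` makes substitution harder. `update_cache: yes` on the install task should be `update_cache: true`.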


@ -1,4 +0,0 @@
---
- name: checkout sites-ffmwu repo
git: repo=https://github.com/freifunk-mwu/sites-ffmwu.git
dest=/home/admin/clones/sites-ffmwu


@ -1,10 +1,16 @@
--- ---
- name: install rsnycd configuration file - name: install rsnycd configuration file
copy: src=rsyncd.conf dest=/etc/rsyncd.conf mode=640 copy:
src: rsyncd.conf
dest: /etc/rsyncd.conf
mode: 0640
become: true become: true
- name: install rsnyc systemd unit - name: install rsnyc systemd unit
copy: src=rsync.service dest=/etc/systemd/system/ mode=644 copy:
src: rsync.service
dest: /etc/systemd/system/
mode: 0644
become: true become: true
- name: ensure rsync is started on boot as a daemon - name: ensure rsync is started on boot as a daemon
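Review bot: The `install rsnyc systemd unit` task copies a unit into `/etc/systemd/system/` but nothing visible reloads systemd afterwards, so on a first run the following `ensure rsync is started on boot as a daemon` task (which continues outside the hunk) may try to enable a unit systemd has not read yet; if that task uses the `systemd` module, add `daemon_reload: true` to it, otherwise notify a daemon-reload handler. Quote the modes as `mode: '0640'` and `mode: '0644'`: Ansible accepts the leading-zero octal int, but the bare form is exactly the YAML octal trap linters warn about, and the old `mode=640` string form was unambiguous. The task names still read `rsnycd`/`rsnyc`, a typo for `rsyncd`/`rsync`.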


@ -1,89 +1,123 @@
--- ---
- name: ensure webroot owns by user/group admin - name: ensure webroot owned by user/group admin
file: dest=/var/www/html owner=admin group=admin recurse=yes file:
dest: /var/www/html
owner: admin
group: admin
recurse: yes
become: true become: true
- name: enable apache module ssl - name: enable apache module ssl
apache2_module: state=present name=ssl apache2_module:
state: present
name: ssl
become: true become: true
notify: notify:
- check apache syntax - check apache syntax
- restart systemd unit apache2 - restart systemd unit apache2
- name: disable default apache sites and unwanted default configs - name: disable default apache http site
shell: a2dissite "{{ item }}" command: /usr/sbin/a2dissite 000-default
with_items: args:
- 000-default removes: /etc/apache2/sites-enabled/000-default.conf
- default-ssl
become: true become: true
notify: notify:
- check apache syntax - check apache syntax
- restart systemd unit apache2 - restart systemd unit apache2
- shell: a2disconf "{{ item }}" - name: disable default apache https site
with_items: command: /usr/sbin/a2dissite default-ssl
- other-vhosts-access-log.conf args:
removes: /etc/apache2/sites-enabled/default-ssl.conf
become: true become: true
notify: notify:
- check apache syntax - check apache syntax
- restart systemd unit apache2 - restart systemd unit apache2
- name: configure apache ssl module settings - name: disable unwanted default configs
lineinfile: dest=/etc/apache2/mods-enabled/ssl.conf command: /usr/sbin/a2disconf other-vhosts-access-log
regexp="^([\s\t]+)?SSLCipherSuite" args:
line="SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" removes: /etc/apache2/conf-enabled/other-vhosts-access-log.conf
state=present
become: true become: true
notify: notify:
- check apache syntax - check apache syntax
- restart systemd unit apache2 - restart systemd unit apache2
- lineinfile: dest=/etc/apache2/mods-available/ssl.conf - name: configure apache ssl cipher suites
regexp="^([\s\t]+)?SSLProtocol" lineinfile:
line="SSLProtocol all -SSLv2 -SSLv3" dest: /etc/apache2/mods-enabled/ssl.conf
state=present regexp: '^([\s\t]+)?SSLCipherSuite'
line: "SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
state: present
become: true
notify:
- check apache syntax
- restart systemd unit apache2
- name: configure apache ssl protocols
lineinfile:
dest: /etc/apache2/mods-available/ssl.conf
regexp: '^([\s\t]+)?SSLProtocol'
line: "SSLProtocol all -SSLv2 -SSLv3"
state: present
become: true become: true
notify: notify:
- check apache syntax - check apache syntax
- restart systemd unit apache2 - restart systemd unit apache2
- name: configure apache security settings - name: configure apache security settings
lineinfile: dest=/etc/apache2/conf-available/security.conf lineinfile:
regexp="^ServerTokens" dest: /etc/apache2/conf-available/security.conf
line="ServerTokens Prod" regexp: "^ServerTokens"
state=present line: "ServerTokens Prod"
state: present
become: true become: true
notify: notify:
- check apache syntax - check apache syntax
- restart systemd unit apache2 - restart systemd unit apache2
- lineinfile: dest=/etc/apache2/conf-available/security.conf - name: configure apache server signature
regexp="^ServerSignature" lineinfile:
line="ServerSignature EMail" dest: /etc/apache2/conf-available/security.conf
state=present regexp: "^ServerSignature"
line: "ServerSignature EMail"
state: present
become: true become: true
notify: notify:
- check apache syntax - check apache syntax
- restart systemd unit apache2 - restart systemd unit apache2
- name: write ffmwu apache sites - name: write ffmwu http site
template: src=ffmwu-default-http.conf.j2 dest=/etc/apache2/sites-available/ffmwu-default-http.conf template:
src: ffmwu-default-http.conf.j2
dest: /etc/apache2/sites-available/ffmwu-default-http.conf
become: true become: true
notify: notify:
- check apache syntax - check apache syntax
- restart systemd unit apache2 - restart systemd unit apache2
- template: src=ffmwu-default-https.conf.j2 dest=/etc/apache2/sites-available/ffmwu-default-https.conf - name: write ffmwu https site
template:
src: ffmwu-default-https.conf.j2
dest: /etc/apache2/sites-available/ffmwu-default-https.conf
become: true become: true
notify: notify:
- check apache syntax - check apache syntax
- restart systemd unit apache2 - restart systemd unit apache2
- name: enable ffmwu apache sites - name: enable ffmwu apache http site
shell: a2ensite "{{ item }}" command: /usr/sbin/a2ensite ffmwu-default-http
with_items: args:
- ffmwu-default-http creates: /etc/apache2/sites-enabled/ffmwu-default-http.conf
- ffmwu-default-https become: true
notify:
- check apache syntax
- restart systemd unit apache2
- name: enable ffmwu apache https site
command: /usr/sbin/a2ensite ffmwu-default-https
args:
creates: /etc/apache2/sites-enabled/ffmwu-default-https.conf
become: true become: true
notify: notify:
- check apache syntax - check apache syntax
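Review bot: The `configure apache ssl cipher suites` task writes the `SSLCipherSuite` list but nothing in this file sets `SSLHonorCipherOrder on`, so unless the https vhost template does it the client chooses from that list and its tail (`DES-CBC3-SHA`, the CBC/SHA-1 suites, `AES:CAMELLIA`) stays selectable; add a third lineinfile task next to the protocol one, e.g. `regexp: '^([\s\t]+)?SSLHonorCipherOrder'` / `line: "SSLHonorCipherOrder on"`, and note that `SSLProtocol all -SSLv2 -SSLv3` still allows TLS 1.0 and 1.1. The cipher task edits `/etc/apache2/mods-enabled/ssl.conf` while the protocol task edits `/etc/apache2/mods-available/ssl.conf`; on Debian the first is normally a symlink to the second, so both hit one file, but use one path so a reader does not think two files are maintained. `ServerSignature EMail` appends the server name and admin address to error pages, which undoes part of what `ServerTokens Prod` hides; `ServerSignature Off` is the tighter choice. `recurse: yes` should be `recurse: true`. The last task's notify list continues outside the hunk.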


@ -2,9 +2,9 @@
ServerName {{ inventory_hostname }} ServerName {{ inventory_hostname }}
ServerAdmin webmaster@freifunk-mwu.de ServerAdmin webmaster@freifunk-mwu.de
DocumentRoot /var/www/html/firmware DocumentRoot /var/www/html
<Directory /var/www/html/firmware> <Directory /var/www/html>
Options +Indexes +FollowSymlinks Options +Indexes +FollowSymlinks
IndexOptions FancyIndexing +FoldersFirst +HTMLTable +NameWidth=* IndexOptions FancyIndexing +FoldersFirst +HTMLTable +NameWidth=*
AllowOverride None AllowOverride None
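Review bot: Moving `DocumentRoot` and the `<Directory>` block from `/var/www/html/firmware` up to `/var/www/html` widens the scope of `Options +Indexes +FollowSymlinks` to the whole webroot, which web.yml hands to the `admin` user recursively; anything else that lands under `/var/www/html` becomes browsable and symlinks inside it are followed. If only the firmware tree is meant to be listed, keep `Indexes` on a nested `<Directory /var/www/html/firmware>` and leave the parent at `Options None`, or add a comment in the template saying why the whole root is intended to be indexed. The https template section below makes the identical change and the same note applies.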


@ -3,9 +3,9 @@
ServerAdmin webmaster@freifunk-mwu.de ServerAdmin webmaster@freifunk-mwu.de
ServerName {{ inventory_hostname }} ServerName {{ inventory_hostname }}
DocumentRoot /var/www/html/firmware DocumentRoot /var/www/html
<Directory /var/www/html/firmware> <Directory /var/www/html>
Options +Indexes +FollowSymlinks Options +Indexes +FollowSymlinks
IndexOptions FancyIndexing +FoldersFirst +HTMLTable +NameWidth=* IndexOptions FancyIndexing +FoldersFirst +HTMLTable +NameWidth=*
AllowOverride None AllowOverride None