Update ansible role ffmwu-build
* use ecdsautils from the ffmwu Debian repo instead of building it from source * remove some trailing whitespace * use the command module instead of the shell module where possible * update module syntax to list form for readability * role ffmwu-build should now be idempotent
This commit is contained in:
parent
0167536d22
commit
6127353ae7
11 changed files with 129 additions and 87 deletions
|
@ -4,5 +4,5 @@
|
||||||
remote_user: admin
|
remote_user: admin
|
||||||
strategy: linear
|
strategy: linear
|
||||||
|
|
||||||
roles:
|
roles:
|
||||||
- ffmwu-build
|
- ffmwu-build
|
||||||
|
|
|
@ -1,8 +1,15 @@
|
||||||
---
|
---
|
||||||
- name: check apache syntax
|
- name: check apache syntax
|
||||||
shell: apachectl -t
|
command: /usr/sbin/apachectl -t
|
||||||
become: true
|
become: true
|
||||||
|
|
||||||
- name: restart systemd unit apache2
|
- name: restart systemd unit apache2
|
||||||
systemd: name=apache2 state=restarted
|
systemd:
|
||||||
|
name: apache2
|
||||||
|
state: restarted
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: update apt cache
|
||||||
|
apt:
|
||||||
|
update_cache: yes
|
||||||
become: true
|
become: true
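Review bot: `update_cache: yes` on the new `update apt cache` handler is a YAML 1.1 truthy value; Ansible accepts it, but yamllint flags it and it is read differently by YAML 1.2 parsers, so write `update_cache: true`. The same applies to `update_cache: yes` in the packages.yml hunk and `recurse: yes` in the web.yml hunk of this commit. Note also that handlers run at the end of the play unless flushed, so a notified cache update lands after the package-install task, which already refreshes the cache itself.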
|
||||||
|
|
|
@ -1,28 +0,0 @@
|
||||||
---
|
|
||||||
- name: checkout ecdsautils repo
|
|
||||||
git: repo=https://github.com/tcatm/ecdsautils.git
|
|
||||||
dest=/home/admin/clones/ecdsautils
|
|
||||||
version=v0.3.2
|
|
||||||
|
|
||||||
- name: create build directory
|
|
||||||
file: path=/home/admin/clones/ecdsautils/build state=directory
|
|
||||||
|
|
||||||
- name: build ecdsautils
|
|
||||||
shell: "{{ item }}"
|
|
||||||
args:
|
|
||||||
chdir: /home/admin/clones/ecdsautils/build
|
|
||||||
with_items:
|
|
||||||
- cmake ..
|
|
||||||
- make
|
|
||||||
|
|
||||||
- name: install ecdsautils to /usr/local/bin
|
|
||||||
copy:
|
|
||||||
src: "{{ item }}"
|
|
||||||
dest: /usr/local/bin/
|
|
||||||
mode: 0755
|
|
||||||
remote_src: True
|
|
||||||
with_items:
|
|
||||||
- /home/admin/clones/ecdsautils/build/src/ecdsakeygen
|
|
||||||
- /home/admin/clones/ecdsautils/build/src/ecdsaverify
|
|
||||||
- /home/admin/clones/ecdsautils/build/src/ecdsasign
|
|
||||||
become: true
|
|
6
roles/ffmwu-build/tasks/git-repos.yml
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
- name: checkout sites-ffmwu repo
|
||||||
|
git:
|
||||||
|
repo: https://github.com/freifunk-mwu/sites-ffmwu.git
|
||||||
|
dest: /home/admin/clones/sites-ffmwu
|
||||||
|
version: stable
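Review bot: `version: stable` follows a branch, so the git task fast-forwards to whatever `stable` points at on each run and reports changed whenever upstream moves; that conflicts with the idempotency goal stated in the commit message and leaves the site configuration the builds consume unpinned. If reproducible builds matter, pin a tag or commit and bump it deliberately, e.g. `version: '<TAG-OR-COMMIT>'` (placeholder). Fetching over https is good and replaces the unversioned checkout in the removed tasks/repos.yml, so this is still an improvement.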
|
|
@ -1,6 +1,5 @@
|
||||||
---
|
---
|
||||||
- include: tasks/packages.yml
|
- include: packages.yml
|
||||||
- include: tasks/ecdsautils.yml
|
- include: git-repos.yml
|
||||||
- include: tasks/repos.yml
|
- include: rsyncd.yml
|
||||||
- include: tasks/rsync.yml
|
- include: web.yml
|
||||||
- include: tasks/web.yml
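Review bot: The new include list names `rsyncd.yml`, while the removed line referred to `tasks/rsync.yml`; the rendered diff shows the rsync tasks hunk without its path, so I cannot tell whether that file was renamed in this commit, and a missing `roles/ffmwu-build/tasks/rsyncd.yml` makes the role fail when the play is parsed. Dropping the `tasks/` prefix is correct, since includes inside a role's tasks/main.yml resolve relative to the role's tasks directory. `include` is the static task include of this Ansible generation; newer releases deprecate it in favour of `import_tasks`, which is worth a comment if the role is meant to outlive jessie.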
|
|
||||||
|
|
|
@ -1,14 +1,37 @@
|
||||||
---
|
---
|
||||||
- name: add apt repository of neoraider
|
- name: add apt repository of neoraider
|
||||||
apt_repository: repo='deb https://repo.universe-factory.net/debian/ sid main' state=present filename='neoraider'
|
apt_repository:
|
||||||
|
repo: 'deb https://repo.universe-factory.net/debian/ sid main'
|
||||||
|
state: present
|
||||||
|
filename: 'neoraider'
|
||||||
become: true
|
become: true
|
||||||
|
notify: update apt cache
|
||||||
|
|
||||||
|
- name: add apt repository of freifunk-mwu
|
||||||
|
apt_repository:
|
||||||
|
repo: 'deb http://repo.freifunk-mwu.de/debian/ jessie main'
|
||||||
|
state: present
|
||||||
|
filename: 'ffmwu'
|
||||||
|
become: true
|
||||||
|
notify: update apt cache
|
||||||
|
|
||||||
- name: add apt-key of neoraider
|
- name: add apt-key of neoraider
|
||||||
apt_key: keyserver=keyserver.ubuntu.com id=16EF3F64CB201D9C state=present
|
apt_key:
|
||||||
|
keyserver: keyserver.ubuntu.com
|
||||||
|
id: 16EF3F64CB201D9C
|
||||||
|
state: present
|
||||||
become: true
|
become: true
|
||||||
|
notify: update apt cache
|
||||||
|
|
||||||
|
- name: add apt-key of freifunk-mwu package sigs
|
||||||
|
apt_key:
|
||||||
|
url: http://repo.freifunk-mwu.de/83A70084.gpg.key
|
||||||
|
state: present
|
||||||
|
become: true
|
||||||
|
notify: update apt cache
|
||||||
|
|
||||||
- name: install needed packages for build-server
|
- name: install needed packages for build-server
|
||||||
apt:
|
apt:
|
||||||
state: present
|
state: present
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
update_cache: yes
|
update_cache: yes
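Review bot: The `add apt-key of freifunk-mwu package sigs` task fetches the repository signing key with `url: http://repo.freifunk-mwu.de/83A70084.gpg.key`, over plain http from the same host as the repository it is meant to authenticate; anyone who can tamper with that traffic can also hand out a substitute key, so the apt signature check adds nothing on first install. Serve the key over https if the host supports it, or ship the key file with the role and pass it through apt_key's `data` parameter, and in either case add `id: <FULL-KEY-FINGERPRINT>` (placeholder) so a swapped key is at least detected. For the neoraider key, `id: 16EF3F64CB201D9C` is a 64-bit key id; the apt_key docs recommend the full 40-character fingerprint to avoid key-id collisions on keyserver lookups. The `notify: update apt cache` on the four repository tasks only fires at the end of the play, after the install task below, which already sets `update_cache` itself, so it is redundant unless a `meta: flush_handlers` precedes the install.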
|
||||||
|
@ -17,13 +40,12 @@
|
||||||
- apache2
|
- apache2
|
||||||
- apache2-utils
|
- apache2-utils
|
||||||
- build-essential
|
- build-essential
|
||||||
- cmake
|
- ecdsautils
|
||||||
- gawk
|
- gawk
|
||||||
- git
|
- git
|
||||||
- haveged
|
- haveged
|
||||||
- libncurses5-dev
|
- libncurses5-dev
|
||||||
- libssl-dev
|
- libssl-dev
|
||||||
- libuecc-dev
|
|
||||||
- pkg-config
|
- pkg-config
|
||||||
- subversion
|
- subversion
|
||||||
- unzip
|
- unzip
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
---
|
|
||||||
- name: checkout sites-ffmwu repo
|
|
||||||
git: repo=https://github.com/freifunk-mwu/sites-ffmwu.git
|
|
||||||
dest=/home/admin/clones/sites-ffmwu
|
|
|
@ -1,10 +1,16 @@
|
||||||
---
|
---
|
||||||
- name: install rsnycd configuration file
|
- name: install rsnycd configuration file
|
||||||
copy: src=rsyncd.conf dest=/etc/rsyncd.conf mode=640
|
copy:
|
||||||
|
src: rsyncd.conf
|
||||||
|
dest: /etc/rsyncd.conf
|
||||||
|
mode: 0640
|
||||||
become: true
|
become: true
|
||||||
|
|
||||||
- name: install rsnyc systemd unit
|
- name: install rsnyc systemd unit
|
||||||
copy: src=rsync.service dest=/etc/systemd/system/ mode=644
|
copy:
|
||||||
|
src: rsync.service
|
||||||
|
dest: /etc/systemd/system/
|
||||||
|
mode: 0644
|
||||||
become: true
|
become: true
|
||||||
|
|
||||||
- name: ensure rsync is started on boot as a daemon
|
- name: ensure rsync is started on boot as a daemon
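Review bot: `mode: 0640` and `mode: 0644` are unquoted; with the leading zero PyYAML reads them as octal ints, which Ansible handles, but a dropped zero or a YAML 1.2 parser silently turns them into a different mode, so quote them as `mode: '0640'` and `mode: '0644'`. The task names still carry the typos `rsnycd` and `rsnyc` (`install rsnycd configuration file`, `install rsnyc systemd unit`), worth fixing while the tasks are being rewritten. The `ensure rsync is started on boot as a daemon` task begins on the hunk's last line and continues outside it.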
|
|
@ -1,89 +1,123 @@
|
||||||
---
|
---
|
||||||
- name: ensure webroot owns by user/group admin
|
- name: ensure webroot owned by user/group admin
|
||||||
file: dest=/var/www/html owner=admin group=admin recurse=yes
|
file:
|
||||||
|
dest: /var/www/html
|
||||||
|
owner: admin
|
||||||
|
group: admin
|
||||||
|
recurse: yes
|
||||||
become: true
|
become: true
|
||||||
|
|
||||||
- name: enable apache module ssl
|
- name: enable apache module ssl
|
||||||
apache2_module: state=present name=ssl
|
apache2_module:
|
||||||
|
state: present
|
||||||
|
name: ssl
|
||||||
become: true
|
become: true
|
||||||
notify:
|
notify:
|
||||||
- check apache syntax
|
- check apache syntax
|
||||||
- restart systemd unit apache2
|
- restart systemd unit apache2
|
||||||
|
|
||||||
- name: disable default apache sites and unwanted default configs
|
- name: disable default apache http site
|
||||||
shell: a2dissite "{{ item }}"
|
command: /usr/sbin/a2dissite 000-default
|
||||||
with_items:
|
args:
|
||||||
- 000-default
|
removes: /etc/apache2/sites-enabled/000-default.conf
|
||||||
- default-ssl
|
|
||||||
become: true
|
become: true
|
||||||
notify:
|
notify:
|
||||||
- check apache syntax
|
- check apache syntax
|
||||||
- restart systemd unit apache2
|
- restart systemd unit apache2
|
||||||
|
|
||||||
- shell: a2disconf "{{ item }}"
|
- name: disable default apache https site
|
||||||
with_items:
|
command: /usr/sbin/a2dissite default-ssl
|
||||||
- other-vhosts-access-log.conf
|
args:
|
||||||
|
removes: /etc/apache2/sites-enabled/default-ssl.conf
|
||||||
become: true
|
become: true
|
||||||
notify:
|
notify:
|
||||||
- check apache syntax
|
- check apache syntax
|
||||||
- restart systemd unit apache2
|
- restart systemd unit apache2
|
||||||
|
|
||||||
- name: configure apache ssl module settings
|
- name: disable unwanted default configs
|
||||||
lineinfile: dest=/etc/apache2/mods-enabled/ssl.conf
|
command: /usr/sbin/a2disconf other-vhosts-access-log
|
||||||
regexp="^([\s\t]+)?SSLCipherSuite"
|
args:
|
||||||
line="SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
|
removes: /etc/apache2/conf-enabled/other-vhosts-access-log.conf
|
||||||
state=present
|
|
||||||
become: true
|
become: true
|
||||||
notify:
|
notify:
|
||||||
- check apache syntax
|
- check apache syntax
|
||||||
- restart systemd unit apache2
|
- restart systemd unit apache2
|
||||||
|
|
||||||
- lineinfile: dest=/etc/apache2/mods-available/ssl.conf
|
- name: configure apache ssl cipher suites
|
||||||
regexp="^([\s\t]+)?SSLProtocol"
|
lineinfile:
|
||||||
line="SSLProtocol all -SSLv2 -SSLv3"
|
dest: /etc/apache2/mods-enabled/ssl.conf
|
||||||
state=present
|
regexp: '^([\s\t]+)?SSLCipherSuite'
|
||||||
|
line: "SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
|
||||||
|
state: present
|
||||||
|
become: true
|
||||||
|
notify:
|
||||||
|
- check apache syntax
|
||||||
|
- restart systemd unit apache2
|
||||||
|
|
||||||
|
- name: configure apache ssl protocols
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/apache2/mods-available/ssl.conf
|
||||||
|
regexp: '^([\s\t]+)?SSLProtocol'
|
||||||
|
line: "SSLProtocol all -SSLv2 -SSLv3"
|
||||||
|
state: present
|
||||||
become: true
|
become: true
|
||||||
notify:
|
notify:
|
||||||
- check apache syntax
|
- check apache syntax
|
||||||
- restart systemd unit apache2
|
- restart systemd unit apache2
|
||||||
|
|
||||||
- name: configure apache security settings
|
- name: configure apache security settings
|
||||||
lineinfile: dest=/etc/apache2/conf-available/security.conf
|
lineinfile:
|
||||||
regexp="^ServerTokens"
|
dest: /etc/apache2/conf-available/security.conf
|
||||||
line="ServerTokens Prod"
|
regexp: "^ServerTokens"
|
||||||
state=present
|
line: "ServerTokens Prod"
|
||||||
|
state: present
|
||||||
become: true
|
become: true
|
||||||
notify:
|
notify:
|
||||||
- check apache syntax
|
- check apache syntax
|
||||||
- restart systemd unit apache2
|
- restart systemd unit apache2
|
||||||
|
|
||||||
- lineinfile: dest=/etc/apache2/conf-available/security.conf
|
- name: configure apache server signature
|
||||||
regexp="^ServerSignature"
|
lineinfile:
|
||||||
line="ServerSignature EMail"
|
dest: /etc/apache2/conf-available/security.conf
|
||||||
state=present
|
regexp: "^ServerSignature"
|
||||||
|
line: "ServerSignature EMail"
|
||||||
|
state: present
|
||||||
become: true
|
become: true
|
||||||
notify:
|
notify:
|
||||||
- check apache syntax
|
- check apache syntax
|
||||||
- restart systemd unit apache2
|
- restart systemd unit apache2
|
||||||
|
|
||||||
- name: write ffmwu apache sites
|
- name: write ffmwu http site
|
||||||
template: src=ffmwu-default-http.conf.j2 dest=/etc/apache2/sites-available/ffmwu-default-http.conf
|
template:
|
||||||
|
src: ffmwu-default-http.conf.j2
|
||||||
|
dest: /etc/apache2/sites-available/ffmwu-default-http.conf
|
||||||
become: true
|
become: true
|
||||||
notify:
|
notify:
|
||||||
- check apache syntax
|
- check apache syntax
|
||||||
- restart systemd unit apache2
|
- restart systemd unit apache2
|
||||||
|
|
||||||
- template: src=ffmwu-default-https.conf.j2 dest=/etc/apache2/sites-available/ffmwu-default-https.conf
|
- name: write ffmwu https site
|
||||||
|
template:
|
||||||
|
src: ffmwu-default-https.conf.j2
|
||||||
|
dest: /etc/apache2/sites-available/ffmwu-default-https.conf
|
||||||
become: true
|
become: true
|
||||||
notify:
|
notify:
|
||||||
- check apache syntax
|
- check apache syntax
|
||||||
- restart systemd unit apache2
|
- restart systemd unit apache2
|
||||||
|
|
||||||
- name: enable ffmwu apache sites
|
- name: enable ffmwu apache http site
|
||||||
shell: a2ensite "{{ item }}"
|
command: /usr/sbin/a2ensite ffmwu-default-http
|
||||||
with_items:
|
args:
|
||||||
- ffmwu-default-http
|
creates: /etc/apache2/sites-enabled/ffmwu-default-http.conf
|
||||||
- ffmwu-default-https
|
become: true
|
||||||
|
notify:
|
||||||
|
- check apache syntax
|
||||||
|
- restart systemd unit apache2
|
||||||
|
|
||||||
|
- name: enable ffmwu apache https site
|
||||||
|
command: /usr/sbin/a2ensite ffmwu-default-https
|
||||||
|
args:
|
||||||
|
creates: /etc/apache2/sites-enabled/ffmwu-default-https.conf
|
||||||
become: true
|
become: true
|
||||||
notify:
|
notify:
|
||||||
- check apache syntax
|
- check apache syntax
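Review bot: The `configure apache ssl cipher suites` task edits `dest: /etc/apache2/mods-enabled/ssl.conf`, while the `configure apache ssl protocols` task edits `/etc/apache2/mods-available/ssl.conf`; mods-enabled entries are symlinks created by a2enmod, and lineinfile with its default `follow: no` may replace the symlink with a regular file, leaving two diverging copies of ssl.conf. Point both tasks at the same file, `dest: /etc/apache2/mods-available/ssl.conf`. On the crypto side, `SSLProtocol all -SSLv2 -SSLv3` still permits TLS 1.0 and 1.1, and the cipher string keeps `DES-CBC3-SHA` and the non-forward-secret `AES:CAMELLIA` groups; if the clients that fetch from this server can cope, tighten the list and record the decision in a comment above the task. The `enable ffmwu apache https site` task starts at the end of the hunk and its notify list continues outside it.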
|
||||||
|
|
|
@ -2,9 +2,9 @@
|
||||||
ServerName {{ inventory_hostname }}
|
ServerName {{ inventory_hostname }}
|
||||||
ServerAdmin webmaster@freifunk-mwu.de
|
ServerAdmin webmaster@freifunk-mwu.de
|
||||||
|
|
||||||
DocumentRoot /var/www/html/firmware
|
DocumentRoot /var/www/html
|
||||||
|
|
||||||
<Directory /var/www/html/firmware>
|
<Directory /var/www/html>
|
||||||
Options +Indexes +FollowSymlinks
|
Options +Indexes +FollowSymlinks
|
||||||
IndexOptions FancyIndexing +FoldersFirst +HTMLTable +NameWidth=*
|
IndexOptions FancyIndexing +FoldersFirst +HTMLTable +NameWidth=*
|
||||||
AllowOverride None
|
AllowOverride None
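Review bot: `DocumentRoot` and the `<Directory>` block move from `/var/www/html/firmware` up to `/var/www/html`, so `Options +Indexes +FollowSymlinks` now applies to the whole webroot, which the web.yml hunk in this commit also hands to user admin with `recurse: yes`; every file and directory placed there becomes listable and fetchable, and any symlink admin creates is followed to wherever apache can read. Confirm nothing but the intended build artifacts lives under /var/www/html, or keep `+Indexes` in a narrower `<Directory /var/www/html/firmware>` block and use `+SymLinksIfOwnerMatch` instead of `+FollowSymlinks`. The https template hunk that follows makes the same change. The `<Directory>` block continues outside the hunk.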
|
||||||
|
|
|
@ -3,9 +3,9 @@
|
||||||
ServerAdmin webmaster@freifunk-mwu.de
|
ServerAdmin webmaster@freifunk-mwu.de
|
||||||
ServerName {{ inventory_hostname }}
|
ServerName {{ inventory_hostname }}
|
||||||
|
|
||||||
DocumentRoot /var/www/html/firmware
|
DocumentRoot /var/www/html
|
||||||
|
|
||||||
<Directory /var/www/html/firmware>
|
<Directory /var/www/html>
|
||||||
Options +Indexes +FollowSymlinks
|
Options +Indexes +FollowSymlinks
|
||||||
IndexOptions FancyIndexing +FoldersFirst +HTMLTable +NameWidth=*
|
IndexOptions FancyIndexing +FoldersFirst +HTMLTable +NameWidth=*
|
||||||
AllowOverride None
|
AllowOverride None
|
||||||
|
|