diff --git a/ansible.cfg b/ansible.cfg
index b330c5c..ea9a9df 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -3,8 +3,12 @@
 inventory = ./inventory
 retry_files_enabled = False
 #vault_password_file = ~/.ansible/vault-password-file
 remote_tmp = $HOME/ansible_tmp
+remote_user = admin
 ansible_managed = Ansible managed - don't edit this file!
 roles_path = ./roles
+[privilege_escalation]
+become=True
+
 #[ssh_connection]
 #pipelining = True
diff --git a/roles/ffmwu-bird/tasks/main.yml b/roles/ffmwu-bird/tasks/main.yml
index be1ba94..cd2807e 100644
--- a/roles/ffmwu-bird/tasks/main.yml
+++ b/roles/ffmwu-bird/tasks/main.yml
@@ -7,7 +7,6 @@
 owner: admin
 group: bird
 mode: 0750
- become: yes
 - name: standardise file ownerships
 file:
@@ -16,7 +15,6 @@
 owner: admin
 group: bird
 mode: 0750
- become: yes
 with_items:
 - /etc/bird/bird.conf
 - /etc/bird/mwu_peers_v4.inc
diff --git a/roles/ffmwu-build/tasks/packages.yml b/roles/ffmwu-build/tasks/packages.yml
index 6838671..71b26b5 100644
--- a/roles/ffmwu-build/tasks/packages.yml
+++ b/roles/ffmwu-build/tasks/packages.yml
@@ -4,7 +4,6 @@
 repo: 'deb https://repo.universe-factory.net/debian/ sid main'
 state: present
 filename: 'neoraider'
- become: true
 notify: update apt cache
 - name: add apt repository of freifunk-mwu
@@ -12,7 +11,6 @@
 repo: 'deb http://repo.freifunk-mwu.de/debian/ jessie main'
 state: present
 filename: 'ffmwu'
- become: true
 notify: update apt cache
 - name: add apt-key of neoraider
@@ -20,14 +18,12 @@
 keyserver: keyserver.ubuntu.com
 id: 16EF3F64CB201D9C
 state: present
- become: true
 notify: update apt cache
 - name: add apt-key of freifunk-mwu package sigs
 apt_key:
 url: http://repo.freifunk-mwu.de/83A70084.gpg.key
 state: present
- become: true
 notify: update apt cache
 - name: install needed packages for build-server
@@ -50,4 +46,3 @@
 - subversion
 - unzip
 - zlib1g-dev
- become: true
diff --git a/roles/ffmwu-build/tasks/rsyncd.yml b/roles/ffmwu-build/tasks/rsyncd.yml
index 208fd74..bc838e7 100644
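Review bot: `become=True` under `[privilege_escalation]` escalates every task in every play, not only the ones that carried `become: true` before, so tasks that were deliberately unprivileged now run as root too — `shell: grep IdentityFile ~/.ssh/config` in roles/ffmwu-meshing/tasks/fastd.yml will read root's home, and the git clones in roles/git-fastd-peers will create root-owned files and use root's SSH identity. Those tasks need an explicit `become: false` (or `become_user: admin`), or the escalation should be scoped at play level in the playbooks rather than as a repo-wide default that every `ansible-playbook` invocation silently inherits. `remote_user = admin` hard-codes the login account in a committed file, and the global become still depends on passwordless sudo for that account, which nothing here states; a comment such as `# requires NOPASSWD sudo for remote_user (checked by roles/prerequisites)` above the section would make the assumption visible.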
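Review bot: the freifunk-mwu signing key is fetched over plain HTTP (`url: http://repo.freifunk-mwu.de/83A70084.gpg.key`) with no `id:` pin, so apt trusts whatever key an on-path attacker serves, and the repository added earlier in this file is also plain `http://` — together that is a complete package-substitution path. Pin the expected key with `id:` using the full 40-hex fingerprint and use `https://` if the host offers it; the neoraider key from `keyserver.ubuntu.com` is at least checked against its 64-bit `id: 16EF3F64CB201D9C`, though HKP transport is unauthenticated as well. roles/server-repos/tasks/main.yml installs the same two keys with different settings (`pgp.mit.edu`, an 8-hex id), so one shared definition would avoid the two roles drifting.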
--- a/roles/ffmwu-build/tasks/rsyncd.yml
+++ b/roles/ffmwu-build/tasks/rsyncd.yml
@@ -4,18 +4,15 @@
 src: rsyncd.conf
 dest: /etc/rsyncd.conf
 mode: 0640
- become: true
 - name: install rsnyc systemd unit
 copy:
 src: rsync.service
 dest: /etc/systemd/system/
 mode: 0644
- become: true
 - name: ensure rsync is started on boot as a daemon
 systemd:
 name: rsync
 state: started
 enabled: True
- become: true
diff --git a/roles/ffmwu-build/tasks/web.yml b/roles/ffmwu-build/tasks/web.yml
index 311865b..710f607 100644
--- a/roles/ffmwu-build/tasks/web.yml
+++ b/roles/ffmwu-build/tasks/web.yml
@@ -5,13 +5,11 @@
 owner: admin
 group: admin
 recurse: yes
- become: true
 - name: enable apache module ssl
 apache2_module:
 state: present
 name: ssl
- become: true
 notify:
 - check apache syntax
 - restart systemd unit apache2
@@ -20,7 +18,6 @@
 command: /usr/sbin/a2dissite 000-default
 args:
 removes: /etc/apache2/sites-enabled/000-default.conf
- become: true
 notify:
 - check apache syntax
 - restart systemd unit apache2
@@ -29,7 +26,6 @@
 command: /usr/sbin/a2dissite default-ssl
 args:
 removes: /etc/apache2/sites-enabled/default-ssl.conf
- become: true
 notify:
 - check apache syntax
 - restart systemd unit apache2
@@ -38,7 +34,6 @@
 command: /usr/sbin/a2disconf other-vhosts-access-log
 args:
 removes: /etc/apache2/conf-enabled/other-vhosts-access-log.conf
- become: true
 notify:
 - check apache syntax
 - restart systemd unit apache2
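Review bot: `rsync.service` is copied into /etc/systemd/system/ but the `systemd:` task that follows has no `daemon_reload: yes`, so on a fresh host systemd does not know the new unit when `state: started` runs, and on later edits the stale unit definition stays loaded. Add `daemon_reload: yes` to that task and have both copy tasks `notify` a restart handler, the way the apache tasks in web.yml do. The task name `install rsnyc systemd unit` also has a typo (`rsnyc` for `rsync`).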
@@ -49,7 +44,6 @@
 regexp: '^([\s\t]+)?SSLCipherSuite'
 line: "SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
 state: present
- become: true
 notify:
 - check apache syntax
 - restart systemd unit apache2
@@ -60,7 +54,6 @@
 regexp: '^([\s\t]+)?SSLProtocol'
 line: "SSLProtocol all -SSLv2 -SSLv3"
 state: present
- become: true
 notify:
 - check apache syntax
 - restart systemd unit apache2
@@ -71,7 +64,6 @@
 regexp: "^ServerTokens"
 line: "ServerTokens Prod"
 state: present
- become: true
 notify:
 - check apache syntax
 - restart systemd unit apache2
@@ -82,7 +74,6 @@
 regexp: "^ServerSignature"
 line: "ServerSignature EMail"
 state: present
- become: true
 notify:
 - check apache syntax
 - restart systemd unit apache2
@@ -91,7 +82,6 @@
 template:
 src: ffmwu-default-http.conf.j2
 dest: /etc/apache2/sites-available/ffmwu-default-http.conf
- become: true
 notify:
 - check apache syntax
 - restart systemd unit apache2
@@ -100,7 +90,6 @@
 template:
 src: ffmwu-default-https.conf.j2
 dest: /etc/apache2/sites-available/ffmwu-default-https.conf
- become: true
 notify:
 - check apache syntax
 - restart systemd unit apache2
@@ -109,7 +98,6 @@
 command: /usr/sbin/a2ensite ffmwu-default-http
 args:
 creates: /etc/apache2/sites-enabled/ffmwu-default-http.conf
- become: true
 notify:
 - check apache syntax
 - restart systemd unit apache2
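Review bot: the `SSLCipherSuite` value still admits 3DES — only the `EDH-*-DES-CBC3-SHA` variants are excluded, while `DES-CBC3-SHA` is listed explicitly and `!DES` does not cover triple DES — and the `AES128-SHA`/`AES256-SHA`/`AES:CAMELLIA` entries keep static-RSA CBC suites without forward secrecy; this is the 2014-era compatibility list and it is now weaker than needed. Drop `:AES:CAMELLIA:DES-CBC3-SHA` and add `!3DES`, or replace the string with a current intermediate profile, and pair it with `SSLHonorCipherOrder on` so the server's preference wins. The `SSLProtocol all -SSLv2 -SSLv3` line in the next hunk likewise leaves TLS 1.0 and 1.1 enabled; Apache 2.4 accepts `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`.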
@@ -118,7 +106,6 @@
 command: /usr/sbin/a2ensite ffmwu-default-https
 args:
 creates: /etc/apache2/sites-enabled/ffmwu-default-https.conf
- become: true
 notify:
 - check apache syntax
 - restart systemd unit apache2
diff --git a/roles/ffmwu-meshing/tasks/fastd.yml b/roles/ffmwu-meshing/tasks/fastd.yml
index 3a212bb..623339e 100644
--- a/roles/ffmwu-meshing/tasks/fastd.yml
+++ b/roles/ffmwu-meshing/tasks/fastd.yml
@@ -2,7 +2,6 @@
 - name: ensure correct ownership of /etc/fastd
 file: path=/etc/fastd state=directory mode=0750 owner=admin group=admin
- become: True
 - name: find ssh keyfile name for use with git
 shell: grep IdentityFile ~/.ssh/config | awk '{print $2}'
diff --git a/roles/ffmwu-server/tasks/main.yml b/roles/ffmwu-server/tasks/main.yml
index 265cd6e..07e8678 100644
--- a/roles/ffmwu-server/tasks/main.yml
+++ b/roles/ffmwu-server/tasks/main.yml
@@ -10,7 +10,6 @@
 - block:
 - name: ensure needed system users are present
 user: name=admin comment="Freifunk MWU Admin" shell=/bin/bash state=present
- become: True
 - name: ensure all wanted ssh keys exclusively
 authorized_key: exclusive=True state=present user=admin
@@ -18,11 +17,9 @@
 - name: ensure vim is default editor
 alternatives: name=editor path=/usr/bin/vim.basic
- become: True
 - name: set timezone to Europe/Berlin
 timezone: name=Europe/Berlin
- become: True
 when: (ansible_managed_server is defined) and (ansible_managed_server)
 # end block
diff --git a/roles/git-fastd-peers/tasks/main.yml b/roles/git-fastd-peers/tasks/main.yml
index d3086dd..5a1ffa0 100644
--- a/roles/git-fastd-peers/tasks/main.yml
+++ b/roles/git-fastd-peers/tasks/main.yml
@@ -5,7 +5,6 @@
 state: present
 with_items:
 - git
- become: true
 - name: create fastd peer mesh directories
 file:
@@ -15,7 +14,6 @@
 owner: admin
 group: admin
 with_dict: "{{ meshes }}"
- become: true
 - name: create fastd peer intragate directories
 file:
@@ -25,7 +23,6 @@
 owner: admin
 group: admin
 with_dict: "{{ meshes }}"
- become: true
 - name: clone fastd peer mesh repos
 git:
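Review bot: `shell: grep IdentityFile ~/.ssh/config | awk '{print $2}'` now executes under the repo-wide `become=True`, so `~` expands to root's home and the task returns root's IdentityFile (or fails on a missing file) rather than admin's, which is presumably the key the later git step needs. Give this task `become: false` (or `become_user: admin`) so it keeps reading the connecting user's config; the `file:` task above it genuinely needs root for /etc/fastd and is fine as is. The task's consumers are outside this hunk, so the effect on the git step is inferred, not visible.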
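Review bot: `authorized_key: exclusive=True state=present user=admin` replaces admin's entire authorized_keys with the supplied list, and since the playbook now logs in as `remote_user = admin`, an empty or mis-rendered key variable (the `key=` argument lies outside this hunk) locks the automation itself out of the host. Guard the task with a `when:` on the key list being non-empty, or an `assert` task just before it, and consider whether it belongs inside the `ansible_managed_server` block at all. Style: these tasks use `key=value` argument strings while the other roles in this diff use block YAML for module arguments.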
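Review bot: the `clone fastd peer mesh repos` task that begins at the end of this hunk (its `git:` arguments are outside the hunk) now runs as root under the global become, so the checkout into the admin-owned directories created just above will be root-owned and any SSH deploy key is resolved from root's ~/.ssh rather than admin's. Add `become: false` (or `become_user: admin`) to the clone tasks so ownership matches the `owner: admin group: admin` set on the directories; if the clone must run as root, make the key path explicit with `key_file:` and fix ownership afterwards.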
diff --git a/roles/kmod-batman/tasks/main.yml b/roles/kmod-batman/tasks/main.yml
index 1ee26f7..15fe652 100644
--- a/roles/kmod-batman/tasks/main.yml
+++ b/roles/kmod-batman/tasks/main.yml
@@ -9,10 +9,8 @@
 - linux-headers-amd64
 - batman-adv-dkms
 - batctl
- become: true
 - name: configure batman module to load on system boot
 template:
 src: batman-adv.module.conf.j2
 dest: /etc/modules-load.d/batman-adv.conf
- become: true
diff --git a/roles/network-batman/tasks/main.yml b/roles/network-batman/tasks/main.yml
index bc0ff67..9e181cb 100644
--- a/roles/network-batman/tasks/main.yml
+++ b/roles/network-batman/tasks/main.yml
@@ -4,14 +4,12 @@
 src: dummy.j2
 dest: "/etc/network/interfaces.d/{{ item.key }}0"
 with_dict: "{{ meshes }}"
- become: true
 - name: create batman interfaces
 template:
 src: batman.j2
 dest: "/etc/network/interfaces.d/{{ item.key }}BAT"
 with_dict: "{{ meshes }}"
- become: true
 - name: set sysfs variables
 template:
@@ -19,4 +17,3 @@
 dest: "/etc/sysfs.d/99-{{ item.key }}BAT.conf"
 with_dict: "{{ meshes }}"
 notify: activate sysfs variables
- become: true
diff --git a/roles/network-fastd/tasks/main.yml b/roles/network-fastd/tasks/main.yml
index 1474772..978d76d 100644
--- a/roles/network-fastd/tasks/main.yml
+++ b/roles/network-fastd/tasks/main.yml
@@ -4,11 +4,9 @@
 src: fastd-mesh.j2
 dest: "/etc/network/interfaces.d/{{ item.key }}VPN"
 with_dict: "{{ meshes }}"
- become: true
 - name: create fastd intragate interfaces
 template:
 src: fastd-intragate.j2
 dest: "/etc/network/interfaces.d/{{ item.key }}igVPN"
 with_dict: "{{ meshes }}"
- become: true
diff --git a/roles/network-ffrl/tasks/main.yml b/roles/network-ffrl/tasks/main.yml
index 439c2de..13c7fd0 100644
--- a/roles/network-ffrl/tasks/main.yml
+++ b/roles/network-ffrl/tasks/main.yml
@@ -4,4 +4,3 @@
 src: ffrl.j2
 dest: "/etc/network/interfaces.d/{{ item.key }}"
 with_dict: "{{ ffrl_exit_server }}"
- become: true
diff --git a/roles/network-meshbridge/tasks/main.yml b/roles/network-meshbridge/tasks/main.yml
index 06ea01b..3b360e3 100644
--- a/roles/network-meshbridge/tasks/main.yml
+++ b/roles/network-meshbridge/tasks/main.yml
@@ -4,7 +4,6 @@
 src: bridge.j2
 dest: "/etc/network/interfaces.d/{{ item.key }}BR"
 with_dict: "{{ meshes }}"
- become: true
 - name: set sysfs variables
 template:
@@ -12,4 +11,3 @@
 dest: "/etc/sysfs.d/99-{{ item.key }}BR.conf"
 with_dict: "{{ meshes }}"
 notify: activate sysfs variables
- become: true
diff --git a/roles/network-routetables/tasks/main.yml b/roles/network-routetables/tasks/main.yml
index ba14fc9..d816c2f 100644
--- a/roles/network-routetables/tasks/main.yml
+++ b/roles/network-routetables/tasks/main.yml
@@ -6,4 +6,3 @@
 line: "{{ item.value }}{{ '\t' }}{{ item.key }}"
 state: present
 with_dict: "{{ routing_tables }}"
- become: true
diff --git a/roles/packages/tasks/main.yml b/roles/packages/tasks/main.yml
index 62beb1d..81c049c 100644
--- a/roles/packages/tasks/main.yml
+++ b/roles/packages/tasks/main.yml
@@ -21,7 +21,6 @@
 with_items: "{{ (pkg_repo_list|default({})).repo_keys | default([]) }}"
 loop_control:
 loop_var: pkg_item
- become: True
 # see defaults in with - when: (pkg_repo_list is defined) and (pkg_repo_list.repo_keys is defined)
 - name: ensure defined apt repos
@@ -33,7 +32,6 @@
 with_items: "{{ (pkg_repo_list|default({})).repos | default([]) }}"
 loop_control:
 loop_var: pkg_item
- become: True
 # see defaults in with - when: (pkg_repo_list is defined) and (pkg_repo_list.repos is defined)
 # see defaults in with - when: pkg_repo_list is defined
@@ -48,7 +46,6 @@
 with_items: "{{meshing_pkg_pkg_list | default([])}}"
 loop_control:
 loop_var: mwu_m_item
- become: True
 # see default in with - when: meshing_pkg_pkg_list is defined
 - name: ensure defined python libs
@@ -56,7 +53,6 @@
 with_items: "{{meshing_pkg_pip_list | default([])}}"
 loop_control:
 loop_var: mwu_m_item
- become: True
 # see default in with - when: meshing_pkg_pip_list is defined
 when: (really_do is defined) and (really_do)
diff --git a/roles/prerequisites/tasks/main.yml b/roles/prerequisites/tasks/main.yml
index 6ec8837..b5f19bc 100755
--- a/roles/prerequisites/tasks/main.yml
+++ b/roles/prerequisites/tasks/main.yml
@@ -11,4 +11,3 @@
 - name: Test root access for admin account
 command: "true"
 changed_when: False
- become: True
diff --git a/roles/server-basic/tasks/main.yml b/roles/server-basic/tasks/main.yml
index f5e28b4..a33f925 100644
--- a/roles/server-basic/tasks/main.yml
+++ b/roles/server-basic/tasks/main.yml
@@ -6,15 +6,12 @@
 update_cache: yes
 cache_valid_time: 21600
 with_items: "{{ packages }}"
- become: true
 - name: ensure vim is default editor
 alternatives:
 name: editor
 path: /usr/bin/vim.basic
- become: true
 - name: set timezone to Europe/Berlin
 timezone:
 name: Europe/Berlin
- become: true
diff --git a/roles/server-repos/tasks/main.yml b/roles/server-repos/tasks/main.yml
index c7a6724..016900d 100644
--- a/roles/server-repos/tasks/main.yml
+++ b/roles/server-repos/tasks/main.yml
@@ -8,21 +8,18 @@
 with_items:
 - dirmngr
 - apt-transport-https
- become: true
 - name: ensure apt key for universe-factory is present
 apt_key:
 state: present
 id: 16ef3f64cb201d9c
 keyserver: pgp.mit.edu
- become: true
 - name: ensure apt key for freifunk-mwu is present
 apt_key:
 state: present
 id: 83A70084
 url: "http://repo.freifunk-mwu.de/83A70084.gpg.key"
- become: true
 - name: ensure needed apt repos are present
 apt_repository:
@@ -31,4 +28,3 @@
 update_cache: "{{ item.update_cache }}"
 filename: "{{ item.name }}"
 with_items: "{{ repos }}"
- become: true
diff --git a/roles/service-bird/tasks/main.yml b/roles/service-bird/tasks/main.yml
index 152a1ee..822b130 100644
--- a/roles/service-bird/tasks/main.yml
+++ b/roles/service-bird/tasks/main.yml
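Review bot: `Test root access for admin account` now only tests root access because ansible.cfg sets `become=True`; with the explicit `become: True` removed, a run with `ANSIBLE_BECOME=false` or a different config makes `command: "true"` pass trivially while the task is still named as a sudo check. Keep `become: true` on this one task so the check stays self-contained, with a comment like `# escalate explicitly: this task verifies sudo works regardless of the global become setting`. Unrelated but visible in the header: the file mode is `100755`, which a tasks file does not need.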
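Review bot: `id: 83A70084` pins the freifunk-mwu key by its 32-bit short key id, which is cheap to collide, and the key is downloaded over plain `http://`, so an on-path attacker can serve a colliding key and then sign packages for the repositories added by the next task. Use the full 40-hex fingerprint in `id:` and an `https://` URL where available; `id: 16ef3f64cb201d9c` for the universe-factory key is a 64-bit id, which is better, but a full fingerprint is still preferable and `pgp.mit.edu` is a single SKS node whose availability has been poor. roles/ffmwu-build/tasks/packages.yml installs the same two keys with different parameters (`keyserver.ubuntu.com`, no `id:` for the HTTP-fetched key); one shared definition would keep them consistent.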
@@ -7,7 +7,6 @@
 with_items:
 - bird-bgp
 - bird-doc
- become: true
 - name: write bird configuration
 template:
@@ -20,7 +19,6 @@
 with_items:
 - ""
 - 6
- become: true
 - name: configure mwu peers
 template:
@@ -33,7 +31,6 @@
 with_items:
 - 4
 - 6
- become: true
 - name: enable + start systemd units bird + bird6
 systemd:
@@ -43,4 +40,3 @@
 with_items:
 - ""
 - 6
- become: true
diff --git a/roles/service-dhcpd/tasks/main.yml b/roles/service-dhcpd/tasks/main.yml
index b958b4f..9430dd6 100644
--- a/roles/service-dhcpd/tasks/main.yml
+++ b/roles/service-dhcpd/tasks/main.yml
@@ -3,14 +3,12 @@
 apt:
 name: isc-dhcp-server
 state: present
- become: true
 - name: enable systemd unit isc-dhcp-server
 systemd:
 name: isc-dhcp-server
 enabled: yes
 daemon_reload: yes
- become: true
 - name: concatenate meshbridge interfaces
 set_fact:
@@ -22,18 +20,15 @@
 regexp: '^INTERFACESv4="'
 line: 'INTERFACESv4="{{ dhcp_interfaces }}"'
 notify: restart isc dhcp server
- become: true
 - name: set ipv6 interfaces isc dhcp should listen on
 lineinfile:
 path: /etc/default/isc-dhcp-server
 regexp: '^INTERFACESv6="'
 line: 'INTERFACESv6=""'
- become: true
 - name: configure isc dhcp server
 template:
 src: dhcpd.conf.j2
 dest: /etc/dhcp/dhcpd.conf
 # notify: restart isc dhcp server
- become: true
diff --git a/roles/service-fastd-intragate/tasks/main.yml b/roles/service-fastd-intragate/tasks/main.yml
index 9284cf1..4228108 100644
--- a/roles/service-fastd-intragate/tasks/main.yml
+++ b/roles/service-fastd-intragate/tasks/main.yml
@@ -3,7 +3,6 @@
 apt:
 name: fastd
 state: present
- become: true
 - name: create fastd intragate directories
 file:
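Review bot: `# notify: restart isc dhcp server` on the `configure isc dhcp server` task is commented out, so a changed dhcpd.conf is never applied until someone restarts the service by hand, while the INTERFACESv4 change a few lines above does notify the handler. If the restart is skipped on purpose to avoid disrupting leases, say so in the comment (e.g. `# not notifying: a restart drops in-flight leases, restart in a maintenance window`), and add `validate: 'dhcpd -t -cf %s'` to the template task so a broken rendering is rejected before it lands in /etc/dhcp/dhcpd.conf.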
@@ -11,18 +10,15 @@
 state: directory
 mode: 0755
 with_dict: "{{ meshes }}"
- become: true
 - name: template fastd mesh config
 template:
 src: fastd-intragate.conf.j2
 dest: "/etc/fastd/{{ item.key }}igVPN/fastd.conf"
 with_dict: "{{ meshes }}"
- become: true
 - name: write fastd intragate secret
 template:
 src: fastd-secret.conf.j2
 dest: "/etc/fastd/{{ item.key }}igVPN/secret.conf"
 with_dict: "{{ meshes }}"
- become: true
diff --git a/roles/service-fastd-mesh/tasks/main.yml b/roles/service-fastd-mesh/tasks/main.yml
index dc377de..cf0036a 100644
--- a/roles/service-fastd-mesh/tasks/main.yml
+++ b/roles/service-fastd-mesh/tasks/main.yml
@@ -3,7 +3,6 @@
 apt:
 name: fastd
 state: present
- become: true
 - name: create fastd directories
 file:
@@ -11,18 +10,15 @@
 state: directory
 mode: 0755
 with_dict: "{{ meshes }}"
- become: true
 - name: template fastd mesh config
 template:
 src: fastd-mesh.conf.j2
 dest: "/etc/fastd/{{ item.key }}VPN/fastd.conf"
 with_dict: "{{ meshes }}"
- become: true
 - name: write fastd mesh secret
 template:
 src: fastd-secret.conf.j2
 dest: "/etc/fastd/{{ item.key }}VPN/secret.conf"
 with_dict: "{{ meshes }}"
- become: true
diff --git a/roles/service-haveged/tasks/main.yml b/roles/service-haveged/tasks/main.yml
index 3e3f5a7..d57f916 100644
--- a/roles/service-haveged/tasks/main.yml
+++ b/roles/service-haveged/tasks/main.yml
@@ -4,11 +4,9 @@
 name: haveged
 state: present
 notify: reload systemd
- become: true
 - name: start and enable systemd unit haveged
 systemd:
 name: haveged
 enabled: yes
 state: started
- become: true
diff --git a/roles/service-ntpd/tasks/main.yml b/roles/service-ntpd/tasks/main.yml
index 907c8ae..50cabca 100644
--- a/roles/service-ntpd/tasks/main.yml
+++ b/roles/service-ntpd/tasks/main.yml
@@ -4,7 +4,6 @@
 name: systemd-timesyncd
 enabled: no
 state: stopped
- become: true
 - name: install ntp packages
 apt:
@@ -17,7 +16,6 @@
 - ntp-doc
 - ntpdate
 - ntpstat
- become: true
 - name: enable and start ntp daemon
 systemd:
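Review bot: `write fastd intragate secret` templates the fastd private key to `/etc/fastd/{{ item.key }}igVPN/secret.conf` with no `mode:`, so the file is created with the default umask (typically 0644) inside a directory created with `mode: 0755`, i.e. the key is world-readable to every local user. Add `mode: "0600"` and an explicit `owner:`/`group:` matching the account fastd runs as (not visible here) to the template task, and set `no_log: true` on it so the rendered secret does not appear in verbose or diff output. `fastd-secret.conf.j2` is shared with the mesh role, which has the same gap.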
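Review bot: `write fastd mesh secret` writes `/etc/fastd/{{ item.key }}VPN/secret.conf` without a `mode:`, so the fastd private key lands world-readable under the `0755` directory created above. Add `mode: "0600"` plus an explicit `owner:`/`group:` for the fastd runtime user, and `no_log: true` on the task, as for the intragate role's secret task.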
@@ -25,4 +23,3 @@
 enabled: yes
 state: started
 daemon_reload: yes
- become: true
diff --git a/roles/service-radvd/tasks/main.yml b/roles/service-radvd/tasks/main.yml
index 71d1521..42c4ba7 100644
--- a/roles/service-radvd/tasks/main.yml
+++ b/roles/service-radvd/tasks/main.yml
@@ -3,18 +3,15 @@
 apt:
 name: radvd
 state: present
- become: true
 - name: enable systemd unit radvd
 systemd:
 name: radvd
 enabled: yes
 daemon_reload: yes
- become: true
 - name: configure radvd
 template:
 src: radvd.conf.j2
 dest: /etc/radvd.conf
 #notify: restart radvd
- become: true
diff --git a/roles/service-rclocal/tasks/main.yml b/roles/service-rclocal/tasks/main.yml
index 8a161f4..1400aa1 100644
--- a/roles/service-rclocal/tasks/main.yml
+++ b/roles/service-rclocal/tasks/main.yml
@@ -4,10 +4,8 @@
 src: rc.local.j2
 dest: /etc/rc.local
 mode: 0755
- become: true
 - name: enable systemd unit rc.local
 systemd:
 name: rc.local
 enabled: yes
- become: true