Touch anything

* Add quoting * Use fully qualified community names (FQCNs) * Use quoted octal unix-permissions * Replace module "synchronize" with "copy" * Add and fix names to tasks and handlers
2022-05-01 22:31:20 +02:00 · 2022-05-01 22:31:20 +02:00 · 7523e61773
parent 4d9e4a4d80
commit 7523e61773
15 changed files with 205 additions and 189 deletions
--- a/roles/fai/handlers/main.yml
+++ b/roles/fai/handlers/main.yml
@ -1,48 +1,56 @@
 ---
 # handlers file for fai

- name: restart tftp server
-  service:
+- name: "Restart tftp server"
+  ansible.builtin.service:
    name: tftpd-hpa
    state: restarted
    enabled: true
  listen: restart tftpd

- name: restart apt-cacher-ng
-  service:
+- name: "Restarting apt-cacher-ng"
+  ansible.builtin.service:
    name: apt-cacher-ng
    state: restarted
    enabled: true
  listen: restart apt-cacher-ng

- name: pack fai configuration
-  shell: "tar -C {{ fai_configdir }} -cf {{ fai_download_dir }}/{{ fai_profiles_archive }} ."
+- name: "Pack fai configuration"
+  ansible.builtin.shell: |
+    tar -C "{{ fai_configdir }}" \
+    -cf "{{ fai_download_dir + '/' + fai_profiles_archive }}" .
  listen: pack fai-config

- name: ensure inetd is refreshed, when config changed
-  service:
+- name: "Restarting inetd"
+  ansible.builtin.service:
    name: inetutils-inetd
    state: restarted
  listen: restart inetd

- name: reload ntp config
-  service:
+- name: "Restarting ntp config"
+  ansible.builtin.service:
    name: ntp
    state: restarted
  listen: restart ntp

- name: ensure http server is restart after config change
-  service:
+- name: "Restarting nginx"
+  ansible.builtin.service:
    name: nginx
    state: restarted
  listen: restart nginx

- name: apply iptables rules
-  shell: iptables-restore /etc/iptables/rules.v4
+- name: "apply iptables rules"
+  ansible.builtin.shell: iptables-restore "/etc/iptables/rules.v4"
  listen: apply iptables

- name: reload dhcp
-  service:
+- name: "restart dhcp"
+  ansible.builtin.service:
    name: isc-dhcp-server
    state: restarted
  listen: restart dhcpd
+
+- name: "Reloading unbound"
+  ansible.builtin.service:
+    name: unbound
+    state: reloaded
+  listen: "reload unbound"
--- a/roles/fai/tasks/apt-cacher-ng.yml
+++ b/roles/fai/tasks/apt-cacher-ng.yml
@ -1,11 +1,11 @@
- name: install apt cacher
-  package:
+- name: "Install apt cacher"
+  ansible.builtin.package:
    name:
      - apt-cacher-ng
    state: present

- name: configure apt cacher
-  copy:
+- name: "Configure apt cacher"
+  ansible.builtin.copy:
    content: |
      CacheDir: /var/cache/apt-cacher-ng
      LogDir: /var/log/apt-cacher-ng
@ -33,35 +33,35 @@

      # Only serve available files
      Offlinemode: {% if apt_cacher_offline_mode %}1{% else %}0{% endif %}
-    dest: /etc/apt-cacher-ng/acng.conf
+    dest: "/etc/apt-cacher-ng/acng.conf"
    owner: root
    group: root
-    mode: u=rw,g=r,o=r
+    mode: '0644'
  notify: restart apt-cacher-ng

- name: set ubuntu server as backend
-  copy:
+- name: "Set ubuntu server as backend"
+  ansible.builtin.copy:
    content: |
      http://archive.ubuntu.com/ubuntu/
-    dest: /etc/apt-cacher-ng/backends_ubuntu
+    dest: "/etc/apt-cacher-ng/backends_ubuntu"
    owner: root
    group: root
-    mode: u=rw,g=r,o=r
+    mode: '0644'

- name: ensure service is started and enabled
-  service:
+- name: "Ensure service is started and enabled"
+  ansible.builtin.service:
    name: apt-cacher-ng
    enabled: true
    state: started

- name: set apt cache also for installer host
-  copy:
-    dest: /etc/apt/apt.conf.d/00proxy
+- name: "Set apt cache also for installer host"
+  ansible.builtin.copy:
+    dest: "/etc/apt/apt.conf.d/00proxy"
    content: |
      Acquire::http::Proxy "http://localhost:3142";
    owner: root
    group: root
-    mode: u=rw,g=r,o=r
+    mode: '0644'
  when:
    - use_apt_cache_for_server

--- a/roles/fai/tasks/fai-configure.yml
+++ b/roles/fai/tasks/fai-configure.yml
@ -1,6 +1,6 @@
- name: setup repos for fai
-  copy:
-    dest: /etc/fai/apt/sources.list
+- name: "Setup repos for fai"
+  ansible.builtin.copy:
+    dest: "/etc/fai/apt/sources.list"
    content: |
      {% if use_apt_cache_for_server %}
      deb http://localhost:3142/deb.debian.org/debian buster main contrib non-free
@ -13,15 +13,15 @@
      deb http://deb.debian.org/debian/ buster-updates main
      deb http://fai-project.org/download buster koeln
      {% endif %}
-    mode: u=rw,g=r,o=r
+    mode: '0644'
    owner: root
    group: root
  register: fai_apt_mirrors

- name: set loguser
-  copy:
-    dest: /etc/fai/fai.conf
-    mode: u=rw,g=r,o=r
+- name: "Set loguser"
+  ansible.builtin.copy:
+    dest: "/etc/fai/fai.conf"
+    mode: '0644'
    owner: root
    group: root
    content: |
--- a/roles/fai/tasks/fai-ipxe.yml
+++ b/roles/fai/tasks/fai-ipxe.yml
@ -1,20 +1,21 @@
- package:
+- name: "Install package ipxe"
+  ansible.builtin.package:
    name: ipxe
    state: present

- name: copy ipxe
-  copy:
+- name: "Copy ipxe"
+  ansible.builtin.copy:
    src: "{{ item }}"
-    dest: /srv/tftp/fai
+    dest: "/srv/tftp/fai"
    remote_src: yes
  with_items:
-    - /usr/lib/ipxe/ipxe.efi
-    - /usr/lib/ipxe/ipxe.pxe
-    - /usr/lib/ipxe/ipxe.lkrn
+    - "/usr/lib/ipxe/ipxe.efi"
+    - "/usr/lib/ipxe/ipxe.pxe"
+    - "/usr/lib/ipxe/ipxe.lkrn"
  notify: restart tftpd

- name: write ipxe menu
-  copy:
+- name: "Write ipxe menu"
+  ansible.builtin.copy:
    content: |
      #!ipxe
      set boot-root {{ http_mirror_ipxe_root_url }}
@ -95,8 +96,8 @@
      goto start{% endif %}

      {% endfor %}
-    dest: /srv/tftp/fai/menu.ipxe
-    mode: 0644
+    dest: "/srv/tftp/fai/menu.ipxe"
+    mode: '0644'
    owner: root
    group: root
  notify: restart tftpd
--- a/roles/fai/tasks/fai-prepare.yml
+++ b/roles/fai/tasks/fai-prepare.yml
@ -1,36 +1,36 @@
- name: trust fai key
-  apt_key:
+- name: "Trust fai key"
+  ansible.builtin.apt_key:
    id: B11EE3273F6B2DEB528C93DA2BF8D9FE074BCDE4
    url: https://fai-project.org/download/2BF8D9FE074BCDE4.asc 
    state: present

- name: add fai repo
-  apt_repository:
+- name: "Add fai repo"
+  ansible.builtin.apt_repository:
    repo: deb http://fai-project.org/download {{ debian_release }} koeln 
    state: present

- name: install all required fai programs
-  package:
+- name: "Install all required fai programs"
+  ansible.builtin.package:
    name:
      - fai-server
      - squashfs-tools
      - ipxe
    state: present

- name: create fai profiles directory
-  file:
+- name: "Create fai profiles directory"
+  ansible.builtin.file:
    name: "{{ fai_configdir }}"
    state: directory
-    mode: u=rwx,g=rx,o=rx
+    mode: '0755'
    owner: root
    group: root
    recurse: true

- name: create http download directories
-  file:
+- name: "Create http download directories"
+  ansible.builtin.file:
    name: "{{ item }}"
    state: directory
-    mode: u=rwx,g=rx,o=rx
+    mode: '0755'
    owner: root
    group: root
    recurse: true
--- a/roles/fai/tasks/fai-profiles.yml
+++ b/roles/fai/tasks/fai-profiles.yml
@ -1,37 +1,39 @@
- name: create fai dir
-  file:
-    name: /srv/fai/config
+- name: "Create fai dir"
+  ansible.builtin.file:
+    name: "/srv/fai/config"
    state: directory
    owner: root
    group: root
-    mode: u=rwx,g=rx,o=rx
+    mode: '0755'

- name: copy fai profiles
-  synchronize:
-    src: profiles/
+- name: "Copy fai profiles"
+  ansible.builtin.copy:
+    src: "profiles/"
    dest: "{{ fai_configdir }}"
-    mode: push
-    delete: yes
+    user: root
+    group: root
+    mode: '0755'
+    force: yes
    recursive: yes
  notify: pack fai-config

- name: Set APT proxy
-  template:
+- name: "Set APT proxy"
+  ansible.builtin.template:
    src: fai-profile-00-proxy.yml
    dest: "{{ fai_configdir }}/files/etc/apt/apt.conf.d/00-proxy/HW4F_DESKTOP"
    owner: root
    group: root
-    mode: u=rw,g=r,o=r
+    mode: '0644'
  notify: pack fai-config

- name: Set fai provision vars for HW4F profile
-  copy:
+- name: "Set fai provision vars for HW4F profile"
+  ansible.builtin.copy:
    content: |
-      # set time
+      ### CONFIGURE TIME
      UTC=yes
      TIMEZONE=Europe/Berlin

-      # some install parameters
+      ### INSTALL PARAMETERS
      STOP_ON_ERROR=700
      MAXPACKAGES=800

@ -43,6 +45,6 @@
    dest: "{{ fai_configdir }}/class/HW4F_DESKTOP.var"
    owner: root
    group: root
-    mode: u=rw,g=r,o=r
+    mode: '0644'
  notify: pack fai-config

--- a/roles/fai/tasks/fai-pxe.yml
+++ b/roles/fai/tasks/fai-pxe.yml
@ -1,44 +1,50 @@
- find:
-    paths: /srv/fai/nfsroot/boot
+- name: "Find linux kernel images"
+  ansible.builtin.find:
+    paths: "/srv/fai/nfsroot/boot"
    patterns: "vmlinuz-*"
  register: fai_live_vmlinuz

- find:
-    paths: /srv/fai/nfsroot/boot
+- name: "Find linux initial ram-disks"
+  ansible.builtin.find:
+    paths: "/srv/fai/nfsroot/boot"
    patterns: "initrd.img-*"
  register: fai_live_initrd

- set_fact:
+- name: "Manipulate file pathes"
+  ansible.builtin.set_fact:
    fai_live_vmlinuz: "{{ fai_live_vmlinuz.files[0].path |regex_replace('.*/', '') }}"
    fai_live_initrd: "{{ fai_live_initrd.files[0].path |regex_replace('.*/', '') }}"

- name: copy linux kernel and initrd to tftp root
-  copy:
+- name: "Copy linux kernel and initrd to tftp root"
+  ansible.builtin.copy:
    src: "/srv/fai/nfsroot/boot/{{ item }}"
-    dest: "{{ ipxe_download_dir }}/{{ item }}"
+    dest: "{{ ipxe_download_dir + '/' + item }}"
    owner: root
    group: root
-    mode: u=rw,g=r,o=r
+    mode: '0544'
    remote_src: true
  with_items:
    - "{{ fai_live_vmlinuz }}"
    - "{{ fai_live_initrd }}"

- name: check for generated squashfs image
-  stat:
+- name: "Check for generated squashfs image"
+  ansible.builtin.stat:
    path: "{{ fai_squashfs_path }}"
  register: squash_img

- name: generate a downloadable squashfs of root filesystem
+- name: "Generate a downloadable squashfs of root filesystem"
  shell: "fai-cd -f -M -S {{ fai_squashfs_path }} -d {{ http_mirror_fai_profiles_url }}"
  when:
    - not squash_img.stat.exists

- name: copy additional files
-  synchronize:
-    src: "{{ item.value.files }}/"
-    dest: "{{ ipxe_download_dir }}/{{ item.key }}"
+- name: "Copy additional files"
+  ansible.builtin.copy:
+    src: "{{ item.value.files + '/' }}"
+    dest: "{{ ipxe_download_dir + '/' + item.key }}"
    mode: push
-    delete: yes
+    force: yes
    recursive: yes
-  with_dict: "{{ ipxe_additional_entries }}"
+  loop: "{{ ipxe_additional_entries
+    |dict2items }}"
+  tags:
+    - copy_additional_files
--- a/roles/fai/tasks/fai-root.yml
+++ b/roles/fai/tasks/fai-root.yml
@ -1,5 +1,6 @@
- copy:
-    dest: /etc/fai/nfsroot.conf
+- name: "Create configuration for nfsroot"
+  ansible.builtin.copy:
+    dest: "/etc/fai/nfsroot.conf"
    content: |
      # For a detailed description see nfsroot.conf(5)

@ -16,14 +17,14 @@
      FAI_CONFIGDIR=/srv/fai/config
    owner: root
    group: root
-    mode: u=rw,g=r,o=r
+    mode: '0644'

- name: test nfsroot exists
-  stat:
-    path: /srv/fai/nfsroot
+- name: "Test nfsroot exists"
+  ansible.builtin.stat:
+    path: "/srv/fai/nfsroot"
  register: nfsroot_res

- name: generate root filesystem, kernel and initrd
-  shell: fai-make-nfsroot
+- name: "Generate root filesystem, kernel and initrd"
+  ansible.builtin.shell: fai-make-nfsroot
  when:
    - not nfsroot_res.stat.exists
--- a/roles/fai/tasks/isc-dhcp-server.yml
+++ b/roles/fai/tasks/isc-dhcp-server.yml
@ -1,11 +1,11 @@
- name: install dhcpd
-  package:
+- name: "Install dhcpd"
+  ansible.builtin.package:
    name:
      - isc-dhcp-server
    state: present

- name: configure dhcp server
-  copy:
+- name: "Configure dhcp server"
+  ansible.builtin.copy:
    content: |
      option dhcp-max-message-size 2048;
      use-host-decl-names on;
@ -46,26 +46,26 @@
          }
        }
      }
-    dest: /etc/dhcp/dhcpd.conf
-    mode: u=rw,g=r,o=o
+    dest: "/etc/dhcp/dhcpd.conf"
+    mode: '0644'
    owner: root
    group: root
    #    validate: dhcpd -t -cf %s
  notify: restart dhcpd

- name: set dhcp server interface
-  copy:
+- name: "Set dhcp server interface"
+  ansible.builtin.copy:
    content: |
      INTERFACESv4="{{dhcp_interface}}"
      INTERFACESv6=""
-    dest: /etc/default/isc-dhcp-server
-    mode: u=rw,g=r,o=o
+    dest: "/etc/default/isc-dhcp-server"
+    mode: '0644'
    owner: root
    group: root
  notify: restart dhcpd

- name: start dhcp server
-  service:
+- name: "Start dhcp server"
+  ansible.builtin.service:
    name: isc-dhcp-server
    state: started
    enabled: true
--- a/roles/fai/tasks/main.yml
+++ b/roles/fai/tasks/main.yml
@ -1,29 +1,31 @@
 ---
 # tasks file for fai
 - fail:
-    msg: Please specify FAI serving NIC in variable lan_interface (e.g. eth1)
+    msg: |
+      Please specify the NIC serving FAI
+      in variable 'dhcp_interface' (e.g. eth1)
  when:
    - not dhcp_interface is defined

- name: setup apt proxy cache
+- name: "Setup apt proxy cache"
  include: apt-cacher-ng.yml

- name: configure a time server
+- name: "Configure a time server"
  include: time-server.yml

- name: configure a web server
+- name: "Configure a web server"
  include: nginx.yml

- name: configure tftp
+- name: "Configure tftp"
  include: tftpd-hpa.yml

- name: configure dns server
+- name: "Configure dns server"
  include: unbound.yml

- name: configure nic
+- name: "Configure nic"
  include: network.yml

- name: setup dhcp
+- name: "Setup dhcp"
  include: isc-dhcp-server.yml

 - include: fai-prepare.yml
--- a/roles/fai/tasks/network.yml
+++ b/roles/fai/tasks/network.yml
@ -1,19 +1,20 @@
- name: install packages
-  package:
+---
+- name: "Install networking packages"
+  ansible.builtin.package:
    name:
      - iptables
      - iptables-persistent
      - ifupdown
    state: present

- name: ensure resolved is stopped and disabled
+- name: "Ensure systemd-resolved is stopped and disabled"
  service:
    name: systemd-resolved
    enabled: false
    state: stopped

- name: write config for lan interface
-  copy:
+- name: "Write config for lan interface"
+  ansible.builtin.copy:
    content: |
      auto {{ dhcp_interface }}
      allow-hotplug {{ dhcp_interface }}
@ -26,15 +27,15 @@
    mode: 0644
  register: dhcp_iface_config

- name: restart lan interface
-  shell: |
+- name: "Restart lan interface"
+  ansible.builtin.shell: |
    ifdown --force {{ dhcp_interface }} || true
    ifup {{ dhcp_interface }}
  when:
    - dhcp_iface_config.changed

- name: enable permantent masquerading for ipv4
-  copy:
+- name: "Enable permantent masquerading for ipv4"
+  ansible.builtin.copy:
    content: |
      *nat
      :PREROUTING ACCEPT [0:0]
@ -43,11 +44,11 @@
      :OUTPUT ACCEPT [0:0]
      -A POSTROUTING -o {{wan_interface}} -j MASQUERADE
      COMMIT
-    dest: /etc/iptables/rules.v4
+    dest: "/etc/iptables/rules.v4"
  notify: apply iptables

- name: enable ip forwarding
-  sysctl:
+- name: "Enable ip forwarding"
+  ansible.builtin.sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    sysctl_set: yes
--- a/roles/fai/tasks/nginx.yml
+++ b/roles/fai/tasks/nginx.yml
@ -1,11 +1,11 @@
- name: install nginx
-  package:
+- name: "Install nginx"
+  ansible.builtin.package:
    name:
      - nginx-light
    state: present

- name: configure http server
-  copy:
+- name: "Configure http server"
+  ansible.builtin.copy:
    content: |
      server {
        listen 80 default_server;
@ -22,14 +22,14 @@
          autoindex on;
        }
      }
-    dest: /etc/nginx/sites-enabled/default
-    mode: 0644
+    dest: "/etc/nginx/sites-enabled/default"
+    mode: '0644'
    owner: root
    group: root
  notify: restart nginx

- name: place info site
-  copy:
+- name: "Place info site"
+  ansible.builtin.copy:
    content: |
      <html>
        <head>
@ -41,13 +41,13 @@
        </body>
      </html>

-    dest: /var/www/html/index.html
-    mode: 0644
+    dest: "/var/www/html/index.html"
+    mode: "0644"
    owner: root
    group: root

- name: ensure http server is running
-  service:
+- name: "Ensure http server is running"
+  ansible.builtin.service:
    name: nginx
    state: started
    enabled: true
--- a/roles/fai/tasks/tftpd-hpa.yml
+++ b/roles/fai/tasks/tftpd-hpa.yml
@ -1,21 +1,21 @@
- name: install tftp server
-  package:
+- name: "Install tftp server"
+  ansible.builtin.package:
    name: 
      - tftpd-hpa
    state: present

- name: create tftp fai directory
-  file:
+- name: "Create tftp fai directory"
+  ansible.builtin.file:
    name: "{{ tftp_dir }}"
    state: directory
    owner: root
    group: root
-    mode: u=rwx,g=rx,o=rx
+    mode: '0755'
    recurse: true

- name: configure tftp server
-  copy:
-    dest: /etc/default/tftpd-hpa
+- name: "Configure tftp server"
+  ansible.builtin.copy:
+    dest: "/etc/default/tftpd-hpa"
    content: |
      TFTP_USERNAME="tftp"
      TFTP_DIRECTORY="{{ tftp_dir }}"
@ -23,10 +23,11 @@
      TFTP_OPTIONS="--secure"
    owner: root
    group: root
-    mode: 0644
+    mode: '0644'
  notify: restart tftpd

- service:
+- name: "Start tftp daemon"
+  ansible.builtin.service:
    name: tftpd-hpa
    state: started
    enabled: true
--- a/roles/fai/tasks/time-server.yml
+++ b/roles/fai/tasks/time-server.yml
@ -1,29 +1,29 @@
- name: install inetd and ntp
-  package:
+- name: "Install inetd and ntp"
+  ansible.builtin.package:
    name:
      - inetutils-tools
      - inetutils-inetd
      - ntp
    state: present

- name: configure rdate for inetd
-  copy:
+- name: "Configure rdate for inetd"
+  ansible.builtin.copy:
    content: |
      time stream tcp nowait root internal
-    dest: /etc/inetd.conf
+    dest: "/etc/inetd.conf"
    owner: root
    group: root
-    mode: u=rw,g=r,o=r
+    mode: '0644'
  notify: restart inetd

- name: start inetd
-  service:
+- name: "Start inetd"
+  ansible.builtin.service:
    name: inetutils-inetd
    state: started
    enabled: true

- name: configure ntp server
-  copy:
+- name: "Configure ntp server"
+  ansible.builtin.copy:
    content: |
      driftfile /var/lib/ntp/ntp.drift

@ -48,14 +48,14 @@
      restrict ::1

      restrict source notrap nomodify noquery
-    dest: /etc/ntp.conf
-    mode: 0644
+    dest: "/etc/ntp.conf"
+    mode: '0644'
    owner: root
    group: root
  notify: restart ntp

- name: ntp is running and enabled
-  service:
+- name: "Start and enable ntp daemon"
+  ansible.builtin.service:
    name: ntp
    state: started
    enabled: true
--- a/roles/fai/tasks/unbound.yml
+++ b/roles/fai/tasks/unbound.yml
@ -1,10 +1,10 @@
- name: install unbound server
-  package:
+- name: "Install unbound server"
+  ansible.builtin.package:
    name: unbound
    state: present

- name: configure dns
-  copy:
+- name: "Configure DNS"
+  ansible.builtin.copy:
    content: |
      server:
        access-control: {{ server_net }}.0/{{ server_netbits }} allow
@ -15,20 +15,14 @@

        local-zone: "{{ domain_name }}." static
        local-data: "{{ server_name }}.{{ domain_name }}. IN A {{ server_ip }}"
-    dest: /etc/unbound/unbound.conf.d/fai.conf
-    mode: u=rw,g=r,o=r
+    dest: "/etc/unbound/unbound.conf.d/fai.conf"
+    mode: '0644'
    owner: root
    group: root
-  register: unbound_conf
+  notify: reload unbound

- name: ensure unbound is enabled and running
-  service:
+- name: "Ensure unbound is enabled and running"
+  ansible.builtin.service:
    name: unbound
    state: started
    enabled: true
-
- name: apply dns config
-  systemd:
-    name: unbound
-    state: restarted
-  when: unbound_conf.changed