---
# Pre-flight gate: stop the run when the Ansible release in use is older than
# the versions this playbook accepts.
- name: Security assertions
  hosts: [ 'all' ]
  tags: [ 'play::security-assertions' ]
  # Neither facts nor privilege escalation are requested; the assertion below
  # reads only the 'ansible_version' variable.
  gather_facts: false
  become: false

  tasks:

    - name: Check for Ansible version without known vulnerabilities
      assert:
        that:
          # Floor applied to every release: 2.1.5.0 or newer.
          - 'ansible_version.full | version_compare("2.1.5.0", ">=")'
          # Releases whose minor component is 2 must also be at least 2.2.2.0.
          # Only the minor component is tested here, not the major one; any
          # other minor value relies on the floor above.
          - '((ansible_version.minor == 2) and (ansible_version.full | version_compare("2.2.2.0", ">="))) or (ansible_version.minor != 2)'
        # The message advertises '--skip-tags play::security-assertions'.
        # Skipping that tag disables this whole play, so the remaining plays
        # run without any version check.
        msg: 'VULNERABLE or unsupported Ansible version DETECTED, please update to Ansible >= v2.1.5 or a newer Ansible release >= v2.2.2! To skip, add "--skip-tags play::security-assertions" parameter. Check the debops-playbook changelog for details. Exiting.'
      # Evaluated once per run and delegated to localhost instead of being
      # repeated on every host matched by 'all'.
      run_once: true
      delegate_to: 'localhost'
# Pull in the plays from service/core.yml ahead of the common play.
# Play-level 'include' is the form available to the Ansible 2.1/2.2 releases
# that the version assertion in this file admits; Ansible 2.4 introduced
# 'import_playbook' as its replacement.
- include: 'service/core.yml'
# Baseline play: applies the common role set to every host in
# 'debops_all_hosts' that is not also a member of 'debops_no_common'.
- name: Common configuration for all hosts
  # The '!' pattern excludes a group. Hosts placed in 'debops_no_common'
  # receive none of the roles below, including the ferm, tcpwrappers, sshd
  # and unattended_upgrades roles.
  hosts: [ 'debops_all_hosts', '!debops_no_common' ]
  gather_facts: true
  # Every role in this play runs with privilege escalation.
  become: true

  # Environment for all tasks: the inventory-wide dict, then the group dict,
  # then the host dict, merged in that order so later dicts override earlier
  # keys. Each one falls back to an empty dict when undefined.
  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment | d({})) }}'

  # Roles run in the order listed. The '<role>/env' entries come before
  # debops.secret and the roles that share their tags.
  # NOTE(review): presumably they define variables used later, such as
  # 'pki_env_secret_directories' - confirm against the roles.
  roles:

    - role: debops.debops_fact
      tags: [ 'role::debops_fact' ]

    - role: debops.environment
      tags: [ 'role::environment' ]

    - role: debops.nullmailer/env
      tags: [ 'role::nullmailer', 'role::ferm', 'role::tcpwrappers' ]

    - role: debops.pki/env
      tags: [ 'role::pki', 'role::pki:secret', 'role::secret' ]

    # Receives the secret directory list from the pki/env step above.
    - role: debops.secret
      tags: [ 'role::secret', 'role::pki', 'role::pki:secret' ]
      secret_directories:
        - '{{ pki_env_secret_directories }}'

    # APT pinning entries contributed by the sshd, apt, apt_install and
    # rsyslog roles.
    - role: debops.apt_preferences
      tags: [ 'apt_preferences', 'role::apt_preferences' ]
      apt_preferences__dependent_list:
        - '{{ sshd__apt_preferences__dependent_list }}'
        - '{{ apt__apt_preferences__dependent_list }}'
        - '{{ apt_install__apt_preferences__dependent_list }}'
        - '{{ rsyslog__apt_preferences__dependent_list }}'

    - role: debops.apt_proxy
      tags: [ 'role::apt_proxy' ]

    - role: debops.atd
      tags: [ 'role::atd' ]

    - role: debops.dhparam
      tags: [ 'role::dhparam' ]

    - role: debops.pki
      tags: [ 'role::pki' ]

    - role: debops.apt
      tags: [ 'role::apt' ]

    - role: debops.apt_listchanges
      tags: [ 'role::apt_listchanges' ]

    - role: debops.apt_install
      tags: [ 'role::apt_install' ]

    - role: debops.etc_services
      tags: [ 'role::etc_services' ]
      etc_services__dependent_list:
        - '{{ rsyslog__etc_services__dependent_list }}'

    - role: debops.logrotate
      tags: [ 'role::logrotate' ]
      logrotate__dependent_config:
        - '{{ rsyslog__logrotate__dependent_config }}'

    - role: debops.auth
      tags: [ 'role::auth' ]

    - role: debops.nsswitch
      tags: [ 'role::nsswitch' ]

    - role: debops.resources
      tags: [ 'role::resources' ]

    # Firewall rules are collected from the ntp, nullmailer, rsyslog and sshd
    # roles. Running with '--tags role::ferm' also selects debops.nullmailer/env
    # above, which carries the same tag.
    - role: debops.ferm
      tags: [ 'role::ferm' ]
      ferm__dependent_rules:
        - '{{ ntp__ferm__dependent_rules }}'
        - '{{ nullmailer__ferm__dependent_rules }}'
        - '{{ rsyslog__ferm__dependent_rules }}'
        - '{{ sshd__ferm__dependent_rules }}'

    # TCP wrappers allow entries are collected from the nullmailer and sshd
    # roles.
    - role: debops.tcpwrappers
      tags: [ 'role::tcpwrappers' ]
      tcpwrappers_dependent_allow:
        - '{{ nullmailer__tcpwrappers__dependent_allow }}'
        - '{{ sshd__tcpwrappers__dependent_allow }}'

    - role: debops.ntp
      tags: [ 'role::ntp' ]

    - role: debops.root_account
      tags: [ 'role::root_account' ]

    - role: debops.console
      tags: [ 'role::console' ]

    - role: debops.sysctl
      tags: [ 'role::sysctl' ]

    - role: debops.nullmailer
      tags: [ 'role::nullmailer' ]

    - role: debops.rsyslog
      tags: [ 'role::rsyslog' ]

    - role: debops.unattended_upgrades
      tags: [ 'role::unattended_upgrades' ]

    - role: debops.users
      tags: [ 'role::users' ]

    - role: debops.authorized_keys
      tags: [ 'role::authorized_keys' ]

    - role: debops.sshd
      tags: [ 'role::sshd' ]

    - role: debops.cron
      tags: [ 'role::cron' ]