improve roles structure | fixes #32375

6ca55484 · Emmanuel Cohen · Antoine SCHILDKNECHT · 9174de2e · 6ca55484 · 6ca55484
Commit 6ca55484 authored 4 years ago by Emmanuel Cohen Committed by Antoine SCHILDKNECHT 4 years ago
--- a/Makefile
+++ b/Makefile
@@ -14,7 +14,7 @@ ifdef debug
 	MOLECULE_FLAGS += --debug
 endif
 ifdef keep
-	MOLECULE_TEST_FLAGS += --destroy=never
+	MOLECULE_TEST_FLAGS += --destroy=never --parallel
 endif

 .PHONY: all

--- a/ansible.cfg
+++ b/ansible.cfg
@@ -30,6 +30,8 @@ stdout_callback = debug
 inventory_ignore_patterns = files

 [ssh_connection]
+# enable pipelining to speed up ansible execution
+pipelining = True

 # add custom ssh options
 ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null

--- a/playbooks/locale.yml
+++ b/playbooks/locale.yml
-#!/usr/bin/env ansible-playbook
---
-
- name: LOCALE
-  hosts: all
-  tags: all
-  roles:
-    - conf
-    - locale
-
-...
--- a/playbooks/ntp.yml
+++ b/playbooks/ntp.yml
-#!/usr/bin/env ansible-playbook
---
-
- name: NTP
-  hosts: all
-  tags: all
-  roles:
-    - conf
-    - ntp
-
-...
--- a/roles/base/meta/main.yml
+++ b/roles/base/meta/main.yml
@@ -3,13 +3,9 @@
 dependencies:
  - role: conf
  - role: init
-  - role: repos
-  - role: sysutils
-  - role: logs
-  - role: locale
+  - role: sysconfig
  - role: users
  - role: postfix
-  - role: ntp
  - role: ferm-install
  - role: ferm-configure
  - role: fail2ban

--- a/roles/ferm-configure/tasks/main.yml
+++ b/roles/ferm-configure/tasks/main.yml
@@ -23,52 +23,22 @@
 - name: input
  when: ferm_input_rules | length > 0
  notify: reload ferm
-  copy:
+  template:
+    src: ferm_rules_input.conf.j2
    dest: /etc/ferm/input.d/{{ ferm_rules_filename }}.conf
-    content: |
-      {% for rule in ferm_input_rules %}
-      {% if rule.mod is defined and rule.mod %}mod {{ rule.mod }} {% endif %}
-      {% if rule.helper is defined and rule.helper %}helper {{ rule.helper }} {% endif %}
-      {% if rule.saddr is defined and rule.saddr %}saddr @ipfilter(({{ rule.saddr | join(' ') }})) {% endif %}
-      {% if rule.daddr is defined and rule.daddr %}daddr @ipfilter(({{ rule.daddr | join(' ') }})) {% endif %}
-      {% if rule.proto is defined and rule.proto %}proto ({{ rule.proto | join(' ') }}) {% endif %}
-      {% if rule.dport is defined and rule.dport %}dport ({{ rule.dport | join(' ') }}) {% endif %}
-      {% if rule.sport is defined and rule.sport %}sport ({{ rule.sport | join(' ') }}) {% endif %}
-      {% if rule.policy is defined and rule.policy %}{{ rule.policy | upper }}{% else %}ACCEPT{% endif %};
-      {% endfor %}

 - name: output
  when: ferm_output_rules | length > 0
  notify: reload ferm
-  copy:
+  template:
+    src: ferm_rules_output.conf.j2
    dest: /etc/ferm/output.d/{{ ferm_rules_filename }}.conf
-    content: |
-      {% for rule in ferm_output_rules %}
-      {% if rule.mod is defined and rule.mod %}mod {{ rule.mod }} {% endif %}
-      {% if rule.helper is defined and rule.helper %}helper {{ rule.helper }} {% endif %}
-      {% if rule.saddr is defined and rule.saddr %}saddr @ipfilter(({{ rule.saddr | join(' ') }})) {% endif %}
-      {% if rule.daddr is defined and rule.daddr %}daddr @ipfilter(({{ rule.daddr | join(' ') }})) {% endif %}
-      {% if rule.proto is defined and rule.proto %}proto ({{ rule.proto | join(' ') }}) {% endif %}
-      {% if rule.dport is defined and rule.dport %}dport ({{ rule.dport | join(' ') }}) {% endif %}
-      {% if rule.sport is defined and rule.sport %}sport ({{ rule.sport | join(' ') }}) {% endif %}
-      {% if rule.policy is defined and rule.policy %}{{ rule.policy | upper }}{% else %}ACCEPT{% endif %};
-      {% endfor %}

 - name: forward
  when: ferm_forward_rules | length > 0
  notify: reload ferm
-  copy:
+  template:
+    src: ferm_rules_forward.conf.j2
    dest: /etc/ferm/forward.d/{{ ferm_rules_filename }}.conf
-    content: |
-      {% for rule in ferm_forward_rules %}
-      {% if rule.mod is defined and rule.mod %}mod {{ rule.mod }} {% endif %}
-      {% if rule.helper is defined and rule.helper %}helper {{ rule.helper }} {% endif %}
-      {% if rule.saddr is defined and rule.saddr %}saddr @ipfilter(({{ rule.saddr | join(' ') }})) {% endif %}
-      {% if rule.daddr is defined and rule.daddr %}daddr @ipfilter(({{ rule.daddr | join(' ') }})) {% endif %}
-      {% if rule.proto is defined and rule.proto %}proto ({{ rule.proto | join(' ') }}) {% endif %}
-      {% if rule.dport is defined and rule.dport %}dport ({{ rule.dport | join(' ') }}) {% endif %}
-      {% if rule.sport is defined and rule.sport %}sport ({{ rule.sport | join(' ') }}) {% endif %}
-      {% if rule.policy is defined and rule.policy %}{{ rule.policy | upper }}{% else %}ACCEPT{% endif %};
-      {% endfor %}

 ...
--- a/roles/ferm-configure/templates/ferm_rules_forward.conf.j2
+++ b/roles/ferm-configure/templates/ferm_rules_forward.conf.j2
+{% for rule in ferm_forward_rules %}
+{% if rule.mod is defined and rule.mod %}mod {{ rule.mod }} {% endif %}
+{% if rule.helper is defined and rule.helper %}helper {{ rule.helper }} {% endif %}
+{% if rule.saddr is defined and rule.saddr %}saddr @ipfilter(({{ rule.saddr | join(' ') }})) {% endif %}
+{% if rule.daddr is defined and rule.daddr %}daddr @ipfilter(({{ rule.daddr | join(' ') }})) {% endif %}
+{% if rule.proto is defined and rule.proto %}proto ({{ rule.proto | join(' ') }}) {% endif %}
+{% if rule.dport is defined and rule.dport %}dport ({{ rule.dport | join(' ') }}) {% endif %}
+{% if rule.sport is defined and rule.sport %}sport ({{ rule.sport | join(' ') }}) {% endif %}
+{% if rule.policy is defined and rule.policy %}{{ rule.policy | upper }}{% else %}ACCEPT{% endif %};
+{% endfor %}
\ No newline at end of file
--- a/roles/ferm-configure/templates/ferm_rules_input.conf.j2
+++ b/roles/ferm-configure/templates/ferm_rules_input.conf.j2
+{% for rule in ferm_input_rules %}
+{% if rule.mod is defined and rule.mod %}mod {{ rule.mod }} {% endif %}
+{% if rule.helper is defined and rule.helper %}helper {{ rule.helper }} {% endif %}
+{% if rule.saddr is defined and rule.saddr %}saddr @ipfilter(({{ rule.saddr | join(' ') }})) {% endif %}
+{% if rule.daddr is defined and rule.daddr %}daddr @ipfilter(({{ rule.daddr | join(' ') }})) {% endif %}
+{% if rule.proto is defined and rule.proto %}proto ({{ rule.proto | join(' ') }}) {% endif %}
+{% if rule.dport is defined and rule.dport %}dport ({{ rule.dport | join(' ') }}) {% endif %}
+{% if rule.sport is defined and rule.sport %}sport ({{ rule.sport | join(' ') }}) {% endif %}
+{% if rule.policy is defined and rule.policy %}{{ rule.policy | upper }}{% else %}ACCEPT{% endif %};
+{% endfor %}
\ No newline at end of file
--- a/roles/ferm-configure/templates/ferm_rules_output.conf.j2
+++ b/roles/ferm-configure/templates/ferm_rules_output.conf.j2
+{% for rule in ferm_output_rules %}
+{% if rule.mod is defined and rule.mod %}mod {{ rule.mod }} {% endif %}
+{% if rule.helper is defined and rule.helper %}helper {{ rule.helper }} {% endif %}
+{% if rule.saddr is defined and rule.saddr %}saddr @ipfilter(({{ rule.saddr | join(' ') }})) {% endif %}
+{% if rule.daddr is defined and rule.daddr %}daddr @ipfilter(({{ rule.daddr | join(' ') }})) {% endif %}
+{% if rule.proto is defined and rule.proto %}proto ({{ rule.proto | join(' ') }}) {% endif %}
+{% if rule.dport is defined and rule.dport %}dport ({{ rule.dport | join(' ') }}) {% endif %}
+{% if rule.sport is defined and rule.sport %}sport ({{ rule.sport | join(' ') }}) {% endif %}
+{% if rule.policy is defined and rule.policy %}{{ rule.policy | upper }}{% else %}ACCEPT{% endif %};
+{% endfor %}
\ No newline at end of file
--- a/roles/locale/defaults/main.yml
+++ b/roles/locale/defaults/main.yml
---
-
-locale_packages:
-  - locales
-  - tzdata
-
-init_locale: "{{ envsetup_locale | d('C.UTF-8', true) }}"
-
-init_timezone: "{{ envsetup_timezone | d('Etc/UTC', true) }}"
-
-...
--- a/roles/locale/handlers/main.yml
+++ b/roles/locale/handlers/main.yml
---
-
- name: update locale
-  command: locale-gen
-
- name: restart cron
-  service:
-    name: cron
-    state: restarted
-
-...
--- a/roles/logs/defaults/main.yml
+++ b/roles/logs/defaults/main.yml
---
-
-logs_packages:
-  - rsyslog
-
-...
--- a/roles/ntp/defaults/main.yml
+++ b/roles/ntp/defaults/main.yml
---
-
-ntp_servers: "{{ envsetup_ntp_server }}"
-
-...
--- a/roles/repos/defaults/main.yml
+++ b/roles/repos/defaults/main.yml
---
-
-repos_prefix: "{{ envsetup_apt_cache_url | d('http://', true) }}"
-repos_deb: deb.debian.org
-repos_deb_sec: security.debian.org
-repos_release: "{{ ansible_distribution_release }}"
-
-repos_skyreach_token: "{{ envsetup_skyreach_apt_token }}"
-repos_skyreach_host: "{{ envsetup_skyreach_host }}"
-
-...
--- a/roles/repos/handlers/main.yml
+++ b/roles/repos/handlers/main.yml
---
-
- name: update cache
-  apt:
-    force_apt_get: true
-    update_cache: true
--- a/roles/sysutils/defaults/main.yml
+++ b/roles/sysutils/defaults/main.yml
 ---

-sysutils_packages:
+repos_prefix: "{{ envsetup_apt_cache_url | d('http://', true) }}"
+repos_deb: deb.debian.org
+repos_deb_sec: security.debian.org
+repos_release: "{{ ansible_distribution_release }}"
+
+repos_skyreach_token: "{{ envsetup_skyreach_apt_token }}"
+repos_skyreach_host: "{{ envsetup_skyreach_host }}"
+
+
+sysconfig_packages:
  - bash-completion
  - bmon
  - curl
@@ -28,9 +37,9 @@ sysutils_packages:
  - unattended-upgrades
  - vim

-sysutils_firewall_enabled: true
-sysutils_ferm_rules_filename: sysutils
-sysutils_ferm_input_rules:
+sysconfig_firewall_enabled: true
+sysconfig_ferm_rules_filename: sysutils
+sysconfig_ferm_input_rules:
  # munin
  - proto:
      - tcp
@@ -41,7 +50,20 @@ sysutils_ferm_input_rules:
      - tcp
    dport:
      - 9090
-sysutils_ferm_output_rules: []
-sysutils_ferm_global_settings:
+sysconfig_ferm_output_rules: []
+sysconfig_ferm_global_settings:
+
+locale_packages:
+  - locales
+  - tzdata
+
+init_locale: "{{ envsetup_locale | d('C.UTF-8', true) }}"
+
+init_timezone: "{{ envsetup_timezone | d('Etc/UTC', true) }}"
+
+sysconfig_logs_packages:
+  - rsyslog
+
+ntp_servers: "{{ envsetup_ntp_server }}"

 ...
--- a/roles/ntp/handlers/main.yml
+++ b/roles/ntp/handlers/main.yml
 ---
+- name: update cache
+  apt:
+    force_apt_get: true
+    update_cache: true
+    
+- name: update locale
+  command: locale-gen
+
+- name: restart cron
+  service:
+    name: cron
+    state: restarted
+
+- name: update cache
+  apt:
+    force_apt_get: true
+    update_cache: true

 - name: systemd daemon reload
  systemd:

--- a/roles/locale/tasks/main.yml
+++ b/roles/locale/tasks/main.yml
 ---
-
 - name: install locale packages
  apt:
    force_apt_get: true

--- a/roles/logs/tasks/main.yml
+++ b/roles/logs/tasks/main.yml
 ---
-
 - name: install logs packages
  apt:
    force_apt_get: true
    install_recommends: false
-    name: "{{ logs_packages }}"
+    name: "{{ sysconfig_logs_packages }}"

 - name: start rsyslog
  systemd:

--- a/roles/sysutils/tasks/main.yml
+++ b/roles/sysutils/tasks/main.yml
 ---
+- include: repos.yml

 - name: install system utilities
  apt:
    force_apt_get: true
    install_recommends: false
-    name: "{{ sysutils_packages }}"
+    name: "{{ sysconfig_packages }}"

 - name: install ubicast-config
  apt:
@@ -22,13 +23,19 @@
 # FIREWALL

 - name: firewall
-  when: sysutils_firewall_enabled
+  when: sysconfig_firewall_enabled
  vars:
-    ferm_rules_filename: "{{ sysutils_ferm_rules_filename }}"
-    ferm_input_rules: "{{ sysutils_ferm_input_rules }}"
-    ferm_output_rules: "{{ sysutils_ferm_output_rules }}"
-    ferm_global_settings: "{{ sysutils_ferm_global_settings }}"
+    ferm_rules_filename: "{{ sysconfig_ferm_rules_filename }}"
+    ferm_input_rules: "{{ sysconfig_ferm_input_rules }}"
+    ferm_output_rules: "{{ sysconfig_ferm_output_rules }}"
+    ferm_global_settings: "{{ sysconfig_ferm_global_settings }}"
  include_role:
    name: ferm-configure

+- include: logs.yml
+
+- include: locale.yml
+
+- include: ntp.yml
+
 ...