Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
214 lines (158 sloc) 6.44 KB
---
- name: Security assertions
hosts: [ 'all' ]
tags: [ 'play::security-assertions' ]
gather_facts: False
become: False
tasks:
- name: Check for Ansible version without known vulnerabilities
assert:
that:
- 'ansible_version.full is version_compare("2.1.5.0", ">=")'
- '((ansible_version.minor == 2) and
(ansible_version.full is version_compare("2.2.2.0", ">="))) or
(ansible_version.minor != 2)'
msg: |
VULNERABLE or unsupported Ansible version DETECTED, please update to
Ansible >= v2.1.5 or a newer Ansible release >= v2.2.2! To skip, add
"--skip-tags play::security-assertions" parameter. Check the
debops-playbook changelog for details. Exiting.
run_once: True
delegate_to: 'localhost'
- import_playbook: service/core.yml
- name: Common configuration for all hosts
hosts: [ 'debops_all_hosts', '!debops_no_common' ]
gather_facts: True
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
roles:
- role: debops.netbase
tags: [ 'role::netbase', 'skip::netbase' ]
- role: debops.etckeeper
tags: [ 'role::etckeeper', 'skip::etckeeper' ]
- role: debops.debops_fact
tags: [ 'role::debops_fact', 'skip::debops_fact' ]
- role: debops.environment
tags: [ 'role::environment', 'skip::environment' ]
- role: debops.nullmailer/env
tags: [ 'role::nullmailer', 'role::ferm', 'role::tcpwrappers' ]
- role: debops.pki/env
tags: [ 'role::pki', 'role::pki:secret', 'role::secret' ]
- role: debops.sshd/env
tags: [ 'role::sshd', 'role::ldap' ]
- role: debops.secret
tags: [ 'role::secret', 'role::pki', 'role::pki:secret' ]
secret_directories:
- '{{ pki_env_secret_directories }}'
- role: debops.apt_preferences
tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
apt_preferences__dependent_list:
- '{{ sshd__apt_preferences__dependent_list }}'
- '{{ apt_install__apt_preferences__dependent_list }}'
- '{{ yadm__apt_preferences__dependent_list }}'
- '{{ rsyslog__apt_preferences__dependent_list }}'
- role: debops.apt_proxy
tags: [ 'role::apt_proxy', 'skip::apt_proxy' ]
- role: debops.cron
tags: [ 'role::cron', 'skip::cron' ]
- role: debops.atd
tags: [ 'role::atd', 'skip::atd' ]
- role: debops.dhparam
tags: [ 'role::dhparam', 'skip::dhparam' ]
- role: debops.pki
tags: [ 'role::pki', 'skip::pki' ]
- role: debops.apt
tags: [ 'role::apt', 'skip::apt' ]
- role: debops.python
tags: [ 'role::python', 'skip::python' ]
python__dependent_packages3:
- '{{ ldap__python__dependent_packages3 }}'
python__dependent_packages2:
- '{{ ldap__python__dependent_packages2 }}'
# LDAP client initialization should be done separately to prepare local
# facts for other roles to use in configuration.
- role: debops.ldap
tags: [ 'role::ldap', 'skip::ldap' ]
- role: debops.ldap
tags: [ 'role::ldap', 'skip::ldap' ]
ldap__dependent_tasks:
- '{{ sudo__ldap__dependent_tasks }}'
- '{{ sshd__ldap__dependent_tasks }}'
- role: debops.apt_listchanges
tags: [ 'role::apt_listchanges', 'skip::apt_listchanges' ]
- role: debops.apt_install
tags: [ 'role::apt_install', 'skip::apt_install' ]
- role: debops.keyring
tags: [ 'role::keyring', 'skip::keyring', 'role::yadm' ]
keyring__dependent_gpg_keys:
- '{{ yadm__keyring__dependent_gpg_keys }}'
- role: debops.yadm
tags: [ 'role::yadm', 'skip::yadm' ]
- role: debops.sudo
tags: [ 'role::sudo', 'skip::sudo' ]
- role: debops.root_account
tags: [ 'role::root_account', 'skip::root_account' ]
- role: debops.system_groups
tags: [ 'role::system_groups', 'skip::system_groups' ]
- role: debops.system_users
tags: [ 'role::system_users', 'skip::system_users' ]
- role: debops.pam_access
tags: [ 'role::pam_access', 'skip::pam_access' ]
pam_access__dependent_rules:
- '{{ sshd__pam_access__dependent_rules }}'
- role: debops.etc_services
tags: [ 'role::etc_services', 'skip::etc_services' ]
etc_services__dependent_list:
- '{{ rsyslog__etc_services__dependent_list }}'
- role: debops.logrotate
tags: [ 'role::logrotate', 'skip::logrotate' ]
logrotate__dependent_config:
- '{{ rsyslog__logrotate__dependent_config }}'
- role: debops.auth
tags: [ 'role::auth', 'skip::auth' ]
- role: debops.nsswitch
tags: [ 'role::nsswitch', 'skip::nsswitch' ]
- role: debops.machine
tags: [ 'role::machine', 'skip::machine' ]
- role: debops.users
tags: [ 'role::users', 'skip::users' ]
- role: debops.mount
tags: [ 'role::mount', 'skip::mount' ]
- role: debops.resources
tags: [ 'role::resources', 'skip::resources' ]
- role: debops.ferm
tags: [ 'role::ferm', 'skip::ferm' ]
ferm__dependent_rules:
- '{{ ntp__ferm__dependent_rules }}'
- '{{ nullmailer__ferm__dependent_rules }}'
- '{{ rsyslog__ferm__dependent_rules }}'
- '{{ sshd__ferm__dependent_rules }}'
- role: debops.tcpwrappers
tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
tcpwrappers_dependent_allow:
- '{{ nullmailer__tcpwrappers__dependent_allow }}'
- '{{ sshd__tcpwrappers__dependent_allow }}'
- role: debops.locales
tags: [ 'role::locales', 'skip::locales' ]
- role: debops.ntp
tags: [ 'role::ntp', 'skip::ntp' ]
- role: debops.proc_hidepid
tags: [ 'role::proc_hidepid', 'skip::proc_hidepid' ]
- role: debops.console
tags: [ 'role::console', 'skip::console' ]
- role: debops.sysctl
tags: [ 'role::sysctl', 'skip::sysctl' ]
- role: debops.nullmailer
tags: [ 'role::nullmailer', 'skip::nullmailer' ]
- role: debops.rsyslog
tags: [ 'role::rsyslog', 'skip::rsyslog' ]
- role: debops.unattended_upgrades
tags: [ 'role::unattended_upgrades', 'skip::unattended_upgrades' ]
- role: debops.authorized_keys
tags: [ 'role::authorized_keys', 'skip::authorized_keys' ]
- role: debops.sshd
tags: [ 'role::sshd', 'skip::sshd' ]
- role: debops.apt_mark
tags: [ 'role::apt_mark', 'skip::apt_mark' ]
You can’t perform that action at this time.