---
# Every key of wordpress_sites needs a matching key in vault_wordpress_sites;
# if any site is missing from the vault, abort with the rendered
# wordpress_sites.j2 explanation.
- name: Validate wordpress_sites
  tags:
    - wordpress
  fail:
    msg: "{{ lookup('template', 'wordpress_sites.j2') }}"
  when: wordpress_sites.keys() | difference(vault_wordpress_sites.keys()) | length
# Walk every site and require each site_hosts entry to define `canonical`;
# the first site with an entry lacking it aborts with the site_hosts.j2 message.
- name: Validate format of site_hosts
  tags:
    - letsencrypt
    - wordpress
  fail:
    msg: "{{ lookup('template', 'site_hosts.j2') }}"
  with_dict: "{{ wordpress_sites }}"
  when: item.value.site_hosts | selectattr('canonical', 'undefined') | list | length
# Informational only: a `debug` task never fails the play. It triggers solely
# when the host reports the 'trusty' (14.04) release, so other unsupported
# distributions or releases pass through silently.
- name: Validate Ubuntu version
  run_once: true
  when: ansible_distribution_release == 'trusty'
  debug:
    msg: |
      Trellis is built for Ubuntu 16.04 Xenial as of https://github.com/roots/trellis/pull/626
      Your Ubuntu version is {{ ansible_distribution_version }} {{ ansible_distribution_release }}
      We recommend you re-create your server to get the best experience.
      Note: both of these methods will delete all your existing data. It's up to you to backup what's needed and restore it.
      Development via Vagrant: `vagrant destroy && vagrant up`
      Staging/Production: Create a new server with Ubuntu 16.04 and provision
# Outside development, a macOS control machine without passlib cannot hash
# user passwords, so stop early with install instructions. The
# darwin_without_passlib flag is computed elsewhere (defaults to false here).
# NOTE(review): the quoted install steps run easy_install as root; a
# per-user or virtualenv install is the safer route if the docs are revised.
- name: Check whether passlib is needed
  run_once: true
  when:
    - env != 'development'
    - darwin_without_passlib | default(false)
  fail:
    msg: |
      Ansible on OS X requires python passlib module to create user password hashes
      sudo easy_install pip
      pip install passlib
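# Ask the local OpenSSH client which algorithms it would offer this host.
# `ssh -G` prints the effective client config without connecting (it needs
# OpenSSH 6.8+, hence the openssh_6_8_plus guard); `-tt` keeps the output
# flowing when no TTY is attached. Each line is grepped out so the next task
# can compare it with the sshd role's server-side settings.
# The pipe lookup goes through a shell on the control machine and
# ansible_host comes from the inventory, so the host value is shell-quoted
# before it is interpolated into the command line; without that, shell
# metacharacters in an inventory entry would run as the operator.
# Set validate_ssh: false to skip this step entirely.
- name: Retrieve local SSH client's settings per host
  set_fact:
    ssh_client_ciphers: "{{ lookup('pipe', 'ssh -ttG ' + (ansible_host | quote) + ' | grep ciphers') }}"
    ssh_client_kex: "{{ lookup('pipe', 'ssh -ttG ' + (ansible_host | quote) + ' | grep kexalgorithms') }}"
    ssh_client_macs: "{{ lookup('pipe', 'ssh -ttG ' + (ansible_host | quote) + ' | grep macs') }}"
    ssh_client_host_key_algorithms: "{{ lookup('pipe', 'ssh -ttG ' + (ansible_host | quote) + ' | grep hostkeyalgorithms') }}"
  when: openssh_6_8_plus and validate_ssh | default(true)
  tags: [sshd]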
# Refuse to continue unless the client and server agree on at least one
# cipher, one key-exchange method, one MAC and one host-key algorithm.
# The overlapping_* lists are computed elsewhere (presumably in the role's
# vars from the ssh_client_* facts gathered above and the sshd settings —
# confirm there). Failure renders validate_ssh_msg.j2.
- name: Validate compatible settings between SSH client and server
  tags:
    - sshd
  when:
    - openssh_6_8_plus
    - validate_ssh | default(true)
  assert:
    msg: "{{ lookup('template', 'validate_ssh_msg.j2') }}"
    that:
      - overlapping_ciphers | length
      - overlapping_kex | length
      - overlapping_macs | length
      - overlapping_host_keys | length
# Install every package listed in apt_packages, refreshing the apt index
# first unless it is younger than apt_cache_valid_time seconds.
- name: Checking essentials
  with_items: "{{ apt_packages }}"
  apt:
    update_cache: true
    cache_valid_time: "{{ apt_cache_valid_time }}"
    state: present
    name: "{{ item }}"
# ntp_timezone is accepted only if a matching zoneinfo file exists on the host.
# The stat is read-only, so it is never reported as a change.
# NOTE(review): this is an existence check, not a format check — a value
# containing path components such as `..` still resolves to a real file and
# would pass; other roles that interpolate ntp_timezone should not rely on
# this task to sanitise it.
- name: Validate timezone variable
  changed_when: false
  register: timezone_path
  stat:
    path: /usr/share/zoneinfo/{{ ntp_timezone }}

# Turn a missing zoneinfo file into a clear error pointing at the list of
# valid zone names.
- name: Explain timezone error
  when: not timezone_path.stat.exists
  fail:
    msg: "{{ ntp_timezone }} is not a valid timezone. For a list of valid timezones, check https://php.net/manual/en/timezones.php"
# Append "myhostname" to the `hosts:` line of /etc/nsswitch.conf so the
# machine's own hostname resolves. The negative lookahead in the regexp keeps
# the edit idempotent (no match once myhostname is already present), and a
# backup of the file is written before it is modified.
- name: Add myhostname to nsswitch.conf to ensure resolvable hostname
  lineinfile:
    dest: /etc/nsswitch.conf
    regexp: '^(hosts\:((?!myhostname).)*)$'
    line: '\1 myhostname'
    backrefs: true
    backup: true
    state: present
# Development (Vagrant) only: give the vagrant user an SSH key pair. No key
# type or size is specified here, so the user module's defaults apply.
- name: Generate SSH key for vagrant user
  when: env == 'development'
  user:
    generate_ssh_key: true
    name: vagrant
# Outside development, ask the external ipify service (from the control
# machine, unprivileged) for the operator's public IP; the fail2ban and ferm
# tags suggest those roles consume it, presumably for allow-listing — confirm
# there. NOTE(review): this trusts a third-party HTTP service for a value that
# feeds firewall configuration; if that is unacceptable, set
# ssh_client_ip_lookup: false and supply the address yourself.
- name: Retrieve SSH client IP
  tags:
    - fail2ban
    - ferm
  become: false
  connection: local
  when:
    - env != 'development'
    - ssh_client_ip_lookup | default(true)
  ipify_facts: