Normalize apt tasks and check package variables format

CHANGELOG.md

@@ -1,4 +1,5 @@
 ### HEAD
+* [BREAKING] Normalize `apt` tasks ([#881](https://github.com/roots/trellis/pull/881))
 * Ansible 2.4 compatibility ([#895](https://github.com/roots/trellis/pull/895))
 * Default h5bp expires and cache busting to false ([#894](https://github.com/roots/trellis/pull/894))
 * Deploys: Update WP theme paths for multisite subsites ([#854](https://github.com/roots/trellis/pull/854))

group_vars/all/main.yml

@@ -2,6 +2,9 @@ composer_keep_updated: true
 composer_global_packages:
  - { name: hirak/prestissimo }
 apt_cache_valid_time: 3600
+apt_package_state: present
+apt_security_package_state: latest
+apt_dev_package_state: latest
 ntp_timezone: Etc/UTC
 ntp_manage_config: true
 www_root: /srv/www

roles/common/defaults/main.yml

@@ -1,17 +1,17 @@
 ntp_timezone: Etc/UTC
 
 apt_packages_default:
-  - python-software-properties
-  - python-pycurl
-  - build-essential
-  - python-mysqldb
-  - curl
-  - git-core
-  - dbus
-  - libnss-myhostname
+  python-software-properties: "{{ apt_package_state }}"
+  python-pycurl: "{{ apt_package_state }}"
+  build-essential: "{{ apt_package_state }}"
+  python-mysqldb: "{{ apt_package_state }}"
+  curl: "{{ apt_package_state }}"
+  git-core: "{{ apt_package_state }}"
+  dbus: "{{ apt_package_state }}"
+  libnss-myhostname: "{{ apt_package_state }}"
 
-apt_packages_custom: []
-apt_packages: "{{ apt_packages_default + apt_packages_custom }}"
+apt_packages_custom: {}
+apt_packages: "{{ apt_packages_default | combine(apt_packages_custom) }}"
 
 openssh_6_8_plus: "{{ (lookup('pipe', 'ssh -V 2>&1')) | regex_replace('(.*OpenSSH_([\\d\\.]*).*)', '\\2') | version_compare('6.8', '>=') }}"
 overlapping_ciphers: "[{% for cipher in (sshd_ciphers_default + sshd_ciphers_extra) if cipher in ssh_client_ciphers %}'{{ cipher }}',{% endfor %}]"

roles/common/tasks/main.yml

@@ -12,6 +12,36 @@
   when: item.value.site_hosts | rejectattr('canonical', 'defined') | list | count
   tags: [letsencrypt, wordpress]
 
+- name: Verify dict format for apt package component variables
+  fail:
+    msg: "{{ lookup('template', 'package_vars_wrong_format_msg.j2') }}"
+  when: package_vars_wrong_format | count
+  vars:
+    package_vars:
+      apt_packages_default: "{{ apt_packages_default }}"
+      apt_packages_custom: "{{ apt_packages_custom }}"
+      memcached_packages_default: "{{ memcached_packages_default }}"
+      memcached_packages_custom: "{{ memcached_packages_custom }}"
+      php_extensions_default: "{{ php_extensions_default }}"
+      php_extensions_custom: "{{ php_extensions_custom }}"
+      sshd_packages_default: "{{ sshd_packages_default }}"
+      sshd_packages_custom: "{{ sshd_packages_custom }}"
+    package_vars_wrong_format: "[{% for k,v in package_vars.iteritems() if v | type_debug != 'dict' %}'{{ k }}',{% endfor %}]"
+  tags: [sshd, memcached, php]
+
+- name: Verify dict format for apt package combined variables
+  fail:
+    msg: "{{ lookup('template', 'package_vars_wrong_format_msg.j2') }}"
+  when: package_vars_wrong_format | count
+  vars:
+    package_vars:
+      apt_packages: "{{ apt_packages }}"
+      memcached_packages: "{{ memcached_packages }}"
+      php_extensions: "{{ php_extensions }}"
+      sshd_packages: "{{ sshd_packages }}"
+    package_vars_wrong_format: "[{% for k,v in package_vars.iteritems() if v | type_debug != 'dict' %}'{{ k }}',{% endfor %}]"
+  tags: [sshd, memcached, php]
+
 - name: Validate Ubuntu version
   debug:
     msg: |
@@ -61,11 +91,11 @@
 
 - name: Checking essentials
   apt:
-    name: "{{ item }}"
-    state: present
-    update_cache: true
+    name: "{{ item.key }}"
+    state: "{{ item.value }}"
+    update_cache: yes
     cache_valid_time: "{{ apt_cache_valid_time }}"
-  with_items: "{{ apt_packages }}"
+  with_dict: "{{ apt_packages }}"
 
 - name: Validate timezone variable
   stat:

roles/common/templates/package_vars_wrong_format_msg.j2

@@ -0,0 +1,4 @@
+The following variables must be formatted as dicts:
+  {{ package_vars_wrong_format | to_nice_yaml | indent(2) }}
+
+See: https://github.com/roots/trellis/pull/881

roles/fail2ban/tasks/main.yml

@@ -1,9 +1,9 @@
 ---
 - name: ensure fail2ban is installed
   apt:
-    pkg: fail2ban
-    state: latest
-    update_cache: true
+    name: fail2ban
+    state: "{{ fail2ban_package_state | default(apt_security_package_state) }}"
+    update_cache: yes
     cache_valid_time: "{{ apt_cache_valid_time }}"
   notify:
     - restart fail2ban

roles/ferm/tasks/main.yml

@@ -8,9 +8,9 @@
 
 - name: ensure ferm is installed
   apt:
-    pkg: ferm
-    state: latest
-    update_cache: true
+    name: ferm
+    state: "{{ ferm_package_state | default(apt_security_package_state) }}"
+    update_cache: yes
     cache_valid_time: "{{ apt_cache_valid_time }}"
     install_recommends: no
   notify:

roles/mariadb/tasks/main.yml

@@ -2,15 +2,17 @@
 - name: Install MySQL client
   apt:
     name: mariadb-client
-    state: present
-    update_cache: true
+    state: "{{ mariadb_client_package_state | default(apt_package_state) }}"
+    update_cache: yes
     cache_valid_time: "{{ apt_cache_valid_time }}"
 
 - block:
   - name: Install MySQL server
     apt:
       name: mariadb-server
-      state: present
+      state: "{{ mariadb_server_package_state | default(apt_package_state) }}"
+      update_cache: yes
+      cache_valid_time: "{{ apt_cache_valid_time }}"
 
   - name: Disable MariaDB binary logging
     template:

roles/memcached/defaults/main.yml

@@ -4,3 +4,10 @@ memcached_fs_file_max: 756024
 memcached_listen_ip: 127.0.0.1
 memcached_max_conn: 1024
 memcached_port: 11211
+
+memcached_packages_default:
+  memcached: "{{ apt_package_state }}"
+  php-memcached: "{{ apt_package_state }}"
+
+memcached_packages_custom: {}
+memcached_packages: "{{ memcached_packages_default | combine(memcached_packages_custom) }}"

roles/memcached/tasks/main.yml

@@ -1,13 +1,11 @@
 ---
 - name: Install memcached
   apt:
-    name: "{{ item }}"
-    state: present
+    name: "{{ item.key }}"
+    state: "{{ item.value }}"
     update_cache: yes
     cache_valid_time: "{{ apt_cache_valid_time }}"
-  with_items:
-  - memcached
-  - php-memcached
+  with_dict: "{{ memcached_packages }}"
 
 - name: Copy the client configuration file
   template:

roles/nginx/tasks/main.yml

@@ -7,8 +7,9 @@
 - name: Install Nginx
   apt:
     name: "{{ nginx_package }}"
-    state: present
-    force: yes
+    state: "{{ nginx_package_state | default(apt_package_state) }}"
+    update_cache: yes
+    cache_valid_time: "{{ apt_cache_valid_time }}"
 
 - name: Create SSL directory
   file:

roles/php/defaults/main.yml

@@ -2,22 +2,22 @@ disable_default_pool: true
 memcached_sessions: false
 
 php_extensions_default:
-  - php7.1-cli
-  - php7.1-common
-  - php7.1-curl
-  - php7.1-dev
-  - php7.1-fpm
-  - php7.1-gd
-  - php7.1-mbstring
-  - php7.1-mcrypt
-  - php7.1-mysql
-  - php7.1-opcache
-  - php7.1-xml
-  - php7.1-xmlrpc
-  - php7.1-zip
+  php7.1-cli: "{{ apt_package_state }}"
+  php7.1-common: "{{ apt_package_state }}"
+  php7.1-curl: "{{ apt_package_state }}"
+  php7.1-dev: "{{ apt_package_state }}"
+  php7.1-fpm: "{{ apt_package_state }}"
+  php7.1-gd: "{{ apt_package_state }}"
+  php7.1-mbstring: "{{ apt_package_state }}"
+  php7.1-mcrypt: "{{ apt_package_state }}"
+  php7.1-mysql: "{{ apt_package_state }}"
+  php7.1-opcache: "{{ apt_package_state }}"
+  php7.1-xml: "{{ apt_package_state }}"
+  php7.1-xmlrpc: "{{ apt_package_state }}"
+  php7.1-zip: "{{ apt_package_state }}"
 
-php_extensions_custom: []
-php_extensions: "{{ php_extensions_default + php_extensions_custom }}"
+php_extensions_custom: {}
+php_extensions: "{{ php_extensions_default | combine(php_extensions_custom) }}"
 
 php_error_reporting: 'E_ALL & ~E_DEPRECATED & ~E_STRICT'
 php_display_errors: 'Off'

roles/php/tasks/main.yml

@@ -6,10 +6,11 @@
 
 - name: Install PHP 7.1
   apt:
-    name: "{{ item }}"
-    state: present
-    force: yes
-  with_items: "{{ php_extensions }}"
+    name: "{{ item.key }}"
+    state: "{{ item.value }}"
+    update_cache: yes
+    cache_valid_time: "{{ apt_cache_valid_time }}"
+  with_dict: "{{ php_extensions }}"
 
 - name: Start php7.1-fpm service
   service:

roles/sshd/defaults/main.yml

@@ -90,3 +90,10 @@ ssh_send_env: []
 
 ssh_strict_host_key_checking: ask
 ssh_use_roaming: false
+
+sshd_packages_default:
+  openssh-server: "{{ apt_security_package_state }}"
+  openssh-client: "{{ apt_security_package_state }}"
+
+sshd_packages_custom: {}
+sshd_packages: "{{ sshd_packages_default | combine(sshd_packages_custom) }}"

roles/sshd/tasks/main.yml

@@ -1,13 +1,11 @@
 ---
 - name: Ensure latest SSH server and client are installed
   apt:
-    pkg: "{{ item }}"
-    state: latest
-    update_cache: true
+    name: "{{ item.key }}"
+    state: "{{ item.value }}"
+    update_cache: yes
     cache_valid_time: "{{ apt_cache_valid_time }}"
-  with_items:
-    - openssh-server
-    - openssh-client
+  with_dict: "{{ sshd_packages }}"
   notify: restart ssh
 
 - name: Create a secure sshd_config

roles/ssmtp/tasks/main.yml

@@ -2,8 +2,8 @@
 - name: Install ssmtp
   apt:
     name: ssmtp
-    state: present
-    update_cache: true
+    state: "{{ ssmtp_package_state | default(apt_package_state) }}"
+    update_cache: yes
     cache_valid_time: "{{ apt_cache_valid_time }}"
 
 - name: ssmtp configuration

roles/xdebug/tasks/main.yml

@@ -3,8 +3,8 @@
   - name: Install Xdebug
     apt:
       name: php-xdebug
-      state: latest
-      update_cache: true
+      state: "{{ php_xdebug_package_state | default(apt_dev_package_state) }}"
+      update_cache: yes
       cache_valid_time: "{{ apt_cache_valid_time }}"
 
   - name: Template the Xdebug configuration file