hashbang · KellerFuchs · Nov 1, 2018 · Nov 1, 2018 · Nov 1, 2018 · Nov 1, 2018
diff --git a/ansible/group_vars/all/apt.yml b/ansible/group_vars/all/apt.yml
diff --git a/ansible/tasks/docker/main.post.yml → ansible/hacks/docker.post.yml b/ansible/tasks/docker/main.post.yml → ansible/hacks/docker.post.yml
diff --git a/ansible/tasks/docker/main.pre.yml → ansible/hacks/docker.pre.yml b/ansible/tasks/docker/main.pre.yml → ansible/hacks/docker.pre.yml
@@ -1,4 +1,8 @@
 ---
+- name: Ensure systemd is installed
+  apt:
+    name: systemd
+
 - name: Ensure resolvconf package does not link
   debconf:
     name: resolvconf

diff --git a/ansible/main.yml b/ansible/main.yml
@@ -2,109 +2,46 @@
 - hosts: all
   gather_facts: false
   pre_tasks:
-  - name: Install python2 for Ansible
-    raw: bash -c "test -e /usr/bin/python || (apt -qqy update && apt install -qqy python-minimal)"
-    register: output
-    changed_when: output.stdout != ""
-  - name: Gathering Facts
-    setup:
+    - name: Install python2 for Ansible
+      raw: bash -c "test -e /usr/bin/python || (apt -qqy update && apt install -qqy python-minimal)"
+      register: output
+      changed_when: output.stdout != ""
 
-  tasks:
-
-  - name: Install minimum system packages
-    apt:
-      update_cache: true
-      name: "{{ item }}"
-    with_items:
-    - ansible
-    - git
-    - gnupg
-    - apt-transport-https
-    - unattended-upgrades
-    - systemd
-    - apt-utils
-    - lsb-release
-    - curl
-    - initscripts
-    - systemd
-    - udev
-    - util-linux
-    - openssh-server
-
-  - name: Remove undesirable apt files
-    file:
-      path: /etc/apt/{{ item }}
-      state: absent
-    with_items:
-      - trusted.gpg # Use trusted.gpg.d rather than a monolithic file!
-      - # We aren't running Ubuntu ...
-        sources.list.d/ppa_launchpad_net_ansible_ansible_ubuntu.list
-
-  - name: Add the backports suite
-    blockinfile:
-      path: /etc/apt/sources.list
-      create: yes
-      content: |
-        # Backports.  Must be enabled per-package using a pin
-        deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports main contrib non-free
-        deb-src http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports main contrib non-free
+    - name: Gathering Facts
+      setup:
 
-  - name: Prefer the installed release over backports, by default
-    copy:
-      dest: /etc/apt/preferences
-      mode: "0644"
-      content: |
-        # Give {{ ansible_distribution_release }} priority over everything
-        Package: *
-        Pin: release n={{ ansible_distribution_release }}
-        Pin-Priority: 900
+    - name: Determine if we are in a docker environment
+      stat: path=/.dockerenv
+      register: dockerenv
 
-        # Give backports priority over other sources
-        Package: *
-        Pin: release n={{ ansible_distribution_release }}-backports
-        Pin-Priority: 800
+    - set_fact:
+        in_docker: "{{ dockerenv.stat.exists }}"
 
-  - name: Pin Ansible from backports
-    copy:
-      dest: /etc/apt/preferences.d/ansible
-      mode: "0644"
-      content: |
-        Package: ansible ieee-data python-netaddr
-        Pin: release n={{ ansible_distribution_release }}-backports
-        Pin-Priority: 990
+    - name: Run Docker preinit task
+      include_tasks: hacks/docker.pre.yml
+      when: in_docker
+      ignore_errors: True
 
+  roles:
+    - apt
+    - systemd-cron.d
+    - systemd-journald
+    - unbound
 
-  - name: Install latest ansible
-    apt:
-      name: ansible
-      state: latest
-      update_cache: yes
-
-  - name: Determine if we are in a docker environment
-    stat: path=/.dockerenv
-    register: dockerenv
-
-  - name: Run Docker preinit task
-    include_tasks: tasks/docker/main.pre.yml
-    when: dockerenv.stat.exists
-    ignore_errors: True
-
+  tasks:
   - name: Include tasks files
     include_tasks: "tasks/{{ item }}/main.yml"
     with_items:
     - tor
     - hashbang
-    - logging
-    - dns
     - mail
-    - packages
     - profile
     - misc
     - ldap-nss
     - security
     - nginx
 
   - name: Run Docker postinit task
-    include_tasks: tasks/docker/main.post.yml
-    when: dockerenv.stat.exists
+    include_tasks: hacks/docker.post.yml
+    when: in_docker
     ignore_errors: True
diff --git a/ansible/roles/apt/handlers/main.yml b/ansible/roles/apt/handlers/main.yml
@@ -0,0 +1,3 @@
+- name: apt update
+  apt:
+    update_cache: yes
diff --git a/ansible/roles/apt/tasks/main.yml b/ansible/roles/apt/tasks/main.yml
@@ -0,0 +1,93 @@
+- name: Update apt cache
+  apt:
+    update_cache: true
+
+- # Those are the packages required for our playbooks to function correctly
+  name: Install minimum system packages
+  apt:
+    name:
+      - git
+      - gnupg
+      - apt-transport-https
+      - systemd
+      - openssh-server
+
+- name: Remove undesirable apt files
+  notify: apt update
+  file:
+    path: /etc/apt/{{ item }}
+    state: absent
+  with_items:
+    - trusted.gpg # Use trusted.gpg.d rather than a monolithic file!
+    - # We aren't running Ubuntu ...
+      sources.list.d/ppa_launchpad_net_ansible_ansible_ubuntu.list
+
+- name: Add the backports suite
+  notify: apt update
+  blockinfile:
+    path: /etc/apt/sources.list
+    create: yes
+    content: |
+      # Backports.  Must be enabled per-package using a pin
+      deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports main contrib non-free
+      deb-src http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports main contrib non-free
+
+- name: Prefer the installed release over backports, by default
+  copy:
+    dest: /etc/apt/preferences
+    mode: "0644"
+    content: |
+      # Give {{ ansible_distribution_release }} priority over everything
+      Package: *
+      Pin: release n={{ ansible_distribution_release }}
+      Pin-Priority: 900
+
+      # Give backports priority over other sources
+      Package: *
+      Pin: release n={{ ansible_distribution_release }}-backports
+      Pin-Priority: 800
+
+- name: Pin Ansible from backports
+  copy:
+    dest: /etc/apt/preferences.d/ansible
+    mode: "0644"
+    content: |
+      Package: ansible ieee-data python-netaddr
+      Pin: release n={{ ansible_distribution_release }}-backports
+      Pin-Priority: 990
+
+- name: Add 3rd-party repositories (1/2)
+  notify: apt update
+  with_dict: "{{ apt.repositories }}"
+  apt_repository:
+    repo: deb {{ item.value.url | mandatory }} {{ item.value.suite | default(ansible_distribution_release) }} {{ item.value.section | default('main') }}
+    state: present
+    update_cache: no
+    filename: "{{ item.key }}"
+
+  loop_control:
+    label: "{{ item.key }}"
+
+- name: Add 3rd-party repositories (2/2)
+  notify: apt update
+  with_dict: "{{ apt.repositories }}"
+  apt_key:
+    data: "{{ lookup('file', 'apt/{{ item.key }}.asc') }}"
+    id: "{{ item.value.key }}"
+    keyring: /etc/apt/trusted.gpg.d/{{ item.value.keyring | default(item.key) }}.gpg
+
+  loop_control:
+    label: "{{ item.key }}"
+
+
+- # Required to re-run `apt update` before installing the latest Ansible version
+  meta: flush_handlers
+
+- name: Install latest ansible
+  apt:
+    name: ansible
+    state: latest
+
+- name: Install extra packages
+  apt:
+    name: "{{ apt.packages.values() | flatten | map(attribute='name') | list }}"
diff --git a/ansible/roles/systemd-cron.d/handlers/main.yml b/ansible/roles/systemd-cron.d/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: systemd reload
+  when: not in_docker
+  systemd:
+    daemon_reload: yes
diff --git a/ansible/roles/systemd-cron.d/tasks/main.yml b/ansible/roles/systemd-cron.d/tasks/main.yml
@@ -0,0 +1,53 @@
+- name: Install crontab target
+  notify: systemd reload
+  copy:
+    dest: /etc/systemd/system/crontab.target
+    content: |
+      [Install]
+      WantedBy=multi-user.target
+
+      [Unit]
+      Description=Simulates cron, limited to /etc/cron.*
+      [email protected]
+      [email protected]
+      [email protected]
+      [email protected]
+
+- name: Install crontab service
+  notify: systemd reload
+  copy:
+    dest: /etc/systemd/system/[email protected]
+    content: |
+      [Unit]
+      Description=%I job for /etc/cron.%I
+      RefuseManualStart=yes
+      RefuseManualStop=yes
+      ConditionDirectoryNotEmpty=/etc/cron.%I
+
+      [Service]
+      Type=oneshot
+      IgnoreSIGPIPE=no
+      WorkingDirectory=/
+      ExecStart=/bin/run-parts --report /etc/cron.%I
+
+- name: Install crontab generic timer
+  notify: systemd reload
+  copy:
+    dest: /etc/systemd/system/[email protected]
+    content: |
+      [Unit]
+      Description=%I timer simulating /etc/cron.%I
+      PartOf=crontab.target
+      RefuseManualStart=yes
+      RefuseManualStop=yes
+
+      [Timer]
+      OnCalendar=%I
+      Persistent=yes
+
+- name: Enable crontab service
+  when: not in_docker
+  systemd:
+    name: crontab
+    enabled: yes
+    masked: no
diff --git a/ansible/roles/systemd-journald/handlers/main.yml b/ansible/roles/systemd-journald/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: reload journald
+  when: not in_docker
+  systemd:
+    name: systemd-journald
+    state: reloaded
diff --git a/ansible/tasks/logging/main.yml → ...ble/roles/systemd-journald/tasks/main.yml b/ansible/tasks/logging/main.yml → ...ble/roles/systemd-journald/tasks/main.yml
@@ -1,9 +1,11 @@
 ---
 - name: Configure journald
+  notify: reload journald
   copy:
     dest: /etc/journald.conf
     content: |
       [Journal]
       MaxLevelStore=notice
       MaxRetentionSec=1month
+      Storage=persistent
       SystemMaxUse=1G
diff --git a/ansible/roles/unbound/handlers/main.yml b/ansible/roles/unbound/handlers/main.yml
@@ -0,0 +1,11 @@
+- name: reload resolvconf
+  when: not in_docker
+  systemd:
+    name: resolvconf
+    state: reloaded
+
+- name: reload unbound
+  when: not in_docker
+  systemd:
+    name: unbound
+    state: reloaded