
Refactoring for common roles

Markus Lindenberg 7 years ago
parent
commit
699d3acbad

+ 0 - 2
roles/common-auth/tasks/ssh.yml

@@ -13,7 +13,5 @@
     value: 'no'
   - key: ChallengeResponseAuthentication
     value: 'no'
-  - key: PrintLastLog
-    value: 'no'
   notify:
   - reload ssh

+ 0 - 1
roles/common-auth/tasks/sudo.yml

@@ -4,7 +4,6 @@
   apt: name={{ item }} install_recommends=no
   with_items:
     - sudo
-    - libnss-myhostname
 
 - name: Disable password based sudo for users in group sudo and enable password less sudo
   lineinfile:

+ 2 - 1
roles/common-ntpclient/tasks/main.yml

@@ -1,10 +1,11 @@
 ---
 
-- name: ensure ntp and chrony are absent
+- name: ensure ntp daemons are absent
   apt: name={{ item }} state=absent purge=yes
   with_items:
     - ntp
     - chrony
+    - openntpd
 
 - name: ensure systemd NTP client is enabled
   shell: "timedatectl | grep 'NTP enabled: yes' || timedatectl set-ntp 1"

roles/common-system/templates/sysctl.conf.j2 → roles/common-system/files/sysctl.conf


+ 0 - 7
roles/common-system/tasks/kernel.yml

@@ -1,7 +0,0 @@
----
-
-- name: Ensure latest backports kernel is installed
-  apt: name={{ item }} state=latest default_release={{ ansible_distribution_release }}-backports install_recommends=no
-  with_items:
-    - linux-image-amd64
-    - linux-base

+ 3 - 3
roles/common-system/tasks/main.yml

@@ -2,8 +2,8 @@
 
 - include: rclocal.yml
 - include: sysctl.yml
-- include: crypto.yml
 - include: time.yml
+- include: crypto.yml
+- include: repos.yml
+- include: packages.yml
 - include: journald.yml
-- include: kernel.yml
-- include: tools.yml
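Review bot: The new include order runs `time.yml` before `packages.yml`, but the comment this same commit removes from time.yml (hunk at roles/common-system/tasks/time.yml) says `timedatectl` needs libpam-systemd and dbus, and those two packages are now installed only by packages.yml; on a fresh host the first run may fail at `timedatectl set-timezone` before the dependency exists. Moving the include down — `- include: repos.yml`, `- include: packages.yml`, `- include: time.yml` — keeps the dependency satisfied without reintroducing the dedicated install task. Separately, `- include: repos.yml` names a file under roles/common-system/tasks/ that this commit does not add, while the backports repository task still lives in roles/common-repos/tasks/main.yml and site.yml drops `common-repos` from the `all` play; if repos.yml is not already in the tree, the backports repository is never configured before packages.yml pulls from it.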

+ 43 - 0
roles/common-system/tasks/packages.yml

@@ -0,0 +1,43 @@
+---
+- name: Ensure packages are installed
+  apt: name={{ item }} state=latest install_recommends=no
+  with_items:
+    - curl
+    - bash-completion
+    - dbus
+    - vim
+    - htop
+    - mtr-tiny
+    - byobu
+    - bind9-host
+    - tmux
+    - psmisc
+    - ngrep
+    - iperf3
+    - aptitude
+    - bwm-ng
+    - rsync
+    - git
+    - initramfs-tools
+    - locales
+
+- name: Ensure backported packages are installed
+  apt: name={{ item }} state=latest default_release={{ ansible_distribution_release }}-backports install_recommends=no
+  with_items:
+    - linux-base
+    - linux-image-amd64
+    - openssl
+    - libssl1.0.0
+    - systemd
+    - systemd-sysv
+    - udev
+    - libpam-systemd
+    - libnss-myhostname
+
+- name: ensure all packages are up to date
+  apt: upgrade=dist install_recommends=no dpkg_options='force-confold,force-confdef'
+
+- name: Ensure vim is default editor
+  alternatives: name=editor path=/usr/bin/vim.basic
+- name: Set defaults for vim
+  copy: src=vimrc dest=/etc/vim/vimrc.local
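Review bot: `state=latest` on the backports task and `upgrade=dist` two tasks later replace the kernel, systemd, udev and libssl on every run, but nothing in the file records that those versions only take effect after a reboot or a service restart, so a host can keep running the old kernel or an old libssl indefinitely while the play reports success. Registering the result and surfacing it keeps the operator informed without changing what is installed; a handler restarting the affected services or a controlled reboot step would be the follow-up. The `with_items` loop over `name={{ item }}` also produces one apt transaction per package on Ansible versions that do not squash the loop; passing the list to `name:` directly resolves them in one pass. The deleted tools.yml installed `pv` and `iperf`, while this file carries over `iperf3` but not `pv` — presumably intentional, but worth a mention in the commit message.
```yaml
- name: Ensure backported packages are installed
  apt: name={{ item }} state=latest default_release={{ ansible_distribution_release }}-backports install_recommends=no
  with_items:  # … unchanged: backports package list …
  register: backports_result

- name: Report that a reboot is needed to activate the updated kernel or systemd
  debug: msg="{{ inventory_hostname }}: backported kernel/systemd/libssl changed, schedule a reboot"
  when: backports_result.changed

# … unchanged: dist-upgrade, editor alternatives and vimrc tasks …
```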

+ 1 - 4
roles/common-repos/tasks/main.yml

@@ -3,7 +3,7 @@
 - name: Ensure deb-src ist disabled in sources.list
   replace: dest=/etc/apt/sources.list regexp='^(deb-src .*)$' replace='#\1'
 
-- name: Ensure Debian backports repository is installed
+- name: Ensure backports repository is installed
   apt_repository: repo='deb http://ftp.de.debian.org/debian {{ ansible_distribution_release }}-backports main'
 
 # - name: Ensure FFDO repository key is installed
@@ -16,6 +16,3 @@
 
 - name: Update APT cache
   apt: update_cache=yes cache_valid_time=3600
-
-# - name: ensure all packages are up to date
-#   apt: upgrade=dist install_recommends=no dpkg_options='force-confold,force-confdef'

+ 1 - 1
roles/common-system/tasks/sysctl.yml

@@ -1,5 +1,5 @@
 ---
 
 - name: Install custom sysctl variables
-  template: src=sysctl.conf.j2 dest=/etc/sysctl.d/system.conf
+  copy: src=sysctl.conf dest=/etc/sysctl.d/system.conf
   notify: Load sysctl variables

+ 0 - 4
roles/common-system/tasks/time.yml

@@ -1,8 +1,4 @@
 ---
-# libpam-systemd and dbus (dependency) are needed for timedatectl to work
-- name: ensure libpam-systemd is installed
-  apt: name=libpam-systemd install_recommends=no
-
 - name: ensure timezone is set to CET
   command: timedatectl set-timezone CET
   when: ansible_date_time.tz not in ['CET','CEST']

+ 0 - 24
roles/common-system/tasks/tools.yml

@@ -1,24 +0,0 @@
----
-- name: Ensure some useful packages are installed
-  apt: name={{ item }} install_recommends=no
-  with_items:
-    - bash-completion
-    - vim
-    - htop
-    - mtr-tiny
-    - bind9-host
-    - curl
-    - tmux
-    - psmisc
-    - ngrep
-    - aptitude
-    - iperf
-    - pv
-    - bwm-ng
-    - rsync
-    - git
-
-- name: Ensure vim is default editor
-  alternatives: name=editor path=/usr/bin/vim.basic
-- name: Set defaults for vim
-  copy: src=vimrc dest=/etc/vim/vimrc.local

+ 17 - 12
site.yml

@@ -2,10 +2,15 @@
 
 - hosts: all
   roles:
-    - common-net
-    - common-repos
     - common-auth
+    - common-net
     - common-system
+    # - service-nginx
+    # - service-node_exporter
+
+- hosts: all:!supernodes
+  roles:
+    - common-ntpclient
 
 - hosts: mesh
   roles:
@@ -28,22 +33,22 @@
 
 - hosts: mapservers
   roles:
-    - common-ntpclient
     - service-nginx
     # - service-map
 
-- hosts: serviceservers
-  roles:
-    - service-nginx
-    - service-gogs
-
-- hosts: imageservers
+- hosts: images.ffdo.de
   roles:
-    - common-ntpclient
     - service-nginx
     # - service-images
 
-- hosts: buildservers
+- hosts: build.ffdo.de
   roles:
-    - common-ntpclient
     - common-docker
+
+- hosts: services.ffdo.de
+  roles:
+    # - common-restic
+    - service-nginx
+    - service-gogs
+    - service-wiki
+    - service-prometheus