---
## apt
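# apt (fall back to apt-get if apt alone does not work)
# Equivalent of: apt update && apt upgrade
- name: update/upgrade
  apt:
    update_cache: true
    # "safe" is the documented equivalent of the legacy "yes" value
    # (aptitude safe-upgrade); the explicit string avoids a bare yes
    # being parsed as a YAML boolean.
    upgrade: safe
    # NOTE(review): 84600 s is 23.5 h; if "one day" was intended the
    # value is 86400 — confirm before copying.
    cache_valid_time: 84600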
# Equivalent of: apt install apache2 php libapache2-mod-php
- name: Install packages
  apt:
    state: present
    pkg:
      - 'apache2'
      - 'php'
      - 'libapache2-mod-php'
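# Equivalent of: apt autoclean
- name: Remove useless packages from the cache
  apt:
    autoclean: true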
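# Equivalent of: apt autoremove
- name: Remove dependencies that are no longer required
  apt:
    autoremove: true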
---
# Remove the wordpress vhost definition and the wordpress tree (rm -rf equivalent)
- name: Delete files
  file:
    path: "{{ item }}"
    state: absent
  loop:
    - /etc/apache2/sites-available/wordpress.conf
    - /var/www/wordpress
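# stat never fails on a missing path; the result is inspected through .stat.exists
- name: check if wordpress directory exist
  stat:
    path: /var/www/wordpress
  register: wordpress_dir

# An unnamed task only shows up as "debug" in the play output; name it.
- name: show whether /var/www/wordpress exists
  debug:
    var: wordpress_dir.stat.exists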
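# Equivalent of: mkdir /var/www/wordpress && chown www-data:www-data && chmod 0755
- name: mkdir /var/www/wordpress
  file:
    path: /var/www/wordpress
    state: directory
    owner: www-data
    group: www-data
    # Quoted so Ansible receives the octal string; an unquoted 0755 is
    # parsed as the integer 493 and is unreliable in loops.
    mode: "0755"
  # state: directory is already idempotent; the guard only skips the task
  # entirely when the directory is known to exist (registered above).
  when: not wordpress_dir.stat.exists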
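# Equivalent of: chown -R www-data:www-data /var/www/wordpress
# (only ownership is given, so existing modes are left untouched)
- name: chown -R wordpress dir
  file:
    dest: /var/www/wordpress
    state: directory
    owner: www-data
    group: www-data
    recurse: true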
# Collect /tmp/file* entries whose mtime is older than 30 days;
# the list is consumed by the deletion task that follows.
- name: Find files > 30 days
  find:
    paths: '/tmp'
    patterns: 'file*'
    age_stamp: mtime
    age: 30d
  register: output
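# The task name was a duplicate of the earlier "Delete files" task; a
# distinct name keeps the play output readable.
- name: Delete files older than 30 days
  file:
    path: "{{ item.path }}"
    state: absent
  # find returns a list of dicts; .path is the absolute file name
  loop: "{{ output.files }}"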
# Enable the vhost by symlinking it into sites-enabled (ln -s equivalent)
- name: enable virtualhost (link)
  file:
    state: link
    src: /etc/nginx/sites-available/domain.com.conf
    dest: /etc/nginx/sites-enabled/domain.com.conf
  notify: restart_nginx
---
# Create a group named after the user variable (groupadd equivalent)
- name: Ajouter le group "{{ user }}"
  group:
    state: present
    name: "{{ user }}"
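# Password: the `password` argument expects an already hashed value
# (crypt format). Keep `user_passwd_hash` in an ansible-vault encrypted
# vars file, never in plain text next to the playbook.
# Generating the hash from the command line (original examples):
#   python  -c 'import crypt; print(crypt.crypt("unmotdepasse", "$6$SomeSalt$"))'
#   python3 -c 'import crypt; print(crypt.crypt("unmotdepasse", "$6$SomeSalt$"))'
# NOTE(review): use a fresh random salt rather than a fixed one; the
# password_hash filter generates one for you:
#   "{{ 'unmotdepasse' | password_hash('sha512') }}"
# NOTE(review): the group created by the previous task is not the primary
# group used here (www-data) — confirm that is intended.
- name: Ajouter le user "{{ user }}"
  user:
    name: "{{ user }}"
    group: www-data
    # quoted: a templated value should never start a plain scalar
    home: "/home/{{ user }}"
    password: "{{ user_passwd_hash }}"
    shell: /bin/bash
    state: present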
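# No password and no login shell, with a specific uid/gid
- name: Ajouter user "{{ user2 }}"
  user:
    name: "{{ user2 }}"
    uid: '1100'
    # NOTE(review): the group must already exist; the module does not create it
    group: '1100'
    home: /nonexistent
    # A bare `!` is a YAML tag indicator, not the string "!": it parses as
    # an empty scalar, so the account could end up with an empty password
    # field instead of a locked one. Quote it.
    password: '!'
    shell: /usr/sbin/nologin
    create_home: false
    state: present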
---
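# Point the default vhost at /var/www/monsite.
- name: Replace Apache DocumentRoot default
  lineinfile:
    path: /etc/apache2/sites-enabled/000-default.conf
    # Anchored on the directive itself: the bare 'DocumentRoot' regexp also
    # matched commented-out lines or any line mentioning the word, and
    # lineinfile replaces the LAST match.
    regexp: '^\s*DocumentRoot\s'
    line: 'DocumentRoot /var/www/monsite'
  notify:
    - restart_apache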
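- name: Configure clamscan_daily admin_contact
  lineinfile:
    path: /etc/cron.daily/clamscan_daily
    regexp: "^EMAIL_TO=.*$"
    # quoted: the value contains double quotes and a Jinja expression
    line: 'EMAIL_TO="{{ admin_contact }}";'
    state: present
    # backrefs: true makes lineinfile replace the line only when regexp
    # matches an existing line; it never appends a new one.
    backrefs: true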
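# blowfish_md5 is the phpMyAdmin cookie-encryption secret: keep it in an
# ansible-vault encrypted vars file.
- name: blowfish phpmyadmin
  lineinfile:
    path: "/var/www/phpmyadmin/config.inc.php"
    regexp: "^\\$cfg\\['blowfish_secret'\\] =.*"
    line: "$cfg['blowfish_secret'] = '{{ blowfish_md5 }}';"
  # The rendered line contains the secret; keep it out of logs and --diff output.
  no_log: true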
# Rewrite a few php.ini settings in place; each item gives the regexp
# to match (From) and the replacement line (To).
- name: Configure php 7.4 ini
  lineinfile:
    path: /etc/php/7.4/fpm/php.ini
    state: present
    regexp: "{{ item.From }}"
    line: "{{ item.To }}"
  loop:
    - From: '^memory_limit =.*$'
      To: 'memory_limit = 256M'
    - From: '^max_execution_time =.*$'
      To: 'max_execution_time = 60'
  notify: restart_php74fpm
# Post-process rapport.out on the controller: drop empty lines.
# run_once keeps this from being repeated for every host of the play.
- name: remove blank lines
  connection: local
  run_once: true
  lineinfile:
    path: rapport.out
    state: absent
    regexp: '^$'
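# Strip leading spaces/tabs from every line of rapport.out on the controller.
- name: remove start tab and whitespaces
  connection: local
  replace:
    path: rapport.out
    # Original used '{,}', which Python's re treats as '*' but other
    # engines read literally; '*' says the same thing portably.
    # NOTE(review): a line made only of whitespace keeps its last
    # character, because (.+) must match at least one character.
    regexp: '^[ \t]*(.+)$'
    replace: '\1'
  run_once: true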
# Append the contents of files/nanorc to /etc/nanorc between marker lines,
# so re-runs update the managed block instead of duplicating it.
- name: Add text block nanorc
  blockinfile:
    path: /etc/nanorc
    marker: "# -- {mark} ANSIBLE MANAGED BLOCK --"
    block: "{{ lookup('file', 'files/nanorc') }}"
---
## module copy:
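# Push the MariaDB server config from the controller and restart on change.
- name: Configure /etc/mysql/mariadb.conf.d/60-server.cnf
  copy:
    src: files/60-server.cnf
    dest: /etc/mysql/mariadb.conf.d/60-server.cnf
    owner: root
    group: root
    # quoted: unquoted 0644 is parsed as the integer 420
    mode: "0644"
  notify: restart_mysql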
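# Keep a copy of the repo file before touching it.
# remote_src: true copies on the managed host instead of from the controller.
- name: save repo before upgrade
  copy:
    src: /etc/yum.repos.d/CentOS-Base.repo
    dest: /etc/yum.repos.d/CentOS-Base.repo.0
    remote_src: true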
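# NOTE(review): a private key kept under files/ sits in plain text in the
# repository. Encrypt it with ansible-vault (copy decrypts vault-encrypted
# src files transparently) or generate the key on the host instead.
# NOTE(review): assumes /root/.ssh already exists as a directory — confirm;
# otherwise the first item is written to a file literally named .ssh.
- name: Copy root ssh key
  copy:
    src: "{{ item.src }}"
    dest: /root/.ssh
    owner: root
    group: root
    mode: "{{ item.chmod }}"
  loop:
    - src: "files/user/root/.ssh/id_rsa"
      chmod: "0600"
    - src: "files/user/root/.ssh/id_rsa.pub"
      chmod: "0644"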
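# Copy every *.txt found under files/.user/ on the controller into /home/user.
- name: Copy all *.txt
  copy:
    src: "{{ item }}"
    dest: /home/user
    owner: user
    group: user
    # quoted: unquoted 0640 is parsed as the integer 416
    mode: "0640"
  with_fileglob:
    - 'files/.user/*.txt'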
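# Create (or truncate) index.html with no content, root-owned and world-readable.
- name: Empty index.html
  copy:
    content: ""
    dest: /var/www/html/index.html
    group: root
    owner: root
    # quoted: unquoted 0644 is parsed as the integer 420
    mode: "0644"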
hosts
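# Contents of the .htaccess pushed by the "Add htaccess" task.
# The AuthUserFile sits one level above the web roots used on this page
# (/var/www/html, /var/www/monsite), so Apache never serves it.
# NOTE(review): Basic auth sends the credentials base64-encoded on every
# request — only meaningful behind TLS.
htaccesstext: |
  AuthType basic
  AuthName "Protected Directory"
  AuthUserFile /var/www/.htpasswd
  Require valid-user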
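# Write the htaccesstext variable into the protected directory; read-only for everyone.
- name: Add htaccess
  copy:
    content: "{{ htaccesstext }}"
    dest: /var/www/html/backupfile/.htaccess
    group: root
    owner: root
    # quoted: unquoted 0444 is parsed as the integer 292
    mode: "0444"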
## module fetch:
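# Works like the copy module but in the other direction (remote -> controller).
# 'flat: true' stores just the file instead of recreating the remote
# directory structure under dest.
- name: Fetch source list from clients
  fetch:
    src: /etc/apt/sources.list
    flat: true
    dest: "/tmp/files/{{ inventory_hostname }}.sourcelist"
# ls -1 /tmp/files/
# 192.168.0.10.sourcelist
# 192.168.0.11.sourcelist
# 192.168.0.12.sourcelist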
## module template:
hosts
# hosts (host vars): parent directory of the phpmyadmin install
pma_directory: '/var/www'
templates/phpmyadmin.conf
# Rendered by the "phpmyadmin virtualhost" task; pma_directory comes from host vars.
Alias /phpmyadmin {{ pma_directory }}/phpmyadmin
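# Render templates/phpmyadmin.conf into sites-available.
# Ownership and mode are set explicitly, matching the nginx vhost task
# on this page, instead of relying on the umask.
- name: phpmyadmin virtualhost
  template:
    src: templates/phpmyadmin.conf
    dest: /etc/apache2/sites-available/phpmyadmin.conf
    owner: root
    group: root
    mode: "0644"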
hosts
# hosts (host vars) consumed by templates/nginx.j2
domain: 'domain.com'
nginx_root_dir: '/var/www/html'
templates/nginx.j2
# Rendered from templates/nginx.j2 by the "virtualhost domain.com" task;
# domain and nginx_root_dir come from host vars.
server {
    # plain HTTP only: this template declares no TLS listener
    listen 80;
    root {{ nginx_root_dir }};
    index index.html index.htm;
    server_name {{ domain }};
    location / {
        # serve the file, then the directory, otherwise 404 (no fallback)
        try_files $uri $uri/ =404;
    }
}
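# Render the nginx vhost into sites-available and restart nginx on change.
- name: virtualhost domain.com
  template:
    src: templates/nginx.j2
    dest: /etc/nginx/sites-available/domain.com.conf
    owner: root
    group: root
    # quoted: unquoted 0644 is parsed as the integer 420
    mode: "0644"
  notify: restart_nginx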
rapport.j2
{# One entry per host of the "serveurweb" group: hostname in upper case,
   a separator line, the default IPv4 address, then distribution and
   version. #}
{# NOTE(review): the hostname is read through ansible_facts.* while the
   distribution keys are read as top-level hostvars; consider using
   ansible_facts.distribution / ansible_facts.distribution_version for
   consistency. #}
{% for host in groups['serveurweb'] %}
{{ hostvars[host].ansible_facts.hostname.upper() }}
---
{{ hostvars[host].ansible_facts.default_ipv4.address }}
{{ hostvars[host].ansible_distribution }} {{ hostvars[host].ansible_distribution_version }}
{% endfor %}
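# Render rapport.j2 on the controller. The template only reads
# groups/hostvars, so its output is the same for every host of the play:
# run_once avoids rewriting the same file once per host.
- name: Create rapport.out
  connection: local
  run_once: true
  template:
    src: rapport.j2
    dest: rapport.out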
## module synchronize:
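# Synchronise, and delete from dest on the remote host any file that is
# not found in src on the local machine.
# Equivalent of: rsync -az --delete /var/log/apt root@host:/tmp/
# NOTE(review): delete: true is destructive on the remote side — double
# check dest before reusing this with another path.
- name: sync les logs vers 'dest'
  synchronize:
    src: /var/log/apt
    dest: /tmp/
    delete: true
    recursive: true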
## modules command / shell:
---
# a2ensite with an idempotency guard: skipped once the sites-enabled link exists
- name: Add virtualhost.conf
  command: a2ensite virtualhost.conf
  args:
    creates: /etc/apache2/sites-enabled/virtualhost.conf
  notify: relancer Apache
# a2dissite with an idempotency guard: skipped once the sites-enabled link is gone
- name: a2dissite wordpress
  command: a2dissite wordpress.conf
  args:
    removes: /etc/apache2/sites-enabled/wordpress.conf
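# Download WordPress core into /var/www/wordpress with wp-cli.
# NOTE(review): --version pins a specific release; review the pin before reuse.
- name: download wordpress
  # `chdir=` as an inline key=value argument is the legacy free-form syntax;
  # passing it under args: keeps it out of the command line proper.
  command: wp --allow-root core download --version=4.9.12 --locale=fr_FR
  args:
    chdir: /var/www/wordpress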
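# Collect the PIDs of running clamscan processes. grep exits 1 (and the
# pipeline with it) when nothing matches, hence ignore_errors.
- name: Get running processes of clamscan
  shell: "ps aux | grep -v grep | grep 'clamscan' | awk '{print $2}'"
  register: running_processes
  ignore_errors: true

# kill needs no shell features, so use command: (no word splitting or
# globbing of the interpolated value). A process that exits between the
# two tasks makes kill fail, hence ignore_errors stays.
# NOTE(review): SIGKILL gives clamscan no chance to clean up; a plain
# kill (SIGTERM) first may be preferable.
- name: Kill running clamscan processes
  command: "kill -9 {{ item }}"
  loop: "{{ running_processes.stdout_lines }}"
  ignore_errors: true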
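# Create two files with backdated mtimes (presumably fixtures for the
# "Find files > 30 days" task: only /tmp/file60d is older than 30 days).
- name: Create files
  shell: |
    touch -d "15 days ago" /tmp/file15d
    touch -d "60 days ago" /tmp/file60d
  args:
    executable: /bin/bash
    # Silences the "consider using the file module" hint.
    # NOTE(review): the warn option was removed from newer ansible-core
    # releases; drop this line if the task fails with an unsupported
    # parameter error.
    warn: false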
# hosts (host vars): locale written by the "set locale" task below
LANG: 'en_US.UTF-8'
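# Write /etc/sysconfig/i18n. copy with content: produces the same file as
# the original shell heredoc but is idempotent (changed only when the file
# differs) and needs no bash.
- name: set locale
  copy:
    content: |
      LANG="{{ LANG }}"
      SYSFONT="latarcyrheb-sun16"
    dest: /etc/sysconfig/i18n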
# Run the smart script under bash; exit status 1 is accepted as success,
# any other non-zero status fails the task.
- name: execute smart
  shell: /usr/bin/smart.sh
  register: smart_out
  args:
    executable: /bin/bash
  failed_when: "smart_out.rc not in [ 0, 1 ]"