From 2c3fb0d51f0e1044eaca306cc74045b01a202891 Mon Sep 17 00:00:00 2001
From: B Stack
Date: Thu, 6 Oct 2016 15:22:05 -0400
Subject: built ldap_certs, fixed sudo task

---
 master.yml                        |  6 ++++++
 roles/ldap_certs/tasks/main.yml   | 38 ++++++++++++++++++++++++++++++++++++++
 roles/ldap_certs/tests/test.yml   | 11 +++++++++++
 roles/ldap_certs/vars/FreeBSD.yml |  6 ++++--
 roles/ldap_certs/vars/default.yml |  2 ++
 roles/sudo/tasks/main.yml         |  8 ++++++--
 test.yml                          |  5 ++---
 7 files changed, 69 insertions(+), 7 deletions(-)
 create mode 100644 roles/ldap_certs/tests/test.yml

diff --git a/master.yml b/master.yml
index 064767e..6aa28ea 100644
--- a/master.yml
+++ b/master.yml
@@ -7,9 +7,15 @@
     - resolv_conf
     - ssh
     - ssh_keys
+    - sudo
+    - ldap_certs
   vars:
     ssh_key_files:
     - { user: 'bgstack15', file: '../../../company/pubkeys/bgstack15.pubkeys' }
+    sudo_files: - { exists: 'false', file: '../../../company/sudo-files/40_BGSTACK15' }
+    ldap_certs: - { exists: 'true', gets_hashlink: 'true', file: '../../../company/ldap_certs-files/certs-example-2016.pem' }
 
 - name: Webservers
   hosts: webservers
diff --git a/roles/ldap_certs/tasks/main.yml b/roles/ldap_certs/tasks/main.yml
index 685cd79..a088b38 100644
--- a/roles/ldap_certs/tasks/main.yml
+++ b/roles/ldap_certs/tasks/main.yml
@@ -14,3 +14,41 @@
   - files:
     - 'roles/ldap_certs/hosts/{{ ansible_fqdn }}.yml'
     skip: true
+
+- name: ldap_certs deploy files that exist
+  template: src='{{ item.file }}' dest='{{ ldap_certs_cert_dir }}/{{ item.file | regex_replace('.*/','') }}' owner='{{ ldap_certs_owner }}' group='{{ ldap_certs_group }}' mode=0644 #'
+  with_items:
+  - '{{ ldap_certs }}'
+  when:
+  - ( not '{{ item.exists | lower }}' == 'false' )
+  - ldap_certs is defined
+
+- name: ldap_certs remove files that should not exist
+  file: path='{{ ldap_certs_cert_dir }}/{{ item.file | regex_replace('.*/','') }}' state='absent'
+  with_items:
+  - '{{ ldap_certs }}'
+  when:
+  - ( not '{{ item.exists }}' ) or ( '{{ item.exists | lower }}' == 'false' )
+  - ldap_certs is defined
+
+- name: ldap_certs get hash values
+  command: openssl x509 -in "{{ ldap_certs_cert_dir }}/{{ item.file | regex_replace('.*/','') }}" -hash -noout
+  register: hashes
+  with_items:
+  - '{{ ldap_certs }}'
+  when:
+  - '{{ item.exists }}'
+  - ( not '{{ item.gets_hashlink | lower }}' == 'false' )
+  - ldap_certs is defined
+
+- name: ldap_certs deploy hashlink files
+  file:
+    path: "{{ ldap_certs_hashlink_dir }}/{{ item.stdout | quote }}.0"
+    src: "{{ ldap_certs_cert_dir}}/{{ item.item.file | regex_replace('.*/','') }}"
+    state: 'link'
+  with_items:
+  - '{{ hashes.results }}'
+  when:
+  - hashes is defined
+  - item.stdout is defined
+  - ldap_certs is defined
diff --git a/roles/ldap_certs/tests/test.yml b/roles/ldap_certs/tests/test.yml
new file mode 100644
index 0000000..9ef1e9c
--- /dev/null
+++ b/roles/ldap_certs/tests/test.yml
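Review bot: The remove task deletes the PEM from `ldap_certs_cert_dir` but never touches the `<hash>.0` link that the hashlink task created in `ldap_certs_hashlink_dir`, so an entry switched to `exists: 'false'` leaves a dangling symlink in the CA directory and the trust store drifts from the inventory; a cleanup step after the remove task, such as `shell: find "{{ ldap_certs_hashlink_dir }}" -maxdepth 1 -type l ! -exec test -e {} \; -delete`, keeps the two directories in step. In the hashlink task `item.stdout | quote` applies shell quoting to a filesystem path, which does nothing useful here; `{{ item.stdout }}.0` is what the hash-lookup convention expects, and the fixed `.0` suffix presumes no two deployed certificates share a subject hash. The hash task's first condition `'{{ item.exists }}'` is evaluated as a bare Jinja expression, while the other two tasks compare `item.exists | lower` with `'false'`, so values other than exactly `'true'`/`'false'` may be treated differently by the three tasks; `- ( not '{{ item.exists | lower }}' == 'false' )` would keep them aligned. The task that the three context lines at the top of the hunk belong to begins before this hunk.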
@@ -0,0 +1,11 @@
+---
+- name: Test playbook for ldap_certs
+  hosts: test
+  remote_user: root
+  roles:
+  - ldap_certs
+  vars:
+    ldap_certs:
+    - { exists: 'false', gets_hashlink: 'false', file: '../../../company/ldap_certs-files/CA1-CA1.crt' }
+    - { exists: 'false', gets_hashlink: 'false', file: '../../../company/ldap_certs-files/CA2-SubCA.crt' }
+    - { exists: 'true', gets_hashlink: 'true', file: '../../../company/ldap_certs-files/certs-example-2016.pem' }
diff --git a/roles/ldap_certs/vars/FreeBSD.yml b/roles/ldap_certs/vars/FreeBSD.yml
index e55cdee..de25638 100644
--- a/roles/ldap_certs/vars/FreeBSD.yml
+++ b/roles/ldap_certs/vars/FreeBSD.yml
@@ -1,3 +1,5 @@
 ---
-ldap_certs_cert_dir: /usr/local/etc/openldap
-ldap_certs_hashlink_dir: /usr/local/etc/openldap
+ldap_certs_cert_dir: /usr/local/etc/openldap/certs
+ldap_certs_hashlink_dir: /usr/local/etc/openldap/cacerts
+ldap_certs_owner: root
+ldap_certs_group: wheel
diff --git a/roles/ldap_certs/vars/default.yml b/roles/ldap_certs/vars/default.yml
index 10dd8eb..5188d42 100644
--- a/roles/ldap_certs/vars/default.yml
+++ b/roles/ldap_certs/vars/default.yml
@@ -1,3 +1,5 @@
 ---
 ldap_certs_cert_dir: /etc/openldap/certs
 ldap_certs_hashlink_dir: /etc/openldap/cacerts
+ldap_certs_owner: root
+ldap_certs_group: root
diff --git a/roles/sudo/tasks/main.yml b/roles/sudo/tasks/main.yml
index 07fda25..0b712f5 100644
--- a/roles/sudo/tasks/main.yml
+++ b/roles/sudo/tasks/main.yml
@@ -8,11 +8,14 @@
   - '{{ ansible_distribution }}.yml'
   - default.yml
 
-- stat: path='{{ sudo_rules_dir }}/{{ item.priority }}_{{ item.name }}' #'
+- name: sudo stat files described by strings
+  stat: path='{{ sudo_rules_dir }}/{{ item.priority }}_{{ item.name }}' #'
   with_items:
   - '{{ sudo_strings }}'
   register: "s"
-  when: sudo_strings is defined
+  when:
+  - sudo_strings is defined
+  - item.priority is defined
 
 - name: sudo deploy rules from files
   template:
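Review bot: The new `ldap_certs_cert_dir` and `ldap_certs_hashlink_dir` values for FreeBSD point at `certs/` and `cacerts/` subdirectories that nothing in this patch creates, and the `template` and `file: state=link` tasks in `roles/ldap_certs/tasks/main.yml` will fail on a fresh host if either directory is missing. Unless a task outside this diff creates them, a task such as `file: path='{{ ldap_certs_hashlink_dir }}' state=directory owner='{{ ldap_certs_owner }}' group='{{ ldap_certs_group }}' mode=0755` (and the same for the cert dir) should run before the deploy task. Splitting the two directories also means the links in `cacerts/` now cross into `certs/`; that works with the absolute `src` the role uses but deserves a comment here, e.g. `# cacerts/ holds <hash>.0 links into certs/; both directories must exist before the role runs`.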
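Review bot: The added guard `item.priority is defined` covers only half of the path built on the `stat:` line; `item.name` is interpolated on the same line, so an entry without `name` still yields a path ending in `_` and a stat result that the removal task further down acts on. Guard both keys, `- item.priority is defined` and `- item.name is defined`, and document the expected entry shape above the task, e.g. `# each sudo_strings entry needs priority, name and exists`. The trailing `#'` on the `stat:` line is an editor-highlighting workaround that the rename now carries forward; writing the module arguments as native YAML (`stat:` then `path:` on its own line) removes the need for it.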
@@ -60,4 +63,5 @@
   - '{{ s.results }}'
   when:
   - s is defined
+  - sudo_strings is defined
   - ( not item.item.exists ) or ( '{{ item.item.exists | lower }}' == 'false' )
diff --git a/test.yml b/test.yml
index c72e519..9ef1e9c 100644
--- a/test.yml
+++ b/test.yml
@@ -3,10 +3,9 @@
   hosts: test
   remote_user: root
   roles:
-  - sudo
   - ldap_certs
   vars:
     ldap_certs:
-    - { exists: 'true', gets_hashlink: 'false', file: '../../../company/ldap_certs-files/CA1-CA1.crt' }
-    - { exists: 'true', gets_hashlink: 'false', file: '../../../company/ldap_certs-files/CA2-SubCA.crt' }
+    - { exists: 'false', gets_hashlink: 'false', file: '../../../company/ldap_certs-files/CA1-CA1.crt' }
+    - { exists: 'false', gets_hashlink: 'false', file: '../../../company/ldap_certs-files/CA2-SubCA.crt' }
     - { exists: 'true', gets_hashlink: 'true', file: '../../../company/ldap_certs-files/certs-example-2016.pem' }
-- cgit