From 7dc374644d13bdf8c1453c72b50875742cc4570f Mon Sep 17 00:00:00 2001 
From: YPCrumble Date: Sat, 22 Apr 2023 09:36:22 -0400 Subject: [PATCH] Upgrade repo for Ubuntu 22.04. (#190) * Upgrade repo for Ubuntu 22.04. * Remove unnecessary Dockerfile from Molecule configuration. * Add python3-distutils package required by Ubuntu 22.04. * Use postgresql_privs module to set database user permissions. * Update linting. * Remove ntp from base packages installed as it is no longer necessary. --- .ansible-lint | 9 ++++ .github/workflows/molecule.yml | 6 +-- .yamllint | 2 + README.md | 6 +-- Vagrantfile | 2 +- dbservers.yml | 2 +- docker/Dockerfile | 2 +- group_vars/development/vars.yml | 2 +- molecule/default/Dockerfile.j2 | 14 ------- molecule/default/converge.yml | 9 ++-- molecule/default/molecule.yml | 13 +++--- requirements-dev.txt | 9 ++-- requirements.txt | 2 +- roles/avahi/tasks/main.yml | 10 ++++- roles/base/tasks/create_swap_file.yml | 32 +++++++------- roles/base/tasks/main.yml | 9 ++-- roles/celery/handlers/main.yml | 2 +- roles/celery/tasks/copy_scripts.yml | 6 +-- roles/celery/tasks/main.yml | 4 +- roles/celery/tasks/setup_supervisor.yml | 33 ++++++++------- roles/certbot/tasks/main.yml | 12 +++--- roles/db/handlers/main.yml | 4 +- roles/db/tasks/main.yml | 30 ++++++++----- roles/memcached/handlers/main.yml | 2 +- roles/memcached/tasks/main.yml | 18 ++++---- roles/nginx/handlers/main.yml | 8 ++-- roles/nginx/tasks/main.yml | 35 +++++++++------- roles/rabbitmq/handlers/main.yml | 2 +- roles/rabbitmq/tasks/main.yml | 18 ++++---- roles/rabbitmq/tasks/setup_users.yml | 6 +-- roles/rabbitmq/tasks/setup_vhosts.yml | 2 +- roles/security/handlers/main.yml | 4 +- .../tasks/create_non_root_sudo_user.yml | 10 ++--- .../tasks/force_ssh_authentication.yml | 8 ++-- roles/security/tasks/main.yml | 18 +++++--- .../tasks/perform_aptitude_dist_upgrade.yml | 4 +- roles/security/tasks/setup_fail2ban.yml | 4 +- .../tasks/setup_unattended_upgrades.yml | 10 +++-- .../tasks/setup_uncomplicated_firewall.yml | 6 +-- roles/security/vars/main.yml | 1 + 
roles/web/handlers/main.yml | 4 +- roles/web/tasks/create_users_and_groups.yml | 6 +-- .../web/tasks/install_additional_packages.yml | 5 ++- roles/web/tasks/main.yml | 14 +++---- roles/web/tasks/set_file_permissions.yml | 2 +- roles/web/tasks/setup_django_app.yml | 10 ++--- roles/web/tasks/setup_git_repo.yml | 31 ++++++-------- roles/web/tasks/setup_supervisor.yml | 9 ++-- roles/web/tasks/setup_virtualenv.yml | 42 ++++++++++--------- security.yml | 4 +- site.yml | 4 +- vagrant.yml | 2 +- webservers.yml | 2 +- 53 files changed, 278 insertions(+), 233 deletions(-) delete mode 100644 molecule/default/Dockerfile.j2 diff --git a/.ansible-lint b/.ansible-lint index 6948d3c4..49799184 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,3 +1,12 @@ +--- + skip_list: - ANSIBLE0006 - ANSIBLE0012 + # TODO: Remove free-form from the repo. + - no-free-form + - name[missing] + # TODO: Fix this. + - name[casing] + # TODO: Test removing this from each task and see if there is a workaround. + - no-changed-when diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index 02bd8c4c..8a5e1c7e 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml @@ -7,12 +7,12 @@ jobs: strategy: max-parallel: 4 matrix: - python-version: [3.6, 3.7] + python-version: [3.9, "3.10", 3.11] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v2 + uses: actions/setup-python@v4 with: python-version: ${{ matrix.python-version }} - name: Install dependencies diff --git a/.yamllint b/.yamllint index 3a2255e4..a996634c 100644 --- a/.yamllint +++ b/.yamllint @@ -1,3 +1,5 @@ +--- + extends: default rules: diff --git a/README.md b/README.md index 5a34db83..4b0f099d 100644 --- a/README.md +++ b/README.md 
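Review bot: The steps in the .github/workflows/molecule.yml hunk reference actions by mutable tag (`actions/checkout@v3`, `actions/setup-python@v4`); for a job that installs and executes project code, pinning each action to a full commit SHA (with the tag kept in a trailing comment) protects the pipeline against a retagged release. Separately, the `python-version` matrix mixes bare floats with one quoted string, `[3.9, "3.10", 3.11]`; quoting all three, `["3.9", "3.10", "3.11"]`, is consistent and keeps a future `3.20`-style entry from being read as a float. The rest of the job definition is outside the hunk.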
@@ -23,7 +23,7 @@ Environment-specific settings are in the `group_vars` directory. A `certbot` role is also included for automatically generating and renewing trusted SSL certificates with [Let's Encrypt][lets-encrypt]. -**Tested with OS:** Ubuntu 18.04 LTS (64-bit), Ubuntu 16.04 LTS (64-bit). +**Tested with OS:** Ubuntu 22.04 LTS (64-bit), Ubuntu 20.04 LTS (64-bit). **Tested with Cloud Providers:** [Digital Ocean][digital-ocean], [AWS][aws], [Rackspace][rackspace] @@ -313,9 +313,9 @@ to run during deployment in most Django environments. ### Changing the Ubuntu release -The [Vagrantfile](Vagrantfile) uses the Ubuntu 20.04 LTS Vagrant box for a +The [Vagrantfile](Vagrantfile) uses the Ubuntu 22.04 LTS Vagrant box for a 64-bit PC that is published by Canonical in HashiCorp Atlas. To use Ubuntu -18.04 LTS instead, change the `config.vm.box` setting to `ubuntu/bionic64`. +20.04 LTS instead, change the `config.vm.box` setting to `ubuntu/focal64`. ### Changing the Python version used by your application diff --git a/Vagrantfile b/Vagrantfile index a794fa17..6d441031 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -5,7 +5,7 @@ VAGRANTFILE_API_VERSION = "2" Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| - config.vm.box = "ubuntu/focal64" + config.vm.box = "ubuntu/jammy64" config.ssh.forward_agent = false config.vm.define "my-cool-app.local", primary: true do |app| app.vm.hostname = "my-cool-app" diff --git a/dbservers.yml b/dbservers.yml index a49b5d21..343add34 100644 --- a/dbservers.yml +++ b/dbservers.yml @@ -9,7 +9,7 @@ update_apt_cache: true module_defaults: - apt: + ansible.builtin.apt: force_apt_get: true roles: diff --git a/docker/Dockerfile b/docker/Dockerfile index 473bc899..4025f427 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -1,5 +1,5 @@ # Use the official Ubuntu 20.04 base image from the Docker repository -FROM ubuntu:focal +FROM ubuntu:jammy # Allow processes to detect that they are being run in a container ENV container oci 
diff --git a/group_vars/development/vars.yml b/group_vars/development/vars.yml index 89c5b00b..fa1e756c 100644 --- a/group_vars/development/vars.yml +++ b/group_vars/development/vars.yml @@ -11,7 +11,7 @@ application_name: django_default_project # # More info here: https://launchpad.net/~fkrull/+archive/ubuntu/deadsnakes enable_deadsnakes_ppa: true -virtualenv_python_version: python3.9 +virtualenv_python_version: python3.11 # Git settings. diff --git a/molecule/default/Dockerfile.j2 b/molecule/default/Dockerfile.j2 deleted file mode 100644 index 0a605536..00000000 --- a/molecule/default/Dockerfile.j2 +++ /dev/null @@ -1,14 +0,0 @@ -# Molecule managed - -{% if item.registry is defined %} -FROM {{ item.registry.url }}/{{ item.image }} -{% else %} -FROM {{ item.image }} -{% endif %} - -RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \ - elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python2-dnf bash && dnf clean all; \ - elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ - elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml && zypper clean -a; \ - elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ - elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates && xbps-remove -O; fi diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index 555dff02..75440405 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml 
@@ -1,11 +1,12 @@ --- # See https://github.com/metacloud/molecule/issues/843#issuecomment-304710797 # and https://github.com/metacloud/molecule/blob/v2/test/scenarios/driver/ec2/molecule/default/playbook.yml#L1-L13 -- hosts: all +- name: Converge + hosts: all gather_facts: false tasks: - name: Install Python3 for Ansible - raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) + ansible.builtin.raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) become: true changed_when: false @@ -17,11 +18,11 @@ tasks: - name: Install Python3 - raw: apt-get install python3-minimal + ansible.builtin.raw: apt-get install python3-minimal changed_when: false module_defaults: - apt: + ansible.builtin.apt: force_apt_get: true roles: diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 6cdedcf9..ca2bdf24 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -4,13 +4,16 @@ dependency: driver: name: docker lint: | + set -e yamllint . + ansible-lint + flake8 platforms: - - name: instance-xenial + - name: instance-jammy groups: - vagrant image: ubuntu - image_version: xenial + image_version: jammy privileged: true - name: instance-focal groups: @@ -20,14 +23,10 @@ platforms: privileged: true provisioner: name: ansible - lint: - name: ansible-lint env: ANSIBLE_ROLES_PATH: ../../roles/ inventory: links: group_vars: ../../group_vars/ verifier: - name: testinfra - lint: - name: flake8 + name: ansible diff --git a/requirements-dev.txt b/requirements-dev.txt index 993772d0..f38a0853 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -1,6 +1,7 @@ -r requirements.txt -molecule==3.3.4 -molecule-docker==0.2.4 -testinfra==3.2.1 -yamllint==1.19.0 +ansible-lint==6.14.6 +flake8==3.9.1 +molecule==4.0.4 +molecule-docker==2.1.0 +yamllint==1.30.0 diff --git a/requirements.txt b/requirements.txt index ec3d9fa7..b2144a9c 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -1 +1 @@ -ansible==4.2.0 +ansible==7.4.0 diff --git a/roles/avahi/tasks/main.yml b/roles/avahi/tasks/main.yml index 1c0a99ec..2d523134 100644 --- a/roles/avahi/tasks/main.yml +++ b/roles/avahi/tasks/main.yml @@ -1,8 +1,14 @@ --- - name: Install the Avahi mDNS/DNS-SD daemon - apt: name=avahi-daemon update_cache={{ update_apt_cache }} state=present + ansible.builtin.apt: + name: avahi-daemon + update_cache: "{{ update_apt_cache }}" + state: present tags: packages - name: Ensure the Avahi mDNS/DNS-SD daemon is running - service: name=avahi-daemon state=started enabled=yes + ansible.builtin.service: + name: avahi-daemon + state: started + enabled: true diff --git a/roles/base/tasks/create_swap_file.yml b/roles/base/tasks/create_swap_file.yml index e1e81460..c57b1859 100644 --- a/roles/base/tasks/create_swap_file.yml +++ b/roles/base/tasks/create_swap_file.yml 
@@ -1,38 +1,40 @@ --- - name: Create swap file - command: dd if=/dev/zero of={{ swap_file_path }} bs=1024 count={{ swap_file_size_kb }}k + ansible.builtin.command: dd if=/dev/zero of={{ swap_file_path }} bs=1024 count={{ swap_file_size_kb }}k creates="{{ swap_file_path }}" tags: swap.file.create - name: Change swap file permissions - file: path="{{ swap_file_path }}" - owner=root - group=root - mode=0600 + ansible.builtin.file: + path: "{{ swap_file_path }}" + owner: root + group: root + mode: "0600" tags: swap.file.permissions - name: Check swap file type - command: file {{ swap_file_path }} + ansible.builtin.command: file {{ swap_file_path }} register: swapfile tags: swap.file.mkswap changed_when: false - name: Make swap file - command: "mkswap {{ swap_file_path }}" + ansible.builtin.command: "mkswap {{ swap_file_path }}" when: swapfile.stdout.find('swap file') == -1 tags: swap.file.mkswap - name: Write swap entry in fstab - mount: name=none - src={{ swap_file_path }} - fstype=swap - opts=sw - passno=0 - dump=0 - state=present + ansible.posix.mount: + name: none + src: "{{ swap_file_path }}" + fstype: swap + opts: sw + passno: 0 + dump: 0 + state: present tags: swap.fstab - name: Mount swap - command: "swapon {{ swap_file_path }}" + ansible.builtin.command: "swapon {{ swap_file_path }}" when: ansible_swaptotal_mb < 1 tags: swap.file.swapon diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index a6880c74..14af50a9 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -1,11 +1,11 @@ --- -- include: create_swap_file.yml +- ansible.builtin.import_tasks: create_swap_file.yml when: create_swap_file tags: swap - name: Install security updates - apt: default_release={{ ansible_distribution_release }}-security + ansible.builtin.apt: default_release={{ ansible_distribution_release }}-security update_cache={{ update_apt_cache }} upgrade=dist tags: 
@@ -13,14 +13,13 @@ - skip_ansible_lint - name: Install base packages - apt: + ansible.builtin.apt: update_cache: "{{ update_apt_cache }}" state: present name: - locales - build-essential - acl - - ntp - htop - git - "{{ base_python_package }}-pip" @@ -31,7 +30,7 @@ - packages.security - name: Upgrade pip - pip: name=pip state=latest + ansible.builtin.pip: name=pip state=latest tags: - packages - skip_ansible_lint diff --git a/roles/celery/handlers/main.yml b/roles/celery/handlers/main.yml index 92a08194..0d5956d0 100644 --- a/roles/celery/handlers/main.yml +++ b/roles/celery/handlers/main.yml @@ -1,4 +1,4 @@ --- - name: restart {{ celery_application_name }} - supervisorctl: name={{ celery_application_name }} state=restarted + community.general.supervisorctl: name={{ celery_application_name }} state=restarted diff --git a/roles/celery/tasks/copy_scripts.yml b/roles/celery/tasks/copy_scripts.yml index cc614b5f..b0f0e311 100644 --- a/roles/celery/tasks/copy_scripts.yml +++ b/roles/celery/tasks/copy_scripts.yml @@ -1,14 +1,14 @@ --- - name: Create the folder for the celery scripts - file: path={{ celery_scripts_dir }} + ansible.builtin.file: path={{ celery_scripts_dir }} owner={{ celery_user }} group={{ celery_group }} mode=0774 state=directory -- name: Create the {{ celery_application_name }} script file - template: src={{ celery_template_file }} +- name: Create the script file for {{ celery_application_name }} + ansible.builtin.template: src={{ celery_template_file }} dest={{ celery_scripts_dir }}/{{ celery_application_name }}_start owner={{ celery_user }} group={{ celery_group }} diff --git a/roles/celery/tasks/main.yml b/roles/celery/tasks/main.yml index 115ca91e..1ec68ad6 100644 --- a/roles/celery/tasks/main.yml +++ b/roles/celery/tasks/main.yml @@ -1,7 +1,7 @@ --- -- include: copy_scripts.yml +- ansible.builtin.import_tasks: copy_scripts.yml tags: celery -- include: setup_supervisor.yml +- ansible.builtin.import_tasks: setup_supervisor.yml tags: celery 
diff --git a/roles/celery/tasks/setup_supervisor.yml b/roles/celery/tasks/setup_supervisor.yml index 0e886e8b..91624c30 100644 --- a/roles/celery/tasks/setup_supervisor.yml +++ b/roles/celery/tasks/setup_supervisor.yml 
@@ -1,42 +1,47 @@ --- - name: Ensure the Supervisor service is running - service: + ansible.builtin.service: name: supervisor state: started - enabled: yes + enabled: true # TODO: This is likely due to a bug in Ansible. # Remove this line in the future. # See https://github.com/ansible/ansible/issues/75005 use: sysvinit - name: Create the Supervisor config file for {{ celery_application_name }} - template: src=supervisor_{{ celery_application_name }}.conf.j2 + ansible.builtin.template: src=supervisor_{{ celery_application_name }}.conf.j2 dest=/etc/supervisor/conf.d/{{ celery_application_name }}.conf + mode=0644 -- name: Create the {{ celery_application_name }} log directory - file: path={{ celery_log_dir }} - owner={{ celery_user }} - group={{ celery_group }} - state=directory +- name: Create the log directory for {{ celery_application_name }} + ansible.builtin.file: + path: "{{ celery_log_dir }}" + owner: "{{ celery_user }}" + group: "{{ celery_group }}" + state: directory + mode: "0644" + changed_when: false - name: Check for an existing celery logfile - stat: + ansible.builtin.stat: path: "{{ celery_log_file }}" register: p -- name: Create (or retain) the {{ celery_application_name }} log file +- name: Create (or retain) the log file for {{ celery_application_name }} # Removing until https://github.com/ansible/ansible/issues/45530 gets resolved. - # copy: content="" + # ansible.builtin.copy: content="" # dest={{ celery_log_file }} # owner={{ celery_user }} # group={{ celery_group }} # force=no - file: + ansible.builtin.file: path: "{{ celery_log_file }}" owner: "{{ celery_user }}" group: "{{ celery_group }}" - state: '{{ "file" if p.stat.exists else "touch" }}' + state: '{{ "file" if p.stat.exists else "touch" }}' + mode: "0644" - name: Re-read the Supervisor config files - supervisorctl: name={{ celery_application_name }} state=present + community.general.supervisorctl: name={{ celery_application_name }} state=present 
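Review bot: The `mode: "0644"` added to the "Create the log directory for {{ celery_application_name }}" task is wrong for a directory: without the execute bit `{{ celery_user }}` cannot traverse the directory to create or open log files inside it, and the `changed_when: false` added to the same task masks whatever the file module actually changes. Use `mode: "0755"` (or `"0750"` if only the celery group needs access) and drop `changed_when: false`, matching the other `ansible.builtin.file` tasks in this hunk. The `mode=0644` appended to the free-form template task is fine, because key=value free-form values are always strings.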
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml index ab4bff8d..796e679d 100644 --- a/roles/certbot/tasks/main.yml +++ b/roles/certbot/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Install Certbot - apt: + ansible.builtin.apt: update_cache: "{{ update_apt_cache }}" state: present name: @@ -10,24 +10,24 @@ tags: packages - name: Check if Nginx exists - stat: path=/etc/init.d/nginx + ansible.builtin.stat: path=/etc/init.d/nginx register: nginx_status - name: Ensure Nginx is stopped - service: name=nginx state=stopped + ansible.builtin.service: name=nginx state=stopped when: nginx_status.stat.exists - name: Install certbot and generate cert - command: "{{ certbot_script }} certonly --noninteractive --agree-tos --standalone --email {{ certbot_admin_email }} -d {{ inventory_hostname }}" + ansible.builtin.command: "{{ certbot_script }} certonly --noninteractive --agree-tos --standalone --email {{ certbot_admin_email }} -d {{ inventory_hostname }}" args: creates: "{{ certbot_output_dir }}" - name: Ensure Nginx is started - service: name=nginx state=started + ansible.builtin.service: name=nginx state=started when: nginx_status.stat.exists - name: Ensure a cron job to auto-renew the cert exists - cron: name="daily auto renew cert" + ansible.builtin.cron: name="daily auto renew cert" special_time=daily job="{{ certbot_script }} renew --standalone --no-self-upgrade --pre-hook \"service nginx stop\" --post-hook \"service nginx start\" --quiet" state=present diff --git a/roles/db/handlers/main.yml b/roles/db/handlers/main.yml index 89c27fe8..39dcee12 100644 --- a/roles/db/handlers/main.yml +++ b/roles/db/handlers/main.yml @@ -1,4 +1,4 @@ --- -- name: restart postgresql - service: name=postgresql state=restarted enabled=yes +- name: Restart postgresql + ansible.builtin.service: name=postgresql state=restarted enabled=yes diff --git a/roles/db/tasks/main.yml b/roles/db/tasks/main.yml index adfa93c7..909c8f30 100644 --- a/roles/db/tasks/main.yml 
+++ b/roles/db/tasks/main.yml @@ -1,19 +1,19 @@ --- - name: Add the PostgreSQL repository key to the apt trusted keys - apt_key: url=https://www.postgresql.org/media/keys/ACCC4CF8.asc + ansible.builtin.apt_key: url=https://www.postgresql.org/media/keys/ACCC4CF8.asc state=present - name: Add the PostgreSQL repository to the apt sources list - apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ {{ ansible_distribution_release }}-pgdg main' + ansible.builtin.apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ {{ ansible_distribution_release }}-pgdg main' update_cache={{ update_apt_cache }} state=present - name: Ensure locale is available - locale_gen: name=en_US.UTF-8 + community.general.locale_gen: name=en_US.UTF-8 - name: Install PostgreSQL - apt: + ansible.builtin.apt: update_cache: "{{ update_apt_cache }}" state: present name: @@ -23,10 +23,10 @@ tags: packages - name: Ensure the PostgreSQL service is running - service: + ansible.builtin.service: name: postgresql state: started - enabled: yes + enabled: true # TODO: This is likely due to a bug in Ansible. # Remove this line in the future. # See https://github.com/ansible/ansible/issues/75005 @@ -35,7 +35,7 @@ - name: Ensure database is created become: true become_user: postgres - postgresql_db: + community.postgresql.postgresql_db: name: "{{ db_name }}" encoding: UTF-8 lc_collate: en_US.UTF-8 
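Review bot: The "Add the PostgreSQL repository key" task still uses `ansible.builtin.apt_key`, which on the Ubuntu 22.04 target of this commit relies on the deprecated apt-key path and installs the key into the global trusted keyring, so it is trusted for every configured repository rather than only PGDG; the repository line below it also fetches over plain `http://`. Downloading the key with `ansible.builtin.get_url` into a file under `/etc/apt/keyrings/` and referencing it with `[signed-by=<PATH>]` in the `repo:` line (over https where the mirror supports it) limits that trust to the one repository. The two `ansible.builtin.apt_key` / `ansible.builtin.apt_repository` pairs in roles/rabbitmq/tasks/main.yml have the same issue.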
@@ -46,16 +46,26 @@ - name: Ensure user has access to the database become: true become_user: postgres - postgresql_user: db={{ db_name }} + community.postgresql.postgresql_user: db={{ db_name }} name={{ db_user }} password={{ db_password }} encrypted=yes - priv=ALL state=present +# If objs is omitted for type "database", it defaults to the database +# to which the connection is established +- name: Grant database privileges to the user. + become: true + become_user: postgres + community.postgresql.postgresql_privs: + db: "{{ db_name }}" + privs: ALL + type: database + role: "{{ db_user }}" + - name: Ensure user does not have unnecessary privileges become: true become_user: postgres - postgresql_user: name={{ db_user }} + community.postgresql.postgresql_user: name={{ db_user }} role_attr_flags=NOSUPERUSER,NOCREATEDB state=present diff --git a/roles/memcached/handlers/main.yml b/roles/memcached/handlers/main.yml index 01b28d62..1ef5f4bd 100644 --- a/roles/memcached/handlers/main.yml +++ b/roles/memcached/handlers/main.yml @@ -1,4 +1,4 @@ --- - name: restart memcached - service: name=memcached state=restarted enabled=yes + ansible.builtin.service: name=memcached state=restarted enabled=yes diff --git a/roles/memcached/tasks/main.yml b/roles/memcached/tasks/main.yml index 2f3e7962..80742a71 100644 --- a/roles/memcached/tasks/main.yml +++ b/roles/memcached/tasks/main.yml 
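Review bot: The "Ensure user has access to the database" task passes `password={{ db_password }}` but carries no `no_log: true`, so the password is printed in verbose runs and in the recorded module invocation. Add `no_log: true` to that task; the same is missing from the two `community.rabbitmq.rabbitmq_user` tasks that take a password in roles/rabbitmq/tasks/setup_users.yml and from the `ansible.builtin.user` task in roles/security/tasks/create_non_root_sudo_user.yml. The new `community.postgresql.postgresql_privs` task grants `ALL` at database level, which is what the removed `priv=ALL` did, so the behaviour change here appears to be nil; the leading comment would read better as `# With type "database" and no objs, the grant applies to the database named in db.`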
@@ -1,22 +1,26 @@ --- - name: Install Memcached - apt: name=memcached update_cache={{ update_apt_cache }} state=present + ansible.builtin.apt: + name: memcached + update_cache: "{{ update_apt_cache }}" + state: present tags: packages - name: Create the Memcached configuration file - template: src=memcached.conf.j2 - dest=/etc/memcached.conf - mode=0644 - backup=yes + ansible.builtin.template: + src: memcached.conf.j2 + dest: /etc/memcached.conf + mode: "0644" + backup: true notify: - restart memcached - name: Ensure the Memcached service is running - service: + ansible.builtin.service: name: memcached state: started - enabled: yes + enabled: true # TODO: This is likely due to a bug in Ansible. # Remove this line in the future. # See https://github.com/ansible/ansible/issues/75005 diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml index 55f22a5c..b2f4752d 100644 --- a/roles/nginx/handlers/main.yml +++ b/roles/nginx/handlers/main.yml @@ -1,6 +1,6 @@ --- -- name: restart nginx - service: name=nginx state=restarted enabled=yes +- name: Restart nginx + ansible.builtin.service: name=nginx state=restarted enabled=yes -- name: reload nginx - service: name=nginx state=reloaded +- name: Reload nginx + ansible.builtin.service: name=nginx state=reloaded diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 9acbd042..b822caed 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml 
@@ -1,44 +1,51 @@ --- - name: Install Nginx - apt: name=nginx update_cache={{ update_apt_cache }} state=present + ansible.builtin.apt: name=nginx update_cache={{ update_apt_cache }} state=present tags: packages - name: Copy the SSL certificate to the remote server - copy: content={{ ssl_crt }} dest={{ nginx_ssl_dest_dir }}/{{ application_name }}.crt - notify: restart nginx + ansible.builtin.copy: + content={{ ssl_crt }} + dest={{ nginx_ssl_dest_dir }}/{{ application_name }}.crt + mode="0644" + notify: Restart nginx when: not nginx_use_letsencrypt - name: Copy the SSL private key to the remote server - copy: content={{ ssl_key }} dest={{ nginx_ssl_dest_dir }}/{{ application_name }}.key - notify: restart nginx + ansible.builtin.copy: + content={{ ssl_key }} + dest={{ nginx_ssl_dest_dir }}/{{ application_name }}.key + mode="0644" + notify: Restart nginx when: not nginx_use_letsencrypt - name: Ensure that a strong Diffie-Hellman group is used - command: openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048 creates=/etc/ssl/certs/dhparams.pem + ansible.builtin.command: openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048 creates=/etc/ssl/certs/dhparams.pem when: nginx_strong_dh_group is defined and nginx_strong_dh_group - name: Create the Nginx configuration file - template: src={{ application_name }}.j2 + ansible.builtin.template: src={{ application_name }}.j2 dest=/etc/nginx/sites-available/{{ application_name }} backup=yes - notify: reload nginx + mode=0644 + notify: Reload nginx - name: Ensure that the default site is disabled - file: path=/etc/nginx/sites-enabled/default state=absent - notify: reload nginx + ansible.builtin.file: path=/etc/nginx/sites-enabled/default state=absent + notify: Reload nginx - name: Ensure that the application site is enabled - file: src=/etc/nginx/sites-available/{{ application_name }} + ansible.builtin.file: src=/etc/nginx/sites-available/{{ application_name }} dest=/etc/nginx/sites-enabled/{{ application_name }} state=link - notify: 
reload nginx + notify: Reload nginx - name: Ensure Nginx service is started - service: + ansible.builtin.service: name: nginx state: started - enabled: yes + enabled: true # TODO: This is likely due to a bug in Ansible. # Remove this line in the future. # See https://github.com/ansible/ansible/issues/75005 diff --git a/roles/rabbitmq/handlers/main.yml b/roles/rabbitmq/handlers/main.yml index 4e6adfcd..f283d6c8 100644 --- a/roles/rabbitmq/handlers/main.yml +++ b/roles/rabbitmq/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: restart rabbitmq-server - service: + ansible.builtin.service: name: rabbitmq-server state: restarted diff --git a/roles/rabbitmq/tasks/main.yml b/roles/rabbitmq/tasks/main.yml index a7c2dd02..586c107d 100644 --- a/roles/rabbitmq/tasks/main.yml +++ b/roles/rabbitmq/tasks/main.yml 
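Review bot: The `mode="0644"` added to the "Copy the SSL private key to the remote server" task leaves the TLS private key readable by every local user; nginx's master process opens the key as root, so `mode="0600"` is sufficient, and the task should also carry `no_log: true` so the key material is not echoed in verbose output or callback logs. The certificate copy above it can keep `0644`. Both tasks also keep `content={{ ssl_key }}` / `content={{ ssl_crt }}` in key=value free-form, which is fragile for multi-line PEM values; the block-style `content: "{{ ssl_key }}"` form used elsewhere in this commit would be safer, though that behaviour predates the hunk.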
@@ -1,26 +1,26 @@ --- - name: Add the RabbitMQ release signing key to the apt trusted keys - apt_key: url=https://dl.cloudsmith.io/public/rabbitmq/rabbitmq-server/gpg.9F4587F226208342.key + ansible.builtin.apt_key: url=https://dl.cloudsmith.io/public/rabbitmq/rabbitmq-server/gpg.9F4587F226208342.key state=present - name: Add the RabbitMQ repository to the apt sources list - apt_repository: repo='deb https://dl.cloudsmith.io/public/rabbitmq/rabbitmq-server/deb/ubuntu {{ ansible_distribution_release }} main' + ansible.builtin.apt_repository: repo='deb https://dl.cloudsmith.io/public/rabbitmq/rabbitmq-server/deb/ubuntu {{ ansible_distribution_release }} main' update_cache={{ update_apt_cache }} state=present - name: Add the RabbitMQ Erlang signing key to the apt trusted keys - apt_key: url=https://dl.cloudsmith.io/public/rabbitmq/rabbitmq-erlang/gpg.E495BB49CC4BBE5B.key + ansible.builtin.apt_key: url=https://dl.cloudsmith.io/public/rabbitmq/rabbitmq-erlang/gpg.E495BB49CC4BBE5B.key state=present - name: Add the RabbitMQ Erlang repository to the apt sources list - apt_repository: repo='deb https://dl.cloudsmith.io/public/rabbitmq/rabbitmq-erlang/deb/ubuntu {{ ansible_distribution_release }} main' + ansible.builtin.apt_repository: repo='deb https://dl.cloudsmith.io/public/rabbitmq/rabbitmq-erlang/deb/ubuntu {{ ansible_distribution_release }} main' update_cache={{ update_apt_cache }} state=present - name: Install RabbitMQ server - apt: + ansible.builtin.apt: update_cache: "{{ update_apt_cache }}" state: present name: @@ -29,7 +29,7 @@ - packages - name: Make sure rabbitmq-server is enabled and running - service: + ansible.builtin.service: name: rabbitmq-server state: started enabled: true 
@@ -39,9 +39,9 @@ use: sysvinit - name: Enable the RabbitMQ Management Console - rabbitmq_plugin: names=rabbitmq_management state=enabled + community.rabbitmq.rabbitmq_plugin: names=rabbitmq_management state=enabled notify: restart rabbitmq-server -- include: setup_vhosts.yml +- ansible.builtin.import_tasks: setup_vhosts.yml -- include: setup_users.yml +- ansible.builtin.import_tasks: setup_users.yml diff --git a/roles/rabbitmq/tasks/setup_users.yml b/roles/rabbitmq/tasks/setup_users.yml index 02d01664..6cf09741 100644 --- a/roles/rabbitmq/tasks/setup_users.yml +++ b/roles/rabbitmq/tasks/setup_users.yml @@ -1,14 +1,14 @@ --- - name: Create default admin user - rabbitmq_user: user={{ rabbitmq_admin_user }} + community.rabbitmq.rabbitmq_user: user={{ rabbitmq_admin_user }} password={{ rabbitmq_admin_password }} vhost=/ tags=administrator state=present - name: Create application user - rabbitmq_user: user={{ rabbitmq_application_user }} + community.rabbitmq.rabbitmq_user: user={{ rabbitmq_application_user }} password={{ rabbitmq_application_password }} vhost={{ rabbitmq_application_vhost }} configure_priv=.* @@ -17,5 +17,5 @@ state=present - name: Ensure the default 'guest' user doesn't exist - rabbitmq_user: user=guest + community.rabbitmq.rabbitmq_user: user=guest state=absent diff --git a/roles/rabbitmq/tasks/setup_vhosts.yml b/roles/rabbitmq/tasks/setup_vhosts.yml index 3a7b3a42..da80c126 100644 --- a/roles/rabbitmq/tasks/setup_vhosts.yml +++ b/roles/rabbitmq/tasks/setup_vhosts.yml @@ -1,4 +1,4 @@ --- - name: Create a vhost for the application - rabbitmq_vhost: name={{ rabbitmq_application_vhost }} state=present + community.rabbitmq.rabbitmq_vhost: name={{ rabbitmq_application_vhost }} state=present diff --git a/roles/security/handlers/main.yml b/roles/security/handlers/main.yml index 6e0baef4..926c0731 100644 --- a/roles/security/handlers/main.yml +++ b/roles/security/handlers/main.yml 
@@ -1,6 +1,6 @@ --- - name: restart ssh - service: name=ssh state=restarted + ansible.builtin.service: name=ssh state=restarted - name: restart fail2ban - service: name=fail2ban state=restarted + ansible.builtin.service: name=fail2ban state=restarted diff --git a/roles/security/tasks/create_non_root_sudo_user.yml b/roles/security/tasks/create_non_root_sudo_user.yml index 9a39172b..c74f7dfa 100644 --- a/roles/security/tasks/create_non_root_sudo_user.yml +++ b/roles/security/tasks/create_non_root_sudo_user.yml @@ -1,25 +1,25 @@ --- - name: Add user - user: name="{{ server_user }}" shell="{{ shell }}" password="{{ server_user_password }}" + ansible.builtin.user: name="{{ server_user }}" shell="{{ shell }}" password="{{ server_user_password }}" - name: Install sudo - apt: name=sudo update_cache={{ update_apt_cache }} state=present cache_valid_time=86400 + ansible.builtin.apt: name=sudo update_cache={{ update_apt_cache }} state=present cache_valid_time=86400 - name: Add user to sudoers - lineinfile: dest=/etc/sudoers + ansible.builtin.lineinfile: dest=/etc/sudoers regexp="{{ server_user }} ALL" line="{{ server_user }} ALL=(ALL) ALL" state=present - name: Limit su access to sudo group - command: dpkg-statoverride --update --add root sudo 4750 /bin/su + ansible.builtin.command: dpkg-statoverride --update --add root sudo 4750 /bin/su register: limit_su_res failed_when: limit_su_res.rc != 0 and ("already exists" not in limit_su_res.stderr) changed_when: limit_su_res.rc == 0 - name: Disallow root SSH access - lineinfile: dest=/etc/ssh/sshd_config + ansible.builtin.lineinfile: dest=/etc/ssh/sshd_config regexp="^PermitRootLogin" line="PermitRootLogin no" state=present diff --git a/roles/security/tasks/force_ssh_authentication.yml b/roles/security/tasks/force_ssh_authentication.yml index 5f9c10e7..18198ee0 100644 --- a/roles/security/tasks/force_ssh_authentication.yml +++ b/roles/security/tasks/force_ssh_authentication.yml 
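Review bot: The "Add user to sudoers" task in create_non_root_sudo_user.yml edits /etc/sudoers with `ansible.builtin.lineinfile` and no `validate:`, so a malformed line disables sudo for every account on the host; add `validate: /usr/sbin/visudo -cf %s` to that task (or manage a file under /etc/sudoers.d/ with the same validation). The sshd_config edits in this hunk and in roles/security/tasks/force_ssh_authentication.yml would likewise benefit from `validate: /usr/sbin/sshd -t -f %s`, since an invalid sshd_config can cut off remote access at the next restart. The "Disallow root SSH access" task shows no `notify: restart ssh` within the hunk; if nothing follows it in the file, the new `PermitRootLogin no` only takes effect when some other task restarts ssh.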
@@ -1,19 +1,21 @@ --- - name: Add authorized_keys for the user - authorized_key: user={{ server_user }} key="{{ lookup('file', item) }}" + ansible.posix.authorized_key: + user: "{{ server_user }}" + key: "{{ lookup('file', item) }}" with_items: - "{{ user_public_keys }}" - name: Disallow password authentication - lineinfile: dest=/etc/ssh/sshd_config + ansible.builtin.lineinfile: dest=/etc/ssh/sshd_config regexp="^PasswordAuthentication" line="PasswordAuthentication no" state=present notify: restart ssh - name: Allow ssh only for primary user - lineinfile: dest=/etc/ssh/sshd_config + ansible.builtin.lineinfile: dest=/etc/ssh/sshd_config regexp="^AllowUsers" line="AllowUsers {{ server_user }}" state=present diff --git a/roles/security/tasks/main.yml b/roles/security/tasks/main.yml index 8e0d42ad..647a29d7 100644 --- a/roles/security/tasks/main.yml +++ b/roles/security/tasks/main.yml 
@@ -1,21 +1,27 @@ --- -- include: perform_aptitude_dist_upgrade.yml +- name: Perform aptitude dist-upgrade + ansible.builtin.import_tasks: perform_aptitude_dist_upgrade.yml when: perform_aptitude_dist_upgrade is defined and perform_aptitude_dist_upgrade -- include: create_non_root_sudo_user.yml +- name: Create non-root sudo user + ansible.builtin.import_tasks: create_non_root_sudo_user.yml when: server_user != "root" -- include: force_ssh_authentication.yml +- name: Force SSH Authentication + ansible.builtin.import_tasks: force_ssh_authentication.yml when: force_ssh_authentication is defined and force_ssh_authentication -- include: setup_unattended_upgrades.yml +- name: Setup Unattended Upgrades + ansible.builtin.import_tasks: setup_unattended_upgrades.yml when: enable_unattended_upgrades is defined and enable_unattended_upgrades -- include: setup_uncomplicated_firewall.yml +- name: Setup uncomplicated firewall + ansible.builtin.import_tasks: setup_uncomplicated_firewall.yml when: enable_ufw is defined and enable_ufw # TODO: Re-enable this test when we figure out how to integrate ipv6 support with GitHub Actions. tags: molecule-notest -- include: setup_fail2ban.yml +- name: Setup Fail2Ban + ansible.builtin.import_tasks: setup_fail2ban.yml when: enable_fail2ban is defined and enable_fail2ban diff --git a/roles/security/tasks/perform_aptitude_dist_upgrade.yml b/roles/security/tasks/perform_aptitude_dist_upgrade.yml index 7640c7f5..07f3d6e8 100644 --- a/roles/security/tasks/perform_aptitude_dist_upgrade.yml +++ b/roles/security/tasks/perform_aptitude_dist_upgrade.yml @@ -1,7 +1,7 @@ --- - name: Update APT packages cache - apt: update_cache={{ update_apt_cache }} cache_valid_time=86400 + ansible.builtin.apt: update_cache={{ update_apt_cache }} cache_valid_time=86400 - name: Perform aptitude dist-upgrade - apt: upgrade=dist + ansible.builtin.apt: upgrade=dist 
diff --git a/roles/security/tasks/setup_fail2ban.yml b/roles/security/tasks/setup_fail2ban.yml index 5d5b3b1d..a1e3fc0e 100644 --- a/roles/security/tasks/setup_fail2ban.yml +++ b/roles/security/tasks/setup_fail2ban.yml @@ -1,9 +1,9 @@ --- - name: Install fail2ban - apt: update_cache={{ update_apt_cache }} state=present pkg=fail2ban + ansible.builtin.apt: update_cache={{ update_apt_cache }} state=present pkg=fail2ban - name: Set up fail2ban - command: cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local + ansible.builtin.command: cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local creates=/etc/fail2ban/jail.local notify: restart fail2ban diff --git a/roles/security/tasks/setup_unattended_upgrades.yml b/roles/security/tasks/setup_unattended_upgrades.yml index d635fa15..cd4cd838 100644 --- a/roles/security/tasks/setup_unattended_upgrades.yml +++ b/roles/security/tasks/setup_unattended_upgrades.yml @@ -1,14 +1,18 @@ --- - name: Install Unattended Upgrades - apt: update_cache={{ update_apt_cache }} state=present pkg=unattended-upgrades + ansible.builtin.apt: update_cache={{ update_apt_cache }} state=present pkg=unattended-upgrades - name: Set up unattended upgrades - copy: src=apt_periodic dest=/etc/apt/apt.conf.d/10periodic + ansible.builtin.copy: + src=apt_periodic + dest=/etc/apt/apt.conf.d/10periodic + mode="0644" - name: Automatically remove unused dependencies - lineinfile: dest=/etc/apt/apt.conf.d/50unattended-upgrades + ansible.builtin.lineinfile: dest=/etc/apt/apt.conf.d/50unattended-upgrades regexp="Unattended-Upgrade::Remove-Unused-Dependencies" line="Unattended-Upgrade::Remove-Unused-Dependencies \"true\";" state=present create=yes + mode="0644" diff --git a/roles/security/tasks/setup_uncomplicated_firewall.yml b/roles/security/tasks/setup_uncomplicated_firewall.yml index 8ff31bc8..9783d27f 100644 --- a/roles/security/tasks/setup_uncomplicated_firewall.yml +++ b/roles/security/tasks/setup_uncomplicated_firewall.yml 
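Review bot: `cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local` guarded by `creates=` copies the whole upstream default file once and never reconverges, so every later package update to jail.conf is shadowed by a stale full copy, and the role still has no place to set what it presumably wants (`bantime`, `ignoreip`, the sshd jail settings). jail.conf's own header asks for a minimal jail.local holding only overrides; a template such as `ansible.builtin.template: src=jail.local.j2 dest=/etc/fail2ban/jail.local mode=0644` with `notify: restart fail2ban` would be idempotent and reviewable. To my knowledge the sshd jail is already enabled on Debian/Ubuntu by `/etc/fail2ban/jail.d/defaults-debian.conf`, so it is not clear the copy changes behaviour at all today.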
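Review bot: Nothing visible in this hunk ensures `APT::Periodic::Unattended-Upgrade "1";` is set: the copied `apt_periodic` (presumably roles/security/files/apt_periodic, not in this diff) lands as `10periodic`, while the package's own debconf-written `20auto-upgrades` sorts after it and apt takes the later definition, so the two can disagree silently. Worth confirming the contents of that file, or managing `/etc/apt/apt.conf.d/20auto-upgrades` directly with `APT::Periodic::Update-Package-Lists "1";` and `APT::Periodic::Unattended-Upgrade "1";`. Also consider pairing `Remove-Unused-Dependencies "true"` with an explicit `Unattended-Upgrade::Automatic-Reboot` decision in the same lineinfile task; as written, kernel security updates are installed but not active until someone reboots, and the role does not say whether that is intended.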
@@ -1,13 +1,13 @@ --- - name: Install Uncomplicated Firewall - apt: update_cache={{ update_apt_cache }} state=present pkg=ufw + ansible.builtin.apt: update_cache={{ update_apt_cache }} state=present pkg=ufw # Allow only ssh and http(s) ports - name: Allow ssh and http(s) connections - ufw: rule=allow port={{ item }} + community.general.ufw: rule=allow port={{ item }} with_items: - "{{ ufw_allowed_ports }}" - name: Enable ufw/firewall - ufw: state=enabled policy=deny + community.general.ufw: state=enabled policy=deny diff --git a/roles/security/vars/main.yml b/roles/security/vars/main.yml index d27e1b82..aff7677f 100644 --- a/roles/security/vars/main.yml +++ b/roles/security/vars/main.yml @@ -1,4 +1,5 @@ --- + user_public_keys: - ~/.ssh/id_rsa.pub diff --git a/roles/web/handlers/main.yml b/roles/web/handlers/main.yml index 94c5f6ea..17370208 100644 --- a/roles/web/handlers/main.yml +++ b/roles/web/handlers/main.yml @@ -1,4 +1,4 @@ --- -- name: restart application - supervisorctl: name={{ application_name }} state=restarted +- name: Restart application + community.general.supervisorctl: name={{ application_name }} state=restarted diff --git a/roles/web/tasks/create_users_and_groups.yml b/roles/web/tasks/create_users_and_groups.yml index 93efba7d..a442f811 100644 --- a/roles/web/tasks/create_users_and_groups.yml +++ b/roles/web/tasks/create_users_and_groups.yml @@ -1,10 +1,10 @@ --- - name: Create the application user - user: name={{ gunicorn_user }} state=present + ansible.builtin.user: name={{ gunicorn_user }} state=present - name: Create the application group - group: name={{ gunicorn_group }} system=yes state=present + ansible.builtin.group: name={{ gunicorn_group }} system=yes state=present - name: Add the application user to the application group - user: name={{ gunicorn_user }} group={{ gunicorn_group }} state=present + ansible.builtin.user: name={{ gunicorn_user }} group={{ gunicorn_group }} state=present 
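Review bot: `community.general.ufw: rule=allow port={{ item }}` opens both TCP and UDP for every listed port, which for SSH and HTTP(S) is wider than needed; `rule=allow port={{ item }} proto=tcp` tightens this without changing what the role advertises, and for the SSH port `rule=limit` adds firewall-level rate limiting against brute force on top of fail2ban. The comment `# Allow only ssh and http(s) ports` is only true if `ufw_allowed_ports` holds exactly those values, which is defined elsewhere and not visible here; make the comment say it documents the default rather than the rule.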
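Review bot: `ansible.builtin.user: name={{ gunicorn_user }} state=present` creates a normal interactive account (login shell, regular UID range) for what is a service account, while the group in the next task is created with `system=yes`. For least privilege the user task should match: `ansible.builtin.user: name={{ gunicorn_user }} system=true shell=/usr/sbin/nologin state=present`. Note `system` only applies when the account is first created, so existing deployments keep their current UID and only the shell would change there.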
diff --git a/roles/web/tasks/install_additional_packages.yml b/roles/web/tasks/install_additional_packages.yml index 77c178cf..1fd4792d 100644 --- a/roles/web/tasks/install_additional_packages.yml +++ b/roles/web/tasks/install_additional_packages.yml @@ -1,13 +1,13 @@ --- - name: Add deadsnakes team New Python Versions PPA to the apt sources list - apt_repository: repo='ppa:deadsnakes/ppa' + ansible.builtin.apt_repository: repo='ppa:deadsnakes/ppa' update_cache={{ update_apt_cache }} state=present when: enable_deadsnakes_ppa - name: Install additional packages - apt: + ansible.builtin.apt: update_cache: "{{ update_apt_cache }}" state: present name: @@ -15,3 +15,4 @@ - gnutls-dev - libpq-dev - "{{ virtualenv_python_version + '-dev' }}" + - "{{ virtualenv_python_version + '-distutils' }}" # Required by Ubuntu 22.04 diff --git a/roles/web/tasks/main.yml b/roles/web/tasks/main.yml index 8f8623bb..7e502027 100644 --- a/roles/web/tasks/main.yml +++ b/roles/web/tasks/main.yml @@ -1,21 +1,21 @@ --- -- include: install_additional_packages.yml +- ansible.builtin.import_tasks: install_additional_packages.yml tags: packages -- include: create_users_and_groups.yml +- ansible.builtin.import_tasks: create_users_and_groups.yml -- include: set_file_permissions.yml +- ansible.builtin.import_tasks: set_file_permissions.yml tags: deploy -- include: setup_virtualenv.yml +- ansible.builtin.import_tasks: setup_virtualenv.yml tags: virtualenv -- include: setup_git_repo.yml +- ansible.builtin.import_tasks: setup_git_repo.yml tags: deploy -- include: setup_django_app.yml +- ansible.builtin.import_tasks: setup_django_app.yml tags: deploy -- include: setup_supervisor.yml +- ansible.builtin.import_tasks: setup_supervisor.yml tags: supervisor diff --git a/roles/web/tasks/set_file_permissions.yml b/roles/web/tasks/set_file_permissions.yml index d918ae0a..ea0b1d20 100644 --- a/roles/web/tasks/set_file_permissions.yml +++ b/roles/web/tasks/set_file_permissions.yml 
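Review bot: `"{{ virtualenv_python_version + '-distutils' }}"` is appended unconditionally, but distutils was removed from the standard library in Python 3.12 (PEP 632) and, as far as I know, deadsnakes ships no `python3.12-distutils` package, so any deploy that sets `virtualenv_python_version` to 3.12 or later fails apt on an unknown package. Guard it by moving it to its own task, e.g. `when: virtualenv_python_version | regex_replace('^python', '') is version('3.12', '<')`, and make the comment state the actual assumption (`# distutils is a separate package on 22.04 for python3.10/3.11; not available for 3.12+`) rather than just `# Required by Ubuntu 22.04`.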
@@ -1,7 +1,7 @@ --- - name: Ensure that the application file permissions are set properly - file: path={{ virtualenv_path }} + ansible.builtin.file: path={{ virtualenv_path }} recurse=yes owner={{ gunicorn_user }} group={{ gunicorn_group }} diff --git a/roles/web/tasks/setup_django_app.yml b/roles/web/tasks/setup_django_app.yml index 5b4c3c3f..e68b85dd 100644 --- a/roles/web/tasks/setup_django_app.yml +++ b/roles/web/tasks/setup_django_app.yml @@ -1,13 +1,13 @@ --- - name: Install packages required by the Django app inside virtualenv - pip: + ansible.builtin.pip: virtualenv: "{{ virtualenv_path }}" requirements: "{{ requirements_file }}" extra_args: "{{ pip_use_upgrade_flag | ternary('--upgrade', omit) }}" - name: Run the Django syncdb command - django_manage: + community.general.django_manage: command: syncdb app_path: "{{ project_path }}" virtualenv: "{{ virtualenv_path }}" @@ -17,7 +17,7 @@ tags: django.syncdb - name: Run Django database migrations - django_manage: + community.general.django_manage: command: migrate app_path: "{{ project_path }}" virtualenv: "{{ virtualenv_path }}" @@ -27,12 +27,12 @@ tags: django.migrate - name: Run Django collectstatic - django_manage: + community.general.django_manage: command: collectstatic app_path: "{{ project_path }}" virtualenv: "{{ virtualenv_path }}" settings: "{{ django_settings_file }}" environment: "{{ django_environment }}" when: run_django_collectstatic is defined and run_django_collectstatic - notify: restart application + notify: Restart application tags: django.collectstatic diff --git a/roles/web/tasks/setup_git_repo.yml b/roles/web/tasks/setup_git_repo.yml index 90102048..81ba5fe1 100644 --- a/roles/web/tasks/setup_git_repo.yml +++ b/roles/web/tasks/setup_git_repo.yml @@ -9,7 +9,7 @@ # https://stackoverflow.com/questions/24124140/ssh-agent-forwarding-with-ansible - name: Add ssh agent line to sudoers - lineinfile: + ansible.builtin.lineinfile: dest: /etc/sudoers state: present regexp: SSH_AUTH_SOCK 
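Review bot: The `Add ssh agent line to sudoers` task writes to `/etc/sudoers` with `ansible.builtin.lineinfile` and no `validate:`, so a malformed `line:` breaks sudo for every account on the host; add `validate: '/usr/sbin/visudo -cf %s'` to the task, or place the rule in `/etc/sudoers.d/ssh_auth_sock` with `mode: "0440"` and the same validate. The task's `line:` and `when:` continue outside this hunk, so I cannot confirm what is being written beyond the `SSH_AUTH_SOCK` regexp.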
@@ -17,28 +17,23 @@ when: ssh_forward_agent is defined and ssh_forward_agent tags: git -# The git module calls python's tempfile.mkstemp() which uses the TMPDIR -# environment variable. However this is set to /tmp which is mounted as -# noexec. As a result the git command will fail. The solution is to set -# TMPDIR to point to some other suitable location. Here we use /var/tmp -# but any suitable location will do. -# -# https://github.com/ansible/ansible/issues/30064 -# https://docs.python.org/dev/library/tempfile.html?highlight=mkstemp#tempfile.tempdir - - name: Setup the Git repo - environment: - TMPDIR: "/var/tmp" - git: repo={{ git_repo }} - version={{ git_branch }} - dest={{ project_path }} - accept_hostkey=yes + # Specifying user to prevent Git directory ownership warnings, via this SO question: + # https://stackoverflow.com/a/73356197/2532070 + # The question says this does not work but it does seem to work. + become_user: "{{ gunicorn_user }}" + become: true + ansible.builtin.git: + repo: "{{ git_repo }}" + version: "{{ git_branch }}" + dest: "{{ project_path }}" + accept_hostkey: true when: setup_git_repo is defined and setup_git_repo - notify: restart application + notify: Restart application tags: git - name: Delete all .pyc files - command: find . -name '*.pyc' -delete + ansible.builtin.command: find . -name '*.pyc' -delete args: chdir: "{{ project_path }}" tags: git diff --git a/roles/web/tasks/setup_supervisor.yml b/roles/web/tasks/setup_supervisor.yml index 2a2b40d5..d386ec49 100644 --- a/roles/web/tasks/setup_supervisor.yml +++ b/roles/web/tasks/setup_supervisor.yml 
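Review bot: `accept_hostkey: true` on the clone auto-trusts whatever host key the git server presents on first contact, so a first deploy (or any host whose known_hosts was wiped) is a trust-on-first-use window for a man-in-the-middle to substitute the repository checkout; pre-seed the key instead with `ansible.builtin.known_hosts: name=<git host> key="{{ git_host_key }}"` run as the same `become_user`, and drop `accept_hostkey`. With the clone now running as `gunicorn_user`, also note that a forwarded agent socket is created 0600 owned by the connecting user, so unless that user is `gunicorn_user` the `SSH_AUTH_SOCK` sudoers entry from the earlier hunk does not let this task authenticate; a sentence next to the stackoverflow link explaining which user is expected to connect would prevent confusing failures. The `TMPDIR` workaround for noexec /tmp was removed without saying why it is no longer needed; a one-line comment such as `# TMPDIR override dropped: no longer needed once the clone runs as gunicorn_user` (if that is the reason) would save the next reader a bisect.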
@@ -1,19 +1,20 @@ --- - name: Ensure the Supervisor service is running - service: + ansible.builtin.service: name: supervisor state: started - enabled: yes + enabled: true # TODO: This is likely due to a bug in Ansible. # Remove this line in the future. # See https://github.com/ansible/ansible/issues/75005 use: sysvinit - name: Create the Supervisor config file - template: src=supervisor_config.j2 + ansible.builtin.template: src=supervisor_config.j2 dest=/etc/supervisor/conf.d/{{ application_name }}.conf backup=yes + mode="0644" - name: Re-read the Supervisor config files - supervisorctl: name={{ application_name }} state=present + community.general.supervisorctl: name={{ application_name }} state=present diff --git a/roles/web/tasks/setup_virtualenv.yml b/roles/web/tasks/setup_virtualenv.yml index 0e2ecdd5..d36bcf27 100644 --- a/roles/web/tasks/setup_virtualenv.yml +++ b/roles/web/tasks/setup_virtualenv.yml 
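Review bot: The supervisor config is now written with `mode="0644"`; if `supervisor_config.j2` renders an `environment=` line carrying database credentials or the Django secret key (a common gunicorn stanza, and the postactivate script in setup_virtualenv.yml is deliberately 0640 for that reason), 0644 exposes those values to every local account. Unless the template is known to hold no secrets, `mode="0640"` (root-owned, which supervisord reads as root) is the safer default for this file. The `use: sysvinit` TODO would be more actionable with the Ansible version in which #75005 is fixed noted in the comment.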
@@ -1,39 +1,41 @@ --- - name: Install virtualenv - pip: + ansible.builtin.pip: name: virtualenv version: 15.1.0 tags: packages - name: Check if Supervisor exists - stat: path=/etc/init.d/supervisor + ansible.builtin.stat: path=/etc/init.d/supervisor register: supervisor_status when: recreate_virtualenv - name: Ensure all processes managed by Supervisor are stopped if exists - command: supervisorctl stop all + community.general.supervisorctl: + name: all + state: stopped when: recreate_virtualenv and supervisor_status.stat.exists - name: Ensure no existing virtualenv exists - file: + ansible.builtin.file: state: absent path: "{{ virtualenv_path }}/" when: recreate_virtualenv - name: Create the virtualenv - command: virtualenv -p {{ virtualenv_python_version }} {{ virtualenv_path }} + ansible.builtin.command: virtualenv -p {{ virtualenv_python_version }} {{ virtualenv_path }} creates={{ virtualenv_path }}/bin/activate - name: Ensure gunicorn and pycurl are installed in the virtualenv - pip: + ansible.builtin.pip: virtualenv: "{{ virtualenv_path }}" name: - gunicorn - pycurl - name: Create the Gunicorn script file - template: src=gunicorn_start.j2 + ansible.builtin.template: src=gunicorn_start.j2 dest={{ virtualenv_path }}/bin/gunicorn_start owner={{ gunicorn_user }} group={{ gunicorn_group }} 
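Review bot: Replacing `command: supervisorctl stop all` with `community.general.supervisorctl: name: all state: stopped` probably changes behaviour: as far as I can tell the module matches `name` against the program/group names in `supervisorctl status` output rather than treating `all` as supervisorctl's wildcard, so with no program literally named `all` it fails with a no-such-process error (or stops nothing) instead of stopping every managed process before the virtualenv is deleted. Either keep the command form with `changed_when` derived from its output, or target the real program, e.g. `name: "{{ application_name }}"`. Separately, the `virtualenv` pin `version: 15.1.0` is from 2016 and bundles a pip of that era; I would not expect it to have been exercised against Python 3.10, so it is a better candidate for this upgrade than anything else in this role.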
@@ -42,43 +44,45 @@ tags: deploy - name: Create the application log folder - file: path={{ application_log_dir }} - owner={{ gunicorn_user }} - group={{ gunicorn_group }} - mode=0774 - state=directory + ansible.builtin.file: + path: "{{ application_log_dir }}" + owner: "{{ gunicorn_user }}" + group: "{{ gunicorn_group }}" + mode: "0774" + state: directory + changed_when: false - name: Check for an existing application logfile - stat: + ansible.builtin.stat: path: "{{ application_log_file }}" register: p - name: Create (or retain) the application log file # Removing until https://github.com/ansible/ansible/issues/45530 gets resolved. - # copy: content="" + # ansible.builtin.copy: content="" # dest={{ application_log_file }} # owner={{ gunicorn_user }} # group={{ gunicorn_group }} # mode=0664 # force=no - file: + ansible.builtin.file: path: "{{ application_log_file }}" owner: "{{ gunicorn_user }}" group: "{{ gunicorn_group }}" mode: 0664 - state: '{{ "file" if p.stat.exists else "touch" }}' + state: '{{ "file" if p.stat.exists else "touch" }}' - name: Create the virtualenv postactivate script to set environment variables - template: src=virtualenv_postactivate.j2 + ansible.builtin.template: src=virtualenv_postactivate.j2 dest={{ virtualenv_path }}/bin/postactivate owner={{ gunicorn_user }} group={{ gunicorn_group }} mode=0640 backup=yes - notify: restart application + notify: Restart application tags: deploy - name: Create the maintenance page - template: src=maintenance_off.html + ansible.builtin.template: src=maintenance_off.html dest={{ virtualenv_path }}/maintenance_off.html mode=0664 diff --git a/security.yml b/security.yml index 3bd4bdf2..2fc6d004 100644 --- a/security.yml +++ b/security.yml @@ -6,11 +6,11 @@ become_user: root remote_user: root vars: - - update_apt_cache: true + update_apt_cache: true vars_files: - roles/base/defaults/main.yml module_defaults: - apt: + ansible.builtin.apt: force_apt_get: true roles: 
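Review bot: `changed_when: false` on the `Create the application log folder` task hides genuine changes — if ownership or mode of `application_log_dir` is wrong, the file module fixes it but reports nothing, and idempotence checks lose a signal for real drift; the non-idempotent step is the `state: touch` task below it (which is why the `stat` workaround exists), so silencing this one treats the wrong task. Remove `changed_when: false` here, and quote `mode: "0664"` in the logfile task to match the `"0774"` above it (an unquoted `0664` is an octal int that ansible-lint flags as risky-octal). Once the linked Ansible issue is resolved, the `stat` plus `touch` pair can collapse into the commented `copy: content="" ... force=no` form, as the existing comment already suggests.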
diff --git a/site.yml b/site.yml index 511bb8ac..a74e4eb3 100644 --- a/site.yml +++ b/site.yml @@ -1,5 +1,5 @@ --- -- include: dbservers.yml +- ansible.builtin.import_tasks: dbservers.yml -- include: webservers.yml +- ansible.builtin.import_tasks: webservers.yml diff --git a/vagrant.yml b/vagrant.yml index 33f37b25..b7cebb90 100644 --- a/vagrant.yml +++ b/vagrant.yml @@ -8,7 +8,7 @@ vars: update_apt_cache: true module_defaults: - apt: + ansible.builtin.apt: force_apt_get: true roles: diff --git a/webservers.yml b/webservers.yml index 5f9736d7..27e1114e 100644 --- a/webservers.yml +++ b/webservers.yml @@ -8,7 +8,7 @@ vars: update_apt_cache: true module_defaults: - apt: + ansible.builtin.apt: force_apt_get: true roles:
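Review bot: `ansible.builtin.import_tasks: dbservers.yml` in site.yml is not valid: site.yml is a playbook and dbservers.yml/webservers.yml are themselves playbooks (webservers.yml in this same diff has `vars`, `module_defaults` and `roles`), while `import_tasks` is a task-level keyword, so `ansible-playbook site.yml` will reject the play rather than run both. The play-level replacement for the old `include:` is `ansible.builtin.import_playbook`, i.e. `- ansible.builtin.import_playbook: dbservers.yml` and `- ansible.builtin.import_playbook: webservers.yml`. The molecule job would not catch this if it converges through its own converge.yml rather than site.yml, so it is worth a manual `ansible-playbook --syntax-check site.yml` before merge.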