Remove all stretch-related configuration switches

No need to support those anymore. Fixes issue #78.

Remove all stretch-related configuration switches
67e4670f · ale · 04097355 · 67e4670f · 04097355 · 67e4670f
Commit 67e4670f authored 4 years ago by ale
--- a/roles/base/files/mtail.service
+++ b/roles/base/files/mtail.service
@@ -5,7 +5,7 @@ Requires=mtail.socket
 [Service]
 Type=simple
 # Systemd will pass mtail.socket as FD 3.
-ExecStart=/usr/bin/mtail -progs /etc/mtail -logtostderr -port 3903 -logfds 3
+ExecStart=/usr/bin/mtail --progs /etc/mtail --logtostderr --port 3903 --logs /dev/fd/3
 Restart=on-failure
 User=mtail

--- a/roles/base/files/mtail.service.buster
+++ b/roles/base/files/mtail.service.buster
-[Unit]
-Description=MTail
-Requires=mtail.socket
-[Service]
-Type=simple
-# Systemd will pass mtail.socket as FD 3.
-ExecStart=/usr/bin/mtail --progs /etc/mtail --logtostderr --port 3903 --logs /dev/fd/3
-Restart=on-failure
-User=mtail
-# Limit memory leaks
-MemoryMax=1G
-ExecStartPost=+/bin/sh -c "echo 0 > /sys/fs/cgroup/memory/system.slice/%n/memory.swappiness"
-[Install]
-WantedBy=multi-user.target
--- a/roles/base/files/node-exporter.default
+++ b/roles/base/files/node-exporter.default
+ARGS="--collector.systemd.unit-blacklist=.+(\.device|\.swap|\.mount|\.scope|\.slice|\.target)"
-ARGS="--collectors.enabled=conntrack,diskstats,entropy,filefd,filesystem,hwmon,loadavg,meminfo,netdev,netstat,sockstat,stat,systemd,textfile,time,uname,vmstat \
-    --collector.diskstats.ignored-devices=^(ram|loop|fd)\d+$ \
-    --collector.filesystem.ignored-mount-points=^/(sys|proc|dev|run)($|/) \
-    --collector.textfile.directory=/var/lib/prometheus/node-exporter \
-    --collector.systemd.unit-blacklist=^.*\.(device|swap|mount)$"
--- a/roles/base/files/node-exporter.default.buster
+++ b/roles/base/files/node-exporter.default.buster
-ARGS="--collector.systemd.unit-blacklist=.+(\.device|\.swap|\.mount|\.scope|\.slice|\.target)"
--- a/roles/base/tasks/apt.yml
+++ b/roles/base/tasks/apt.yml
@@ -76,26 +76,7 @@
      - restic
      - runcron
      - acpid
- name: Install Stretch packages
-  apt:
-    name: "{{ packages }}"
-    state: present
-  vars:
-    packages:
-      - apt-transport-https
-      - liblz4-tool
-      - python-docker
-  when: float_debian_dist == 'stretch'
- name: Install Buster packages
-  apt:
-    name: "{{ packages }}"
-    state: present
-  vars:
-    packages:
      - lz4
-  when: float_debian_dist == 'buster'
 - name: Install extra packages
  apt:

--- a/roles/base/tasks/harden.yml
+++ b/roles/base/tasks/harden.yml
@@ -41,6 +41,7 @@
 # Audit configuration on Debian stretch uses augenrules by default, so
 # we copy our rules in /etc/audit/rules.d.
+# TODO: evaluate whether we still need this.
 - name: Auditd installed
  apt:
    name: "{{ packages }}"

--- a/roles/base/tasks/prometheus.yml
+++ b/roles/base/tasks/prometheus.yml
@@ -2,7 +2,7 @@
 - name: Install prometheus config files in /etc/default
  copy:
-    src: "{{ 'node-exporter.default' if ansible_distribution_release == 'stretch' else 'node-exporter.default.buster' }}"
+    src: "node-exporter.default"
    dest: "/etc/default/prometheus-node-exporter"
  notify:
    - reload prometheus-node-exporter

--- a/roles/base/tasks/syslog.yml
+++ b/roles/base/tasks/syslog.yml
@@ -8,17 +8,9 @@
    dest: "/etc/apt/preferences.d/99float-syslog"
  when: float_debian_dist == 'buster'
-# Install rsyslog from the backports repository. This isn't strictly
+- name: Install rsyslog packages
-# necessary but it is done to have the same version of rsyslog on all
-# hosts, including the log-collector.
-#
-# This sources.list check must use float_debian_dist because otherwise
-# Ansible complains about the unknown source on dist upgrades.
-# TODO: drop this check when stretch is obsolete.
- name: Install rsyslog packages from backports
  apt:
    name: "{{ packages }}"
-    default_release: "{{ 'stretch-backports' if float_debian_dist == 'stretch' else '' }}"
    state: present
  vars:
    packages:
@@ -34,7 +26,7 @@
 - name: Install mtail systemd unit
  copy:
-    src: "{{ 'mtail.service' if ansible_distribution_release == 'stretch' else 'mtail.service.buster' }}"
+    src: "mtail.service"
    dest: "/etc/systemd/system/mtail.service"
  notify: restart mtail

--- a/roles/base/templates/ssh/sshd_config.j2
+++ b/roles/base/templates/ssh/sshd_config.j2
@@ -12,10 +12,6 @@ HostKey /etc/ssh/ssh_host_{{ key_type }}_key
 HostCertificate /etc/ssh/ssh_host_{{ key_type }}_key-cert.pub
 {% endfor %}
-{% if ansible_distribution_release == 'stretch' %}
-UsePrivilegeSeparation sandbox
-{% endif %}
 # Ciphers and MACs
 KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

--- a/roles/docker/tasks/buster_upgrade.yml
+++ b/roles/docker/tasks/buster_upgrade.yml
- name: Remove docker.com GPG key
-  apt_key:
-    id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
-    url: https://download.docker.com/linux/debian/gpg
-    state: absent
- name: Remove docker packages
-  apt:
-    name: "{{ packages }}"
-    state: absent
-  vars:
-    packages:
-      - docker-ce
-      - systemd-docker
- name: Remove docker files
-  file:
-    dest: "{{ item }}"
-    state: absent
-  with_items:
-    - /etc/apt/sources.list.d/download_docker_com_linux_debian.list
-    - /etc/docker
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -3,13 +3,6 @@
 - set_fact:
    container_runtime: "podman"
- set_fact:
-    container_runtime: "docker"
-  when: "ansible_distribution_release == 'stretch'"
- include_tasks: buster_upgrade.yml
-  when: "ansible_distribution_release == 'buster'"
 - include_tasks: docker.yml
  when: "container_runtime == 'docker'"

--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml
@@ -114,7 +114,7 @@
  register: mariadb_systemd_unit
 - name: Bootstrap data directory
-  shell: "/usr/bin/mysql_install_db --defaults-file={{ mariadb_config }} --datadir={{ mariadb_data_dir }} --user=mysql --auth-root-authentication-method=socket {{ ansible_distribution_release == 'stretch' and '--skip-auth-anonymous-user' or '' }} && date > {{ mariadb_data_dir }}/.float-bootstrap-ok"
+  shell: "/usr/bin/mysql_install_db --defaults-file={{ mariadb_config }} --datadir={{ mariadb_data_dir }} --user=mysql --auth-root-authentication-method=socket && date > {{ mariadb_data_dir }}/.float-bootstrap-ok"
  args:
    creates: "{{ mariadb_data_dir }}/.float-bootstrap-ok"

--- a/roles/mariadb/templates/exporter.service.j2
+++ b/roles/mariadb/templates/exporter.service.j2
@@ -4,11 +4,7 @@ Description=Prometheus exporter for MySQL server (%I)
 [Service]
 Restart=always
 User=prometheus
-{% if ansible_distribution_release == 'stretch' %}
-ExecStart=/usr/bin/prometheus-mysqld-exporter -web.listen-address {{ mariadb_metrics_address }}:{{ mariadb_metrics_port }} -config.my-cnf {{ mariadb_metrics_config }} -collect.info_schema.tables=false -collect.info_schema.tablestats=false
-{% else %}
 ExecStart=/usr/bin/prometheus-mysqld-exporter --web.listen-address {{ mariadb_metrics_address }}:{{ mariadb_metrics_port }} --config.my-cnf {{ mariadb_metrics_config }} --no-collect.info_schema.tables --no-collect.info_schema.tablestats
-{% endif %}
 [Install]
 WantedBy=multi-user.target
--- a/test/integration-test-docker.yml
+++ b/test/integration-test-docker.yml
@@ -8,15 +8,8 @@
        dest: /tmp/test-config.yml
        content: "{{ vars|to_nice_yaml }}"
-    - name: Setup test Docker image
-      docker_image:
-        name: registry.git.autistici.org/ai3/float:integration-test
-        force: true
-      when: "ansible_distribution_release == 'stretch'"
    - name: Setup test Docker image
      command: "podman pull registry.git.autistici.org/ai3/float:integration-test"
-      when: "ansible_distribution_release != 'stretch'"
    - name: Run tests
      command: docker run --net host --mount type=bind,source=/tmp/test-config.yml,destination=/test-config.yml registry.git.autistici.org/ai3/float:integration-test