From 92b0ab946ab0076579d8e0d3e55935a1b137216f Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Wed, 3 Nov 2021 13:18:51 +0000
Subject: [PATCH] Run a single "apt" task for non-optional packages

---
 roles/float-base/tasks/apt.yml               | 15 +++++++++++++++
 roles/float-base/tasks/firewall.yml          |  4 ----
 roles/float-base/tasks/harden.yml            | 12 ------------
 roles/float-base/tasks/prometheus.yml        |  5 -----
 roles/float-base/tasks/service_discovery.yml |  2 +-
 roles/float-base/tasks/syslog.yml            | 18 ------------------
 6 files changed, 16 insertions(+), 40 deletions(-)

diff --git a/roles/float-base/tasks/apt.yml b/roles/float-base/tasks/apt.yml
index 52a90e1b..67d656f5 100644
--- a/roles/float-base/tasks/apt.yml
+++ b/roles/float-base/tasks/apt.yml
@@ -83,6 +83,14 @@
     state: present
   when: "testing|default(True)"
 
+# mtail 3.0.0~rc19-2 on Buster is broken when reading from named pipes
+# Pin mtail to ai3 repo that ships mtail 3.0.0~rc5-1~bpo9+1
+- name: Force mtail version on buster
+  copy:
+    src: "mtail.apt-preferences"
+    dest: "/etc/apt/preferences.d/99float-syslog"
+  when: float_debian_dist == 'buster'
+
 - name: Install base packages
   apt:
     name: "{{ packages }}"
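Review bot: The pin task only ever creates `/etc/apt/preferences.d/99float-syslog`; when `float_debian_dist` is not 'buster' nothing removes the file, so a host that moved past buster in place (if that happens in this setup) would keep mtail pinned to the old repository for every later apt run. If in-place dist upgrades are possible, pair the copy with a counterpart that removes the preference when the condition no longer holds, as sketched below. Placing the pin ahead of "Install base packages" is correct since that task now pulls in mtail; that task is cut off at the end of the hunk.
```yaml
- name: Remove mtail pin on non-buster hosts
  file:
    path: "/etc/apt/preferences.d/99float-syslog"
    state: absent
  when: float_debian_dist != 'buster'
```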
@@ -108,6 +116,13 @@
       - man-db
       - jq
       - gpg
+      - firewall
+      - rsyslog
+      - rsyslog-gnutls
+      - mtail
+      - auditd
+      - audisp-json
+      - prometheus-node-exporter
 
 - name: Install extra packages
   apt:
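Review bot: The base package list now carries packages whose configuration lives in other task files (firewall.yml, syslog.yml, harden.yml, prometheus.yml), and the `mtail` entry silently depends on the buster pin task earlier in this file; neither is visible from the list itself. A short comment above the added entries would keep that traceable, e.g. `# firewall, rsyslog, mtail, auditd and node-exporter are configured in their own task files; installed here to batch them into one apt run. mtail relies on the buster pin task above.` The "Install extra packages" task that starts at the end of the hunk continues outside it.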
diff --git a/roles/float-base/tasks/firewall.yml b/roles/float-base/tasks/firewall.yml
index 849eee76..84b34d90 100644
--- a/roles/float-base/tasks/firewall.yml
+++ b/roles/float-base/tasks/firewall.yml
@@ -1,9 +1,5 @@
 ---
 
-- apt:
-    name: firewall
-    state: present
-
 - template:
     src: firewall/10float.j2
     dest: /etc/firewall/filter.d/10float
diff --git a/roles/float-base/tasks/harden.yml b/roles/float-base/tasks/harden.yml
index b9e19588..ec7950bf 100644
--- a/roles/float-base/tasks/harden.yml
+++ b/roles/float-base/tasks/harden.yml
@@ -39,18 +39,6 @@
 - name: Restrict core dumps (PAM)
   lineinfile: dest=/etc/security/limits.conf line="* hard core 0" state=present
 
-# Audit configuration on Debian stretch uses augenrules by default, so
-# we copy our rules in /etc/audit/rules.d.
-# TODO: evaluate whether we still need this.
-- name: Auditd installed
-  apt:
-    name: "{{ packages }}"
-    state: present
-  vars:
-    packages:
-      - auditd
-      - audisp-json
-
 - name: Auditd default config removed
   file:
     path: /etc/audit/rules.d/audit.rules
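Review bot: The deleted comment block explained why the rules are managed under `/etc/audit/rules.d` (augenrules on Debian), which is the rationale for the "Auditd default config removed" task that stays, not for the apt task that was removed; after this hunk that file task has no explanation. Restoring the first two comment lines directly above `- name: Auditd default config removed` would keep the context: `# Audit configuration on Debian uses augenrules by default, so` / `# we manage our rules in /etc/audit/rules.d.` Whether the TODO line is still wanted is a judgement call; the "Auditd default config removed" task continues past the end of the hunk.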
diff --git a/roles/float-base/tasks/prometheus.yml b/roles/float-base/tasks/prometheus.yml
index b713f22a..8fd76e92 100644
--- a/roles/float-base/tasks/prometheus.yml
+++ b/roles/float-base/tasks/prometheus.yml
@@ -7,11 +7,6 @@
   notify:
     - reload prometheus-node-exporter
 
-- name: Install prometheus node package
-  apt:
-    name: prometheus-node-exporter
-    state: present
-
 - name: Install prometheus node extra package
   apt:
     name:
diff --git a/roles/float-base/tasks/service_discovery.yml b/roles/float-base/tasks/service_discovery.yml
index a39c90fa..bd6e4158 100644
--- a/roles/float-base/tasks/service_discovery.yml
+++ b/roles/float-base/tasks/service_discovery.yml
@@ -8,5 +8,5 @@
 - name: Create /etc/host.conf
   copy:
     dest: /etc/host.conf
-    content: "multi on"
+    content: "multi on\n"
 
diff --git a/roles/float-base/tasks/syslog.yml b/roles/float-base/tasks/syslog.yml
index 3adc8197..1a1ff4f7 100644
--- a/roles/float-base/tasks/syslog.yml
+++ b/roles/float-base/tasks/syslog.yml
@@ -1,23 +1,5 @@
 ---
 
-# mtail 3.0.0~rc19-2 on Buster is broken when reading from named pipes
-# Pin mtail to ai3 repo that ships mtail 3.0.0~rc5-1~bpo9+1
-- name: Force mtail version on buster
-  copy:
-    src: "mtail.apt-preferences"
-    dest: "/etc/apt/preferences.d/99float-syslog"
-  when: float_debian_dist == 'buster'
-
-- name: Install rsyslog packages
-  apt:
-    name: "{{ packages }}"
-    state: present
-  vars:
-    packages:
-      - rsyslog
-      - rsyslog-gnutls
-      - mtail
-
 - name: Install mtail systemd socket unit
   copy:
     src: "mtail.socket"
-- 
GitLab