better pihole role; change update_only and uninstall from variable to global tag; update accordingly dependent roles

2023-01-11 17:44:16 +01:00 · 2023-01-11 17:44:16 +01:00 · 082d6ed47e
commit 082d6ed47e
parent 6aa6e080dd
16 changed files with 76 additions and 49 deletions
--- a/README.md
+++ b/README.md
@ -15,9 +15,10 @@ This repository aims to handle most of the Unitoo basic/ standard configuration

 The examples for `Dockerfile.example` and `docker-compose.yml.example` are useful if you need a basic container to test your playbook with different systems (like Centos/ Ubuntu). Copy them and modify as needed :)

-## Global variables
+## Global tags

- **update_only**: used in combination with some tags to skip installation phase o not needed and trigger the update phase only (for configurations as example)
+- **global.update_only**: skip installation/ first setup phase and trigger the update phase only (for configurations as example); each role needs to implement this.
+- **global.uninstall**: activate the uninstall phase for specified tags and targets

 ## Authors & contributors

--- a/handbook.yml
+++ b/handbook.yml
@ -9,8 +9,8 @@

    - { role: hardening-basic, tags: [hardening, ips, ids] }
    - { role: iptables-basic, tags: [firewall, ips, ids] }
-    - { role: fail2ban-basic, tags: [fail2ban, ips, ids] }
-    - { role: auditd, tags: [auditd] }
+    - { role: fail2ban-basic, tags: [hardening, fail2ban, ips, ids] }
+    - { role: auditd, tags: [hardening, auditd] }
    - { role: iptables-webserver, tags: [firewall, webserver] }
    - { role: iptables-kdeconnect, tags: [firewall] }

--- a/roles/auditd/meta/main.yml
+++ b/roles/auditd/meta/main.yml
@ -39,7 +39,9 @@ galaxy_info:
  #   - 7
  #   - 99.99

-  galaxy_tags: []
+  galaxy_tags:
+    - hardening
+    - auditd
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
--- a/roles/auditd/tasks/main.yml
+++ b/roles/auditd/tasks/main.yml
@ -2,7 +2,9 @@
 # tasks file for auditd

 - name: Install and setup rules Auditd if enabled
-  when: 'auditd_enabled is true'
+  when:
+    - 'auditd_enabled is true'
+    - "'global.update_only' not in ansible_run_tags"
  block:
    - name: Install auditd
      ansible.builtin.package:
--- a/roles/dns-filter/meta/main.yml
+++ b/roles/dns-filter/meta/main.yml
@ -39,7 +39,8 @@ galaxy_info:
  #   - 7
  #   - 99.99

-  galaxy_tags: []
+  galaxy_tags:
+    - dns_filter
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
--- a/roles/dns-filter/tasks/main.yml
+++ b/roles/dns-filter/tasks/main.yml
@ -5,7 +5,5 @@
  when:
    - "dns_filter_enabled is true"
    - "dns_filter_selected in dns_filter_list"
-  block:
-    - name: Call DNS filter role
-      ansible.builtin.include_role:
-        name: "{{ dns_filter_selected }}"
+  ansible.builtin.include_role:
+    name: "{{ dns_filter_selected }}"
--- a/roles/fail2ban-basic/meta/main.yml
+++ b/roles/fail2ban-basic/meta/main.yml
@ -39,7 +39,11 @@ galaxy_info:
  #   - 7
  #   - 99.99

-  galaxy_tags: []
+  galaxy_tags:
+    - hardening
+    - fail2ban
+    - ips
+    - ids
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
--- a/roles/fail2ban-basic/tasks/main.yml
+++ b/roles/fail2ban-basic/tasks/main.yml
@ -2,7 +2,9 @@
 # tasks file for fail2ban-basic
 #
 - name: Fail2ban Configuration
-  when: fail2ban_enabled is true
+  when:
+    - fail2ban_enabled is true
+    - "'global.update_only' not in ansible_run_tags"
  block:
    - name: Install Fail2ban
      ansible.builtin.package:
--- a/roles/pi-hole/README.md
+++ b/roles/pi-hole/README.md
@ -11,19 +11,25 @@ Requirements
 Role Variables
 --------------

- **pihole_install_custom_list** (boolean): If true will install custom list into the pi-hole database
- **pihole_update_gravity** (boolean): If true the dns database will be updated
 - **pihole_custom_list** (array): Array of URLs that can be installed as DNS lists. **Actually doesn't clean old lists before install!**
+- **pihole_install_custom_list**: If present will install custom list into the pi-hole database
+
+Role Tags
+--------------
+
+- **global.update_only**: `pihole -up`
+- **pihole.update_gravity**: If present the dns database will be updated (`pihole updateGravity`)

 Dependencies
 ------------

-.
+- curl
+- sqlite3 required by `pihole.install_custom_list`

 Example Playbook
 ----------------

-`ansible-playbook -i inventory/example.yml pi-hole.yml --extra-vars="target=example_target"`
+`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=example_target" --tags dns_filter`

 License
 -------
--- a/roles/pi-hole/meta/main.yml
+++ b/roles/pi-hole/meta/main.yml
@ -39,7 +39,8 @@ galaxy_info:
  #   - 7
  #   - 99.99

-  galaxy_tags: []
+  galaxy_tags:
+    - dns_filter
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
--- a/roles/pi-hole/tasks/main.yml
+++ b/roles/pi-hole/tasks/main.yml
@ -2,6 +2,7 @@
 # tasks file for pi-hole

 - name: Pi-Hole setup
+  when: "'global.update_only' not in ansible_run_tags"
  block:
    - name: Populate service facts
      ansible.builtin.service_facts:
@ -17,28 +18,6 @@
          ansible.builtin.debug:
            msg: "curl -sSL https://install.pi-hole.net | bash"

-    - name: Check if can install custom list
-      when: 'pihole_install_custom_list is true'
-      block:
-        - name: Check if pi-hole db exists
-          stat:
-            path: /etc/pihole/gravity.db
-          register: pihole_db
-
-        - name: Install sqlite3 package
-          ansible.builtin.package:
-            name: sqlite3
-
-        - name: Install more lists than default
-          when: pihole_db.stat.exists
-          ansible.builtin.shell:
-            cmd: sqlite3 /etc/pihole/gravity.db "INSERT INTO adlist (address, enabled, comment) VALUES ('{{ item }}', 1, '');"
-          loop: "{{ pihole_custom_list }}"
-
-    - name: Update Gravity
-      when: 'pihole_update_gravity is true'
-      ansible.builtin.shell: pihole updateGravity
-
    - name: iptables-webserver
      ansible.builtin.include_role:
        name: iptables-webserver
@ -55,3 +34,31 @@
    - name: iptables-persistent
      ansible.builtin.include_role:
        name: iptables-persistent
+
+- name: Update pihole FTL
+  when: "'global.update_only' in ansible_run_tags"
+  ansible.builtin.shell: pihole -up
+
+- block:
+  - name: Check if pi-hole db exists
+    stat:
+      path: /etc/pihole/gravity.db
+    register: pihole_db
+
+  - name: Install sqlite3 package
+    ansible.builtin.package:
+      name: sqlite3
+
+  - name: Install more lists than default
+    when: pihole_db.stat.exists
+    ansible.builtin.shell:
+      cmd: sqlite3 /etc/pihole/gravity.db "INSERT INTO adlist (address, enabled, comment) VALUES ('{{ item }}', 1, '');"
+    loop: "{{ pihole_custom_list }}"
+  when: "pihole_install_custom_list is true"
+
+- name: Update Gravity
+  ansible.builtin.shell: pihole updateGravity
+  when: "
+    (pihole_install_custom_list is true) or
+    ('pihole.update_gravity' in ansible_run_tags)
+    "
--- a/roles/wakeonlan/README.md
+++ b/roles/wakeonlan/README.md
@ -1,7 +1,7 @@
 wakeonlan
 =========

-This role install/ uninstall Wake on LAN support for target
+This role install Wake on LAN support for target

 Requirements
 ------------
--- a/roles/yggdrasil/README.md
+++ b/roles/yggdrasil/README.md
@ -12,13 +12,16 @@ Role Variables
 --------------

 Respond to:
- **update_only** (boolean)
-
 - **yggdrasil_enabled** (boolean): If true install yggdrasil
 - **yggdrasil_sshd_enabled** (boolean): If true enable sshd access through Yggdrasil
- **yggdrasil_uninstall** (boolean): if true yggdrasil will be removed from the system (requires *yggdrasil_enabled to false*)
 - **yggdrasil_peers_list_url** (url): a remote file that contains the `Peers` section of yggdrasil configuration

+Role Tags
+--------------
+
+- **global.update_only**: If present will update only the peers
+- **global.uninstall**: If present yggdrasil will be removed from the system (requires *yggdrasil_enabled to false*)
+
 Dependencies
 ------------

--- a/roles/yggdrasil/defaults/main.yml
+++ b/roles/yggdrasil/defaults/main.yml
@ -3,5 +3,4 @@

 yggdrasil_enabled: false
 yggdrasil_sshd_enabled: false
-yggdrasil_uninstall: false
 yggdrasil_peers_list_url: https://git.unitoo.it/unitoo/configurations/raw/branch/master/yggdrasil/peers.conf
--- a/roles/yggdrasil/meta/main.yml
+++ b/roles/yggdrasil/meta/main.yml
@ -39,7 +39,8 @@ galaxy_info:
  #   - 7
  #   - 99.99

-  galaxy_tags: []
+  galaxy_tags:
+    - yggdrasil
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
--- a/roles/yggdrasil/tasks/main.yml
+++ b/roles/yggdrasil/tasks/main.yml
@ -1,7 +1,7 @@
 - name: Install and configure yggdrasil
  when:
    - "yggdrasil_enabled is true"
-    - "update_only is false"
+    - "'global.update_only' not in ansible_run_tags"
  block:
    - name: Gather package facts
      package_facts:
@ -64,8 +64,8 @@
 - name: Remove yggdrasil if not enabled
  when:
    - "yggdrasil_enabled is false"
-    - "yggdrasil_uninstall is true"
-    - "update_only is false"
+    - "'global.uninstall' in ansible_run_tags"
+    - "'global.update_only' not in ansible_run_tags"
  block:
    - name: Gather package facts
      package_facts: