| --- |
| - hosts: all |
| become_user: root |
| become_method: sudo |
| |
| pre_tasks: |
| - include_role: name=lfit.system-update |
| |
| - name: Install base packages |
| include_tasks: "{{item}}" |
| with_first_found: |
| - "install-base-pkgs-{{ansible_distribution}}.yaml" |
| - "install-base-pkgs-{{ansible_os_family}}.yaml" |
| |
| - name: Allow jenkins user sudo access |
| copy: |
| dest: /etc/sudoers.d/89-jenkins-user-defaults |
| content: | |
| Defaults:jenkins !requiretty |
| jenkins ALL = NOPASSWD: /usr/sbin/update-alternatives, /usr/sbin/update-java-alternatives |
| validate: /usr/sbin/visudo -cf %s |
| become: true |
| |
| roles: |
| - lfit.lf-recommended-tools |
| - lfit.lf-dev-libs |
| - lfit.haveged-install |
| - lfit.java-install |
| - lfit.python-install |
| - lfit.shellcheck-install |
| - lfit.sysstat-install |
| |
| post_tasks: |
| - name: Update /etc/nss-switch.conf to map hostname with IP |
| # Update /etc/nss-switch.conf to map hostname with IP instead of using `localhost` |
| # from /etc/hosts which is required by some of the Java API's to avoid |
| # Java UnknownHostException: "Name or service not known" error. |
| replace: |
| path: /etc/nsswitch.conf |
| regexp: '^hosts:(\s+.*)?$' |
| replace: 'hosts:\1 myhostname' |
| backup: true |
| become: true |
| |
| - name: Disable periodic updates |
| block: |
| - name: Set all periodic update options to 0 |
| replace: |
| path: /etc/apt/apt.conf.d/10periodic |
| regexp: "1" |
| replace: "0" |
| - name: Set all auto update options to 0 |
| replace: |
| path: /etc/apt/apt.conf.d/20auto-upgrades |
| regexp: "1" |
| replace: "0" |
| - name: Disable unattended upgrades |
| lineinfile: |
| path: /etc/apt/apt.conf.d/10periodic |
| regexp: "^APT::Periodic::Unattended-Upgrade" |
| line: 'APT::Periodic::Unattended-Upgrade "0";' |
| create: true |
| - name: Uninstall unattended upgrades |
| apt: |
| name: unattended-upgrades |
| state: absent |
| - name: Prevent unattended upgrades from being installed |
| dpkg_selections: |
| name: unattended-upgrades |
| selection: hold |
| - name: Disable apt-daily.* systemd services |
| systemd: |
| name: "{{service}}" |
| enabled: false |
| masked: true |
| with_items: |
| - apt-daily.service |
| - apt-daily.timer |
| - apt-daily-upgrade.service |
| - apt-daily-upgrade.timer |
| loop_control: |
| loop_var: service |
| when: ansible_distribution == 'Ubuntu' |
| become: true |
| |
| - name: System Reseal |
| script: system-reseal.sh |
| become: true |