Namespace variables

2022-12-08 23:19:54 +01:00 · 2022-12-08 23:19:54 +01:00 · 4285e87477
commit 4285e87477
parent 5982ddfcf9
28 changed files with 92 additions and 101 deletions
--- a/plays/system/main.yml
+++ b/plays/system/main.yml
@ -10,7 +10,7 @@
  roles:
    - role: "smart"
      vars:
-        smartd_conf_file_path: "files/smart/smartd.conf"
+        system_base_smartd_conf_file: "files/smart/smartd.conf"
      tags: "system:smart"
 - name: "system : group:zfs"
@ -28,4 +28,4 @@
    - role: "base"
      tags: "system:base"
      vars:
-        motd_dir_path: "files/base/motd"
+        system_base_motd_dir: "files/base/motd"
--- a/plays/system/roles/base/defaults/main.yml
+++ b/plays/system/roles/base/defaults/main.yml
@ -1,6 +1,3 @@
-# sshd
+system_base_additional_ssh_users: []
-additional_ssh_users: []
+system_base_additional_tcp_ports: []
-
+system_base_udp_ports: []
 # nftables
 additional_tcp_ports: []
 udp_ports: []
--- a/plays/system/roles/base/meta/argument_specs.yml
+++ b/plays/system/roles/base/meta/argument_specs.yml
@ -10,21 +10,21 @@ argument_specs:
      ssh_user:
        type: "str"
        required: true
-      additional_ssh_users:
+      system_base_additional_ssh_users:
        type: "list"
        elements: "str"
        required: true
-      additional_tcp_ports:
+      system_base_additional_tcp_ports:
        type: "list"
        elements: "int"
        required: true
-      udp_ports:
+      system_base_udp_ports:
        type: "list"
        elements: "int"
        required: true
-      fail2ban_ignoreip:
+      system_base_fail2ban_ignoreip:
        type: "str"
        required: true
-      motd_dir_path:
+      system_base_motd_dir:
        type: "str"
        required: false
--- a/plays/system/roles/base/tasks/include/fail2ban.yml
+++ b/plays/system/roles/base/tasks/include/fail2ban.yml
@ -7,14 +7,14 @@
    src: "./fail2ban/jail.local.j2"
    dest: "/etc/fail2ban/jail.local"
    mode: 0644
-  register: fail2ban_conf
+  register: system_base_fail2ban_conf
 - name: "fail2ban : configure fail2ban sshd jail"
  ansible.builtin.template:
    src: "./fail2ban/jail.d/sshd.local.j2"
    dest: "/etc/fail2ban/jail.d/sshd.local"
    mode: 0644
-  register: fail2ban_sshd_jail
+  register: system_base_fail2ban_sshd_jail
 - name: "fail2ban : enable fail2ban"
  ansible.builtin.systemd:
@ -25,13 +25,13 @@
  ansible.builtin.systemd:
    name: "fail2ban"
    state: "started"
-  register: fail2ban_start
+  register: system_base_fail2ban_start
 - name: "fail2ban : restart fail2ban"
  ansible.builtin.systemd:
    name: "fail2ban"
    state: "restarted"
  when:
-    (fail2ban_conf.changed or
+    (system_base_fail2ban_conf.changed or
-    fail2ban_sshd_jail.changed) and
+    system_base_fail2ban_sshd_jail.changed) and
-    not fail2ban_start.changed
+    not system_base_fail2ban_start.changed
--- a/plays/system/roles/base/tasks/include/motd.yml
+++ b/plays/system/roles/base/tasks/include/motd.yml
@ -4,10 +4,10 @@
    dest: "/etc/motd"
    mode: 0644
  when:
-    motd_dir_path is defined and
+    system_base_motd_dir is defined and
    _system_base_motd_file != ""
  vars:
    _file_path:
-      - "{{ motd_dir_path  }}/{{ ansible_hostname }}"
+      - "{{ system_base_motd_dir  }}/{{ ansible_hostname }}"
    _system_base_motd_file: >-
      {{ lookup('ansible.builtin.first_found', _file_path, errors='ignore') }}
--- a/plays/system/roles/base/tasks/include/nftables.yml
+++ b/plays/system/roles/base/tasks/include/nftables.yml
@ -7,7 +7,7 @@
    src: "./nftables/nftables.conf.j2"
    dest: "/etc/nftables.conf"
    mode: 0755
-  register: nftables_conf
+  register: system_base_nftables_conf
 - name: "nftables : enable nftables"
  ansible.builtin.systemd:
@ -18,11 +18,11 @@
  ansible.builtin.systemd:
    name: "nftables"
    state: "started"
-  register: nftables_start
+  register: system_base_nftables_start
 - name: "nftables : reload nftables configuration"
  ansible.builtin.command:
    cmd: "nft -f /etc/nftables.conf"
  when:
-    nftables_conf.changed and
+    system_base_nftables_conf.changed and
-    not nftables_start.changed
+    not system_base_nftables_start.changed
--- a/plays/system/roles/base/tasks/include/sshd.yml
+++ b/plays/system/roles/base/tasks/include/sshd.yml
@ -5,7 +5,7 @@
    src: "./sshd/99-local.conf.j2"
    dest: "/etc/ssh/sshd_config.d/99-local.conf"
    mode: 0600
-  register: sshd_conf
+  register: system_base_sshd_conf
 - name: "sshd : enable sshd"
  ansible.builtin.systemd:
@ -16,12 +16,12 @@
  ansible.builtin.systemd:
    name: "sshd"
    state: "started"
-  register: sshd_start
+  register: system_base_sshd_start
 - name: "sshd : restart sshd"
  ansible.builtin.systemd:
    name: "sshd"
    state: "restarted"
  when:
-    sshd_conf.changed and
+    system_base_sshd_conf.changed and
-    not sshd_start.changed
+    not system_base_sshd_start.changed
--- a/plays/system/roles/base/tasks/include/systemd_mail.yml
+++ b/plays/system/roles/base/tasks/include/systemd_mail.yml
@ -15,18 +15,18 @@
    src: "./systemd_mail/system/status-mail@.service"
    dest: "/etc/systemd/system/status-mail@.service"
    mode: 0644
-  register: systemd_system_status_mail_service_file
+  register: system_base_system_status_mail_service_file
 - name: "systemd_mail : systemd mail user service"
  ansible.builtin.copy:
    src: "./systemd_mail/user/status-mail@.service"
    dest: "/etc/systemd/user/status-mail@.service"
    mode: 0644
-  register: systemd_user_status_mail_service_file
+  register: system_base_user_status_mail_service_file
 - name: "systemd_mail : systemd daemon reload"
  ansible.builtin.systemd:
    daemon_reload: true
  when:
-    systemd_system_status_mail_service_file.changed or
+    system_base_system_status_mail_service_file.changed or
-    systemd_user_status_mail_service_file.changed
+    system_base_user_status_mail_service_file.changed
--- a/plays/system/roles/base/templates/fail2ban/jail.local.j2
+++ b/plays/system/roles/base/templates/fail2ban/jail.local.j2
@ -3,7 +3,7 @@
 # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
 # will not ban a host which matches an address in this list. Several addresses
 # can be defined using space (and/or comma) separator.
-ignoreip = 127.0.0.1/8 ::1 {{ fail2ban_ignoreip }}
+ignoreip = 127.0.0.1/8 ::1 {{ system_base_fail2ban_ignoreip }}
 # "bantime" is the number of seconds that a host is banned.
 bantime  = 1d
--- a/plays/system/roles/base/templates/nftables/nftables.conf.j2
+++ b/plays/system/roles/base/templates/nftables/nftables.conf.j2
@ -22,11 +22,11 @@ table inet filter {
                ct state invalid drop;
                # TCP ports.
-                tcp dport { {{ [ansible_port] | union(additional_tcp_ports) | join(", ") }} } ct state new accept;
+                tcp dport { {{ [ansible_port] | union(system_base_additional_tcp_ports) | join(", ") }} } ct state new accept;
-{% if udp_ports %}
+{% if system_base_udp_ports %}
                # UDP ports.
-                udp dport { {{ udp_ports | join(", ") }} } accept;
+                udp dport { {{ system_base_udp_ports | join(", ") }} } accept;
 {% endif %}
                # Count and drop any other traffic.
--- a/plays/system/roles/base/templates/sshd/99-local.conf.j2
+++ b/plays/system/roles/base/templates/sshd/99-local.conf.j2
@ -7,7 +7,7 @@ Port {{ ansible_port }}
 PermitRootLogin no
 # Explicitly set the list of allowed ssh users.
-AllowUsers {{ [ssh_user] | union(additional_ssh_users) | join(" ") }}
+AllowUsers {{ [ssh_user] | union(system_base_additional_ssh_users) | join(" ") }}
 # SSH enabled only via ssh-key.
 PasswordAuthentication no
--- a/plays/system/roles/mail/meta/argument_specs.yml
+++ b/plays/system/roles/mail/meta/argument_specs.yml
@ -4,18 +4,18 @@ argument_specs:
      ansible_hostname:
        type: "str"
        required: true
-      mail_domain:
+      system_mail_domain:
        type: "str"
        required: true
-      postfix_smtp_server:
+      system_mail_smtp_server:
        type: "str"
        required: true
-      postfix_smtp_port:
+      system_mail_smtp_port:
        type: "int"
        required: true
-      postfix_smtp_user:
+      system_mail_smtp_user:
        type: "str"
        required: true
-      postfix_smtp_pass:
+      system_mail_smtp_pass:
        type: "str"
        required: true
--- a/plays/system/roles/mail/tasks/main.yml
+++ b/plays/system/roles/mail/tasks/main.yml
@ -3,7 +3,7 @@
    src: "./mailname.j2"
    dest: "/etc/mailname"
    mode: 0644
-  register: mail_mailname
+  register: system_mail_mailname
 - name: "configure mailutils"
  ansible.builtin.template:
@ -23,33 +23,33 @@
    src: "./aliases.j2"
    dest: "/etc/aliases"
    mode: 0644
-  register: mail_aliases
+  register: system_mail_aliases
 - name: "update aliases"
  ansible.builtin.command:
    cmd: "newaliases"
  when:
-    mail_aliases.changed
+    system_mail_aliases.changed
 - name: "configure postfix"
  ansible.builtin.template:
    src: "./postfix/main.cf.j2"
    dest: "/etc/postfix/main.cf"
    mode: 0644
-  register: mail_postfix_conf
+  register: system_mail_postfix_conf
 - name: "configure credentials"
  ansible.builtin.template:
    src: "./postfix/sasl_passwd.j2"
    dest: "/etc/postfix/sasl_passwd"
    mode: 0600
-  register: mail_postfix_credentials
+  register: system_mail_postfix_credentials
 - name: "create hash database"
  ansible.builtin.command:
    cmd: "postmap /etc/postfix/sasl_passwd"
  when:
-    mail_postfix_credentials.changed
+    system_mail_postfix_credentials.changed
 - name: "set hash database permissions"
  ansible.builtin.file:
@ -65,16 +65,15 @@
  ansible.builtin.systemd:
    name: "postfix"
    state: "started"
-  register:
+  register: system_mail_postfix_start
    mail_postfix_start
 - name: "restart postfix"
  ansible.builtin.systemd:
    name: "postfix"
    state: "restarted"
  when:
-    (mail_mailname.changed or
+    (system_mail_mailname.changed or
-    mail_aliases.changed or
+    system_mail_aliases.changed or
-    mail_postfix_conf.changed or
+    system_mail_postfix_conf.changed or
-    mail_postfix_credentials.changed) and
+    system_mail_postfix_credentials.changed) and
-    not mail_postfix_start.changed
+    not system_mail_postfix_start.changed
--- a/plays/system/roles/mail/templates/aliases.j2
+++ b/plays/system/roles/mail/templates/aliases.j2
@ -11,4 +11,4 @@ ftp: root
 abuse: root
 noc: root
 security: root
-root: root@{{ mail_domain }}
+root: root@{{ system_mail_domain }}
--- a/plays/system/roles/mail/templates/mailname.j2
+++ b/plays/system/roles/mail/templates/mailname.j2
@ -1 +1 @@
-{{ ansible_hostname }}.{{ mail_domain }}
+{{ ansible_hostname }}.{{ system_mail_domain }}
--- a/plays/system/roles/mail/templates/mailutils.conf.j2
+++ b/plays/system/roles/mail/templates/mailutils.conf.j2
@ -1,3 +1,3 @@
 address {
-  email-domain {{ ansible_hostname }}.{{ mail_domain }};
+  email-domain {{ ansible_hostname }}.{{ system_mail_domain }};
 };
--- a/plays/system/roles/mail/templates/postfix/main.cf.j2
+++ b/plays/system/roles/mail/templates/postfix/main.cf.j2
@ -35,11 +35,11 @@ smtp_tls_wrappermode = yes
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
-myhostname = {{ ansible_hostname }}.{{ mail_domain }}
+myhostname = {{ ansible_hostname }}.{{ system_mail_domain }}
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 mydestination = $myhostname, {{ ansible_hostname }}, localhost
-relayhost = [{{ postfix_smtp_server }}]:{{ postfix_smtp_port }}
+relayhost = [{{ system_mail_smtp_server }}]:{{ system_mail_smtp_port }}
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 mailbox_size_limit = 0
 recipient_delimiter = +
--- a/plays/system/roles/mail/templates/postfix/sasl_passwd.j2
+++ b/plays/system/roles/mail/templates/postfix/sasl_passwd.j2
@ -1 +1 @@
-[{{ postfix_smtp_server }}]:{{ postfix_smtp_port }} {{ postfix_smtp_user }}:{{ postfix_smtp_pass }}
+[{{ system_mail_smtp_server }}]:{{ system_mail_smtp_port }} {{ system_mail_smtp_user }}:{{ system_mail_smtp_pass }}
--- a/plays/system/roles/smart/meta/argument_specs.yml
+++ b/plays/system/roles/smart/meta/argument_specs.yml
@ -1,6 +1,6 @@
 argument_specs:
  main:
    options:
-      smartd_conf_file_path:
+      system_base_smartd_conf_file:
        type: "str"
        required: true
--- a/plays/system/roles/smart/tasks/main.yml
+++ b/plays/system/roles/smart/tasks/main.yml
@ -4,10 +4,10 @@
 - name: "smartd configuration"
  ansible.builtin.copy:
-    src: "{{ smartd_conf_file_path }}"
+    src: "{{ system_base_smartd_conf_file }}"
    dest: "/etc/smartd.conf"
    mode: 0644
-  register: smartd_conf
+  register: system_smart_smartd_conf
 - name: "enable smartmontools"
  ansible.builtin.systemd:
@ -18,12 +18,12 @@
  ansible.builtin.systemd:
    name: "smartmontools"
    state: "started"
-  register: smartd_start
+  register: system_smart_smartd_start
 - name: "restart smartmontools"
  ansible.builtin.systemd:
    name: "smartmontools"
    state: "restarted"
  when:
-    smartd_conf.changed and
+    system_smart_smartd_conf.changed and
-    not smartd_start.changed
+    not system_smart_smartd_start.changed
--- a/plays/system/roles/ups/tasks/main.yml
+++ b/plays/system/roles/ups/tasks/main.yml
@ -7,7 +7,7 @@
    src: "./apcupsd.conf"
    dest: "/etc/apcupsd/apcupsd.conf"
    mode: 0644
-  register: apcupsd_conf
+  register: system_ups_apcupsd_conf
 - name: "enable apcupsd"
  ansible.builtin.systemd:
@ -18,12 +18,12 @@
  ansible.builtin.systemd:
    name: "apcupsd"
    state: "started"
-  register: apcupsd_start
+  register: system_ups_apcupsd_start
 - name: "restart apcupsd"
  ansible.builtin.systemd:
    name: "apcupsd"
    state: "restarted"
  when:
-    apcupsd_conf.changed and
+    system_ups_apcupsd_conf.changed and
-    not apcupsd_start.changed
+    not system_ups_apcupsd_start.changed
--- a/plays/system/roles/zfs/defaults/main.yml
+++ b/plays/system/roles/zfs/defaults/main.yml
@ -1,8 +1,3 @@
-# scrub
+system_zfs_zpools: []
-zpools: []
+system_zfs_zpools_trim: []
-
+system_zfs_zpools_load_key: []
 # trim
 zpools_trim: []
 # load_key
 zpools_load_key: []
--- a/plays/system/roles/zfs/meta/argument_specs.yml
+++ b/plays/system/roles/zfs/meta/argument_specs.yml
@ -4,15 +4,15 @@ argument_specs:
      ansible_hostname:
        type: "str"
        required: true
-      zpools:
+      system_zfs_zpools:
        type: "list"
        elements: "str"
        required: true
-      zpools_trim:
+      system_zfs_zpools_trim:
        type: "list"
        elements: "str"
        required: true
-      zpools_load_key:
+      system_zfs_zpools_load_key:
        type: "list"
        elements: "str"
        required: true
--- a/plays/system/roles/zfs/tasks/include/conf.yml
+++ b/plays/system/roles/zfs/tasks/include/conf.yml
@ -3,7 +3,7 @@
    src: "./conf/zfs.conf"
    dest: "/etc/modprobe.d/zfs.conf"
    mode: 0644
-  register: zfs_conf_file
+  register: system_zfs_conf_file
 - block:
@ -15,4 +15,4 @@
      ansible.builtin.reboot:
  when:
-    zfs_conf_file.changed
+    system_zfs_conf_file.changed
--- a/plays/system/roles/zfs/tasks/include/fstrim.yml
+++ b/plays/system/roles/zfs/tasks/include/fstrim.yml
@ -6,13 +6,13 @@
    src: "./fstrim/fstrim.timer"
    dest: "/etc/systemd/system/fstrim.timer"
    mode: 0644
-  register: systemd_fstrim_timer_file
+  register: system_zfs_fstrim_timer_file
 - name: "fstrim : systemd daemon reload"
  ansible.builtin.systemd:
    daemon_reload: true
  when:
-    systemd_fstrim_timer_file.changed
+    system_zfs_fstrim_timer_file.changed
 # Disabling is necessary to make sure systemd uses the new timer file.
 - name: "fstrim : disable fstrim.timer"
@ -21,7 +21,7 @@
    enabled: false
    state: "stopped"
  when:
-    systemd_fstrim_timer_file.changed
+    system_zfs_fstrim_timer_file.changed
 - name: "fstrim : enable fstrim.timer"
  ansible.builtin.systemd:
--- a/plays/system/roles/zfs/tasks/include/load_key.yml
+++ b/plays/system/roles/zfs/tasks/include/load_key.yml
@ -3,16 +3,16 @@
    src: "./load_key/zfs-load-key@.service"
    dest: "/etc/systemd/system/zfs-load-key@.service"
    mode: 0644
-  register: systemd_zfs_load_key_service_file
+  register: system_zfs_load_key_service_file
 - name: "load_key : systemd daemon reload"
  ansible.builtin.systemd:
    daemon_reload: true
  when:
-    systemd_zfs_load_key_service_file.changed
+    system_zfs_load_key_service_file.changed
 - name: "load_key : enable service to load key for {{ item }}"
  ansible.builtin.systemd:
    name: "zfs-load-key@{{ item }}.service"
    enabled: true
-  loop: "{{ zpools_load_key }}"
+  loop: "{{ system_zfs_zpools_load_key }}"
--- a/plays/system/roles/zfs/tasks/include/scrub.yml
+++ b/plays/system/roles/zfs/tasks/include/scrub.yml
@ -9,25 +9,25 @@
    src: "./scrub/zfs-scrub@.service"
    dest: "/etc/systemd/system/zfs-scrub@.service"
    mode: 0644
-  register: systemd_zfs_scrub_service_file
+  register: system_zfs_scrub_service_file
 - name: "scrub : zfs scrub systemd timer file"
  ansible.builtin.copy:
    src: "./scrub/zfs-scrub-monthly@.timer"
    dest: "/etc/systemd/system/zfs-scrub-monthly@.timer"
    mode: 0644
-  register: systemd_zfs_scrub_monthly_timer_file
+  register: system_zfs_scrub_monthly_timer_file
 - name: "scrub : systemd daemon reload"
  ansible.builtin.systemd:
    daemon_reload: true
  when:
-    systemd_zfs_scrub_service_file.changed or
+    system_zfs_scrub_service_file.changed or
-    systemd_zfs_scrub_monthly_timer_file.changed
+    system_zfs_scrub_monthly_timer_file.changed
 - name: "scrub : enable and start timer for zfs scrub of {{ item }}"
  ansible.builtin.systemd:
    name: "zfs-scrub-monthly@{{ item }}.timer"
    enabled: true
    state: "started"
-  loop: "{{ zpools }}"
+  loop: "{{ system_zfs_zpools }}"
--- a/plays/system/roles/zfs/tasks/include/trim.yml
+++ b/plays/system/roles/zfs/tasks/include/trim.yml
@ -3,25 +3,25 @@
    src: "./trim/zfs-trim@.service"
    dest: "/etc/systemd/system/zfs-trim@.service"
    mode: 0644
-  register: systemd_zfs_trim_service_file
+  register: system_zfs_trim_service_file
 - name: "trim : zfs trim timer file"
  ansible.builtin.copy:
    src: "./trim/zfs-trim-monthly@.timer"
    dest: "/etc/systemd/system/zfs-trim-monthly@.timer"
    mode: 0644
-  register: systemd_zfs_trim_monthly_timer_file
+  register: system_zfs_trim_monthly_timer_file
 - name: "trim : systemd daemon reload"
  ansible.builtin.systemd:
    daemon_reload: true
  when:
-    systemd_zfs_trim_service_file.changed or
+    system_zfs_trim_service_file.changed or
-    systemd_zfs_trim_monthly_timer_file.changed
+    system_zfs_trim_monthly_timer_file.changed
 - name: "trim : enable and start timer for zfs trim of {{ item }}"
  ansible.builtin.systemd:
    name: "zfs-trim-monthly@{{ item }}.timer"
    enabled: true
    state: "started"
-  loop: "{{ zpools_trim }}"
+  loop: "{{ system_zfs_zpools_trim }}"
`@ -1 +1 @@`
	`{{ ansible_hostname }}.{{ mail_domain }}`	`{{ ansible_hostname }}.{{ system_mail_domain }}`
`@ -1 +1 @@`
	`[{{ postfix_smtp_server }}]:{{ postfix_smtp_port }} {{ postfix_smtp_user }}:{{ postfix_smtp_pass }}`	`[{{ system_mail_smtp_server }}]:{{ system_mail_smtp_port }} {{ system_mail_smtp_user }}:{{ system_mail_smtp_pass }}`