From 4d7a6793ec95776d1fb41f67a80f0377e181bd09 Mon Sep 17 00:00:00 2001
From: Matt Birkholz <matt@birchwood-abbey.net>
Date: Fri, 23 Feb 2024 17:39:26 -0700
Subject: [PATCH] Added the "all" role, for all hosts.

This eliminates duplicate code from all (other) roles, installing the
institute certificate authority.  Originally intended to ensure the
institute CA was installed before OpenVPN needed it.  OpenVPN actually
just needed the /usr/local/share/ca-certificates/ file (not
update-ca-certificates execution).
---
 README.org                       | 154 ++++++++++++-------------------
 playbooks/site.yml               |   4 +
 roles_t/all/handlers/main.yml    |   3 +
 roles_t/all/tasks/main.yml       |  14 +++
 roles_t/campus/handlers/main.yml |   4 -
 roles_t/campus/tasks/main.yml    |  10 --
 roles_t/core/handlers/main.yml   |   4 -
 roles_t/core/tasks/main.yml      |  10 --
 roles_t/front/handlers/main.yml  |   4 -
 roles_t/front/tasks/main.yml     |  10 --
 10 files changed, 80 insertions(+), 137 deletions(-)
 create mode 100644 roles_t/all/handlers/main.yml
 create mode 100644 roles_t/all/tasks/main.yml

diff --git a/README.org b/README.org
index 3e01f0d..0864bfc 100644
--- a/README.org
+++ b/README.org
@@ -1237,6 +1237,58 @@ information, see the Gate role's [[netplan-gate][Configure Netplan]] task.)
 At this point Gate was ready for provisioning with Ansible.
 
 
+* The All Role
+
+The ~all~ role contains tasks that are executed on all of the
+institute's servers.  At the moment there is just the one.
+
+** Include Particulars
+
+The ~all~ role's task contains a reference to a common institute
+particular, the institute's ~domain_name~, a variable found in the
+=public/vars.yml= file.  Thus the first task of the ~all~ role is to
+include the variables defined in this file (described in [[*The Particulars][The
+Particulars]]).  The code block below is the first to tangle into
+[[file:roles/front/tasks/main.yml][=roles/all/tasks/main.yml=]].
+
+#+CAPTION: [[file:roles/front/tasks/main.yml][=roles/all/tasks/main.yml=]]
+#+BEGIN_SRC conf :tangle roles_t/all/tasks/main.yml :mkdirp yes
+---
+- name: Include public variables.
+  include_vars: ../public/vars.yml
+  tags: accounts
+#+END_SRC
+
+** Trust Institute Certificate Authority
+
+All servers should recognize the institute's Certificate Authority as
+trustworthy, so its certificate is added to the set of trusted CAs on
+each host.  More information about how the small institute manages its
+X.509 certificates is available in [[*Keys][Keys]].
+
+#+CAPTION: [[file:roles_t/front/tasks/main.yml][=roles_t/all/tasks/main.yml=]]
+#+BEGIN_SRC conf :tangle roles_t/all/tasks/main.yml :mkdirp yes
+
+- name: Trust the institute CA.
+  become: yes
+  copy:
+    src: ../Secret/CA/pki/ca.crt
+    dest: /usr/local/share/ca-certificates/{{ domain_name }}.crt
+    mode: u=r,g=r,o=r
+    owner: root
+    group: root
+  notify: Update CAs.
+#+END_SRC
+
+#+CAPTION: [[file:roles_t/front/handlers/main.yml][=roles_t/all/handlers/main.yml=]]
+#+BEGIN_SRC conf :tangle roles_t/all/handlers/main.yml :mkdirp yes
+
+- name: Update CAs.
+  become: yes
+  command: update-ca-certificates
+#+END_SRC
+
+
 * The Front Role
 
 The ~front~ role installs and configures the services expected on the
@@ -1261,14 +1313,9 @@ certificates signed by the institute CA.
 
 ** Include Particulars
 
-The ~front~ role's tasks contain references to several common
-institute particulars, variables in the public and private =vars.yml=
-files and the institute membership roll in =private/members.yml=.  The
-first ~front~ role tasks are to include these files (described in [[*The Particulars][The
-Particulars]] and [[*Account Management][Account Management]]).
-
-The code block below is the first to tangle into
-[[file:roles/front/tasks/main.yml][=roles/front/tasks/main.yml=]].
+The first task, as in [[*The All Role][The All Role]], is to include the institute
+particulars.  The ~front~ role refers to private variables and the
+membership roll, so these are included was well.
 
 #+CAPTION: [[file:roles/front/tasks/main.yml][=roles/front/tasks/main.yml=]]
 #+BEGIN_SRC conf :tangle roles_t/front/tasks/main.yml :mkdirp yes
@@ -1524,35 +1571,6 @@ recipient" replies.  The [[*Account Management][Account Management]] chapter des
   tags: accounts
 #+END_SRC
 
-** Trust Institute Certificate Authority
-
-Front should recognize the institute's Certificate Authority as
-trustworthy, so its certificate is added to Front's set of trusted
-CAs.  More information about how the small institute manages its
-X.509 certificates is available in [[*Keys][Keys]].
-
-#+CAPTION: [[file:roles_t/front/tasks/main.yml][=roles_t/front/tasks/main.yml=]]
-#+BEGIN_SRC conf :tangle roles_t/front/tasks/main.yml
-
-- name: Trust the institute CA.
-  become: yes
-  copy:
-    src: ../Secret/CA/pki/ca.crt
-    dest: /usr/local/share/ca-certificates/{{ domain_name }}.crt
-    mode: u=r,g=r,o=r
-    owner: root
-    group: root
-  notify: Update CAs.
-#+END_SRC
-
-#+CAPTION: [[file:roles_t/front/handlers/main.yml][=roles_t/front/handlers/main.yml=]]
-#+BEGIN_SRC conf :tangle roles_t/front/handlers/main.yml
-
-- name: Update CAs.
-  become: yes
-  command: update-ca-certificates
-#+END_SRC
-
 ** Install Server Certificate
 
 The servers on Front use the same certificate (and key) to
@@ -2947,35 +2965,6 @@ describes the ~members~ and ~usernames~ variables.
   tags: accounts
 #+END_SRC
 
-** Trust Institute Certificate Authority
-
-Core should recognize the institute's Certificate Authority as
-trustworthy, so its certificate is added to Core's set of trusted
-CAs.  More information about how the small institute manages its
-X.509 certificates is available in [[*Keys][Keys]].
-
-#+CAPTION: [[file:roles_t/core/tasks/main.yml][=roles_t/core/tasks/main.yml=]]
-#+BEGIN_SRC conf :tangle roles_t/core/tasks/main.yml
-
-- name: Trust the institute CA.
-  become: yes
-  copy:
-    src: ../Secret/CA/pki/ca.crt
-    dest: /usr/local/share/ca-certificates/{{ domain_name }}.crt
-    mode: u=r,g=r,o=r
-    owner: root
-    group: root
-  notify: Update CAs.
-#+END_SRC
-
-#+CAPTION: [[file:roles_t/core/handlers/main.yml][=roles_t/core/handlers/main.yml=]]
-#+BEGIN_SRC conf :tangle roles_t/core/handlers/main.yml
-
-- name: Update CAs.
-  become: yes
-  command: update-ca-certificates
-#+END_SRC
-
 ** Install Server Certificate
 
 The servers on Core use the same certificate (and key) to authenticate
@@ -5289,35 +5278,6 @@ these groups speeds up debugging.
     groups: root,adm
 #+END_SRC
 
-** Trust Institute Certificate Authority
-
-Campus hosts should recognize the institute's Certificate Authority as
-trustworthy, so its certificate is added to the host's set of trusted
-CAs.  (For more information about how the small institute manages its
-keys, certificates and passwords, see [[*Keys][Keys]].)
-
-#+CAPTION: [[file:roles_t/campus/tasks/main.yml][=roles_t/campus/tasks/main.yml=]]
-#+BEGIN_SRC conf :tangle roles_t/campus/tasks/main.yml
-
-- name: Trust the institute CA.
-  become: yes
-  copy:
-    src: ../Secret/CA/pki/ca.crt
-    dest: /usr/local/share/ca-certificates/{{ domain_name }}.crt
-    mode: u=r,g=r,o=r
-    owner: root
-    group: root
-  notify: Update CAs.
-#+END_SRC
-
-#+CAPTION: [[file:roles_t/campus/handlers/main.yml][=roles_t/campus/handlers/main.yml=]]
-#+BEGIN_SRC conf :tangle roles_t/campus/handlers/main.yml
-
-- name: Update CAs.
-  become: yes
-  command: update-ca-certificates
-#+END_SRC
-
 ** Install Unattended Upgrades
 
 The institute prefers to install security updates as soon as possible.
@@ -5591,6 +5551,10 @@ the example inventory: [[file:hosts][=hosts=]].
 #+CAPTION: [[file:playbooks/site.yml][=playbooks/site.yml=]]
 #+BEGIN_SRC conf :tangle playbooks/site.yml :mkdirp yes
 ---
+- name: Configure All
+  hosts: all
+  roles: [ all ]
+
 - name: Configure Front
   hosts: front
   roles: [ front ]
diff --git a/playbooks/site.yml b/playbooks/site.yml
index 0aa8866..e127476 100644
--- a/playbooks/site.yml
+++ b/playbooks/site.yml
@@ -1,4 +1,8 @@
 ---
+- name: Configure All
+  hosts: all
+  roles: [ all ]
+
 - name: Configure Front
   hosts: front
   roles: [ front ]
diff --git a/roles_t/all/handlers/main.yml b/roles_t/all/handlers/main.yml
new file mode 100644
index 0000000..3ba4265
--- /dev/null
+++ b/roles_t/all/handlers/main.yml
@@ -0,0 +1,3 @@
+- name: Update CAs.
+  become: yes
+  command: update-ca-certificates
diff --git a/roles_t/all/tasks/main.yml b/roles_t/all/tasks/main.yml
new file mode 100644
index 0000000..16b0e95
--- /dev/null
+++ b/roles_t/all/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+- name: Include public variables.
+  include_vars: ../public/vars.yml
+  tags: accounts
+
+- name: Trust the institute CA.
+  become: yes
+  copy:
+    src: ../Secret/CA/pki/ca.crt
+    dest: /usr/local/share/ca-certificates/{{ domain_name }}.crt
+    mode: u=r,g=r,o=r
+    owner: root
+    group: root
+  notify: Update CAs.
diff --git a/roles_t/campus/handlers/main.yml b/roles_t/campus/handlers/main.yml
index c929d42..75255bd 100644
--- a/roles_t/campus/handlers/main.yml
+++ b/roles_t/campus/handlers/main.yml
@@ -15,10 +15,6 @@
     service: systemd-timesyncd
     state: restarted
 
-- name: Update CAs.
-  become: yes
-  command: update-ca-certificates
-
 - name: Restart Postfix.
   become: yes
   systemd:
diff --git a/roles_t/campus/tasks/main.yml b/roles_t/campus/tasks/main.yml
index e185415..fa8e838 100644
--- a/roles_t/campus/tasks/main.yml
+++ b/roles_t/campus/tasks/main.yml
@@ -80,16 +80,6 @@
     append: yes
     groups: root,adm
 
-- name: Trust the institute CA.
-  become: yes
-  copy:
-    src: ../Secret/CA/pki/ca.crt
-    dest: /usr/local/share/ca-certificates/{{ domain_name }}.crt
-    mode: u=r,g=r,o=r
-    owner: root
-    group: root
-  notify: Update CAs.
-
 - name: Install basic software.
   become: yes
   apt: pkg=unattended-upgrades
diff --git a/roles_t/core/handlers/main.yml b/roles_t/core/handlers/main.yml
index 418014a..e5bd621 100644
--- a/roles_t/core/handlers/main.yml
+++ b/roles_t/core/handlers/main.yml
@@ -29,10 +29,6 @@
     service: bind9
     state: reloaded
 
-- name: Update CAs.
-  become: yes
-  command: update-ca-certificates
-
 - name: Restart Postfix.
   become: yes
   systemd:
diff --git a/roles_t/core/tasks/main.yml b/roles_t/core/tasks/main.yml
index bbf3053..d305321 100644
--- a/roles_t/core/tasks/main.yml
+++ b/roles_t/core/tasks/main.yml
@@ -302,16 +302,6 @@
   when: members[item].status != 'current'
   tags: accounts
 
-- name: Trust the institute CA.
-  become: yes
-  copy:
-    src: ../Secret/CA/pki/ca.crt
-    dest: /usr/local/share/ca-certificates/{{ domain_name }}.crt
-    mode: u=r,g=r,o=r
-    owner: root
-    group: root
-  notify: Update CAs.
-
 - name: Install server certificate/key.
   become: yes
   copy:
diff --git a/roles_t/front/handlers/main.yml b/roles_t/front/handlers/main.yml
index 1b4abd2..8870c6f 100644
--- a/roles_t/front/handlers/main.yml
+++ b/roles_t/front/handlers/main.yml
@@ -9,10 +9,6 @@
     service: ssh
     state: reloaded
 
-- name: Update CAs.
-  become: yes
-  command: update-ca-certificates
-
 - name: Restart Postfix.
   become: yes
   systemd:
diff --git a/roles_t/front/tasks/main.yml b/roles_t/front/tasks/main.yml
index d30366e..b8b3a56 100644
--- a/roles_t/front/tasks/main.yml
+++ b/roles_t/front/tasks/main.yml
@@ -134,16 +134,6 @@
   when: members[item].status != 'current'
   tags: accounts
 
-- name: Trust the institute CA.
-  become: yes
-  copy:
-    src: ../Secret/CA/pki/ca.crt
-    dest: /usr/local/share/ca-certificates/{{ domain_name }}.crt
-    mode: u=r,g=r,o=r
-    owner: root
-    group: root
-  notify: Update CAs.
-
 - name: Install server certificate/key.
   become: yes
   copy:
-- 
2.25.1