Uses platform-specific vars in common role

In order to ease the transition to Focal, let's use different vars for packages depending on platform. When running the Xenial logic against Focal, the kernel removal tasks failed since several of the package names were not found. Also adding a "grsecurity" tag since the grsec story for Focal still needs work, so it's easy to skip now.
freedomofpress · Sep 4, 2020 · e29dd3f · e29dd3f
1 parent 1418f6c
commit e29dd3f
Show file tree

Hide file tree

Showing 8 changed files with 34 additions and 28 deletions.
diff --git a/install_files/ansible-base/roles/common/defaults/main.yml b/install_files/ansible-base/roles/common/defaults/main.yml
@@ -3,6 +3,15 @@
 # and aid in clearing memory. Only the hour is configurable.
 daily_reboot_time: 4 # An integer between 0 and 23
 
+securedrop_common_packages:
+  - apt-transport-https
+  - aptitude
+  - cron-apt
+  - ntp
+  - ntpdate
+  - resolvconf
+  - tmux
+
 disabled_kernel_modules:
   - btusb
   - bluetooth

diff --git a/install_files/ansible-base/roles/common/tasks/install_ntp.yml b/install_files/ansible-base/roles/common/tasks/install_ntp.yml
diff --git a/install_files/ansible-base/roles/common/tasks/install_packages.yml b/install_files/ansible-base/roles/common/tasks/install_packages.yml
@@ -0,0 +1,7 @@
+---
+- name: Install base apt depedencies
+  apt:
+    name: "{{ securedrop_common_packages }}"
+    state: present
+    update_cache: yes
+    cache_valid_time: 3600
diff --git a/install_files/ansible-base/roles/common/tasks/install_tmux.yml b/install_files/ansible-base/roles/common/tasks/install_tmux.yml
diff --git a/install_files/ansible-base/roles/common/tasks/main.yml b/install_files/ansible-base/roles/common/tasks/main.yml
@@ -1,5 +1,7 @@
 ---
-- include: install_ntp.yml
+- include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_release }}.yml"
+
+- include: install_packages.yml
 
 - include: post_ubuntu_install_checks.yml
 
@@ -9,8 +11,6 @@
 
 - include: harden_dns.yml
 
-- include: install_tmux.yml
-
 - include: cron_apt.yml
   tags:
     - reboot

diff --git a/install_files/ansible-base/roles/common/tasks/remove_unused_packages.yml b/install_files/ansible-base/roles/common/tasks/remove_unused_packages.yml
@@ -13,14 +13,7 @@
 # We must used command due to the use of wildcards
 - name: Remove generic kernel packages.
   command: apt-get remove -y {{ item }}
-  with_items:
-    - linux-signed-generic
-    - linux-signed-generic-lts-utopic
-    - linux-signed-image-generic
-    - linux-signed-image-generic-lts-utopic
-    - linux-image-generic-lts-xenial
-    - 'linux-image-.*generic'
-    - 'linux-headers-.*'
+  with_items: "{{ securedrop_kernel_packages_to_remove }}"
   register: apt_removed_kernels
   changed_when: "'The following packages will be REMOVED' in apt_removed_kernels.stdout"
   tags:
@@ -41,6 +34,7 @@
   with_items: "{{ apt_installed_kernels.stdout_lines }}"
   tags:
     - apt
+    - grsecurity
 
 - name: Remove dependencies that are no longer required
   apt:

diff --git a/install_files/ansible-base/roles/common/vars/Ubuntu_focal.yml b/install_files/ansible-base/roles/common/vars/Ubuntu_focal.yml
@@ -0,0 +1,4 @@
+---
+securedrop_kernel_packages_to_remove:
+  - linux-virtual
+  - linux-generic
diff --git a/install_files/ansible-base/roles/common/vars/Ubuntu_xenial.yml b/install_files/ansible-base/roles/common/vars/Ubuntu_xenial.yml
@@ -0,0 +1,9 @@
+---
+securedrop_kernel_packages_to_remove:
+  - linux-signed-generic
+  - linux-signed-generic-lts-utopic
+  - linux-signed-image-generic
+  - linux-signed-image-generic-lts-utopic
+  - linux-image-generic-lts-xenial
+  - 'linux-image-.*generic'
+  - 'linux-headers-.*'