Move config to conf.d folder (#50)

* Move custom blacklists to separate template. * Move custom config to separate template * Update molecule vagrant config * Allow to override needrestart.conf
systemli · May 24, 2023 · d163d0a · d163d0a
1 parent b79688d
commit d163d0a
Show file tree

Hide file tree

Showing 6 changed files with 61 additions and 29 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -35,3 +35,6 @@ needrestart_blacklist_bin: []
 needrestart_checkmk_localcheckdir: /usr/lib/check_mk_agent/local
 needrestart_checkmk_localcheck: False
 needrestart_checkmk_mrpe: False
+
+# Override old needrestart.conf
+needrestart_update_needrestart_conf: False
diff --git a/templates/needrestart.conf.j2 → files/needrestart.conf b/templates/needrestart.conf.j2 → files/needrestart.conf
@@ -36,7 +36,7 @@
 # ATTENTION: If needrestart is configured to run in interactive mode but is run
 # non-interactive (i.e. unattended-upgrades) it will fallback to list only mode.
 #
-$nrconf{restart} = '{{ needrestart_action }}';
+#$nrconf{restart} = 'i';
 
 # Use preferred UI package.
 #$nrconf{ui} = 'NeedRestart::UI::stdio';
@@ -60,20 +60,13 @@ $nrconf{blacklist} = [
 
     # ignore apt-get (Debian Bug#784237)
     qr(^/usr/bin/apt-get(\.dpkg-new)?$),
-
-{% for blacklistbin in needrestart_blacklist_bin %}
-    qr(^{{ blacklistbin }}$),
-{% endfor %}
 ];
 
 # Blacklist services (list of regex) - USE WITH CARE.
 # You should prefere to put services to $nrconf{override_rc} instead.
 # Any service listed in $nrconf{blacklist_rc} will be ignored completely!
-$nrconf{blacklist_rc} = [
-{% for blacklistrc in needrestart_blacklist_rc %}
-    qr(^{{ blacklistrc }}$),
-{% endfor %}
-];
+#$nrconf{blacklist_rc} = [
+#];
 
 # Override service default selection (hash of regex).
 $nrconf{override_rc} = {
@@ -173,15 +166,6 @@ $nrconf{blacklist_mappings} = [
     # temporary stuff
     qr#^(/var)?/tmp/#,
     qr#^(/var)?/run/#,
-
-    # Java Native Access
-    qr#/tmp/jna--#,
-
-    # Java Foreign Function Interface
-    qr#^/tmp/jffi#,
-
-    # elasticsearch
-    qr#^/tmp/elasticsearch\.#,
 ];
 
 # Verify mapped files in fileystem:
@@ -203,7 +187,7 @@ $nrconf{skip_mapfiles} = -1;
 # Enable/disable CPU microcode update hints:
 #  1: requires the user to acknowledge pending updates
 #  0: disable microcode checks completely
-$nrconf{ucodehints} = {{ needrestart_ucodehints }};
+#$nrconf{ucodehints} = 0;
 
 # Nagios Plugin: configure return code use by nagios
 # as service status[1].

diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
@@ -6,7 +6,3 @@ driver:
 platforms:
   - name: needrestart-bullseye64
     box: debian/bullseye64
-lint: yamllint .
-provisioner:
-  name: ansible
-  become: true
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -7,16 +7,30 @@
     state: present
     cache_valid_time: 600
 
+- name: Override outdated needrestart.conf
+  ansible.builtin.copy:
+    src: "needrestart.conf"
+    dest: "/etc/needrestart/needrestart.conf"
+    owner: root
+    group: root
+    mode: "0644"
+  when: needrestart_update_needrestart_conf
+
 - name: Ensure needrestart config is latest
   ansible.builtin.template:
-    src: "{{ item }}.j2"
-    dest: "/etc/needrestart/{{ item }}"
+    src: "notify.conf.j2"
+    dest: "/etc/needrestart/notify.conf"
+    owner: root
+    group: root
+    mode: "0644"
+
+- name: Ensure custom needrestart config is deployed
+  ansible.builtin.template:
+    src: "custom_needrestart.conf.j2"
+    dest: "/etc/needrestart/conf.d/custom_needrestart.conf"
     owner: root
     group: root
     mode: "0644"
-  with_items:
-    - notify.conf
-    - needrestart.conf
 
 - name: Ensure needrestart ignorelist config include is latest
   ansible.builtin.template:
@@ -27,6 +41,15 @@
     mode: "0644"
   when: needrestart_ignorelist | default()
 
+- name: Ensure needrestart blacklist config include is latest
+  ansible.builtin.template:
+    src: "needrestart_blacklist.conf.j2"
+    dest: "/etc/needrestart/conf.d/blacklist.conf"
+    owner: root
+    group: root
+    mode: "0644"
+  when: ( needrestart_blacklist_bin | default() ) or ( needrestart_blacklist_rc | default() )
+
 - name: Configure needrestart mail
   ansible.builtin.template:
     src: 600-mail.j2

diff --git a/templates/custom_needrestart.conf.j2 b/templates/custom_needrestart.conf.j2
@@ -0,0 +1,6 @@
+# This file overrides needrestart.conf.
+# It is managed by Ansible.
+
+$nrconf{restart} = '{{ needrestart_action }}';
+$nrconf{ucodehints} = {{ needrestart_ucodehints }};
+
diff --git a/templates/needrestart_blacklist.conf.j2 b/templates/needrestart_blacklist.conf.j2
@@ -0,0 +1,20 @@
+# This file overrides the blacklist from needrestart.conf.
+# It is managed by Ansible.
+
+# Blacklist binaries
+push ( @{$nrconf{blacklist}}, (
+{% for blacklistbin in needrestart_blacklist_bin %}
+    qr(^{{ blacklistbin }}$),
+{% endfor %}
+    )
+);
+
+
+#Blacklist services
+push ( @{$nrconf{blacklist_rc}}, (
+{% for blacklistrc in needrestart_blacklist_rc %}
+    qr(^{{ blacklistrc }}$),
+{% endfor %}
+    )
+);
+