use ansible DEFAULT_LOCAL_TMP for files stored on the ansible controller (#355)

zerwes · Klaus Zerwes · widhalmt · web-flow · commit 6967c27f472c · 2024-11-26T09:03:47.000Z
https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-local-tmp closes #354 --------- Co-authored-by: Klaus Zerwes <Klaus.Zerwes@rosalux.org> Co-authored-by: Thomas Widhalm <widhalmt@widhalm.or.at>
diff --git a/roles/beats/tasks/beats-security.yml b/roles/beats/tasks/beats-security.yml
@@ -87,20 +87,20 @@
   block:
     - name: Check the existance of cert on localhost
       ansible.builtin.stat:
-        path: /tmp/{{ ansible_hostname }}-beats.zip
+        path: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-beats.zip"
       register: beats_check_temporary_cert
 
     - name: Move temporary zip file
       ansible.builtin.copy:
-        src: /tmp/{{ ansible_hostname }}-beats.zip
-        dest: "/tmp/{{ ansible_hostname }}-beats.zip_{{ ansible_date_time.iso8601_micro }}"
+        src: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-beats.zip"
+        dest: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-beats.zip_{{ ansible_date_time.iso8601_micro }}"
         mode: preserve
       when: beats_check_temporary_cert.stat.exists
       register: beats_move_cert_file
 
     - name: Remove temporary cert file
       ansible.builtin.file:
-        path: /tmp/{{ ansible_hostname }}-beats.zip
+        path: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-beats.zip"
         state: absent
       when: beats_move_cert_file.changed
 
@@ -139,7 +139,7 @@
 - name: Fetch certificate from ca host to master
   ansible.builtin.fetch:
     src: "{{ elasticstack_ca_dir }}/{{ ansible_hostname }}-beats.zip"
-    dest: "/tmp/{{ ansible_hostname }}-beats.zip"
+    dest: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-beats.zip"
     flat: yes
   delegate_to: "{{ elasticstack_ca }}"
   tags:
@@ -149,7 +149,7 @@
 
 - name: Copy the certificate to actual node
   ansible.builtin.unarchive:
-    src: "/tmp/{{ ansible_hostname }}-beats.zip"
+    src: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-beats.zip"
     dest: "/etc/beats/certs/"
     owner: root
     group: root
@@ -196,7 +196,7 @@
 - name: Fetch ca certificate from ca host to master
   ansible.builtin.fetch:
     src: "{{ elasticstack_ca_dir }}/ca.crt"
-    dest: /tmp/ca.crt
+    dest: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/ca.crt"
     flat: yes
   delegate_to: "{{ elasticstack_ca }}"
   tags:
@@ -206,7 +206,7 @@
 
 - name: Copy the ca certificate to actual node
   ansible.builtin.copy:
-    src: /tmp/ca.crt
+    src: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/ca.crt"
     dest: /etc/beats/certs
     owner: root
     group: root
diff --git a/roles/elasticsearch/tasks/elasticsearch-security.yml b/roles/elasticsearch/tasks/elasticsearch-security.yml
@@ -74,22 +74,22 @@
 
     - name: Check the existance of ca on Ansible controler
       ansible.builtin.stat:
-        path: /tmp/ca.crt
+        path: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/ca.crt"
       register: elasticsearch_check_temporary_ca
       delegate_to: localhost
 
     - name: Move temporary ca file on Ansible controler
       ansible.builtin.copy:
-        src: /tmp/ca.crt
-        dest: "/tmp/ca.crt_{{ ansible_date_time.iso8601_micro }}"
+        src: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/ca.crt"
+        dest: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/ca.crt_{{ ansible_date_time.iso8601_micro }}"
         mode: preserve
       when: elasticsearch_check_temporary_ca.stat.exists
       delegate_to: localhost
       register: elasticsearch_move_ca_file
 
     - name: Remove temporary ca file on Ansible controler
       ansible.builtin.file:
-        path: /tmp/ca.crt
+        path: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/ca.crt"
         state: absent
       when: elasticsearch_move_ca_file.changed
       delegate_to: localhost
@@ -185,20 +185,20 @@
   block:
     - name: Check the existance of cert on Ansible controler
       ansible.builtin.stat:
-        path: /tmp/{{ ansible_hostname }}.p12
+        path: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}.p12"
       register: elasticsearch_check_temporary_cert
 
     - name: Move temporary cert on Ansible controler
       ansible.builtin.copy:
-        src: /tmp/{{ ansible_hostname }}.p12
-        dest: "/tmp/{{ ansible_hostname }}.p12_{{ ansible_date_time.iso8601_micro }}"
+        src: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}.p12"
+        dest: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}.p12_{{ ansible_date_time.iso8601_micro }}"
         mode: preserve
       when: elasticsearch_check_temporary_cert.stat.exists
       register: elasticsearch_move_cert_file
 
     - name: Remove temporary cert on Ansible controler
       ansible.builtin.file:
-        path: /tmp/{{ ansible_hostname }}.p12
+        path: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}.p12"
         state: absent
       when: elasticsearch_move_cert_file.changed
 
@@ -264,7 +264,7 @@
 - name: Fetch ca certificate from ca host to Ansible controller
   ansible.builtin.fetch:
     src: "{{ elasticstack_ca_dir }}/ca.crt"
-    dest: /tmp/ca.crt
+    dest: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/ca.crt"
     flat: yes
   when: inventory_hostname == elasticstack_ca
   tags:
@@ -275,7 +275,7 @@
 - name: Fetch certificate from ca host to Ansible controller
   ansible.builtin.fetch:
     src: "{{ elasticstack_ca_dir }}/{{ ansible_hostname }}.p12"
-    dest: "/tmp/{{ ansible_hostname }}.p12"
+    dest: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}.p12"
     flat: yes
   delegate_to: "{{ elasticstack_ca }}"
   tags:
@@ -297,7 +297,7 @@
 
 - name: Copy the ca certificate to elasticsearch nodes
   ansible.builtin.copy:
-    src: /tmp/ca.crt
+    src: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/ca.crt"
     dest: "/etc/elasticsearch/certs"
     owner: root
     group: elasticsearch
@@ -313,7 +313,7 @@
 
 - name: Copy the certificate to elasticsearch nodes
   ansible.builtin.copy:
-    src: "/tmp/{{ ansible_hostname }}.p12"
+    src: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}.p12"
     dest: "/etc/elasticsearch/certs"
     owner: root
     group: elasticsearch
diff --git a/roles/kibana/tasks/kibana-security.yml b/roles/kibana/tasks/kibana-security.yml
@@ -91,20 +91,20 @@
   block:
     - name: Check the existance of cert on localhost
       ansible.builtin.stat:
-        path: /tmp/{{ ansible_hostname }}-kibana.p12
+        path: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-kibana.p12"
       register: kibana_check_temporary_cert
 
     - name: Move temporary cert file
       ansible.builtin.copy:
-        src: /tmp/{{ ansible_hostname }}-kibana.p12
-        dest: "/tmp/{{ ansible_hostname }}-kibana.p12_{{ ansible_date_time.iso8601_micro }}"
+        src: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-kibana.p12"
+        dest: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-kibana.p12_{{ ansible_date_time.iso8601_micro }}"
         mode: preserve
       when: kibana_check_temporary_cert.stat.exists
       register: kibana_move_cert_file
 
     - name: Remove temporary cert file
       ansible.builtin.file:
-        path: /tmp/{{ ansible_hostname }}-kibana.p12
+        path: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-kibana.p12"
         state: absent
       when: kibana_move_cert_file.changed
 
@@ -180,7 +180,7 @@
 - name: Fetch certificate from ca host to master
   ansible.builtin.fetch:
     src: "{{ elasticstack_ca_dir }}/{{ ansible_hostname }}-kibana.p12"
-    dest: "/tmp/"
+    dest: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-kibana.p12"
     flat: yes
   delegate_to: "{{ elasticstack_ca }}"
   tags:
@@ -190,7 +190,7 @@
 
 - name: Copy the certificate to actual node
   ansible.builtin.copy:
-    src: "/tmp/{{ ansible_hostname }}-kibana.p12"
+    src: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-kibana.p12"
     dest: "/etc/kibana/certs"
     owner: root
     group: kibana
@@ -215,7 +215,7 @@
 - name: Fetch ca certificate from ca host to master
   ansible.builtin.fetch:
     src: "{{ elasticstack_ca_dir }}/ca.crt"
-    dest: /tmp/ca.crt
+    dest: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/ca.crt"
     flat: yes
   delegate_to: "{{ elasticstack_ca }}"
   tags:
@@ -225,7 +225,7 @@
 
 - name: Copy the ca certificate to actual node
   ansible.builtin.copy:
-    src: /tmp/ca.crt
+    src: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/ca.crt"
     dest: /etc/kibana/certs
     owner: root
     group: kibana
diff --git a/roles/logstash/tasks/logstash-security.yml b/roles/logstash/tasks/logstash-security.yml
@@ -114,39 +114,39 @@
   block:
     - name: Check the existance of cert on Ansible controler
       ansible.builtin.stat:
-        path: /tmp/{{ ansible_hostname }}-ls.p12
+        path: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-ls.p12"
       register: logstash_check_temporary_cert_ansible_controler
 
     - name: Move temporary cert file on Ansible controler
       ansible.builtin.copy:
-        src: /tmp/{{ ansible_hostname }}-ls.p12
-        dest: "/tmp/{{ ansible_hostname }}-ls.p12_{{ ansible_date_time.iso8601_micro }}"
+        src: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-ls.p12"
+        dest: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-ls.p12_{{ ansible_date_time.iso8601_micro }}"
         mode: preserve
       when: logstash_check_temporary_cert_ansible_controler.stat.exists
       register: logstash_move_cert_file_ansible_controler
 
     - name: Remove temporary cert file on Ansible controler
       ansible.builtin.file:
-        path: /tmp/{{ ansible_hostname }}-ls.p12
+        path: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-ls.p12"
         state: absent
       when: logstash_move_cert_file_ansible_controler.changed
 
     - name: Check the existance of cert zip file on Ansible controler
       ansible.builtin.stat:
-        path: /tmp/{{ ansible_hostname }}-ls.zip
+        path: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-ls.zip"
       register: logstash_check_temporary_cert_zip_ansible_controler
 
     - name: Move temporary cert zip file on Ansible controler
       ansible.builtin.copy:
-        src: /tmp/{{ ansible_hostname }}-ls.zip
-        dest: "/tmp/{{ ansible_hostname }}-ls.zip_{{ ansible_date_time.iso8601_micro }}"
+        src: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-ls.zip"
+        dest: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-ls.zip_{{ ansible_date_time.iso8601_micro }}"
         mode: preserve
       when: logstash_check_temporary_cert_zip_ansible_controler.stat.exists
       register: logstash_move_cert_zip_ansible_controler
 
     - name: Remove temporary cert zip file on Ansible controler
       ansible.builtin.file:
-        path: /tmp/{{ ansible_hostname }}-ls.zip
+        path: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-ls.zip"
         state: absent
       when: logstash_move_cert_zip_ansible_controler.changed
 
@@ -173,7 +173,7 @@
 - name: Fetch certificate from ca host to Ansible controler
   ansible.builtin.fetch:
     src: "{{ elasticstack_ca_dir }}/{{ ansible_hostname }}-ls.p12"
-    dest: "/tmp/{{ ansible_hostname }}-ls.p12"
+    dest: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-ls.p12"
     flat: yes
   delegate_to: "{{ elasticstack_ca }}"
   tags:
@@ -195,7 +195,7 @@
 
 - name: Copy the certificate to logstash node
   ansible.builtin.copy:
-    src: "/tmp/{{ ansible_hostname }}-ls.p12"
+    src: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-ls.p12"
     dest: "{{ logstash_certs_dir }}/{{ ansible_hostname }}-ls.p12"
     owner: root
     group: logstash
@@ -207,7 +207,7 @@
 
 - name: Put the certificate in keystore
   ansible.builtin.copy:
-    src: "/tmp/{{ ansible_hostname }}-ls.p12"
+    src: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-ls.p12"
     dest: "{{ logstash_certs_dir }}/keystore.pfx"
     owner: root
     group: logstash
@@ -243,7 +243,7 @@
 - name: Fetch PEM certificate from ca host to Ansible controler
   ansible.builtin.fetch:
     src: "{{ elasticstack_ca_dir }}/{{ ansible_hostname }}-ls.zip"
-    dest: "/tmp/{{ ansible_hostname }}-ls.zip"
+    dest: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-ls.zip"
     flat: yes
   delegate_to: "{{ elasticstack_ca }}"
   tags:
@@ -253,7 +253,7 @@
 
 - name: Copy PEM certificate to logstash node
   ansible.builtin.unarchive:
-    src: "/tmp/{{ ansible_hostname }}-ls.zip"
+    src: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-ls.zip"
     dest: "{{ logstash_certs_dir }}/"
     owner: root
     group: logstash
@@ -323,7 +323,7 @@
 - name: Fetch ca certificate from ca host to Ansible controler
   ansible.builtin.fetch:
     src: "{{ elasticstack_ca_dir }}/ca.crt"
-    dest: /tmp/ca.crt
+    dest: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/ca.crt"
     flat: yes
   delegate_to: "{{ elasticstack_ca }}"
   tags:
@@ -333,7 +333,7 @@
 
 - name: Copy the ca certificate to logstash node
   ansible.builtin.copy:
-    src: /tmp/ca.crt
+    src: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/ca.crt"
     dest: "{{ logstash_certs_dir }}"
     owner: root
     group: logstash
