roles/OpenVPN-Client/handlers/main.yml

 ---
   - name: restart openvpn
     service: name=openvpn state=restarted
-    sudo: true
+    become: true

roles/OpenVPN-Client/tasks/copyCerts.yml

---- 
-- 
+---
+-
   copy: "src=/tmp/{{ inventory_hostname }}/ca.crt dest=/etc/openvpn/ca.crt  mode=644 owner=root group=root"
   name: "Copying CA certificate"
   when: "client_ca_cert.stat.exists == false"
-- 
+-
   copy: "src=/tmp/{{ inventory_hostname }}/{{ inventory_hostname }}.crt dest=/etc/openvpn/{{ inventory_hostname }}.crt mode=644 owner=root group=root"
   name: "Copying Client certificate"
   when: "client_sign_cert.stat.exists == false"
-- 
+-
   copy: "src=/tmp/{{ inventory_hostname }}/{{ inventory_hostname }}.key dest=/etc/openvpn/{{ inventory_hostname }}.key  mode=600 owner=root group=root"
   name: "Copying Client key"
   when: "client_key.stat.exists == false"

roles/OpenVPN-Client/tasks/installOpenVPN.yml

---- 
+---
 - name: "Install OpenVPN"
   yum: "name=openvpn state=present"
-  sudo: true
+  become: true
   notify: restart openvpn
 
 - name: "Copying client.conf to the OpenVPN client"
   template: "src=client.conf.j2 dest=/etc/openvpn/client.conf"
-  sudo: true
+  become: true
   notify: restart openvpn
 

roles/OpenVPN-Client/tasks/main.yml

@@ -3,6 +3,6 @@
  include: installOpenVPN.yml
 
 - name: "Start OpenVPN"
-  service: name=openvpn state=started
-  sudo: true
+  service: name=openvpn state=started enabled=yes
+  become: true
 

roles/OpenVPN-Client/vars/main.yml

+readme.txt
\ No newline at end of file

roles/OpenVPN-Server/handlers/main.yml

 ---
   - name: restart openvpn
     service: name=openvpn state=restarted
-    sudo: true
+    become: true

roles/OpenVPN-Server/tasks/installOpenVPN.yml

---- 
+---
 - name: "Install OpenVPN"
   yum: "name=openvpn state=present"
   notify: "restart openvpn"
-  sudo: true
+  become: true
+
+- name: Create path
+  shell: mkdir -p {{ dhparms_file | dirname }}
+  args:
+    creates: "{{ dhparms_file | dirname }}"
+  become: true
 
 - name: "Generate DH parameters"
   shell: openssl dhparam -out {{ dhparms_file }} 512
   args:
     creates: "{{ dhparms_file }}"
-  sudo: true
+  become: true
 
 - name: "Configure OpenVPN Server"
   template: "src=server.conf.j2 dest=/etc/openvpn/server.conf"
   notify: "restart openvpn"
-  sudo: true
+  become: true

roles/OpenVPN-Server/tasks/main.yml

@@ -3,5 +3,5 @@
  include: installOpenVPN.yml
 
 - name: "Start OpenVPN"
-  service: name=openvpn state=started
-  sudo: true
+  service: name=openvpn state=started enabled=yes
+  become: true

roles/OpenVPN-Server/vars/main.yml

+readme.txt
\ No newline at end of file

roles/SSHKnownHosts/tasks/main.yml

+- name: install known hosts file
+  copy: src=files/ssh_known_hosts dest=/etc/ssh/ssh_known_hosts owner=root mode=644
+  become: true
+  become_user: root

roles/additional_paths/tasks/main.yml

+- name: setup additiona PATHs in /etc/profile.d
+  template:
+    src: additional_paths.sh.j2
+    dest: /etc/profile.d/additional_paths.sh
+  become: true
+  when: additional_paths is defined

roles/additional_paths/templates/additional_paths.sh.j2

+export PATH=$PATH:{{ additional_paths|join(":") }}

roles/allow_stale_nfs/tasks/main.yml

+---
+- name: place /usr/local/ last in the PATH in /etc/profile
+  lineinfile:
+  args:
+    dest: "/etc/profile"
+    insertbefore: BOF
+    line: "PATH=/bin:/usr/bin:/usr/local/bin"
+  become: true
+  become_user: root
+
+- name: remove old line
+  lineinfile:
+  args:
+    dest: "/etc/profile"
+    regexp: "^PATH=/usr/local/bin:/bin:/usr/bin$"
+    state: absent
+  become: true
+  become_user: root
+
+- name: remove /usr/local/ from the PATH in /etc/profile
+  lineinfile:
+  args:
+    dest: "/etc/profile"
+    regexp: ".*pathmunge /usr/local.*"
+    state: absent
+  become: true
+  become_user: root
+
+- name: dont execute abrt-cli on login
+  file: path=/etc/profile.d/abrt-console-notification.sh state=absent
+  become: true
+  become_user: root

roles/apache2/tasks/apacheDebian.yml

+---
+-
+ name: "Install Apache2"
+ apt: name={{ item }} state=present
+ with_items:
+  - apache2
+  - apache2-dev
+ become: true
+
+-
+ name: "Templating default-ssl site"
+ template: src=default-ssl.j2 dest=/etc/apache2/sites-available/default-ssl.conf owner=www-data group=www-data
+ become: true
+-
+ name: "Templating default site"
+ template: src=default.j2 dest=/etc/apache2/sites-available/000-default.conf owner=www-data group=www-data
+ become: true
+
+-
+ name: "Enable ssl module"
+ apache2_module: state=present name=ssl
+ become: true
+
+-
+ name: "Enable default-ssl site"
+ shell: a2ensite default-ssl
+ become: true
+ notify: restart apache2
+
+

roles/apache2/tasks/apacheRedHat.yml

+---
+
+-
+ name: "Installing Apache"
+ become: true
+ yum: name={{ item }} state=present
+ with_items:
+  - mod_ssl
+  - mod_wsgi
+  - openssl
+  - httpd
+  - httpd-devel
+-
+ name: Setting httpd.conf
+ become: true
+ replace: dest=/etc/httpd/conf/httpd.conf regexp="^#ServerName www.example.com:80" replace="ServerName {{ ansible_fqdn }}"
+
+-
+ name: "Templating default-ssl site"
+ template: src=default-ssl.j2 dest=/etc/httpd/conf.d/ssl.conf owner=apache group=apache
+ become: true
+
+-
+ name: Templating wsgi.conf
+ become: true
+ template: src=wsgi.conf.j2 dest=/etc/httpd/conf.d/wsgi.conf owner=root group=root
+-
+ name: Restarting Apache
+ become: true
+ service: name=httpd state=restarted

roles/apache2/tasks/main.yml

+---
+- include: apacheDebian.yml
+  when: ansible_os_family == "Debian"
+- include: apacheRedHat.yml
+  when: ansible_os_family == 'RedHat'
+
+- name: "Create apache key directory"
+  file: path={{ x509_key | dirname }} state=directory owner={{ apache_user }} mode=700
+  become: true
+
+- name: "Create apache cert directory"
+  file: path={{ x509_cert | dirname }} state=directory owner={{ apache_user }} mode=755
+  become: true
+
+- name: "Copying the apache key file"
+  template: src="files/{{ apache_key_file }}" dest="{{ x509_key }}" mode=0600 owner={{ apache_user }} group={{ apache_group }}
+  become: true
+  when: apache_key_file is defined
+
+- name: "Copying the apache cert file"
+  template: src="files/{{ apache_cert_file }}" dest="{{ x509_cert }}" mode=0644 owner={{ apache_user }} group={{ apache_group }}
+  become: true
+  when: apache_cert_file is defined
+
+- name: "Create log directory, start aoacge will have errors without it"
+  file: dest=/etc/apache2/logs state=directory
+  become: true
+
+-
+ name: "Change permissions for /var/www"
+ file: path=/var/www state=directory owner=root group={{ apache_user }} mode=0775
+ become: true
+
+-
+ name: "Starting Apache2"
+ service: name=apache2 state=started enabled=yes
+ become: true
+ when: ansible_os_family=="Debian"
+
+

roles/apache2/templates/default-ssl.j2

+<IfModule mod_ssl.c>
+<VirtualHost _default_:443>
+	ServerAdmin webmaster@localhost
+    {% if hpcidDomain is defined %}
+    ServerName {{ hpcidDomain }}
+    {% endif %}
+
+	DocumentRoot /var/www
+	<Directory />
+		Options FollowSymLinks
+		AllowOverride None
+	</Directory>
+	<Directory /var/www/>
+		Options Indexes FollowSymLinks MultiViews
+		AllowOverride None
+		Order allow,deny
+		allow from all
+	</Directory>
+
+	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+	<Directory "/usr/lib/cgi-bin">
+		AllowOverride None
+		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+		Order allow,deny
+		Allow from all
+	</Directory>
+
+	ErrorLog ${APACHE_LOG_DIR}/error.log
+
+	# Possible values include: debug, info, notice, warn, error, crit,
+	# alert, emerg.
+	LogLevel warn
+
+	CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
+
+	#   SSL Engine Switch:
+	#   Enable/Disable SSL for this virtual host.
+	SSLEngine on
+
+	#   A self-signed (snakeoil) certificate can be created by installing
+	#   the ssl-cert package. See
+	#   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
+	#   If both key and certificate are stored in the same file, only the
+	#   SSLCertificateFile directive is needed.
+	SSLCertificateFile    {{ x509_cert }}
+	SSLCertificateKeyFile {{ x509_key }}
+
+	#   Server Certificate Chain:
+	#   Point SSLCertificateChainFile at a file containing the
+	#   concatenation of PEM encoded CA certificates which form the
+	#   certificate chain for the server certificate. Alternatively
+	#   when the CA certificates are directly appended to the server
+	#   certificate for convinience.
+	# SSLCertificateChainFile 
+
+	#   Certificate Authority (CA):
+	#   Set the CA certificate verification path where to find CA
+	#   certificates for client authentication or alternatively one
+	#   huge file containing all of them (file must be PEM encoded)
+	#   Note: Inside SSLCACertificatePath you need hash symlinks
+	#         to point to the certificate files. Use the provided
+	#         Makefile to update the hash symlinks after changes.
+
+	#   Certificate Revocation Lists (CRL):
+	#   Set the CA revocation path where to find CA CRLs for client
+	#   authentication or alternatively one huge file containing all
+	#   of them (file must be PEM encoded)
+	#   Note: Inside SSLCARevocationPath you need hash symlinks
+	#         to point to the certificate files. Use the provided
+	#         Makefile to update the hash symlinks after changes.
+	#SSLCARevocationPath /etc/apache2/ssl.crl/
+	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
+
+	#   Client Authentication (Type):
+	#   Client certificate verification type and depth.  Types are
+	#   none, optional, require and optional_no_ca.  Depth is a
+	#   number which specifies how deeply to verify the certificate
+	#   issuer chain before deciding the certificate is not valid.
+	#SSLVerifyClient require
+	#SSLVerifyDepth  10
+
+	#   Access Control:
+	#   With SSLRequire you can do per-directory access control based
+	#   on arbitrary complex boolean expressions containing server
+	#   variable checks and other lookup directives.  The syntax is a
+	#   mixture between C and Perl.  See the mod_ssl documentation
+	#   for more details.
+	#<Location />
+	#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+	#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+	#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+	#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+	#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
+	#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+	#</Location>
+
+	#   SSL Engine Options:
+	#   Set various options for the SSL engine.
+	#   o FakeBasicAuth:
+	#     Translate the client X.509 into a Basic Authorisation.  This means that
+	#     the standard Auth/DBMAuth methods can be used for access control.  The
+	#     user name is the `one line' version of the client's X.509 certificate.
+	#     Note that no password is obtained from the user. Every entry in the user
+	#     file needs this password: `xxj31ZMTZzkVA'.
+	#   o ExportCertData:
+	#     This exports two additional environment variables: SSL_CLIENT_CERT and
+	#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+	#     server (always existing) and the client (only existing when client
+	#     authentication is used). This can be used to import the certificates
+	#     into CGI scripts.
+	#   o StdEnvVars:
+	#     This exports the standard SSL/TLS related `SSL_*' environment variables.
+	#     Per default this exportation is switched off for performance reasons,
+	#     because the extraction step is an expensive operation and is usually
+	#     useless for serving static content. So one usually enables the
+	#     exportation for CGI and SSI requests only.
+	#   o StrictRequire:
+	#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+	#     under a "Satisfy any" situation, i.e. when it applies access is denied
+	#     and no other module can change it.
+	#   o OptRenegotiate:
+	#     This enables optimized SSL connection renegotiation handling when SSL
+	#     directives are used in per-directory context.
+	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+	<FilesMatch "\.(cgi|shtml|phtml|php)$">
+		SSLOptions +StdEnvVars
+	</FilesMatch>
+	<Directory /usr/lib/cgi-bin>
+		SSLOptions +StdEnvVars
+	</Directory>
+
+	#   SSL Protocol Adjustments:
+	#   The safe and default but still SSL/TLS standard compliant shutdown
+	#   approach is that mod_ssl sends the close notify alert but doesn't wait for
+	#   the close notify alert from client. When you need a different shutdown
+	#   approach you can use one of the following variables:
+	#   o ssl-unclean-shutdown:
+	#     This forces an unclean shutdown when the connection is closed, i.e. no
+	#     SSL close notify alert is send or allowed to received.  This violates
+	#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
+	#     this when you receive I/O errors because of the standard approach where
+	#     mod_ssl sends the close notify alert.
+	#   o ssl-accurate-shutdown:
+	#     This forces an accurate shutdown when the connection is closed, i.e. a
+	#     SSL close notify alert is send and mod_ssl waits for the close notify
+	#     alert of the client. This is 100% SSL/TLS standard compliant, but in
+	#     practice often causes hanging connections with brain-dead browsers. Use
+	#     this only for browsers where you know that their SSL implementation
+	#     works correctly.
+	#   Notice: Most problems of broken clients are also related to the HTTP
+	#   keep-alive facility, so you usually additionally want to disable
+	#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
+	#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
+	#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+	#   "force-response-1.0" for this.
+	BrowserMatch "MSIE [2-6]" \
+		nokeepalive ssl-unclean-shutdown \
+		downgrade-1.0 force-response-1.0
+	# MSIE 7 and newer should be able to use keepalive
+	BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+</VirtualHost>
+</IfModule>

roles/apache2/templates/default.j2

+<VirtualHost *:80>
+        ServerAdmin webmaster@localhost
+		ServerName {{ ansible_nodename }}
+		Redirect permanent / https://{{ ansible_nodename }}/
+
+        DocumentRoot /var/www
+        <Directory />
+                Options FollowSymLinks
+                AllowOverride None
+        </Directory>
+        <Directory /var/www/>
+                Options Indexes FollowSymLinks MultiViews
+                AllowOverride None
+                Order allow,deny
+                allow from all
+        </Directory>
+#		<Directory /etc/karaage3>
+#                Options FollowSymLinks
+#                AllowOverride None
+#        </Directory>
+
+        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+        <Directory "/usr/lib/cgi-bin">
+                AllowOverride None
+                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+                Order allow,deny
+                Allow from all
+        </Directory>
+
+        ErrorLog ${APACHE_LOG_DIR}/error.log
+
+        # Possible values include: debug, info, notice, warn, error, crit,
+        # alert, emerg.
+        LogLevel warn
+
+        CustomLog ${APACHE_LOG_DIR}/access.log combined
+</VirtualHost>

roles/apache2/vars/main.yml

+---
+ apache_user: "{% if ansible_os_family == 'RedHat'  %}apache{% else %}www-data{% endif %}"
+ apache_group: "{% if ansible_os_family == 'RedHat'  %}apache{% else %}www-data{% endif %}"
+ apache_config: "/etc/{% if ansible_os_family == 'RedHat' %}httpd{% else %}apache2{% endif %}"
+ x509_cert: "{{ apache_config }}/ssl/certs/server.cert.pem"
+ x509_key: "{{ apache_config }}/ssl/private/server.key.pem"

roles/apt-get-update/tasks/main.yml

+---
+- name: apt-get update
+  apt: update_cache=True
+  become: true
+  when: ansible_os_family=="Debian"