From a03c20832b4b6d491f6a2b7c6b0d2085297111b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20-=20Le=20Filament?= <remi@le-filament.com>
Date: Wed, 5 Jul 2023 16:01:16 +0200
Subject: [PATCH] [UPD] ansible-lint

---
 .ansible-lint     |   7 +
 .yamllint         |  39 ++++
 handlers/main.yml |  34 ++--
 meta/main.yml     |  34 ++--
 tasks/main.yml    | 454 +++++++++++++++++++++++-----------------------
 vars/Debian.yml   |  28 +--
 vars/RedHat.yml   |   2 +-
 7 files changed, 322 insertions(+), 276 deletions(-)
 create mode 100644 .ansible-lint
 create mode 100644 .yamllint

diff --git a/.ansible-lint b/.ansible-lint
new file mode 100644
index 0000000..8d40d06
--- /dev/null
+++ b/.ansible-lint
@@ -0,0 +1,7 @@
+---
+warn_list:  # or 'skip_list' to silence them completely
+    - git-latest  # Git checkouts must contain explicit version
+    - ignore-errors  # Use failed_when and specify error conditions instead of using ignore_errors
+    - no-changed-when  # Commands should not change things if nothing needs doing
+    - no-handler  # Tasks that run when changed should likely be handlers
+    - package-latest  # Package installs should not use latest
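Review bot: Putting `ignore-errors` in `warn_list` downgrades the rule for the entire role, which silently tolerates the `ignore_errors: true` on the "Disable dynamic motd news" task in tasks/main.yml and any future task that copies the pattern. If that task is the only reason, keep the rule enforced and mark the one task with `ignore_errors: true  # noqa: ignore-errors` (or better, gate it on the file existing via `stat`, since /etc/default/motd-news only exists on Ubuntu as far as I can tell). Likewise `package-latest` is only triggered by the intentional `state: latest` full upgrade on RedHat; an inline `# noqa: package-latest` there documents the intent without hiding the rule elsewhere.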
diff --git a/.yamllint b/.yamllint
new file mode 100644
index 0000000..fbebdb8
--- /dev/null
+++ b/.yamllint
@@ -0,0 +1,39 @@
+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+    braces:
+        max-spaces-inside: 1
+        level: error
+    brackets:
+        max-spaces-inside: 1
+        level: error
+    colons:
+        max-spaces-after: -1
+        level: error
+    commas:
+        max-spaces-after: -1
+        level: error
+    # comments enable
+    comments: enable
+    comments-indentation: enable
+    document-start: enable
+    empty-lines:
+        max: 3
+        level: error
+    hyphens:
+        level: error
+    indentation:
+        level: warning
+        indent-sequences: consistent
+        spaces: 4
+        check-multi-line-strings: true
+    key-duplicates: enable
+    line-length: disable
+    new-line-at-end-of-file: enable
+    new-lines:
+        type: unix
+    # trailing-spaces enable
+    trailing-spaces: enable
+    truthy: enable
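Review bot: `indentation` is the one rule set to `level: warning`, so mixed 2/4-space indentation will pass CI even though this very commit normalizes every file to 4 spaces. Since the migration is done, lock it in with `level: error` so a future paste at 2 spaces is rejected rather than merely flagged.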
diff --git a/handlers/main.yml b/handlers/main.yml
index cd90d44..14cc685 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,25 +1,25 @@
 ---
 
-- name: restart-sshd
-  service:
-    name: ssh
-    state: restarted
+- name: Restart SSHD
+  ansible.builtin.service:
+      name: ssh
+      state: restarted
 
-- name: restart-cron
+- name: Restart cron
   ansible.builtin.service:
-    name: cron
-    state: restarted
+      name: cron
+      state: restarted
 
-- name: restart-apt-update-timer
+- name: Restart apt-update-timer
   ansible.builtin.systemd:
-    name: apt-daily.timer
-    daemon_reload: true
-    state: restarted
-    enabled: true
+      name: apt-daily.timer
+      daemon_reload: true
+      state: restarted
+      enabled: true
 
-- name: restart-apt-upgrade-timer
+- name: Restart apt-upgrade-timer
   ansible.builtin.systemd:
-    name: apt-daily-upgrade.timer
-    daemon_reload: true
-    state: restarted
-    enabled: true
+      name: apt-daily-upgrade.timer
+      daemon_reload: true
+      state: restarted
+      enabled: true
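Review bot: `Restart SSHD` and `Restart cron` restart services named `ssh` and `cron`, which are the Debian/Ubuntu unit names, yet meta/main.yml in this same patch lists EL 7 as a supported platform, where the units are (to my knowledge) `sshd` and `crond`; the timezone task notifies `Restart cron` with no OS condition, so on EL the handler would fail the play. Move the names into the OS-specific vars files (e.g. `sshd_service_name: ssh` in vars/Debian.yml, `sshd_service_name: sshd` in vars/RedHat.yml, same for cron) and use `name: "{{ sshd_service_name }}"` here and in the "Enable SSH daemon service" task. Alternatively, drop EL from `platforms` if it is no longer targeted.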
diff --git a/meta/main.yml b/meta/main.yml
index 3cc6d90..ccffe37 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,19 +1,19 @@
 ---
 galaxy_info:
-  author: Rémi
-  description: Initialization role (upgrade packages, create users, configure sudoers, SSHD and public keys, collect facts, etc.)
-  company: Le Filament (https://le-filament.com)
-  license: AGPL-3.0-or-later
-  min_ansible_version: 2.1
-  platforms:
-    - name: EL
-      versions:
-        - 7
-    - name: Ubuntu
-      versions:
-        - bionic
-        - focal
-  galaxy_tags:
-    - sshd
-    - upgrade
-    - user
+    author: lefilament
+    description: Initialization role (upgrade packages, create users, configure sudoers, SSHD and public keys, collect facts, etc.)
+    company: Le Filament (https://le-filament.com)
+    license: AGPL-3.0-or-later
+    min_ansible_version: "2.1"
+    platforms:
+        - name: EL
+          versions:
+              - "7"
+        - name: Ubuntu
+          versions:
+              - bionic
+              - focal
+    galaxy_tags:
+        - sshd
+        - upgrade
+        - user
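Review bot: `min_ansible_version: "2.1"` is no longer truthful: tasks/main.yml in this patch now uses `ansible.posix.authorized_key`, `ansible.posix.sysctl` and `community.general.timezone`, which require ansible-core 2.9/2.10+ and the two collections to be installed, and nothing in meta declares them. Bump to at least `"2.10"` and add a `collections:` list (`ansible.posix`, `community.general`) to meta/main.yml, or document them in a `requirements.yml`, so a consumer gets an explicit failure instead of "couldn't resolve module" at runtime. `bionic` is also past standard support at the commit date; consider whether it still belongs in `platforms`.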
diff --git a/tasks/main.yml b/tasks/main.yml
index d605b84..d5bec29 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,350 +1,350 @@
 ---
 - name: Include OS-specific variables.
-  include_vars: "{{ ansible_os_family }}.yml"
+  ansible.builtin.include_vars: "{{ ansible_os_family }}.yml"
 
 - name: Set machine hostname
-  hostname:
-    name: "{{ inventory_hostname_short | lower | regex_replace('_','') }}"
+  ansible.builtin.hostname:
+      name: "{{ inventory_hostname_short | lower | regex_replace('_', '') }}"
 
 - name: Set timezone to Europe/Paris
   community.general.timezone:
-    name: Europe/Paris
+      name: Europe/Paris
   notify:
-    - restart-cron
+      - Restart cron
 
 - name: Never include APT phased update
-  copy:
-    src: apt-phased-updates
-    dest: /etc/apt/apt.conf.d/99-Phased-Updates
-    owner: root
-    group: root
-    mode: '0644'
+  ansible.builtin.copy:
+      src: apt-phased-updates
+      dest: /etc/apt/apt.conf.d/99-Phased-Updates
+      owner: root
+      group: root
+      mode: '0644'
   when: ansible_os_family == "Debian"
 
 - name: Debian Update repo and upgrade installed packages
-  apt:
-    update_cache: true
-    upgrade: full
-    autoremove: true
-    force: true
-    install_recommends: false
+  ansible.builtin.apt:
+      update_cache: true
+      upgrade: full
+      autoremove: true
+      force: true
+      install_recommends: false
   async: 1200
   poll: 20
   when: not ansible_check_mode and ansible_os_family == "Debian"
 
 - name: Debian check Update repo and upgrade installed packages
-  apt:
-    update_cache: true
-    upgrade: full
-    autoremove: true
-    force: true
-    install_recommends: false
+  ansible.builtin.apt:
+      update_cache: true
+      upgrade: full
+      autoremove: true
+      force: true
+      install_recommends: false
   when: ansible_check_mode and ansible_os_family == "Debian"
 
 - name: RedHat Update repo and upgrade installed packages
-  yum:
-    update_cache: true
-    name: '*'
-    state: latest
+  ansible.builtin.yum:
+      update_cache: true
+      name: '*'
+      state: latest
   when: ansible_os_family == "RedHat"
 
 - name: Remove unecessary packages if present
-  apt:
-    name: "{{ packages_to_remove }}"
-    autoremove: true
-    purge: true
-    state: absent
+  ansible.builtin.apt:
+      name: "{{ packages_to_remove }}"
+      autoremove: true
+      purge: true
+      state: absent
   when: ansible_os_family == "Debian"
 
 - name: Remove unecessary files if present
-  file:
-    path: "{{ item }}"
-    state: absent
+  ansible.builtin.file:
+      path: "{{ item }}"
+      state: absent
   when: ansible_os_family == "Debian"
   with_items: "{{ files_to_remove }}"
 
 - name: Remove unecessary users if present
-  user:
-    name: "{{ item }}"
-    remove: true
-    state: absent
+  ansible.builtin.user:
+      name: "{{ item }}"
+      remove: true
+      state: absent
   with_items: "{{ users_to_remove }}"
 
-- name: disable dynamic motd news
-  lineinfile:
-    name: "/etc/default/motd-news"
-    regexp: "ENABLED=1"
-    line: "ENABLED=0"
-    mode: '0644'
+- name: Disable dynamic motd news
+  ansible.builtin.lineinfile:
+      name: "/etc/default/motd-news"
+      regexp: "ENABLED=1"
+      line: "ENABLED=0"
+      mode: '0644'
   when: ansible_os_family == "Debian"
-  ignore_errors: yes
+  ignore_errors: true
 
 - name: Copy nosnap file
-  copy:
-    src: nosnap
-    dest: /etc/apt/preferences.d/nosnap
-    owner: root
-    group: root
-    mode: '0644'
+  ansible.builtin.copy:
+      src: nosnap
+      dest: /etc/apt/preferences.d/nosnap
+      owner: root
+      group: root
+      mode: '0644'
   when: ansible_os_family == "Debian"
 
 - name: Remove Unattended Upgrades
-  apt:
-    name: "unattended-upgrades"
-    autoremove: true
-    purge: true
-    state: absent
+  ansible.builtin.apt:
+      name: "unattended-upgrades"
+      autoremove: true
+      purge: true
+      state: absent
   when: ansible_os_family == "Debian" and inventory_hostname not in groups.maintenance_contract
   tags: unattended-upgrade
 
 - name: Install Unattended Upgrades
-  apt:
-    name: "unattended-upgrades"
-    state: present
+  ansible.builtin.apt:
+      name: "unattended-upgrades"
+      state: present
   when: ansible_os_family == "Debian" and inventory_hostname in groups.maintenance_contract
   tags: unattended-upgrade
 
-- name: enable apt auto upgrades
-  copy:
-    src: apt-auto-upgrades
-    dest: /etc/apt/apt.conf.d/20auto-upgrades
-    owner: root
-    group: root
-    mode: '0644'
+- name: Enable apt auto upgrades
+  ansible.builtin.copy:
+      src: apt-auto-upgrades
+      dest: /etc/apt/apt.conf.d/20auto-upgrades
+      owner: root
+      group: root
+      mode: '0644'
   when: ansible_os_family == "Debian"
 
 - name: Copy Unattended Upgrades configuration
-  template:
-    src: 'apt-unattended-upgrades.j2'
-    dest: '/etc/apt/apt.conf.d/50unattended-upgrades'
-    owner: root
-    group: root
-    mode: '0644'
+  ansible.builtin.template:
+      src: 'apt-unattended-upgrades.j2'
+      dest: '/etc/apt/apt.conf.d/50unattended-upgrades'
+      owner: root
+      group: root
+      mode: '0644'
   when: inventory_hostname in groups.maintenance_contract
   tags: unattended-upgrade
 
 - name: Create apt-daily timer directory if it does not exist
   ansible.builtin.file:
-    path: '/etc/systemd/system/apt-daily.timer.d'
-    state: directory
-    owner: root
-    group: root
-    mode: '0755'
+      path: '/etc/systemd/system/apt-daily.timer.d'
+      state: directory
+      owner: root
+      group: root
+      mode: '0755'
   when: inventory_hostname in groups.maintenance_contract
   tags: unattended-upgrade
 
-- name: override apt-daily timer
+- name: Override apt-daily timer
   ansible.builtin.copy:
-    src: 'apt-daily.timer'
-    dest: '/etc/systemd/system/apt-daily.timer.d/override.conf'
-    owner: root
-    group: root
-    mode: '0644'
+      src: 'apt-daily.timer'
+      dest: '/etc/systemd/system/apt-daily.timer.d/override.conf'
+      owner: root
+      group: root
+      mode: '0644'
   when: inventory_hostname in groups.maintenance_contract
   tags: unattended-upgrade
   notify:
-    - restart-apt-update-timer
+      - Restart apt-update-timer
 
 - name: Create apt-daily-upgrade timer directory if it does not exist
   ansible.builtin.file:
-    path: '/etc/systemd/system/apt-daily-upgrade.timer.d'
-    state: directory
-    owner: root
-    group: root
-    mode: '0755'
+      path: '/etc/systemd/system/apt-daily-upgrade.timer.d'
+      state: directory
+      owner: root
+      group: root
+      mode: '0755'
   when: inventory_hostname in groups.maintenance_contract
   tags: unattended-upgrade
 
-- name: override apt-daily-upgrade timer
+- name: Override apt-daily-upgrade timer
   ansible.builtin.copy:
-    src: 'apt-daily-upgrade.timer'
-    dest: '/etc/systemd/system/apt-daily-upgrade.timer.d/override.conf'
-    owner: root
-    group: root
-    mode: '0644'
+      src: 'apt-daily-upgrade.timer'
+      dest: '/etc/systemd/system/apt-daily-upgrade.timer.d/override.conf'
+      owner: root
+      group: root
+      mode: '0644'
   when: inventory_hostname in groups.maintenance_contract
   tags: unattended-upgrade
   notify:
-    - restart-apt-upgrade-timer
-
-- name: Create {{ host_user }} group
-  group:
-    name: "{{ host_user }}"
-
-- name: Create {{ host_user }} user
-  user:
-    name: "{{ host_user }}"
-    group: "{{ host_user }}"
-    password: "{{ host_password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"
-    generate_ssh_key: true
-    ssh_key_file: .ssh/id_ed25519
-    ssh_key_type: ed25519
-    shell: /bin/bash
+      - Restart apt-upgrade-timer
+
+- name: Create group {{ host_user }}
+  ansible.builtin.group:
+      name: "{{ host_user }}"
+
+- name: Create user {{ host_user }}
+  ansible.builtin.user:
+      name: "{{ host_user }}"
+      group: "{{ host_user }}"
+      password: "{{ host_password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"
+      generate_ssh_key: true
+      ssh_key_file: .ssh/id_ed25519
+      ssh_key_type: ed25519
+      shell: /bin/bash
   register: publickey
 
 - name: Save public key to hostvars for SFTP
-  lineinfile:
-    name: "host_vars/{{ inventory_hostname }}"
-    regexp: "host_user_public_key:"
-    line: "host_user_public_key: {{ publickey.ssh_public_key }}"
-    mode: '0664'
+  ansible.builtin.lineinfile:
+      name: "host_vars/{{ inventory_hostname }}"
+      regexp: "host_user_public_key:"
+      line: "host_user_public_key: {{ publickey.ssh_public_key }}"
+      mode: '0664'
   connection: local
   become: false
   delegate_to: localhost
 
-- name: Create {{ host_user2 }} group
-  group:
-    name: "{{ host_user2 }}"
+- name: Create group {{ host_user2 }}
+  ansible.builtin.group:
+      name: "{{ host_user2 }}"
   when: host_user2 is defined
 
-- name: Create {{ host_user2 }} user
-  user:
-    name: "{{ host_user2 }}"
-    group: "{{ host_user2 }}"
-    password: "{{ host_password2 | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"
-    generate_ssh_key: true
-    ssh_key_file: .ssh/id_ed25519
-    ssh_key_type: ed25519
-    shell: /bin/bash
+- name: Create user {{ host_user2 }}
+  ansible.builtin.user:
+      name: "{{ host_user2 }}"
+      group: "{{ host_user2 }}"
+      password: "{{ host_password2 | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"
+      generate_ssh_key: true
+      ssh_key_file: .ssh/id_ed25519
+      ssh_key_type: ed25519
+      shell: /bin/bash
   when: host_user2 is defined
 
-- name: add user(s) in sudoers
-  template:
-    src: sudoers.j2
-    dest: /etc/sudoers
-    owner: root
-    group: root
-    mode: '440'
-    validate: /usr/sbin/visudo -cf %s
+- name: Add user(s) in sudoers
+  ansible.builtin.template:
+      src: sudoers.j2
+      dest: /etc/sudoers
+      owner: root
+      group: root
+      mode: '440'
+      validate: /usr/sbin/visudo -cf %s
   tags: sudoers
 
-- name: quiet nagios authentification
+- name: Quiet nagios authentification
   ansible.builtin.copy:
-    src: 'pam-sudo'
-    dest: '/etc/pam.d/sudo'
-    owner: root
-    group: root
-    mode: '0644'
-
-- name: add public key to authorized keys for {{ host_user }}
-  authorized_key:
-    key: "{{ default_ssh_public_keys }}"
-    user: "{{ host_user }}"
-    exclusive: true
+      src: 'pam-sudo'
+      dest: '/etc/pam.d/sudo'
+      owner: root
+      group: root
+      mode: '0644'
+
+- name: Add public key to authorized keys for {{ host_user }}
+  ansible.posix.authorized_key:
+      key: "{{ default_ssh_public_keys }}"
+      user: "{{ host_user }}"
+      exclusive: true
   tags: sshd
 
-- name: add public key to authorized keys for {{ host_user2 }}
-  authorized_key:
-    key: "{{ host_user2_pubkey }}"
-    user: "{{ host_user2 }}"
-    exclusive: true
+- name: Add public key to authorized keys for {{ host_user2 }}
+  ansible.posix.authorized_key:
+      key: "{{ host_user2_pubkey }}"
+      user: "{{ host_user2 }}"
+      exclusive: true
   when: host_user2 is defined and host_user2_pubkey is defined
   tags: sshd
 
-- name: make sure /etc/ssh/ssh_host_ed25519_key exists
-  stat:
-    path: /etc/ssh/ssh_host_ed25519_key
+- name: Make sure /etc/ssh/ssh_host_ed25519_key exists
+  ansible.builtin.stat:
+      path: /etc/ssh/ssh_host_ed25519_key
   register: ssh_host_exists
   tags: sshd
 
 - name: Generate /etc/ssh/ssh_host_ed25519_key if missing
-  command: ssh-keygen -A
+  ansible.builtin.command: ssh-keygen -A
   when: not ssh_host_exists.stat.exists and not ansible_check_mode
   tags: sshd
 
 - name: Copy sshd_config file
-  template:
-    src: sshd_config.j2
-    dest: /etc/ssh/sshd_config
-    owner: root
-    group: root
-    mode: '0644'
-    validate: /usr/sbin/sshd -t -f %s
-  notify: restart-sshd
+  ansible.builtin.template:
+      src: sshd_config.j2
+      dest: /etc/ssh/sshd_config
+      owner: root
+      group: root
+      mode: '0644'
+      validate: /usr/sbin/sshd -t -f %s
+  notify: Restart SSHD
   tags: sshd
 
 - name: Enable SSH daemon service
-  service:
-    name: ssh
-    enabled: true
+  ansible.builtin.service:
+      name: ssh
+      enabled: true
 
 - name: Copy bashrc file with session timeout
-  copy:
-    src: bash.bashrc
-    dest: /etc/bash.bashrc
-    owner: root
-    group: root
-    mode: '0644'
+  ansible.builtin.copy:
+      src: bash.bashrc
+      dest: /etc/bash.bashrc
+      owner: root
+      group: root
+      mode: '0644'
   when: ansible_os_family == "Debian"
 
 - name: Add session timeout
-  blockinfile:
-    path: /etc/bashrc
-    block: |
-      TMOUT=900
-      readonly TMOUT
-      export TMOUT
+  ansible.builtin.blockinfile:
+      path: /etc/bashrc
+      block: |
+          TMOUT=900
+          readonly TMOUT
+          export TMOUT
   when: ansible_os_family == "RedHat"
 
-- name: disable ipv6
-  sysctl:
-    name: "net.ipv6.conf.all.forwarding"
-    value: '1'
-    sysctl_set: true
-
-- name: setup ipv6
-  template:
-    src: 51-ipv6.yaml.j2
-    dest: /etc/netplan/51-ipv6.yaml
-    owner: root
-    group: root
-    mode: '0644'
+- name: Enable ipv6 forwarding
+  ansible.posix.sysctl:
+      name: "net.ipv6.conf.all.forwarding"
+      value: '1'
+      sysctl_set: true
+
+- name: Setup ipv6
+  ansible.builtin.template:
+      src: 51-ipv6.yaml.j2
+      dest: /etc/netplan/51-ipv6.yaml
+      owner: root
+      group: root
+      mode: '0644'
   when: ipv6_address is defined and inventory_hostname in groups['manual_ipv6']
 
-- name: set default path
-  template:
-    src: environment.j2
-    dest: /etc/environment
-    owner: root
-    group: root
-    mode: '0644'
+- name: Set default path
+  ansible.builtin.template:
+      src: environment.j2
+      dest: /etc/environment
+      owner: root
+      group: root
+      mode: '0644'
   when: ansible_os_family == "Debian"
 
 - name: Check if backup servers present in root known hosts
-  lineinfile:
-    path: /root/.ssh/known_hosts
-    regexp: "{{ hostvars[item].host_server_public_key }}"
-    state: absent
+  ansible.builtin.lineinfile:
+      path: /root/.ssh/known_hosts
+      regexp: "{{ hostvars[item].host_server_public_key }}"
+      state: absent
   check_mode: true
   changed_when: false
   register: known_hosts_line
   with_items: "{{ groups.backup_server }}"
 
 - name: Add backup servers in root known host
-  known_hosts:
-    hash_host: true
-    key: "{{ hostvars[item['item']].host_server_known_entry }}"
-    name: "[{{ hostvars[item['item']].ansible_host }}]:{{ default_sshd_port }}"
+  ansible.builtin.known_hosts:
+      hash_host: true
+      key: "{{ hostvars[item['item']].host_server_known_entry }}"
+      name: "[{{ hostvars[item['item']].ansible_host }}]:{{ default_sshd_port }}"
   when: item.found is not defined
   with_items: "{{ known_hosts_line.results }}"
 
 - name: Copy Installed Package Listing script on server
-  template:
-    src: collect_installed_packages_facts_{{ ansible_os_family }}.sh.j2
-    dest: /root/collect_installed_packages_facts.sh
-    owner: root
-    group: root
-    mode: '0700'
-
-- name: disable e-mailing of crontab
-  cron:
-    name: MAILTO
-    env: true
-    job: ""
-
-- name: add cron job to check installed packages every day
-  cron:
-    name: collect installed packages facts
-    minute: "43"
-    hour: "0"
-    job: /root/collect_installed_packages_facts.sh
+  ansible.builtin.template:
+      src: collect_installed_packages_facts_{{ ansible_os_family }}.sh.j2
+      dest: /root/collect_installed_packages_facts.sh
+      owner: root
+      group: root
+      mode: '0700'
+
+- name: Disable e-mailing of crontab
+  ansible.builtin.cron:
+      name: MAILTO
+      env: true
+      job: ""
+
+- name: Add cron job to check installed packages every day
+  ansible.builtin.cron:
+      name: collect installed packages facts
+      minute: "43"
+      hour: "0"
+      job: /root/collect_installed_packages_facts.sh
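Review bot: Both `ansible.builtin.apt` full-upgrade tasks ("Debian Update repo and upgrade installed packages" and its check-mode twin) keep `force: true`, which maps to `apt-get --force-yes` and implies `allow_unauthenticated` — package signature and repository certificate checks are disabled for the upgrade that this initialization role runs on every host, which is a direct supply-chain exposure. The upgrade already runs non-interactively without it, so drop the two `force: true` lines; if a downgrade or held package was the original motivation, use `allow_downgrade: true` or `dpkg_options` explicitly instead, neither of which bypasses signature verification. Separately, `Enable ipv6 forwarding` sets `net.ipv6.conf.all.forwarding=1` on every host with no `when`, while the netplan task next to it is gated on `groups['manual_ipv6']`; unless every server is meant to route IPv6 (it also disables RA acceptance on those hosts), gate the sysctl the same way. Lastly, `regexp: "{{ hostvars[item].host_server_public_key }}"` feeds a base64 key into a regex where `+` is a metacharacter, so the known_hosts presence check can mis-match; wrap it as `regexp: "{{ hostvars[item].host_server_public_key | regex_escape }}"`.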
diff --git a/vars/Debian.yml b/vars/Debian.yml
index 61ed1d6..8fbddb3 100644
--- a/vars/Debian.yml
+++ b/vars/Debian.yml
@@ -1,18 +1,18 @@
 ---
 packages_to_remove:
-  - samba*
-  - snapd
-  - popularity-contest
-  - ubuntu-advantage-tools
+    - samba*
+    - snapd
+    - popularity-contest
+    - ubuntu-advantage-tools
 files_to_remove:
-  - /etc/dhcp/dhclient-enter-hooks.d/samba
-  - /root/snap
-  - /home/{{ host_user }}/snap
-  - /snap
-  - /usr/games
-  - /usr/local/games
-  - /var/cache/snapd
-  - /var/snap
-  - /var/lib/snapd
+    - /etc/dhcp/dhclient-enter-hooks.d/samba
+    - /root/snap
+    - /home/{{ host_user }}/snap
+    - /snap
+    - /usr/games
+    - /usr/local/games
+    - /var/cache/snapd
+    - /var/snap
+    - /var/lib/snapd
 users_to_remove:
-  - zabbix
+    - zabbix
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
index 1fb5304..19762d8 100644
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@@ -2,4 +2,4 @@
 packages_to_remove: []
 files_to_remove: []
 users_to_remove:
-  - zabbix
+    - zabbix
-- 
GitLab