Valider 820bfe6b rédigé par Rémi - Le Filament's avatar Rémi - Le Filament

[UPD] ansible-lint

parent 2a9e7a0f
---
warn_list: # or 'skip_list' to silence them completely
- git-latest # Git checkouts must contain explicit version
- ignore-errors # Use failed_when and specify error conditions instead of using ignore_errors
- no-changed-when # Commands should not change things if nothing needs doing
- no-handler # Tasks that run when changed should likely be handlers
- package-latest # Package installs should not use latest
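Review bot: The warn_list entries `package-latest` and `git-latest` downgrade the two rules that flag unpinned package and git-checkout versions to warnings, so an unpinned install would pass lint silently; every visible task in this commit already uses `state: present`, which suggests these entries are the stock ansible-lint template rather than a deliberate waiver. The inline comments only restate the rule text, not why this role waives it; either drop those two entries so the rules stay enforced, or replace the comment with the project's reason, e.g. `- package-latest  # TODO: state why this role accepts unpinned packages`. Whether this file is new or modified cannot be read from the rendered page.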
---
# Based on ansible-lint config
extends: default
rules:
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
colons:
max-spaces-after: -1
level: error
commas:
max-spaces-after: -1
level: error
# comments enable
comments: enable
comments-indentation: enable
document-start: enable
empty-lines:
max: 3
level: error
hyphens:
level: error
indentation:
level: warning
indent-sequences: consistent
spaces: 4
check-multi-line-strings: true
key-duplicates: enable
line-length: disable
new-line-at-end-of-file: enable
new-lines:
type: unix
# trailing-spaces enable
trailing-spaces: enable
truthy: enable
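Review bot: The comments `# comments enable` and `# trailing-spaces enable` above the `comments:` and `trailing-spaces:` keys merely repeat the line below them and can be removed. If a comment is wanted there, make it say why the setting matters for this repo rather than what it is. The `document-start: enable` rule will also apply to the role's task and handler files, which is consistent with the `---` markers seen in the other sections of this commit.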
---
- name: restore-iptables
service: name=netfilter-persistent state=restarted
- name: Restore iptables
ansible.builtin.service:
name: netfilter-persistent
state: restarted
- name: restart fail2ban
service: name=fail2ban state=restarted
- name: Restart fail2ban
ansible.builtin.service:
name: fail2ban
state: restarted
- name: restart docker
service: name=docker state=restarted
- name: Restart docker
ansible.builtin.service:
name: docker
state: restarted
when: inventory_hostname in groups.docker
- name: restart auditd
service: name=auditd state=restarted
- name: Restart auditd
ansible.builtin.service:
name: auditd
state: restarted
- name: restart rsyslog
service: name=rsyslog state=restarted
- name: Restart rsyslog
ansible.builtin.service:
name: rsyslog
state: restarted
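Review bot: The `Restart docker` handler's condition `when: inventory_hostname in groups.docker` raises an undefined-attribute error on any inventory that has no `docker` group, which turns a notify from the iptables tasks into a play failure on non-docker hosts; it cannot be read from the rendered page whether this line is new or carried over. A safe form is `when: inventory_hostname in (groups['docker'] | default([]))`. Handler order in this file (iptables restore, then fail2ban, then docker) is the order that re-creates the fail2ban and docker chains after netfilter-persistent flushes them, so a one-line comment stating that the order is intentional, e.g. `# Order matters: iptables restore flushes chains that fail2ban/docker re-insert`, would keep a future reorder from breaking it.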
---
galaxy_info:
author: Rémi
author: lefilament
description: This role installs and configures security on servers (iptables, fail2ban, auditd)
company: Le Filament (https://le-filament.com)
license: AGPL-3.0-or-later
min_ansible_version: 2.1
min_ansible_version: "2.1"
platforms:
- name: Ubuntu
versions:
......
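Review bot: `min_ansible_version: "2.1"` is now inaccurate, because this commit moves every module to its `ansible.builtin.*` fully-qualified name, and FQCN module references require ansible-base/ansible-core 2.10 or later; a consumer on an older Ansible would pass the metadata check and then fail at the first task. Bump it to at least `"2.10"` (or whichever version the role is actually tested against). The remainder of the `platforms` block is outside the visible hunk.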
---
- name: remove mail packages not necessary
apt:
- name: Remove mail packages not necessary
ansible.builtin.apt:
name: [bsd-mailx mailutils postfix]
autoremove: true
state: absent
when: ansible_os_family == "Debian"
- name: check that ssmtp is installed
package: name=ssmtp state=present
- name: Check that ssmtp is installed
ansible.builtin.package:
name: ssmtp
state: present
- name: Check that sendmail redirects to ssmtp
file:
ansible.builtin.file:
src: ssmtp
dest: /usr/sbin/sendmail
force: true
......@@ -18,8 +20,8 @@
group: mail
state: link
- name: configuration file for ssmtp
template:
- name: Configuration file for ssmtp
ansible.builtin.template:
src: ssmtp.conf.j2
dest: /etc/ssmtp/ssmtp.conf
owner: root
......
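Review bot: `name: [bsd-mailx mailutils postfix]` in the `Remove mail packages not necessary` task is a one-element flow sequence whose single item is the string `bsd-mailx mailutils postfix`, because flow-sequence items are comma-separated, not space-separated; apt is asked to remove a package with that literal name, so none of the three packages (including the postfix MTA this task exists to remove) is actually uninstalled. This line appears unchanged by the commit, but it is on the new side and the switch to `ansible.builtin.apt` does not fix it; write it as `name: [bsd-mailx, mailutils, postfix]` or as a block list. The `Configuration file for ssmtp` task's remaining lines are outside the hunk; if no `mode` is set there, one should be, since ssmtp.conf can carry SMTP credentials.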
---
- name: import mail tasks
import_tasks: mail.yml
- name: Import mail tasks
ansible.builtin.import_tasks: mail.yml
when: server_security__manage_mail == 'enabled'
- name: install fail2ban, iptables-persistent and auditd
package:
- name: Install fail2ban, iptables-persistent and auditd
ansible.builtin.package:
name:
- fail2ban
- iptables-persistent
......@@ -14,8 +14,8 @@
poll: 10
when: not ansible_check_mode
- name: check presence of fail2ban, iptables-persistent and auditd packages
package:
- name: Check presence of fail2ban, iptables-persistent and auditd packages
ansible.builtin.package:
name:
- fail2ban
- iptables-persistent
......@@ -23,28 +23,37 @@
state: present
when: ansible_check_mode
- name: make fail2ban persistent
service: name=fail2ban enabled=yes state=started
- name: Make fail2ban persistent
ansible.builtin.service:
name: fail2ban
enabled: true
state: started
- name: make sure netfilter-persistent is enabled
service: name=netfilter-persistent enabled=yes state=started
- name: Make sure netfilter-persistent is enabled
ansible.builtin.service:
name: netfilter-persistent
enabled: true
state: started
- name: make sure auditd is enabled
service: name=auditd enabled=yes state=started
- name: Make sure auditd is enabled
ansible.builtin.service:
name: auditd
enabled: true
state: started
- name: push specific fail2ban jail configuration file
template:
- name: Push specific fail2ban jail configuration file
ansible.builtin.template:
src: "jail.{{ ansible_distribution }}{{ ansible_distribution_major_version }}.j2"
dest: "/etc/fail2ban/jail.local"
owner: 'root'
group: 'root'
mode: '0644'
when: ansible_os_family == "Debian"
notify: restart fail2ban
notify: Restart fail2ban
tags: fail2ban
- name: push specific fail2ban actions
template:
- name: Push specific fail2ban actions
ansible.builtin.template:
src: "{{ item }}.j2"
dest: "/etc/fail2ban/{{ item }}.local"
owner: 'root'
......@@ -54,67 +63,67 @@
- action.d/sendmail-common
- action.d/sendmail-whois-lines
when: ansible_os_family == "Debian"
notify: restart fail2ban
notify: Restart fail2ban
tags: fail2ban
- name: push specific fail2ban filters
copy:
- name: Push specific fail2ban filters
ansible.builtin.copy:
src: traefik-auth
dest: "/etc/fail2ban/filter.d/traefik-auth.conf"
owner: 'root'
group: 'root'
mode: '0644'
force: no
force: false
when: inventory_hostname in groups.docker
notify: restart fail2ban
notify: Restart fail2ban
tags: fail2ban
- name: create iptables configuration
template:
- name: Create iptables configuration
ansible.builtin.template:
src: iptables.conf.j2
dest: /etc/iptables/rules.v4
owner: root
group: root
mode: '0600'
notify:
- restore-iptables
- restart fail2ban
- restart docker
- Restore iptables
- Restart fail2ban
- Restart docker
- name: create ip6tables configuration
template:
- name: Create ip6tables configuration
ansible.builtin.template:
src: ip6tables.conf.j2
dest: "/etc/iptables/rules.v6"
owner: root
group: root
mode: '0600'
notify:
- restore-iptables
- restart fail2ban
- restart docker
- Restore iptables
- Restart fail2ban
- Restart docker
- name: push iptables rsyslog configuration
copy:
- name: Push iptables rsyslog configuration
ansible.builtin.copy:
src: rsyslog.d-iptables
dest: /etc/rsyslog.d/33-iptables.conf
owner: root
group: root
mode: '0644'
notify: restart rsyslog
notify: Restart rsyslog
- name: push iptables logrotate configuration
copy:
- name: Push iptables logrotate configuration
ansible.builtin.copy:
src: logrotate.d-iptables
dest: /etc/logrotate.d/iptables
owner: root
group: root
mode: '0644'
- name: configuration file for auditd
template:
- name: Configuration file for auditd
ansible.builtin.template:
src: audit.rules.j2
dest: /etc/audit/rules.d/audit.rules
owner: root
group: root
mode: '0640'
notify: restart auditd
notify: Restart auditd
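Review bot: `force: false` on the `Push specific fail2ban filters` task (hunk `@@ -54,67 +63,67 @@`) means an existing `/etc/fail2ban/filter.d/traefik-auth.conf` is never refreshed, so a later fix to the filter's regexes in the role will not reach hosts that already have the file; the commit only renames `no` to `false`, so the behaviour is unchanged, but it deserves a comment stating the reason, e.g. `# force: false — never overwrite a locally tuned filter; bump by hand` (or drop the flag if local edits are not expected). Also a point of style in the same hunk: `dest: "/etc/iptables/rules.v6"` and `dest: "/etc/fail2ban/jail.local"` are quoted while `dest: /etc/iptables/rules.v4` is not, and `owner: 'root'` alternates with `owner: root`; pick one form for plain paths and names across the file.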