From 820bfe6b2bab9d341e215731aecf33161b6eaa8b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20-=20Le=20Filament?= <remi@le-filament.com>
Date: Wed, 5 Jul 2023 16:13:12 +0200
Subject: [PATCH] [UPD] ansible-lint

---
 .ansible-lint | 7 ++
 .yamllint | 39 ++++++++++
 handlers/main.yml | 30 ++++---
 meta/main.yml | 34 ++++----
 tasks/mail.yml | 44 ++++++-----
 tasks/main.yml | 193 ++++++++++++++++++++++++----------------------
 6 files changed, 207 insertions(+), 140 deletions(-)
 create mode 100644 .ansible-lint
 create mode 100644 .yamllint

diff --git a/.ansible-lint b/.ansible-lint
new file mode 100644
index 0000000..8d40d06
--- /dev/null
+++ b/.ansible-lint
@@ -0,0 +1,7 @@
+---
+warn_list: # or 'skip_list' to silence them completely
+ - git-latest # Git checkouts must contain explicit version
+ - ignore-errors # Use failed_when and specify error conditions instead of using ignore_errors
+ - no-changed-when # Commands should not change things if nothing needs doing
+ - no-handler # Tasks that run when changed should likely be handlers
+ - package-latest # Package installs should not use latest
diff --git a/.yamllint b/.yamllint
new file mode 100644
index 0000000..fbebdb8
--- /dev/null
+++ b/.yamllint
@@ -0,0 +1,39 @@
+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+ braces:
+ max-spaces-inside: 1
+ level: error
+ brackets:
+ max-spaces-inside: 1
+ level: error
+ colons:
+ max-spaces-after: -1
+ level: error
+ commas:
+ max-spaces-after: -1
+ level: error
+ # comments enable
+ comments: enable
+ comments-indentation: enable
+ document-start: enable
+ empty-lines:
+ max: 3
+ level: error
+ hyphens:
+ level: error
+ indentation:
+ level: warning
+ indent-sequences: consistent
+ spaces: 4
+ check-multi-line-strings: true
+ key-duplicates: enable
+ line-length: disable
+ new-line-at-end-of-file: enable
+ new-lines:
+ type: unix
+ # trailing-spaces enable
+ trailing-spaces: enable
+ truthy: enable
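Review bot: warn_list demotes git-latest, package-latest and ignore-errors to warnings although nothing in this patch triggers them — every visible install uses `state: present` and no task sets `ignore_errors` — so those three entries only pre-mute a future regression rather than an existing finding. For a role whose job is hardening, explicit version pinning and explicit failure conditions are exactly the checks worth keeping fatal; consider deleting those three lines so a later `state: latest` or `ignore_errors` fails lint instead of warning. If the stock template is kept on purpose, a one-line note such as `# pinning and error-handling rules are intentionally warnings only` above warn_list would make that a decision rather than an accident.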
diff --git a/handlers/main.yml b/handlers/main.yml
index 3eba505..eb83c91 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,17 +1,27 @@
 ---
-- name: restore-iptables
- service: name=netfilter-persistent state=restarted
+- name: Restore iptables
+ ansible.builtin.service:
+ name: netfilter-persistent
+ state: restarted
-- name: restart fail2ban
- service: name=fail2ban state=restarted
+- name: Restart fail2ban
+ ansible.builtin.service:
+ name: fail2ban
+ state: restarted
-- name: restart docker
- service: name=docker state=restarted
+- name: Restart docker
+ ansible.builtin.service:
+ name: docker
+ state: restarted
 when: inventory_hostname in groups.docker
-- name: restart auditd
- service: name=auditd state=restarted
+- name: Restart auditd
+ ansible.builtin.service:
+ name: auditd
+ state: restarted
-- name: restart rsyslog
- service: name=rsyslog state=restarted
+- name: Restart rsyslog
+ ansible.builtin.service:
+ name: rsyslog
+ state: restarted
diff --git a/meta/main.yml b/meta/main.yml
index 9ba58c8..9db171b 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,19 +1,19 @@
 ---
 galaxy_info:
- author: Rémi
- description: This role installs and configures security on servers (iptables, fail2ban, auditd)
- company: Le Filament (https://le-filament.com)
- license: AGPL-3.0-or-later
- min_ansible_version: 2.1
- platforms:
- - name: Ubuntu
- versions:
- - xenial
- - bionic
- - focal
- galaxy_tags:
- - iptables
- - fail2ban
- - auditd
- - security
- - firewall
+ author: lefilament
+ description: This role installs and configures security on servers (iptables, fail2ban, auditd)
+ company: Le Filament (https://le-filament.com)
+ license: AGPL-3.0-or-later
+ min_ansible_version: "2.1"
+ platforms:
+ - name: Ubuntu
+ versions:
+ - xenial
+ - bionic
+ - focal
+ galaxy_tags:
+ - iptables
+ - fail2ban
+ - auditd
+ - security
+ - firewall
diff --git a/tasks/mail.yml b/tasks/mail.yml
index 07b19e5..3b820e1 100644
--- a/tasks/mail.yml
+++ b/tasks/mail.yml
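Review bot: The `when: inventory_hostname in groups.docker` guard on the Restart docker handler raises an undefined-attribute error on any inventory that has no `docker` group, so a run against a plain (non-docker) host fails at handler time instead of skipping the restart; the same condition is used on the Push specific fail2ban filters task in the tasks/main.yml hunk. Give the lookup a default so "no such group" means "not a docker host": `when: inventory_hostname in (groups['docker'] | default([]))`. The line is unchanged context here, but every iptables notify now resolves to this renamed handler, so it is the natural place to fix it in the same pass.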
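Review bot: `min_ansible_version: "2.1"` is stale once the tasks and handlers call modules by their `ansible.builtin.` fully-qualified names, which only resolve on ansible-core 2.10 and later; a controller that satisfies the declared minimum but predates that will fail on the first task with an unknown-module error. Bump it to `min_ansible_version: "2.10"` — keeping the quotes, as this hunk already does, so Galaxy does not read it as the float 2.1.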
@@ -1,27 +1,29 @@
 ---
-- name: remove mail packages not necessary
- apt:
- name: [bsd-mailx mailutils postfix]
- autoremove: true
- state: absent
+- name: Remove mail packages not necessary
+ ansible.builtin.apt:
+ name: [bsd-mailx mailutils postfix]
+ autoremove: true
+ state: absent
 when: ansible_os_family == "Debian"
-- name: check that ssmtp is installed
- package: name=ssmtp state=present
+- name: Check that ssmtp is installed
+ ansible.builtin.package:
+ name: ssmtp
+ state: present
 - name: Check that sendmail redirects to ssmtp
- file:
- src: ssmtp
- dest: /usr/sbin/sendmail
- force: true
- owner: root
- group: mail
- state: link
+ ansible.builtin.file:
+ src: ssmtp
+ dest: /usr/sbin/sendmail
+ force: true
+ owner: root
+ group: mail
+ state: link
-- name: configuration file for ssmtp
- template:
- src: ssmtp.conf.j2
- dest: /etc/ssmtp/ssmtp.conf
- owner: root
- group: mail
- mode: '0640'
+- name: Configuration file for ssmtp
+ ansible.builtin.template:
+ src: ssmtp.conf.j2
+ dest: /etc/ssmtp/ssmtp.conf
+ owner: root
+ group: mail
+ mode: '0640'
diff --git a/tasks/main.yml b/tasks/main.yml
index 61f3204..a110150 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
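Review bot: `name: [bsd-mailx mailutils postfix]` on the Remove mail packages task is a flow sequence with no commas, so it is a one-element list whose single entry is the string `bsd-mailx mailutils postfix`; apt is asked to remove one package of that literal name rather than the three MTAs, and since nothing by that name is ever installed the task most likely reports ok while postfix, mailutils and bsd-mailx stay on the host. The commit carries the line over to the new side unchanged, so the "hardened" mail setup silently leaves the full postfix stack in place next to ssmtp. Write it as `name: [bsd-mailx, mailutils, postfix]` (or a block list); with `autoremove: true` that then actually strips the unwanted mail stack before the sendmail symlink is redirected.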
@@ -1,120 +1,129 @@
 ---
-- name: import mail tasks
- import_tasks: mail.yml
+- name: Import mail tasks
+ ansible.builtin.import_tasks: mail.yml
 when: server_security__manage_mail == 'enabled'
-- name: install fail2ban, iptables-persistent and auditd
- package:
- name:
- - fail2ban
- - iptables-persistent
- - auditd
- state: present
+- name: Install fail2ban, iptables-persistent and auditd
+ ansible.builtin.package:
+ name:
+ - fail2ban
+ - iptables-persistent
+ - auditd
+ state: present
 async: 120
 poll: 10
 when: not ansible_check_mode
-- name: check presence of fail2ban, iptables-persistent and auditd packages
- package:
- name:
- - fail2ban
- - iptables-persistent
- - auditd
- state: present
+- name: Check presence of fail2ban, iptables-persistent and auditd packages
+ ansible.builtin.package:
+ name:
+ - fail2ban
+ - iptables-persistent
+ - auditd
+ state: present
 when: ansible_check_mode
-- name: make fail2ban persistent
- service: name=fail2ban enabled=yes state=started
+- name: Make fail2ban persistent
+ ansible.builtin.service:
+ name: fail2ban
+ enabled: true
+ state: started
-- name: make sure netfilter-persistent is enabled
- service: name=netfilter-persistent enabled=yes state=started
+- name: Make sure netfilter-persistent is enabled
+ ansible.builtin.service:
+ name: netfilter-persistent
+ enabled: true
+ state: started
-- name: make sure auditd is enabled
- service: name=auditd enabled=yes state=started
+- name: Make sure auditd is enabled
+ ansible.builtin.service:
+ name: auditd
+ enabled: true
+ state: started
-- name: push specific fail2ban jail configuration file
- template:
- src: "jail.{{ ansible_distribution }}{{ ansible_distribution_major_version }}.j2"
- dest: "/etc/fail2ban/jail.local"
- owner: 'root'
- group: 'root'
- mode: '0644'
+- name: Push specific fail2ban jail configuration file
+ ansible.builtin.template:
+ src: "jail.{{ ansible_distribution }}{{ ansible_distribution_major_version }}.j2"
+ dest: "/etc/fail2ban/jail.local"
+ owner: 'root'
+ group: 'root'
+ mode: '0644'
 when: ansible_os_family == "Debian"
- notify: restart fail2ban
+ notify: Restart fail2ban
 tags: fail2ban
-- name: push specific fail2ban actions
- template:
- src: "{{ item }}.j2"
- dest: "/etc/fail2ban/{{ item }}.local"
- owner: 'root'
- group: 'root'
- mode: '0644'
+- name: Push specific fail2ban actions
+ ansible.builtin.template:
+ src: "{{ item }}.j2"
+ dest: "/etc/fail2ban/{{ item }}.local"
+ owner: 'root'
+ group: 'root'
+ mode: '0644'
 with_items:
- - action.d/sendmail-common
- - action.d/sendmail-whois-lines
+ - action.d/sendmail-common
+ - action.d/sendmail-whois-lines
 when: ansible_os_family == "Debian"
- notify: restart fail2ban
+ notify: Restart fail2ban
 tags: fail2ban
-- name: push specific fail2ban filters
- copy:
- src: traefik-auth
- dest: "/etc/fail2ban/filter.d/traefik-auth.conf"
- owner: 'root'
- group: 'root'
- mode: '0644'
- force: no
+- name: Push specific fail2ban filters
+ ansible.builtin.copy:
+ src: traefik-auth
+ dest: "/etc/fail2ban/filter.d/traefik-auth.conf"
+ owner: 'root'
+ group: 'root'
+ mode: '0644'
+ force: false
 when: inventory_hostname in groups.docker
- notify: restart fail2ban
+ notify: Restart fail2ban
 tags: fail2ban
-- name: create iptables configuration
- template:
- src: iptables.conf.j2
- dest: /etc/iptables/rules.v4
- owner: root
- group: root
- mode: '0600'
+- name: Create iptables configuration
+ ansible.builtin.template:
+ src: iptables.conf.j2
+ dest: /etc/iptables/rules.v4
+ owner: root
+ group: root
+ mode: '0600'
 notify:
- - restore-iptables
- - restart fail2ban
- - restart docker
+ - Restore iptables
+ - Restart fail2ban
+ - Restart docker
-- name: create ip6tables configuration
- template:
- src: ip6tables.conf.j2
- dest: "/etc/iptables/rules.v6"
- owner: root
- group: root
- mode: '0600'
+- name: Create ip6tables configuration
+ ansible.builtin.template:
+ src: ip6tables.conf.j2
+ dest: "/etc/iptables/rules.v6"
+ owner: root
+ group: root
+ mode: '0600'
 notify:
- - restore-iptables
- - restart fail2ban
- - restart docker
+ - Restore iptables
+ - Restart fail2ban
+ - Restart docker
-- name: push iptables rsyslog configuration
- copy:
- src: rsyslog.d-iptables
- dest: /etc/rsyslog.d/33-iptables.conf
- owner: root
- group: root
- mode: '0644'
- notify: restart rsyslog
+- name: Push iptables rsyslog configuration
+ ansible.builtin.copy:
+ src: rsyslog.d-iptables
+ dest: /etc/rsyslog.d/33-iptables.conf
+ owner: root
+ group: root
+ mode: '0644'
+ notify: Restart rsyslog
-- name: push iptables logrotate configuration
- copy:
- src: logrotate.d-iptables
- dest: /etc/logrotate.d/iptables
- owner: root
- group: root
- mode: '0644'
+- name: Push iptables logrotate configuration
+ ansible.builtin.copy:
+ src: logrotate.d-iptables
+ dest: /etc/logrotate.d/iptables
+ owner: root
+ group: root
+ mode: '0644'
-- name: configuration file for auditd
- template:
- src: audit.rules.j2
- dest: /etc/audit/rules.d/audit.rules
- owner: root
- group: root
- mode: '0640'
- notify: restart auditd
+- name: Configuration file for auditd
+ ansible.builtin.template:
+ src: audit.rules.j2
+ dest: /etc/audit/rules.d/audit.rules
+ owner: root
+ group: root
+ mode: '0640'
+ notify: Restart auditd
-- GitLab
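Review bot: `force: false` on Push specific fail2ban filters means /etc/fail2ban/filter.d/traefik-auth.conf is written only when it does not yet exist, so any later change to the role's traefik-auth filter (a tightened or corrected failregex) is never rolled out to hosts that already have the file, the existing `notify: Restart fail2ban` never fires for it, and the task keeps reporting ok. Since the role is the only writer of that file, dropping the `force` line (the copy module's default overwrites on content change) keeps the detection rule in sync with the repository. If preserving local edits is the intent, state it above the task: `# force: false — local edits win; updates to this filter in the role are NOT propagated to hosts that already have it`.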