From 820bfe6b2bab9d341e215731aecf33161b6eaa8b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20-=20Le=20Filament?= <remi@le-filament.com>
Date: Wed, 5 Jul 2023 16:13:12 +0200
Subject: [PATCH] [UPD] ansible-lint

---
 .ansible-lint     |   7 ++
 .yamllint         |  39 ++++++++++
 handlers/main.yml |  30 ++++---
 meta/main.yml     |  34 ++++----
 tasks/mail.yml    |  44 ++++++-----
 tasks/main.yml    | 193 ++++++++++++++++++++++++----------------------
 6 files changed, 207 insertions(+), 140 deletions(-)
 create mode 100644 .ansible-lint
 create mode 100644 .yamllint

diff --git a/.ansible-lint b/.ansible-lint
new file mode 100644
index 0000000..8d40d06
--- /dev/null
+++ b/.ansible-lint
@@ -0,0 +1,7 @@
+---
+warn_list:  # or 'skip_list' to silence them completely
+    - git-latest  # Git checkouts must contain explicit version
+    - ignore-errors  # Use failed_when and specify error conditions instead of using ignore_errors
+    - no-changed-when  # Commands should not change things if nothing needs doing
+    - no-handler  # Tasks that run when changed should likely be handlers
+    - package-latest  # Package installs should not use latest
diff --git a/.yamllint b/.yamllint
new file mode 100644
index 0000000..fbebdb8
--- /dev/null
+++ b/.yamllint
@@ -0,0 +1,39 @@
+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+    braces:
+        max-spaces-inside: 1
+        level: error
+    brackets:
+        max-spaces-inside: 1
+        level: error
+    colons:
+        max-spaces-after: -1
+        level: error
+    commas:
+        max-spaces-after: -1
+        level: error
+    # comments enable
+    comments: enable
+    comments-indentation: enable
+    document-start: enable
+    empty-lines:
+        max: 3
+        level: error
+    hyphens:
+        level: error
+    indentation:
+        level: warning
+        indent-sequences: consistent
+        spaces: 4
+        check-multi-line-strings: true
+    key-duplicates: enable
+    line-length: disable
+    new-line-at-end-of-file: enable
+    new-lines:
+        type: unix
+    # trailing-spaces enable
+    trailing-spaces: enable
+    truthy: enable
diff --git a/handlers/main.yml b/handlers/main.yml
index 3eba505..eb83c91 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,17 +1,27 @@
 ---
 
-- name: restore-iptables
-  service: name=netfilter-persistent state=restarted
+- name: Restore iptables
+  ansible.builtin.service:
+      name: netfilter-persistent
+      state: restarted
 
-- name: restart fail2ban
-  service: name=fail2ban state=restarted
+- name: Restart fail2ban
+  ansible.builtin.service:
+      name: fail2ban
+      state: restarted
 
-- name: restart docker
-  service: name=docker state=restarted
+- name: Restart docker
+  ansible.builtin.service:
+      name: docker
+      state: restarted
   when: inventory_hostname in groups.docker
 
-- name: restart auditd
-  service: name=auditd state=restarted
+- name: Restart auditd
+  ansible.builtin.service:
+      name: auditd
+      state: restarted
 
-- name: restart rsyslog
-  service: name=rsyslog state=restarted
+- name: Restart rsyslog
+  ansible.builtin.service:
+      name: rsyslog
+      state: restarted
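Review bot: Renaming the handlers (`restore-iptables` → `Restore iptables`, `restart fail2ban` → `Restart fail2ban`, and the three others) changes the name every notify has to use, and a notify that names a handler which no longer exists fails the play; the notifies inside this role are updated in tasks/main.yml, but any playbook or other role that notifies these handlers by the old names is not. If such callers exist, each handler can keep accepting the old name with a `listen:` entry, e.g. `listen: restore-iptables` under `Restore iptables` and `listen: restart fail2ban` under `Restart fail2ban`, so the rename stays backward compatible. The `when: inventory_hostname in groups.docker` on `Restart docker` has the same undefined-group issue as the task in tasks/main.yml; see the note there.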
diff --git a/meta/main.yml b/meta/main.yml
index 9ba58c8..9db171b 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,19 +1,19 @@
 ---
 galaxy_info:
-  author: Rémi
-  description: This role installs and configures security on servers (iptables, fail2ban, auditd)
-  company: Le Filament (https://le-filament.com)
-  license: AGPL-3.0-or-later
-  min_ansible_version: 2.1
-  platforms:
-    - name: Ubuntu
-      versions:
-        - xenial
-        - bionic
-        - focal
-  galaxy_tags:
-    - iptables
-    - fail2ban
-    - auditd
-    - security
-    - firewall
+    author: lefilament
+    description: This role installs and configures security on servers (iptables, fail2ban, auditd)
+    company: Le Filament (https://le-filament.com)
+    license: AGPL-3.0-or-later
+    min_ansible_version: "2.1"
+    platforms:
+        - name: Ubuntu
+          versions:
+              - xenial
+              - bionic
+              - focal
+    galaxy_tags:
+        - iptables
+        - fail2ban
+        - auditd
+        - security
+        - firewall
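Review bot: `min_ansible_version: "2.1"` is now inconsistent with the rest of the patch, which rewrites every module call to the `ansible.builtin.*` FQCN; as far as I know collection-qualified module names only resolve on Ansible 2.10 and later, so a controller that satisfies the declared minimum would fail on the first task. Change the line to `min_ansible_version: "2.10"`, keeping the quotes, since unquoted `2.10` would parse as the float 2.1 and silently reintroduce the old value.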
diff --git a/tasks/mail.yml b/tasks/mail.yml
index 07b19e5..3b820e1 100644
--- a/tasks/mail.yml
+++ b/tasks/mail.yml
@@ -1,27 +1,29 @@
 ---
-- name: remove mail packages not necessary
-  apt:
-    name: [bsd-mailx mailutils postfix]
-    autoremove: true
-    state: absent
+- name: Remove mail packages not necessary
+  ansible.builtin.apt:
+      name: [bsd-mailx mailutils postfix]
+      autoremove: true
+      state: absent
   when: ansible_os_family == "Debian"
 
-- name: check that ssmtp is installed
-  package: name=ssmtp state=present
+- name: Check that ssmtp is installed
+  ansible.builtin.package:
+      name: ssmtp
+      state: present
 
 - name: Check that sendmail redirects to ssmtp
-  file:
-    src: ssmtp
-    dest: /usr/sbin/sendmail
-    force: true
-    owner: root
-    group: mail
-    state: link
+  ansible.builtin.file:
+      src: ssmtp
+      dest: /usr/sbin/sendmail
+      force: true
+      owner: root
+      group: mail
+      state: link
 
-- name: configuration file for ssmtp
-  template:
-    src: ssmtp.conf.j2
-    dest: /etc/ssmtp/ssmtp.conf
-    owner: root
-    group: mail
-    mode: '0640'
+- name: Configuration file for ssmtp
+  ansible.builtin.template:
+      src: ssmtp.conf.j2
+      dest: /etc/ssmtp/ssmtp.conf
+      owner: root
+      group: mail
+      mode: '0640'
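Review bot: `name: [bsd-mailx mailutils postfix]` on the `Remove mail packages not necessary` task is a flow sequence with a single element, because flow-sequence items are separated by commas, not spaces; the apt module therefore receives the one package name `bsd-mailx mailutils postfix`, which presumably matches nothing, so postfix and the two mail utilities likely stay installed even though removing them is the task's purpose. yamllint's `brackets` rule cannot detect this, so it survives the lint pass this commit introduces. Write it as `name: [bsd-mailx, mailutils, postfix]` or as a block list with one package per line. That also matters for the following tasks, which force-link `/usr/sbin/sendmail` to ssmtp on the assumption that the other mail packages are gone.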
diff --git a/tasks/main.yml b/tasks/main.yml
index 61f3204..a110150 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,120 +1,129 @@
 ---
-- name: import mail tasks
-  import_tasks: mail.yml
+- name: Import mail tasks
+  ansible.builtin.import_tasks: mail.yml
   when: server_security__manage_mail == 'enabled'
 
-- name: install fail2ban, iptables-persistent and auditd
-  package:
-    name:
-      - fail2ban
-      - iptables-persistent
-      - auditd
-    state: present
+- name: Install fail2ban, iptables-persistent and auditd
+  ansible.builtin.package:
+      name:
+          - fail2ban
+          - iptables-persistent
+          - auditd
+      state: present
   async: 120
   poll: 10
   when: not ansible_check_mode
 
-- name: check presence of fail2ban, iptables-persistent and auditd packages
-  package:
-    name:
-      - fail2ban
-      - iptables-persistent
-      - auditd
-    state: present
+- name: Check presence of fail2ban, iptables-persistent and auditd packages
+  ansible.builtin.package:
+      name:
+          - fail2ban
+          - iptables-persistent
+          - auditd
+      state: present
   when: ansible_check_mode
 
-- name: make fail2ban persistent
-  service: name=fail2ban enabled=yes state=started
+- name: Make fail2ban persistent
+  ansible.builtin.service:
+      name: fail2ban
+      enabled: true
+      state: started
 
-- name: make sure netfilter-persistent is enabled
-  service: name=netfilter-persistent enabled=yes state=started
+- name: Make sure netfilter-persistent is enabled
+  ansible.builtin.service:
+      name: netfilter-persistent
+      enabled: true
+      state: started
 
-- name: make sure auditd is enabled
-  service: name=auditd enabled=yes state=started
+- name: Make sure auditd is enabled
+  ansible.builtin.service:
+      name: auditd
+      enabled: true
+      state: started
 
-- name: push specific fail2ban jail configuration file
-  template:
-    src: "jail.{{ ansible_distribution }}{{ ansible_distribution_major_version }}.j2"
-    dest: "/etc/fail2ban/jail.local"
-    owner: 'root'
-    group: 'root'
-    mode: '0644'
+- name: Push specific fail2ban jail configuration file
+  ansible.builtin.template:
+      src: "jail.{{ ansible_distribution }}{{ ansible_distribution_major_version }}.j2"
+      dest: "/etc/fail2ban/jail.local"
+      owner: 'root'
+      group: 'root'
+      mode: '0644'
   when: ansible_os_family == "Debian"
-  notify: restart fail2ban
+  notify: Restart fail2ban
   tags: fail2ban
 
-- name: push specific fail2ban actions
-  template:
-    src: "{{ item }}.j2"
-    dest: "/etc/fail2ban/{{ item }}.local"
-    owner: 'root'
-    group: 'root'
-    mode: '0644'
+- name: Push specific fail2ban actions
+  ansible.builtin.template:
+      src: "{{ item }}.j2"
+      dest: "/etc/fail2ban/{{ item }}.local"
+      owner: 'root'
+      group: 'root'
+      mode: '0644'
   with_items:
-    - action.d/sendmail-common
-    - action.d/sendmail-whois-lines
+      - action.d/sendmail-common
+      - action.d/sendmail-whois-lines
   when: ansible_os_family == "Debian"
-  notify: restart fail2ban
+  notify: Restart fail2ban
   tags: fail2ban
 
-- name: push specific fail2ban filters
-  copy:
-    src: traefik-auth
-    dest: "/etc/fail2ban/filter.d/traefik-auth.conf"
-    owner: 'root'
-    group: 'root'
-    mode: '0644'
-    force: no
+- name: Push specific fail2ban filters
+  ansible.builtin.copy:
+      src: traefik-auth
+      dest: "/etc/fail2ban/filter.d/traefik-auth.conf"
+      owner: 'root'
+      group: 'root'
+      mode: '0644'
+      force: false
   when: inventory_hostname in groups.docker
-  notify: restart fail2ban
+  notify: Restart fail2ban
   tags: fail2ban
 
-- name: create iptables configuration
-  template:
-    src: iptables.conf.j2
-    dest: /etc/iptables/rules.v4
-    owner: root
-    group: root
-    mode: '0600'
+- name: Create iptables configuration
+  ansible.builtin.template:
+      src: iptables.conf.j2
+      dest: /etc/iptables/rules.v4
+      owner: root
+      group: root
+      mode: '0600'
   notify:
-    - restore-iptables
-    - restart fail2ban
-    - restart docker
+      - Restore iptables
+      - Restart fail2ban
+      - Restart docker
 
-- name: create ip6tables configuration
-  template:
-    src: ip6tables.conf.j2
-    dest: "/etc/iptables/rules.v6"
-    owner: root
-    group: root
-    mode: '0600'
+- name: Create ip6tables configuration
+  ansible.builtin.template:
+      src: ip6tables.conf.j2
+      dest: "/etc/iptables/rules.v6"
+      owner: root
+      group: root
+      mode: '0600'
   notify:
-    - restore-iptables
-    - restart fail2ban
-    - restart docker
+      - Restore iptables
+      - Restart fail2ban
+      - Restart docker
 
-- name: push iptables rsyslog configuration
-  copy:
-    src: rsyslog.d-iptables
-    dest: /etc/rsyslog.d/33-iptables.conf
-    owner: root
-    group: root
-    mode: '0644'
-  notify: restart rsyslog
+- name: Push iptables rsyslog configuration
+  ansible.builtin.copy:
+      src: rsyslog.d-iptables
+      dest: /etc/rsyslog.d/33-iptables.conf
+      owner: root
+      group: root
+      mode: '0644'
+  notify: Restart rsyslog
 
-- name: push iptables logrotate configuration
-  copy:
-    src: logrotate.d-iptables
-    dest: /etc/logrotate.d/iptables
-    owner: root
-    group: root
-    mode: '0644'
+- name: Push iptables logrotate configuration
+  ansible.builtin.copy:
+      src: logrotate.d-iptables
+      dest: /etc/logrotate.d/iptables
+      owner: root
+      group: root
+      mode: '0644'
 
-- name: configuration file for auditd
-  template:
-    src: audit.rules.j2
-    dest: /etc/audit/rules.d/audit.rules
-    owner: root
-    group: root
-    mode: '0640'
-  notify: restart auditd
+- name: Configuration file for auditd
+  ansible.builtin.template:
+      src: audit.rules.j2
+      dest: /etc/audit/rules.d/audit.rules
+      owner: root
+      group: root
+      mode: '0640'
+  notify: Restart auditd
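Review bot: `when: inventory_hostname in groups.docker` on the `Push specific fail2ban filters` task presumably raises an undefined-attribute error instead of evaluating to false on an inventory that defines no `docker` group, since `groups` is a plain mapping; the same expression is on the `Restart docker` handler in handlers/main.yml. Writing it as `when: inventory_hostname in groups.get('docker', [])` keeps the behaviour for inventories that have the group and skips cleanly otherwise. Separately, `force: false` on the `traefik-auth` copy means a filter updated in the role never reaches hosts that already have the file, which is worth either a comment stating that it is intentional (local edits are preserved) or a switch to `force: true` so the role stays the source of truth for the fail2ban filter.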
-- 
GitLab