[UPD] ansible-lint

820bfe6b · Rémi - Le Filament · 2a9e7a0f · 820bfe6b · 820bfe6b · 820bfe6b
--- a/.ansible-lint
+++ b/.ansible-lint
+---
+warn_list:  # or 'skip_list' to silence them completely
+    - git-latest  # Git checkouts must contain explicit version
+    - ignore-errors  # Use failed_when and specify error conditions instead of using ignore_errors
+    - no-changed-when  # Commands should not change things if nothing needs doing
+    - no-handler  # Tasks that run when changed should likely be handlers
+    - package-latest  # Package installs should not use latest
--- a/.yamllint
+++ b/.yamllint
+---
+# Based on ansible-lint config
+extends: default
+rules:
+    braces:
+        max-spaces-inside: 1
+        level: error
+    brackets:
+        max-spaces-inside: 1
+        level: error
+    colons:
+        max-spaces-after: -1
+        level: error
+    commas:
+        max-spaces-after: -1
+        level: error
+    # comments enable
+    comments: enable
+    comments-indentation: enable
+    document-start: enable
+    empty-lines:
+        max: 3
+        level: error
+    hyphens:
+        level: error
+    indentation:
+        level: warning
+        indent-sequences: consistent
+        spaces: 4
+        check-multi-line-strings: true
+    key-duplicates: enable
+    line-length: disable
+    new-line-at-end-of-file: enable
+    new-lines:
+        type: unix
+    # trailing-spaces enable
+    trailing-spaces: enable
+    truthy: enable
--- a/handlers/main.yml
+++ b/handlers/main.yml
 ---
- name: restore-iptables
+- name: Restore iptables
-  service: name=netfilter-persistent state=restarted
+  ansible.builtin.service:
+      name: netfilter-persistent
+      state: restarted
- name: restart fail2ban
+- name: Restart fail2ban
-  service: name=fail2ban state=restarted
+  ansible.builtin.service:
+      name: fail2ban
+      state: restarted
- name: restart docker
+- name: Restart docker
-  service: name=docker state=restarted
+  ansible.builtin.service:
+      name: docker
+      state: restarted
  when: inventory_hostname in groups.docker
- name: restart auditd
+- name: Restart auditd
-  service: name=auditd state=restarted
+  ansible.builtin.service:
+      name: auditd
+      state: restarted
- name: restart rsyslog
+- name: Restart rsyslog
-  service: name=rsyslog state=restarted
+  ansible.builtin.service:
+      name: rsyslog
+      state: restarted
--- a/meta/main.yml
+++ b/meta/main.yml
 ---
 galaxy_info:
-  author: Rémi
+    author: lefilament
    description: This role installs and configures security on servers (iptables, fail2ban, auditd)
    company: Le Filament (https://le-filament.com)
    license: AGPL-3.0-or-later
-  min_ansible_version: 2.1
+    min_ansible_version: "2.1"
    platforms:
        - name: Ubuntu
          versions:

--- a/tasks/mail.yml
+++ b/tasks/mail.yml
 ---
- name: remove mail packages not necessary
+- name: Remove mail packages not necessary
-  apt:
+  ansible.builtin.apt:
      name: [bsd-mailx mailutils postfix]
      autoremove: true
      state: absent
  when: ansible_os_family == "Debian"
- name: check that ssmtp is installed
+- name: Check that ssmtp is installed
-  package: name=ssmtp state=present
+  ansible.builtin.package:
+      name: ssmtp
+      state: present
 - name: Check that sendmail redirects to ssmtp
-  file:
+  ansible.builtin.file:
      src: ssmtp
      dest: /usr/sbin/sendmail
      force: true
@@ -18,8 +20,8 @@
      group: mail
      state: link
- name: configuration file for ssmtp
+- name: Configuration file for ssmtp
-  template:
+  ansible.builtin.template:
      src: ssmtp.conf.j2
      dest: /etc/ssmtp/ssmtp.conf
      owner: root

--- a/tasks/main.yml
+++ b/tasks/main.yml
 ---
- name: import mail tasks
+- name: Import mail tasks
-  import_tasks: mail.yml
+  ansible.builtin.import_tasks: mail.yml
  when: server_security__manage_mail == 'enabled'
- name: install fail2ban, iptables-persistent and auditd
+- name: Install fail2ban, iptables-persistent and auditd
-  package:
+  ansible.builtin.package:
      name:
          - fail2ban
          - iptables-persistent
@@ -14,8 +14,8 @@
  poll: 10
  when: not ansible_check_mode
- name: check presence of fail2ban, iptables-persistent and auditd packages
+- name: Check presence of fail2ban, iptables-persistent and auditd packages
-  package:
+  ansible.builtin.package:
      name:
          - fail2ban
          - iptables-persistent
@@ -23,28 +23,37 @@
      state: present
  when: ansible_check_mode
- name: make fail2ban persistent
+- name: Make fail2ban persistent
-  service: name=fail2ban enabled=yes state=started
+  ansible.builtin.service:
+      name: fail2ban
+      enabled: true
+      state: started
- name: make sure netfilter-persistent is enabled
+- name: Make sure netfilter-persistent is enabled
-  service: name=netfilter-persistent enabled=yes state=started
+  ansible.builtin.service:
+      name: netfilter-persistent
+      enabled: true
+      state: started
- name: make sure auditd is enabled
+- name: Make sure auditd is enabled
-  service: name=auditd enabled=yes state=started
+  ansible.builtin.service:
+      name: auditd
+      enabled: true
+      state: started
- name: push specific fail2ban jail configuration file
+- name: Push specific fail2ban jail configuration file
-  template:
+  ansible.builtin.template:
      src: "jail.{{ ansible_distribution }}{{ ansible_distribution_major_version }}.j2"
      dest: "/etc/fail2ban/jail.local"
      owner: 'root'
      group: 'root'
      mode: '0644'
  when: ansible_os_family == "Debian"
-  notify: restart fail2ban
+  notify: Restart fail2ban
  tags: fail2ban
- name: push specific fail2ban actions
+- name: Push specific fail2ban actions
-  template:
+  ansible.builtin.template:
      src: "{{ item }}.j2"
      dest: "/etc/fail2ban/{{ item }}.local"
      owner: 'root'
@@ -54,67 +63,67 @@
      - action.d/sendmail-common
      - action.d/sendmail-whois-lines
  when: ansible_os_family == "Debian"
-  notify: restart fail2ban
+  notify: Restart fail2ban
  tags: fail2ban
- name: push specific fail2ban filters
+- name: Push specific fail2ban filters
-  copy:
+  ansible.builtin.copy:
      src: traefik-auth
      dest: "/etc/fail2ban/filter.d/traefik-auth.conf"
      owner: 'root'
      group: 'root'
      mode: '0644'
-    force: no
+      force: false
  when: inventory_hostname in groups.docker
-  notify: restart fail2ban
+  notify: Restart fail2ban
  tags: fail2ban
- name: create iptables configuration
+- name: Create iptables configuration
-  template:
+  ansible.builtin.template:
      src: iptables.conf.j2
      dest: /etc/iptables/rules.v4
      owner: root
      group: root
      mode: '0600'
  notify:
-    - restore-iptables
+      - Restore iptables
-    - restart fail2ban
+      - Restart fail2ban
-    - restart docker
+      - Restart docker
- name: create ip6tables configuration
+- name: Create ip6tables configuration
-  template:
+  ansible.builtin.template:
      src: ip6tables.conf.j2
      dest: "/etc/iptables/rules.v6"
      owner: root
      group: root
      mode: '0600'
  notify:
-    - restore-iptables
+      - Restore iptables
-    - restart fail2ban
+      - Restart fail2ban
-    - restart docker
+      - Restart docker
- name: push iptables rsyslog configuration
+- name: Push iptables rsyslog configuration
-  copy:
+  ansible.builtin.copy:
      src: rsyslog.d-iptables
      dest: /etc/rsyslog.d/33-iptables.conf
      owner: root
      group: root
      mode: '0644'
-  notify: restart rsyslog
+  notify: Restart rsyslog
- name: push iptables logrotate configuration
+- name: Push iptables logrotate configuration
-  copy:
+  ansible.builtin.copy:
      src: logrotate.d-iptables
      dest: /etc/logrotate.d/iptables
      owner: root
      group: root
      mode: '0644'
- name: configuration file for auditd
+- name: Configuration file for auditd
-  template:
+  ansible.builtin.template:
      src: audit.rules.j2
      dest: /etc/audit/rules.d/audit.rules
      owner: root
      group: root
      mode: '0640'
-  notify: restart auditd
+  notify: Restart auditd