roles/common: run ansible-lint --write

roles/common/tasks/cron-apt.yml

@@ -1,10 +1,9 @@
 ---
-
 - name: Configure cron-apt (config)
   ansible.builtin.copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }} owner={{ item.owner }} group={{ item.group }}
   loop:
-    - { src: 'etc/cron-apt/config', dest: '/etc/cron-apt/config', mode: '0644', owner: 'root', group: 'root' }
+    - { src: etc/cron-apt/config, dest: /etc/cron-apt/config, mode: "0644", owner: root, group: root }
-    - { src: 'etc/cron-apt/3-download', dest: '/etc/cron-apt/action.d/3-download', mode: '0644', owner: 'root', group: 'root' }
+    - { src: etc/cron-apt/3-download, dest: /etc/cron-apt/action.d/3-download, mode: "0644", owner: root, group: root }
 
 - name: Configure cron-apt (security)
   ansible.builtin.template: src=security.sources.list.j2 dest=/etc/apt/security.sources.list mode=0644 owner=root group=root

roles/common/tasks/fail2ban.yml

@@ -4,7 +4,7 @@
     src: etc/fail2ban/jail.d/sshd.local.j2
     dest: /etc/fail2ban/jail.d/sshd.local
     owner: root
-    mode: 0644
+    mode: "0644"
   notify: restart fail2ban
 
 - name: Configure fail2ban nginx filter
@@ -15,7 +15,7 @@
     src: etc/fail2ban/jail.d/nginx.local.j2
     dest: /etc/fail2ban/jail.d/nginx.local
     owner: root
-    mode: 0644
+    mode: "0644"
   notify: restart fail2ban
 
 - name: Create fail2ban service override directory
@@ -23,7 +23,7 @@
     path: /etc/systemd/system/fail2ban.service.d
     state: directory
     owner: root
-    mode: 0755
+    mode: "0755"
 
 # See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban
 - name: Configure fail2ban service override
@@ -31,7 +31,7 @@
     src: etc/systemd/system/fail2ban.service.d/override.conf.j2
     dest: /etc/systemd/system/fail2ban.service.d/override.conf
     owner: root
-    mode: 0644
+    mode: "0644"
   notify:
     - reload systemd
     - restart fail2ban

roles/common/tasks/firewall_Debian.yml

@@ -2,115 +2,115 @@
 # Debian 11+ will use nftables directly, with no firewalld.
 
 - block:
-  - name: Install Debian firewall packages
+    - name: Install Debian firewall packages
-    when: ansible_distribution_major_version is version('11', '>=')
+      when: ansible_distribution_major_version is version('11', '>=')
-    ansible.builtin.package:
+      ansible.builtin.package:
-      name:
+        name:
-        - fail2ban
+          - fail2ban
-        - libnet-ip-perl # for aggregate-cidr-addresses.pl
+          - libnet-ip-perl # for aggregate-cidr-addresses.pl
-        - nftables
+          - nftables
-        - python3-systemd
+          - python3-systemd
-        - curl # for nftables update scripts
+          - curl # for nftables update scripts
-      state: present
+        state: present
-      cache_valid_time: 3600
+        cache_valid_time: 3600
 
-  - name: Remove iptables on newer Debian
+    - name: Remove iptables on newer Debian
-    when: ansible_distribution_major_version is version('11', '>=')
+      when: ansible_distribution_major_version is version('11', '>=')
-    ansible.builtin.apt:
+      ansible.builtin.apt:
-      pkg: iptables
+        pkg: iptables
-      state: absent
+        state: absent
 
-  - name: Copy nftables.conf
+    - name: Copy nftables.conf
-    when: ansible_distribution_major_version is version('11', '>=')
+      when: ansible_distribution_major_version is version('11', '>=')
-    ansible.builtin.template:
+      ansible.builtin.template:
-      src: nftables.conf.j2
+        src: nftables.conf.j2
-      dest: /etc/nftables.conf
+        dest: /etc/nftables.conf
-      owner: root
+        owner: root
-      mode: 0644
+        mode: "0644"
-    notify:
+      notify:
-      - restart nftables
+        - restart nftables
-      - restart fail2ban
+        - restart fail2ban
 
-  - name: Create /etc/nftables extra config directory
+    - name: Create /etc/nftables extra config directory
-    when: ansible_distribution_major_version is version('11', '>=')
+      when: ansible_distribution_major_version is version('11', '>=')
-    ansible.builtin.file:
+      ansible.builtin.file:
-      path: /etc/nftables
+        path: /etc/nftables
-      state: directory
+        state: directory
-      owner: root
+        owner: root
-      mode: 0755
+        mode: "0755"
 
-  - name: Copy extra nftables configuration files
+    - name: Copy extra nftables configuration files
-    when: ansible_distribution_major_version is version('11', '>=')
+      when: ansible_distribution_major_version is version('11', '>=')
-    ansible.builtin.copy:
+      ansible.builtin.copy:
-      src: "{{ item.src }}"
+        src: "{{ item.src }}"
-      dest: "/etc/nftables/{{ item.src }}"
+        dest: /etc/nftables/{{ item.src }}
-      owner: root
+        owner: root
-      group: root
+        group: root
-      mode: 0644
+        mode: "0644"
-      force: "{{ item.force }}"
+        force: "{{ item.force }}"
-    loop:
+      loop:
-      - { src: "spamhaus-ipv4.nft", force: "no" }
+        - { src: spamhaus-ipv4.nft, force: "no" }
-      - { src: "spamhaus-ipv6.nft", force: "no" }
+        - { src: spamhaus-ipv6.nft, force: "no" }
-      - { src: "abusech-ipv4.nft", force: "no" }
+        - { src: abusech-ipv4.nft, force: "no" }
-      - { src: "abuseipdb-ipv4.nft", force: "yes" }
+        - { src: abuseipdb-ipv4.nft, force: "yes" }
-      - { src: "abuseipdb-ipv6.nft", force: "yes" }
+        - { src: abuseipdb-ipv6.nft, force: "yes" }
-    notify:
+      notify:
-      - restart nftables
+        - restart nftables
-      - restart fail2ban
+        - restart fail2ban
 
-  - name: Copy nftables update scripts
+    - name: Copy nftables update scripts
-    when: ansible_distribution_version is version('11', '>=')
+      when: ansible_distribution_version is version('11', '>=')
-    ansible.builtin.copy:
+      ansible.builtin.copy:
-      src: "{{ item }}"
+        src: "{{ item }}"
-      dest: "/usr/local/bin/{{ item }}"
+        dest: /usr/local/bin/{{ item }}
-      mode: 0755
+        mode: "0755"
-      owner: root
+        owner: root
-      group: root
+        group: root
-    loop:
+      loop:
-      - update-spamhaus-nftables.sh
+        - update-spamhaus-nftables.sh
-      - aggregate-cidr-addresses.pl
+        - aggregate-cidr-addresses.pl
-      - update-abusech-nftables.sh
+        - update-abusech-nftables.sh
 
-  - name: Copy nftables systemd units
+    - name: Copy nftables systemd units
-    when: ansible_distribution_version is version('11', '>=')
+      when: ansible_distribution_version is version('11', '>=')
-    ansible.builtin.copy:
+      ansible.builtin.copy:
-      src: "{{ item }}"
+        src: "{{ item }}"
-      dest: "/etc/systemd/system/{{ item }}"
+        dest: /etc/systemd/system/{{ item }}
-      mode: 0644
+        mode: "0644"
-      owner: root
+        owner: root
-      group: root
+        group: root
-    loop:
+      loop:
-      - update-spamhaus-nftables.service
+        - update-spamhaus-nftables.service
-      - update-spamhaus-nftables.timer
+        - update-spamhaus-nftables.timer
-      - update-abusech-nftables.service
+        - update-abusech-nftables.service
-      - update-abusech-nftables.timer
+        - update-abusech-nftables.timer
-    register: nftables_systemd_units
+      register: nftables_systemd_units
 
-  # need to reload to pick up service/timer/environment changes
+    # need to reload to pick up service/timer/environment changes
-  - name: Reload systemd daemon
+    - name: Reload systemd daemon
-    ansible.builtin.systemd:
+      ansible.builtin.systemd:
-      daemon_reload: true
+        daemon_reload: true
-    when: nftables_systemd_units is changed
+      when: nftables_systemd_units is changed
 
-  - name: Start and enable nftables update timers
+    - name: Start and enable nftables update timers
-    when: ansible_distribution_version is version('11', '>=')
+      when: ansible_distribution_version is version('11', '>=')
-    ansible.builtin.systemd:
+      ansible.builtin.systemd:
-      name: "{{ item }}"
+        name: "{{ item }}"
-      state: started
+        state: started
-      enabled: true
+        enabled: true
-    loop:
+      loop:
-      - update-spamhaus-nftables.timer
+        - update-spamhaus-nftables.timer
-      - update-abusech-nftables.timer
+        - update-abusech-nftables.timer
 
-  - name: Start and enable nftables
+    - name: Start and enable nftables
-    when: ansible_distribution_major_version is version('11', '>=')
+      when: ansible_distribution_major_version is version('11', '>=')
-    ansible.builtin.systemd:
+      ansible.builtin.systemd:
-      name: nftables
+        name: nftables
-      state: started
+        state: started
-      enabled: true
+        enabled: true
 
-  - ansible.builtin.include_tasks: fail2ban.yml
+    - ansible.builtin.include_tasks: fail2ban.yml
-    when: ansible_distribution_major_version is version('9', '>=')
+      when: ansible_distribution_major_version is version('9', '>=')
   tags: firewall
 
 # vim: set sw=2 ts=2:

roles/common/tasks/firewall_Ubuntu.yml

@@ -2,113 +2,113 @@
 # Ubuntu 20.04 will use nftables directly, with no firewalld.
 
 - block:
-  - name: Install Ubuntu firewall packages
+    - name: Install Ubuntu firewall packages
-    ansible.builtin.package:
+      ansible.builtin.package:
-      name:
+        name:
-        - fail2ban
+          - fail2ban
-        - libnet-ip-perl # for aggregate-cidr-addresses.pl
+          - libnet-ip-perl # for aggregate-cidr-addresses.pl
-        - nftables
+          - nftables
-        - python3-systemd
+          - python3-systemd
-        - curl # for nftables update scripts
+          - curl # for nftables update scripts
-      state: present
+        state: present
-      cache_valid_time: 3600
+        cache_valid_time: 3600
 
-  - name: Remove ufw
+    - name: Remove ufw
-    ansible.builtin.package:
+      ansible.builtin.package:
-      name: ufw
+        name: ufw
-      state: absent
+        state: absent
 
-  - name: Copy nftables.conf
+    - name: Copy nftables.conf
-    when: ansible_distribution_version is version('20.04', '>=')
+      when: ansible_distribution_version is version('20.04', '>=')
-    ansible.builtin.template:
+      ansible.builtin.template:
-      src: nftables.conf.j2
+        src: nftables.conf.j2
-      dest: /etc/nftables.conf
+        dest: /etc/nftables.conf
-      owner: root
+        owner: root
-      mode: 0644
+        mode: "0644"
-    notify:
+      notify:
-      - restart nftables
+        - restart nftables
-      - restart fail2ban
+        - restart fail2ban
 
-  - name: Create /etc/nftables extra config directory
+    - name: Create /etc/nftables extra config directory
-    when: ansible_distribution_version is version('20.04', '>=')
+      when: ansible_distribution_version is version('20.04', '>=')
-    ansible.builtin.file:
+      ansible.builtin.file:
-      path: /etc/nftables
+        path: /etc/nftables
-      state: directory
+        state: directory
-      owner: root
+        owner: root
-      mode: 0755
+        mode: "0755"
 
-  - name: Copy extra nftables configuration files
+    - name: Copy extra nftables configuration files
-    when: ansible_distribution_version is version('20.04', '>=')
+      when: ansible_distribution_version is version('20.04', '>=')
-    ansible.builtin.copy:
+      ansible.builtin.copy:
-      src: "{{ item.src }}"
+        src: "{{ item.src }}"
-      dest: "/etc/nftables/{{ item.src }}"
+        dest: /etc/nftables/{{ item.src }}
-      owner: root
+        owner: root
-      group: root
+        group: root
-      mode: 0644
+        mode: "0644"
-      force: "{{ item.force }}"
+        force: "{{ item.force }}"
-    loop:
+      loop:
-      - { src: "spamhaus-ipv4.nft", force: "no" }
+        - { src: spamhaus-ipv4.nft, force: "no" }
-      - { src: "spamhaus-ipv6.nft", force: "no" }
+        - { src: spamhaus-ipv6.nft, force: "no" }
-      - { src: "abusech-ipv4.nft", force: "no" }
+        - { src: abusech-ipv4.nft, force: "no" }
-      - { src: "abuseipdb-ipv4.nft", force: "yes" }
+        - { src: abuseipdb-ipv4.nft, force: "yes" }
-      - { src: "abuseipdb-ipv6.nft", force: "yes" }
+        - { src: abuseipdb-ipv6.nft, force: "yes" }
-    notify:
+      notify:
-      - restart nftables
+        - restart nftables
-      - restart fail2ban
+        - restart fail2ban
 
-  - name: Copy nftables update scripts
+    - name: Copy nftables update scripts
-    when: ansible_distribution_version is version('20.04', '>=')
+      when: ansible_distribution_version is version('20.04', '>=')
-    ansible.builtin.copy:
+      ansible.builtin.copy:
-      src: "{{ item }}"
+        src: "{{ item }}"
-      dest: "/usr/local/bin/{{ item }}"
+        dest: /usr/local/bin/{{ item }}
-      mode: 0755
+        mode: "0755"
-      owner: root
+        owner: root
-      group: root
+        group: root
-    loop:
+      loop:
-      - update-spamhaus-nftables.sh
+        - update-spamhaus-nftables.sh
-      - aggregate-cidr-addresses.pl
+        - aggregate-cidr-addresses.pl
-      - update-abusech-nftables.sh
+        - update-abusech-nftables.sh
 
-  - name: Copy nftables systemd units
+    - name: Copy nftables systemd units
-    when: ansible_distribution_version is version('20.04', '>=')
+      when: ansible_distribution_version is version('20.04', '>=')
-    ansible.builtin.copy:
+      ansible.builtin.copy:
-      src: "{{ item }}"
+        src: "{{ item }}"
-      dest: "/etc/systemd/system/{{ item }}"
+        dest: /etc/systemd/system/{{ item }}
-      mode: 0644
+        mode: "0644"
-      owner: root
+        owner: root
-      group: root
+        group: root
-    loop:
+      loop:
         - update-spamhaus-nftables.service
         - update-spamhaus-nftables.timer
         - update-abusech-nftables.service
         - update-abusech-nftables.timer
-    register: nftables_systemd_units
+      register: nftables_systemd_units
 
-  # need to reload to pick up service/timer/environment changes
+    # need to reload to pick up service/timer/environment changes
-  - name: Reload systemd daemon
+    - name: Reload systemd daemon
-    ansible.builtin.systemd:
+      ansible.builtin.systemd:
-      daemon_reload: true
+        daemon_reload: true
-    when: nftables_systemd_units is changed
+      when: nftables_systemd_units is changed
 
-  - name: Start and enable nftables update timers
+    - name: Start and enable nftables update timers
-    when: ansible_distribution_version is version('20.04', '>=')
+      when: ansible_distribution_version is version('20.04', '>=')
-    ansible.builtin.systemd:
+      ansible.builtin.systemd:
-      name: "{{ item }}"
+        name: "{{ item }}"
-      state: started
+        state: started
-      enabled: true
+        enabled: true
-    loop:
+      loop:
-      - update-spamhaus-nftables.timer
+        - update-spamhaus-nftables.timer
-      - update-abusech-nftables.timer
+        - update-abusech-nftables.timer
 
-  - name: Start and enable nftables
+    - name: Start and enable nftables
-    when: ansible_distribution_version is version('20.04', '>=')
+      when: ansible_distribution_version is version('20.04', '>=')
-    ansible.builtin.systemd:
+      ansible.builtin.systemd:
-      name: nftables
+        name: nftables
-      state: started
+        state: started
-      enabled: true
+        enabled: true
 
-  - ansible.builtin.include_tasks: fail2ban.yml
+    - ansible.builtin.include_tasks: fail2ban.yml
-    when: ansible_distribution_version is version('16.04', '>=')
+      when: ansible_distribution_version is version('16.04', '>=')
   tags: firewall
 
 # vim: set sw=2 ts=2:

roles/common/tasks/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: Import OS-specific variables
-  ansible.builtin.include_vars: "vars/{{ ansible_distribution }}.yml"
+  ansible.builtin.include_vars: vars/{{ ansible_distribution }}.yml
   tags: always
 
 - name: Configure network time

roles/common/tasks/ntp.yml

@@ -12,8 +12,8 @@
 # I can see on existing servers, systemd-timesyncd is a standalone package on
 # Ubuntu 20.04 and Debian 11.
 - name: Install systemd-timesyncd
-  when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or
+  when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version
-        (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '>='))
+    is version('11', '>='))
   ansible.builtin.apt: name=systemd-timesyncd state=present cache_valid_time=3600
 
 - name: Start and enable systemd's NTP client

roles/common/tasks/packages_Debian.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: Configure Debian packages
   block:
     # Create directory for third-party package signing keys. Required on distros
@@ -9,7 +8,7 @@
     - name: Create /etc/apt/keyrings
       file:
         path: /etc/apt/keyrings
-        mode: 0755
+        mode: "0755"
         owner: root
         group: root
         state: directory

roles/common/tasks/packages_Ubuntu.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: Configure Ubuntu packages
   block:
     # Create directory for third-party package signing keys. Required on distros
@@ -9,7 +8,7 @@
     - name: Create /etc/apt/keyrings
       file:
         path: /etc/apt/keyrings
-        mode: 0755
+        mode: "0755"
         owner: root
         group: root
         state: directory
@@ -25,23 +24,23 @@
     - name: Set Ubuntu base packages
       ansible.builtin.set_fact:
         ubuntu_base_packages:
-        - git
+          - git
-        - git-lfs
+          - git-lfs
-        - tmux
+          - tmux
-        - iotop
+          - iotop
-        - htop
+          - htop
-        - strace
+          - strace
-        - cron-apt
+          - cron-apt
-        - safe-rm
+          - safe-rm
-        - debian-goodies
+          - debian-goodies
-        - mosh
+          - mosh
-        - python-pycurl # for ansible's apt_repository
+          - python-pycurl # for ansible's apt_repository
-        - vim
+          - vim
-        - unzip
+          - unzip
-        - apt-transport-https # for https support in apt
+          - apt-transport-https # for https support in apt
-        - zstd
+          - zstd
-        - rsync
+          - rsync
-        - lsof
+          - lsof
 
     - name: Install base packages
       ansible.builtin.apt: pkg={{ ubuntu_base_packages }} state=present cache_valid_time=3600
@@ -67,7 +66,7 @@
       ansible.builtin.set_fact:
         ubuntu_annoying_packages:
           - whoopsie # security (CIS 4.1)
-          - apport   # security (CIS 4.1)
+          - apport # security (CIS 4.1)
           - command-not-found # annoying
           - command-not-found-data # annoying
           - python3-commandnotfound # annoying

roles/common/tasks/ssh-keys.yml

@@ -3,7 +3,7 @@
   ansible.builtin.file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent
 
 - name: Add public keys to authorized_keys
-  ansible.posix.authorized_key: { user: '{{ provisioning_user.name }}', key: "{{ lookup('file',item) }}" }
+  ansible.posix.authorized_key: { user: "{{ provisioning_user.name }}", key: "{{ lookup('file',item) }}" }
   with_fileglob:
     # use descriptive names for keys, like: aorth-mzito-rsa.pub
     - ssh-pub-keys/*.pub

roles/common/tasks/sshd.yml

@@ -1,8 +1,8 @@
 ---
-
 # SSH configs don't change in Debian minor versions
 - name: Reconfigure /etc/ssh/sshd_config
-  ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
+  ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root
+    mode=0600
   when: ansible_distribution == 'Debian'
   notify: reload sshd
 

roles/common/tasks/tarsnap.yml

@@ -10,7 +10,7 @@
     dest: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
     owner: root
     group: root
-    mode: 0644
+    mode: "0644"
   register: download_tarsnap_signing_key
   when: not tarsnap_signing_key_stat.stat.exists
 
@@ -20,16 +20,14 @@
     dest: /etc/apt/sources.list.d/tarsnap.list
     owner: root
     group: root
-    mode: 0644
+    mode: "0644"
   register: add_tarsnap_apt_repository
   when: ansible_architecture != 'armv7l'
 
 - name: Update apt cache
   ansible.builtin.apt: # noqa no-handler
     update_cache: true
-  when:
+  when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed
-    (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or
-    add_tarsnap_apt_repository is changed
 
 - name: Install tarsnap
   ansible.builtin.apt:
@@ -42,6 +40,6 @@
     dest: /root/.tarsnaprc
     owner: root
     group: root
-    mode: 0600
+    mode: "0600"
 
 # vim: set sw=2 ts=2: