roles/common: run ansible-lint --write

Alan Orth 2023-08-23 21:33:22 +03:00
parent b9e91c4a3d
commit 17736a4f14
Signed by: alanorth
GPG Key ID: 0FB860CC9C45B1B9
11 changed files with 228 additions and 233 deletions


@ -1,10 +1,9 @@
---
- name: Configure cron-apt (config)
ansible.builtin.copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }} owner={{ item.owner }} group={{ item.group }}
loop:
- { src: 'etc/cron-apt/config', dest: '/etc/cron-apt/config', mode: '0644', owner: 'root', group: 'root' }
- { src: 'etc/cron-apt/3-download', dest: '/etc/cron-apt/action.d/3-download', mode: '0644', owner: 'root', group: 'root' }
- { src: etc/cron-apt/config, dest: /etc/cron-apt/config, mode: "0644", owner: root, group: root }
- { src: etc/cron-apt/3-download, dest: /etc/cron-apt/action.d/3-download, mode: "0644", owner: root, group: root }
- name: Configure cron-apt (security)
ansible.builtin.template: src=security.sources.list.j2 dest=/etc/apt/security.sources.list mode=0644 owner=root group=root
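Review bot: Both tasks in this file still pass their arguments as a free-form `key=value` string: the `ansible.builtin.copy` line with `mode={{ item.mode }}` and the `ansible.builtin.template` line with `mode=0644`. The permission bits therefore sit at the end of a long line and were not normalised like the `mode: "0644"` mappings elsewhere in this commit. Writing the arguments as a YAML mapping (`dest: "{{ item.dest }}"`, `mode: "{{ item.mode }}"`, `owner: root`) would make ownership and mode reviewable at a glance. The same free-form style remains in the systemd-timesyncd `apt` task, the `authorized_keys` removal task and the `sshd_config` template task.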


@ -4,7 +4,7 @@
src: etc/fail2ban/jail.d/sshd.local.j2
dest: /etc/fail2ban/jail.d/sshd.local
owner: root
mode: 0644
mode: "0644"
notify: restart fail2ban
- name: Configure fail2ban nginx filter
@ -15,7 +15,7 @@
src: etc/fail2ban/jail.d/nginx.local.j2
dest: /etc/fail2ban/jail.d/nginx.local
owner: root
mode: 0644
mode: "0644"
notify: restart fail2ban
- name: Create fail2ban service override directory
@ -23,7 +23,7 @@
path: /etc/systemd/system/fail2ban.service.d
state: directory
owner: root
mode: 0755
mode: "0755"
# See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban
- name: Configure fail2ban service override
@ -31,7 +31,7 @@
src: etc/systemd/system/fail2ban.service.d/override.conf.j2
dest: /etc/systemd/system/fail2ban.service.d/override.conf
owner: root
mode: 0644
mode: "0644"
notify:
- reload systemd
- restart fail2ban
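Review bot: None of the four fail2ban tasks shown here set `group:`; each lists `owner: root` followed directly by `mode:`, whereas the nftables and apt tasks in this role set `owner: root` and `group: root` together. Adding `group: root` after each `owner: root` would pin group ownership of the jail files and the service override instead of leaving it to whatever the target already has. The tasks begin above each hunk, so confirm that `group` is not declared there.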


@ -26,7 +26,7 @@
src: nftables.conf.j2
dest: /etc/nftables.conf
owner: root
mode: 0644
mode: "0644"
notify:
- restart nftables
- restart fail2ban
@ -37,23 +37,23 @@
path: /etc/nftables
state: directory
owner: root
mode: 0755
mode: "0755"
- name: Copy extra nftables configuration files
when: ansible_distribution_major_version is version('11', '>=')
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "/etc/nftables/{{ item.src }}"
dest: /etc/nftables/{{ item.src }}
owner: root
group: root
mode: 0644
mode: "0644"
force: "{{ item.force }}"
loop:
- { src: "spamhaus-ipv4.nft", force: "no" }
- { src: "spamhaus-ipv6.nft", force: "no" }
- { src: "abusech-ipv4.nft", force: "no" }
- { src: "abuseipdb-ipv4.nft", force: "yes" }
- { src: "abuseipdb-ipv6.nft", force: "yes" }
- { src: spamhaus-ipv4.nft, force: "no" }
- { src: spamhaus-ipv6.nft, force: "no" }
- { src: abusech-ipv4.nft, force: "no" }
- { src: abuseipdb-ipv4.nft, force: "yes" }
- { src: abuseipdb-ipv6.nft, force: "yes" }
notify:
- restart nftables
- restart fail2ban
@ -62,8 +62,8 @@
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.copy:
src: "{{ item }}"
dest: "/usr/local/bin/{{ item }}"
mode: 0755
dest: /usr/local/bin/{{ item }}
mode: "0755"
owner: root
group: root
loop:
@ -75,8 +75,8 @@
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.copy:
src: "{{ item }}"
dest: "/etc/systemd/system/{{ item }}"
mode: 0644
dest: /etc/systemd/system/{{ item }}
mode: "0644"
owner: root
group: root
loop:
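Review bot: The loop items under "Copy extra nftables configuration files" keep `force: "no"` / `force: "yes"` as quoted strings that only become booleans through the module's argument coercion, and nothing records why the spamhaus and abusech sets are never overwritten while the abuseipdb sets always are. Real booleans, e.g. `- { src: spamhaus-ipv4.nft, force: false }`, would state the type directly. A comment above `loop:` such as `# force: false keeps lists that are refreshed on the host; force: true re-deploys the copy shipped with the role` (wording to be confirmed by the author) would make the intent auditable. The same loop appears in the Ubuntu nftables file that follows.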


@ -24,7 +24,7 @@
src: nftables.conf.j2
dest: /etc/nftables.conf
owner: root
mode: 0644
mode: "0644"
notify:
- restart nftables
- restart fail2ban
@ -35,23 +35,23 @@
path: /etc/nftables
state: directory
owner: root
mode: 0755
mode: "0755"
- name: Copy extra nftables configuration files
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "/etc/nftables/{{ item.src }}"
dest: /etc/nftables/{{ item.src }}
owner: root
group: root
mode: 0644
mode: "0644"
force: "{{ item.force }}"
loop:
- { src: "spamhaus-ipv4.nft", force: "no" }
- { src: "spamhaus-ipv6.nft", force: "no" }
- { src: "abusech-ipv4.nft", force: "no" }
- { src: "abuseipdb-ipv4.nft", force: "yes" }
- { src: "abuseipdb-ipv6.nft", force: "yes" }
- { src: spamhaus-ipv4.nft, force: "no" }
- { src: spamhaus-ipv6.nft, force: "no" }
- { src: abusech-ipv4.nft, force: "no" }
- { src: abuseipdb-ipv4.nft, force: "yes" }
- { src: abuseipdb-ipv6.nft, force: "yes" }
notify:
- restart nftables
- restart fail2ban
@ -60,8 +60,8 @@
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.copy:
src: "{{ item }}"
dest: "/usr/local/bin/{{ item }}"
mode: 0755
dest: /usr/local/bin/{{ item }}
mode: "0755"
owner: root
group: root
loop:
@ -73,8 +73,8 @@
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.copy:
src: "{{ item }}"
dest: "/etc/systemd/system/{{ item }}"
mode: 0644
dest: /etc/systemd/system/{{ item }}
mode: "0644"
owner: root
group: root
loop:


@ -1,6 +1,6 @@
---
- name: Import OS-specific variables
ansible.builtin.include_vars: "vars/{{ ansible_distribution }}.yml"
ansible.builtin.include_vars: vars/{{ ansible_distribution }}.yml
tags: always
- name: Configure network time


@ -12,8 +12,8 @@
# I can see on existing servers, systemd-timesyncd is a standalone package on
# Ubuntu 20.04 and Debian 11.
- name: Install systemd-timesyncd
when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or
(ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '>='))
when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version
is version('11', '>='))
ansible.builtin.apt: name=systemd-timesyncd state=present cache_valid_time=3600
- name: Start and enable systemd's NTP client
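Review bot: The re-wrapped `when:` on the "Install systemd-timesyncd" task now breaks in the middle of a test, leaving `ansible_distribution_version` at the end of one line and `is version('11', '>=')` on the next. That is harder to check than the previous layout with one clause per line. A folded scalar (`when: >-`) with the Ubuntu clause and the Debian clause each on their own line keeps the expression identical and readable.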


@ -1,5 +1,4 @@
---
- name: Configure Debian packages
block:
# Create directory for third-party package signing keys. Required on distros
@ -9,7 +8,7 @@
- name: Create /etc/apt/keyrings
file:
path: /etc/apt/keyrings
mode: 0755
mode: "0755"
owner: root
group: root
state: directory
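Review bot: The "Create /etc/apt/keyrings" task uses the short module name `file:` while the rest of the role uses fully qualified names such as `ansible.builtin.copy`. Writing `ansible.builtin.file:` would match and avoids resolving to a same-named module from another collection. The Ubuntu packages file in the next section has the same line. The enclosing `block:` continues outside the hunk.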


@ -1,5 +1,4 @@
---
- name: Configure Ubuntu packages
block:
# Create directory for third-party package signing keys. Required on distros
@ -9,7 +8,7 @@
- name: Create /etc/apt/keyrings
file:
path: /etc/apt/keyrings
mode: 0755
mode: "0755"
owner: root
group: root
state: directory


@ -3,7 +3,7 @@
ansible.builtin.file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent
- name: Add public keys to authorized_keys
ansible.posix.authorized_key: { user: '{{ provisioning_user.name }}', key: "{{ lookup('file',item) }}" }
ansible.posix.authorized_key: { user: "{{ provisioning_user.name }}", key: "{{ lookup('file',item) }}" }
with_fileglob:
# use descriptive names for keys, like: aorth-mzito-rsa.pub
- ssh-pub-keys/*.pub
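Review bot: The task at the top of this hunk deletes `authorized_keys` (`state=absent`) and the next task rebuilds it key by key, so a run that stops between the two leaves the provisioning user with no authorized keys, and every run reports a change. If the intent is to drop keys that are no longer in `ssh-pub-keys/`, consider a single `ansible.posix.authorized_key` call with `exclusive: true` and all keys joined into one newline-separated `key` value. `exclusive` is not loop-aware, so it cannot simply be added to the `with_fileglob` task. The first task's name and any condition on it are above the hunk.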


@ -1,8 +1,8 @@
---
# SSH configs don't change in Debian minor versions
- name: Reconfigure /etc/ssh/sshd_config
ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root
mode=0600
when: ansible_distribution == 'Debian'
notify: reload sshd
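Review bot: The `sshd_config` template is installed without a syntax check, so a broken rendering for a given distribution version is only discovered when the `reload sshd` handler runs. `ansible.builtin.template` accepts a `validate` command that tests the rendered file before it replaces the live one. Writing the arguments as a mapping also puts `mode: "0600"` on its own line instead of the wrapped `mode=0600` continuation. The sshd binary path below is an assumption to confirm on the targets.

```yaml
- name: Reconfigure /etc/ssh/sshd_config
  ansible.builtin.template:
    src: sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0600"
    # Reject a rendering that sshd cannot parse before it is installed.
    validate: /usr/sbin/sshd -t -f %s
  # … unchanged: when / notify …
```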


@ -10,7 +10,7 @@
dest: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
owner: root
group: root
mode: 0644
mode: "0644"
register: download_tarsnap_signing_key
when: not tarsnap_signing_key_stat.stat.exists
@ -20,16 +20,14 @@
dest: /etc/apt/sources.list.d/tarsnap.list
owner: root
group: root
mode: 0644
mode: "0644"
register: add_tarsnap_apt_repository
when: ansible_architecture != 'armv7l'
- name: Update apt cache
ansible.builtin.apt: # noqa no-handler
update_cache: true
when:
(download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or
add_tarsnap_apt_repository is changed
when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed
- name: Install tarsnap
ansible.builtin.apt:
@ -42,6 +40,6 @@
dest: /root/.tarsnaprc
owner: root
group: root
mode: 0600
mode: "0600"
# vim: set sw=2 ts=2:
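Review bot: The signing-key download whose arguments end in the first hunk (`dest: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc`, `register: download_tarsnap_signing_key`) shows no `checksum:`, and this key becomes the trust anchor for the tarsnap apt repository. If the module is `ansible.builtin.get_url` and no checksum is set above the hunk, pinning one, e.g. `checksum: sha256:<expected-digest>`, would make the play fail rather than install an unexpected key. The task starts above the hunk, so this needs checking against the full file.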