From 38fef42aa61b566de77ddf188277872672dd0549 Mon Sep 17 00:00:00 2001 From: Julien Riou Date: Fri, 10 May 2024 13:32:56 +0200 Subject: [PATCH] style: Add ansible-lint Signed-off-by: Julien Riou --- .ansible-lint | 9 ++++ .github/workflows/pre-commit.yml | 6 +-- .pre-commit-config.yaml | 19 +++++---- TODO.md | 3 -- main.yml | 72 +++++++++++++++++++++++--------- tasks/apt.yml | 1 + tasks/bacula.yml | 2 +- tasks/easyrsa.yml | 8 ++-- tasks/hostname.yml | 3 +- tasks/iptables.yml | 2 +- tasks/mosquitto.yml | 2 +- tasks/motd.yml | 8 +++- tasks/nagios.yml | 15 +++++-- tasks/nrpe.yml | 3 ++ tasks/openvpn.yml | 4 +- tasks/serial2mqtt.yml | 13 +++--- tasks/ssh.yml | 3 +- tasks/sysctl.yml | 2 +- tasks/telegraf.yml | 5 ++- tasks/time.yml | 1 + tasks/users.yml | 1 + tasks/vim.yml | 1 + upgrade.yml | 3 +- 23 files changed, 128 insertions(+), 58 deletions(-) create mode 100644 .ansible-lint diff --git a/.ansible-lint b/.ansible-lint new file mode 100644 index 0000000..57fe7e6 --- /dev/null +++ b/.ansible-lint @@ -0,0 +1,9 @@ +--- +exclude_paths: + - .cache/ + - .github/ + - .pre-commit-config.yaml + - group_vars/pilote.yml + +skip_list: + - latest diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 59c632c..6a474d2 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -10,6 +10,6 @@ jobs: pre-commit: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: actions/setup-python@v3 - - uses: pre-commit/action@v3.0.1 + - uses: actions/checkout@v3 + - uses: actions/setup-python@v3 + - uses: pre-commit/action@v3.0.1 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index b71a1c8..34d5ba1 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
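Review bot: `skip_list: - latest` in the new `.ansible-lint` silences the `latest` rule repository-wide; as far as I recall that rule flags `ansible.builtin.git`/`hg` checkouts that are not pinned to a tag or commit hash, which presumably is what fires on the `Clone check-mqtt source code` and `Clone arduino-sensors-toolkit sources` git tasks visible as context in tasks/nrpe.yml and tasks/serial2mqtt.yml (their `version:` lines are outside the hunks, so this is inferred). Skipping the rule hides an unpinned-dependency finding rather than fixing it; pinning `version:` in those two tasks to a release tag or commit hash and dropping the skip keeps the lint signal for future checkouts. If tracking the default branch is deliberate, record it above the entry, `# latest: git checkouts intentionally track the default branch`. Likewise `group_vars/pilote.yml` is excluded from linting without a stated reason (vault-encrypted, presumably); a one-line comment saying why would help the next reader.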
@@ -1,9 +1,14 @@ --- repos: -- repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.6.0 - hooks: - - id: check-yaml - - id: detect-private-key - - id: end-of-file-fixer - - id: trailing-whitespace + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.6.0 + hooks: + - id: check-yaml + - id: detect-private-key + - id: end-of-file-fixer + - id: trailing-whitespace + + - repo: https://github.com/ansible/ansible-lint + rev: v24.2.3 + hooks: + - id: ansible-lint diff --git a/TODO.md b/TODO.md index 9bdf499..b1a75ed 100644 --- a/TODO.md +++ b/TODO.md @@ -2,6 +2,3 @@ * EasyRSA tasks * Variables documentation -* Github actions - * pre-commit - * ansible-lint diff --git a/main.yml b/main.yml index 0b65dbb..992ddd7 100644 --- a/main.yml +++ b/main.yml 
@@ -1,23 +1,55 @@ --- -- hosts: pilote +- name: Configure pilote + hosts: pilote gather_facts: true tasks: - - ansible.builtin.include_tasks: tasks/sysctl.yml - - ansible.builtin.include_tasks: tasks/apt.yml - - ansible.builtin.include_tasks: tasks/users.yml - - ansible.builtin.include_tasks: tasks/profile.yml - - ansible.builtin.include_tasks: tasks/hostname.yml - - ansible.builtin.include_tasks: tasks/motd.yml - - ansible.builtin.include_tasks: tasks/time.yml - - ansible.builtin.include_tasks: tasks/ssh.yml - - ansible.builtin.include_tasks: tasks/openvpn.yml - - ansible.builtin.include_tasks: tasks/nagios.yml - - ansible.builtin.include_tasks: tasks/nrpe.yml - - ansible.builtin.include_tasks: tasks/mosquitto.yml - - ansible.builtin.include_tasks: tasks/serial2mqtt.yml - - ansible.builtin.include_tasks: tasks/telegraf.yml - - ansible.builtin.include_tasks: tasks/bacula.yml - - ansible.builtin.include_tasks: tasks/iptables.yml - # TODO - #- ansible.builtin.include_tasks: tasks/easyrsa.yml - - ansible.builtin.include_tasks: tasks/vim.yml + - name: Configure sysctl + ansible.builtin.include_tasks: tasks/sysctl.yml + + - name: Configure apt + ansible.builtin.include_tasks: tasks/apt.yml + + - name: Configure users + ansible.builtin.include_tasks: tasks/users.yml + + - name: Configure profile + ansible.builtin.include_tasks: tasks/profile.yml + + - name: Configure hostname + ansible.builtin.include_tasks: tasks/hostname.yml + + - name: Configure motd + ansible.builtin.include_tasks: tasks/motd.yml + + - name: Configure time + ansible.builtin.include_tasks: tasks/time.yml + + - name: Configure SSH + ansible.builtin.include_tasks: tasks/ssh.yml + + - name: Configure OpenVPN + ansible.builtin.include_tasks: tasks/openvpn.yml + + - name: Configure Nagios + ansible.builtin.include_tasks: tasks/nagios.yml + + - name: Configure NRPE + ansible.builtin.include_tasks: tasks/nrpe.yml + + - name: Configure Mosquitto + ansible.builtin.include_tasks: tasks/mosquitto.yml + + - name: 
Configure serial2mqtt + ansible.builtin.include_tasks: tasks/serial2mqtt.yml + + - name: Configure telegraf + ansible.builtin.include_tasks: tasks/telegraf.yml + + - name: Configure bacula + ansible.builtin.include_tasks: tasks/bacula.yml + + - name: Configure iptables + ansible.builtin.include_tasks: tasks/iptables.yml + + - name: Configure vim + ansible.builtin.include_tasks: tasks/vim.yml diff --git a/tasks/apt.yml b/tasks/apt.yml index 0ca4e58..5974737 100644 --- a/tasks/apt.yml +++ b/tasks/apt.yml @@ -10,6 +10,7 @@ ansible.builtin.template: src: apt/raspi.list.j2 dest: /etc/apt/sources.list.d/raspi.list + mode: "0644" - name: Update system ansible.builtin.apt: diff --git a/tasks/bacula.yml b/tasks/bacula.yml index f015f12..c8f2660 100644 --- a/tasks/bacula.yml +++ b/tasks/bacula.yml @@ -7,7 +7,6 @@ - bacula-fd - bacula-sd - bacula-console - state: latest - name: Configure database ansible.builtin.copy: @@ -61,6 +60,7 @@ ansible.builtin.template: src: "bacula/conf.d/{{ item }}.conf.j2" dest: "/etc/bacula/conf.d/{{ item }}.conf" + mode: "0644" loop: - clients - filesets diff --git a/tasks/easyrsa.yml b/tasks/easyrsa.yml index 16c897c..9e53fd2 100644 --- a/tasks/easyrsa.yml +++ b/tasks/easyrsa.yml @@ -1,13 +1,13 @@ --- # TODO -- name: copy easyrsa sources to /root - copy: +- name: Copy easyrsa sources to /root + ansible.builtin.copy: src: files/easyrsa/EasyRSA-v3.0.6 dest: /root/ mode: preserve -- name: add easyrsa binary to path - file: +- name: Add easyrsa binary to path + ansible.builtin.file: src: /root/EasyRSA-v3.0.6/easyrsa dest: /usr/local/sbin/easyrsa state: link diff --git a/tasks/hostname.yml b/tasks/hostname.yml index 66a03f4..dd31bc9 100644 --- a/tasks/hostname.yml +++ b/tasks/hostname.yml @@ -1,9 +1,10 @@ --- - name: Setup hostname - hostname: + ansible.builtin.hostname: name: "{{ hostname }}" - name: Manage /etc/hosts ansible.builtin.template: src: hostname/hosts.j2 dest: /etc/hosts + mode: "0644" 
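Review bot: The commented-out include of tasks/easyrsa.yml and its `# TODO` marker are dropped from the task list with no replacement, so main.yml no longer records that easyrsa is intentionally not wired in, while tasks/easyrsa.yml (still marked `# TODO` in this commit) and TODO.md (`EasyRSA tasks`) still expect it. A one-line comment at the end of the list, `# TODO: tasks/easyrsa.yml is not included yet, see TODO.md`, keeps the omission visible and does not trip the linter.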
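Review bot: Dropping `state: latest` from the `ansible.builtin.apt` task changes its behaviour from upgrading the bacula packages on every run to installing them only when absent (the module default is `present`), which is a functional change in a commit titled `style`; the same removal appears in tasks/iptables.yml, tasks/mosquitto.yml, tasks/nagios.yml, tasks/openvpn.yml, tasks/serial2mqtt.yml, tasks/ssh.yml and tasks/telegraf.yml. This is the right direction for reproducible runs and is what the `package-latest` rule asks for, but package upgrades now depend entirely on upgrade.yml / tasks/apt-upgrade.yml being run separately — presumably intended. Worth stating in the commit message, or with a short comment on the first install task such as `# package upgrades are handled by upgrade.yml`.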
diff --git a/tasks/iptables.yml b/tasks/iptables.yml index dc42fcb..3737468 100644 --- a/tasks/iptables.yml +++ b/tasks/iptables.yml @@ -57,7 +57,7 @@ name: - netfilter-persistent - iptables-persistent - state: latest - name: Save iptables ansible.builtin.command: netfilter-persistent save + changed_when: true diff --git a/tasks/mosquitto.yml b/tasks/mosquitto.yml index 4ee6111..d90ea6e 100644 --- a/tasks/mosquitto.yml +++ b/tasks/mosquitto.yml @@ -3,12 +3,12 @@ ansible.builtin.apt: name: - mosquitto - state: latest - name: Configure mosquitto ansible.builtin.copy: src: files/mosquitto/conf.d dest: /etc/mosquitto + mode: "0644" - name: Copy mosquitto password ansible.builtin.template: diff --git a/tasks/motd.yml b/tasks/motd.yml index 3830398..2ad6df3 100644 --- a/tasks/motd.yml +++ b/tasks/motd.yml @@ -6,10 +6,16 @@ - name: Run figlet ansible.builtin.shell: - cmd: "hostname | figlet -f /usr/share/figlet/smslant.flf" + cmd: >- + set -o pipefail + hostname | figlet -f /usr/share/figlet/smslant.flf" + args: + executable: /bin/bash register: _motd + changed_when: true - name: Create motd ansible.builtin.copy: dest: /etc/motd content: "{{ _motd.stdout }}\n" + mode: "0644" diff --git a/tasks/nagios.yml b/tasks/nagios.yml index 0375a95..8a0d08a 100644 --- a/tasks/nagios.yml +++ b/tasks/nagios.yml @@ -9,12 +9,12 @@ - python3-requests - python3-jsonschema - python-pexpect - state: latest - name: Generate nagios configurations ansible.builtin.template: src: "nagios/conf.d/{{ item }}.cfg.j2" dest: "/etc/nagios4/conf.d/{{ item }}.cfg" + mode: "0644" loop: - commands - hosts @@ -26,6 +26,7 @@ ansible.builtin.template: src: nagios/contacts.cfg.j2 dest: /etc/nagios4/objects/contacts.cfg + mode: "0644" - name: Copy check_timesyncd ansible.builtin.copy: 
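Review bot: The folded `>-` block joins `set -o pipefail` and `hostname | figlet …` into a single line, and the trailing `"` left after `smslant.flf` is now an unmatched quote, so bash aborts with a syntax error before producing any output and `pipefail` guards nothing. Use a literal block and drop the stray quote: `cmd: |` / `  set -o pipefail` / `  hostname | figlet -f /usr/share/figlet/smslant.flf`. Separately, `changed_when: true` on this read-only command makes every run report a change; `changed_when: false` is the accurate value here, since the following `Create motd` copy task reports the real change.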
@@ -47,7 +48,7 @@ - name: Configure notify-by-telegram ansible.builtin.copy: - content: "{{ {'auth_key': nagios_telegram_auth_key, 'chat_id': nagios_telegram_chat_id } | to_json }}" + content: "{{ {'auth_key': nagios_telegram_auth_key, 'chat_id': nagios_telegram_chat_id} | to_json }}" dest: /etc/nagios4/telegram.json owner: root group: nagios @@ -62,11 +63,13 @@ ansible.builtin.copy: src: files/nagios/nagios.cfg dest: /etc/nagios4/nagios.cfg + mode: "0644" - name: Copy CGI configuration ansible.builtin.copy: src: files/nagios/cgi.cfg dest: /etc/nagios4/cgi.cfg + mode: "0644" - name: Reload nagios ansible.builtin.service: @@ -77,16 +80,19 @@ ansible.builtin.template: src: nagios/htdigest.users.j2 dest: /etc/nagios4/htdigest.users + mode: "0644" - name: Secure Apache - copy: + ansible.builtin.copy: src: files/nagios/security.conf dest: /etc/apache2/conf-available/security.conf + mode: "0644" - name: Configure vhost for the web interface ansible.builtin.copy: src: files/nagios/apache2.conf dest: /etc/nagios4/apache2.conf + mode: "0644" - name: Enable Apache modules ansible.builtin.command: @@ -94,6 +100,7 @@ loop: - auth_digest - headers + changed_when: true - name: Restart apache ansible.builtin.service: @@ -101,7 +108,7 @@ state: restarted - name: Allow HTTP from vpn - iptables: + ansible.builtin.iptables: chain: INPUT protocol: tcp source: "{{ openvpn_subnet }}" diff --git a/tasks/nrpe.yml b/tasks/nrpe.yml index fdf1f72..42e6e7f 100644 --- a/tasks/nrpe.yml +++ b/tasks/nrpe.yml @@ -10,16 +10,19 @@ ansible.builtin.template: src: nrpe/nrpe.cfg.j2 dest: /etc/nagios/nrpe.cfg + mode: "0644" - name: Generate NRPE local configuration ansible.builtin.template: src: nrpe/nrpe_local.cfg.j2 dest: /etc/nagios/nrpe_local.cfg + mode: "0644" - name: Manage daemon settings ansible.builtin.template: src: nrpe/nagios-nrpe-server.j2 dest: /etc/default/nagios-nrpe-server + mode: "0644" - name: Clone check-mqtt source code ansible.builtin.git: 
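Review bot: The `content:` line renders `nagios_telegram_auth_key` inline and the task has no `no_log: true`, so the Telegram credential is echoed in verbose and `--diff` output of every run; add `no_log: true` to this task. The hunk shows `owner: root` and `group: nagios` for /etc/nagios4/telegram.json but the `mode:` line is outside the hunk — confirm it is `"0640"` or tighter, since this commit adds `"0644"` to most other files in the same task file.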
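Review bot: `mode: "0644"` on /etc/nagios4/htdigest.users makes the digest-auth file world-readable; an htdigest entry stores the HA1 hash, which is sufficient on its own to answer an HTTP Digest challenge, so any local account could authenticate to the Nagios web UI. Restrict it to the Apache worker group instead, e.g. `mode: "0640"` plus `owner: root` and `group:` set to the web server's group (`www-data` on Debian-based systems, hedged: not shown on the page). The other `"0644"` additions in this hunk (security.conf, apache2.conf) are plain configuration and are fine.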
diff --git a/tasks/openvpn.yml b/tasks/openvpn.yml index f7089c8..1254c9e 100644 --- a/tasks/openvpn.yml +++ b/tasks/openvpn.yml @@ -2,22 +2,24 @@ - name: Install OpenVPN ansible.builtin.apt: name: openvpn - state: latest - name: Deploy OpenVPN configuration ansible.builtin.template: src: openvpn/client.conf.j2 dest: /etc/openvpn/client.conf + mode: '0644' - name: Deploy OpenVPN CA cert ansible.builtin.copy: content: "{{ openvpn_ca }}" dest: /etc/openvpn/ca.crt + mode: '0644' - name: Deploy OpenVPN TLS auth ansible.builtin.copy: content: "{{ openvpn_ta }}" dest: /etc/openvpn/ta.key + mode: '0600' - name: Deploy OpenVPN client cert ansible.builtin.copy: diff --git a/tasks/serial2mqtt.yml b/tasks/serial2mqtt.yml index 33e1901..74f122f 100644 --- a/tasks/serial2mqtt.yml +++ b/tasks/serial2mqtt.yml @@ -4,7 +4,6 @@ name: - python3-serial - python3-paho-mqtt - state: latest - name: Clone arduino-sensors-toolkit sources ansible.builtin.git: @@ -14,11 +13,11 @@ - name: Add serial2mqtt user ansible.builtin.user: name: serial2mqtt - system: yes + system: true password: '!' home: /var/lib/serial2mqtt - create_home: no - append: yes + create_home: false + append: true groups: - dialout @@ -34,15 +33,17 @@ ansible.builtin.copy: src: files/serial2mqtt/serial2mqtt.default dest: /etc/default/serial2mqtt + mode: '0644' - name: Copy serial2mqtt service unit ansible.builtin.copy: src: files/serial2mqtt/serial2mqtt.service dest: /etc/systemd/system/serial2mqtt.service + mode: '0644' - name: Start serial2mqtt service ansible.builtin.systemd: name: serial2mqtt.service - daemon_reload: yes + daemon_reload: true state: restarted - enabled: yes + enabled: true diff --git a/tasks/ssh.yml b/tasks/ssh.yml index 45c74be..e2a10dc 100644 --- a/tasks/ssh.yml +++ b/tasks/ssh.yml @@ -2,7 +2,6 @@ - name: Install OpenSSH ansible.builtin.apt: name: openssh-server - state: latest - name: Allow authorized keys ansible.posix.authorized_key: 
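Review bot: The `Deploy OpenVPN client cert` task is only visible as trailing context, so it is not shown whether the client private key that presumably follows gets the same `mode: '0600'` that this hunk correctly gives ta.key; confirm it does, otherwise the key deployed alongside the cert stays at the copy module's default permissions. As a point of style, this file (and tasks/serial2mqtt.yml, tasks/telegraf.yml, tasks/users.yml, tasks/vim.yml) writes `mode: '0644'` with single quotes while tasks/apt.yml, tasks/bacula.yml, tasks/hostname.yml, tasks/nagios.yml and tasks/nrpe.yml use `"0644"`; pick one form repository-wide — yamllint's `quoted-strings` rule with a `quote-type` setting can enforce it.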
@@ -20,7 +19,7 @@ mode: '0644' - name: Reload and enable SSH service - service: + ansible.builtin.service: name: ssh state: reloaded enabled: true diff --git a/tasks/sysctl.yml b/tasks/sysctl.yml index fc3e9a9..279f3d4 100644 --- a/tasks/sysctl.yml +++ b/tasks/sysctl.yml @@ -5,4 +5,4 @@ value: '1' state: present sysctl_file: /etc/sysctl.d/70-disable-ipv6.conf - reload: yes + reload: true diff --git a/tasks/telegraf.yml b/tasks/telegraf.yml index a5c5051..681c121 100644 --- a/tasks/telegraf.yml +++ b/tasks/telegraf.yml @@ -3,6 +3,7 @@ ansible.builtin.template: src: telegraf/influxdata.list.j2 dest: /etc/apt/sources.list.d/influxdata.list + mode: '0644' - name: Download influxdata APT key ansible.builtin.apt_key: @@ -15,12 +16,14 @@ - telegraf - lm-sensors update_cache: true - state: latest - name: Generate telegraf configurations ansible.builtin.template: src: "telegraf/{{ item }}.conf.j2" dest: "/etc/telegraf/telegraf.d/{{ item }}.conf" + mode: '0640' + owner: root + group: telegraf loop: - inputs - output diff --git a/tasks/time.yml b/tasks/time.yml index d4410b2..c3ca16f 100644 --- a/tasks/time.yml +++ b/tasks/time.yml @@ -2,3 +2,4 @@ - name: Manage time zone ansible.builtin.command: cmd: "timedatectl set-timezone {{ timezone }}" + changed_when: true diff --git a/tasks/users.yml b/tasks/users.yml index 2355d60..037a880 100644 --- a/tasks/users.yml +++ b/tasks/users.yml @@ -11,4 +11,5 @@ src: files/users/bashrc owner: "{{ item['name'] }}" group: "{{ item['name'] }}" + mode: '0644' loop: "{{ users }}" diff --git a/tasks/vim.yml b/tasks/vim.yml index ea21d14..cdeaeef 100644 --- a/tasks/vim.yml +++ b/tasks/vim.yml @@ -8,6 +8,7 @@ ansible.builtin.copy: src: files/vim/vimrc dest: "{{ '/root/.vimrc' if item['name'] == 'root' else '/home/' + item['name'] + '/.vimrc' }}" + mode: '0644' loop: "{{ users }}" loop_control: label: "{{ item['name'] }}" diff --git a/upgrade.yml b/upgrade.yml index 2654360..659254b 100644 --- a/upgrade.yml +++ b/upgrade.yml 
@@ -2,4 +2,5 @@ - name: Upgrade systems hosts: all tasks: - - include_tasks: tasks/apt-upgrade.yml + - name: Run apt upgrade + ansible.builtin.include_tasks: tasks/apt-upgrade.yml