From 5b09029239e37d940db4b92177820b68e6ef76b6 Mon Sep 17 00:00:00 2001
From: Kris Lamoureux
Date: Fri, 20 Oct 2023 21:30:25 -0400
Subject: [PATCH] Update base role to pass linting
---
 dev/host_vars/mediaserver.yml | 7 ++++++-
 roles/base/handlers/main.yml | 4 ++++
 roles/base/tasks/ansible.yml | 2 +-
 roles/base/tasks/ddclient.yml | 2 +-
 roles/base/tasks/firewall.yml | 4 ++--
 roles/base/tasks/mail.yml | 4 ++--
 roles/base/tasks/network.yml | 2 +-
 roles/base/tasks/samba.yml | 19 ++++++-------------
 roles/base/tasks/system.yml | 19 +++++++++----------
 roles/base/tasks/wireguard.yml | 2 +-
 roles/docker/tasks/main.yml | 4 ++--
 11 files changed, 35 insertions(+), 34 deletions(-)
diff --git a/dev/host_vars/mediaserver.yml b/dev/host_vars/mediaserver.yml
index e553918..f4b6910 100644
--- a/dev/host_vars/mediaserver.yml
+++ b/dev/host_vars/mediaserver.yml
@@ -5,7 +5,12 @@
 allow_reboot: false
 manage_network: false
 users:
- - name: jellyfin
+ jellyfin:
+ uid: 1001
+ gid: 1001
+ shell: /usr/sbin/nologin
+ home: false
+ system: true
 samba:
 users:
diff --git a/roles/base/handlers/main.yml b/roles/base/handlers/main.yml
index 10f55bb..ebc970a 100644
--- a/roles/base/handlers/main.yml
+++ b/roles/base/handlers/main.yml
@@ -5,6 +5,10 @@
 listen: reboot_host
 when: allow_reboot
+- name: Reconfigure locales
+ ansible.builtin.command: dpkg-reconfigure -f noninteractive locales
+ listen: reconfigure_locales
+
 - name: Restart WireGuard
 ansible.builtin.service:
 name: wg-quick@wg0
diff --git a/roles/base/tasks/ansible.yml b/roles/base/tasks/ansible.yml
index 32e87a1..d833acd 100644
--- a/roles/base/tasks/ansible.yml
+++ b/roles/base/tasks/ansible.yml
@@ -2,4 +2,4 @@
 ansible.builtin.file:
 path: "~/.ansible/tmp"
 state: directory
- mode: 0700
+ mode: "700"
diff --git a/roles/base/tasks/ddclient.yml b/roles/base/tasks/ddclient.yml
index 7643c83..5258017 100644
--- a/roles/base/tasks/ddclient.yml
+++ b/roles/base/tasks/ddclient.yml
@@ -7,7 +7,7 @@
 ansible.builtin.template:
 src: ddclient.conf.j2
 dest: /etc/ddclient.conf
- mode: 0600
+ mode: "600"
 register: ddclient_settings
 - name: Start ddclient and enable on boot
diff --git a/roles/base/tasks/firewall.yml b/roles/base/tasks/firewall.yml
index 00bbefc..22e394a 100644
--- a/roles/base/tasks/firewall.yml
+++ b/roles/base/tasks/firewall.yml
@@ -32,14 +32,14 @@
 ansible.builtin.template:
 src: fail2ban-ssh.conf.j2
 dest: /etc/fail2ban/jail.d/sshd.conf
- mode: 0640
+ mode: "640"
 notify: restart_fail2ban
 - name: Install Fail2ban IP allow list
 ansible.builtin.template:
 src: fail2ban-allowlist.conf.j2
 dest: /etc/fail2ban/jail.d/allowlist.conf
- mode: 0640
+ mode: "640"
 when: fail2ban_ignoreip is defined
 notify: restart_fail2ban
diff --git a/roles/base/tasks/mail.yml b/roles/base/tasks/mail.yml
index 33da2db..bd87716 100644
--- a/roles/base/tasks/mail.yml
+++ b/roles/base/tasks/mail.yml
@@ -11,10 +11,10 @@
 ansible.builtin.template:
 src: msmtprc.j2
 dest: /root/.msmtprc
- mode: 0600
+ mode: "600"
 - name: Install /etc/aliases
 ansible.builtin.copy:
 dest: /etc/aliases
 content: "root: {{ mail.rootalias }}"
- mode: 0644
+ mode: "644"
diff --git a/roles/base/tasks/network.yml b/roles/base/tasks/network.yml
index 225ea7c..02ea330 100644
--- a/roles/base/tasks/network.yml
+++ b/roles/base/tasks/network.yml
@@ -10,6 +10,6 @@
 ansible.builtin.template:
 src: "interface.j2"
 dest: "/etc/network/interfaces.d/{{ item.name }}"
- mode: 0400
+ mode: "400"
 loop: "{{ interfaces }}"
 notify: reboot_host
diff --git a/roles/base/tasks/samba.yml b/roles/base/tasks/samba.yml
index 0fffd1d..033ed21 100644
--- a/roles/base/tasks/samba.yml
+++ b/roles/base/tasks/samba.yml
@@ -3,23 +3,15 @@
 name: samba
 state: present
-- name: Create nologin shell accounts for Samba
- ansible.builtin.user:
- name: "{{ item.name }}"
- state: present
- shell: /usr/sbin/nologin
- createhome: false
- system: yes
- loop: "{{ samba.users }}"
- when: item.manage_user is defined and item.manage_user is true
-
 - name: Create Samba users
- ansible.builtin.shell: "smbpasswd -a {{ item.name }}"
+ ansible.builtin.command: "smbpasswd -a {{ item.name }}"
 args:
 stdin: "{{ item.password }}\n{{ item.password }}"
 loop: "{{ samba.users }}"
+ loop_control:
+ label: "{{ item.name }}"
 register: samba_users
- changed_when: "'User added' in samba_users.stdout"
+ changed_when: "'Added user' in samba_users.stdout"
 - name: Ensure share directories exist
 ansible.builtin.file:
@@ -27,13 +19,14 @@
 owner: "{{ item.owner }}"
 group: "{{ item.group }}"
 state: directory
- mode: 0755
+ mode: "755"
 loop: "{{ samba.shares }}"
 - name: Configure Samba shares
 ansible.builtin.template:
 src: smb.conf.j2
 dest: /etc/samba/smb.conf
+ mode: "700"
 notify: restart_samba
 - name: Start smbd and enable on boot
diff --git a/roles/base/tasks/system.yml b/roles/base/tasks/system.yml
index 522306c..76a0963 100644
--- a/roles/base/tasks/system.yml
+++ b/roles/base/tasks/system.yml
@@ -10,7 +10,7 @@
 state: present
 - name: Check for existing GPG keys
- command: "gpg --list-keys {{ item.id }} 2>/dev/null"
+ ansible.builtin.command: "gpg --list-keys {{ item.id }} 2>/dev/null"
 register: gpg_check
 loop: "{{ root_gpgkeys }}"
 failed_when: false
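Review bot: The `Create Samba users` task feeds `item.password` through `args.stdin` but sets no `no_log`, so the password is printed in `-v` output and stored in the registered `samba_users` result (module `invocation` arguments); the new `loop_control.label` only masks the loop item, not the task arguments. Add `no_log: true` next to `register: samba_users`. Note also that `smbpasswd -a` resets the password of an account that already exists, so with `changed_when` keyed on `'Added user'` the task changes state on every run while reporting ok; checking the account against `pdbedit -L` first would make it idempotent.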
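Review bot: `mode: "700"` on `/etc/samba/smb.conf` sets the execute bit on a plain configuration file, which is never needed and reads like a typo. If the intent is to keep the file root-readable only, `mode: "0600"` says that directly; be aware that unprivileged users then lose the ability to run `smbclient` or `testparm` against it, whereas the package default is world-readable. Whichever is chosen, a one-line comment above the task stating why the mode departs from the package default would help the next reader.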
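Review bot: The `Check for existing GPG keys` task still passes `2>/dev/null` to `ansible.builtin.command`, which runs without a shell, so the redirection is handed to gpg as a literal second key pattern instead of silencing stderr. Since gpg reports an unmatched pattern as an error, this may leave `rc` non-zero even when the key is present, which would make the later `item.rc != 0` import condition true on every run, and `failed_when: false` hides the symptom. Drop the suffix: `ansible.builtin.command: "gpg --list-keys {{ item.id }}"` — stderr is only captured into `gpg_check`, not displayed, so nothing is lost.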
@@ -18,20 +18,22 @@
 when: root_gpgkeys is defined
 - name: Import GPG keys
- command: "gpg --keyserver {{ item.item.server | default('keys.openpgp.org') }} --recv-key {{ item.item.id }}"
+ ansible.builtin.command:
+ "gpg --keyserver {{ item.item.server | default('keys.openpgp.org') }} --recv-key {{ item.item.id }}"
 register: gpg_check_import
 loop: "{{ gpg_check.results }}"
 loop_control:
 label: "{{ item.item }}"
+ changed_when: false
 when: root_gpgkeys is defined and item.rc != 0
 - name: Check GPG key imports
- fail:
+ ansible.builtin.fail:
 msg: "{{ item.stderr }}"
 loop: "{{ gpg_check_import.results }}"
 loop_control:
 label: "{{ item.item.item }}"
- when: (item.skipped | default(false) == false) and ('imported' not in item.stderr)
+ when: root_gpgkeys is defined and (not item.skipped | default(false)) and ('imported' not in item.stderr)
 - name: Install NTPsec
 ansible.builtin.apt:
@@ -47,7 +49,7 @@
 community.general.locale_gen:
 name: "{{ locale_default }}"
 state: present
- register: locale_gen_output
+ notify: reconfigure_locales
 - name: Set the default locale
 ansible.builtin.lineinfile:
@@ -55,15 +57,11 @@
 regexp: "^LANG="
 line: "LANG={{ locale_default }}"
-- name: Reconfigure locales
- ansible.builtin.command: dpkg-reconfigure -f noninteractive locales
- when: locale_gen_output.changed
-
 - name: Manage root authorized_keys
 ansible.builtin.template:
 src: authorized_keys.j2
 dest: /root/.ssh/authorized_keys
- mode: 0400
+ mode: "400"
 when: authorized_keys is defined
 - name: Create system user groups
@@ -84,6 +82,7 @@
 group: "{{ item.value.gid }}"
 shell: "{{ item.value.shell | default('/bin/bash') }}"
 create_home: "{{ item.value.home | default(false) }}"
+ system: "{{ item.value.system | default(false) }}"
 loop: "{{ users | dict2items }}"
 loop_control:
 label: "{{ item.key }}"
diff --git a/roles/base/tasks/wireguard.yml b/roles/base/tasks/wireguard.yml
index b3ba047..6f58d08 100644
--- a/roles/base/tasks/wireguard.yml
+++ b/roles/base/tasks/wireguard.yml
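Review bot: `changed_when: false` on `Import GPG keys` misreports the task: it only runs when the preceding check found the key missing (`item.rc != 0`), so each execution really does import a key into root's keyring and should show as changed. Keying it on the output, `changed_when: "'imported' in gpg_check_import.stderr"`, uses the same string the following `Check GPG key imports` task already relies on. Separately, `default('keys.openpgp.org')` carries no URL scheme; writing it as `hkps://keys.openpgp.org` would make the TLS transport explicit instead of relying on dirmngr's default.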
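Review bot: The new `system:` key on the user task only takes effect when the account is created; the Ansible user module documents that it cannot be changed on an existing user. The `jellyfin` account that this commit moves from the removed Samba task into `users` will therefore keep whatever attributes it was created with, and a rerun will not convert it. A comment on the task, `# system: honoured only at creation time; existing accounts are not converted`, would make that limitation visible where the variable is consumed.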
@@ -22,7 +22,7 @@
 ansible.builtin.template:
 src: wireguard.j2
 dest: /etc/wireguard/wg0.conf
- mode: 0400
+ mode: "400"
 notify: restart_wireguard
 - name: Start WireGuard interface
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index f6d8e26..d5ba874 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -48,7 +48,7 @@
 repo: "{{ item.url }}"
 dest: "{{ docker_repos_path }}/{{ item.name }}"
 version: "{{ item.version }}"
- accept_newhostkey: "{{ item.accept_newhostkey | default('false') }}"
+ accept_newhostkey: "{{ item.accept_newhostkey | default(false) }}"
 gpg_whitelist: "{{ item.trusted_keys | default([]) }}"
 verify_commit: "{{ true if (item.trusted_keys is defined and item.trusted_keys) else false }}"
 key_file: "{{ docker_repos_keys }}/id_{{ docker_repos_keytype }}"
@@ -86,7 +86,7 @@
 mode: 0400
 register: compose_env_update
 notify: compose_restart
- no_log: "{{ docker_compose_env_nolog | default('true') }}"
+ no_log: "{{ docker_compose_env_nolog | default(true) }}"
 loop: "{{ docker_compose_deploy }}"
 loop_control:
 label: "{{ item.name }}"
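Review bot: `mode: 0400` two lines above the `no_log` change is still an unquoted octal literal, the very pattern this commit fixes in every other role; quoting it as `mode: "0400"` would let the docker role pass the same lint. The `default(true)` change itself is right: the previous string default `'true'` relied on Ansible's truthy conversion of a string, whereas the boolean form leaves no ambiguity. The same reasoning applies to the `accept_newhostkey` hunk above, where the old `'false'` string default was the more dangerous of the two, since a string that failed to convert would not have meant "reject unknown host keys".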