From 9142254a571f1ac8062abf4646c604f9a9a233f6 Mon Sep 17 00:00:00 2001
From: Kris Lamoureux
Date: Thu, 4 May 2023 01:44:18 -0400
Subject: [PATCH] Improvements for ansible-linting
---
 roles/base/tasks/firewall.yml | 2 ++
 roles/base/tasks/mail.yml | 3 ++-
 roles/base/tasks/main.yml | 21 ++++++++++++++-------
 roles/base/tasks/network.yml | 1 +
 roles/base/tasks/system.yml | 1 +
 roles/base/tasks/wireguard.yml | 8 +++++---
 roles/docker/handlers/main.yml | 4 ++++
 roles/docker/tasks/main.yml | 9 +++------
 roles/jellyfin/defaults/main.yml | 2 +-
 roles/jellyfin/tasks/main.yml | 7 +++++--
 roles/proxy/tasks/main.yml | 6 ++++--
 roles/traefik/handlers/main.yml | 1 +
 roles/traefik/tasks/main.yml | 7 ++++++-
 13 files changed, 49 insertions(+), 23 deletions(-)
 create mode 100644 roles/docker/handlers/main.yml
diff --git a/roles/base/tasks/firewall.yml b/roles/base/tasks/firewall.yml
index 0fd8529..00bbefc 100644
--- a/roles/base/tasks/firewall.yml
+++ b/roles/base/tasks/firewall.yml
@@ -32,12 +32,14 @@
 ansible.builtin.template:
 src: fail2ban-ssh.conf.j2
 dest: /etc/fail2ban/jail.d/sshd.conf
+ mode: 0640
 notify: restart_fail2ban
 - name: Install Fail2ban IP allow list
 ansible.builtin.template:
 src: fail2ban-allowlist.conf.j2
 dest: /etc/fail2ban/jail.d/allowlist.conf
+ mode: 0640
 when: fail2ban_ignoreip is defined
 notify: restart_fail2ban
diff --git a/roles/base/tasks/mail.yml b/roles/base/tasks/mail.yml
index 93c0fe3..33da2db 100644
--- a/roles/base/tasks/mail.yml
+++ b/roles/base/tasks/mail.yml
@@ -11,9 +11,10 @@
 ansible.builtin.template:
 src: msmtprc.j2
 dest: /root/.msmtprc
- mode: 0700
+ mode: 0600
 - name: Install /etc/aliases
 ansible.builtin.copy:
 dest: /etc/aliases
 content: "root: {{ mail.rootalias }}"
+ mode: 0644
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 27040c7..8a0d8c0 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
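Review bot: The new `mode: 0640` lines in both firewall.yml tasks write the mode as an unquoted leading-zero integer, and the same form is used by every other `mode:` this patch adds (mail.yml, network.yml, system.yml, wireguard.yml, the docker, jellyfin and traefik roles), while the second proxy hunk even turns an already-quoted `mode: '0600'` into an unquoted `mode: 0400`. Ansible's YAML 1.1 loader reads `0640` as the octal integer 416, which the file modules accept, so the tasks work as written; the value only survives because the leading zero is there, and a YAML 1.2 reader takes the same token as decimal 640 while yamllint's `octal-values` rule rejects it outright. The parser-independent form recommended in the Ansible documentation is the quoted string, e.g. `mode: "0640"`, and using it consistently across the patch would also stop the proxy hunk from regressing the one mode that was already quoted.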
@@ -1,24 +1,31 @@
-- ansible.builtin.import_tasks: ansible.yml
+- name: Import Ansible tasks
+ ansible.builtin.import_tasks: ansible.yml
 tags: ansible
-- ansible.builtin.import_tasks: system.yml
+- name: Import System tasks
+ ansible.builtin.import_tasks: system.yml
 tags: system
-- ansible.builtin.import_tasks: firewall.yml
+- name: Import Firewall tasks
+ ansible.builtin.import_tasks: firewall.yml
 tags: firewall
-- ansible.builtin.import_tasks: network.yml
+- name: Import Network tasks
+ ansible.builtin.import_tasks: network.yml
 tags: network
 when: manage_network
-- ansible.builtin.import_tasks: mail.yml
+- name: Import Mail tasks
+ ansible.builtin.import_tasks: mail.yml
 tags: mail
 when: mail is defined
-- ansible.builtin.import_tasks: ddclient.yml
+- name: Import ddclient tasks
+ ansible.builtin.import_tasks: ddclient.yml
 tags: ddclient
 when: ddclient is defined
-- ansible.builtin.import_tasks: wireguard.yml
+- name: Import WireGuard tasks
+ ansible.builtin.import_tasks: wireguard.yml
 tags: wireguard
 when: wireguard is defined
diff --git a/roles/base/tasks/network.yml b/roles/base/tasks/network.yml
index c2d5743..225ea7c 100644
--- a/roles/base/tasks/network.yml
+++ b/roles/base/tasks/network.yml
@@ -10,5 +10,6 @@
 ansible.builtin.template:
 src: "interface.j2"
 dest: "/etc/network/interfaces.d/{{ item.name }}"
+ mode: 0400
 loop: "{{ interfaces }}"
 notify: reboot_host
diff --git a/roles/base/tasks/system.yml b/roles/base/tasks/system.yml
index 89ceef7..89b5ef3 100644
--- a/roles/base/tasks/system.yml
+++ b/roles/base/tasks/system.yml
@@ -8,6 +8,7 @@
 ansible.builtin.template:
 src: authorized_keys.j2
 dest: /root/.ssh/authorized_keys
+ mode: 0400
 when: authorized_keys is defined
 - name: Manage filesystem mounts
diff --git a/roles/base/tasks/wireguard.yml b/roles/base/tasks/wireguard.yml
index 99a51f3..7970e82 100644
--- a/roles/base/tasks/wireguard.yml
+++ b/roles/base/tasks/wireguard.yml
@@ -5,7 +5,9 @@
 update_cache: true
 - name: Generate WireGuard keys
- ansible.builtin.shell: wg genkey | tee privatekey | wg pubkey > publickey
+ ansible.builtin.shell: |
+ set -o pipefail
+ wg genkey | tee privatekey | wg pubkey > publickey
 args:
 chdir: /etc/wireguard/
 creates: /etc/wireguard/privatekey
@@ -19,8 +21,8 @@
 ansible.builtin.template:
 src: wireguard.j2
 dest: /etc/wireguard/wg0.conf
- notify:
- - restart_wireguard
+ mode: 0400
+ notify: restart_wireguard
 - name: Start WireGuard interface
 ansible.builtin.service:
diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml
new file mode 100644
index 0000000..47f5644
--- /dev/null
+++ b/roles/docker/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: Reload systemd manager configuration
+ ansible.builtin.systemd:
+ daemon_reload: true
+ listen: compose_systemd
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index f02a2ed..5eaecdc 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -8,17 +8,14 @@
 ansible.builtin.file:
 path: "{{ docker_compose_root }}"
 state: directory
+ mode: 0500
 - name: Install docker-compose systemd service
 ansible.builtin.template:
 src: docker-compose.service.j2
 dest: "/etc/systemd/system/{{ docker_compose_service }}@.service"
- register: compose_systemd
-
-- name: Reload systemd manager configuration
- ansible.builtin.systemd:
- daemon_reload: true
- when: compose_systemd.changed
+ mode: 0400
+ notify: compose_systemd
 - name: Add users to docker group
 ansible.builtin.user:
diff --git a/roles/jellyfin/defaults/main.yml b/roles/jellyfin/defaults/main.yml
index a58f97e..7140f4b 100644
--- a/roles/jellyfin/defaults/main.yml
+++ b/roles/jellyfin/defaults/main.yml
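Review bot: In the first wireguard.yml hunk, `wg genkey | tee privatekey` creates `/etc/wireguard/privatekey` with the shell's default umask, so unless the directory itself is kept unreadable to others (its creation is outside this hunk) the private key can land world-readable; make the block start with `umask 077` ahead of the pipeline. `set -o pipefail` also assumes a shell that implements it, and `ansible.builtin.shell` runs `/bin/sh` unless told otherwise, which on some targets (older dash builds) rejects the option and fails the task, so add `executable: /bin/bash` under `args:` next to `chdir`. Because `creates: /etc/wireguard/privatekey` skips the task once the file exists, hosts that already generated a key keep whatever mode it got, so existing hosts need a separate check.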
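Review bot: In the docker tasks hunk, replacing the immediate `daemon_reload` (the removed `when: compose_systemd.changed` task) with `notify: compose_systemd` defers the reload to the handler phase at the end of the play. Any task that runs later in the same play and starts a `{{ docker_compose_service }}@<instance>` unit (the `Start and enable … service` tasks shown as context in the jellyfin and traefik hunks look like such callers) would then see a stale unit list on a freshly provisioned host, unless those tasks pass `daemon_reload: true` themselves, which this diff does not show. The usual fix is to follow the template task with `- name: Flush handlers` / `ansible.builtin.meta: flush_handlers`, or to give the service-start tasks `daemon_reload: true`. The handler itself in roles/docker/handlers/main.yml is fine as written.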
@@ -2,4 +2,4 @@ jellyfin_name: jellyfin
 jellyfin_volume: "{{ jellyfin_name }}"
 jellyfin_router: "{{ jellyfin_name }}"
 jellyfin_rooturl: "https://{{ jellyfin_domain }}"
-jellyfin_root: "{{ docker_compose_root }}/{{ jellyfin_name }}"
\ No newline at end of file
+jellyfin_root: "{{ docker_compose_root }}/{{ jellyfin_name }}"
diff --git a/roles/jellyfin/tasks/main.yml b/roles/jellyfin/tasks/main.yml
index 9efb0eb..cf45dea 100644
--- a/roles/jellyfin/tasks/main.yml
+++ b/roles/jellyfin/tasks/main.yml
@@ -2,18 +2,19 @@
 ansible.builtin.file:
 path: "{{ jellyfin_root }}"
 state: directory
+ mode: 0500
 - name: Create jellyfin user
 ansible.builtin.user:
 name: jellyfin
 state: present
-- name: jellyfin user uid
+- name: Get user jellyfin uid
 ansible.builtin.getent:
 database: passwd
 key: jellyfin
-- name: jellyfin user gid
+- name: Get user jellyfin gid
 ansible.builtin.getent:
 database: group
 key: jellyfin
@@ -22,12 +23,14 @@
 ansible.builtin.template:
 src: docker-compose.yml.j2
 dest: "{{ jellyfin_root }}/docker-compose.yml"
+ mode: 0400
 notify: restart_jellyfin
 - name: Install Jellyfin's docker-compose variables
 ansible.builtin.template:
 src: compose-env.j2
 dest: "{{ jellyfin_root }}/.env"
+ mode: 0400
 notify: restart_jellyfin
 - name: Start and enable Jellyfin service
diff --git a/roles/proxy/tasks/main.yml b/roles/proxy/tasks/main.yml
index a35075a..f7ba8c6 100644
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@@ -36,12 +36,13 @@
 src: "/etc/nginx/sites-available/{{ item.item.domain }}.conf"
 dest: "/etc/nginx/sites-enabled/{{ item.item.domain }}.conf"
 state: link
+ mode: 0400
 loop: "{{ nginx_sites.results }}"
 when: item.changed
 notify: reload_nginx
 - name: Generate self-signed certificate
- ansible.builtin.shell: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
+ ansible.builtin.command: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
 -subj "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
 -keyout /etc/ssl/private/nginx-selfsigned.key \
 -out /etc/ssl/certs/nginx-selfsigned.crt'
@@ -60,13 +61,14 @@
 ansible.builtin.template:
 src: cloudflare.ini.j2
 dest: /root/.cloudflare.ini
- mode: '0600'
+ mode: 0400
 when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
 - name: Create nginx post renewal hook directory
 ansible.builtin.file:
 path: /etc/letsencrypt/renewal-hooks/post
 state: directory
+ mode: 0500
 when: proxy.production is defined and proxy.production
 - name: Install nginx post renewal hook
diff --git a/roles/traefik/handlers/main.yml b/roles/traefik/handlers/main.yml
index 3fe7c10..62377fd 100644
--- a/roles/traefik/handlers/main.yml
+++ b/roles/traefik/handlers/main.yml
@@ -2,6 +2,7 @@
 ansible.builtin.file:
 path: "{{ traefik_root }}/config/dynamic"
 state: touch
+ mode: 0500
 listen: reload_traefik
 - name: Restart Traefik
diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml
index 225f2be..32b0904 100644
--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
@@ -1,6 +1,7 @@
 - name: Create Traefik directories
 ansible.builtin.file:
 path: "{{ traefik_root }}/config/dynamic"
+ mode: 0500
 state: directory
 - name: Install dynamic security configuration
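Review bot: In the first proxy hunk, `mode: 0400` is added to a task whose `state: link` creates a symlink, and symlink permission bits cannot be changed on Linux, so the line has no effect on the link (the enabled site's effective permissions are those of the `sites-available` file, which is where a mode belongs) and is worth checking for spurious `changed` reports. In the same hunk the move to `ansible.builtin.command` keeps the single-quoted, backslash-continued scalar: inside a single-quoted YAML scalar `\` is literal and each folded line break becomes a space, so the rendered command contains `\ ` sequences that the module's argument splitting treats as escaped spaces, producing tokens such as ` -subj` with a leading space. Verify the rendered command on a host; a `>-` folded scalar without the trailing backslashes, or an `argv:` list with one element per argument, removes the ambiguity. The remainder of that task (any `creates:` guard) lies outside the hunk.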
@@ -9,13 +10,14 @@
 dest: "{{ traefik_root }}/config/dynamic/security.yml"
 owner: root
 group: root
- mode: 0600
+ mode: 0400
 notify: reload_traefik
 - name: Install dynamic non-docker configuration
 ansible.builtin.template:
 src: "external.yml.j2"
 dest: "{{ traefik_root }}/config/dynamic/{{ item.name }}.yml"
+ mode: 0400
 loop: "{{ traefik_external }}"
 when: traefik_external is defined
@@ -23,18 +25,21 @@
 ansible.builtin.template:
 src: docker-compose.yml.j2
 dest: "{{ traefik_root }}/docker-compose.yml"
+ mode: 0400
 notify: restart_traefik
 - name: Install Traefik's docker-compose variables
 ansible.builtin.template:
 src: compose-env.j2
 dest: "{{ traefik_root }}/.env"
+ mode: 0400
 notify: restart_traefik
 - name: Install static Traefik configuration
 ansible.builtin.template:
 src: traefik.yml.j2
 dest: "{{ traefik_root }}/config/traefik.yml"
+ mode: 0400
 notify: restart_traefik
 - name: Start and enable Traefik service