From d9fe5e8561253a2e104d0b0acf6504866701a20c Mon Sep 17 00:00:00 2001
From: juju4
Date: Sat, 26 Aug 2023 15:35:39 +0000
Subject: [PATCH] chore: more fix ansible-lint 6.17.2
---
deploy_client.yml | 2 +-
input.yml | 2 +-
main.yml | 3 +-
roles/client/handlers/main.yml | 6 ++--
roles/client/tasks/main.yml | 36 +++++++++++--------
roles/client/tasks/systems/CentOS.yml | 2 +-
roles/client/tasks/systems/Debian.yml | 2 +-
roles/client/tasks/systems/Fedora.yml | 2 +-
roles/client/tasks/systems/Ubuntu.yml | 2 +-
roles/client/tasks/systems/main.yml | 12 ++++---
roles/common/tasks/facts.yml | 8 ++---
roles/common/tasks/freebsd.yml | 26 ++++++++------
roles/common/tasks/iptables.yml | 8 ++---
roles/common/tasks/main.yml | 17 +++++----
roles/common/tasks/ubuntu.yml | 42 ++++++++++++----------
roles/common/tasks/unattended-upgrades.yml | 10 +++---
tasks/cloud-pre.yml | 8 ++---
tasks/tmpfs/linux.yml | 2 +-
tasks/tmpfs/macos.yml | 4 +--
tasks/tmpfs/main.yml | 8 ++---
tasks/tmpfs/umount.yml | 14 ++++----
users.yml | 15 +++++---
22 files changed, 134 insertions(+), 97 deletions(-)
diff --git a/deploy_client.yml b/deploy_client.yml
index ca89c40..bad6dc3 100644
--- a/deploy_client.yml
+++ b/deploy_client.yml
@@ -7,7 +7,7 @@ tasks: - name: Add the droplet to an inventory group - add_host: + ansible.builtin.add_host: name: "{{ client_ip }}" groups: client-host ansible_ssh_user: "{{ 'root' if client_ip == 'localhost' else ssh_user }}"
diff --git a/input.yml b/input.yml
index 3003f1e..a3816f7 100644
--- a/input.yml
+++ b/input.yml
@@ -141,4 +141,4 @@ {%- elif _store_pki.user_input is defined %}{{ booleans_map[_store_pki.user_input] | default(defaults['store_pki']) }} {%- else %}false{% endif %}{% endif %} rescue: - - ansible.builtin.include_tasks: playbooks/rescue.yml + - ansible.builtin.include_tasks: tasks/rescue.yml
diff --git a/main.yml b/main.yml
index a52c9a0..df96bee 100644
--- a/main.yml
+++ b/main.yml
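Review bot: The `ansible_ssh_user` key kept on the `add_host` entry in the deploy_client.yml hunk is the pre-2.0 alias of `ansible_user`; it still works, but it is deprecated and is exactly the kind of leftover an FQCN sweep like this one is meant to catch, so `ansible_user: "{{ 'root' if client_ip == 'localhost' else ssh_user }}"` would finish modernizing the task. The surrounding play (its `tasks:` list) continues outside the hunk.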
@@ -1,5 +1,6 @@ --- -- hosts: localhost +- name: Main playbook + hosts: localhost become: false tasks: - name: Playbook dir stat
diff --git a/roles/client/handlers/main.yml b/roles/client/handlers/main.yml
index 8fe8f5a..aa752bf 100644
--- a/roles/client/handlers/main.yml
+++ b/roles/client/handlers/main.yml
@@ -1,3 +1,5 @@ --- -- name: restart strongswan - service: name={{ strongswan_service }} state=restarted +- name: Restart strongswan + ansible.builtin.service: + name: "{{ strongswan_service }}" + state: restarted
diff --git a/roles/client/tasks/main.yml b/roles/client/tasks/main.yml
index 098da97..75aa1ab 100644
--- a/roles/client/tasks/main.yml
+++ b/roles/client/tasks/main.yml
@@ -1,11 +1,13 @@ --- - name: Gather Facts - setup: + ansible.builtin.setup: - name: Include system based facts and tasks - import_tasks: systems/main.yml + ansible.builtin.import_tasks: systems/main.yml - name: Install prerequisites - package: name="{{ item }}" state=present + ansible.builtin.package: + name: "{{ item }}" + state: present with_items: - "{{ prerequisites }}" register: result
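Review bot: Renaming the handler to `Restart strongswan` in roles/client/handlers/main.yml breaks every `notify` that still uses the old lowercase name, because handlers are matched by exact string and an unknown handler is a runtime error, not a lint warning. The `notify` entries in roles/client/tasks/main.yml are updated in this patch, but any other task file in the repository that notified `restart strongswan` is outside these hunks and would need the same edit; the lowercase `restart iptables`, `restart loopback bsd` and `restart systemd-*` names left untouched elsewhere in the diff suggest the capitalisation was only applied to this one role. A repository-wide search for the old name before merging would settle it.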
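Review bot: In the `Install prerequisites` task of roles/client/tasks/main.yml the new block-style `ansible.builtin.package` still installs one item per iteration through `with_items`, although the module accepts a list directly; `name: "{{ prerequisites }}"` with the loop removed does the same work in a single package-manager transaction, and the `register`/`until` retry then wraps one call instead of one per item. If the loop is intentionally kept, `loop:` is the form current ansible-lint rules prefer over `with_items`. The task's `until`/`retries`/`delay` lines sit in the next hunk.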
@@ -14,34 +16,36 @@ delay: 3 - name: Install strongSwan - package: name=strongswan state=present + ansible.builtin.package: + name: strongswan + state: present register: result until: result is succeeded retries: 10 delay: 3 - name: Setup the ipsec config - template: + ansible.builtin.template: src: roles/strongswan/templates/client_ipsec.conf.j2 dest: "{{ configs_prefix }}/ipsec.{{ IP_subject_alt_name }}.conf" mode: "0644" with_items: - "{{ vpn_user }}" notify: - - restart strongswan + - Restart strongswan - name: Setup the ipsec secrets - template: + ansible.builtin.template: src: roles/strongswan/templates/client_ipsec.secrets.j2 dest: "{{ configs_prefix }}/ipsec.{{ IP_subject_alt_name }}.secrets" mode: "0600" with_items: - "{{ vpn_user }}" notify: - - restart strongswan + - Restart strongswan - name: Include additional ipsec config - lineinfile: + ansible.builtin.lineinfile: dest: "{{ item.dest }}" line: "{{ item.line }}" create: true 
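Review bot: The `Include additional ipsec config` task at the end of this hunk keeps `create: true` on `ansible.builtin.lineinfile` with no `mode`, so when `{{ configs_prefix }}/ipsec.conf` or `ipsec.secrets` does not yet exist it is created with whatever the process umask yields; the three old lines hidden between this hunk and the next look like the first `with_items` entry, so no `mode` appears to be set anywhere in the task. Since `ipsec.secrets` holds credentials, add `mode: "{{ item.mode }}"` next to `create: true` and give each `with_items` entry a `mode:` (`"0600"` for the secrets file), the same per-item pattern this patch introduces for the key files further down; ansible-lint's `risky-file-permissions` rule flags exactly this case. The same gap is visible in the `blockinfile` task with `create: true` in roles/common/tasks/freebsd.yml and in the `Loopback for services configured` template in roles/common/tasks/ubuntu.yml, neither of which sets a `mode`. The task's `with_items` list continues outside the hunk.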
@@ -51,26 +55,30 @@ - dest: "{{ configs_prefix }}/ipsec.secrets" line: include ipsec.{{ IP_subject_alt_name }}.secrets notify: - - restart strongswan + - Restart strongswan - name: Configure libstrongswan to relax CA constraints - copy: + ansible.builtin.copy: src: libstrongswan-relax-constraints.conf dest: "{{ configs_prefix }}/strongswan.d/relax-ca-constraints.conf" owner: root group: root - mode: 0644 + mode: "0644" - name: Setup the certificates and keys - template: + ansible.builtin.template: src: "{{ item.src }}" dest: "{{ item.dest }}" + mode: "{{ item.mode }}" with_items: - src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/certs/{{ vpn_user }}.crt dest: "{{ configs_prefix }}/ipsec.d/certs/{{ vpn_user }}.crt" + mode: "0644" - src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/cacert.pem dest: "{{ configs_prefix }}/ipsec.d/cacerts/{{ IP_subject_alt_name }}.pem" + mode: "0644" - src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/private/{{ vpn_user }}.key dest: "{{ configs_prefix }}/ipsec.d/private/{{ vpn_user }}.key" + mode: "0600" notify: - - restart strongswan + - Restart strongswan
diff --git a/roles/client/tasks/systems/CentOS.yml b/roles/client/tasks/systems/CentOS.yml
index 68929df..18c4fa0 100644
--- a/roles/client/tasks/systems/CentOS.yml
+++ b/roles/client/tasks/systems/CentOS.yml
@@ -1,6 +1,6 @@ --- - name: Set OS specific facts - set_fact: + ansible.builtin.set_fact: prerequisites: - epel-release configs_prefix: /etc/strongswan
diff --git a/roles/client/tasks/systems/Debian.yml b/roles/client/tasks/systems/Debian.yml
index 36873c0..575447d 100644
--- a/roles/client/tasks/systems/Debian.yml
+++ b/roles/client/tasks/systems/Debian.yml
@@ -1,6 +1,6 @@ --- - name: Set OS specific facts - set_fact: + ansible.builtin.set_fact: prerequisites: - libstrongswan-standard-plugins configs_prefix: /etc
diff --git a/roles/client/tasks/systems/Fedora.yml b/roles/client/tasks/systems/Fedora.yml
index f480578..dbc7604 100644
--- a/roles/client/tasks/systems/Fedora.yml
+++ b/roles/client/tasks/systems/Fedora.yml
@@ -1,6 +1,6 @@ --- - name: Set OS specific facts - set_fact: + ansible.builtin.set_fact: prerequisites: - libselinux-python configs_prefix: /etc/strongswan
diff --git a/roles/client/tasks/systems/Ubuntu.yml b/roles/client/tasks/systems/Ubuntu.yml
index 36873c0..575447d 100644
--- a/roles/client/tasks/systems/Ubuntu.yml
+++ b/roles/client/tasks/systems/Ubuntu.yml
@@ -1,6 +1,6 @@ --- - name: Set OS specific facts - set_fact: + ansible.builtin.set_fact: prerequisites: - libstrongswan-standard-plugins configs_prefix: /etc
diff --git a/roles/client/tasks/systems/main.yml b/roles/client/tasks/systems/main.yml
index 62bf573..a8c8250 100644
--- a/roles/client/tasks/systems/main.yml
+++ b/roles/client/tasks/systems/main.yml
@@ -1,12 +1,16 @@ --- -- include_tasks: Debian.yml +- name: Include Debian + ansible.builtin.include_tasks: Debian.yml when: ansible_distribution == 'Debian' -- include_tasks: Ubuntu.yml +- name: Include Ubuntu + ansible.builtin.include_tasks: Ubuntu.yml when: ansible_distribution == 'Ubuntu' -- include_tasks: CentOS.yml +- name: Include CentOS + ansible.builtin.include_tasks: CentOS.yml when: ansible_distribution == 'CentOS' -- include_tasks: Fedora.yml +- name: Include Fedora + ansible.builtin.include_tasks: Fedora.yml when: ansible_distribution == 'Fedora'
diff --git a/roles/common/tasks/facts.yml b/roles/common/tasks/facts.yml
index 61a17ae..473e526 100644
--- a/roles/common/tasks/facts.yml
+++ b/roles/common/tasks/facts.yml
@@ -1,20 +1,20 @@ --- - name: Define facts - set_fact: + ansible.builtin.set_fact: p12_export_password: "{{ p12_password|default(lookup('password', '/dev/null length=9 chars=ascii_letters,digits,_,@')) }}" tags: update-users - name: Set facts - set_fact: + ansible.builtin.set_fact: CA_password: "{{ ca_password|default(lookup('password', '/dev/null length=16 chars=ascii_letters,digits,_,@')) }}" IP_subject_alt_name: "{{ IP_subject_alt_name }}" - name: Set IPv6 support as a fact - set_fact: + ansible.builtin.set_fact: ipv6_support: "{% if ansible_default_ipv6['gateway'] is defined %}true{% else %}false{% endif %}" tags: always - name: Check size of MTU - set_fact: + ansible.builtin.set_fact: reduce_mtu: "{{ 1500 - ansible_default_ipv4['mtu']|int if reduce_mtu|int == 0 and ansible_default_ipv4['mtu']|int < 1500 else reduce_mtu|int }}" tags: always
diff --git a/roles/common/tasks/freebsd.yml b/roles/common/tasks/freebsd.yml
index cb8361e..12453c9 100644
--- a/roles/common/tasks/freebsd.yml
+++ b/roles/common/tasks/freebsd.yml
@@ -1,6 +1,6 @@ --- - name: FreeBSD | Install prerequisites - package: + ansible.builtin.package: name: - python3 - sudo
@@ -8,16 +8,16 @@ ansible_python_interpreter: /usr/local/bin/python2.7 - name: Set python3 as the interpreter to use - set_fact: + ansible.builtin.set_fact: ansible_python_interpreter: /usr/local/bin/python3 - name: Gather facts - setup: + ansible.builtin.setup: - name: Gather additional facts - import_tasks: facts.yml + ansible.builtin.import_tasks: facts.yml - name: Set OS specific facts - set_fact: + ansible.builtin.set_fact: config_prefix: /usr/local/ strongswan_shell: /usr/sbin/nologin strongswan_home: /var/empty
@@ -42,12 +42,14 @@ value: 1 - name: Install tools - package: name="{{ item }}" state=present + ansible.builtin.package: + name: "{{ item }}" + state: present with_items: - "{{ tools|default([]) }}" - name: Loopback included into the rc config - blockinfile: + ansible.builtin.blockinfile: dest: /etc/rc.conf create: true block: |
@@ -58,7 +60,10 @@ - restart loopback bsd - name: Enable the gateway features - lineinfile: dest=/etc/rc.conf regexp='^{{ item.param }}.*' line='{{ item.param }}={{ item.value }}' + ansible.builtin.lineinfile: + dest: /etc/rc.conf + regexp: '^{{ item.param }}.*' + line: '{{ item.param }}={{ item.value }}' with_items: - { param: firewall_enable, value: '"YES"' } - { param: firewall_type, value: '"open"' }
@@ -70,9 +75,10 @@ - restart ipfw - name: FreeBSD | Activate IPFW - shell: > + ansible.builtin.shell: > kldstat -n ipfw.ko || kldload ipfw ; sysctl net.inet.ip.fw.enable=0 && bash /etc/rc.firewall && sysctl net.inet.ip.fw.enable=1 changed_when: false -- meta: flush_handlers +- name: Flush handlers + ansible.builtin.meta: flush_handlers
diff --git a/roles/common/tasks/iptables.yml b/roles/common/tasks/iptables.yml
index 463dc38..0b85c55 100644
--- a/roles/common/tasks/iptables.yml
+++ b/roles/common/tasks/iptables.yml
@@ -1,23 +1,23 @@ --- - name: Iptables configured - template: + ansible.builtin.template: src: "{{ item.src }}" dest: "{{ item.dest }}" owner: root group: root - mode: 0640 + mode: "0640" with_items: - { src: rules.v4.j2, dest: /etc/iptables/rules.v4 } notify: - restart iptables - name: Iptables configured - template: + ansible.builtin.template: src: "{{ item.src }}" dest: "{{ item.dest }}" owner: root group: root - mode: 0640 + mode: "0640" when: ipv6_support with_items: - { src: rules.v6.j2, dest: /etc/iptables/rules.v6 }
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 2cfc6d7..cc8971c 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
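Review bot: Both tasks in the roles/common/tasks/iptables.yml hunk keep the identical name `Iptables configured`, so play output, `--start-at-task` and `--list-tasks` cannot distinguish the IPv4 rules file from the IPv6 one; while the tasks are being rewritten anyway, `- name: Iptables v4 configured` and `- name: Iptables v6 configured` (the latter being the `when: ipv6_support` task) would make the firewall steps traceable in logs. The quoted `mode: "0640"` values added here are the right fix for the octal-literal problem.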
@@ -1,30 +1,35 @@ --- - name: Check the system - raw: uname -a + ansible.builtin.raw: uname -a register: OS changed_when: false tags: - update-users -- fail: +- name: Fail + ansible.builtin.fail: when: cloud_test|default(false)|bool -- include_tasks: ubuntu.yml +- name: Include ubuntu + ansible.builtin.include_tasks: ubuntu.yml when: '"Ubuntu" in OS.stdout or "Linux" in OS.stdout' tags: - update-users -- include_tasks: freebsd.yml +- name: Include freebsd + ansible.builtin.include_tasks: freebsd.yml when: '"FreeBSD" in OS.stdout' tags: - update-users - name: Sysctl tuning - sysctl: name="{{ item.item }}" value="{{ item.value }}" + ansible.posix.sysctl: + name: "{{ item.item }}" + value: "{{ item.value }}" when: item.item with_items: - "{{ sysctl|default([]) }}" tags: - always -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers
diff --git a/roles/common/tasks/ubuntu.yml b/roles/common/tasks/ubuntu.yml
index caa1d30..b137ba0 100644
--- a/roles/common/tasks/ubuntu.yml
+++ b/roles/common/tasks/ubuntu.yml
@@ -1,10 +1,10 @@ --- - name: Gather facts - setup: + ansible.builtin.setup: - name: Cloud only tasks block: - name: Install software updates - apt: + ansible.builtin.apt: update_cache: true install_recommends: true upgrade: dist
@@ -14,21 +14,21 @@ delay: 10 - name: Check if reboot is required - shell: > + ansible.builtin.shell: > if [[ -e /var/run/reboot-required ]]; then echo "required"; else echo "no"; fi args: executable: /bin/bash register: reboot_required - name: Reboot - shell: sleep 2 && shutdown -r now "Ansible updates triggered" + ansible.builtin.shell: sleep 2 && shutdown -r now "Ansible updates triggered" async: 1 poll: 0 when: reboot_required is defined and reboot_required.stdout == 'required' ignore_errors: true - name: Wait until the server becomes ready... - wait_for_connection: + ansible.builtin.wait_for_connection: delay: 20 timeout: 320 when: reboot_required is defined and reboot_required.stdout == 'required'
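Review bot: The last line of the roles/common/tasks/main.yml hunk, `- ansible.builtin.meta: flush_handlers`, is left without a `name`, while the identical task in roles/common/tasks/freebsd.yml is rewritten in this same patch as `- name: Flush handlers` plus `ansible.builtin.meta: flush_handlers`; the same unnamed form is also kept in the roles/common/tasks/ubuntu.yml hunk at old line 73. Whether or not the `name[missing]` check fires on `meta` tasks, the three files now disagree, and using the two-line named form everywhere keeps them consistent. In the same hunk, `- name: Fail` says nothing about why the play aborts; something like `- name: Abort when running in cloud test mode` with a `msg:` on the `ansible.builtin.fail` would carry that reason into the output.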
@@ -36,16 +36,19 @@ when: algo_provider != "local" - name: Include unattended upgrades configuration - import_tasks: unattended-upgrades.yml + ansible.builtin.import_tasks: unattended-upgrades.yml - name: Disable MOTD on login and SSHD - replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}" + ansible.builtin.replace: + dest: "{{ item.file }}" + regexp: "{{ item.regexp }}" + replace: "{{ item.line }}" with_items: - { regexp: ^session.*optional.*pam_motd.so.*, line: "# MOTD DISABLED", file: /etc/pam.d/login } - { regexp: ^session.*optional.*pam_motd.so.*, line: "# MOTD DISABLED", file: /etc/pam.d/sshd } - name: Ensure fallback resolvers are set - ini_file: + community.general.ini_file: path: /etc/systemd/resolved.conf section: Resolve option: FallbackDNS
@@ -54,14 +57,14 @@ - restart systemd-resolved - name: Loopback for services configured - template: + ansible.builtin.template: src: 10-algo-lo100.network.j2 dest: /etc/systemd/network/10-algo-lo100.network notify: - restart systemd-networkd - name: systemd services enabled and started - systemd: + ansible.builtin.systemd: name: "{{ item }}" state: started enabled: true
@@ -70,24 +73,24 @@ - systemd-networkd - systemd-resolved -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers - name: Check apparmor support - command: apparmor_status + ansible.builtin.command: apparmor_status ignore_errors: true changed_when: false register: apparmor_status - name: Set fact if apparmor enabled - set_fact: + ansible.builtin.set_fact: apparmor_enabled: true when: '"profiles are in enforce mode" in apparmor_status.stdout' - name: Gather additional facts - import_tasks: facts.yml + ansible.builtin.import_tasks: facts.yml - name: Set OS specific facts - set_fact: + ansible.builtin.set_fact: tools: - git - screen
@@ -107,13 +110,13 @@ value: 1 - name: Install tools - apt: + ansible.builtin.apt: name: "{{ tools|default([]) }}" state: present update_cache: true - name: Install headers - apt: + ansible.builtin.apt: name: - linux-headers-generic - linux-headers-{{ ansible_kernel }}
@@ -121,8 +124,9 @@ when: install_headers | bool - name: Configure the alternative ingress ip - include_tasks: aip/main.yml + ansible.builtin.include_tasks: aip/main.yml when: alternative_ingress_ip -- include_tasks: iptables.yml +- name: Include iptables + ansible.builtin.include_tasks: iptables.yml tags: iptables
diff --git a/roles/common/tasks/unattended-upgrades.yml b/roles/common/tasks/unattended-upgrades.yml
index da7c2fb..0e7d474 100644
--- a/roles/common/tasks/unattended-upgrades.yml
+++ b/roles/common/tasks/unattended-upgrades.yml
@@ -1,21 +1,21 @@ --- - name: Install unattended-upgrades - apt: + ansible.builtin.apt: name: unattended-upgrades state: present - name: Configure unattended-upgrades - template: + ansible.builtin.template: src: 50unattended-upgrades.j2 dest: /etc/apt/apt.conf.d/50unattended-upgrades owner: root group: root - mode: 0644 + mode: "0644" - name: Periodic upgrades configured - template: + ansible.builtin.template: src: 10periodic.j2 dest: /etc/apt/apt.conf.d/10periodic owner: root group: root - mode: 0644 + mode: "0644"
diff --git a/tasks/cloud-pre.yml b/tasks/cloud-pre.yml
index aa8051d..0d6a2c1 100644
--- a/tasks/cloud-pre.yml
+++ b/tasks/cloud-pre.yml
@@ -1,5 +1,7 @@ --- - name: cloud-pre + delegate_to: localhost + become: false block: - name: Display the invocation environment ansible.builtin.shell:
>
@@ -26,21 +28,19 @@ tags: - always - skip_ansible_lint - delegate_to: localhost - become: false - name: Provider not local when: algo_provider != "local" block: - name: Generate the SSH private key - ansible.builtin.openssl_privatekey: + community.crypto.openssl_privatekey: path: "{{ SSH_keys.private }}" size: 2048 mode: "0600" type: RSA - name: Generate the SSH public key - ansible.builtin.openssl_publickey: + community.crypto.openssl_publickey: path: "{{ SSH_keys.public }}" privatekey_path: "{{ SSH_keys.private }}" format: OpenSSH
diff --git a/tasks/tmpfs/linux.yml b/tasks/tmpfs/linux.yml
index d36ef7b..4f5f84d 100644
--- a/tasks/tmpfs/linux.yml
+++ b/tasks/tmpfs/linux.yml
@@ -1,5 +1,5 @@ --- - name: Linux | set OS specific facts - set_fact: + ansible.builtin.set_fact: tmpfs_volume_name: AlgoVPN-{{ IP_subject_alt_name }} tmpfs_volume_path: /dev/shm
diff --git a/tasks/tmpfs/macos.yml b/tasks/tmpfs/macos.yml
index 2e56037..2788117 100644
--- a/tasks/tmpfs/macos.yml
+++ b/tasks/tmpfs/macos.yml
@@ -1,11 +1,11 @@ --- - name: MacOS | set OS specific facts - set_fact: + ansible.builtin.set_fact: tmpfs_volume_name: AlgoVPN-{{ IP_subject_alt_name }} tmpfs_volume_path: /Volumes - name: MacOS | mount a ram disk - shell: > + ansible.builtin.shell: > /usr/sbin/diskutil info "/{{ tmpfs_volume_path }}/{{ tmpfs_volume_name }}/" || /usr/sbin/diskutil erasevolume HFS+ "{{ tmpfs_volume_name }}" $(hdiutil attach -nomount ram://64000) args:
diff --git a/tasks/tmpfs/main.yml b/tasks/tmpfs/main.yml
index 628130e..7c1733b 100644
--- a/tasks/tmpfs/main.yml
+++ b/tasks/tmpfs/main.yml
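Review bot: Moving the key-generation tasks in tasks/cloud-pre.yml to `community.crypto.openssl_privatekey` and `community.crypto.openssl_publickey` (together with `ansible.posix.sysctl` in roles/common/tasks/main.yml and `community.general.ini_file` in roles/common/tasks/ubuntu.yml) makes the playbook depend on three collections that are not shipped with ansible-core, and nothing in this patch declares or pins them, so a minimal ansible-core install will fail at module resolution before the first task runs. If the project has a `requirements.yml`, it should list `community.crypto`, `community.general` and `ansible.posix` with pinned versions and CI should install it with `ansible-galaxy collection install -r requirements.yml`; if it does not, this change is the right moment to add one. Pinning the collection versions also gives a stable, reviewable supply chain for the code that generates the SSH key pair. I cannot see the requirements file from this diff, so this may already be in place.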
@@ -1,17 +1,17 @@ --- - name: Include tasks for MacOS - import_tasks: macos.yml + ansible.builtin.import_tasks: macos.yml when: ansible_system == "Darwin" - name: Include tasks for Linux - import_tasks: linux.yml + ansible.builtin.import_tasks: linux.yml when: ansible_system == "Linux" - name: Set config paths as facts - set_fact: + ansible.builtin.set_fact: ipsec_pki_path: /{{ tmpfs_volume_path }}/{{ tmpfs_volume_name }}/IPsec/ - name: Update config paths - add_host: + ansible.builtin.add_host: name: "{{ 'localhost' if cloud_instance_ip == 'localhost' else cloud_instance_ip }}" ipsec_pki_path: "{{ ipsec_pki_path }}"
diff --git a/tasks/tmpfs/umount.yml b/tasks/tmpfs/umount.yml
index 6c002cc..ada9a2b 100644
--- a/tasks/tmpfs/umount.yml
+++ b/tasks/tmpfs/umount.yml
@@ -1,19 +1,22 @@ --- - name: Linux | Delete the PKI directory - file: + ansible.builtin.file: path: /{{ facts.tmpfs_volume_path }}/{{ facts.tmpfs_volume_name }}/ state: absent when: facts.ansible_system == "Linux" -- block: +- name: Darwin + when: + - facts.ansible_system == "Darwin" + block: - name: MacOS | check fs the ramdisk exists - command: /usr/sbin/diskutil info "{{ facts.tmpfs_volume_name }}" + ansible.builtin.command: /usr/sbin/diskutil info "{{ facts.tmpfs_volume_name }}" ignore_errors: true changed_when: false register: diskutil_info - name: MacOS | unmount and eject the ram disk - shell: > + ansible.builtin.shell: > /usr/sbin/diskutil umount force "/{{ facts.tmpfs_volume_path }}/{{ facts.tmpfs_volume_name }}/" && /usr/sbin/diskutil eject "{{ facts.tmpfs_volume_name }}" changed_when: false
@@ -22,5 +25,4 @@ until: result.rc == 0 retries: 5 delay: 3 - when: - - facts.ansible_system == "Darwin" +
diff --git a/users.yml b/users.yml
index 365d671..a9d4828 100644
--- a/users.yml
+++ b/users.yml
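Review bot: The second tasks/tmpfs/umount.yml hunk replaces the trailing `when:` pair with a single added empty line after `delay: 3` (old 5 lines become new 4, the last one blank), so the file now ends with a blank line; yamllint's `empty-lines` rule reports that and ansible-lint surfaces it, which undoes part of what this lint-fix commit sets out to do. Drop the added blank line so the file ends with exactly one newline. Hoisting the `when` onto the block is fine, though the block name `Darwin` is terse next to the `MacOS | ...` task names inside it; `- name: MacOS | unmount the ram disk` would read consistently.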
@@ -98,23 +98,28 @@ tasks: - name: Play roles block: - - ansible.builtin.import_role: + - name: Import common + ansible.builtin.import_role: name: common - - ansible.builtin.import_role: + - name: Import wireguard + ansible.builtin.import_role: name: wireguard when: wireguard_enabled - - ansible.builtin.import_role: + - name: Import strongswan + ansible.builtin.import_role: name: strongswan when: ipsec_enabled tags: ipsec - - ansible.builtin.import_role: + - name: Import ssh_tunneling + ansible.builtin.import_role: name: ssh_tunneling when: algo_ssh_tunneling - - ansible.builtin.debug: + - name: End message + ansible.builtin.debug: msg: - "{{ congrats.common.split('\n') }}" - " {{ congrats.p12_pass if algo_ssh_tunneling or ipsec_enabled else '' }}"