| author | Romain Gonçalves <me@rgoncalves.se> | 2024-02-08 13:32:37 +0100 | 
|---|---|---|
| committer | Romain Gonçalves <me@rgoncalves.se> | 2024-02-08 13:33:36 +0100 | 
| commit | adfb09b9e19f7a31632eab01171693cb81ec75ef (patch) | |
| tree | 7b05135581ff49e7a5655ab07af7bba2ada43585 /roles | |
| parent | 5c5b0fbf68dca224b7f92f5de0913fd684e7d3d9 (diff) | |
| download | rules-adfb09b9e19f7a31632eab01171693cb81ec75ef.tar.gz | |
refactor(roles): new variable naming standard
Diffstat (limited to 'roles')
28 files changed, 171 insertions, 206 deletions
diff --git a/roles/acme/defaults/main.yml b/roles/acme/defaults/main.yml index 81d3b2b..1665d3a 100644 --- a/roles/acme/defaults/main.yml +++ b/roles/acme/defaults/main.yml @@ -1,9 +1,9 @@  --- -acme_configuration_file: /etc/acme-client.conf -acme_certificates_dir: /etc/ssl -acme_keys_dir: /etc/ssl/private +acme__configuration_file: /etc/acme-client.conf +acme__certificates_dir: /etc/ssl +acme__keys_dir: /etc/ssl/private -acme_authority_name: letsencrypt -acme_authority_url: https://acme-v02.api.letsencrypt.org/directory -acme_authority_key: /etc/acme/letsencrypt-privkey.pem +acme__authority_name: letsencrypt +acme__authority_url: https://acme-v02.api.letsencrypt.org/directory +acme__authority_key: /etc/acme/letsencrypt-privkey.pem diff --git a/roles/acme/meta/main.yml b/roles/acme/meta/main.yml index 0458175..f3eccc3 100644 --- a/roles/acme/meta/main.yml +++ b/roles/acme/meta/main.yml @@ -5,7 +5,7 @@ argument_specs:      short_description: acme main entrypoint.      options: -      acme_rules: +      acme__rules:          type: list          elements: dict          required: true 
@@ -15,37 +15,37 @@ argument_specs:              required: true              description: Acme domain name -      acme_authority_name: +      acme__authority_name:          type: str          required: true          description: Acme authority name -      acme_authority_url: +      acme__authority_url:          type: str          required: true          description: Acme authority api url -      acme_authority_key: +      acme__authority_key:          type: path          required: true          description: Acme authority key file -      acme_certificates_dir: +      acme__certificates_dir:          type: path          required: true          description: Acme certificates directory -      acme_keys_dir: +      acme__keys_dir:          type: path          required: true          description: Acme keys directory -      acme_configuration_file: +      acme__configuration_file:          type: path          required: true          description: Acme configuration file -      relayd_connected_hosts: +      relayd__connected_hosts:          type: str          required: true          description: Group name of hosts for generating certificates diff --git a/roles/acme/tasks/main.yml b/roles/acme/tasks/main.yml index 040c176..0435265 100644 --- a/roles/acme/tasks/main.yml +++ b/roles/acme/tasks/main.yml @@ -3,7 +3,7 @@  - name: generate acme-client configuration    ansible.builtin.template:      src: acme-client.conf.j2 -    dest: "{{ acme_configuration_file }}" +    dest: "{{ acme__configuration_file }}"      owner: 0      group: 0      mode: "0644" 
@@ -11,20 +11,20 @@  - name: retrieve enabled domains    ansible.builtin.shell: |      set -o pipefail -    grep "^domain" {{ acme_configuration_file }} | cut -d " " -f 2 -  register: acme_result_subdomains +    grep "^domain" {{ acme__configuration_file }} | cut -d " " -f 2 +  register: acme__result_subdomains    changed_when: false  - name: generate acme certificates    ansible.builtin.command: acme-client -v {{ item }} -  loop: "{{ acme_result_subdomains.stdout_lines }}" -  register: acme_result_generation -  failed_when: acme_result_generation.rc == 1 -  changed_when: acme_result_generation.rc != 2 +  loop: "{{ acme__result_subdomains.stdout_lines }}" +  register: acme__result_generation +  failed_when: acme__result_generation.rc == 1 +  changed_when: acme__result_generation.rc != 2  - name: display registered certificates    ansible.builtin.debug: -    msg: "{{ acme_result_generation.results | map(attribute='stderr') +    msg: "{{ acme__result_generation.results | map(attribute='stderr')        | join('\n') }}"  - name: enable automatic acme certificates update @@ -33,4 +33,9 @@      minute: 0      hour: 6,18      job: "acme-client -v {{ item }} && rcctl reload relayd" -  loop: "{{ acme_result_subdomains.stdout_lines }}" +  loop: "{{ acme__result_subdomains.stdout_lines }}" + +- name: restart relayd +  ansible.builtin.service: +    name: relayd +    state: restarted diff --git a/roles/acme/templates/acme-client.conf.j2 b/roles/acme/templates/acme-client.conf.j2 index 9453cec..00c2f60 100644 --- a/roles/acme/templates/acme-client.conf.j2 +++ b/roles/acme/templates/acme-client.conf.j2 
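Review bot: The new `restart relayd` task at the end of the second hunk (`@@ -33,4 +33,9 @@`) runs unconditionally, so every play restarts relayd and drops in-flight TLS connections even when no certificate was issued or renewed. The cron entry a few lines above already uses `rcctl reload relayd`, and the generation task registers `acme__result_generation` with `changed_when: acme__result_generation.rc != 2`, so a renewal is exactly the changed case and the task can be gated and softened: `state: reloaded` plus `when: acme__result_generation.changed`. Other roles in this commit mark such inline restarts with `# noqa: no-handler`; if a handler is not wanted here, the same marker keeps ansible-lint consistent across roles.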
@@ -1,19 +1,19 @@  # managed by Ansible  {% import 'macros.j2' as macros with context %} -authority {{ acme_authority_name }} { -	api url "{{ acme_authority_url }}" -	account key "{{ acme_authority_key }}" +authority {{ acme__authority_name }} { +	api url "{{ acme__authority_url }}" +	account key "{{ acme__authority_key }}"  } -{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%} -{% for rule in h.acme_rules %} +{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%} +{% for rule in h.acme__rules %}  domain {{ rule.domain }} { -	alternative names { www.{{ rule.domain }} } -	domain key "{{ acme_keys_dir }}/{{ rule.domain }}.key" -	domain full chain certificate "{{ acme_certificates_dir }}/{{ rule.domain }}.crt" -	sign with {{ acme_authority_name }} +	# alternative names { www.{{ rule.domain }} } +	domain key "{{ acme__keys_dir }}/{{ rule.domain }}.key" +	domain full chain certificate "{{ acme__certificates_dir }}/{{ rule.domain }}.crt" +	sign with {{ acme__authority_name }}  }  {% endfor %}  {%- endcall %} diff --git a/roles/cgit/meta/main.yml b/roles/cgit/meta/main.yml index ddd865d..1efbc4b 100644 --- a/roles/cgit/meta/main.yml +++ b/roles/cgit/meta/main.yml @@ -2,7 +2,7 @@  dependencies:    - role: git -  - role: httpd_pre +  - role: httpd__pre  argument_specs:    main: diff --git a/roles/git/meta/main.yml b/roles/git/meta/main.yml index 1117027..8877ff2 100644 --- a/roles/git/meta/main.yml +++ b/roles/git/meta/main.yml @@ -1,8 +1,8 @@  ---  dependencies: -  - role: sshd_keys -    sshd_keys_users: +  - role: sshd__keys +    sshd__keys_users:        - "{{ git_user }}"  argument_specs: diff --git a/roles/httpd/defaults/main.yml b/roles/httpd/defaults/main.yml index f5e0a43..c0f92ed 100644 --- a/roles/httpd/defaults/main.yml +++ b/roles/httpd/defaults/main.yml 
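Review bot: Commenting out `alternative names { www.{{ rule.domain }} }` silently drops the www SAN from every certificate issued or renewed from now on, which is a behaviour change hidden inside a rename-only commit; any host still answering on `www.<domain>` will present a certificate that no longer covers it after the next renewal. If the intent is to stop requesting the www name, delete the line instead of leaving a dead template comment and say so in the commit message; if only some domains need it, make it per rule, e.g. wrap the line in `{% if rule.alternative_names is defined %}` … `{% endif %}` and add a matching option to the acme argument spec. The relayd template in this same commit matches `Host` only against `rule.domain`, so the www name may already be unreachable — worth confirming before deciding which way to go.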
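Review bot: `- role: httpd__pre` in roles/cgit/meta/main.yml (and again in roles/vmm/meta/main.yml) and `- role: sshd__keys` in roles/git/meta/main.yml reference roles by names that do not match the directories this diff shows: `roles/sshd_keys/` keeps its name in every path of the diffstat, and no rename of a `httpd_pre` directory appears among the 28 files. Unless those directories are renamed outside the `roles` tree shown here, Ansible will fail at play start with an unresolvable role dependency. The variable prefixes are likewise split between two schemes: git/meta passes `sshd__keys_users` while roles/sshd_keys/defaults/main.yml now declares `sshd_keys__users`, so the value handed to the dependency never reaches the role's own variable. Pick one scheme — the defaults' `sshd_keys__` form matches the directory name and the `<role>__` standard the commit title announces — and use it in both the dependency entry and the role.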
@@ -1,15 +1,6 @@  --- -httpd_configuration_file: /etc/httpd.conf -httpd_configuration_dir: /etc/httpd.d -httpd_chroot_dir: /var/www -httpd_passwords_dir: "{{ httpd_chroot_dir }}/htpasswd" -httpd_sites_dir: "{{ httpd_chroot_dir }}/htdocs" - -httpd_user: www -httpd_group: www - -httpd_supported_types: +httpd__supported_types:    - application/xml xml rss    - image/gif gif    - image/jpeg jpeg jpg diff --git a/roles/httpd/tasks/main.yml b/roles/httpd/tasks/main.yml index 584ae0b..194f198 100644 --- a/roles/httpd/tasks/main.yml +++ b/roles/httpd/tasks/main.yml @@ -1,39 +1,25 @@  --- -- name: create httpd directory +- name: create static sites directories    ansible.builtin.file: -    path: "{{ httpd_configuration_dir }}" +    path: "{{ httpd_pre__sites_dir }}/{{ item.domain }}"      state: directory -    owner: 0 -    group: 0 -    mode: "0644" - -- name: create passwords directory -  ansible.builtin.file: -    path: "{{ httpd_passwords_dir }}" -    state: directory -    owner: "{{ httpd_user }}" -    group: "{{ httpd_group }}" -    mode: "0700" - -- name: create sites directory -  ansible.builtin.file: -    path: "{{ httpd_sites_dir }}" -    state: directory -    owner: 0 -    group: 0 +    owner: "{{ httpd_pre__user }}" +    group: "{{ httpd_pre__group }}"      mode: "0755" +  loop: "{{ httpd__rules }}" +  when: item.extra.type is defined and item.extra.type == "static"  - name: retrieve all configuration files    ansible.builtin.find: -    path: "{{ httpd_configuration_dir }}" +    path: "{{ httpd_pre__configuration_dir }}"      patterns: "*.conf" -  register: httpd_configuration_files +  register: httpd__configuration_files  - name: generate httpd configuration    ansible.builtin.template:      src: httpd.conf.j2 -    dest: "{{ httpd_configuration_file }}" +    dest: "{{ httpd_pre__configuration_file }}"      owner: 0      group: 0      mode: "0644" diff --git a/roles/httpd/templates/httpd.conf.j2 b/roles/httpd/templates/httpd.conf.j2 index 49e928d..9225244 100644 
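Review bot: `owner: "{{ httpd_pre__user }}"` / `group: "{{ httpd_pre__group }}"` on the new per-domain docroot in roles/httpd/tasks/main.yml makes the web server's account the owner of the content it serves, whereas the sites directory it replaces was `owner: 0` / `group: 0` with mode 0755. If `httpd_pre__user` is the daemon account (it is not visible here), a compromised httpd process could then rewrite the static sites it serves; unless httpd genuinely needs to write into the docroot, keep `owner: 0`, `group: 0`, `mode: "0755"` and let the daemon read it through the world-readable bits. Separately, `httpd_pre__*` and `httpd__rules` are consumed by this role but the defaults file in this hunk no longer declares anything but `httpd__supported_types`, and roles/httpd/meta/main.yml is not touched by the commit; the inherited variables should be listed in the argument spec or the `httpd_pre` dependency should be documented in a comment at the top of the tasks file.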
--- a/roles/httpd/templates/httpd.conf.j2 +++ b/roles/httpd/templates/httpd.conf.j2 @@ -1,24 +1,38 @@  # managed by Ansible  types { -{% for type in httpd_supported_types %} +{% for type in httpd__supported_types %}  	{{ type }}  {% endfor %}  } -server "acme" { -	listen on localhost port 8888 +server "default" { +	listen on * port 8888 +	log style {{ httpd__log_format }} +	# acme tls challenge  	location "/.well-known/acme-challenge/*" {  		root "/acme"  		request strip 2  	} +	# redirection  	location * {  		block return 302 "https://$HTTP_HOST$REQUEST_URI"  	}  } -{% for file in httpd_configuration_files.files %} +{% for item in httpd__rules  %} +{% if item.extra.type is defined and item.extra.type == "static" %} +server "{{ item.domain }}" { +	listen on localhost port {{ item.port }} +	log style {{ httpd__log_format }} +	root "{{ httpd_pre__chroot_sites_dir }}/{{ item.domain }}" +} + +{% endif %} +{% endfor %} + +{% for file in httpd__configuration_files.files %}  include "{{ file.path }}"  {% endfor %} diff --git a/roles/pf/defaults/main.yml b/roles/pf/defaults/main.yml index 90b4c7e..7e8ac41 100644 --- a/roles/pf/defaults/main.yml +++ b/roles/pf/defaults/main.yml @@ -1,8 +1,8 @@  --- -pf_rules: null +pf__rules: null -pf_configuration_file: /etc/pf.conf -pf_test_delay: 2 -pf_test_ports: +pf__configuration_file: /etc/pf.conf +pf__test_delay: 2 +pf__test_ports:    - "{{ ansible_port }}" diff --git a/roles/pf/meta/main.yml b/roles/pf/meta/main.yml index 8a6aa88..9c02951 100644 --- a/roles/pf/meta/main.yml +++ b/roles/pf/meta/main.yml @@ -5,7 +5,7 @@ argument_specs:      short_description: pf main entrypoint.      options: -      pf_rules: +      pf__rules:          type: list          elements: dict          required: true 
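Review bot: `listen on * port 8888` replaces `listen on localhost port 8888`, so the default server is now bound on every interface rather than loopback only; the content it serves (ACME challenge and a catch-all 302) is small, but the change widens the listening surface and relies on the pf rules to keep 8888 unreachable from outside, which deserves a comment next to the line stating that dependency. `log style {{ httpd__log_format }}` (used twice) introduces a variable that roles/httpd/defaults/main.yml in this same commit does not define, so rendering fails unless it is set elsewhere; add a default such as `httpd__log_format: forwarded`, which would log the X-Forwarded-For header relayd now sets. Minor: `{% for item in httpd__rules  %}` has a doubled space, and the static-site server roots at `httpd_pre__chroot_sites_dir` while the task that creates the directory uses `httpd_pre__sites_dir` — presumably chroot-relative versus absolute, but a one-line comment would stop the next reader from taking it for a typo.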
@@ -25,17 +25,17 @@ argument_specs:              required: true              description: Port to be configured -      pf_configuration_file: +      pf__configuration_file:          type: path          required: true          description: Pf configuration file -      pf_test_delay: +      pf__test_delay:          type: int          required: true          description: Pf test delay -      pf_test_ports: +      pf__test_ports:          type: list          element: int          required: true diff --git a/roles/pf/tasks/main.yml b/roles/pf/tasks/main.yml index 4fba69e..9737315 100644 --- a/roles/pf/tasks/main.yml +++ b/roles/pf/tasks/main.yml 
@@ -3,35 +3,35 @@  - name: generate pf configuration    ansible.builtin.template:      src: pf.conf.j2 -    dest: "{{ pf_configuration_file }}" +    dest: "{{ pf__configuration_file }}"      owner: 0      group: 0      mode: "0600" -  register: pf_result_generate_configuration +  register: pf__result_generate_configuration  - name: lint pf configuration  # noqa: no-handler -  ansible.builtin.command: "pfctl -nf {{ pf_configuration_file }}" -  register: pf_result_lint_configuration +  ansible.builtin.command: "pfctl -nf {{ pf__configuration_file }}" +  register: pf__result_lint_configuration    changed_when: -    - pf_result_generate_configuration.changed -    - pf_result_lint_configuration.rc != 0 +    - pf__result_generate_configuration.changed +    - pf__result_lint_configuration.rc != 0  - name: restart pf  # noqa: no-handler -  ansible.builtin.command: pfctl -f "{{ pf_configuration_file }}" -  when: pf_result_generate_configuration.changed +  ansible.builtin.command: pfctl -f "{{ pf__configuration_file }}" +  when: pf__result_generate_configuration.changed  - name: test pf rules    ansible.builtin.wait_for:      port: "{{ item }}" -    delay: "{{ pf_test_delay }}" +    delay: "{{ pf__test_delay }}"      state: started -  loop: "{{ pf_test_ports }}" +  loop: "{{ pf__test_ports }}"  - name: enable pf    ansible.builtin.command: pfctl -e -  register: pf_result_enable +  register: pf__result_enable    changed_when: -    - "'already enabled' not in pf_result_enable.stderr" +    - "'already enabled' not in pf__result_enable.stderr"    failed_when: -    - pf_result_enable.rc != 0 -    - "'already enabled' not in pf_result_enable.stderr" +    - pf__result_enable.rc != 0 +    - "'already enabled' not in pf__result_enable.stderr" diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2 index 193c9d2..2f159b4 100644 --- a/roles/pf/templates/pf.conf.j2 +++ b/roles/pf/templates/pf.conf.j2 
@@ -11,7 +11,7 @@ block all  pass in quick on egress proto tcp to port {{ ansible_port }}  # host services -{% for rule in pf_rules %} +{% for rule in pf__rules %}  # {{ rule.name }}  pass in quick on egress proto {{ rule.protocol }} to port {{ rule.port }}  {% endfor %} diff --git a/roles/prerequisites/tasks/main.yml b/roles/prerequisites/tasks/main.yml index b1f4215..cd241a6 100644 --- a/roles/prerequisites/tasks/main.yml +++ b/roles/prerequisites/tasks/main.yml @@ -2,8 +2,8 @@  - name: retrieve python installation    ansible.builtin.raw: command -v python3 -  register: prerequisites_register_python_present -  changed_when: prerequisites_register_python_present.rc != 0 +  register: prerequisites__register_python_present +  changed_when: prerequisites__register_python_present.rc != 0  - name: bruteforce python installation with all packages possiblity    ansible.builtin.raw: | @@ -14,4 +14,4 @@    ignore_errors: true    failed_when: result.rc not in [0, 1]    poll: 0 -  when: prerequisites_register_python_present.rc != 0 +  when: prerequisites__register_python_present.rc != 0 diff --git a/roles/relayd/defaults/main.yml b/roles/relayd/defaults/main.yml index 998ff5c..17d325d 100644 --- a/roles/relayd/defaults/main.yml +++ b/roles/relayd/defaults/main.yml @@ -1,19 +1,19 @@  --- -relayd_rules: {} +relayd__rules: {} -relayd_configuration_file: /etc/relayd.conf -relayd_block_msg: aah! +relayd__configuration_file: /etc/relayd.conf +relayd__block_msg: aah! -relayd_ssl_certificates_dir: /etc/ssl -relayd_ssl_keys_dir: /etc/ssl/private +relayd__ssl_certificates_dir: /etc/ssl +relayd__ssl_keys_dir: /etc/ssl/private -relayd_tls_ciphers: +relayd__tls_ciphers:    - HIGH    - "!AES128"    - "!kRSA"    - "!aNULL" -relayd_tls_elliptic_curves: +relayd__tls_elliptic_curves:    - P-384    - P-256    - X25519 diff --git a/roles/relayd/meta/main.yml b/roles/relayd/meta/main.yml index e2da9c2..64efc3a 100644 --- a/roles/relayd/meta/main.yml +++ b/roles/relayd/meta/main.yml 
@@ -5,7 +5,7 @@ argument_specs:      short_description: relayd main entrypoint.      options: -      relayd_rules: +      relayd__rules:          type: list          elements: dict          required: true @@ -23,22 +23,22 @@ argument_specs:              required: true              description: Port to be configured -      relayd_configuration_file: +      relayd__configuration_file:          type: path          required: true          description: Relayd configuration file -      relayd_domain_name: +      relayd__domain_name:          type: str          required: true          description: Relayd domain name -      relayd_connected_hosts: +      relayd__connected_hosts:          type: str          required: true          description: Group name of hosts that are behind relayd -      relayd_tls_ciphers: +      relayd__tls_ciphers:          type: list          elements: str          required: true diff --git a/roles/relayd/tasks/main.yml b/roles/relayd/tasks/main.yml index 1346675..6485eb2 100644 --- a/roles/relayd/tasks/main.yml +++ b/roles/relayd/tasks/main.yml 
@@ -8,57 +8,57 @@        -newkey rsa:4096        -nodes        -subj "/CN={{ item.domain }}" -      -keyout {{ relayd_ssl_keys_dir }}/{{ item.domain }}.key -      -out {{ relayd_ssl_certificates_dir }}/{{ item.domain }}.pem -    creates: "{{ relayd_ssl_keys_dir }}/{{ item.domain }}.key" -  loop: "{{ relayd_rules }}" +      -keyout {{ relayd__ssl_keys_dir }}/{{ item.domain }}.key +      -out {{ relayd__ssl_certificates_dir }}/{{ item.domain }}.pem +    creates: "{{ relayd__ssl_keys_dir }}/{{ item.domain }}.key" +  loop: "{{ relayd__rules }}"  - name: apply restrictive permissions on ssl keys    ansible.builtin.file: -    path: "{{ relayd_ssl_keys_dir }}/{{ item.domain }}.key" +    path: "{{ relayd__ssl_keys_dir }}/{{ item.domain }}.key"      owner: 0      group: 0      mode: "0600" -  loop: "{{ relayd_rules }}" +  loop: "{{ relayd__rules }}"  - name: retrieve certificate files    ansible.builtin.stat: -    path: "{{ relayd_ssl_certificates_dir }}/{{ item.domain }}.crt" -  loop: "{{ relayd_rules }}" -  register: relayd_result_stat_certificates +    path: "{{ relayd__ssl_certificates_dir }}/{{ item.domain }}.crt" +  loop: "{{ relayd__rules }}" +  register: relayd__result_stat_certificates  - name: link pem files to certificate files if required    ansible.builtin.file: -    src: "{{ relayd_ssl_certificates_dir }}/{{ item.item.domain }}.pem" +    src: "{{ relayd__ssl_certificates_dir }}/{{ item.item.domain }}.pem"      dest: "{{ item.invocation.module_args.path }}"      owner: 0      group: 0      state: link    when: not item.stat.exists -  loop: "{{ relayd_result_stat_certificates.results }}" +  loop: "{{ relayd__result_stat_certificates.results }}"  - name: generate relayd configuration    ansible.builtin.template:      src: relayd.conf.j2 -    dest: "{{ relayd_configuration_file }}" +    dest: "{{ relayd__configuration_file }}"      owner: 0      group: 0      mode: "0640" -  register: relayd_result_generate_configuration +  register: 
relayd__result_generate_configuration  - name: lint relayd configuration -  ansible.builtin.command: "relayd -nf {{ relayd_configuration_file }}" -  register: relayd_result_lint_configuration +  ansible.builtin.command: "relayd -nf {{ relayd__configuration_file }}" +  register: relayd__result_lint_configuration    changed_when: -    - relayd_result_generate_configuration.changed -    - relayd_result_lint_configuration.rc != 0 +    - relayd__result_generate_configuration.changed +    - relayd__result_lint_configuration.rc != 0  - name: restart relayd  # noqa: no-handler    ansible.builtin.service:      name: relayd      state: restarted -  when: relayd_result_generate_configuration.changed -    or relayd_result_lint_configuration.changed +  when: relayd__result_generate_configuration.changed +    or relayd__result_lint_configuration.changed  - name: enable relayd    ansible.builtin.service: diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2 index 67b9e13..4169251 100644 --- a/roles/relayd/templates/relayd.conf.j2 +++ b/roles/relayd/templates/relayd.conf.j2 @@ -6,11 +6,11 @@ log connection errors  # hosts  table <local> { 127.0.0.1 } -{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%} -{% set relayd_rule_ip = "127.0.0.1" if h.inventory_hostname == inventory_hostname else h.__ip.internal %} -table <{{ h.inventory_hostname }}> { {{ relayd_rule_ip }} } -{% for rule in h.relayd_rules %} -table <{{ h.inventory_hostname }}_{{ rule.name }}> { {{ relayd_rule_ip }} } +{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%} +{% set relayd__rule_ip = "127.0.0.1" if h.inventory_hostname == inventory_hostname else h.__ip.internal %} +table <{{ h.inventory_hostname }}> { {{ relayd__rule_ip }} } +{% for rule in h.relayd__rules %} +table <{{ h.inventory_hostname }}_{{ rule.name }}> { {{ relayd__rule_ip }} }  {% endfor %}  {%- endcall %} 
@@ -18,8 +18,8 @@ table <{{ h.inventory_hostname }}_{{ rule.name }}> { {{ relayd_rule_ip }} }  http protocol "https" { -	tls ciphers "{{ relayd_tls_ciphers | join(':') }}" -	tls ecdhe "{{ relayd_tls_elliptic_curves | join(',') }}" +	tls ciphers "{{ relayd__tls_ciphers | join(':') }}" +	tls ecdhe "{{ relayd__tls_elliptic_curves | join(',') }}"  	tcp { sack, backlog 128 } @@ -27,19 +27,20 @@ http protocol "https" {  	match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"  	match request header set "Connection" value "close"  	match request header set "X-Forwarded-Proto" value "https" -	match request header set "X-Forwarded-Port" value "443" +	match request header set "X-Forwarded-For" value "$REMOTE_ADDR" +	match request header set "X-Forwarded-Port" value "$REMOTE_PORT"  	match response header set "Content-Security-Policy" value "upgrade-insecure-requests"  	match response header set "Referrer-Policy" value "no-referrer"  	match response header set "X-XSS-Protection" value "1; mode=block" -{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%} -{% for rule in h.relayd_rules %} +{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%} +{% for rule in h.relayd__rules %}  	tls keypair "{{ rule.domain }}"  	pass request quick header "Host" value "{{ rule.domain }}" forward to <{{ h.inventory_hostname }}_{{ rule.name }}>  {% endfor %}  {%- endcall %} -	block label "{{ relayd_block_msg }}" +	block label "{{ relayd__block_msg }}"  	return error  } @@ -48,8 +49,8 @@ http protocol "http" {  	# acme  	pass request quick path "/.well-known/acme-challenge/*" forward to <local> -{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%} -{% for rule in h.relayd_rules %} +{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%} +{% for rule in h.relayd__rules %}  	pass request quick header "Host" value "{{ rule.domain }}" forward to <{{ h.inventory_hostname }}_{{ rule.name }}>  {% endfor %}  {%- endcall %} 
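Review bot: In the `@@ -27,19 +27,20 @@` hunk, `match request header set "X-Forwarded-Port" value "$REMOTE_PORT"` changes what the header means: X-Forwarded-Port conventionally carries the port the proxy accepted the connection on (443, as the removed line had), and backends combine it with X-Forwarded-Proto to rebuild absolute URLs and redirects, whereas `$REMOTE_PORT` is the client's ephemeral source port, so those URLs will now carry a random port. Keep `value "443"` or use `value "$SERVER_PORT"`, which the X-Forwarded-By line a few lines above already relies on. Setting X-Forwarded-For with `set` rather than `append` is the right choice at this trust boundary because it discards any client-supplied value; a short comment saying so (`# set, not append: never trust a client-supplied X-Forwarded-For`) would keep a later reader from "fixing" it to `append`.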
@@ -70,8 +71,8 @@ relay "wwwtls" {  	listen on egress port 443 tls  	protocol "https"  	forward to <local> port 80 check http "/" code 200 -{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%} -{% for rule in h.relayd_rules %} +{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%} +{% for rule in h.relayd__rules %}  	forward to <{{ h.inventory_hostname }}_{{ rule.name }}> port {{ rule.port }} check tcp  {% endfor %}  {%- endcall %} diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml index 87933b9..85df472 100644 --- a/roles/sshd/defaults/main.yml +++ b/roles/sshd/defaults/main.yml @@ -1,5 +1,5 @@  --- -sshd_configuration_file: /etc/ssh/sshd_config -sshd_listen_port: 22 -sshd_enable_x11_forwarding: false +sshd__configuration_file: /etc/ssh/sshd_config +sshd__listen_port: 22 +sshd__enable_x11_forwarding: false diff --git a/roles/sshd/meta/main.yml b/roles/sshd/meta/main.yml index e0d60ee..7edf5cf 100644 --- a/roles/sshd/meta/main.yml +++ b/roles/sshd/meta/main.yml @@ -5,17 +5,17 @@ argument_specs:      short_description: sshd main entrypoint.      options: -      sshd_configuration_file: +      sshd__configuration_file:          type: path          required: true          description: Sshd configuration file -      sshd_listen_port: +      sshd__listen_port:          type: int          required: true          description: Sshd listen port -      sshd_enable_x11_forwarding: +      sshd__enable_x11_forwarding:          type: bool          required: true          description: Enable X11 forwarding diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml index 6a622d2..05221fd 100644 --- a/roles/sshd/tasks/main.yml +++ b/roles/sshd/tasks/main.yml 
@@ -9,22 +9,22 @@  - name: generate sshd configuration    ansible.builtin.template:      src: sshd_config.j2 -    dest: "{{ sshd_configuration_file }}" +    dest: "{{ sshd__configuration_file }}"      owner: 0      group: 0      mode: "0644" -  register: sshd_result_generate_configuration +  register: sshd__result_generate_configuration  - name: lint sshd configuration -  ansible.builtin.command: "sshd -tf {{ sshd_configuration_file }}" -  register: sshd_result_lint +  ansible.builtin.command: "sshd -tf {{ sshd__configuration_file }}" +  register: sshd__result_lint    changed_when: false  - name: restart sshd  # noqa: no-handler    ansible.builtin.service:      name: sshd      state: restarted -  when: sshd_result_generate_configuration.changed +  when: sshd__result_generate_configuration.changed  - name: enable sshd    ansible.builtin.service: @@ -33,6 +33,6 @@  - name: check ssh connection    ansible.builtin.wait_for: -    port: "{{ sshd_listen_port }}" +    port: "{{ sshd__listen_port }}"      delay: 1      state: started diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2 index b8affa8..179738a 100644 --- a/roles/sshd/templates/sshd_config.j2 +++ b/roles/sshd/templates/sshd_config.j2 @@ -1,7 +1,7 @@  # managed by Ansible  # network -Port {{ sshd_listen_port }} +Port {{ sshd__listen_port }}  # security  PermitRootLogin yes @@ -13,7 +13,7 @@ AuthorizedKeysFile .ssh/authorized_keys  PasswordAuthentication no  PermitEmptyPasswords no  ClientAliveInterval 180 -X11Forwarding {{ "yes" if sshd_enable_x11_forwarding else "no" }} +X11Forwarding {{ "yes" if sshd__enable_x11_forwarding else "no" }}  {% if ansible_distribution == "Debian" %}  Subsystem sftp /usr/lib/openssh/sftp-server diff --git a/roles/sshd_keys/defaults/main.yml b/roles/sshd_keys/defaults/main.yml index 1b97a4a..d0b5466 100644 --- a/roles/sshd_keys/defaults/main.yml +++ b/roles/sshd_keys/defaults/main.yml 
@@ -1,13 +1,4 @@  --- -sshd_keys_users: null -sshd_keys_dir: files/keys -sshd_keys_paths: "[ -    {% if sshd_keys_users is none %} -    '{{ sshd_keys_dir }}', -    {% else %} -    {% for user in sshd_keys_users %} -    '{{ sshd_keys_dir }}/{{ user }}', -    {% endfor %} -    {% endif %} -  ]" +sshd_keys__users: null +sshd_keys__dir: null diff --git a/roles/sshd_keys/meta/main.yml b/roles/sshd_keys/meta/main.yml index e790d71..ccf16eb 100644 --- a/roles/sshd_keys/meta/main.yml +++ b/roles/sshd_keys/meta/main.yml @@ -1,27 +1,17 @@  --- -dependencies: -  - role: sshd -    tags: dependency -  argument_specs:    main: -    short_description: sshd_keys main entrypoint. +    short_description: sshd__keys main entrypoint.      options: -      sshd_keys_users: +      sshd_keys__users:          type: list          elements: str          required: true          description: Users to be synced -      sshd_keys_dir: +      sshd_keys__dir:          type: path          required: true          description: Local directory with public keys - -      sshd_keys_paths: -        type: list -        elements: path -        required: true -        description: Local directory with public keys diff --git a/roles/sshd_keys/tasks/main.yml b/roles/sshd_keys/tasks/main.yml index 5d45e34..168f64d 100644 --- a/roles/sshd_keys/tasks/main.yml +++ b/roles/sshd_keys/tasks/main.yml 
@@ -2,34 +2,21 @@  - name: get ssh keys for all users    ansible.builtin.find: -    paths: "{{ sshd_keys_paths }}" +    paths: "{{ sshd__keys_paths }}"      file_type: link      recurse: true    delegate_to: localhost    run_once: true -  register: sshd_keys_result_find +  register: sshd__keys_result_find -- name: set sshd_keys_found_users variable +- name: set sshd__keys_found_users variable    ansible.builtin.set_fact: -    sshd_keys_found_users: "{{ sshd_keys_result_find.files +    sshd__keys_found_users: "{{ sshd__keys_result_find.files        | map(attribute='path')        | map('dirname')        | map('basename')        | unique }}" -- name: create groups for users with ssh keys -  ansible.builtin.group: -    name: "{{ item }}" -    state: present -  loop: "{{ sshd_keys_found_users }}" - -- name: create users with ssh keys -  ansible.builtin.user: -    name: "{{ item }}" -    group: "{{ item }}" -    state: present -  loop: "{{ sshd_keys_found_users }}" -  - name: synchronize ssh keys    ansible.posix.authorized_key:      user: "{{ item.path | dirname | basename }}" @@ -37,5 +24,5 @@      key: "{{ lookup('file', item.path) }}"    loop_control:      label: "{{ item.path }}: {{ item.path | dirname | basename }}" -  loop: "{{ sshd_keys_result_find.files }}" +  loop: "{{ sshd__keys_result_find.files }}"    failed_when: false diff --git a/roles/update/tasks/main.yml b/roles/update/tasks/main.yml index 1719611..0c10aa7 100644 --- a/roles/update/tasks/main.yml +++ b/roles/update/tasks/main.yml 
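Review bot: `paths: "{{ sshd__keys_paths }}"` refers to a variable that no longer exists: this commit deletes `sshd_keys_paths` from roles/sshd_keys/defaults/main.yml and from the argument spec, and the new defaults only declare `sshd_keys__users` and `sshd_keys__dir` (a different prefix from the `sshd__keys_` used throughout this tasks file), so the find task fails on an undefined variable. Either rebuild the path list under the new name in a `set_fact` before the find, or restore it in the defaults, and settle on a single prefix for the role. Removing the `create groups` / `create users` tasks also means `authorized_key` now runs for accounts that may not exist, and the existing `failed_when: false` turns a missing account into a silent no-op rather than an error; if user creation now lives in another role, add a comment naming it above the synchronize task and consider dropping `failed_when: false` so that case stays visible.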
@@ -2,12 +2,12 @@  - name: apply system update    ansible.builtin.command: syspatch -  register: update_result_system_update +  register: update__result_system_update    failed_when: -    - update_result_system_update.rc > 0 -    - update_result_system_update.rc != 2 +    - update__result_system_update.rc > 0 +    - update__result_system_update.rc != 2    changed_when: -    - update_result_system_update.rc == 0 +    - update__result_system_update.rc == 0    when: ansible_distribution == "OpenBSD"  - name: apply package update diff --git a/roles/vmm/meta/main.yml b/roles/vmm/meta/main.yml index dd93239..4bf5e0a 100644 --- a/roles/vmm/meta/main.yml +++ b/roles/vmm/meta/main.yml @@ -1,5 +1,5 @@  ---  dependencies: -  - role: httpd_pre +  - role: httpd__pre      tags: dependency diff --git a/roles/vmm/tasks/autoinstall_configuration.yml b/roles/vmm/tasks/autoinstall_configuration.yml index 4901b61..a131cb3 100644 --- a/roles/vmm/tasks/autoinstall_configuration.yml +++ b/roles/vmm/tasks/autoinstall_configuration.yml @@ -40,7 +40,7 @@    ansible.builtin.template:      <<: *generation_steps      src: httpd.conf.j2 -    dest: "{{ httpd_configuration_dir }}/autoinstall.conf" +    dest: "{{ httpd__configuration_dir }}/autoinstall.conf"      owner: 0      group: 0  |
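Review bot: `dest: "{{ httpd__configuration_dir }}/autoinstall.conf"` in roles/vmm/tasks/autoinstall_configuration.yml uses a name nothing in this commit defines: roles/httpd/defaults/main.yml drops `httpd_configuration_dir`, and the httpd role now reads `httpd_pre__configuration_dir` for the same directory, so this task fails with an undefined variable unless `httpd__configuration_dir` is declared elsewhere. Use `httpd_pre__configuration_dir` here for consistency with the httpd role, and list it in the vmm argument spec since the role takes it from its `httpd_pre` dependency. The enclosing task starts before the hunk.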