From f033c92278bf303d3c4808c2d3f4a5d1cc79a724 Mon Sep 17 00:00:00 2001
From: Juan Ferrer Toribio
Date: Tue, 24 Sep 2024 10:37:09 +0200
Subject: [PATCH] refs #8025 Code reorganization

---
 group_vars/all.yml                        | 7 ++++++-
 roles/debian-base/tasks/root.yaml         | 4 ++--
 roles/debian-base/tasks/sudoers.yml       | 2 +-
 roles/debian-base/tasks/vim.yml           | 2 +-
 roles/debian-base/templates/jail.local.j2 | 2 +-
 roles/debian-upgrade/tasks/main.yaml      | 11 ++++-------
 roles/linux-hostname/tasks/main.yml       | 4 ++--
 roles/linux-secure-grub/handlers/main.yml | 2 +-
 roles/linux-secure-grub/tasks/main.yml    | 8 +++-----
 roles/linux-secure-grub/vars/main.yaml    | 3 +--
 10 files changed, 22 insertions(+), 23 deletions(-)

diff --git a/group_vars/all.yml b/group_vars/all.yml
index 09b751b..796f56d 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -50,4 +50,9 @@ awx_smtp_password: !vault |
           3631616362363163393036613564623864383365633634660a366563363836363061623566393361
           37633364633631333130346332613235303762316435313535613664323830656363353237373561
           3866653365636431630a303262666662376662623862663461633361333037643863353135343836
-          61383730366664353730616331666139376234313562383163613736353231666533
\ No newline at end of file
+          61383730366664353730616331666139376234313562383163613736353231666533
+grub_code: >
+  grub.pbkdf2.sha512.10000.C91C8756466E7DB535C77DB7FBDBF3D33A39A0712DE3A9AFD38BE22
+  29139E86F23C4E007E6B76DDFDBBE4B2B32764B4EFFECF208C70BA9FECC6BB3FF68A6BA05.8EA385
+  7B795AF29FF5C6E003E31EC4D79B84813175C7A56A8A12F3F30A19B501D7127C0307277FB37073EE
+  0246BCFDA9BD4EDDC3A1EE8176D25CD37B7FB07AF7
diff --git a/roles/debian-base/tasks/root.yaml b/roles/debian-base/tasks/root.yaml
index ad4407d..6e42647 100644
--- a/roles/debian-base/tasks/root.yaml
+++ b/roles/debian-base/tasks/root.yaml
@@ -1,6 +1,6 @@
 - name: Delete default user
   user:
-    name: "{{ name_user }}"
+    name: "{{ default_user }}"
     state: absent
     remove: yes
 - name: Change root password
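Review bot: `grub_code: >` is a folded scalar, so YAML joins its four continuation lines with single spaces and the rendered value becomes `grub.pbkdf2.sha512.10000.C91C…BE22 29139E86… 8EA385 7B79… 0246…`, not the single-token hash that `code_grub` in roles/linux-secure-grub/vars/main.yaml held before this commit. GRUB's `password_pbkdf2` would then see a truncated hash followed by stray arguments, so the superuser password most likely stops verifying and, with `set superusers` in place, the menu may become unusable. Keep the hash on one line as it was, or write it as a double-quoted scalar with backslash line continuations (`grub_code: "grub.pbkdf2.sha512.10000.C91C…BE22\` on the first line, every continuation line ending in `\`, the closing quote on the last), which YAML concatenates without inserting spaces. Separately, the hash now sits in plaintext next to an `!vault` value; it was plaintext in the role vars before, so this is not a regression, but a 10000-iteration PBKDF2-SHA512 hash in version control is crackable offline and is a candidate for `!vault` as well.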
@@ -9,7 +9,7 @@
     password: "{{ ssh_password | password_hash('sha512') }}"
 - name: Configure bashrc
   lineinfile:
-    dest: "/root/.bashrc"
+    dest: /root/.bashrc
     regexp: "{{item.regexp}}"
     line: "{{item.line}}"
     state: present
diff --git a/roles/debian-base/tasks/sudoers.yml b/roles/debian-base/tasks/sudoers.yml
index 83bee94..e31f0eb 100644
--- a/roles/debian-base/tasks/sudoers.yml
+++ b/roles/debian-base/tasks/sudoers.yml
@@ -5,7 +5,7 @@
 - name: Copy sudoers configuration file
   copy:
     src: sudoers
-    dest: "/etc/sudoers.d/vn"
+    dest: /etc/sudoers.d/vn
     mode: u=rw,g=r
     owner: root
     group: root
diff --git a/roles/debian-base/tasks/vim.yml b/roles/debian-base/tasks/vim.yml
index aa5ed3c..3b4a32a 100644
--- a/roles/debian-base/tasks/vim.yml
+++ b/roles/debian-base/tasks/vim.yml
@@ -5,7 +5,7 @@
 - name: Copy vim configuration file
   copy:
     src: vimrc.local
-    dest: "/etc/vim/"
+    dest: /etc/vim/
     mode: '644'
     owner: root
     group: root
\ No newline at end of file
diff --git a/roles/debian-base/templates/jail.local.j2 b/roles/debian-base/templates/jail.local.j2
index 74a65ce..838b4ed 100644
--- a/roles/debian-base/templates/jail.local.j2
+++ b/roles/debian-base/templates/jail.local.j2
@@ -7,7 +7,7 @@ bantime = {{ fail2ban.bantime }}
 findtime = {{ fail2ban.bantime }}
 maxretry = {{ fail2ban.maxretry }}
 destemail = {{ fail2ban.email }}
-sender = root@
+sender = root@{{ ansible_fqdn }}
 banaction = nftables-multiport
 action = %(action_)s
 
diff --git a/roles/debian-upgrade/tasks/main.yaml b/roles/debian-upgrade/tasks/main.yaml
index 0674f4b..1949907 100644
--- a/roles/debian-upgrade/tasks/main.yaml
+++ b/roles/debian-upgrade/tasks/main.yaml
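Review bot: The sudoers drop-in is installed with `mode: u=rw,g=r` (0640) and without `validate`, so a syntax error in the `sudoers` source file would be copied straight into `/etc/sudoers.d/vn` and can break sudo for every account on the host. sudo expects sudoers.d files at 0440 and recent versions warn about, and may skip, files carrying extra permission bits, which would silently drop whatever this file grants or restricts. Change the task to `mode: '0440'` and add `validate: /usr/sbin/visudo -csf %s` under `copy:` so a bad file is rejected before it lands. The mode line is context here; this commit only drops the quotes around `dest`.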
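Review bot: The new `sender = root@{{ ansible_fqdn }}` is only populated when facts are gathered; if the role ever runs under `gather_facts: false` the line renders as `root@` again, exactly the defect this hunk fixes, so a `default` or an `ansible.builtin.setup` dependency would make it robust. Two lines above, the context line `findtime = {{ fail2ban.bantime }}` ties the detection window to the ban duration, which reads like a copy-paste slip; if the `fail2ban` dict defines a `findtime` key this should be `findtime = {{ fail2ban.findtime }}`, and if the coupling is intentional it deserves a `# findtime deliberately equals bantime` comment.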
@@ -1,20 +1,17 @@
-- name: Checking if it's necessary to update
-  meta: end_host
-  when: update_enabled is not defined or not update_enabled
-- name: update index of all packages
+- name: Update APT package index
   ansible.builtin.apt:
     update_cache: true
     force_apt_get: true
-- name: update all packages to their latest version
+- name: Update all packages to their latest version
   ansible.builtin.apt:
     name: "*"
     state: latest
     force_apt_get: true
-- name: upgrade the OS (apt-get full-upgrade)
+- name: Upgrade the OS (apt-get full-upgrade)
   ansible.builtin.apt:
     upgrade: full
     force_apt_get: true
-- name: autoremove packages unused dependency packages
+- name: Autoremove unused packages
   ansible.builtin.apt:
     autoremove: true
     force_apt_get: true
diff --git a/roles/linux-hostname/tasks/main.yml b/roles/linux-hostname/tasks/main.yml
index 773e7d6..e052922 100644
--- a/roles/linux-hostname/tasks/main.yml
+++ b/roles/linux-hostname/tasks/main.yml
@@ -7,7 +7,7 @@
 - name: Replace /etc/hosts
   template:
     src: hosts.j2
-    dest: "/etc/hosts"
+    dest: /etc/hosts
     owner: root
     group: root
     mode: '0644'
@@ -15,7 +15,7 @@
 - name: Replace /etc/resolv.conf
   template:
     src: resolv.j2
-    dest: "/etc/resolv.conf"
+    dest: /etc/resolv.conf
     owner: root
     group: root
     mode: '0644'
diff --git a/roles/linux-secure-grub/handlers/main.yml b/roles/linux-secure-grub/handlers/main.yml
index 9f3d6e6..5b3125c 100644
--- a/roles/linux-secure-grub/handlers/main.yml
+++ b/roles/linux-secure-grub/handlers/main.yml
@@ -1,2 +1,2 @@
 - name: grub-register
-  command: update-grub
\ No newline at end of file
+  command: update-grub
diff --git a/roles/linux-secure-grub/tasks/main.yml b/roles/linux-secure-grub/tasks/main.yml
index d2876e3..dd4acb3 100644
--- a/roles/linux-secure-grub/tasks/main.yml
+++ b/roles/linux-secure-grub/tasks/main.yml
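Review bot: Removing the `meta: end_host` gate on `update_enabled` means this role now runs `apt-get full-upgrade` on every host it is applied to, with no opt-out inside the role itself; if the gate moved to the playbook that is fine, but nothing in this diff shows it, so confirm before the next run against a production inventory. The role also never looks at `/var/run/reboot-required`, so kernel and core-library updates are installed but typically not active until a reboot nobody is told about. A trailing `ansible.builtin.stat` on that path followed by a `debug` (or a gated `reboot`) would make the pending state visible to the operator.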
@@ -1,9 +1,7 @@
-- name: GRUB password boot protection
+- name: GRUB boot password protection
   blockinfile:
     path: /etc/grub.d/40_custom
     block: |
-      set superusers="{{ user_grub }}"
-      password_pbkdf2 {{ user_grub }} {{ code_grub }}
+      set superusers="{{ grub_user }}"
+      password_pbkdf2 {{ grub_user }} {{ grub_code }}
   notify: grub-register
-  when: secure_grub_enabled
-
diff --git a/roles/linux-secure-grub/vars/main.yaml b/roles/linux-secure-grub/vars/main.yaml
index d61c32d..875fc0c 100644
--- a/roles/linux-secure-grub/vars/main.yaml
+++ b/roles/linux-secure-grub/vars/main.yaml
@@ -1,2 +1 @@
-user_grub: admin
-code_grub: grub.pbkdf2.sha512.10000.C91C8756466E7DB535C77DB7FBDBF3D33A39A0712DE3A9AFD38BE2229139E86F23C4E007E6B76DDFDBBE4B2B32764B4EFFECF208C70BA9FECC6BB3FF68A6BA05.8EA3857B795AF29FF5C6E003E31EC4D79B84813175C7A56A8A12F3F30A19B501D7127C0307277FB37073EE0246BCFDA9BD4EDDC3A1EE8176D25CD37B7FB07AF7
+grub_user: admin
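Review bot: Dropping `when: secure_grub_enabled` makes the role write `set superusers` into `/etc/grub.d/40_custom` unconditionally wherever it is applied, and once superusers is set GRUB demands superuser authentication for every menu entry that is not marked `--unrestricted`, so hosts whose generated entries lack that flag will stop at the GRUB prompt on an unattended reboot. Verify the gate moved to the playbook level and test one reboot on a host before rolling this out. The block also interpolates `{{ grub_code }}` with no check that it is a single token; a `ansible.builtin.assert` with `that: "' ' not in grub_code"` (or a `grub_code is match('^grub\\.pbkdf2\\.sha512\\.')` test) ahead of the `blockinfile` would catch a malformed hash before `update-grub` bakes it into `grub.cfg`. It is also worth confirming that `40_custom` and the generated `grub.cfg` are not world-readable now that the hash lives in both.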