refs #8025 Code reorganization

group_vars/all.yml

@@ -51,3 +51,8 @@ awx_smtp_password: !vault |
   37633364633631333130346332613235303762316435313535613664323830656363353237373561
   3866653365636431630a303262666662376662623862663461633361333037643863353135343836
   61383730366664353730616331666139376234313562383163613736353231666533
+grub_code: >
+  grub.pbkdf2.sha512.10000.C91C8756466E7DB535C77DB7FBDBF3D33A39A0712DE3A9AFD38BE22
+  29139E86F23C4E007E6B76DDFDBBE4B2B32764B4EFFECF208C70BA9FECC6BB3FF68A6BA05.8EA385
+  7B795AF29FF5C6E003E31EC4D79B84813175C7A56A8A12F3F30A19B501D7127C0307277FB37073EE
+  0246BCFDA9BD4EDDC3A1EE8176D25CD37B7FB07AF7

roles/debian-base/tasks/root.yaml

@@ -1,6 +1,6 @@
 - name: Delete default user
   user:
-    name: "{{ name_user }}"
+    name: "{{ default_user }}"
     state: absent
     remove: yes
 - name: Change root password
@@ -9,7 +9,7 @@
     password: "{{ ssh_password | password_hash('sha512') }}"
 - name: Configure bashrc
   lineinfile:
-    dest: "/root/.bashrc"
+    dest: /root/.bashrc
     regexp: "{{item.regexp}}"
     line: "{{item.line}}"
     state: present

roles/debian-base/tasks/sudoers.yml

@@ -5,7 +5,7 @@
 - name: Copy sudoers configuration file
   copy:
     src: sudoers
-    dest: "/etc/sudoers.d/vn"
+    dest: /etc/sudoers.d/vn
     mode: u=rw,g=r
     owner: root
     group: root

roles/debian-base/tasks/vim.yml

@@ -5,7 +5,7 @@
 - name: Copy vim configuration file
   copy:
     src: vimrc.local
-    dest: "/etc/vim/"
+    dest: /etc/vim/
     mode: '644'
     owner: root
     group: root

roles/debian-base/templates/jail.local.j2

@@ -7,7 +7,7 @@ bantime   = {{ fail2ban.bantime }}
 findtime  = {{ fail2ban.bantime }}
 maxretry  = {{ fail2ban.maxretry }}
 destemail = {{ fail2ban.email }}
-sender    = root@<fq-hostname>
+sender    = root@{{ ansible_fqdn }}
 banaction = nftables-multiport
 action    = %(action_)s
 

roles/debian-upgrade/tasks/main.yaml

@@ -1,20 +1,17 @@
-- name: Checking if it's necessary to update
-  meta: end_host
-  when: update_enabled is not defined or not update_enabled
-- name: update index of all packages
+- name: Update APT package index
   ansible.builtin.apt:
     update_cache: true
     force_apt_get: true
-- name: update all packages to their latest version
+- name: Update all packages to their latest version
   ansible.builtin.apt:
     name: "*"
     state: latest
     force_apt_get: true
-- name: upgrade the OS (apt-get full-upgrade)
+- name: Upgrade the OS (apt-get full-upgrade)
   ansible.builtin.apt:
     upgrade: full
     force_apt_get: true
-- name: autoremove packages unused dependency packages
+- name: Autoremove unused packages
   ansible.builtin.apt:
     autoremove: true
     force_apt_get: true

roles/linux-hostname/tasks/main.yml

@@ -7,7 +7,7 @@
 - name: Replace /etc/hosts
   template:
     src: hosts.j2
-    dest: "/etc/hosts"
+    dest: /etc/hosts
     owner: root
     group: root
     mode: '0644'
@@ -15,7 +15,7 @@
 - name: Replace /etc/resolv.conf
   template:
     src: resolv.j2
-    dest: "/etc/resolv.conf"
+    dest: /etc/resolv.conf
     owner: root
     group: root
     mode: '0644'

roles/linux-secure-grub/tasks/main.yml

@@ -1,9 +1,7 @@
-- name: GRUB password boot protection
+- name: GRUB boot password protection
   blockinfile:
     path: /etc/grub.d/40_custom
     block: |
-      set superusers="{{ user_grub }}"
-      password_pbkdf2 {{ user_grub }} {{ code_grub }}
+      set superusers="{{ grub_user }}"
+      password_pbkdf2 {{ grub_user }} {{ grub_code }}
   notify: grub-register
-  when: secure_grub_enabled
-

roles/linux-secure-grub/vars/main.yaml

@@ -1,2 +1 @@
-user_grub: admin
-code_grub: grub.pbkdf2.sha512.10000.C91C8756466E7DB535C77DB7FBDBF3D33A39A0712DE3A9AFD38BE2229139E86F23C4E007E6B76DDFDBBE4B2B32764B4EFFECF208C70BA9FECC6BB3FF68A6BA05.8EA3857B795AF29FF5C6E003E31EC4D79B84813175C7A56A8A12F3F30A19B501D7127C0307277FB37073EE0246BCFDA9BD4EDDC3A1EE8176D25CD37B7FB07AF7
+grub_user: admin