diff --git a/.yamllint b/.yamllint
new file mode 100644
index 0000000000000000000000000000000000000000..cca80e2e16c9ee5298e8a5bcf9f77c130fdc3d8e
--- /dev/null
+++ b/.yamllint
@@ -0,0 +1,19 @@
+---
+
+extends: default
+
+rules:
+  comments-indentation:
+    level: warning
+  document-start:
+    level: error
+  empty-lines:
+    max: 1
+  empty-values:
+    forbid-in-flow-mappings: true
+    forbid-in-block-mappings: true
+  line-length:
+    level: warning
+  octal-values:
+    forbid-implicit-octal: true
+    level: warning
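Review bot: `octal-values` is configured with `level: warning`, so a future unquoted `mode: 0644` only produces a warning and does not fail the lint run, although this commit quotes every file mode to avoid exactly that parse. A misread mode ends up as wrong permissions on files this repository manages, such as `/etc/sudoers` and `/root/.ssh/authorized_keys`, so I would set `level: error` for this rule and consider adding `forbid-explicit-octal: true`. A one-line comment above `rules:` naming which rules are deliberately relaxed to warnings would document the intent.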
diff --git a/apt/defaults/main.yml b/apt/defaults/main.yml
index 85c9282092cd3a71289d385a24ac8c029defc327..f9033c39018dc1cdaa014fcc4692e79a9e2ed246 100644
--- a/apt/defaults/main.yml
+++ b/apt/defaults/main.yml
@@ -1,9 +1,9 @@
 ---
 # file: common/apt/defaults/main.yml
 
-apt_mirror: "http://ftp.halifax.rwth-aachen.de/debian/"
-apt_mirror_security: "http://security.debian.org/"
+apt_mirror: 'http://ftp.halifax.rwth-aachen.de/debian/'
+apt_mirror_security: 'http://security.debian.org/'
 apt_repos: ['main', 'contrib', 'non-free']
-apt_sets: ['', '-updates'] # ['-backports', '-proposed-updates']
-apt_src_enable: True
-raspbian_has_no_security: False
+apt_sets: ['', '-updates']  # ['-backports', '-proposed-updates']
+apt_src_enable: true
+raspbian_has_no_security: false
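Review bot: Both mirror defaults on the new side are still plain `http://` URLs, so downloads, including those from the security archive, are protected only by APT's signature verification and not by transport security. If both mirrors serve HTTPS (to be confirmed), `apt_mirror_security: 'https://security.debian.org/'` would be the safer default; older releases need `apt-transport-https` installed before that works. Otherwise a comment above the two variables, such as `# plain HTTP on purpose: integrity rests on the signed Release files`, would record the decision.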
diff --git a/apt/handlers/main.yml b/apt/handlers/main.yml
index a86fe24c57f806f3960ab1311fe34f60adbcfd1a..7f85265d8b294c5b73bfaadcfe2c9623bcfe134b 100644
--- a/apt/handlers/main.yml
+++ b/apt/handlers/main.yml
@@ -3,4 +3,3 @@
 
 - name: update apt cache
   apt: update_cache=yes
-
diff --git a/apt/tasks/main.yml b/apt/tasks/main.yml
index 175fc119e74d142b8463ffbc669c4b462844d56c..3af814ecc856194847c67b3f5c0268be3a330d55 100644
--- a/apt/tasks/main.yml
+++ b/apt/tasks/main.yml
@@ -6,7 +6,7 @@
     dest: /etc/apt/sources.list
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   notify:
     - update apt cache
   tags:
@@ -30,7 +30,7 @@
     dest: /etc/apt/apt.conf.d/
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   tags:
     - config
     - apt
diff --git a/apt/tasks/repositories.yml b/apt/tasks/repositories.yml
index 099f7560ea732570ed528f37c31fc641d0489505..f65bf981a2ac45e82f53ccdaa7cf8548eb442111 100644
--- a/apt/tasks/repositories.yml
+++ b/apt/tasks/repositories.yml
@@ -1,5 +1,6 @@
 ---
 # file: roles/common/tasks/repositories.yml
+# yamllint disable rule:line-length
 
 - name: enable debian repositories
   apt_repository:
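Review bot: The `# yamllint disable rule:line-length` comment at the top of the file has no matching `enable`, so the rule stays off for every task in the file, including ones added later. Elsewhere in this commit the suppression is scoped: `# yamllint disable-line rule:line-length` in localization/tasks/timezone.yml and a disable/enable pair in hostkey-provider/tasks/main.yml. Using the same scoped form here keeps the check effective for the rest of the file. The `apt_repository` task continues beyond the hunk, so which lines are actually too long is not visible.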
diff --git a/basic-system/defaults/main.yml b/basic-system/defaults/main.yml
index 4e43757ca3c9c09e6d7ee8a020bb1c13f43bd879..eda3f1326c123c6e3cfbaa62d58345423aaaee5b 100644
--- a/basic-system/defaults/main.yml
+++ b/basic-system/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
 
-dns_hostname_fqdn: False
+dns_hostname_fqdn: false
 hosts_alternates: []
 hosts_additionals: []
diff --git a/basic-system/handlers/main.yml b/basic-system/handlers/main.yml
index 612fa5bd221419f9bddfdf47adfcf5e7b21358f3..b63cc133cf5128de1efb3446147a6f10960a5d94 100644
--- a/basic-system/handlers/main.yml
+++ b/basic-system/handlers/main.yml
@@ -12,4 +12,3 @@
 
 - name: gather network facts once again
   setup: gather_subset=network
-
diff --git a/basic-system/tasks/logging.yml b/basic-system/tasks/logging.yml
index e4167d79db3bed7416e7ba79a02c02295ede30b5..4a4aa5e302f0cb3187b3b8cf2223e4634befa483 100644
--- a/basic-system/tasks/logging.yml
+++ b/basic-system/tasks/logging.yml
@@ -2,54 +2,71 @@
 # file: roles/common/task/logging.yml
 
 - name: restrict dmesg access to only root
-  sysctl: name=kernel.dmesg_restrict value=1 state=present sysctl_set=yes
-  tags: 
+  sysctl:
+    name: kernel.dmesg_restrict
+    value: 1
+    state: present
+    sysctl_set: true
+  tags:
     - security
     - sysctl
-    - config
-    
+
 - name: ensure system journal is a system-log-daemon with our package
-  apt: name=systemd-journal-persistent state=present
-  when: 
+  apt:
+    name: systemd-journal-persistent
+    state: present
+  when:
     - syslogserver is not defined or syslogserver.split(":")[0] != ansible_fqdn
     - ansible_distribution_major_version|int >= 9
   register: syslog_provider
   tags:
-    - config
     - syslog
+    - journal
 
 - name: ensure systemd journal is presistent
-  file: path=/var/log/journal state=directory
+  file:
+    path: /var/log/journal
+    state: directory
   when:
     - ansible_distribution_major_version|int < 9
   notify:
     - configure journal directory
   tags:
-    - config
     - syslog
+    - journal
 
-- name: ensure rsyslog is absent without broken dependecies 
-  apt: name=rsyslog state=absent purge=yes dpkg_options="force-confdef,force-confold,force-depends"
-  when: 
+- name: ensure rsyslog is absent without broken dependecies
+  apt:
+    name: rsyslog
+    state: absent
+    purge: true
+    dpkg_options: "force-confdef,force-confold,force-depends"
+  when:
     - not syslog_provider is skipped
     - ansible_distribution_major_version|int >= 9
     - syslogserver is not defined or syslogserver.split(":")[0] != ansible_fqdn
   tags:
-    - config
     - syslog
 
 - name: ensure rsyslog is running and enabled
-  service: name=rsyslog state=started enabled=yes
+  service:
+    name: rsyslog
+    state: started
+    enabled: true
   when:
     - syslogserver is defined
     - syslogserver|length > 0
     - ansible_distribution_major_version|int < 9
   tags:
     - syslog
-    - service
 
 - name: ensure that central logging works
-  template: src=rsyslog.conf.j2 dest=/etc/rsyslog.conf owner=root group=root mode=0644
+  template:
+    src: rsyslog.conf.j2
+    dest: /etc/rsyslog.conf
+    owner: root
+    group: root
+    mode: '0644'
   when:
     - syslogserver is defined
     - syslogserver|length > 0
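Review bot: The `config` and `service` tags are removed from the tasks in this hunk and in the second logging.yml hunk, and `config`/`packages` are removed in basic-system/tasks/network.yml, localization/tasks/locale.yml, shell/tasks/sudo.yml and ssh-server/tasks/main.yml, which changes what a tagged run selects in a commit that otherwise only reformats. shell/tasks/shell.yml still carries `config` and `packages`, so `--tags config` now applies only part of the configuration and no longer reaches hardening tasks such as `kernel.dmesg_restrict`. I would keep the tags here, or remove them everywhere in a separate commit whose message names the behaviour change. Smaller points: `value: 1` reaches the sysctl module as an integer, so `value: '1'` keeps it a string, and the task names still contain the typos `presistent` and `dependecies`. The last task in the hunk continues outside it.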
@@ -59,11 +76,13 @@
     - restart rsyslogd
   tags:
     - syslog
-    - config
 
 - name: ensure our logrotate.conf is present
-  copy: src=logrotate.conf dest=/etc/logrotate.conf owner=root group=root mode=0644
+  copy:
+    src: logrotate.conf
+    dest: /etc/logrotate.conf
+    owner: root
+    group: root
+    mode: '0644'
   tags:
     - syslog
-    - config
-
diff --git a/basic-system/tasks/network.yml b/basic-system/tasks/network.yml
index c2c78141e50b94bc2b82047c57f4a444c5b43bfb..321430559285e991270a1ef7aca3c15c26d9fcf1 100644
--- a/basic-system/tasks/network.yml
+++ b/basic-system/tasks/network.yml
@@ -1,38 +1,43 @@
 ---
 # file: roles/common/tasks/dns.yml
- 
+
 - name: ensure dns is configured
-  template: src=resolv.conf.j2 dest=/etc/resolv.conf owner=root group=root mode=0644
+  template:
+    src: resolv.conf.j2
+    dest: /etc/resolv.conf
+    owner: root
+    group: root
+    mode: '0644'
   tags:
     - dns
-    - config
 
 - name: ensure dbus is installed, since hostnamectl needs this
-  apt: name=dbus state=present
+  apt:
+    name: dbus
+    state: present
   tags:
-    - packages
     - dns
     - network
 
 - name: ensure the hostname is not a fqdn
-  hostname: name="{{ inventory_hostname }}"
+  hostname:
+    name: "{{ inventory_hostname }}"
   when: not dns_hostname_fqdn
   notify:
     - gather network facts once again
   tags:
     - dns
     - network
-    - config
 
 - name: ensure the hostname is a fqdn
-  hostname: name="{{ ansible_fqdn }}"
+  hostname:
+    name: "{{ ansible_fqdn }}"
   when: dns_hostname_fqdn
   notify:
     - gather network facts once again
   tags:
     - dns
     - network
-    - config
 
 - meta: flush_handlers
 
@@ -47,28 +52,38 @@
     - network
 
 - name: ensure deactivation of tcp_timestamps
-  sysctl: name=net.ipv4.tcp_timestamps value=0 state=present sysctl_set=yes
-  tags: 
+  sysctl:
+    name: net.ipv4.tcp_timestamps
+    value: 0
+    state: present
+    sysctl_set: true
+  tags:
     - security
     - sysctl
-    - config
 
 - name: ensure deactivation of ipv6 tempaddr (all)
-  sysctl: name=net.ipv6.conf.all.use_tempaddr value=0 state=present sysctl_set=yes
+  sysctl:
+    name: net.ipv6.conf.all.use_tempaddr
+    value: 0
+    state: present
+    sysctl_set: true
   tags:
     - security
     - sysctl
-    - config
 
 - name: ensure deactivation of ipv6 tempaddr (default)
-  sysctl: name=net.ipv6.conf.default.use_tempaddr value=0 state=present sysctl_set=yes
+  sysctl:
+    name: net.ipv6.conf.default.use_tempaddr
+    value: 0
+    state: present
+    sysctl_set: true
   tags:
     - security
     - sysctl
-    - config
 
 - name: ensure openssl is installed
-  apt: name=openssl state=latest
+  apt:
+    name: openssl
+    state: present
   tags:
-    - packages
     - tls
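Review bot: `state: latest` becomes `state: present` for `openssl` at the end of this hunk, and for `locales` in localization/tasks/locale.yml, so a playbook run no longer upgrades an already installed OpenSSL. That is a defensible idempotency choice, but security updates for the package then have to come from another mechanism, and whether one exists is not visible in this diff. I would add a comment above the task such as `# upgrades are handled by <upgrade mechanism>, not by this role`, or keep `latest` for this one package. The three sysctl tasks pass `value: 0` as an integer; `value: '0'` avoids relying on the module's type conversion.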
diff --git a/hostkey-provider/handlers/main.yml b/hostkey-provider/handlers/main.yml
index fd97a01deb43f759b68f3f3d77fc8cc33dd47ccf..c45157784f8c0eea62f12b740279f416ab62f7b8 100644
--- a/hostkey-provider/handlers/main.yml
+++ b/hostkey-provider/handlers/main.yml
@@ -2,4 +2,3 @@
 
 - name: re-read local facts for new hostkeys
   setup: filter=ansible_local
-
diff --git a/hostkey-provider/tasks/main.yml b/hostkey-provider/tasks/main.yml
index 67f2cdeda88e414ace5b4fbcc166852af23f5b64..2256bfe820c8ec642b5869ee21b9e22571ca0e54 100644
--- a/hostkey-provider/tasks/main.yml
+++ b/hostkey-provider/tasks/main.yml
@@ -7,12 +7,12 @@
     option: "{{ item.key }}"
     value: "{{ item.value }}"
   with_items:
-    - { key: 'ipv4', value: "{{ ansible_all_ipv4_addresses|join(',') }}" }
-    - { key: 'ipv6', value: "{{ ansible_all_ipv6_addresses|join(',') }}" }
-    - { key: 'ed25519', value: "{{ ansible_ssh_host_key_ed25519_public }}" }
-    - { key: 'rsa', value: "{{ ansible_ssh_host_key_rsa_public }}" }
+    - {key: 'ipv4', value: "{{ ansible_all_ipv4_addresses|join(',') }}"}
+    - {key: 'ipv6', value: "{{ ansible_all_ipv6_addresses|join(',') }}"}
+    - {key: 'ed25519', value: "{{ ansible_ssh_host_key_ed25519_public }}"}
+    - {key: 'rsa', value: "{{ ansible_ssh_host_key_rsa_public }}"}
   delegate_to: "{{ hostvars[hostkeys_collector]['ansible_fqdn'] }}"
-  ignore_errors: True
+  ignore_errors: true
   notify:
     - re-read local facts for new hostkeys
 
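Review bot: `ignore_errors: true` on this delegated task hides every failure, including an unreachable collector host or an undefined `ansible_ssh_host_key_ed25519_public`, so a host can be missing from the collected keys without the run showing it. `/etc/ssh/ssh_known_hosts` is written further down in this file, presumably from these facts, so a silent gap there weakens host-key checking for the affected host. I would at least add a comment stating which failure is tolerated, for example `# hosts without an ed25519 or rsa key fail here; tolerated on purpose`, or replace the blanket ignore with `register:` plus a `failed_when:` that accepts only that case. The task starts outside the hunk, so its module and conditions are not visible.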
@@ -24,10 +24,11 @@
     dest: /etc/ssh/ssh_known_hosts
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   tags:
     - hostkeys
 
+# yamllint disable rule:line-length rule:comments
 # This results in spurious changed messages. Using template module for now.
 #
 #- name: ensure all ed25519 host keys are collected
@@ -51,3 +52,4 @@
 #    - all
 #  tags:
 #    - hostkeys
+# yamllint enable rule:line-length rule:comments
diff --git a/localization/defaults/main.yml b/localization/defaults/main.yml
index 128eec56d0865f018f34170b6ef1e23889bffd50..808188ac29a35080bcc1a6e8585f42f297669804 100644
--- a/localization/defaults/main.yml
+++ b/localization/defaults/main.yml
@@ -7,6 +7,6 @@ localization_enabled_locales:
 localization_locale: locales/en
 localization_vconsole: vconsole.conf
 
-localization_prefer_timesyncd: False
+localization_prefer_timesyncd: false
 
 localization_timezone: Europe/Berlin
diff --git a/localization/tasks/locale.yml b/localization/tasks/locale.yml
index eb7414364352204b017ed297b6639b8a63a29a43..288ef225020e3c218278bd02132104d400003306 100644
--- a/localization/tasks/locale.yml
+++ b/localization/tasks/locale.yml
@@ -1,26 +1,36 @@
 ---
 
 - name: ensure locale support is installed
-  apt: name=locales state=latest
+  apt:
+    name: locales
+    state: present
   tags:
-    - packages
     - locale
 
 - name: ensure the default languages are enabled
-  locale_gen: name="{{item}}.UTF-8" state=present
+  locale_gen:
+    name: "{{item}}.UTF-8"
+    state: present
   with_items: "{{ localization_enabled_locales }}"
   tags:
-    - config
     - locale
 
 - name: ensure our default locale is default
-  copy: src="{{ localization_locale }}" dest=/etc/default/locale owner=root group=root mode=0644
+  copy:
+    src: "{{ localization_locale }}"
+    dest: /etc/default/locale
+    owner: root
+    group: root
+    mode: '0644'
   tags:
-    - config
     - locale
 
 - name: ensure our vconsole config is present
-  copy: src="{{ localization_vconsole }}" dest=/etc/vconsole.conf owner=root group=root mode=0644
+  copy:
+    src: "{{ localization_vconsole }}"
+    dest: /etc/vconsole.conf
+    owner: root
+    group: root
+    mode: '0644'
   tags:
-    - config
     - locale
diff --git a/localization/tasks/ntpd.yml b/localization/tasks/ntpd.yml
index 9a1a56ac397ddf6373036b0fee42e477642eec19..c7ca28cdecbf95aa421655760001440ccb69c514 100644
--- a/localization/tasks/ntpd.yml
+++ b/localization/tasks/ntpd.yml
@@ -5,7 +5,7 @@
   service:
     name: systemd-timesyncd
     state: stopped
-    enabled: no
+    enabled: false
   tags:
     - ntpd
 
@@ -29,6 +29,6 @@
   service:
     name: ntp
     state: started
-    enabled: yes
+    enabled: true
   tags:
     - ntpd
diff --git a/localization/tasks/timesyncd.yml b/localization/tasks/timesyncd.yml
index 546207638d9900f23e922e806cd9c152762617d0..0dfa0127ed1f1b2b645a75045e22575c2ff67248 100644
--- a/localization/tasks/timesyncd.yml
+++ b/localization/tasks/timesyncd.yml
@@ -5,7 +5,7 @@
   apt:
     name: ntp
     state: absent
-    purge: yes
+    purge: true
   tags:
     - timesyncd
 
@@ -22,6 +22,6 @@
   service:
     name: systemd-timesyncd
     state: started
-    enabled: yes
+    enabled: true
   tags:
     - timesyncd
diff --git a/localization/tasks/timezone.yml b/localization/tasks/timezone.yml
index 08cd45544e7d6c30801fc48d0a092080ab5fa9c6..0955d88c455148362143534c266770914d4ea8ae 100644
--- a/localization/tasks/timezone.yml
+++ b/localization/tasks/timezone.yml
@@ -7,6 +7,7 @@
     value: "{{ item.1 }}"
     vtype: select
   with_together:
+    # yamllint disable-line rule:line-length
     - "{{ ['tzdata/Areas', 'tzdata/Zones/'~localization_timezone.split('/')[0]] }}"
     - "{{ localization_timezone.split('/') }}"
   notify:
@@ -24,7 +25,7 @@
     dest: /etc/timezone
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   notify:
     - update timezone
   tags:
@@ -39,4 +40,3 @@
     - update timezone
   tags:
     - timezone
-
diff --git a/shell/handlers/main.yml b/shell/handlers/main.yml
index e1cc447d35156ff34e0ea95c933a9f96a7315220..4a2bbc150b6fc5bbc127f9c9e364db42dc43b84b 100644
--- a/shell/handlers/main.yml
+++ b/shell/handlers/main.yml
@@ -6,4 +6,3 @@
 
 - name: update initramfs
   command: update-initramfs -u
-
diff --git a/shell/tasks/shell.yml b/shell/tasks/shell.yml
index 8c3c62a559964563adcdc2aa4ffbb200254b3027..665c00c711510e9d00725208683b41982896d328 100644
--- a/shell/tasks/shell.yml
+++ b/shell/tasks/shell.yml
@@ -9,7 +9,7 @@
       - vim-scripts
       - zsh
     state: present
-    install_recommends: no
+    install_recommends: false
   tags:
     - packages
     - shell
@@ -61,7 +61,7 @@
     url: https://www.archlinux.org/packages/extra/any/grml-zsh-config/download/
     dest: "{{ role_path }}/files/"
   delegate_to: localhost
-  run_once: True
+  run_once: true
   register: grml_zsh
   tags:
     - config
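Review bot: The download task in this hunk shows only `url` and `dest`, with no `checksum:` visible, and the URL is a current-package endpoint, so whatever the server returns at run time is stored under `{{ role_path }}/files/`. Later tasks in this file copy a `.zshrc` into `/root`, so the downloaded content appears to end up as shell configuration for root. Unless a checksum is set above the hunk (the task starts outside it), I would pin the artifact with `checksum: 'sha256:<expected digest>'` and update the digest deliberately when the package changes, or vendor the file into the role.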
@@ -87,7 +87,7 @@
   copy:
     src: /etc/skel/.zshrc
     dest: /root/.zshrc
-    remote_src: yes
+    remote_src: true
   tags:
     - config
     - shell
@@ -99,7 +99,7 @@
     dest: /root/.vimrc
     owner: root
     group: root
-    mode: 0640
+    mode: '0640'
   tags:
     - config
     - shell
@@ -132,7 +132,7 @@
     owner: root
     group: root
     state: directory
-    mode: 0755
+    mode: '0755'
   with_filetree: terminfo/
   when: item.state == "directory"
   loop_control:
@@ -148,7 +148,7 @@
     dest: "/etc/terminfo/{{item.path}}"
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   with_filetree: terminfo/
   when: item.state == "file"
   loop_control:
diff --git a/shell/tasks/sudo.yml b/shell/tasks/sudo.yml
index ab0b52cb572b51ef00d1ac3ea55313f402d8dd00..9154a4cedfbd5016b8109d586e6b3fbdd7e587c5 100644
--- a/shell/tasks/sudo.yml
+++ b/shell/tasks/sudo.yml
@@ -1,20 +1,27 @@
 ---
 # file: roles/common/tasks/sudo.yml
 
-- name: ensure sudo is installed 
-  apt: state=present name=sudo
+- name: ensure sudo is installed
+  apt:
+    state: present
+    name: sudo
   tags:
     - sudo
-    - packages
 
 - name: ensure we got a sane sudo config
-  copy: src=sudo/default dest=/etc/sudoers owner=root group=root mode=0440 validate='visudo -q -c -f %s'
+  copy:
+    src: sudo/default
+    dest: /etc/sudoers
+    owner: root
+    group: root
+    mode: '0440'
+    validate: 'visudo -q -c -f %s'
   tags:
     - sudo
-    - config
 
 - name: ensure we got root
-  user: name=root password={{ rootpassword }}
+  user:
+    name: root
+    password: "{{ rootpassword }}"
   tags:
     - root
-    - config
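Review bot: The last task passes `{{ rootpassword }}` straight to the `user` module's `password` field, which expects an already hashed value, and nothing in the file says so or says where the variable is defined. A plaintext value would be written verbatim into the shadow entry, so I would add a comment above the task such as `# rootpassword must be a crypt(3) hash, kept encrypted in the inventory`. In the sudoers task, `validate: 'visudo -q -c -f %s'` depends on PATH, whereas ssh-server/tasks/main.yml uses the absolute `/usr/sbin/sshd`; `validate: '/usr/sbin/visudo -q -c -f %s'` would be consistent.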
diff --git a/ssh-server/defaults/main.yml b/ssh-server/defaults/main.yml
index eb600b6f53dae0c3a0653342c8a5193d175fb856..288625a30568f1c8e2fd5d9219f39d6abbbfb287 100644
--- a/ssh-server/defaults/main.yml
+++ b/ssh-server/defaults/main.yml
@@ -2,9 +2,9 @@
 # file: common/ssh-server/defaults/main.yml
 
 ssh_authorized_keys: "{{ inventory_dir }}/files/keys"
-ssh_mkhomedir: yes
-ssh_strong_crypto: yes
-ssh_password_auth: yes
-ssh_gssapi: yes
+ssh_mkhomedir: true
+ssh_strong_crypto: true
+ssh_password_auth: true
+ssh_gssapi: true
 ssh_sftp_options: ""
 ssh_allow_groups: []
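Review bot: `ssh_password_auth` and `ssh_gssapi` default to `true`, so a host that includes this role without overriding them presumably gets password and GSSAPI authentication enabled; the template that consumes these variables is not part of this diff. Since `ssh_authorized_keys` already provides key-based access, I would default both to `false` after checking that no host relies on them, and let inventories opt in. If the current defaults are intentional, a comment above them such as `# enabled by default for <reason>; set to false where keys suffice` would make that explicit.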
diff --git a/ssh-server/tasks/main.yml b/ssh-server/tasks/main.yml
index 9603073e3f6065bccdd708231a6f383c14553794..835011117f56bd34a84ea6137b948119fef629e1 100644
--- a/ssh-server/tasks/main.yml
+++ b/ssh-server/tasks/main.yml
@@ -7,7 +7,6 @@
     state: present
   tags:
     - ssh
-    - packages 
 
 - name: ensure sshd configured
   template:
@@ -15,15 +14,14 @@
     dest: /etc/ssh/sshd_config
     owner: root
     group: root
-    mode: 0644
-    backup: yes
+    mode: '0644'
+    backup: true
     validate: '/usr/sbin/sshd -t -f %s'
   when: ansible_distribution_release != "stretch"
   notify:
     - restart sshd
   tags:
     - ssh
-    - config
 
 - name: ensure sshd configured
   template:
@@ -31,15 +29,14 @@
     dest: /etc/ssh/sshd_config
     owner: root
     group: root
-    mode: 0644
-    backup: yes
+    mode: '0644'
+    backup: true
     validate: '/usr/sbin/sshd -t -f %s'
   when: ansible_distribution_release == "stretch"
   notify:
     - restart sshd
   tags:
     - ssh
-    - config
 
 - name: ensure standard pam configuration for sshd
   copy:
@@ -47,12 +44,11 @@
     dest: /etc/pam.d/sshd
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   notify:
     - restart sshd
   tags:
     - ssh
-    - config
 
 - name: ensure pam creates a home dir if necessary
   copy:
@@ -60,22 +56,21 @@
     dest: /usr/share/pam-configs/mkhomedir
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   when: ssh_mkhomedir
   notify:
     - regenerate pam config
   tags:
+    - ssh
     - pam
-    - config
 
 - name: ensure sshd is running and enabled
   service:
     name: ssh
     state: started
-    enabled: yes
+    enabled: true
   tags:
     - ssh
-    - service
 
 - name: ensure a proper ssh environment for root
   file:
@@ -83,7 +78,7 @@
     path: /root/.ssh
     owner: root
     group: root
-    mode: 0700
+    mode: '0700'
   tags:
     - ssh
     - root
@@ -94,11 +89,11 @@
     dest: /root/.ssh/authorized_keys
     owner: root
     group: root
-    mode: 0600
-    remote_src: False
+    mode: '0600'
+    remote_src: false
     src: "{{ ssh_authorized_keys }}"
-    backup: True
-    ignore_hidden: True
+    backup: true
+    ignore_hidden: true
     regexp: "^([^+]+|[^+]+\\+([^+]+,)*{{ inventory_hostname }}(,[^+]+)*).pub$"
   tags:
     - ssh
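Review bot: The `regexp` that selects which `.pub` files go into root's `authorized_keys` interpolates `{{ inventory_hostname }}` unescaped and leaves the dot before `pub` unescaped, so every `.` in a host name matches any character. A key file scoped to a similarly named host could therefore be selected for this one. Using `{{ inventory_hostname | regex_escape }}` and ending the pattern with `\\.pub$` closes that gap. A comment above the task describing the file naming scheme the pattern appears to implement (`name.pub` for all hosts, `name+host1,host2.pub` for listed hosts) would make it reviewable. The task starts outside the hunk, so the module in use is inferred from its arguments.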
@@ -110,7 +105,6 @@
     state: present
   tags:
     - ssh
-    - packages
 
 - name: ensure we got ourselves protected from sleepiness
   apt:
@@ -118,7 +112,6 @@
     state: present
   tags:
     - molly
-    - packages
     - shell
     - ssh
 
@@ -128,9 +121,8 @@
     dest: /etc/molly-guard/rc
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   tags:
     - molly
-    - config
     - shell
     - ssh