From 3e05012d8399ac63665f3bf11194a037e890716e Mon Sep 17 00:00:00 2001
From: Lars Beckers <lars.beckers@rwth-aachen.de>
Date: Thu, 13 Dec 2018 02:35:45 +0100
Subject: [PATCH] lint yaml files

---
 .yamllint                          | 19 ++++++++++
 apt/defaults/main.yml              | 10 ++---
 apt/handlers/main.yml              |  1 -
 apt/tasks/main.yml                 |  4 +-
 apt/tasks/repositories.yml         |  1 +
 basic-system/defaults/main.yml     |  2 +-
 basic-system/handlers/main.yml     |  1 -
 basic-system/tasks/logging.yml     | 59 ++++++++++++++++++++----------
 basic-system/tasks/network.yml     | 51 +++++++++++++++++---------
 hostkey-provider/handlers/main.yml |  1 -
 hostkey-provider/tasks/main.yml    | 14 ++++---
 localization/defaults/main.yml     |  2 +-
 localization/tasks/locale.yml      | 26 +++++++++----
 localization/tasks/ntpd.yml        |  4 +-
 localization/tasks/timesyncd.yml   |  4 +-
 localization/tasks/timezone.yml    |  4 +-
 shell/handlers/main.yml            |  1 -
 shell/tasks/shell.yml              | 12 +++---
 shell/tasks/sudo.yml               | 21 +++++++----
 ssh-server/defaults/main.yml       |  8 ++--
 ssh-server/tasks/main.yml          | 36 +++++++-----------
 21 files changed, 171 insertions(+), 110 deletions(-)
 create mode 100644 .yamllint

diff --git a/.yamllint b/.yamllint
new file mode 100644
index 0000000..cca80e2
--- /dev/null
+++ b/.yamllint
@@ -0,0 +1,19 @@
+---
+
+extends: default
+
+rules:
+  comments-indentation:
+    level: warning
+  document-start:
+    level: error
+  empty-lines:
+    max: 1
+  empty-values:
+    forbid-in-flow-mappings: true
+    forbid-in-block-mappings: true
+  line-length:
+    level: warning
+  octal-values:
+    forbid-implicit-octal: true
+    level: warning
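Review bot: `octal-values` is left at `level: warning`, so the exact class of value this commit quotes everywhere (`mode: 0644`) can silently come back, and an unquoted mode only works because YAML 1.1 happens to read a leading zero as octal; drop the zero and `644` becomes decimal. Since every mode in the repository is quoted after this commit, making the rule enforcing costs nothing: `octal-values:` / `  forbid-implicit-octal: true` / `  level: error`. The `truthy` rule inherited from `default` already backs the `yes`/`no` to `true`/`false` conversions, so nothing more is needed there.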
diff --git a/apt/defaults/main.yml b/apt/defaults/main.yml
index 85c9282..f9033c3 100644
--- a/apt/defaults/main.yml
+++ b/apt/defaults/main.yml
@@ -1,9 +1,9 @@
 ---
 # file: common/apt/defaults/main.yml
 
-apt_mirror: "http://ftp.halifax.rwth-aachen.de/debian/"
-apt_mirror_security: "http://security.debian.org/"
+apt_mirror: 'http://ftp.halifax.rwth-aachen.de/debian/'
+apt_mirror_security: 'http://security.debian.org/'
 apt_repos: ['main', 'contrib', 'non-free']
-apt_sets: ['', '-updates'] # ['-backports', '-proposed-updates']
-apt_src_enable: True
-raspbian_has_no_security: False
+apt_sets: ['', '-updates']  # ['-backports', '-proposed-updates']
+apt_src_enable: true
+raspbian_has_no_security: false
diff --git a/apt/handlers/main.yml b/apt/handlers/main.yml
index a86fe24..7f85265 100644
--- a/apt/handlers/main.yml
+++ b/apt/handlers/main.yml
@@ -3,4 +3,3 @@
 
 - name: update apt cache
   apt: update_cache=yes
-
diff --git a/apt/tasks/main.yml b/apt/tasks/main.yml
index 175fc11..3af814e 100644
--- a/apt/tasks/main.yml
+++ b/apt/tasks/main.yml
@@ -6,7 +6,7 @@
     dest: /etc/apt/sources.list
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   notify:
     - update apt cache
   tags:
@@ -30,7 +30,7 @@
     dest: /etc/apt/apt.conf.d/
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   tags:
     - config
     - apt
diff --git a/apt/tasks/repositories.yml b/apt/tasks/repositories.yml
index 099f756..f65bf98 100644
--- a/apt/tasks/repositories.yml
+++ b/apt/tasks/repositories.yml
@@ -1,5 +1,6 @@
 ---
 # file: roles/common/tasks/repositories.yml
+# yamllint disable rule:line-length
 
 - name: enable debian repositories
   apt_repository:
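Review bot: The added `# yamllint disable rule:line-length` directly under the header comment turns the rule off for the rest of the file, while the same commit uses the narrower `# yamllint disable-line rule:line-length` in localization/tasks/timezone.yml. The per-line form should be preferred here as well, placed directly above whichever apt_repository lines exceed the limit (they lie below this hunk). If there are too many for that, pair the file-level directive with a `# yamllint enable rule:line-length` after the last long line so later additions to the file are still checked.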
diff --git a/basic-system/defaults/main.yml b/basic-system/defaults/main.yml
index 4e43757..eda3f13 100644
--- a/basic-system/defaults/main.yml
+++ b/basic-system/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
 
-dns_hostname_fqdn: False
+dns_hostname_fqdn: false
 hosts_alternates: []
 hosts_additionals: []
diff --git a/basic-system/handlers/main.yml b/basic-system/handlers/main.yml
index 612fa5b..b63cc13 100644
--- a/basic-system/handlers/main.yml
+++ b/basic-system/handlers/main.yml
@@ -12,4 +12,3 @@
 
 - name: gather network facts once again
   setup: gather_subset=network
-
diff --git a/basic-system/tasks/logging.yml b/basic-system/tasks/logging.yml
index e4167d7..4a4aa5e 100644
--- a/basic-system/tasks/logging.yml
+++ b/basic-system/tasks/logging.yml
@@ -2,54 +2,71 @@
 # file: roles/common/task/logging.yml
 
 - name: restrict dmesg access to only root
-  sysctl: name=kernel.dmesg_restrict value=1 state=present sysctl_set=yes
-  tags: 
+  sysctl:
+    name: kernel.dmesg_restrict
+    value: 1
+    state: present
+    sysctl_set: true
+  tags:
     - security
     - sysctl
-    - config
-    
+
 - name: ensure system journal is a system-log-daemon with our package
-  apt: name=systemd-journal-persistent state=present
-  when: 
+  apt:
+    name: systemd-journal-persistent
+    state: present
+  when:
     - syslogserver is not defined or syslogserver.split(":")[0] != ansible_fqdn
     - ansible_distribution_major_version|int >= 9
   register: syslog_provider
   tags:
-    - config
     - syslog
+    - journal
 
 - name: ensure systemd journal is presistent
-  file: path=/var/log/journal state=directory
+  file:
+    path: /var/log/journal
+    state: directory
   when:
     - ansible_distribution_major_version|int < 9
   notify:
     - configure journal directory
   tags:
-    - config
     - syslog
+    - journal
 
-- name: ensure rsyslog is absent without broken dependecies 
-  apt: name=rsyslog state=absent purge=yes dpkg_options="force-confdef,force-confold,force-depends"
-  when: 
+- name: ensure rsyslog is absent without broken dependecies
+  apt:
+    name: rsyslog
+    state: absent
+    purge: true
+    dpkg_options: "force-confdef,force-confold,force-depends"
+  when:
     - not syslog_provider is skipped
     - ansible_distribution_major_version|int >= 9
     - syslogserver is not defined or syslogserver.split(":")[0] != ansible_fqdn
   tags:
-    - config
     - syslog
 
 - name: ensure rsyslog is running and enabled
-  service: name=rsyslog state=started enabled=yes
+  service:
+    name: rsyslog
+    state: started
+    enabled: true
   when:
     - syslogserver is defined
     - syslogserver|length > 0
     - ansible_distribution_major_version|int < 9
   tags:
     - syslog
-    - service
 
 - name: ensure that central logging works
-  template: src=rsyslog.conf.j2 dest=/etc/rsyslog.conf owner=root group=root mode=0644
+  template:
+    src: rsyslog.conf.j2
+    dest: /etc/rsyslog.conf
+    owner: root
+    group: root
+    mode: '0644'
   when:
     - syslogserver is defined
     - syslogserver|length > 0
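Review bot: Beyond lint, this hunk changes what `--tags`/`--skip-tags` select: the `config` tag is removed from five tasks, `service` from one, and a new `journal` tag is added, so an operator running `ansible-playbook --tags config` no longer gets the journal, rsyslog and logrotate tasks. The same tag removals (`config`, `packages`, `service`) and an added `ssh` tag on the mkhomedir task appear in basic-system/tasks/network.yml, localization/tasks/locale.yml, shell/tasks/sudo.yml and ssh-server/tasks/main.yml. Either split the tag rework into its own commit or state it in the commit message, since "lint yaml files" promises no behavioural change and the rest of the file lies outside this hunk.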
@@ -59,11 +76,13 @@
     - restart rsyslogd
   tags:
     - syslog
-    - config
 
 - name: ensure our logrotate.conf is present
-  copy: src=logrotate.conf dest=/etc/logrotate.conf owner=root group=root mode=0644
+  copy:
+    src: logrotate.conf
+    dest: /etc/logrotate.conf
+    owner: root
+    group: root
+    mode: '0644'
   tags:
     - syslog
-    - config
-
diff --git a/basic-system/tasks/network.yml b/basic-system/tasks/network.yml
index c2c7814..3214305 100644
--- a/basic-system/tasks/network.yml
+++ b/basic-system/tasks/network.yml
@@ -1,38 +1,43 @@
 ---
 # file: roles/common/tasks/dns.yml
- 
+
 - name: ensure dns is configured
-  template: src=resolv.conf.j2 dest=/etc/resolv.conf owner=root group=root mode=0644
+  template:
+    src: resolv.conf.j2
+    dest: /etc/resolv.conf
+    owner: root
+    group: root
+    mode: '0644'
   tags:
     - dns
-    - config
 
 - name: ensure dbus is installed, since hostnamectl needs this
-  apt: name=dbus state=present
+  apt:
+    name: dbus
+    state: present
   tags:
-    - packages
     - dns
     - network
 
 - name: ensure the hostname is not a fqdn
-  hostname: name="{{ inventory_hostname }}"
+  hostname:
+    name: "{{ inventory_hostname }}"
   when: not dns_hostname_fqdn
   notify:
     - gather network facts once again
   tags:
     - dns
     - network
-    - config
 
 - name: ensure the hostname is a fqdn
-  hostname: name="{{ ansible_fqdn }}"
+  hostname:
+    name: "{{ ansible_fqdn }}"
   when: dns_hostname_fqdn
   notify:
     - gather network facts once again
   tags:
     - dns
     - network
-    - config
 
 - meta: flush_handlers
 
@@ -47,28 +52,38 @@
     - network
 
 - name: ensure deactivation of tcp_timestamps
-  sysctl: name=net.ipv4.tcp_timestamps value=0 state=present sysctl_set=yes
-  tags: 
+  sysctl:
+    name: net.ipv4.tcp_timestamps
+    value: 0
+    state: present
+    sysctl_set: true
+  tags:
     - security
     - sysctl
-    - config
 
 - name: ensure deactivation of ipv6 tempaddr (all)
-  sysctl: name=net.ipv6.conf.all.use_tempaddr value=0 state=present sysctl_set=yes
+  sysctl:
+    name: net.ipv6.conf.all.use_tempaddr
+    value: 0
+    state: present
+    sysctl_set: true
   tags:
     - security
     - sysctl
-    - config
 
 - name: ensure deactivation of ipv6 tempaddr (default)
-  sysctl: name=net.ipv6.conf.default.use_tempaddr value=0 state=present sysctl_set=yes
+  sysctl:
+    name: net.ipv6.conf.default.use_tempaddr
+    value: 0
+    state: present
+    sysctl_set: true
   tags:
     - security
     - sysctl
-    - config
 
 - name: ensure openssl is installed
-  apt: name=openssl state=latest
+  apt:
+    name: openssl
+    state: present
   tags:
-    - packages
     - tls
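Review bot: The openssl task goes from `state: latest` to `state: present`, which is a behavioural change hidden in a lint commit: the role will no longer upgrade an already installed openssl on each run, so hosts only receive OpenSSL security updates through whatever other mechanism exists. The same switch is made for the `locales` package in localization/tasks/locale.yml. If the intent is that this role should not upgrade packages, say so in the commit message and make sure unattended upgrades or an equivalent covers openssl; otherwise keep `state: latest` on this task.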
diff --git a/hostkey-provider/handlers/main.yml b/hostkey-provider/handlers/main.yml
index fd97a01..c451577 100644
--- a/hostkey-provider/handlers/main.yml
+++ b/hostkey-provider/handlers/main.yml
@@ -2,4 +2,3 @@
 
 - name: re-read local facts for new hostkeys
   setup: filter=ansible_local
-
diff --git a/hostkey-provider/tasks/main.yml b/hostkey-provider/tasks/main.yml
index 67f2cde..2256bfe 100644
--- a/hostkey-provider/tasks/main.yml
+++ b/hostkey-provider/tasks/main.yml
@@ -7,12 +7,12 @@
     option: "{{ item.key }}"
     value: "{{ item.value }}"
   with_items:
-    - { key: 'ipv4', value: "{{ ansible_all_ipv4_addresses|join(',') }}" }
-    - { key: 'ipv6', value: "{{ ansible_all_ipv6_addresses|join(',') }}" }
-    - { key: 'ed25519', value: "{{ ansible_ssh_host_key_ed25519_public }}" }
-    - { key: 'rsa', value: "{{ ansible_ssh_host_key_rsa_public }}" }
+    - {key: 'ipv4', value: "{{ ansible_all_ipv4_addresses|join(',') }}"}
+    - {key: 'ipv6', value: "{{ ansible_all_ipv6_addresses|join(',') }}"}
+    - {key: 'ed25519', value: "{{ ansible_ssh_host_key_ed25519_public }}"}
+    - {key: 'rsa', value: "{{ ansible_ssh_host_key_rsa_public }}"}
   delegate_to: "{{ hostvars[hostkeys_collector]['ansible_fqdn'] }}"
-  ignore_errors: True
+  ignore_errors: true
   notify:
     - re-read local facts for new hostkeys
 
@@ -24,10 +24,11 @@
     dest: /etc/ssh/ssh_known_hosts
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   tags:
     - hostkeys
 
+# yamllint disable rule:line-length rule:comments
 # This results in spurious changed messages. Using template module for now.
 #
 #- name: ensure all ed25519 host keys are collected
@@ -51,3 +52,4 @@
 #    - all
 #  tags:
 #    - hostkeys
+# yamllint enable rule:line-length rule:comments
diff --git a/localization/defaults/main.yml b/localization/defaults/main.yml
index 128eec5..808188a 100644
--- a/localization/defaults/main.yml
+++ b/localization/defaults/main.yml
@@ -7,6 +7,6 @@ localization_enabled_locales:
 localization_locale: locales/en
 localization_vconsole: vconsole.conf
 
-localization_prefer_timesyncd: False
+localization_prefer_timesyncd: false
 
 localization_timezone: Europe/Berlin
diff --git a/localization/tasks/locale.yml b/localization/tasks/locale.yml
index eb74143..288ef22 100644
--- a/localization/tasks/locale.yml
+++ b/localization/tasks/locale.yml
@@ -1,26 +1,36 @@
 ---
 
 - name: ensure locale support is installed
-  apt: name=locales state=latest
+  apt:
+    name: locales
+    state: present
   tags:
-    - packages
     - locale
 
 - name: ensure the default languages are enabled
-  locale_gen: name="{{item}}.UTF-8" state=present
+  locale_gen:
+    name: "{{item}}.UTF-8"
+    state: present
   with_items: "{{ localization_enabled_locales }}"
   tags:
-    - config
     - locale
 
 - name: ensure our default locale is default
-  copy: src="{{ localization_locale }}" dest=/etc/default/locale owner=root group=root mode=0644
+  copy:
+    src: "{{ localization_locale }}"
+    dest: /etc/default/locale
+    owner: root
+    group: root
+    mode: '0644'
   tags:
-    - config
     - locale
 
 - name: ensure our vconsole config is present
-  copy: src="{{ localization_vconsole }}" dest=/etc/vconsole.conf owner=root group=root mode=0644
+  copy:
+    src: "{{ localization_vconsole }}"
+    dest: /etc/vconsole.conf
+    owner: root
+    group: root
+    mode: '0644'
   tags:
-    - config
     - locale
diff --git a/localization/tasks/ntpd.yml b/localization/tasks/ntpd.yml
index 9a1a56a..c7ca28c 100644
--- a/localization/tasks/ntpd.yml
+++ b/localization/tasks/ntpd.yml
@@ -5,7 +5,7 @@
   service:
     name: systemd-timesyncd
     state: stopped
-    enabled: no
+    enabled: false
   tags:
     - ntpd
 
@@ -29,6 +29,6 @@
   service:
     name: ntp
     state: started
-    enabled: yes
+    enabled: true
   tags:
     - ntpd
diff --git a/localization/tasks/timesyncd.yml b/localization/tasks/timesyncd.yml
index 5462076..0dfa012 100644
--- a/localization/tasks/timesyncd.yml
+++ b/localization/tasks/timesyncd.yml
@@ -5,7 +5,7 @@
   apt:
     name: ntp
     state: absent
-    purge: yes
+    purge: true
   tags:
     - timesyncd
 
@@ -22,6 +22,6 @@
   service:
     name: systemd-timesyncd
     state: started
-    enabled: yes
+    enabled: true
   tags:
     - timesyncd
diff --git a/localization/tasks/timezone.yml b/localization/tasks/timezone.yml
index 08cd455..0955d88 100644
--- a/localization/tasks/timezone.yml
+++ b/localization/tasks/timezone.yml
@@ -7,6 +7,7 @@
     value: "{{ item.1 }}"
     vtype: select
   with_together:
+    # yamllint disable-line rule:line-length
     - "{{ ['tzdata/Areas', 'tzdata/Zones/'~localization_timezone.split('/')[0]] }}"
     - "{{ localization_timezone.split('/') }}"
   notify:
@@ -24,7 +25,7 @@
     dest: /etc/timezone
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   notify:
     - update timezone
   tags:
@@ -39,4 +40,3 @@
     - update timezone
   tags:
     - timezone
-
diff --git a/shell/handlers/main.yml b/shell/handlers/main.yml
index e1cc447..4a2bbc1 100644
--- a/shell/handlers/main.yml
+++ b/shell/handlers/main.yml
@@ -6,4 +6,3 @@
 
 - name: update initramfs
   command: update-initramfs -u
-
diff --git a/shell/tasks/shell.yml b/shell/tasks/shell.yml
index 8c3c62a..665c00c 100644
--- a/shell/tasks/shell.yml
+++ b/shell/tasks/shell.yml
@@ -9,7 +9,7 @@
       - vim-scripts
       - zsh
     state: present
-    install_recommends: no
+    install_recommends: false
   tags:
     - packages
     - shell
@@ -61,7 +61,7 @@
     url: https://www.archlinux.org/packages/extra/any/grml-zsh-config/download/
     dest: "{{ role_path }}/files/"
   delegate_to: localhost
-  run_once: True
+  run_once: true
   register: grml_zsh
   tags:
     - config
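Review bot: This task fetches a package from archlinux.org into the role's files/ directory on the controller at run time, and the lines visible here carry no `checksum:` on the get_url call; the task head lies above the hunk, so if a checksum is set there this can be ignored. Without one, whatever the URL serves at that moment is accepted and, presumably, shipped onward by later tasks, so pin it with `checksum: "sha256:<expected digest>"` (placeholder) and update the digest deliberately when the upstream file changes. Vendoring the artifact into the repository instead of fetching it on each run would make the input reviewable as well.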
@@ -87,7 +87,7 @@
   copy:
     src: /etc/skel/.zshrc
     dest: /root/.zshrc
-    remote_src: yes
+    remote_src: true
   tags:
     - config
     - shell
@@ -99,7 +99,7 @@
     dest: /root/.vimrc
     owner: root
     group: root
-    mode: 0640
+    mode: '0640'
   tags:
     - config
     - shell
@@ -132,7 +132,7 @@
     owner: root
     group: root
     state: directory
-    mode: 0755
+    mode: '0755'
   with_filetree: terminfo/
   when: item.state == "directory"
   loop_control:
@@ -148,7 +148,7 @@
     dest: "/etc/terminfo/{{item.path}}"
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   with_filetree: terminfo/
   when: item.state == "file"
   loop_control:
diff --git a/shell/tasks/sudo.yml b/shell/tasks/sudo.yml
index ab0b52c..9154a4c 100644
--- a/shell/tasks/sudo.yml
+++ b/shell/tasks/sudo.yml
@@ -1,20 +1,27 @@
 ---
 # file: roles/common/tasks/sudo.yml
 
-- name: ensure sudo is installed 
-  apt: state=present name=sudo
+- name: ensure sudo is installed
+  apt:
+    state: present
+    name: sudo
   tags:
     - sudo
-    - packages
 
 - name: ensure we got a sane sudo config
-  copy: src=sudo/default dest=/etc/sudoers owner=root group=root mode=0440 validate='visudo -q -c -f %s'
+  copy:
+    src: sudo/default
+    dest: /etc/sudoers
+    owner: root
+    group: root
+    mode: '0440'
+    validate: 'visudo -q -c -f %s'
   tags:
     - sudo
-    - config
 
 - name: ensure we got root
-  user: name=root password={{ rootpassword }}
+  user:
+    name: root
+    password: "{{ rootpassword }}"
   tags:
     - root
-    - config
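Review bot: The `user` task sets root's password from `{{ rootpassword }}` without `no_log: true`, so the value appears in task output and in any log once verbosity or diff output is raised. The Ansible user module stores the `password` value as given and expects an already hashed string, so the variable must hold a crypt hash (for example produced with the `password_hash` filter) rather than a cleartext secret; a comment on the task saying so would help, since the variable name does not. Add `no_log: true` at the task level, and apply the same to any other task that handles this value. The quoting of the Jinja expression and the `validate: 'visudo -q -c -f %s'` on the sudoers copy are both correct as written.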
diff --git a/ssh-server/defaults/main.yml b/ssh-server/defaults/main.yml
index eb600b6..288625a 100644
--- a/ssh-server/defaults/main.yml
+++ b/ssh-server/defaults/main.yml
@@ -2,9 +2,9 @@
 # file: common/ssh-server/defaults/main.yml
 
 ssh_authorized_keys: "{{ inventory_dir }}/files/keys"
-ssh_mkhomedir: yes
-ssh_strong_crypto: yes
-ssh_password_auth: yes
-ssh_gssapi: yes
+ssh_mkhomedir: true
+ssh_strong_crypto: true
+ssh_password_auth: true
+ssh_gssapi: true
 ssh_sftp_options: ""
 ssh_allow_groups: []
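Review bot: These defaults carry no documentation, and `ssh_password_auth: true` together with `ssh_gssapi: true` decides the authentication surface of every host the role touches, presumably through the sshd_config template that is outside this diff. A one-line comment above each toggle stating what it switches on would make the default posture reviewable, e.g. `# true keeps PasswordAuthentication enabled; override per host or group for key-only login` above `ssh_password_auth`. The converted `true`/`false` values themselves are correct.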
diff --git a/ssh-server/tasks/main.yml b/ssh-server/tasks/main.yml
index 9603073..8350111 100644
--- a/ssh-server/tasks/main.yml
+++ b/ssh-server/tasks/main.yml
@@ -7,7 +7,6 @@
     state: present
   tags:
     - ssh
-    - packages 
 
 - name: ensure sshd configured
   template:
@@ -15,15 +14,14 @@
     dest: /etc/ssh/sshd_config
     owner: root
     group: root
-    mode: 0644
-    backup: yes
+    mode: '0644'
+    backup: true
     validate: '/usr/sbin/sshd -t -f %s'
   when: ansible_distribution_release != "stretch"
   notify:
     - restart sshd
   tags:
     - ssh
-    - config
 
 - name: ensure sshd configured
   template:
@@ -31,15 +29,14 @@
     dest: /etc/ssh/sshd_config
     owner: root
     group: root
-    mode: 0644
-    backup: yes
+    mode: '0644'
+    backup: true
     validate: '/usr/sbin/sshd -t -f %s'
   when: ansible_distribution_release == "stretch"
   notify:
     - restart sshd
   tags:
     - ssh
-    - config
 
 - name: ensure standard pam configuration for sshd
   copy:
@@ -47,12 +44,11 @@
     dest: /etc/pam.d/sshd
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   notify:
     - restart sshd
   tags:
     - ssh
-    - config
 
 - name: ensure pam creates a home dir if necessary
   copy:
@@ -60,22 +56,21 @@
     dest: /usr/share/pam-configs/mkhomedir
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   when: ssh_mkhomedir
   notify:
     - regenerate pam config
   tags:
+    - ssh
     - pam
-    - config
 
 - name: ensure sshd is running and enabled
   service:
     name: ssh
     state: started
-    enabled: yes
+    enabled: true
   tags:
     - ssh
-    - service
 
 - name: ensure a proper ssh environment for root
   file:
@@ -83,7 +78,7 @@
     path: /root/.ssh
     owner: root
     group: root
-    mode: 0700
+    mode: '0700'
   tags:
     - ssh
     - root
@@ -94,11 +89,11 @@
     dest: /root/.ssh/authorized_keys
     owner: root
     group: root
-    mode: 0600
-    remote_src: False
+    mode: '0600'
+    remote_src: false
     src: "{{ ssh_authorized_keys }}"
-    backup: True
-    ignore_hidden: True
+    backup: true
+    ignore_hidden: true
     regexp: "^([^+]+|[^+]+\\+([^+]+,)*{{ inventory_hostname }}(,[^+]+)*).pub$"
   tags:
     - ssh
@@ -110,7 +105,6 @@
     state: present
   tags:
     - ssh
-    - packages
 
 - name: ensure we got ourselves protected from sleepiness
   apt:
@@ -118,7 +112,6 @@
     state: present
   tags:
     - molly
-    - packages
     - shell
     - ssh
 
@@ -128,9 +121,8 @@
     dest: /etc/molly-guard/rc
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   tags:
     - molly
-    - config
     - shell
     - ssh
-- 
GitLab