Merge pull request #8 from guillaumebriday/cleaning-tasks

guillaumebriday · web-flow · commit 8abacf0d3f0c · 2024-11-18T13:50:53.000-05:00
Cleaning tasks
diff --git a/.ansible-lint b/.ansible-lint
@@ -0,0 +1,7 @@
+---
+skip_list:
+  - package-latest
+  - run-once[play]
+
+enable_list:
+  - fqcn-builtins
diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml
@@ -0,0 +1,13 @@
+name: ansible-lint
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  build:
+    name: Ansible Lint # Naming the build is important to use it as a status check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ansible/ansible-lint@main
diff --git a/playbook.yml b/playbook.yml
@@ -7,4 +7,3 @@
     - docker
     - firewall
     - ssh
-    - snap
diff --git a/requirements.yml b/requirements.yml
@@ -0,0 +1,3 @@
+---
+collections:
+  - community.general
diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml
@@ -1,6 +1,6 @@
 ---
-- name: restart docker
-  service:
+- name: Restart docker
+  ansible.builtin.service:
     name: docker
     state: restarted
-    enabled: yes
+    enabled: true
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
@@ -1,32 +1,46 @@
 ---
+# See: https://docs.docker.com/engine/install/ubuntu/
+
 - name: Ensure old versions of Docker are not installed
-  package:
+  ansible.builtin.apt:
     name:
+      - containerd
       - docker
-      - docker.io
+      - docker-compose
+      - docker-compose-v2
+      - docker-doc
       - docker-engine
+      - docker.io
+      - podman-docker
+      - runc
     state: absent
 
-- name: Add Docker apt key
-  get_url:
+- name: Create directory for Docker GPG key
+  ansible.builtin.file:
+    path: /etc/apt/keyrings
+    state: directory
+    mode: "0755"
+
+- name: Add Docker GPG apt key
+  ansible.builtin.get_url:
     url: "https://download.docker.com/linux/ubuntu/gpg"
-    dest: /etc/apt/trusted.gpg.d/docker.asc
-    mode: 0644
+    dest: /etc/apt/keyrings/docker.asc
+    mode: "0644"
     force: false
 
 - name: Add Docker repository
-  apt_repository:
-    repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
+  ansible.builtin.apt_repository:
+    repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
     state: present
     filename: docker
     update_cache: true
 
 - name: Install Docker packages
-  package:
+  ansible.builtin.apt:
     name:
       - docker-ce
       - docker-ce-cli
       - containerd.io
     state: present
   notify:
-    - restart docker
+    - Restart docker
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
@@ -1,6 +1,6 @@
 ---
 - name: Configure ufw defaults
-  ufw:
+  community.general.ufw:
     direction: "{{ item.direction }}"
     policy: "{{ item.policy }}"
   loop:
@@ -10,7 +10,7 @@
       policy: allow
 
 - name: Configure ufw rules
-  ufw:
+  community.general.ufw:
     rule: "{{ item.rule }}"
     port: "{{ item.port }}"
     proto: "{{ item.proto }}"
@@ -26,5 +26,5 @@
       proto: 'tcp'
 
 - name: Enable ufw
-  ufw:
+  community.general.ufw:
     state: enabled
diff --git a/roles/packages/handlers/main.yml b/roles/packages/handlers/main.yml
@@ -1,12 +1,12 @@
 ---
-- name: start ntp
-  service:
+- name: Start ntp
+  ansible.builtin.service:
     name: ntp
     state: started
-    enabled: yes
+    enabled: true
 
-- name: start fail2ban
-  service:
+- name: Start fail2ban
+  ansible.builtin.service:
     name: fail2ban
     state: started
-    enabled: yes
+    enabled: true
diff --git a/roles/packages/tasks/main.yml b/roles/packages/tasks/main.yml
@@ -1,11 +1,11 @@
 ---
 - name: Upgrade packages
-  apt:
-    update_cache: yes
-    upgrade: yes
+  ansible.builtin.apt:
+    update_cache: true
+    upgrade: true
 
 - name: Install packages
-  apt:
+  ansible.builtin.apt:
     name:
       - apt-transport-https
       - build-essential
@@ -20,9 +20,17 @@
       - unattended-upgrades
       - vim
     state: latest
-    update_cache: yes
-    autoremove: yes
-    autoclean: yes
+    update_cache: true
+    autoremove: true
+    autoclean: true
   notify:
-    - start ntp
-    - start fail2ban
+    - Start ntp
+    - Start fail2ban
+
+- name: Remove snap
+  ansible.builtin.apt:
+    name:
+      - snapd
+      - snap
+    state: absent
+    purge: true
diff --git a/roles/snap/tasks/main.yml b/roles/snap/tasks/main.yml
diff --git a/roles/ssh/handlers/main.yml b/roles/ssh/handlers/main.yml
@@ -1,5 +1,5 @@
 ---
-- name: restart ssh
-  service:
+- name: Restart ssh
+  ansible.builtin.service:
     name: ssh
     state: restarted
diff --git a/roles/ssh/tasks/main.yml b/roles/ssh/tasks/main.yml
@@ -1,28 +1,20 @@
 ---
 - name: Update SSH configuration to be more secure
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: "/etc/ssh/sshd_config"
-    regexp: "{{ item.regexp }}"
-    line: "{{ item.line }}"
+    regexp: "^(#)?{{ item.key }}"
+    line: "{{ item.key }} {{ item.value }}"
     state: present
     validate: 'sshd -T -f %s'
-    mode: 0644
-  with_items:
-    - regexp: "^PasswordAuthentication"
-      line: "PasswordAuthentication no"
-    - regexp: "^PermitRootLogin"
-      line: "PermitRootLogin prohibit-password"
-    - regexp: "^Port"
-      line: "Port 22"
-    - regexp: "^UseDNS"
-      line: "UseDNS no"
-    - regexp: "^PermitEmptyPasswords"
-      line: "PermitEmptyPasswords no"
-    - regexp: "^ChallengeResponseAuthentication"
-      line: "ChallengeResponseAuthentication no"
-    - regexp: "^GSSAPIAuthentication"
-      line: "GSSAPIAuthentication no"
-    - regexp: "^X11Forwarding"
-      line: "X11Forwarding no"
+    mode: "0644"
+  loop:
+    - { key: "PasswordAuthentication", value: "no" }
+    - { key: "PermitRootLogin", value: "prohibit-password" }
+    - { key: "Port", value: "22" }
+    - { key: "UseDNS", value: "no" }
+    - { key: "PermitEmptyPasswords", value: "no" }
+    - { key: "ChallengeResponseAuthentication", value: "no" }
+    - { key: "GSSAPIAuthentication", value: "no" }
+    - { key: "X11Forwarding", value: "no" }
   notify:
-    - restart ssh
+    - Restart ssh

-Original file line number
+Diff line change
     - docker
     - firewall
     - ssh
 -    - snap
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+---`
	`2`	`+collections:`
	`3`	`+ - community.general`