From 2af9f8529d45b93325eded719d2cb6823455ad6f Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Thu, 15 Jun 2023 15:16:19 +0100
Subject: [PATCH] Fix new ansible-lint errors
Quite a few changes here, hopefully they work!
---
 ansible/.ansible-lint | 4 ++++
 ansible/group_vars/all/docker.yml | 4 ++--
 ansible/group_vars/all/me.yml | 4 ++++
 ansible/group_vars/all/user.yml | 3 ---
 ansible/group_vars/all/{hosts.yml => vps-hosts.yml} | 2 +-
 ansible/group_vars/all/wireguard.yml | 2 +-
 ansible/main.yml | 2 +-
 ansible/roles/aurto/tasks/nginx.yml | 4 ++--
 ansible/roles/base/files/sshd_config | 2 +-
 ansible/roles/base/tasks/ssh.yml | 4 ++--
 ansible/roles/base/tasks/user.yml | 8 ++++----
 ansible/roles/docker_cleanup/tasks/main.yml | 8 ++++----
 ansible/roles/fail2ban_ssh/tasks/main.yml | 4 ++--
 ansible/roles/forrest/files/prometheus/prometheus.yml | 2 +-
 ansible/roles/gateway/files/nginx-fail2ban-jail.conf | 4 ++--
 ansible/roles/gateway/tasks/wireguard.yml | 10 +++++-----
 ansible/roles/mastodon/tasks/main.yml | 2 +-
 ansible/roles/nebula/vars/main.yml | 2 +-
 ansible/roles/pihole/files/internal-alias.conf | 2 +-
 ansible/roles/pihole/tasks/main.yml | 4 ++--
 ansible/roles/qbittorrent/tasks/qbittorrent.yml | 2 +-
 ansible/roles/traefik/files/fail2ban/traefik-jail.conf | 2 +-
 ansible/roles/traefik/tasks/fail2ban.yml | 6 +++---
 ansible/roles/upload/tasks/main.yml | 4 ++--
 ansible/roles/zfs/tasks/main.yml | 2 +-
 terraform/context.tf | 4 ++--
 yamllint.yml | 2 +-
 27 files changed, 52 insertions(+), 47 deletions(-)
 create mode 100644 ansible/group_vars/all/me.yml
 delete mode 100644 ansible/group_vars/all/user.yml
 rename ansible/group_vars/all/{hosts.yml => vps-hosts.yml} (88%)
diff --git a/ansible/.ansible-lint b/ansible/.ansible-lint
index a71ef2b..2a7e639 100644
--- a/ansible/.ansible-lint
+++ b/ansible/.ansible-lint
@@ -2,6 +2,10 @@ skip_list:
 - command-instead-of-shell
 - no-handler
 - git-latest
+ - fqcn
+ - name[casing]
+ - name[play]
+ - no-changed-when
 exclude_paths:
 - galaxy_roles/
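Review bot: The four rules appended to `skip_list` silence `fqcn`, `name[casing]`, `name[play]` and `no-changed-when` for the whole repository instead of fixing the tasks they flagged, so a future `command`/`shell` task without `changed_when` will never be reported either. If these are meant to be deferred rather than abandoned, moving them to `warn_list:` keeps them visible in lint output without failing the run, and a one-line comment above the block (`# TODO: re-enable once tasks are migrated to FQCNs`) records the intent. The hunk's old-side count suggests one trailing context line was lost in collapsing; nothing else in it is affected.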
diff --git a/ansible/group_vars/all/docker.yml b/ansible/group_vars/all/docker.yml
index 684e714..9bd3658 100644
--- a/ansible/group_vars/all/docker.yml
+++ b/ansible/group_vars/all/docker.yml
@@ -2,7 +2,7 @@ docker_user:
 id: 3000
 name: dockeruser
-docker_compose_file_mask: 0664
-docker_compose_directory_mask: 0775
+docker_compose_file_mask: "664"
+docker_compose_directory_mask: "775"
 docker_update_command: docker-compose pull && docker-compose down --remove-orphans && docker-compose rm && docker-compose up -d
diff --git a/ansible/group_vars/all/me.yml b/ansible/group_vars/all/me.yml
new file mode 100644
index 0000000..62fece7
--- /dev/null
+++ b/ansible/group_vars/all/me.yml
@@ -0,0 +1,4 @@
+me:
+ user: jake
+ home: /home/jake
+ name: Jake Howard
diff --git a/ansible/group_vars/all/user.yml b/ansible/group_vars/all/user.yml
deleted file mode 100644
index 938ba9d..0000000
--- a/ansible/group_vars/all/user.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-user: jake
-home: /home/{{ user }}
-name: Jake Howard
diff --git a/ansible/group_vars/all/hosts.yml b/ansible/group_vars/all/vps-hosts.yml
similarity index 88%
rename from ansible/group_vars/all/hosts.yml
rename to ansible/group_vars/all/vps-hosts.yml
index e528f25..af4a4e8 100755
--- a/ansible/group_vars/all/hosts.yml
+++ b/ansible/group_vars/all/vps-hosts.yml
@@ -1,4 +1,4 @@
-"hosts":
+"vps_hosts":
 "casey_ip": "213.219.38.11"
 "grimes_ip": "104.238.172.209"
 "walker_ip": "192.248.168.230"
diff --git a/ansible/group_vars/all/wireguard.yml b/ansible/group_vars/all/wireguard.yml
index 90f4f64..2f3f4b9 100644
--- a/ansible/group_vars/all/wireguard.yml
+++ b/ansible/group_vars/all/wireguard.yml
@@ -1,5 +1,5 @@
 wireguard:
- public_ip: "{{ hosts.casey_ip }}"
+ public_ip: "{{ vps_hosts.casey_ip }}"
 port: 51820
 cidr: 10.23.0.0/24
 server:
diff --git a/ansible/main.yml b/ansible/main.yml
index 9573444..b121910 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -40,7 +40,7 @@
 vars:
 docker_install_compose_plugin: "{{ ansible_os_family == 'Debian' }}"
 docker_users:
- - "{{ user }}"
+ - "{{ me.user }}"
 - docker_cleanup
 - hosts:
diff --git a/ansible/roles/aurto/tasks/nginx.yml b/ansible/roles/aurto/tasks/nginx.yml
index 376d338..0e0e6ea 100644
--- a/ansible/roles/aurto/tasks/nginx.yml
+++ b/ansible/roles/aurto/tasks/nginx.yml
@@ -16,7 +16,7 @@
 password: aurto
 owner: http
 group: http
- mode: 0600
+ mode: "600"
 become: true
 notify: restart nginx
@@ -24,6 +24,6 @@
 template:
 src: files/nginx.conf
 dest: /etc/nginx/nginx.conf
- mode: "0600"
+ mode: "600"
 become: true
 notify: restart nginx
diff --git a/ansible/roles/base/files/sshd_config b/ansible/roles/base/files/sshd_config
index e537032..17951c6 100644
--- a/ansible/roles/base/files/sshd_config
+++ b/ansible/roles/base/files/sshd_config
@@ -2,7 +2,7 @@
 # Change to a high/odd port if this server is exposed to the internet directly
 Port {{ ssh_port }}
-AllowUsers {% if hostname_slug in pve_hosts %}{{ user }}@{{ pve_hosts.internal_cidr }}{% endif %} {% if hostname_slug in nebula.clients %}{{ user }}@{{ nebula.cidr }}{% endif %} {{ ssh_extra_allowed_users }}
+AllowUsers {% if hostname_slug in pve_hosts %}{{ me.user }}@{{ pve_hosts.internal_cidr }}{% endif %} {% if hostname_slug in nebula.clients %}{{ me.user }}@{{ nebula.cidr }}{% endif %} {{ ssh_extra_allowed_users }}
 # Bind to all interfaces (change to specific interface if needed)
 ListenAddress 0.0.0.0
diff --git a/ansible/roles/base/tasks/ssh.yml b/ansible/roles/base/tasks/ssh.yml
index c1ea135..4ff6fec 100644
--- a/ansible/roles/base/tasks/ssh.yml
+++ b/ansible/roles/base/tasks/ssh.yml
@@ -21,13 +21,13 @@
 dest: /etc/ssh/sshd_config
 validate: /usr/sbin/sshd -t -f %s
 backup: true
- mode: 0644
+ mode: "644"
 become: true
 register: sshd_config
 - name: Set up authorized keys
 ansible.posix.authorized_key:
- user: "{{ user }}"
+ user: "{{ me.user }}"
 state: present
 key: "{{ lookup('file', item) }}"
 loop:
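Review bot: The second nginx.yml hunk rewrites an already-quoted `mode: "0600"` as `mode: "600"`, which the lint fix did not require; both forms are accepted by the file-based modules (a quoted digit string is converted as octal by the module itself), but the leading-zero form is the one the module documentation shows and the one that reads unambiguously as a permission bitmask, so `mode: "0600"` is the better target for both hunks. The same remark applies to every other `mode:`/`directory_mode:` change in this patch (ssh.yml here, user.yml, docker_cleanup, fail2ban_ssh, wireguard, pihole, qbittorrent, traefik and upload) and to the `docker_compose_*_mask` variables in docker.yml, which would be `"0664"`/`"0775"`. Wherever these variables are consumed is outside the patch, so whether a consumer does its own string-to-int conversion cannot be checked from here.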
diff --git a/ansible/roles/base/tasks/user.yml b/ansible/roles/base/tasks/user.yml
index 120b1e0..aa4c2ad 100644
--- a/ansible/roles/base/tasks/user.yml
+++ b/ansible/roles/base/tasks/user.yml
@@ -1,15 +1,15 @@
 - name: Make me
 user:
- name: "{{ user }}"
- home: "{{ home }}"
- comment: "{{ name }}"
+ name: "{{ me.user }}"
+ home: "{{ me.home }}"
+ comment: "{{ me.name }}"
 shell: /bin/bash
 system: true
 become: true
 - name: Give user sudo access
 user:
- name: "{{ user }}"
+ name: "{{ me.user }}"
 groups: "{{ 'sudo' if ansible_os_family == 'Debian' else 'wheel' }}"
 append: true
 become: true
diff --git a/ansible/roles/docker_cleanup/tasks/main.yml b/ansible/roles/docker_cleanup/tasks/main.yml
index 581fb06..331ec8c 100644
--- a/ansible/roles/docker_cleanup/tasks/main.yml
+++ b/ansible/roles/docker_cleanup/tasks/main.yml
@@ -21,14 +21,14 @@
 - name: Add user to docker user group
 user:
- name: "{{ user }}"
+ name: "{{ me.user }}"
 groups: "{{ docker_user.name }}"
 append: true
 become: true
 - name: Add user to docker group
 user:
- name: "{{ user }}"
+ name: "{{ me.user }}"
 groups: docker
 append: true
 become: true
@@ -44,8 +44,8 @@
 copy:
 src: ./files/docker-utils
 dest: "{{ home }}"
- mode: 0755
- directory_mode: 0755
+ mode: "755"
+ directory_mode: "755"
 - name: override docker service for zfs dependencies
 include_tasks: zfs-override.yml
diff --git a/ansible/roles/fail2ban_ssh/tasks/main.yml b/ansible/roles/fail2ban_ssh/tasks/main.yml
index e8e9226..1163d77 100644
--- a/ansible/roles/fail2ban_ssh/tasks/main.yml
+++ b/ansible/roles/fail2ban_ssh/tasks/main.yml
@@ -1,7 +1,7 @@
 - name: Make user
 user:
 name: "{{ f2b_user }}"
- comment: "{{ name }}"
+ comment: "{{ me.user }}"
 shell: /home/{{ f2b_user }}/f2b-entrypoint.sh
 system: false
 become: true
@@ -22,7 +22,7 @@
 template:
 src: files/f2b-entrypoint.sh
 dest: /home/{{ f2b_user }}/f2b-entrypoint.sh
- mode: 0755
+ mode: "755"
 become: true
 register: sshd_config
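Review bot: `dest: "{{ home }}"` on the context line of the second docker_cleanup hunk still reads the top-level `home` variable, but this same patch deletes `ansible/group_vars/all/user.yml`, the only visible definition of `home`, and replaces it with `me.home`. Unless `home` is defined somewhere not shown here, the copy task now fails on an undefined variable at runtime, which the lint run would not catch; the line should become `dest: "{{ me.home }}"`. The same stale reference survives twice in `ansible/roles/gateway/tasks/wireguard.yml` (`path: "{{ home }}/wireguard-clients"` and the client-config `dest:`), and a repository grep for `{{ home }}` before merging would confirm there are no others.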
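Review bot: `comment: "{{ me.user }}"` in the first fail2ban_ssh hunk maps the old `{{ name }}` (the display name) onto the username, whereas `ansible/roles/base/tasks/user.yml` in this same patch maps `{{ name }}` to `{{ me.name }}`; the `user` module's `comment` is the account's GECOS/description field, so the two translations disagree. If the fail2ban account is still meant to carry the display name this should read `comment: "{{ me.name }}"`; if the change to the username is deliberate, a short comment on the line (`# GECOS intentionally set to the login name`) stops the next reader from reverting it.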
diff --git a/ansible/roles/forrest/files/prometheus/prometheus.yml b/ansible/roles/forrest/files/prometheus/prometheus.yml
index b74242a..9bc7b84 100644
--- a/ansible/roles/forrest/files/prometheus/prometheus.yml
+++ b/ansible/roles/forrest/files/prometheus/prometheus.yml
@@ -98,7 +98,7 @@ scrape_configs:
 module: [https_redir]
 static_configs:
 - targets:
- - http://{{ hosts.casey_ip }}
+ - http://{{ vps_hosts.casey_ip }}
 relabel_configs:
 - source_labels: [__address__]
 target_label: __param_target
diff --git a/ansible/roles/gateway/files/nginx-fail2ban-jail.conf b/ansible/roles/gateway/files/nginx-fail2ban-jail.conf
index d518fdd..523b7ae 100644
--- a/ansible/roles/gateway/files/nginx-fail2ban-jail.conf
+++ b/ansible/roles/gateway/files/nginx-fail2ban-jail.conf
@@ -6,9 +6,9 @@ maxretry = 100
 filter = nginx-tcp
 logpath = /var/log/nginx/ips.log
 port = http,https,8448
-ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ hosts.values()|sort|join(",") }}
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }}
 [traefik]
 enabled = true
 port = http,https,8448
-ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ hosts.values()|sort|join(",") }}
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }}
diff --git a/ansible/roles/gateway/tasks/wireguard.yml b/ansible/roles/gateway/tasks/wireguard.yml
index 5b15893..af94f43 100644
--- a/ansible/roles/gateway/tasks/wireguard.yml
+++ b/ansible/roles/gateway/tasks/wireguard.yml
@@ -32,16 +32,16 @@
 file:
 path: "{{ home }}/wireguard-clients"
 state: directory
- owner: "{{ user }}"
- mode: 0700
+ owner: "{{ me.user }}"
+ mode: "700"
 - name: Wireguard client configuration
 template:
 src: files/wireguard-client.conf
 dest: "{{ home }}/wireguard-clients/{{ item.key }}.conf"
- owner: "{{ user }}"
- mode: 0600
- loop: "{{ wireguard.clients|dict2items }}"
+ owner: "{{ me.user }}"
+ mode: "600"
+ loop: "{{ wireguard.clients | dict2items }}"
 loop_control:
 label: "{{ item.key }}"
diff --git a/ansible/roles/mastodon/tasks/main.yml b/ansible/roles/mastodon/tasks/main.yml
index ae0bd98..9a173a6 100644
--- a/ansible/roles/mastodon/tasks/main.yml
+++ b/ansible/roles/mastodon/tasks/main.yml
@@ -34,5 +34,5 @@
 minute: 0
 weekday: 1
 job: /opt/mastodon/purge-media.sh
- user: "{{ user }}"
+ user: "{{ me.user }}"
 become: true
diff --git a/ansible/roles/nebula/vars/main.yml b/ansible/roles/nebula/vars/main.yml
index 9e7c1b7..916d45b 100644
--- a/ansible/roles/nebula/vars/main.yml
+++ b/ansible/roles/nebula/vars/main.yml
@@ -1,4 +1,4 @@
-nebula_lighthouse_public_ip: "{{ hosts.casey_ip }}"
+nebula_lighthouse_public_ip: "{{ vps_hosts.casey_ip }}"
 nebula_lighthouse_ip: "{{ nebula.clients.casey.ip }}"
 nebula_lighthouse_port: 6328
diff --git a/ansible/roles/pihole/files/internal-alias.conf b/ansible/roles/pihole/files/internal-alias.conf
index 15c55d2..2cf7993 100644
--- a/ansible/roles/pihole/files/internal-alias.conf
+++ b/ansible/roles/pihole/files/internal-alias.conf
@@ -1 +1 @@
-alias={{ hosts.casey_ip }},{{ pve_hosts.ingress.external_ip }}
+alias={{ vps_hosts.casey_ip }},{{ pve_hosts.ingress.external_ip }}
diff --git a/ansible/roles/pihole/tasks/main.yml b/ansible/roles/pihole/tasks/main.yml
index e6153be..f2c8e74 100644
--- a/ansible/roles/pihole/tasks/main.yml
+++ b/ansible/roles/pihole/tasks/main.yml
@@ -5,7 +5,7 @@
 template:
 src: files/internal-alias.conf
 dest: /etc/dnsmasq.d/internal-alias.conf
- mode: 0644
+ mode: "644"
 notify: restart pihole FTL
 become: true
@@ -13,6 +13,6 @@
 template:
 src: files/setup-vars.conf
 dest: /etc/pihole/setupVars.conf
- mode: 0644
+ mode: "644"
 notify: restart pihole FTL
 become: true
diff --git a/ansible/roles/qbittorrent/tasks/qbittorrent.yml b/ansible/roles/qbittorrent/tasks/qbittorrent.yml
index 3e557f7..fefc05b 100644
--- a/ansible/roles/qbittorrent/tasks/qbittorrent.yml
+++ b/ansible/roles/qbittorrent/tasks/qbittorrent.yml
@@ -19,7 +19,7 @@
 - name: Set configuration
 ini_file:
 path: "{{ qbittorrent_user.home }}/.config/qBittorrent/qBittorrent.conf"
- mode: 0700
+ mode: "700"
 owner: "{{ qbittorrent_user.name }}"
 section: "{{ item.section }}"
 option: "{{ item.option }}"
diff --git a/ansible/roles/traefik/files/fail2ban/traefik-jail.conf b/ansible/roles/traefik/files/fail2ban/traefik-jail.conf
index 83118bc..66efcbf 100644
--- a/ansible/roles/traefik/files/fail2ban/traefik-jail.conf
+++ b/ansible/roles/traefik/files/fail2ban/traefik-jail.conf
@@ -6,5 +6,5 @@ maxretry = 5
 filter = traefik
 logpath = /tmp/traefik-logs/access.log
 port = http,https
-ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ hosts.values()|sort|join(",") }}
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }}
 action = gateway
diff --git a/ansible/roles/traefik/tasks/fail2ban.yml b/ansible/roles/traefik/tasks/fail2ban.yml
index 3a6b375..36ee69f 100644
--- a/ansible/roles/traefik/tasks/fail2ban.yml
+++ b/ansible/roles/traefik/tasks/fail2ban.yml
@@ -2,7 +2,7 @@
 template:
 src: files/fail2ban/traefik-jail.conf
 dest: /etc/fail2ban/jail.d/traefik.conf
- mode: 0644
+ mode: "644"
 become: true
 notify: restart fail2ban
@@ -10,7 +10,7 @@
 template:
 src: files/fail2ban/traefik-filter.conf
 dest: /etc/fail2ban/filter.d/traefik.conf
- mode: 0644
+ mode: "644"
 become: true
 notify: restart fail2ban
@@ -18,7 +18,7 @@
 template:
 src: files/fail2ban/remote-action.conf
 dest: /etc/fail2ban/action.d/gateway.conf
- mode: 0644
+ mode: "644"
 become: true
 notify: restart fail2ban
diff --git a/ansible/roles/upload/tasks/main.yml b/ansible/roles/upload/tasks/main.yml
index e67debd..873ea7c 100644
--- a/ansible/roles/upload/tasks/main.yml
+++ b/ansible/roles/upload/tasks/main.yml
@@ -24,7 +24,7 @@
 path: /opt/upload/htpasswd.txt
 name: jake
 password: "{{ superuser_upload_password }}"
- mode: 0640
+ mode: "640"
 owner: "{{ docker_user.name }}"
 become: true
@@ -33,5 +33,5 @@
 path: /opt/upload/htpasswd.txt
 name: nextcloud
 password: "{{ nextcloud_upload_password }}"
- mode: 0640
+ mode: "640"
 become: true
diff --git a/ansible/roles/zfs/tasks/main.yml b/ansible/roles/zfs/tasks/main.yml
index 334724f..2bd7f4e 100644
--- a/ansible/roles/zfs/tasks/main.yml
+++ b/ansible/roles/zfs/tasks/main.yml
@@ -18,7 +18,7 @@
 - name: Give user passwordless access to ZFS commands
 lineinfile:
 path: /etc/sudoers
- line: "{{ user }} ALL=(ALL) NOPASSWD: /usr/sbin/zfs,/usr/sbin/zpool"
+ line: "{{ me.user }} ALL=(ALL) NOPASSWD: /usr/sbin/zfs,/usr/sbin/zpool"
 become: true
 - name: Sanoid
diff --git a/terraform/context.tf b/terraform/context.tf
index 808a6f3..75993d1 100644
--- a/terraform/context.tf
+++ b/terraform/context.tf
@@ -1,10 +1,10 @@
 resource "local_file" "hosts" {
 content = yamlencode({
- hosts : {
+ vps_hosts : {
 casey_ip : linode_instance.casey.ip_address,
 walker_ip : vultr_instance.walker.main_ip,
 grimes_ip : vultr_instance.grimes.main_ip,
 }
 })
- filename = "${path.module}/../ansible/group_vars/all/hosts.yml"
+ filename = "${path.module}/../ansible/group_vars/all/vps-hosts.yml"
 }
diff --git a/yamllint.yml b/yamllint.yml
index 2dd2400..ff893fd 100644
--- a/yamllint.yml
+++ b/yamllint.yml
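Review bot: The rewritten `line:` in the zfs hunk is written straight into `/etc/sudoers` by `lineinfile` with no `validate:`, so a bad render of the line (an empty `me.user`, a stray character) installs a syntactically broken sudoers and locks sudo out on that host; the ssh.yml hunk in this same patch already uses the pattern, so adding `validate: /usr/sbin/visudo -cf %s` next to `path:` keeps the two tasks consistent and makes Ansible reject the edit before it lands. Note also that the line is keyed by its full content, so the rename from `{{ user }}` to `{{ me.user }}` does not remove any previously installed entry; if the rendered username changed, the old line is left in place, which a `regexp: '^{{ me.user }} '` on the task would avoid. A `/etc/sudoers.d/` drop-in with `mode: "0440"` would isolate this further, but that is a larger change than the rename.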
@@ -3,7 +3,7 @@ extends: default
 ignore: |
 ansible/galaxy_roles
 ansible/galaxy_collections
- ansible/group_vars/all/hosts.yml
+ ansible/group_vars/all/vps-hosts.yml
 ansible/roles/traefik/files/traefik.yml
 ansible/roles/nebula/files/nebula.yml