diff --git a/ansible/.ansible-lint b/ansible/.ansible-lint
new file mode 100644
index 0000000..b89a374
--- /dev/null
+++ b/ansible/.ansible-lint
@@ -0,0 +1 @@
+profile: production
diff --git a/ansible/lint.sh b/ansible/lint.sh
new file mode 100755
index 0000000..ba8e687
--- /dev/null
+++ b/ansible/lint.sh
@@ -0,0 +1 @@
+ansible-lint roles/*/tasks/main.yml tasks/*.yml
diff --git a/ansible/roles/auth-server/tasks/keycloak.yml b/ansible/roles/auth-server/tasks/keycloak.yml
index 07e127a..20cc722 100644
--- a/ansible/roles/auth-server/tasks/keycloak.yml
+++ b/ansible/roles/auth-server/tasks/keycloak.yml
@@ -7,7 +7,7 @@
 - keycloak.db.password is defined
 - name: Create PostgreSQL database
- ansible.builtin.include_tasks: create_postgres_db.yml
+ ansible.builtin.include_tasks: tasks/create_postgres_db.yml
 vars:
 user: "{{ keycloak.db.user }}"
 database: "{{ keycloak.db.database }}"
@@ -29,6 +29,7 @@
 ansible.builtin.file:
 state: directory
 path: "{{ item }}"
+ mode: "755"
 with_items:
 - "{{ keycloak.datadir }}/keystore/"
@@ -36,6 +37,7 @@
 ansible.builtin.template:
 src: units/sso-keycloak.container.j2
 dest: ~/.config/containers/systemd/sso-keycloak.container
+ mode: "644"
 become: true
 become_user: "{{ keycloak.podman.user }}"
@@ -55,7 +57,7 @@
 keycloak-db-user: "{{ keycloak.db.user }}"
 keycloak-db-password: "{{ keycloak.db.password }}"
 with_dict: "{{ secrets }}"
- no_log: true # Secret values
+ no_log: true
 become: true
 become_user: "{{ keycloak.podman.user }}"
@@ -71,7 +73,7 @@
 become_user: "{{ keycloak.podman.user }}"
 - name: Set up reverse proxy
- ansible.builtin.include_tasks: create_vhost.yml
+ ansible.builtin.include_tasks: tasks/create_vhost.yml
 vars:
 external_url: "{{ keycloak.reverse_proxy.external_url }}"
 proxy_url: "{{ keycloak.reverse_proxy.proxy_url }}"
diff --git a/ansible/roles/auth-server/tasks/ldap.yml b/ansible/roles/auth-server/tasks/ldap.yml
index 2937a58..1bb7e9f 100644
--- a/ansible/roles/auth-server/tasks/ldap.yml
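Review bot: The glob arguments in lint.sh only resolve when the script is run from the `ansible/` directory, and the single-line file has no shebang although it is committed with mode 100755, so invoking `./ansible/lint.sh` from the repository root either fails to exec or hands ansible-lint literal unmatched patterns. Add `#!/bin/sh` and `cd "$(dirname "$0")" || exit 1` as the first two lines so the globs are relative to the script's own directory. The pattern set also covers only each role's `tasks/main.yml`; the task files those roles include (`ldap.yml`, `keycloak.yml` in this diff) are linted only if ansible-lint follows the `include_tasks` references, which is worth confirming before relying on this script in CI.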
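Review bot: `mode: "755"` on the `{{ keycloak.datadir }}/keystore/` directory in the `-29,6 +29,7` hunk makes it traversable by every local account; the name suggests it holds key material, and a world-traversable parent weakens whatever permissions the files inside end up with. Unless other users need to enter the directory, `mode: "700"` (or `"750"` if a shared group reads it) satisfies the lint rule with a safer default. The task's ownership (`become`/`become_user`, if any) lies outside the hunk, so who owns the created directory cannot be confirmed here.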
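Review bot: Dropping the `# Secret values` comment from `no_log: true` in the `-55,7 +57,7` hunk removes the only explanation of why this task's output is suppressed, which a later maintainer may otherwise disable while debugging a failing secret and leak `keycloak-db-password` into the log. If the comment was removed only to satisfy the comment-spacing lint rule, keep it with two spaces before the hash: `no_log: true  # Secret values`.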
+++ b/ansible/roles/auth-server/tasks/ldap.yml
@@ -17,4 +17,4 @@
 ansible.builtin.service:
 name: slapd.service
 enabled: true
- state: started
\ No newline at end of file
+ state: started
diff --git a/ansible/roles/auth-server/tasks/main.yml b/ansible/roles/auth-server/tasks/main.yml
index f679f30..4527de5 100644
--- a/ansible/roles/auth-server/tasks/main.yml
+++ b/ansible/roles/auth-server/tasks/main.yml
@@ -1,9 +1,9 @@
 ---
 - name: Set up OpenLDAP
- include_tasks: ldap.yml
+ ansible.builtin.include_tasks: ldap.yml
 - name: Set up Keycloak
- include_tasks: keycloak.yml
+ ansible.builtin.include_tasks: keycloak.yml
 vars:
 keycloak: "{{ keycloak_config }}"
diff --git a/ansible/roles/common/tasks/firewall.yml b/ansible/roles/common/tasks/firewall.yml
index 36d86bf..59595de 100644
--- a/ansible/roles/common/tasks/firewall.yml
+++ b/ansible/roles/common/tasks/firewall.yml
@@ -14,12 +14,14 @@
 src: nftables.service
 dest: /etc/systemd/system/nftables.service
 state: present
+ mode: "644"
 when: ansible_facts.services['nftables.service'] is not defined
 - name: Add config file
 ansible.builtin.template:
 src: nftables.conf.j2
 dest: "{{ nftables_main_file[ansible_os_family] | default('/etc/nftables.conf') }}"
+ mode: "644"
 vars:
 nftables_main_file:
 Debian: /etc/nftables.conf
@@ -29,6 +31,7 @@
 ansible.builtin.file:
 name: "{{ item }}"
 state: directory
+ mode: "755"
 with_items:
 - /etc/nftables/input.d
 - /etc/nftables/forward.d
diff --git a/ansible/roles/container-user/tasks/main.yml b/ansible/roles/container-user/tasks/main.yml
index 5917c47..a9207a3 100644
--- a/ansible/roles/container-user/tasks/main.yml
+++ b/ansible/roles/container-user/tasks/main.yml
@@ -20,7 +20,7 @@
 ansible.posix.authorized_key:
 user: "{{ user }}"
 key: "{{ lookup('file', '../../access/keys/' + item + '.pub') }}"
- state: present # Note: we don't remove other/existing keys
+ state: present # Note: we don't remove other/existing keys
 with_items: "{{ global_ssh_keys + (ssh_keys[user] | default([])) + (ssh_keys['*'] | default([])) }}"
@@ -28,10 +28,12 @@
 ansible.builtin.file:
 path: ~/.config/containers/systemd
 state: directory
+ mode: "755"
 become: true
 become_user: "{{ user }}"
-# Note: We check whether lingering is already enabled so we show as OK/skipped instead of changed
+# Note: We check whether lingering is already enabled
+# so we don't execute the command if not needed
 - name: Check if user is lingering
 ansible.builtin.stat:
 path: "/var/lib/systemd/linger/{{ user }}"
@@ -41,3 +43,4 @@
 ansible.builtin.command: "loginctl enable-linger {{ user }}"
 when:
 - not user_lingering.stat.exists
+ changed_when: not user_lingering.stat.exists
diff --git a/ansible/roles/reverse-proxy/tasks/main.yml b/ansible/roles/reverse-proxy/tasks/main.yml
index a0a0ba9..acecfc3 100644
--- a/ansible/roles/reverse-proxy/tasks/main.yml
+++ b/ansible/roles/reverse-proxy/tasks/main.yml
@@ -9,11 +9,13 @@
 ansible.builtin.copy:
 src: Caddyfile
 dest: /etc/caddy/Caddyfile
+ mode: "644"
 - name: Create site config directories
 ansible.builtin.file:
 path: "{{ item }}"
 state: directory
+ mode: "755"
 with_items:
 - /etc/caddy/sites-available
 - /etc/caddy/sites-enabled
@@ -25,6 +27,7 @@
 state: directory
 owner: caddy
 group: caddy
+ mode: "755"
 with_items:
 - /var/log/caddy
@@ -38,5 +41,6 @@
 ansible.builtin.copy:
 dest: /etc/nftables/input.d/caddy.nft
 src: caddy.nft
+ mode: "644"
 when: firewall is defined
 notify: Restart nftables
diff --git a/ansible/tasks/create_vhost.yml b/ansible/tasks/create_vhost.yml
index 46f6688..1e80f6f 100644
--- a/ansible/tasks/create_vhost.yml
+++ b/ansible/tasks/create_vhost.yml
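Review bot: The added `changed_when: not user_lingering.stat.exists` in the `-41,3 +43,4` hunk repeats the task's own `when` condition, so whenever the command actually runs the expression is already true and `changed_when: true` says the same thing without hiding that the result is a constant. Alternatively, `ansible.builtin.command` accepts `creates: "/var/lib/systemd/linger/{{ user }}"`, which makes the task idempotent and reports skipped/changed on its own, so the preceding stat task and both conditions could go; that stat task starts outside this hunk. Either form works; the current one just obscures the intent.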
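Review bot: `mode: "755"` on `/var/log/caddy` in the `-25,6 +27,7` hunk lets any local user list and enter the log directory; access logs commonly record request paths and query strings, which can carry tokens or session identifiers, so the directory is usually restricted to the service account. Since the task already sets `owner: caddy` and `group: caddy`, `mode: "750"` (or `"700"`) keeps Caddy's own access intact while closing the directory to other users. The log files Caddy creates carry their own mode, so this setting governs only listing and traversal of the directory.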
@@ -8,13 +8,14 @@
 - tls.type is not defined or (tls.type in ['auto', 'internal', 'cloudflare', 'file'] )
 - name: Set up Caddy
- ansible.builtin.include_role:
+ ansible.builtin.include_role:
 name: reverse-proxy
 - name: Template vhost file
 ansible.builtin.template:
 src: "{{ template_file | default('vhost.caddy.j2') }}"
 dest: "/etc/caddy/sites-available/{{ app_name }}.caddy"
+ mode: "644"
 - name: Symlink vhost
 ansible.builtin.file:
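Review bot: The vhost file under `/etc/caddy/sites-available` is now written world-readable with `mode: "644"`, while the `when` condition in the same hunk accepts `tls.type` values `cloudflare` and `file`, variants that may template an API token or key path into the rendered Caddyfile snippet. If `vhost.caddy.j2` (not part of this diff) can embed a credential, `mode: "640"` together with `group: caddy`, the group the reverse-proxy role already uses for its log directory, keeps the file readable by the server without exposing it to every local account. The `include_role` change above appears to strip only trailing whitespace; the `Symlink vhost` task continues past the end of the hunk.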