diff --git a/.ansible-lint b/.ansible-lint
index ad32a73..6e03ce5 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -1,5 +1,6 @@
 ---
 warn_list:
   - role-name
+  - name[play]
   - name[casing]
-  - '503'
+  - no-handler
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b7d526c..1f7278a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -23,7 +23,9 @@ jobs:
           python-version: '3.x'
 
       - name: Install test dependencies
-        run: pip install ansible-lint[community,yamllint]
+        run: |
+          pip install ansible-lint
+          ansible-galaxy install -r requirements.yml
 
       - name: Lint code
         run: |
@@ -43,11 +45,8 @@ jobs:
       matrix:
         include:
           - distro: debian8
-            ansible-version: '<2.10'
           - distro: debian9
           - distro: debian10
-          - distro: ubuntu1604
-            ansible-version: '>=2.9, <2.10'
           - distro: ubuntu1604
             ansible-version: '>=2.10, <2.11'
           - distro: ubuntu1604
@@ -73,7 +72,7 @@ jobs:
           molecule test
         env:
           ANSIBLE_FORCE_COLOR: '1'
-          ANSIBLE_VERBOSITY: '3'
+          ANSIBLE_VERBOSITY: '2'
           MOLECULE_DEBUG: '1'
           MOLECULE_DISTRO: "${{ matrix.distro }}"
           PY_COLORS: '1'
diff --git a/Dockerfile b/Dockerfile
index b179278..6ebe0c4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,17 +1,20 @@
-FROM ubuntu:16.04
+FROM ubuntu:18.04
 MAINTAINER Mischa ter Smitten
 
+ENV LANG C.UTF-8
+ENV LC_ALL C.UTF-8
+
 # python
 RUN apt-get update && \
-  DEBIAN_FRONTEND=noninteractive apt-get install -y python-minimal python-dev curl && \
+  DEBIAN_FRONTEND=noninteractive apt-get install -y python3-minimal python3-dev curl && \
   apt-get clean
-RUN curl -sL https://bootstrap.pypa.io/pip/2.7/get-pip.py | python -
+RUN curl -sL https://bootstrap.pypa.io/pip/3.6/get-pip.py | python3 -
 RUN rm -rf $HOME/.cache
 
 # ansible
-RUN DEBIAN_FRONTEND=noninteractive apt-get install -y gcc libffi-dev libssl-dev && \
+RUN DEBIAN_FRONTEND=noninteractive apt-get install -y python3-apt && \
   apt-get clean
-RUN pip install ansible==2.9.15
+RUN pip3 install ansible==2.10.7
 RUN rm -rf $HOME/.cache
 
 # provision
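Review bot: Both commands in the new `run: |` step resolve to whatever is newest at run time: `pip install ansible-lint` carries no version (the line it replaces did not either), and `requirements.yml`, added later in this same diff, lists community.general and ansible.posix with no `version:` field, while molecule/default/collections.yml does pin both collections. That makes the lint job non-reproducible and means a freshly published lint release or collection is executed on the runner without anyone having looked at it. Pin both, e.g. `pip install 'ansible-lint==<PINNED_VERSION>'` (placeholder) and a `version:` per collection in requirements.yml matching the ranges already used in collections.yml.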
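Review bot: `curl -sL https://bootstrap.pypa.io/pip/3.6/get-pip.py | python3 -` still executes an unverified remote script as root at build time; the commit only moves it from the 2.7 to the 3.6 bootstrap URL, so the image's pip is whatever that URL serves on the day of the build. On the new `ubuntu:18.04` base the distro package does the same job and is verified by apt against the archive signing key, so `apt-get install -y python3-pip` in the existing apt step would drop the curl pipe entirely; if get-pip.py must stay, fetch it to a file with `curl -fsSL`, compare it against a recorded sha256 and only then run it. Note also that `pip3 install ansible==2.10.7` pins the version but not the package hash, so a `--require-hashes` constraints file would close the same gap for the Ansible install.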
diff --git a/handlers/main.yml b/handlers/main.yml
index 6ed70a2..a792e1b 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,5 +1,5 @@
 # handlers file
 ---
 - name: reload ufw
-  ufw:
+  community.general.ufw:
     state: reloaded
diff --git a/meta/main.yml b/meta/main.yml
index fa5a4de..6381dbf 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -7,7 +7,7 @@ galaxy_info:
   company: Oefenweb.nl B.V.
   description: Set up ufw in Debian-like systems
   license: MIT
-  min_ansible_version: 2.9.0
+  min_ansible_version: 2.10.0
   platforms:
     - name: Ubuntu
       versions:
diff --git a/molecule/default/collections.yml b/molecule/default/collections.yml
new file mode 100644
index 0000000..c3d7e2a
--- /dev/null
+++ b/molecule/default/collections.yml
@@ -0,0 +1,6 @@
+---
+collections:
+  - name: community.docker
+    version: '>=1.2.0,<2'
+  - name: community.general
+    version: '>=2,<3'
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
index 73043c4..8596f09 100644
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -4,6 +4,6 @@
   become: true
   pre_tasks:
     - name: include vars
-      include_vars: "{{ playbook_dir }}/../../tests/vars/main.yml"
+      ansible.builtin.include_vars: "{{ playbook_dir }}/../../tests/vars/main.yml"
   roles:
     - ../../../
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
index 1bebe43..8841165 100644
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -8,11 +8,11 @@ platforms:
     image: "geerlingguy/docker-${MOLECULE_DISTRO:-ubuntu1604}-ansible:latest"
     command: ${MOLECULE_DOCKER_COMMAND:-""}
     volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+      - /var/lib/containerd
+    cgroupns_mode: host
     privileged: true
     pre_build_image: true
-    capabilities:
-      - NET_ADMIN
 provisioner:
   name: ansible
   playbooks:
diff --git a/requirements.yml b/requirements.yml
new file mode 100644
index 0000000..2c8b79d
--- /dev/null
+++ b/requirements.yml
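Review bot: The host cgroup tree is now mounted writable (`/sys/fs/cgroup:/sys/fs/cgroup:rw`) and combined with `cgroupns_mode: host` on a platform that is already `privileged: true`, so the test container can modify the host's cgroup hierarchy and resource limits rather than just read them; that is tolerable on a disposable CI runner but not on a developer workstation, and nothing in the file says why it is needed. A comment on the volume line would make the trade-off explicit, e.g. `# rw cgroup mount + host cgroupns: needed for the systemd-based test image; container is privileged, run only on throwaway hosts`. Dropping `capabilities: - NET_ADMIN` changes nothing today because `privileged: true` already grants every capability, but if privileged mode is ever removed the ufw/iptables calls in the role will fail until NET_ADMIN is added back, so that dependency deserves a comment too.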
@@ -0,0 +1,5 @@
+# requirements file
+---
+collections:
+  - name: community.general
+  - name: ansible.posix
diff --git a/tasks/configure.yml b/tasks/configure.yml
index 4a26c62..ce203ac 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -1,7 +1,7 @@
 # tasks file
 ---
 - name: configure | create (local facts) directory
-  file:
+  ansible.builtin.file:
     path: /etc/ansible/facts.d/
     state: directory
     owner: root
@@ -11,7 +11,7 @@
     - ufw-configure-facts
 
 - name: configure | update configuration file(s)
-  template:
+  ansible.builtin.template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
     owner: root
@@ -27,14 +27,14 @@
     - ufw-configure-facts
 
 - name: configure | reset
-  ufw:
+  community.general.ufw:
     state: reset
   when: configuration is changed
   tags:
     - ufw-configure-reset
 
 - name: configure | default (incoming) policy
-  ufw:
+  community.general.ufw:
     policy: "{{ ufw_default_incoming_policy }}"
     direction: incoming
   notify: reload ufw
@@ -43,7 +43,7 @@
     - ufw-configure-default-policy-incoming
 
 - name: configure | default (outgoing) policy
-  ufw:
+  community.general.ufw:
     policy: "{{ ufw_default_outgoing_policy }}"
     direction: outgoing
   notify: reload ufw
@@ -52,7 +52,7 @@
     - ufw-configure-default-policy-outgoing
 
 - name: configure | rules
-  ufw:
+  community.general.ufw:
     rule: "{{ item.rule }}"
     interface: "{{ item.interface | default('') }}"
     direction: "{{ item.direction | default('in') }}"
@@ -70,7 +70,7 @@
     - ufw-configure-rules
 
 - name: configure | logging
-  ufw:
+  community.general.ufw:
     logging: "{{ ufw_logging }}"
   notify: reload ufw
   tags:
diff --git a/tasks/fix-dropped-ssh-sessions.yml b/tasks/fix-dropped-ssh-sessions.yml
index df773f6..71c7f72 100644
--- a/tasks/fix-dropped-ssh-sessions.yml
+++ b/tasks/fix-dropped-ssh-sessions.yml
@@ -1,12 +1,12 @@
 # tasks file
 ---
 - name: check if conntrack exists
-  stat:
+  ansible.builtin.stat:
     path: /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal
   register: _nf_conntrack_tcp_be_liberal
 
 - name: fix dropped ssh sessions | configure kernel
-  sysctl:
+  ansible.posix.sysctl:
     name: net.netfilter.nf_conntrack_tcp_be_liberal
     value: '1'
     state: present
diff --git a/tasks/install.yml b/tasks/install.yml
index a45c140..e321c34 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -1,7 +1,7 @@
 # tasks file
 ---
 - name: install | dependencies
-  apt:
+  ansible.builtin.apt:
     name: "{{ ufw_dependencies }}"
     state: "{{ apt_install_state | default('latest') }}"
     update_cache: true
diff --git a/tasks/main.yml b/tasks/main.yml
index 21bfd3a..8f642f0 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,7 +1,7 @@
 # tasks file
 ---
 - name: facts | set
-  set_fact:
+  ansible.builtin.set_fact:
     kernel_version: "{{ ansible_kernel | regex_search('^([0-9]+\\.[0-9]+\\.[0-9]+)') }}"
   tags:
     - configuration
@@ -9,7 +9,8 @@
     - ufw-facts
 
 # see https://askubuntu.com/a/1064533/261010, https://www.spinics.net/lists/netfilter-devel/msg55682.html
-- include: fix-dropped-ssh-sessions.yml
+- name: fix dropped ssh sessions
+  ansible.builtin.import_tasks: fix-dropped-ssh-sessions.yml
   when:
     - kernel_version is version('4.14', '>=')
     - kernel_version is version('5', '<')
@@ -18,20 +19,22 @@
     - ufw
     - ufw-fix-dropped-ssh-sessions
 
-- include: install.yml
+- name: install
+  ansible.builtin.import_tasks: install.yml
   tags:
     - configuration
     - ufw
     - ufw-install
 
-- include: configure.yml
+- name: configure
+  ansible.builtin.import_tasks: configure.yml
   tags:
     - configuration
     - ufw
     - ufw-configure
 
 - name: start and enable service
-  ufw:
+  community.general.ufw:
     state: enabled
   tags:
     - configuration
diff --git a/templates/etc/default/ufw.j2 b/templates/etc/default/ufw.j2
index 4b00d50..99d1fe8 100644
--- a/templates/etc/default/ufw.j2
+++ b/templates/etc/default/ufw.j2
@@ -1,4 +1,4 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 # /etc/default/ufw
 #
diff --git a/tests/test.yml b/tests/test.yml
index c2fbb9f..8d7cd5f 100644
--- a/tests/test.yml
+++ b/tests/test.yml
@@ -5,6 +5,6 @@
   become: true
   pre_tasks:
     - name: include vars
-      include_vars: "{{ playbook_dir }}/vars/main.yml"
+      ansible.builtin.include_vars: "{{ playbook_dir }}/vars/main.yml"
   roles:
     - ../../