From a94c94018c893dd64e59adc98b2881db605def80 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Tue, 1 Jan 2019 20:02:50 +0100 Subject: [PATCH] normalize some arguments positions --- evolinux-base/tasks/ssh.yml | 4 ++-- minifirewall/tasks/config.yml | 26 +++++++++++++------------- munin/tasks/main.yml | 1 + rbenv/tasks/main.yml | 2 +- 4 files changed, 17 insertions(+), 16 deletions(-) diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml index 225add01..fd93c4e0 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.yml @@ -16,12 +16,12 @@ - name: "Security directives for Evolinux (Debian 10 or later)" blockinfile: dest: /etc/ssh/sshd_config + marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS" block: | Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }} PasswordAuthentication yes Match Group evolix PasswordAuthentication no - marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS" insertafter: EOF validate: '/usr/sbin/sshd -T -f %s' notify: reload sshd @@ -32,10 +32,10 @@ - name: Security directives for Evolinux (Jessie/Stretch) blockinfile: dest: /etc/ssh/sshd_config + marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" block: | Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }} PasswordAuthentication yes - marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" insertafter: EOF validate: '/usr/sbin/sshd -T -f %s' notify: reload sshd diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index bd71cb48..13cb6145 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml @@ -26,9 +26,9 @@ - name: Begin marker for IP addresses lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS" insertbefore: '^# Main interface' + create: no - name: End marker for IP addresses lineinfile: 
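Review bot: In the Debian 10 task, the `block:` content puts `Match Address … PasswordAuthentication yes` before `Match Group evolix … PasswordAuthentication no`, and sshd_config(5) applies only the first instance of a keyword across satisfied `Match` blocks. A member of `evolix` connecting from a listed address would therefore still be offered password authentication. If the group rule is meant to hold whatever the source address, the two stanzas need to be swapped. If the current precedence is intended, record it above the task with a comment such as `# Match order matters: listed addresses keep password auth, including for group evolix`. The task continues past the end of the hunk, so any `when:` guard is not visible here.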
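Review bot: The Jessie/Stretch task manages its block under `# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS`, while the Debian 10 task in the previous hunk uses `# {mark} EVOLINUX PASSWORD RESTRICTIONS`. A host upgraded from Stretch to Debian 10 would therefore keep the older block in `/etc/ssh/sshd_config` unless something outside this hunk removes it. That leftover `Match Address` stanza would stop following changes to `evolinux_ssh_password_auth_addresses`, leaving a stale allow-list for password logins. A comment on this task such as `# marker differs from the Debian 10 task on purpose; the old block must be removed on upgrade` would make that visible, ideally alongside a cleanup task for the old marker on the Debian 10 path.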
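Review bot: Since this commit is normalizing the tasks, the moved `create: no` lines could also take the canonical boolean, `create: false`. `no` is a boolean only under YAML 1.1 rules, and yamllint's `truthy` rule flags it by default. The same applies to every `create: no` re-added in the later hunks of this file. The `End marker for IP addresses` task at the bottom of this hunk continues outside it.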
@@ -47,7 +47,6 @@ - name: Configure IP addresses blockinfile: dest: "{{ minifirewall_main_file }}" - create: no marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS" content: | # Main interface @@ -66,26 +65,26 @@ # Privilegied IPv4 addresses for semi-public services # (no need to add again TRUSTEDIPS) PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}' + create: no register: minifirewall_config_ips - name: Begin marker for ports lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS" insertbefore: '^# Protected services' + create: no - name: End marker for ports lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "# END ANSIBLE MANAGED BLOCK FOR PORTS" insertafter: '^SERVICESUDP3=' + create: no - name: Configure ports blockinfile: dest: "{{ minifirewall_main_file }}" - create: no marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS" content: | # Protected services 
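Review bot: The `PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}'` line interpolates list items straight into a single-quoted assignment, so an item containing `'` would close the quoting and change how the rest of the line is read. The `SERVICESTCP3`/`SERVICESUDP3` lines in the next hunk follow the same pattern. The file looks like shell-style configuration, presumably read by the firewall script with root privileges, which is worth confirming. An `assert` task ahead of the `blockinfile` that rejects items with quote characters would fail the play before anything is written. The `content:` block begins in the previous hunk, so only part of the task is visible here.

```yaml
# … unchanged: begin/end marker tasks for IP addresses …
- name: Check that privileged addresses contain no quote characters
  assert:
    that:
      - minifirewall_privilegied_ips | select('search', "'") | list | length == 0
    msg: "minifirewall_privilegied_ips must not contain quote characters"

- name: Configure IP addresses
  blockinfile:
    # … unchanged: dest, marker, content, create …
```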
@@ -104,70 +103,71 @@ # Private services (IPv4) SERVICESTCP3='{{ minifirewall_private_ports_tcp | join(' ') }}' SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}' + create: no register: minifirewall_config_ports - name: Configure DNSSERVEURS lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "DNSSERVEURS='{{ minifirewall_dns_servers | join(' ') }}'" regexp: "DNSSERVEURS='.*'" + create: no when: minifirewall_dns_servers is not none - name: Configure HTTPSITES lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'" regexp: "HTTPSITES='.*'" + create: no when: minifirewall_http_sites is not none - name: Configure HTTPSSITES lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "HTTPSSITES='{{ minifirewall_https_sites | join(' ') }}'" regexp: "HTTPSSITES='.*'" + create: no when: minifirewall_https_sites is not none - name: Configure FTPSITES lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "FTPSITES='{{ minifirewall_ftp_sites | join(' ') }}'" regexp: "FTPSITES='.*'" + create: no when: minifirewall_ftp_sites is not none - name: Configure SSHOK lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "SSHOK='{{ minifirewall_ssh_ok | join(' ') }}'" regexp: "SSHOK='.*'" + create: no when: minifirewall_ssh_ok is not none - name: Configure SMTPOK lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "SMTPOK='{{ minifirewall_smtp_ok | join(' ') }}'" regexp: "SMTPOK='.*'" + create: no when: minifirewall_smtp_ok is not none - name: Configure SMTPSECUREOK lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "SMTPSECUREOK='{{ minifirewall_smtp_secure_ok | join(' ') }}'" regexp: "SMTPSECUREOK='.*'" + create: no when: minifirewall_smtp_secure_ok is not none - name: Configure NTPOK lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "NTPOK='{{ minifirewall_ntp_ok | join(' ') }}'" regexp: "NTPOK='.*'" 
+ create: no when: minifirewall_ntp_ok is not none - name: evomaintenance diff --git a/munin/tasks/main.yml b/munin/tasks/main.yml index f08f2005..2219cf17 100644 --- a/munin/tasks/main.yml +++ b/munin/tasks/main.yml @@ -77,6 +77,7 @@ - name: adjustments for grsec kernel blockinfile: dest: /etc/munin/plugin-conf.d/munin-node + marker: "# {mark} GRSECURITY CUSTOMIZATIONS" block: | [processes] diff --git a/rbenv/tasks/main.yml b/rbenv/tasks/main.yml index 693ff0f6..47e1f0cc 100644 --- a/rbenv/tasks/main.yml +++ b/rbenv/tasks/main.yml @@ -78,10 +78,10 @@ - name: "Rbenv is initialized in profile for {{ username }}" blockinfile: dest: '~{{ username }}/.profile' + marker: "# {mark} ANSIBLE MANAGED RBENV INIT" block: | export PATH="{{ rbenv_root }}/bin:$PATH" eval "$(rbenv init -)" - marker: "# {mark} ANSIBLE MANAGED RBENV INIT" become_user: "{{ username }}" become: yes tags:
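Review bot: The `regexp` patterns in these `lineinfile` tasks are unanchored, e.g. `regexp: "DNSSERVEURS='.*'"`, so they also match a commented-out or indented copy of the assignment, and `lineinfile` rewrites the last line that matches. Anchoring them keeps each task bound to the live setting in the firewall configuration: `regexp: "^DNSSERVEURS='.*'"`, and likewise for `HTTPSITES`, `HTTPSSITES`, `FTPSITES`, `SSHOK`, `SMTPOK`, `SMTPSECUREOK` and `NTPOK`. The `Configure ports` task at the top of the hunk starts outside it and is not covered by this remark.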
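Review bot: The `marker: "# {mark} GRSECURITY CUSTOMIZATIONS"` line is added with no matching removal, so unlike the other hunks this one changes behaviour rather than argument order. As far as the hunk shows, the task previously ran with the module's default marker. On hosts already configured, `blockinfile` would not recognise the existing block under the new marker and would insert a second `[processes]` section into `/etc/munin/plugin-conf.d/munin-node`. Either keep the default marker or add a cleanup step for the old block, and mention the change in the commit message. The task body continues past the end of the hunk; if a `marker` already exists further down, the key would now be duplicated.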