diff --git a/.drone.jsonnet b/.drone.jsonnet
deleted file mode 100644
index a4051ea..0000000
--- a/.drone.jsonnet
+++ /dev/null
@@ -1,161 +0,0 @@
-local PipelineLinting = {
- kind: 'pipeline',
- name: 'linting',
- platform: {
- os: 'linux',
- arch: 'amd64',
- },
- steps: [
- {
- name: 'ansible-later',
- image: 'thegeeklab/ansible-later',
- commands: [
- 'ansible-later',
- ],
- },
- {
- name: 'python-format',
- image: 'python:3.11',
- environment: {
- PY_COLORS: 1,
- },
- commands: [
- 'pip install -qq yapf',
- '[ -z "$(find . -type f -name *.py)" ] || (yapf -rd ./)',
- ],
- },
- {
- name: 'python-flake8',
- image: 'python:3.11',
- environment: {
- PY_COLORS: 1,
- },
- commands: [
- 'pip install -qq flake8',
- 'flake8',
- ],
- },
- ],
- trigger: {
- ref: ['refs/heads/main', 'refs/tags/**', 'refs/pull/**'],
- },
-};
-
-local PipelineDeployment(scenario='centos7') = {
- kind: 'pipeline',
- name: 'testing-' + scenario,
- platform: {
- os: 'linux',
- arch: 'amd64',
- },
- concurrency: {
- limit: 1,
- },
- workspace: {
- base: '/drone/src',
- path: '${DRONE_REPO_NAME}',
- },
- steps: [
- {
- name: 'ansible-molecule',
- image: 'thegeeklab/molecule:4',
- environment: {
- HCLOUD_TOKEN: { from_secret: 'hcloud_token' },
- },
- commands: [
- 'molecule test -s ' + scenario,
- ],
- },
- ],
- depends_on: [
- 'linting',
- ],
- trigger: {
- ref: ['refs/heads/main', 'refs/tags/**', 'refs/pull/**'],
- },
-};
-
-local PipelineDocumentation = {
- kind: 'pipeline',
- name: 'documentation',
- platform: {
- os: 'linux',
- arch: 'amd64',
- },
- steps: [
- {
- name: 'generate',
- image: 'thegeeklab/ansible-doctor',
- environment: {
- ANSIBLE_DOCTOR_LOG_LEVEL: 'INFO',
- ANSIBLE_DOCTOR_FORCE_OVERWRITE: true,
- ANSIBLE_DOCTOR_EXCLUDE_FILES: 'molecule/',
- ANSIBLE_DOCTOR_TEMPLATE: 'hugo-book',
- ANSIBLE_DOCTOR_ROLE_NAME: '${DRONE_REPO_NAME#*.}',
- ANSIBLE_DOCTOR_OUTPUT_DIR: '_docs/',
- },
- },
- {
- name: 'publish',
- image: 'plugins/gh-pages',
- settings: {
- remote_url: 'https://gitea.rknet.org/ansible/${DRONE_REPO_NAME}',
- netrc_machine: 'gitea.rknet.org',
- username: { from_secret: 'gitea_username' },
- password: { from_secret: 'gitea_token' },
- pages_directory: '_docs/',
- target_branch: 'docs',
- },
- when: {
- ref: ['refs/heads/main'],
- },
- },
- ],
- trigger: {
- ref: ['refs/heads/main', 'refs/tags/**', 'refs/pull/**'],
- },
- depends_on: [
- 'testing-centos7',
- 'testing-rocky8',
- ],
-};
-
-local PipelineNotification = {
- kind: 'pipeline',
- name: 'notification',
- platform: {
- os: 'linux',
- arch: 'amd64',
- },
- clone: {
- disable: true,
- },
- steps: [
- {
- name: 'matrix',
- image: 'thegeeklab/drone-matrix',
- settings: {
- homeserver: { from_secret: 'matrix_homeserver' },
- roomid: { from_secret: 'matrix_roomid' },
- template: 'Status: **{{ .Build.Status }}**
Build: [{{ .Repo.Owner }}/{{ .Repo.Name }}]({{ .Build.Link }}){{ if .Build.Branch }} ({{ .Build.Branch }}){{ end }} by {{ .Commit.Author }}
Message: {{ .Commit.Message.Title }}',
- username: { from_secret: 'matrix_username' },
- password: { from_secret: 'matrix_password' },
- },
- },
- ],
- depends_on: [
- 'documentation',
- ],
- trigger: {
- status: ['success', 'failure'],
- ref: ['refs/heads/main', 'refs/tags/**'],
- },
-};
-
-[
- PipelineLinting,
- PipelineDeployment(scenario='centos7'),
- PipelineDeployment(scenario='rocky8'),
- PipelineDocumentation,
- PipelineNotification,
-]
diff --git a/.drone.yml b/.drone.yml
deleted file mode 100644
index 086f58c..0000000
--- a/.drone.yml
+++ /dev/null
@@ -1,187 +0,0 @@
----
-kind: pipeline
-name: linting
-
-platform:
- os: linux
- arch: amd64
-
-steps:
- - name: ansible-later
- image: thegeeklab/ansible-later
- commands:
- - ansible-later
-
- - name: python-format
- image: python:3.11
- commands:
- - pip install -qq yapf
- - "[ -z \"$(find . -type f -name *.py)\" ] || (yapf -rd ./)"
- environment:
- PY_COLORS: 1
-
- - name: python-flake8
- image: python:3.11
- commands:
- - pip install -qq flake8
- - flake8
- environment:
- PY_COLORS: 1
-
-trigger:
- ref:
- - refs/heads/main
- - refs/tags/**
- - refs/pull/**
-
----
-kind: pipeline
-name: testing-centos7
-
-platform:
- os: linux
- arch: amd64
-
-concurrency:
- limit: 1
-
-workspace:
- base: /drone/src
- path: ${DRONE_REPO_NAME}
-
-steps:
- - name: ansible-molecule
- image: thegeeklab/molecule:4
- commands:
- - molecule test -s centos7
- environment:
- HCLOUD_TOKEN:
- from_secret: hcloud_token
-
-trigger:
- ref:
- - refs/heads/main
- - refs/tags/**
- - refs/pull/**
-
-depends_on:
- - linting
-
----
-kind: pipeline
-name: testing-rocky8
-
-platform:
- os: linux
- arch: amd64
-
-concurrency:
- limit: 1
-
-workspace:
- base: /drone/src
- path: ${DRONE_REPO_NAME}
-
-steps:
- - name: ansible-molecule
- image: thegeeklab/molecule:4
- commands:
- - molecule test -s rocky8
- environment:
- HCLOUD_TOKEN:
- from_secret: hcloud_token
-
-trigger:
- ref:
- - refs/heads/main
- - refs/tags/**
- - refs/pull/**
-
-depends_on:
- - linting
-
----
-kind: pipeline
-name: documentation
-
-platform:
- os: linux
- arch: amd64
-
-steps:
- - name: generate
- image: thegeeklab/ansible-doctor
- environment:
- ANSIBLE_DOCTOR_EXCLUDE_FILES: molecule/
- ANSIBLE_DOCTOR_FORCE_OVERWRITE: true
- ANSIBLE_DOCTOR_LOG_LEVEL: INFO
- ANSIBLE_DOCTOR_OUTPUT_DIR: _docs/
- ANSIBLE_DOCTOR_ROLE_NAME: ${DRONE_REPO_NAME#*.}
- ANSIBLE_DOCTOR_TEMPLATE: hugo-book
-
- - name: publish
- image: plugins/gh-pages
- settings:
- netrc_machine: gitea.rknet.org
- pages_directory: _docs/
- password:
- from_secret: gitea_token
- remote_url: https://gitea.rknet.org/ansible/${DRONE_REPO_NAME}
- target_branch: docs
- username:
- from_secret: gitea_username
- when:
- ref:
- - refs/heads/main
-
-trigger:
- ref:
- - refs/heads/main
- - refs/tags/**
- - refs/pull/**
-
-depends_on:
- - testing-centos7
- - testing-rocky8
-
----
-kind: pipeline
-name: notification
-
-platform:
- os: linux
- arch: amd64
-
-clone:
- disable: true
-
-steps:
- - name: matrix
- image: thegeeklab/drone-matrix
- settings:
- homeserver:
- from_secret: matrix_homeserver
- password:
- from_secret: matrix_password
- roomid:
- from_secret: matrix_roomid
- template: "Status: **{{ .Build.Status }}**
Build: [{{ .Repo.Owner }}/{{ .Repo.Name }}]({{ .Build.Link }}){{ if .Build.Branch }} ({{ .Build.Branch }}){{ end }} by {{ .Commit.Author }}
Message: {{ .Commit.Message.Title }}"
- username:
- from_secret: matrix_username
-
-trigger:
- ref:
- - refs/heads/main
- - refs/tags/**
- status:
- - success
- - failure
-
-depends_on:
- - documentation
-
----
-kind: signature
-hmac: 23c37a2530b7492cca4f9ea82c7c1340f0bd603450caa8b7c4a872565fbeb72c
-
-...
diff --git a/.gitignore b/.gitignore
index f64e8e3..d97b7cd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,5 +9,3 @@ __pycache__/
*.py[cod]
*$py.class
-# ---> Docs
-/_docs
diff --git a/.later.yml b/.later.yml
index 0efe5d5..2703cb9 100644
--- a/.later.yml
+++ b/.later.yml
@@ -10,10 +10,6 @@ ansible:
rules:
exclude_files:
- - molecule/
- "LICENSE*"
- "**/*.md"
- "**/*.ini"
-
- exclude_filter:
- - LINT0009
diff --git a/.markdownlint.yml b/.markdownlint.yml
new file mode 100644
index 0000000..da116c7
--- /dev/null
+++ b/.markdownlint.yml
@@ -0,0 +1,7 @@
+---
+default: True
+MD013: False
+MD041: False
+MD024: False
+MD004:
+ style: dash
diff --git a/.prettierignore b/.prettierignore
new file mode 100644
index 0000000..6b1d0bf
--- /dev/null
+++ b/.prettierignore
@@ -0,0 +1 @@
+LICENSE
diff --git a/.woodpecker/docs.yaml b/.woodpecker/docs.yaml
new file mode 100644
index 0000000..f053ca8
--- /dev/null
+++ b/.woodpecker/docs.yaml
@@ -0,0 +1,47 @@
+---
+when:
+ - event: [pull_request]
+ - event: [push, manual]
+ branch:
+ - ${CI_REPO_DEFAULT_BRANCH}
+
+steps:
+ - name: generate
+ image: quay.io/thegeeklab/ansible-doctor
+ environment:
+ ANSIBLE_DOCTOR_EXCLUDE_FILES: molecule/
+ ANSIBLE_DOCTOR_FORCE_OVERWRITE: "true"
+ ANSIBLE_DOCTOR_LOG_LEVEL: INFO
+ ANSIBLE_DOCTOR_ROLE_NAME: ${CI_REPO_NAME}
+ ANSIBLE_DOCTOR_TEMPLATE: readme
+
+ - name: format
+ image: quay.io/thegeeklab/alpine-tools
+ commands:
+ - prettier -w README.md
+
+ - name: diff
+ image: quay.io/thegeeklab/alpine-tools
+ commands:
+ - git diff --color=always README.md
+
+ - name: publish
+ image: quay.io/thegeeklab/wp-git-action
+ settings:
+ action:
+ - commit
+ - push
+ author_email: ci-bot@rknet.org
+ author_name: ci-bot
+ branch: main
+ message: "[skip ci] automated docs update"
+ netrc_machine: gitea.rknet.org
+ netrc_password:
+ from_secret: gitea_token
+ when:
+ - event: [push, manual]
+ branch:
+ - ${CI_REPO_DEFAULT_BRANCH}
+
+depends_on:
+ - test
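Review bot: `ANSIBLE_DOCTOR_ROLE_NAME: ${CI_REPO_NAME}` on the generate step drops the prefix stripping the old Drone pipeline applied (`${DRONE_REPO_NAME#*.}`), so if the repository is named `xoxys.sshd` as the README heading suggests, the generated docs will now use `xoxys.sshd` rather than `sshd` as the role name; confirm this is intended. Separately, the publish step hard-codes `branch: main` while its `when` clause keys on `${CI_REPO_DEFAULT_BRANCH}`, so the two can drift; `branch: ${CI_REPO_DEFAULT_BRANCH}` keeps them aligned, assuming Woodpecker substitutes that variable in settings as it does in `environment`. The publish step's `gitea_token` secret is limited to push/manual events on the default branch, so pull requests do not see it, which is the right shape.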
diff --git a/.woodpecker/lint.yaml b/.woodpecker/lint.yaml
new file mode 100644
index 0000000..ca4facd
--- /dev/null
+++ b/.woodpecker/lint.yaml
@@ -0,0 +1,30 @@
+---
+when:
+ - event: [pull_request, tag]
+ - event: [push, manual]
+ branch:
+ - ${CI_REPO_DEFAULT_BRANCH}
+
+steps:
+ - name: ansible-later
+ image: quay.io/thegeeklab/ansible-later:4
+ commands:
+ - ansible-later
+ environment:
+ FORCE_COLOR: "1"
+
+ - name: python-format
+ image: docker.io/python:3.12
+ commands:
+ - pip install -qq ruff
+ - ruff format --check --diff .
+ environment:
+ PY_COLORS: "1"
+
+ - name: python-lint
+ image: docker.io/python:3.12
+ commands:
+ - pip install -qq ruff
+ - ruff .
+ environment:
+ PY_COLORS: "1"
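Review bot: The python-lint step runs `ruff .` after an unpinned `pip install -qq ruff`, and current ruff releases have dropped the bare `ruff <path>` form in favour of `ruff check`, so this step is likely to fail or silently change behaviour whenever a new ruff version is published; the python-format step has the same unpinned install. Pinning the tool makes the lint result reproducible and removes the "latest package on every run" supply-chain exposure, e.g. `- pip install -qq "ruff==<pinned-version>"` followed by `- ruff check .`.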
diff --git a/.woodpecker/notify.yml b/.woodpecker/notify.yml
new file mode 100644
index 0000000..9957125
--- /dev/null
+++ b/.woodpecker/notify.yml
@@ -0,0 +1,26 @@
+---
+when:
+ - event: [tag]
+ - event: [push, manual]
+ branch:
+ - ${CI_REPO_DEFAULT_BRANCH}
+
+runs_on: [success, failure]
+
+steps:
+ - name: matrix
+ image: quay.io/thegeeklab/wp-matrix
+ settings:
+ homeserver:
+ from_secret: matrix_homeserver
+ password:
+ from_secret: matrix_password
+ roomid:
+ from_secret: matrix_roomid
+ username:
+ from_secret: matrix_username
+ when:
+ - status: [success, failure]
+
+depends_on:
+ - docs
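Review bot: This pipeline is named `notify.yml` while its siblings added in the same commit use the `.yaml` extension (`docs.yaml`, `lint.yaml`, `test.yaml`); Woodpecker accepts both, but the mix makes glob-based tooling and reviewers' expectations harder, so renaming it to `.woodpecker/notify.yaml` keeps the directory consistent.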
diff --git a/.woodpecker/test.yaml b/.woodpecker/test.yaml
new file mode 100644
index 0000000..a4991f7
--- /dev/null
+++ b/.woodpecker/test.yaml
@@ -0,0 +1,25 @@
+---
+when:
+ - event: [pull_request, tag]
+ - event: [push, manual]
+ branch:
+ - ${CI_REPO_DEFAULT_BRANCH}
+
+variables:
+ - &molecule_base
+ image: quay.io/thegeeklab/molecule:6
+ group: molecule
+ secrets:
+ - source: molecule_hcloud_token
+ target: HCLOUD_TOKEN
+ environment:
+ PY_COLORS: "1"
+
+steps:
+ - name: molecule-default
+ <<: *molecule_base
+ commands:
+ - molecule test -s default
+
+depends_on:
+ - lint
diff --git a/README.md b/README.md
index be52290..69d62fb 100644
--- a/README.md
+++ b/README.md
@@ -1,12 +1 @@
# xoxys.sshd
-
-[![Build Status](https://img.shields.io/drone/build/ansible/xoxys.sshd?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.sshd)
-[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
-
-Configure sshd server.
-
-You can find the full documentation at [https://galaxy.geekdocs.de](https://galaxy.geekdocs.de/roles/system/sshd/).
-
-## License
-
-This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
diff --git a/handlers/main.yml b/handlers/main.yml
index 30baeb0..4ca7a20 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,8 +1,6 @@
---
- name: Restart ssh server
- service:
+ ansible.builtin.service:
name: sshd
state: restarted
listen: __sshd_restart
- become: True
- become_user: root
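Review bot: Dropping `become: True` / `become_user: root` from the restart handler means the role now relies on the calling play to already run with root privileges, and nothing in this commit records that requirement (the README hunk removes the role description entirely). The same removal happens in tasks/ssh_2fa.yml and tasks/ssh_default.yml, whose flattened tasks write /etc/ssh/sshd_config and edit PAM, so a caller without play-level escalation will fail part-way through. Suggest stating it in the `@meta description` block of meta/main.yml so it lands in the generated README, e.g. `# This role manages /etc/ssh and PAM and must run with root privileges (e.g. play-level become: true).`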
diff --git a/meta/main.yml b/meta/main.yml
index 7ae8933..2416881 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -6,19 +6,18 @@ galaxy_info:
namespace: xoxys
role_name: sshd
# @meta description: >
- # [![Source Code](https://img.shields.io/badge/gitea-source%20code-blue?logo=gitea&logoColor=white)](https://gitea.rknet.org/ansible/xoxys.sshd)
- # [![Build Status](https://img.shields.io/drone/build/ansible/xoxys.sshd?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.sshd)
- # [![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://gitea.rknet.org/ansible/xoxys.sshd/src/branch/main/LICENSE)
+ # [![Build Status](https://ci.rknet.org/api/badges/ansible/xoxys.sshd/status.svg)](https://ci.rknet.org/repos/ansible/xoxys.sshd)
+ # [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.sshd/src/branch/main/LICENSE)
#
# Configure sshd server.
# @end
description: Configure sshd server
license: MIT
- min_ansible_version: 2.10
+ min_ansible_version: "2.10"
platforms:
- name: EL
versions:
- - 7
+ - "9"
galaxy_tags:
- sshd
- security
diff --git a/molecule/centos7/create.yml b/molecule/centos7/create.yml
deleted file mode 100644
index 8b945cd..0000000
--- a/molecule/centos7/create.yml
+++ /dev/null
@@ -1,120 +0,0 @@
----
-- name: Create
- hosts: localhost
- connection: local
- gather_facts: false
- no_log: "{{ molecule_no_log }}"
- vars:
- ssh_port: 22
- ssh_user: root
- ssh_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/ssh_key"
- tasks:
- - name: Create SSH key
- user:
- name: "{{ lookup('env', 'USER') }}"
- generate_ssh_key: true
- ssh_key_file: "{{ ssh_path }}"
- force: true
- register: generated_ssh_key
-
- - name: Register the SSH key name
- set_fact:
- ssh_key_name: "molecule-generated-{{ 12345 | random | to_uuid }}"
-
- - name: Register SSH key for test instance(s)
- hcloud_ssh_key:
- name: "{{ ssh_key_name }}"
- public_key: "{{ generated_ssh_key.ssh_public_key }}"
- state: present
-
- - name: Create molecule instance(s)
- hcloud_server:
- name: "{{ item.name }}"
- server_type: "{{ item.server_type }}"
- ssh_keys:
- - "{{ ssh_key_name }}"
- image: "{{ item.image }}"
- location: "{{ item.location | default(omit) }}"
- datacenter: "{{ item.datacenter | default(omit) }}"
- user_data: "{{ item.user_data | default(omit) }}"
- api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
- state: present
- register: server
- loop: "{{ molecule_yml.platforms }}"
- async: 7200
- poll: 0
-
- - name: Wait for instance(s) creation to complete
- async_status:
- jid: "{{ item.ansible_job_id }}"
- register: hetzner_jobs
- until: hetzner_jobs.finished
- retries: 300
- loop: "{{ server.results }}"
-
- - name: Create volume(s)
- hcloud_volume:
- name: "{{ item.name }}"
- server: "{{ item.name }}"
- location: "{{ item.location | default(omit) }}"
- size: "{{ item.volume_size | default(10) }}"
- api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
- state: "present"
- loop: "{{ molecule_yml.platforms }}"
- when: item.volume | default(False) | bool
- register: volumes
- async: 7200
- poll: 0
-
- - name: Wait for volume(s) creation to complete
- async_status:
- jid: "{{ item.ansible_job_id }}"
- register: hetzner_volumes
- until: hetzner_volumes.finished
- retries: 300
- when: volumes.changed
- loop: "{{ volumes.results }}"
-
- # Mandatory configuration for Molecule to function.
-
- - name: Populate instance config dict
- set_fact:
- instance_conf_dict:
- {
- "instance": "{{ item.hcloud_server.name }}",
- "ssh_key_name": "{{ ssh_key_name }}",
- "address": "{{ item.hcloud_server.ipv4_address }}",
- "user": "{{ ssh_user }}",
- "port": "{{ ssh_port }}",
- "identity_file": "{{ ssh_path }}",
- "volume": "{{ item.item.item.volume | default(False) | bool }}",
- }
- loop: "{{ hetzner_jobs.results }}"
- register: instance_config_dict
- when: server.changed | bool
-
- - name: Convert instance config dict to a list
- set_fact:
- instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}"
- when: server.changed | bool
-
- - name: Dump instance config
- copy:
- content: |
- # Molecule managed
-
- {{ instance_conf | to_nice_yaml(indent=2) }}
- dest: "{{ molecule_instance_config }}"
- when: server.changed | bool
-
- - name: Wait for SSH
- wait_for:
- port: "{{ ssh_port }}"
- host: "{{ item.address }}"
- search_regex: SSH
- delay: 10
- loop: "{{ lookup('file', molecule_instance_config) | from_yaml }}"
-
- - name: Wait for VM to settle down
- pause:
- seconds: 30
diff --git a/molecule/centos7/destroy.yml b/molecule/centos7/destroy.yml
deleted file mode 100644
index 6454c71..0000000
--- a/molecule/centos7/destroy.yml
+++ /dev/null
@@ -1,78 +0,0 @@
----
-- name: Destroy
- hosts: localhost
- connection: local
- gather_facts: false
- no_log: "{{ molecule_no_log }}"
- tasks:
- - name: Check existing instance config file
- stat:
- path: "{{ molecule_instance_config }}"
- register: cfg
-
- - name: Populate the instance config
- set_fact:
- instance_conf: "{{ (lookup('file', molecule_instance_config) | from_yaml) if cfg.stat.exists else [] }}"
-
- - name: Destroy molecule instance(s)
- hcloud_server:
- name: "{{ item.instance }}"
- api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
- state: absent
- register: server
- loop: "{{ instance_conf }}"
- async: 7200
- poll: 0
-
- - name: Wait for instance(s) deletion to complete
- async_status:
- jid: "{{ item.ansible_job_id }}"
- register: hetzner_jobs
- until: hetzner_jobs.finished
- retries: 300
- loop: "{{ server.results }}"
-
- - pause:
- seconds: 5
-
- - name: Destroy volume(s)
- hcloud_volume:
- name: "{{ item.instance }}"
- server: "{{ item.instance }}"
- api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
- state: "absent"
- register: volumes
- loop: "{{ instance_conf }}"
- when: item.volume | default(False) | bool
- async: 7200
- poll: 0
-
- - name: Wait for volume(s) deletion to complete
- async_status:
- jid: "{{ item.ansible_job_id }}"
- register: hetzner_volumes
- until: hetzner_volumes.finished
- retries: 300
- when: volumes.changed
- loop: "{{ volumes.results }}"
-
- - name: Remove registered SSH key
- hcloud_ssh_key:
- name: "{{ instance_conf[0].ssh_key_name }}"
- state: absent
- when: (instance_conf | default([])) | length > 0
-
- # Mandatory configuration for Molecule to function.
-
- - name: Populate instance config
- set_fact:
- instance_conf: {}
-
- - name: Dump instance config
- copy:
- content: |
- # Molecule managed
-
- {{ instance_conf | to_nice_yaml(indent=2) }}
- dest: "{{ molecule_instance_config }}"
- when: server.changed | bool
diff --git a/molecule/centos7/molecule.yml b/molecule/centos7/molecule.yml
deleted file mode 100644
index d113133..0000000
--- a/molecule/centos7/molecule.yml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-dependency:
- name: galaxy
- options:
- role-file: molecule/requirements.yml
- requirements-file: molecule/requirements.yml
- env:
- ANSIBLE_GALAXY_DISPLAY_PROGRESS: "false"
-driver:
- name: delegated
-platforms:
- - name: centos7-sshd
- image: centos-7
- server_type: cx11
-lint: |
- /usr/local/bin/flake8
-provisioner:
- name: ansible
- env:
- ANSIBLE_FILTER_PLUGINS: ${ANSIBLE_FILTER_PLUGINS:-./plugins/filter}
- ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-./library}
- log: False
-verifier:
- name: testinfra
diff --git a/molecule/centos7/prepare.yml b/molecule/centos7/prepare.yml
deleted file mode 100644
index 183f4d3..0000000
--- a/molecule/centos7/prepare.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-- name: Prepare
- hosts: all
- gather_facts: false
- tasks:
- - name: Bootstrap python for Ansible
- raw: |
- command -v python3 python || (
- (test -e /usr/bin/dnf && sudo dnf install -y python3) ||
- (test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) ||
- (test -e /usr/bin/yum && sudo yum -y -qq install python3) ||
- echo "Warning: Python not boostrapped due to unknown platform."
- )
- become: true
- changed_when: false
diff --git a/molecule/default b/molecule/default
deleted file mode 120000
index 62ea184..0000000
--- a/molecule/default
+++ /dev/null
@@ -1 +0,0 @@
-rocky8
\ No newline at end of file
diff --git a/molecule/centos7/converge.yml b/molecule/default/converge.yml
similarity index 100%
rename from molecule/centos7/converge.yml
rename to molecule/default/converge.yml
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
new file mode 100644
index 0000000..da95c31
--- /dev/null
+++ b/molecule/default/molecule.yml
@@ -0,0 +1,17 @@
+---
+driver:
+ name: molecule_hetznercloud
+dependency:
+ name: galaxy
+ options:
+ role-file: molecule/requirements.yml
+ requirements-file: molecule/requirements.yml
+platforms:
+ - name: "rocky9-sshd"
+ server_type: "cx11"
+ image: "rocky-9"
+provisioner:
+ name: ansible
+ log: False
+verifier:
+ name: testinfra
diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml
new file mode 100644
index 0000000..0df1d77
--- /dev/null
+++ b/molecule/default/prepare.yml
@@ -0,0 +1,11 @@
+---
+- name: Prepare
+ hosts: all
+ gather_facts: False
+ tasks:
+ - name: Bootstrap Python for Ansible
+ ansible.builtin.raw: |
+ command -v python3 python ||
+ ((test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) ||
+ echo "Warning: Python not boostrapped due to unknown platform.")
+ changed_when: False
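Review bot: The bootstrap fallback in the `ansible.builtin.raw` command only knows `apt`, but the single platform in molecule/default/molecule.yml is `rocky-9`, which uses `dnf`; the `dnf`/`yum` branches of the old prepare.yml were dropped here, so on a Rocky image without a preinstalled `python3` the task would only print the warning and converge would fail later with a less obvious error. `python-minimal` is also a legacy Debian package name; for an apt-based image `python3-minimal` is the current equivalent. The warning string still carries the `boostrapped` typo from the old file. Consider restoring a dnf branch ahead of the apt one, e.g. `(test -e /usr/bin/dnf && dnf install -y python3) ||`.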
diff --git a/molecule/centos7/tests/test_default.py b/molecule/default/tests/test_default.py
similarity index 100%
rename from molecule/centos7/tests/test_default.py
rename to molecule/default/tests/test_default.py
diff --git a/molecule/pytest.ini b/molecule/pytest.ini
deleted file mode 100644
index c24fe5b..0000000
--- a/molecule/pytest.ini
+++ /dev/null
@@ -1,3 +0,0 @@
-[pytest]
-filterwarnings =
- ignore::DeprecationWarning
diff --git a/molecule/requirements.yml b/molecule/requirements.yml
index 46da115..7d35793 100644
--- a/molecule/requirements.yml
+++ b/molecule/requirements.yml
@@ -1,6 +1,3 @@
---
-collections:
- - name: https://gitea.rknet.org/ansible/xoxys.general/releases/download/v2.1.1/xoxys-general-2.1.1.tar.gz
- - name: community.general
-
+collections: []
roles: []
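Review bot: `collections: []` removes `community.general` from the molecule requirements, while tasks/ssh_2fa.yml in this same commit switches to the fully qualified `community.general.pamd`; unless the `quay.io/thegeeklab/molecule:6` image ships that collection, the 2FA path can no longer be exercised in CI, and the visible meta/main.yml hunk does not declare the collection dependency either. The default scenario presumably leaves `sshd_google_auth_enabled` off, which would mask the gap until a consumer enables it. Suggest keeping `collections:` / `- name: community.general` here, or documenting the collection requirement in the role metadata.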
diff --git a/molecule/rocky8/converge.yml b/molecule/rocky8/converge.yml
deleted file mode 100644
index ae4e544..0000000
--- a/molecule/rocky8/converge.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: Converge
- hosts: all
- roles:
- - role: xoxys.sshd
diff --git a/molecule/rocky8/create.yml b/molecule/rocky8/create.yml
deleted file mode 100644
index 8b945cd..0000000
--- a/molecule/rocky8/create.yml
+++ /dev/null
@@ -1,120 +0,0 @@
----
-- name: Create
- hosts: localhost
- connection: local
- gather_facts: false
- no_log: "{{ molecule_no_log }}"
- vars:
- ssh_port: 22
- ssh_user: root
- ssh_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/ssh_key"
- tasks:
- - name: Create SSH key
- user:
- name: "{{ lookup('env', 'USER') }}"
- generate_ssh_key: true
- ssh_key_file: "{{ ssh_path }}"
- force: true
- register: generated_ssh_key
-
- - name: Register the SSH key name
- set_fact:
- ssh_key_name: "molecule-generated-{{ 12345 | random | to_uuid }}"
-
- - name: Register SSH key for test instance(s)
- hcloud_ssh_key:
- name: "{{ ssh_key_name }}"
- public_key: "{{ generated_ssh_key.ssh_public_key }}"
- state: present
-
- - name: Create molecule instance(s)
- hcloud_server:
- name: "{{ item.name }}"
- server_type: "{{ item.server_type }}"
- ssh_keys:
- - "{{ ssh_key_name }}"
- image: "{{ item.image }}"
- location: "{{ item.location | default(omit) }}"
- datacenter: "{{ item.datacenter | default(omit) }}"
- user_data: "{{ item.user_data | default(omit) }}"
- api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
- state: present
- register: server
- loop: "{{ molecule_yml.platforms }}"
- async: 7200
- poll: 0
-
- - name: Wait for instance(s) creation to complete
- async_status:
- jid: "{{ item.ansible_job_id }}"
- register: hetzner_jobs
- until: hetzner_jobs.finished
- retries: 300
- loop: "{{ server.results }}"
-
- - name: Create volume(s)
- hcloud_volume:
- name: "{{ item.name }}"
- server: "{{ item.name }}"
- location: "{{ item.location | default(omit) }}"
- size: "{{ item.volume_size | default(10) }}"
- api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
- state: "present"
- loop: "{{ molecule_yml.platforms }}"
- when: item.volume | default(False) | bool
- register: volumes
- async: 7200
- poll: 0
-
- - name: Wait for volume(s) creation to complete
- async_status:
- jid: "{{ item.ansible_job_id }}"
- register: hetzner_volumes
- until: hetzner_volumes.finished
- retries: 300
- when: volumes.changed
- loop: "{{ volumes.results }}"
-
- # Mandatory configuration for Molecule to function.
-
- - name: Populate instance config dict
- set_fact:
- instance_conf_dict:
- {
- "instance": "{{ item.hcloud_server.name }}",
- "ssh_key_name": "{{ ssh_key_name }}",
- "address": "{{ item.hcloud_server.ipv4_address }}",
- "user": "{{ ssh_user }}",
- "port": "{{ ssh_port }}",
- "identity_file": "{{ ssh_path }}",
- "volume": "{{ item.item.item.volume | default(False) | bool }}",
- }
- loop: "{{ hetzner_jobs.results }}"
- register: instance_config_dict
- when: server.changed | bool
-
- - name: Convert instance config dict to a list
- set_fact:
- instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}"
- when: server.changed | bool
-
- - name: Dump instance config
- copy:
- content: |
- # Molecule managed
-
- {{ instance_conf | to_nice_yaml(indent=2) }}
- dest: "{{ molecule_instance_config }}"
- when: server.changed | bool
-
- - name: Wait for SSH
- wait_for:
- port: "{{ ssh_port }}"
- host: "{{ item.address }}"
- search_regex: SSH
- delay: 10
- loop: "{{ lookup('file', molecule_instance_config) | from_yaml }}"
-
- - name: Wait for VM to settle down
- pause:
- seconds: 30
diff --git a/molecule/rocky8/destroy.yml b/molecule/rocky8/destroy.yml
deleted file mode 100644
index 6454c71..0000000
--- a/molecule/rocky8/destroy.yml
+++ /dev/null
@@ -1,78 +0,0 @@
----
-- name: Destroy
- hosts: localhost
- connection: local
- gather_facts: false
- no_log: "{{ molecule_no_log }}"
- tasks:
- - name: Check existing instance config file
- stat:
- path: "{{ molecule_instance_config }}"
- register: cfg
-
- - name: Populate the instance config
- set_fact:
- instance_conf: "{{ (lookup('file', molecule_instance_config) | from_yaml) if cfg.stat.exists else [] }}"
-
- - name: Destroy molecule instance(s)
- hcloud_server:
- name: "{{ item.instance }}"
- api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
- state: absent
- register: server
- loop: "{{ instance_conf }}"
- async: 7200
- poll: 0
-
- - name: Wait for instance(s) deletion to complete
- async_status:
- jid: "{{ item.ansible_job_id }}"
- register: hetzner_jobs
- until: hetzner_jobs.finished
- retries: 300
- loop: "{{ server.results }}"
-
- - pause:
- seconds: 5
-
- - name: Destroy volume(s)
- hcloud_volume:
- name: "{{ item.instance }}"
- server: "{{ item.instance }}"
- api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
- state: "absent"
- register: volumes
- loop: "{{ instance_conf }}"
- when: item.volume | default(False) | bool
- async: 7200
- poll: 0
-
- - name: Wait for volume(s) deletion to complete
- async_status:
- jid: "{{ item.ansible_job_id }}"
- register: hetzner_volumes
- until: hetzner_volumes.finished
- retries: 300
- when: volumes.changed
- loop: "{{ volumes.results }}"
-
- - name: Remove registered SSH key
- hcloud_ssh_key:
- name: "{{ instance_conf[0].ssh_key_name }}"
- state: absent
- when: (instance_conf | default([])) | length > 0
-
- # Mandatory configuration for Molecule to function.
-
- - name: Populate instance config
- set_fact:
- instance_conf: {}
-
- - name: Dump instance config
- copy:
- content: |
- # Molecule managed
-
- {{ instance_conf | to_nice_yaml(indent=2) }}
- dest: "{{ molecule_instance_config }}"
- when: server.changed | bool
diff --git a/molecule/rocky8/molecule.yml b/molecule/rocky8/molecule.yml
deleted file mode 100644
index 0b47461..0000000
--- a/molecule/rocky8/molecule.yml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-dependency:
- name: galaxy
- options:
- role-file: molecule/requirements.yml
- requirements-file: molecule/requirements.yml
- env:
- ANSIBLE_GALAXY_DISPLAY_PROGRESS: "false"
-driver:
- name: delegated
-platforms:
- - name: rocky8-sshd
- image: rocky-8
- server_type: cx11
-lint: |
- /usr/local/bin/flake8
-provisioner:
- name: ansible
- env:
- ANSIBLE_FILTER_PLUGINS: ${ANSIBLE_FILTER_PLUGINS:-./plugins/filter}
- ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-./library}
- log: False
-verifier:
- name: testinfra
diff --git a/molecule/rocky8/prepare.yml b/molecule/rocky8/prepare.yml
deleted file mode 100644
index 183f4d3..0000000
--- a/molecule/rocky8/prepare.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-- name: Prepare
- hosts: all
- gather_facts: false
- tasks:
- - name: Bootstrap python for Ansible
- raw: |
- command -v python3 python || (
- (test -e /usr/bin/dnf && sudo dnf install -y python3) ||
- (test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) ||
- (test -e /usr/bin/yum && sudo yum -y -qq install python3) ||
- echo "Warning: Python not boostrapped due to unknown platform."
- )
- become: true
- changed_when: false
diff --git a/molecule/rocky8/tests/test_default.py b/molecule/rocky8/tests/test_default.py
deleted file mode 100644
index 5460f39..0000000
--- a/molecule/rocky8/tests/test_default.py
+++ /dev/null
@@ -1,16 +0,0 @@
-import os
-
-import testinfra.utils.ansible_runner
-
-testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
- os.environ["MOLECULE_INVENTORY_FILE"]
-).get_hosts("all")
-
-
-def test_sshd_config_file(host):
- sshd = host.file("/etc/ssh/sshd_config")
-
- assert sshd.exists
- assert sshd.user == "root"
- assert sshd.group == "root"
- assert sshd.mode == 0o600
diff --git a/pyproject.toml b/pyproject.toml
new file mode 100644
index 0000000..7193140
--- /dev/null
+++ b/pyproject.toml
@@ -0,0 +1,17 @@
+[tool.ruff]
+exclude = [".git", "__pycache__"]
+
+line-length = 99
+indent-width = 4
+
+[tool.ruff.lint]
+ignore = ["W191", "E111", "E114", "E117", "S101", "S105"]
+select = ["F", "E", "I", "W", "S"]
+
+[tool.ruff.format]
+quote-style = "double"
+indent-style = "space"
+line-ending = "lf"
+
+[tool.pytest.ini_options]
+filterwarnings = ["ignore::FutureWarning", "ignore::DeprecationWarning"]
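Review bot: `ignore` in `[tool.ruff.lint]` disables `S101` and `S105` project-wide, which switches off the hardcoded-password-string check (`S105`) everywhere even though the only Python in this repository is the testinfra suite under molecule/. Scoping the suppression to the test files keeps the `S` rules effective for any future plugin or library code, e.g. a `[tool.ruff.lint.per-file-ignores]` table with `"molecule/**/tests/*.py" = ["S101", "S105"]` and both codes dropped from the global `ignore` list.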
diff --git a/setup.cfg b/setup.cfg
deleted file mode 100644
index 2bb8674..0000000
--- a/setup.cfg
+++ /dev/null
@@ -1,12 +0,0 @@
-[flake8]
-ignore = D100, D101, D102, D103, D105, D107, E402, W503
-max-line-length = 99
-inline-quotes = double
-exclude = .git,.tox,__pycache__,build,dist,tests,*.pyc,*.egg-info,.cache,.eggs,env*
-
-[yapf]
-based_on_style = google
-column_limit = 99
-dedent_closing_brackets = true
-coalesce_brackets = true
-split_before_logical_operator = true
diff --git a/tasks/main.yml b/tasks/main.yml
index 918a0fb..eed93c4 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,5 +1,5 @@
---
-- include_tasks: "{{ lookup('first_found', params) }}"
+- ansible.builtin.include_tasks: "{{ lookup('first_found', params) }}"
vars:
params:
files:
@@ -8,6 +8,5 @@
- "ssh_default.yml"
paths:
- "tasks"
-
-- include_tasks: ssh_2fa.yml
+- ansible.builtin.include_tasks: ssh_2fa.yml
when: sshd_google_auth_enabled | bool
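Review bot: Both `ansible.builtin.include_tasks` tasks in this file remain unnamed after the FQCN update (the first task's body continues past its hunk), which leaves the play output showing only the module name and is flagged by ansible-lint's `name[missing]` rule. Adding a name above each include, e.g. `- name: Include OS specific tasks` for the first and `- name: Include 2FA tasks` for the second, makes both readable in logs without changing behaviour.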
diff --git a/tasks/ssh_2fa.yml b/tasks/ssh_2fa.yml
index 95eba77..d959514 100644
--- a/tasks/ssh_2fa.yml
+++ b/tasks/ssh_2fa.yml
@@ -1,42 +1,39 @@
---
-- block:
- - name: Install google authenticator PAM module
- package:
- name: google-authenticator
- state: present
+- name: Install google authenticator PAM module
+ ansible.builtin.package:
+ name: google-authenticator
+ state: present
- - name: Add google auth module to PAM
- pamd:
- name: sshd
- type: account
- control: required
- module_path: pam_nologin.so
- new_type: auth
- new_control: required
- new_module_path: pam_google_authenticator.so
- state: before
+- name: Add google auth module to PAM
+ community.general.pamd:
+ name: sshd
+ type: account
+ control: required
+ module_path: pam_nologin.so
+ new_type: auth
+ new_control: required
+ new_module_path: pam_google_authenticator.so
+ state: before
- - name: Skip google auth for specific group
- pamd:
- name: sshd
- type: auth
- control: required
- module_path: pam_google_authenticator.so
- new_type: auth
- new_control: "[success=done default=ignore]"
- new_module_path: pam_succeed_if.so
- module_arguments:
- - user
- - ingroup
- - "{{ sshd_google_auth_exclude_group }}"
- state: "{{ 'before' if sshd_google_auth_exclude_group is defined else 'absent' }}"
+- name: Skip google auth for specific group
+ community.general.pamd:
+ name: sshd
+ type: auth
+ control: required
+ module_path: pam_google_authenticator.so
+ new_type: auth
+ new_control: "[success=done default=ignore]"
+ new_module_path: pam_succeed_if.so
+ module_arguments:
+ - user
+ - ingroup
+ - "{{ sshd_google_auth_exclude_group }}"
+ state: "{{ 'before' if sshd_google_auth_exclude_group is defined else 'absent' }}"
- - name: Remove password auth from PAM
- pamd:
- name: sshd
- type: auth
- control: substack
- module_path: password-auth
- state: absent
- become: True
- become_user: root
+- name: Remove password auth from PAM
+ community.general.pamd:
+ name: sshd
+ type: auth
+ control: substack
+ module_path: password-auth
+ state: absent
diff --git a/tasks/ssh_default.yml b/tasks/ssh_default.yml
index 82260c0..ba3bab2 100644
--- a/tasks/ssh_default.yml
+++ b/tasks/ssh_default.yml
@@ -1,44 +1,41 @@
---
- name: Gather package facts
- package_facts:
+ ansible.builtin.package_facts:
check_mode: False
-- block:
- - name: Hardening sshd config
- template:
- src: etc/ssh/sshd_config.j2
- dest: /etc/ssh/sshd_config
- owner: root
- group: root
- mode: 0600
- notify: __sshd_restart
+- name: Hardening sshd config
+ ansible.builtin.template:
+ src: etc/ssh/sshd_config.j2
+ dest: /etc/ssh/sshd_config
+ owner: root
+ group: root
+ mode: "0600"
+ notify: __sshd_restart
- - name: Check if /etc/ssh/moduli contains weak DH parameters
- shell: awk '$5 < {{ sshd_moduli_minimum }}' /etc/ssh/moduli
- register: __sshd_register_moduli
- changed_when: False
- check_mode: no
+- name: Check if /etc/ssh/moduli contains weak DH parameters
+ ansible.builtin.shell: awk '$5 < {{ sshd_moduli_minimum }}' /etc/ssh/moduli
+ register: __sshd_register_moduli
+ changed_when: False
+ check_mode: False
- - name: Remove all small primes
- shell:
- awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new ;
- [ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true
- notify: __sshd_restart
- when: __sshd_register_moduli.stdout
+- name: Remove all small primes
+ ansible.builtin.shell:
+ awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new ;
+ [ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true
+ notify: __sshd_restart
+ when: __sshd_register_moduli.stdout
- - name: Create SSH usergroup
- group:
- name: "{{ item }}"
- state: present
- loop: "{{ sshd_allow_groups }}"
+- name: Create SSH usergroup
+ ansible.builtin.group:
+ name: "{{ item }}"
+ state: present
+ loop: "{{ sshd_allow_groups }}"
- - name: Configure SSH crypto policy usage
- template:
- src: etc/sysconfig/sshd.j2
- dest: /etc/sysconfig/sshd
- owner: root
- group: root
- mode: 0640
- when: ('crypto-policies' in ansible_facts.packages)
- become: True
- become_user: root
+- name: Configure SSH crypto policy usage
+ ansible.builtin.template:
+ src: etc/sysconfig/sshd.j2
+ dest: /etc/sysconfig/sshd
+ owner: root
+ group: root
+ mode: "0640"
+ when: ('crypto-policies' in ansible_facts.packages)
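Review bot: `sshd_moduli_minimum` is interpolated unquoted into two shell commands (the awk check and the moduli rewrite in the middle of the hunk) with no type coercion, so a non-numeric value arriving from inventory, group_vars or extra-vars is handed to the shell and awk instead of being rejected; casting it, `ansible.builtin.shell: awk '$5 < {{ sshd_moduli_minimum | int }}' /etc/ssh/moduli` and likewise `awk '$5 >= {{ sshd_moduli_minimum | int }}'` in the rewrite, confines the interpolation to an integer. The hunk also removes the `become: True` / `become_user: root` that wrapped the old block, so writing /etc/ssh/sshd_config and replacing /etc/ssh/moduli now rely on privilege escalation being set by the play or role elsewhere — presumably intended, but a one-line comment at the top of the file (`# tasks expect to run with become: true set by the caller`) would make that dependency explicit. The rewrite task has no `changed_when`, so it reports changed whenever it executes; that is tolerable only because it is gated on the registered check's stdout.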
diff --git a/tasks/ssh_univention.yml b/tasks/ssh_univention.yml
index a07d12f..6f77b1b 100644
--- a/tasks/ssh_univention.yml
+++ b/tasks/ssh_univention.yml
@@ -1,49 +1,46 @@
---
-- block:
- - name: Hardening sshd config
- ucr:
- path: "{{ item.path }}"
- value: "{{ item.value }}"
- loop:
- - path: sshd/permitroot
- value: "{{ sshd_permit_root_login | default('') }}"
- - path: sshd/PermitEmptyPasswords
- value: "{{ sshd_permit_empty_passwords | default('') }}"
- - path: sshd/permitroot
- value: "{{ sshd_permit_root_login | default('') }}"
- - path: sshd/passwordauthentication
- value: "{{ sshd_password_authentication | default('') }}"
- - path: sshd/challengeresponse
- value: "{{ sshd_password_authentication | default('') }}"
- - path: sshd/IgnoreRhosts
- value: "{{ sshd_ignore_rhosts | default('') }}"
- - path: sshd/HostbasedAuthentication
- value: "{{ sshd_hostbased_authentication | default('') }}"
- - path: sshd/ClientAliveInterval
- value: "{{ sshd_client_alive_interval | default('') }}"
- - path: sshd/ClientAliveCountMax
- value: "{{ sshd_client_alive_count_max | default('') }}"
- - path: sshd/Ciphers
- value: "{{ sshd_ciphers | default('[]') | join(',') }}"
- - path: sshd/KexAlgorithms
- value: "{{ sshd_kex | default('[]') | join(',') }}"
- - path: sshd/MACs
- value: "{{ sshd_macs | default('[]') | join(',') }}"
- loop_control:
- label: "variable: {{ item.path }}={{ item.value }}"
- notify: __sshd_restart
+- name: Hardening sshd config
+ ucr:
+ path: "{{ item.path }}"
+ value: "{{ item.value }}"
+ loop:
+ - path: sshd/permitroot
+ value: "{{ sshd_permit_root_login | default('') }}"
+ - path: sshd/PermitEmptyPasswords
+ value: "{{ sshd_permit_empty_passwords | default('') }}"
+ - path: sshd/permitroot
+ value: "{{ sshd_permit_root_login | default('') }}"
+ - path: sshd/passwordauthentication
+ value: "{{ sshd_password_authentication | default('') }}"
+ - path: sshd/challengeresponse
+ value: "{{ sshd_password_authentication | default('') }}"
+ - path: sshd/IgnoreRhosts
+ value: "{{ sshd_ignore_rhosts | default('') }}"
+ - path: sshd/HostbasedAuthentication
+ value: "{{ sshd_hostbased_authentication | default('') }}"
+ - path: sshd/ClientAliveInterval
+ value: "{{ sshd_client_alive_interval | default('') }}"
+ - path: sshd/ClientAliveCountMax
+ value: "{{ sshd_client_alive_count_max | default('') }}"
+ - path: sshd/Ciphers
+ value: "{{ sshd_ciphers | default('[]') | join(',') }}"
+ - path: sshd/KexAlgorithms
+ value: "{{ sshd_kex | default('[]') | join(',') }}"
+ - path: sshd/MACs
+ value: "{{ sshd_macs | default('[]') | join(',') }}"
+ loop_control:
+ label: "variable: {{ item.path }}={{ item.value }}"
+ notify: __sshd_restart
- - name: Set allowed ssh groups
- ucr:
- path: "auth/sshd/group/{{ item }}"
- value: "yes"
- loop: "{{ sshd_allow_groups }}"
+- name: Set allowed ssh groups
+ ucr:
+ path: "auth/sshd/group/{{ item }}"
+ value: "yes"
+ loop: "{{ sshd_allow_groups }}"
- - name: Create SSH Usergroup
- group:
- name: "{{ item }}"
- system: "yes"
- state: present
- loop: "{{ sshd_allow_groups }}"
- become: True
- become_user: root
+- name: Create SSH Usergroup
+ ansible.builtin.group:
+ name: "{{ item }}"
+ system: "yes"
+ state: present
+ loop: "{{ sshd_allow_groups }}"
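Review bot: The `default('[]')` fallbacks on the Ciphers, KexAlgorithms and MACs entries pass a two-character string, not an empty list, to `join(',')`, so when one of those variables is undefined the UCR key is set to the literal `[,]`, which sshd would not accept as an algorithm list; the fallback should be a real list, `value: "{{ sshd_ciphers | default([]) | join(',') }}"`, and the same for `sshd_kex` and `sshd_macs`. This is presumably masked today by role defaults defining all three, so it is latent rather than live. `sshd/permitroot` appears twice in the loop, which is harmless but redundant. Note also that `sshd/challengeresponse` is driven by `sshd_password_authentication` rather than a variable of its own; if keyboard-interactive logins (for example PAM-based OTP) are expected on Univention hosts, disabling password authentication here disables those too, which may or may not be intended.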