From c86eb523bb25b5f813c6746bdbfacdafeaf5df60 Mon Sep 17 00:00:00 2001 From: mg Date: Fri, 17 Feb 2023 12:07:48 +0100 Subject: [PATCH] Rolle aktualisiert: ufw (#459) Co-authored-by: Michael Grote Reviewed-on: https://git.mgrote.net/mg/homeserver/pulls/459 --- roles/oefenweb.ufw/.ansible-lint | 7 +- roles/oefenweb.ufw/.github/workflows/ci.yml | 79 ++++++++++++++++ .../.github/workflows/release.yml | 20 +++++ roles/oefenweb.ufw/.travis.yml | 89 ------------------- roles/oefenweb.ufw/.yamllint | 15 ++++ roles/oefenweb.ufw/Dockerfile | 20 +++++ roles/oefenweb.ufw/README.md | 2 +- roles/oefenweb.ufw/Vagrantfile | 33 +++---- roles/oefenweb.ufw/defaults/main.yml | 2 +- roles/oefenweb.ufw/handlers/main.yml | 2 +- roles/oefenweb.ufw/meta/main.yml | 10 +-- .../molecule/default/converge.yml | 9 ++ .../molecule/default/molecule.yml | 21 +++++ .../oefenweb.ufw/molecule/default/prepare.yml | 5 ++ .../oefenweb.ufw/molecule/default/verify.yml | 5 ++ roles/oefenweb.ufw/tasks/configure.yml | 2 +- .../tasks/fix-dropped-ssh-sessions.yml | 2 +- roles/oefenweb.ufw/tasks/install.yml | 2 +- roles/oefenweb.ufw/tasks/main.yml | 4 +- roles/oefenweb.ufw/tests/test.yml | 5 +- roles/oefenweb.ufw/tests/vagrant.yml | 2 +- roles/oefenweb.ufw/tests/vars/main.yml | 3 + roles/oefenweb.ufw/vars/main.yml | 4 +- 23 files changed, 216 insertions(+), 127 deletions(-) create mode 100644 roles/oefenweb.ufw/.github/workflows/ci.yml create mode 100644 roles/oefenweb.ufw/.github/workflows/release.yml delete mode 100644 roles/oefenweb.ufw/.travis.yml create mode 100644 roles/oefenweb.ufw/.yamllint create mode 100644 roles/oefenweb.ufw/Dockerfile create mode 100644 roles/oefenweb.ufw/molecule/default/converge.yml create mode 100644 roles/oefenweb.ufw/molecule/default/molecule.yml create mode 100644 roles/oefenweb.ufw/molecule/default/prepare.yml create mode 100644 roles/oefenweb.ufw/molecule/default/verify.yml create mode 100644 roles/oefenweb.ufw/tests/vars/main.yml 
diff --git a/roles/oefenweb.ufw/.ansible-lint b/roles/oefenweb.ufw/.ansible-lint
index cb8e2acf..ad32a73c 100644
--- a/roles/oefenweb.ufw/.ansible-lint
+++ b/roles/oefenweb.ufw/.ansible-lint
@@ -1,2 +1,5 @@
-skip_list:
- - '405'
+---
+warn_list:
+ - role-name
+ - name[casing]
+ - '503'
diff --git a/roles/oefenweb.ufw/.github/workflows/ci.yml b/roles/oefenweb.ufw/.github/workflows/ci.yml
new file mode 100644
index 00000000..b7d526c9
--- /dev/null
+++ b/roles/oefenweb.ufw/.github/workflows/ci.yml
@@ -0,0 +1,79 @@
+---
+name: CI
+'on':
+ pull_request:
+ push:
+ branches:
+ - master
+ schedule:
+ - cron: '30 1 * * 3'
+
+jobs:
+
+ lint:
+ name: Lint
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out the codebase
+ uses: actions/checkout@v3
+
+ - name: Set up Python 3
+ uses: actions/setup-python@v4
+ with:
+ python-version: '3.x'
+
+ - name: Install test dependencies
+ run: pip install ansible-lint[community,yamllint]
+
+ - name: Lint code
+ run: |
+ yamllint .
+ ansible-lint
+
+ molecule:
+ name: Molecule
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ working-directory: "${{ github.repository }}"
+ needs:
+ - lint
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - distro: debian8
+ ansible-version: '<2.10'
+ - distro: debian9
+ - distro: debian10
+ - distro: ubuntu1604
+ ansible-version: '>=2.9, <2.10'
+ - distro: ubuntu1604
+ ansible-version: '>=2.10, <2.11'
+ - distro: ubuntu1604
+ - distro: ubuntu1804
+ - distro: ubuntu2004
+
+ steps:
+ - name: Check out the codebase
+ uses: actions/checkout@v3
+ with:
+ path: "${{ github.repository }}"
+
+ - name: Set up Python 3
+ uses: actions/setup-python@v4
+ with:
+ python-version: '3.x'
+
+ - name: Install test dependencies
+ run: pip install 'ansible${{ matrix.ansible-version }}' molecule[docker] docker
+
+ - name: Run Molecule tests
+ run: |
+ molecule test
+ env:
+ ANSIBLE_FORCE_COLOR: '1'
+ ANSIBLE_VERBOSITY: '3'
+ MOLECULE_DEBUG: '1'
+ MOLECULE_DISTRO: "${{ matrix.distro }}"
+ PY_COLORS: '1'
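Review bot: The new workflow sets no `permissions:` block, so both jobs run with the repository's default GITHUB_TOKEN scope although `lint` and `molecule` only ever read the checkout; a top-level `permissions: {contents: read}` under `name: CI` pins the token to least privilege. The actions are referenced by mutable tags (`actions/checkout@v3`, `actions/setup-python@v4`), which a moved tag can repoint without any change in this file; pinning to a full commit SHA with the tag kept as a comment, `uses: actions/checkout@<full-commit-sha>  # v3`, makes the reference immutable. Both points apply equally to `release.yml` in the next hunk, where `robertdebock/galaxy-action@1.2.0` is a third-party action that receives `secrets.GALAXY_API_KEY` and is the one most worth pinning by SHA. Since GitHub only loads workflows from the repository-root `.github/workflows`, this copy under `roles/oefenweb.ufw/` will not run here; it appears to be a vendored upstream role, so the fix belongs upstream as well.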
diff --git a/roles/oefenweb.ufw/.github/workflows/release.yml b/roles/oefenweb.ufw/.github/workflows/release.yml
new file mode 100644
index 00000000..5cc5164e
--- /dev/null
+++ b/roles/oefenweb.ufw/.github/workflows/release.yml
@@ -0,0 +1,20 @@
+---
+name: Release
+'on':
+ push:
+ tags:
+ - '*'
+
+jobs:
+
+ release:
+ name: Release
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out the codebase
+ uses: actions/checkout@v3
+
+ - name: Publish to Galaxy
+ uses: robertdebock/galaxy-action@1.2.0
+ with:
+ galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
diff --git a/roles/oefenweb.ufw/.travis.yml b/roles/oefenweb.ufw/.travis.yml
deleted file mode 100644
index 7fb3b9a2..00000000
--- a/roles/oefenweb.ufw/.travis.yml
+++ /dev/null
@@ -1,89 +0,0 @@ ---- -sudo: required -dist: xenial - -language: python -python: - - "2.7" - - "3.5" - -env: - - ANSIBLE_VERSION=latest - - ANSIBLE_VERSION=2.10.2 - - ANSIBLE_VERSION=2.10.1 - - ANSIBLE_VERSION=2.10.0 - - ANSIBLE_VERSION=2.9.14 - - ANSIBLE_VERSION=2.9.13 - - ANSIBLE_VERSION=2.9.12 - - ANSIBLE_VERSION=2.9.11 - - ANSIBLE_VERSION=2.9.10 - - ANSIBLE_VERSION=2.9.9 - - ANSIBLE_VERSION=2.9.8 - - ANSIBLE_VERSION=2.9.7 - - ANSIBLE_VERSION=2.9.6 - - ANSIBLE_VERSION=2.9.5 - - ANSIBLE_VERSION=2.9.4 - - ANSIBLE_VERSION=2.9.3 - - ANSIBLE_VERSION=2.9.2 - - ANSIBLE_VERSION=2.9.1 - - ANSIBLE_VERSION=2.9.0 - - ANSIBLE_VERSION=2.8.16 - - ANSIBLE_VERSION=2.8.15 - - ANSIBLE_VERSION=2.8.14 - - ANSIBLE_VERSION=2.8.13 - - ANSIBLE_VERSION=2.8.12 - - ANSIBLE_VERSION=2.8.11 - - ANSIBLE_VERSION=2.8.10 - - ANSIBLE_VERSION=2.8.9 - - ANSIBLE_VERSION=2.8.8 - - ANSIBLE_VERSION=2.8.7 - - ANSIBLE_VERSION=2.8.6 - - ANSIBLE_VERSION=2.8.5 - - ANSIBLE_VERSION=2.8.4 - - ANSIBLE_VERSION=2.8.3 - - ANSIBLE_VERSION=2.8.2 - - ANSIBLE_VERSION=2.8.1 - - ANSIBLE_VERSION=2.8.0 - -branches: - only: - - master - -matrix: - allow_failures: - # https://github.com/ansible/ansible/issues/56674 - - env: ANSIBLE_VERSION=2.8.0 - -before_install: - - sudo apt-get update -qq - - # Remove ufw - - sudo apt-get remove --purge --yes ufw - -install: - # Install Ansible. - - if [ "$ANSIBLE_VERSION" = "latest" ]; then pip install ansible; else pip install ansible==$ANSIBLE_VERSION; fi - - if [ "$ANSIBLE_VERSION" = "latest" ]; then pip install ansible-lint; fi - -script: - # Check the role/playbook's syntax. - - ansible-playbook -i tests/inventory tests/test.yml --syntax-check - - # Run the role/playbook with ansible-playbook. - - ansible-playbook -i tests/inventory tests/test.yml -vvvv - - # Run the role/playbook again, checking to make sure it's idempotent. 
- - > - ansible-playbook -i tests/inventory tests/test.yml - | grep -q 'changed=0.*failed=0' - && (echo 'Idempotence test: pass' && exit 0) - || (echo 'Idempotence test: fail' && exit 1) - - - if [ "$ANSIBLE_VERSION" = "latest" ]; then ansible-lint tests/test.yml; fi - -notifications: - email: false - webhooks: https://galaxy.ansible.com/api/v1/notifications/ - slack: - rooms: - secure: "If2mqrqZs5q6yZ9bs9qq+pmgCEMCTv1Nk3vQjax9N+xFoIvnRi1v0drEekibKgns8eg0Mg/Tya7xxXokqFhs3wVY64r43v86HFLS2MVDTaMYAxK3kRd4x8R5INIAN1U7Dtsk8RQbIngzGJPZwOfmOtY1qQ5p3RLMM+6zEBQOO7U="
diff --git a/roles/oefenweb.ufw/.yamllint b/roles/oefenweb.ufw/.yamllint
new file mode 100644
index 00000000..894450cd
--- /dev/null
+++ b/roles/oefenweb.ufw/.yamllint
@@ -0,0 +1,15 @@
+---
+extends: default
+
+rules:
+ braces:
+ max-spaces-inside: 1
+ level: error
+ brackets:
+ max-spaces-inside: 1
+ level: error
+ line-length: disable
+ truthy: disable
+
+ignore: |
+ .tox/
diff --git a/roles/oefenweb.ufw/Dockerfile b/roles/oefenweb.ufw/Dockerfile
new file mode 100644
index 00000000..b1792787
--- /dev/null
+++ b/roles/oefenweb.ufw/Dockerfile
@@ -0,0 +1,20 @@
+FROM ubuntu:16.04
+MAINTAINER Mischa ter Smitten
+
+# python
+RUN apt-get update && \
+ DEBIAN_FRONTEND=noninteractive apt-get install -y python-minimal python-dev curl && \
+ apt-get clean
+RUN curl -sL https://bootstrap.pypa.io/pip/2.7/get-pip.py | python -
+RUN rm -rf $HOME/.cache
+
+# ansible
+RUN DEBIAN_FRONTEND=noninteractive apt-get install -y gcc libffi-dev libssl-dev && \
+ apt-get clean
+RUN pip install ansible==2.9.15
+RUN rm -rf $HOME/.cache
+
+# provision
+COPY . /etc/ansible/roles/ansible-role
+WORKDIR /etc/ansible/roles/ansible-role
+RUN ansible-playbook -i tests/inventory tests/test.yml --connection=local
diff --git a/roles/oefenweb.ufw/README.md b/roles/oefenweb.ufw/README.md
index 703ec0df..3d2d43ad 100644
--- a/roles/oefenweb.ufw/README.md
+++ b/roles/oefenweb.ufw/README.md
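Review bot: `RUN curl -sL https://bootstrap.pypa.io/pip/2.7/get-pip.py | python -` runs whatever the download returns, with no integrity check and no `-f`, so a 4xx/5xx body is piped into the interpreter instead of failing the build. Fetching to a file, comparing it against a known digest and only then executing it makes the step fail closed: `RUN curl -fsSL https://bootstrap.pypa.io/pip/2.7/get-pip.py -o get-pip.py && echo "<sha256-of-get-pip.py>  get-pip.py" | sha256sum -c - && python get-pip.py && rm get-pip.py`. As a point of style, `MAINTAINER` is deprecated in favour of `LABEL maintainer="Mischa ter Smitten"`, and the `ubuntu:16.04` base with the Python 2.7 pip bootstrap targets an end-of-life platform, which is presumably deliberate for the legacy test matrix but deserves a comment saying so.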
@@ -1,6 +1,6 @@ ## ufw -[![Build Status](https://travis-ci.org/Oefenweb/ansible-ufw.svg?branch=master)](https://travis-ci.org/Oefenweb/ansible-ufw) +[![CI](https://github.com/Oefenweb/ansible-ufw/workflows/CI/badge.svg)](https://github.com/Oefenweb/ansible-ufw/actions?query=workflow%3ACI) [![Ansible Galaxy](http://img.shields.io/badge/ansible--galaxy-ufw-blue.svg)](https://galaxy.ansible.com/Oefenweb/ufw) Set up ufw in Debian-like systems. diff --git a/roles/oefenweb.ufw/Vagrantfile b/roles/oefenweb.ufw/Vagrantfile index 653c851f..a0182a0f 100644 --- a/roles/oefenweb.ufw/Vagrantfile +++ b/roles/oefenweb.ufw/Vagrantfile @@ -4,40 +4,26 @@ role = File.basename(File.expand_path(File.dirname(__FILE__))) boxes = [ - { - :name => "ubuntu-1204", - :box => "bento/ubuntu-12.04", - :ip => '10.0.0.11', - :cpu => "50", - :ram => "256" - }, - { - :name => "ubuntu-1404", - :box => "bento/ubuntu-14.04", - :ip => '10.0.0.12', - :cpu => "50", - :ram => "256" - }, { :name => "ubuntu-1604", :box => "bento/ubuntu-16.04", - :ip => '10.0.0.13', + :ip => '10.0.0.12', :cpu => "50", :ram => "256" }, { :name => "ubuntu-1804", :box => "bento/ubuntu-18.04", - :ip => '10.0.0.14', + :ip => '10.0.0.13', :cpu => "50", :ram => "384" }, { - :name => "debian-7", - :box => "bento/debian-7", - :ip => '10.0.0.15', + :name => "ubuntu-2004", + :box => "bento/ubuntu-20.04", + :ip => '10.0.0.14', :cpu => "50", - :ram => "256" + :ram => "384" }, { :name => "debian-8", @@ -53,6 +39,13 @@ boxes = [ :cpu => "50", :ram => "256" }, + { + :name => "debian-10", + :box => "bento/debian-10", + :ip => '10.0.0.18', + :cpu => "50", + :ram => "256" + }, ] Vagrant.configure("2") do |config| diff --git a/roles/oefenweb.ufw/defaults/main.yml b/roles/oefenweb.ufw/defaults/main.yml index 37730c66..c185d100 100644 --- a/roles/oefenweb.ufw/defaults/main.yml +++ b/roles/oefenweb.ufw/defaults/main.yml @@ -1,4 +1,4 @@ -# defaults file for ufw +# defaults file --- ufw_default_incoming_policy: deny ufw_default_outgoing_policy: allow 
diff --git a/roles/oefenweb.ufw/handlers/main.yml b/roles/oefenweb.ufw/handlers/main.yml
index 2a77d703..6ed70a29 100644
--- a/roles/oefenweb.ufw/handlers/main.yml
+++ b/roles/oefenweb.ufw/handlers/main.yml
@@ -1,4 +1,4 @@ -# handlers file for ufw +# handlers file --- - name: reload ufw ufw:
diff --git a/roles/oefenweb.ufw/meta/main.yml b/roles/oefenweb.ufw/meta/main.yml
index d72ba350..fa5a4dea 100644
--- a/roles/oefenweb.ufw/meta/main.yml
+++ b/roles/oefenweb.ufw/meta/main.yml
@@ -1,24 +1,24 @@ -# meta file for ufw +# meta file --- galaxy_info: + namespace: oefenweb role_name: ufw author: Mischa ter Smitten company: Oefenweb.nl B.V. description: Set up ufw in Debian-like systems license: MIT - min_ansible_version: 2.8.0 + min_ansible_version: 2.9.0 platforms: - name: Ubuntu versions: - - precise - - trusty - xenial - bionic + - focal - name: Debian versions: - - wheezy - jessie - stretch + - buster galaxy_tags: - system - networking
diff --git a/roles/oefenweb.ufw/molecule/default/converge.yml b/roles/oefenweb.ufw/molecule/default/converge.yml
new file mode 100644
index 00000000..73043c48
--- /dev/null
+++ b/roles/oefenweb.ufw/molecule/default/converge.yml
@@ -0,0 +1,9 @@
+---
+- name: Converge
+ hosts: all
+ become: true
+ pre_tasks:
+ - name: include vars
+ include_vars: "{{ playbook_dir }}/../../tests/vars/main.yml"
+ roles:
+ - ../../../
diff --git a/roles/oefenweb.ufw/molecule/default/molecule.yml b/roles/oefenweb.ufw/molecule/default/molecule.yml
new file mode 100644
index 00000000..1bebe43a
--- /dev/null
+++ b/roles/oefenweb.ufw/molecule/default/molecule.yml
@@ -0,0 +1,21 @@
+---
+dependency:
+ name: galaxy
+driver:
+ name: docker
+platforms:
+ - name: instance
+ image: "geerlingguy/docker-${MOLECULE_DISTRO:-ubuntu1604}-ansible:latest"
+ command: ${MOLECULE_DOCKER_COMMAND:-""}
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:ro
+ privileged: true
+ pre_build_image: true
+ capabilities:
+ - NET_ADMIN
+provisioner:
+ name: ansible
+ playbooks:
+ prepare: prepare.yml
+ converge: converge.yml
+ verify: verify.yml
diff --git a/roles/oefenweb.ufw/molecule/default/prepare.yml b/roles/oefenweb.ufw/molecule/default/prepare.yml
new file mode 100644
index 00000000..9a6673d2
--- /dev/null
+++ b/roles/oefenweb.ufw/molecule/default/prepare.yml
@@ -0,0 +1,5 @@
+---
+- name: Prepare
+ hosts: all
+ become: true
+ tasks: []
diff --git a/roles/oefenweb.ufw/molecule/default/verify.yml b/roles/oefenweb.ufw/molecule/default/verify.yml
new file mode 100644
index 00000000..44debad8
--- /dev/null
+++ b/roles/oefenweb.ufw/molecule/default/verify.yml
@@ -0,0 +1,5 @@
+---
+- name: Verify
+ hosts: all
+ become: true
+ tasks: []
diff --git a/roles/oefenweb.ufw/tasks/configure.yml b/roles/oefenweb.ufw/tasks/configure.yml
index aa39ca87..4a26c62f 100644
--- a/roles/oefenweb.ufw/tasks/configure.yml
+++ b/roles/oefenweb.ufw/tasks/configure.yml
@@ -1,4 +1,4 @@ -# tasks file for ufw +# tasks file --- - name: configure | create (local facts) directory file:
diff --git a/roles/oefenweb.ufw/tasks/fix-dropped-ssh-sessions.yml b/roles/oefenweb.ufw/tasks/fix-dropped-ssh-sessions.yml
index d4186e0b..df773f66 100644
--- a/roles/oefenweb.ufw/tasks/fix-dropped-ssh-sessions.yml
+++ b/roles/oefenweb.ufw/tasks/fix-dropped-ssh-sessions.yml
@@ -1,4 +1,4 @@ -# tasks file for ufw +# tasks file --- - name: check if conntrack exists stat:
diff --git a/roles/oefenweb.ufw/tasks/install.yml b/roles/oefenweb.ufw/tasks/install.yml
index 02c34c08..a45c1404 100644
--- a/roles/oefenweb.ufw/tasks/install.yml
+++ b/roles/oefenweb.ufw/tasks/install.yml
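Review bot: `privileged: true` already grants the container every capability, so the `capabilities: - NET_ADMIN` entry below it is redundant and hides which of the two the tests really need; either keep only `NET_ADMIN` (plus the cgroup mount) if `molecule test` still passes, or keep `privileged: true` and drop the capability list, with a comment such as `# privileged: needed for ufw/iptables inside the container (confirm)` recording why. The `:latest` tag on the `geerlingguy/docker-*-ansible` image also makes the weekly scheduled run non-reproducible, since a base-image update can flip the result without any change to the role; a pinned tag or digest would keep failures attributable. Both are points on how the test harness is written rather than on the role itself.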
@@ -1,4 +1,4 @@ -# tasks file for ufw +# tasks file --- - name: install | dependencies apt: diff --git a/roles/oefenweb.ufw/tasks/main.yml b/roles/oefenweb.ufw/tasks/main.yml index 5de837c6..21bfd3a2 100644 --- a/roles/oefenweb.ufw/tasks/main.yml +++ b/roles/oefenweb.ufw/tasks/main.yml @@ -1,8 +1,8 @@ -# tasks file for ufw +# tasks file --- - name: facts | set set_fact: - kernel_version: "{{ ansible_kernel | regex_search('^([0-9]+\\.[0-9]+\\.[0-9]+)') }}" + kernel_version: "{{ ansible_kernel | regex_search('^([0-9]+\\.[0-9]+\\.[0-9]+)') }}" tags: - configuration - ufw diff --git a/roles/oefenweb.ufw/tests/test.yml b/roles/oefenweb.ufw/tests/test.yml index 8c28d0f6..c2fbb9f2 100644 --- a/roles/oefenweb.ufw/tests/test.yml +++ b/roles/oefenweb.ufw/tests/test.yml @@ -1,7 +1,10 @@ -# test file for ufw +# test file --- - hosts: localhost connection: local become: true + pre_tasks: + - name: include vars + include_vars: "{{ playbook_dir }}/vars/main.yml" roles: - ../../ diff --git a/roles/oefenweb.ufw/tests/vagrant.yml b/roles/oefenweb.ufw/tests/vagrant.yml index aa0b5e2c..afdaebc1 100644 --- a/roles/oefenweb.ufw/tests/vagrant.yml +++ b/roles/oefenweb.ufw/tests/vagrant.yml @@ -1,4 +1,4 @@ -# test file for ufw +# test file --- - hosts: all remote_user: vagrant diff --git a/roles/oefenweb.ufw/tests/vars/main.yml b/roles/oefenweb.ufw/tests/vars/main.yml new file mode 100644 index 00000000..85b9e9c8 --- /dev/null +++ b/roles/oefenweb.ufw/tests/vars/main.yml @@ -0,0 +1,3 @@ +# vars file +--- +ufw_etc_default_ipv6: false diff --git a/roles/oefenweb.ufw/vars/main.yml b/roles/oefenweb.ufw/vars/main.yml index 63ef6a69..efca2a70 100644 --- a/roles/oefenweb.ufw/vars/main.yml +++ b/roles/oefenweb.ufw/vars/main.yml @@ -1,7 +1,9 @@ -# vars file for ufw +# vars file --- ufw_dependencies: - ufw + - iproute2 + - procps ufw_facts: default_incoming_policy: "{{ ufw_default_incoming_policy }}"