From 3372639eca7e8f5583e6e2cbc38f99c5e26438c9 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Wed, 12 Feb 2025 09:54:25 +0100 Subject: [PATCH 1/7] The mysql_client role assumes the deploy user exists, so it should depend on user_deploy. --- roles/debian/mysql_client/meta/main.yml | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 roles/debian/mysql_client/meta/main.yml diff --git a/roles/debian/mysql_client/meta/main.yml b/roles/debian/mysql_client/meta/main.yml new file mode 100644 index 000000000..0a46a8c7d --- /dev/null +++ b/roles/debian/mysql_client/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - role: debian/user_deploy From 1ec73f429dc80d07aa6ddd412d8de5146714c348 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Wed, 12 Feb 2025 10:06:17 +0100 Subject: [PATCH 2/7] Fixing pre-push git hooks. --- git-hooks/pre-push.d/ansible-lint.hook | 2 +- git-hooks/pre-push.d/yamllint.hook | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/git-hooks/pre-push.d/ansible-lint.hook b/git-hooks/pre-push.d/ansible-lint.hook index 11a2d51cf..2d978cb81 100755 --- a/git-hooks/pre-push.d/ansible-lint.hook +++ b/git-hooks/pre-push.d/ansible-lint.hook @@ -3,7 +3,7 @@ # Rename to ansible-lint.hook and alter to your needs. GIT_DIR=$(git rev-parse --show-toplevel 2> /dev/null) ROLES_LIST=$(cd "$GIT_DIR" && find roles/ -type d -name "tasks" -exec dirname {} \;) -ANSIBLE_LINT="/usr/local/bin/ansible-lint" +ANSIBLE_LINT="/home/ce-dev/ce-python/bin/ansible-lint" PROVISION_CONTAINER="provision-controller" CONTAINER_BASE_PATH="/home/ce-dev/ce-provision" OS=$(uname -s) diff --git a/git-hooks/pre-push.d/yamllint.hook b/git-hooks/pre-push.d/yamllint.hook index ca6824ec5..38cfbd9d9 100755 --- a/git-hooks/pre-push.d/yamllint.hook +++ b/git-hooks/pre-push.d/yamllint.hook 
@@ -5,6 +5,7 @@ PROVISION_CONTAINER="provision-controller" CONTAINER_BASE_PATH="/home/ce-dev/ce-provision" OS=$(uname -s) DOCKER_USER="ce-dev" +YAMLLINT_PATH="/home/ce-dev/ce-python/bin/yamllint" if [ "$OS" = "Darwin" ]; then DOCKER_BIN="docker" else @@ -12,7 +13,7 @@ else fi DOCKER_CMD="$DOCKER_BIN exec --user $DOCKER_USER --workdir $CONTAINER_BASE_PATH -i $PROVISION_CONTAINER" printf "\e[36m Running Yaml linter \n" -YAML_LINT_CMD="$DOCKER_CMD yamllint roles" +YAML_LINT_CMD="$DOCKER_CMD $YAMLLINT_PATH roles" ERRORS=$($YAML_LINT_CMD | wc -l) if [ "$ERRORS" != "0" ]; then $YAML_LINT_CMD From 91fc16ac574a94b88a9bb985a0fd355bd92d57b5 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Thu, 13 Feb 2025 10:22:27 +0100 Subject: [PATCH 3/7] Trying to fix ACL linting issue. --- roles/aws/aws_acl/tasks/create_acl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_acl/tasks/create_acl.yml b/roles/aws/aws_acl/tasks/create_acl.yml index 8b1f1db36..57ca9b287 100644 --- a/roles/aws/aws_acl/tasks/create_acl.yml +++ b/roles/aws/aws_acl/tasks/create_acl.yml @@ -96,7 +96,7 @@ sampled_requests: false cloudwatch_metrics: true # or "false" to disable metrics metric_name: test-metric-name # not sure about this name, since each rule also has it's own metrics name (maybe log group name) - rules: "{{ _rules }}" + rules: "{{ _rules | list }}" purge_rules: true tags: "{{ _acl.tags }}" state: present From ce147302fd2e25dd9e2f3d346a6138a3e01586d6 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Tue, 18 Feb 2025 19:32:44 +0100 Subject: [PATCH 4/7] Adding default portpathwhitelist variable to rkhunter. --- roles/debian/rkhunter/defaults/main.yml | 1 + roles/debian/rkhunter/tasks/main.yml | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/roles/debian/rkhunter/defaults/main.yml b/roles/debian/rkhunter/defaults/main.yml index 0a7c0943f..9950494d5 100644 --- a/roles/debian/rkhunter/defaults/main.yml +++ b/roles/debian/rkhunter/defaults/main.yml 
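Review bot: The pass/fail decision in yamllint.hook still rests on `ERRORS=$($YAML_LINT_CMD | wc -l)`, which counts stdout lines only; if the new absolute `/home/ce-dev/ce-python/bin/yamllint` path does not exist in the container, `docker exec` reports that on stderr with a non-zero exit status and stdout stays empty, so the hook prints nothing and lets the push through. Checking the exit status instead, `if ! $YAML_LINT_CMD; then printf "\e[31m yamllint reported problems or could not run \n"; exit 1; fi`, fails closed for both a lint finding and a missing linter. The ansible-lint hook in the same commit pins an analogous absolute path, and its result check is outside the visible hunk, so it likely has the same gap. The `if` block here continues past the end of the hunk.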
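Review bot: The reason for the new `| list` on `rules` is recorded only as "trying to fix a linting issue" in the commit message, which gives the next reader no way to know whether it is safe to drop; a short inline comment on the changed line would fix that, e.g. `rules: "{{ _rules | list }}"  # force a concrete list; _rules may be a lazy select/map result that the module or linter rejects`. If `_rules` can be undefined for an ACL with no rules, `"{{ _rules | default([]) | list }}"` would avoid a templating error, but where `_rules` is built is outside this hunk so that cannot be confirmed here.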
@@ -13,6 +13,7 @@ rkhunter: allow_ssh_root_user: "{{ sshd.PermitRootLogin | default('prohibit-password') }}" disable_tests: "suspscan hidden_procs deleted_files packet_cap_apps apps os_specific" os_package_manager: "NONE" # PKGMGR=NONE is default for Debian, set it to what you need. + portpathwhitelist: [] scriptwhitelist: - /bin/egrep - /bin/fgrep diff --git a/roles/debian/rkhunter/tasks/main.yml b/roles/debian/rkhunter/tasks/main.yml index 76942cca0..c8aee927c 100644 --- a/roles/debian/rkhunter/tasks/main.yml +++ b/roles/debian/rkhunter/tasks/main.yml @@ -12,24 +12,28 @@ path: "{{ item }}" register: _rkhunter_existing_scripts_to_whitelist loop: "{{ rkhunter.scriptwhitelist }}" + when: rkhunter.scriptwhitelist | length > 0 - name: Filter existing scripts set_fact: existing_scripts: "{{ existing_scripts | default([]) + [item.item] }}" when: item.stat.exists loop: "{{ _rkhunter_existing_scripts_to_whitelist.results }}" + when: _rkhunter_existing_scripts_to_whitelist is defined - name: Check paths for portpath existence ansible.builtin.stat: path: "{{ item.split(':')[0] }}" register: _rkhunter_existing_portpaths_to_whitelist loop: "{{ rkhunter.portpathwhitelist }}" + when: rkhunter.portpathwhitelist | length > 0 - name: Filter existing portpath set_fact: existing_portpaths: "{{ existing_portpaths | default([]) + [item.item] }}" when: item.stat.exists loop: "{{ _rkhunter_existing_portpaths_to_whitelist.results }}" + when: _rkhunter_existing_portpaths_to_whitelist is defined - name: Copy rkhunter configuration. ansible.builtin.template: From 7cbfea49d7c2a81e9fa78907e4cc22043155d320 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Tue, 18 Feb 2025 22:08:04 +0100 Subject: [PATCH 5/7] Accidentally doubled up on when clauses. --- roles/debian/rkhunter/tasks/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/debian/rkhunter/tasks/main.yml b/roles/debian/rkhunter/tasks/main.yml index c8aee927c..118827f8a 100644 --- a/roles/debian/rkhunter/tasks/main.yml 
+++ b/roles/debian/rkhunter/tasks/main.yml @@ -19,7 +19,6 @@ existing_scripts: "{{ existing_scripts | default([]) + [item.item] }}" when: item.stat.exists loop: "{{ _rkhunter_existing_scripts_to_whitelist.results }}" - when: _rkhunter_existing_scripts_to_whitelist is defined - name: Check paths for portpath existence ansible.builtin.stat: @@ -33,7 +32,6 @@ existing_portpaths: "{{ existing_portpaths | default([]) + [item.item] }}" when: item.stat.exists loop: "{{ _rkhunter_existing_portpaths_to_whitelist.results }}" - when: _rkhunter_existing_portpaths_to_whitelist is defined - name: Copy rkhunter configuration. ansible.builtin.template: From 13683217b31725000d3d05d00322cd29fb63d73f Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Wed, 19 Feb 2025 10:44:03 +0100 Subject: [PATCH 6/7] Adding another when to rkhunter tasks for when no port paths or scripts are defined. --- roles/debian/rkhunter/tasks/main.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/roles/debian/rkhunter/tasks/main.yml b/roles/debian/rkhunter/tasks/main.yml index 118827f8a..ec936bf6d 100644 --- a/roles/debian/rkhunter/tasks/main.yml +++ b/roles/debian/rkhunter/tasks/main.yml @@ -17,7 +17,9 @@ - name: Filter existing scripts set_fact: existing_scripts: "{{ existing_scripts | default([]) + [item.item] }}" - when: item.stat.exists + when: + - item.stat.exists + - _rkhunter_existing_scripts_to_whitelist is defined loop: "{{ _rkhunter_existing_scripts_to_whitelist.results }}" - name: Check paths for portpath existence @@ -30,7 +32,9 @@ - name: Filter existing portpath set_fact: existing_portpaths: "{{ existing_portpaths | default([]) + [item.item] }}" - when: item.stat.exists + when: + - item.stat.exists + - _rkhunter_existing_portpaths_to_whitelist is defined loop: "{{ _rkhunter_existing_portpaths_to_whitelist.results }}" - name: Copy rkhunter configuration. From 957aafa4ca160aef7e5503fbbf82e9dda172b80d Mon Sep 17 00:00:00 2001 
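Review bot: The added `_rkhunter_existing_scripts_to_whitelist is defined` condition cannot protect the task it sits in, because Ansible renders `loop` before it evaluates `when`; if the registered variable is undefined, the `loop: "{{ _rkhunter_existing_scripts_to_whitelist.results }}"` line fails before the condition is consulted. Guard the loop expression itself, `loop: "{{ _rkhunter_existing_scripts_to_whitelist.results | default([]) }}"`, after which the `is defined` entry in `when` is redundant. The same applies to the second hunk of this patch for `_rkhunter_existing_portpaths_to_whitelist`. If the preceding stat task can be skipped per item (its `when` is outside this hunk), the entries in `results` carry no `stat` key and `item.stat.exists | default(false)` would also be needed; that cannot be confirmed from the visible lines.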
From: Greg Harvey Date: Wed, 5 Mar 2025 16:14:33 +0100 Subject: [PATCH 7/7] Making the Postfix reload handler properly use the service module. --- roles/debian/postfix/handlers/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/debian/postfix/handlers/main.yml b/roles/debian/postfix/handlers/main.yml index 570618703..7f26ef942 100644 --- a/roles/debian/postfix/handlers/main.yml +++ b/roles/debian/postfix/handlers/main.yml @@ -3,4 +3,6 @@ ansible.builtin.command: /usr/sbin/postmap /etc/postfix/virtual - name: Reload Postfix configuration. - ansible.builtin.command: /usr/sbin/postfix reload + ansible.builtin.service: + name: postfix + state: reloaded