From 3372639eca7e8f5583e6e2cbc38f99c5e26438c9 Mon Sep 17 00:00:00 2001
From: Greg Harvey
Date: Wed, 12 Feb 2025 09:54:25 +0100
Subject: [PATCH 01/11] The mysql_client role assumes the deploy user exists, so it should depend on user_deploy.
---
roles/debian/mysql_client/meta/main.yml | 3 +++
1 file changed, 3 insertions(+)
create mode 100644 roles/debian/mysql_client/meta/main.yml
diff --git a/roles/debian/mysql_client/meta/main.yml b/roles/debian/mysql_client/meta/main.yml
new file mode 100644
index 000000000..0a46a8c7d
--- /dev/null
+++ b/roles/debian/mysql_client/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - role: debian/user_deploy
From 1ec73f429dc80d07aa6ddd412d8de5146714c348 Mon Sep 17 00:00:00 2001
From: Greg Harvey
Date: Wed, 12 Feb 2025 10:06:17 +0100
Subject: [PATCH 02/11] Fixing pre-push git hooks.
---
git-hooks/pre-push.d/ansible-lint.hook | 2 +-
git-hooks/pre-push.d/yamllint.hook | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/git-hooks/pre-push.d/ansible-lint.hook b/git-hooks/pre-push.d/ansible-lint.hook
index 11a2d51cf..2d978cb81 100755
--- a/git-hooks/pre-push.d/ansible-lint.hook
+++ b/git-hooks/pre-push.d/ansible-lint.hook
@@ -3,7 +3,7 @@
 # Rename to ansible-lint.hook and alter to your needs.
 GIT_DIR=$(git rev-parse --show-toplevel 2> /dev/null)
 ROLES_LIST=$(cd "$GIT_DIR" && find roles/ -type d -name "tasks" -exec dirname {} \;)
-ANSIBLE_LINT="/usr/local/bin/ansible-lint"
+ANSIBLE_LINT="/home/ce-dev/ce-python/bin/ansible-lint"
 PROVISION_CONTAINER="provision-controller"
 CONTAINER_BASE_PATH="/home/ce-dev/ce-provision"
 OS=$(uname -s)
diff --git a/git-hooks/pre-push.d/yamllint.hook b/git-hooks/pre-push.d/yamllint.hook
index ca6824ec5..38cfbd9d9 100755
--- a/git-hooks/pre-push.d/yamllint.hook
+++ b/git-hooks/pre-push.d/yamllint.hook
@@ -5,6 +5,7 @@ PROVISION_CONTAINER="provision-controller"
 CONTAINER_BASE_PATH="/home/ce-dev/ce-provision"
 OS=$(uname -s)
 DOCKER_USER="ce-dev"
+YAMLLINT_PATH="/home/ce-dev/ce-python/bin/yamllint"
 if [ "$OS" = "Darwin" ]; then
 DOCKER_BIN="docker"
 else
@@ -12,7 +13,7 @@ else
 fi
 DOCKER_CMD="$DOCKER_BIN exec --user $DOCKER_USER --workdir $CONTAINER_BASE_PATH -i $PROVISION_CONTAINER"
 printf "\e[36m Running Yaml linter \n"
-YAML_LINT_CMD="$DOCKER_CMD yamllint roles"
+YAML_LINT_CMD="$DOCKER_CMD $YAMLLINT_PATH roles"
 ERRORS=$($YAML_LINT_CMD | wc -l)
 if [ "$ERRORS" != "0" ]; then
 $YAML_LINT_CMD
From 91fc16ac574a94b88a9bb985a0fd355bd92d57b5 Mon Sep 17 00:00:00 2001
From: Greg Harvey
Date: Thu, 13 Feb 2025 10:22:27 +0100
Subject: [PATCH 03/11] Trying to fix ACL linting issue.
---
roles/aws/aws_acl/tasks/create_acl.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/aws/aws_acl/tasks/create_acl.yml b/roles/aws/aws_acl/tasks/create_acl.yml
index 8b1f1db36..57ca9b287 100644
--- a/roles/aws/aws_acl/tasks/create_acl.yml
+++ b/roles/aws/aws_acl/tasks/create_acl.yml
@@ -96,7 +96,7 @@
 sampled_requests: false
 cloudwatch_metrics: true # or "false" to disable metrics
 metric_name: test-metric-name # not sure about this name, since each rule also has it's own metrics name (maybe log group name)
- rules: "{{ _rules }}"
+ rules: "{{ _rules | list }}"
 purge_rules: true
 tags: "{{ _acl.tags }}"
 state: present
From ce147302fd2e25dd9e2f3d346a6138a3e01586d6 Mon Sep 17 00:00:00 2001
From: Greg Harvey
Date: Tue, 18 Feb 2025 19:32:44 +0100
Subject: [PATCH 04/11] Adding default portpathwhitelist variable to rkhunter.
---
roles/debian/rkhunter/defaults/main.yml | 1 +
roles/debian/rkhunter/tasks/main.yml | 4 ++++
2 files changed, 5 insertions(+)
diff --git a/roles/debian/rkhunter/defaults/main.yml b/roles/debian/rkhunter/defaults/main.yml
index 0a7c0943f..9950494d5 100644
--- a/roles/debian/rkhunter/defaults/main.yml
+++ b/roles/debian/rkhunter/defaults/main.yml
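Review bot: `ERRORS=$($YAML_LINT_CMD | wc -l)` counts only stdout, so if the newly hardcoded `/home/ce-dev/ce-python/bin/yamllint` is missing inside the container, `docker exec` reports the error on stderr, the count stays 0 and the hook passes silently; the same hardcoded-venv concern applies to `ANSIBLE_LINT` in ansible-lint.hook, whose body is outside that hunk. Counting stderr as well makes a missing or broken linter fail the push: `ERRORS=$($YAML_LINT_CMD 2>&1 | wc -l)`. Resolving the binary with `command -v yamllint` inside the container, with the venv path as a fallback, would also stop the hook breaking when the venv moves. The `if` block continues outside the hunk.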
@@ -13,6 +13,7 @@ rkhunter:
 allow_ssh_root_user: "{{ sshd.PermitRootLogin | default('prohibit-password') }}"
 disable_tests: "suspscan hidden_procs deleted_files packet_cap_apps apps os_specific"
 os_package_manager: "NONE" # PKGMGR=NONE is default for Debian, set it to what you need.
+ portpathwhitelist: []
 scriptwhitelist:
 - /bin/egrep
 - /bin/fgrep
diff --git a/roles/debian/rkhunter/tasks/main.yml b/roles/debian/rkhunter/tasks/main.yml
index 76942cca0..c8aee927c 100644
--- a/roles/debian/rkhunter/tasks/main.yml
+++ b/roles/debian/rkhunter/tasks/main.yml
@@ -12,24 +12,28 @@
 path: "{{ item }}"
 register: _rkhunter_existing_scripts_to_whitelist
 loop: "{{ rkhunter.scriptwhitelist }}"
+ when: rkhunter.scriptwhitelist | length > 0
 - name: Filter existing scripts
 set_fact:
 existing_scripts: "{{ existing_scripts | default([]) + [item.item] }}"
 when: item.stat.exists
 loop: "{{ _rkhunter_existing_scripts_to_whitelist.results }}"
+ when: _rkhunter_existing_scripts_to_whitelist is defined
 - name: Check paths for portpath existence
 ansible.builtin.stat:
 path: "{{ item.split(':')[0] }}"
 register: _rkhunter_existing_portpaths_to_whitelist
 loop: "{{ rkhunter.portpathwhitelist }}"
+ when: rkhunter.portpathwhitelist | length > 0
 - name: Filter existing portpath
 set_fact:
 existing_portpaths: "{{ existing_portpaths | default([]) + [item.item] }}"
 when: item.stat.exists
 loop: "{{ _rkhunter_existing_portpaths_to_whitelist.results }}"
+ when: _rkhunter_existing_portpaths_to_whitelist is defined
 - name: Copy rkhunter configuration.
 ansible.builtin.template:
From 7cbfea49d7c2a81e9fa78907e4cc22043155d320 Mon Sep 17 00:00:00 2001
From: Greg Harvey
Date: Tue, 18 Feb 2025 22:08:04 +0100
Subject: [PATCH 05/11] Accidentally doubled up on when clauses.
---
roles/debian/rkhunter/tasks/main.yml | 2 --
1 file changed, 2 deletions(-)
diff --git a/roles/debian/rkhunter/tasks/main.yml b/roles/debian/rkhunter/tasks/main.yml
index c8aee927c..118827f8a 100644
--- a/roles/debian/rkhunter/tasks/main.yml
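Review bot: `portpathwhitelist: []` is added to the defaults without saying what an entry looks like, while the consuming task in the second hunk stats only `item.split(':')[0]`, so a reader of the defaults cannot tell what is expected after the colon or that only the path part is existence-checked before being written into the rkhunter configuration. Suggest documenting it inline like the neighbouring `os_package_manager` entry: `portpathwhitelist: [] # "<path>[:<...>]" entries; the tasks stat the part before the first ':' and whitelist only paths that exist`. The two new `when: rkhunter.*whitelist | length > 0` guards on the stat tasks are redundant, since a `loop` over an empty list already performs no iterations.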
+++ b/roles/debian/rkhunter/tasks/main.yml
@@ -19,7 +19,6 @@
 existing_scripts: "{{ existing_scripts | default([]) + [item.item] }}"
 when: item.stat.exists
 loop: "{{ _rkhunter_existing_scripts_to_whitelist.results }}"
- when: _rkhunter_existing_scripts_to_whitelist is defined
 - name: Check paths for portpath existence
 ansible.builtin.stat:
@@ -33,7 +32,6 @@
 existing_portpaths: "{{ existing_portpaths | default([]) + [item.item] }}"
 when: item.stat.exists
 loop: "{{ _rkhunter_existing_portpaths_to_whitelist.results }}"
- when: _rkhunter_existing_portpaths_to_whitelist is defined
 - name: Copy rkhunter configuration.
 ansible.builtin.template:
From 13683217b31725000d3d05d00322cd29fb63d73f Mon Sep 17 00:00:00 2001
From: Greg Harvey
Date: Wed, 19 Feb 2025 10:44:03 +0100
Subject: [PATCH 06/11] Adding another when to rkhunter tasks for when no port paths or scripts are defined.
---
roles/debian/rkhunter/tasks/main.yml | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/roles/debian/rkhunter/tasks/main.yml b/roles/debian/rkhunter/tasks/main.yml
index 118827f8a..ec936bf6d 100644
--- a/roles/debian/rkhunter/tasks/main.yml
+++ b/roles/debian/rkhunter/tasks/main.yml
@@ -17,7 +17,9 @@
 - name: Filter existing scripts
 set_fact:
 existing_scripts: "{{ existing_scripts | default([]) + [item.item] }}"
- when: item.stat.exists
+ when:
+ - item.stat.exists
+ - _rkhunter_existing_scripts_to_whitelist is defined
 loop: "{{ _rkhunter_existing_scripts_to_whitelist.results }}"
 - name: Check paths for portpath existence
@@ -30,7 +32,9 @@
 - name: Filter existing portpath
 set_fact:
 existing_portpaths: "{{ existing_portpaths | default([]) + [item.item] }}"
- when: item.stat.exists
+ when:
+ - item.stat.exists
+ - _rkhunter_existing_portpaths_to_whitelist is defined
 loop: "{{ _rkhunter_existing_portpaths_to_whitelist.results }}"
 - name: Copy rkhunter configuration.
From 957aafa4ca160aef7e5503fbbf82e9dda172b80d Mon Sep 17 00:00:00 2001
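Review bot: The new `- _rkhunter_existing_scripts_to_whitelist is defined` condition cannot protect the task it sits on, because Ansible expands `loop` before it evaluates `when` for each item, so an undefined register would already fail on `loop: "{{ _rkhunter_existing_scripts_to_whitelist.results }}"` before the condition is reached; the second hunk has the same problem with `_rkhunter_existing_portpaths_to_whitelist`. If the register can really be undefined, the fallback belongs in the loop expression, `loop: "{{ _rkhunter_existing_scripts_to_whitelist.results | default([]) }}"` (and the same for portpaths), after which the `is defined` lines can go. Whether it can be undefined is not visible here — the stat tasks that register these variables are outside both hunks; if they always run, even with an empty list, the added condition is dead rather than wrong.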
From: Greg Harvey
Date: Wed, 5 Mar 2025 16:14:33 +0100
Subject: [PATCH 07/11] Making the Postfix reload handler properly use the service module.
---
roles/debian/postfix/handlers/main.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/roles/debian/postfix/handlers/main.yml b/roles/debian/postfix/handlers/main.yml
index 570618703..7f26ef942 100644
--- a/roles/debian/postfix/handlers/main.yml
+++ b/roles/debian/postfix/handlers/main.yml
@@ -3,4 +3,6 @@
 ansible.builtin.command: /usr/sbin/postmap /etc/postfix/virtual
 - name: Reload Postfix configuration.
- ansible.builtin.command: /usr/sbin/postfix reload
+ ansible.builtin.service:
+ name: postfix
+ state: reloaded
From 8d876263e72ff68844404467f4b1a869ca258d2e Mon Sep 17 00:00:00 2001
From: Greg Harvey
Date: Tue, 11 Mar 2025 17:54:53 +0100
Subject: [PATCH 08/11] Adding handling for starting nodejs corepack on boot.
---
roles/debian/ansible/tasks/main.yml | 1 +
roles/debian/nodejs/defaults/main.yml | 3 ++-
.../nodejs/files/node-corepack-start.service | 11 +++++++++++
roles/debian/nodejs/tasks/main.yml | 16 ++++++++++++++++
4 files changed, 30 insertions(+), 1 deletion(-)
create mode 100644 roles/debian/nodejs/files/node-corepack-start.service
diff --git a/roles/debian/ansible/tasks/main.yml b/roles/debian/ansible/tasks/main.yml
index f876b55cb..57af8cbf0 100644
--- a/roles/debian/ansible/tasks/main.yml
+++ b/roles/debian/ansible/tasks/main.yml
@@ -77,6 +77,7 @@
 ansible.builtin.copy:
 content: "export PATH=$PATH:{{ ce_ansible.venv_path | default(_venv_path) }}/bin"
 dest: "/etc/profile.d/ansible-path.sh"
+ mode: '0644'
 - name: Install systemd timer.
 when:
diff --git a/roles/debian/nodejs/defaults/main.yml b/roles/debian/nodejs/defaults/main.yml
index a5abfea38..f53b7afd0 100644
--- a/roles/debian/nodejs/defaults/main.yml
+++ b/roles/debian/nodejs/defaults/main.yml
@@ -6,7 +6,8 @@ nodejs:
 apt_signed_by_nodejs: https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key
 apt_origin_yarn: "origin=yarn,codename=stable,label=yarn-stable" # yarn repo
 apt_signed_by_yarn: https://dl.yarnpkg.com/debian/pubkey.gpg
- version: 18.x # LTS - see https://nodejs.dev/en/about/releases/
+ version: 22.x # LTS - see https://nodejs.dev/en/about/releases/
+ start_corepack: false
 npm_packages: []
 #npm_packages:
 # - name: coffee-script # required
diff --git a/roles/debian/nodejs/files/node-corepack-start.service b/roles/debian/nodejs/files/node-corepack-start.service
new file mode 100644
index 000000000..833a1ebb9
--- /dev/null
+++ b/roles/debian/nodejs/files/node-corepack-start.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Enable node corepack on boot.
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/corepack enable
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/debian/nodejs/tasks/main.yml b/roles/debian/nodejs/tasks/main.yml
index 185bcb6e3..03eb7af75 100644
--- a/roles/debian/nodejs/tasks/main.yml
+++ b/roles/debian/nodejs/tasks/main.yml
@@ -137,3 +137,19 @@
 when:
 - nodejs.npm_packages | length > 0
 - item.path is defined
+
+- name: Start corepack on boot.
+ when: nodejs.start_corepack
+ block:
+ - name: Place service definition file for node corepack.
+ ansible.builtin.copy:
+ src: node-corepack-start.service
+ dest: /etc/systemd/system/node-corepack-start.service
+
+ - name: Enable the corepack service.
+ ansible.builtin.systemd:
+ name: node-corepack-start.service
+ state: restarted
+ enabled: true
+ masked: false
+ daemon_reload: true
From ef813285ebe8afddfd427445ce8f7e1650d58e2b Mon Sep 17 00:00:00 2001
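Review bot: The default `version` moves from `18.x` to `22.x` in the same hunk that introduces `start_corepack`, and the commit message says nothing about it, so every consumer that does not pin `nodejs.version` gets a new Node major on its next run from a commit titled as a corepack change. Splitting the bump into its own commit, or at least naming it in the message, keeps that upgrade auditable; a comment such as `version: 22.x # LTS - see https://nodejs.dev/en/about/releases/ - bumped from 18.x, pin per host if needed` would also make it visible to anyone reading the defaults.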
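Review bot: The `ansible.builtin.copy` that places `node-corepack-start.service` under `/etc/systemd/system` sets no `owner`, `group` or `mode`, even though the same commit adds `mode: '0644'` to the profile.d copy in roles/debian/ansible/tasks/main.yml; a unit whose `ExecStart` runs as root at every boot should carry `owner: root`, `group: root`, `mode: '0644'` explicitly so its permissions do not depend on the remote umask. Separately, `state: restarted` on a `Type=oneshot` unit with `RemainAfterExit=yes` re-executes `corepack enable` and reports `changed` on every play; if the intent is only that the shims exist, `state: started` is idempotent once the unit is active, so keep `restarted` only if re-running the command on each play is deliberate. `After=network.target` in the unit is not needed for a command that only touches the local filesystem, though it is harmless.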
From: Greg Harvey
Date: Thu, 13 Mar 2025 12:45:40 +0100
Subject: [PATCH 09/11] Adding comment to nodejs var.
---
roles/debian/nodejs/defaults/main.yml | 2 +-
roles/debian/nodejs/files/node-corepack.service | 11 +++++++++++
2 files changed, 12 insertions(+), 1 deletion(-)
create mode 100644 roles/debian/nodejs/files/node-corepack.service
diff --git a/roles/debian/nodejs/defaults/main.yml b/roles/debian/nodejs/defaults/main.yml
index f53b7afd0..74ca44913 100644
--- a/roles/debian/nodejs/defaults/main.yml
+++ b/roles/debian/nodejs/defaults/main.yml
@@ -7,7 +7,7 @@ nodejs:
 apt_origin_yarn: "origin=yarn,codename=stable,label=yarn-stable" # yarn repo
 apt_signed_by_yarn: https://dl.yarnpkg.com/debian/pubkey.gpg
 version: 22.x # LTS - see https://nodejs.dev/en/about/releases/
- start_corepack: false
+ start_corepack: false # corepack is shipped with nodejs and enables a core set of packages
 npm_packages: []
 #npm_packages:
 # - name: coffee-script # required
diff --git a/roles/debian/nodejs/files/node-corepack.service b/roles/debian/nodejs/files/node-corepack.service
new file mode 100644
index 000000000..833a1ebb9
--- /dev/null
+++ b/roles/debian/nodejs/files/node-corepack.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Enable node corepack on boot.
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/corepack enable
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
From ef6382ed2e16b7bffee4dbb763b4a9d4be22d0f1 Mon Sep 17 00:00:00 2001
From: Greg Harvey
Date: Thu, 13 Mar 2025 12:46:39 +0100
Subject: [PATCH 10/11] Ensuring ce-provision is forced to run in local ce-dev containers.
---
roles/_init/tasks/main.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/roles/_init/tasks/main.yml b/roles/_init/tasks/main.yml
index ac996f250..93cf3e4ad 100644
--- a/roles/_init/tasks/main.yml
+++ b/roles/_init/tasks/main.yml
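Review bot: The new comment says corepack `enables a core set of packages`, which misdescribes the tool: corepack is the package-manager manager bundled with Node.js, and `corepack enable` — the `ExecStart` of the unit this series adds — installs shims for yarn and pnpm next to the node binary rather than installing packages. Suggest `start_corepack: false # corepack ships with nodejs and provides yarn/pnpm shims; true installs a oneshot unit that runs 'corepack enable' at boot`, so the variable's effect on the host is clear from the defaults.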
@@ -107,6 +107,7 @@
 - current_play_dir_md5 == previous_play_dir_md5
 - not _init.force_play
 - not _ce_provision_force_play
+ - not is_local
 - name: Include vars directories.
 ansible.builtin.include_vars:
From 1de52f13fe3a5473fb14c02f53e9ee15a9d29c31 Mon Sep 17 00:00:00 2001
From: Greg Harvey
Date: Thu, 13 Mar 2025 12:52:35 +0100
Subject: [PATCH 11/11] Removing duplicate service file.
---
roles/debian/nodejs/files/node-corepack.service | 11 -----------
1 file changed, 11 deletions(-)
delete mode 100644 roles/debian/nodejs/files/node-corepack.service
diff --git a/roles/debian/nodejs/files/node-corepack.service b/roles/debian/nodejs/files/node-corepack.service
deleted file mode 100644
index 833a1ebb9..000000000
--- a/roles/debian/nodejs/files/node-corepack.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=Enable node corepack on boot.
-After=network.target
-
-[Service]
-Type=oneshot
-ExecStart=/usr/bin/corepack enable
-RemainAfterExit=yes
-
-[Install]
-WantedBy=multi-user.target
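Review bot: `- not is_local` is appended to a `when` list whose other entries appear to be role-provided variables, but nothing in the hunk defines `is_local`, and if it is unset for a host the whole task fails with an undefined-variable error instead of evaluating the skip; the enclosing task starts outside the hunk, so its purpose is inferred from the commit message. A defensive form is `- not (is_local | default(false))`, which still forces the play in local ce-dev containers and leaves hosts without the variable on the previous behaviour. A short comment above the line, `# local ce-dev containers always run the full play`, would record why this early-exit is bypassed.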