Fixed ansible-lint problems

dmotte · Jul 20, 2023 · 8da12c3 · 8da12c3
1 parent 4349ec9
commit 8da12c3
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 23 deletions.
diff --git a/.ansible-lint b/.ansible-lint
@@ -1,2 +1,4 @@
 ---
 strict: true
+exclude_paths:
+  - .github/
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1,9 +1,9 @@
 ---
-private_dirs: []
-sshd_addressfamily_inet: false
-sshd_disable_psw_auth: false
-disable_ipv6: false
+hardening_private_dirs: []
+hardening_sshd_addressfamily_inet: false
+hardening_sshd_disable_psw_auth: false
+hardening_disable_ipv6: false
 
-restart_sshd_if_changed: true
-restart_timesyncd_if_changed: true
-reload_sysctl_if_changed: true
+hardening_restart_sshd_if_changed: true
+hardening_restart_timesyncd_if_changed: true
+hardening_reload_sysctl_if_changed: true
diff --git a/handlers/main.yml b/handlers/main.yml
@@ -3,18 +3,18 @@
   ansible.builtin.service:
     name: ssh
     state: restarted
-  when: restart_sshd_if_changed
+  when: hardening_restart_sshd_if_changed
 
 - name: Restart timesyncd
   ansible.builtin.service:
     name: systemd-timesyncd
     state: restarted
-  when: restart_timesyncd_if_changed
+  when: hardening_restart_timesyncd_if_changed
 
 - name: Reload the sysctl configuration
   # We have to use the command here because (to date) the
   # ansible.posix.sysctl module does not allow to force a reload
   ansible.builtin.command:
     cmd: sysctl --system
   changed_when: false
-  when: reload_sysctl_if_changed
+  when: hardening_reload_sysctl_if_changed
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -16,7 +16,7 @@
     path: "{{ item }}"
     state: directory
     mode: "0700"
-  loop: "{{ private_dirs }}"
+  loop: "{{ hardening_private_dirs }}"
 
 - name: Set correct hostname in /etc/hosts
   ansible.builtin.lineinfile:
@@ -42,15 +42,15 @@
         path: /etc/ssh/sshd_config
         regexp: "^#?AddressFamily"
         line: AddressFamily inet
-      when: sshd_addressfamily_inet
+      when: hardening_sshd_addressfamily_inet
       notify: Restart the ssh service
 
     - name: In sshd_config, disable PasswordAuthentication
       ansible.builtin.lineinfile:
         path: /etc/ssh/sshd_config
         regexp: "^#?PasswordAuthentication"
         line: PasswordAuthentication no
-      when: sshd_disable_psw_auth
+      when: hardening_sshd_disable_psw_auth
       notify: Restart the ssh service
 
     - name: Force all notified handlers to run at this point
@@ -111,8 +111,8 @@
 - name: Disable IPv6
   ansible.builtin.include_role: { name: dmotte.disable_ipv6 }
   vars:
-    disable_ipv6_reload_sysctl_if_changed: "{{ reload_sysctl_if_changed }}"
-  when: disable_ipv6
+    disable_ipv6_reload_sysctl_if_changed: "{{ hardening_reload_sysctl_if_changed }}"
+  when: hardening_disable_ipv6
 
 - name: Force all notified handlers to run at this point
   ansible.builtin.meta: flush_handlers
diff --git a/test/playbook.yml b/test/playbook.yml
@@ -6,12 +6,12 @@
   tasks:
     - name: Include the role from the parent directory
       ansible.builtin.include_role: { name: "{{ playbook_dir | dirname }}" }
-      vars:
+      vars: # noqa: var-naming[no-role-prefix]
         ansible_become: true
-        private_dirs: ["/home/{{ ansible_user_id }}"]
-        sshd_addressfamily_inet: true
-        sshd_disable_psw_auth: false
-        disable_ipv6: true
-        restart_sshd_if_changed: true
-        restart_timesyncd_if_changed: true
-        reload_sysctl_if_changed: true
+        hardening_private_dirs: ["/home/{{ ansible_user_id }}"]
+        hardening_sshd_addressfamily_inet: true
+        hardening_sshd_disable_psw_auth: false
+        hardening_disable_ipv6: true
+        hardening_restart_sshd_if_changed: true
+        hardening_restart_timesyncd_if_changed: true
+        hardening_reload_sysctl_if_changed: true