Merge branch 'update-2024-01' into 'main'

Update 2024-01

See merge request xebis/xebis-ansible-collection!10

.ansible-lint.yml

@@ -1,5 +1,6 @@
 ---
+profile: production
 exclude_paths:
   - tests/
 skip_list:
-  - galaxy[version-incorrect] # Until the version is less than 1.0.0
+  - galaxy[version-incorrect] # Until the version is 1.0.0

.gitignore

@@ -1,2 +1,3 @@
 .cache/
 .venv/
+.envrc

.gitlab-ci.yml

@@ -17,9 +17,9 @@ variables:
   variables:
     PIP_CACHE_DIR: $CI_PROJECT_DIR/.cache/pip
     PRE_COMMIT_HOME: $CI_PROJECT_DIR/.cache/pre-commit
+    GITLAB_PRIVATE_TOKEN: $GL_TOKEN
     # Skip protect-first-parent pre-commit hook until `[ERROR] caught error 1 on line 69 of ...: FIRST_PARENT="$(git show-ref -s "${BASE}")"` is fixed
-    # Skip gitlab-ci-linter pre-commit hook until `urllib.error.HTTPError: HTTP Error 404: Not Found` is fixed
-    SKIP: check-hooks-apply,protect-first-parent,gitlab-ci-linter
+    SKIP: check-hooks-apply,protect-first-parent
   before_script:
     - *default_before_script
     - apk --no-cache add ansible bash git go grep npm py-pip python3-dev shellcheck shfmt
@@ -53,7 +53,7 @@ variables:
 lint:
   extends: [.lint]
   variables:
-    SKIP: check-hooks-apply,protect-first-parent,gitlab-ci-linter,anti-todo
+    SKIP: check-hooks-apply,protect-first-parent,anti-todo
   rules:
     - if: $CI_PIPELINE_SOURCE != 'merge_request_event'
 

.pre-commit-config.yaml

@@ -53,7 +53,7 @@ repos:
       - id: codespell
         exclude: .*\.conf.j2$
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.37.0
+    rev: v0.38.0
     hooks:
       - id: markdownlint
   - repo: https://github.com/adrienverge/yamllint.git
@@ -65,6 +65,7 @@ repos:
     rev: v1.0.6
     hooks:
       - id: gitlab-ci-linter
+        args: [--project, xebis/xebis-ansible-collection]
   - repo: local
     hooks:
       - id: anti-todo
@@ -89,15 +90,18 @@ repos:
         language: system
         types: [shell]
   - repo: https://github.com/gitleaks/gitleaks
-    rev: v8.17.0
+    rev: v8.18.1
     hooks:
       - id: gitleaks
   - repo: https://github.com/ansible-community/ansible-lint
-    rev: v6.20.3
+    rev: v6.22.1
     hooks:
       - id: ansible-lint
         args: [-c, .ansible-lint.yml]
   - repo: https://github.com/bridgecrewio/checkov.git
-    rev: 2.5.8
+    rev: 3.1.50
     hooks:
       - id: checkov
+        args: [--skip-path, .cache/, --skip-path, tests/helpers/, --skip-path, scripts/shellib/]
+        files: .*
+      - id: checkov_secrets

README.md

@@ -24,6 +24,7 @@ A collection of Xebis shared Ansible roles.
   - [Supported OS](#supported-os)
 - [Installation and Configuration](#installation-and-configuration)
 - [Usage](#usage)
+  - [Caveats](#caveats)
 - [Contributing](#contributing)
   - [Development](#development)
   - [Testing](#testing)
@@ -44,7 +45,7 @@ A collection of Xebis shared Ansible roles.
 | Role | Description | Documentation | Dependencies | |
 |---|---|---|---|---|
 | [`xebis.ansible.system`](roles/system) | Well maintained operating system | Updates and upgrades `deb` packages including autoremove and autoclean, reboots the system (when necessary), provides `Reboot machine` handler |
-| [`xebis.ansible.firewall`](roles/firewall) | Extensible nftables firewall | Installs `nftables` and sets up basic extensible nftables chains and rules, provides `Reload nftables` handler, see [Firewall role README.md](roles/firewall/README.md) for usage, configuration, and examples | [`xebis.ansible.system`](roles/system) |
+| [`xebis.ansible.firewall`](roles/firewall) | Extensible nftables firewall | Installs `nftables` and sets up basic extensible nftables chains and rules, provides `Revalidate and reload nftables` and `Reload nftables` handlers, see [Firewall role README.md](roles/firewall/README.md) for usage, configuration, and examples | [`xebis.ansible.system`](roles/system) |
 | [`xebis.ansible.fail2ban`](roles/fail2ban) | Fail2ban service | Installs `fail2ban` and sets it up as a systemd service | [`xebis.ansible.system`](roles/system) [`xebis.ansible.firewall`](roles/firewall) |
 | [`xebis.ansible.iam`](roles/iam) | IAM | Creates user groups and users as regular users or admins, their public SSH keys, disables password remote logins, provides `Restart sshd` handler, see [IAM role README.md](roles/iam/README.md) for usage, configuration, and examples | [`xebis.ansible.system`](roles/system) [`xebis.ansible.firewall`](roles/firewall) [`xebis.ansible.fail2ban`](roles/fail2ban) |
 | [`xebis.ansible.bash`](roles/bash) | Extensible Bash | Installs `~/.bash_aliases` and sets up basic extensible Bash aliases, see [Bash role README.md](roles/bash/README.md) for usage, configuration, and examples | [`xebis.ansible.system`](roles/system) |
@@ -56,6 +57,10 @@ A collection of Xebis shared Ansible roles.
 | [`xebis.ansible.engineering`](roles/engineering) | Engineering essentials | Installs and sets up `direnv` | [`xebis.ansible.system`](roles/system) |
 | [`xebis.ansible.kde`](roles/kde/) | KDE essentials | Installs `krusader` (including recommended dependencies `kdiff3`, `kget`, and `krename`), `kwin-bismuth`, sets up `nftables` firewall for KDE, and provides `Plasma Reload` desktop icon | [`xebis.ansible.system`](roles/system) [`xebis.ansible.firewall`](roles/firewall) |
 | [`xebis.ansible.multimedia`](roles/multimedia) | Multimedia essentials | Installs `audacity`, `darktable`, `digikam`, `exfat-fuse`, `exfatprogs`, `gimp`, and `rawtherapee` |[`xebis.ansible.system`](roles/system) |
+| [`xebis.ansible.slack`](roles/slack) | Slack | Installs `slack` ||
+| [`xebis.ansible.thunderbird`](roles/thunderbird) | Thunderbird | Installs `thunderbird` and sets up `nftables` firewall for Thunderbird | [`xebis.ansible.system`](roles/system) [`xebis.ansible.firewall`](roles/firewall) |
+| [`xebis.ansible.obsidian`](roles/xmind) | Obsidian | Installs `obsidian` ||
+| [`xebis.ansible.xmind`](roles/xmind) | Xmind | Installs `xmind` | [`xebis.ansible.flatpak`](roles/flatpak) |
 | [`xebis.ansible.steam`](roles/steam) | Steam | Installs `steam-installer` | [`xebis.ansible.system`](roles/system) [`xebis.ansible.firewall`](roles/firewall) |
 | [`xebis.ansible.openttd`](roles/openttd) | OpenTTD (transport simulation game) | Installs `OpenTTD` including `openttd-opensfx` | [`xebis.ansible.system`](roles/system) |
 | [`xebis.ansible.widelands`](roles/widelands) | Widelands (real-time strategy game) | Installs `Widelands` and setups firewall | [`xebis.ansible.system`](roles/system) [`xebis.ansible.firewall`](roles/firewall) [`xebis.ansible.flatpak`](roles/flatpak) |
@@ -85,6 +90,14 @@ In an Ansible playbook:
 - [IAM usage, configuration, and examples](roles/iam/README.md)
 - [Firewall usage, configuration, and examples](roles/firewall/README.md)
 
+### Caveats
+
+When a role is removed from a playbook, actions performed by the role are not reverted. This might lead to security risks and unexpected results, for example:
+
+- `xebis.ansible.iam` might leave users and their access on the system
+- `xebis.ansible.firewall` leaves firewall installed on the system
+- a role with dependency on `xebis.ansible.firewall` might leave unwanted firewall rules on the system
+
 ## Contributing
 
 Please read [CONTRIBUTING](CONTRIBUTING.md) for details on our code of conduct, and the process for submitting merge requests to us.

cspell.config.yaml

@@ -57,5 +57,6 @@ words:
   - virtualenv
   - Widelands
   - Xebis
+  - Xmind
   - xonsh
 flagWords: []

roles/docker/tasks/firewall.yml

@@ -5,7 +5,7 @@
     src: inet-fwd-docker.conf
     dest: /etc/nftables/inet-fwd-docker.conf
     mode: u=rw,g=r,o=r
-  notify: Reload nftables
+  notify: Revalidate and reload nftables
 
 - name: Enforce firewall reload now
   ansible.builtin.meta: flush_handlers

roles/firewall/README.md

@@ -2,7 +2,7 @@
 
 <!-- cSpell:ignore inet, igmp, icmpv6, ruleset, dport, Netfilter -->
 
-The role installs `nftables` and sets up basic extensible nftables chains and rules, provides `Reload nftables` handler.
+The role installs `nftables` and sets up basic extensible nftables chains and rules, provides `Revalidate and reload nftables` and `Reload nftables` handlers.
 
 ## Default Firewall Rules
 
@@ -77,24 +77,36 @@ sudo watch -d -n 1 'nft list ruleset | grep counter\.*rejected' # Watch rejected
 
 ## Extending The Firewall
 
+### Temporary Rules and Chains
+
+Example:
+
+```shell
+sudo nft insert rule inet filter inet-out tcp dport 8080 accept
+```
+
+To get rid of temporary rules and chains run `sudo /etc/nftables.conf`, or reload nftables service, reboot, etc.
+
+### Permanent Rules and Chains
+
 To extend rules and chains in a hook:
 
 1. Put nftables files to `/etc/nftables/` directory, the file naming convention:
     - `hook-name.conf`, only `inet-in`, `inet-fwd`, and `inet-out` are currently processed
     - `chain-name.conf`, only `inet-chain` is currently processed
-2. Reload nftables ruleset
-    - manually by the `/etc/nftables.conf` command
-    - in an Ansible role by calling `Reload nftables` handler
+2. Revalidate and reload nftables ruleset
+    - manually by the `sudo nft -c -f /etc/nftables.conf && sudo /etc/nftables.conf` command
+    - in an Ansible role by calling `Revalidate and reload nftables` handler
 
-### Example of Rules Extension
+#### Example of Rules Extension
 
 In `inet-in-my-app.conf`:
 
 ```nft
 tcp dport 8080 counter accept # Allow testing HTTP traffic
 ```
 
-### Example of Using a Chain
+#### Example of Using a Chain
 
 The rules file should point traffic to a chain in `inet-in-my-app.conf`:
 
@@ -112,7 +124,7 @@ chain inet-in-my-app {
 }
 ```
 
-### Example of Use in a Role
+#### Example of Use in a Role
 
 Add a role dependency in `meta` file:
 
@@ -136,7 +148,7 @@ Add Ansible task to copy files to `/etc/nftables` and reload firewall rules, for
   with_items:
     - inet-in-role.conf
     - inet-out-role.conf
-  notify: Reload nftables
+  notify: Revalidate and reload nftables
 ```
 
 ## References

roles/firewall/handlers/main.yml

@@ -1,8 +1,15 @@
 ---
+- name: Revalidate all nftables firewall rules
+  become: true
+  ansible.builtin.command:
+    cmd: nft -c -f /etc/nftables.conf
+  changed_when: true
+  listen: Revalidate and reload nftables
+  notify: Reload nftables
+
 - name: Reload all nftables firewall rules
   become: true
   ansible.builtin.command:
     cmd: /etc/nftables.conf
-  register: output
   changed_when: true
   listen: Reload nftables

roles/firewall/tasks/main.yml

@@ -19,7 +19,7 @@
     dest: /etc/nftables.conf
     mode: u=rwx,g=r,o=r
     validate: nft -c -f %s
-  notify: Reload nftables
+  notify: Revalidate and reload nftables
 
 - name: Start and enable nftables service
   become: true

roles/kde/tasks/firewall.yml

@@ -8,4 +8,4 @@
   with_items:
     - inet-in-desktop.conf
     - inet-out-desktop.conf
-  notify: Reload nftables
+  notify: Revalidate and reload nftables

roles/obsidian/tasks/main.yml

@@ -0,0 +1,7 @@
+---
+- name: Install Obsidian Snap package
+  become: true
+  community.general.snap:
+    name: obsidian
+    classic: true
+    state: present

roles/slack/tasks/main.yml

@@ -0,0 +1,7 @@
+---
+- name: Install Slack Snap package
+  become: true
+  community.general.snap:
+    name: slack
+    classic: true
+    state: present

roles/steam/tasks/firewall.yml

@@ -9,4 +9,4 @@
   with_items:
     - inet-in-steam.conf
     - inet-out-steam.conf
-  notify: Reload nftables
+  notify: Revalidate and reload nftables

roles/thunderbird/files/inet-out-thunderbird.conf

@@ -0,0 +1,3 @@
+tcp dport 143 counter accept # Allow IMAP traffic
+tcp dport 587 counter accept # Allow Email Submission traffic
+tcp dport 993 counter accept # Allow IMAPS traffic

roles/thunderbird/meta/main.yml

@@ -0,0 +1,4 @@
+---
+dependencies:
+  - role: xebis.ansible.system # Expects updated and upgraded system
+  - role: xebis.ansible.firewall # Expects extensible nftables firewall

roles/thunderbird/tasks/firewall.yml

@@ -0,0 +1,8 @@
+---
+- name: Copy Thunderbird firewall rules
+  become: true
+  ansible.builtin.copy:
+    src: inet-out-thunderbird.conf
+    dest: /etc/nftables/inet-out-thunderbird.conf
+    mode: u=rw,g=r,o=r
+  notify: Revalidate and reload nftables

roles/thunderbird/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+- name: Import firewall tasks
+  ansible.builtin.import_tasks: firewall.yml
+
+- name: Install Thunderbird deb packages
+  become: true
+  ansible.builtin.apt:
+    name:
+      - thunderbird
+    state: present

roles/widelands/tasks/firewall.yml

@@ -9,4 +9,4 @@
   with_items:
     - inet-in-widelands.conf
     - inet-out-widelands.conf
-  notify: Reload nftables
+  notify: Revalidate and reload nftables

roles/xmind/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: xebis.ansible.flatpak

roles/xmind/tasks/main.yml

@@ -0,0 +1,7 @@
+---
+- name: Install Xmind flatpak package
+  community.general.flatpak:
+    name: net.xmind.XMind
+    method: user
+    state: present
+  when: not ansible_check_mode

scripts/setup

@@ -50,8 +50,8 @@ function setup() {
 
     popd 1>/dev/null
 
-    # Install Ansible Galaxy ansible.posix collection
-    ansible-galaxy collection install community.general
+    # Install Ansible Galaxy dependencies
+    ansible-galaxy collection install -r requirements.yml
 
     # Check if GL_TOKEN is set
     if [ -z "${GL_TOKEN:-}" ]; then

tests/setup.bats

@@ -128,7 +128,7 @@ setup() {
 
     assert_success
     assert_line -n 0 'scripts/setup ✓ commit-msg hook is installed'
-    assert_line -n 1 'collection install community.general'
+    assert_line -n 1 'collection install -r requirements.yml'
     assert_line -n 2 'scripts/setup 🛈 environment variable GL_TOKEN is not set, pre-commit hook gitlab-ci-linter will be skipped'
     assert_line -n 3 'scripts/setup 💡 You might set up environment variable GL_TOKEN'
 }
@@ -160,7 +160,7 @@ setup() {
 
     assert_success
     assert_line -n 0 'scripts/setup ✓ commit-msg hook is installed'
-    assert_line -n 1 'collection install community.general'
+    assert_line -n 1 'collection install -r requirements.yml'
     assert_line -n 2 'scripts/setup ✓ GL_TOKEN is set'
 }