lint: ansible-lint suggested updates

2025-11-01 15:07:36 +00:00 · 2025-11-01 15:07:36 +00:00 · 5217ffad5b
commit 5217ffad5b
parent 2ba6c6691b
20 changed files with 137 additions and 56 deletions
--- a/roles/baseline/handlers/main.yml
+++ b/roles/baseline/handlers/main.yml
@ -4,6 +4,7 @@
    cmd: grub2-mkconfig -o /boot/grub2/grub.cfg

 - name: Restart systemd-resolved
-  service:
+  ansible.builtin.systemd_service:
    name: systemd-resolved
    state: restarted
+    daemon_reload: true
--- a/roles/baseline/tasks/disk_partitions.yml
+++ b/roles/baseline/tasks/disk_partitions.yml
@ -20,7 +20,7 @@
  community.general.parted:
    device: "{{ baseline_second_disk_device }}"
    number: 1
-    flags: [ lvm ]
+    flags: [lvm]
    state: present
    part_start: "0%"
    part_end: "100%"
@ -138,6 +138,8 @@
    - name: Disk Partitions | PATCH | Enter emergency mode
      ansible.builtin.command:
        cmd: systemctl isolate emergency.target
+      tags:
+        - skip_ansible_lint  # Not possible with ansible.builtin.systemd_service

    - name: Disk Partitions | PATCH | Unmount /var/lib/nfs/rpc_pipefs if mounted
      ansible.posix.mount:
@ -158,3 +160,5 @@
    - name: Disk Partitions | PATCH | Restore default mode
      ansible.builtin.command:
        cmd: systemctl isolate default.target
+      tags:
+        - skip_ansible_lint  # Not possible with ansible.builtin.systemd_service
--- a/roles/baseline/tasks/disk_partitions_migrate.yml
+++ b/roles/baseline/tasks/disk_partitions_migrate.yml
@ -1,18 +1,18 @@
 ---
- name: 'Disk Partitions | PATCH | Rename {{ baseline_second_disk_migrate_path }} to {{ baseline_second_disk_migrate_path }}.old'
+- name: 'Disk Partitions | PATCH | Rename directory to directory.old | {{ baseline_second_disk_migrate_path }}'
  ansible.builtin.command:
    cmd: 'mv {{ baseline_second_disk_migrate_path }} {{ baseline_second_disk_migrate_path }}.old'

 - name: 'Disk Partitions | PATCH | Mount {{ baseline_second_disk_migrate_path }}'
  ansible.posix.mount:
-    src: "/dev/mapper/datavg-{{ baseline_second_disk_migrate_path  | replace('/', '', 1) | replace('/', '_') }}"
+    src: "/dev/mapper/datavg-{{ baseline_second_disk_migrate_path | replace('/', '', 1) | replace('/', '_') }}"
    path: '{{ baseline_second_disk_migrate_path }}'
    fstype: 'xfs'
    opts: 'rw,{{ "noexec," if baseline_second_disk_migrate_path != "/var" else "" }}nosuid,nodev'
    state: mounted
  # TODO: systemctl daemon-reload after modifying /etc/fstab

- name: 'Disk Partitions | PATCH | Set {{ baseline_second_disk_migrate_path }} permissions'
+- name: 'Disk Partitions | PATCH | Set permissions | {{ baseline_second_disk_migrate_path }}'
  ansible.builtin.file:
    path: '{{ baseline_second_disk_migrate_path }}'
    owner: root
@ -20,12 +20,12 @@
    mode: '0755'
    state: directory

- name: 'Disk Partitions | PATCH | Move {{ baseline_second_disk_migrate_path }} content'
+- name: 'Disk Partitions | PATCH | Move content | {{ baseline_second_disk_migrate_path }}'
  ansible.builtin.shell:
    cmd: 'cp -ax * {{ baseline_second_disk_migrate_path }}/'
    chdir: '{{ baseline_second_disk_migrate_path }}.old'

- name: 'Disk Partitions | PATCH | Delete {{ baseline_second_disk_migrate_path }}.old'
+- name: 'Disk Partitions | PATCH | Delete directory.old | {{ baseline_second_disk_migrate_path }}'
  ansible.builtin.file:
    path: '{{ baseline_second_disk_migrate_path }}.old'
    state: absent
--- a/roles/baseline/tasks/ipaclient.yml
+++ b/roles/baseline/tasks/ipaclient.yml
@ -7,15 +7,15 @@

 - name: FreeIPA Client | AUDIT | Check current authselect configuration
  ansible.builtin.command: authselect current
-  register: freeipa_authselect_status
+  register: _baseline_freeipa_authselect_status
  changed_when: false

 - name: FreeIPA Client | PATCH | Apply authselect profile with sssd, sudo, and mkhomedir if not set
  ansible.builtin.command: authselect select sssd with-sudo with-mkhomedir --force
  when: >
-    'Profile ID: sssd' not in freeipa_authselect_status.stdout or
-    'with-sudo' not in freeipa_authselect_status.stdout or
-    'with-mkhomedir' not in freeipa_authselect_status.stdout
+    'Profile ID: sssd' not in _baseline_freeipa_authselect_status.stdout or
+    'with-sudo' not in _baseline_freeipa_authselect_status.stdout or
+    'with-mkhomedir' not in _baseline_freeipa_authselect_status.stdout

 - name: FreeIPA Client | PATCH | Enable oddjobd.service (for with-mkhomedir feature)
  ansible.builtin.systemd_service:
--- a/roles/baseline/tasks/lockdown.yml
+++ b/roles/baseline/tasks/lockdown.yml
@ -1,15 +1,10 @@
 ---
 - name: Lockdown | AUDIT | Check current authselect configuration
-  command: authselect current
+  ansible.builtin.command: authselect current
  register: baseline_lockdown_authselect_status
  failed_when: false  # Exit code is 2 when not configured
  changed_when: false

- name: Lockdown | AUDIT | Do not disable root login if no authselect profile configured
-  ansible.builtin.set_fact:
-    rhel9cis_rule_5_1_20: false
-  when: baseline_lockdown_authselect_status.rc == 2
-
 - name: Lockdown | PATCH | Run Ansible Lockdown (RHEL9-CIS)
  ansible.builtin.include_role:
    name: RHEL9-CIS
@ -19,11 +14,12 @@
    rhel9cis_rule_1_7_4: false
    # Don't restrict user SSH access in sshd_config - this is managed by FreeIPA
    rhel9cis_rule_5_1_7: false
+    # Only disable root login once authselect is configured
+    rhel9cis_rule_5_1_20: "{{ baseline_lockdown_authselect_status.rc != 2 }}"
    # TODO: figure out boot password
    rhel9cis_set_boot_pass: false
    # TODO: We intend to later deploy a remote rsyslog sink
    rhel9cis_syslog: rsyslog
    rhel9cis_time_synchronization_servers: "{{ baseline_ntp_servers }}"
    rhel9cis_warning_banner: "{{ baseline_warning_banner }}"
-    rhel9cis_sshd_denyusers: "admin nobody"
  when: (ansible_distribution == "Rocky") and (ansible_distribution_major_version == "9")
--- a/roles/baseline/tasks/main.yml
+++ b/roles/baseline/tasks/main.yml
@ -20,6 +20,7 @@
  when: baseline_second_disk_device is defined

 - name: Baseline | PATCH | Enable EPEL repository
+  when: (baseline_epel_packages_allowed is defined) and (baseline_epel_packages_allowed | length > 0)
  block:
    - name: Baseline | PATCH | Install epel-release
      ansible.builtin.dnf:
@ -37,7 +38,6 @@
        section: epel-cisco-openh264
        option: enabled
        value: 0
-  when: (baseline_epel_packages_allowed is defined) and (baseline_epel_packages_allowed | length > 0)

 - name: Baseline | PATCH | Remove EPEL repository
  ansible.builtin.dnf:
--- a/roles/baseline/tasks/solusvm.yml
+++ b/roles/baseline/tasks/solusvm.yml
@ -19,14 +19,14 @@

 - name: SolusVM Guest | AUDIT | Check for tuned profile
  ansible.builtin.command: tuned-adm active
-  register: vps_tuned_profile
+  register: _baseline_solusvm_tuned_profile
  become: true
  changed_when: false

 - name: SolusVM Guest | PATCH | Start tuned profile (virtual-guest)
-  ansible.builtin.shell: tuned-adm profile virtual-guest
+  ansible.builtin.command: tuned-adm profile virtual-guest
  become: true
-  when: "'virtual-guest' not in vps_tuned_profile.stdout"
+  when: "'virtual-guest' not in _baseline_solusvm_tuned_profile.stdout"

 - name: SolusVM Guest | PATCH | Remove console=ttyS0,115200n8 from bootloader configurations
  ansible.builtin.replace: