From 117098be39ae73524ef983758e4b1e22ea5c8705 Mon Sep 17 00:00:00 2001
From: Julien D
Date: Fri, 19 Jul 2024 17:51:12 +0200
Subject: [PATCH] fix/improve-ci-and-resources-used (#16)

CI improvments:
* removed main branch CI because it is not used. Branch PR tests are currently enough.
* removed cache apt step due to erroring and general complexity / unstability.
* add linting and remove unused linting elements.
* only run the linting related tasks on linting PRs to save resources.
---
 .ansible-lint | 1 +
 .../workflows/ci-vagrant-playbook-test.yml | 103 ------------------
 .github/workflows/deps-new-version-test.yml | 15 +--
 .github/workflows/lint.yml | 18 +++
 README.md | 19 +++-
 action-lint/Dockerfile | 24 ----
 action-lint/entrypoint.sh | 11 --
 setup-playbook.yml | 1 +
 testing/vars.yml | 2 +-
 9 files changed, 37 insertions(+), 157 deletions(-)
 delete mode 100644 .github/workflows/ci-vagrant-playbook-test.yml
 create mode 100644 .github/workflows/lint.yml
 delete mode 100644 action-lint/Dockerfile
 delete mode 100755 action-lint/entrypoint.sh

diff --git a/.ansible-lint b/.ansible-lint
index e17f481..2fd0854 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -4,5 +4,6 @@ exclude_paths:
 - .git/
 - .github/
 - .pre-commit-config.yaml
+ - testing/test-new-version-hardening.yml
 warn_list:
 - var-naming[no-role-prefix]
diff --git a/.github/workflows/ci-vagrant-playbook-test.yml b/.github/workflows/ci-vagrant-playbook-test.yml
deleted file mode 100644
index 7624fb6..0000000
--- a/.github/workflows/ci-vagrant-playbook-test.yml
+++ /dev/null
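Review bot: The new `exclude_paths` entry takes `testing/test-new-version-hardening.yml` out of linting altogether, while setup-playbook.yml in this same patch handles the `var-naming[no-role-prefix]` finding with a targeted `# noqa: var-naming[no-role-prefix]` on its `vars:` block. If the exclusion exists for that same finding, the narrower noqa keeps the test playbook covered by every other rule; if the file is instead produced by the deps workflow and is not a maintained source file, that is worth stating next to the entry, e.g. `# generated by the deps-new-version-test workflow, not a maintained source file`. Which case applies is not visible from this hunk.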
@@ -1,103 +0,0 @@ -name: "ci: Vagrant playbooks test" - -on: - workflow_dispatch: # Allows manual trigger of the workflow - schedule: - - cron: "30 5 * * */3" # Scheduled to run every three months at 5:30 AM - pull_request: # Triggered on pull request events for the specified branches - branches: - - main - -jobs: - ci-vagrant-playbook-test: - if: ${{ !startsWith(github.head_ref, 'renovate/') }} # Checks if the source branch starts with "renovate/" - runs-on: ubuntu-22.04 - env: - VAGRANT_DIR: ~/.vagrant.d/boxes - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - # Checks out the repository code for use in actions, ensuring actions can interact with repository content - - - name: Install Dependencies for this to run - run: | - sudo apt update - sudo apt -y install apt-transport-https ca-certificates curl software-properties-common - wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg - echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list - sudo apt-get update - sudo apt-get install -y virtualbox virtualbox-dkms vagrant python3-pip - vagrant plugin install vagrant-vbguest - vagrant plugin install vagrant-disksize - - - name: Cache apt packages - uses: actions/cache@v4 - with: - path: | - /var/cache/apt/archives - /var/lib/apt/lists - key: ${{ runner.os }}-apt-${{ hashFiles('**/Dockerfile') }} - restore-keys: | - ${{ runner.os }}-apt- - # Caches the downloaded apt packages to save time and bandwidth on subsequent runs - - - name: Install requirements for Python and Ansible - run: | - pip install -r requirements.txt - ansible-galaxy install -r requirements.yml --force - - - name: Cache Python packages - uses: actions/cache@v4 - with: - path: ~/.cache/pip - key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt', '**/requirements.yml') }} - 
restore-keys: | - ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }} - ${{ runner.os }}-pip- - # Caches the downloaded Python packages to save time and bandwidth on subsequent runs - - - name: Prepare Ansible playbook for testing - run: cp setup-playbook.yml testing/being_tested.yml - # Copies the setup-playbook.yml to the testing directory and renames it for test execution - - - name: Inject vars_files into Playbook - run: | - cat testing/being_tested.yml - sed -i '/any_errors_fatal: true/a \ - vars_files:\ - - vars.yml' testing/being_tested.yml - cat testing/being_tested.yml - - - name: Remove blocking lines from testing/being_tested.yml for vagrant testing - run: | - sed -i '/sshd_allow_users:/d' testing/being_tested.yml - sed -i '/sshd_allow_groups:/d' testing/being_tested.yml - - - name: Run vagrant up - run: vagrant up - # Initializes and provisions the Vagrant environment as defined in Vagrantfile - - - name: SSH into the box after boot - run: | - vms=$(vagrant status | grep 'running (' | cut -d' ' -f1) - - for vm in $vms; do - echo "Running command on VM: $vm" - vagrant ssh $vm -c "echo 'hello world!'" - done - # Tests SSH into the Vagrant boxex and runs a simple echo command to ensure functionality - - - name: Cache Vagrant boxes - uses: actions/cache@v4 - with: - path: ${{ env.VAGRANT_DIR }} - key: ${{ runner.os }}-vagrant-${{ hashFiles('**/Vagrantfile') }} - restore-keys: | - ${{ runner.os }}-vagrant- - # Caches the downloaded Vagrant boxes to save time and bandwidth on subsequent runs - - - name: Clean up Vagrant session - run: vagrant halt && vagrant destroy -f - if: always() - # Gracefully shuts down and cleans up the Vagrant environment, ensuring no resources are left running diff --git a/.github/workflows/deps-new-version-test.yml b/.github/workflows/deps-new-version-test.yml index 916b9f0..96ddbbe 100644 --- a/.github/workflows/deps-new-version-test.yml +++ b/.github/workflows/deps-new-version-test.yml 
@@ -6,7 +6,7 @@ on: - main jobs: vagrant-test-new-deps-version: - if: startsWith(github.head_ref, 'renovate/') # Checks if the source branch starts with "renovate/" + if: (!contains(github.event.pull_request.title, 'dependency ansible-lint')) # Checks the merge request except on some specific deps update runs-on: ubuntu-22.04 env: VAGRANT_DIR: ~/.vagrant.d/boxes @@ -27,17 +27,6 @@ jobs: vagrant plugin install vagrant-vbguest vagrant plugin install vagrant-disksize - - name: Cache apt packages - uses: actions/cache@v4 - with: - path: | - /var/cache/apt/archives - /var/lib/apt/lists - key: ${{ runner.os }}-apt-${{ hashFiles('**/Dockerfile') }} - restore-keys: | - ${{ runner.os }}-apt- - # Caches the downloaded apt packages to save time and bandwidth on subsequent runs - - name: Install requirements for Python and Ansible run: | pip install -r requirements.txt @@ -91,7 +80,7 @@ jobs: update-version-in-playbook: needs: vagrant-test-new-deps-version # This job runs after vagrant-test-new-deps-version succeeds runs-on: ubuntu-latest - if: success() && contains(github.event.pull_request.title, 'konstruktoid.hardening') + if: success() && contains(github.event.pull_request.title, 'dependency konstruktoid.hardening') steps: - name: Checkout repository uses: actions/checkout@v4 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml new file mode 100644 index 0000000..c767e5e --- /dev/null +++ b/.github/workflows/lint.yml @@ -0,0 +1,18 @@ +on: [push, pull_request] +name: Ansible Lint + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Lint Ansible Playbook + uses: ansible/ansible-lint-action@eb92667e07cc18e1d115ff02e5f07126310cec11 # main \ No newline at end of file 
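Review bot: The `if:` on `vagrant-test-new-deps-version` now keys on free-form PR title text, `!contains(github.event.pull_request.title, 'dependency ansible-lint')`, and the third hunk in this file gates `update-version-in-playbook` on the title the same way. A title is set by whoever opens the PR (for Renovate, by a configurable template), so a renamed bot PR silently runs or skips the Vagrant job and the version-update job, whereas the replaced `startsWith(github.head_ref, 'renovate/')` check keyed on a branch name the bot creates. On any trigger other than `pull_request` the title is empty, `contains()` is false and the negated condition is true, so the job runs unconditionally there; only the tail of the `on:` block is visible in this hunk, so whether other triggers exist cannot be confirmed. If the intent is "every PR except the ansible-lint bump", making that explicit guards both cases: `if: github.event_name == 'pull_request' && !contains(github.event.pull_request.title, 'dependency ansible-lint')`, with a comment above the job naming the PR titles expected to skip it.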
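Review bot: `on: [push, pull_request]` in the new lint.yml triggers two lint runs for every PR opened from a branch in this repository (one for the push, one for the pull_request event), which works against the resource-saving goal stated in the commit message; `on: pull_request` alone, or `push` limited to `branches: [main]` next to `pull_request`, gives one run per change. The three actions are pinned by commit SHA under `permissions: contents: read`, which is the right shape, but the `# main` comment on the `ansible-lint-action` pin marks it as tracking an unreleased branch head rather than a tagged release like the other two (`# v2.8.1`, `# v4.1.7`), so pinning to a release or commenting why `main` is required keeps the update policy readable. `egress-policy: audit` on harden-runner only records outbound connections and does not restrict them; a comment saying the policy is audit-only, or a later switch to `block` once the lint job's egress is known, avoids it being read as enforcement. The file also ends without a trailing newline (`\ No newline at end of file`).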
diff --git a/README.md b/README.md
index e53cb68..52f3b19 100644
--- a/README.md
+++ b/README.md
@@ -1,17 +1,26 @@
-# deb-server-management
-Server management playbooks
+# linux-server-management
+Server management playbooks for Debian/Ubuntu based Linux.
 ### Pre-requisites
+
 Pre-requisite commands depends on your OS.
+Install the software needed to launch this and its automated testing scripts:
+
+#### Debian-based Linux
+```
+sudo apt update
+sudo apt install virtualbox vagrant python3-pip
+```
 #### Mac OS
-Then, install the software needed to launch this and its automatic testing:
 ```
-brew install vagrant
+brew install python
+python3 -m ensurepip --upgrade
 brew install --cask virtualbox
+brew install vagrant
 ```
-### Before running anything from this repository
+### Before running anything
 Before running anything from this repository, install the following (after the Pre-requisites specific to your OS)
 ```
 pip install -r requirements.txt
diff --git a/action-lint/Dockerfile b/action-lint/Dockerfile
deleted file mode 100644
index 4ad72a9..0000000
--- a/action-lint/Dockerfile
+++ /dev/null
@@ -1,24 +0,0 @@
-FROM konstruktoid/alpine
-
-LABEL "com.github.actions.name"="Lint - Upstream main"
-LABEL "com.github.actions.description"="Upstream main ansible-lint"
-LABEL "com.github.actions.icon"="shield"
-LABEL "com.github.actions.color"="purple"
-
-LABEL "repository"="https://github.com/konstruktoid/ansible-role-hardening"
-LABEL "homepage"="https://github.com/konstruktoid/ansible-role-hardening"
-LABEL "maintainer"="Thomas Sjögren "
-
-ENV CRYPTOGRAPHY_DONT_BUILD_RUST 1
-ENV PATH="${PATH}:/root/.local/bin"
-
-RUN apk --update --no-cache add cargo gcc git g++ libffi-dev openssl-dev \
- musl-dev python3-dev py3-pip && \
- if [ ! -e /usr/bin/python ]; then ln -sf python3 /usr/bin/python ; fi && \
- python3 -m pip install --break-system-packages --no-cache-dir --upgrade pipx && \
- python3 -m pipx install git+https://github.com/ansible/ansible-lint.git && \
- apk del gcc musl-dev python3-dev && \
- rm -rf /var/cache/*
-
-COPY entrypoint.sh /entrypoint.sh
-ENTRYPOINT ["/entrypoint.sh"]
diff --git a/action-lint/entrypoint.sh b/action-lint/entrypoint.sh
deleted file mode 100755
index 7a2e187..0000000
--- a/action-lint/entrypoint.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/sh -l
-
-export PATH="${PATH}:/root/.local/bin"
-
-echo "# Running ansible-lint"
-ansible-lint --version
-
-if ! ansible-lint --exclude .git --exclude .github -v; then
- echo 'ansible-lint failed.'
- exit 1
-fi
diff --git a/setup-playbook.yml b/setup-playbook.yml
index 12becdf..cde4692 100644
--- a/setup-playbook.yml
+++ b/setup-playbook.yml
@@ -39,6 +39,7 @@
 ansible.builtin.include_role:
 name: konstruktoid.hardening
 vars:
+ # noqa: var-naming[no-role-prefix]
 auditd_action_mail_acct: "{{ AUDITD_ACTION_MAIL_ACCT }}"
 manage_ufw: "{{ MANAGE_UFW }}"
 ufw_outgoing_traffic: "{{ UFW_OUTGOING_TRAFFIC }}"
diff --git a/testing/vars.yml b/testing/vars.yml
index e229249..e42e25c 100644
--- a/testing/vars.yml
+++ b/testing/vars.yml
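Review bot: The standalone `# noqa: var-naming[no-role-prefix]` under `vars:` silences a rule that `.ansible-lint` already downgrades via `warn_list` (first hunk of this patch), so the same finding is suppressed twice; keep one — the noqa if only this block should be exempt, the warn_list entry if the rule is tolerated repo-wide — and drop the other so the remaining one is meaningful. A short reason next to the noqa would also help, since the keys here look like the hardening role's own variable names that cannot be renamed with a prefix: `# noqa: var-naming[no-role-prefix]  # role-defined variable names; a prefix would break the include`. Whether ansible-lint honours a noqa on its own line inside a task rather than on the task's first line depends on the ansible-lint version pinned in requirements.txt, which is not shown here. The include_role task starts before this hunk.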
@@ -1,4 +1,4 @@
-# This file is not automatically injected during the testing.
+# This file is not automatically injected during the testing.
 # You must add vars_files:
 # - vars.yml
 # in testing/being_tested.yml for it to be considered.