Updated self-check tasks on a few roles

roles/dovecot/tasks/check/auth.yml

@@ -1,6 +1,7 @@
 ---
 
 - name: Test authentication on the first user
+  when: system.devel
   ansible.builtin.shell: >-
     set -o pipefail ;
     doveadm auth login -- '{{ user0_uid }}' '{{ user0_password }}'

roles/dovecot/tasks/check/fts.yml

@@ -4,7 +4,6 @@
 # These tests are sending and receiving emails
 # They need to be done on development servers only
 - name: Test parsing script ({{ attachment.description }})
-  when: system.devel
   ansible.builtin.include_tasks: ./fts-test-script.yml
   loop: '{{ attachments | selectattr("script_test", "equalto", true) | list }}'
   loop_control:

roles/dovecot/tasks/check/main.yml

@@ -16,5 +16,5 @@
   ansible.builtin.include_tasks: check/apparmor.yml
 
 - name: Run full text search checks
-  when: mail.fts.active
+  when: mail.fts.active and system.devel
   ansible.builtin.include_tasks: check/fts.yml

roles/ldap-openldap/vars/main.yml

@@ -10,7 +10,6 @@ ldap_packages:
   install:
     - cracklib-runtime
     - ldap-utils
-    - ldapscripts
     - ldapvi
     - libldap-common
     - libpam-pwquality

roles/mta-sts/tasks/install/nginx.yml

@@ -15,7 +15,7 @@
   loop:
     - name: index.html
     - name: mta-sts.txt
-      grafana.grafana.folder: .well-known/
+      folder: .well-known/
   loop_control:
     loop_var: file
   tags: nginx

roles/nginx/tasks/check/apparmor.yml

@@ -5,6 +5,8 @@
   ansible.builtin.shell: >-
     set -o pipefail;
     aa-status --json | jq '.profiles["/usr/sbin/nginx"]'
+  args:
+    executable: /bin/bash
   changed_when: false
   failed_when: >
     aa_status.stdout | trim('"') != "enforce"

roles/opendkim/tasks/check/apparmor.yml

@@ -5,6 +5,8 @@
   ansible.builtin.shell: >-
     set -o pipefail;
     aa-status --json | jq '.profiles["/usr/sbin/opendkim"]'
+  args:
+    executable: /bin/bash
   changed_when: false
   failed_when: >
     {{ aa_status.stdout | trim('"') != "enforce" }}

roles/opendmarc/tasks/check/apparmor.yml

@@ -5,6 +5,8 @@
   ansible.builtin.shell: >-
     set -o pipefail;
     aa-status --json | jq '.profiles["/usr/sbin/opendmarc"]'
+  args:
+    executable: /bin/bash
   changed_when: false
   failed_when: >
     {{ aa_status.stdout | trim('"') != "enforce" }}

roles/postfix/tasks/check/apparmor.yml

@@ -1,13 +1,16 @@
 ---
 
-- name: Check that opendkim is running in enforced mode
+- name: Check that postfix kbinary is running in enforced mode
   register: aa_status
   ansible.builtin.shell: >-
     set -o pipefail;
-    aa-status --json | jq '.profiles["{{ sogo_binary }}"]'
+    aa-status --json | jq '.profiles["{{ postfix_binary }}"]'
   changed_when: false
-  loop: '{{ sogo_binaries }}'
+  args:
+    executable: /bin/bash
+  loop: '{{ postfix_binaries }}'
   loop_control:
-    loop_var: sogo_binary
+    loop_var: postfix_binary
   failed_when: >
     aa_status.stdout | trim('"') != "enforce"
+  tags: apparmor

roles/postfix/tasks/check/main.yml

@@ -12,14 +12,21 @@
 - name: Check the LDAP mapping
   ansible.builtin.include_tasks: check/ldap-mapping.yml
 
+- name: Check AppArmor
+  ansible.builtin.include_tasks: check/apparmor.yml
+  tags: apparmor
+
+- name: Check TLS settings
+  ansible.builtin.include_tasks: check/tls.yml
+
 - name: Check simple email reception
+  when: system.devel
   ansible.builtin.include_tasks: check/simple-email.yml
 
 - name: Check email reception with UTF8 email address
+  when: system.devel
   ansible.builtin.include_tasks: check/utf8-email.yml
 
 - name: Check email reception with extension
+  when: system.devel
   ansible.builtin.include_tasks: check/extension-email.yml
-
-- name: Check TLS settings
-  ansible.builtin.include_tasks: check/tls.yml

roles/postfix/vars/main.yml

@@ -89,3 +89,31 @@ exim_packages:
   - exim4-base
   - exim4-config
   - exim4-daemon-light
+
+
+postfix_binaries:
+  - /usr/lib/postfix/anvil
+  - /usr/lib/postfix/bounce
+  - /usr/lib/postfix/cleanup
+  - /usr/lib/postfix/discard
+  - /usr/lib/postfix/error
+  - /usr/lib/postfix/flush
+  - /usr/lib/postfix/lmtp
+  - /usr/lib/postfix/local
+  - /usr/lib/postfix/master
+  - /usr/lib/postfix/nqmgr
+  - /usr/lib/postfix/oqmgr
+  - /usr/lib/postfix/pickup
+  - /usr/lib/postfix/pipe
+  - /usr/lib/postfix/proxymap
+  - /usr/lib/postfix/qmgr
+  - /usr/lib/postfix/qmqpd
+  - /usr/lib/postfix/scache
+  - /usr/lib/postfix/showq
+  - /usr/lib/postfix/smtp
+  - /usr/lib/postfix/smtpd
+  - /usr/lib/postfix/spawn
+  - /usr/lib/postfix/tlsmgr
+  - /usr/lib/postfix/trivial-rewrite
+  - /usr/lib/postfix/verify
+  - /usr/lib/postfix/virtual

roles/prometheus/tasks/check/nginx.yml

@@ -1,8 +1,8 @@
 ---
 
-- name: Load prometheus home page
+- name: Ensure prometheus is not publicly accessible
   delegate_to: localhost
   become: false
   ansible.builtin.uri:
     url: https://prometheus.{{ network.domain }}/
-    return_content: true
+    status_code: [ 401 ]

roles/rspamd/tasks/check/apparmor.yml

@@ -5,6 +5,8 @@
   ansible.builtin.shell: >-
     set -o pipefail;
     aa-status --json | jq '.profiles["/usr/bin/rspamd"]'
+  args:
+    executable: /bin/bash
   changed_when: false
   failed_when: >-
     {{ aa_status.stdout | trim('"') != "enforce" }}

roles/sogo/tasks/check/apparmor.yml

@@ -5,6 +5,8 @@
   ansible.builtin.shell: >-
     set -o pipefail;
     aa-status --json | jq '.profiles["{{ sogo_binary }}"]'
+  args:
+    executable: /bin/bash
   changed_when: false
   loop: '{{ sogo_binaries }}'
   loop_control:

roles/user-setup/tasks/check/main.yml

@@ -1,12 +1,19 @@
 ---
 
-- name: Check that every user is in the system, with the correct attributes
-  ansible.builtin.shell: >-
-    set -o pipefail ;
-    getent passwd {{ user.uid }}
-  changed_when: false
-  args:
-    executable: /bin/bash
+- name: Check that every user is in the system
+  ansible.builtin.getent:
+    key: '{{ user.uid }}'
+    service: ldap
+    database: passwd
+  loop: '{{ users }}'
+  loop_control:
+    loop_var: user
+
+- name: Check that every user has a specific group
+  ansible.builtin.getent:
+    key: '{{ user.uid }}'
+    service: ldap
+    database: group
   loop: '{{ users }}'
   loop_control:
     loop_var: user

roles/webdav/tasks/check/dns.yml

@@ -3,4 +3,4 @@
 - name: Check the DNS entry
   ansible.builtin.getent:
     database: hosts
-    key: 'autodiscover.{{ network.domain }}'
+    key: 'webdav.{{ network.domain }}'

roles/webdav/tasks/check/grade.yml

@@ -2,7 +2,7 @@
 
 - name: Load TLS ciphers used
   register: tls_ciphers_report
-  ansible.builtin.shell: sslscan --no-colour autodiscover.{{ network.domain }}:443
+  ansible.builtin.shell: sslscan --no-colour webdav.{{ network.domain }}:443
   changed_when: false
 
 - name: Ensure authorised TLS cipher are used

roles/webdav/tasks/check/nginx.yml

@@ -1,28 +1,9 @@
 ---
 
-- name: Check if the autodiscover site is active
+- name: Ensure the server is not in public access
   ansible.builtin.uri:
-    url: 'https://autodiscover.{{ network.domain }}/'
+    url: 'https://webdav.{{ network.domain }}/'
     method: HEAD
     body: ''
-    status_code: 200
+    status_code: 401
     return_content: true
-
-- name: Download the XML autodiscover file
-  vars:
-    email: 'postmaster@{{ network.domain }}'
-  ansible.builtin.uri:
-    url: 'https://autodiscover.{{ network.domain }}/autodiscover/autodiscover.xml'
-    method: POST
-    body: ''
-    status_code: 200
-    dest: /tmp/autodiscover.xml
-
-- name: Check the autodiscover answer is valid
-  ansible.builtin.shell: xmllint /tmp/autodiscover.xml
-  changed_when: false
-
-- name: Remove the downloaded file
-  ansible.builtin.file:
-    path: /tmp/autodiscover.xml
-    state: absent

roles/website-simple/tasks/check/dns.yml

@@ -1,6 +1,6 @@
 ---
 
-- name: Check the DNS entry
+- name: Check that the DNS entry exists
   ansible.builtin.getent:
     database: hosts
     key: 'www.{{ network.domain }}'