diff --git a/roles/dovecot/tasks/check/auth.yml b/roles/dovecot/tasks/check/auth.yml
index 8f25cce31..297a76919 100644
--- a/roles/dovecot/tasks/check/auth.yml
+++ b/roles/dovecot/tasks/check/auth.yml
@@ -1,6 +1,7 @@
 ---
 - name: Test authentication on the first user
+ when: system.devel
 ansible.builtin.shell: >-
 set -o pipefail ;
 doveadm auth login -- '{{ user0_uid }}' '{{ user0_password }}'
diff --git a/roles/dovecot/tasks/check/fts.yml b/roles/dovecot/tasks/check/fts.yml
index ffcc820af..3db49df9b 100644
--- a/roles/dovecot/tasks/check/fts.yml
+++ b/roles/dovecot/tasks/check/fts.yml
@@ -4,7 +4,6 @@
 # These tests are sending and receiving emails
 # They need to be done on development servers only
 - name: Test parsing script ({{ attachment.description }})
- when: system.devel
 ansible.builtin.include_tasks: ./fts-test-script.yml
 loop: '{{ attachments | selectattr("script_test", "equalto", true) | list }}'
 loop_control:
diff --git a/roles/dovecot/tasks/check/main.yml b/roles/dovecot/tasks/check/main.yml
index 0ecd4c9c3..0bf7604c1 100644
--- a/roles/dovecot/tasks/check/main.yml
+++ b/roles/dovecot/tasks/check/main.yml
@@ -16,5 +16,5 @@
 ansible.builtin.include_tasks: check/apparmor.yml

 - name: Run full text search checks
- when: mail.fts.active
+ when: mail.fts.active and system.devel
 ansible.builtin.include_tasks: check/fts.yml
diff --git a/roles/ldap-openldap/vars/main.yml b/roles/ldap-openldap/vars/main.yml
index 71d8f8cf8..bec2ea5d9 100644
--- a/roles/ldap-openldap/vars/main.yml
+++ b/roles/ldap-openldap/vars/main.yml
@@ -10,7 +10,6 @@ ldap_packages:
 install:
 - cracklib-runtime
 - ldap-utils
- - ldapscripts
 - ldapvi
 - libldap-common
 - libpam-pwquality
diff --git a/roles/mta-sts/tasks/install/nginx.yml b/roles/mta-sts/tasks/install/nginx.yml
index f624633c5..240572927 100644
--- a/roles/mta-sts/tasks/install/nginx.yml
+++ b/roles/mta-sts/tasks/install/nginx.yml
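Review bot: The `doveadm auth login -- '{{ user0_uid }}' '{{ user0_password }}'` line puts the test account's password on the command line, and Ansible records the full command in the task result, so it shows up in verbose output, callbacks and any failure message; gating the task on `system.devel` does not change that. Add `no_log: true` next to the new `when: system.devel`. The `set -o pipefail ;` in the same command also requires bash, which this commit adds as `args: executable: /bin/bash` to the AppArmor checks but not here — unless the rest of the task, which continues past the hunk, already sets it.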
@@ -15,7 +15,7 @@ loop:
 - name: index.html
 - name: mta-sts.txt
- grafana.grafana.folder: .well-known/
+ folder: .well-known/
 loop_control:
 loop_var: file
 tags: nginx
diff --git a/roles/nginx/tasks/check/apparmor.yml b/roles/nginx/tasks/check/apparmor.yml
index 2762ea243..e276b9ea2 100644
--- a/roles/nginx/tasks/check/apparmor.yml
+++ b/roles/nginx/tasks/check/apparmor.yml
@@ -5,6 +5,8 @@
 ansible.builtin.shell: >-
 set -o pipefail;
 aa-status --json | jq '.profiles["/usr/sbin/nginx"]'
+ args:
+ executable: /bin/bash
 changed_when: false
 failed_when: >
 aa_status.stdout | trim('"') != "enforce"
diff --git a/roles/opendkim/tasks/check/apparmor.yml b/roles/opendkim/tasks/check/apparmor.yml
index ad773aa06..941bc517c 100644
--- a/roles/opendkim/tasks/check/apparmor.yml
+++ b/roles/opendkim/tasks/check/apparmor.yml
@@ -5,6 +5,8 @@
 ansible.builtin.shell: >-
 set -o pipefail;
 aa-status --json | jq '.profiles["/usr/sbin/opendkim"]'
+ args:
+ executable: /bin/bash
 changed_when: false
 failed_when: >
 {{ aa_status.stdout | trim('"') != "enforce" }}
diff --git a/roles/opendmarc/tasks/check/apparmor.yml b/roles/opendmarc/tasks/check/apparmor.yml
index b5524749e..4018b1e3a 100644
--- a/roles/opendmarc/tasks/check/apparmor.yml
+++ b/roles/opendmarc/tasks/check/apparmor.yml
@@ -5,6 +5,8 @@
 ansible.builtin.shell: >-
 set -o pipefail;
 aa-status --json | jq '.profiles["/usr/sbin/opendmarc"]'
+ args:
+ executable: /bin/bash
 changed_when: false
 failed_when: >
 {{ aa_status.stdout | trim('"') != "enforce" }}
diff --git a/roles/postfix/tasks/check/apparmor.yml b/roles/postfix/tasks/check/apparmor.yml
index 249b938d1..97d8b1192 100644
--- a/roles/postfix/tasks/check/apparmor.yml
+++ b/roles/postfix/tasks/check/apparmor.yml
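Review bot: The `failed_when: > {{ aa_status.stdout | trim('"') != "enforce" }}` line of the opendkim check wraps the conditional in Jinja delimiters, which Ansible warns about because conditionals are templated already, and which the nginx hunk in this same commit avoids; the opendmarc hunk here and the rspamd hunk further down have the same form. Since the commit already edits these tasks, write them like the nginx check, `failed_when: aa_status.stdout | trim('"') != "enforce"`, so every AppArmor check reads the same way. The task header carrying `register: aa_status` starts above the hunk.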
@@ -1,13 +1,16 @@
 ---
-- name: Check that opendkim is running in enforced mode
+- name: Check that postfix kbinary is running in enforced mode
 register: aa_status
 ansible.builtin.shell: >-
 set -o pipefail;
- aa-status --json | jq '.profiles["{{ sogo_binary }}"]'
+ aa-status --json | jq '.profiles["{{ postfix_binary }}"]'
 changed_when: false
- loop: '{{ sogo_binaries }}'
+ args:
+ executable: /bin/bash
+ loop: '{{ postfix_binaries }}'
 loop_control:
- loop_var: sogo_binary
+ loop_var: postfix_binary
 failed_when: >
 aa_status.stdout | trim('"') != "enforce"
+ tags: apparmor
diff --git a/roles/postfix/tasks/check/main.yml b/roles/postfix/tasks/check/main.yml
index eb629409b..0b503d299 100644
--- a/roles/postfix/tasks/check/main.yml
+++ b/roles/postfix/tasks/check/main.yml
@@ -12,14 +12,21 @@
 - name: Check the LDAP mapping
 ansible.builtin.include_tasks: check/ldap-mapping.yml

+- name: Check AppArmor
+ ansible.builtin.include_tasks: check/apparmor.yml
+ tags: apparmor
+
+- name: Check TLS settings
+ ansible.builtin.include_tasks: check/tls.yml
+
 - name: Check simple email reception
+ when: system.devel
 ansible.builtin.include_tasks: check/simple-email.yml

 - name: Check email reception with UTF8 email address
+ when: system.devel
 ansible.builtin.include_tasks: check/utf8-email.yml

 - name: Check email reception with extension
+ when: system.devel
 ansible.builtin.include_tasks: check/extension-email.yml
-
-- name: Check TLS settings
- ansible.builtin.include_tasks: check/tls.yml
diff --git a/roles/postfix/vars/main.yml b/roles/postfix/vars/main.yml
index 2f9129b7f..bd25385fb 100644
--- a/roles/postfix/vars/main.yml
+++ b/roles/postfix/vars/main.yml
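Review bot: The new task name `- name: Check that postfix kbinary is running in enforced mode` contains a typo and is singular although the task loops over `postfix_binaries`; `- name: Check that postfix binaries are running in enforced mode` reads correctly. The loop output names each item, so a failing daemon is already identifiable without putting the path in the name. The hunk's last context line is not visible, so the task may continue below `tags: apparmor`.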
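Review bot: The three `when: system.devel` lines added to the email reception includes in postfix check/main.yml repeat one condition three times; grouping those includes under a single `block:` with one `when: system.devel` keeps the devel-only checks together and states the condition once. The `tags: apparmor` on the AppArmor include matches the tag the commit adds to the task inside check/apparmor.yml, which is needed because tags on `include_tasks` are not inherited by the included tasks.
```yaml
- name: Run the email reception checks on development servers only
  when: system.devel
  block:
    - name: Check simple email reception
      ansible.builtin.include_tasks: check/simple-email.yml
    # … unchanged: utf8-email and extension-email includes, nested the same way …
```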
@@ -89,3 +89,31 @@ exim_packages:
 - exim4-base
 - exim4-config
 - exim4-daemon-light
+
+
+postfix_binaries:
+ - /usr/lib/postfix/anvil
+ - /usr/lib/postfix/bounce
+ - /usr/lib/postfix/cleanup
+ - /usr/lib/postfix/discard
+ - /usr/lib/postfix/error
+ - /usr/lib/postfix/flush
+ - /usr/lib/postfix/lmtp
+ - /usr/lib/postfix/local
+ - /usr/lib/postfix/master
+ - /usr/lib/postfix/nqmgr
+ - /usr/lib/postfix/oqmgr
+ - /usr/lib/postfix/pickup
+ - /usr/lib/postfix/pipe
+ - /usr/lib/postfix/proxymap
+ - /usr/lib/postfix/qmgr
+ - /usr/lib/postfix/qmqpd
+ - /usr/lib/postfix/scache
+ - /usr/lib/postfix/showq
+ - /usr/lib/postfix/smtp
+ - /usr/lib/postfix/smtpd
+ - /usr/lib/postfix/spawn
+ - /usr/lib/postfix/tlsmgr
+ - /usr/lib/postfix/trivial-rewrite
+ - /usr/lib/postfix/verify
+ - /usr/lib/postfix/virtual
diff --git a/roles/prometheus/tasks/check/nginx.yml b/roles/prometheus/tasks/check/nginx.yml
index ec47c4a77..402ff9c52 100644
--- a/roles/prometheus/tasks/check/nginx.yml
+++ b/roles/prometheus/tasks/check/nginx.yml
@@ -1,8 +1,8 @@
 ---
-- name: Load prometheus home page
+- name: Ensure prometheus is not publicly accessible
 delegate_to: localhost
 become: false
 ansible.builtin.uri:
 url: https://prometheus.{{ network.domain }}/
- return_content: true
+ status_code: [ 401 ]
diff --git a/roles/rspamd/tasks/check/apparmor.yml b/roles/rspamd/tasks/check/apparmor.yml
index 987b67ed2..f4c9a851e 100644
--- a/roles/rspamd/tasks/check/apparmor.yml
+++ b/roles/rspamd/tasks/check/apparmor.yml
@@ -5,6 +5,8 @@
 ansible.builtin.shell: >-
 set -o pipefail;
 aa-status --json | jq '.profiles["/usr/bin/rspamd"]'
+ args:
+ executable: /bin/bash
 changed_when: false
 failed_when: >-
 {{ aa_status.stdout | trim('"') != "enforce" }}
diff --git a/roles/sogo/tasks/check/apparmor.yml b/roles/sogo/tasks/check/apparmor.yml
index af15ab584..9184ae6af 100644
--- a/roles/sogo/tasks/check/apparmor.yml
+++ b/roles/sogo/tasks/check/apparmor.yml
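Review bot: `postfix_binaries` hard-codes every daemon under `/usr/lib/postfix/`, and the AppArmor check this commit adds looks each path up as a key in `aa-status --json` output, so if the installed Postfix keeps its daemons elsewhere (Debian's `daemon_directory` is, as far as I recall, `/usr/lib/postfix/sbin`) every lookup yields `null` and all 25 iterations fail for a reason unrelated to AppArmor. Worth confirming against `postconf -h daemon_directory` on the target, and recording the constraint above the list: `# Must match daemon_directory on the target; check/apparmor.yml looks these paths up in aa-status --json`. The list also carries `nqmgr`, `oqmgr` and `qmgr` as three entries; whether all three exist as separate files there is something to verify rather than assume.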
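Review bot: `status_code: [ 401 ]` in the prometheus check uses flow style with padded brackets, whereas the webdav check changed in the same commit writes the scalar `status_code: 401`; pick one form, and the scalar is the simpler. The new name matches what the task proves — an unauthenticated GET of the root URL is answered with 401 — but the uri module follows redirects on GET by default, so if the proxy ever redirected to a login page a 200 after redirect would pass; `follow_redirects: none` closes that, if it applies here. The task's remaining lines are outside the hunk.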
@@ -5,6 +5,8 @@
 ansible.builtin.shell: >-
 set -o pipefail;
 aa-status --json | jq '.profiles["{{ sogo_binary }}"]'
+ args:
+ executable: /bin/bash
 changed_when: false
 loop: '{{ sogo_binaries }}'
 loop_control:
diff --git a/roles/user-setup/tasks/check/main.yml b/roles/user-setup/tasks/check/main.yml
index 3f384ce67..46516b697 100644
--- a/roles/user-setup/tasks/check/main.yml
+++ b/roles/user-setup/tasks/check/main.yml
@@ -1,12 +1,19 @@
 ---
-- name: Check that every user is in the system, with the correct attributes
- ansible.builtin.shell: >-
- set -o pipefail ;
- getent passwd {{ user.uid }}
- changed_when: false
- args:
- executable: /bin/bash
+- name: Check that every user is in the system
+ ansible.builtin.getent:
+ key: '{{ user.uid }}'
+ service: ldap
+ database: passwd
+ loop: '{{ users }}'
+ loop_control:
+ loop_var: user
+
+- name: Check that every user has a specific group
+ ansible.builtin.getent:
+ key: '{{ user.uid }}'
+ service: ldap
+ database: group
 loop: '{{ users }}'
 loop_control:
 loop_var: user
diff --git a/roles/webdav/tasks/check/dns.yml b/roles/webdav/tasks/check/dns.yml
index 8979e83a7..156873891 100644
--- a/roles/webdav/tasks/check/dns.yml
+++ b/roles/webdav/tasks/check/dns.yml
@@ -3,4 +3,4 @@
 - name: Check the DNS entry
 ansible.builtin.getent:
 database: hosts
- key: 'autodiscover.{{ network.domain }}'
+ key: 'webdav.{{ network.domain }}'
diff --git a/roles/webdav/tasks/check/grade.yml b/roles/webdav/tasks/check/grade.yml
index 283f6f881..d3bc69730 100644
--- a/roles/webdav/tasks/check/grade.yml
+++ b/roles/webdav/tasks/check/grade.yml
@@ -2,7 +2,7 @@
 - name: Load TLS ciphers used
 register: tls_ciphers_report
- ansible.builtin.shell: sslscan --no-colour autodiscover.{{ network.domain }}:443
+ ansible.builtin.shell: sslscan --no-colour webdav.{{ network.domain }}:443
 changed_when: false

 - name: Ensure authorised TLS cipher are used
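Review bot: The second task's name in user-setup check/main.yml, `- name: Check that every user has a specific group`, does not say what is checked: it looks up `user.uid` in the `group` database, i.e. that a group named after the user exists, so `- name: Check that every user has a group of the same name in LDAP` describes it. Both tasks pass `service: ldap`, which restricts getent to the ldap NSS service, so an account that resolves through another source would fail the check even though it works; presumably that strictness is intended, but it deserves a comment above the first task. The first task only verifies presence, so dropping ", with the correct attributes" from the old name is consistent with the new behaviour.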
diff --git a/roles/webdav/tasks/check/nginx.yml b/roles/webdav/tasks/check/nginx.yml
index bf84ab7bd..d8bd3f45e 100644
--- a/roles/webdav/tasks/check/nginx.yml
+++ b/roles/webdav/tasks/check/nginx.yml
@@ -1,28 +1,9 @@
 ---
-- name: Check if the autodiscover site is active
+- name: Ensure the server is not in public access
 ansible.builtin.uri:
- url: 'https://autodiscover.{{ network.domain }}/'
+ url: 'https://webdav.{{ network.domain }}/'
 method: HEAD
 body: ''
- status_code: 200
+ status_code: 401
 return_content: true
-
-- name: Download the XML autodiscover file
- vars:
- email: 'postmaster@{{ network.domain }}'
- ansible.builtin.uri:
- url: 'https://autodiscover.{{ network.domain }}/autodiscover/autodiscover.xml'
- method: POST
- body: ''
- status_code: 200
- dest: /tmp/autodiscover.xml
-
-- name: Check the autodiscover answer is valid
- ansible.builtin.shell: xmllint /tmp/autodiscover.xml
- changed_when: false
-
-- name: Remove the downloaded file
- ansible.builtin.file:
- path: /tmp/autodiscover.xml
- state: absent
diff --git a/roles/website-simple/tasks/check/dns.yml b/roles/website-simple/tasks/check/dns.yml
index 2808f95cb..4f2cb2587 100644
--- a/roles/website-simple/tasks/check/dns.yml
+++ b/roles/website-simple/tasks/check/dns.yml
@@ -1,6 +1,6 @@
 ---
-- name: Check the DNS entry
+- name: Check that the DNS entry exists
 ansible.builtin.getent:
 database: hosts
 key: 'www.{{ network.domain }}'
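Review bot: `return_content: true` and `body: ''` on a `method: HEAD` request do nothing useful, since a HEAD response carries no body, and both can be dropped now that the task only asserts `status_code: 401`. The name `Ensure the server is not in public access` reads awkwardly; `Ensure the WebDAV server refuses unauthenticated access` states what the 401 assertion checks. With the autodiscover download and xmllint validation removed, this file no longer exercises a successful request at all, so if no other task in the role makes an authenticated request the check phase now proves only that the challenge is presented. The trailing context line of the hunk is not visible.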