Follow linter suggestions

.ansible-lint-ignore

@@ -0,0 +1 @@
+tasks/ssl.yml schema[tasks] # no idea why the linter complains on this one, the whole thing works

.github/workflows/devskim.yml

@@ -27,6 +27,8 @@ jobs:
 
       - name: Run DevSkim scanner
         uses: microsoft/DevSkim-Action@v1
+        with:
+          exclude-rules: DS126858,DS137138,DS162092,DS169125,DS169126
 
       - name: Upload DevSkim scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v2

.github/workflows/linter.yml

@@ -63,3 +63,4 @@ jobs:
           # Change to 'master' if your main branch differs
           DEFAULT_BRANCH: main
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ANSIBLE_DIRECTORY: .

collections/requirements.yml

@@ -0,0 +1,10 @@
+---
+collections:
+  - name: ansible.posix
+    version: 1.5.4
+  - name: community.general
+    version: 7.5.0
+  - name: community.mysql
+    version: 3.7.2
+  - name: community.crypto
+    version: 2.15.1

defaults/main.yml

@@ -39,19 +39,20 @@
   - { type: "score", key: "CUSTOM_DMARC_FAIL", value: "3.0"}
   - type: "body"
     key: "BE_POLITE"
+    # noqa jinja[spacing] some pipes here are for regex purposes and not for Jinja2
     value: >
       /(hi|hello|dear) (
       {%- set mail_users = ['root','postmaster','abuse','hostmaster','webmaster','dmarc-reports'] %}
-      {%- for user in users|default([]) %}
+      {%- for user in users | default( [] ) %}
       {%- set mail_users = mail_users.append( user['name'] ) %}
       {%- endfor %}
-      {{- mail_users|join('|') -}}
+      {{- mail_users | join('|') -}}
       )@(
       {%- set domains = [mailserver_domain] %}
-      {%- for domain in custom_domains|default([]) %}
+      {%- for domain in custom_domains | default( [] ) %}
       {%- set domains = domains.append( domain ) %}
       {%- endfor %}
-      {{- domains|join('|') -}}
+      {{- domains | join('|') -}}
       )/i
   - { type: "describe", key: "BE_POLITE", value: "This email doesn't use a proper name for the recipient" }
   - { type: "score", key: "BE_POLITE", value: "5.0" }
@@ -76,31 +77,33 @@
   - { type: "allow_user_rules", key: "1", value: "# Allow user rules"}
   - type: "header"
     key: "SUBJECT_SPAM"
+    # noqa jinja[spacing] some pipes here are as plain text and not for Jinja2
     value: >
       Subject =~ /(
       {%- set mail_users = ['root','postmaster','abuse','hostmaster','webmaster','dmarc-reports'] %}
-      {%- for user in users|default([]) %}
+      {%- for user in users | default( [] ) %}
       {%- set mail_users = mail_users.append( user['name'] ) %}
       {%- endfor %}
-      {{- mail_users|join('|') -}}
+      {{- mail_users | join('|') -}}
       )@(
       {%- set domains = [mailserver_domain] %}
-      {%- for domain in custom_domains|default([]) %}
+      {%- for domain in custom_domains | default( [] ) %}
       {%- set domains = domains.append( domain ) %}
       {%- endfor %}
-      {{- domains|join('|') -}}
+      {{- domains | join('|') -}}
       )/i
   - { type: "describe", key: "SUBJECT_SPAM", value: "Subject contains my email address."}
   - { type: "score", key: "SUBJECT_SPAM", value: "4.0" }
   - type: "header"
     key: "__DOMAIN_IN_TO"
+    # noqa jinja[spacing] some pipes here are as plain text and not for Jinja2
     value: >
       To =~ /(
       {%- set domains = [mailserver_domain] %}
-      {%- for domain in custom_domains|default([]) %}
+      {%- for domain in custom_domains | default( [] ) %}
       {%- set domains = domains.append( domain ) %}
       {%- endfor %}
-      {{- domains|join('|') -}}
+      {{- domains | join('|') -}}
       )/
   - { type: "meta", key: "NO_DOMAIN_IN_TO", value: "!__DOMAIN_IN_TO" }
   - { type: "score", key: "NO_DOMAIN_IN_TO", value: "3.0" }

handlers/main.yml

@@ -1,90 +1,90 @@
 ---
 - name: Restart amavisd
-  systemd:
+  ansible.builtin.systemd_service:
     name: amavisd
     daemon_reload: yes
     enabled: yes
     state: restarted
 - name: Restart clamav-freshclam
-  systemd:
+  ansible.builtin.systemd_service:
     name: clamav-freshclam
     daemon_reload: yes
     enabled: yes
     state: restarted
 - name: "Restart dirsrv@{{ mailserver_hostname }}"
-  systemd:
+  ansible.builtin.systemd_service:
     name: "dirsrv@{{ mailserver_hostname }}"
     daemon_reload: yes
     enabled: yes
     state: restarted
 - name: Restart dnsdist
-  systemd:
+  ansible.builtin.systemd_service:
     name: dnsdist
     daemon_reload: yes
     enabled: yes
     state: restarted
 - name: Restart dovecot
-  systemd:
+  ansible.builtin.systemd_service:
     name: dovecot
     daemon_reload: yes
     enabled: yes
     state: restarted
 - name: Restart fail2ban
-  systemd:
+  ansible.builtin.systemd_service:
     name: fail2ban
     daemon_reload: yes
     enabled: yes
     state: restarted
 - name: Restart firewalld
-  systemd:
+  ansible.builtin.systemd_service:
     name: firewalld
     daemon_reload: yes
     enabled: yes
     state: restarted
 - name: Restart httpd
-  systemd:
+  ansible.builtin.systemd_service:
     name: httpd
     daemon_reload: yes
     enabled: yes
     state: restarted
 - name: Restart mongod
-  systemd:
+  ansible.builtin.systemd_service:
     name: mongod
     daemon_reload: yes
     enabled: yes
     state: restarted
 - name: Restart NetworkManager
-  systemd:
+  ansible.builtin.systemd_service:
     name: NetworkManager
     daemon_reload: yes
     enabled: yes
     state: restarted
 - name: Restart opendkim
-  systemd:
+  ansible.builtin.systemd_service:
     name: opendkim
     daemon_reload: yes
     enabled: yes
     state: restarted
 - name: Restart opendmarc
-  systemd:
+  ansible.builtin.systemd_service:
     name: opendmarc
     daemon_reload: yes
     enabled: yes
     state: restarted
 - name: Restart pdns
-  systemd:
+  ansible.builtin.systemd_service:
     name: pdns
     daemon_reload: yes
     enabled: yes
     state: restarted
 - name: Restart pdns-recursor
-  systemd:
+  ansible.builtin.systemd_service:
     name: pdns-recursor
     daemon_reload: yes
     enabled: yes
     state: restarted
 - name: Restart php-fpm
-  systemd:
+  ansible.builtin.systemd_service:
     name: "{{ php_fpm_service }}"
     daemon_reload: yes
     enabled: yes
@@ -95,55 +95,55 @@
   loop_control:
     loop_var: php_fpm_service
 - name: Restart postfix
-  systemd:
+  ansible.builtin.systemd_service:
     name: postfix
     daemon_reload: yes
     enabled: yes
     state: restarted
 - name: Restart postgrey
-  systemd:
+  ansible.builtin.systemd_service:
     name: postgrey
     daemon_reload: yes
     enabled: yes
     state: restarted
 - name: Restart spamassassin
-  systemd:
+  ansible.builtin.systemd_service:
     name: spamassassin
     daemon_reload: yes
     enabled: yes
     state: restarted
 - name: Restart spamass-milter
-  systemd:
+  ansible.builtin.systemd_service:
     name: spamass-milter
     daemon_reload: yes
     enabled: yes
     state: restarted
 - name: Default to localhost in resolv.conf
-  copy:
+  ansible.builtin.copy:
     dest: /etc/resolv.conf
     content: |
       nameserver 127.0.0.1
       nameserver ::1
-      search {{ ([mailserver_domain] + custom_domains)|join(' ') }}
+      search {{ ([mailserver_domain] + custom_domains) | join(' ') }}
     backup: true
     force: true
     owner: root
     group: root
     mode: 0644
 - name: Restart systemd-resolved
-  systemd:
+  ansible.builtin.systemd_service:
     name: systemd-resolved
     daemon_reload: yes
     enabled: yes
     state: restarted
 - name: Restart vsftpd
-  systemd:
+  ansible.builtin.systemd_service:
     name: vsftpd
     daemon_reload: yes
     enabled: yes
     state: restarted
 - name: Restart WireGuard
-  systemd:
+  ansible.builtin.systemd_service:
     name: "wg_vpn.{{ systemd_unit_type }}"
     daemon_reload: yes
     state: started
@@ -153,5 +153,5 @@
   loop_control:
     loop_var: systemd_unit_type
 - name: Warn on passwords
-  debug:
+  ansible.builtin.debug:
     msg: "!!!WARNING!!! All web UI admin passwords are set to the same as your admin user's password. For your own safety, change them before going live"

meta/main.yml

@@ -19,7 +19,7 @@ galaxy_info:
   # - CC-BY-4.0
   license: GPL-3.0-only
 
-  min_ansible_version: 2.9
+  min_ansible_version: "2.9"
 
   # If this a Container Enabled role, provide the minimum Ansible Container version.
   # min_ansible_container_version:
@@ -54,7 +54,8 @@ dependencies: []
   # List your role dependencies here, one per line. Be sure to remove the '[]' above,
   # if you add dependencies to this list.
 collections:
-  - community.crypto
+  - ansible.posix
   - community.general
+  - community.crypto
   - community.dns
   - community.mysql

tasks/add_dns_record.yml

@@ -1,22 +1,32 @@
 ---
-- name: 'Quote and escape record content "{{ record.content }}"'
-  set_fact:
+- name: 'Quote and escape record content "{{ record.content }}"' # noqa name[template] we need to be informative, even if we deviate from the standards
+  ansible.builtin.set_fact:
     record_content: '"{{ record.content }}"'
 - name: Add DNS record
-  when: "{{ (record.append is defined and record.append) and (record.content not in lookup('community.general.dig', record.name ~ '.' ~ record.zone ~ './' ~ record.type)|split(',')) }}"
+  when: (record.append is defined and record.append) and (record.content not in lookup('community.general.dig', record.name ~ '.' ~ record.zone ~ './' ~ record.type) | split(','))
   block:
-    - name: 'Add DNS record {{ record.name }}.{{ record.zone }} {{ record.ttl|default("3600") }} IN {{ record.type }} {{ record.content }}'
-      command: "pdnsutil add-record {{ record.zone }} {{ record.name }} {{ record.type }} {{ record.ttl|default('3600') }} '{{ record.content }}'"
+    - name: 'Add DNS record {{ record.name }}.{{ record.zone }} {{ record.ttl | default("3600") }} IN {{ record.type }} {{ record.content }}' # noqa name[template] we need to be informative, even if we deviate from the standards
+      ansible.builtin.command: "pdnsutil add-record {{ record.zone }} {{ record.name }} {{ record.type }} {{ record.ttl | default('3600') }} '{{ record.content }}'"
+      register: add_record
+      changed_when: add_record.rc == 0
   rescue:
-    - name: 'Add DNS record {{ record.name }}.{{ record.zone }} {{ record.ttl|default("3600") }} IN {{ record.type }} {{ record.content }}'
-      command: "pdnsutil add-record {{ record.zone }} {{ record.name }} {{ record.type }} {{ record.ttl|default('3600') }} '{{ record_content }}'"
+    - name: 'Add DNS record {{ record.name }}.{{ record.zone }} {{ record.ttl | default("3600") }} IN {{ record.type }} {{ record.content }}' # noqa name[template] we need to be informative, even if we deviate from the standards
+      ansible.builtin.command: "pdnsutil add-record {{ record.zone }} {{ record.name }} {{ record.type }} {{ record.ttl | default('3600') }} '{{ record_content }}'"
+      register: add_record
+      changed_when: add_record.rc == 0
 - name: Update or add DNS record
   when: record.append is not defined or not record.append
   block:
-    - name: 'Update DNS record {{ record.name }}.{{ record.zone }} {{ record.ttl|default("3600") }} IN {{ record.type }} {{ record.content }}'
-      command: "pdnsutil replace-rrset {{ record.zone }} {{ record.name }} {{ record.type }} {{ record.ttl|default('3600') }} '{{ record.content }}'"
+    - name: 'Update DNS record {{ record.name }}.{{ record.zone }} {{ record.ttl | default("3600") }} IN {{ record.type }} {{ record.content }}' # noqa name[template] we need to be informative, even if we deviate from the standards
+      ansible.builtin.command: "pdnsutil replace-rrset {{ record.zone }} {{ record.name }} {{ record.type }} {{ record.ttl | default('3600') }} '{{ record.content }}'"
+      register: update_record
+      changed_when: update_record.rc == 0
   rescue:
-    - name: 'Update DNS record {{ record.name }}.{{ record.zone }} {{ record.ttl|default("3600") }} IN {{ record.type }} {{ record.content }}'
-      command: "pdnsutil replace-rrset {{ record.zone }} {{ record.name }} {{ record.type }} {{ record.ttl|default('3600') }} '{{ record_content }}'"
+    - name: 'Update DNS record {{ record.name }}.{{ record.zone }} {{ record.ttl | default("3600") }} IN {{ record.type }} {{ record.content }}' # noqa name[template] we need to be informative, even if we deviate from the standards
+      ansible.builtin.command: "pdnsutil replace-rrset {{ record.zone }} {{ record.name }} {{ record.type }} {{ record.ttl | default('3600') }} '{{ record_content }}'"
+      register: update_record
+      changed_when: update_record.rc == 0
 - name: Rectify all zones
-  command: pdnsutil rectify-all-zones
+  ansible.builtin.command: pdnsutil rectify-all-zones
+  register: rectify_zones
+  changed_when: rectify_zones.rc == 0

tasks/antivirus.yml

@@ -1,12 +1,12 @@
 ---
 - name: Set SELinux booleans
-  when: "{{ getenforce.stdout != 'Disabled' }}"
-  seboolean:
+  when: getenforce.stdout != 'Disabled'
+  ansible.posix.seboolean:
     name: antivirus_can_scan_system
     state: yes
     persistent: yes
 - name: Render AMAVISD config
-  template:
+  ansible.builtin.template:
     src: amavisd/amavisd.conf.j2
     dest: /etc/amavisd/amavisd.conf
     mode: u=rw,og=r
@@ -15,15 +15,17 @@
     backup: yes
   notify: Restart amavisd
 - name: Refresh ClamAV database
-  command: freshclam
+  ansible.builtin.command: freshclam
+  register: start_freshclam
+  changed_when: start_freshclam.rc == 0
   notify: Restart clamav-freshclam
 - name: Update SPAMAssassin's signatures
-  command: sa-update -D
+  ansible.builtin.command: sa-update -D
   register: sa_update
   failed_when: "{{ sa_update.rc >= 4 }}"
   notify: Restart spamassassin
 - name: Enable systemd services
-  systemd:
+  ansible.builtin.systemd_service:
     name: "{{ item }}"
     daemon_reload: yes
     enabled: yes

tasks/autorestart.yml

@@ -1,13 +1,13 @@
 ---
-- name: "Create restart directories for {{ service }}"
-  file:
+- name: "Create restart directories for {{ service }}" # noqa name[template] we need to be informative, even if we deviate from the standards
+  ansible.builtin.file:
     state: directory
     path: "/etc/systemd/system/{{ service }}.service.d"
     mode: u=rwX,og=rX
     owner: root
     group: root
-- name: "Deploy restart files for {{ service }}"
-  copy:
+- name: "Deploy restart files for {{ service }}" # noqa name[template] we need to be informative, even if we deviate from the standards
+  ansible.builtin.copy:
     src: systemd/restart.conf
     dest: "/etc/systemd/system/{{ service }}.service.d/restart.conf"
     mode: u=rw,og=r