rename default variables to manage_

Signed-off-by: Thomas Sjögren <[email protected]>

Vagrantfile

@@ -25,7 +25,7 @@ Vagrant.configure("2") do |config|
         "sshd_admin_net" => ["0.0.0.0/0"],
         "sshd_allow_groups" => ["vagrant", "sudo", "debian", "ubuntu"],
         "system_upgrade" => "false",
-        "install_aide" => "false",
+        "manage_aide" => "false",
       }
     end
   end

defaults/main/aide.yml

@@ -1,3 +1,4 @@
 ---
-install_aide: true
+manage_aide: true
+
 aide_checksums: sha512

defaults/main/auditd.yml

@@ -1,4 +1,6 @@
 ---
+manage_auditd: true
+
 auditd_apply_audit_rules: true
 auditd_action_mail_acct: root
 auditd_admin_space_left_action: suspend

defaults/main/ntp.yml

@@ -1,5 +1,6 @@
 ---
-enable_timesyncd: true
+manage_timesyncd: true
+
 fallback_ntp:
   - ntp.netnod.se
   - ntp.ubuntu.com

defaults/main/password.yml

@@ -1,5 +1,6 @@
 ---
-faillock_enable: true
+manage_faillock: true
+
 faillock:
   admin_group: []
   audit: true

defaults/main/sshd.yml

@@ -1,4 +1,6 @@
 ---
+manage_ssh: true
+
 sshd_accept_env: LANG LC_*
 sshd_admin_net:
   - 192.168.0.0/24

defaults/main/ufw.yml

@@ -1,5 +1,6 @@
 ---
 manage_ufw: true
+
 ufw_outgoing_traffic:
   - 22
   - 53

defaults/main/usbguard.yml

@@ -1,5 +1,6 @@
 ---
-enable_usbguard: true
+manage_usbguard: true
+
 usbguard_configuration_file: /etc/usbguard/usbguard-daemon.conf
 usbguard_rulefile: /etc/usbguard/rules.conf
 

molecule/almalinux/molecule.yml

@@ -18,15 +18,15 @@ provisioner:
   inventory:
     host_vars:
       almalinux8:
-        enable_timesyncd: false
+        manage_timesyncd: false
         sshd_admin_net:
           - "0.0.0.0/0"
         sshd_allow_groups:
           - vagrant
           - sudo
         suid_sgid_permissions: false
       almalinux9:
-        enable_timesyncd: false
+        manage_timesyncd: false
         sshd_admin_net:
           - "0.0.0.0/0"
         sshd_allow_groups:

molecule/default/molecule.yml

@@ -16,7 +16,7 @@ provisioner:
     host_vars:
       almalinux8:
         disable_wireless: true
-        enable_timesyncd: false
+        manage_timesyncd: false
         sshd_admin_net:
           - "0.0.0.0/0"
         sshd_allow_groups:
@@ -26,7 +26,7 @@ provisioner:
         sshd_update_moduli: true
         suid_sgid_permissions: false
       almalinux9:
-        enable_timesyncd: false
+        manage_timesyncd: false
         sshd_admin_net:
           - "0.0.0.0/0"
         sshd_allow_groups:
@@ -38,7 +38,7 @@ provisioner:
         ansible_become_pass: vagrant
         ansible_python_interpreter: /usr/bin/python3
         disable_wireless: false
-        enable_usbguard: false
+        manage_usbguard: false
         sshd_admin_net:
           - "0.0.0.0/0"
         sshd_allow_groups:

molecule/default/verify.yml

@@ -761,7 +761,7 @@
         - NTP={{ ntp | join(' ') }}
         - FallbackNTP={{ fallback_ntp | join(' ') }}
       when:
-        - enable_timesyncd
+        - manage_timesyncd
         - ansible_virtualization_type not in ["container", "docker", "podman"]
 
     - name: Stat /etc/default/motd-news
@@ -994,7 +994,7 @@
     - name: Verify aide configuration
       become: true
       when:
-        - install_aide
+        - manage_aide
       block:
         - name: Aide config check
           become: true

molecule/docker/molecule.yml

@@ -16,7 +16,7 @@ provisioner:
   inventory:
     host_vars:
       almalinux9:
-        enable_timesyncd: false
+        manage_timesyncd: false
         sshd_admin_net:
           - "0.0.0.0/0"
         sshd_allow_groups:

tasks/kernelmodules.yml

@@ -73,7 +73,7 @@
     state: present
     create: true
   with_items:
-    - "{{ misc_modules_usbguard if enable_usbguard else misc_modules_blocklist }}"
+    - "{{ misc_modules_usbguard if manage_usbguard else misc_modules_blocklist }}"
   tags:
     - modprobe
     - CCE-80832-9

tasks/main.yml

@@ -43,7 +43,7 @@
   ansible.builtin.include_tasks:
     file: usbguard.yml
   when:
-    - enable_usbguard
+    - manage_usbguard
     - ansible_virtualization_type not in ["container", "docker", "podman"]
 
 - name: Configure systemd system and users
@@ -58,7 +58,7 @@
   ansible.builtin.include_tasks:
     file: timesyncd.yml
   when:
-    - enable_timesyncd
+    - manage_timesyncd
     - ansible_virtualization_type not in ["container", "docker", "podman"]
 
 - name: Clean fstab
@@ -110,6 +110,8 @@
 - name: Configure ssh server and client
   ansible.builtin.include_tasks:
     file: sshconfig.yml
+  when:
+    - manage_ssh
 
 - name: Configure PAM
   ansible.builtin.include_tasks:
@@ -128,6 +130,8 @@
 - name: Configure auditd
   ansible.builtin.include_tasks:
     file: auditd.yml
+  when:
+    - manage_auditd
 
 - name: Configure AppArmor
   ansible.builtin.include_tasks:
@@ -147,7 +151,7 @@
   ansible.builtin.include_tasks:
     file: aide.yml
   when: >
-    install_aide | bool and
+    manage_aide | bool and
     (not (ansible_os_family == "Debian" and
     (ansible_lsb.codename == "groovy" or
     ansible_lsb.codename == "hirsute")))

tasks/password.yml

@@ -8,7 +8,7 @@
     owner: root
     group: root
   when:
-    - faillock_enable | bool
+    - manage_faillock | bool
   tags:
     - common-account
     - common-auth

templates/etc/pam.d/common-account.j2

@@ -4,6 +4,6 @@
 account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
 account requisite     pam_deny.so
 account required      pam_permit.so
-{% if (faillock_enable | bool) %}
+{% if (manage_faillock | bool) %}
 account required      pam_faillock.so
 {% endif %}

templates/etc/pam.d/common-auth.j2

@@ -1,7 +1,7 @@
 # {{ ansible_managed }}
 # Generated by Ansible role {{ ansible_role_name }}
 
-{% if (faillock_enable | bool) %}
+{% if (manage_faillock | bool) %}
 auth required pam_faillock.so preauth
 auth [success=1 default=ignore] pam_unix.so
 auth [default=die] pam_faillock.so authfail