Merge branch 'collection'

Author: Sebastian Gumprich

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,7 +1,6 @@
 ---
 name: Bug report
 about: Create a report to help us improve
-
 ---
 
 **Describe the bug**
@@ -11,27 +10,37 @@ A clear and concise description of what the bug is.
 A clear and concise description of what you expected to happen.
 
 **Actual behavior**
+
 <!--- Paste verbatim command output between quotes -->
+
 ```paste below
 
 ```
+
 **Example Playbook**
+
 <!--- Paste an example playbook that can be used to reproduce the problem between quotes -->
+
 ```paste below
 
 ```
 
 **OS / Environment**
+
 <!--- Provide all relevant information below, e.g. target OS versions, network device firmware, etc. -->
 
 **Ansible Version**
+
 <!--- Paste verbatim output from "ansible --version" between quotes -->
+
 ```paste below
 
 ```
 
 **Role Version**
+
 <!--- Paste version of the role between quotes -->
+
 ```paste below
 
 ```

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,7 +1,6 @@
 ---
 name: Feature request
 about: Suggest an idea for this project
-
 ---
 
 **Is your feature request related to a problem? Please describe.**

.github/labeler.yml

@@ -0,0 +1,20 @@
+---
+mysql_hardening:
+  - 'roles/mysql_hardening/**'
+  - 'molecule/mysql_hardening/**'
+  - '.github/workflows/mysql_hardening.yml'
+
+os_hardening:
+  - 'roles/os_hardening/**'
+  - 'molecule/os_hardening/**'
+  - '.github/workflows/os_hardening.yml'
+
+ssh_hardening:
+  - 'roles/ssh_hardening/**'
+  - 'molecule/ssh_hardening/**'
+  - '.github/workflows/ssh_hardening.yml'
+
+nginx_hardening:
+  - 'roles/nginx_hardening/**'
+  - 'molecule/nginx_hardening/**'
+  - '.github/workflows/nginx_hardening.yml'

.github/workflows/enforce-labels.yml

@@ -0,0 +1,12 @@
+name: "Enforce PR labels"
+
+on:
+  pull_request:
+    types: [labeled, unlabeled, opened, edited, synchronize]
+jobs:
+  enforce-label:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/labeler@main
+      with:
+        repo-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/galaxy.yml

@@ -0,0 +1,39 @@
+---
+name: Publish collection to Ansible Galaxy
+
+on:
+  release:
+    types:
+      - published
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      # deploy the collection first, because if it fails, we don't want
+      # to update the galaxy.yml
+      - name: Deploy the collection
+        uses: artis3n/ansible_galaxy_collection@v2
+        with:
+          api_key: ${{ secrets.GALAXY_API_KEY }}
+          galaxy_version: ${{ github.event.release.tag_name }}
+
+      - name: update galaxy.yml with new version
+        uses: microsoft/variable-substitution@v1
+        with:
+          files: 'galaxy.yml'
+        env:
+          version: "${{ github.event.release.tag_name }}"
+
+      - name: push galaxy.yml
+        uses: github-actions-x/[email protected]
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          push-branch: 'master'
+          commit-message: 'update galaxy.yml with new version'
+          force-add: 'true'
+          files: galaxy.yml
+          name: dev-sec CI
+          email: [email protected]

.github/workflows/mysql_hardening.yml

@@ -0,0 +1,76 @@
+---
+name: "devsec.mysql_hardening"
+on:  # yamllint disable-line rule:truthy
+  workflow_dispatch:
+  push:
+    paths:
+      - 'roles/mysql_hardening/**'
+      - 'molecule/mysql_hardening/**'
+      - '.github/workflows/mysql_hardening.yml'
+  pull_request:
+    paths:
+      - 'roles/mysql_hardening/**'
+      - 'molecule/mysql_hardening/**'
+      - '.github/workflows/mysql_hardening.yml'
+jobs:
+  build:
+    runs-on: ubuntu-18.04
+    env:
+      PY_COLORS: 1
+      ANSIBLE_FORCE_COLOR: 1
+    strategy:
+      fail-fast: false
+      matrix:
+        molecule_distro:
+          - centos7
+          - centos8
+          - ubuntu1604
+          - ubuntu1804
+          - ubuntu2004
+          - debian9
+          - debian10
+          # - amazon  # geerlingguy.mysql does not support fedora
+          # - arch  # needs to be fixed
+          # - opensuse_tumbleweed  # needs to be fixed
+          # - fedora  # geerlingguy.mysql does not support fedora
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+        with:
+          path: ansible_collections/devsec/hardening
+          submodules: true
+
+      - name: Set up Python 3.7
+        uses: actions/setup-python@v1
+        with:
+          python-version: 3.7
+
+      - name: Install dependencies
+        run: |
+          sudo apt install git
+          python -m pip install --no-cache-dir --upgrade pip
+          pip install -r requirements.txt
+        working-directory: ansible_collections/devsec/hardening
+
+      - name: Create default collection path symlink
+        run: |
+          mkdir -p /home/runner/.ansible
+          ln -s /home/runner/work/ansible-os-hardening/ansible-os-hardening /home/runner/.ansible/collections
+
+      # that was a hard one to fix. robert did it thankfully
+      # https://github.com/robertdebock/ansible-role-mysql/commit/7562e99099b06282391ab7ed102b393a0406d212
+      - name: disable apparmor on debian systems
+        run: |
+            set -x
+            sudo apt-get install apparmor-profiles
+            sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/
+            sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld
+        if: ${{ startsWith(matrix.molecule_distro, 'Debian') }}
+
+      - name: Test with molecule
+        run: |
+          molecule --version
+          molecule test -s mysql_hardening
+        env:
+          MOLECULE_DISTRO: ${{ matrix.molecule_distro }}
+        working-directory: ansible_collections/devsec/hardening

.github/workflows/nginx_hardening.yml

@@ -0,0 +1,66 @@
+---
+name: "devsec.nginx_hardening"
+on:  # yamllint disable-line rule:truthy
+  workflow_dispatch:
+  push:
+    paths:
+      - 'roles/nginx_hardening/**'
+      - 'molecule/nginx_hardening/**'
+      - '.github/workflows/nginx_hardening.yml'
+  pull_request:
+    paths:
+      - 'roles/nginx_hardening/**'
+      - 'molecule/nginx_hardening/**'
+      - '.github/workflows/nginx_hardening.yml'
+jobs:
+  build:
+    runs-on: ubuntu-18.04
+    env:
+      PY_COLORS: 1
+      ANSIBLE_FORCE_COLOR: 1
+    strategy:
+      fail-fast: false
+      matrix:
+        molecule_distro:
+          - centos7
+          - centos8
+          - ubuntu1604
+          - ubuntu1804
+          - ubuntu2004
+          - debian9
+          - debian10
+          - amazon
+          # - arch  # needs to be fixed
+          # - opensuse_tumbleweed  # needs to be fixed
+          # - fedora  # no support from geerlingguy role
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+        with:
+          path: ansible_collections/devsec/hardening
+          submodules: true
+
+      - name: Set up Python 3.7
+        uses: actions/setup-python@v1
+        with:
+          python-version: 3.7
+
+      - name: Install dependencies
+        run: |
+          sudo apt install git
+          python -m pip install --no-cache-dir --upgrade pip
+          pip install -r requirements.txt
+        working-directory: ansible_collections/devsec/hardening
+
+      - name: Create default collection path symlink
+        run: |
+          mkdir -p /home/runner/.ansible
+          ln -s /home/runner/work/ansible-os-hardening/ansible-os-hardening /home/runner/.ansible/collections
+
+      - name: Test with molecule
+        run: |
+          molecule --version
+          molecule test -s nginx_hardening
+        env:
+          MOLECULE_DISTRO: ${{ matrix.molecule_distro }}
+        working-directory: ansible_collections/devsec/hardening

.github/workflows/os_hardening.yml

@@ -0,0 +1,68 @@
+---
+name: "devsec.os_hardening"
+on:  # yamllint disable-line rule:truthy
+  workflow_dispatch:
+  push:
+    paths:
+      - 'roles/os_hardening/**'
+      - 'molecule/os_hardening/**'
+      - '.github/workflows/os_hardening.yml'
+  pull_request:
+    paths:
+      - 'roles/os_hardening/**'
+      - 'molecule/os_hardening/**'
+      - '.github/workflows/os_hardening.yml'
+jobs:
+  build:
+    runs-on: ubuntu-18.04
+    env:
+      PY_COLORS: 1
+      ANSIBLE_FORCE_COLOR: 1
+    strategy:
+      fail-fast: false
+      matrix:
+        molecule_distro:
+          - centos7
+          - centos8
+          - ubuntu1604
+          - ubuntu1804
+          - ubuntu2004
+          - debian9
+          - debian10
+          - amazon
+          - opensuse_tumbleweed
+          # - arch  # needs to be fixed
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+        with:
+          path: ansible_collections/devsec/hardening
+          submodules: true
+
+      - name: Set up Python 3.7
+        uses: actions/setup-python@v1
+        with:
+          python-version: 3.7
+
+      - name: Install dependencies
+        run: |
+          sudo apt install git
+          python -m pip install --no-cache-dir --upgrade pip
+          pip install -r requirements.txt
+        working-directory: ansible_collections/devsec/hardening
+
+      - name: Create default collection path symlink
+        run: |
+          mkdir -p /home/runner/.ansible
+          ln -s /home/runner/work/ansible-os-hardening/ansible-os-hardening /home/runner/.ansible/collections
+
+      - name: Test with molecule
+        run: |
+          if [ "$MOLECULE_DISTRO" = "opensuse_tumbleweed" ]; then
+            export MOLECULE_DOCKER_COMMAND="/usr/lib/systemd/systemd"
+          fi
+          molecule --version
+          molecule test -s os_hardening
+        env:
+          MOLECULE_DISTRO: ${{ matrix.molecule_distro }}
+        working-directory: ansible_collections/devsec/hardening