Update security role to latest version.

Author: geerlingguy

provisioning/requirements.yml

@@ -75,7 +75,7 @@ roles:
   - name: geerlingguy.ruby
     version: 2.6.0
   - name: geerlingguy.security
-    version: 1.9.0
+    version: 2.0.0
   - name: geerlingguy.solr
     version: 5.1.0
   - name: geerlingguy.varnish

provisioning/roles/geerlingguy.security/.github/stale.yml

@@ -0,0 +1,56 @@
+# Configuration for probot-stale - https://github.com/probot/stale
+
+# Number of days of inactivity before an Issue or Pull Request becomes stale
+daysUntilStale: 90
+
+# Number of days of inactivity before an Issue or Pull Request with the stale label is closed.
+# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale.
+daysUntilClose: 30
+
+# Only issues or pull requests with all of these labels are check if stale. Defaults to `[]` (disabled)
+onlyLabels: []
+
+# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
+exemptLabels:
+  - pinned
+  - security
+  - planned
+
+# Set to true to ignore issues in a project (defaults to false)
+exemptProjects: false
+
+# Set to true to ignore issues in a milestone (defaults to false)
+exemptMilestones: false
+
+# Set to true to ignore issues with an assignee (defaults to false)
+exemptAssignees: false
+
+# Label to use when marking as stale
+staleLabel: stale
+
+# Limit the number of actions per hour, from 1-30. Default is 30
+limitPerRun: 30
+
+pulls:
+  markComment: |-
+    This pull request has been marked 'stale' due to lack of recent activity. If there is no further activity, the PR will be closed in another 30 days. Thank you for your contribution!
+
+    Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark pull requests as stale.
+
+  unmarkComment: >-
+    This pull request is no longer marked for closure.
+
+  closeComment: >-
+    This pull request has been closed due to inactivity. If you feel this is in error, please reopen the pull request or file a new PR with the relevant details.
+
+issues:
+  markComment: |-
+    This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
+
+    Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
+
+  unmarkComment: >-
+    This issue is no longer marked for closure.
+
+  closeComment: >-
+    This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.

provisioning/roles/geerlingguy.security/.travis.yml

@@ -13,7 +13,7 @@ env:
 
 install:
   # Install test dependencies.
-  - pip install molecule docker
+  - pip install molecule yamllint ansible-lint docker
 
 before_script:
   # Use actual Ansible Galaxy role name for the project directory.

….security/molecule/default/yaml-lint.yml …ing/roles/geerlingguy.security/.yamllintprovisioning/roles/geerlingguy.security/molecule/default/yaml-lint.yml renamed to provisioning/roles/geerlingguy.security/.yamllint provisioning/roles/geerlingguy.security/molecule/default/yaml-lint.yml renamed to provisioning/roles/geerlingguy.security/.yamllint

@@ -44,6 +44,10 @@ The port through which you'd like SSH to be accessible. The default is port 22,
 
 Security settings for SSH authentication. It's best to leave these set to `"no"`, but there are times (especially during initial server configuration or when you don't have key-based authentication in place) when one or all may be safely set to `'yes'`. **NOTE: It is _very_ important that you quote the 'yes' or 'no' values. Failure to do so may lock you out of your server.**
 
+    security_sshd_state: started
+
+The state of the SSH daemon. Typically this should remain `started`.
+
     security_ssh_restart_handler_state: restarted
 
 The state of the `restart ssh` handler. Typically this should remain `restarted`.
@@ -76,7 +80,11 @@ Whether to install/enable `yum-cron` (RedHat-based systems) or `unattended-upgra
 
     security_fail2ban_enabled: true
 
-Wether to install/enable `fail2ban`. You might not want to use fail2ban if you're already using some other service for login and intrusion detection (e.g. [ConfigServer](http://configserver.com/cp/csf.html)).
+Whether to install/enable `fail2ban`. You might not want to use fail2ban if you're already using some other service for login and intrusion detection (e.g. [ConfigServer](http://configserver.com/cp/csf.html)).
+
+    security_fail2ban_custom_configuration_template: "jail.local.j2"
+
+The name of the template file used to generate `fail2ban`'s configuration.
 
 ## Dependencies
 

provisioning/roles/geerlingguy.security/README.md

@@ -7,6 +7,7 @@ security_ssh_permit_empty_password: "no"
 security_ssh_challenge_response_auth: "no"
 security_ssh_gss_api_authentication: "no"
 security_ssh_x11_forwarding: "no"
+security_sshd_state: started
 security_ssh_restart_handler_state: restarted
 
 security_sudoers_passwordless: []
@@ -22,3 +23,4 @@ security_autoupdate_mail_to: ""
 security_autoupdate_mail_on_error: true
 
 security_fail2ban_enabled: true
+security_fail2ban_custom_configuration_template: "jail.local.j2"

provisioning/roles/geerlingguy.security/defaults/main.yml

@@ -1,3 +1,5 @@
 ---
 - name: restart ssh
-  service: "name={{ security_sshd_name }} state={{ security_ssh_restart_handler_state }}"
+  service:
+    name: "{{ security_sshd_name }}"
+    state: "{{ security_ssh_restart_handler_state }}"

provisioning/roles/geerlingguy.security/handlers/main.yml

@@ -2,6 +2,7 @@
 dependencies: []
 
 galaxy_info:
+  role_name: security
   author: geerlingguy
   description: Security software installation and configuration.
   company: "Midwestern Mac, LLC"

provisioning/roles/geerlingguy.security/meta/main.yml

@@ -5,7 +5,9 @@
 
   pre_tasks:
     - name: Update apt cache.
-      package: update_cache=true cache_valid_time=600
+      package:
+        update_cache: true
+        cache_valid_time: 600
       when: ansible_os_family == 'Debian'
 
     - name: Ensure build dependencies are installed (RedHat).
@@ -17,7 +19,9 @@
       when: ansible_os_family == 'RedHat'
 
     - name: Ensure build dependencies are installed (Fedora).
-      package: name=procps state=present
+      package:
+        name: procps
+        state: present
       when: ansible_distribution == 'Fedora'
 
     - name: Ensure build dependencies are installed (Debian).
@@ -33,9 +37,7 @@
         dest: /var/log/auth.log
         content: ""
         force: false
-      when: >
-        (ansible_distribution == 'Ubuntu' and ansible_distribution_version == '14.04') or
-        (ansible_distribution == 'Debian')
+      when: ansible_distribution == 'Debian'
 
   roles:
     - role: geerlingguy.security

…y.security/molecule/default/playbook.yml …y.security/molecule/default/converge.ymlprovisioning/roles/geerlingguy.security/molecule/default/playbook.yml renamed to provisioning/roles/geerlingguy.security/molecule/default/converge.yml provisioning/roles/geerlingguy.security/molecule/default/playbook.yml renamed to provisioning/roles/geerlingguy.security/molecule/default/converge.yml

@@ -3,10 +3,10 @@ dependency:
   name: galaxy
 driver:
   name: docker
-lint:
-  name: yamllint
-  options:
-    config-file: molecule/default/yaml-lint.yml
+lint: |
+  set -e
+  yamllint .
+  ansible-lint
 platforms:
   - name: instance
     image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
@@ -17,13 +17,5 @@ platforms:
     pre_build_image: true
 provisioner:
   name: ansible
-  lint:
-    name: ansible-lint
   playbooks:
-    converge: ${MOLECULE_PLAYBOOK:-playbook.yml}
-scenario:
-  name: default
-verifier:
-  name: testinfra
-  lint:
-    name: flake8
+    converge: ${MOLECULE_PLAYBOOK:-converge.yml}