feat(security): update apt source lists to use https instead of http

2023-11-29 00:00:00 +00:00 · 2023-11-29 00:00:00 +00:00 · a577af133d
commit a577af133d
parent 8a8d69d173
3 changed files with 27 additions and 0 deletions
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml
@ -1,5 +1,8 @@
 ---
 security:
+  apt:
+    force_https: true
+    https_ignore_list: []
  clamav:
    version: 1.2.1

--- a/collections/ansible_collections/nullified/infrastructure/roles/security/handlers/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/handlers/main.yml
@ -31,3 +31,9 @@
    name: clamav-clamd.service
    enabled: true
    state: restarted
+
+- name: '[apt] update sources'
+  become: true
+  ansible.builtin.apt:
+    update_cache: true
+    force_apt_get: true
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml
@ -9,6 +9,24 @@
    security: "{{ security | combine(custom_security, recursive=recursive_combine) }}"
  changed_when: false

+- name: '[apt] force HTTPS sources'
+  become: true
+  when: security.apt.force_https is truthy
+  block:
+    - name: '[apt] fetch apt information'
+      ansible.builtin.command:
+        cmd: find /etc/apt -maxdepth 2 -path \*sources.list -o -path \*sources.list.d\* -type f
+      register: apt_source_files
+      changed_when: false
+    - name: '[apt] updating sources'
+      ansible.builtin.replace:
+        path: "{{ item }}"
+        regexp: 'http://'
+        replace: 'https://'
+      loop: "{{ apt_source_files.stdout_lines | difference(security.apt.https_ignore_list) }}"
+      notify:
+        - 'security : [apt] update sources'
+
 - name: '[ssh] hardening sshd'
  become: true
  block: