From a577af133d8647728264d2a72ebc6facd5fc8f5a Mon Sep 17 00:00:00 2001
From: NaeiKinDus
Date: Wed, 29 Nov 2023 00:00:00 +0000
Subject: [PATCH] feat(security): update apt source lists to use https instead of http

---
 .../roles/security/defaults/main.yml | 3 +++
 .../roles/security/handlers/main.yml | 6 ++++++
 .../roles/security/tasks/main.yml | 18 ++++++++++++++++++
 3 files changed, 27 insertions(+)

diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml
index 5fbd7e0..b79ba88 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml
@@ -1,5 +1,8 @@
 ---
 security:
+ apt:
+ force_https: true
+ https_ignore_list: []
 clamav:
 version: 1.2.1
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/handlers/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/security/handlers/main.yml
index 988ebab..3dd7388 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/handlers/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/handlers/main.yml
@@ -31,3 +31,9 @@
 name: clamav-clamd.service
 enabled: true
 state: restarted
+
+ - name: '[apt] update sources'
+ become: true
+ ansible.builtin.apt:
+ update_cache: true
+ force_apt_get: true
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml
index 880d882..355566d 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml
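Review bot: `https_ignore_list` needs a comment stating what its entries are: the tasks hunk subtracts it from the paths that `find` prints, so entries are absolute source-file paths such as `/etc/apt/sources.list.d/<file>.list`, not mirror hosts or URLs as the key name suggests. Proposed comment above the key: `# absolute paths of apt source files left untouched (matched against find output, not mirror hosts)`. `force_https: true` as the shipped default also means every host is rewritten unless a playbook opts out; a one-line comment saying so next to the key would avoid a surprise on first run.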
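Review bot: The new handler is reachable only through the role-qualified string `'security : [apt] update sources'` that the tasks hunk notifies, which couples the notify to the role's current name and directory. A `listen:` entry on the handler, e.g. `listen: 'apt update sources'`, gives tasks a stable topic to notify and survives a rename of the role or a move of the handler. Since this handler is also the only place where a mirror that does not serve HTTPS will surface as a failure, a short comment saying that it is expected to fail loudly rather than be ignored would help the next reader.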
@@ -9,6 +9,24 @@
 security: "{{ security | combine(custom_security, recursive=recursive_combine) }}"
 changed_when: false
+- name: '[apt] force HTTPS sources'
+ become: true
+ when: security.apt.force_https is truthy
+ block:
+ - name: '[apt] fetch apt information'
+ ansible.builtin.command:
+ cmd: find /etc/apt -maxdepth 2 -path \*sources.list -o -path \*sources.list.d\* -type f
+ register: apt_source_files
+ changed_when: false
+ - name: '[apt] updating sources'
+ ansible.builtin.replace:
+ path: "{{ item }}"
+ regexp: 'http://'
+ replace: 'https://'
+ loop: "{{ apt_source_files.stdout_lines | difference(security.apt.https_ignore_list) }}"
+ notify:
+ - 'security : [apt] update sources'
+
 - name: '[ssh] hardening sshd'
 become: true
 block:
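Review bot: The `replace` task rewrites every `http://` in the matched files without any check that the mirror behind it serves HTTPS, and `https_ignore_list` is subtracted from file paths rather than mirror hosts, so a single HTTP-only mirror in a shared sources file leaves apt unable to refresh, and that failure surfaces only when the notified `update sources` handler eventually runs rather than at this task. A per-host ignore list or a reachability check on the distinct mirror hosts before the replace would make the failure explicit where it happens, and `backup: true` on the replace would keep the pre-rewrite file for rollback. Separately, the `find` expression binds `-type f` only to the second `-path` branch because `-a` binds tighter than `-o`; grouping the two paths fixes it: `cmd: find /etc/apt -maxdepth 2 -type f \( -path \*sources.list -o -path \*sources.list.d\* \)` (the command module's shlex split turns `\(` into `(`, as it already does for `\*`). The surrounding task list continues outside the hunk on both sides.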