feat(security): update apt source lists to use https instead of http

collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml

@@ -1,5 +1,8 @@
 ---
 security:
+  apt:
+    force_https: true
+    https_ignore_list: []
   clamav:
     version: 1.2.1
 

collections/ansible_collections/nullified/infrastructure/roles/security/handlers/main.yml

@@ -31,3 +31,9 @@
     name: clamav-clamd.service
     enabled: true
     state: restarted
+
+- name: '[apt] update sources'
+  become: true
+  ansible.builtin.apt:
+    update_cache: true
+    force_apt_get: true

collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml

@@ -9,6 +9,24 @@
     security: "{{ security | combine(custom_security, recursive=recursive_combine) }}"
   changed_when: false
 
+- name: '[apt] force HTTPS sources'
+  become: true
+  when: security.apt.force_https is truthy
+  block:
+    - name: '[apt] fetch apt information'
+      ansible.builtin.command:
+        cmd: find /etc/apt -maxdepth 2 -path \*sources.list -o -path \*sources.list.d\* -type f
+      register: apt_source_files
+      changed_when: false
+    - name: '[apt] updating sources'
+      ansible.builtin.replace:
+        path: "{{ item }}"
+        regexp: 'http://'
+        replace: 'https://'
+      loop: "{{ apt_source_files.stdout_lines | difference(security.apt.https_ignore_list) }}"
+      notify:
+        - 'security : [apt] update sources'
+
 - name: '[ssh] hardening sshd'
   become: true
   block: