From a079b3f1172e2f8004f128f532cc434bb698bbf3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gardais=20J=C3=A9r=C3=A9my?=
Date: Fri, 15 Jun 2018 16:21:09 +0200
Subject: [PATCH] Debsecan: Configuration

---
 CHANGELOG.md | 1 +
 README.md | 11 +++++---
 defaults/main.yml | 44 +++++++++++++++++++++++++++++++
 tasks/main.yml | 9 +++++++
 templates/etc/default/debsecan.j2 | 19 +++++++++++++
 5 files changed, 81 insertions(+), 3 deletions(-)
 create mode 100644 templates/etc/default/debsecan.j2

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 678aea2..6971816 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,3 +2,4 @@
 ### Features
 * Install debsecan
+* Debsecan: Configuration
diff --git a/README.md b/README.md
index c856495..c09b362 100644
--- a/README.md
+++ b/README.md
@@ -15,9 +15,13 @@ A role that provide some security tools for Debian.
 ## Role Variables
-* **deb_sec__required_packages** : List of required packages [default : `debsecan`]
-* **deb_sec__deploy_state** : The desired state this role should achieve. [default : `present`].
-
+* **deb_sec__required_packages** : List of required packages [default : `debsecan`].
+* **deb_sec__deploy_state** : The desired state this role should achieve [default : `present`].
+* **deb_sec__debsecan_report** : If daily reports should be enable [default : `true`].
+* **deb_sec__debsecan_suite** : Suite name used to produce more informative output [default : `{{ ansible_distribution_release }}`].
+* **deb_sec__debsecan_mailto** : Mail address to which reports are sent [default : `root`].
+* **deb_sec__debsecan_source** : The URL from which vulnerability data is downloaded [default : `''`].
+*
 ## Example Playbook
 * Default behaviour :
@@ -32,6 +36,7 @@ A role that provide some security tools for Debian.
 This role will :
 * Install some security tools (eg. Debsecan,…).
+* Configure Debsecan.
 ## Development
diff --git a/defaults/main.yml b/defaults/main.yml
index d58d06c..21dca39 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -27,3 +27,47 @@ deb_sec__required_packages:
 deb_sec__deploy_state: 'present'
 # ]]]
 # ]]]
+# Debsecan [[[
+# ------------
+
+# .. envvar:: deb_sec__debsecan_report [[[
+#
+# If daily reports should be enable. Possible options :
+#
+# ``true``
+# Default.
+#
+# ``false``
+#
+deb_sec__debsecan_report: true
+ # ]]]
+# .. envvar:: deb_sec__debsecan_suite [[[
+#
+# The suite name used to produce more informative output. Possible options are
+# all Debian (and derivative) codename (eg. stretch) not the temporal
+# name (eg. stable,…).
+#
+# ``ansible_distribution_release``
+# Default. Use ansible variable to determine the current codename.
+#
+deb_sec__debsecan_suite: '{{ ansible_distribution_release }}'
+ # ]]]
+# .. envvar:: deb_sec__debsecan_mailto [[[
+#
+# Mail address to which reports are sent.
+#
+# ``root``
+# Default.
+#
+deb_sec__debsecan_mailto: 'root'
+ # ]]]
+# .. envvar:: deb_sec__debsecan_source [[[
+#
+# The URL from which vulnerability data is downloaded.
+
+# ``''``
+# Default. Empty for the built-in default.
+#
+deb_sec__debsecan_source: ''
+ # ]]]
+ # ]]]
diff --git a/tasks/main.yml b/tasks/main.yml
index 8a84514..3b2e368 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -12,3 +12,12 @@
 install_recommends: False
 with_flattened:
 - '{{ deb_sec__required_packages }}'
+# Debsecan [[[1
+- name: Debsecan configuration
+ template:
+ src: 'etc/default/debsecan.j2'
+ dest: '/etc/default/debsecan'
+ owner: 'root'
+ group: 'root'
+ mode: '0644'
+ when: (deb_sec__deploy_state == "present")
diff --git a/templates/etc/default/debsecan.j2 b/templates/etc/default/debsecan.j2
new file mode 100644
index 0000000..326e705
--- /dev/null
+++ b/templates/etc/default/debsecan.j2
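Review bot: The `deb_sec__debsecan_source` block documents the URL as a free choice but says nothing about transport, and that value is what every daily report on the host is built from: a plain-`http://` source, or any source whose data an on-path attacker can rewrite, lets them hide real vulnerabilities or fabricate them, and as far as I know debsecan does not verify a signature on the downloaded data. I would extend that comment with `# Use an https:// URL; debsecan does not signature-check the data, so a plain-http source can be tampered with in transit.` and, if the role wants to enforce it, reject non-empty values that do not start with `https://` in `tasks/main.yml`. Separately, the blank line inside that block between `downloaded.` and the ``` ``''`` ``` entry is a bare `+` rather than `+#`, unlike the other three envvar blocks, which presumably also breaks the RST rendering of this docstring.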
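Review bot: The new template task only fires for `deb_sec__deploy_state == "present"`; with `absent` the role leaves the rendered `/etc/default/debsecan` in place, so a host that was once managed keeps role-chosen `MAILTO` and `SOURCE` values after the role is withdrawn, which is probably not what a state called absent intends. Since the file is declared shell `KEY=VALUE` syntax, also consider `validate: 'sh -n %s'` on the template task so an inventory value with an unbalanced quote is rejected before the file is installed; it will not catch a value with embedded whitespace, but it is cheap. The package install task this hunk appends to starts outside the hunk, so I cannot see whether it already covers the absent case.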
@@ -0,0 +1,19 @@
+# {{ ansible_managed }}
+#
+# Configuration file for debsecan. Contents of this file should
+# adhere to the KEY=VALUE shell syntax. This file may be edited by
+# debsecan's scripts, but your modifications are preserved.
+
+# If true, enable daily reports, sent by email.
+REPORT={{ deb_sec__debsecan_report }}
+
+# For better reporting, specify the correct suite here, using the code
+# name (that is, "sid" instead of "unstable").
+SUITE={{ deb_sec__debsecan_suite }}
+
+# Mail address to which reports are sent.
+MAILTO={{ deb_sec__debsecan_mailto }}
+
+# The URL from which vulnerability data is downloaded. Empty for the
+# built-in default.
+SOURCE={{ deb_sec__debsecan_source }}
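Review bot: `REPORT={{ deb_sec__debsecan_report }}` will render the role's boolean default as `True`, because Ansible hands Jinja2 a Python bool and `{{ True }}` prints capitalised, whereas the comment two lines above and the stock debsecan file use the lowercase `true`; if debsecan's cron path does a plain string comparison, which is my recollection, the default configuration silently disables the daily report it claims to enable. Emit an explicit lowercase string instead: `REPORT={{ 'true' if deb_sec__debsecan_report | bool else 'false' }}`. `SUITE`, `MAILTO` and `SOURCE` are interpolated unquoted into what the header declares to be shell `KEY=VALUE` syntax, so an inventory value containing whitespace, `#` or a quote changes the meaning of the line rather than failing loudly; at least `MAILTO` and `SOURCE` deserve a shape check (an `assert` task) before this template is rendered.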