Debsecan: Configuration

CHANGELOG.md

@@ -2,3 +2,4 @@
 
 ### Features
 * Install debsecan
+* Debsecan: Configuration

README.md

@@ -15,9 +15,13 @@ A role that provide some security tools for Debian.
 
 ## Role Variables
 
-* **deb_sec__required_packages** : List of required packages [default : `debsecan`]
-* **deb_sec__deploy_state** : The desired state this role should achieve. [default : `present`].
-
+* **deb_sec__required_packages** : List of required packages [default : `debsecan`].
+* **deb_sec__deploy_state** : The desired state this role should achieve [default : `present`].
+* **deb_sec__debsecan_report** : If daily reports should be enable [default : `true`].
+* **deb_sec__debsecan_suite** : Suite name used to produce more informative output [default : `{{ ansible_distribution_release }}`].
+* **deb_sec__debsecan_mailto** : Mail address to which reports are sent [default : `root`].
+* **deb_sec__debsecan_source** : The URL from which vulnerability data is downloaded [default : `''`].
+*
 ## Example Playbook
 
 * Default behaviour :
@@ -32,6 +36,7 @@ A role that provide some security tools for Debian.
 
 This role will :
 * Install some security tools (eg. Debsecan,…).
+* Configure Debsecan.
 
 ## Development
 

defaults/main.yml

@@ -27,3 +27,47 @@ deb_sec__required_packages:
 deb_sec__deploy_state: 'present'
                                                                    # ]]]
                                                                    # ]]]
+# Debsecan [[[
+# ------------
+
+# .. envvar:: deb_sec__debsecan_report [[[
+#
+# If daily reports should be enable. Possible options :
+#
+# ``true``
+#   Default.
+#
+# ``false``
+#
+deb_sec__debsecan_report: true
+                                                                   # ]]]
+# .. envvar:: deb_sec__debsecan_suite [[[
+#
+# The suite name used to produce more informative output. Possible options are
+# all Debian (and derivative) codename (eg. stretch) not the temporal
+# name (eg. stable,…).
+#
+# ``ansible_distribution_release``
+#   Default. Use ansible variable to determine the current codename.
+#
+deb_sec__debsecan_suite: '{{ ansible_distribution_release }}'
+                                                                   # ]]]
+# .. envvar:: deb_sec__debsecan_mailto [[[
+#
+# Mail address to which reports are sent.
+#
+# ``root``
+#   Default.
+#
+deb_sec__debsecan_mailto: 'root'
+                                                                   # ]]]
+# .. envvar:: deb_sec__debsecan_source [[[
+#
+# The URL from which vulnerability data is downloaded.
+
+# ``''``
+#   Default. Empty for the built-in default.
+#
+deb_sec__debsecan_source: ''
+                                                                   # ]]]
+                                                                   # ]]]

tasks/main.yml

@@ -12,3 +12,12 @@
     install_recommends: False
   with_flattened:
     - '{{ deb_sec__required_packages }}'
+# Debsecan [[[1
+- name: Debsecan configuration
+  template:
+    src: 'etc/default/debsecan.j2'
+    dest: '/etc/default/debsecan'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: (deb_sec__deploy_state == "present")

templates/etc/default/debsecan.j2

@@ -0,0 +1,19 @@
+# {{ ansible_managed }}
+#
+# Configuration file for debsecan.  Contents of this file should
+# adhere to the KEY=VALUE shell syntax.  This file may be edited by
+# debsecan's scripts, but your modifications are preserved.
+
+# If true, enable daily reports, sent by email.
+REPORT={{ deb_sec__debsecan_report }}
+
+# For better reporting, specify the correct suite here, using the code
+# name (that is, "sid" instead of "unstable").
+SUITE={{ deb_sec__debsecan_suite }}
+
+# Mail address to which reports are sent.
+MAILTO={{ deb_sec__debsecan_mailto }}
+
+# The URL from which vulnerability data is downloaded.  Empty for the
+# built-in default.
+SOURCE={{ deb_sec__debsecan_source }}