Initial commit

.gitignore

@@ -0,0 +1,164 @@
+# ---> Ansible
+*.retry
+
+# ---> Python
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# ---> Vim
+# Swap
+[._]*.s[a-v][a-z]
+!*.svg  # comment out if you don't need vector files
+[._]*.sw[a-p]
+[._]s[a-rt-v][a-z]
+[._]ss[a-gi-z]
+[._]sw[a-p]
+
+# Session
+Session.vim
+Sessionx.vim
+
+# Temporary
+.netrwhist
+*~
+# Auto-generated tag files
+tags
+# Persistent undo
+[._]*.un~
+

README.md

@@ -0,0 +1,39 @@
+deapparmor
+==========
+
+Deactivate and uninstall AppArmor
+
+Requirements
+------------
+
+- None
+
+Role Variables
+--------------
+
+Defaults:
+- `deapparmor_reboot`: False - Reboot machine if necessary
+
+Dependencies
+------------
+
+- None
+
+Example Playbook
+----------------
+
+    - hosts: servers
+      roles:
+         - { role: deapparmor }
+
+License
+-------
+
+AGPL3.0-or-later
+
+Author Information
+------------------
+
+- Sven Velt <sven-ansiblerole@velt.biz>
+- https://git.velt.biz/
+

deapparmor.yml

@@ -0,0 +1,6 @@
+---
+- hosts: all
+
+  roles:
+    - role: deapparmor
+

defaults/main.yml

@@ -0,0 +1,3 @@
+---
+deapparmor_reboot: False
+

handlers/main.yml

@@ -0,0 +1,36 @@
+---
+- name: "[GRUB] update-grub"
+  listen:
+    - update-grub for DeAppArmor
+  ansible.builtin.command:
+    cmd: update-grub
+  ignore_errors: True
+  register: deapparmor_update_grub
+
+
+- name: "[GRUB] Do NOT reboot machine"
+  listen:
+    - update-grub for DeAppArmor
+  set_fact:
+    deapparmor_reboot: False
+  when: deapparmor_update_grub is failed
+
+
+- name: "[GRUB] Attention to update-grub"
+  listen:
+    - update-grub for DeAppArmor
+  pause:
+    prompt: "'update-grub' failed! Please check contents of /etc/default/grub"
+    minutes: 1
+  when: deapparmor_update_grub is failed
+
+
+- name: Reboot machine for DeAppArmor
+  ansible.builtin.reboot:
+    msg: Rebooting for changes taking effect
+    search_paths:
+      - /lib/molly-guard
+      - /usr/sbin
+  when: deapparmor_reboot == True
+
+

meta/main.yml

@@ -0,0 +1,22 @@
+galaxy_info:
+  author: Sven Velt
+  description: Deinstall AppArmor
+  company: velt.biz
+  issue_tracker_url: https://git.velt.biz/Ansible/deapparmor/issues
+  license: AGPL-3.0-or-later
+  min_ansible_version: '2.10'
+  platforms:
+    - name: Debian
+      versions:
+        - buster
+        - bullseye
+        - trixie
+    - name: Devuan
+      versions:
+        - chimaera
+        - daedalus
+  galaxy_tags: []
+  namespace: velt
+
+dependencies: []
+

tasks/main.yml

@@ -0,0 +1,41 @@
+---
+- name: Sanity checks
+  ansible.builtin.assert:
+    that:
+      - ansible_os_family|default("N/A") in ["Debian"]
+
+
+- name: Get distribution variables
+  ansible.builtin.include_vars:
+    file: "os_{{ ansible_os_family|lower }}.yml"
+
+
+- name: Remove packages
+  ansible.builtin.package:
+    name: "{{ deapparmor_packages }}"
+    state: absent
+  notify: "Reboot machine for DeAppArmor"
+
+
+- name: "[GRUB] Look for disabled AppArmor"
+  ansible.builtin.shell:
+    cmd: 'grep "^GRUB_CMDLINE_LINUX=.*apparmor=0" /etc/default/grub || true'
+  changed_when: False
+  register: deapparmor_grub_comdline
+
+
+- name: "[GRUB] Add apparmor=0"
+  ansible.builtin.lineinfile:
+    path: /etc/default/grub
+    line: 'GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} apparmor=0"'
+    insertafter: '^GRUB_CMDLINE_LINUX='
+    owner: root
+    group: root
+    mode: 0644
+    backup: yes
+  when: deapparmor_grub_comdline.stdout_lines|length == 0
+  notify:
+    - "update-grub for DeAppArmor"
+    - "Reboot machine for DeAppArmor"
+
+

vars/os_debian.yml

@@ -0,0 +1,4 @@
+---
+deapparmor_packages:
+  - apparmor
+