Merge branch 'ansible-lint'

osm-fr · Jan 6, 2024 · 2e4311f · lafeychine · Jan 6, 2024 · jocelynj
2 parents 41579f7 + 9b4ed3b
commit 2e4311f
Show file tree

Hide file tree

Showing 33 changed files with 214 additions and 124 deletions.
diff --git a/.config/ansible-lint-ignore.txt b/.config/ansible-lint-ignore.txt
@@ -66,19 +66,15 @@ roles/common/handlers/main.yml fqcn[action-core]
 roles/common/handlers/main.yml name[casing]
 roles/common/handlers/main.yml name[missing]
 roles/common/handlers/main.yml no-changed-when
-roles/common/handlers/main.yml no-free-form
 roles/common/handlers/munin-node.yml fqcn[action-core]
 roles/common/handlers/munin-node.yml name[casing]
-roles/common/handlers/munin-node.yml no-free-form
 roles/common/handlers/sysctl.yml fqcn[action-core]
 roles/common/handlers/sysctl.yml name[casing]
 roles/common/handlers/sysctl.yml no-changed-when
 roles/common/handlers/sysstat.yml fqcn[action-core]
 roles/common/handlers/sysstat.yml name[casing]
-roles/common/handlers/sysstat.yml no-free-form
 roles/common/tasks/apache2-monit.yml fqcn[action-core]
 roles/common/tasks/apache2-monit.yml name[casing]
-roles/common/tasks/apache2-monit.yml no-free-form
 roles/common/tasks/apache2.yml fqcn[action-core]
 roles/common/tasks/apache2.yml name[casing]
 roles/common/tasks/apache2.yml no-changed-when
@@ -88,41 +84,30 @@ roles/common/tasks/main.yml deprecated-local-action
 roles/common/tasks/main.yml deprecated-module
 roles/common/tasks/main.yml fqcn[action-core]
 roles/common/tasks/main.yml fqcn[action]
-roles/common/tasks/main.yml jinja[spacing]
 roles/common/tasks/main.yml name[casing]
 roles/common/tasks/main.yml name[missing]
 roles/common/tasks/main.yml no-changed-when
-roles/common/tasks/main.yml no-free-form
 roles/common/tasks/main.yml no-handler
-roles/common/tasks/main.yml risky-file-permissions
 roles/common/tasks/main.yml risky-shell-pipe
 roles/common/tasks/munin-node.yml fqcn[action-core]
-roles/common/tasks/munin-node.yml jinja[spacing]
 roles/common/tasks/munin-node.yml name[casing]
 roles/common/tasks/munin-node.yml no-changed-when
 roles/common/tasks/nginx.yml fqcn[action-core]
 roles/common/tasks/nginx.yml name[casing]
 roles/common/tasks/nginx.yml no-changed-when
 roles/common/tasks/ntp.yml fqcn[action-core]
 roles/common/tasks/ntp.yml name[casing]
-roles/common/tasks/ntp.yml no-free-form
 roles/common/tasks/ssh-tunnel.yml command-instead-of-shell
 roles/common/tasks/ssh-tunnel.yml fqcn[action-core]
 roles/common/tasks/ssh-tunnel.yml fqcn[action]
-roles/common/tasks/ssh-tunnel.yml jinja[spacing]
 roles/common/tasks/ssh-tunnel.yml name[casing]
 roles/common/tasks/ssh-tunnel.yml name[missing]
-roles/common/tasks/ssh-tunnel.yml no-free-form
 roles/common/tasks/ssh-tunnel.yml no-handler
-roles/common/tasks/ssh-tunnel.yml risky-file-permissions
 roles/common/tasks/sysctl.yml fqcn[action-core]
 roles/common/tasks/sysctl.yml fqcn[action]
-roles/common/tasks/sysctl.yml jinja[spacing]
 roles/common/tasks/sysctl.yml name[casing]
-roles/common/tasks/sysctl.yml risky-file-permissions
 roles/common/tasks/sysstat.yml fqcn[action-core]
 roles/common/tasks/sysstat.yml name[casing]
-roles/common/tasks/sysstat.yml no-free-form
 roles/drupal/handlers/main.yml fqcn[action-core]
 roles/drupal/handlers/main.yml name[casing]
 roles/drupal/handlers/main.yml no-free-form
@@ -445,12 +430,6 @@ shared/osmosis.yml fqcn[action-core]
 shared/osmosis.yml name[casing]
 shared/osmosis.yml no-free-form
 shared/osmosis.yml risky-file-permissions
-shared/project-account.yml command-instead-of-shell
-shared/project-account.yml fqcn[action-core]
-shared/project-account.yml name[casing]
-shared/project-account.yml no-free-form
-shared/project-account.yml no-handler
-shared/project-account.yml risky-file-permissions
 sympa.yml name[casing]
 taginfo.yml name[casing]
 unattended-upgrades.yml name[casing]

diff --git a/.config/ansible-lint.yml b/.config/ansible-lint.yml
@@ -3,9 +3,12 @@ profile: production
 
 enable_list:
   - empty-string-compare
+  - jinja
+  - no-free-form
   - no-log-password
   - no-prompting
   - no-same-owner
+  - risky-file-permissions
 
 offline: true
 ...
diff --git a/roles/comcommaker/tasks/main.yml b/roles/comcommaker/tasks/main.yml
@@ -11,7 +11,7 @@
       - libapache2-mod-wsgi-py3
 
 
-- include: ../../../shared/project-account.yml
+- include_tasks: ../../../shared/project-account.yml
   vars:
     user: "{{ comcommaker_user }}"
 

diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
@@ -4,30 +4,31 @@
     state: reloaded
 
 - name: restart apache
-  service: name=apache2 state=restarted
+  systemd:
+    name: apache2
+    state: restarted
 
 - name: reload nginx
   systemd:
     name: nginx
     state: reloaded
 
-- name: restart denyhosts
-  service: name=denyhosts state=restarted
-
 - name: restart monit
-  service: name=monit state=restarted
+  systemd:
+    name: monit
+    state: restarted
 
 - name: generate locales
   command: /usr/sbin/locale-gen
 
 - name: detect sensors
   shell: /usr/sbin/sensors-detect < /dev/null
 
-- include: munin-node.yml
+- import_tasks: munin-node.yml
 
-- include: sysstat.yml
+- import_tasks: sysstat.yml
 
-- include: sysctl.yml
+- import_tasks: sysctl.yml
 
 - name: restart systemd-hostnamed
   systemd:

diff --git a/roles/common/handlers/munin-node.yml b/roles/common/handlers/munin-node.yml
@@ -1,2 +1,4 @@
 - name: restart munin-node
-  service: name=munin-node state=restarted
+  systemd:
+    name: munin-node
+    state: restarted
diff --git a/roles/common/handlers/sysstat.yml b/roles/common/handlers/sysstat.yml
@@ -1,2 +1,4 @@
 - name: restart sysstat
-  service: name=sysstat state=restarted
+  systemd:
+    name: sysstat
+    state: restarted
diff --git a/roles/common/tasks/apache2-monit.yml b/roles/common/tasks/apache2-monit.yml
@@ -1,23 +1,38 @@
 - name: add apache proxy module
-  file: src="/etc/apache2/mods-available/{{ item }}" dest="/etc/apache2/mods-enabled/{{ item }}" state=link
+  file:
+    src: "/etc/apache2/mods-available/{{ item }}"
+    dest: "/etc/apache2/mods-enabled/{{ item }}"
+    state: link
   notify: restart apache
   with_items:
     - proxy.conf
     - proxy_http.load
     - proxy.load
 
 - name: configure monit in apache
-  copy: src="apache-monit" dest="/etc/apache2/sites-available/monit.conf" owner=root group=root mode=0644
+  copy:
+    src: "apache-monit"
+    dest: "/etc/apache2/sites-available/monit.conf"
+    owner: root
+    group: root
+    mode: 0644
   notify: restart apache
 
 - name: enable monit in apache
-  file: src="/etc/apache2/sites-available/monit.conf" dest="/etc/apache2/sites-enabled/monit.conf" state=link
+  file:
+    src: "/etc/apache2/sites-available/monit.conf"
+    dest: "/etc/apache2/sites-enabled/monit.conf"
+    state: link
   notify: restart apache
 
 - name: remove /etc/apache2/sites-available/monit
-  file: path="/etc/apache2/sites-available/monit" state=absent
+  file:
+    path: "/etc/apache2/sites-available/monit"
+    state: absent
   notify: restart apache
 
 - name: remove /etc/apache2/sites-enabled/monit
-  file: path="/etc/apache2/sites-enabled/monit" state=absent
+  file:
+    path: "/etc/apache2/sites-enabled/monit"
+    state: absent
   notify: restart apache
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
@@ -1,6 +1,6 @@
 - name: set proxmox password
   set_fact:
-    proxmox_password: "{{ lookup('env','PROXMOX_PASSWORD_'+proxmox_var.host.split('.')[0]) }}"
+    proxmox_password: "{{ lookup('env', 'PROXMOX_PASSWORD_' + proxmox_var.host.split('.')[0]) }}"
   when: proxmox_var is defined and vm_host is defined and lookup('env','PROXMOX_PASSWORD_'+proxmox_var.host.split('.')[0])
 
 - name: init cache/templates/
@@ -9,6 +9,7 @@
     path: "cache/templates/"
     state: directory
     force: no
+    mode: 0755
   when: proxmox_password is defined
   become: no
 
@@ -25,6 +26,7 @@
     module: get_url
     dest: "cache/templates/{{ item }}"
     url: "http://download.proxmox.com/images/system/{{ item }}"
+    mode: 0644
   with_items:
     - "{{ proxmox_var.ostemplate }}"
     - "{{ '.'.join(proxmox_var.ostemplate.split('.')[0:-2]) + '.aplinfo' }}"
@@ -69,7 +71,7 @@
     onboot: yes
     ostemplate: "local:vztmpl/{{ proxmox_var.ostemplate }}"
     password: "{{ lookup('password', 'credentials/proxmox/' + inventory_hostname) }}"
-    pubkey: "{{ lookup('file', lookup('env','PROXMOX_SSHPUBKEY')) }}"
+    pubkey: "{{ lookup('file', lookup('env', 'PROXMOX_SSHPUBKEY')) }}"
     state: present
     storage: "{{ proxmox_var.storage }}"
     swap: "{{ proxmox_var.swap }}"
@@ -111,7 +113,7 @@
     ostype: "l26"
     scsi:
       scsi0: "{{ proxmox_var.storage }}:{{ proxmox_var.disk }},format=raw"
-    sshkeys: "{{ lookup('file', lookup('env','PROXMOX_SSHPUBKEY')) }}"
+    sshkeys: "{{ lookup('file', lookup('env', 'PROXMOX_SSHPUBKEY')) }}"
     state: present
   when: proxmox_password is defined and (proxmox_var.kvm is defined and proxmox_var.kvm == 1)
   register: create_vm
@@ -137,7 +139,7 @@
     ostype: "l26"
     scsi:
       scsi0: "{{ proxmox_var.storage }}:{{ proxmox_var.disk }},format=raw"
-    sshkeys: "{{ lookup('file', lookup('env','PROXMOX_SSHPUBKEY')) }}"
+    sshkeys: "{{ lookup('file', lookup('env', 'PROXMOX_SSHPUBKEY')) }}"
     state: present
     update: yes
   when: proxmox_password is defined and (proxmox_var.kvm is defined and proxmox_var.kvm == 1)
@@ -230,7 +232,7 @@
     block: |
       Host {{ item }}
         Hostname {{ hostvars[item].proxmox_var.ipv6 }}
-  with_items: '{{play_hosts}}'
+  with_items: '{{ play_hosts }}'
   when: proxmox_password is defined and (create_ct.changed or create_vm.changed)
   become: no
 
@@ -240,7 +242,7 @@
     module: known_hosts
     name: "{{ hostvars[item].proxmox_var.ipv6 }}"
     key: "{{ lookup('pipe', 'ssh-keyscan {{ hostvars[item].proxmox_var.ipv6 }}') }}"
-  with_items: '{{play_hosts}}'
+  with_items: '{{ play_hosts }}'
   when: proxmox_password is defined and (create_ct.changed or create_vm.changed)
   become: no
 
@@ -266,7 +268,8 @@
          (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version == '18') or
          (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version == '20'))
 
-- set_fact: install_apache=false
+- set_fact:
+    install_apache: false
   when: install_apache is undefined
 
 - name: add backports
@@ -340,6 +343,7 @@
     url: "https://download.docker.com/linux/debian/gpg"
     dest: "/usr/share/keyrings/docker-archive-keyring.gpg.tmp"
     checksum: "sha512:d07607e3119181026e3309fb828882a13621960c54290416c2f897e1834f36abdb48d11b6f71aba1d2b9e7dac3f3fe8281c248500cfe13705674a5446826b699"
+    mode: 0644
   when: proxmox_var is defined and proxmox_var.docker is defined and proxmox_var.docker
 
 - name: activate docker apt key
@@ -396,6 +400,7 @@
     owner: root
     group: root
     force: no
+    mode: 0755
   with_items:
     - /data
     - /data/project
@@ -486,21 +491,23 @@
 - name: add ssh key to user backuppc
   authorized_key:
     user: backuppc
-    key: "{{ lookup('file',item) }}"
+    key: "{{ lookup('file', item) }}"
   with_fileglob:
-    - "{{ lookup('env','PWD') }}/public_keys/backuppc-*"
+    - "{{ lookup('env', 'PWD') }}/public_keys/backuppc-*"
 
 - name: create empty /var/www for backuppc
   file:
     path: /var/www/
     state: directory
     force: no
+    mode: 0755
 
 - name: create empty file in backup-ed /var/www
   copy:
     content: ""
     dest: /var/www/.empty-file-for-backuppc
     force: no
+    mode: 0444
 
 - name: update hosts.allow
   lineinfile:
@@ -532,6 +539,7 @@
     dest: /var/lib/locales/supported.d/local
     force: no
     owner: root
+    mode: 0644
   when: ansible_distribution == 'Ubuntu'
 
 - name: configure locales
@@ -577,20 +585,23 @@
     - systemd daemon-reload
   when: "'proxmox' in group_names"
 
-- include: ssh-tunnel.yml user=ssh-tunnel uid=1104
+- ansible.builtin.include_tasks: ssh-tunnel.yml
+  vars:
+    user: "ssh-tunnel"
+    uid: "1104"
   when: "'ssh-tunnel' in group_names"
 
-- include: apache2.yml
+- ansible.builtin.import_tasks: apache2.yml
 
-- include: nginx.yml
+- ansible.builtin.import_tasks: nginx.yml
 
-- include: munin-node.yml
+- ansible.builtin.import_tasks: munin-node.yml
 
-- include: sysstat.yml
+- ansible.builtin.include_tasks: sysstat.yml
   when: "'proxmox' in group_names"
 
-- include: sysctl.yml
+- ansible.builtin.include_tasks: sysctl.yml
   when: "'proxmox' in group_names"
 
-- include: ntp.yml
+- ansible.builtin.include_tasks: ntp.yml
   when: "not 'vm' in group_names"
diff --git a/roles/common/tasks/munin-node.yml b/roles/common/tasks/munin-node.yml
@@ -21,7 +21,7 @@
     dest: /etc/munin/munin-node.conf
     regexp: "^host_name {{ inventory_hostname }}"
     insertafter: "^#host_name"
-    line: "host_name {{ inventory_hostname  }}"
+    line: "host_name {{ inventory_hostname }}"
   notify:
     - restart munin-node
 

diff --git a/roles/common/tasks/ntp.yml b/roles/common/tasks/ntp.yml
@@ -1,5 +1,10 @@
 - name: install ntp package
-  apt: pkg=ntp
+  apt:
+    pkg:
+      - ntp
 
 - name: launch ntp
-  service: name=ntp state=started enabled=yes
+  systemd:
+    name: ntp
+    state: started
+    enabled: yes