Merge pull request 'Ansible-lint and yamllint' (#32) from linting into dev

Reviewed-by: Jérémy Dubois <jdubois@noreply.gitea.evolix.org>
Reviewed-by: Tristan Pilat <drustan@noreply.gitea.evolix.org>

.drone.yml

@@ -0,0 +1,30 @@
+---
+kind: pipeline
+type: docker
+name: default
+
+steps:
+  - name: lint markdown files
+    image: pipelinecomponents/remark-lint:latest
+    commands:
+      - "remark --no-stdout --color  --use preset-lint-recommended ."
+
+  - name: lint yaml files
+    image: pipelinecomponents/yamllint:latest
+    commands:
+      - "yamllint ."
+
+  - name: lint ansible scripts
+    image: pipelinecomponents/ansible-lint:latest
+    commands:
+      - >
+        find . -maxdepth 1 -name '*.yml'
+        | sort
+        | grep -v '.drone.yml'
+        | xargs ansible-playbook --syntax-check --list-tasks
+
+      - >
+        find . -maxdepth 1 -name '*.yml'
+        | sort
+        | grep -v '.drone.yml'
+        | xargs ansible-lint

CONTRIBUTING.md

@@ -10,7 +10,7 @@ created.
  you're updating the CHANGELOG file.
 
 3.  Use feature branches for anything else, once they've passed all
-CI tests and have been reviewed by other contributors through a
+ CI test, lints and have been reviewed by other contributors through a
  pull request, they may be merged into the dev branch.
 
 

README.md

@@ -9,13 +9,13 @@ used by Evolix.
 Put your public key in the remote root's autorized_keys
 (/root/.ssh/authorized_keys)
 
-1 - Install ansible's prerequisites
+1.  Install ansible's prerequisites
 
 ```
 ansible-playbook prerequisite.yml -CDi hosts -l HOSTNAME
 ```
 
-2 - Run it
+2.  Run it
 
 ```
 ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts -l HOSTNAME

evolixisation.yml

@@ -40,6 +40,5 @@
         tasks_from: exec.yml
 
 #  environment:
+# yamllint disable-line rule:line-length
 # PKG_PATH: "http://ftp.openbsd.org/pub/OpenBSD/{{ ansible_distribution_version }}/packages/{{ ansible_architecture }}/"
-
-# vim:ft=ansible

prerequisite.yml

@@ -3,14 +3,15 @@
 
 ---
 - hosts: all
-    become: yes
+  become: true
   become_method: su
   user: root
-    gather_facts: no
+  gather_facts: false
 
   tasks:
 
     - name: Install ansible's prerequisite
+      # yamllint disable-line rule:line-length
       raw: export PKG_PATH=http://ftp.eu.openbsd.org/pub/OpenBSD/$(uname -r)/packages/$(uname -p)/; pkg_add -z python-2
 
 # vim:ft=ansible

roles/accounts/tasks/main.yml

@@ -30,13 +30,15 @@
   check_mode: false
   register: grep_allowusers_ssh
 
-- assert:
+- name: "Check that AllowUsers and AllowGroup do not override each other"
+  assert:
     that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
     msg: "We can't deal with AllowUsers and AllowGroups at the same time"
 
-- set_fact:
+- name: "If AllowGroups is present then use it"
-    # If "AllowGroups is present"
+  set_fact:
-    ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
+    ssh_allowgroups:
+      "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
 
 - name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
   lineinfile:

roles/base/defaults/main.yml

@@ -6,25 +6,30 @@ general_alert_email: "root@localhost"
 general_technical_realm: "example.com"
 
 evomaintenance_realm: "example.com"
-evomaintenance_alert_email: "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}"
+evomaintenance_alert_email:
-evomaintenance_hostname: "{{ inventory_hostname }}.{{ general_technical_realm }}"
+  "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}"
-evomaintenance_pg_host: Null
+evomaintenance_hostname:
-evomaintenance_pg_passwd: Null
+  "{{ inventory_hostname }}.{{ general_technical_realm }}"
-evomaintenance_pg_db: Null
+evomaintenance_pg_host: null
-evomaintenance_pg_table: Null
+evomaintenance_pg_passwd: null
+evomaintenance_pg_db: null
+evomaintenance_pg_table: null
 evomaintenance_from_domain: "{{ evomaintenance_realm }}"
 evomaintenance_from: "evomaintenance@{{ evomaintenance_from_domain }}"
 evomaintenance_full_from: "Evomaintenance <{{ evomaintenance_from }}>"
 evomaintenance_urgency_from: mama.doe@example.com
 evomaintenance_urgency_tel: "06.00.00.00.00"
-evomaintenance_install_vendor: False
+evomaintenance_install_vendor: false
-evomaintenance_force_config: True
+evomaintenance_force_config: true
-evomaintenance_api_endpoint: Null
+evomaintenance_api_endpoint: null
-evomaintenance_api_key: Null
+evomaintenance_api_key: null
-evomaintenance_hook_api: True
+evomaintenance_hook_api: true
-evomaintenance_hook_db: False
+evomaintenance_hook_db: false
-evomaintenance_hook_commit: True
+evomaintenance_hook_commit: true
-evomaintenance_hook_mail: True
+evomaintenance_hook_mail: true
 evomaintenance_default_hosts: []
 evomaintenance_additional_hosts: []
-evomaintenance_hosts: "{{ evomaintenance_default_hosts | union(evomaintenance_additional_hosts) | unique }}"
+evomaintenance_hosts: >
+  {{ evomaintenance_default_hosts
+  | union(evomaintenance_additional_hosts)
+  | unique }}

roles/base/tasks/doas.yml

@@ -6,8 +6,6 @@
     owner: root
     group: wheel
     mode: "0640"
-    backup: no
+    backup: false
   tags:
     - doas
-
-

roles/base/tasks/dotfiles.yml

@@ -39,7 +39,7 @@
     dest: /etc/skel/.profile
     insertafter: EOF
     line: 'trap "doas /usr/share/scripts/evomaintenance.sh" 0'
-    create: yes
+    create: true
   tags:
     - admin
     - dotfiles

roles/base/tasks/evobackup.yml

@@ -6,7 +6,7 @@
     owner: root
     group: wheel
     mode: "0755"
-    force: no
+    force: false
   tags:
     - evobackup
 
@@ -16,6 +16,6 @@
     line: '#sh /usr/share/scripts/zzz_evobackup'
     owner: root
     mode: "0644"
-    create: yes
+    create: true
   tags:
     - evobackup

roles/base/tasks/evomaintenance.yml

@@ -10,7 +10,12 @@
     - evomaintenance
 
 - name: Copy evomaintenance script and template
-  copy: src={{ item.src }} dest={{ item.dest }} owner=root group=wheel mode="0755"
+  copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: 'root'
+    group: 'wheel'
+    mode: '0755'
   with_items:
     - {src: 'evomaintenance.sh', dest: '/usr/share/scripts/'}
     - {src: 'evomaintenance.tpl', dest: '/usr/share/scripts/'}
@@ -25,6 +30,6 @@
     owner: root
     group: wheel
     mode: "0600"
-    backup: no
+    backup: false
   tags:
     - evomaintenance

roles/base/tasks/mail.yml

@@ -2,8 +2,9 @@
 - name: Configure rc.local
   lineinfile:
     path: /etc/rc.local
-    line: 'date | mail -s "boot/reboot of $(hostname -s)" {{ general_alert_email }}'
+    line:
-    create: yes
+      'date | mail -s "boot/reboot of $(hostname -s)" {{ general_alert_email }}'
+    create: true
   tags:
     - misc
 
@@ -12,7 +13,7 @@
     dest: /etc/mail/aliases
     regexp: "# root:"
     replace: "root: {{ general_alert_email }}"
-    backup: no
+    backup: false
   notify:
     - newaliases
   tags:

roles/base/tasks/packages.yml

@@ -23,7 +23,7 @@
 - name: Disable sndiod
   service:
     name: sndiod
-    enabled: no
+    enabled: false
     state: stopped
   tags:
     - pkg

roles/base/tasks/sudo.yml

@@ -6,7 +6,7 @@
     insertafter: '# and set environment variables.'
     line: '%wheel   ALL=(ALL) SETENV: ALL'
     validate: 'visudo -cf %s'
-    backup: no
+    backup: false
   tags:
     - sudo
 
@@ -19,8 +19,6 @@
       Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh
       %wheel ALL=NOPASSWD: MAINT
     validate: 'visudo -cf %s'
-    backup: no
+    backup: false
   tags:
     - sudo
-
-

roles/bgp/tasks/main.yml

@@ -29,7 +29,9 @@
     minute: 0
     hour: 4
     weekday: 0
-    job: "/usr/sbin/bgpctl show rib selected > /var/log/bgp/rib-selected-$(date +\\%F)"
+    job: >
+      /usr/sbin/bgpctl show rib selected
+      > /var/log/bgp/rib-selected-$(date +\\%F)
   when: group_names | select('search','bgp') | list | count > 0
   tags:
     - bgp

roles/etc-git/defaults/main.yml

@@ -1,4 +1,4 @@
 ---
 commit_message: Ansible run
 
-etc_git_monitor_status: True
+etc_git_monitor_status: true

roles/etc-git/tasks/commit.yml

@@ -3,10 +3,10 @@
   command: git status --porcelain
   args:
     chdir: /etc
-  changed_when: False
+  changed_when: false
   register: git_status
   when: not ansible_check_mode
-  ignore_errors: yes
+  ignore_errors: true
   tags:
     - etc-git
     - commit-etc
@@ -24,26 +24,42 @@
     repo: /etc
     scope: local
   register: git_config_user_email
-  ignore_errors: yes
+  ignore_errors: true
   tags:
     - etc-git
     - commit-etc
 
 - name: set commit author
   set_fact:
-    commit_author: '{% if ansible_env.SUDO_USER is not defined %}root{% else %}{{ ansible_env.SUDO_USER }}{% endif %}'
+    commit_author: >
-    commit_email:  '{% if git_config_user_email.config_value is not defined or git_config_user_email.config_value == "" %}root@localhost{% else %}{{ git_config_user_email.config_value }}{% endif %}'
+      {% if ansible_env.SUDO_USER is not defined %}
+      root
+      {% else %}
+      {{ ansible_env.SUDO_USER }}
+      {% endif %}
+    commit_email: >
+      {% if git_config_user_email.config_value is not defined
+      or git_config_user_email.config_value == "" %}
+      root@localhost
+      {% else %}
+      {{ git_config_user_email.config_value }}
+      {% endif %}
   tags:
     - etc-git
     - commit-etc
 
 - name: /etc modifications are committed
-  shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\" --author \"{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>\""
+  shell: >
+    git add -A .
+    && git commit
+      -m "{{ commit_message | mandatory }}"
+      --author
+      "{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>"
   args:
     chdir: /etc
   register: etc_commit_end_run
   when: not ansible_check_mode and git_status.stdout != ""
-  ignore_errors: yes
+  ignore_errors: true
   tags:
     - etc-git
     - commit-etc

roles/etc-git/tasks/main.yml

@@ -12,7 +12,7 @@
   args:
     chdir: /etc
     creates: /etc/.git/
-    warn: no
+    warn: false
   register: git_init
   tags:
     - etc-git
@@ -48,11 +48,11 @@
   command: "git log"
   args:
     chdir: /etc
-    warn: no
+    warn: false
-  changed_when: False
+  changed_when: false
-  failed_when: False
+  failed_when: false
   register: git_log
-  check_mode: no
+  check_mode: false
   tags:
     - etc-git
 
@@ -60,7 +60,7 @@
   shell: "git add -A . && git commit -m \"Initial commit via Ansible\""
   args:
     chdir: /etc
-    warn: no
+    warn: false
   register: git_commit
   when: git_log.rc != 0 or (git_init is defined and git_init.changed)
   tags:
@@ -72,7 +72,7 @@
     line: '/usr/local/bin/git --git-dir /etc/.git gc --quiet'
     owner: root
     mode: "0644"
-    create: yes
+    create: true
   tags:
     - etc-git
 
@@ -82,7 +82,7 @@
     line: "{{ item }}"
     owner: root
     mode: "0644"
-    create: yes
+    create: true
   when: etc_git_monitor_status
   tags:
     - etc-git
@@ -93,7 +93,8 @@
 - name: cron job for /etc/.git status is removed
   lineinfile:
     path: /etc/daily.local
-    line: '/usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short'
+    line:
+      '/usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short'
     owner: root
     mode: "0644"
     state: absent
@@ -105,7 +106,13 @@
   cron:
     name: git status
     minute: 42
-    job: "who > /dev/null || /usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short"
+    job: >
+      who
+      > /dev/null
+        || /usr/local/bin/git
+          --git-dir=/etc/.git
+          --work-tree=/etc
+          status --short
   when: etc_git_monitor_status
   tags:
     - etc-git
@@ -114,7 +121,13 @@
   cron:
     name: git status
     minute: 42
-    job: "who > /dev/null || /usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short"
+    job: >
+      who
+      > /dev/null
+        || /usr/local/bin/git
+          --git-dir=/etc/.git
+          --work-tree=/etc
+          status --short
     state: absent
   when: not etc_git_monitor_status
   tags:

roles/evocheck/tasks/exec.yml

@@ -2,9 +2,9 @@
 - name: run evocheck
   command: "{{ evocheck_bin_dir }}/evocheck.sh"
   register: evocheck_run
-  changed_when: False
+  changed_when: false
-  failed_when: False
+  failed_when: false
-  check_mode: no
+  check_mode: false
   tags:
   - evocheck-exec
 

roles/evocheck/tasks/install.yml

@@ -15,7 +15,7 @@
     dest: "{{ evocheck_bin_dir }}/evocheck.sh"
     mode: "0700"
     owner: root
-    force: yes
+    force: true
   tags:
     - evocheck
 
@@ -23,7 +23,7 @@
   copy:
     src: evocheck.cf
     dest: /etc/evocheck.cf
-    force: no
+    force: false
   tags:
     - evocheck
 
@@ -33,6 +33,6 @@
     line: 'sh /usr/share/scripts/evocheck.sh --verbose --cron'
     owner: root
     mode: "0644"
-    create: yes
+    create: true
   tags:
     - evocheck

roles/forwarding/tasks/main.yml

@@ -4,7 +4,7 @@
     name: net.inet.ip.forwarding
     value: 1
     state: present
-    reload: yes
+    reload: true
   tags:
     - net
 
@@ -13,6 +13,6 @@
     name: net.inet6.ip6.forwarding
     value: 1
     state: present
-    reload: yes
+    reload: true
   tags:
     - net

roles/nagios-nrpe/defaults/main.yml

@@ -2,7 +2,8 @@
 evolix_trusted_ips: []
 additional_trusted_ips: []
 # Let's merge evolix_trusted_ips with additional_trusted_ips
-nagios_nrpe_allowed_hosts: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}"
+nagios_nrpe_allowed_hosts:
+  "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}"
 nagios_nrpe_ldap_dc: "dc=DOMAIN,dc=EXT"
 nagios_nrpe_ldap_passwd: LDAP_PASSWD
 nagios_nrpe_pgsql_passwd: PGSQL_PASSWD

roles/nagios-nrpe/tasks/main.yml

@@ -54,5 +54,5 @@
 - name: Starting and enabling nrpe
   service:
     name: nrpe
-    enabled: yes
+    enabled: true
     state: started

roles/openvpn/tasks/main.yml

@@ -27,7 +27,7 @@
 - name: Enabling OpenVPN
   service:
     name: openvpn
-    enabled: yes
+    enabled: true
   tags:
     - openvpn
 
@@ -39,9 +39,8 @@
 - name: Create shellpki user
   user:
     name: "_shellpki"
-    system: yes
+    system: true
     state: present
-    system: yes
     home: "/etc/shellpki/"
     shell: "/sbin/nologin"
   tags:
@@ -54,10 +53,14 @@
     owner: root
     group: wheel
     mode: "{{ item.mode }}"
-    force: yes                 
+    force: true
   with_items:
-          - { src: 'files/shellpki/openssl.cnf', dest: '/etc/shellpki/openssl.cnf', mode: '0640' }
+    - src: 'files/shellpki/openssl.cnf'
-          - { src: 'files/shellpki/shellpki', dest: '/usr/local/sbin/shellpki', mode: '0755' }
+      dest: '/etc/shellpki/openssl.cnf'
+      mode: '0640'
+    - src: 'files/shellpki/shellpki'
+      dest: '/usr/local/sbin/shellpki'
+      mode: '0755'
   tags:
     - openvpn
 
@@ -103,8 +106,10 @@
     owner: root
     group: wheel
     mode: "{{ item.mode }}"
-    force: yes                 
+    force: true
   with_items:
-          - { src: 'files/check_openvpn.pl', dest: '/usr/local/libexec/nagios/plugins/check_openvpn.pl', mode: '0755' }
+    - src: 'files/check_openvpn.pl'
+      dest: '/usr/local/libexec/nagios/plugins/check_openvpn.pl'
+      mode: '0755'
   tags:
     - openvpn

roles/pf/tasks/main.yml

@@ -4,4 +4,4 @@
     src: pf.conf.j2
     dest: /etc/pf.conf
     mode: "0600"
-    backup: yes
+    backup: true

tasks/commit_etc_git.yml

@@ -3,19 +3,25 @@
   command: git status --porcelain
   args:
     chdir: /etc
-  changed_when: False
+  changed_when: false
   register: git_status
   when: not ansible_check_mode
-  ignore_errors: yes
+  ignore_errors: true
   tags:
     - commit-etc
-
+# yamllint disable rule:line-length
 - name: /etc modifications are committed
-  shell: "git add -A . && git commit -m \"{{ commit_message | default('Ansible run') }}\" --author=\"{{ ansible_env.SUDO_USER | default('Root') }} <{{ ansible_env.SUDO_USER | default('Root') }}@{{ general_technical_realm }}>\""
+  shell: >
+    git add -A .
+    && git commit
+      -m "{{ commit_message | default('Ansible run') }}"
+      --author="{{ ansible_env.SUDO_USER | default('Root') }}"
+     < "{{ ansible_env.SUDO_USER | default('Root') }}@{{ general_technical_realm }}>"
   args:
     chdir: /etc
   register: etc_commit_end_evolinux
   when: not ansible_check_mode and git_status.stdout != ""
-  ignore_errors: yes
+  ignore_errors: true
   tags:
     - commit-etc
+# yamllint enable rule:line-length

vars/main.yml

@@ -13,8 +13,10 @@ evolinux_sudo_group: "evolinux-sudo"
 evolinux_root_disable_ssh: true
 #
 # evomaintenance_realm: "example.com"
-#evomaintenance_alert_email: "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}"
+# evomaintenance_alert_email:
-#evomaintenance_hostname: "{{ inventory_hostname }}.{{ general_technical_realm }}"
+# "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}"
+# evomaintenance_hostname:
+# "{{ inventory_hostname }}.{{ general_technical_realm }}"
 # evomaintenance_pg_host: Null
 # evomaintenance_pg_passwd: Null
 # evomaintenance_pg_db: Null