Merge pull request 'Ansible-lint and yamllint' (#32) from linting into dev

Reviewed-by: Jérémy Dubois <jdubois@noreply.gitea.evolix.org>
Reviewed-by: Tristan Pilat <drustan@noreply.gitea.evolix.org>

.drone.yml

@@ -0,0 +1,30 @@
+---
+kind: pipeline
+type: docker
+name: default
+
+steps:
+  - name: lint markdown files
+    image: pipelinecomponents/remark-lint:latest
+    commands:
+      - "remark --no-stdout --color  --use preset-lint-recommended ."
+
+  - name: lint yaml files
+    image: pipelinecomponents/yamllint:latest
+    commands:
+      - "yamllint ."
+
+  - name: lint ansible scripts
+    image: pipelinecomponents/ansible-lint:latest
+    commands:
+      - >
+        find . -maxdepth 1 -name '*.yml'
+        | sort
+        | grep -v '.drone.yml'
+        | xargs ansible-playbook --syntax-check --list-tasks
+
+      - >
+        find . -maxdepth 1 -name '*.yml'
+        | sort
+        | grep -v '.drone.yml'
+        | xargs ansible-lint

CONTRIBUTING.md

@@ -2,17 +2,17 @@
 
 Contributions are welcome, as long as they respect our current workflow:
 
-1. The master branch is only for releases.  Once properly tested,
+1.  The master branch is only for releases. Once properly tested,
-the dev branch can be merged, the release tagged and a tar archive
+ the dev branch can be merged, the release tagged and a tar archive
-created.
+ created.
 
-2. The dev branch should never be commited to directly, unless
+2.  The dev branch should never be commited to directly, unless
-you're updating the CHANGELOG file.
+ you're updating the CHANGELOG file.
 
-3. Use feature branches for anything else, once they've passed all
+3.  Use feature branches for anything else, once they've passed all
-CI tests and have been reviewed by other contributors through a
+ CI test, lints and have been reviewed by other contributors through a
-pull request, they may be merged into the dev branch.
+ pull request, they may be merged into the dev branch.
 
 
 Open issues liberally, but please review closed and opened issues
-for duplicates before hand.
+for duplicates before hand.

README.md

@@ -9,13 +9,13 @@ used by Evolix.
 Put your public key in the remote root's autorized_keys
 (/root/.ssh/authorized_keys)
 
-1 - Install ansible's prerequisites
+1.  Install ansible's prerequisites
 
 ```
 ansible-playbook prerequisite.yml -CDi hosts -l HOSTNAME
 ```
 
-2 - Run it
+2.  Run it
 
 ```
 ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts -l HOSTNAME
@@ -26,19 +26,19 @@ ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts -l HOSTNAME
 Changes can be tested by using [Packer](https://www.packer.io/) and
 [vmm(4)](https://man.openbsd.org/vmm.4) :
 
-* This process depends on the [Go](https://golang.org/) programming language.
+*   This process depends on the [Go](https://golang.org/) programming language.
 
 ```
 # pkg_add go packer
 ```
 
-* We use the [packer-builder-vmm](https://github.com/prep/packer-builder-vmm) project to bridge Packer and vmm(4)
+*   We use the [packer-builder-vmm](https://github.com/prep/packer-builder-vmm) project to bridge Packer and vmm(4)
 
 ```
 $ go get -u github.com/prep/packer-builder-vmm/cmd/packer-builder-vmm
 ```
 
-* Here is an example build file
+*   Here is an example build file
 
 ```
 $ vim openbsd.json
@@ -101,25 +101,25 @@ $ vim openbsd.json
     }
 
 
-* You need your unprivileged user to be able to run vmctl(8) through doas(1)
+*   You need your unprivileged user to be able to run vmctl(8) through doas(1)
 
 ```
 # echo "permit nopass myunprivilegeduser as root cmd /usr/sbin/vmctl" >> /etc/doas.conf
 ```
 
-* Build the virtual machine
+*   Build the virtual machine
 
 ```
 $ packer build openbsd.json
 ```
 
-* Start it
+*   Start it
 
 ```
 doas vmctl start evobsd -cL -d output-vmm/evobsd.qcow2
 ```
 
-* Enable NAT on your host machine
+*   Enable NAT on your host machine
 
 ```
 pass out on em0 inet from tap0:network to any nat-to (em0)

evolixisation.yml

@@ -10,13 +10,13 @@
   become: true
   become_user: root
   become_method: sudo
-#  become_method: su
+  # become_method: su
 
 
   vars_files:
     - vars/main.yml
-#    - vars/secrets.yml
+  # - vars/secrets.yml
-#    - vars/openbsd-secret.yml
+  # - vars/openbsd-secret.yml
 
   roles:
     - etc-git
@@ -27,9 +27,9 @@
     - nagios-nrpe
     - evocheck
     - post-install
-    #- openvpn
+    # - openvpn
-    #- ospf
+    # - ospf
-    #- bgp
+    # - bgp
 
   post_tasks:
     - include: "tasks/commit_etc_git.yml"
@@ -40,6 +40,5 @@
         tasks_from: exec.yml
 
 #  environment:
-#    PKG_PATH: "http://ftp.openbsd.org/pub/OpenBSD/{{ ansible_distribution_version }}/packages/{{ ansible_architecture }}/"
+# yamllint disable-line rule:line-length
-
+# PKG_PATH: "http://ftp.openbsd.org/pub/OpenBSD/{{ ansible_distribution_version }}/packages/{{ ansible_architecture }}/"
-# vim:ft=ansible

prerequisite.yml

@@ -2,15 +2,16 @@
 # ansible-playbook prerequisite.yml -CDi hosts -l HOSTNAME
 
 ---
-  - hosts: all
+- hosts: all
-    become: yes
+  become: true
-    become_method: su
+  become_method: su
-    user: root
+  user: root
-    gather_facts: no
+  gather_facts: false
 
-    tasks:
+  tasks:
 
     - name: Install ansible's prerequisite
+      # yamllint disable-line rule:line-length
       raw: export PKG_PATH=http://ftp.eu.openbsd.org/pub/OpenBSD/$(uname -r)/packages/$(uname -p)/; pkg_add -z python-2
 
 # vim:ft=ansible

roles/accounts/tasks/main.yml

@@ -30,13 +30,15 @@
   check_mode: false
   register: grep_allowusers_ssh
 
-- assert:
+- name: "Check that AllowUsers and AllowGroup do not override each other"
+  assert:
     that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
     msg: "We can't deal with AllowUsers and AllowGroups at the same time"
 
-- set_fact:
+- name: "If AllowGroups is present then use it"
-    # If "AllowGroups is present"
+  set_fact:
-    ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
+    ssh_allowgroups:
+      "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
 
 - name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
   lineinfile:

roles/base/defaults/main.yml

@@ -1,30 +1,35 @@
 ---
 ntpd_servers:
-- "ntp.evolix.net"
+  - "ntp.evolix.net"
 
 general_alert_email: "root@localhost"
 general_technical_realm: "example.com"
 
 evomaintenance_realm: "example.com"
-evomaintenance_alert_email: "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}"
+evomaintenance_alert_email:
-evomaintenance_hostname: "{{ inventory_hostname }}.{{ general_technical_realm }}"
+  "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}"
-evomaintenance_pg_host: Null
+evomaintenance_hostname:
-evomaintenance_pg_passwd: Null
+  "{{ inventory_hostname }}.{{ general_technical_realm }}"
-evomaintenance_pg_db: Null
+evomaintenance_pg_host: null
-evomaintenance_pg_table: Null
+evomaintenance_pg_passwd: null
+evomaintenance_pg_db: null
+evomaintenance_pg_table: null
 evomaintenance_from_domain: "{{ evomaintenance_realm }}"
 evomaintenance_from: "evomaintenance@{{ evomaintenance_from_domain }}"
 evomaintenance_full_from: "Evomaintenance <{{ evomaintenance_from }}>"
 evomaintenance_urgency_from: mama.doe@example.com
 evomaintenance_urgency_tel: "06.00.00.00.00"
-evomaintenance_install_vendor: False
+evomaintenance_install_vendor: false
-evomaintenance_force_config: True
+evomaintenance_force_config: true
-evomaintenance_api_endpoint: Null
+evomaintenance_api_endpoint: null
-evomaintenance_api_key: Null
+evomaintenance_api_key: null
-evomaintenance_hook_api: True
+evomaintenance_hook_api: true
-evomaintenance_hook_db: False
+evomaintenance_hook_db: false
-evomaintenance_hook_commit: True
+evomaintenance_hook_commit: true
-evomaintenance_hook_mail: True
+evomaintenance_hook_mail: true
 evomaintenance_default_hosts: []
 evomaintenance_additional_hosts: []
-evomaintenance_hosts: "{{ evomaintenance_default_hosts | union(evomaintenance_additional_hosts) | unique }}"
+evomaintenance_hosts: >
+  {{ evomaintenance_default_hosts
+  | union(evomaintenance_additional_hosts)
+  | unique }}

roles/base/tasks/doas.yml

@@ -6,8 +6,6 @@
     owner: root
     group: wheel
     mode: "0640"
-    backup: no
+    backup: false
   tags:
-     - doas
+    - doas
-
-

roles/base/tasks/dotfiles.yml

@@ -39,10 +39,10 @@
     dest: /etc/skel/.profile
     insertafter: EOF
     line: 'trap "doas /usr/share/scripts/evomaintenance.sh" 0'
-    create: yes
+    create: true
   tags:
-     - admin
+    - admin
-     - dotfiles
+    - dotfiles
 
 - name: Add vim configuration to dotfiles for new users
   copy:

roles/base/tasks/evobackup.yml

@@ -6,7 +6,7 @@
     owner: root
     group: wheel
     mode: "0755"
-    force: no
+    force: false
   tags:
     - evobackup
 
@@ -16,6 +16,6 @@
     line: '#sh /usr/share/scripts/zzz_evobackup'
     owner: root
     mode: "0644"
-    create: yes
+    create: true
   tags:
     - evobackup

roles/base/tasks/evomaintenance.yml

@@ -10,10 +10,15 @@
     - evomaintenance
 
 - name: Copy evomaintenance script and template
-  copy: src={{ item.src }} dest={{ item.dest }} owner=root group=wheel mode="0755"
+  copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: 'root'
+    group: 'wheel'
+    mode: '0755'
   with_items:
-          - { src: 'evomaintenance.sh', dest: '/usr/share/scripts/' }
+    - {src: 'evomaintenance.sh', dest: '/usr/share/scripts/'}
-          - { src: 'evomaintenance.tpl', dest: '/usr/share/scripts/' }
+    - {src: 'evomaintenance.tpl', dest: '/usr/share/scripts/'}
   tags:
     - evomaintenance
     - script-evomaintenance
@@ -25,6 +30,6 @@
     owner: root
     group: wheel
     mode: "0600"
-    backup: no
+    backup: false
   tags:
     - evomaintenance

roles/base/tasks/mail.yml

@@ -2,8 +2,9 @@
 - name: Configure rc.local
   lineinfile:
     path: /etc/rc.local
-    line: 'date | mail -s "boot/reboot of $(hostname -s)" {{ general_alert_email }}'
+    line:
-    create: yes
+      'date | mail -s "boot/reboot of $(hostname -s)" {{ general_alert_email }}'
+    create: true
   tags:
     - misc
 
@@ -12,7 +13,7 @@
     dest: /etc/mail/aliases
     regexp: "# root:"
     replace: "root: {{ general_alert_email }}"
-    backup: no
+    backup: false
   notify:
     - newaliases
   tags:

roles/base/tasks/packages.yml

@@ -10,20 +10,20 @@
 - name: Install packages (vim rsync mtr etc)
   openbsd_pkg:
     name:
-    - wget
+      - wget
-    - vim--no_x11
+      - vim--no_x11
-    - rsync--
+      - rsync--
-    - mtr--
+      - mtr--
-    - iftop
+      - iftop
-    - sudo--
+      - sudo--
-    - postgresql-client
+      - postgresql-client
   tags:
     - pkg
 
 - name: Disable sndiod
   service:
     name: sndiod
-    enabled: no
+    enabled: false
     state: stopped
   tags:
     - pkg

roles/base/tasks/sudo.yml

@@ -4,11 +4,11 @@
   lineinfile:
     dest: /etc/sudoers
     insertafter: '# and set environment variables.'
-    line: '%wheel	ALL=(ALL) SETENV: ALL'
+    line: '%wheel   ALL=(ALL) SETENV: ALL'
     validate: 'visudo -cf %s'
-    backup: no
+    backup: false
   tags:
-     - sudo
+    - sudo
 
 - name: Configure sudoers for evomaintenance and monitoring
   blockinfile:
@@ -19,8 +19,6 @@
       Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh
       %wheel ALL=NOPASSWD: MAINT
     validate: 'visudo -cf %s'
-    backup: no
+    backup: false
   tags:
-     - sudo
+    - sudo
-
-

roles/bgp/README.md

@@ -1,5 +1,5 @@
 # BGP
-  
+
 Deployment of BGP check script with its cron, and a best route log cron.
 
 ## Tasks
@@ -10,5 +10,5 @@ Everything is in the `tasks/main.yml` file.
 
 The full list of variables (with default values) can be found in `defaults/main.yml`.
 
-* `bgp_mailto` : email address the output of the script will be sent to when a change is detected
+*   `bgp_mailto` : email address the output of the script will be sent to when a change is detected
-* `bgp_exclude_grep_command` : facultative grep -v command for some peers not to be checked
+*   `bgp_exclude_grep_command` : facultative grep -v command for some peers not to be checked

roles/bgp/tasks/main.yml

@@ -5,7 +5,7 @@
     dest: /usr/share/scripts/bgpd-check-peers.sh
   when: group_names | select('search','bgp') | list | count > 0
   tags:
-  - bgp
+    - bgp
 
 - name: Cron job for bgp check script is installed
   cron:
@@ -15,13 +15,13 @@
   tags:
     - bgp
 
-- name: Create bgp log directory 
+- name: Create bgp log directory
   file:
     path: /var/log/bgp
     state: directory
   when: group_names | select('search','bgp') | list | count > 0
   tags:
-  - bgp
+    - bgp
 
 - name: weekly best routes cron job is installed
   cron:
@@ -29,7 +29,9 @@
     minute: 0
     hour: 4
     weekday: 0
-    job: "/usr/sbin/bgpctl show rib selected > /var/log/bgp/rib-selected-$(date +\\%F)"
+    job: >
+      /usr/sbin/bgpctl show rib selected
+      > /var/log/bgp/rib-selected-$(date +\\%F)
   when: group_names | select('search','bgp') | list | count > 0
   tags:
     - bgp

roles/etc-git/defaults/main.yml

@@ -1,4 +1,4 @@
 ---
 commit_message: Ansible run
 
-etc_git_monitor_status: True
+etc_git_monitor_status: true

roles/etc-git/tasks/commit.yml

@@ -3,20 +3,20 @@
   command: git status --porcelain
   args:
     chdir: /etc
-  changed_when: False
+  changed_when: false
   register: git_status
   when: not ansible_check_mode
-  ignore_errors: yes
+  ignore_errors: true
   tags:
-  - etc-git
+    - etc-git
-  - commit-etc
+    - commit-etc
 
 - debug:
     var: git_status
     verbosity: 3
   tags:
-  - etc-git
+    - etc-git
-  - commit-etc
+    - commit-etc
 
 - name: fetch current Git user.email
   git_config:
@@ -24,33 +24,49 @@
     repo: /etc
     scope: local
   register: git_config_user_email
-  ignore_errors: yes
+  ignore_errors: true
   tags:
-  - etc-git
+    - etc-git
-  - commit-etc
+    - commit-etc
 
 - name: set commit author
   set_fact:
-    commit_author: '{% if ansible_env.SUDO_USER is not defined %}root{% else %}{{ ansible_env.SUDO_USER }}{% endif %}'
+    commit_author: >
-    commit_email:  '{% if git_config_user_email.config_value is not defined or git_config_user_email.config_value == "" %}root@localhost{% else %}{{ git_config_user_email.config_value }}{% endif %}'
+      {% if ansible_env.SUDO_USER is not defined %}
+      root
+      {% else %}
+      {{ ansible_env.SUDO_USER }}
+      {% endif %}
+    commit_email: >
+      {% if git_config_user_email.config_value is not defined
+      or git_config_user_email.config_value == "" %}
+      root@localhost
+      {% else %}
+      {{ git_config_user_email.config_value }}
+      {% endif %}
   tags:
-  - etc-git
+    - etc-git
-  - commit-etc
+    - commit-etc
 
 - name: /etc modifications are committed
-  shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\" --author \"{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>\""
+  shell: >
+    git add -A .
+    && git commit
+      -m "{{ commit_message | mandatory }}"
+      --author
+      "{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>"
   args:
     chdir: /etc
   register: etc_commit_end_run
   when: not ansible_check_mode and git_status.stdout != ""
-  ignore_errors: yes
+  ignore_errors: true
   tags:
-  - etc-git
+    - etc-git
-  - commit-etc
+    - commit-etc
 
 - debug:
     var: etc_commit_end_run
     verbosity: 4
   tags:
-  - etc-git
+    - etc-git
-  - commit-etc
+    - commit-etc

roles/etc-git/tasks/main.yml

@@ -12,7 +12,7 @@
   args:
     chdir: /etc
     creates: /etc/.git/
-    warn: no
+    warn: false
   register: git_init
   tags:
     - etc-git
@@ -48,11 +48,11 @@
   command: "git log"
   args:
     chdir: /etc
-    warn: no
+    warn: false
-  changed_when: False
+  changed_when: false
-  failed_when: False
+  failed_when: false
   register: git_log
-  check_mode: no
+  check_mode: false
   tags:
     - etc-git
 
@@ -60,7 +60,7 @@
   shell: "git add -A . && git commit -m \"Initial commit via Ansible\""
   args:
     chdir: /etc
-    warn: no
+    warn: false
   register: git_commit
   when: git_log.rc != 0 or (git_init is defined and git_init.changed)
   tags:
@@ -72,7 +72,7 @@
     line: '/usr/local/bin/git --git-dir /etc/.git gc --quiet'
     owner: root
     mode: "0644"
-    create: yes
+    create: true
   tags:
     - etc-git
 
@@ -82,7 +82,7 @@
     line: "{{ item }}"
     owner: root
     mode: "0644"
-    create: yes
+    create: true
   when: etc_git_monitor_status
   tags:
     - etc-git
@@ -93,7 +93,8 @@
 - name: cron job for /etc/.git status is removed
   lineinfile:
     path: /etc/daily.local
-    line: '/usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short'
+    line:
+      '/usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short'
     owner: root
     mode: "0644"
     state: absent
@@ -105,7 +106,13 @@
   cron:
     name: git status
     minute: 42
-    job: "who > /dev/null || /usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short"
+    job: >
+      who
+      > /dev/null
+        || /usr/local/bin/git
+          --git-dir=/etc/.git
+          --work-tree=/etc
+          status --short
   when: etc_git_monitor_status
   tags:
     - etc-git
@@ -114,7 +121,13 @@
   cron:
     name: git status
     minute: 42
-    job: "who > /dev/null || /usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short"
+    job: >
+      who
+      > /dev/null
+        || /usr/local/bin/git
+          --git-dir=/etc/.git
+          --work-tree=/etc
+          status --short
     state: absent
   when: not etc_git_monitor_status
   tags:

roles/evocheck/tasks/exec.yml

@@ -2,9 +2,9 @@
 - name: run evocheck
   command: "{{ evocheck_bin_dir }}/evocheck.sh"
   register: evocheck_run
-  changed_when: False
+  changed_when: false
-  failed_when: False
+  failed_when: false
-  check_mode: no
+  check_mode: false
   tags:
   - evocheck-exec
 
@@ -12,4 +12,4 @@
     var: evocheck_run.stdout_lines
   when: evocheck_run.stdout != ""
   tags:
-  - evocheck-exec
+    - evocheck-exec

roles/evocheck/tasks/install.yml

@@ -15,7 +15,7 @@
     dest: "{{ evocheck_bin_dir }}/evocheck.sh"
     mode: "0700"
     owner: root
-    force: yes
+    force: true
   tags:
     - evocheck
 
@@ -23,7 +23,7 @@
   copy:
     src: evocheck.cf
     dest: /etc/evocheck.cf
-    force: no
+    force: false
   tags:
     - evocheck
 
@@ -33,6 +33,6 @@
     line: 'sh /usr/share/scripts/evocheck.sh --verbose --cron'
     owner: root
     mode: "0644"
-    create: yes
+    create: true
   tags:
     - evocheck

roles/forwarding/tasks/main.yml

@@ -4,7 +4,7 @@
     name: net.inet.ip.forwarding
     value: 1
     state: present
-    reload: yes
+    reload: true
   tags:
     - net
 
@@ -13,6 +13,6 @@
     name: net.inet6.ip6.forwarding
     value: 1
     state: present
-    reload: yes
+    reload: true
   tags:
     - net

roles/nagios-nrpe/README.md

@@ -8,6 +8,6 @@ Everything is in the `tasks/main.yml` file.
 
 ## Available variables
 
-* `nagios_nrpe_allowed_hosts` : list of IP/hosts authorized (default: none).
+*   `nagios_nrpe_allowed_hosts` : list of IP/hosts authorized (default: none).
 
 The full list of variables (with default values) can be found in `defaults/main.yml`.

roles/nagios-nrpe/defaults/main.yml

@@ -2,7 +2,8 @@
 evolix_trusted_ips: []
 additional_trusted_ips: []
 # Let's merge evolix_trusted_ips with additional_trusted_ips
-nagios_nrpe_allowed_hosts: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}"
+nagios_nrpe_allowed_hosts:
+  "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}"
 nagios_nrpe_ldap_dc: "dc=DOMAIN,dc=EXT"
 nagios_nrpe_ldap_passwd: LDAP_PASSWD
 nagios_nrpe_pgsql_passwd: PGSQL_PASSWD

roles/nagios-nrpe/tasks/main.yml

@@ -54,5 +54,5 @@
 - name: Starting and enabling nrpe
   service:
     name: nrpe
-    enabled: yes
+    enabled: true
     state: started

roles/openvpn/tasks/main.yml

@@ -3,7 +3,7 @@
   openbsd_pkg:
     name: "openvpn--"
   tags:
-  - openvpn
+    - openvpn
 
 - name: Create /etc/openvpn directory
   file:
@@ -13,59 +13,62 @@
     group: "wheel"
     mode: "0755"
   tags:
-  - openvpn
+    - openvpn
 
 - name: Deploy OpenVPN configuration
-  template:                    
+  template:
-    src: "server.conf.j2" 
+    src: "server.conf.j2"
     dest: "/etc/openvpn/server.conf"
-    mode: "0600"               
+    mode: "0600"
   notify: restart openvpn
   tags:
-  - openvpn
+    - openvpn
 
 - name: Enabling OpenVPN
   service:
     name: openvpn
-    enabled: yes
+    enabled: true
   tags:
-  - openvpn
+    - openvpn
 
 - name: Set OpenVPN flag
   shell: 'rcctl set openvpn flags "--config /etc/openvpn/server.conf"'
   tags:
-  - openvpn
+    - openvpn
 
 - name: Create shellpki user
   user:
     name: "_shellpki"
-    system: yes
+    system: true
-    state: present    
+    state: present
-    system: yes
     home: "/etc/shellpki/"
     shell: "/sbin/nologin"
   tags:
-  - openvpn
+    - openvpn
 
 - name: Copy some shellpki files
-  copy: 
+  copy:
-    src: "{{ item.src }}"      
+    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"    
+    dest: "{{ item.dest }}"
-    owner: root                
+    owner: root
     group: wheel
     mode: "{{ item.mode }}"
-    force: yes                 
+    force: true
   with_items:
-          - { src: 'files/shellpki/openssl.cnf', dest: '/etc/shellpki/openssl.cnf', mode: '0640' }
+    - src: 'files/shellpki/openssl.cnf'
-          - { src: 'files/shellpki/shellpki', dest: '/usr/local/sbin/shellpki', mode: '0755' }
+      dest: '/etc/shellpki/openssl.cnf'
+      mode: '0640'
+    - src: 'files/shellpki/shellpki'
+      dest: '/usr/local/sbin/shellpki'
+      mode: '0755'
   tags:
     - openvpn
 
 - name: Deploy DH PARAMETERS
-  template:                    
+  template:
-    src: "dh2048.pem.j2" 
+    src: "dh2048.pem.j2"
     dest: "/etc/shellpki/dh2048.pem"
-    mode: "0600"               
+    mode: "0600"
   tags:
     - openvpn
 
@@ -77,7 +80,7 @@
     group: "wheel"
     mode: "0755"
   tags:
-  - openvpn
+    - openvpn
 
 - name: Include /etc/sudoers.d in sudoers configuration file
   lineinfile:
@@ -91,20 +94,22 @@
     src: "sudo_shellpki"
     dest: "/etc/sudoers.d/shellpki"
     force: true
-    mode: "0440"               
+    mode: "0440"
     validate: '/usr/local/sbin/visudo -cf %s'
   tags:
-  - openvpn
+    - openvpn
 
 - name: Copy check_openvpn
-  copy: 
+  copy:
-    src: "{{ item.src }}"      
+    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"    
+    dest: "{{ item.dest }}"
-    owner: root                
+    owner: root
     group: wheel
     mode: "{{ item.mode }}"
-    force: yes                 
+    force: true
   with_items:
-          - { src: 'files/check_openvpn.pl', dest: '/usr/local/libexec/nagios/plugins/check_openvpn.pl', mode: '0755' }
+    - src: 'files/check_openvpn.pl'
+      dest: '/usr/local/libexec/nagios/plugins/check_openvpn.pl'
+      mode: '0755'
   tags:
     - openvpn

roles/ospf/README.md

@@ -1,5 +1,5 @@
 # OSPF
-  
+
 Deployment of OSPF check scripts with their cron.
 
 ## Tasks
@@ -10,5 +10,5 @@ Everything is in the `tasks/main.yml` file.
 
 The full list of variables (with default values) can be found in `defaults/main.yml`.
 
-* `ospf_mailto` : email address the output of the scripts will be sent to when a change is detected
+*   `ospf_mailto` : email address the output of the scripts will be sent to when a change is detected
-* `ospf_sed_command` : facultative sed command to modify the ospfctl output and add a name to IPs
+*   `ospf_sed_command` : facultative sed command to modify the ospfctl output and add a name to IPs

roles/ospf/tasks/main.yml

@@ -8,7 +8,7 @@
     - "ospf6d-check-peers.sh"
   when: group_names | select('search','ospf') | list | count > 0
   tags:
-  - ospf
+    - ospf
 
 - name: Cron job for ospf check scripts is installed
   cron:

roles/pf/tasks/main.yml

@@ -4,4 +4,4 @@
     src: pf.conf.j2
     dest: /etc/pf.conf
     mode: "0600"
-    backup: yes
+    backup: true

tasks/commit_etc_git.yml

@@ -3,19 +3,25 @@
   command: git status --porcelain
   args:
     chdir: /etc
-  changed_when: False
+  changed_when: false
   register: git_status
   when: not ansible_check_mode
-  ignore_errors: yes
+  ignore_errors: true
   tags:
-  - commit-etc
+    - commit-etc
-
+# yamllint disable rule:line-length
 - name: /etc modifications are committed
-  shell: "git add -A . && git commit -m \"{{ commit_message | default('Ansible run') }}\" --author=\"{{ ansible_env.SUDO_USER | default('Root') }} <{{ ansible_env.SUDO_USER | default('Root') }}@{{ general_technical_realm }}>\""
+  shell: >
+    git add -A .
+    && git commit
+      -m "{{ commit_message | default('Ansible run') }}"
+      --author="{{ ansible_env.SUDO_USER | default('Root') }}"
+     < "{{ ansible_env.SUDO_USER | default('Root') }}@{{ general_technical_realm }}>"
   args:
     chdir: /etc
   register: etc_commit_end_evolinux
   when: not ansible_check_mode and git_status.stdout != ""
-  ignore_errors: yes
+  ignore_errors: true
   tags:
-  - commit-etc
+    - commit-etc
+# yamllint enable rule:line-length

vars/main.yml

@@ -3,29 +3,31 @@
 ## Edit and uncomment to overwrite the default values ##
 ########################################################
 
-#ntpd_servers:
+# ntpd_servers:
-#- "ntp.evolix.net"
+# - "ntp.evolix.net"
 #
-#general_alert_email: "root@localhost"
+# general_alert_email: "root@localhost"
-#general_technical_realm: "example.com"
+# general_technical_realm: "example.com"
 evolinux_ssh_group: "evolinux-ssh"
 evolinux_sudo_group: "evolinux-sudo"
 evolinux_root_disable_ssh: true
 #
-#evomaintenance_realm: "example.com"
+# evomaintenance_realm: "example.com"
-#evomaintenance_alert_email: "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}"
+# evomaintenance_alert_email:
-#evomaintenance_hostname: "{{ inventory_hostname }}.{{ general_technical_realm }}"
+# "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}"
-#evomaintenance_pg_host: Null
+# evomaintenance_hostname:
-#evomaintenance_pg_passwd: Null
+# "{{ inventory_hostname }}.{{ general_technical_realm }}"
-#evomaintenance_pg_db: Null
+# evomaintenance_pg_host: Null
-#evomaintenance_pg_table: Null
+# evomaintenance_pg_passwd: Null
-#evomaintenance_from_domain: "{{ evomaintenance_realm }}"
+# evomaintenance_pg_db: Null
-#evomaintenance_from: "evomaintenance@{{ evomaintenance_from_domain }}"
+# evomaintenance_pg_table: Null
-#evomaintenance_full_from: "Evomaintenance <{{ evomaintenance_from }}>"
+# evomaintenance_from_domain: "{{ evomaintenance_realm }}"
-#evomaintenance_urgency_from: mama.doe@example.com
+# evomaintenance_from: "evomaintenance@{{ evomaintenance_from_domain }}"
-#evomaintenance_urgency_tel: "06.00.00.00.00"
+# evomaintenance_full_from: "Evomaintenance <{{ evomaintenance_from }}>"
+# evomaintenance_urgency_from: mama.doe@example.com
+# evomaintenance_urgency_tel: "06.00.00.00.00"
 #
-#evolix_users:
+# evolix_users:
 #  foo:
 #    name: foo
 #    uid: 1042