Merge pull request 'Ansible-lint and yamllint' (#32) from linting into dev

Reviewed-by: Jérémy Dubois <jdubois@noreply.gitea.evolix.org>
Reviewed-by: Tristan Pilat <drustan@noreply.gitea.evolix.org>

.drone.yml

@@ -0,0 +1,30 @@
+---
+kind: pipeline
+type: docker
+name: default
+
+steps:
+  - name: lint markdown files
+    image: pipelinecomponents/remark-lint:latest
+    commands:
+      - "remark --no-stdout --color  --use preset-lint-recommended ."
+
+  - name: lint yaml files
+    image: pipelinecomponents/yamllint:latest
+    commands:
+      - "yamllint ."
+
+  - name: lint ansible scripts
+    image: pipelinecomponents/ansible-lint:latest
+    commands:
+      - >
+        find . -maxdepth 1 -name '*.yml'
+        | sort
+        | grep -v '.drone.yml'
+        | xargs ansible-playbook --syntax-check --list-tasks
+
+      - >
+        find . -maxdepth 1 -name '*.yml'
+        | sort
+        | grep -v '.drone.yml'
+        | xargs ansible-lint

CONTRIBUTING.md

@@ -3,15 +3,15 @@
 Contributions are welcome, as long as they respect our current workflow:
 
 1.  The master branch is only for releases. Once properly tested,
-the dev branch can be merged, the release tagged and a tar archive
-created.
+ the dev branch can be merged, the release tagged and a tar archive
+ created.
 
 2.  The dev branch should never be commited to directly, unless
-you're updating the CHANGELOG file.
+ you're updating the CHANGELOG file.
 
 3.  Use feature branches for anything else, once they've passed all
-CI tests and have been reviewed by other contributors through a
-pull request, they may be merged into the dev branch.
+ CI test, lints and have been reviewed by other contributors through a
+ pull request, they may be merged into the dev branch.
 
 
 Open issues liberally, but please review closed and opened issues

README.md

@@ -9,13 +9,13 @@ used by Evolix.
 Put your public key in the remote root's autorized_keys
 (/root/.ssh/authorized_keys)
 
-1 - Install ansible's prerequisites
+1.  Install ansible's prerequisites
 
 ```
 ansible-playbook prerequisite.yml -CDi hosts -l HOSTNAME
 ```
 
-2 - Run it
+2.  Run it
 
 ```
 ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts -l HOSTNAME

evolixisation.yml

@@ -10,13 +10,13 @@
   become: true
   become_user: root
   become_method: sudo
-#  become_method: su
+  # become_method: su
 
 
   vars_files:
     - vars/main.yml
-#    - vars/secrets.yml
-#    - vars/openbsd-secret.yml
+  # - vars/secrets.yml
+  # - vars/openbsd-secret.yml
 
   roles:
     - etc-git
@@ -27,9 +27,9 @@
     - nagios-nrpe
     - evocheck
     - post-install
-    #- openvpn
-    #- ospf
-    #- bgp
+    # - openvpn
+    # - ospf
+    # - bgp
 
   post_tasks:
     - include: "tasks/commit_etc_git.yml"
@@ -40,6 +40,5 @@
         tasks_from: exec.yml
 
 #  environment:
+# yamllint disable-line rule:line-length
 # PKG_PATH: "http://ftp.openbsd.org/pub/OpenBSD/{{ ansible_distribution_version }}/packages/{{ ansible_architecture }}/"
-
-# vim:ft=ansible

prerequisite.yml

@@ -2,15 +2,16 @@
 # ansible-playbook prerequisite.yml -CDi hosts -l HOSTNAME
 
 ---
-  - hosts: all
-    become: yes
+- hosts: all
+  become: true
   become_method: su
   user: root
-    gather_facts: no
+  gather_facts: false
 
   tasks:
 
     - name: Install ansible's prerequisite
+      # yamllint disable-line rule:line-length
       raw: export PKG_PATH=http://ftp.eu.openbsd.org/pub/OpenBSD/$(uname -r)/packages/$(uname -p)/; pkg_add -z python-2
 
 # vim:ft=ansible

roles/accounts/tasks/main.yml

@@ -30,13 +30,15 @@
   check_mode: false
   register: grep_allowusers_ssh
 
-- assert:
+- name: "Check that AllowUsers and AllowGroup do not override each other"
+  assert:
     that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
     msg: "We can't deal with AllowUsers and AllowGroups at the same time"
 
-- set_fact:
-    # If "AllowGroups is present"
-    ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
+- name: "If AllowGroups is present then use it"
+  set_fact:
+    ssh_allowgroups:
+      "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
 
 - name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
   lineinfile:

roles/base/defaults/main.yml

@@ -1,30 +1,35 @@
 ---
 ntpd_servers:
-- "ntp.evolix.net"
+  - "ntp.evolix.net"
 
 general_alert_email: "root@localhost"
 general_technical_realm: "example.com"
 
 evomaintenance_realm: "example.com"
-evomaintenance_alert_email: "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}"
-evomaintenance_hostname: "{{ inventory_hostname }}.{{ general_technical_realm }}"
-evomaintenance_pg_host: Null
-evomaintenance_pg_passwd: Null
-evomaintenance_pg_db: Null
-evomaintenance_pg_table: Null
+evomaintenance_alert_email:
+  "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}"
+evomaintenance_hostname:
+  "{{ inventory_hostname }}.{{ general_technical_realm }}"
+evomaintenance_pg_host: null
+evomaintenance_pg_passwd: null
+evomaintenance_pg_db: null
+evomaintenance_pg_table: null
 evomaintenance_from_domain: "{{ evomaintenance_realm }}"
 evomaintenance_from: "evomaintenance@{{ evomaintenance_from_domain }}"
 evomaintenance_full_from: "Evomaintenance <{{ evomaintenance_from }}>"
 evomaintenance_urgency_from: mama.doe@example.com
 evomaintenance_urgency_tel: "06.00.00.00.00"
-evomaintenance_install_vendor: False
-evomaintenance_force_config: True
-evomaintenance_api_endpoint: Null
-evomaintenance_api_key: Null
-evomaintenance_hook_api: True
-evomaintenance_hook_db: False
-evomaintenance_hook_commit: True
-evomaintenance_hook_mail: True
+evomaintenance_install_vendor: false
+evomaintenance_force_config: true
+evomaintenance_api_endpoint: null
+evomaintenance_api_key: null
+evomaintenance_hook_api: true
+evomaintenance_hook_db: false
+evomaintenance_hook_commit: true
+evomaintenance_hook_mail: true
 evomaintenance_default_hosts: []
 evomaintenance_additional_hosts: []
-evomaintenance_hosts: "{{ evomaintenance_default_hosts | union(evomaintenance_additional_hosts) | unique }}"
+evomaintenance_hosts: >
+  {{ evomaintenance_default_hosts
+  | union(evomaintenance_additional_hosts)
+  | unique }}

roles/base/tasks/doas.yml

@@ -6,8 +6,6 @@
     owner: root
     group: wheel
     mode: "0640"
-    backup: no
+    backup: false
   tags:
     - doas
-
-

roles/base/tasks/dotfiles.yml

@@ -39,7 +39,7 @@
     dest: /etc/skel/.profile
     insertafter: EOF
     line: 'trap "doas /usr/share/scripts/evomaintenance.sh" 0'
-    create: yes
+    create: true
   tags:
     - admin
     - dotfiles

roles/base/tasks/evobackup.yml

@@ -6,7 +6,7 @@
     owner: root
     group: wheel
     mode: "0755"
-    force: no
+    force: false
   tags:
     - evobackup
 
@@ -16,6 +16,6 @@
     line: '#sh /usr/share/scripts/zzz_evobackup'
     owner: root
     mode: "0644"
-    create: yes
+    create: true
   tags:
     - evobackup

roles/base/tasks/evomaintenance.yml

@@ -10,10 +10,15 @@
     - evomaintenance
 
 - name: Copy evomaintenance script and template
-  copy: src={{ item.src }} dest={{ item.dest }} owner=root group=wheel mode="0755"
+  copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: 'root'
+    group: 'wheel'
+    mode: '0755'
   with_items:
-          - { src: 'evomaintenance.sh', dest: '/usr/share/scripts/' }
-          - { src: 'evomaintenance.tpl', dest: '/usr/share/scripts/' }
+    - {src: 'evomaintenance.sh', dest: '/usr/share/scripts/'}
+    - {src: 'evomaintenance.tpl', dest: '/usr/share/scripts/'}
   tags:
     - evomaintenance
     - script-evomaintenance
@@ -25,6 +30,6 @@
     owner: root
     group: wheel
     mode: "0600"
-    backup: no
+    backup: false
   tags:
     - evomaintenance

roles/base/tasks/mail.yml

@@ -2,8 +2,9 @@
 - name: Configure rc.local
   lineinfile:
     path: /etc/rc.local
-    line: 'date | mail -s "boot/reboot of $(hostname -s)" {{ general_alert_email }}'
-    create: yes
+    line:
+      'date | mail -s "boot/reboot of $(hostname -s)" {{ general_alert_email }}'
+    create: true
   tags:
     - misc
 
@@ -12,7 +13,7 @@
     dest: /etc/mail/aliases
     regexp: "# root:"
     replace: "root: {{ general_alert_email }}"
-    backup: no
+    backup: false
   notify:
     - newaliases
   tags:

roles/base/tasks/packages.yml

@@ -23,7 +23,7 @@
 - name: Disable sndiod
   service:
     name: sndiod
-    enabled: no
+    enabled: false
     state: stopped
   tags:
     - pkg

roles/base/tasks/sudo.yml

@@ -6,7 +6,7 @@
     insertafter: '# and set environment variables.'
     line: '%wheel   ALL=(ALL) SETENV: ALL'
     validate: 'visudo -cf %s'
-    backup: no
+    backup: false
   tags:
     - sudo
 
@@ -19,8 +19,6 @@
       Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh
       %wheel ALL=NOPASSWD: MAINT
     validate: 'visudo -cf %s'
-    backup: no
+    backup: false
   tags:
     - sudo
-
-

roles/bgp/tasks/main.yml

@@ -29,7 +29,9 @@
     minute: 0
     hour: 4
     weekday: 0
-    job: "/usr/sbin/bgpctl show rib selected > /var/log/bgp/rib-selected-$(date +\\%F)"
+    job: >
+      /usr/sbin/bgpctl show rib selected
+      > /var/log/bgp/rib-selected-$(date +\\%F)
   when: group_names | select('search','bgp') | list | count > 0
   tags:
     - bgp

roles/etc-git/defaults/main.yml

@@ -1,4 +1,4 @@
 ---
 commit_message: Ansible run
 
-etc_git_monitor_status: True
+etc_git_monitor_status: true

roles/etc-git/tasks/commit.yml

@@ -3,10 +3,10 @@
   command: git status --porcelain
   args:
     chdir: /etc
-  changed_when: False
+  changed_when: false
   register: git_status
   when: not ansible_check_mode
-  ignore_errors: yes
+  ignore_errors: true
   tags:
     - etc-git
     - commit-etc
@@ -24,26 +24,42 @@
     repo: /etc
     scope: local
   register: git_config_user_email
-  ignore_errors: yes
+  ignore_errors: true
   tags:
     - etc-git
     - commit-etc
 
 - name: set commit author
   set_fact:
-    commit_author: '{% if ansible_env.SUDO_USER is not defined %}root{% else %}{{ ansible_env.SUDO_USER }}{% endif %}'
-    commit_email:  '{% if git_config_user_email.config_value is not defined or git_config_user_email.config_value == "" %}root@localhost{% else %}{{ git_config_user_email.config_value }}{% endif %}'
+    commit_author: >
+      {% if ansible_env.SUDO_USER is not defined %}
+      root
+      {% else %}
+      {{ ansible_env.SUDO_USER }}
+      {% endif %}
+    commit_email: >
+      {% if git_config_user_email.config_value is not defined
+      or git_config_user_email.config_value == "" %}
+      root@localhost
+      {% else %}
+      {{ git_config_user_email.config_value }}
+      {% endif %}
   tags:
     - etc-git
     - commit-etc
 
 - name: /etc modifications are committed
-  shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\" --author \"{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>\""
+  shell: >
+    git add -A .
+    && git commit
+      -m "{{ commit_message | mandatory }}"
+      --author
+      "{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>"
   args:
     chdir: /etc
   register: etc_commit_end_run
   when: not ansible_check_mode and git_status.stdout != ""
-  ignore_errors: yes
+  ignore_errors: true
   tags:
     - etc-git
     - commit-etc

roles/etc-git/tasks/main.yml

@@ -12,7 +12,7 @@
   args:
     chdir: /etc
     creates: /etc/.git/
-    warn: no
+    warn: false
   register: git_init
   tags:
     - etc-git
@@ -48,11 +48,11 @@
   command: "git log"
   args:
     chdir: /etc
-    warn: no
-  changed_when: False
-  failed_when: False
+    warn: false
+  changed_when: false
+  failed_when: false
   register: git_log
-  check_mode: no
+  check_mode: false
   tags:
     - etc-git
 
@@ -60,7 +60,7 @@
   shell: "git add -A . && git commit -m \"Initial commit via Ansible\""
   args:
     chdir: /etc
-    warn: no
+    warn: false
   register: git_commit
   when: git_log.rc != 0 or (git_init is defined and git_init.changed)
   tags:
@@ -72,7 +72,7 @@
     line: '/usr/local/bin/git --git-dir /etc/.git gc --quiet'
     owner: root
     mode: "0644"
-    create: yes
+    create: true
   tags:
     - etc-git
 
@@ -82,7 +82,7 @@
     line: "{{ item }}"
     owner: root
     mode: "0644"
-    create: yes
+    create: true
   when: etc_git_monitor_status
   tags:
     - etc-git
@@ -93,7 +93,8 @@
 - name: cron job for /etc/.git status is removed
   lineinfile:
     path: /etc/daily.local
-    line: '/usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short'
+    line:
+      '/usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short'
     owner: root
     mode: "0644"
     state: absent
@@ -105,7 +106,13 @@
   cron:
     name: git status
     minute: 42
-    job: "who > /dev/null || /usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short"
+    job: >
+      who
+      > /dev/null
+        || /usr/local/bin/git
+          --git-dir=/etc/.git
+          --work-tree=/etc
+          status --short
   when: etc_git_monitor_status
   tags:
     - etc-git
@@ -114,7 +121,13 @@
   cron:
     name: git status
     minute: 42
-    job: "who > /dev/null || /usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short"
+    job: >
+      who
+      > /dev/null
+        || /usr/local/bin/git
+          --git-dir=/etc/.git
+          --work-tree=/etc
+          status --short
     state: absent
   when: not etc_git_monitor_status
   tags:

roles/evocheck/tasks/exec.yml

@@ -2,9 +2,9 @@
 - name: run evocheck
   command: "{{ evocheck_bin_dir }}/evocheck.sh"
   register: evocheck_run
-  changed_when: False
-  failed_when: False
-  check_mode: no
+  changed_when: false
+  failed_when: false
+  check_mode: false
   tags:
   - evocheck-exec
 

roles/evocheck/tasks/install.yml

@@ -15,7 +15,7 @@
     dest: "{{ evocheck_bin_dir }}/evocheck.sh"
     mode: "0700"
     owner: root
-    force: yes
+    force: true
   tags:
     - evocheck
 
@@ -23,7 +23,7 @@
   copy:
     src: evocheck.cf
     dest: /etc/evocheck.cf
-    force: no
+    force: false
   tags:
     - evocheck
 
@@ -33,6 +33,6 @@
     line: 'sh /usr/share/scripts/evocheck.sh --verbose --cron'
     owner: root
     mode: "0644"
-    create: yes
+    create: true
   tags:
     - evocheck

roles/forwarding/tasks/main.yml

@@ -4,7 +4,7 @@
     name: net.inet.ip.forwarding
     value: 1
     state: present
-    reload: yes
+    reload: true
   tags:
     - net
 
@@ -13,6 +13,6 @@
     name: net.inet6.ip6.forwarding
     value: 1
     state: present
-    reload: yes
+    reload: true
   tags:
     - net

roles/nagios-nrpe/defaults/main.yml

@@ -2,7 +2,8 @@
 evolix_trusted_ips: []
 additional_trusted_ips: []
 # Let's merge evolix_trusted_ips with additional_trusted_ips
-nagios_nrpe_allowed_hosts: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}"
+nagios_nrpe_allowed_hosts:
+  "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}"
 nagios_nrpe_ldap_dc: "dc=DOMAIN,dc=EXT"
 nagios_nrpe_ldap_passwd: LDAP_PASSWD
 nagios_nrpe_pgsql_passwd: PGSQL_PASSWD

roles/nagios-nrpe/tasks/main.yml

@@ -54,5 +54,5 @@
 - name: Starting and enabling nrpe
   service:
     name: nrpe
-    enabled: yes
+    enabled: true
     state: started

roles/openvpn/tasks/main.yml

@@ -27,7 +27,7 @@
 - name: Enabling OpenVPN
   service:
     name: openvpn
-    enabled: yes
+    enabled: true
   tags:
     - openvpn
 
@@ -39,9 +39,8 @@
 - name: Create shellpki user
   user:
     name: "_shellpki"
-    system: yes
+    system: true
     state: present
-    system: yes
     home: "/etc/shellpki/"
     shell: "/sbin/nologin"
   tags:
@@ -54,10 +53,14 @@
     owner: root
     group: wheel
     mode: "{{ item.mode }}"
-    force: yes                 
+    force: true
   with_items:
-          - { src: 'files/shellpki/openssl.cnf', dest: '/etc/shellpki/openssl.cnf', mode: '0640' }
-          - { src: 'files/shellpki/shellpki', dest: '/usr/local/sbin/shellpki', mode: '0755' }
+    - src: 'files/shellpki/openssl.cnf'
+      dest: '/etc/shellpki/openssl.cnf'
+      mode: '0640'
+    - src: 'files/shellpki/shellpki'
+      dest: '/usr/local/sbin/shellpki'
+      mode: '0755'
   tags:
     - openvpn
 
@@ -103,8 +106,10 @@
     owner: root
     group: wheel
     mode: "{{ item.mode }}"
-    force: yes                 
+    force: true
   with_items:
-          - { src: 'files/check_openvpn.pl', dest: '/usr/local/libexec/nagios/plugins/check_openvpn.pl', mode: '0755' }
+    - src: 'files/check_openvpn.pl'
+      dest: '/usr/local/libexec/nagios/plugins/check_openvpn.pl'
+      mode: '0755'
   tags:
     - openvpn

roles/pf/tasks/main.yml

@@ -4,4 +4,4 @@
     src: pf.conf.j2
     dest: /etc/pf.conf
     mode: "0600"
-    backup: yes
+    backup: true

tasks/commit_etc_git.yml

@@ -3,19 +3,25 @@
   command: git status --porcelain
   args:
     chdir: /etc
-  changed_when: False
+  changed_when: false
   register: git_status
   when: not ansible_check_mode
-  ignore_errors: yes
+  ignore_errors: true
   tags:
     - commit-etc
-
+# yamllint disable rule:line-length
 - name: /etc modifications are committed
-  shell: "git add -A . && git commit -m \"{{ commit_message | default('Ansible run') }}\" --author=\"{{ ansible_env.SUDO_USER | default('Root') }} <{{ ansible_env.SUDO_USER | default('Root') }}@{{ general_technical_realm }}>\""
+  shell: >
+    git add -A .
+    && git commit
+      -m "{{ commit_message | default('Ansible run') }}"
+      --author="{{ ansible_env.SUDO_USER | default('Root') }}"
+     < "{{ ansible_env.SUDO_USER | default('Root') }}@{{ general_technical_realm }}>"
   args:
     chdir: /etc
   register: etc_commit_end_evolinux
   when: not ansible_check_mode and git_status.stdout != ""
-  ignore_errors: yes
+  ignore_errors: true
   tags:
     - commit-etc
+# yamllint enable rule:line-length

vars/main.yml

@@ -3,29 +3,31 @@
 ## Edit and uncomment to overwrite the default values ##
 ########################################################
 
-#ntpd_servers:
-#- "ntp.evolix.net"
+# ntpd_servers:
+# - "ntp.evolix.net"
 #
-#general_alert_email: "root@localhost"
-#general_technical_realm: "example.com"
+# general_alert_email: "root@localhost"
+# general_technical_realm: "example.com"
 evolinux_ssh_group: "evolinux-ssh"
 evolinux_sudo_group: "evolinux-sudo"
 evolinux_root_disable_ssh: true
 #
-#evomaintenance_realm: "example.com"
-#evomaintenance_alert_email: "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}"
-#evomaintenance_hostname: "{{ inventory_hostname }}.{{ general_technical_realm }}"
-#evomaintenance_pg_host: Null
-#evomaintenance_pg_passwd: Null
-#evomaintenance_pg_db: Null
-#evomaintenance_pg_table: Null
-#evomaintenance_from_domain: "{{ evomaintenance_realm }}"
-#evomaintenance_from: "evomaintenance@{{ evomaintenance_from_domain }}"
-#evomaintenance_full_from: "Evomaintenance <{{ evomaintenance_from }}>"
-#evomaintenance_urgency_from: mama.doe@example.com
-#evomaintenance_urgency_tel: "06.00.00.00.00"
+# evomaintenance_realm: "example.com"
+# evomaintenance_alert_email:
+# "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}"
+# evomaintenance_hostname:
+# "{{ inventory_hostname }}.{{ general_technical_realm }}"
+# evomaintenance_pg_host: Null
+# evomaintenance_pg_passwd: Null
+# evomaintenance_pg_db: Null
+# evomaintenance_pg_table: Null
+# evomaintenance_from_domain: "{{ evomaintenance_realm }}"
+# evomaintenance_from: "evomaintenance@{{ evomaintenance_from_domain }}"
+# evomaintenance_full_from: "Evomaintenance <{{ evomaintenance_from }}>"
+# evomaintenance_urgency_from: mama.doe@example.com
+# evomaintenance_urgency_tel: "06.00.00.00.00"
 #
-#evolix_users:
+# evolix_users:
 #  foo:
 #    name: foo
 #    uid: 1042