ansible-lint with production profile (#2)

Tina-pm · Aug 22, 2024 · c23702e · c23702e
2 parents 3cecfbc + f87ec2d
commit c23702e
Show file tree

Hide file tree

Showing 9 changed files with 127 additions and 66 deletions.
diff --git a/.config/ansible-lint.yaml b/.config/ansible-lint.yaml
@@ -0,0 +1,6 @@
+# vim:ts=2:sw=2:et:ai:sts=2
+---
+profile: production
+skip_list:
+  - no-handler    # TODO: fix
+  - name[casing]  # TODO: fix
diff --git a/.github/workflows/ansible-lint.yaml b/.github/workflows/ansible-lint.yaml
@@ -0,0 +1,24 @@
+---
+name: ansible-lint
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - force_ci/ansible-lint/**  # For development/debugging of the workflow.
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  lint:
+    name: Ansible lint
+    runs-on: ubuntu-latest
+    steps:
+      - id: checkout
+        uses: actions/checkout@v4
+
+      - name: Run ansible-lint
+        uses: ansible/ansible-lint@v24
diff --git a/.yamllint.yaml b/.yamllint.yaml
@@ -0,0 +1,23 @@
+# vim:ts=2:sw=2:et:ai:sts=2
+---
+extends: default
+rules:
+  comments:
+    min-spaces-from-content: 1  # Required by ansible-lint
+  comments-indentation: false  # Required by ansible-lint
+  document-start: disable
+  line-length:
+    max: 80
+  braces:
+    min-spaces-inside: 0  # Required by ansible-lint
+    max-spaces-inside: 1  # Required by ansible-lint
+  octal-values:
+    forbid-implicit-octal: true  # Required by ansible-lint
+    forbid-explicit-octal: true  # Required by ansible-lint
+  quoted-strings:
+    quote-type: single
+    required: only-when-needed
+    extra-required:
+      - ^[0-9:]+$  # IPv6 addresses containing only numbers 0-9 are misparsed
+    extra-allowed:
+      - ^\^   # regular expression
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -2,7 +2,7 @@
 # vim:ts=2:sw=2:et:ai:sts=2
 
 # Set to True to disable and remove tinc from a host.
-tinc__remove: False
+tinc__remove: false
 
 tinc__netname: tinc
 
@@ -14,7 +14,7 @@ tinc__netname: tinc
 #        - 1.2.3.4
 #      tinc__vpn_addresses:
 #        - 192.168.128.1/32
-#      tinc__allow_incoming_connections: True
+#      tinc__allow_incoming_connections: true
 #      tinc__host_conf: |
 #        Address = 1.2.3.4
 #        Subnet = 192.168.128.1/32
@@ -24,18 +24,18 @@ tinc__netname: tinc
 tinc__external_hosts: {}
 
 # Per-host
-tinc__public_addresses: "{{ [ansible_host] }}"
+tinc__public_addresses: '{{ [ansible_host] }}'
 tinc__port: 655
-tinc__allow_incoming_connections: True
+tinc__allow_incoming_connections: true
 
-tinc__vpn_interface: "{{ tinc__netname }}"
+tinc__vpn_interface: '{{ tinc__netname }}'
 
 # IP addresses to assign to the VPN interface.
 tinc__vpn_addresses: []
 
 # Export the local IP addresses as single-host networks.
 tinc__vpn_local_subnets:
-  "{{ tinc__vpn_addresses | ipaddr('address') | ipaddr('host') }}"
+  '{{ tinc__vpn_addresses | ipaddr("address") | ipaddr("host") }}'
 
 # Extra networks to export.
 tinc__vpn_extra_subnets:

diff --git a/handlers/main.yml b/handlers/main.yml
@@ -2,20 +2,20 @@
 # vim:ts=2:sw=2:et:ai:sts=2
 
 - name: reload tinc
-  service:
-    name: "{{ tinc__service_name }}"
+  ansible.builtin.service:
+    name: '{{ tinc__service_name }}'
     state: reloaded
 
 - name: restart tinc
-  service:
-    name: "{{ tinc__service_name }}"
+  ansible.builtin.service:
+    name: '{{ tinc__service_name }}'
     state: restarted
 
 - name: reload systemd
-  systemd:
-    daemon_reload: yes
+  ansible.builtin.systemd:
+    daemon_reload: true
 
 - name: reload ferm
-  service:
+  ansible.builtin.service:
     name: ferm
     state: reloaded
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -1,8 +1,8 @@
 ---
 # vim:ts=2:sw=2:et:ai:sts=2
 
-- include_tasks: remove.yml
+- ansible.builtin.include_tasks: remove.yml  # noqa: name[missing]
   when: tinc__remove
 
-- include_tasks: setup.yml
+- ansible.builtin.include_tasks: setup.yml   # noqa: name[missing]
   when: not tinc__remove
diff --git a/tasks/remove.yml b/tasks/remove.yml
@@ -2,42 +2,42 @@
 # vim:ts=2:sw=2:et:ai:sts=2
 
 - name: check tinc uses systemd units
-  stat:
+  ansible.builtin.stat:
     path: /lib/systemd/system/tinc@.service
   register: tinc__tinc_unit
 
 - name: set fact about systemd unit
-  set_fact:
-    tinc__use_systemd: False
+  ansible.builtin.set_fact:
+    tinc__use_systemd: false
   when: not tinc__tinc_unit.stat.exists
 
 - name: stop and disable tinc
-  service:
-    name: "{{ tinc__service_name }}"
-    enabled: no
+  ansible.builtin.service:
+    name: '{{ tinc__service_name }}'
+    enabled: false
     state: stopped
 
 - name: delete tinc netname directory
-  file:
+  ansible.builtin.file:
     path: /etc/tinc/{{ tinc__netname }}
     state: absent
 
 - name: delete nets.boot
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/tinc/nets.boot
-    line: "{{ tinc__netname }}"
+    line: '{{ tinc__netname }}'
     state: absent
 
 - name: delete systemd unit override
-  file:
+  ansible.builtin.file:
     path: /etc/systemd/system/{{ tinc__service_name }}.service.d/override.conf
     state: absent
   notify:
     - reload systemd
   when: tinc__use_systemd
 
 - name: delete local configuration copy
-  local_action:
-    module: file
+  ansible.builtin.file:
     path: fetch/{{ tinc__netname }}/{{ inventory_hostname }}
     state: absent
+  delegate_to: localhost
diff --git a/tasks/setup.yml b/tasks/setup.yml
@@ -2,57 +2,59 @@
 # vim:ts=2:sw=2:et:ai:sts=2
 
 - name: install tinc
-  package:
+  ansible.builtin.package:
     name: tinc
-    state: latest
+    state: present
 
 - name: check tinc uses systemd units
-  stat:
+  ansible.builtin.stat:
     path: /lib/systemd/system/tinc@.service
   register: tinc__tinc_unit
 
 - name: set fact about systemd unit
-  set_fact:
-    tinc__use_systemd: False
+  ansible.builtin.set_fact:
+    tinc__use_systemd: false
   when: not tinc__tinc_unit.stat.exists
 
 - name: set daemon parameters in /etc/default/tinc
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/default/tinc
-    line: "EXTRA='-d -L'"
+    line: EXTRA='-d -L'
     regexp: '^EXTRA\s*='
     insertbefore: BOF
-    create: no
+    create: false
   notify:
     - restart tinc
 
 - name: ensure tinc network directory exists
-  file:
+  ansible.builtin.file:
     path: /etc/tinc/{{ tinc__netname }}/hosts
-    recurse: True
+    recurse: true
     state: directory
 
 - name: add network to /etc/tinc/nets.boot
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/tinc/nets.boot
-    line: "{{ tinc__netname }}"
-    create: yes
+    line: '{{ tinc__netname }}'
+    mode: '0644'
+    create: true
   notify:
     - restart tinc
   when: not tinc__use_systemd
 
 - name: create tinc.conf file from template
-  template:
+  ansible.builtin.template:
     src: tinc.conf.j2
     dest: /etc/tinc/{{ tinc__netname }}/tinc.conf
+    mode: '0644'
   notify:
     - reload tinc
 
 - name: create network configuration scripts
-  template:
+  ansible.builtin.template:
     src: '{{ item }}.j2'
     dest: /etc/tinc/{{ tinc__netname }}/{{ item }}
-    mode: 0755
+    mode: '0755'
   loop:
     - tinc-up
     - tinc-down
@@ -62,95 +64,98 @@
     - restart tinc
 
 - name: check for crypto key pair
-  command: >-
+  ansible.builtin.command: >-
     awk '/^-----BEGIN RSA PUBLIC KEY-----$/,/^-----END RSA PUBLIC KEY-----$/'
     /etc/tinc/{{ tinc__netname }}/hosts/{{ inventory_hostname }}
   register: tinc__public_key
   changed_when: >
     not tinc__public_key.stdout.endswith('-----END RSA PUBLIC KEY-----')
   failed_when: tinc__public_key.rc not in (0, 1, 2)
-  check_mode: no
+  check_mode: false
 
 - name: set host parameters
-  template:
+  ansible.builtin.template:
     src: host.conf.j2
     dest: /etc/tinc/{{ tinc__netname }}/hosts/{{ inventory_hostname }}
+    mode: '0644'
   notify:
     - restart tinc
 
-# this is necessary because the public key will not be generated (non-interactively) if the private key already exists
+# this is necessary because the public key will not be generated
+# (non-interactively) if the private key already exists
 - name: delete private key and regenerate keypair
-  file:
+  ansible.builtin.file:
     path: /etc/tinc/{{ tinc__netname }}/rsa_key.priv
     state: absent
   when: tinc__public_key.changed
   notify:
     - restart tinc
 
 - name: delete private key and regenerate keypair
-  command: tincd -n {{ tinc__netname }} -K4096
+  ansible.builtin.command: tincd -n {{ tinc__netname }} -K4096
   args:
     creates: /etc/tinc/{{ tinc__netname }}/rsa_key.priv
   when: tinc__public_key.changed
   notify:
     - restart tinc
 
 - name: find obsolete tinc host files
-  command: ls /etc/tinc/{{ tinc__netname }}/hosts/
+  ansible.builtin.command: ls /etc/tinc/{{ tinc__netname }}/hosts/
   register: tinc__host_files
-  changed_when: False
-  check_mode: no
+  changed_when: false
+  check_mode: false
 
 - name: remove obsolete tinc host files
-  file:
+  ansible.builtin.file:
     path: /etc/tinc/{{ tinc__netname }}/hosts/{{ item }}
     state: absent
   with_items: '{{ tinc__host_files.stdout_lines }}'
   when: >-
     item not in tinc__hostvars or tinc__hostvars[item].tinc__remove
 
 - name: fetch tinc hosts file after key creation
-  fetch:
+  ansible.builtin.fetch:
     src: /etc/tinc/{{ tinc__netname }}/hosts/{{ inventory_hostname }}
     dest: fetch/{{ tinc__netname }}/{{ inventory_hostname }}
-    flat: yes
+    flat: true
 
 - name: create tinc hosts file for hosts outside of ansible
-  copy:
+  ansible.builtin.copy:
     dest: /etc/tinc/{{ item.value.tinc__netname }}/hosts/{{ item.key }}
     content: '{{ item.value.tinc__host_conf }}'
+    mode: '0644'
   with_dict: '{{ tinc__external_hosts }}'
   when: >-
     item.value.tinc__host_conf is defined and
     item.value.tinc__netname is defined
 
 - name: sync the fetched tinc hosts files on each host
-  copy:
+  ansible.builtin.copy:
     src: fetch/{{ tinc__netname }}/
     dest: /etc/tinc/{{ tinc__netname }}/hosts/
-    mode: 0644
+    mode: '0644'
   notify:
     - reload tinc
 
 - name: ensure tinc meta-service is started
-  service:
+  ansible.builtin.service:
     name: tinc
-    enabled: yes
+    enabled: true
     state: started
   when: tinc__use_systemd
 
 - name: ensure tinc is started
-  service:
-    name: "{{ tinc__service_name }}"
-    enabled: yes
+  ansible.builtin.service:
+    name: '{{ tinc__service_name }}'
+    enabled: true
     state: started
 
 - name: install ferm configuration
-  template:
+  ansible.builtin.template:
     src: ferm.conf.j2
     dest: /etc/ferm/ferm.d/tinc.conf
     owner: root
     group: adm
-    mode: 0644
+    mode: '0644'
   notify: reload ferm
   when: tinc__install_ferm_svc and tinc__allow_incoming_connections