report changed properly for "deactivate short moduli" task

This fixes the ansible-lint no-changed-when complaint and also allows to
notify the reboot handler.

.ansible-lint

@@ -0,0 +1,6 @@
+skip_list:
+  - "yaml[line-length]"
+  - "name[casing]"
+
+exclude_paths:
+  - .forgejo/

.editorconfig

@@ -0,0 +1,15 @@
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+indent_style = space
+charset = utf-8
+
+[*.md]
+indent_size = 2
+trim_trailing_whitespace = false
+
+[*.yaml]
+indent_size = 2

.forgejo/workflows/lint.yaml

@@ -0,0 +1,32 @@
+# Links & Resources:
+# https://github.com/ansible/ansible-lint?tab=readme-ov-file#using-ansible-lint-as-a-github-action
+# https://github.com/ansible/ansible-lint/blob/main/action.yml
+on:
+  pull_request:
+  push:
+
+jobs:
+  ansible-lint:
+    name: Ansible Lint
+    runs-on: docker
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install pip
+        run: |
+          apt update
+          apt install -y pip
+      - name: Install python jmespath
+        run: |
+          pip install jmespath
+        env:
+          PIP_BREAK_SYSTEM_PACKAGES: 1
+      # Don't let it setup python as the then called setup-python action doesn't
+      # work in our environmnet.
+      # Rather manually setup python (pip) before instead.
+      - name: Run ansible-lint
+        uses: https://github.com/ansible/ansible-lint@main
+        with:
+          setup_python: "false"
+          requirements_file: "requirements.yml"
+        env:
+          PIP_BREAK_SYSTEM_PACKAGES: 1

.yamllint.yaml

@@ -0,0 +1,6 @@
+rules:
+  brackets:
+    min-spaces-inside: 1
+    max-spaces-inside: 1
+    min-spaces-inside-empty: 1
+    max-spaces-inside-empty: 1

playbooks/files/chaosknoten/configs/grafana/docker_compose/grafana-datasource.yml

@@ -7,4 +7,3 @@ datasources:
     isDefault: true
     access: proxy
     editable: true
-

playbooks/roles/apt_update_and_upgrade/handlers/main.yaml

@@ -0,0 +1,3 @@
+- name: reboot the system
+  become: true
+  ansible.builtin.reboot:

playbooks/roles/apt_update_and_upgrade/tasks/main.yaml

@@ -9,7 +9,5 @@
       ansible.builtin.apt:
         upgrade: dist
       register: apt_update_and_upgrade__upgrade_result
-
+      notify:
-  - name: reboot, after package upgrade
+        - reboot the system
-    ansible.builtin.reboot:
-    when: apt_update_and_upgrade__upgrade_result.changed

playbooks/roles/deploy_ssh_server_config/handlers/main.yaml

@@ -0,0 +1,3 @@
+- name: reboot the system
+  become: true
+  ansible.builtin.reboot:

playbooks/roles/deploy_ssh_server_config/tasks/main.yaml

@@ -7,17 +7,30 @@
       ansible.builtin.template:
         force: true
         dest: /etc/ssh/sshd_config
-      mode: 0644
+        mode: "0644"
         owner: root
         group: root
         src: sshd_config.j2
-    register: deploy_ssh_server_config__ssh_config_copy_result
+      notify:
+        # Reboot instead of just restarting the ssh service, since I don't know how Ansible reacts, when it restarts the service it probably needs for the connection.
+        - reboot the system
 
     - name: deactivate short moduli
       ansible.builtin.shell:
-      cmd: awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli
+        executable: /bin/bash
+        cmd: |
+          set -eo pipefail
 
-  # Rebooting here instead of restarting the ssh service, since I don't know how Ansible reacts, when it restarts the service it probably needs for the connection.
+          awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp
-  - name: reboot, if ssh server config got changed
+          if diff /etc/ssh/moduli /etc/ssh/moduli.tmp; then
-    ansible.builtin.reboot:
+            rm /etc/ssh/moduli.tmp
-    when: deploy_ssh_server_config__ssh_config_copy_result.changed
+          else
+            mv /etc/ssh/moduli.tmp /etc/ssh/moduli
+            echo "ansible-changed: changed /etc/ssh/moduli"
+          fi
+      register: result
+      changed_when:
+        - '"ansible-changed" in result.stdout'
+      notify:
+        # Reboot instead of just restarting the ssh service, since I don't know how Ansible reacts, when it restarts the service it probably needs for the connection.
+        - reboot the system

playbooks/roles/infrastructure_authorized_keys/tasks/main.yaml

@@ -4,4 +4,3 @@
     user: chaos
     exclusive: true
     key: https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/raw/branch/trunk/authorized_keys
-    

playbooks/roles/nginx/tasks/main/config_deploy.yaml

@@ -7,11 +7,11 @@
   when: nginx__use_custom_nginx_conf
   block:
     - name: when no `nginx.conf.ansiblesave` is present, save the current `nginx.conf`
-      when: nginx__nginx_conf_ansiblesave_stat_result.stat.exists == false
+      when: not nginx__nginx_conf_ansiblesave_stat_result.stat.exists
       ansible.builtin.copy:
         force: true
         dest: /etc/nginx/nginx.conf.ansiblesave
-        mode: 0644
+        mode: "0644"
         owner: root
         group: root
         remote_src: true
@@ -22,7 +22,7 @@
       ansible.builtin.copy:
         content: "{{ nginx__custom_nginx_conf }}"
         dest: "/etc/nginx/nginx.conf"
-        mode: 0644
+        mode: "0644"
         owner: root
         group: root
       become: true
@@ -36,7 +36,7 @@
       ansible.builtin.copy:
         force: true
         dest: /etc/nginx/nginx.conf
-        mode: 0644
+        mode: "0644"
         owner: root
         group: root
         remote_src: true
@@ -55,7 +55,7 @@
   ansible.builtin.get_url:
     force: true
     dest: /etc/nginx-mozilla-dhparam
-    mode: 0644
+    mode: "0644"
     url: https://ssl-config.mozilla.org/ffdhe2048.txt
   become: true
   notify: Restart `nginx.service`
@@ -71,7 +71,7 @@
       ansible.builtin.copy:
         force: true
         dest: /etc/nginx/conf.d/tls.conf
-        mode: 0644
+        mode: "0644"
         owner: root
         group: root
         src: tls.conf
@@ -89,7 +89,7 @@
       ansible.builtin.copy:
         force: true
         dest: /etc/nginx/conf.d/redirect.conf
-        mode: 0644
+        mode: "0644"
         owner: root
         group: root
         src: redirect.conf
@@ -104,7 +104,7 @@
   ansible.builtin.copy:
     content: "{{ item.content }}"
     dest: "/etc/nginx/conf.d/{{ item.name }}.conf"
-    mode: 0644
+    mode: "0644"
     owner: root
     group: root
   become: true