Add lint configuration and CI and fix the identified errors #14

Merged
june merged 10 commits from lint_and_ci into main 2024-12-01 22:26:24 +01:00
21 changed files with 837 additions and 763 deletions

6
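--- a/.ansible-lint
+++ b/.ansible-lint
@@ -0,0 +1,6 @@
+skip_list:
+- "yaml[line-length]"
+- "name[casing]"
+exclude_paths:
+- .forgejo/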

15
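--- a/.editorconfig
+++ b/.editorconfig
@@ -0,0 +1,15 @@
+root = true
+[*]
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+indent_style = space
+charset = utf-8
+[*.md]
+indent_size = 2
+trim_trailing_whitespace = false
+[*.yaml]
+indent_size = 2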
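Review bot: The `[*.yaml]` section on the last line of the hunk matches only the `.yaml` extension, so `.yml` files — the `requirements.yml` the lint workflow hands to ansible-lint, for one — get no `indent_size`; a glob such as `[*.{yaml,yml}]` covers both spellings in one stanza. The `trim_trailing_whitespace = false` under `[*.md]` is presumably deliberate for Markdown hard line breaks and deserves a one-line comment so nobody "fixes" it, e.g. `# two trailing spaces are a Markdown line break`.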


@ -0,0 +1,32 @@
# Links & Resources:
# https://github.com/ansible/ansible-lint?tab=readme-ov-file#using-ansible-lint-as-a-github-action
# https://github.com/ansible/ansible-lint/blob/main/action.yml
on:
pull_request:
push:
jobs:
ansible-lint:
name: Ansible Lint
runs-on: docker
steps:
- uses: actions/checkout@v4
- name: Install pip
run: |
apt update
apt install -y pip
- name: Install python jmespath
run: |
pip install jmespath
env:
PIP_BREAK_SYSTEM_PACKAGES: 1
# Don't let it setup python as the then called setup-python action doesn't
# work in our environmnet.
# Rather manually setup python (pip) before instead.
- name: Run ansible-lint
uses: https://github.com/ansible/ansible-lint@main
with:
setup_python: "false"
requirements_file: "requirements.yml"
env:
PIP_BREAK_SYSTEM_PACKAGES: 1
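Review bot: The lint step's `uses: https://github.com/ansible/ansible-lint@main` tracks a moving branch, so every CI run executes whatever that branch holds at the time and the job can change behaviour or break with no change in this repository; pinning to a release tag or, better, a full commit SHA (`uses: https://github.com/ansible/ansible-lint@<release-tag-or-commit-sha>`) keeps runs reproducible and narrows the supply-chain exposure, and the same reasoning applies, less urgently, to `actions/checkout@v4`. The env value `PIP_BREAK_SYSTEM_PACKAGES: 1` (used twice, at the pip step and the lint step) is an integer to a generic YAML parser; `PIP_BREAK_SYSTEM_PACKAGES: "1"` states the intended string explicitly. The comment above the lint step also misspells "environment" as `environmnet`.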

6
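--- a/.yamllint.yaml
+++ b/.yamllint.yaml
@@ -0,0 +1,6 @@
+rules:
+brackets:
+min-spaces-inside: 1
+max-spaces-inside: 1
+min-spaces-inside-empty: 1
+max-spaces-inside-empty: 1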
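Review bot: Without an `extends: default` line this file is the complete yamllint configuration, so when yamllint is invoked on its own only the `brackets` rule is active and the default checks (duplicate keys, truthy values, trailing spaces, indentation) are silently off; if the intent was to adjust bracket spacing on top of the defaults, add `extends: default` above `rules:`. Whether ansible-lint merges this file with its own yamllint defaults I cannot tell from the page, so the direct-invocation case is the one to confirm.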


@ -7,4 +7,3 @@ datasources:
isDefault: true isDefault: true
access: proxy access: proxy
editable: true editable: true


@ -0,0 +1,3 @@
- name: reboot the system
become: true
ansible.builtin.reboot:


@ -9,7 +9,5 @@
ansible.builtin.apt: ansible.builtin.apt:
upgrade: dist upgrade: dist
register: apt_update_and_upgrade__upgrade_result register: apt_update_and_upgrade__upgrade_result
notify:
- name: reboot, after package upgrade - reboot the system
ansible.builtin.reboot:
when: apt_update_and_upgrade__upgrade_result.changed
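Review bot: With the reboot now driven by `notify:` on the new side, `register: apt_update_and_upgrade__upgrade_result` on the context line above it has no consumer left within this hunk, because the old `when: apt_update_and_upgrade__upgrade_result.changed` guard that read it is removed; if nothing else in the role reads the variable, drop the `register:` line, otherwise add a comment naming what uses it. The handler only fires when the upgrade task reports changed, so the new code matches the old guard's behaviour. The apt task's `- name:` line starts above the hunk.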


@ -0,0 +1,3 @@
- name: reboot the system
become: true
ansible.builtin.reboot:


@ -7,17 +7,30 @@
ansible.builtin.template: ansible.builtin.template:
force: true force: true
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
mode: 0644 mode: "0644"
owner: root owner: root
group: root group: root
src: sshd_config.j2 src: sshd_config.j2
register: deploy_ssh_server_config__ssh_config_copy_result notify:
# Reboot instead of just restarting the ssh service, since I don't know how Ansible reacts, when it restarts the service it probably needs for the connection.
- reboot the system
- name: deactivate short moduli - name: deactivate short moduli
ansible.builtin.shell: ansible.builtin.shell:
cmd: awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli executable: /bin/bash
cmd: |
set -eo pipefail
# Rebooting here instead of restarting the ssh service, since I don't know how Ansible reacts, when it restarts the service it probably needs for the connection. awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp
- name: reboot, if ssh server config got changed if diff /etc/ssh/moduli /etc/ssh/moduli.tmp; then
ansible.builtin.reboot: rm /etc/ssh/moduli.tmp
when: deploy_ssh_server_config__ssh_config_copy_result.changed else
mv /etc/ssh/moduli.tmp /etc/ssh/moduli
echo "ansible-changed: changed /etc/ssh/moduli"
fi
register: result
changed_when:
- '"ansible-changed" in result.stdout'
notify:
# Reboot instead of just restarting the ssh service, since I don't know how Ansible reacts, when it restarts the service it probably needs for the connection.
- reboot the system
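Review bot: The template task now reboots the host through the `reboot the system` handler whenever sshd_config changes, but nothing checks the rendered file first, so a template error leaves sshd unable to start after the reboot and the machine unreachable; add `validate: /usr/sbin/sshd -t -f %s` next to `src: sshd_config.j2` so the template module rejects a broken config before it is installed. In the moduli task, `mv /etc/ssh/moduli.tmp /etc/ssh/moduli` replaces the file with one created under the shell's umask, so the original owner and mode of `/etc/ssh/moduli` are not preserved; `install -m 0644 -o root -g root /etc/ssh/moduli.tmp /etc/ssh/moduli` (or a `chmod`/`chown` after the move) keeps them stable. `register: result` also departs from the `deploy_ssh_server_config__...` prefix the role uses elsewhere, and an unprefixed `result` is easily overwritten by any later task in the play. The template task starting at file line 7 begins above the hunk.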


@ -4,4 +4,3 @@
user: chaos user: chaos
exclusive: true exclusive: true
key: https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/raw/branch/trunk/authorized_keys key: https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/raw/branch/trunk/authorized_keys


@ -7,11 +7,11 @@
when: nginx__use_custom_nginx_conf when: nginx__use_custom_nginx_conf
block: block:
- name: when no `nginx.conf.ansiblesave` is present, save the current `nginx.conf` - name: when no `nginx.conf.ansiblesave` is present, save the current `nginx.conf`
when: nginx__nginx_conf_ansiblesave_stat_result.stat.exists == false when: not nginx__nginx_conf_ansiblesave_stat_result.stat.exists
ansible.builtin.copy: ansible.builtin.copy:
force: true force: true
dest: /etc/nginx/nginx.conf.ansiblesave dest: /etc/nginx/nginx.conf.ansiblesave
mode: 0644 mode: "0644"
owner: root owner: root
group: root group: root
remote_src: true remote_src: true
@ -22,7 +22,7 @@
ansible.builtin.copy: ansible.builtin.copy:
content: "{{ nginx__custom_nginx_conf }}" content: "{{ nginx__custom_nginx_conf }}"
dest: "/etc/nginx/nginx.conf" dest: "/etc/nginx/nginx.conf"
mode: 0644 mode: "0644"
owner: root owner: root
group: root group: root
become: true become: true
@ -36,7 +36,7 @@
ansible.builtin.copy: ansible.builtin.copy:
force: true force: true
dest: /etc/nginx/nginx.conf dest: /etc/nginx/nginx.conf
mode: 0644 mode: "0644"
owner: root owner: root
group: root group: root
remote_src: true remote_src: true
@ -55,7 +55,7 @@
ansible.builtin.get_url: ansible.builtin.get_url:
force: true force: true
dest: /etc/nginx-mozilla-dhparam dest: /etc/nginx-mozilla-dhparam
mode: 0644 mode: "0644"
url: https://ssl-config.mozilla.org/ffdhe2048.txt url: https://ssl-config.mozilla.org/ffdhe2048.txt
become: true become: true
notify: Restart `nginx.service` notify: Restart `nginx.service`
@ -71,7 +71,7 @@
ansible.builtin.copy: ansible.builtin.copy:
force: true force: true
dest: /etc/nginx/conf.d/tls.conf dest: /etc/nginx/conf.d/tls.conf
mode: 0644 mode: "0644"
owner: root owner: root
group: root group: root
src: tls.conf src: tls.conf
@ -89,7 +89,7 @@
ansible.builtin.copy: ansible.builtin.copy:
force: true force: true
dest: /etc/nginx/conf.d/redirect.conf dest: /etc/nginx/conf.d/redirect.conf
mode: 0644 mode: "0644"
owner: root owner: root
group: root group: root
src: redirect.conf src: redirect.conf
@ -104,7 +104,7 @@
ansible.builtin.copy: ansible.builtin.copy:
content: "{{ item.content }}" content: "{{ item.content }}"
dest: "/etc/nginx/conf.d/{{ item.name }}.conf" dest: "/etc/nginx/conf.d/{{ item.name }}.conf"
mode: 0644 mode: "0644"
owner: root owner: root
group: root group: root
become: true become: true
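Review bot: In the `ansible.builtin.get_url` hunk (the one at `@ -55`), the Mozilla ffdhe2048 group is re-downloaded on every run because of `force: true`, and nothing pins its content, so any change served at that URL — or a tampered response — silently becomes the DH parameters nginx serves and triggers the `Restart nginx.service` handler; adding `checksum: "sha256:<hash of the published ffdhe2048.txt — fill in>"` makes the module refuse a differing file, and since the group is the fixed RFC 7919 constant the hash never needs updating. The remaining hunks in this section only quote `mode` values and replace `== false` with `not`, which need no further change.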