Add lint configuration and CI and fix the identified errors #14

Merged
june merged 10 commits from lint_and_ci into main 2024-12-01 22:26:24 +01:00
21 changed files with 837 additions and 763 deletions

6
.ansible-lint Normal file

@ -0,0 +1,6 @@
skip_list:
- "yaml[line-length]"
- "name[casing]"
exclude_paths:
- .forgejo/

15
.editorconfig Normal file

@ -0,0 +1,15 @@
root = true
[*]
end_of_line = lf
insert_final_newline = true
trim_trailing_whitespace = true
indent_style = space
charset = utf-8
[*.md]
indent_size = 2
trim_trailing_whitespace = false
[*.yaml]
indent_size = 2
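Review bot: The `[*.yaml]` section does not match `.yml` files, while the workflow added in this same PR references a `requirements.yml`, so that file (and any other `.yml` in the repository) gets no `indent_size` setting. Widening the glob to `[*.{yaml,yml}]` keeps both spellings under the same rule. Disabling `trim_trailing_whitespace` only for `[*.md]` is reasonable, since Markdown uses trailing double spaces for hard line breaks.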


@ -0,0 +1,32 @@
# Links & Resources:
# https://github.com/ansible/ansible-lint?tab=readme-ov-file#using-ansible-lint-as-a-github-action
# https://github.com/ansible/ansible-lint/blob/main/action.yml
on:
pull_request:
push:
jobs:
ansible-lint:
name: Ansible Lint
runs-on: docker
steps:
- uses: actions/checkout@v4
- name: Install pip
run: |
apt update
apt install -y pip
- name: Install python jmespath
run: |
pip install jmespath
env:
PIP_BREAK_SYSTEM_PACKAGES: 1
# Don't let it setup python as the then called setup-python action doesn't
# work in our environmnet.
# Rather manually setup python (pip) before instead.
- name: Run ansible-lint
uses: https://github.com/ansible/ansible-lint@main
with:
setup_python: "false"
requirements_file: "requirements.yml"
env:
PIP_BREAK_SYSTEM_PACKAGES: 1
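Review bot: `uses: https://github.com/ansible/ansible-lint@main` tracks a moving branch, so each CI run executes whatever `main` currently holds — lint results can change between runs with no change in this repository, and the action code itself is effectively unreviewed every time it runs. Pinning to a release tag or a full commit SHA (`uses: https://github.com/ansible/ansible-lint@<release tag or commit SHA>`) makes runs reproducible; the same applies, with less urgency, to `actions/checkout@v4`. The two `PIP_BREAK_SYSTEM_PACKAGES: 1` values are YAML integers; quoting them as `"1"` avoids relying on how the runner stringifies env values. Whether `apt install -y pip` resolves on the `docker` runner's image is not visible here — on Debian-based images the package is usually `python3-pip`, so that step is worth confirming against the actual run log.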

6
.yamllint.yaml Normal file

@ -0,0 +1,6 @@
rules:
brackets:
min-spaces-inside: 1
max-spaces-inside: 1
min-spaces-inside-empty: 1
max-spaces-inside-empty: 1
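Review bot: The config names only the `brackets` rule and has no `extends: default`; as far as I recall yamllint then enables just the rules listed here, so the usual checks (duplicate keys, truthy values, trailing spaces, indentation) would not run unless ansible-lint layers its own defaults underneath this file. If the intent is to keep the default rule set and merely relax bracket spacing, adding `extends: default` above `rules:` makes that explicit rather than depending on the caller. The file also starts without a `---` document marker, which yamllint's own `document-start` rule would report once the defaults apply.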


@ -1,5 +1,5 @@
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/ccchoir/compose.yaml.j2') }}" docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/ccchoir/compose.yaml.j2') }}"
docker_compose__configuration_files: [] docker_compose__configuration_files: [ ]
certbot__version_spec: "" certbot__version_spec: ""
certbot__acme_account_email_address: le-admin@hamburg.ccc.de certbot__acme_account_email_address: le-admin@hamburg.ccc.de


@ -1,5 +1,5 @@
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/pad/compose.yaml.j2') }}" docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/pad/compose.yaml.j2') }}"
docker_compose__configuration_files: [] docker_compose__configuration_files: [ ]
certbot__version_spec: "" certbot__version_spec: ""
certbot__acme_account_email_address: le-admin@hamburg.ccc.de certbot__acme_account_email_address: le-admin@hamburg.ccc.de


@ -1,5 +1,5 @@
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/pretalx/compose.yaml.j2') }}" docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/pretalx/compose.yaml.j2') }}"
docker_compose__configuration_files: [] docker_compose__configuration_files: [ ]
certbot__version_spec: "" certbot__version_spec: ""
certbot__acme_account_email_address: le-admin@hamburg.ccc.de certbot__acme_account_email_address: le-admin@hamburg.ccc.de


@ -1,5 +1,5 @@
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/zammad/compose.yaml.j2') }}" docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/zammad/compose.yaml.j2') }}"
docker_compose__configuration_files: [] docker_compose__configuration_files: [ ]
certbot__version_spec: "" certbot__version_spec: ""
certbot__acme_account_email_address: le-admin@hamburg.ccc.de certbot__acme_account_email_address: le-admin@hamburg.ccc.de


@ -1,10 +1,9 @@
apiVersion: 1 apiVersion: 1
datasources: datasources:
- name: Prometheus - name: Prometheus
type: prometheus type: prometheus
url: http://prometheus:9090 url: http://prometheus:9090
isDefault: true isDefault: true
access: proxy access: proxy
editable: true editable: true


@ -15,21 +15,21 @@ rule_files:
- "/etc/prometheus/rules/*.rules.yaml" - "/etc/prometheus/rules/*.rules.yaml"
scrape_configs: scrape_configs:
- job_name: prometheus - job_name: prometheus
honor_timestamps: true honor_timestamps: true
metrics_path: /metrics metrics_path: /metrics
scheme: http scheme: http
static_configs: static_configs:
- targets: - targets:
- localhost:9090 - localhost:9090
- job_name: alertmanager - job_name: alertmanager
honor_timestamps: true honor_timestamps: true
metrics_path: /metrics metrics_path: /metrics
scheme: http scheme: http
static_configs: static_configs:
- targets: - targets:
- alertmanager:9093 - alertmanager:9093
- job_name: c3lingo - job_name: c3lingo
honor_timestamps: true honor_timestamps: true
scrape_interval: 5s scrape_interval: 5s
scrape_timeout: 1s scrape_timeout: 1s
@ -38,7 +38,7 @@ scrape_configs:
static_configs: static_configs:
- targets: - targets:
- mumble.c3lingo.org:443 - mumble.c3lingo.org:443
- job_name: mumble - job_name: mumble
honor_timestamps: true honor_timestamps: true
scrape_interval: 5s scrape_interval: 5s
scrape_timeout: 1s scrape_timeout: 1s
@ -47,14 +47,14 @@ scrape_configs:
static_configs: static_configs:
- targets: - targets:
- mumble.hamburg.ccc.de:443 - mumble.hamburg.ccc.de:443
- job_name: opnsense-ccchh - job_name: opnsense-ccchh
honor_timestamps: true honor_timestamps: true
metrics_path: /metrics metrics_path: /metrics
scheme: http scheme: http
static_configs: static_configs:
- targets: - targets:
- 185.161.129.132:9100 - 185.161.129.132:9100
- job_name: jitsi - job_name: jitsi
honor_timestamps: true honor_timestamps: true
scrape_interval: 5s scrape_interval: 5s
scrape_timeout: 1s scrape_timeout: 1s
@ -63,23 +63,23 @@ scrape_configs:
static_configs: static_configs:
- targets: - targets:
- jitsi.hamburg.ccc.de:9888 # Jitsi Video Bridge - jitsi.hamburg.ccc.de:9888 # Jitsi Video Bridge
- job_name: 'pve' - job_name: 'pve'
static_configs: static_configs:
- targets: - targets:
- 212.12.48.126 # chaosknoten - 212.12.48.126 # chaosknoten
metrics_path: /pve metrics_path: /pve
params: params:
module: [default] module: [ default ]
cluster: ['1'] cluster: [ '1' ]
node: ['1'] node: [ '1' ]
relabel_configs: relabel_configs:
- source_labels: [__address__] - source_labels: [ __address__ ]
target_label: __param_target target_label: __param_target
- source_labels: [__param_target] - source_labels: [ __param_target ]
target_label: instance target_label: instance
- target_label: __address__ - target_label: __address__
replacement: pve-exporter:9221 replacement: pve-exporter:9221
- job_name: hosts - job_name: hosts
static_configs: static_configs:
# Wieske Chaosknoten VMs # Wieske Chaosknoten VMs
- labels: - labels:


@ -1,7 +1,7 @@
# Links & Resources: # Links & Resources:
# - https://samber.github.io/awesome-prometheus-alerts/rules # - https://samber.github.io/awesome-prometheus-alerts/rules
groups: groups:
- name: node-exporter - name: node-exporter
rules: rules:
- alert: HostOutOfMemory - alert: HostOutOfMemory
expr: (node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes * 100 < 10) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"} expr: (node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes * 100 < 10) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
@ -362,7 +362,7 @@ groups:
annotations: annotations:
summary: Host requires reboot (instance {{ $labels.instance }}) summary: Host requires reboot (instance {{ $labels.instance }})
description: "{{ $labels.instance }} requires a reboot.\n VALUE = {{ $value }}" description: "{{ $labels.instance }} requires a reboot.\n VALUE = {{ $value }}"
- name: prometheus - name: prometheus
rules: rules:
- alert: PrometheusJobMissing - alert: PrometheusJobMissing
expr: absent(up{job="prometheus"}) expr: absent(up{job="prometheus"})


@ -0,0 +1,3 @@
- name: reboot the system
become: true
ansible.builtin.reboot:


@ -9,7 +9,5 @@
ansible.builtin.apt: ansible.builtin.apt:
upgrade: dist upgrade: dist
register: apt_update_and_upgrade__upgrade_result register: apt_update_and_upgrade__upgrade_result
notify:
- name: reboot, after package upgrade - reboot the system
ansible.builtin.reboot:
when: apt_update_and_upgrade__upgrade_result.changed
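Review bot: `register: apt_update_and_upgrade__upgrade_result` on the apt task is kept although its only visible consumer, the removed `when: apt_update_and_upgrade__upgrade_result.changed`, is gone; unless something after this hunk still reads it, the `register:` line is now dead and can be dropped. Moving the reboot into a handler also changes when it happens: handlers run at the end of the play rather than immediately after the upgrade, and are skipped if a later task fails (unless handlers are forced), so any tasks that follow in the same play now execute on the not-yet-rebooted system. If the reboot must precede them, add `- ansible.builtin.meta: flush_handlers` right after the upgrade task. The enclosing task list continues outside the hunk.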


@ -0,0 +1,3 @@
- name: reboot the system
become: true
ansible.builtin.reboot:


@ -7,17 +7,30 @@
ansible.builtin.template: ansible.builtin.template:
force: true force: true
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
mode: 0644 mode: "0644"
owner: root owner: root
group: root group: root
src: sshd_config.j2 src: sshd_config.j2
register: deploy_ssh_server_config__ssh_config_copy_result notify:
# Reboot instead of just restarting the ssh service, since I don't know how Ansible reacts, when it restarts the service it probably needs for the connection.
- reboot the system
- name: deactivate short moduli - name: deactivate short moduli
ansible.builtin.shell: ansible.builtin.shell:
cmd: awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli executable: /bin/bash
cmd: |
set -eo pipefail
# Rebooting here instead of restarting the ssh service, since I don't know how Ansible reacts, when it restarts the service it probably needs for the connection. awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp
- name: reboot, if ssh server config got changed if diff /etc/ssh/moduli /etc/ssh/moduli.tmp; then
ansible.builtin.reboot: rm /etc/ssh/moduli.tmp
when: deploy_ssh_server_config__ssh_config_copy_result.changed else
mv /etc/ssh/moduli.tmp /etc/ssh/moduli
echo "ansible-changed: changed /etc/ssh/moduli"
fi
register: result
changed_when:
- '"ansible-changed" in result.stdout'
notify:
# Reboot instead of just restarting the ssh service, since I don't know how Ansible reacts, when it restarts the service it probably needs for the connection.
- reboot the system
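Review bot: `register: result` on the `deactivate short moduli` task uses a generic name where the rest of this role prefixes variables with the role name (the removed line used `deploy_ssh_server_config__ssh_config_copy_result`); `register: deploy_ssh_server_config__moduli_result` with the matching `changed_when` keeps the namespace consistent and avoids clashing with any other task that registers `result`. The rewrite does make the task idempotent, but it installs whatever awk produced without inspecting it: if the filter leaves an empty file, `mv` replaces `/etc/ssh/moduli` with that empty file. A guard such as `test -s /etc/ssh/moduli.tmp` placed before the `diff` (so `set -e` aborts the task and the original file stays in place) would make such a run fail loudly instead. Whether `become: true` is set on this task is not visible in the hunk.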


@ -4,4 +4,3 @@
user: chaos user: chaos
exclusive: true exclusive: true
key: https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/raw/branch/trunk/authorized_keys key: https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/raw/branch/trunk/authorized_keys


@ -17,4 +17,4 @@ dependencies:
- role: docker_compose - role: docker_compose
vars: vars:
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'compose.yaml.j2') }}" docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'compose.yaml.j2') }}"
docker_compose__configuration_files: [] docker_compose__configuration_files: [ ]


@ -1,5 +1,5 @@
nginx__deploy_redirect_conf: true nginx__deploy_redirect_conf: true
nginx__deploy_tls_conf: true nginx__deploy_tls_conf: true
nginx__configurations: [] nginx__configurations: [ ]
nginx__use_custom_nginx_conf: false nginx__use_custom_nginx_conf: false
nginx__custom_nginx_conf: "" nginx__custom_nginx_conf: ""


@ -7,11 +7,11 @@
when: nginx__use_custom_nginx_conf when: nginx__use_custom_nginx_conf
block: block:
- name: when no `nginx.conf.ansiblesave` is present, save the current `nginx.conf` - name: when no `nginx.conf.ansiblesave` is present, save the current `nginx.conf`
when: nginx__nginx_conf_ansiblesave_stat_result.stat.exists == false when: not nginx__nginx_conf_ansiblesave_stat_result.stat.exists
ansible.builtin.copy: ansible.builtin.copy:
force: true force: true
dest: /etc/nginx/nginx.conf.ansiblesave dest: /etc/nginx/nginx.conf.ansiblesave
mode: 0644 mode: "0644"
owner: root owner: root
group: root group: root
remote_src: true remote_src: true
@ -22,7 +22,7 @@
ansible.builtin.copy: ansible.builtin.copy:
content: "{{ nginx__custom_nginx_conf }}" content: "{{ nginx__custom_nginx_conf }}"
dest: "/etc/nginx/nginx.conf" dest: "/etc/nginx/nginx.conf"
mode: 0644 mode: "0644"
owner: root owner: root
group: root group: root
become: true become: true
@ -36,7 +36,7 @@
ansible.builtin.copy: ansible.builtin.copy:
force: true force: true
dest: /etc/nginx/nginx.conf dest: /etc/nginx/nginx.conf
mode: 0644 mode: "0644"
owner: root owner: root
group: root group: root
remote_src: true remote_src: true
@ -55,7 +55,7 @@
ansible.builtin.get_url: ansible.builtin.get_url:
force: true force: true
dest: /etc/nginx-mozilla-dhparam dest: /etc/nginx-mozilla-dhparam
mode: 0644 mode: "0644"
url: https://ssl-config.mozilla.org/ffdhe2048.txt url: https://ssl-config.mozilla.org/ffdhe2048.txt
become: true become: true
notify: Restart `nginx.service` notify: Restart `nginx.service`
@ -71,7 +71,7 @@
ansible.builtin.copy: ansible.builtin.copy:
force: true force: true
dest: /etc/nginx/conf.d/tls.conf dest: /etc/nginx/conf.d/tls.conf
mode: 0644 mode: "0644"
owner: root owner: root
group: root group: root
src: tls.conf src: tls.conf
@ -89,7 +89,7 @@
ansible.builtin.copy: ansible.builtin.copy:
force: true force: true
dest: /etc/nginx/conf.d/redirect.conf dest: /etc/nginx/conf.d/redirect.conf
mode: 0644 mode: "0644"
owner: root owner: root
group: root group: root
src: redirect.conf src: redirect.conf
@ -104,7 +104,7 @@
ansible.builtin.copy: ansible.builtin.copy:
content: "{{ item.content }}" content: "{{ item.content }}"
dest: "/etc/nginx/conf.d/{{ item.name }}.conf" dest: "/etc/nginx/conf.d/{{ item.name }}.conf"
mode: 0644 mode: "0644"
owner: root owner: root
group: root group: root
become: true become: true
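Review bot: The `get_url` task in the `@ -55,7 +55,7` hunk re-downloads `https://ssl-config.mozilla.org/ffdhe2048.txt` on every run (`force: true`) and installs whatever the server returns as the DH parameters without a `checksum:`. ffdhe2048 is a fixed, published group, so the expected digest is known up front; adding `checksum: "sha256:<digest of ffdhe2048.txt — placeholder, fill in>"` makes the task refuse a tampered or truncated download and also makes it idempotent, since Ansible skips the fetch when the existing file already matches. The `mode: "0644"` quoting across these hunks is the right fix for the octal-literal trap.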