From 93bb0b07420de53f952ea263e718367296fb6559 Mon Sep 17 00:00:00 2001 From: Thomas Maurice Date: Tue, 20 Feb 2024 17:46:29 +0000 Subject: [PATCH] feat(actions): Adds actions & lint (#1) Adds an action to perform some linting actions on ansible and the yaml files, both on push onto master and on pull requests Reviewed-on: https://git.maurice.fr/thomas/polytech-ansible-2023/pulls/1 --- .ansible-lint | 126 ++++++++++++++++++++++++++++ .gitea/workflows/on_pr.yml | 28 +++++++ .gitea/workflows/on_push_master.yml | 30 +++++++ .gitignore | 3 + .yamllint.yml | 41 +++++++++ Makefile | 7 ++ ansible.cfg | 4 - group_vars/all.yml | 3 +- playbooks/base.yml | 3 +- playbooks/docker.yml | 3 +- playbooks/reboot.yml | 9 +- playbooks/upgrade.yml | 22 +++-- requirements.txt | 27 +++++- roles/base/tasks/main.yml | 12 +-- roles/ntp/handlers/main.yml | 2 +- roles/ntp/tasks/main.yml | 8 +- roles/root_user/tasks/main.yml | 10 +-- roles/vim/tasks/main.yml | 7 +- 18 files changed, 306 insertions(+), 39 deletions(-) create mode 100644 .ansible-lint create mode 100644 .gitea/workflows/on_pr.yml create mode 100644 .gitea/workflows/on_push_master.yml create mode 100644 .yamllint.yml diff --git a/.ansible-lint b/.ansible-lint new file mode 100644 index 0000000..7434f60 --- /dev/null +++ b/.ansible-lint @@ -0,0 +1,126 @@ +--- +# .ansible-lint + +profile: null # min, basic, moderate,safety, shared, production + +# Allows dumping of results in SARIF format +# sarif_file: result.sarif + +# exclude_paths included in this file are parsed relative to this file's location +# and not relative to the CWD of execution. CLI arguments passed to the --exclude +# option are parsed relative to the CWD of execution. +exclude_paths: + - .cache/ # implicit unless exclude_paths is defined in config + - test/fixtures/formatting-before/ + - test/fixtures/formatting-prettier/ + - .ansible-lint + - roles/geerlingguy.docker +# parseable: true +# quiet: true +# strict: true +# verbosity: 1 + +# Mock modules or roles in order to pass ansible-playbook --syntax-check +mock_modules: + - zuul_return + # note the foo.bar is invalid as being neither a module or a collection + - fake_namespace.fake_collection.fake_module + - fake_namespace.fake_collection.fake_module.fake_submodule +mock_roles: + - mocked_role + - author.role_name # old standalone galaxy role + - fake_namespace.fake_collection.fake_role # role within a collection + +# Enable checking of loop variable prefixes in roles +loop_var_prefix: "^(__|{role}_)" + +# Enforce variable names to follow pattern below, in addition to Ansible own +# requirements, like avoiding python identifiers. To disable add `var-naming` +# to skip_list. +var_naming_pattern: "^[a-z_][a-z0-9_]*$" + +use_default_rules: true +# Load custom rules from this specific folder +# rulesdir: +# - ./rule/directory/ + +# Ansible-lint is able to recognize and load skip rules stored inside +# `.ansible-lint-ignore` (or `.config/ansible-lint-ignore.txt`) files. +# To skip a rule just enter filename and tag, like "playbook.yml package-latest" +# on a new line. +# Optionally you can add comments after the tag, prefixed by "#". We discourage +# the use of skip_list below because that will hide violations from the output. +# When putting ignores inside the ignore file, they are marked as ignored, but +# still visible, making it easier to address later. +skip_list: + - skip_this_tag + +# Ansible-lint does not automatically load rules that have the 'opt-in' tag. +# You must enable opt-in rules by listing each rule 'id' below. +enable_list: + - args + - empty-string-compare # opt-in + - no-log-password # opt-in + - no-same-owner # opt-in + - name[prefix] # opt-in + # add yaml here if you want to avoid ignoring yaml checks when yamllint + # library is missing. Normally its absence just skips using that rule. + - yaml +# Report only a subset of tags and fully ignore any others +# tags: +# - jinja[spacing] + +# Ansible-lint does not fail on warnings from the rules or tags listed below +warn_list: + - skip_this_tag + - experimental # experimental is included in the implicit list + # - role-name + # - yaml[document-start] # you can also use sub-rule matches + +# Some rules can transform files to fix (or make it easier to fix) identified +# errors. `ansible-lint --fix` will reformat YAML files and run these transforms. +# By default it will run all transforms (effectively `write_list: ["all"]`). +# You can disable running transforms by setting `write_list: ["none"]`. +# Or only enable a subset of rule transforms by listing rules/tags here. +# write_list: +# - all + +# Offline mode disables installation of requirements.yml and schema refreshing +offline: true + +# Define required Ansible's variables to satisfy syntax check +extra_vars: + foo: bar + multiline_string_variable: | + line1 + line2 + complex_variable: ":{;\t$()" + +# Uncomment to enforce action validation with tasks, usually is not +# needed as Ansible syntax check also covers it. +# skip_action_validation: false + +# List of additional kind:pattern to be added at the top of the default +# match list, first match determines the file kind. +kinds: + # - playbook: "**/examples/*.{yml,yaml}" + # - galaxy: "**/folder/galaxy.yml" + # - tasks: "**/tasks/*.yml" + # - vars: "**/vars/*.yml" + # - meta: "**/meta/main.yml" + - yaml: "**/*.yaml-too" + +# List of additional collections to allow in only-builtins rule. +# only_builtins_allow_collections: +# - example_ns.example_collection + +# List of additions modules to allow in only-builtins rule. +# only_builtins_allow_modules: +# - example_module + +# Allow setting custom prefix for name[prefix] rule +task_name_prefix: "{stem} | " +# Complexity related settings + +# Limit the depth of the nested blocks: +# max_block_depth: 20 \ No newline at end of file diff --git a/.gitea/workflows/on_pr.yml b/.gitea/workflows/on_pr.yml new file mode 100644 index 0000000..9424d0c --- /dev/null +++ b/.gitea/workflows/on_pr.yml @@ -0,0 +1,28 @@ +--- +name: "Pull Request: build & lint" +# yamllint disable-line rule:truthy +on: + pull_request: + +jobs: + build: + runs-on: ubuntu-22.04 + steps: + - uses: actions/checkout@v3 + with: + fetch-depth: 0 + - uses: actions/setup-python@v5 + with: + python-version: '3.10.13' + - name: "Creates virtual environment" + run: make venv + - name: Activate virtualenv + run: | + source venv/bin/activate + echo PATH=$PATH >> $GITHUB_ENV + - name: Install galaxy requirements + run: ansible-galaxy install -r requirements.yml + - name: "Run YAML linting" + run: yamllint -c .yamllint.yml . + - name: "Run Ansible linting" + run: ansible-lint diff --git a/.gitea/workflows/on_push_master.yml b/.gitea/workflows/on_push_master.yml new file mode 100644 index 0000000..76fb2f4 --- /dev/null +++ b/.gitea/workflows/on_push_master.yml @@ -0,0 +1,30 @@ +--- +name: "Master branch: build & lint" +# yamllint disable-line rule:truthy +on: + push: + branches: + - master + +jobs: + build: + runs-on: ubuntu-22.04 + steps: + - uses: actions/checkout@v3 + with: + fetch-depth: 0 + - uses: actions/setup-python@v5 + with: + python-version: '3.10.13' + - name: "Creates virtual environment" + run: make venv + - name: Activate virtualenv + run: | + source venv/bin/activate + echo PATH=$PATH >> $GITHUB_ENV + - name: Install galaxy requirements + run: ansible-galaxy install -r requirements.yml + - name: "Run YAML linting" + run: yamllint -c .yamllint.yml . + - name: "Run Ansible linting" + run: ansible-lint diff --git a/.gitignore b/.gitignore index 1bc1426..d875a55 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,6 @@ bin *.crt *.pem synapse-data +geerlingguy.docker +geerlingguy.certbot +venv diff --git a/.yamllint.yml b/.yamllint.yml new file mode 100644 index 0000000..ae15d5f --- /dev/null +++ b/.yamllint.yml @@ -0,0 +1,41 @@ +--- +yaml-files: + - '*.yaml' + - '*.yml' + - '.yamllint' + +ignore: + - venv + - geerlingguy.docker + - geerlingguy.certbot + +rules: + anchors: enable + braces: enable + brackets: enable + colons: enable + commas: enable + comments: + level: warning + comments-indentation: + level: warning + document-end: disable + document-start: + level: warning + empty-lines: enable + empty-values: disable + float-values: disable + hyphens: enable + indentation: enable + key-duplicates: enable + key-ordering: disable + line-length: + max: 160 + level: warning + new-line-at-end-of-file: enable + new-lines: enable + octal-values: disable + quoted-strings: disable + trailing-spaces: enable + truthy: + level: warning diff --git a/Makefile b/Makefile index 92b9595..9227d03 100644 --- a/Makefile +++ b/Makefile @@ -1,2 +1,9 @@ +venv: + if ! [ -d venv ]; then python3 -m venv venv; fi; + ./venv/bin/pip install -r requirements.txt + install: ansible-galaxy install -r requirements.yml + +action: + act -W .gitea/workflows/on_pr.yml \ No newline at end of file diff --git a/ansible.cfg b/ansible.cfg index 865284a..e031fc6 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -2,11 +2,7 @@ remote_user = root remote_port = 22 host_key_checking = False -#hash_behaviour = merge pipelining=True -fact_path = facts.d -gathering = implicit -gather_subset = all inject_facts_as_vars = True roles_path = roles inventory = inventory.ini diff --git a/group_vars/all.yml b/group_vars/all.yml index 9947b69..ac2fc20 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -1,6 +1,7 @@ --- # Standard variables -os: "{{ ansible_system|lower }}" +os: "{{ ansible_system | lower }}" +# yamllint disable-line rule:line-length arch: "{% if ansible_architecture == 'aarch64' %}arm64{% elif ansible_architecture == 'amd64' or ansible_architecture == 'x86_64' %}amd64{% elif ansible_architecture == 'armhf' %}armhf{% else %}{{ ansible_architecture }}{% endif %}" # Docker stuff diff --git a/playbooks/base.yml b/playbooks/base.yml index bf23827..643462a 100644 --- a/playbooks/base.yml +++ b/playbooks/base.yml @@ -1,5 +1,6 @@ --- -- hosts: all +- name: "Install the base playbook" + hosts: all roles: - role: root_user tags: root_user diff --git a/playbooks/docker.yml b/playbooks/docker.yml index debda70..116a9e8 100644 --- a/playbooks/docker.yml +++ b/playbooks/docker.yml @@ -1,4 +1,5 @@ --- -- hosts: all +- name: "Install docker" + hosts: all roles: - geerlingguy.docker diff --git a/playbooks/reboot.yml b/playbooks/reboot.yml index bd59e96..6e77292 100644 --- a/playbooks/reboot.yml +++ b/playbooks/reboot.yml @@ -1,6 +1,7 @@ --- -- hosts: all +- name: "Reboot hosts" + hosts: all tasks: - - name: Reboot - reboot: - reboot_timeout: 3600 \ No newline at end of file + - name: Reboot + ansible.builtin.reboot: + reboot_timeout: 3600 diff --git a/playbooks/upgrade.yml b/playbooks/upgrade.yml index f3414ab..3bb01fa 100644 --- a/playbooks/upgrade.yml +++ b/playbooks/upgrade.yml @@ -1,9 +1,17 @@ --- -- hosts: all +- name: "Upgrade hosts" + hosts: all tasks: - - name: "update apt cache" - apt: update_cache=yes force_apt_get=yes cache_valid_time=3600 - - name: "upgrade packages" - apt: upgrade=safe force_apt_get=yes - - name: "upgrade dist packages" - apt: upgrade=dist force_apt_get=yes + - name: "Run update apt cache" + ansible.builtin.apt: + update_cache: true + force_apt_get: true + cache_valid_time: 3600 + - name: "Run upgrade packages" + ansible.builtin.apt: + upgrade: safe + force_apt_get: true + - name: "Run upgrade dist packages" + ansible.builtin.apt: + upgrade: dist + force_apt_get: true diff --git a/requirements.txt b/requirements.txt index 0d48dfc..6fe9594 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,10 +1,33 @@ -ansible==7.1.0 -ansible-core==2.14.1 +ansible==9.2.0 +ansible-compat==4.1.11 +ansible-core==2.16.3 +ansible-lint==24.2.0 +attrs==23.2.0 +black==24.2.0 +bracex==2.4 cffi==1.15.1 +click==8.1.7 cryptography==39.0.0 +filelock==3.13.1 Jinja2==3.1.2 +jsonschema==4.21.1 +jsonschema-specifications==2023.12.1 +markdown-it-py==3.0.0 MarkupSafe==2.1.1 +mdurl==0.1.2 +mypy-extensions==1.0.0 packaging==23.0 +pathspec==0.12.1 +platformdirs==4.2.0 pycparser==2.21 +Pygments==2.17.2 PyYAML==6.0 +referencing==0.33.0 resolvelib==0.8.1 +rich==13.7.0 +rpds-py==0.18.0 +ruamel.yaml==0.18.6 +ruamel.yaml.clib==0.2.8 +subprocess-tee==0.4.1 +wcmatch==8.5 +yamllint==1.35.1 diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 0adeb9c..4418e83 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -13,7 +13,7 @@ # the packages you want to install just as you would pass them # to `apt install`. - name: "Install wanted packages" - apt: + ansible.builtin.apt: name: - apt-transport-https - arptables @@ -70,7 +70,7 @@ - zip # state: latest will update the package everytime the # role is ran against a host - state: latest + state: present # Update the cache before trying to update ? # You generally want this because it's not updating itself update_cache: true @@ -82,7 +82,7 @@ until: apt_res is success # Same as above, except you *remove* packages instead of installing them - name: "Remove unanted packages" - apt: + ansible.builtin.apt: name: - ntpdate # note the value of `state` here @@ -91,7 +91,7 @@ # that is golbally available. It will map to the hostname you # assigned your host in the `inventory` file - name: "Hard set hostname" - template: + ansible.builtin.template: src: hostname.j2 dest: /etc/hostname owner: root @@ -101,14 +101,14 @@ # more info https://docs.ansible.com/ansible/latest/collections/ansible/builtin/file_module.html#parameter-mode mode: "0644" - name: "Setup motd" - template: + ansible.builtin.template: src: motd.j2 dest: /etc/motd owner: root group: root mode: "0644" - name: "Setup hosts" - template: + ansible.builtin.template: src: hosts.j2 dest: /etc/hosts owner: root diff --git a/roles/ntp/handlers/main.yml b/roles/ntp/handlers/main.yml index 7bddadd..ec5d7f2 100644 --- a/roles/ntp/handlers/main.yml +++ b/roles/ntp/handlers/main.yml @@ -3,6 +3,6 @@ # in this example you want to invoke this restart handler when the # configuration of the service changes for example. - name: "Restart ntp" - service: + ansible.builtin.service: name: ntp state: restarted diff --git a/roles/ntp/tasks/main.yml b/roles/ntp/tasks/main.yml index 205077b..ea74084 100644 --- a/roles/ntp/tasks/main.yml +++ b/roles/ntp/tasks/main.yml @@ -1,10 +1,10 @@ --- - name: "Install ntp" - apt: + ansible.builtin.apt: name: ntp state: present - name: "Configure ntp" - copy: + ansible.builtin.copy: src: ntp.conf dest: /etc/ntp.conf owner: root @@ -17,8 +17,8 @@ notify: "Restart ntp" # Here you say that you want the NTP service to be restarted as well # as enabled on boot. -- name: "ntp service" - service: +- name: "NTP service" + ansible.builtin.service: name: ntp state: restarted enabled: true diff --git a/roles/root_user/tasks/main.yml b/roles/root_user/tasks/main.yml index 4d91c30..0a13d24 100644 --- a/roles/root_user/tasks/main.yml +++ b/roles/root_user/tasks/main.yml @@ -1,14 +1,14 @@ --- # Ensures the .ssh directory exists -- name: "creates the .ssh root directory" - file: +- name: "Creates the .ssh root directory" + ansible.builtin.file: path: "/root/.ssh" state: directory owner: root group: root mode: 0700 - name: "Install root SSH keys" - template: + ansible.builtin.template: src: authorized_keys.j2 dest: /root/.ssh/authorized_keys owner: root @@ -17,8 +17,8 @@ # Delete users you don't need # respectively you can also *add* users # https://docs.ansible.com/ansible/latest/collections/ansible/builtin/user_module.html#ansible-collections-ansible-builtin-user-module -- name: "Delete usual cloud users user" - user: +- name: "Delete usual cloud users user" # noqa: loop-var-prefix + ansible.builtin.user: name: "{{ item }}" state: absent remove: true diff --git a/roles/vim/tasks/main.yml b/roles/vim/tasks/main.yml index 5cdccff..cb18ee1 100644 --- a/roles/vim/tasks/main.yml +++ b/roles/vim/tasks/main.yml @@ -1,12 +1,13 @@ --- - name: Install vim - apt: + ansible.builtin.apt: name: vim-nox - state: latest + state: present # use the `copy` module to copy files to the remote host - name: Configure vim - copy: + ansible.builtin.copy: src: vimrc dest: /etc/vim/vimrc owner: root group: root + mode: "0650"