.ansible-lint

@@ -0,0 +1,126 @@
+---
+# .ansible-lint
+
+profile: null   # min, basic, moderate,safety, shared, production
+
+# Allows dumping of results in SARIF format
+# sarif_file: result.sarif
+
+# exclude_paths included in this file are parsed relative to this file's location
+# and not relative to the CWD of execution. CLI arguments passed to the --exclude
+# option are parsed relative to the CWD of execution.
+exclude_paths:
+  - .cache/ # implicit unless exclude_paths is defined in config
+  - test/fixtures/formatting-before/
+  - test/fixtures/formatting-prettier/
+  - .ansible-lint
+  - roles/geerlingguy.docker
+# parseable: true
+# quiet: true
+# strict: true
+# verbosity: 1
+
+# Mock modules or roles in order to pass ansible-playbook --syntax-check
+mock_modules:
+  - zuul_return
+  # note the foo.bar is invalid as being neither a module or a collection
+  - fake_namespace.fake_collection.fake_module
+  - fake_namespace.fake_collection.fake_module.fake_submodule
+mock_roles:
+  - mocked_role
+  - author.role_name # old standalone galaxy role
+  - fake_namespace.fake_collection.fake_role # role within a collection
+
+# Enable checking of loop variable prefixes in roles
+loop_var_prefix: "^(__|{role}_)"
+
+# Enforce variable names to follow pattern below, in addition to Ansible own
+# requirements, like avoiding python identifiers. To disable add `var-naming`
+# to skip_list.
+var_naming_pattern: "^[a-z_][a-z0-9_]*$"
+
+use_default_rules: true
+# Load custom rules from this specific folder
+# rulesdir:
+#   - ./rule/directory/
+
+# Ansible-lint is able to recognize and load skip rules stored inside
+# `.ansible-lint-ignore` (or `.config/ansible-lint-ignore.txt`) files.
+# To skip a rule just enter filename and tag, like "playbook.yml package-latest"
+# on a new line.
+# Optionally you can add comments after the tag, prefixed by "#". We discourage
+# the use of skip_list below because that will hide violations from the output.
+# When putting ignores inside the ignore file, they are marked as ignored, but
+# still visible, making it easier to address later.
+skip_list:
+  - skip_this_tag
+
+# Ansible-lint does not automatically load rules that have the 'opt-in' tag.
+# You must enable opt-in rules by listing each rule 'id' below.
+enable_list:
+  - args
+  - empty-string-compare # opt-in
+  - no-log-password # opt-in
+  - no-same-owner # opt-in
+  - name[prefix] # opt-in
+  # add yaml here if you want to avoid ignoring yaml checks when yamllint
+  # library is missing. Normally its absence just skips using that rule.
+  - yaml
+# Report only a subset of tags and fully ignore any others
+# tags:
+#   - jinja[spacing]
+
+# Ansible-lint does not fail on warnings from the rules or tags listed below
+warn_list:
+  - skip_this_tag
+  - experimental # experimental is included in the implicit list
+  # - role-name
+  # - yaml[document-start]  # you can also use sub-rule matches
+
+# Some rules can transform files to fix (or make it easier to fix) identified
+# errors. `ansible-lint --fix` will reformat YAML files and run these transforms.
+# By default it will run all transforms (effectively `write_list: ["all"]`).
+# You can disable running transforms by setting `write_list: ["none"]`.
+# Or only enable a subset of rule transforms by listing rules/tags here.
+# write_list:
+#   - all
+
+# Offline mode disables installation of requirements.yml and schema refreshing
+offline: true
+
+# Define required Ansible's variables to satisfy syntax check
+extra_vars:
+  foo: bar
+  multiline_string_variable: |
+    line1
+    line2
+  complex_variable: ":{;\t$()"
+
+# Uncomment to enforce action validation with tasks, usually is not
+# needed as Ansible syntax check also covers it.
+# skip_action_validation: false
+
+# List of additional kind:pattern to be added at the top of the default
+# match list, first match determines the file kind.
+kinds:
+  # - playbook: "**/examples/*.{yml,yaml}"
+  # - galaxy: "**/folder/galaxy.yml"
+  # - tasks: "**/tasks/*.yml"
+  # - vars: "**/vars/*.yml"
+  # - meta: "**/meta/main.yml"
+  - yaml: "**/*.yaml-too"
+
+# List of additional collections to allow in only-builtins rule.
+# only_builtins_allow_collections:
+#   - example_ns.example_collection
+
+# List of additions modules to allow in only-builtins rule.
+# only_builtins_allow_modules:
+#   - example_module
+
+# Allow setting custom prefix for name[prefix] rule
+task_name_prefix: "{stem} | "
+# Complexity related settings
+
+# Limit the depth of the nested blocks:
+# max_block_depth: 20

.gitea/workflows/on_pr.yml

@@ -0,0 +1,28 @@
+---
+name: "Pull Request: build & lint"
+# yamllint disable-line rule:truthy
+on:
+  pull_request:
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.10.13'
+      - name: "Creates virtual environment"
+        run: make venv
+      - name: Activate virtualenv
+        run: |
+          source venv/bin/activate
+          echo PATH=$PATH >> $GITHUB_ENV
+      - name: Install galaxy requirements
+        run: ansible-galaxy install -r requirements.yml
+      - name: "Run YAML linting"
+        run: yamllint -c .yamllint.yml .
+      - name: "Run Ansible linting"
+        run: ansible-lint

.gitea/workflows/on_push_master.yml

@@ -0,0 +1,30 @@
+---
+name: "Master branch: build & lint"
+# yamllint disable-line rule:truthy
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.10.13'
+      - name: "Creates virtual environment"
+        run: make venv
+      - name: Activate virtualenv
+        run: |
+          source venv/bin/activate
+          echo PATH=$PATH >> $GITHUB_ENV
+      - name: Install galaxy requirements
+        run: ansible-galaxy install -r requirements.yml
+      - name: "Run YAML linting"
+        run: yamllint -c .yamllint.yml .
+      - name: "Run Ansible linting"
+        run: ansible-lint

.gitignore

@@ -3,3 +3,6 @@ bin
 *.crt
 *.pem
 synapse-data
+geerlingguy.docker
+geerlingguy.certbot
+venv

.yamllint.yml

@@ -0,0 +1,41 @@
+---
+yaml-files:
+  - '*.yaml'
+  - '*.yml'
+  - '.yamllint'
+
+ignore:
+  - venv
+  - geerlingguy.docker
+  - geerlingguy.certbot
+
+rules:
+  anchors: enable
+  braces: enable
+  brackets: enable
+  colons: enable
+  commas: enable
+  comments:
+    level: warning
+  comments-indentation:
+    level: warning
+  document-end: disable
+  document-start:
+    level: warning
+  empty-lines: enable
+  empty-values: disable
+  float-values: disable
+  hyphens: enable
+  indentation: enable
+  key-duplicates: enable
+  key-ordering: disable
+  line-length:
+    max: 160
+    level: warning
+  new-line-at-end-of-file: enable
+  new-lines: enable
+  octal-values: disable
+  quoted-strings: disable
+  trailing-spaces: enable
+  truthy:
+    level: warning

Makefile

@@ -1,2 +1,9 @@
+venv:
+	if ! [ -d venv ]; then python3 -m venv venv; fi;
+	./venv/bin/pip install -r requirements.txt
+
 install:
 	ansible-galaxy install -r requirements.yml
+
+action:
+	act -W .gitea/workflows/on_pr.yml

ansible.cfg

@@ -2,11 +2,7 @@
 remote_user = root
 remote_port = 22
 host_key_checking = False
-#hash_behaviour = merge
 pipelining=True
-fact_path = facts.d
-gathering = implicit
-gather_subset = all
 inject_facts_as_vars = True
 roles_path = roles
 inventory = inventory.ini

group_vars/all.yml

@@ -1,6 +1,7 @@
 ---
 # Standard variables
-os: "{{ ansible_system|lower }}"
+os: "{{ ansible_system | lower }}"
+# yamllint disable-line rule:line-length
 arch: "{% if ansible_architecture == 'aarch64' %}arm64{% elif ansible_architecture == 'amd64' or ansible_architecture == 'x86_64' %}amd64{% elif ansible_architecture == 'armhf' %}armhf{% else %}{{ ansible_architecture }}{% endif %}"
 
 # Docker stuff

playbooks/base.yml

@@ -1,5 +1,6 @@
 ---
-- hosts: all
+- name: "Install the base playbook"
+  hosts: all
   roles:
     - role: root_user
       tags: root_user

playbooks/docker.yml

@@ -1,4 +1,5 @@
 ---
-- hosts: all
+- name: "Install docker"
+  hosts: all
   roles:
     - geerlingguy.docker

playbooks/reboot.yml

@@ -1,6 +1,7 @@
 ---
-- hosts: all
+- name: "Reboot hosts"
+  hosts: all
   tasks:
     - name: Reboot
-    reboot:
+      ansible.builtin.reboot:
         reboot_timeout: 3600

playbooks/upgrade.yml

@@ -1,9 +1,17 @@
 ---
-- hosts: all
+- name: "Upgrade hosts"
+  hosts: all
   tasks:
-  - name: "update apt cache"
-    apt: update_cache=yes force_apt_get=yes cache_valid_time=3600
-  - name: "upgrade packages"
-    apt: upgrade=safe force_apt_get=yes
-  - name: "upgrade dist packages"
-    apt: upgrade=dist force_apt_get=yes
+    - name: "Run update apt cache"
+      ansible.builtin.apt:
+        update_cache: true
+        force_apt_get: true
+        cache_valid_time: 3600
+    - name: "Run upgrade packages"
+      ansible.builtin.apt:
+        upgrade: safe
+        force_apt_get: true
+    - name: "Run upgrade dist packages"
+      ansible.builtin.apt:
+        upgrade: dist
+        force_apt_get: true

requirements.txt

@@ -1,10 +1,33 @@
-ansible==7.1.0
-ansible-core==2.14.1
+ansible==9.2.0
+ansible-compat==4.1.11
+ansible-core==2.16.3
+ansible-lint==24.2.0
+attrs==23.2.0
+black==24.2.0
+bracex==2.4
 cffi==1.15.1
+click==8.1.7
 cryptography==39.0.0
+filelock==3.13.1
 Jinja2==3.1.2
+jsonschema==4.21.1
+jsonschema-specifications==2023.12.1
+markdown-it-py==3.0.0
 MarkupSafe==2.1.1
+mdurl==0.1.2
+mypy-extensions==1.0.0
 packaging==23.0
+pathspec==0.12.1
+platformdirs==4.2.0
 pycparser==2.21
+Pygments==2.17.2
 PyYAML==6.0
+referencing==0.33.0
 resolvelib==0.8.1
+rich==13.7.0
+rpds-py==0.18.0
+ruamel.yaml==0.18.6
+ruamel.yaml.clib==0.2.8
+subprocess-tee==0.4.1
+wcmatch==8.5
+yamllint==1.35.1

roles/base/tasks/main.yml

@@ -13,7 +13,7 @@
 # the packages you want to install just as you would pass them
 # to `apt install`.
 - name: "Install wanted packages"
-  apt:
+  ansible.builtin.apt:
     name:
       - apt-transport-https
       - arptables
@@ -70,7 +70,7 @@
       - zip
     # state: latest will update the package everytime the
     # role is ran against a host
-    state: latest
+    state: present
     # Update the cache before trying to update ?
     # You generally want this because it's not updating itself
     update_cache: true
@@ -82,7 +82,7 @@
   until: apt_res is success
 # Same as above, except you *remove* packages instead of installing them
 - name: "Remove unanted packages"
-  apt:
+  ansible.builtin.apt:
     name:
       - ntpdate
     # note the value of `state` here
@@ -91,7 +91,7 @@
 # that is golbally available. It will map to the hostname you
 # assigned your host in the `inventory` file
 - name: "Hard set hostname"
-  template:
+  ansible.builtin.template:
     src: hostname.j2
     dest: /etc/hostname
     owner: root
@@ -101,14 +101,14 @@
     # more info https://docs.ansible.com/ansible/latest/collections/ansible/builtin/file_module.html#parameter-mode
     mode: "0644"
 - name: "Setup motd"
-  template:
+  ansible.builtin.template:
     src: motd.j2
     dest: /etc/motd
     owner: root
     group: root
     mode: "0644"
 - name: "Setup hosts"
-  template:
+  ansible.builtin.template:
     src: hosts.j2
     dest: /etc/hosts
     owner: root

roles/ntp/handlers/main.yml

@@ -3,6 +3,6 @@
 # in this example you want to invoke this restart handler when the
 # configuration of the service changes for example.
 - name: "Restart ntp"
-  service:
+  ansible.builtin.service:
     name: ntp
     state: restarted

roles/ntp/tasks/main.yml

@@ -1,10 +1,10 @@
 ---
 - name: "Install ntp"
-  apt:
+  ansible.builtin.apt:
     name: ntp
     state: present
 - name: "Configure ntp"
-  copy:
+  ansible.builtin.copy:
     src: ntp.conf
     dest: /etc/ntp.conf
     owner: root
@@ -17,8 +17,8 @@
   notify: "Restart ntp"
 # Here you say that you want the NTP service to be restarted as well
 # as enabled on boot.
-- name: "ntp service"
-  service:
+- name: "NTP service"
+  ansible.builtin.service:
     name: ntp
     state: restarted
     enabled: true

roles/root_user/tasks/main.yml

@@ -1,14 +1,14 @@
 ---
 # Ensures the .ssh directory exists
-- name: "creates the .ssh root directory"
-  file:
+- name: "Creates the .ssh root directory"
+  ansible.builtin.file:
     path: "/root/.ssh"
     state: directory
     owner: root
     group: root
     mode: 0700
 - name: "Install root SSH keys"
-  template:
+  ansible.builtin.template:
     src: authorized_keys.j2
     dest: /root/.ssh/authorized_keys
     owner: root
@@ -17,8 +17,8 @@
 # Delete users you don't need
 # respectively you can also *add* users
 # https://docs.ansible.com/ansible/latest/collections/ansible/builtin/user_module.html#ansible-collections-ansible-builtin-user-module
-- name: "Delete usual cloud users user"
-  user:
+- name: "Delete usual cloud users user"  # noqa: loop-var-prefix
+  ansible.builtin.user:
     name: "{{ item }}"
     state: absent
     remove: true

roles/vim/tasks/main.yml

@@ -1,12 +1,13 @@
 ---
 - name: Install vim
-  apt:
+  ansible.builtin.apt:
     name: vim-nox
-    state: latest
+    state: present
 # use the `copy` module to copy files to the remote host
 - name: Configure vim
-  copy:
+  ansible.builtin.copy:
     src: vimrc
     dest: /etc/vim/vimrc
     owner: root
     group: root
+    mode: "0650"