Merge pull request #13 from punktDe/molecule

Add CI/CD, fix linting errors

.ansible-lint

@@ -0,0 +1,11 @@
+---
+skip_list:
+  - 'risky-shell-pipe'
+  - 'role-name'
+  - var-naming[no-reserved]
+
+warn_list:
+  - package-latest
+  - unnamed-task
+  - command-instead-of-shell
+  - no-handler

.github/workflows/test.yml

@@ -0,0 +1,47 @@
+---
+name: Test
+run-name: Run molecule tests on the role
+on:
+  push:
+  workflow_dispatch:
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.x'
+
+      - name: Install dependencies.
+        run: pip install yamllint ansible-lint ansible
+
+      - name: Run ansible-lint
+        run: "ansible-lint"
+
+  molecule:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.x'
+
+      - name: Install dependencies.
+        run: |
+          python -m pip install --upgrade pip
+          pip install ansible docker molecule molecule-plugins
+          sudo apt install rsync
+
+      - name: Install Galaxy dependencies.
+        run: ansible-galaxy collection install community.general ansible.posix
+
+      - name: Run molecule
+        run: "molecule test"

.pre-commit-config.yaml

@@ -0,0 +1,6 @@
+---
+repos:
+  - repo: https://github.com/ansible/ansible-lint.git
+    rev: v6.17.2
+    hooks:
+      - id: ansible-lint

.yamllint

@@ -0,0 +1,33 @@
+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  colons:
+    max-spaces-after: -1
+    level: error
+  commas:
+    max-spaces-after: -1
+    level: error
+  comments: disable
+  comments-indentation: disable
+  document-start: disable
+  empty-lines:
+    max: 3
+    level: error
+  hyphens:
+    level: error
+  indentation: disable
+  key-duplicates: enable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  new-lines:
+    type: unix
+  trailing-spaces: disable
+  truthy: disable

defaults/main.yaml

@@ -44,7 +44,7 @@ system:
   timezone:
   netplan: {}
   ufw:
-    reset: "{{ system_ufw_reset|bool }}"
+    reset: "{{ system_ufw_reset | bool }}"
     state:
     policy:
     rules: {}
@@ -77,5 +77,5 @@ system:
       | |_) | | | (_) |__) |  __/ |   \ V /  __/ |
       | .__/|_|  \___/____/ \___|_|    \_/ \___|_|
       |_|
-    details: "{{ (((dehydrated|default({})).domains|default({})).keys()|list + ((dehydrated|default({})).domains|default({})).values()|list|sum(start=[]))|reject('eq', inventory_hostname)|reject('eq', ansible_nodename)|system_motd_sort_fqdns }}"
+    details: "{{ (((dehydrated | default({})).domains | default({})).keys() | list + ((dehydrated | default({})).domains | default({})).values() | list | sum(start=[])) | reject('eq', inventory_hostname) | reject('eq', ansible_nodename) | system_motd_sort_fqdns }}"
 system_ufw_reset: no

handlers/main.yaml

@@ -1,4 +1,4 @@
 - name: Restart Postfix
-  service:
+  ansible.builtin.service:
     name: postfix
     state: restarted

meta/main.yml

@@ -0,0 +1,8 @@
+---
+galaxy_info:
+  author: "Punkt.de"
+  license: ""
+  description: "System role for Proserver"
+  role_name: "proserver_system"
+  namespace: "punktde"
+  min_ansible_version: "2.15"

molecule/default/converge.yml

@@ -0,0 +1,7 @@
+---
+- name: Converge
+  hosts: all
+  tasks:
+    - name: "Include ansible-proserver-system"
+      ansible.builtin.include_role:
+        name: "ansible-proserver-system"

molecule/default/molecule.yml

@@ -0,0 +1,27 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: geerlingguy/docker-ubuntu2204-ansible
+    command: /lib/systemd/systemd
+    pre_build_image: true
+    privileged: true
+    cgroupns_mode: host
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+provisioner:
+  name: ansible
+  playbooks:
+    converge: ${MOLECULE_PLAYBOOK:-converge.yml}
+verifier:
+  name: ansible
+scenario:
+  name: default
+  test_sequence:
+    - destroy
+    - create
+    - converge
+    - verify

molecule/default/verify.yml

@@ -0,0 +1,10 @@
+---
+# This is an example playbook to execute Ansible tests.
+
+- name: Verify
+  hosts: all
+  gather_facts: false
+  tasks:
+    - name: Example assertion
+      ansible.builtin.assert:
+        that: true

tasks/apt.yaml

@@ -1,42 +1,43 @@
 - name: Install GPG on Ubuntu
-  apt:
+  ansible.builtin.package:
     name: gpg
-  when: ansible_distribution == 'Ubuntu'
 
 - name: Remove legacy NodeSource repository
-  file:
+  ansible.builtin.file:
     path: /etc/apt/sources.list.d/deb_nodesource_com_node_14_x.list
     state: absent
   when: nodejs.version is defined
 
 - name: Add NodeSource package signing key
-  apt_key:
+  ansible.builtin.apt_key:
     id: 9FD3B784BC1C6FC31A8A0A1C1655A0AB68576280
     url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key
     keyring: /usr/share/keyrings/nodesource.gpg
   when: nodejs.version is defined
 
 - name: Add NodeSource repository
-  copy:
+  ansible.builtin.copy:
     content: "deb [signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_{{ nodejs.version }}.x {{ ansible_distribution_release }} main"
     dest: /etc/apt/sources.list.d/nodesource.list
+    mode: "0644"
+    owner: root
   when: nodejs.version is defined
 
 - name: Update apt cache and remove unneeded packages
-  apt:
+  ansible.builtin.apt:
     update_cache: yes
     autoremove: yes
   changed_when: false
 
 - name: Configure apt proxy
   when: system.apt.proxy
-  loop:
-    - /etc/apt/apt.conf.d/proxy.conf
-  copy:
+  ansible.builtin.copy:
+    owner: root
+    mode: "0644"
     content: |
       Acquire::http::Proxy "{{ system.apt.proxy }}";
-    dest: "{{ item }}"
+    dest: "/etc/apt/apt.conf.d/proxy.conf"
 
 - name: Install apt packages
-  apt:
-    name: "{{ system.apt.packages.items()|selectattr('1', 'eq', true)|map(attribute='0')|list }}"
+  ansible.builtin.apt:
+    name: "{{ system.apt.packages.items() | selectattr('1', 'eq', true) | map(attribute='0') | list }}"

tasks/authorized_keys.yaml

@@ -25,7 +25,7 @@
   loop: "{{ user_authorized_keys }}"
   loop_control:
     label: '{{ item.user }} public_keys="{{ item.key }}"'
-  ansible.builtin.authorized_key:
+  ansible.posix.authorized_key:
     user: "{{ item.user }}"
     key: "{{ item.key }}"
     exclusive: "{{ system.features.authorized_keys_delete | default(False) }}"

tasks/environment.yaml

@@ -1,11 +1,11 @@
 - name: Set global environment variables
-  loop: "{{ system.environment|dict2items }}"
+  loop: "{{ system.environment | dict2items }}"
   loop_control:
-    label: "{{ path }} {{ item.key }}={% if item.value is not none %}{{ item.value|quote }}{% endif %}"
+    label: "{{ path }} {{ item.key }}={% if item.value is not none %}{{ item.value | quote }}{% endif %}"
   vars:
     path: /etc/environment
-  lineinfile:
+  ansible.builtin.lineinfile:
     path: "{{ path }}"
-    regexp: "^{{ item.key|regex_escape }}="
-    line: "{{ item.key }}={{ item.value|quote }}"
+    regexp: "^{{ item.key | regex_escape }}="
+    line: "{{ item.key }}={{ item.value | quote }}"
     state: "{{ 'absent' if item.value is none else 'present' }}"

tasks/hostname.yaml

@@ -1,4 +1,4 @@
 - name: Set hostname
   when: system.hostname
-  hostname:
+  ansible.builtin.hostname:
     name: "{{ system.hostname }}"

tasks/hosts.yaml

@@ -1,10 +1,10 @@
 - name: Update hosts file
   vars:
-    hosts: "{{ system.hosts.values()|select('string')|reject('eq', '')|list }}"
+    hosts: "{{ system.hosts.values() | select('string') | reject('eq', '') | list }}"
   loop:
     - /etc/hosts
-  blockinfile:
+  ansible.builtin.blockinfile:
     path: "{{ item }}"
-    block: "{{ hosts|join('\n') }}"
+    block: "{{ hosts | join('\n') }}"
     marker: "# {mark} ANSIBLE MANAGED BLOCK (system)"
-    state: "{{ 'present' if hosts|length > 0 else 'absent' }}"
+    state: "{{ 'present' if hosts | length > 0 else 'absent' }}"

tasks/main.yaml

@@ -1,32 +1,47 @@
-- import_tasks: proserver_fact.yaml
+- ansible.builtin.include_tasks: proserver_fact.yaml
   when: system.features.proserver_fact
-- import_tasks: hostname.yaml
+
+- ansible.builtin.include_tasks: hostname.yaml
   when: system.features.hostname
-- import_tasks: timezone.yaml
+
+- ansible.builtin.include_tasks: timezone.yaml
   when: system.features.timezone
-- import_tasks: netplan.yaml
+
+- ansible.builtin.include_tasks: netplan.yaml
   when: system.features.netplan
-- import_tasks: systemd_resolved.yaml
+
+- ansible.builtin.include_tasks: systemd_resolved.yaml
   when: system.features.systemd_resolved
-- import_tasks: apt.yaml
+
+- ansible.builtin.include_tasks: apt.yaml
   when: system.features.apt
-- import_tasks: ufw.yaml
+
+- ansible.builtin.include_tasks: ufw.yaml
   when: system.features.ufw
-- import_tasks: sysctl.yaml
+
+- ansible.builtin.include_tasks: sysctl.yaml
   when: system.features.sysctl
-- import_tasks: hosts.yaml
+
+- ansible.builtin.include_tasks: hosts.yaml
   when: system.features.hosts
-- import_tasks: environment.yaml
+
+- ansible.builtin.include_tasks: environment.yaml
   when: system.features.environment
-- import_tasks: proserver_user.yaml
+
+- ansible.builtin.include_tasks: proserver_user.yaml
   when: system.features.proserver_user
-- import_tasks: postfix.yaml
+
+- ansible.builtin.include_tasks: postfix.yaml
   when: system.features.postfix
-- import_tasks: users.yaml
+
+- ansible.builtin.include_tasks: users.yaml
   when: system.features.users
-- import_tasks: sudoers.yaml
+
+- ansible.builtin.include_tasks: sudoers.yaml
   when: system.features.sudoers
-- import_tasks: authorized_keys.yaml
+
+- ansible.builtin.include_tasks: authorized_keys.yaml
   when: system.features.authorized_keys
-- import_tasks: motd.yaml
+
+- ansible.builtin.include_tasks: motd.yaml
   when: system.features.motd

tasks/motd.yaml

@@ -1,16 +1,15 @@
 - name: Get current OS version
   when: ansible_system == 'FreeBSD'
   check_mode: no
-  shell: |
-    uname -v | sed -e 's,^\([^#]*\) #\(.* [1-2][0-9][0-9][0-9]\).*/\([^\]*\) $,\1 (\3) #\2,'
+  ansible.builtin.shell:
+    cmd: >-
+      uname -v | sed -e 's,^\([^#]*\) #\(.* [1-2][0-9][0-9][0-9]\).*/\([^\]*\) $,\1 (\3) #\2,'
   register: system_motd_uname_shell_result
   changed_when: no
 
 - name: Template Message of the Day
-  loop:
-    - /etc/motd
-  loop_control:
-    label: "{{ item }}"
-  template:
+  ansible.builtin.template:
+    owner: root
+    mode: "0644"
     src: motd/motd.j2
-    dest: "{{ item }}"
+    dest: "/etc/motd"

tasks/netplan.yaml

@@ -1,15 +1,19 @@
 - name: Template Netplan config
-  loop: "{{ system.netplan|dict2items }}"
+  loop: "{{ system.netplan | dict2items }}"
   loop_control:
     label: "{{ dest }}"
   vars:
     dest: "/etc/netplan/{{ item.key }}"
-  copy:
+  ansible.builtin.copy:
+    mode: "0644"
+    owner: root
     content: |
-      {{ item.value|to_nice_yaml(indent=2) }}
+      {{ item.value | to_nice_yaml(indent=2) }}
     dest: "{{ dest }}"
   register: system_template_netplan_config_result
 
 - name: Apply Netplan config
   when: system_template_netplan_config_result.changed
-  command: netplan apply
+  changed_when: yes
+  ansible.builtin.command: 
+    cmd: netplan apply