Merge branch 'fix-ci' into 'master'

Fix CI

See merge request aurore/ansible!48

.drone.yml

@@ -0,0 +1,19 @@
+---
+kind: pipeline
+type: docker
+name: check
+
+steps:
+  - name: yamllint
+    image: python:3.9-alpine
+    commands:
+      - pip install yamllint==1.25.0
+      - yamllint -c .yamllint.yml .
+
+  - name: ansible-lint
+    image: python:3.9-alpine
+    commands:
+      - apk add --no-cache gcc libc-dev libffi-dev openssl-dev
+      - pip install ansible-lint==4.3.7
+      - ansible-lint *.yml
+...

.gitlab-ci.yml

@@ -1,5 +1,5 @@
 ---
-image: python:3.6
+image: python:3.9-alpine
 
 stages:
   - lint
@@ -7,12 +7,13 @@ stages:
 yamllint:
   stage: lint
   script:
-    - pip install yamllint==1.15.0
+    - pip install yamllint==1.25.0
     - yamllint -c .yamllint.yml .
 
 ansible-lint:
   stage: lint
   script:
-    - pip install ansible-lint==4.0.0
+    - apk add gcc libc-dev libffi-dev openssl-dev
+    - pip install ansible-lint==4.3.7
     - ansible-lint *.yml
 ...

.yamllint.yml

@@ -3,5 +3,6 @@ extends: default
 
 rules:
   line-length:
+    max: 120
     level: warning
 ...

base.yml

@@ -9,5 +9,4 @@
 # Plug LDAP on all servers
 - hosts: all,!unifi
   roles:
-    - ldap-client
-
+    - ldap_client

group_vars/all/vault.yml

@@ -1,3 +1,4 @@
+---
 $ANSIBLE_VAULT;1.1;AES256
 61333538366635353537346231363235653162356330396434383631656465616330363136306563
 3861333166386536633437386335613461646466346239360a643139303037613937373631313661

group_vars/edc/ldap_local_replica.yml

@@ -1,4 +1,3 @@
 ---
 ldap_local_replica_uri:
   - 'ldap://ldap-replica-edc.adm.auro.re'
-

ldap_replica.yml

@@ -4,4 +4,4 @@
 # DON'T DO THIS AS IT RECREATES THE REPLICA
 - hosts: ldap_replica
   roles:
-    - ldap-replica
+    - ldap_replica

matrix.yml

@@ -6,13 +6,13 @@
     mxisd_releases: https://github.com/kamax-matrix/mxisd/releases
     mxisd_deb: "{{ mxisd_releases }}/download/v1.3.1/mxisd_1.3.1_all.deb"
   roles:
-    - debian-backports
+    - debian_backports
     - nodejs
-    - matrix-synapse
-    - matrix-appservice-irc
-    - matrix-appservice-webhooks
+    - matrix_synapse
+    - matrix_appservice_irc
+    - matrix_appservice_webhooks
 
 # Install Matrix services
 - hosts: matrix-services.adm.auro.re
   roles:
-    - debian-backports
+    - debian_backports

monitoring.yml

@@ -59,4 +59,4 @@
 # Monitor all hosts
 - hosts: all,!unifi,!ovh
   roles:
-    - prometheus-node
+    - prometheus_node

network.yml

@@ -3,7 +3,7 @@
 # Set up DHCP servers.
 - hosts: dhcp-*.adm.auro.re
   roles:
-    - isc-dhcp-server
+    - isc_dhcp_server
 
 
 # Deploy unbound DNS server (recursive).
@@ -24,7 +24,7 @@
 - hosts: ~routeur-aurore.*\.adm\.auro\.re
   roles:
     - router
-    - ipv6-edge-router
+    - ipv6_edge_router
 
 # Radius (backup only for now)
 - hosts: radius-*.adm.auro.re

roles/baseconfig/tasks/apt-listchanges.yml

@@ -19,6 +19,7 @@
     option: "{{ item.option }}"
     value: "{{ item.value }}"
     state: present
+    mode: 0644
   loop:
     - option: confirm
       value: "true"

roles/baseconfig/tasks/main.yml

@@ -77,6 +77,7 @@
   copy:
     src: "skel/dot_{{ item }}"
     dest: "/etc/skel/.{{ item }}"
+    mode: 0644
   loop:
     - zshrc
     - zshrc.local

roles/basesecurity/tasks/main.yml

@@ -54,6 +54,7 @@
     option: "{{ item.option }}"
     value: "{{ item.value }}"
     state: present
+    mode: 0644
   notify: Restart fail2ban service
   loop:
     - section: sshd

roles/certbot/tasks/main.yml

@@ -26,6 +26,7 @@
   file:
     path: /etc/letsencrypt/conf.d
     state: directory
+    mode: 0755
 
 - name: Add Certbot configuration
   template:

roles/ipv6_edge_router/tasks/main.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: install GPG
   apt:
     name: gnupg
@@ -23,16 +22,18 @@
   template:
     src: daemons.j2
     dest: /etc/frr/daemons
+    mode: 0644
   notify: restart frr
 
 - name: setup frr.conf
   template:
     src: frr.conf.j2
     dest: /etc/frr/frr.conf
+    mode: 0644
   notify: restart frr
 
 - name: enable+start frr
   service:
     name: frr
     state: started
-    enabled: yes
+    enabled: true

roles/isc_dhcp_server/handlers/main.yml

@@ -1,5 +1,6 @@
+---
 - name: force run dhcp re2o-service
-  shell: /var/local/re2o-services/dhcp/main.py --force
+  command: /var/local/re2o-services/dhcp/main.py --force
   become_user: re2o-services
 
 - name: restart dhcpd
@@ -11,4 +12,3 @@
   systemd:
     name: rsyslog
     state: restarted
-

roles/isc_dhcp_server/tasks/main.yml

@@ -17,7 +17,8 @@
     state: directory
     owner: re2o-services
     group: nogroup
-    recurse: yes
+    recurse: true
+    mode: u=rwX,g=rX,o=rX
 
 - name: Install isc-dhcp-server
   apt:
@@ -101,7 +102,7 @@
   when: is_aurore_host
 
 - name: force run dhcp re2o-service
-  shell: /var/local/re2o-services/dhcp/main.py --force
+  command: /var/local/re2o-services/dhcp/main.py --force
 
 - name: Ensure dhcpd is running
   service:

roles/ldap_replica/tasks/main.yml

@@ -40,6 +40,7 @@
   file:
     path: "{{ item }}"
     state: directory
+    mode: 0755
   loop:
     - /etc/ldap/slapd.d
     - /var/lib/ldap

roles/nginx_reverseproxy/tasks/main.yml

@@ -11,6 +11,7 @@
   template:
     src: "nginx/snippets/{{ item }}.j2"
     dest: "/etc/nginx/snippets/{{ item }}"
+    mode: 0644
   loop:
     - options-ssl.conf
     - options-proxypass.conf
@@ -19,11 +20,13 @@
   template:
     src: letsencrypt/dhparam.j2
     dest: /etc/letsencrypt/dhparam
+    mode: 0644
 
 - name: Copy reverse proxy sites
   template:
     src: "nginx/sites-available/{{ item }}.j2"
     dest: "/etc/nginx/sites-available/{{ item }}"
+    mode: 0644
   loop:
     - reverseproxy
     - reverseproxy_redirect_dname
@@ -35,6 +38,7 @@
     src: "/etc/nginx/sites-available/{{ item }}"
     dest: "/etc/nginx/sites-enabled/{{ item }}"
     state: link
+    mode: 0644
   loop:
     - reverseproxy
     - reverseproxy_redirect_dname
@@ -45,6 +49,7 @@
   template:
     src: www/html/50x.html.j2
     dest: /var/www/html/50x.html
+    mode: 0644
 
 - name: Indicate role in motd
   template:

roles/prometheus/tasks/main.yml

@@ -13,12 +13,14 @@
   template:
     src: prometheus/prometheus.yml.j2
     dest: /etc/prometheus/prometheus.yml
+    mode: 0644
   notify: Restart Prometheus
 
 - name: Configure Prometheus alert rules
   template:
     src: "prometheus/{{ item }}.j2"
     dest: "/etc/prometheus/{{ item }}"
+    mode: 0644
   notify: Restart Prometheus
   loop:
     - alert.rules.yml
@@ -45,12 +47,14 @@
   copy:
     content: "{{ prometheus_targets | to_nice_json }}"
     dest: /etc/prometheus/targets.json
+    mode: 0644
 
 # We don't need to restart Prometheus when updating nodes
 - name: Configure Prometheus Ubiquity Unifi SNMP devices
   copy:
     content: "{{ prometheus_unifi_snmp_targets | to_nice_json }}"
     dest: /etc/prometheus/targets_unifi_snmp.json
+    mode: 0644
 
 - name: Activate prometheus service
   systemd:

roles/radius/tasks/main.yml

@@ -1,3 +1,4 @@
+---
 - name: Add backports repositories
   apt_repository:
     repo: "{{ item }} http://deb.debian.org/debian buster-backports main contrib non-free"
@@ -5,11 +6,11 @@
     - "deb"
     - "deb-src"
 
-
 - name: Ensure /var/www exists
   file:
     name: "/var/www"
     state: directory
+    mode: 0755
 
 - name: Clone re2o repo
   git:
@@ -22,11 +23,11 @@
   template:
     src: "{{ item }}.j2"
     dest: "/var/www/re2o/re2o/{{ item }}"
+    mode: 0644
   loop:
     - settings_local.py
     - local_routers.py
 
-
 # What follows is a hideous abomination.
 # Blame freeradius-python3 on backports.
 
@@ -34,27 +35,28 @@
   apt:
     name: freeradius-python3
     default_release: buster-backports
-    update_cache: yes
-  ignore_errors: yes
+    update_cache: true
+  ignore_errors: true
 
 - name: fix freeradius-python3 postinstall script
   template:
     src: freeradius-python3.postinst.j2
     dest: /var/lib/dpkg/info/freeradius-python3.postinst
+    mode: 0644
 
 - name: reinstall broken package (this might fail too, for different reasons)
   apt:
     name: freeradius-python3
     default_release: buster-backports
-    force: yes
-  ignore_errors: yes
+    force: true
+  ignore_errors: true
 
 - name: Setup radius symlinks
   file:
     src: "/var/www/re2o/freeradius_utils/{{ item.local_prefix }}{{ item.filename }}"
     dest: "/etc/freeradius/3.0/{{ item.filename }}"
     state: link
-    force: yes
+    force: true
   loop:
     - local_prefix: ""
       filename: auth.py
@@ -69,6 +71,7 @@
   template:
     src: "{{ item }}.j2"
     dest: "/etc/freeradius/3.0/{{ item }}"
+    mode: 0640
   loop:
     - sites-enabled/default
     - sites-enabled/inner-tunnel
@@ -77,6 +80,7 @@
   template:
     src: "{{ item }}.j2"
     dest: "/etc/freeradius/3.0/{{ item }}"
+    mode: 0640
   loop:
     - clients.conf
     - proxy.conf
@@ -99,7 +103,7 @@
   when: "'aurore_vm' in group_names"
 
 - name: Install radius requirements (except freeradius-python3)
-  shell:
+  command:
     cmd: "{{ item }}"
     chdir: /var/www/re2o/
   loop:
@@ -113,6 +117,7 @@
   template:
     src: "freeradius-logrotate.j2"
     dest: "/etc/logrotate.d/freeradius"
+    mode: 0644
 
 
 # Database setup
@@ -154,7 +159,7 @@
     state: absent
   become_user: postgres
   when: nuke_radius|default(false)
-  ignore_errors: yes
+  ignore_errors: true
 
 - name: Nuking - Destroy old local DB if it exists
   community.general.postgresql_db:
@@ -251,6 +256,6 @@
 - name: Restart freeradius, ensure enabled
   systemd:
     name: freeradius
-    enabled: yes
+    enabled: true
     state: restarted
-    daemon_reload: yes
+    daemon_reload: true

roles/radvd/handlers/main.yml

@@ -1,5 +1,6 @@
+---
 - name: restart radvd
   systemd:
     state: restarted
     name: radvd
-    enabled: yes
+    enabled: true

roles/radvd/tasks/main.yml

@@ -1,6 +1,4 @@
 ---
-
-
 # Warning: radvd installation seems to fail if the configuration
 # file doesn't already exist when the package is installed,
 # so the order is important.
@@ -19,4 +17,3 @@
     name: radvd
     state: present
   notify: restart radvd
-

roles/router/handlers/main.yml

@@ -1,8 +1,9 @@
+---
 - name: restart keepalived
   systemd:
     state: restarted
     name: keepalived
-    enabled: yes
+    enabled: true
 
 - name: run aurore-firewall
   command: python3 main.py --force

roles/router/tasks/main.yml

@@ -15,13 +15,13 @@
   ansible.posix.sysctl:
     name: net.ipv4.ip_forward
     value: '1'
-    sysctl_set: yes
+    sysctl_set: true
 
 - name: Enable IPv6 packet forwarding
   ansible.posix.sysctl:
     name: net.ipv6.conf.all.forwarding
     value: '1'
-    sysctl_set: yes
+    sysctl_set: true
 
 - name: Configure /etc/network/interfaces for routeur-aurore*
   template:

roles/unbound/handlers/main.yml

@@ -1,3 +1,4 @@
+---
 - name: restart unbound
   systemd:
     state: restarted

services_web.yml

@@ -54,4 +54,4 @@
         - {from: auro.re, to: www.auro.re}
   roles:
     - certbot
-    - nginx-reverseproxy
+    - nginx_reverseproxy