fix: add explicit bool filters for Ansible 12 jinja2_native compatibility #14963

Merged: dguido merged 3 commits into main from fix/ansible12-jinja2-native-bool-filters on Feb 8, 2026

@dguido dguido commented Feb 8, 2026

Summary

  • Add | bool filters to all boolean variable references in when: conditions and Jinja2 if statements across 31 files
  • Ansible 12 enables jinja2_native by default, so string values "true"/"false" are no longer auto-coerced to booleans — bare when: ipsec_enabled silently evaluates truthy for any non-empty string
  • Reformat long single-line Jinja2 conditionals into multi-line for readability (input.yml, users.yml, all cloud provider prompts)
  • Fix GCE default() calls to pass true parameter (empty strings don't trigger default() in native mode)
  • Add help|-h|--help command to the algo shell script
  • Update test fixtures to register bool filter in Jinja2 environment
  • Add j2lint (Jinja2 template linter) to pre-commit hooks, lint.yml CI, and smart-tests.yml — catches syntax errors, spacing issues, and operator formatting in .j2 templates

j2lint configuration

Rules ignored (incompatible with Ansible config-file-embedded templates):

| Rule | Reason |
| --- | --- |
| S3 (indentation) | Output format dictates indentation, not Jinja style |
| S5 (no tabs) | Some config formats (strongswan.conf) require tabs |
| S6 (no {%-/-%}) | Whitespace-control delimiters are standard Ansible |
| S7 (single statement per line) | Inline Jinja is necessary for config output |
| V1 (lowercase variables) | Existing names like IP_subject_alt_name |

Affected areas

| Area | Files | Change |
| --- | --- | --- |
| Firewall templates | rules.v4.j2, rules.v6.j2 | \| bool on ipsec_enabled, wireguard_enabled, snat_aipv4, alternative_ingress_ip |
| Server playbook | server.yml | \| bool on cloudinit, wireguard_enabled, ipsec_enabled, algo_dns_adblocking, dns_encryption, algo_ssh_tunneling |
| DNS role | dns/tasks/main.yml, dns/handlers/main.yml, templates | \| bool on is_debian_based, uses_systemd_socket, algo_dns_adblocking, ipv6_support |
| WireGuard role | wireguard/defaults/main.yml, tasks/main.yml, server.conf.j2 | \| bool on ipv6_support, is_debian_based; fix int+1 spacing |
| StrongSwan role | strongswan/defaults/main.yml, tasks/, ipsec.conf.j2 | \| bool on ipv6_support, algo_dns_adblocking, dns_encryption, is_debian_based |
| Cloud providers | All prompts.yml + main.yml | Multi-line Jinja2 reformatting, \| bool on alternative_ingress_ip |
| Input/Users | input.yml, users.yml | Multi-line Jinja2 reformatting, \| bool on ipsec_enabled, wireguard_enabled |
| Tests | test_iptables_rules.py, test_wireguard_key_generation.py | Register bool filter, rename unused var |
| CI/Tooling | lint.yml, smart-tests.yml, .pre-commit-config.yaml, pyproject.toml | Add j2lint to all lint pipelines |

Test plan

  • j2lint roles/ --ignore S3 S5 S6 S7 V1 — passed (0 errors)
  • ansible-lint . — passed (production profile)
  • yamllint . — passed
  • ruff check . — passed
  • shellcheck algo — passed
  • actionlint .github/workflows/lint.yml .github/workflows/smart-tests.yml — passed
  • ansible-playbook main.yml --syntax-check — passed
  • ansible-playbook users.yml --syntax-check — passed
  • pytest tests/unit/ -q — 90 passed
  • All pre-commit hooks passed (including new j2lint hook)

🤖 Generated with Claude Code
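
A check for the bare references the summary describes, as an added example (not code from this pull request): it scans task YAML and template text for `when:` conditions and `{% if %}` tags that test a known boolean variable without `| bool`. The function name `find_bare_bools`, the regex heuristics and the sample are assumptions; the variable names come from the Affected areas table, and folded (`>-`) multi-line conditions are not handled.

```python
import re

# Boolean-valued variables named in the PR description; extend for your roles.
BOOL_VARS = ("ipsec_enabled", "wireguard_enabled", "algo_dns_adblocking",
             "dns_encryption", "ipv6_support", "is_debian_based")
# A variable reference, its filter chain, and an optional "is <test>" suffix.
_REF = re.compile(
    r"(?<![\w.'\"])(?P<var>" + "|".join(BOOL_VARS) + r")\b"
    r"(?P<filters>(?:\s*\|\s*\w+(?:\([^)]*\))?)*)"
    r"(?P<test>\s+is\s+(?:not\s+)?\w+)?")
_WHEN = re.compile(r"^(\s*)when:\s*(.*)$")
_ITEM = re.compile(r"^(\s*)-\s+(.+)$")
_IF = re.compile(r"\{%-?\s*(?:if|elif)\s+(.+?)\s*-?%\}")

# Constructed sample: task YAML plus one template line (not from the repository).
SAMPLE = """\
- name: Install strongSwan
  when: ipsec_enabled
- name: Install WireGuard
  when: wireguard_enabled | default(false) | bool
- name: Configure IPv6
  when:
    - ipv6_support is defined
    - not ipv6_support
{% if dns_encryption and is_debian_based | bool %}
"""


def find_bare_bools(text):
    """Return (line_no, variable) for each truthiness test lacking `| bool`."""
    hits, when_indent = [], None
    for no, line in enumerate(text.splitlines(), 1):
        exprs = _IF.findall(line)
        when, item = _WHEN.match(line), _ITEM.match(line)
        if when:
            # `when:` with no value opens a list of conditions on later lines.
            when_indent = len(when.group(1)) if not when.group(2) else None
            exprs.append(when.group(2))
        elif when_indent is not None and item and len(item.group(1)) >= when_indent:
            exprs.append(item.group(2))
        elif line.strip():
            when_indent = None
        for expr in exprs:
            for ref in _REF.finditer(expr):
                filters = re.findall(r"\|\s*(\w+)", ref["filters"])
                # `x | bool` is explicit; `x is defined` is not a truthiness test.
                if "bool" not in filters and not ref["test"]:
                    hits.append((no, ref["var"]))
    return hits
```

On the sample, `find_bare_bools(SAMPLE)` reports lines 2, 8 and 9; the `| default(false) | bool` chain and the `is defined` test are not flagged.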

…lity

Ansible 12 enables jinja2_native by default, which means string values
like "true"/"false" are no longer automatically coerced to booleans in
when: conditions and Jinja2 if statements. Add | bool filters to all
boolean variable references in tasks, templates, and handlers.

Also reformats long single-line Jinja2 conditionals into multi-line for
readability, fixes GCE default() calls for native mode, adds help
command to the algo script, and updates test fixtures to register the
bool filter.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@dguido dguido requested a review from jackivanov as a code owner February 8, 2026 15:39
dguido and others added 2 commits February 8, 2026 10:46
Add j2lint (aristanetworks/j2lint) to catch syntax errors, spacing
issues, and operator formatting in Jinja2 templates. Integrated into
pre-commit hooks, lint.yml CI, and smart-tests.yml.

Rules S3/S5/S6/S7/V1 are ignored — they enforce conventions
incompatible with Ansible's config-file-embedded templates.

Also fixes int+1 → int + 1 operator spacing in server.conf.j2.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Fix 18 jinja[spacing] errors across 12 files by moving Jinja2 block
delimiters to prevent YAML >- folding from introducing trailing spaces.

Fix 27 key-order[task] warnings across 17 files by reordering task keys
to canonical order (name → when → tags → environment → become → block).

Promote key-order[task] and yaml[line-length] from warn_list to hard
errors by removing warn_list entirely from .ansible-lint.

Add zero-tolerance warning policy to CLAUDE.md explaining why warnings
are unacceptable in a security tool and documenting resolution order.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@dguido dguido merged commit 984831b into main Feb 8, 2026
26 checks passed
@dguido dguido deleted the fix/ansible12-jinja2-native-bool-filters branch February 8, 2026 16:21