ansible: Global Lint

Author: the-maldridge

ansible/.ansible-lint-ignore

@@ -0,0 +1,19 @@
+# This file contains ignores rule violations for ansible-lint
+group_vars/netlogon.yml var-naming[pattern]
+group_vars/netlogon.yml yaml[line-length]
+hashi-worker.yml syntax-check[specific]
+host_vars/a-fsn-de.m.voidlinux.org.yml var-naming[pattern]
+host_vars/a-hel-fi.m.voidlinux.org.yml var-naming[pattern]
+host_vars/b-fsn-de.m.voidlinux.org.yml var-naming[pattern]
+network.yml risky-shell-pipe
+roles/netauth-config role-name
+roles/netauth-ldap role-name
+roles/netauthd/handlers/main.yml syntax-check[specific]
+roles/node_exporter/meta/main.yml schema[meta]
+roles/nomad_client/tasks/main.yml jinja[spacing]
+roles/nomad_client/tasks/main.yml risky-file-permissions
+roles/nomad_client/vars/main.yml var-naming[no-role-prefix]
+roles/sshd/defaults/main.yml var-naming[pattern]
+roles/sshd/meta/main.yml schema[meta]
+roles/void_mesh/handlers/main.yml syntax-check[specific]
+roles/xbps-repoconf role-name

ansible/base.yml

@@ -1,22 +1,25 @@
 ---
-- hosts: net_static
-  become: yes
-  become_method: sudo
+- name: Hosts with Static Networking
+  hosts: net_static
+  become: true
   become_user: root
+  become_method: ansible.builtin.sudo
   roles:
     - void.network.static
 
-- hosts: "!net_static"
-  become: yes
-  become_method: sudo
+- name: Hosts with Dynamic Networking
+  hosts: "!net_static"
+  become: true
   become_user: root
+  become_method: ansible.builtin.sudo
   roles:
     - dhcpcd
 
-- hosts: all:!unmanaged
-  become: yes
-  become_method: sudo
+- name: Base Machine Configuration
+  hosts: all:!unmanaged
+  become: true
   become_user: root
+  become_method: ansible.builtin.sudo
   vars:
     node_exporter_consul_token: "{{lookup('file', 'secret/node_exporter_consul_token')}}"
   roles:

ansible/group_vars/all.yml

@@ -1,14 +1,14 @@
 ---
 xbps_repository_address: repo-de.voidlinux.org
-xbps_repository_main: https://{{xbps_repository_address}}/current
-xbps_repository_nonfree: https://{{xbps_repository_address}}/current/nonfree
-xbps_repository_multilib: https://{{xbps_repository_address}}/current/multilib
-xbps_repository_multilib_nonfree: https://{{xbps_repository_address}}/current/multilib/nonfree
+xbps_repository_main: https://{{ xbps_repository_address }}/current
+xbps_repository_nonfree: https://{{ xbps_repository_address }}/current/nonfree
+xbps_repository_multilib: https://{{ xbps_repository_address }}/current/multilib
+xbps_repository_multilib_nonfree: https://{{ xbps_repository_address }}/current/multilib/nonfree
 xbps_repository_port: 443
 
-metal_domain_root: '.m.voidlinux.org'
+metal_domain_root: ".m.voidlinux.org"
 network_hostname: '{{ inventory_hostname | regex_replace(metal_domain_root, "") | regex_replace("\.", "-") }}'
-network_fqdn: '{{ inventory_hostname }}'
+network_fqdn: "{{ inventory_hostname }}"
 network_boot_hosts:
   - name: netauth.voidlinux.org
     addr: 95.216.191.60

ansible/group_vars/hashimaster.yml

@@ -2,5 +2,4 @@
 network_input_policy: DROP
 network_output_policy: ACCEPT
 
-
 nomad_datacenter: VOID-CONTROL

ansible/group_vars/md.yml

@@ -4,8 +4,8 @@ grafana:
     name: grafana
     urls:
       - monitoring.voidlinux.org
-    static_root: no
+    static_root: false
     tls:
-      stapling: yes
+      stapling: true
       certificate: /var/lib/acme/live/monitoring.voidlinux.org/fullchain
       key: /var/lib/acme/live/monitoring.voidlinux.org/privkey

ansible/group_vars/netlogon.yml

@@ -1,3 +1,4 @@
+---
 sshd_AuthorizedKeysCommand: /usr/bin/netkeys --ID %u
 sshd_AllowGroupsAlways:
   - wheel

ansible/hashi-controller.yml

@@ -1,13 +1,14 @@
 ---
-- hosts: hashimaster
-  become: yes
+- name: Hashicorp Control Plane Servers
+  hosts: hashimaster
+  become: true
   become_user: root
-  become_method: sudo
+  become_method: ansible.builtin.sudo
   vars:
     nomad_role: server
   roles:
-    - consul-server
+    - consul_server
     - vault
-    - nomad-server
-    - nomad-client
-    - hashi-ws-fw
+    - nomad_server
+    - nomad_client
+    - hashi_ws_fw

ansible/hashi-worker.yml

@@ -1,42 +1,43 @@
 ---
-- hosts: hashiworker,hashimirror,hashimx
-  become: yes
+- name: Common Hashiorp Worker Services
+  hosts: hashiworker,hashimirror,hashimx
+  become: true
   become_user: root
-  become_method: sudo
+  become_method: ansible.builtin.sudo
   vars:
     nomad_role: client
   roles:
     - consul
     - nomad-client
 
-
-- hosts: hashimirror
-  become: yes
+- name: Nomad-based Mirrors
+  hosts: hashimirror
+  become: true
   become_user: root
-  become_method: sudo
+  become_method: ansible.builtin.sudo
   tasks:
     - name: Accept IPv4 Traffic
-      lineinfile:
-        line: "{{item}}"
+      ansible.builtin.lineinfile:
+        line: "{{ item }}"
         path: /etc/iptables.d/proxy.rules
-        create: yes
+        create: true
         owner: root
         group: root
-        mode: 0640
+        mode: "0640"
       with_items:
         - "*filter"
         - "-A INPUT -p tcp --dport 80 -j ACCEPT"
         - "-A INPUT -p tcp --dport 443 -j ACCEPT"
         - "-A INPUT -p tcp --dport 873 -j ACCEPT"
         - "COMMIT"
     - name: Accept IPv6 Traffic
-      lineinfile:
-        line: "{{item}}"
+      ansible.builtin.lineinfile:
+        line: "{{ item }}"
         path: /etc/ip6tables.d/proxy.6rules
-        create: yes
+        create: true
         owner: root
         group: root
-        mode: 0640
+        mode: "0640"
       with_items:
         - "*filter"
         - "-A INPUT -p tcp --dport 80 -j ACCEPT"
@@ -46,52 +47,53 @@
 
 - name: Special rules for d-hel-fi
   hosts: d-hel-fi.m.voidlinux.org
-  become: yes
+  become: true
   become_user: root
-  become_method: sudo
+  become_method: ansible.builtin.sudo
   tasks:
     - name: Accept IPv4 Traffic
-      lineinfile:
-        line: "{{item}}"
+      ansible.builtin.lineinfile:
+        line: "{{ item }}"
         path: /etc/iptables.d/root_mirror.rules
-        create: yes
+        create: true
         owner: root
         group: root
-        mode: 0640
+        mode: "0640"
       with_items:
         - "*filter"
         - "-A INPUT -p tcp --dport 2022 -j ACCEPT"
         - "-A INPUT -p tcp --dport 8001 -j ACCEPT"
         - "-A INPUT -p tcp --dport 8003 -j ACCEPT"
         - "COMMIT"
     - name: Accept IPv6 Traffic
-      lineinfile:
-        line: "{{item}}"
+      ansible.builtin.lineinfile:
+        line: "{{ item }}"
         path: /etc/ip6tables.d/root_mirror.6rules
-        create: yes
+        create: true
         owner: root
         group: root
-        mode: 0640
+        mode: "0640"
       with_items:
         - "*filter"
         - "-A INPUT -p tcp --dport 2022 -j ACCEPT"
         - "-A INPUT -p tcp --dport 8001 -j ACCEPT"
         - "-A INPUT -p tcp --dport 8003 -j ACCEPT"
         - "COMMIT"
 
-- hosts: hashimx
-  become: yes
+- name: Additional tasks for MX hosts
+  hosts: hashimx
+  become: true
   become_user: root
-  become_method: sudo
+  become_method: ansible.builtin.sudo
   tasks:
     - name: Accept IPv4 Traffic
-      lineinfile:
-        line: "{{item}}"
+      ansible.builtin.lineinfile:
+        line: "{{ item }}"
         path: /etc/iptables.d/maddy.rules
-        create: yes
+        create: true
         owner: root
         group: root
-        mode: 0640
+        mode: "0640"
       with_items:
         - "*filter"
         - "-A INPUT -p tcp --dport 25 -j ACCEPT"
@@ -101,13 +103,13 @@
         - "-A INPUT -p tcp --dport 993 -j ACCEPT"
         - "COMMIT"
     - name: Accept IPv6 Traffic
-      lineinfile:
-        line: "{{item}}"
+      ansible.builtin.lineinfile:
+        line: "{{ item }}"
         path: /etc/ip6tables.d/maddy.6rules
-        create: yes
+        create: true
         owner: root
         group: root
-        mode: 0640
+        mode: "0640"
       with_items:
         - "*filter"
         - "-A INPUT -p tcp --dport 25 -j ACCEPT"
@@ -117,9 +119,10 @@
         - "-A INPUT -p tcp --dport 993 -j ACCEPT"
         - "COMMIT"
 
-- hosts: buildworker
-  become: yes
+- name: Build Servers
+  hosts: buildworker
+  become: true
   become_user: root
-  become_method: sudo
+  become_method: ansible.builtin.sudo
   roles:
     - buildworker

ansible/netauth.yml

@@ -1,7 +1,8 @@
 ---
-- hosts: netauth
-  become: yes
-  become_method: sudo
+- name: NetAuth Servers
+  hosts: netauth
+  become: true
   become_user: root
+  become_method: ansible.builtin.sudo
   roles:
     - netauthd

ansible/network.yml

@@ -1,24 +1,29 @@
 ---
-- hosts: localhost
-  gather_facts: no
+- name: Generate Network Keys
+  hosts: localhost
+  gather_facts: true
   tasks:
     - name: Create secret directory
-      file:
+      ansible.builtin.file:
         path: secret/vpn
         state: directory
+        owner: "{{ ansible_facts['user_id'] }}"
+        group: "{{ ansible_facts['user_id'] }}"
+        mode: "0750"
 
     - name: Create wireguard keys
-      shell: wg genkey | tee {{item}} | wg pubkey > {{item}}.pub
+      ansible.builtin.shell: wg genkey | tee {{ item }} | wg pubkey > {{ item }}.pub
       args:
-        creates: "{{item}}.pub"
+        creates: "{{ item }}.pub"
         chdir: secret/vpn
       with_items: "{{ groups['prod'] | difference(groups['unmanaged']) }}"
 
-- hosts: prod:!unmanaged
-  become: yes
+- name: Install Mesh Network Configuration
+  hosts: prod:!unmanaged
+  become: true
   become_user: root
-  become_method: sudo
-  gather_facts: no
+  become_method: ansible.builtin.sudo
+  gather_facts: false
   strategy: ansible.builtin.host_pinned
   roles:
-    - void-mesh
+    - void_mesh