chore: more fix ansible-lint 6.17.2

2025-04-19 15:47:11 +02:00 · 2023-08-26 15:35:39 +00:00 · 2023-08-26 15:35:39 +00:00 · d9fe5e8561
commit d9fe5e8561
parent 0fa40513cd
22 changed files with 134 additions and 97 deletions
--- a/deploy_client.yml
+++ b/deploy_client.yml
@ -7,7 +7,7 @@

  tasks:
    - name: Add the droplet to an inventory group
-      add_host:
+      ansible.builtin.add_host:
        name: "{{ client_ip }}"
        groups: client-host
        ansible_ssh_user: "{{ 'root' if client_ip == 'localhost' else ssh_user }}"
--- a/input.yml
+++ b/input.yml
@ -141,4 +141,4 @@
              {%- elif _store_pki.user_input is defined  %}{{ booleans_map[_store_pki.user_input] | default(defaults['store_pki']) }}
              {%- else %}false{% endif %}{% endif %}
      rescue:
-        - ansible.builtin.include_tasks: playbooks/rescue.yml
+        - ansible.builtin.include_tasks: tasks/rescue.yml
--- a/main.yml
+++ b/main.yml
@ -1,5 +1,6 @@
 ---
- hosts: localhost
+- name: Main playbook
+  hosts: localhost
  become: false
  tasks:
    - name: Playbook dir stat
--- a/roles/client/handlers/main.yml
+++ b/roles/client/handlers/main.yml
@ -1,3 +1,5 @@
 ---
- name: restart strongswan
-  service: name={{ strongswan_service }} state=restarted
+- name: Restart strongswan
+  ansible.builtin.service:
+    name: "{{ strongswan_service }}"
+    state: restarted
--- a/roles/client/tasks/main.yml
+++ b/roles/client/tasks/main.yml
@ -1,11 +1,13 @@
 ---
 - name: Gather Facts
-  setup:
+  ansible.builtin.setup:
 - name: Include system based facts and tasks
-  import_tasks: systems/main.yml
+  ansible.builtin.import_tasks: systems/main.yml

 - name: Install prerequisites
-  package: name="{{ item }}" state=present
+  ansible.builtin.package:
+    name: "{{ item }}"
+    state: present
  with_items:
    - "{{ prerequisites }}"
  register: result
@ -14,34 +16,36 @@
  delay: 3

 - name: Install strongSwan
-  package: name=strongswan state=present
+  ansible.builtin.package:
+    name: strongswan
+    state: present
  register: result
  until: result is succeeded
  retries: 10
  delay: 3

 - name: Setup the ipsec config
-  template:
+  ansible.builtin.template:
    src: roles/strongswan/templates/client_ipsec.conf.j2
    dest: "{{ configs_prefix }}/ipsec.{{ IP_subject_alt_name }}.conf"
    mode: "0644"
  with_items:
    - "{{ vpn_user }}"
  notify:
-    - restart strongswan
+    - Restart strongswan

 - name: Setup the ipsec secrets
-  template:
+  ansible.builtin.template:
    src: roles/strongswan/templates/client_ipsec.secrets.j2
    dest: "{{ configs_prefix }}/ipsec.{{ IP_subject_alt_name }}.secrets"
    mode: "0600"
  with_items:
    - "{{ vpn_user }}"
  notify:
-    - restart strongswan
+    - Restart strongswan

 - name: Include additional ipsec config
-  lineinfile:
+  ansible.builtin.lineinfile:
    dest: "{{ item.dest }}"
    line: "{{ item.line }}"
    create: true
@ -51,26 +55,30 @@
    - dest: "{{ configs_prefix }}/ipsec.secrets"
      line: include ipsec.{{ IP_subject_alt_name }}.secrets
  notify:
-    - restart strongswan
+    - Restart strongswan

 - name: Configure libstrongswan to relax CA constraints
-  copy:
+  ansible.builtin.copy:
    src: libstrongswan-relax-constraints.conf
    dest: "{{ configs_prefix }}/strongswan.d/relax-ca-constraints.conf"
    owner: root
    group: root
-    mode: 0644
+    mode: "0644"

 - name: Setup the certificates and keys
-  template:
+  ansible.builtin.template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
+    mode: "{{ item.mode }}"
  with_items:
    - src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/certs/{{ vpn_user }}.crt
      dest: "{{ configs_prefix }}/ipsec.d/certs/{{ vpn_user }}.crt"
+      mode: "0644"
    - src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/cacert.pem
      dest: "{{ configs_prefix }}/ipsec.d/cacerts/{{ IP_subject_alt_name }}.pem"
+      mode: "0644"
    - src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/private/{{ vpn_user }}.key
      dest: "{{ configs_prefix }}/ipsec.d/private/{{ vpn_user }}.key"
+      mode: "0600"
  notify:
-    - restart strongswan
+    - Restart strongswan
--- a/roles/client/tasks/systems/CentOS.yml
+++ b/roles/client/tasks/systems/CentOS.yml
@ -1,6 +1,6 @@
 ---
 - name: Set OS specific facts
-  set_fact:
+  ansible.builtin.set_fact:
    prerequisites:
      - epel-release
    configs_prefix: /etc/strongswan
--- a/roles/client/tasks/systems/Debian.yml
+++ b/roles/client/tasks/systems/Debian.yml
@ -1,6 +1,6 @@
 ---
 - name: Set OS specific facts
-  set_fact:
+  ansible.builtin.set_fact:
    prerequisites:
      - libstrongswan-standard-plugins
    configs_prefix: /etc
--- a/roles/client/tasks/systems/Fedora.yml
+++ b/roles/client/tasks/systems/Fedora.yml
@ -1,6 +1,6 @@
 ---
 - name: Set OS specific facts
-  set_fact:
+  ansible.builtin.set_fact:
    prerequisites:
      - libselinux-python
    configs_prefix: /etc/strongswan
--- a/roles/client/tasks/systems/Ubuntu.yml
+++ b/roles/client/tasks/systems/Ubuntu.yml
@ -1,6 +1,6 @@
 ---
 - name: Set OS specific facts
-  set_fact:
+  ansible.builtin.set_fact:
    prerequisites:
      - libstrongswan-standard-plugins
    configs_prefix: /etc
--- a/roles/client/tasks/systems/main.yml
+++ b/roles/client/tasks/systems/main.yml
@ -1,12 +1,16 @@
 ---
- include_tasks: Debian.yml
+- name: Include Debian
+  ansible.builtin.include_tasks: Debian.yml
  when: ansible_distribution == 'Debian'

- include_tasks: Ubuntu.yml
+- name: Include Ubuntu
+  ansible.builtin.include_tasks: Ubuntu.yml
  when: ansible_distribution == 'Ubuntu'

- include_tasks: CentOS.yml
+- name: Include CentOS
+  ansible.builtin.include_tasks: CentOS.yml
  when: ansible_distribution == 'CentOS'

- include_tasks: Fedora.yml
+- name: Include Fedora
+  ansible.builtin.include_tasks: Fedora.yml
  when: ansible_distribution == 'Fedora'
--- a/roles/common/tasks/facts.yml
+++ b/roles/common/tasks/facts.yml
@ -1,20 +1,20 @@
 ---
 - name: Define facts
-  set_fact:
+  ansible.builtin.set_fact:
    p12_export_password: "{{ p12_password|default(lookup('password', '/dev/null length=9 chars=ascii_letters,digits,_,@')) }}"
  tags: update-users

 - name: Set facts
-  set_fact:
+  ansible.builtin.set_fact:
    CA_password: "{{ ca_password|default(lookup('password', '/dev/null length=16 chars=ascii_letters,digits,_,@')) }}"
    IP_subject_alt_name: "{{ IP_subject_alt_name }}"

 - name: Set IPv6 support as a fact
-  set_fact:
+  ansible.builtin.set_fact:
    ipv6_support: "{% if ansible_default_ipv6['gateway'] is defined %}true{% else %}false{% endif %}"
  tags: always

 - name: Check size of MTU
-  set_fact:
+  ansible.builtin.set_fact:
    reduce_mtu: "{{ 1500 - ansible_default_ipv4['mtu']|int if reduce_mtu|int == 0 and ansible_default_ipv4['mtu']|int < 1500 else reduce_mtu|int }}"
  tags: always
--- a/roles/common/tasks/freebsd.yml
+++ b/roles/common/tasks/freebsd.yml
@ -1,6 +1,6 @@
 ---
 - name: FreeBSD | Install prerequisites
-  package:
+  ansible.builtin.package:
    name:
      - python3
      - sudo
@ -8,16 +8,16 @@
    ansible_python_interpreter: /usr/local/bin/python2.7

 - name: Set python3 as the interpreter to use
-  set_fact:
+  ansible.builtin.set_fact:
    ansible_python_interpreter: /usr/local/bin/python3

 - name: Gather facts
-  setup:
+  ansible.builtin.setup:
 - name: Gather additional facts
-  import_tasks: facts.yml
+  ansible.builtin.import_tasks: facts.yml

 - name: Set OS specific facts
-  set_fact:
+  ansible.builtin.set_fact:
    config_prefix: /usr/local/
    strongswan_shell: /usr/sbin/nologin
    strongswan_home: /var/empty
@ -42,12 +42,14 @@
        value: 1

 - name: Install tools
-  package: name="{{ item }}" state=present
+  ansible.builtin.package:
+    name: "{{ item }}"
+    state: present
  with_items:
    - "{{ tools|default([]) }}"

 - name: Loopback included into the rc config
-  blockinfile:
+  ansible.builtin.blockinfile:
    dest: /etc/rc.conf
    create: true
    block: |
@ -58,7 +60,10 @@
    - restart loopback bsd

 - name: Enable the gateway features
-  lineinfile: dest=/etc/rc.conf regexp='^{{ item.param }}.*' line='{{ item.param }}={{ item.value }}'
+  ansible.builtin.lineinfile:
+    dest: /etc/rc.conf
+    regexp: '^{{ item.param }}.*'
+    line: '{{ item.param }}={{ item.value }}'
  with_items:
    - { param: firewall_enable, value: '"YES"' }
    - { param: firewall_type, value: '"open"' }
@ -70,9 +75,10 @@
    - restart ipfw

 - name: FreeBSD | Activate IPFW
-  shell: >
+  ansible.builtin.shell: >
    kldstat -n ipfw.ko || kldload ipfw ; sysctl net.inet.ip.fw.enable=0 &&
    bash /etc/rc.firewall && sysctl net.inet.ip.fw.enable=1
  changed_when: false

- meta: flush_handlers
+- name: Flush handlers
+  ansible.builtin.meta: flush_handlers
--- a/roles/common/tasks/iptables.yml
+++ b/roles/common/tasks/iptables.yml
@ -1,23 +1,23 @@
 ---
 - name: Iptables configured
-  template:
+  ansible.builtin.template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
-    mode: 0640
+    mode: "0640"
  with_items:
    - { src: rules.v4.j2, dest: /etc/iptables/rules.v4 }
  notify:
    - restart iptables

 - name: Iptables configured
-  template:
+  ansible.builtin.template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
-    mode: 0640
+    mode: "0640"
  when: ipv6_support
  with_items:
    - { src: rules.v6.j2, dest: /etc/iptables/rules.v6 }
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -1,30 +1,35 @@
 ---
 - name: Check the system
-  raw: uname -a
+  ansible.builtin.raw: uname -a
  register: OS
  changed_when: false
  tags:
    - update-users

- fail:
+- name: Fail
+  ansible.builtin.fail:
  when: cloud_test|default(false)|bool

- include_tasks: ubuntu.yml
+- name: Include ubuntu
+  ansible.builtin.include_tasks: ubuntu.yml
  when: '"Ubuntu" in OS.stdout or "Linux" in OS.stdout'
  tags:
    - update-users

- include_tasks: freebsd.yml
+- name: Include freebsd
+  ansible.builtin.include_tasks: freebsd.yml
  when: '"FreeBSD" in OS.stdout'
  tags:
    - update-users

 - name: Sysctl tuning
-  sysctl: name="{{ item.item }}" value="{{ item.value }}"
+  ansible.posix.sysctl:
+    name: "{{ item.item }}"
+    value: "{{ item.value }}"
  when: item.item
  with_items:
    - "{{ sysctl|default([]) }}"
  tags:
    - always

- meta: flush_handlers
+- ansible.builtin.meta: flush_handlers
--- a/roles/common/tasks/ubuntu.yml
+++ b/roles/common/tasks/ubuntu.yml
@ -1,10 +1,10 @@
 ---
 - name: Gather facts
-  setup:
+  ansible.builtin.setup:
 - name: Cloud only tasks
  block:
    - name: Install software updates
-      apt:
+      ansible.builtin.apt:
        update_cache: true
        install_recommends: true
        upgrade: dist
@ -14,21 +14,21 @@
      delay: 10

    - name: Check if reboot is required
-      shell: >
+      ansible.builtin.shell: >
        if [[ -e /var/run/reboot-required ]]; then echo "required"; else echo "no"; fi
      args:
        executable: /bin/bash
      register: reboot_required

    - name: Reboot
-      shell: sleep 2 && shutdown -r now "Ansible updates triggered"
+      ansible.builtin.shell: sleep 2 && shutdown -r now "Ansible updates triggered"
      async: 1
      poll: 0
      when: reboot_required is defined and reboot_required.stdout == 'required'
      ignore_errors: true

    - name: Wait until the server becomes ready...
-      wait_for_connection:
+      ansible.builtin.wait_for_connection:
        delay: 20
        timeout: 320
      when: reboot_required is defined and reboot_required.stdout == 'required'
@ -36,16 +36,19 @@
  when: algo_provider != "local"

 - name: Include unattended upgrades configuration
-  import_tasks: unattended-upgrades.yml
+  ansible.builtin.import_tasks: unattended-upgrades.yml

 - name: Disable MOTD on login and SSHD
-  replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}"
+  ansible.builtin.replace:
+    dest: "{{ item.file }}"
+    regexp: "{{ item.regexp }}"
+    replace: "{{ item.line }}"
  with_items:
    - { regexp: ^session.*optional.*pam_motd.so.*, line: "# MOTD DISABLED", file: /etc/pam.d/login }
    - { regexp: ^session.*optional.*pam_motd.so.*, line: "# MOTD DISABLED", file: /etc/pam.d/sshd }

 - name: Ensure fallback resolvers are set
-  ini_file:
+  community.general.ini_file:
    path: /etc/systemd/resolved.conf
    section: Resolve
    option: FallbackDNS
@ -54,14 +57,14 @@
    - restart systemd-resolved

 - name: Loopback for services configured
-  template:
+  ansible.builtin.template:
    src: 10-algo-lo100.network.j2
    dest: /etc/systemd/network/10-algo-lo100.network
  notify:
    - restart systemd-networkd

 - name: systemd services enabled and started
-  systemd:
+  ansible.builtin.systemd:
    name: "{{ item }}"
    state: started
    enabled: true
@ -70,24 +73,24 @@
    - systemd-networkd
    - systemd-resolved

- meta: flush_handlers
+- ansible.builtin.meta: flush_handlers

 - name: Check apparmor support
-  command: apparmor_status
+  ansible.builtin.command: apparmor_status
  ignore_errors: true
  changed_when: false
  register: apparmor_status

 - name: Set fact if apparmor enabled
-  set_fact:
+  ansible.builtin.set_fact:
    apparmor_enabled: true
  when: '"profiles are in enforce mode" in apparmor_status.stdout'

 - name: Gather additional facts
-  import_tasks: facts.yml
+  ansible.builtin.import_tasks: facts.yml

 - name: Set OS specific facts
-  set_fact:
+  ansible.builtin.set_fact:
    tools:
      - git
      - screen
@ -107,13 +110,13 @@
        value: 1

 - name: Install tools
-  apt:
+  ansible.builtin.apt:
    name: "{{ tools|default([]) }}"
    state: present
    update_cache: true

 - name: Install headers
-  apt:
+  ansible.builtin.apt:
    name:
      - linux-headers-generic
      - linux-headers-{{ ansible_kernel }}
@ -121,8 +124,9 @@
  when: install_headers | bool

 - name: Configure the alternative ingress ip
-  include_tasks: aip/main.yml
+  ansible.builtin.include_tasks: aip/main.yml
  when: alternative_ingress_ip

- include_tasks: iptables.yml
+- name: Include iptables
+  ansible.builtin.include_tasks: iptables.yml
  tags: iptables
--- a/roles/common/tasks/unattended-upgrades.yml
+++ b/roles/common/tasks/unattended-upgrades.yml
@ -1,21 +1,21 @@
 ---
 - name: Install unattended-upgrades
-  apt:
+  ansible.builtin.apt:
    name: unattended-upgrades
    state: present

 - name: Configure unattended-upgrades
-  template:
+  ansible.builtin.template:
    src: 50unattended-upgrades.j2
    dest: /etc/apt/apt.conf.d/50unattended-upgrades
    owner: root
    group: root
-    mode: 0644
+    mode: "0644"

 - name: Periodic upgrades configured
-  template:
+  ansible.builtin.template:
    src: 10periodic.j2
    dest: /etc/apt/apt.conf.d/10periodic
    owner: root
    group: root
-    mode: 0644
+    mode: "0644"
--- a/tasks/cloud-pre.yml
+++ b/tasks/cloud-pre.yml
@ -1,5 +1,7 @@
 ---
 - name: cloud-pre
+  delegate_to: localhost
+  become: false
  block:
    - name: Display the invocation environment
      ansible.builtin.shell: >
@ -26,21 +28,19 @@
      tags:
        - always
        - skip_ansible_lint
-  delegate_to: localhost
-  become: false

 - name: Provider not local
  when: algo_provider != "local"
  block:
    - name: Generate the SSH private key
-      ansible.builtin.openssl_privatekey:
+      community.crypto.openssl_privatekey:
        path: "{{ SSH_keys.private }}"
        size: 2048
        mode: "0600"
        type: RSA

    - name: Generate the SSH public key
-      ansible.builtin.openssl_publickey:
+      community.crypto.openssl_publickey:
        path: "{{ SSH_keys.public }}"
        privatekey_path: "{{ SSH_keys.private }}"
        format: OpenSSH
--- a/tasks/tmpfs/linux.yml
+++ b/tasks/tmpfs/linux.yml
@ -1,5 +1,5 @@
 ---
 - name: Linux | set OS specific facts
-  set_fact:
+  ansible.builtin.set_fact:
    tmpfs_volume_name: AlgoVPN-{{ IP_subject_alt_name }}
    tmpfs_volume_path: /dev/shm
--- a/tasks/tmpfs/macos.yml
+++ b/tasks/tmpfs/macos.yml
@ -1,11 +1,11 @@
 ---
 - name: MacOS | set OS specific facts
-  set_fact:
+  ansible.builtin.set_fact:
    tmpfs_volume_name: AlgoVPN-{{ IP_subject_alt_name }}
    tmpfs_volume_path: /Volumes

 - name: MacOS | mount a ram disk
-  shell: >
+  ansible.builtin.shell: >
    /usr/sbin/diskutil info "/{{ tmpfs_volume_path }}/{{ tmpfs_volume_name }}/" ||
    /usr/sbin/diskutil erasevolume HFS+ "{{ tmpfs_volume_name }}" $(hdiutil attach -nomount ram://64000)
  args:
--- a/tasks/tmpfs/main.yml
+++ b/tasks/tmpfs/main.yml
@ -1,17 +1,17 @@
 ---
 - name: Include tasks for MacOS
-  import_tasks: macos.yml
+  ansible.builtin.import_tasks: macos.yml
  when: ansible_system == "Darwin"

 - name: Include tasks for Linux
-  import_tasks: linux.yml
+  ansible.builtin.import_tasks: linux.yml
  when: ansible_system == "Linux"

 - name: Set config paths as facts
-  set_fact:
+  ansible.builtin.set_fact:
    ipsec_pki_path: /{{ tmpfs_volume_path }}/{{ tmpfs_volume_name }}/IPsec/

 - name: Update config paths
-  add_host:
+  ansible.builtin.add_host:
    name: "{{ 'localhost' if cloud_instance_ip == 'localhost' else cloud_instance_ip }}"
    ipsec_pki_path: "{{ ipsec_pki_path }}"
--- a/tasks/tmpfs/umount.yml
+++ b/tasks/tmpfs/umount.yml
@ -1,19 +1,22 @@
 ---
 - name: Linux | Delete the PKI directory
-  file:
+  ansible.builtin.file:
    path: /{{ facts.tmpfs_volume_path }}/{{ facts.tmpfs_volume_name }}/
    state: absent
  when: facts.ansible_system == "Linux"

- block:
+- name: Darwin
+  when:
+    - facts.ansible_system == "Darwin"
+  block:
    - name: MacOS | check fs the ramdisk exists
-      command: /usr/sbin/diskutil info "{{ facts.tmpfs_volume_name }}"
+      ansible.builtin.command: /usr/sbin/diskutil info "{{ facts.tmpfs_volume_name }}"
      ignore_errors: true
      changed_when: false
      register: diskutil_info

    - name: MacOS | unmount and eject the ram disk
-      shell: >
+      ansible.builtin.shell: >
        /usr/sbin/diskutil umount force "/{{ facts.tmpfs_volume_path }}/{{ facts.tmpfs_volume_name }}/" &&
        /usr/sbin/diskutil eject "{{ facts.tmpfs_volume_name }}"
      changed_when: false
@ -22,5 +25,4 @@
      until: result.rc == 0
      retries: 5
      delay: 3
-  when:
-    - facts.ansible_system == "Darwin"
+
--- a/users.yml
+++ b/users.yml
@ -98,23 +98,28 @@
  tasks:
    - name: Play roles
      block:
-        - ansible.builtin.import_role:
+        - name: Import common
+          ansible.builtin.import_role:
            name: common

-        - ansible.builtin.import_role:
+        - name: Import wireguard
+          ansible.builtin.import_role:
            name: wireguard
          when: wireguard_enabled

-        - ansible.builtin.import_role:
+        - name: Import strongswan
+          ansible.builtin.import_role:
            name: strongswan
          when: ipsec_enabled
          tags: ipsec

-        - ansible.builtin.import_role:
+        - name: Import ssh_tunneling
+          ansible.builtin.import_role:
            name: ssh_tunneling
          when: algo_ssh_tunneling

-        - ansible.builtin.debug:
+        - name: End message
+          ansible.builtin.debug:
            msg:
              - "{{ congrats.common.split('\n') }}"
              - "    {{ congrats.p12_pass if algo_ssh_tunneling or ipsec_enabled else '' }}"