From a0046b5b4b7571b171efe9687e4d3a62e2a0c4d9 Mon Sep 17 00:00:00 2001
From: Michal Konecny
Date: Wed, 30 Apr 2025 11:57:57 +0200
Subject: [PATCH] [distgit] Fixing ansible lint errors

This commit is fixing ansible lint errors for distgit role. It also introduces two new addition to skip list as the structure of our ansible repository doesn't adhere to ansible standards. The errors that will be now skipped are:
- role-name[path] - we have plenty of roles that have sub-roles inside them and we need to access them
- var-naming[no-role-prefix] - variables for roles are not usually prefixed correctly in our repository and forcing people to change that will introduce more issues than what it solves
---
 .ansible-lint | 2 +
 roles/distgit/pagure/tasks/main.yml | 215 ++++++++++++++++++----------
 roles/pagure/tasks/selinux.yml | 43 +++---
 3 files changed, 167 insertions(+), 93 deletions(-)

diff --git a/.ansible-lint b/.ansible-lint
index 6954c4c552..397b347d2c 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -64,3 +64,5 @@ kinds:
 skip_list:
 - yaml
+ - role-name[path]
+ - var-naming[no-role-prefix]
diff --git a/roles/distgit/pagure/tasks/main.yml b/roles/distgit/pagure/tasks/main.yml
index da4d01f4a8..1d10cd18c0 100644
--- a/roles/distgit/pagure/tasks/main.yml
+++ b/roles/distgit/pagure/tasks/main.yml
@@ -2,7 +2,9 @@
 # Configuration for the pagure webapp
 
 - name: Install needed packages
- ansible.builtin.package: name={{ item }} state=present
+ ansible.builtin.package:
+ name: "{{ item }}"
+ state: present
 with_items:
 - pagure
 - pagure-ev
@@ -20,7 +22,9 @@
 - packages
 
 - name: Install needed packages
- ansible.builtin.package: name={{ item }} state=present
+ ansible.builtin.package:
+ name: "{{ item }}"
+ state: present
 with_items:
 - pagure-theme-srcfpo
 tags:
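Review bot: Adding `role-name[path]` and `var-naming[no-role-prefix]` to `skip_list` hides both findings for the whole repository, so a new role that could follow the expected layout or prefix its variables will never be told so. `warn_list` gives the same green lint run while still printing the findings; the change is the section name only: `warn_list:` / `- role-name[path]` / `- var-naming[no-role-prefix]` (keeping `yaml` under `skip_list`). The commit message explains the reasoning, so a one-line comment above the new entries would help the next person who wonders whether they can be re-enabled, e.g. `# sub-roles and unprefixed role vars are repo-wide conventions; see git log`.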
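Review bot: Both `Install needed packages` tasks keep the `with_items` loop around `ansible.builtin.package`, so each package is resolved and installed in its own transaction; `name` accepts a list, so the loop can go and the items move under `name:` (`name:` / `- pagure` / `- pagure-ev` …), which is one package-manager call and one task result. The same pattern recurs in the `Install fedora-messaging as a dependency` hunk later in this file. Behaviour is otherwise unchanged, so this is a style point on the converted tasks rather than a defect.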
@@ -30,7 +34,7 @@
 - name: >-
 Set httpd_can_network_connect flag on and keep it persistent across reboots so apache can talk to redis
- seboolean:
+ ansible.posix.seboolean:
 name: httpd_can_network_connect
 state: yes
 persistent: yes
@@ -38,32 +42,43 @@
 # Set-up Pagure
 
 - name: Create a group pagure we can use
- group: name=pagure
+ ansible.builtin.group:
+ name: pagure
 tags:
 - pagure
 
 - name: Create an user we can run pagure under
- user: name=pagure group=packager append=yes
+ ansible.builtin.user:
+ name: pagure
+ group: packager
+ append: yes
 tags:
 - pagure
 
 - name: Create the "git" user
- ansible.builtin.command: useradd --create-home --home-dir=/srv/git/ git
- creates=/srv/git/
+ ansible.builtin.command:
+ cmd: useradd --create-home --home-dir=/srv/git/ git
+ creates: /srv/git/
 when: env == 'staging'
 tags:
 - pagure
 
 - name: Add the git user to the packager group
- user: name=git group=packager append=yes
+ ansible.builtin.user:
+ name: git
+ group: packager
+ append: yes
 when: env == 'staging'
 tags:
 - pagure
 
 - name: Create the /var/log/pagure folder where to store the logs
- ansible.builtin.file: state=directory
- path=/var/log/pagure
- owner=pagure group=packager mode=u+rwx,g+rwxs,o+rx
+ ansible.builtin.file:
+ state: directory
+ path: /var/log/pagure
+ owner: pagure
+ group: packager
+ mode: u+rwx,g+rwxs,o+rx
 tags:
 - pagure
 - hotfix
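Review bot: In both converted `ansible.builtin.user` tasks `append: yes` has no effect, because `append` only applies to the supplementary `groups` list and these tasks set the primary group via `group: packager`; either the intent is a supplementary group and the line should read `groups: packager` (keeping `append: true`), or it is the primary group and `append` can go — the second task's name ("Add the git user to the packager group") suggests the former. Separately, `yes` here (and `default: yes`, `enabled: yes`, `recursive: yes` in later hunks) is the YAML 1.1 truthy spelling that the skipped `yaml` rule would otherwise flag, while the selinux.yml hunks of the same commit use `true`; one spelling across both files would be preferable. The `Create the "git" user` task remains a raw `useradd` guarded only by `creates: /srv/git/`, next to tasks that were just moved to `ansible.builtin.user`; `home: /srv/git/` with `create_home: true` on the module would express it idempotently. All of these tasks are fully inside the hunk.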
@@ -81,16 +96,22 @@
 - fix_log
 
 - name: Create the /srv/tmp folder where to clone repos
- ansible.builtin.file: state=directory
- path=/srv/tmp
- owner=pagure group=pagure mode=0775
+ ansible.builtin.file:
+ state: directory
+ path: /srv/tmp
+ owner: pagure
+ group: pagure
+ mode: "0775"
 tags:
 - pagure
 
 - name: Copy sundry pagure configuration
- ansible.builtin.template: src={{ item.file }}
- dest={{ item.location }}/{{ item.file }}
- owner=pagure group=postfix mode=0640
+ ansible.builtin.template:
+ src: "{{ item.file }}"
+ dest: "{{ item.location }}/{{ item.file }}"
+ owner: pagure
+ group: postfix
+ mode: "0640"
 with_items:
 - file: pagure.cfg
 location: /etc/pagure
@@ -108,9 +129,12 @@
 - Restart apache
 
 - name: Pagure configuration for the hooks
- ansible.builtin.template: src={{ item.file }}
- dest={{ item.location }}/{{ item.file }}
- owner=pagure group=packager mode=0640
+ ansible.builtin.template:
+ src: "{{ item.file }}"
+ dest: "{{ item.location }}/{{ item.file }}"
+ owner: pagure
+ group: packager
+ mode: "0640"
 with_items:
 - file: pagure_hook.cfg
 location: /etc/pagure
@@ -131,9 +155,12 @@
 - pagure
 
 - name: Create all the directories where we store the git repos
- ansible.builtin.file: state=directory
- path={{ item }}
- owner=root group=packager mode=2775
+ ansible.builtin.file:
+ state: directory
+ path: "{{ item }}"
+ owner: root
+ group: packager
+ mode: "2775"
 with_items:
 - /srv/git/repositories/
 - /srv/git/repositories/forks
@@ -144,9 +171,12 @@
 - pagure
 
 - name: Create the remotes folder so pagure can clone remote repos
- ansible.builtin.file: state=directory
- path={{ item }}
- owner=root group=packager mode=2775
+ ansible.builtin.file:
+ state: directory
+ path: "{{ item }}"
+ owner: root
+ group: packager
+ mode: "2775"
 with_items:
 - /srv/git/remotes
 tags:
@@ -155,7 +185,7 @@
 # On RHEL 8.8 and newer, git operations fail because of dubious ownership. This should fix it.
 
 - name: Configure git directories as safe
- git_config:
+ community.general.git_config:
 name: safe.directory
 scope: system
 value: "*"
@@ -163,8 +193,12 @@
 - pagure
 
 - name: Install the apache configuration file
- ansible.builtin.template: src={{ item }} dest=/etc/httpd/conf.d/{{ item }}
- owner=root group=root mode=0644
+ ansible.builtin.template:
+ src: "{{ item }}"
+ dest: "/etc/httpd/conf.d/{{ item }}"
+ owner: root
+ group: root
+ mode: "0644"
 with_items:
 - z_pagure.conf
 tags:
@@ -175,9 +209,12 @@
 - Restart apache
 
 - name: Install the wsgi file
- ansible.builtin.template: src={{ item }}
- dest=/var/www/{{ item }}
- owner=pagure group=pagure mode=0644
+ ansible.builtin.template:
+ src: "{{ item }}"
+ dest: "/var/www/{{ item }}"
+ owner: pagure
+ group: pagure
+ mode: "0644"
 with_items:
 - pagure.wsgi
 tags:
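Review bot: `value: "*"` for `safe.directory` at system scope disables git's dubious-ownership check for every repository on the host, which is broader than the RHEL 8.8 issue in the comment requires and removes a protection that exists precisely for shared, multi-user trees like this one. Listing the repository roots that pagure actually serves (`/srv/git/repositories`, `/srv/git/remotes`, …) as individual `safe.directory` entries keeps the check elsewhere; git accepts the key multiple times, though depending on the collection version `community.general.git_config` may need one task per entry or a loop. The comment could then state the scope, e.g. `# Limited to the dist-git roots; "*" would disable the ownership check host-wide.` The line is context here; the commit only adds the FQCN.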
@@ -188,27 +225,25 @@
 - Restart apache
 
 - name: Add default facl so apache can read git repos
- acl: default=yes etype=user entity=apache permissions="rx" name=/srv/git state=present
+ ansible.posix.acl:
+ default: yes
+ etype: user
+ entity: apache
+ permissions: "rx"
+ name: /srv/git
+ state: present
+ recursive: yes
 register: acl_updates
 tags:
 - pagure
 
-- name: Manually fix current default ACLs since Ansible doesnt know recursive acls
- when: acl_updates.changed
- ansible.builtin.command: /usr/bin/setfacl -Rdm user:apache:rx /srv/git
- tags:
- - pagure
-
-- name: Manually fix current ACLs since Ansible doesnt know recursive acls
- when: acl_updates.changed
- ansible.builtin.command: /usr/bin/setfacl -Rm user:apache:rx /srv/git
- tags:
- - pagure
-
 - name: Override the default pagure_worker.service file to change the user it is run under
- ansible.builtin.copy: src={{ item }}.service
- dest=/etc/systemd/system/{{ item }}.service
- owner=root group=root mode=0755
+ ansible.builtin.copy:
+ src: "{{ item }}.service"
+ dest: "/etc/systemd/system/{{ item }}.service"
+ owner: root
+ group: root
+ mode: "0755"
 with_items:
 - pagure_ev
 - pagure_logcom
@@ -219,16 +254,19 @@
 tags:
 - pagure
 
-# Configure SELinux in dist-git/pagure
-
-- import_tasks: selinux.yml
+- nanme: Configure SELinux in dist-git/pagure
+ ansible.builtin.import_tasks: selinux.yml
 tags:
 - selinux
 
 # Cron job to export extras information from the pagure DB
 
 - name: Install the apache configuration file for /extras
- ansible.builtin.copy: src={{ item }} dest=/etc/httpd/conf.d/{{ item }}
- owner=root group=root mode=0644
+ ansible.builtin.copy:
+ src: "{{ item }}"
+ dest: "/etc/httpd/conf.d/{{ item }}"
+ owner: root
+ group: root
+ mode: "0644"
 with_items:
 - pagure_cron.conf
 tags:
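Review bot: The new `recursive: yes` on the `ansible.posix.acl` task only covers the removed `setfacl -Rdm` command: with `default: yes` the module writes default ACLs, which apply to entries created afterwards, so the removed `setfacl -Rm user:apache:rx /srv/git` (the access ACL on files and directories that already exist) has no replacement and apache is not granted read on the existing tree of a freshly provisioned host. A second `ansible.posix.acl` task without `default` restores that. `register: acl_updates` on the context line is now unused, since both tasks that consumed it were deleted, and can be dropped.
```yaml
- name: Add facl so apache can read the existing git repos
  ansible.posix.acl:
    etype: user
    entity: apache
    permissions: "rx"
    name: /srv/git
    state: present
    recursive: true
  tags:
    - pagure
```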
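Review bot: `nanme:` in the new `Configure SELinux in dist-git/pagure` task is a typo for `name:`; Ansible rejects unknown task keywords at load time, so the whole play fails before any task runs, and since the line is valid YAML the skipped `yaml` rule is irrelevant (ansible-lint's syntax check should still report it). Change it to `- name: Configure SELinux in dist-git/pagure`.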
@@ -239,14 +277,17 @@
 - Restart apache
 
 - name: Create the /srv/cache/extras folder for the crons
- ansible.builtin.file: state=directory
- path=/srv/cache/extras
- owner=apache group=apache mode=0775
+ ansible.builtin.file:
+ state: directory
+ path: /srv/cache/extras
+ owner: apache
+ group: apache
+ mode: "0775"
 tags:
 - pagure
 
 - name: Configure cron job for a hourly pagure_poc
- cron:
+ ansible.builtin.cron:
 name: pagure-poc
 user: root
 minute: 0
@@ -257,7 +298,7 @@
 - pagure
 
 - name: Configure cron job for a hourly pagure_bz
- cron:
+ ansible.builtin.cron:
 name: pagure-poc
 user: root
 minute: 0
@@ -268,7 +309,7 @@
 - pagure
 
 - name: Configure cron job for a hourly pagure_owner_alias
- cron:
+ ansible.builtin.cron:
 name: pagure-poc
 user: root
 minute: 0
@@ -281,7 +322,9 @@
 # setup fedora-messaging
 
 - name: Install fedora-messaging as a dependency
- ansible.builtin.package: name={{ item }} state=present
+ ansible.builtin.package:
+ name: "{{ item }}"
+ state: present
 with_items:
 - fedora-messaging
 tags:
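Review bot: The three `ansible.builtin.cron` tasks in this and the next two hunks all carry `name: pagure-poc`, and `name` is the marker the module uses to find and update an existing crontab entry, so the pagure_bz and pagure_owner_alias tasks rewrite the pagure_poc entry rather than adding their own: after a run only the last job survives and each task reports changed every time. Give each task a distinct name, e.g. `name: pagure-bz` and `name: pagure-owner-alias`, matching the task descriptions. The `job:` lines sit outside the hunks, so the effect is inferred from the visible `name:` lines; this predates the commit, which only swaps `cron:` for the FQCN.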
@@ -289,41 +332,55 @@
 - fedora-messaging
 
 - name: Create the config folder for fedora-messaging
- ansible.builtin.file: path=/etc/fedora-messaging/ owner=root group=root mode=0755 state=directory
+ ansible.builtin.file:
+ path: /etc/fedora-messaging/
+ owner: root
+ group: root
+ mode: "0755"
+ state: directory
 tags:
 - pagure
 - fedora-messaging
 
 - name: Install the configuration file for fedora-messaging
 ansible.builtin.template:
- src=fedora-messaging.toml
- dest=/etc/fedora-messaging/config.toml
+ src: fedora-messaging.toml
+ dest: /etc/fedora-messaging/config.toml
+ mode: "0644"
 tags:
 - pagure
 - fedora-messaging
 
 - name: Create folder where we'll place the certs
- ansible.builtin.file: path=/etc/pki/rabbitmq/pagurecert/ owner=root group=root mode=0755 state=directory
+ ansible.builtin.file:
+ path: /etc/pki/rabbitmq/pagurecert/
+ owner: root
+ group: root
+ mode: "0755"
+ state: directory
 tags:
 - pagure
 - fedora-messaging
 
 - name: Deploy pagure/rabbitmq certificate
- ansible.builtin.copy: src={{ item.src }}
- dest=/etc/pki/rabbitmq/pagurecert/{{ item.dest }}
- owner={{ item.owner }} group={{ item.group}} mode={{ item.mode }}
+ ansible.builtin.copy:
+ src: "{{ item.src }}"
+ dest: "/etc/pki/rabbitmq/pagurecert/{{ item.dest }}"
+ owner: "{{ item.owner }}"
+ group: "{{ item.group }}"
+ mode: "{{ item.mode }}"
 with_items:
- - src: "{{private}}/files/rabbitmq/{{env}}/pki/issued/pagure{{ env_suffix }}.crt"
+ - src: "{{ private }}/files/rabbitmq/{{ env }}/pki/issued/pagure{{ env_suffix }}.crt"
 dest: src.fp.o.crt
 owner: pagure
 group: packager
 mode: "444"
- - src: "{{private}}/files/rabbitmq/{{env}}/pki/private/pagure{{ env_suffix }}.key"
+ - src: "{{ private }}/files/rabbitmq/{{ env }}/pki/private/pagure{{ env_suffix }}.key"
 dest: src.fp.o.key
 owner: pagure
 group: packager
 mode: "440"
- - src: "{{private}}/files/rabbitmq/{{env}}/ca-combined.crt"
+ - src: "{{ private }}/files/rabbitmq/{{ env }}/ca-combined.crt"
 dest: src.fp.o.ca
 owner: pagure
 group: packager
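Review bot: The RabbitMQ client key (`pagure{{ env_suffix }}.key`, installed as `src.fp.o.key`) is written with `owner: pagure`, `group: packager`, `mode: "440"`, so every account in `packager` — which the earlier hunks also make the group of the `git` user — can read the broker credential, while only the `pagure` service needs it. Unless something running in the `packager` group actually consumes the key, `mode: "0400"` (or a dedicated group for the certificate directory) is the least-privilege setting; the line is context here, the commit only re-spaces the `src` expressions. The `with_items` list continues past the end of the hunk.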
@@ -336,7 +393,10 @@
 # Ensure all the services are up and running
 
 - name: Start and enable httpd, postfix, pagure_milter
- service: name={{ item }} enabled=yes state=started
+ ansible.builtin.service:
+ name: "{{ item }}"
+ enabled: yes
+ state: started
 with_items:
 - httpd
 - postfix
@@ -354,16 +414,21 @@
 - postfix
 
 - name: Add SAR script for pagure
- ansible.builtin.copy: src={{ roles_path }}/pagure/files/pagure_sar.py
- dest=/usr/local/bin/pagure_sar.py
- owner=root mode=0700
+ ansible.builtin.copy:
+ src: "{{ roles_path }}/pagure/files/pagure_sar.py"
+ dest: /usr/local/bin/pagure_sar.py
+ owner: root
+ mode: "0700"
 tags:
 - SAR
 - GDPR
 - pagure
 
 - name: Override the default syslog logrotate file
- ansible.builtin.copy: src=syslog-logrotate dest=/etc/logrotate.d/syslog
+ ansible.builtin.copy:
+ src: syslog-logrotate
+ dest: /etc/logrotate.d/syslog
+ mode: "0644"
 tags:
 - pagure
 - logrotate
diff --git a/roles/pagure/tasks/selinux.yml b/roles/pagure/tasks/selinux.yml
index 2e71976e04..2c65e2ffca 100644
--- a/roles/pagure/tasks/selinux.yml
+++ b/roles/pagure/tasks/selinux.yml
@@ -10,13 +10,13 @@
 - selinux
 
 - name: Show the output of distgitcontext
- debug:
+ ansible.builtin.debug:
 var: distgitcontext.stdout
 tags:
 - selinux
 
 - name: Show if we find gitosis_var_lib_t in distgitcontext
- debug:
+ ansible.builtin.debug:
 var: distgitcontext.stdout.find('gitosis_var_lib_t')
 tags:
 - selinux
@@ -24,6 +24,7 @@
 - name: Set the SELinux policy for the distgit root directory
 ansible.builtin.command: semanage fcontext -a -t gitosis_var_lib_t "/srv/git(/.*)?"
 when: distgitcontext.stdout.find('gitosis_var_lib_t') == -1
+ changed_when: false
 tags:
 - config
 - pagure
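Review bot: `changed_when: false` on the `semanage fcontext -a` task is misleading: the task is already gated by `when:` to run only when the context is absent, so whenever it runs it does modify the policy, and reporting ok hides that in the play recap. The same applies to the releases-directory task in the next hunk. `community.general.sefcontext` (`target: "/srv/git(/.*)?"`, `setype: gitosis_var_lib_t`, `state: present`) is idempotent, satisfies `no-changed-when` without misreporting, and would make the `distgitcontext` lookup and the `when:` guard unnecessary; if the command form stays, `changed_when: true` is the accurate value.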
@@ -43,13 +44,14 @@
 - name: Set the SELinux policy for the releases directory
 ansible.builtin.command: semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/releases(/.*)?"
 when: distgitcontext.stdout.find('httpd_sys_rw_content_t') == -1
+ changed_when: false
 tags:
 - config
 - pagure
 - selinux
 
 - name: Install the pagure SELinux policy
- include_role:
+ ansible.builtin.include_role:
 name: selinux/module
 vars:
 policy_file: files/selinux/pagure.te
@@ -60,45 +62,50 @@
 - pagure
 
 - name: Set sebooleans so pagure can talk to the network (db + redis)
- seboolean: name=httpd_can_network_connect
- state=true
- persistent=true
+ ansible.posix.seboolean:
+ name: httpd_can_network_connect
+ state: true
+ persistent: true
 tags:
 - config
 - selinux
 - pagure
 
 - name: Set sebooleans so apache can send emails
- seboolean: name=httpd_can_sendmail
- state=true
- persistent=true
+ ansible.posix.seboolean:
+ name: httpd_can_sendmail
+ state: true
+ persistent: true
 tags:
 - config
 - selinux
 - pagure
 
 - name: Set sebooleans so pygit2 can read the git repos
- seboolean: name=httpd_execmem
- state=true
- persistent=true
+ ansible.posix.seboolean:
+ name: httpd_execmem
+ state: true
+ persistent: true
 tags:
 - config
 - selinux
 - pagure
 
 - name: Set sebooleans so ssh can retrieve access info from apache
- seboolean: name=nis_enabled
- state=true
- persistent=true
+ ansible.posix.seboolean:
+ name: nis_enabled
+ state: true
+ persistent: true
 tags:
 - config
 - selinux
 - pagure
 
 - name: Set sebooleans so allow nagios/nrpe to call sudo from NRPE utils scripts
- seboolean: name=nagios_run_sudo
- state=true
- persistent=true
+ ansible.posix.seboolean:
+ name: nagios_run_sudo
+ state: true
+ persistent: true
 tags:
 - config
 - selinux