[distgit] Fixing ansible lint errors

This commit is fixing ansible lint errors for distgit role.

It also introduces two new additions to the skip list, as the structure of our
ansible repository doesn't adhere to ansible standards.

The errors that will be now skipped are:
- role-name[path] - we have plenty of roles that have sub-roles inside
  them and we need to access them
- var-naming[no-role-prefix] - variables for roles are not usually
  prefixed correctly in our repository and forcing people to change that
  will introduce more issues than what it solves
Michal Konecny 2025-04-30 11:57:57 +02:00 committed by zlopez
parent 3965fb9a04
commit a0046b5b4b
3 changed files with 167 additions and 93 deletions


@ -64,3 +64,5 @@ kinds:
skip_list: skip_list:
- yaml - yaml
- role-name[path]
- var-naming[no-role-prefix]
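Review bot: Adding `role-name[path]` and `var-naming[no-role-prefix]` to `skip_list` silences both rules for the whole repository, including roles written from now on. ansible-lint's `warn_list` would keep the findings visible without failing the run. That matters most for the prefix rule, because unprefixed role variables share one namespace and can override each other across roles.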


@ -2,7 +2,9 @@
# Configuration for the pagure webapp # Configuration for the pagure webapp
- name: Install needed packages - name: Install needed packages
ansible.builtin.package: name={{ item }} state=present ansible.builtin.package:
name: "{{ item }}"
state: present
with_items: with_items:
- pagure - pagure
- pagure-ev - pagure-ev
@ -20,7 +22,9 @@
- packages - packages
- name: Install needed packages - name: Install needed packages
ansible.builtin.package: name={{ item }} state=present ansible.builtin.package:
name: "{{ item }}"
state: present
with_items: with_items:
- pagure-theme-srcfpo - pagure-theme-srcfpo
tags: tags:
@ -30,7 +34,7 @@
- name: >- - name: >-
Set httpd_can_network_connect flag on and keep it persistent across reboots so apache can talk Set httpd_can_network_connect flag on and keep it persistent across reboots so apache can talk
to redis to redis
seboolean: ansible.posix.seboolean:
name: httpd_can_network_connect name: httpd_can_network_connect
state: yes state: yes
persistent: yes persistent: yes
@ -38,32 +42,43 @@
# Set-up Pagure # Set-up Pagure
- name: Create a group pagure we can use - name: Create a group pagure we can use
group: name=pagure ansible.builtin.group:
name: pagure
tags: tags:
- pagure - pagure
- name: Create an user we can run pagure under - name: Create an user we can run pagure under
user: name=pagure group=packager append=yes ansible.builtin.user:
name: pagure
group: packager
append: yes
tags: tags:
- pagure - pagure
- name: Create the "git" user - name: Create the "git" user
ansible.builtin.command: useradd --create-home --home-dir=/srv/git/ git ansible.builtin.command:
creates=/srv/git/ cmd: useradd --create-home --home-dir=/srv/git/ git
creates: /srv/git/
when: env == 'staging' when: env == 'staging'
tags: tags:
- pagure - pagure
- name: Add the git user to the packager group - name: Add the git user to the packager group
user: name=git group=packager append=yes ansible.builtin.user:
name: git
group: packager
append: yes
when: env == 'staging' when: env == 'staging'
tags: tags:
- pagure - pagure
- name: Create the /var/log/pagure folder where to store the logs - name: Create the /var/log/pagure folder where to store the logs
ansible.builtin.file: state=directory ansible.builtin.file:
path=/var/log/pagure state: directory
owner=pagure group=packager mode=u+rwx,g+rwxs,o+rx path: /var/log/pagure
owner: pagure
group: packager
mode: u+rwx,g+rwxs,o+rx
tags: tags:
- pagure - pagure
- hotfix - hotfix
@ -81,16 +96,22 @@
- fix_log - fix_log
- name: Create the /srv/tmp folder where to clone repos - name: Create the /srv/tmp folder where to clone repos
ansible.builtin.file: state=directory ansible.builtin.file:
path=/srv/tmp state: directory
owner=pagure group=pagure mode=0775 path: /srv/tmp
owner: pagure
group: pagure
mode: "0775"
tags: tags:
- pagure - pagure
- name: Copy sundry pagure configuration - name: Copy sundry pagure configuration
ansible.builtin.template: src={{ item.file }} ansible.builtin.template:
dest={{ item.location }}/{{ item.file }} src: "{{ item.file }}"
owner=pagure group=postfix mode=0640 dest: "{{ item.location }}/{{ item.file }}"
owner: pagure
group: postfix
mode: "0640"
with_items: with_items:
- file: pagure.cfg - file: pagure.cfg
location: /etc/pagure location: /etc/pagure
@ -108,9 +129,12 @@
- Restart apache - Restart apache
- name: Pagure configuration for the hooks - name: Pagure configuration for the hooks
ansible.builtin.template: src={{ item.file }} ansible.builtin.template:
dest={{ item.location }}/{{ item.file }} src: "{{ item.file }}"
owner=pagure group=packager mode=0640 dest: "{{ item.location }}/{{ item.file }}"
owner: pagure
group: packager
mode: "0640"
with_items: with_items:
- file: pagure_hook.cfg - file: pagure_hook.cfg
location: /etc/pagure location: /etc/pagure
@ -131,9 +155,12 @@
- pagure - pagure
- name: Create all the directories where we store the git repos - name: Create all the directories where we store the git repos
ansible.builtin.file: state=directory ansible.builtin.file:
path={{ item }} state: directory
owner=root group=packager mode=2775 path: "{{ item }}"
owner: root
group: packager
mode: "2775"
with_items: with_items:
- /srv/git/repositories/ - /srv/git/repositories/
- /srv/git/repositories/forks - /srv/git/repositories/forks
@ -144,9 +171,12 @@
- pagure - pagure
- name: Create the remotes folder so pagure can clone remote repos - name: Create the remotes folder so pagure can clone remote repos
ansible.builtin.file: state=directory ansible.builtin.file:
path={{ item }} state: directory
owner=root group=packager mode=2775 path: "{{ item }}"
owner: root
group: packager
mode: "2775"
with_items: with_items:
- /srv/git/remotes - /srv/git/remotes
tags: tags:
@ -155,7 +185,7 @@
# On RHEL 8.8 and newer, git operations fail because of dubious ownership. This should fix it. # On RHEL 8.8 and newer, git operations fail because of dubious ownership. This should fix it.
- name: Configure git directories as safe - name: Configure git directories as safe
git_config: community.general.git_config:
name: safe.directory name: safe.directory
scope: system scope: system
value: "*" value: "*"
@ -163,8 +193,12 @@
- pagure - pagure
- name: Install the apache configuration file - name: Install the apache configuration file
ansible.builtin.template: src={{ item }} dest=/etc/httpd/conf.d/{{ item }} ansible.builtin.template:
owner=root group=root mode=0644 src: "{{ item }}"
dest: "/etc/httpd/conf.d/{{ item }}"
owner: root
group: root
mode: "0644"
with_items: with_items:
- z_pagure.conf - z_pagure.conf
tags: tags:
@ -175,9 +209,12 @@
- Restart apache - Restart apache
- name: Install the wsgi file - name: Install the wsgi file
ansible.builtin.template: src={{ item }} ansible.builtin.template:
dest=/var/www/{{ item }} src: "{{ item }}"
owner=pagure group=pagure mode=0644 dest: "/var/www/{{ item }}"
owner: pagure
group: pagure
mode: "0644"
with_items: with_items:
- pagure.wsgi - pagure.wsgi
tags: tags:
@ -188,27 +225,25 @@
- Restart apache - Restart apache
- name: Add default facl so apache can read git repos - name: Add default facl so apache can read git repos
acl: default=yes etype=user entity=apache permissions="rx" name=/srv/git state=present ansible.posix.acl:
default: yes
etype: user
entity: apache
permissions: "rx"
name: /srv/git
state: present
recursive: yes
register: acl_updates register: acl_updates
tags: tags:
- pagure - pagure
- name: Manually fix current default ACLs since Ansible doesnt know recursive acls
when: acl_updates.changed
ansible.builtin.command: /usr/bin/setfacl -Rdm user:apache:rx /srv/git
tags:
- pagure
- name: Manually fix current ACLs since Ansible doesnt know recursive acls
when: acl_updates.changed
ansible.builtin.command: /usr/bin/setfacl -Rm user:apache:rx /srv/git
tags:
- pagure
- name: Override the default pagure_worker.service file to change the user it is run under - name: Override the default pagure_worker.service file to change the user it is run under
ansible.builtin.copy: src={{ item }}.service ansible.builtin.copy:
dest=/etc/systemd/system/{{ item }}.service src: "{{ item }}.service"
owner=root group=root mode=0755 dest: "/etc/systemd/system/{{ item }}.service"
owner: root
group: root
mode: "0755"
with_items: with_items:
- pagure_ev - pagure_ev
- pagure_logcom - pagure_logcom
@ -219,16 +254,19 @@
tags: tags:
- pagure - pagure
# Configure SELinux in dist-git/pagure - nanme: Configure SELinux in dist-git/pagure
ansible.builtin.import_tasks: selinux.yml
- import_tasks: selinux.yml
tags: tags:
- selinux - selinux
# Cron job to export extras information from the pagure DB # Cron job to export extras information from the pagure DB
- name: Install the apache configuration file for /extras - name: Install the apache configuration file for /extras
ansible.builtin.copy: src={{ item }} dest=/etc/httpd/conf.d/{{ item }} ansible.builtin.copy:
owner=root group=root mode=0644 src: "{{ item }}"
dest: "/etc/httpd/conf.d/{{ item }}"
owner: root
group: root
mode: "0644"
with_items: with_items:
- pagure_cron.conf - pagure_cron.conf
tags: tags:
@ -239,14 +277,17 @@
- Restart apache - Restart apache
- name: Create the /srv/cache/extras folder for the crons - name: Create the /srv/cache/extras folder for the crons
ansible.builtin.file: state=directory ansible.builtin.file:
path=/srv/cache/extras state: directory
owner=apache group=apache mode=0775 path: /srv/cache/extras
owner: apache
group: apache
mode: "0775"
tags: tags:
- pagure - pagure
- name: Configure cron job for a hourly pagure_poc - name: Configure cron job for a hourly pagure_poc
cron: ansible.builtin.cron:
name: pagure-poc name: pagure-poc
user: root user: root
minute: 0 minute: 0
@ -257,7 +298,7 @@
- pagure - pagure
- name: Configure cron job for a hourly pagure_bz - name: Configure cron job for a hourly pagure_bz
cron: ansible.builtin.cron:
name: pagure-poc name: pagure-poc
user: root user: root
minute: 0 minute: 0
@ -268,7 +309,7 @@
- pagure - pagure
- name: Configure cron job for a hourly pagure_owner_alias - name: Configure cron job for a hourly pagure_owner_alias
cron: ansible.builtin.cron:
name: pagure-poc name: pagure-poc
user: root user: root
minute: 0 minute: 0
@ -281,7 +322,9 @@
# setup fedora-messaging # setup fedora-messaging
- name: Install fedora-messaging as a dependency - name: Install fedora-messaging as a dependency
ansible.builtin.package: name={{ item }} state=present ansible.builtin.package:
name: "{{ item }}"
state: present
with_items: with_items:
- fedora-messaging - fedora-messaging
tags: tags:
@ -289,41 +332,55 @@
- fedora-messaging - fedora-messaging
- name: Create the config folder for fedora-messaging - name: Create the config folder for fedora-messaging
ansible.builtin.file: path=/etc/fedora-messaging/ owner=root group=root mode=0755 state=directory ansible.builtin.file:
path: /etc/fedora-messaging/
owner: root
group: root
mode: "0755"
state: directory
tags: tags:
- pagure - pagure
- fedora-messaging - fedora-messaging
- name: Install the configuration file for fedora-messaging - name: Install the configuration file for fedora-messaging
ansible.builtin.template: ansible.builtin.template:
src=fedora-messaging.toml src: fedora-messaging.toml
dest=/etc/fedora-messaging/config.toml dest: /etc/fedora-messaging/config.toml
mode: "0644"
tags: tags:
- pagure - pagure
- fedora-messaging - fedora-messaging
- name: Create folder where we'll place the certs - name: Create folder where we'll place the certs
ansible.builtin.file: path=/etc/pki/rabbitmq/pagurecert/ owner=root group=root mode=0755 state=directory ansible.builtin.file:
path: /etc/pki/rabbitmq/pagurecert/
owner: root
group: root
mode: "0755"
state: directory
tags: tags:
- pagure - pagure
- fedora-messaging - fedora-messaging
- name: Deploy pagure/rabbitmq certificate - name: Deploy pagure/rabbitmq certificate
ansible.builtin.copy: src={{ item.src }} ansible.builtin.copy:
dest=/etc/pki/rabbitmq/pagurecert/{{ item.dest }} src: "{{ item.src }}"
owner={{ item.owner }} group={{ item.group}} mode={{ item.mode }} dest: "/etc/pki/rabbitmq/pagurecert/{{ item.dest }}"
owner: "{{ item.owner }}"
group: "{{ item.group }}"
mode: "{{ item.mode }}"
with_items: with_items:
- src: "{{private}}/files/rabbitmq/{{env}}/pki/issued/pagure{{ env_suffix }}.crt" - src: "{{ private }}/files/rabbitmq/{{ env }}/pki/issued/pagure{{ env_suffix }}.crt"
dest: src.fp.o.crt dest: src.fp.o.crt
owner: pagure owner: pagure
group: packager group: packager
mode: "444" mode: "444"
- src: "{{private}}/files/rabbitmq/{{env}}/pki/private/pagure{{ env_suffix }}.key" - src: "{{ private }}/files/rabbitmq/{{ env }}/pki/private/pagure{{ env_suffix }}.key"
dest: src.fp.o.key dest: src.fp.o.key
owner: pagure owner: pagure
group: packager group: packager
mode: "440" mode: "440"
- src: "{{private}}/files/rabbitmq/{{env}}/ca-combined.crt" - src: "{{ private }}/files/rabbitmq/{{ env }}/ca-combined.crt"
dest: src.fp.o.ca dest: src.fp.o.ca
owner: pagure owner: pagure
group: packager group: packager
@ -336,7 +393,10 @@
# Ensure all the services are up and running # Ensure all the services are up and running
- name: Start and enable httpd, postfix, pagure_milter - name: Start and enable httpd, postfix, pagure_milter
service: name={{ item }} enabled=yes state=started ansible.builtin.service:
name: "{{ item }}"
enabled: yes
state: started
with_items: with_items:
- httpd - httpd
- postfix - postfix
@ -354,16 +414,21 @@
- postfix - postfix
- name: Add SAR script for pagure - name: Add SAR script for pagure
ansible.builtin.copy: src={{ roles_path }}/pagure/files/pagure_sar.py ansible.builtin.copy:
dest=/usr/local/bin/pagure_sar.py src: "{{ roles_path }}/pagure/files/pagure_sar.py"
owner=root mode=0700 dest: /usr/local/bin/pagure_sar.py
owner: root
mode: "0700"
tags: tags:
- SAR - SAR
- GDPR - GDPR
- pagure - pagure
- name: Override the default syslog logrotate file - name: Override the default syslog logrotate file
ansible.builtin.copy: src=syslog-logrotate dest=/etc/logrotate.d/syslog ansible.builtin.copy:
src: syslog-logrotate
dest: /etc/logrotate.d/syslog
mode: "0644"
tags: tags:
- pagure - pagure
- logrotate - logrotate
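Review bot: The task that pulls in selinux.yml is keyed `nanme:` instead of `name:`, at the point where the old comment `# Configure SELinux in dist-git/pagure` was turned into a task. Ansible rejects unknown task keywords, so this file would presumably fail to load and none of the SELinux setup would be applied. It should read `- name: Configure SELinux in dist-git/pagure` followed by `ansible.builtin.import_tasks: selinux.yml`. Separately, the consolidated `ansible.posix.acl` task sets `default: yes` with `recursive: yes`, which covers the removed `setfacl -Rdm` call but, as far as the visible lines show, not the removed `setfacl -Rm` one, so access ACLs on files already under /srv/git may no longer be maintained; a second acl task without `default` would keep the old behaviour. Only some hunks of the file are shown, so neither point can be checked against the rest of the tasks.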


@ -10,13 +10,13 @@
- selinux - selinux
- name: Show the output of distgitcontext - name: Show the output of distgitcontext
debug: ansible.builtin.debug:
var: distgitcontext.stdout var: distgitcontext.stdout
tags: tags:
- selinux - selinux
- name: Show if we find gitosis_var_lib_t in distgitcontext - name: Show if we find gitosis_var_lib_t in distgitcontext
debug: ansible.builtin.debug:
var: distgitcontext.stdout.find('gitosis_var_lib_t') var: distgitcontext.stdout.find('gitosis_var_lib_t')
tags: tags:
- selinux - selinux
@ -24,6 +24,7 @@
- name: Set the SELinux policy for the distgit root directory - name: Set the SELinux policy for the distgit root directory
ansible.builtin.command: semanage fcontext -a -t gitosis_var_lib_t "/srv/git(/.*)?" ansible.builtin.command: semanage fcontext -a -t gitosis_var_lib_t "/srv/git(/.*)?"
when: distgitcontext.stdout.find('gitosis_var_lib_t') == -1 when: distgitcontext.stdout.find('gitosis_var_lib_t') == -1
changed_when: false
tags: tags:
- config - config
- pagure - pagure
@ -43,13 +44,14 @@
- name: Set the SELinux policy for the releases directory - name: Set the SELinux policy for the releases directory
ansible.builtin.command: semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/releases(/.*)?" ansible.builtin.command: semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/releases(/.*)?"
when: distgitcontext.stdout.find('httpd_sys_rw_content_t') == -1 when: distgitcontext.stdout.find('httpd_sys_rw_content_t') == -1
changed_when: false
tags: tags:
- config - config
- pagure - pagure
- selinux - selinux
- name: Install the pagure SELinux policy - name: Install the pagure SELinux policy
include_role: ansible.builtin.include_role:
name: selinux/module name: selinux/module
vars: vars:
policy_file: files/selinux/pagure.te policy_file: files/selinux/pagure.te
@ -60,45 +62,50 @@
- pagure - pagure
- name: Set sebooleans so pagure can talk to the network (db + redis) - name: Set sebooleans so pagure can talk to the network (db + redis)
seboolean: name=httpd_can_network_connect ansible.posix.seboolean:
state=true name: httpd_can_network_connect
persistent=true state: true
persistent: true
tags: tags:
- config - config
- selinux - selinux
- pagure - pagure
- name: Set sebooleans so apache can send emails - name: Set sebooleans so apache can send emails
seboolean: name=httpd_can_sendmail ansible.posix.seboolean:
state=true name: httpd_can_sendmail
persistent=true state: true
persistent: true
tags: tags:
- config - config
- selinux - selinux
- pagure - pagure
- name: Set sebooleans so pygit2 can read the git repos - name: Set sebooleans so pygit2 can read the git repos
seboolean: name=httpd_execmem ansible.posix.seboolean:
state=true name: httpd_execmem
persistent=true state: true
persistent: true
tags: tags:
- config - config
- selinux - selinux
- pagure - pagure
- name: Set sebooleans so ssh can retrieve access info from apache - name: Set sebooleans so ssh can retrieve access info from apache
seboolean: name=nis_enabled ansible.posix.seboolean:
state=true name: nis_enabled
persistent=true state: true
persistent: true
tags: tags:
- config - config
- selinux - selinux
- pagure - pagure
- name: Set sebooleans so allow nagios/nrpe to call sudo from NRPE utils scripts - name: Set sebooleans so allow nagios/nrpe to call sudo from NRPE utils scripts
seboolean: name=nagios_run_sudo ansible.posix.seboolean:
state=true name: nagios_run_sudo
persistent=true state: true
persistent: true
tags: tags:
- config - config
- selinux - selinux
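Review bot: `changed_when: false` on the two `semanage fcontext -a` tasks makes a real SELinux policy change report as "ok", so the run output and any change auditing built on it will not show when a file context was added. Each task is already guarded by a `when: distgitcontext.stdout.find(...) == -1` condition, so it only runs when it is about to change something, and `changed_when: true` would satisfy the lint rule while keeping the report accurate. The `community.general.sefcontext` module would make the task idempotent and remove the need for the `distgitcontext` probe. The task that registers `distgitcontext` is outside the visible hunks.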