roles: run ansible-lint --write

This commit is contained in:
Alan Orth 2023-08-23 22:22:51 +03:00
parent 7a9a24ef5d
commit 06416a3b64
Signed by: alanorth
GPG Key ID: 0FB860CC9C45B1B9
11 changed files with 200 additions and 209 deletions


@ -18,7 +18,7 @@
dest: /etc/apt/keyrings/caddy-stable-archive-keyring.key
owner: root
group: root
mode: 0644
mode: "0644"
register: download_caddy_signing_key
when: not caddy_signing_key_stat.stat.exists
tags:
@ -27,7 +27,7 @@
- name: Add Caddy stable repo
ansible.builtin.apt_repository:
repo: 'deb [signed-by=/etc/apt/keyrings/caddy-stable-archive-keyring.key] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main'
repo: deb [signed-by=/etc/apt/keyrings/caddy-stable-archive-keyring.key] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main
filename: caddy-stable
state: present
register: add_caddy_apt_repository
@ -38,9 +38,7 @@
- name: Update apt cache
ansible.builtin.apt: # noqa no-handler
update_cache: true
when:
(download_caddy_signing_key.status_code is defined and download_caddy_signing_key.status_code == 200) or
add_caddy_apt_repository is changed
when: (download_caddy_signing_key.status_code is defined and download_caddy_signing_key.status_code == 200) or add_caddy_apt_repository is changed
tags:
- packages
- caddy
@ -59,7 +57,7 @@
ansible.builtin.template:
src: etc/caddy/Caddyfile.j2
dest: /etc/caddy/Caddyfile
mode: 0755
mode: "0755"
owner: root
group: root
notify:
@ -70,7 +68,7 @@
ansible.builtin.file:
path: /etc/caddy/conf.d
state: directory
mode: 0755
mode: "0755"
owner: root
group: root
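Review bot: `mode: "0755"` on the Caddyfile template in the fourth hunk keeps execute bits on a plain configuration file; only the `/etc/caddy/conf.d` directory in the hunk after it needs 0755. Unless something actually executes the Caddyfile, `mode: "0644"` — the value this commit uses for every other template and copy — is the least-privilege choice. The quoting itself is the right fix, since the unquoted `0755` was ambiguous under YAML 1.1.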


@ -1,10 +1,9 @@
---
- name: Configure vhosts
ansible.builtin.template:
src: etc/caddy/conf.d/vhost.j2
dest: /etc/caddy/conf.d/{{ item.domain_name }}
mode: 0644
mode: "0644"
owner: root
group: root
loop: "{{ nginx_vhosts }}"


@ -1,7 +1,7 @@
---
- name: Remove MariaDB key from apt-key
ansible.builtin.apt_key:
id: 0x177F4010FE56CA3336300305F1656F24C74CD1D8
id: "013577200103762554506315430003013705453362230723150730"
state: absent
tags:
- packages
@ -21,7 +21,7 @@
dest: /etc/apt/keyrings/mariadb_release_signing_key.asc
owner: root
group: root
mode: 0644
mode: "0644"
register: download_mariadb_signing_key
when: not mariadb_signing_key_stat.stat.exists
tags:
@ -30,7 +30,8 @@
- name: Add MariaDB 10.6 repo
ansible.builtin.apt_repository:
repo: 'deb [arch=amd64 signed-by=/etc/apt/keyrings/mariadb_release_signing_key.asc] https://dlm.mariadb.com/repo/mariadb-server/10.6/repo/debian {{ ansible_distribution_release }} main'
repo: deb [arch=amd64 signed-by=/etc/apt/keyrings/mariadb_release_signing_key.asc] https://dlm.mariadb.com/repo/mariadb-server/10.6/repo/debian {{ ansible_distribution_release
}} main
filename: mariadb
state: present
register: add_mariadb_apt_repository
@ -41,16 +42,14 @@
- name: Update apt cache
ansible.builtin.apt: # noqa no-handler
update_cache: true
when:
(download_mariadb_signing_key.status_code is defined and download_mariadb_signing_key.status_code == 200) or
add_mariadb_apt_repository is changed
when: (download_mariadb_signing_key.status_code is defined and download_mariadb_signing_key.status_code == 200) or add_mariadb_apt_repository is changed
tags:
- packages
- mariadb
- name: Install mariadb-server
ansible.builtin.apt:
name: ['mariadb-server', 'python3-pymysql']
name: [mariadb-server, python3-pymysql]
state: present
cache_valid_time: 3600
tags: mariadb, packages
@ -61,7 +60,7 @@
dest: /etc/mysql/my.cnf
owner: root
group: root
mode: 0644
mode: "0644"
notify:
- restart mariadb
tags: mariadb
@ -83,7 +82,7 @@
src: .my.cnf.j2
dest: /root/.my.cnf
owner: root
mode: 0600
mode: "0600"
tags: mariadb
# See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html
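Review bot: The apt_key `id` on the new side of the first hunk is no longer the key fingerprint: `"013577200103762554506315430003013705453362230723150730"` is the octal rendering of the integer that `0x177F4010FE56CA3336300305F1656F24C74CD1D8` resolves to under YAML 1.1, so `state: absent` would most likely look for a key that does not exist and report ok without removing the old apt-key entry. The unquoted `0x…` form was probably already being read as an integer before this commit, so the lint rewrite exposed rather than introduced the problem; the fix is to quote the hex fingerprint, `id: "177F4010FE56CA3336300305F1656F24C74CD1D8"`. The same rewrite happened to the nginx signing key in the nginx role below, where `0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62` became `"053473772654754373614404074646527257655730117366337542"` and needs the same treatment. Separately, the `repo:` value in the third hunk is now a plain multi-line scalar split inside `{{ ansible_distribution_release }}`; YAML folds the break to a single space so it still renders, but keeping it as one quoted line is less fragile.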


@ -14,11 +14,11 @@ nginx_ssl_session_cache: shared:SSL:10m
# 1400 bytes to fit in one MTU (default is 16k!)
nginx_ssl_buffer_size: 1400
nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
nginx_ssl_protocols: 'TLSv1.2 TLSv1.3'
nginx_ssl_protocols: TLSv1.2 TLSv1.3
# DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]'
nginx_ssl_stapling_resolver: 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]
# HTTP Strict-Transport-Security header, recommended by Google to be ~1 year
# in seconds, see: https://hstspreload.org/
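Review bot: `nginx_ssl_stapling_resolver` on the new side is a plain scalar that only stays a string because `[2606:4700:4700::1111]` is not at the start of the value; reordering the resolvers to put an IPv6 address first would make YAML read a flow sequence and most likely fail to parse. Keeping the quotes, `nginx_ssl_stapling_resolver: "1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]"`, makes the intent explicit and survives such edits. `nginx_ssl_protocols` has no YAML indicators, so dropping its quotes is harmless.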


@ -1,5 +1,4 @@
---
# Use acme.sh instead of certbot because they only support installation via
# snap now.
- block:
@ -25,7 +24,7 @@
ansible.builtin.get_url:
url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
dest: "{{ letsencrypt_acme_script_temp }}"
mode: 0700
mode: "0700"
register: acme_download
when: not acme_home.stat.exists
@ -64,7 +63,7 @@
ansible.builtin.template:
src: renew-letsencrypt.service.j2
dest: /etc/systemd/system/renew-letsencrypt.service
mode: 0644
mode: "0644"
owner: root
group: root
@ -72,7 +71,7 @@
ansible.builtin.copy:
src: renew-letsencrypt.timer
dest: /etc/systemd/system/renew-letsencrypt.timer
mode: 0644
mode: "0644"
owner: root
group: root
@ -84,8 +83,8 @@
enabled: true
daemon_reload: true
when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '=='))
or (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '>='))
when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version
is version('11', '>='))
tags: letsencrypt
# vim: set ts=2 sw=2:
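Review bot: The acme.sh download in the second hunk fetches `master` from GitHub with no `checksum:` on `ansible.builtin.get_url`, and the `mode: "0700"` this commit quotes suggests the file is executed afterwards, so whatever is at that URL at run time is trusted without verification. Pinning `url:` to a release tag and adding `checksum: "sha256:<expected digest>"` would make the install reproducible and detect a changed upstream file. The block containing this task starts and ends outside the hunk.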


@ -1,7 +1,7 @@
---
- name: Remove nginx apt signing key from apt-key
ansible.builtin.apt_key:
id: 0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
id: "053473772654754373614404074646527257655730117366337542"
state: absent
tags:
- packages
@ -21,7 +21,7 @@
dest: /usr/share/keyrings/nginx_signing.key
owner: root
group: root
mode: 0644
mode: "0644"
register: download_nginx_signing_key
when: not nginx_signing_key_stat.stat.exists
tags:
@ -34,7 +34,7 @@
dest: /etc/apt/sources.list.d/nginx_org_sources.list
owner: root
group: root
mode: 0644
mode: "0644"
register: add_nginx_apt_repository
tags:
- nginx
@ -43,9 +43,7 @@
- name: Update apt cache
ansible.builtin.apt: # noqa no-handler
update_cache: true
when:
(download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or
add_nginx_apt_repository is changed
when: (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or add_nginx_apt_repository is changed
- name: Install nginx
ansible.builtin.apt:
@ -60,7 +58,7 @@
ansible.builtin.template:
src: nginx.conf.j2
dest: /etc/nginx/nginx.conf
mode: 0644
mode: "0644"
owner: root
group: root
notify:
@ -70,8 +68,8 @@
- name: Copy extra nginx configs
ansible.builtin.copy:
src: "{{ item }}"
dest: "/etc/nginx/{{ item }}"
mode: 0644
dest: /etc/nginx/{{ item }}
mode: "0644"
owner: root
group: root
loop:
@ -93,7 +91,7 @@
state: directory
owner: nginx
group: nginx
mode: 0755
mode: "0755"
tags: nginx
- name: Configure nginx virtual hosts
@ -110,7 +108,7 @@
ansible.builtin.template:
src: blank-vhost.conf.j2
dest: "{{ nginx_confd_path }}/blank-vhost.conf"
mode: 0644
mode: "0644"
owner: root
group: root
notify:
@ -121,7 +119,7 @@
ansible.builtin.copy:
src: munin.conf
dest: /etc/nginx/conf.d/munin.conf
mode: 0644
mode: "0644"
owner: root
group: root
notify:


@ -1,5 +1,4 @@
---
- block:
- name: Configure https vhosts
ansible.builtin.template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root
@ -8,7 +7,8 @@
- reload nginx
- name: Generate self-signed TLS cert
ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key
-out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
notify:
- reload nginx
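Review bot: The openssl command in the second hunk is now a plain scalar broken across two lines in the middle of its argument list; YAML folds the break to a single space so the command itself is unchanged, but it reads as if `-out …` were a separate item and a later re-indent could change the parse. The trailing `creates=` is also a module argument hidden inside the free-form string, where ansible-lint cannot check it. Writing the command as a `>-` folded `cmd:` with `creates:` as a proper argument keeps the line length down without the ambiguity.

```yaml
- name: Generate self-signed TLS cert
  ansible.builtin.command:
    cmd: >-
      openssl req -x509 -nodes -sha256 -days 365
      -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil"
      -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key
      -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca
    creates: /etc/ssl/certs/nginx-snakeoil.crt
  # … unchanged: notify …
```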


@ -1,8 +1,8 @@
---
- block:
- name: Install WordPress
ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version }} depth=1 force=true
ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version
}} depth=1 force=true
when:
- item.has_wordpress is defined
- item.has_wordpress
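Review bot: The wrapped `ansible.builtin.git` line in this hunk splits the plain scalar inside `{{ item.wordpress_version }}`; YAML joins the two lines with a space so the rendered string is the same, but a Jinja expression spanning a line break is easy to misread and easy to break on the next edit. The `key=value` free-form string is what forced the wrap, so converting the arguments to a mapping removes both the long line and the ambiguity, and lets the module arguments be validated. The task's `when:` continues past the hunk.

```yaml
- name: Install WordPress
  ansible.builtin.git:
    repo: https://github.com/WordPress/WordPress.git
    dest: "{{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress"
    version: "{{ item.wordpress_version }}"
    depth: 1
    force: true
  # … unchanged: when / loop …
```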


@ -1,5 +1,4 @@
---
- block:
- name: Set php-fpm packages
ansible.builtin.set_fact:
@ -24,7 +23,7 @@
dest: /etc/php/8.2/fpm/pool.d/{{ item.domain_name }}.conf
owner: root
group: root
mode: 0644
mode: "0644"
loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: reload php8.2-fpm
@ -42,7 +41,7 @@
dest: /etc/php/8.2/fpm/php.ini
owner: root
group: root
mode: 0644
mode: "0644"
notify: reload php8.2-fpm
tags: php-fpm


@ -1,5 +1,4 @@
---
- block:
- name: Set php-fpm packages
ansible.builtin.set_fact:


@ -11,13 +11,13 @@
- name: Check if any vhost needs WordPress
ansible.builtin.set_fact:
install_php: true
when: "nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0"
when: nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0
# Legacy, was only for Piwik, but leaving for now.
- name: Check if any vhost needs PHP
ansible.builtin.set_fact:
install_php: true
when: "nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0"
when: nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0
# If install_php has not been set, then we assume no vhosts need PHP. This is
# a bit hacky, but it's the closest we come to an if/then/else.
@ -31,7 +31,7 @@
when:
- ansible_distribution == 'Ubuntu'
- ansible_distribution_version is version('20.04', '==')
- install_php == true
- install_php
tags: php-fpm
- name: Configure php-fpm on Debian 11
@ -39,7 +39,7 @@
when:
- ansible_distribution == 'Debian'
- ansible_distribution_major_version is version('11', '==')
- install_php == true
- install_php
tags: php-fpm
- name: Configure php-fpm on Debian 12
@ -47,7 +47,7 @@
when:
- ansible_distribution == 'Debian'
- ansible_distribution_major_version is version('12', '==')
- install_php == true
- install_php
tags: php-fpm
# vim: set ts=2 sw=2: