8c5ec566
Commit
8c5ec566
authored
Feb 14, 2021
by
Sven-Hendrik Haase
Merge branch 'fix-linting' into 'master'
Fix linting (ansible-lint v5.0.0) See merge request
!305
parents
230cc79a
4112bdf9
.ansible-lint
exclude_paths:
- misc
# FIXME: parser-error: couldn't resolve module/action 'hosts'. This often indicates a misspelling, missing collection, or incorrect module path.
- playbooks/tasks
skip_list:
# Ignore lines longer than 160 chars
- '204'
# line too long (x > 80 characters) (line-length)
- 'line-length'
# yaml: too many spaces inside braces (braces)
- 'braces'
# Do not recommend running tasks as handlers
- '
503
'
- '
no-handler
'
# Do not force galaxy info in meta/main.yml
- '
701
'
- '
meta-no-info
'
# Allow package versions to be specified as 'latest'
- '
403
'
- '
package-latest
'
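Review bot: `exclude_paths` drops the whole `playbooks/tasks` directory from linting to work around the parser error recorded in the FIXME, so every task file in it — including the vault re-encryption playbook that group_vars/all/root_access.yml points operators at — now gets no lint coverage at all. Narrowing the entry to the one file that fails to parse, or excluding it per file the way the CI job already does for `vault_*`, would keep the rest covered; a follow-up issue referenced from the FIXME would stop the exclusion from quietly becoming permanent. The `skip_list` also carries each rule twice (numeric id and v5 name), presumably for the v4→v5 transition; a comment such as `# numeric ids kept until every runner is on ansible-lint >= 5` would record when the duplicates can be dropped.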
.gitlab-ci.yml
image
:
"
archlinux:latest"
before_script
:
-
pacman -Syu --needed --noconfirm ansible-lint terraform
-
pacman -Syu --needed --noconfirm ansible-lint
yamllint
terraform
ansible-lint
:
script
:
# Fix weird ansible bug: https://github.com/trailofbits/algo/issues/1637
# This probably happens due to gitlab-runner mounting the git repo into the container
-
chmod o-w .
-
ansible-lint
# Fix syntax-check rule (https://github.com/ansible-community/ansible-lint/issues/1350#issuecomment-778764110)
-
sed "s/,hcloud_inventory.py//" -i ansible.cfg
-
sed "/^vault_password_file/d" -i ansible.cfg
# Fix load-failure: Failed to load or parse file
-
ansible-lint $(printf -- "--exclude %s " */*/vault_*)
terraform-validate
:
script
:
...
...
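Review bot: The lint job installs ansible-lint from `archlinux:latest` with `pacman -Syu`, so it runs whatever version the repository ships on the day of the pipeline even though this commit is specifically adapting the rules to v5.0.0; a later release can turn the job red, or silently change which rules fire, with no change to this repo. Pinning the image to a dated tag, or adding `ansible-lint --version` as the first script step so the log shows what actually ran, would make results reproducible. `yamllint` is added to the `before_script` package list but is not invoked anywhere in the visible part of the section (the terraform-validate script is elided), so either a `yamllint .` step is missing or the install can go. The two `sed -i` lines alter ansible.cfg only inside the runner, which is fine, but a one-line comment such as `# lint-only edits: drop the dynamic inventory and the vault password file that do not exist in CI` would spare the next reader from checking whether they affect deployments.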
group_vars/all/archusers.yml
...
...
@@ -222,7 +222,7 @@ arch_users:
ssh_key
:
foxxx0.pub
shell
:
/bin/zsh
groups
:
-
tu
-
tu
fukawi2
:
name
:
"
Phillip
Smith"
ssh_key
:
fukawi2.pub
...
...
group_vars/all/root_access.yml
...
...
@@ -24,10 +24,10 @@ root_ssh_keys:
# run playbook 'playbooks/tasks/reencrypt-vault-key.yml' when this changes
# before running it, make sure to gpg --lsign-key all of the below keys
root_gpgkeys
:
-
86CFFCA918CF3AF47147588051E8B148A9999C34
# foutrelis
-
05C7775A9E8B977407FE08E69D4C5AA15426DA0A
# freswa
-
ECCAC84C1BA08A6CC8E63FBBF22FB1D78A77AEAB
# grazzolini
-
A2FF3A36AAA56654109064AB19802F8B0D70FC30
# heftig
-
E499C79F53C96A54E572FEE1C06086337C50773E
# jelle
-
8FC15A064950A99DD1BD14DD39E4B877E62EB915
# svenstaro
-
E240B57E2C4630BA768E2F26FC1B547C8D8172C8
# anthraxx
-
86CFFCA918CF3AF47147588051E8B148A9999C34
# foutrelis
-
05C7775A9E8B977407FE08E69D4C5AA15426DA0A
# freswa
-
ECCAC84C1BA08A6CC8E63FBBF22FB1D78A77AEAB
# grazzolini
-
A2FF3A36AAA56654109064AB19802F8B0D70FC30
# heftig
-
E499C79F53C96A54E572FEE1C06086337C50773E
# jelle
-
8FC15A064950A99DD1BD14DD39E4B877E62EB915
# svenstaro
-
E240B57E2C4630BA768E2F26FC1B547C8D8172C8
# anthraxx
one-shots/keycloak-importer/archusers.yml
...
...
@@ -295,194 +295,194 @@ arch_users:
-
devops
-
tu
-
multilib
# jgc:
# name: "Jan de Groot"
# ssh_key: jgc.pub
# groups:
# - dev
# - multilib
# - tu
# jleclanche:
# name: "Jerome Leclanche"
# ssh_key: jleclanche.pub
# shell: /bin/zsh
# groups:
# - tu
# jlichtblau:
# name: "Jaroslav Lichtblau"
# ssh_key: jlichtblau.pub
# groups:
# - tu
# jouke:
# name: "Jouke Witteveen"
# ssh_key: jouke.pub
# groups:
# - ""
# jsteel:
# name: "Jonathan Steel"
# ssh_key: jsteel.pub
# groups:
# - tu
# juergen:
# name: "Jürgen Hötzel"
# ssh_key: juergen.pub
# groups:
# - dev
# - multilib
# - tu
# kgizdov:
# name: "Konstantin Gizdov"
# ssh_key: kgizdov.pub
# groups:
# - tu
# kkeen:
# name: "Kyle Keen"
# ssh_key: kkeen.pub
# groups:
# - tu
# - multilib
# lcarlier:
# name: "Laurent Carlier"
# ssh_key: lcarlier.pub
# groups:
# - dev
# - tu
# - multilib
# lfleischer:
# name: "Lukas Fleischer"
# ssh_key: lfleischer.pub
# shell: /bin/zsh
# groups:
# - dev
# - tu
# - multilib
# maximbaz:
# name: "Maxim Baz"
# ssh_key: maximbaz.pub
# groups:
# - tu
# mtorromeo:
# name: "Massimiliano Torromeo"
# ssh_key: mtorromeo.pub
# groups:
# - tu
# muflone:
# name: "Fabio Castelli"
# ssh_key: muflone.pub
# groups:
# - tu
# nicohood:
# name: "NicoHood"
# ssh_key: nicohood.pub
# groups:
# - tu
# pierre:
# name: "Pierre Schmitz"
# ssh_key: pierre.pub
# groups:
# - dev
# - multilib
# - tu
# polyzen:
# name: "Daniel M. Capella"
# ssh_key: polyzen.pub
# groups:
# - tu
# remy:
# name: "Rémy Oudompheng"
# ssh_key: remy.pub
# groups:
# - dev
# - tu
# ronald:
# name: "Ronald van Haren"
# ssh_key: ronald.pub
# groups:
# - dev
# - tu
# sangy:
# name: "Santiago Torres-Arias"
# ssh_key: sangy.pub
# groups:
# - tu
# - docker-image-sudo
# schuay:
# name: "Jakob Gruber"
# ssh_key: schuay.pub
# groups:
# - tu
# - multilib
# scimmia:
# name: "Doug Newgard"
# ssh_key: scimmia.pub
# groups: []
# morganamilo:
# name: "Morgan Adamiec"
# ssh_key: morganamilo.pub
# groups: []
# seblu:
# name: "Sébastien Luttringer"
# ssh_key: seblu.pub
# shell: /bin/zsh
# groups:
# - dev
# - tu
# - multilib
# shibumi:
# name: "Christian Rebischke"
# ssh_key: shibumi.pub
# shell: /bin/zsh
# groups:
# - tu
# - archboxes-sudo
# kpcyrd:
# name: "Kpcyrd"
# ssh_key: kpcyrd.pub
# groups:
# - tu
# spupykin:
# name: "Sergej Pupykin"
# ssh_key: spupykin.pub
# groups:
# - tu
# - multilib
# svenstaro:
# name: "Sven-Hendrik Haase"
# ssh_key: svenstaro.pub
# groups:
# - dev
# - devops
# - tu
# - multilib
# tensor5:
# name: "Nicola Squartini"
# ssh_key: tensor5.pub
# groups:
# - tu
# tpowa:
# name: "Tobias Powalowski"
# ssh_key: tpowa.pub
# groups:
# - dev
# - multilib
# - tu
# wild:
# name: "Dan Printzell"
# ssh_key: wild.pub
# groups:
# - tu
# xyne:
# name: "Xyne"
# ssh_key: xyne.pub
# groups:
# - tu
# yan12125:
# name: "Chih-Hsuan Yen"
# ssh_key: yan12125.pub
# groups:
# - tu
# zorun:
# name: "Baptiste Jonglez"
# ssh_key: zorun.pub
# groups:
# - tu
# jgc:
# name: "Jan de Groot"
# ssh_key: jgc.pub
# groups:
# - dev
# - multilib
# - tu
# jleclanche:
# name: "Jerome Leclanche"
# ssh_key: jleclanche.pub
# shell: /bin/zsh
# groups:
# - tu
# jlichtblau:
# name: "Jaroslav Lichtblau"
# ssh_key: jlichtblau.pub
# groups:
# - tu
# jouke:
# name: "Jouke Witteveen"
# ssh_key: jouke.pub
# groups:
# - ""
# jsteel:
# name: "Jonathan Steel"
# ssh_key: jsteel.pub
# groups:
# - tu
# juergen:
# name: "Jürgen Hötzel"
# ssh_key: juergen.pub
# groups:
# - dev
# - multilib
# - tu
# kgizdov:
# name: "Konstantin Gizdov"
# ssh_key: kgizdov.pub
# groups:
# - tu
# kkeen:
# name: "Kyle Keen"
# ssh_key: kkeen.pub
# groups:
# - tu
# - multilib
# lcarlier:
# name: "Laurent Carlier"
# ssh_key: lcarlier.pub
# groups:
# - dev
# - tu
# - multilib
# lfleischer:
# name: "Lukas Fleischer"
# ssh_key: lfleischer.pub
# shell: /bin/zsh
# groups:
# - dev
# - tu
# - multilib
# maximbaz:
# name: "Maxim Baz"
# ssh_key: maximbaz.pub
# groups:
# - tu
# mtorromeo:
# name: "Massimiliano Torromeo"
# ssh_key: mtorromeo.pub
# groups:
# - tu
# muflone:
# name: "Fabio Castelli"
# ssh_key: muflone.pub
# groups:
# - tu
# nicohood:
# name: "NicoHood"
# ssh_key: nicohood.pub
# groups:
# - tu
# pierre:
# name: "Pierre Schmitz"
# ssh_key: pierre.pub
# groups:
# - dev
# - multilib
# - tu
# polyzen:
# name: "Daniel M. Capella"
# ssh_key: polyzen.pub
# groups:
# - tu
# remy:
# name: "Rémy Oudompheng"
# ssh_key: remy.pub
# groups:
# - dev
# - tu
# ronald:
# name: "Ronald van Haren"
# ssh_key: ronald.pub
# groups:
# - dev
# - tu
# sangy:
# name: "Santiago Torres-Arias"
# ssh_key: sangy.pub
# groups:
# - tu
# - docker-image-sudo
# schuay:
# name: "Jakob Gruber"
# ssh_key: schuay.pub
# groups:
# - tu
# - multilib
# scimmia:
# name: "Doug Newgard"
# ssh_key: scimmia.pub
# groups: []
# morganamilo:
# name: "Morgan Adamiec"
# ssh_key: morganamilo.pub
# groups: []
# seblu:
# name: "Sébastien Luttringer"
# ssh_key: seblu.pub
# shell: /bin/zsh
# groups:
# - dev
# - tu
# - multilib
# shibumi:
# name: "Christian Rebischke"
# ssh_key: shibumi.pub
# shell: /bin/zsh
# groups:
# - tu
# - archboxes-sudo
# kpcyrd:
# name: "Kpcyrd"
# ssh_key: kpcyrd.pub
# groups:
# - tu
# spupykin:
# name: "Sergej Pupykin"
# ssh_key: spupykin.pub
# groups:
# - tu
# - multilib
# svenstaro:
# name: "Sven-Hendrik Haase"
# ssh_key: svenstaro.pub
# groups:
# - dev
# - devops
# - tu
# - multilib
# tensor5:
# name: "Nicola Squartini"
# ssh_key: tensor5.pub
# groups:
# - tu
# tpowa:
# name: "Tobias Powalowski"
# ssh_key: tpowa.pub
# groups:
# - dev
# - multilib
# - tu
# wild:
# name: "Dan Printzell"
# ssh_key: wild.pub
# groups:
# - tu
# xyne:
# name: "Xyne"
# ssh_key: xyne.pub
# groups:
# - tu
# yan12125:
# name: "Chih-Hsuan Yen"
# ssh_key: yan12125.pub
# groups:
# - tu
# zorun:
# name: "Baptiste Jonglez"
# ssh_key: zorun.pub
# groups:
# - tu
playbooks/all-hosts-basic.yml
...
...
@@ -9,7 +9,7 @@
-
{
role
:
firewalld
}
-
{
role
:
unbound
}
# reconfiguring sshd may break the AUR on luna (unchecked)
#- { role: sshd, tags: ['sshd'] }
#
- { role: sshd, tags: ['sshd'] }
-
{
role
:
root_ssh
}
-
{
role
:
borg_client
,
tags
:
[
"
borg"
],
when
:
"
'borg_clients'
in
group_names"
}
-
{
role
:
hardening
}
playbooks/archlinux.org.yml
...
...
@@ -3,18 +3,18 @@
-
name
:
"
prepare
postgres
ssl
hosts
list"
hosts
:
archlinux.org
tasks
:
-
name
:
assign ipv4 addresses to fact postgres_ssl_hosts4
set_fact
:
postgres_ssl_hosts4="{{ [gemini4] + detected_ips }}"
vars
:
gemini4
:
"
{{
hostvars['gemini.archlinux.org']['ipv4_address']
}}/32"
detected_ips
:
"
{{
groups['mirrors']
|
map('extract',
hostvars,
['ipv4_address'])
|
select()
|
map('regex_replace',
'^(.+)$',
'
\\
1/32')
|
list
}}"
tags
:
[
"
postgres"
,
"
firewall"
]
-
name
:
assign ipv6 addresses to fact postgres_ssl_hosts6
set_fact
:
postgres_ssl_hosts6="{{ [gemini6] + detected_ips }}"
vars
:
gemini6
:
"
{{
hostvars['gemini.archlinux.org']['ipv6_address']
}}/128"
detected_ips
:
"
{{
groups['mirrors']
|
map('extract',
hostvars,
['ipv6_address'])
|
select()
|
map('regex_replace',
'^(.+)$',
'
\\
1/128')
|
list
}}"
tags
:
[
"
postgres"
,
"
firewall"
]
-
name
:
assign ipv4 addresses to fact postgres_ssl_hosts4
set_fact
:
postgres_ssl_hosts4="{{ [gemini4] + detected_ips }}"
vars
:
gemini4
:
"
{{
hostvars['gemini.archlinux.org']['ipv4_address']
}}/32"
detected_ips
:
"
{{
groups['mirrors']
|
map('extract',
hostvars,
['ipv4_address'])
|
select()
|
map('regex_replace',
'^(.+)$',
'
\\
1/32')
|
list
}}"
tags
:
[
"
postgres"
,
"
firewall"
]
-
name
:
assign ipv6 addresses to fact postgres_ssl_hosts6
set_fact
:
postgres_ssl_hosts6="{{ [gemini6] + detected_ips }}"
vars
:
gemini6
:
"
{{
hostvars['gemini.archlinux.org']['ipv6_address']
}}/128"
detected_ips
:
"
{{
groups['mirrors']
|
map('extract',
hostvars,
['ipv6_address'])
|
select()
|
map('regex_replace',
'^(.+)$',
'
\\
1/128')
|
list
}}"
tags
:
[
"
postgres"
,
"
firewall"
]
-
name
:
setup archlinux.org
hosts
:
archlinux.org
...
...
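Review bot: Both `set_fact` tasks still pass their argument in free-form `key=value` style (`set_fact: postgres_ssl_hosts4="{{ [gemini4] + detected_ips }}"`) while the surrounding `vars` and `tags` use native YAML mappings; writing it as `set_fact:` with a nested `postgres_ssl_hosts4: "{{ [gemini4] + detected_ips }}"` keeps the play consistent and avoids ansible-lint's free-form-argument warnings, and the same applies to the ipv6 task. Given the `postgres`/`firewall` tags, the resulting facts are presumably consumed as an address allowlist, and the `select()` in `detected_ips` silently drops any mirror whose `ipv4_address`/`ipv6_address` is unset; a comment above each task such as `# mirrors with no recorded address are omitted, not failed on` would make that behaviour deliberate rather than a surprise when a mirror cannot connect.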
playbooks/aur-dev.archlinux.org.yml
...
...
@@ -10,7 +10,7 @@
-
{
role
:
root_ssh
}
-
{
role
:
certbot
}
-
{
role
:
nginx
}
-
{
role
:
mariadb
,
mariadb_query_cache_type
:
'
0'
,
mariadb_innodb_file_per_table
:
T
rue
}
-
{
role
:
mariadb
,
mariadb_query_cache_type
:
'
0'
,
mariadb_innodb_file_per_table
:
t
rue
}
-
{
role
:
sudo
}
-
{
role
:
php_fpm
,
php_extensions
:
[
'
iconv'
,
'
memcached'
,
'
mysqli'
,
'
pdo_mysql'
],
zend_extensions
:
[
'
opcache'
]
}
-
{
role
:
memcached
}
...
...
playbooks/aur.archlinux.org.yml
...
...
@@ -11,7 +11,7 @@
-
{
role
:
prometheus_exporters
}
-
{
role
:
certbot
}
-
{
role
:
nginx
}
-
{
role
:
mariadb
,
mariadb_query_cache_type
:
'
0'
,
mariadb_innodb_file_per_table
:
T
rue
,
mariadb_innodb_buffer_pool_size
:
'
1G'
}
-
{
role
:
mariadb
,
mariadb_query_cache_type
:
'
0'
,
mariadb_innodb_file_per_table
:
t
rue
,
mariadb_innodb_buffer_pool_size
:
'
1G'
}
-
{
role
:
sudo
}
-
{
role
:
php_fpm
,
php_extensions
:
[
'
iconv'
,
'
memcached'
,
'
mysqli'
,
'
pdo_mysql'
],
zend_extensions
:
[
'
opcache'
]
}
-
{
role
:
memcached
}
...
...
playbooks/bbs.archlinux.org.yml
...
...
@@ -10,7 +10,7 @@
-
{
role
:
root_ssh
}
-
{
role
:
certbot
}
-
{
role
:
nginx
}
-
{
role
:
mariadb
,
mariadb_query_cache_type
:
'
0'
,
mariadb_innodb_file_per_table
:
T
rue
}
-
{
role
:
mariadb
,
mariadb_query_cache_type
:
'
0'
,
mariadb_innodb_file_per_table
:
t
rue
}
-
{
role
:
sudo
}
-
{
role
:
php_fpm
,
php_extensions
:
[
'
apcu'
,
'
iconv'
,
'
intl'
,
'
mysqli'
],
zend_extensions
:
[
'
opcache'
]
}
-
{
role
:
fluxbb
}
...
...
playbooks/bugs.archlinux.org.yml
...
...
@@ -10,7 +10,7 @@
-
{
role
:
root_ssh
}
-
{
role
:
certbot
}
-
{
role
:
nginx
}
-
{
role
:
mariadb
,
mariadb_query_cache_type
:
'
0'
,
mariadb_innodb_file_per_table
:
T
rue
}
-
{
role
:
mariadb
,
mariadb_query_cache_type
:
'
0'
,
mariadb_innodb_file_per_table
:
t
rue
}
-
{
role
:
sudo
}
-
{
role
:
php7_fpm
,
php_extensions
:
[
'
mysqli'
],
zend_extensions
:
[
'
opcache'
]
}
-
{
role
:
flyspray
}
...
...
playbooks/gitlab.archlinux.org.yml
...
...
@@ -13,8 +13,7 @@
gitlab_domain
:
"
gitlab.archlinux.org"
,
gitlab_primary_addresses
:
[
'
159.69.41.129'
,
'
[2a01:4f8:c2c:5d2d::1]'
,
'
127.0.0.1'
,
'
[::1]'
],
gitlab_pages_http_addresses
:
[
'
116.203.6.156:80'
,
'
[2a01:4f8:c2c:5d2d::2]:80'
],
gitlab_pages_https_addresses
:
[
'
116.203.6.156:443'
,
'
[2a01:4f8:c2c:5d2d::2]:443'
]
}
gitlab_pages_https_addresses
:
[
'
116.203.6.156:443'
,
'
[2a01:4f8:c2c:5d2d::2]:443'
]}
-
{
role
:
borg_client
,
tags
:
[
"
borg"
]
}
-
{
role
:
prometheus_exporters
}
-
{
role
:
fail2ban
}
playbooks/hetzner_storagebox.yml
...
...
@@ -2,6 +2,6 @@
-
name
:
setup Hetzner storagebox account
hosts
:
u236610.your-storagebox.de
gather_facts
:
F
alse
gather_facts
:
f
alse
roles
:
-
{
role
:
hetzner_storagebox
,
backup_dir
:
"
backup"
,
backup_clients
:
"
{{
groups['borg_clients']
}}"
,
tags
:
[
"
borg"
]
}
playbooks/luna.yml
...
...
@@ -27,7 +27,7 @@
roles
:
-
nginx
-
rspamd
-
{
role
:
mariadb
,
mariadb_query_cache_type
:
'
0'
,
mariadb_innodb_file_per_table
:
T
rue
}
-
{
role
:
mariadb
,
mariadb_query_cache_type
:
'
0'
,
mariadb_innodb_file_per_table
:
t
rue
}
-
{
role
:
prometheus_exporters
}
# luna is hosting mailman lists; this postfix role does not cater to this yet
# TODO: make postfix role handle mailman config?
...
...
playbooks/rsync.net.yml
...
...
@@ -2,6 +2,6 @@
-
name
:
setup rsync.net account
hosts
:
prio.ch-s012.rsync.net
gather_facts
:
F
alse
gather_facts
:
f
alse
roles
:
-
{
role
:
rsync_net
,
backup_dir
:
"
backup"
,
backup_clients
:
"
{{
groups['borg_clients']
}}"
,
tags
:
[
"
borg"
]
}
playbooks/tasks/fetch-borg-keys.yml
...
...
@@ -3,36 +3,36 @@
-
name
:
prepare local storage directory
hosts
:
127.0.0.1
tasks
:
-
name
:
create borg-keys directory
file
:
path="{{ playbook_dir }}/../../borg-keys/" state=directory
# noqa 208
-
name
:
create borg-keys directory
file
:
path="{{ playbook_dir }}/../../borg-keys/" state=directory
# noqa 208
-
name
:
fetch borg keys
hosts
:
borg_clients
tasks
:
-
name
:
fetch borg key
command
:
"
/usr/local/bin/borg
key
export
::
/dev/stdout"
register
:
borg_key
changed_when
:
"
borg_key.rc
==
0"
-
name
:
fetch borg key
command
:
"
/usr/local/bin/borg
key
export
::
/dev/stdout"
register
:
borg_key
changed_when
:
"
borg_key.rc
==
0"
-
name
:
fetch borg offsite key
command
:
"
/usr/local/bin/borg-offsite
key
export
::
/dev/stdout"
register
:
borg_offsite_key
changed_when
:
"
borg_offsite_key.rc
==
0"
-
name
:
fetch borg offsite key
command
:
"
/usr/local/bin/borg-offsite
key
export
::
/dev/stdout"
register
:
borg_offsite_key
changed_when
:
"
borg_offsite_key.rc
==
0"