Merge branch 'fix-linting' into 'master'

Fix linting (ansible-lint v5.0.0)

See merge request !305

.ansible-lint

 exclude_paths:
   - misc
+  # FIXME: parser-error: couldn't resolve module/action 'hosts'. This often indicates a misspelling, missing collection, or incorrect module path.
+  - playbooks/tasks
 skip_list:
-  # Ignore lines longer than 160 chars
-  - '204'
+  # line too long (x > 80 characters) (line-length)
+  - 'line-length'
+  # yaml: too many spaces inside braces (braces)
+  - 'braces'
   # Do not recommend running tasks as handlers
-  - '503'
+  - 'no-handler'
   # Do not force galaxy info in meta/main.yml
-  - '701'
+  - 'meta-no-info'
   # Allow package versions to be specified as 'latest'
-  - '403'
+  - 'package-latest'

.gitlab-ci.yml

 image: "archlinux:latest"
 
 before_script:
-  - pacman -Syu --needed --noconfirm ansible-lint terraform
+  - pacman -Syu --needed --noconfirm ansible-lint yamllint terraform
 
 ansible-lint:
   script:
     # Fix weird ansible bug: https://github.com/trailofbits/algo/issues/1637
     # This probably happens due to gitlab-runner mounting the git repo into the container
     - chmod o-w .
-    - ansible-lint
+    # Fix syntax-check rule (https://github.com/ansible-community/ansible-lint/issues/1350#issuecomment-778764110)
+    - sed "s/,hcloud_inventory.py//" -i ansible.cfg
+    - sed "/^vault_password_file/d" -i ansible.cfg
+    # Fix load-failure: Failed to load or parse file
+    - ansible-lint $(printf -- "--exclude %s " */*/vault_*)
 
 terraform-validate:
   script:

group_vars/all/archusers.yml

@@ -222,7 +222,7 @@ arch_users:
     ssh_key: foxxx0.pub
     shell: /bin/zsh
     groups:
-       - tu
+      - tu
   fukawi2:
     name: "Phillip Smith"
     ssh_key: fukawi2.pub

group_vars/all/root_access.yml

@@ -24,10 +24,10 @@ root_ssh_keys:
 # run playbook 'playbooks/tasks/reencrypt-vault-key.yml' when this changes
 # before running it, make sure to gpg --lsign-key all of the below keys
 root_gpgkeys:
-  - 86CFFCA918CF3AF47147588051E8B148A9999C34 # foutrelis
-  - 05C7775A9E8B977407FE08E69D4C5AA15426DA0A # freswa
-  - ECCAC84C1BA08A6CC8E63FBBF22FB1D78A77AEAB # grazzolini
-  - A2FF3A36AAA56654109064AB19802F8B0D70FC30 # heftig
-  - E499C79F53C96A54E572FEE1C06086337C50773E # jelle
-  - 8FC15A064950A99DD1BD14DD39E4B877E62EB915 # svenstaro
-  - E240B57E2C4630BA768E2F26FC1B547C8D8172C8 # anthraxx
+  - 86CFFCA918CF3AF47147588051E8B148A9999C34  # foutrelis
+  - 05C7775A9E8B977407FE08E69D4C5AA15426DA0A  # freswa
+  - ECCAC84C1BA08A6CC8E63FBBF22FB1D78A77AEAB  # grazzolini
+  - A2FF3A36AAA56654109064AB19802F8B0D70FC30  # heftig
+  - E499C79F53C96A54E572FEE1C06086337C50773E  # jelle
+  - 8FC15A064950A99DD1BD14DD39E4B877E62EB915  # svenstaro
+  - E240B57E2C4630BA768E2F26FC1B547C8D8172C8  # anthraxx

one-shots/keycloak-importer/archusers.yml

@@ -295,194 +295,194 @@ arch_users:
       - devops
       - tu
       - multilib
-  # jgc:
-  #   name: "Jan de Groot"
-  #   ssh_key: jgc.pub
-  #   groups:
-  #     - dev
-  #     - multilib
-  #     - tu
-  # jleclanche:
-  #   name: "Jerome Leclanche"
-  #   ssh_key: jleclanche.pub
-  #   shell: /bin/zsh
-  #   groups:
-  #     - tu
-  # jlichtblau:
-  #   name: "Jaroslav Lichtblau"
-  #   ssh_key: jlichtblau.pub
-  #   groups:
-  #     - tu
-  # jouke:
-  #   name: "Jouke Witteveen"
-  #   ssh_key: jouke.pub
-  #   groups:
-  #     - ""
-  # jsteel:
-  #   name: "Jonathan Steel"
-  #   ssh_key: jsteel.pub
-  #   groups:
-  #     - tu
-  # juergen:
-  #   name: "Jürgen Hötzel"
-  #   ssh_key: juergen.pub
-  #   groups:
-  #     - dev
-  #     - multilib
-  #     - tu
-  # kgizdov:
-  #   name: "Konstantin Gizdov"
-  #   ssh_key: kgizdov.pub
-  #   groups:
-  #     - tu
-  # kkeen:
-  #   name: "Kyle Keen"
-  #   ssh_key: kkeen.pub
-  #   groups:
-  #     - tu
-  #     - multilib
-  # lcarlier:
-  #   name: "Laurent Carlier"
-  #   ssh_key: lcarlier.pub
-  #   groups:
-  #     - dev
-  #     - tu
-  #     - multilib
-  # lfleischer:
-  #   name: "Lukas Fleischer"
-  #   ssh_key: lfleischer.pub
-  #   shell: /bin/zsh
-  #   groups:
-  #     - dev
-  #     - tu
-  #     - multilib
-  # maximbaz:
-  #   name: "Maxim Baz"
-  #   ssh_key: maximbaz.pub
-  #   groups:
-  #     - tu
-  # mtorromeo:
-  #   name: "Massimiliano Torromeo"
-  #   ssh_key: mtorromeo.pub
-  #   groups:
-  #     - tu
-  # muflone:
-  #   name: "Fabio Castelli"
-  #   ssh_key: muflone.pub
-  #   groups:
-  #     - tu
-  # nicohood:
-  #   name: "NicoHood"
-  #   ssh_key: nicohood.pub
-  #   groups:
-  #     - tu
-  # pierre:
-  #   name: "Pierre Schmitz"
-  #   ssh_key: pierre.pub
-  #   groups:
-  #     - dev
-  #     - multilib
-  #     - tu
-  # polyzen:
-  #   name: "Daniel M. Capella"
-  #   ssh_key: polyzen.pub
-  #   groups:
-  #     - tu
-  # remy:
-  #   name: "Rémy Oudompheng"
-  #   ssh_key: remy.pub
-  #   groups:
-  #     - dev
-  #     - tu
-  # ronald:
-  #   name: "Ronald van Haren"
-  #   ssh_key: ronald.pub
-  #   groups:
-  #     - dev
-  #     - tu
-  # sangy:
-  #   name: "Santiago Torres-Arias"
-  #   ssh_key: sangy.pub
-  #   groups:
-  #     - tu
-  #     - docker-image-sudo
-  # schuay:
-  #   name: "Jakob Gruber"
-  #   ssh_key: schuay.pub
-  #   groups:
-  #     - tu
-  #     - multilib
-  # scimmia:
-  #   name: "Doug Newgard"
-  #   ssh_key: scimmia.pub
-  #   groups: []
-  # morganamilo:
-  #   name: "Morgan Adamiec"
-  #   ssh_key: morganamilo.pub
-  #   groups: []
-  # seblu:
-  #   name: "Sébastien Luttringer"
-  #   ssh_key: seblu.pub
-  #   shell: /bin/zsh
-  #   groups:
-  #     - dev
-  #     - tu
-  #     - multilib
-  # shibumi:
-  #   name: "Christian Rebischke"
-  #   ssh_key: shibumi.pub
-  #   shell: /bin/zsh
-  #   groups:
-  #     - tu
-  #     - archboxes-sudo
-  # kpcyrd:
-  #   name: "Kpcyrd"
-  #   ssh_key: kpcyrd.pub
-  #   groups:
-  #     - tu
-  # spupykin:
-  #   name: "Sergej Pupykin"
-  #   ssh_key: spupykin.pub
-  #   groups:
-  #     - tu
-  #     - multilib
-  # svenstaro:
-  #   name: "Sven-Hendrik Haase"
-  #   ssh_key: svenstaro.pub
-  #   groups:
-  #     - dev
-  #     - devops
-  #     - tu
-  #     - multilib
-  # tensor5:
-  #   name: "Nicola Squartini"
-  #   ssh_key: tensor5.pub
-  #   groups:
-  #     - tu
-  # tpowa:
-  #   name: "Tobias Powalowski"
-  #   ssh_key: tpowa.pub
-  #   groups:
-  #     - dev
-  #     - multilib
-  #     - tu
-  # wild:
-  #   name: "Dan Printzell"
-  #   ssh_key: wild.pub
-  #   groups:
-  #     - tu
-  # xyne:
-  #   name: "Xyne"
-  #   ssh_key: xyne.pub
-  #   groups:
-  #     - tu
-  # yan12125:
-  #   name: "Chih-Hsuan Yen"
-  #   ssh_key: yan12125.pub
-  #   groups:
-  #     - tu
-  # zorun:
-  #   name: "Baptiste Jonglez"
-  #   ssh_key: zorun.pub
-  #   groups:
-  #     - tu
+# jgc:
+#   name: "Jan de Groot"
+#   ssh_key: jgc.pub
+#   groups:
+#     - dev
+#     - multilib
+#     - tu
+# jleclanche:
+#   name: "Jerome Leclanche"
+#   ssh_key: jleclanche.pub
+#   shell: /bin/zsh
+#   groups:
+#     - tu
+# jlichtblau:
+#   name: "Jaroslav Lichtblau"
+#   ssh_key: jlichtblau.pub
+#   groups:
+#     - tu
+# jouke:
+#   name: "Jouke Witteveen"
+#   ssh_key: jouke.pub
+#   groups:
+#     - ""
+# jsteel:
+#   name: "Jonathan Steel"
+#   ssh_key: jsteel.pub
+#   groups:
+#     - tu
+# juergen:
+#   name: "Jürgen Hötzel"
+#   ssh_key: juergen.pub
+#   groups:
+#     - dev
+#     - multilib
+#     - tu
+# kgizdov:
+#   name: "Konstantin Gizdov"
+#   ssh_key: kgizdov.pub
+#   groups:
+#     - tu
+# kkeen:
+#   name: "Kyle Keen"
+#   ssh_key: kkeen.pub
+#   groups:
+#     - tu
+#     - multilib
+# lcarlier:
+#   name: "Laurent Carlier"
+#   ssh_key: lcarlier.pub
+#   groups:
+#     - dev
+#     - tu
+#     - multilib
+# lfleischer:
+#   name: "Lukas Fleischer"
+#   ssh_key: lfleischer.pub
+#   shell: /bin/zsh
+#   groups:
+#     - dev
+#     - tu
+#     - multilib
+# maximbaz:
+#   name: "Maxim Baz"
+#   ssh_key: maximbaz.pub
+#   groups:
+#     - tu
+# mtorromeo:
+#   name: "Massimiliano Torromeo"
+#   ssh_key: mtorromeo.pub
+#   groups:
+#     - tu
+# muflone:
+#   name: "Fabio Castelli"
+#   ssh_key: muflone.pub
+#   groups:
+#     - tu
+# nicohood:
+#   name: "NicoHood"
+#   ssh_key: nicohood.pub
+#   groups:
+#     - tu
+# pierre:
+#   name: "Pierre Schmitz"
+#   ssh_key: pierre.pub
+#   groups:
+#     - dev
+#     - multilib
+#     - tu
+# polyzen:
+#   name: "Daniel M. Capella"
+#   ssh_key: polyzen.pub
+#   groups:
+#     - tu
+# remy:
+#   name: "Rémy Oudompheng"
+#   ssh_key: remy.pub
+#   groups:
+#     - dev
+#     - tu
+# ronald:
+#   name: "Ronald van Haren"
+#   ssh_key: ronald.pub
+#   groups:
+#     - dev
+#     - tu
+# sangy:
+#   name: "Santiago Torres-Arias"
+#   ssh_key: sangy.pub
+#   groups:
+#     - tu
+#     - docker-image-sudo
+# schuay:
+#   name: "Jakob Gruber"
+#   ssh_key: schuay.pub
+#   groups:
+#     - tu
+#     - multilib
+# scimmia:
+#   name: "Doug Newgard"
+#   ssh_key: scimmia.pub
+#   groups: []
+# morganamilo:
+#   name: "Morgan Adamiec"
+#   ssh_key: morganamilo.pub
+#   groups: []
+# seblu:
+#   name: "Sébastien Luttringer"
+#   ssh_key: seblu.pub
+#   shell: /bin/zsh
+#   groups:
+#     - dev
+#     - tu
+#     - multilib
+# shibumi:
+#   name: "Christian Rebischke"
+#   ssh_key: shibumi.pub
+#   shell: /bin/zsh
+#   groups:
+#     - tu
+#     - archboxes-sudo
+# kpcyrd:
+#   name: "Kpcyrd"
+#   ssh_key: kpcyrd.pub
+#   groups:
+#     - tu
+# spupykin:
+#   name: "Sergej Pupykin"
+#   ssh_key: spupykin.pub
+#   groups:
+#     - tu
+#     - multilib
+# svenstaro:
+#   name: "Sven-Hendrik Haase"
+#   ssh_key: svenstaro.pub
+#   groups:
+#     - dev
+#     - devops
+#     - tu
+#     - multilib
+# tensor5:
+#   name: "Nicola Squartini"
+#   ssh_key: tensor5.pub
+#   groups:
+#     - tu
+# tpowa:
+#   name: "Tobias Powalowski"
+#   ssh_key: tpowa.pub
+#   groups:
+#     - dev
+#     - multilib
+#     - tu
+# wild:
+#   name: "Dan Printzell"
+#   ssh_key: wild.pub
+#   groups:
+#     - tu
+# xyne:
+#   name: "Xyne"
+#   ssh_key: xyne.pub
+#   groups:
+#     - tu
+# yan12125:
+#   name: "Chih-Hsuan Yen"
+#   ssh_key: yan12125.pub
+#   groups:
+#     - tu
+# zorun:
+#   name: "Baptiste Jonglez"
+#   ssh_key: zorun.pub
+#   groups:
+#     - tu

playbooks/all-hosts-basic.yml

@@ -9,7 +9,7 @@
     - { role: firewalld }
     - { role: unbound }
     # reconfiguring sshd may break the AUR on luna (unchecked)
-    #- { role: sshd, tags: ['sshd'] }
+    # - { role: sshd, tags: ['sshd'] }
     - { role: root_ssh }
     - { role: borg_client, tags: ["borg"], when: "'borg_clients' in group_names" }
     - { role: hardening }

playbooks/archlinux.org.yml

@@ -3,18 +3,18 @@
 - name: "prepare postgres ssl hosts list"
   hosts: archlinux.org
   tasks:
-      - name: assign ipv4 addresses to fact postgres_ssl_hosts4
-        set_fact: postgres_ssl_hosts4="{{ [gemini4] + detected_ips }}"
-        vars:
-            gemini4: "{{ hostvars['gemini.archlinux.org']['ipv4_address'] }}/32"
-            detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv4_address']) | select() | map('regex_replace', '^(.+)$', '\\1/32') | list }}"
-        tags: ["postgres", "firewall"]
-      - name: assign ipv6 addresses to fact postgres_ssl_hosts6
-        set_fact: postgres_ssl_hosts6="{{ [gemini6] + detected_ips }}"
-        vars:
-            gemini6: "{{ hostvars['gemini.archlinux.org']['ipv6_address'] }}/128"
-            detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv6_address']) | select() | map('regex_replace', '^(.+)$', '\\1/128') | list }}"
-        tags: ["postgres", "firewall"]
+    - name: assign ipv4 addresses to fact postgres_ssl_hosts4
+      set_fact: postgres_ssl_hosts4="{{ [gemini4] + detected_ips }}"
+      vars:
+        gemini4: "{{ hostvars['gemini.archlinux.org']['ipv4_address'] }}/32"
+        detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv4_address']) | select() | map('regex_replace', '^(.+)$', '\\1/32') | list }}"
+      tags: ["postgres", "firewall"]
+    - name: assign ipv6 addresses to fact postgres_ssl_hosts6
+      set_fact: postgres_ssl_hosts6="{{ [gemini6] + detected_ips }}"
+      vars:
+        gemini6: "{{ hostvars['gemini.archlinux.org']['ipv6_address'] }}/128"
+        detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv6_address']) | select() | map('regex_replace', '^(.+)$', '\\1/128') | list }}"
+      tags: ["postgres", "firewall"]
 
 - name: setup archlinux.org
   hosts: archlinux.org

playbooks/aur-dev.archlinux.org.yml

@@ -10,7 +10,7 @@
     - { role: root_ssh }
     - { role: certbot }
     - { role: nginx }
-    - { role: mariadb, mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: True }
+    - { role: mariadb, mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: true }
     - { role: sudo }
     - { role: php_fpm, php_extensions: ['iconv', 'memcached', 'mysqli', 'pdo_mysql'], zend_extensions: ['opcache'] }
     - { role: memcached }

playbooks/aur.archlinux.org.yml

@@ -11,7 +11,7 @@
     - { role: prometheus_exporters }
     - { role: certbot }
     - { role: nginx }
-    - { role: mariadb, mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: True, mariadb_innodb_buffer_pool_size: '1G' }
+    - { role: mariadb, mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: true, mariadb_innodb_buffer_pool_size: '1G' }
     - { role: sudo }
     - { role: php_fpm, php_extensions: ['iconv', 'memcached', 'mysqli', 'pdo_mysql'], zend_extensions: ['opcache'] }
     - { role: memcached }

playbooks/bbs.archlinux.org.yml

@@ -10,7 +10,7 @@
     - { role: root_ssh }
     - { role: certbot }
     - { role: nginx }
-    - { role: mariadb, mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: True }
+    - { role: mariadb, mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: true }
     - { role: sudo }
     - { role: php_fpm, php_extensions: ['apcu', 'iconv', 'intl', 'mysqli'], zend_extensions: ['opcache'] }
     - { role: fluxbb }

playbooks/bugs.archlinux.org.yml

@@ -10,7 +10,7 @@
     - { role: root_ssh }
     - { role: certbot }
     - { role: nginx }
-    - { role: mariadb, mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: True }
+    - { role: mariadb, mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: true }
     - { role: sudo }
     - { role: php7_fpm, php_extensions: ['mysqli'], zend_extensions: ['opcache'] }
     - { role: flyspray }

playbooks/gitlab.archlinux.org.yml

@@ -13,8 +13,7 @@
         gitlab_domain: "gitlab.archlinux.org",
         gitlab_primary_addresses: ['159.69.41.129', '[2a01:4f8:c2c:5d2d::1]', '127.0.0.1', '[::1]'],
         gitlab_pages_http_addresses: ['116.203.6.156:80', '[2a01:4f8:c2c:5d2d::2]:80'],
-        gitlab_pages_https_addresses: ['116.203.6.156:443', '[2a01:4f8:c2c:5d2d::2]:443']
-      }
+        gitlab_pages_https_addresses: ['116.203.6.156:443', '[2a01:4f8:c2c:5d2d::2]:443']}
     - { role: borg_client, tags: ["borg"] }
     - { role: prometheus_exporters }
     - { role: fail2ban }

playbooks/hetzner_storagebox.yml

@@ -2,6 +2,6 @@
 
 - name: setup Hetzner storagebox account
   hosts: u236610.your-storagebox.de
-  gather_facts: False
+  gather_facts: false
   roles:
     - { role: hetzner_storagebox, backup_dir: "backup", backup_clients: "{{ groups['borg_clients'] }}", tags: ["borg"] }

playbooks/luna.yml

@@ -27,7 +27,7 @@
   roles:
     - nginx
     - rspamd
-    - { role: mariadb, mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: True }
+    - { role: mariadb, mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: true }
     - { role: prometheus_exporters }
 # luna is hosting mailman lists; this postfix role does not cater to this yet
 # TODO: make postfix role handle mailman config?

playbooks/rsync.net.yml

@@ -2,6 +2,6 @@
 
 - name: setup rsync.net account
   hosts: prio.ch-s012.rsync.net
-  gather_facts: False
+  gather_facts: false
   roles:
     - { role: rsync_net, backup_dir: "backup", backup_clients: "{{ groups['borg_clients'] }}", tags: ["borg"] }

playbooks/tasks/fetch-borg-keys.yml

@@ -3,36 +3,36 @@
 - name: prepare local storage directory
   hosts: 127.0.0.1
   tasks:
-      - name: create borg-keys directory
-        file: path="{{ playbook_dir }}/../../borg-keys/" state=directory # noqa 208
+    - name: create borg-keys directory
+      file: path="{{ playbook_dir }}/../../borg-keys/" state=directory  # noqa 208
 
 - name: fetch borg keys
   hosts: borg_clients