fix E301 'Commands should not change things if nothing needs doing'

fc769a7b · Frederik Schwan · Sven-Hendrik Haase · 631e8ba0 · fc769a7b · fc769a7b
Verified Commit fc769a7b authored Jun 12, 2020 by Frederik Schwan Committed by Sven-Hendrik Haase Jun 17, 2020
--- a/playbooks/tasks/fetch-borg-keys.yml
+++ b/playbooks/tasks/fetch-borg-keys.yml
@@ -12,10 +12,12 @@
      - name: fetch borg key
        command: "/usr/local/bin/borg key export :: /dev/stdout"
        register: borg_key
+        changed_when: "borg_key.rc == 0"

      - name: fetch borg offsite key
        command: "/usr/local/bin/borg-offsite key export :: /dev/stdout"
        register: borg_offsite_key
+        changed_when: "borg_offsite_key.rc == 0"

      - name: save borg key
        shell: gpg --batch --armor --encrypt --output - >"{{ playbook_dir }}/../../borg-keys/{{ inventory_hostname }}.gpg" {% for userid in root_gpgkeys %}--recipient {{ userid }} {% endfor %}
@@ -23,6 +25,8 @@
            stdin: "{{ borg_key.stdout }}"
            chdir: "{{ playbook_dir }}/../.."
        delegate_to: localhost
+        register: gpg_key
+        changed_when: "gpg_key.rc == 0"

      - name: save borg offsite key
        shell: gpg --batch --armor --encrypt --output - >"{{ playbook_dir }}/../../borg-keys/{{ inventory_hostname }}-offsite.gpg" {% for userid in root_gpgkeys %}--recipient {{ userid }} {% endfor %}
@@ -30,3 +34,5 @@
            stdin: "{{ borg_offsite_key.stdout }}"
            chdir: "{{ playbook_dir }}/../.."
        delegate_to: localhost
+        register: gpg_offsite_key
+        changed_when: "gpg_offsite_key.rc == 0"
--- a/playbooks/tasks/reencrypt-vault-key.yml
+++ b/playbooks/tasks/reencrypt-vault-key.yml
@@ -3,4 +3,5 @@
  hosts: 127.0.0.1
  tasks:
      - name: reencrypt vault key
-        shell: set -o pipefail && gpg --decrypt --batch --quiet "{{playbook_dir}}/../../misc/vault-password.gpg" | gpg --batch --armor --encrypt --output - {% for userid in root_gpgkeys %}--recipient {{userid}} {% endfor %} | sponge "{{playbook_dir}}/../../misc/vault-password.gpg"
+        shell: set -o pipefail && gpg --decrypt --batch --quiet "{{ playbook_dir }}/../../misc/vault-password.gpg" | gpg --batch --armor --encrypt --output - {% for userid in root_gpgkeys %}--recipient {{ userid }} {% endfor %} | sponge "{{ playbook_dir }}/../../misc/vault-password.gpg"
+        changed_when: false
--- a/playbooks/tasks/sync-ssh-hostkeys.yml
+++ b/playbooks/tasks/sync-ssh-hostkeys.yml
@@ -6,9 +6,11 @@
      - name: fetch hostkey checksums
        shell: "for type in sha256 md5; do for file in /etc/ssh/ssh_host_*.pub; do ssh-keygen -l -f $file -E $type; done; echo; done"
        register: ssh_hostkeys
+        changed_when: ssh_hostkeys | length > 0
      - name: fetch known_hosts
        shell: "set -o pipefail && ssh-keyscan 127.0.0.1 2>/dev/null | sed 's#^127.0.0.1#{{ inventory_hostname }}#'"
        register: known_hosts
+        changed_when: known_hosts | length > 0

 - name: store hostkeys
  hosts: localhost

--- a/roles/borg-client/tasks/main.yml
+++ b/roles/borg-client/tasks/main.yml
@@ -11,6 +11,7 @@
  register: borg_list
  ignore_errors: True
  loop: "{{ backup_hosts }}"
+  changed_when: borg_list.stdout | length > 0

 - name: init borg repository
  command: borg init -e keyfile {{ item['host'] }}:{{ item['dir'] }}
@@ -36,6 +37,7 @@
  command: getent passwd postgres
  register: check_postgres_user
  ignore_errors: True
+  changed_when: check_postgres_user.stdout | length > 0

 - name: make postgres backup directory
  file: path={{ postgres_backup_dir }} owner=root group=root state=directory

--- a/roles/borg-server/tasks/main.yml
+++ b/roles/borg-server/tasks/main.yml
@@ -30,6 +30,7 @@
  register: ssh_keys
  delegate_to: "{{ item }}"
  with_items: "{{ backup_clients }}"
+  changed_when: ssh_keys.stdout | length > 0

 - name: allow certain clients to connect
  authorized_key:

--- a/roles/dbscripts/tasks/main.yml
+++ b/roles/dbscripts/tasks/main.yml
@@ -186,6 +186,8 @@

 - name: generate mirror config
  command: /etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl
+  register: gen_rsyncd
+  changed_when: "gen_rsyncd.rc == 0"

 - name: install svnlog
  copy: src=svnlog dest=/usr/local/bin/svnlog owner=root group=root mode=0755
@@ -197,11 +199,15 @@
  command: git config --global user.name = 'svntogit'
  become: yes
  become_user: svntogit
+  register: git_config_username
+  changed_when: "git_config_username.rc == 0"

 - name: configure svntogit git user email
  command: git config --global user.name = 'svntogit@repos.archlinux.org'
  become: yes
  become_user: svntogit
+  register: git_config_email
+  changed_when: "git_config_email.rc == 0"

 - name: template arch-svntogit
  copy: src=update-repos.sh dest=/srv/svntogit/update-repos.sh owner=root group=root mode=0755
@@ -225,6 +231,8 @@
  become: yes
  become_user: svntogit
  ignore_errors: yes
+  register: git_public_remote
+  changed_when: "git_public_remote.rc == 0"

  # The following command also serves as a way to get the data the first time the repo is set up
 - name: configure svntogit pull upstream branch
@@ -234,6 +242,8 @@
    - packages
  become: yes
  become_user: svntogit
+  register: git_pull_upstream
+  changed_when: "git_pull_upstream.rc == 0"

 - name: configure svntogit push upstream branch
  command: git push -u public master chdir=/srv/svntogit/repos/{{ item }}
@@ -242,6 +252,8 @@
    - packages
  become: yes
  become_user: svntogit
+  register: git_push_master
+  changed_when: "git_push_master.rc == 0"

 - name: fix svntogit home permissions
  file: path="/srv/svntogit" state=directory owner=svntogit group=svntogit mode=0775

--- a/roles/install_arch/tasks/main.yml
+++ b/roles/install_arch/tasks/main.yml
@@ -3,6 +3,7 @@
 - name: read /etc/motd
  command: cat /etc/motd
  register: motd_contents
+  changed_when: cat.stdout | length > 0

 - name: check whether we're running in the Hetzner rescue system
  fail: msg="Not running in Hetzner rescue system!"
@@ -12,11 +13,13 @@
  command: sgdisk -g --clear -n 1:0:+10M {{ item }} -c 1:boot -t 1:ef02
  with_items:
    - "{{ system_disks }}"
+  changed_when: "sgdisk.rc == 0"

 - name: create root partitions
  command: sgdisk -n 2:0:0 {{ item }} -c 2:root
  with_items:
    - "{{ system_disks }}"
+  changed_when: "sgdisk.rc == 0"

 - name: partition and format the disks (btrfs)
  command: mkfs.btrfs -f -L root -d {{ raid_level|default(raid1) }} -m {{ raid_level|default(raid1) }} -O no-holes /dev/sda2 /dev/sdb2
@@ -76,9 +79,13 @@

 - name: initialize pacman keyring inside bootstrap chroot
  command: chroot /tmp/root.x86_64 pacman-key --init
+  register: chroot_pacman_key_init
+  changed_when: "chroot_pacman_key_init.rc == 0"

 - name: populate pacman keyring inside bootstrap chroot
  command: chroot /tmp/root.x86_64 pacman-key --populate archlinux
+  register: chroot_pacman_key_populate
+  changed_when: "chroot_pacman_key_populate.rc == 0"

 - name: install ucode update for Intel
  set_fact: ucode="intel-ucode"
@@ -111,9 +118,13 @@

 - name: run locale-gen inside chroot
  command: chroot /mnt locale-gen
+  register: chroot_locale_gen
+  changed_when: "chroot_locale_gen.rc == 0"

 - name: run systemd-firstboot
  command: chroot /mnt systemd-firstboot --locale=en_US.UTF-8 --timezone=UTC --hostname={{ hostname }}
+  register: chroot_systemd_firstboot
+  changed_when: "chroot_systemd_firstboot.rc == 0"

 - name: add mdadm_udev to mkinitcpio.conf
  lineinfile:
@@ -125,6 +136,8 @@

 - name: run mkinitcpio
  command: chroot /mnt mkinitcpio -p linux
+  register: chroot_mkinitcpio
+  changed_when: "chroot_mkinitcpio.rc == 0"

 - name: configure network (static)
  template: src=10-static-ethernet.network.j2 dest=/mnt/etc/systemd/network/10-static-ethernet.network owner=root group=root mode=0644
@@ -151,12 +164,18 @@
  command: chroot /mnt grub-install --recheck {{ item }}
  with_items:
    - "{{ system_disks }}"
+  register: chroot_grub_install
+  changed_when: "chroot_grub_install.rc == 0"

 - name: configure grub
  command: chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg
+  register: chroot_grub_mkconfig
+  changed_when: "chroot_grub_mkconfig.rc == 0"

 - name: enable services inside chroot
  command: chroot /mnt systemctl enable sshd systemd-networkd systemd-resolved fstrim.timer hcloud-init
+  register: chroot_systemd_services
+  changed_when: "chroot_systemd_services.rc == 0"

 - name: assign pubkey list to fact
  set_fact: pubkey_list="{{ lookup('file', "{{ playbook_dir }}/../../pubkeys/" + item) }}"
@@ -177,6 +196,8 @@

 - name: clean pacman cache
  shell: yes | chroot /mnt pacman -Scc
+  register: chroot_pacman_clean_cache
+  changed_when: "chroot_pacman_clean_cache.rc == 0"

 - name: remove LOCK file on mountpoint
  file: path=/mnt/LOCK state=absent
--- a/roles/opendkim/tasks/main.yml
+++ b/roles/opendkim/tasks/main.yml
@@ -30,6 +30,7 @@
  command: opendkim-testkey -d archlinux.org -s {{ dkim_selector }} -k /etc/opendkim/private/{{ dkim_selector }}.private -vvv
  tags:
    - dkimverify
+  changed_when: false

 - name: start and enable opendkim
  service: name=opendkim enabled=yes state=started

--- a/roles/rsync_net/tasks/main.yml
+++ b/roles/rsync_net/tasks/main.yml
@@ -11,6 +11,7 @@
  delegate_to: "{{ item }}"
  with_items: "{{ backup_clients }}"
  remote_user: root
+  changed_when: client_ssh_keys.changed

 - local_action: tempfile state=file
  register: tempfile
@@ -19,3 +20,5 @@

 - name: upload authorized_keys file
  local_action: command scp "{{ tempfile.path }}" "{{ rsync_net_username }}@{{ inventory_hostname }}":.ssh/authorized_keys
+  register: scp
+  changed_when: "scp.rc == 0"
--- a/roles/security_tracker/tasks/main.yml
+++ b/roles/security_tracker/tasks/main.yml
@@ -54,6 +54,8 @@
  command: /usr/bin/gpg --keyserver keys.openpgp.org --recv "{{ item }}"
  with_items:
    - E240B57E2C4630BA768E2F26FC1B547C8D8172C8
+  register: gpg
+  changed_when: "gpg.rc == 0"

 - name: clone security-tracker repo
  git: repo=https://github.com/archlinux/arch-security-tracker.git version="{{ security_tracker_version }}" dest="{{ security_tracker_dir }}" force=true verify_commit=true

--- a/roles/spampd/tasks/main.yml
+++ b/roles/spampd/tasks/main.yml
@@ -39,6 +39,8 @@
  with_items:
    - yerp.gpg.key
    - zmi.gpg.key
+  register: sa-update
+  changed_when: "sa-update.rc == 0"

 - name: install SA configs
  template: src={{ item }}.j2 dest=/etc/mail/spamassassin/{{ item }} owner=root group=root mode=0644
@@ -50,6 +52,7 @@

 - name: check SA config validity
  command: /usr/bin/vendor_perl/spamassassin --lint
+  changed_when: false

 - name: activate systemd timers
  service: name={{ item }} enabled=yes state=started

--- a/roles/sudo/tasks/main.yml
+++ b/roles/sudo/tasks/main.yml
@@ -6,6 +6,8 @@
 # https://github.com/ansible/ansible/issues/11024
 - name: remove all users from wheel group
  command: groupmems -g wheel --purge
+  register: groupmems
+  changed_when: "groupmems.rc == 0"

 - name: add sudo users to wheel
  user: name="{{ item }}" append=yes groups=wheel