commit 0963335a015e28c32783d7e6f7d16a772a711858
parent cc2efa7f162215d0ca26de42185787b4eda2a5aa
Author: Florian Dold <florian@dold.me>
Date: Thu, 27 Feb 2025 16:09:14 +0100
address some linter warnings
Diffstat:
16 files changed, 142 insertions(+), 139 deletions(-)
diff --git a/.gitignore b/.gitignore
@@ -1,6 +1,5 @@
./inventories/production/hosts
./inventories/staging/hosts
-*~
exports
# Preferred name for secrets in inventories/host_vars/$HOST/
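Review bot: The two `./inventories/.../hosts` patterns above the removed `*~` are only context here, but since this hunk touches the file they are worth a look: git does not normalise a leading `./` in .gitignore patterns, so I believe they match nothing and the inventory host files this list is meant to keep out of the repository are not actually ignored. `git check-ignore -v inventories/production/hosts` will confirm; if it prints nothing, drop the `./` prefix from both lines.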
@@ -9,3 +8,7 @@ prod-secrets.yml
# This used to be the name of the secrets file,
# keep ignoring it to prevent accidental commits of it.
tops-secrets.yml
+
+# Text editor files
+*~
+.vscode
diff --git a/playbooks/pixel-borg.yml b/playbooks/pixel-borg.yml
@@ -2,4 +2,4 @@
- name: Setup Borg repository on spec to receive backups from pixel
hosts: all
roles:
- - pixel-borg
+ - pixel_borg
diff --git a/roles/common_packages/tasks/main.yml b/roles/common_packages/tasks/main.yml
@@ -7,7 +7,7 @@
dest: /etc/apt/keyrings/taler-systems.gpg
owner: root
group: root
- mode: 0644
+ mode: "0644"
- name: Deploy TSYS nightly signing key
copy:
@@ -15,7 +15,7 @@
dest: /etc/apt/keyrings/taler-systems-nightly.gpg
owner: root
group: root
- mode: 0644
+ mode: "0644"
- name: Add GNU Taler repo
deb822_repository:
@@ -46,7 +46,7 @@
dest: /etc/apt/preferences.d/limit-taler-repo
owner: root
group: root
- mode: 0644
+ mode: "0644"
- name: Deploy current base distro
apt:
@@ -81,8 +81,8 @@
- name: Generate dhparam.pem
command: openssl dhparam -out dhparam.pem 4096
args:
- chdir: /etc/ssl/private/
- creates: /etc/ssl/private/dhparam.pem
+ chdir: /etc/ssl/private/
+ creates: /etc/ssl/private/dhparam.pem
when: (USE_PREGENERATED_DHPARAM | default(False)) == False
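Review bot: The `when:` on this hunk's last line still compares against `== False` while the parallel condition in the next hunk (`Deploy pregenerated dhparam.pem`) was reduced to the bare boolean, so the two tasks now express the same toggle in two styles. `when: not (USE_PREGENERATED_DHPARAM | default(false))` keeps them symmetric and also clears the `literal-compare` warning ansible-lint raises for `== False`. The task is otherwise untouched apart from the re-indented `args`.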
- name: Deploy pregenerated dhparam.pem
@@ -91,5 +91,5 @@
dest: /etc/ssl/private/dhparam.pem
owner: root
group: root
- mode: 0644
- when: (USE_PREGENERATED_DHPARAM | default(False)) == True
+ mode: "0644"
+ when: (USE_PREGENERATED_DHPARAM | default(False))
diff --git a/roles/exchange-sanctionlist-import/tasks/main.yml b/roles/exchange-sanctionlist-import/tasks/main.yml
@@ -1,6 +1,6 @@
---
- name: Get current date
- ansible.builtin.shell:
+ ansible.builtin.command:
cmd: "date +%F"
register: today
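Review bot: `ansible.builtin.command` running `date +%F` will report changed on every run, which is misleading for a read-only lookup and leaves ansible-lint's `no-changed-when` warning in place; add `changed_when: false` under `register: today`. If facts are gathered in this play, the `ansible_date_time.date` fact already provides the same `YYYY-MM-DD` value without a task. Any remaining keys of this task are outside the hunk.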
@@ -16,16 +16,16 @@
src: "{{ SANCTION_LIST }}"
dest: "{{ importfile.path }}"
owner: taler-exchange-httpd
- mode: 400
+ mode: "400"
- name: Check sanction list
- ansible.builtin.shell:
+ ansible.builtin.command:
cmd: "taler-exchange-sanctionscheck -- {{ EXCHANGE_SANCTION_HELPER }} {{ importfile.path }}"
- become: yes
+ become: true
become_user: taler-exchange-httpd
-#- name: Remove the temporary file on the server
-# ansible.builtin.file:
-# path: "{{ importfile.path }}"
-# state: absent
-# when: importfile.path is defined
+# - name: Remove the temporary file on the server
+# ansible.builtin.file:
+# path: "{{ importfile.path }}"
+# state: absent
+# when: importfile.path is defined
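Review bot: `mode: "400"` drops the leading zero that every other mode string in this commit keeps (`"0400"`, `"0440"`, `"0644"`); Ansible accepts the quoted three-digit form, but the inconsistency invites a later edit back to an unquoted `400`, which the file module would interpret as a decimal number. Write `mode: "0400"`. The cleanup task below stays commented out after the re-indent, so the uploaded copy at `{{ importfile.path }}` remains on the host after the check; if that is unintended, re-enabling it is the real fix.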
diff --git a/roles/exchange/handlers/main.yml b/roles/exchange/handlers/main.yml
@@ -1,4 +1,4 @@
-- name: restart nginx
+- name: Restart nginx
service:
name: nginx
state: restarted
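Review bot: Renaming the handler to `Restart nginx` changes the string that `notify:` must match, and Ansible compares handler names case-sensitively, so any task still notifying `restart nginx` will fail at runtime with a handler-not-found error. The same rename is made in roles/monitoring/handlers/main.yml and roles/webserver/handlers/main.yml, and roles/monitoring/tasks/main.yml visibly keeps `notify: restart nginx`, `notify: restart node-exporter`, `notify: restart postgres-exporter` and `notify: restart nginx-exporter` as unchanged context lines in this diff. The exchange and webserver task files are not shown here, so their notify lines need the same check. Either update every `notify:` to the new casing, or keep the old name reachable by adding `listen: restart nginx` to the handler.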
diff --git a/roles/exchange/tasks/main.yml b/roles/exchange/tasks/main.yml
@@ -23,7 +23,7 @@
dest: /etc/nginx/sites-available/exchange-nginx.conf
owner: root
group: root
- mode: 0644
+ mode: "0644"
- name: Ensure Taler exchange HTTP virtualhost configuration file exists
template:
@@ -31,7 +31,7 @@
dest: /etc/nginx/sites-available/exchange-http.conf
owner: root
group: root
- mode: 0644
+ mode: "0644"
- name: Enable Taler exchange HTTP reverse proxy configuration
file:
@@ -85,7 +85,7 @@
dest: /etc/taler-exchange/conf.d/exchange-business.conf
owner: root
group: root
- mode: 0644
+ mode: "0644"
- name: Place taler-exchange denominations config
ansible.builtin.template:
@@ -93,7 +93,7 @@
dest: /etc/taler-exchange/conf.d/denominations.conf
owner: root
group: root
- mode: 0644
+ mode: "0644"
- name: Ensure /etc/taler-exchange/secrets/ directory exists
file:
@@ -106,7 +106,7 @@
dest: /etc/taler-exchange/secrets/exchange-accountcredentials-primary.secret.conf
owner: taler-exchange-wire
group: root
- mode: 0400
+ mode: "0400"
- name: Place taler-exchange external individual KYC provider configuration
ansible.builtin.template:
@@ -114,7 +114,7 @@
dest: /etc/taler-exchange/secrets/exchange-kyc-provider-individual.secret.conf
owner: taler-exchange-httpd
group: taler-exchange-kyc
- mode: 0440
+ mode: "0440"
- name: Place taler-exchange external KYC provider configuration
ansible.builtin.template:
@@ -122,7 +122,7 @@
dest: /etc/taler-exchange/secrets/exchange-kyc-provider-business.secret.conf
owner: taler-exchange-httpd
group: taler-exchange-kyc
- mode: 0440
+ mode: "0440"
- name: Place taler-exchange AML program environment
ansible.builtin.template:
@@ -130,7 +130,7 @@
dest: /etc/taler-exchange/taler-exchange.env
owner: taler-exchange-httpd
group: root
- mode: 0400
+ mode: "0400"
- name: Check if we have kyc-rules (depends on branch)
delegate_to: localhost
@@ -145,7 +145,7 @@
when: have_kycrules.stat.exists
- name: Setup Taler Exchange database
- shell:
+ ansible.builtin.command:
cmd: taler-exchange-dbconfig -c /etc/taler-exchange/taler-exchange.conf
chdir: /tmp
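Review bot: Switching `Setup Taler Exchange database` to `ansible.builtin.command` removes the shell but keeps the task reporting a change on every run, since it has neither `creates:` nor `changed_when:`; ansible-lint's `no-changed-when` rule will keep flagging it, as it will the terms-of-service and privacy-policy tasks converted further down in this file (`Build terms of service (EN)` through `Build privacy policy (DE)`). If `taler-exchange-dbconfig` is idempotent, `changed_when: false` is the simplest fix; otherwise register the output and key `changed_when` on it. The task's remaining keys, if any, are outside the hunk.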
@@ -155,7 +155,7 @@
state: directory
owner: taler-exchange-httpd
group: root
- mode: 0755
+ mode: "0755"
- name: Check if we have terms of service in English
stat:
@@ -163,7 +163,7 @@
register: have_terms_en
- name: Build terms of service (EN)
- ansible.builtin.shell:
+ ansible.builtin.command:
cmd: taler-terms-generator -i {{ EXCHANGE_TERMS_ETAG }} -l en
when: have_terms_en.stat.exists
@@ -173,7 +173,7 @@
register: have_pp_en
- name: Build privacy policy (EN)
- ansible.builtin.shell:
+ ansible.builtin.command:
cmd: taler-terms-generator -i {{ EXCHANGE_PP_ETAG }} -l en
when: have_pp_en.stat.exists
@@ -183,7 +183,7 @@
register: have_terms_fr
- name: Build terms of service (FR)
- ansible.builtin.shell:
+ ansible.builtin.command:
cmd: taler-terms-generator -i {{ EXCHANGE_TERMS_ETAG }} -l fr
when: have_terms_fr.stat.exists
@@ -193,7 +193,7 @@
register: have_pp_fr
- name: Build privacy policy (FR)
- ansible.builtin.shell:
+ ansible.builtin.command:
cmd: taler-terms-generator -i {{ EXCHANGE_PP_ETAG }} -l fr
when: have_pp_fr.stat.exists
@@ -203,7 +203,7 @@
register: have_terms_de
- name: Build terms of service (DE)
- ansible.builtin.shell:
+ ansible.builtin.command:
cmd: taler-terms-generator -i {{ EXCHANGE_TERMS_ETAG }} -l de
when: have_terms_de.stat.exists
@@ -213,7 +213,7 @@
register: have_pp_de
- name: Build privacy policy (DE)
- ansible.builtin.shell:
+ ansible.builtin.command:
cmd: taler-terms-generator -i {{ EXCHANGE_PP_ETAG }} -l de
when: have_pp_de.stat.exists
diff --git a/roles/libeufin-nexus/tasks/main.yml b/roles/libeufin-nexus/tasks/main.yml
@@ -34,12 +34,12 @@
path: "/etc/ansible/facts.d/"
state: directory
-- name: libeufin-nexus access secret setup
+- name: Libeufin-nexus access secret setup
ansible.builtin.shell:
cmd: echo "[libeufin-nexus]\nAUTH_BEARER_TOKEN=secret-token:$(dd if=/dev/random count=1 bs=32 status=none | gnunet-base32)" > /etc/ansible/facts.d/libeufin-nexus-access-token.fact
creates: /etc/ansible/facts.d/libeufin-nexus-access-token.fact
-- name: libeufin-nexus force ansible to regather just created fact(s)
+- name: Libeufin-nexus force ansible to regather just created fact(s)
ansible.builtin.setup:
- name: Place libeufin-nexus config
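Review bot: The task renamed here writes `AUTH_BEARER_TOKEN=secret-token:...` into `/etc/ansible/facts.d/libeufin-nexus-access-token.fact` through a shell redirect, so the file's permissions come from the shell's umask rather than an explicit mode; with a typical root umask of 022 that leaves a bearer token world-readable, though the actual mode depends on the host. Consider prefixing the command with `umask 077;` or following it with a `file` task setting `mode: "0600"`. The `echo "...\n..."` also relies on `/bin/sh`'s echo expanding `\n`, which holds for dash but not for every shell; `printf` avoids that dependency.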
@@ -60,20 +60,20 @@
when: use_ebics
- name: Setup libeufin database
- shell:
+ ansible.builtin.command:
cmd: libeufin-dbconfig --only-nexus
# FIXME: pass "--bank-config=/etc/libeufin/libeufin-nexus.conf" once libeufin 0.14.x is out!
chdir: /tmp
-- name: show vars
+- name: Show vars
ansible.builtin.setup:
# FIXME: this step currently fails with pofi, seems command wants
# extra arguments to do PDF letter generation?
- name: EBICS setup
- become: yes
+ become: true
become_user: libeufin-nexus
- shell:
+ ansible.builtin.command:
cmd: libeufin-nexus ebics-setup
when: use_ebics
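Review bot: `Show vars` only gains a capital letter, but the task runs `ansible.builtin.setup`, which re-gathers facts rather than showing anything; if it is a leftover debugging step it can be removed, otherwise a name such as `Regather facts after libeufin setup` would describe what it does. The two `shell` → `ansible.builtin.command` conversions in this hunk are sound since neither command uses shell syntax, but both still lack `changed_when:` or `creates:`, so they report a change on every run.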
diff --git a/roles/monitoring/files/etc/prometheus/prometheus.yml b/roles/monitoring/files/etc/prometheus/prometheus.yml
@@ -13,7 +13,7 @@ alerting:
# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
rule_files:
- - "alert_rules.yml"
+ - "alert_rules.yml"
# - "second_rules.yml"
# A scrape configuration containing exactly one endpoint to scrape:
@@ -43,7 +43,7 @@ scrape_configs:
# Job, for local postgres_exporter
- job_name: 'postgres_exporter'
static_configs:
- - targets: ['localhost:9187']
+ - targets: ['localhost:9187']
# Job, for prometheus_process_exporter
- job_name: 'process_exporter'
diff --git a/roles/monitoring/handlers/main.yml b/roles/monitoring/handlers/main.yml
@@ -1,20 +1,20 @@
---
-- name: restart nginx
+- name: Restart nginx
service:
name: nginx
state: restarted
-- name: restart postgres-exporter
+- name: Restart postgres-exporter
service:
name: prometheus-postgres-exporter
state: restarted
-- name: restart node-exporter
+- name: Restart node-exporter
service:
name: prometheus-node-exporter
state: restarted
-- name: restart nginx-exporter
+- name: Restart nginx-exporter
service:
name: prometheus-nginx-exporter
state: restarted
diff --git a/roles/monitoring/tasks/main.yml b/roles/monitoring/tasks/main.yml
@@ -8,7 +8,7 @@
dest: /etc/apt/keyrings/grafana.gpg
owner: root
group: root
- mode: 0644
+ mode: "0644"
- name: Add grafana repo
deb822_repository:
@@ -39,7 +39,7 @@
- name: Stop monitoring services before update or reconfiguration
service:
- name: "{{item}}"
+ name: "{{ item }}"
state: stopped
enabled: false
with_items:
@@ -57,7 +57,7 @@
- prometheus-postgres-exporter
- prometheus
- alloy
- install_recommends: no
+ install_recommends: false
- name: Ensure Taler monitoring virtualhost configuration file exists
template:
@@ -65,7 +65,7 @@
dest: /etc/nginx/sites-available/monitoring-nginx.conf
owner: root
group: root
- mode: 0644
+ mode: "0644"
notify: restart nginx
- name: Ensure Taler monitoring HTTP virtualhost configuration file exists
@@ -74,7 +74,7 @@
dest: /etc/nginx/sites-available/monitoring-http.conf
owner: root
group: root
- mode: 0644
+ mode: "0644"
notify: restart nginx
- name: Enable Taler monitoring HTTP reverse proxy configuration
@@ -121,11 +121,11 @@
- name: Create prometheus database user
community.postgresql.postgresql_user:
name: prometheus
- become: yes
+ become: true
become_user: postgres
- name: Grant access to canonical postgres databases to the postgres-exporter
- become: yes
+ become: true
become_user: postgres
community.postgresql.postgresql_query:
login_user: postgres
@@ -139,7 +139,7 @@
GRANT SELECT ON ALL TABLES IN SCHEMA pg_catalog TO prometheus;
- name: Grant access to challengers databases to the postgres-exporter
- become: yes
+ become: true
become_user: postgres
community.postgresql.postgresql_query:
login_user: postgres
@@ -156,7 +156,7 @@
dest: /etc/default/prometheus-node-exporter
owner: root
group: root
- mode: 0644
+ mode: "0644"
notify: restart node-exporter
- name: Configure postgres-exporter
@@ -165,7 +165,7 @@
dest: /etc/default/prometheus-postgres-exporter
owner: root
group: root
- mode: 0644
+ mode: "0644"
notify: restart postgres-exporter
- name: Configure nginx-exporter
@@ -174,7 +174,7 @@
dest: /etc/default/prometheus-nginx-exporter
owner: root
group: root
- mode: 0644
+ mode: "0644"
notify: restart nginx-exporter
- name: Configure prometheus master
@@ -183,7 +183,7 @@
dest: /etc/default/prometheus
owner: root
group: root
- mode: 0644
+ mode: "0644"
- name: Configure prometheus
copy:
@@ -191,7 +191,7 @@
dest: /etc/prometheus/prometheus.yml
owner: root
group: root
- mode: 0644
+ mode: "0644"
- name: Configure alloy service
copy:
@@ -199,7 +199,7 @@
dest: /etc/default/alloy
owner: root
group: root
- mode: 0644
+ mode: "0644"
- name: Configure alloy log export
template:
@@ -207,11 +207,11 @@
dest: /etc/alloy/config.alloy
owner: root
group: root
- mode: 0644
+ mode: "0644"
- name: Ensure exporter services are enabled and started
service:
- name: "{{item}}"
+ name: "{{ item }}"
state: started
enabled: true
with_items:
diff --git a/roles/pixel-borg/tasks/main.yml b/roles/pixel-borg/tasks/main.yml
@@ -1,62 +0,0 @@
----
-- name: Install Borg package
- apt:
- name:
- - borgbackup
- state: latest
- when: ansible_os_family == 'Debian'
-
-- name: Setup group for borg backups from spec
- ansible.builtin.group:
- name: borg
- state: present
- system: false
-
-- name: Setup user for borg backups from spec
- ansible.builtin.user:
- name: borg
- group: borg
- password: !
- system: false
- create_home: true
- state: present
-
-- name: Ensure /home/borg/.ssh/ directory exists
- file:
- path: "/home/borg/.ssh/"
- state: directory
- owner: borg
- group: borg
- mode: 0755
-
-- name: Place SSH public key for access by pixel
- ansible.builtin.template:
- src: files/home/borg/.ssh/authorized_keys
- dest: /home/borg/.ssh/authorized_keys
- owner: borg
- group: borg
- mode: 0644
-
-- name: Initialize borg repository
- ansible.builtin.shell:
- cmd: borg init --encryption=repokey pixel-backup
- chdir: /home/borg
- environment:
- BORG_PASSPHRASE: "{{ PIXEL_BORG_KEY }}"
- become: yes
- become_user: borg
-
-- name: Export borg repository key
- ansible.builtin.shell:
- cmd: borg key export pixel-backup/ > borg-repo.key
- chdir: /home/borg
- creates: /home/borg/borg-repo.key
- environment:
- BORG_PASSPHRASE: "{{ PIXEL_BORG_KEY }}"
- become: yes
- become_user: borg
-
-- name: Export borg-repo.key to caller
- fetch:
- src: /home/borg/borg-repo.key
- dest: ../borg-repokey
diff --git a/roles/pixel-borg/files/home/borg/.ssh/authorized_keys b/roles/pixel_borg/files/home/borg/.ssh/authorized_keys
diff --git a/roles/pixel_borg/tasks/main.yml b/roles/pixel_borg/tasks/main.yml
@@ -0,0 +1,62 @@
+---
+- name: Install Borg package
+ apt:
+ name:
+ - borgbackup
+ state: latest
+ when: ansible_os_family == 'Debian'
+
+- name: Setup group for borg backups from spec
+ ansible.builtin.group:
+ name: borg
+ state: present
+ system: false
+
+- name: Setup user for borg backups from spec
+ ansible.builtin.user:
+ name: borg
+ group: borg
+ password: !
+ system: false
+ create_home: true
+ state: present
+
+- name: Ensure /home/borg/.ssh/ directory exists
+ file:
+ path: "/home/borg/.ssh/"
+ state: directory
+ owner: borg
+ group: borg
+ mode: "0755"
+
+- name: Place SSH public key for access by pixel
+ ansible.builtin.template:
+ src: files/home/borg/.ssh/authorized_keys
+ dest: /home/borg/.ssh/authorized_keys
+ owner: borg
+ group: borg
+ mode: "0644"
+
+- name: Initialize borg repository
+ ansible.builtin.command:
+ cmd: borg init --encryption=repokey pixel-backup
+ chdir: /home/borg
+ environment:
+ BORG_PASSPHRASE: "{{ PIXEL_BORG_KEY }}"
+ become: true
+ become_user: borg
+
+- name: Export borg repository key
+ ansible.builtin.shell:
+ cmd: borg key export pixel-backup/ > borg-repo.key
+ chdir: /home/borg
+ creates: /home/borg/borg-repo.key
+ environment:
+ BORG_PASSPHRASE: "{{ PIXEL_BORG_KEY }}"
+ become: true
+ become_user: borg
+
+- name: Export borg-repo.key to caller
+ fetch:
+ src: /home/borg/borg-repo.key
+ dest: ../borg-repokey
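Review bot: `password: !` on the user task hands the YAML parser the `!` tag indicator with an empty value rather than the string `!`, so Ansible does not receive the locked-password marker the line appears intended to set; the YAML spec resolves it to an empty string, and PyYAML-based loaders may instead yield null, so the user module either passes an empty password field through or leaves the password untouched. Use `password: "!"` or, more explicitly, `password_lock: true` so the borg account is unambiguously closed to password logins. Separately, `Initialize borg repository` now runs through `ansible.builtin.command` without `creates:` or `changed_when:`, so a second run re-executes `borg init` against the existing repository; presumably `creates: /home/borg/pixel-backup` matches the `chdir`/argument pair above, as `Export borg repository key` already does for its output.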
diff --git a/roles/webserver/handlers/main.yml b/roles/webserver/handlers/main.yml
@@ -1,5 +1,5 @@
---
-- name: restart nginx
+- name: Restart nginx
service:
name: nginx
state: restarted
diff --git a/roles/webserver/tasks/main.yml b/roles/webserver/tasks/main.yml
@@ -5,19 +5,19 @@
apt:
name: nginx
state: present
- update_cache: yes
+ update_cache: true
when: ansible_os_family == 'Debian'
-#- name: Obtain or renew SSL certificate using Certbot with Nginx
-# command: certbot --nginx --domain "{{ SUBDOMAIN }}.{{ DOMAIN_NAME }}" --redirect --non-interactive --agree-tos --email "{{ ACME_EMAIL }}"
-# register: certbot_result
-# changed_when: "'Certificate not yet due for renewal' not in certbot_result.stdout"
+# - name: Obtain or renew SSL certificate using Certbot with Nginx
+# command: certbot --nginx --domain "{{ SUBDOMAIN }}.{{ DOMAIN_NAME }}" --redirect --non-interactive --agree-tos --email "{{ ACME_EMAIL }}"
+# register: certbot_result
+# changed_when: "'Certificate not yet due for renewal' not in certbot_result.stdout"
#
-#- name: Reload Nginx configuration if certificates were obtained or renewed
-# service:
-# name: nginx
-# state: restarted
-# when: certbot_result.changed
+# - name: Reload Nginx configuration if certificates were obtained or renewed
+# service:
+# name: nginx
+# state: restarted
+# when: certbot_result.changed
- name: Remove default nginx configuration
file:
@@ -30,10 +30,10 @@
dest: /etc/nginx/conf.d/log-format-apm.conf
owner: root
group: root
- mode: 0644
+ mode: "0644"
- name: Ensure Nginx service is enabled and started
service:
name: nginx
state: started
- enabled: yes
+ enabled: true
diff --git a/setup-pixel-borg.sh b/setup-pixel-borg.sh
@@ -12,7 +12,7 @@ ansible-playbook \
--inventory inventories/default \
--limit "${1:-spec}" \
--user root \
- playbooks/pixel-borg.yml
+ playbooks/pixel_borg.yml
mv borg-repokey/*/home/borg/borg-repo.key .
rm -rf borg-repokey/
echo "Make sure to back up the borg-repo.key to admin-log/pixel/borg-repo.key"
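Review bot: `playbooks/pixel_borg.yml` does not exist as far as this diff shows: the playbook is edited in place under its old name `playbooks/pixel-borg.yml` (only the role reference inside it changed), and the diffstat's 16 files are all accounted for without a rename of it, so the script would now fail to find the playbook. Either rename the playbook alongside the role, or keep this line as `playbooks/pixel-borg.yml`.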