commit 75193aceb38788c8790c93bf74cbfe79f20da483 parent 0963335a015e28c32783d7e6f7d16a772a711858 Author: Florian Dold <florian@dold.me> Date: Thu, 27 Feb 2025 17:35:50 +0100 address more linter warnings Diffstat:
22 files changed, 188 insertions(+), 117 deletions(-)
diff --git a/.ansible-lint b/.ansible-lint @@ -7,3 +7,6 @@ exclude_paths: skip_list: - var-naming + - role-name + - package-latest + - yaml[line-length] diff --git a/README b/README @@ -93,7 +93,7 @@ the setup playbook will be run on the container via ssh. ## Roles -### ansible-pull +### ansible_pull This role setups an ansible-pull script on the host, as well as cronjob which runs the ansible-pull script on regular interval. diff --git a/local.yml b/local.yml @@ -1,9 +1,12 @@ --- -- hosts: all + +# FIXME(dold): What does this file do / why do we need it? +# FIXME(dold): Seems incomplete. + +- name: Local setup + hosts: all roles: - common_packages - - ansible-pull + - ansible_pull - webserver - database - - taler-packages - - configuration diff --git a/playbooks/setup.yml b/playbooks/setup.yml @@ -3,11 +3,12 @@ hosts: all pre_tasks: - name: "Fail if secrets are not defined" - ansible.builtin.fail: msg="Secrets are not defined (HAVE_SECRETS not set)" + ansible.builtin.fail: + msg: "Secrets are not defined (HAVE_SECRETS not set)" when: HAVE_SECRETS is undefined roles: - role: common_packages - - role: ansible-pull + - role: ansible_pull - role: webserver - role: database - role: libeufin-nexus diff --git a/roles/ansible-pull/tasks/main.yml b/roles/ansible-pull/tasks/main.yml 
@@ -1,42 +0,0 @@ -- name: Update apt cache - apt: update_cache=yes - -- name: Install depends - apt: - name: [ansible, git] - state: present - -- name: Ensure /etc/ansible/facts.d exists - file: - path: /etc/ansible/facts.d - state: directory - recurse: yes - -- name: Make /etc/ansible/facts.d/pull.fact - template: - src: pull.fact - dest: /etc/ansible/facts.d/pull.fact - -- name: recollect facts - setup: - -- name: Install the ansible-pull script - template: src=ansible-pull.sh dest=/usr/sbin/run-ansible-pull mode=0755 owner=root group=root - -- name: Install cronjob - cron: name="Ansible Pull" minute="{{ ansible_local.pull.minute | default(59 | random) }}" job="/usr/sbin/run-ansible-pull" - -- name: remove old ansible-pull on boot cronjob - cron: - name: run ansible on reboot - state: absent - -- name: Install service to run ansible-pull on boot - template: - src: ansible-on-boot.service - dest: /etc/systemd/system/ansible-on-boot.service - -- name: Enable ansible pull on boot - service: - name: ansible-on-boot - enabled: yes diff --git a/roles/ansible_pull/tasks/main.yml b/roles/ansible_pull/tasks/main.yml 
@@ -0,0 +1,60 @@ +- name: Update apt cache + apt: + update_cache: true + +- name: Install depends + apt: + name: [ansible, git] + state: present + +- name: Ensure /etc/ansible/facts.d exists + file: + path: /etc/ansible/facts.d + state: directory + recurse: true + mode: "0700" + owner: root + group: root + +- name: Make /etc/ansible/facts.d/pull.fact + template: + src: pull.fact + dest: /etc/ansible/facts.d/pull.fact + mode: "0700" + owner: root + group: root + +- name: Recollect facts + setup: + +- name: Install the ansible-pull script + template: + src: ansible-pull.sh + dest: /usr/sbin/run-ansible-pull + mode: "0755" + owner: root + group: root + +- name: Install cronjob + cron: + name: "Ansible Pull" + minute: "{{ ansible_local.pull.minute | default(59 | random) }}" + job: /usr/sbin/run-ansible-pull + +- name: Remove old ansible-pull on boot cronjob + cron: + name: run ansible on reboot + state: absent + +- name: Install service to run ansible-pull on boot + template: + src: ansible-on-boot.service + dest: /etc/systemd/system/ansible-on-boot.service + mode: "0755" + owner: root + group: root + +- name: Enable ansible pull on boot + service: + name: ansible-on-boot + enabled: true diff --git a/roles/ansible-pull/templates/ansible-on-boot.service b/roles/ansible_pull/templates/ansible-on-boot.service diff --git a/roles/ansible-pull/templates/ansible-pull.sh b/roles/ansible_pull/templates/ansible-pull.sh diff --git a/roles/ansible-pull/templates/pull.fact b/roles/ansible_pull/templates/pull.fact diff --git a/roles/ansible-pull/vars/main.yaml b/roles/ansible_pull/vars/main.yaml diff --git a/roles/auditor/handlers/main.yml b/roles/auditor/handlers/main.yml @@ -1,4 +1,4 @@ -- name: restart nginx +- name: Restart nginx service: name: nginx state: restarted diff --git a/roles/auditor/tasks/main.yml b/roles/auditor/tasks/main.yml 
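Review bot: `mode: "0700"` on `/etc/ansible/facts.d/pull.fact` (task "Make /etc/ansible/facts.d/pull.fact") sets the execute bit on a local-facts file, and the setup module runs executable files under facts.d instead of parsing them as INI/JSON, so the later `ansible_local.pull.minute` lookup will likely see an execution error rather than the templated value (hedged: the template's content is not in this commit, so this holds unless pull.fact is itself a JSON-printing script). Use a non-executable mode, e.g. `mode: "0644"`; the directory is already root-only at `"0700"`. The same applies to `ansible-on-boot.service`, which is data for systemd and needs no execute bit: `mode: "0644"`.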
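Review bot: Renaming the auditor handler to `- name: Restart nginx` while the tasks keep `notify: restart nginx` (visible unchanged in the auditor tasks hunks below, e.g. after the `auditor-nginx.conf` template) will, as far as I know, stop the notification from resolving, since handler lookup is an exact, case-sensitive string match and the play then fails with an unknown-handler error. Either keep the old name or make the handler answer to it with `listen: restart nginx` under the new name. The same mismatch appears in the challenger handler hunk (roles/challenger/handlers/main.yml, with `notify: restart nginx` still present in roles/challenger/tasks/pre-exchange.yml) and in the database handler rename to `Restart postgresql`, unless those notifiers are updated in a part of the commit not shown here.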
@@ -17,9 +17,10 @@ when: ansible_os_family == 'Debian' - name: Ensure Taler auditor config dir exists from installation - file: + ansible.builtin.stat: path: "/etc/taler-auditor" - state: directory + register: st + failed_when: not (st.stat.exists is defined and st.stat.exists) - name: Ensure Taler letsencrypt auditor dir exists from installation file: @@ -27,7 +28,7 @@ state: directory owner: www-data group: www-data - mode: 0755 + mode: "0755" - name: Ensure Taler auditor virtualhost configuration file exists template: @@ -35,7 +36,7 @@ dest: "/etc/nginx/sites-available/auditor-nginx.conf" owner: root group: root - mode: 0644 + mode: "0644" notify: restart nginx - name: Ensure Taler auditor HTTP virtualhost configuration file exists @@ -44,7 +45,7 @@ dest: "/etc/nginx/sites-available/auditor-http.conf" owner: root group: root - mode: 0644 + mode: "0644" notify: restart nginx - name: Enable Taler HTTP auditor reverse proxy configuration @@ -89,9 +90,10 @@ notify: restart nginx - name: Ensure /etc/taler-auditor/conf.d/ directory exists - file: + ansible.builtin.stat: path: "/etc/taler-auditor/conf.d/" - state: directory + register: st + failed_when: not (st.stat.exists is defined and st.stat.exists) - name: Place taler-auditor master config template: @@ -99,10 +101,10 @@ dest: "/etc/taler-auditor/conf.d/taler-auditor-master.conf" owner: root group: root - mode: 0644 + mode: "0644" - name: Setup Taler Auditor database - shell: + ansible.builtin.command: cmd: taler-auditor-dbconfig -c /etc/taler-auditor/taler-auditor.conf chdir: /tmp @@ -112,7 +114,7 @@ dest: /etc/taler-auditor/secrets/auditor-accountcredentials-primary.secret.conf owner: taler-auditor-httpd group: root - mode: 0400 + mode: "0400" - name: Grant access to exchange database community.postgresql.postgresql_privs: @@ -123,7 +125,7 @@ objs: ALL_IN_SCHEMA role: taler-auditor-httpd grant_option: false - become: yes + become: true become_user: postgres - name: Grant access to exchange database versioning 
@@ -135,7 +137,7 @@ objs: ALL_IN_SCHEMA role: taler-auditor-httpd grant_option: false - become: yes + become: true become_user: postgres - name: Grant usage to exchange database versioning @@ -147,7 +149,7 @@ objs: _v role: taler-auditor-httpd grant_option: false - become: yes + become: true become_user: postgres - name: Ensure taler-auditor service is enabled and started diff --git a/roles/borg-ssh-export/tasks/main.yml b/roles/borg-ssh-export/tasks/main.yml @@ -13,12 +13,15 @@ file: path: "/root/.ssh/" state: directory + owner: root + group: root + mode: "0744" - name: Create SSH key pair for use for backups by root - ansible.builtin.shell: + ansible.builtin.command: cmd: "ssh-keygen -P '' -t ed25519 -f /root/.ssh/borg" creates: /root/.ssh/borg.pub - become: yes + become: true become_user: root - name: Fetch file to local system diff --git a/roles/borg-start/tasks/main.yml b/roles/borg-start/tasks/main.yml @@ -3,6 +3,9 @@ file: path: "/root/bin/" state: directory + owner: root + group: root + mode: "0700" - name: Place shell script to do backups ansible.builtin.template: @@ -10,7 +13,7 @@ dest: /root/bin/borg-backup.sh owner: root group: root - mode: 0700 + mode: "0700" - name: Check SSH key for backups exists stat: @@ -23,7 +26,7 @@ dest: /root/.ssh/config owner: root group: root - mode: 0600 + mode: "0600" - name: Add host key for borg server ansible.builtin.shell: diff --git a/roles/challenger/handlers/main.yml b/roles/challenger/handlers/main.yml @@ -1,4 +1,4 @@ -- name: restart nginx +- name: Restart nginx service: name: nginx state: restarted diff --git a/roles/challenger/tasks/post-exchange.yml b/roles/challenger/tasks/post-exchange.yml @@ -5,7 +5,7 @@ dest: /etc/taler-exchange/secrets/challenger-sms.secret.conf owner: taler-exchange-httpd group: taler-exchange-kyc - mode: 0440 + mode: "0440" - name: Place email challenger exchange config ansible.builtin.template: 
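Review bot: `mode: "0744"` on `/root/.ssh/` (borg-ssh-export, task creating the directory before the keygen step) makes the directory listing readable by every local user, which is looser than the conventional owner-only permission for an SSH key directory; the key pair created there in the next task is private material. Change it to `mode: "0700"`. The other new owner/group lines are fine.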
@@ -13,7 +13,7 @@ dest: /etc/taler-exchange/secrets/challenger-email.secret.conf owner: taler-exchange-httpd group: taler-exchange-kyc - mode: 0440 + mode: "0440" - name: Place postal challenger exchange config ansible.builtin.template: @@ -21,12 +21,15 @@ dest: /etc/taler-exchange/secrets/challenger-postal.secret.conf owner: taler-exchange-httpd group: taler-exchange-kyc - mode: 0440 + mode: "0440" - name: Place general challenger exchange config copy: src: files/etc/taler-exchange/conf.d/challenger.conf dest: /etc/taler-exchange/conf.d/challenger.conf + owner: taler-exchange-httpd + group: taler-exchange-kyc + mode: "0740" - name: Ensure taler-exchange service is is restarted with new configuration service: diff --git a/roles/challenger/tasks/pre-exchange.yml b/roles/challenger/tasks/pre-exchange.yml @@ -34,7 +34,7 @@ ansible.builtin.group: name: challenger-sms state: present - + - name: Ensure user "challenger-sms" exists ansible.builtin.user: name: challenger-sms @@ -47,7 +47,7 @@ ansible.builtin.group: name: challenger-postal state: present - + - name: Ensure user "challenger-postal" exists ansible.builtin.user: name: challenger-postal @@ -60,7 +60,7 @@ ansible.builtin.group: name: challenger-email state: present - + - name: Ensure user "challenger-email" exists ansible.builtin.user: name: challenger-email @@ -75,7 +75,7 @@ state: directory owner: challenger-email group: www-data - mode: 0755 + mode: "0755" - name: Ensure /var/run/challenger-sms/ directory exists file: @@ -83,7 +83,7 @@ state: directory owner: challenger-sms group: www-data - mode: 0755 + mode: "0755" - name: Ensure /var/run/challenger-postal/ directory exists file: @@ -91,12 +91,15 @@ state: directory owner: challenger-postal group: www-data - mode: 0755 + mode: "0755" - name: Ensure Ansible facts directory exists file: path: "/etc/ansible/facts.d/" state: directory + owner: root + group: root + mode: "0700" - name: Ensure /etc/taler-exchange/secrets directory exists file: 
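Review bot: `mode: "0740"` together with `owner: taler-exchange-httpd` on `/etc/taler-exchange/conf.d/challenger.conf` (post-exchange.yml, task "Place general challenger exchange config") gives the exchange service account write access to its own configuration and adds an execute bit to a plain config file. Configuration that the service only needs to read is better owned by root and non-executable, e.g. `owner: root`, `mode: "0640"`, keeping `group: taler-exchange-kyc` if that group is what needs read access (which reader needs it is not visible in this hunk).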
@@ -104,24 +107,30 @@ state: directory owner: root group: root - mode: 0755 + mode: "0750" -- name: sms-challenger access secret setup +- name: Secret setup for sms-challenger ansible.builtin.shell: - cmd: echo "[sms-challenger]\nCLIENT_SECRET=secret-token:$(dd if=/dev/random count=1 bs=32 status=none | gnunet-base32)" > /etc/ansible/facts.d/sms-challenger-client-secret.fact + cmd: | + set -o pipefail + echo "[sms-challenger]\nCLIENT_SECRET=secret-token:$(dd if=/dev/random count=1 bs=32 status=none | gnunet-base32)" > /etc/ansible/facts.d/sms-challenger-client-secret.fact creates: /etc/ansible/facts.d/sms-challenger-client-secret.fact -- name: email-challenger access secret setup +- name: Secret setup for email-challenger ansible.builtin.shell: - cmd: echo "[email-challenger]\nCLIENT_SECRET=secret-token:$(dd if=/dev/random count=1 bs=32 status=none | gnunet-base32)" > /etc/ansible/facts.d/email-challenger-client-secret.fact + cmd: | + set -o pipefail + echo "[email-challenger]\nCLIENT_SECRET=secret-token:$(dd if=/dev/random count=1 bs=32 status=none | gnunet-base32)" > /etc/ansible/facts.d/email-challenger-client-secret.fact creates: /etc/ansible/facts.d/email-challenger-client-secret.fact -- name: postal-challenger access secret setup +- name: Secret setup for postal-challenger ansible.builtin.shell: - cmd: echo "[postal-challenger]\nCLIENT_SECRET=secret-token:$(dd if=/dev/random count=1 bs=32 status=none | gnunet-base32)" > /etc/ansible/facts.d/postal-challenger-client-secret.fact + cmd: | + set -o pipefail + echo "[postal-challenger]\nCLIENT_SECRET=secret-token:$(dd if=/dev/random count=1 bs=32 status=none | gnunet-base32)" > /etc/ansible/facts.d/postal-challenger-client-secret.fact creates: /etc/ansible/facts.d/postal-challenger-client-secret.fact -- name: sms-challenger force ansible to regather just created fact(s) +- name: Force ansible to regather just created fact(s) about challenger ansible.builtin.setup: filter: - 'sms-challenger-client-secret' 
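Review bot: The `set -o pipefail` lines added to the three "Secret setup for …-challenger" shell tasks run under `/bin/sh` because no `executable` is set, and on Debian-family hosts that is dash, where `set -o pipefail` is unsupported on older releases and aborts the task with an illegal-option error before the secret is written. If the target's `/bin/sh` does not accept it, add `args: executable: /bin/bash` to these tasks; note that bash's `echo` does not expand `\n` without `-e`, so the redirect line would then need `printf` to keep producing the two-line fact file. The same pattern is added in roles/libeufin-nexus/tasks/main.yml further down.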
@@ -134,7 +143,7 @@ dest: "/etc/challenger/challenger-sms.conf" owner: root group: challenger-sms - mode: 0640 + mode: "0640" - name: Place Postal challenger config ansible.builtin.template: @@ -142,7 +151,7 @@ dest: "/etc/challenger/challenger-postal.conf" owner: root group: challenger-postal - mode: 0640 + mode: "0640" - name: Place email challenger config ansible.builtin.template: @@ -150,7 +159,7 @@ dest: "/etc/challenger/challenger-email.conf" owner: root group: challenger-email - mode: 0640 + mode: "0640" - name: Place SMS challenger environment data ansible.builtin.template: @@ -158,7 +167,7 @@ dest: /etc/challenger/sms-challenger.env owner: root group: challenger-sms - mode: 0640 + mode: "0640" - name: Place postal challenger environment data ansible.builtin.template: 
@@ -166,61 +175,74 @@ dest: /etc/challenger/postal-challenger.env owner: root group: challenger-postal - mode: 0640 + mode: "0640" - name: Setup SMS Challenger database - shell: + ansible.builtin.command: cmd: challenger-dbconfig -c /etc/challenger/challenger-sms.conf -u challenger-sms -n challenger-sms chdir: /tmp - name: Setup Postal Challenger database - shell: + ansible.builtin.command: cmd: challenger-dbconfig -c /etc/challenger/challenger-postal.conf -u challenger-postal -n challenger-postal chdir: /tmp - name: Setup email Challenger database - shell: + ansible.builtin.command: cmd: challenger-dbconfig -c /etc/challenger/challenger-email.conf -u challenger-email -n challenger-email chdir: /tmp -- name: sms-challenger force ansible to regather just created fact(s) +- name: Force ansible to regather newly created fact(s) about sms-challenger ansible.builtin.setup: - name: Setup SMS Challenger exchange account - shell: - cmd: sudo -u challenger-sms challenger-admin -c /etc/challenger/challenger-sms.conf --quiet --add={{ ansible_facts['ansible_local']['sms-challenger-client-secret']['sms-challenger']['client_secret'] }} {{ EXCHANGE_BASE_URL }}kyc-proof/sms-challenger | awk '{print "[sms-challenger]\nCLIENT_ID="$1"\n\n"}' > /etc/ansible/facts.d/sms-challenger-client-id.fact + ansible.builtin.command: + cmd: | + set -o pipefail + sudo -u challenger-sms challenger-admin -c /etc/challenger/challenger-sms.conf --quiet --add={{ ansible_facts['ansible_local']['sms-challenger-client-secret']['sms-challenger']['client_secret'] }} {{ EXCHANGE_BASE_URL }}kyc-proof/sms-challenger | awk '{print "[sms-challenger]\nCLIENT_ID="$1"\n\n"}' > /etc/ansible/facts.d/sms-challenger-client-id.fact chdir: /tmp creates: /etc/ansible/facts.d/sms-challenger-client-id.fact - name: Setup Email Challenger exchange account - shell: - cmd: sudo -u challenger-email challenger-admin -c /etc/challenger/challenger-email.conf --quiet --add={{ 
ansible_facts['ansible_local']['email-challenger-client-secret']['email-challenger']['client_secret'] }} {{ EXCHANGE_BASE_URL }}kyc-proof/email-challenger | awk '{print "[email-challenger]\nCLIENT_ID="$1"\n\n"}' > /etc/ansible/facts.d/email-challenger-client-id.fact + ansible.builtin.command: + cmd: | + set -o pipefail + sudo -u challenger-email challenger-admin -c /etc/challenger/challenger-email.conf --quiet --add={{ ansible_facts['ansible_local']['email-challenger-client-secret']['email-challenger']['client_secret'] }} {{ EXCHANGE_BASE_URL }}kyc-proof/email-challenger | awk '{print "[email-challenger]\nCLIENT_ID="$1"\n\n"}' > /etc/ansible/facts.d/email-challenger-client-id.fact chdir: /tmp creates: /etc/ansible/facts.d/email-challenger-client-id.fact - name: Setup Postal Challenger exchange account - shell: - cmd: sudo -u challenger-postal challenger-admin -c /etc/challenger/challenger-postal.conf --quiet --add={{ ansible_facts['ansible_local']['postal-challenger-client-secret']['postal-challenger']['client_secret'] }} {{ EXCHANGE_BASE_URL }}kyc-proof/postal-challenger | awk '{print "[postal-challenger]\nCLIENT_ID="$1"\n\n"}' > /etc/ansible/facts.d/postal-challenger-client-id.fact + ansible.builtin.command: + cmd: | + set -o pipefail + sudo -u challenger-postal challenger-admin -c /etc/challenger/challenger-postal.conf --quiet --add={{ ansible_facts['ansible_local']['postal-challenger-client-secret']['postal-challenger']['client_secret'] }} {{ EXCHANGE_BASE_URL }}kyc-proof/postal-challenger | awk '{print "[postal-challenger]\nCLIENT_ID="$1"\n\n"}' > /etc/ansible/facts.d/postal-challenger-client-id.fact chdir: /tmp creates: /etc/ansible/facts.d/postal-challenger-client-id.fact -- name: sms-challenger force ansible to regather just created fact(s) +- name: Force ansible to regather fact(s) just created about sms-challenger ansible.builtin.setup: - name: Place sms-challenger systemd service file copy: src: etc/systemd/system/sms-challenger-httpd.service dest: 
/etc/systemd/system/sms-challenger-httpd.service + owner: root + group: root + mode: "0700" - name: Place postal-challenger systemd service file copy: src: etc/systemd/system/postal-challenger-httpd.service dest: /etc/systemd/system/postal-challenger-httpd.service + owner: root + group: root + mode: "0700" - name: Place email-challenger systemd service file copy: src: etc/systemd/system/email-challenger-httpd.service dest: /etc/systemd/system/email-challenger-httpd.service + mode: "0700" - name: Ensure SMS challenger service is enabled and started ansible.builtin.systemd_service: @@ -247,7 +269,7 @@ dest: /etc/nginx/sites-available/sms-challenger-http.conf owner: root group: root - mode: 0644 + mode: "0644" - name: Place SMS challenger Nginx configuration ansible.builtin.template: @@ -255,7 +277,7 @@ dest: /etc/nginx/sites-available/sms-challenger-nginx.conf owner: root group: root - mode: 0644 + mode: "0644" - name: Enable SMS challenger HTTP reverse proxy configuration file: @@ -270,7 +292,7 @@ dest: /etc/nginx/sites-available/email-challenger-http.conf owner: root group: root - mode: 0644 + mode: "0644" - name: Place email challenger Nginx configuration ansible.builtin.template: @@ -278,7 +300,7 @@ dest: /etc/nginx/sites-available/email-challenger-nginx.conf owner: root group: root - mode: 0644 + mode: "0644" - name: Enable email challenger HTTP reverse proxy configuration file: @@ -293,7 +315,7 @@ dest: /etc/nginx/sites-available/postal-challenger-http.conf owner: root group: root - mode: 0644 + mode: "0644" - name: Place postal challenger Nginx configuration ansible.builtin.template: @@ -301,7 +323,7 @@ dest: /etc/nginx/sites-available/postal-challenger-nginx.conf owner: root group: root - mode: 0644 + mode: "0644" - name: Enable postal challenger HTTP reverse proxy configuration file: @@ -404,4 +426,3 @@ dest: /etc/nginx/sites-enabled/postal-challenger-nginx.conf state: link notify: restart nginx - 
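Review bot: Switching the three "Setup … Challenger exchange account" tasks from `ansible.builtin.shell` to `ansible.builtin.command` breaks them, because `command` does not go through a shell: the multi-line `cmd` is split into words, so `set` becomes the program to execute and `|`, `>` and `awk '…'` are passed as literal arguments, meaning the client-id fact file is never written (and `creates:` will keep the task from retrying once something appears there). Keep `ansible.builtin.shell:` for these three tasks; the `set -o pipefail` prefix only makes sense under a shell, subject to the `/bin/sh` caveat raised on the pre-exchange secret tasks above. Separately, the three systemd unit copies use `mode: "0700"` and the email-challenger copy omits `owner`/`group` unlike its siblings; unit files are data, so `mode: "0644"` with explicit `owner: root` / `group: root` on all three is the consistent choice. The enclosing task list continues past this hunk.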
diff --git a/roles/common_packages/tasks/main.yml b/roles/common_packages/tasks/main.yml @@ -83,7 +83,7 @@ args: chdir: /etc/ssl/private/ creates: /etc/ssl/private/dhparam.pem - when: (USE_PREGENERATED_DHPARAM | default(False)) == False + when: not (USE_PREGENERATED_DHPARAM | default(False)) - name: Deploy pregenerated dhparam.pem copy: diff --git a/roles/database/handlers/main.yml b/roles/database/handlers/main.yml @@ -1,4 +1,4 @@ -- name: restart postgresql +- name: Restart postgresql service: name: postgresql state: restarted diff --git a/roles/exchange/tasks/main.yml b/roles/exchange/tasks/main.yml @@ -75,9 +75,10 @@ notify: restart nginx - name: Ensure /etc/taler-exchange/config.d/ directory exists - file: + ansible.builtin.stat: path: "/etc/taler-exchange/conf.d/" - state: directory + register: st + failed_when: not (st.stat.exists defined and st.stat.exists) - name: Place taler-exchange business config ansible.builtin.template: @@ -95,10 +96,11 @@ group: root mode: "0644" -- name: Ensure /etc/taler-exchange/secrets/ directory exists - file: +- name: Check that /etc/taler-exchange/secrets/ directory exists + ansible.builtin.stat: path: "/etc/taler-exchange/secrets/" - state: directory + register: st + failed_when: not (st.stat.exists is defined and st.stat.exists) - name: Place taler-exchange account credentials ansible.builtin.template: @@ -142,6 +144,10 @@ copy: src: files/etc/taler-exchange/conf.d/kyc-rules.conf dest: /etc/taler-exchange/conf.d/kyc-rules.conf + owner: root + group: root + mode: "0744" + when: have_kycrules.stat.exists - name: Setup Taler Exchange database diff --git a/roles/libeufin-nexus/tasks/main.yml b/roles/libeufin-nexus/tasks/main.yml 
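Review bot: `failed_when: not (st.stat.exists defined and st.stat.exists)` in the exchange hunk at `@@ -75,9 +75,10 @@` is missing the `is` test keyword, so the expression is a Jinja syntax error and the task fails regardless of whether the directory exists. It should read `failed_when: not (st.stat.exists is defined and st.stat.exists)`, matching the second stat task in the same file and the auditor role. The task name still says `config.d` while the path is `conf.d`; worth aligning while touching the line.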
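Review bot: `mode: "0744"` on `/etc/taler-exchange/conf.d/kyc-rules.conf` (exchange hunk at `@@ -142,6 +144,10 @@`) puts an execute bit on a plain config file; `mode: "0644"` is the non-executable equivalent with the same readability. The new `when: have_kycrules.stat.exists` relies on a register that is outside this hunk; if that stat task is not guaranteed to run first (e.g. it is skipped or conditional), the expression raises an undefined-variable error, so `when: have_kycrules.stat.exists | default(false)` is the safer form.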
@@ -27,16 +27,24 @@ file: path: "/etc/libeufin" state: directory + mode: "0755" + owner: root + group: root # FIXME: is this needed or always there in Ansible? - name: Ensure Ansible facts directory dir exists file: path: "/etc/ansible/facts.d/" state: directory + mode: "0755" + owner: root + group: root - name: Libeufin-nexus access secret setup ansible.builtin.shell: - cmd: echo "[libeufin-nexus]\nAUTH_BEARER_TOKEN=secret-token:$(dd if=/dev/random count=1 bs=32 status=none | gnunet-base32)" > /etc/ansible/facts.d/libeufin-nexus-access-token.fact + cmd: | + set -o pipefail + echo "[libeufin-nexus]\nAUTH_BEARER_TOKEN=secret-token:$(dd if=/dev/random count=1 bs=32 status=none | gnunet-base32)" > /etc/ansible/facts.d/libeufin-nexus-access-token.fact creates: /etc/ansible/facts.d/libeufin-nexus-access-token.fact - name: Libeufin-nexus force ansible to regather just created fact(s) diff --git a/roles/pixel_borg/tasks/main.yml b/roles/pixel_borg/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: Install Borg package - apt: + ansible.builtin.apt: name: - borgbackup state: latest
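Review bot: `mode: "0755"` on `/etc/ansible/facts.d/` in the libeufin-nexus role disagrees with the `mode: "0700"` this commit sets on the same directory in roles/challenger/tasks/pre-exchange.yml; if both roles apply to one host, the directory's mode changes on every run and reports a change each time, and the weaker of the two wins whenever libeufin-nexus runs last. Since both roles write bearer-token and client-secret facts into that directory, settle on the restrictive value in both places, `mode: "0700"`. The FIXME on the same task (whether the directory is always there) can be resolved by keeping exactly one role responsible for creating it.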