Add ansible-lint configuration file, lintify

myllynen · May 24, 2023 · de0210e · de0210e
1 parent 6b59af2
commit de0210e
Show file tree

Hide file tree

Showing 29 changed files with 91 additions and 44 deletions.
diff --git a/.ansible-lint b/.ansible-lint
@@ -0,0 +1,19 @@
+---
+offline: true
+profile: production
+strict: true
+
+# Additional rules to enable if no profile set
+enable_list:
+  - args
+  - empty-string-compare
+  - no-log-password
+  - no-same-owner
+  - yaml
+
+skip_list:
+  - fqcn[action-core]
+  - galaxy[no-changelog]
+  - no-handler
+  - var-naming[no-role-prefix]
+  - yaml[comments]
diff --git a/galaxy.yml b/galaxy.yml
@@ -11,8 +11,10 @@ license:
   - GPL-3.0-or-later
 tags:
   - rhel
+  - linux
   - centos
   - configuration
+  - infrastructure
 dependencies:
   ansible.posix: ">=1.4.0"
   community.general: ">=5.5.0"

diff --git a/meta/runtime.yml b/meta/runtime.yml
@@ -1,2 +1,2 @@
 ---
-requires_ansible: ">=2.9"
+requires_ansible: ">=2.9.10"
diff --git a/roles/aide_setup/tasks/main.yml b/roles/aide_setup/tasks/main.yml
@@ -30,10 +30,12 @@
 
 - name: Initialize new aide database
   command: /usr/sbin/aide --init
+  register: aide_database
+  changed_when: true
   when:
     - "'aide' in ansible_facts.packages"
-    - not aide_database.stat.exists
     - aide_setup_initialize_database | bool
+    - not aide_database.stat.exists
 
 - name: Copy new aide database as current aide database
   copy:
@@ -43,13 +45,13 @@
     remote_src: true
   when:
     - "'aide' in ansible_facts.packages"
-    - not aide_database.stat.exists
     - aide_setup_initialize_database | bool
+    - aide_database is changed
 
 # Configure cron in OpenSCAP-compatible manner
 - name: Update aide check cron configuration
   vars:
-    entry_prefix: "{{ '' if aide_setup_cron_setup|bool else '#' }}"
+    entry_prefix: "{{ '' if aide_setup_cron_setup | bool else '#' }}"
   lineinfile:
     path: /etc/crontab
     regexp: '^(#|)05 4 \* \* \* root /usr/sbin/aide --check'

diff --git a/roles/boot_parameters/tasks/main.yml b/roles/boot_parameters/tasks/main.yml
@@ -39,26 +39,29 @@
     --args="{{ boot_parameters_enable | join(' ') }}"
     --remove-args="{{ boot_parameters_disable | join(' ') }}"
   register: boot_config
+  changed_when: true
   when: (0 in enable_check.results | map(attribute='found') | list) or
         (1 in disable_check.results | map(attribute='found') | list)
 
 - name: Fix default kernel boot parameters (RHEL 7)
   shell: |
+    set -o pipefail
     eval $(grubby --info=DEFAULT | awk '/^args/ {print $0}')
     sed -i -e "s,^GRUB_CMDLINE_LINUX=.*,GRUB_CMDLINE_LINUX=\"$args\"," /etc/default/grub
+  changed_when: true
   when:
-    - ansible_facts.distribution_major_version|int == 7
+    - ansible_facts.distribution_major_version | int == 7
     - boot_config is changed
 
 - name: Update boot loader timeout configuration
   replace:
     path: /etc/default/grub
     regexp: '^GRUB_TIMEOUT=.*'
     replace: 'GRUB_TIMEOUT={{ boot_parameters_timeout }}'
+  register: boot_timeout
   when:
     - boot_parameters_timeout is integer
     - boot_parameters_timeout | int >= 1
-  register: boot_timeout
 
 - name: Determine platform type
   stat:
@@ -67,7 +70,7 @@
 
 - name: Set boot loader configuration files
   vars:
-    old_rhel: "{{ true if ansible_facts.distribution_major_version|int < 9 else false }}"
+    old_rhel: "{{ true if ansible_facts.distribution_major_version | int < 9 else false }}"
     efi_path: "{{ true if old_rhel and efi_dir.stat.exists else false }}"
   set_fact:
     grub_config: "{{ '/boot/grub2/grub.cfg' if not efi_path else '/boot/efi/EFI/redhat/grub.cfg' }}"
@@ -91,6 +94,7 @@
 
 - name: Write boot loader configuration
   command: grub2-mkconfig -o {{ grub_config }}
+  changed_when: true
   when: boot_timeout is changed or
         password_remove is changed or
         password_update is changed

diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml
@@ -17,4 +17,5 @@
 
 - name: Write trusted certificate bundles
   command: update-ca-trust extract
+  changed_when: true
   when: ca_files is changed
diff --git a/roles/dns_cache/tasks/disable.yml b/roles/dns_cache/tasks/disable.yml
@@ -28,7 +28,7 @@
     - not dns_cache_enable | bool or
       dns_cache_component != 'nscd'
 
-- name: Check NetworkManager DNS configuration
+- name: Read NetworkManager DNS configuration
   slurp:
     src: /etc/NetworkManager/conf.d/50-dns.conf
   register: current_config
@@ -45,7 +45,7 @@
   when:
     - not dns_cache_enable | bool or
       (current_config.content is defined and
-       dns_cache_component not in current_config.content|b64decode)
+       dns_cache_component not in current_config.content | b64decode)
 
 - name: Disable systemd-resolved service
   service:
@@ -74,7 +74,7 @@
     state: absent
   register: resolved_package
   when:
-    - ansible_facts.distribution_major_version|int == 7
+    - ansible_facts.distribution_major_version | int == 7
     - not dns_cache_enable | bool or
       dns_cache_component != 'systemd-resolved'
 

diff --git a/roles/dns_cache/tasks/systemd_resolved.yml b/roles/dns_cache/tasks/systemd_resolved.yml
@@ -11,7 +11,7 @@
   yum:
     name: systemd-resolved
     state: present
-  when: ansible_facts.distribution_major_version|int != 8
+  when: ansible_facts.distribution_major_version | int != 8
 
 - name: Gather service facts
   service_facts:

diff --git a/roles/insights_client/README.md b/roles/insights_client/README.md
@@ -10,7 +10,7 @@ Below are the role default values from defaults/main.yml:
 
 <pre>
 ---
-# Register or unregister the system for Red Hat Insights
+# Register or unregister the system with Red Hat Insights
 # See https://access.redhat.com/products/red-hat-insights
 insights_client_register: true
 
@@ -20,7 +20,7 @@ insights_client_tags:
 #  security: strict
 #  network_performance: latency
 
-# Enable Red Hat connector (rhc) when needed
+# Enable remote host configuration (rhc)
 # See https://access.redhat.com/articles/rhc
 insights_client_rhc_enable: true
 

diff --git a/roles/insights_client/defaults/main.yml b/roles/insights_client/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-# Register or unregister the system for Red Hat Insights
+# Register or unregister the system with Red Hat Insights
 # See https://access.redhat.com/products/red-hat-insights
 insights_client_register: true
 
@@ -9,7 +9,7 @@ insights_client_tags:
 #  security: strict
 #  network_performance: latency
 
-# Enable Red Hat connector (rhc) when needed
+# Enable remote host configuration (rhc)
 # See https://access.redhat.com/articles/rhc
 insights_client_rhc_enable: true
 

diff --git a/roles/insights_client/tasks/enable.yml b/roles/insights_client/tasks/enable.yml
@@ -13,7 +13,7 @@
   vars:
     rhc_packages:
       - "{{ 'rhc' if insights_client_rhc_enable | bool else '' }}"
-      - "{{ 'rhc-worker-playbook' if ansible_facts.distribution_major_version|int >= 8 else '' }}"
+      - "{{ 'rhc-worker-playbook' if ansible_facts.distribution_major_version | int >= 8 else '' }}"
     openscap_packages:
       - scap-security-guide
     required_packages:
@@ -59,6 +59,7 @@
 
 - name: Upload new data to Red Hat Insights
   command: insights-client --silent
+  changed_when: true
   when: tags_file is changed
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=2175793

diff --git a/roles/multipath_setup/tasks/main.yml b/roles/multipath_setup/tasks/main.yml
@@ -38,6 +38,7 @@
 
 - name: Rebuild initramfs
   command: dracut -f --regenerate-all
+  changed_when: true
   when: multipath_config is changed
 
 - name: Reboot system

diff --git a/roles/packages_remove/tasks/main.yml b/roles/packages_remove/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 - name: Remove unwanted packages
   yum:
-    name: "{{ packages_remove }}"
+    name: "{{ packages_remove | select() | list }}"
     autoremove: "{{ packages_remove_autoremove }}"
     #cacheonly: true
     state: absent
diff --git a/roles/performance_tuning/tasks/main.yml b/roles/performance_tuning/tasks/main.yml
@@ -27,14 +27,15 @@
     state: started
   when: "'tuned' in ansible_facts.packages"
 
-- name: Check current tuned profile
+- name: Read current tuned profile
   slurp:
     src: /etc/tuned/active_profile
   register: active_profile
   when: "'tuned' in ansible_facts.packages"
 
 - name: Configure tuned profile
   command: tuned-adm profile {{ tuned_profile }}
+  changed_when: true
   when:
     - "'tuned' in ansible_facts.packages"
-    - active_profile.content|b64decode|trim != tuned_profile
+    - active_profile.content | b64decode | trim != tuned_profile
diff --git a/roles/rescue_image/tasks/disable.yml b/roles/rescue_image/tasks/disable.yml
@@ -47,10 +47,11 @@
 
 - name: Write boot loader configuration
   vars:
-    old_rhel: "{{ true if ansible_facts.distribution_major_version|int < 9 else false }}"
+    old_rhel: "{{ true if ansible_facts.distribution_major_version | int < 9 else false }}"
     efi_path: "{{ true if old_rhel and efi_dir.stat.exists else false }}"
     grub_config: "{{ '/boot/grub2/grub.cfg' if not efi_path else '/boot/efi/EFI/redhat/grub.cfg' }}"
   command: grub2-mkconfig -o {{ grub_config }}
+  changed_when: true
   when:
     - not entries_dir.stat.exists
     - remove_images is changed
diff --git a/roles/splunk_forwarder/README.md b/roles/splunk_forwarder/README.md
@@ -10,7 +10,7 @@ Below are the role default values from defaults/main.yml:
 
 <pre>
 ---
-splunk_deployment_server: splunk.example.com
+splunk_deployment_server:
 splunk_deployment_server_port: 8089
 splunk_deployment_server_check: true
 

diff --git a/roles/splunk_forwarder/defaults/main.yml b/roles/splunk_forwarder/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-splunk_deployment_server: splunk.example.com
+splunk_deployment_server:
 splunk_deployment_server_port: 8089
 splunk_deployment_server_check: true
 

diff --git a/roles/splunk_forwarder/tasks/main.yml b/roles/splunk_forwarder/tasks/main.yml
@@ -73,10 +73,12 @@
 
 - name: Stop Splunk legacy service
   command: /opt/splunkforwarder/bin/splunk stop
+  changed_when: true
   when: legacy_init.stat.exists
 
 - name: Disable Splunk legacy service
   command: /opt/splunkforwarder/bin/splunk disable boot-start
+  changed_when: true
   when: legacy_init.stat.exists
 
 - name: Check Splunk Forwarder systemd service file
@@ -89,6 +91,7 @@
     /opt/splunkforwarder/bin/splunk enable boot-start
     -systemd-managed 1 -user splunk -group splunk
     --accept-license --no-prompt --answer-yes
+  changed_when: true
   when: not systemd_service.stat.exists
 
 - name: Enable Splunk Forwarder service

diff --git a/roles/system_init/tasks/init.yml b/roles/system_init/tasks/init.yml
@@ -12,12 +12,14 @@
 
 - name: Remove old kernel packages (RHEL 7)
   command: package-cleanup -C --oldkernels --count=1 -y
+  changed_when: true
   when:
     - ansible_facts.pkg_mgr == 'yum'
     - ansible_facts.packages['kernel'] | length > 1
 
 - name: Remove old kernel packages
   command: dnf -C remove --oldinstallonly -y
+  changed_when: true
   when:
     - ansible_facts.pkg_mgr == 'dnf'
     - ansible_facts.packages['kernel'] | length > 1
@@ -41,6 +43,7 @@
 
 - name: Rebuild initramfs
   command: dracut -f --regenerate-all
+  changed_when: true
   when: nic_config is changed
 
 - name: Check installer log directory
@@ -123,6 +126,7 @@
     cmd: subscription-manager facts --update
     removes: /var/lib/rhsm/facts/facts.json
   failed_when: false
+  changed_when: true
 
 - name: Mark system initialized
   copy:
@@ -131,6 +135,6 @@
     mode: '0644'
 
 - name: Log initialization message
-  syslogger:
+  community.general.syslogger:
     msg: "System initialized by system_init role."
   when: "'syslog' in system_init_final_actions"
diff --git a/roles/system_keyboard/tasks/main.yml b/roles/system_keyboard/tasks/main.yml
@@ -19,6 +19,7 @@
 - name: Configure system keyboard
   command: localectl set-keymap {{ system_keyboard }}
   register: keyboard_config
+  changed_when: true
   when: not keyboard_check.found
 
 - name: Check system console font configuration
@@ -40,10 +41,12 @@
 
 - name: Configure system console font
   command: setfont {{ system_font }}
+  changed_when: true
   when: font_config is changed
 
 - name: Rebuild initramfs
   command: dracut -f --regenerate-all
+  changed_when: true
   when: package_install is changed or
         keyboard_config is changed or
         font_config is changed
diff --git a/roles/system_locale/tasks/main.yml b/roles/system_locale/tasks/main.yml
@@ -9,11 +9,11 @@
 
 - name: Check langpack support
   set_fact:
-    langpacks: "{{ true if ansible_facts.distribution_major_version|int >= 8 else false }}"
+    langpacks: "{{ true if ansible_facts.distribution_major_version | int >= 8 else false }}"
 
 - name: Check C.UTF-8 support
   set_fact:
-    c_utf_8: "{{ true if ansible_facts.distribution_major_version|int >= 9 else false }}"
+    c_utf_8: "{{ true if ansible_facts.distribution_major_version | int >= 9 else false }}"
 
 - name: Install locale packages
   vars:
@@ -36,6 +36,7 @@
 
 - name: Rebuild initramfs
   command: dracut -f --regenerate-all
+  changed_when: true
   when: locale_config is changed
 
 - name: Reboot system

diff --git a/roles/system_unregister/tasks/main.yml b/roles/system_unregister/tasks/main.yml
@@ -30,10 +30,11 @@
 
 # Use removes: to only run on registered systems
 - name: Clean package manager caches (RHEL 7)
+  # noqa: command-instead-of-module
   command:
     cmd: yum -C clean all
     removes: /etc/rhsm/ca/katello-server-ca.pem
-  when: ansible_facts.distribution_major_version|int < 8
+  when: ansible_facts.distribution_major_version | int < 8
 
 - name: Unregister from Red Hat Subscription Management
   command: subscription-manager unregister
@@ -78,7 +79,8 @@
 
 - name: Clean package manager caches
   command: dnf -C clean all
-  when: ansible_facts.distribution_major_version|int >= 8
+  changed_when: true
+  when: ansible_facts.distribution_major_version | int >= 8
 
 - name: Check RHSM configuration backup file
   stat: