ci: migrate to woodpecker

This commit is contained in:
Robert Kaussow 2024-02-18 13:27:45 +01:00
parent 4c84f84a22
commit 7fdae47263
Signed by: xoxys
GPG Key ID: 4E692A2EAECC03C0
37 changed files with 299 additions and 1028 deletions


@ -1,161 +0,0 @@
local PipelineLinting = {
kind: 'pipeline',
name: 'linting',
platform: {
os: 'linux',
arch: 'amd64',
},
steps: [
{
name: 'ansible-later',
image: 'thegeeklab/ansible-later',
commands: [
'ansible-later',
],
},
{
name: 'python-format',
image: 'python:3.11',
environment: {
PY_COLORS: 1,
},
commands: [
'pip install -qq yapf',
'[ -z "$(find . -type f -name *.py)" ] || (yapf -rd ./)',
],
},
{
name: 'python-flake8',
image: 'python:3.11',
environment: {
PY_COLORS: 1,
},
commands: [
'pip install -qq flake8',
'flake8',
],
},
],
trigger: {
ref: ['refs/heads/main', 'refs/tags/**', 'refs/pull/**'],
},
};
local PipelineDeployment(scenario='centos7') = {
kind: 'pipeline',
name: 'testing-' + scenario,
platform: {
os: 'linux',
arch: 'amd64',
},
concurrency: {
limit: 1,
},
workspace: {
base: '/drone/src',
path: '${DRONE_REPO_NAME}',
},
steps: [
{
name: 'ansible-molecule',
image: 'thegeeklab/molecule:4',
environment: {
HCLOUD_TOKEN: { from_secret: 'hcloud_token' },
},
commands: [
'molecule test -s ' + scenario,
],
},
],
depends_on: [
'linting',
],
trigger: {
ref: ['refs/heads/main', 'refs/tags/**', 'refs/pull/**'],
},
};
local PipelineDocumentation = {
kind: 'pipeline',
name: 'documentation',
platform: {
os: 'linux',
arch: 'amd64',
},
steps: [
{
name: 'generate',
image: 'thegeeklab/ansible-doctor',
environment: {
ANSIBLE_DOCTOR_LOG_LEVEL: 'INFO',
ANSIBLE_DOCTOR_FORCE_OVERWRITE: true,
ANSIBLE_DOCTOR_EXCLUDE_FILES: 'molecule/',
ANSIBLE_DOCTOR_TEMPLATE: 'hugo-book',
ANSIBLE_DOCTOR_ROLE_NAME: '${DRONE_REPO_NAME#*.}',
ANSIBLE_DOCTOR_OUTPUT_DIR: '_docs/',
},
},
{
name: 'publish',
image: 'plugins/gh-pages',
settings: {
remote_url: 'https://gitea.rknet.org/ansible/${DRONE_REPO_NAME}',
netrc_machine: 'gitea.rknet.org',
username: { from_secret: 'gitea_username' },
password: { from_secret: 'gitea_token' },
pages_directory: '_docs/',
target_branch: 'docs',
},
when: {
ref: ['refs/heads/main'],
},
},
],
trigger: {
ref: ['refs/heads/main', 'refs/tags/**', 'refs/pull/**'],
},
depends_on: [
'testing-centos7',
'testing-rocky8',
],
};
local PipelineNotification = {
kind: 'pipeline',
name: 'notification',
platform: {
os: 'linux',
arch: 'amd64',
},
clone: {
disable: true,
},
steps: [
{
name: 'matrix',
image: 'thegeeklab/drone-matrix',
settings: {
homeserver: { from_secret: 'matrix_homeserver' },
roomid: { from_secret: 'matrix_roomid' },
template: 'Status: **{{ .Build.Status }}**<br/> Build: [{{ .Repo.Owner }}/{{ .Repo.Name }}]({{ .Build.Link }}){{ if .Build.Branch }} ({{ .Build.Branch }}){{ end }} by {{ .Commit.Author }}<br/> Message: {{ .Commit.Message.Title }}',
username: { from_secret: 'matrix_username' },
password: { from_secret: 'matrix_password' },
},
},
],
depends_on: [
'documentation',
],
trigger: {
status: ['success', 'failure'],
ref: ['refs/heads/main', 'refs/tags/**'],
},
};
[
PipelineLinting,
PipelineDeployment(scenario='centos7'),
PipelineDeployment(scenario='rocky8'),
PipelineDocumentation,
PipelineNotification,
]


@ -1,187 +0,0 @@
---
kind: pipeline
name: linting
platform:
os: linux
arch: amd64
steps:
- name: ansible-later
image: thegeeklab/ansible-later
commands:
- ansible-later
- name: python-format
image: python:3.11
commands:
- pip install -qq yapf
- "[ -z \"$(find . -type f -name *.py)\" ] || (yapf -rd ./)"
environment:
PY_COLORS: 1
- name: python-flake8
image: python:3.11
commands:
- pip install -qq flake8
- flake8
environment:
PY_COLORS: 1
trigger:
ref:
- refs/heads/main
- refs/tags/**
- refs/pull/**
---
kind: pipeline
name: testing-centos7
platform:
os: linux
arch: amd64
concurrency:
limit: 1
workspace:
base: /drone/src
path: ${DRONE_REPO_NAME}
steps:
- name: ansible-molecule
image: thegeeklab/molecule:4
commands:
- molecule test -s centos7
environment:
HCLOUD_TOKEN:
from_secret: hcloud_token
trigger:
ref:
- refs/heads/main
- refs/tags/**
- refs/pull/**
depends_on:
- linting
---
kind: pipeline
name: testing-rocky8
platform:
os: linux
arch: amd64
concurrency:
limit: 1
workspace:
base: /drone/src
path: ${DRONE_REPO_NAME}
steps:
- name: ansible-molecule
image: thegeeklab/molecule:4
commands:
- molecule test -s rocky8
environment:
HCLOUD_TOKEN:
from_secret: hcloud_token
trigger:
ref:
- refs/heads/main
- refs/tags/**
- refs/pull/**
depends_on:
- linting
---
kind: pipeline
name: documentation
platform:
os: linux
arch: amd64
steps:
- name: generate
image: thegeeklab/ansible-doctor
environment:
ANSIBLE_DOCTOR_EXCLUDE_FILES: molecule/
ANSIBLE_DOCTOR_FORCE_OVERWRITE: true
ANSIBLE_DOCTOR_LOG_LEVEL: INFO
ANSIBLE_DOCTOR_OUTPUT_DIR: _docs/
ANSIBLE_DOCTOR_ROLE_NAME: ${DRONE_REPO_NAME#*.}
ANSIBLE_DOCTOR_TEMPLATE: hugo-book
- name: publish
image: plugins/gh-pages
settings:
netrc_machine: gitea.rknet.org
pages_directory: _docs/
password:
from_secret: gitea_token
remote_url: https://gitea.rknet.org/ansible/${DRONE_REPO_NAME}
target_branch: docs
username:
from_secret: gitea_username
when:
ref:
- refs/heads/main
trigger:
ref:
- refs/heads/main
- refs/tags/**
- refs/pull/**
depends_on:
- testing-centos7
- testing-rocky8
---
kind: pipeline
name: notification
platform:
os: linux
arch: amd64
clone:
disable: true
steps:
- name: matrix
image: thegeeklab/drone-matrix
settings:
homeserver:
from_secret: matrix_homeserver
password:
from_secret: matrix_password
roomid:
from_secret: matrix_roomid
template: "Status: **{{ .Build.Status }}**<br/> Build: [{{ .Repo.Owner }}/{{ .Repo.Name }}]({{ .Build.Link }}){{ if .Build.Branch }} ({{ .Build.Branch }}){{ end }} by {{ .Commit.Author }}<br/> Message: {{ .Commit.Message.Title }}"
username:
from_secret: matrix_username
trigger:
ref:
- refs/heads/main
- refs/tags/**
status:
- success
- failure
depends_on:
- documentation
---
kind: signature
hmac: 81c9c0b1581b8c2c8be514ee0386aec1d8f55d536deeefbbd6c05b1bdcc993c5
...

.gitignore vendored

@ -9,5 +9,3 @@ __pycache__/
*.py[cod]
*$py.class
# ---> Docs
/_docs


@ -10,10 +10,6 @@ ansible:
rules:
exclude_files:
- molecule/
- "LICENSE*"
- "**/*.md"
- "**/*.ini"
exclude_filter:
- LINT0009

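--- /dev/null
+++ b/.markdownlint.yml
@@ -0,0 +1,7 @@
+---
+default: True
+MD013: False
+MD041: False
+MD024: False
+MD004:
+style: dash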

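--- /dev/null
+++ b/.prettierignore
@@ -0,0 +1 @@
+LICENSE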

.woodpecker/docs.yaml Normal file

@ -0,0 +1,47 @@
---
when:
- event: [pull_request]
- event: [push, manual]
branch:
- ${CI_REPO_DEFAULT_BRANCH}
steps:
- name: generate
image: quay.io/thegeeklab/ansible-doctor
environment:
ANSIBLE_DOCTOR_EXCLUDE_FILES: molecule/
ANSIBLE_DOCTOR_FORCE_OVERWRITE: "true"
ANSIBLE_DOCTOR_LOG_LEVEL: INFO
ANSIBLE_DOCTOR_ROLE_NAME: ${CI_REPO_NAME}
ANSIBLE_DOCTOR_TEMPLATE: readme
- name: format
image: quay.io/thegeeklab/alpine-tools
commands:
- prettier -w README.md
- name: diff
image: quay.io/thegeeklab/alpine-tools
commands:
- git diff --color=always README.md
- name: publish
image: quay.io/thegeeklab/wp-git-action
settings:
action:
- commit
- push
author_email: ci-bot@rknet.org
author_name: ci-bot
branch: main
message: "[skip ci] automated docs update"
netrc_machine: gitea.rknet.org
netrc_password:
from_secret: gitea_token
when:
- event: [push, manual]
branch:
- ${CI_REPO_DEFAULT_BRANCH}
depends_on:
- test
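Review bot: The `publish` step pushes to a hard-coded `branch: main` while both its own `when` and the workflow-level `when` gate on `${CI_REPO_DEFAULT_BRANCH}`; if the default branch is ever renamed, the gate and the push target diverge silently, so use `branch: ${CI_REPO_DEFAULT_BRANCH}` there as well. `publish` is the only step that receives `gitea_token` and it is limited to push/manual events, which keeps the token out of pull-request builds; it is worth confirming in the Woodpecker secret settings that `gitea_token` is likewise not enabled for the pull_request event, so the `generate`, `format` and `diff` steps cannot obtain it either. The `[skip ci]` marker in `message` is what stops the bot commit from re-triggering this workflow and deserves a short comment, since removing it would loop.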

.woodpecker/lint.yaml Normal file

@ -0,0 +1,30 @@
---
when:
- event: [pull_request, tag]
- event: [push, manual]
branch:
- ${CI_REPO_DEFAULT_BRANCH}
steps:
- name: ansible-later
image: quay.io/thegeeklab/ansible-later:4
commands:
- ansible-later
environment:
FORCE_COLOR: "1"
- name: python-format
image: docker.io/python:3.12
commands:
- pip install -qq ruff
- ruff format --check --diff .
environment:
PY_COLORS: "1"
- name: python-lint
image: docker.io/python:3.12
commands:
- pip install -qq ruff
- ruff .
environment:
PY_COLORS: "1"
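Review bot: Both `pip install -qq ruff` lines (in the `python-format` and `python-lint` steps) install an unpinned ruff, so every build pulls whatever the newest release is and a new default rule or formatter change can fail lint with no change to the repository; pin it, e.g. `pip install -qq ruff==<pinned version>`, and bump deliberately. `ruff .` in the `python-lint` step relies on the implicit default subcommand; `ruff check .` states what is meant and mirrors the explicit `ruff format --check --diff .` above it.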

.woodpecker/notify.yml Normal file

@ -0,0 +1,26 @@
---
when:
- event: [tag]
- event: [push, manual]
branch:
- ${CI_REPO_DEFAULT_BRANCH}
runs_on: [success, failure]
steps:
- name: matrix
image: quay.io/thegeeklab/wp-matrix
settings:
homeserver:
from_secret: matrix_homeserver
password:
from_secret: matrix_password
roomid:
from_secret: matrix_roomid
username:
from_secret: matrix_username
when:
- status: [success, failure]
depends_on:
- docs
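Review bot: This workflow runs on `tag` events but depends on `docs`, whose `when` in `.woodpecker/docs.yaml` covers only pull_request, push and manual; on a tag build the docs workflow is skipped, and it is not clear from here whether Woodpecker then runs `notify` or leaves it waiting on the unsatisfied dependency — worth checking on the first tag, or depending on `test` (which does run on tags) instead. The workflow-level `runs_on: [success, failure]` and the step-level `when: - status: [success, failure]` express the same condition twice; one of them can go.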

.woodpecker/test.yaml Normal file

@ -0,0 +1,25 @@
---
when:
- event: [pull_request, tag]
- event: [push, manual]
branch:
- ${CI_REPO_DEFAULT_BRANCH}
variables:
- &molecule_base
image: quay.io/thegeeklab/molecule:6
group: molecule
secrets:
- source: molecule_hcloud_token
target: HCLOUD_TOKEN
environment:
PY_COLORS: "1"
steps:
- name: molecule-default
<<: *molecule_base
commands:
- molecule test -s default
depends_on:
- lint
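Review bot: The `molecule_hcloud_token` secret is mapped into `HCLOUD_TOKEN` for every step built from `&molecule_base` while the workflow also runs on `pull_request`, so a pull request that changes the scenario, the prepare playbook or the role's tasks runs that code with a live Hetzner Cloud credential. Restrict the secret in the Woodpecker secret settings so it is not available for the pull_request event (or only for trusted sources), or narrow the workflow's pull-request `when`; a leaked token can create and delete servers under the account, which is a much larger blast radius than a failed test. The `group: molecule` key serialises the molecule steps, which carries over the `concurrency: limit: 1` the old Drone pipeline had and is worth a one-line comment so it is not removed as unused.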


@ -1,12 +1 @@
# xoxys.users
[![Build Status](https://img.shields.io/drone/build/ansible/xoxys.users?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.users)
[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
Manage users and default bash environment.
You can find the full documentation at [https://galaxy.geekdocs.de](https://galaxy.geekdocs.de/roles/system/users/).
## License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.


@ -6,19 +6,18 @@ galaxy_info:
namespace: xoxys
role_name: users
# @meta description: >
# [![Source Code](https://img.shields.io/badge/gitea-source%20code-blue?logo=gitea&logoColor=white)](https://gitea.rknet.org/ansible/xoxys.users)
# [![Build Status](https://img.shields.io/drone/build/ansible/xoxys.users?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.users)
# [![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://gitea.rknet.org/ansible/xoxys.users/src/branch/main/LICENSE)
# [![Build Status](https://ci.rknet.org/api/badges/ansible/xoxys.users/status.svg)](https://ci.rknet.org/repos/ansible/xoxys.users)
# [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.users/src/branch/main/LICENSE)
#
# Manage users and default bash environment.
# @end
description: Manage users and default bash environment
license: MIT
min_ansible_version: 2.10
min_ansible_version: "2.10"
platforms:
- name: EL
versions:
- 7
- "9"
galaxy_tags:
- user
dependencies: []


@ -1,15 +0,0 @@
---
- name: Converge
hosts: all
vars:
users_global_umask: "027"
users_default_users:
- name: demouser
groups:
- wheel
shell: /bin/sh
users_default_groups:
- demogroup
roles:
- role: xoxys.users


@ -1,120 +0,0 @@
---
- name: Create
hosts: localhost
connection: local
gather_facts: false
no_log: "{{ molecule_no_log }}"
vars:
ssh_port: 22
ssh_user: root
ssh_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/ssh_key"
tasks:
- name: Create SSH key
user:
name: "{{ lookup('env', 'USER') }}"
generate_ssh_key: true
ssh_key_file: "{{ ssh_path }}"
force: true
register: generated_ssh_key
- name: Register the SSH key name
set_fact:
ssh_key_name: "molecule-generated-{{ 12345 | random | to_uuid }}"
- name: Register SSH key for test instance(s)
hcloud_ssh_key:
name: "{{ ssh_key_name }}"
public_key: "{{ generated_ssh_key.ssh_public_key }}"
state: present
- name: Create molecule instance(s)
hcloud_server:
name: "{{ item.name }}"
server_type: "{{ item.server_type }}"
ssh_keys:
- "{{ ssh_key_name }}"
image: "{{ item.image }}"
location: "{{ item.location | default(omit) }}"
datacenter: "{{ item.datacenter | default(omit) }}"
user_data: "{{ item.user_data | default(omit) }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: present
register: server
loop: "{{ molecule_yml.platforms }}"
async: 7200
poll: 0
- name: Wait for instance(s) creation to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_jobs
until: hetzner_jobs.finished
retries: 300
loop: "{{ server.results }}"
- name: Create volume(s)
hcloud_volume:
name: "{{ item.name }}"
server: "{{ item.name }}"
location: "{{ item.location | default(omit) }}"
size: "{{ item.volume_size | default(10) }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: "present"
loop: "{{ molecule_yml.platforms }}"
when: item.volume | default(False) | bool
register: volumes
async: 7200
poll: 0
- name: Wait for volume(s) creation to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_volumes
until: hetzner_volumes.finished
retries: 300
when: volumes.changed
loop: "{{ volumes.results }}"
# Mandatory configuration for Molecule to function.
- name: Populate instance config dict
set_fact:
instance_conf_dict:
{
"instance": "{{ item.hcloud_server.name }}",
"ssh_key_name": "{{ ssh_key_name }}",
"address": "{{ item.hcloud_server.ipv4_address }}",
"user": "{{ ssh_user }}",
"port": "{{ ssh_port }}",
"identity_file": "{{ ssh_path }}",
"volume": "{{ item.item.item.volume | default(False) | bool }}",
}
loop: "{{ hetzner_jobs.results }}"
register: instance_config_dict
when: server.changed | bool
- name: Convert instance config dict to a list
set_fact:
instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}"
when: server.changed | bool
- name: Dump instance config
copy:
content: |
# Molecule managed
{{ instance_conf | to_nice_yaml(indent=2) }}
dest: "{{ molecule_instance_config }}"
when: server.changed | bool
- name: Wait for SSH
wait_for:
port: "{{ ssh_port }}"
host: "{{ item.address }}"
search_regex: SSH
delay: 10
loop: "{{ lookup('file', molecule_instance_config) | from_yaml }}"
- name: Wait for VM to settle down
pause:
seconds: 30


@ -1,78 +0,0 @@
---
- name: Destroy
hosts: localhost
connection: local
gather_facts: false
no_log: "{{ molecule_no_log }}"
tasks:
- name: Check existing instance config file
stat:
path: "{{ molecule_instance_config }}"
register: cfg
- name: Populate the instance config
set_fact:
instance_conf: "{{ (lookup('file', molecule_instance_config) | from_yaml) if cfg.stat.exists else [] }}"
- name: Destroy molecule instance(s)
hcloud_server:
name: "{{ item.instance }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: absent
register: server
loop: "{{ instance_conf }}"
async: 7200
poll: 0
- name: Wait for instance(s) deletion to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_jobs
until: hetzner_jobs.finished
retries: 300
loop: "{{ server.results }}"
- pause:
seconds: 5
- name: Destroy volume(s)
hcloud_volume:
name: "{{ item.instance }}"
server: "{{ item.instance }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: "absent"
register: volumes
loop: "{{ instance_conf }}"
when: item.volume | default(False) | bool
async: 7200
poll: 0
- name: Wait for volume(s) deletion to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_volumes
until: hetzner_volumes.finished
retries: 300
when: volumes.changed
loop: "{{ volumes.results }}"
- name: Remove registered SSH key
hcloud_ssh_key:
name: "{{ instance_conf[0].ssh_key_name }}"
state: absent
when: (instance_conf | default([])) | length > 0
# Mandatory configuration for Molecule to function.
- name: Populate instance config
set_fact:
instance_conf: {}
- name: Dump instance config
copy:
content: |
# Molecule managed
{{ instance_conf | to_nice_yaml(indent=2) }}
dest: "{{ molecule_instance_config }}"
when: server.changed | bool


@ -1,24 +0,0 @@
---
dependency:
name: galaxy
options:
role-file: molecule/requirements.yml
requirements-file: molecule/requirements.yml
env:
ANSIBLE_GALAXY_DISPLAY_PROGRESS: "false"
driver:
name: delegated
platforms:
- name: centos7-users
image: centos-7
server_type: cx11
lint: |
/usr/local/bin/flake8
provisioner:
name: ansible
env:
ANSIBLE_FILTER_PLUGINS: ${ANSIBLE_FILTER_PLUGINS:-./plugins/filter}
ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-./library}
log: False
verifier:
name: testinfra


@ -1,15 +0,0 @@
---
- name: Prepare
hosts: all
gather_facts: false
tasks:
- name: Bootstrap python for Ansible
raw: |
command -v python3 python || (
(test -e /usr/bin/dnf && sudo dnf install -y python3) ||
(test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) ||
(test -e /usr/bin/yum && sudo yum -y -qq install python3) ||
echo "Warning: Python not boostrapped due to unknown platform."
)
become: true
changed_when: false


@ -1 +0,0 @@
rocky8


@ -10,6 +10,5 @@
shell: /bin/sh
users_default_groups:
- demogroup
roles:
- role: xoxys.users


@ -0,0 +1,17 @@
---
driver:
name: molecule_hetznercloud
dependency:
name: galaxy
options:
role-file: molecule/requirements.yml
requirements-file: molecule/requirements.yml
platforms:
- name: "rocky9-users"
server_type: "cx11"
image: "rocky-9"
provisioner:
name: ansible
log: False
verifier:
name: testinfra


@ -0,0 +1,11 @@
---
- name: Prepare
hosts: all
gather_facts: False
tasks:
- name: Bootstrap Python for Ansible
ansible.builtin.raw: |
command -v python3 python ||
((test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) ||
echo "Warning: Python not boostrapped due to unknown platform.")
changed_when: False
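Review bot: The Python bootstrap in this prepare playbook now only knows `apt`, but the scenario's platform is `rocky-9`, and the `||` chain ends in an `echo`, so if `python3` were missing the task would print the warning, exit 0 and the real failure would likely surface later as an unrelated connection or module error. Either keep a `dnf` branch, or make the fallback fail loudly, e.g. replace the final `echo "..."` with `(echo "Warning: ..." >&2; exit 1)` so the run stops at the cause. The warning text also misspells "bootstrapped" as "boostrapped"; this is now the only remaining copy of the message, since the centos7 and rocky8 prepare playbooks are deleted in this commit.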


@ -1,3 +0,0 @@
[pytest]
filterwarnings =
ignore::DeprecationWarning


@ -1,6 +1,3 @@
---
collections:
- name: https://gitea.rknet.org/ansible/xoxys.general/releases/download/v2.1.1/xoxys-general-2.1.1.tar.gz
- name: community.general
collections: []
roles: []


@ -1,120 +0,0 @@
---
- name: Create
hosts: localhost
connection: local
gather_facts: false
no_log: "{{ molecule_no_log }}"
vars:
ssh_port: 22
ssh_user: root
ssh_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/ssh_key"
tasks:
- name: Create SSH key
user:
name: "{{ lookup('env', 'USER') }}"
generate_ssh_key: true
ssh_key_file: "{{ ssh_path }}"
force: true
register: generated_ssh_key
- name: Register the SSH key name
set_fact:
ssh_key_name: "molecule-generated-{{ 12345 | random | to_uuid }}"
- name: Register SSH key for test instance(s)
hcloud_ssh_key:
name: "{{ ssh_key_name }}"
public_key: "{{ generated_ssh_key.ssh_public_key }}"
state: present
- name: Create molecule instance(s)
hcloud_server:
name: "{{ item.name }}"
server_type: "{{ item.server_type }}"
ssh_keys:
- "{{ ssh_key_name }}"
image: "{{ item.image }}"
location: "{{ item.location | default(omit) }}"
datacenter: "{{ item.datacenter | default(omit) }}"
user_data: "{{ item.user_data | default(omit) }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: present
register: server
loop: "{{ molecule_yml.platforms }}"
async: 7200
poll: 0
- name: Wait for instance(s) creation to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_jobs
until: hetzner_jobs.finished
retries: 300
loop: "{{ server.results }}"
- name: Create volume(s)
hcloud_volume:
name: "{{ item.name }}"
server: "{{ item.name }}"
location: "{{ item.location | default(omit) }}"
size: "{{ item.volume_size | default(10) }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: "present"
loop: "{{ molecule_yml.platforms }}"
when: item.volume | default(False) | bool
register: volumes
async: 7200
poll: 0
- name: Wait for volume(s) creation to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_volumes
until: hetzner_volumes.finished
retries: 300
when: volumes.changed
loop: "{{ volumes.results }}"
# Mandatory configuration for Molecule to function.
- name: Populate instance config dict
set_fact:
instance_conf_dict:
{
"instance": "{{ item.hcloud_server.name }}",
"ssh_key_name": "{{ ssh_key_name }}",
"address": "{{ item.hcloud_server.ipv4_address }}",
"user": "{{ ssh_user }}",
"port": "{{ ssh_port }}",
"identity_file": "{{ ssh_path }}",
"volume": "{{ item.item.item.volume | default(False) | bool }}",
}
loop: "{{ hetzner_jobs.results }}"
register: instance_config_dict
when: server.changed | bool
- name: Convert instance config dict to a list
set_fact:
instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}"
when: server.changed | bool
- name: Dump instance config
copy:
content: |
# Molecule managed
{{ instance_conf | to_nice_yaml(indent=2) }}
dest: "{{ molecule_instance_config }}"
when: server.changed | bool
- name: Wait for SSH
wait_for:
port: "{{ ssh_port }}"
host: "{{ item.address }}"
search_regex: SSH
delay: 10
loop: "{{ lookup('file', molecule_instance_config) | from_yaml }}"
- name: Wait for VM to settle down
pause:
seconds: 30


@ -1,78 +0,0 @@
---
- name: Destroy
hosts: localhost
connection: local
gather_facts: false
no_log: "{{ molecule_no_log }}"
tasks:
- name: Check existing instance config file
stat:
path: "{{ molecule_instance_config }}"
register: cfg
- name: Populate the instance config
set_fact:
instance_conf: "{{ (lookup('file', molecule_instance_config) | from_yaml) if cfg.stat.exists else [] }}"
- name: Destroy molecule instance(s)
hcloud_server:
name: "{{ item.instance }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: absent
register: server
loop: "{{ instance_conf }}"
async: 7200
poll: 0
- name: Wait for instance(s) deletion to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_jobs
until: hetzner_jobs.finished
retries: 300
loop: "{{ server.results }}"
- pause:
seconds: 5
- name: Destroy volume(s)
hcloud_volume:
name: "{{ item.instance }}"
server: "{{ item.instance }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: "absent"
register: volumes
loop: "{{ instance_conf }}"
when: item.volume | default(False) | bool
async: 7200
poll: 0
- name: Wait for volume(s) deletion to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_volumes
until: hetzner_volumes.finished
retries: 300
when: volumes.changed
loop: "{{ volumes.results }}"
- name: Remove registered SSH key
hcloud_ssh_key:
name: "{{ instance_conf[0].ssh_key_name }}"
state: absent
when: (instance_conf | default([])) | length > 0
# Mandatory configuration for Molecule to function.
- name: Populate instance config
set_fact:
instance_conf: {}
- name: Dump instance config
copy:
content: |
# Molecule managed
{{ instance_conf | to_nice_yaml(indent=2) }}
dest: "{{ molecule_instance_config }}"
when: server.changed | bool


@ -1,24 +0,0 @@
---
dependency:
name: galaxy
options:
role-file: molecule/requirements.yml
requirements-file: molecule/requirements.yml
env:
ANSIBLE_GALAXY_DISPLAY_PROGRESS: "false"
driver:
name: delegated
platforms:
- name: rocky8-users
image: rocky-8
server_type: cx11
lint: |
/usr/local/bin/flake8
provisioner:
name: ansible
env:
ANSIBLE_FILTER_PLUGINS: ${ANSIBLE_FILTER_PLUGINS:-./plugins/filter}
ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-./library}
log: False
verifier:
name: testinfra


@ -1,15 +0,0 @@
---
- name: Prepare
hosts: all
gather_facts: false
tasks:
- name: Bootstrap python for Ansible
raw: |
command -v python3 python || (
(test -e /usr/bin/dnf && sudo dnf install -y python3) ||
(test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) ||
(test -e /usr/bin/yum && sudo yum -y -qq install python3) ||
echo "Warning: Python not boostrapped due to unknown platform."
)
become: true
changed_when: false


@ -1,19 +0,0 @@
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ["MOLECULE_INVENTORY_FILE"]
).get_hosts("all")
def test_users_create_user(host):
user = host.user("demouser")
assert user.name == "demouser"
assert user.shell == "/bin/sh"
assert "wheel" in user.groups
def test_users_create_group(host):
assert host.group("demogroup").exists

pyproject.toml Normal file

@ -0,0 +1,17 @@
[tool.ruff]
exclude = [".git", "__pycache__"]
line-length = 99
indent-width = 4
[tool.ruff.lint]
ignore = ["W191", "E111", "E114", "E117", "S101", "S105"]
select = ["F", "E", "I", "W", "S"]
[tool.ruff.format]
quote-style = "double"
indent-style = "space"
line-ending = "lf"
[tool.pytest.ini_options]
filterwarnings = ["ignore::FutureWarning", "ignore::DeprecationWarning"]
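Review bot: `S105` in the `[tool.ruff.lint]` ignore list switches off ruff's hardcoded-password-string check for the whole project, and `S101` does the same for `assert`; both are presumably there for the testinfra tests, where asserts are the point, but a project-wide ignore also hides a real credential literal in any plugin or module that gets added later. Scope them with a `[tool.ruff.lint.per-file-ignores]` table instead, e.g. a glob for the test files such as `"**/tests/*.py" = ["S101", "S105"]` (constructed example), and keep `select` as it is. The `filterwarnings` entry carries over the `DeprecationWarning` filter from the deleted `pytest.ini`, so it is not new, but it does mask deprecations in the role's own Python until they become errors.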


@ -1,12 +0,0 @@
[flake8]
ignore = D100, D101, D102, D103, D105, D107, E402, W503
max-line-length = 99
inline-quotes = double
exclude = .git,.tox,__pycache__,build,dist,tests,*.pyc,*.egg-info,.cache,.eggs,env*
[yapf]
based_on_style = google
column_limit = 99
dedent_closing_brackets = true
coalesce_brackets = true
split_before_logical_operator = true


@ -1,20 +1,17 @@
---
- block:
- name: Override default .bashrc
template:
src: etc/bashrc.j2
dest: "{{ item }}"
owner: root
group: root
mode: 0644
loop: "{{ users_bash_bashrc_overrides }}"
- name: Override default .bashrc
ansible.builtin.template:
src: etc/bashrc.j2
dest: "{{ item }}"
owner: root
group: root
mode: "0644"
loop: "{{ users_bash_bashrc_overrides }}"
- name: Setup custom bash profile
template:
src: etc/profile.d/custom.sh.j2
dest: /etc/profile.d/custom.sh
owner: root
group: root
mode: 0644
become: True
become_user: root
- name: Setup custom bash profile
ansible.builtin.template:
src: etc/profile.d/custom.sh.j2
dest: /etc/profile.d/custom.sh
owner: root
group: root
mode: "0644"
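Review bot: Dropping the surrounding `block` also drops its `become: True` / `become_user: root`, so the two `ansible.builtin.template` tasks, which write `/etc/profile.d/custom.sh` and the `users_bash_bashrc_overrides` paths with `owner: root`, now succeed only when the calling play already runs the role with privilege escalation; nothing in this hunk records that requirement. The same removal happens in the security.yml, users_default.yml and users_keys.yml sections below and in the Univention-specific users file at the end of the page. If the change is intentional, state it where users will see it, e.g. a `# This role writes under /etc and expects the calling play to set become: true.` comment at the top of the main task file and a sentence in the README; otherwise re-add `become: true` on these tasks.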


@ -1,5 +1,5 @@
---
- include_vars: "{{ lookup('first_found', params) }}"
- ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
vars:
params:
files:
@ -8,10 +8,9 @@
paths:
- "vars"
errors: "ignore"
- include_tasks: security.yml
- include_tasks: bash.yml
- include_tasks: "{{ lookup('first_found', params) }}"
- ansible.builtin.include_tasks: security.yml
- ansible.builtin.include_tasks: bash.yml
- ansible.builtin.include_tasks: "{{ lookup('first_found', params) }}"
vars:
params:
files:
@ -20,4 +19,4 @@
- "users_default.yml"
paths:
- "tasks"
- include_tasks: users_keys.yml
- ansible.builtin.include_tasks: users_keys.yml


@ -1,57 +1,54 @@
---
- block:
- name: Stat umask files
stat:
path: "{{ item }}"
loop:
- /etc/bashrc
- /etc/csh.cshrc
- /etc/profile
register: __users_umask_files
- name: Stat umask files
ansible.builtin.stat:
path: "{{ item }}"
loop:
- /etc/bashrc
- /etc/csh.cshrc
- /etc/profile
register: __users_umask_files
- name: Stat pwquality files
stat:
path: "/etc/security/pwquality.conf"
register: __users_pwquality_file
- name: Stat pwquality files
ansible.builtin.stat:
path: "/etc/security/pwquality.conf"
register: __users_pwquality_file
- name: Set global umask
replace:
path: "{{ item }}"
regexp: '(?i)^(?P<umask>\s+UMASK\s+).+'
replace: \g<umask>{{ users_global_umask }}
loop: "{{ __users_umask_files | json_query('results[?stat.exists].item') }}"
- name: Set global umask
ansible.builtin.replace:
path: "{{ item }}"
regexp: '(?i)^(?P<umask>\s+UMASK\s+).+'
replace: \g<umask>{{ users_global_umask }}
loop: "{{ __users_umask_files | json_query('results[?stat.exists].item') }}"
- name: Set umask in /etc/login.defs
lineinfile:
path: /etc/login.defs
regexp: '^(?P<umask>UMASK\s+).+'
line: \g<umask>{{ users_global_umask }}
backrefs: yes
state: present
- name: Set umask in /etc/login.defs
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^(?P<umask>UMASK\s+).+'
line: \g<umask>{{ users_global_umask }}
backrefs: True
state: present
- name: Enforce minimum password lifetime
lineinfile:
path: /etc/login.defs
regexp: '^(?P<passmin>PASS_MIN_DAYS\s+).+'
line: \g<passmin>{{ users_pass_min_day }}
backrefs: yes
state: present
- name: Enforce minimum password lifetime
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^(?P<passmin>PASS_MIN_DAYS\s+).+'
line: \g<passmin>{{ users_pass_min_day }}
backrefs: True
state: present
- name: Set default account expiration after inactivity
lineinfile:
path: /etc/default/useradd
regexp: "^(?P<inactive>INACTIVE=).+"
line: \g<inactive>{{ users_default_inactive }}
backrefs: yes
state: present
- name: Set default account expiration after inactivity
ansible.builtin.lineinfile:
path: /etc/default/useradd
regexp: "^(?P<inactive>INACTIVE=).+"
line: \g<inactive>{{ users_default_inactive }}
backrefs: True
state: present
- name: Set pwquality if available
template:
src: etc/security/pwquality.conf.j2
dest: /etc/security/pwquality.conf
owner: root
group: root
mode: 0644
when: __users_pwquality_file.stat.exists | bool
become: True
become_user: root
- name: Set pwquality if available
ansible.builtin.template:
src: etc/security/pwquality.conf.j2
dest: /etc/security/pwquality.conf
owner: root
group: root
mode: "0644"
when: __users_pwquality_file.stat.exists | bool


@ -1,21 +1,18 @@
---
- block:
- name: Create groups
group:
name: "{{ item }}"
state: present
loop: "{{ users_default_groups }}"
- name: Create groups
ansible.builtin.group:
name: "{{ item }}"
state: present
loop: "{{ users_default_groups }}"
- name: Create users
user:
name: "{{ item.name }}"
groups: "{{ item.groups | default([]) | join(',') or omit }}"
append: "{{ True if (item.groups | default([]) | length > 0) else False }}"
password: "{{ item.password | password_hash('sha512',65534 | random(seed=inventory_hostname) | string) if item.password is defined else '*' }}"
password_expire_min: "{{ item.password_expire_min | default(users_pass_min_day) }}"
shell: "{{ item.shell | default('/bin/bash') }}"
loop: "{{ users_default_users }}"
loop_control:
label: "{{ item.name }}"
become: True
become_user: root
- name: Create users
ansible.builtin.user:
name: "{{ item.name }}"
groups: "{{ item.groups | default([]) | join(',') or omit }}"
append: "{{ True if (item.groups | default([]) | length > 0) else False }}"
password: "{{ item.password | password_hash('sha512',65534 | random(seed=inventory_hostname) | string) if item.password is defined else '*' }}"
password_expire_min: "{{ item.password_expire_min | default(users_pass_min_day) }}"
shell: "{{ item.shell | default('/bin/bash') }}"
loop: "{{ users_default_users }}"
loop_control:
label: "{{ item.name }}"
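Review bot: The `password` expression salts `password_hash('sha512', ...)` with `65534 | random(seed=inventory_hostname) | string`, so every user on a host receives the same salt, and that salt is at most five digits derived from a fixed seed; two accounts with the same password get identical hashes, and the salt space is far below what sha512-crypt supports. The seeded salt is presumably there for idempotence (an unseeded `password_hash` would change the hash on every run), which can be kept while making it per-user, e.g. `password_hash('sha512', 65534 | random(seed=inventory_hostname ~ item.name) | string)`. The same expression appears in the Univention-specific users file at the end of the page, and a `# seeded salt keeps the hash stable across runs` comment would explain why the salt is not simply omitted.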


@ -1,14 +1,11 @@
---
- block:
- name: Set authorized_key for ssh users
authorized_key:
user: "{{ item.name }}"
key: "{{ item.sshkeys }}"
exclusive: True
state: present
loop: "{{ users_default_users }}"
loop_control:
label: "{{ item.name }}"
when: item.sshkeys is defined
become: True
become_user: root
- name: Set authorized_key for ssh users
ansible.posix.authorized_key:
user: "{{ item.name }}"
key: "{{ item.sshkeys }}"
exclusive: True
state: present
loop: "{{ users_default_users }}"
loop_control:
label: "{{ item.name }}"
when: item.sshkeys is defined
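Review bot: The task now uses `ansible.posix.authorized_key`, but the molecule requirements section in this commit is reduced to `collections: []` and the galaxy meta section keeps `dependencies: []`; unless the molecule image already ships `ansible.posix`, the test run cannot resolve the module, and Galaxy consumers get no hint that the collection is required. Declare it in the molecule requirements as `collections:` / `- name: ansible.posix` and, if the project follows the galaxy convention for roles that use collections, in the meta file's `collections:` list. `exclusive: True` keeps the previous behaviour of removing every key not listed in `item.sshkeys`; a one-line comment there is warranted, since a partially populated variable locks an operator out rather than merely adding a key.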


@ -1,25 +1,22 @@
---
- block:
# use system users and groups to prevent duplicate ids
# this is a workaround because udm_user not working
- name: Create groups
group:
name: "{{ item }}"
system: "yes"
state: present
loop: "{{ users_default_groups }}"
# use system users and groups to prevent duplicate ids
# this is a workaround because udm_user not working
- name: Create groups
ansible.builtin.group:
name: "{{ item }}"
system: "yes"
state: present
loop: "{{ users_default_groups }}"
- name: Create users
user:
name: "{{ item.name }}"
groups: "{{ item.groups | default([]) | join(',') or omit }}"
append: "{{ True if (item.groups | default([]) | length > 0) else False }}"
password: "{{ item.password | password_hash('sha512',65534 | random(seed=inventory_hostname) | string) if item.password is defined else '*' }}"
password_expire_min: "{{ item.password_expire_min | default(users_pass_min_day) }}"
shell: "{{ item.shell | default('/bin/bash') }}"
system: "yes"
loop: "{{ users_default_users }}"
loop_control:
label: "{{ item.name }}"
become: True
become_user: root
- name: Create users
ansible.builtin.user:
name: "{{ item.name }}"
groups: "{{ item.groups | default([]) | join(',') or omit }}"
append: "{{ True if (item.groups | default([]) | length > 0) else False }}"
password: "{{ item.password | password_hash('sha512',65534 | random(seed=inventory_hostname) | string) if item.password is defined else '*' }}"
password_expire_min: "{{ item.password_expire_min | default(users_pass_min_day) }}"
shell: "{{ item.shell | default('/bin/bash') }}"
system: "yes"
loop: "{{ users_default_users }}"
loop_control:
label: "{{ item.name }}"