From c7d19228e33fc62aaace2975a929238fa9f51864 Mon Sep 17 00:00:00 2001
From: Philippe MILINK
Date: Sat, 23 Mar 2024 21:33:10 +0100
Subject: [PATCH] Applique ansible-lint
---
 .ansible-lint | 1 +
 .pre-commit-config.yaml | 3 +-
 group_vars/all/vars.yml | 1 +
 group_vars/beta/vars.yml | 11 +-
 group_vars/production/vars.yml | 1 +
 group_vars/test/vars.yml | 1 +
 playbook.yml | 1 +
 roles/app/defaults/main.yml | 3 +-
 roles/app/tasks/fixtures.yml | 3 +-
 roles/app/tasks/geodata.yml | 5 +-
 roles/app/tasks/main.yml | 49 ++++----
 roles/backup/tasks/beta.yml | 9 +-
 roles/backup/tasks/main.yml | 5 +-
 roles/common/handlers/main.yml | 1 +
 roles/common/tasks/main.yml | 5 +-
 roles/common/tasks/nodejs.yml | 1 +
 roles/common/tasks/sshd.yml | 9 +-
 roles/elasticsearch/handlers/main.yml | 1 +
 roles/elasticsearch/tasks/main.yml | 5 +-
 roles/firewall/handlers/main.yml | 1 +
 roles/firewall/tasks/main.yml | 15 +--
 roles/latex/handlers/main.yml | 1 +
 roles/latex/tasks/main.yml | 7 +-
 roles/latex/tasks/packages.yml | 3 +-
 roles/latex/vars/main.yml | 5 +-
 roles/munin/handlers/main.yml | 1 +
 roles/munin/tasks/main.yml | 15 +--
 roles/munin/vars/main.yml | 173 +++++++++++++-------------
 roles/mysql/handlers/main.yml | 1 +
 roles/mysql/tasks/main.yml | 7 +-
 roles/web/defaults/main.yml | 1 +
 roles/web/handlers/main.yml | 1 +
 roles/web/tasks/main.yml | 39 +++---
 roles/zdsantispam/tasks/main.yml | 7 +-
 34 files changed, 213 insertions(+), 179 deletions(-)
diff --git a/.ansible-lint b/.ansible-lint
index 7766ad4..3f6470b 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -1,3 +1,4 @@
+---
 exclude_paths:
 - .github/
 skip_list:
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 5d68485..87aee08 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,7 @@
+---
 repos:
 - repo: https://github.com/ansible-community/ansible-lint.git
- rev: v24.2.1 # doit aussi être mis à jour dans requirements.txt
+ rev: v24.2.1 # doit aussi être mis à jour dans requirements.txt
 hooks:
 - id: ansible-lint
 files: \.(yaml|yml)$
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 41b9072..a67e6ee 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -1,3 +1,4 @@
+---
 workdir: /opt/zds
 rundir: "{{ workdir }}/run"
 appdir: "{{ workdir }}/app"
diff --git a/group_vars/beta/vars.yml b/group_vars/beta/vars.yml
index 03d1b6a..3a81de6 100644
--- a/group_vars/beta/vars.yml
+++ b/group_vars/beta/vars.yml
@@ -1,3 +1,4 @@
+---
 # For a PR: pull/xxxx/head
 # For a branch or a tag: just its name
 appversion: dev
@@ -12,8 +13,8 @@ munin_certificate:
 cert: /etc/letsencrypt/live/munin.beta.zestedesavoir.com/fullchain.pem
 key: /etc/letsencrypt/live/munin.beta.zestedesavoir.com/privkey.pem
 very_top_banner:
- background_color: '#800'
- border_color: '#450000'
- color: 'white'
- message: 'Version bêta'
- slug: 'version-beta'
+ background_color: "#800"
+ border_color: "#450000"
+ color: white
+ message: Version bêta
+ slug: version-beta
diff --git a/group_vars/production/vars.yml b/group_vars/production/vars.yml
index e33c52a..1f31a63 100644
--- a/group_vars/production/vars.yml
+++ b/group_vars/production/vars.yml
@@ -1,3 +1,4 @@
+---
 appversion: v30.6-ostara
 env: prod
 public: true
diff --git a/group_vars/test/vars.yml b/group_vars/test/vars.yml
index 0d95f0e..5e03170 100644
--- a/group_vars/test/vars.yml
+++ b/group_vars/test/vars.yml
@@ -1,3 +1,4 @@
+---
 # Load a specific zds configuration to make it work in Vagrant, and it is also
 # what is executed on GitHub Actions
diff --git a/playbook.yml b/playbook.yml
index 758d499..65a42bc 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -1,3 +1,4 @@
+---
 - name: deploy zds-site
 hosts: app
 become: true
diff --git a/roles/app/defaults/main.yml b/roles/app/defaults/main.yml
index 2a7e547..a45d4af 100644
--- a/roles/app/defaults/main.yml
+++ b/roles/app/defaults/main.yml
@@ -1,4 +1,5 @@
-apprepo: "https://github.com/zestedesavoir/zds-site.git"
+---
+apprepo: https://github.com/zestedesavoir/zds-site.git
 env: dev
 secrets: []
 zmarkdown_sentry_dsn: ""
diff --git a/roles/app/tasks/fixtures.yml b/roles/app/tasks/fixtures.yml
index 359c34b..3267d53 100644
--- a/roles/app/tasks/fixtures.yml
+++ b/roles/app/tasks/fixtures.yml
@@ -1,3 +1,4 @@
+---
 - name: install requirements in virtualenv to load fixtures
 become: true
 become_user: "{{ appuser }}"
@@ -6,7 +7,7 @@
 virtualenv: "{{ virtualenv }}"
 virtualenv_command: /usr/bin/python3 -m venv
-- name: load fixtures # noqa no-changed-when
+- name: load fixtures # noqa no-changed-when
 become: true
 become_user: "{{ appuser }}"
 ansible.builtin.shell: >
diff --git a/roles/app/tasks/geodata.yml b/roles/app/tasks/geodata.yml
index 42cb54a..88963b6 100644
--- a/roles/app/tasks/geodata.yml
+++ b/roles/app/tasks/geodata.yml
@@ -1,3 +1,4 @@
+---
 - name: Create Geodata folder
 ansible.builtin.file:
 path: "{{ appdir }}/geodata"
@@ -18,14 +19,14 @@
 tags:
 - bootstrap
-- name: Initial download of GeoLite data # noqa command-instead-of-shell no-changed-when
+- name: Initial download of GeoLite data # noqa command-instead-of-shell no-changed-when
 ansible.builtin.shell: "{{ workdir }}/update-geolite.sh"
 tags:
 - bootstrap
 - name: Setup cron to daily update GeoLite data
 ansible.builtin.cron:
- name: "Update GeoLite data"
+ name: Update GeoLite data
 special_time: daily
 job: "{{ workdir }}/update-geolite.sh"
 tags:
diff --git a/roles/app/tasks/main.yml b/roles/app/tasks/main.yml
index dcae183..76582dc 100644
--- a/roles/app/tasks/main.yml
+++ b/roles/app/tasks/main.yml
@@ -1,3 +1,4 @@
+---
 # Basic dependencies installation
 - name: install app dependencies
@@ -10,13 +11,13 @@
 - libffi-dev
 - libssl-dev
 - libmariadb-dev
- - autoconf # for gulp-imagemin Node.js package
- - automake # for gulp-imagemin Node.js package
- - rustc # for cryptography Python package
- - optipng # for easy-thumbnails Python package
- - jpegoptim # for easy-thumbnails Python package
- - memcached # for cache storage in prod configuration
- - pkg-config # for mysqlclient since version 2.2.0
+ - autoconf # for gulp-imagemin Node.js package
+ - automake # for gulp-imagemin Node.js package
+ - rustc # for cryptography Python package
+ - optipng # for easy-thumbnails Python package
+ - jpegoptim # for easy-thumbnails Python package
+ - memcached # for cache storage in prod configuration
+ - pkg-config # for mysqlclient since version 2.2.0
 state: present
 cache_valid_time: 3600
 tags:
@@ -36,7 +37,7 @@
 name: "{{ appuser }}"
 shell: /bin/false
 home: "{{ workdir }}"
- comment: "Zeste de Savoir"
+ comment: Zeste de Savoir
 tags:
 - bootstrap
@@ -137,11 +138,11 @@
 state: link
 with_items:
 - src: "{{ appdir }}/errors"
- dest: "errors"
+ dest: errors
 - src: "{{ datadir }}/media"
- dest: "media"
+ dest: media
 - src: "{{ datadir }}/static"
- dest: "static"
+ dest: static
 tags:
 - bootstrap
@@ -156,7 +157,7 @@
 - name: create robots.txt in webroot for beta
 ansible.builtin.copy:
- src: "robots-deny.txt"
+ src: robots-deny.txt
 dest: "{{ webroot }}/robots.txt"
 mode: u=rw,g=r,o=r
 when: env == "beta"
@@ -174,7 +175,7 @@
 # Installation of backend, frontend and zmd dependencies
-- name: update pip in virtualenv # some dependencies (like rust ones) require a recent pip
+- name: update pip in virtualenv # some dependencies (like rust ones) require a recent pip
 become: true
 become_user: "{{ appuser }}"
 ansible.builtin.pip:
@@ -214,8 +215,8 @@
 become_user: "{{ appuser }}"
 ansible.builtin.lineinfile:
 path: "{{ virtualenv }}/lib/python3.11/site-packages/elasticsearch_dsl/{{ item }}"
- regexp: "^import collections$"
- line: "import collections.abc as collections"
+ regexp: ^import collections$
+ line: import collections.abc as collections
 firstmatch: true
 with_items:
 - search.py
@@ -237,7 +238,7 @@
 tags:
 - bootstrap
-- name: install frontend # noqa no-changed-when
+- name: install frontend # noqa no-changed-when
 become: true
 become_user: "{{ appuser }}"
 ansible.builtin.command: yarn install --frozen-lockfile
@@ -259,7 +260,7 @@
 # Frontend building
-- name: build frontend # noqa no-changed-when
+- name: build frontend # noqa no-changed-when
 become: true
 become_user: "{{ appuser }}"
 ansible.builtin.command: npm run build
@@ -273,7 +274,7 @@
 become: true
 become_user: "{{ appuser }}"
 environment:
- DJANGO_SETTINGS_MODULE: "zds.settings.{{ env }}"
+ DJANGO_SETTINGS_MODULE: zds.settings.{{ env }}
 ZDS_CONFIG: "{{ workdir }}/config.toml"
 community.general.django_manage:
 app_path: "{{ appdir }}"
@@ -290,7 +291,7 @@
 become: true
 become_user: "{{ appuser }}"
 environment:
- DJANGO_SETTINGS_MODULE: "zds.settings.{{ env }}"
+ DJANGO_SETTINGS_MODULE: zds.settings.{{ env }}
 ZDS_CONFIG: "{{ workdir }}/config.toml"
 community.general.django_manage:
 app_path: "{{ appdir }}"
@@ -315,7 +316,7 @@
 become: true
 become_user: "{{ appuser }}"
 environment:
- DJANGO_SETTINGS_MODULE: "zds.settings.{{ env }}"
+ DJANGO_SETTINGS_MODULE: zds.settings.{{ env }}
 ZDS_CONFIG: "{{ workdir }}/config.toml"
 community.general.django_manage:
 app_path: "{{ appdir }}"
@@ -330,7 +331,7 @@
 become: true
 become_user: "{{ appuser }}"
 environment:
- DJANGO_SETTINGS_MODULE: "zds.settings.{{ env }}"
+ DJANGO_SETTINGS_MODULE: zds.settings.{{ env }}
 ZDS_CONFIG: "{{ workdir }}/config.toml"
 community.general.django_manage:
 app_path: "{{ appdir }}"
@@ -345,7 +346,7 @@
 - name: create services and timers files
 ansible.builtin.template:
 src: templates/{{ item }}.j2
- dest: "/etc/systemd/system/{{ item }}"
+ dest: /etc/systemd/system/{{ item }}
 mode: u=rw,g=r,o=r
 with_items:
 - zmd.service
@@ -427,8 +428,8 @@
 - name: create /root/bin/service-zds.sh
 ansible.builtin.copy:
- src: "service-zds.sh"
- dest: "/root/bin/service-zds.sh"
+ src: service-zds.sh
+ dest: /root/bin/service-zds.sh
 mode: u=rwx,g=,o=
 tags:
 - bootstrap
diff --git a/roles/backup/tasks/beta.yml b/roles/backup/tasks/beta.yml
index 4632a84..c07b04c 100644
--- a/roles/backup/tasks/beta.yml
+++ b/roles/backup/tasks/beta.yml
@@ -1,3 +1,4 @@
+---
 - name: create backup folder on beta server
 ansible.builtin.file:
 path: "{{ backupdir }}"
@@ -12,15 +13,15 @@
 - name: create backup users on beta server
 ansible.builtin.user:
 name: "{{ item }}"
- home: "/home/{{ item }}"
- password: '!' # will do --disabled-password of adduser
+ home: /home/{{ item }}
+ password: "!" # will do --disabled-password of adduser
 with_items:
 - zds-prod
 - zds-matomo
 - name: create .ssh folders for backup users on beta server
 ansible.builtin.file:
- path: "/home/{{ item }}/.ssh"
+ path: /home/{{ item }}/.ssh
 state: directory
 owner: "{{ item }}"
 group: "{{ item }}"
@@ -31,7 +32,7 @@
 - name: create .ssh/authorized_keys files for backup users on beta server
 ansible.builtin.file:
- path: "/home/{{ item }}/.ssh/authorized_keys"
+ path: /home/{{ item }}/.ssh/authorized_keys
 state: touch
 owner: "{{ item }}"
 group: "{{ item }}"
diff --git a/roles/backup/tasks/main.yml b/roles/backup/tasks/main.yml
index 7df2383..b606b81 100644
--- a/roles/backup/tasks/main.yml
+++ b/roles/backup/tasks/main.yml
@@ -1,3 +1,4 @@
+---
 - name: install borg1.2.6
 ansible.builtin.get_url:
 url: https://github.com/borgbackup/borg/releases/download/1.2.6/borg-linux64
@@ -6,8 +7,8 @@
 - name: generate logrotate config file for backup logs
 ansible.builtin.template:
- src: "logrotate_zds-backup.j2"
- dest: "/etc/logrotate.d/zds-backup"
+ src: logrotate_zds-backup.j2
+ dest: /etc/logrotate.d/zds-backup
 mode: u=rw,g=r,o=r
 - name: configure backups on beta server
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 151cde0..2000127 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -1,3 +1,4 @@
+---
 - name: restart sshd
 ansible.builtin.systemd:
 name: sshd
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 092637d..4c6e381 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -1,3 +1,4 @@
+---
 - name: ensure the system can use the HTTPS transport for APT
 ansible.builtin.stat:
 path: /usr/lib/apt/methods/https
@@ -12,7 +13,7 @@
 - name: should have some base packages
 ansible.builtin.apt:
 pkg:
- - acl # Allow Ansible to use 'become' command (see https://docs.ansible.com/ansible/latest/user_guide/become.html#risks-and-limitations-of-become)
+ - acl # Allow Ansible to use 'become' command (see https://docs.ansible.com/ansible/latest/user_guide/become.html#risks-and-limitations-of-become)
 - git
 - htop
 - locales
@@ -46,7 +47,7 @@
 - name: copy zsh config files
 ansible.builtin.copy:
 src: "{{ item.src }}"
- dest: "/etc/zsh/{{ item.path }}"
+ dest: /etc/zsh/{{ item.path }}
 mode: u=rw,g=r,o=r
 with_community.general.filetree: zsh/
 when: item.state == 'file'
diff --git a/roles/common/tasks/nodejs.yml b/roles/common/tasks/nodejs.yml
index d6c2baa..f56067d 100644
--- a/roles/common/tasks/nodejs.yml
+++ b/roles/common/tasks/nodejs.yml
@@ -1,3 +1,4 @@
+---
 - name: install Node.js and NPM
 ansible.builtin.apt:
 pkg:
diff --git a/roles/common/tasks/sshd.yml b/roles/common/tasks/sshd.yml
index 650b3f0..6075a1b 100644
--- a/roles/common/tasks/sshd.yml
+++ b/roles/common/tasks/sshd.yml
@@ -1,13 +1,14 @@
+---
 - name: Disable SSH root login
 ansible.builtin.lineinfile:
 path: /etc/ssh/sshd_config
- regexp: '^PermitRootLogin'
- line: 'PermitRootLogin no'
+ regexp: ^PermitRootLogin
+ line: PermitRootLogin no
 notify: restart sshd
 - name: Disable SSH password authentication
 ansible.builtin.lineinfile:
 path: /etc/ssh/sshd_config
- regexp: '^PasswordAuthentication'
- line: 'PasswordAuthentication no'
+ regexp: ^PasswordAuthentication
+ line: PasswordAuthentication no
 notify: restart sshd
diff --git a/roles/elasticsearch/handlers/main.yml b/roles/elasticsearch/handlers/main.yml
index c6b6a54..2937e19 100644
--- a/roles/elasticsearch/handlers/main.yml
+++ b/roles/elasticsearch/handlers/main.yml
@@ -1,3 +1,4 @@
+---
 - name: restart elasticsearch
 ansible.builtin.systemd:
 name: elasticsearch.service
diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml
index f9ba1c4..ff5eb13 100644
--- a/roles/elasticsearch/tasks/main.yml
+++ b/roles/elasticsearch/tasks/main.yml
@@ -1,12 +1,13 @@
+---
 - name: add elasticsearch repository key
 ansible.builtin.apt_key:
 id: 46095ACC8548582C1A2699A9D27D666CD88E42B4
- keyserver: "hkp://keyserver.ubuntu.com:80"
+ keyserver: hkp://keyserver.ubuntu.com:80
 - name: add elasticsearch repository
 ansible.builtin.apt_repository:
 filename: elasticsearch
- repo: "deb https://artifacts.elastic.co/packages/5.x/apt stable main"
+ repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main
 state: present
 - name: install openjdk-17-jre-headless and elasticsearch
diff --git a/roles/firewall/handlers/main.yml b/roles/firewall/handlers/main.yml
index f58c625..aad31b8 100644
--- a/roles/firewall/handlers/main.yml
+++ b/roles/firewall/handlers/main.yml
@@ -1,3 +1,4 @@
+---
 - name: reload rsyslog
 ansible.builtin.systemd:
 name: rsyslog
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
index a15998f..8f3a273 100644
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
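Review bot: `regexp: ^PermitRootLogin` and `regexp: ^PasswordAuthentication` match only an already-active directive, so on a stock Debian/Ubuntu sshd_config, where both ship commented out (`#PermitRootLogin prohibit-password`), lineinfile appends the new line at the end of the file; on releases whose sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf` (Debian 12, Ubuntu 22.04+), sshd keeps the first value it reads, so a drop-in such as cloud-init's `PasswordAuthentication yes` silently overrides the appended line. The `python3.11` site-packages path in roles/app suggests Debian 12 is the target, so this is worth checking on a real host with `sshd -T | grep -i passwordauthentication`. I would match the commented default too, `regexp: ^#?PermitRootLogin` and `regexp: ^#?PasswordAuthentication`, and add `validate: /usr/sbin/sshd -t -f %s` to both tasks so a bad edit can never leave sshd unable to restart. More robust still is to write both directives to a managed file under `/etc/ssh/sshd_config.d/` and assert that no other drop-in there contradicts them.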
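Review bot: `ansible.builtin.apt_key` imports the Elastic key into the legacy system-wide keyring, which makes it trusted for every APT source on the host rather than only `artifacts.elastic.co`, and `apt-key` is deprecated and absent from recent Debian/Ubuntu releases. Fetch the key into a dedicated keyring and scope the source to it: replace the `apt_key` task with a `get_url` of the key to `/etc/apt/keyrings/elasticsearch.asc` and change the repository line to `repo: deb [signed-by=/etc/apt/keyrings/elasticsearch.asc] https://artifacts.elastic.co/packages/5.x/apt stable main`. `hkp://keyserver.ubuntu.com:80` is unauthenticated transport, so the pinned full fingerprint in `id:` is the only thing vouching for what gets imported; if the keyserver route is kept, that fingerprint must stay. The `5.x` package line also appears to be long past end-of-life, which is worth confirming against the upgrade plan since it decides whether security fixes arrive at all.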
@@ -1,3 +1,4 @@
+---
 - name: Install firewall (ufw)
 ansible.builtin.apt:
 pkg: ufw
@@ -9,13 +10,13 @@
 proto: tcp
 port: "{{ item }}"
 loop:
- - "80" # HTTP
- - "443" # HTTPS
- - "22" # SSH
- - "4949" # Munin
- - "25" # SMTP
- - "465" # SMTP
- - "587" # SMTP
+ - "80" # HTTP
+ - "443" # HTTPS
+ - "22" # SSH
+ - "4949" # Munin
+ - "25" # SMTP
+ - "465" # SMTP
+ - "587" # SMTP
 - name: Enable firewall (ufw)
 community.general.ufw:
diff --git a/roles/latex/handlers/main.yml b/roles/latex/handlers/main.yml
index fc18daf..90e6501 100644
--- a/roles/latex/handlers/main.yml
+++ b/roles/latex/handlers/main.yml
@@ -1,3 +1,4 @@
+---
 - name: run texhash # noqa no-changed-when
 become: true
 become_user: "{{ appuser }}"
diff --git a/roles/latex/tasks/main.yml b/roles/latex/tasks/main.yml
index 7edec39..765f16c 100644
--- a/roles/latex/tasks/main.yml
+++ b/roles/latex/tasks/main.yml
@@ -1,3 +1,4 @@
+---
 - name: install texlive packages
 ansible.builtin.apt:
 pkg:
@@ -10,7 +11,7 @@
 - python3-pygments
 - xzdec
 - wget
- - librsvg2-bin # to convert license icons from SVG to PDF
+ - librsvg2-bin # to convert license icons from SVG to PDF
 cache_valid_time: 3600
 tags:
 - bootstrap
@@ -20,11 +21,11 @@
 tags:
 - bootstrap
-- name: clone the template # noqa latest[git]
+- name: clone the template # noqa latest[git]
 become: true
 become_user: "{{ appuser }}"
 ansible.builtin.git:
- repo: "https://github.com/zestedesavoir/latex-template/"
+ repo: https://github.com/zestedesavoir/latex-template/
 dest: "{{ workdir }}/texmf/tex/generic/latex-template"
 notify: run texhash
 tags:
diff --git a/roles/latex/tasks/packages.yml b/roles/latex/tasks/packages.yml
index 8f20e18..0bf889f 100644
--- a/roles/latex/tasks/packages.yml
+++ b/roles/latex/tasks/packages.yml
@@ -1,3 +1,4 @@
+---
 - name: create tlmgr usertree
 become: true
 become_user: "{{ appuser }}"
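Review bot: The `loop` opens `4949` (munin-node) to any source; if the enclosing `community.general.ufw` task, whose header sits above this hunk, sets no `from_ip`/`src`, the only thing between the internet and the node's plugin output (the `processes`, `netstat` and `users` plugins enabled in roles/munin/vars) is munin-node.conf's own `allow` list, and on a single host where the master runs locally — the nginx `munin` site in roles/web suggests that — the port need not be open at all. Move it to its own rule restricted to the master, e.g. `from_ip: "<munin master address>"`, or drop it from this list. The same question applies to `25`, `465` and `587`: inbound SMTP and submission ports are only needed if this host receives mail or lets clients submit through it; a host that only sends mail does not need them open. A short comment per SMTP port naming the inbound service that needs it would make the intent auditable.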
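Review bot: `ansible.builtin.git` clones `latex-template` with no `version:`, so every bootstrap takes whatever the default branch points at that day; the `# noqa latest[git]` quiets ansible-lint but not the exposure, since a compromised or force-pushed upstream lands straight into the TeX tree the app user renders documents with. Pin it, `version: <release tag or commit sha>`, and bump it on purpose, the way `appversion` is already pinned in group_vars/production. The task's `tags:` list continues past the end of the hunk.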
@@ -20,7 +21,7 @@
 src: "{{ workdir }}/texmf/ansible-state"
 register: installed_packages
-- name: install packages # noqa risky-shell-pipe no-changed-when
+- name: install packages # noqa risky-shell-pipe no-changed-when
 become: true
 become_user: "{{ appuser }}"
 ansible.builtin.shell: >
diff --git a/roles/latex/vars/main.yml b/roles/latex/vars/main.yml
index 4cc8b0a..57ce9d2 100644
--- a/roles/latex/vars/main.yml
+++ b/roles/latex/vars/main.yml
@@ -1,3 +1,4 @@
+---
 latex_packages:
 - adjustbox
 - blindtext
@@ -44,7 +45,7 @@ fonttypes:
 fonts:
 - name: SourceCodePro
 slug: source-code-pro
- url: "https://raw.githubusercontent.com/adobe-fonts/source-code-pro/release"
+ url: https://raw.githubusercontent.com/adobe-fonts/source-code-pro/release
 - name: SourceSansPro
 slug: source-sans-pro
- url: "https://raw.githubusercontent.com/adobe-fonts/source-sans-pro/3.006R"
+ url: https://raw.githubusercontent.com/adobe-fonts/source-sans-pro/3.006R
diff --git a/roles/munin/handlers/main.yml b/roles/munin/handlers/main.yml
index bcb26c2..3c88f93 100644
--- a/roles/munin/handlers/main.yml
+++ b/roles/munin/handlers/main.yml
@@ -1,3 +1,4 @@
+---
 - name: restart munin-node
 ansible.builtin.systemd:
 name: munin-node
diff --git a/roles/munin/tasks/main.yml b/roles/munin/tasks/main.yml
index 0661352..b1eae80 100644
--- a/roles/munin/tasks/main.yml
+++ b/roles/munin/tasks/main.yml
@@ -1,13 +1,14 @@
+---
 - name: install munin packages
 ansible.builtin.apt:
 pkg:
 - munin
 - munin-node
- - libcache-cache-perl # for mysql munin plugin
- - libdbd-mysql-perl # for mysql munin plugin
- - liblwp-protocol-https-perl # for nginx munin plugin
- - time # for wget_page munin plugin
- - net-tools # for netstat, used by a munin plugin
+ - libcache-cache-perl # for mysql munin plugin
+ - libdbd-mysql-perl # for mysql munin plugin
+ - liblwp-protocol-https-perl # for nginx munin plugin
+ - time # for wget_page munin plugin
+ - net-tools # for netstat, used by a munin plugin
 state: present
 cache_valid_time: 3600
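Review bot: The two font URLs are pinned inconsistently: SourceSansPro is fetched from the immutable tag `3.006R`, but SourceCodePro from the `release` branch, which moves, so the files downloaded at provisioning time can change without any change to this repository. Pin SourceCodePro to a release tag as well, `url: https://raw.githubusercontent.com/adobe-fonts/source-code-pro/<release tag>`, and if the task that downloads these files (not in this hunk) has no `checksum:`, add one so the font binaries placed in the TeX tree are verified.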
@@ -129,6 +130,6 @@
 - name: use correct MySQL user for Munin plugin
 ansible.builtin.lineinfile:
 path: /etc/munin/plugin-conf.d/munin-node
- regexp: '^env.mysqluser root'
- line: 'env.mysqluser root'
+ regexp: ^env.mysqluser root
+ line: env.mysqluser root
 when: env == "beta"
diff --git a/roles/munin/vars/main.yml b/roles/munin/vars/main.yml
index 1231c15..dbbaafc 100644
--- a/roles/munin/vars/main.yml
+++ b/roles/munin/vars/main.yml
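Review bot: `regexp: ^env.mysqluser root` matches only a line that already holds the wanted value, so if `plugin-conf.d/munin-node` carries `env.mysqluser` with any other account the task never replaces it and instead appends `env.mysqluser root` at the end of the file, outside the `[mysql*]` section it is meant for (and the unescaped `.` is a wildcard here). Use `regexp: ^env\.mysqluser\s` together with `insertafter: ^\[mysql` so the existing line is rewritten in place. Separately, pointing the plugin at MySQL `root` is far more privilege than monitoring needs; a dedicated read-only account carrying only the grants the mysql_ plugin documents would keep this path least-privilege, even though the task only applies on `beta`.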
@@ -1,89 +1,90 @@
+---
 munin_available_plugins_dir: /usr/share/munin/plugins
 munin_enabled_plugins:
- # list generated with
- # cd /etc/munin/plugins && ls -l | cut -d " " -f 10- | sed -E "s/(.+) -> \/usr\/share\/munin\/plugins\/(.+)/- { src: \2, dest: \1 }/"
- - { src: cpu, dest: cpu }
- - { src: df, dest: df }
- - { src: df_inode, dest: df_inode }
- - { src: diskstats, dest: diskstats }
- - { src: elasticsearch_cache, dest: elasticsearch_cache }
- - { src: elasticsearch_cluster_shards, dest: elasticsearch_cluster_shards }
- - { src: elasticsearch_docs, dest: elasticsearch_docs }
- - { src: elasticsearch_gc_time, dest: elasticsearch_gc_time }
- - { src: elasticsearch_index_size, dest: elasticsearch_index_size }
- - { src: elasticsearch_index_total, dest: elasticsearch_index_total }
- - { src: elasticsearch_jvm_memory, dest: elasticsearch_jvm_memory }
- - { src: elasticsearch_jvm_pools_size, dest: elasticsearch_jvm_pools_size }
- - { src: elasticsearch_jvm_threads, dest: elasticsearch_jvm_threads }
- - { src: elasticsearch_open_files, dest: elasticsearch_open_files }
- - { src: entropy, dest: entropy }
- - { src: forks, dest: forks }
- - { src: fw_conntrack, dest: fw_conntrack }
- - { src: fw_forwarded_local, dest: fw_forwarded_local }
- - { src: fw_packets, dest: fw_packets }
- - { src: http_loadtime, dest: http_loadtime }
- - { src: if_err_, dest: if_err_eth0 }
- - { src: if_, dest: if_eth0 }
- - { src: interrupts, dest: interrupts }
- - { src: load, dest: load }
- - { src: memcached_multi_, dest: memcached_multi_bytes }
- - { src: memcached_multi_, dest: memcached_multi_commands }
- - { src: memcached_multi_, dest: memcached_multi_conns }
- - { src: memcached_multi_, dest: memcached_multi_evictions }
- - { src: memcached_multi_, dest: memcached_multi_items }
- - { src: memcached_multi_, dest: memcached_multi_memory }
- - { src: memcached_multi_, dest: memcached_multi_unfetched }
- - { src: memory, dest: memory }
- - { src: munin_stats, dest: munin_stats }
- - { src: mysql_, dest: mysql_bin_relay_log }
- - { src: mysql_, dest: mysql_commands }
- - { src: mysql_, dest: mysql_connections }
- - { src: mysql_, dest: mysql_files_tables }
- - { src: mysql_, dest: mysql_innodb_bpool }
- - { src: mysql_, dest: mysql_innodb_bpool_act }
- - { src: mysql_, dest: mysql_innodb_insert_buf }
- - { src: mysql_, dest: mysql_innodb_io }
- - { src: mysql_, dest: mysql_innodb_io_pend }
- - { src: mysql_, dest: mysql_innodb_log }
- - { src: mysql_, dest: mysql_innodb_rows }
- - { src: mysql_, dest: mysql_innodb_semaphores }
- - { src: mysql_, dest: mysql_innodb_tnx }
- - { src: mysql_, dest: mysql_network_traffic }
- - { src: mysql_, dest: mysql_qcache }
- - { src: mysql_, dest: mysql_qcache_mem }
- - { src: mysql_, dest: mysql_select_types }
- - { src: mysql_, dest: mysql_slow }
- - { src: mysql_, dest: mysql_sorts }
- - { src: mysql_, dest: mysql_table_locks }
- - { src: mysql_, dest: mysql_tmp_tables }
- - { src: netstat, dest: netstat }
- - { src: nginx_request, dest: nginx_request }
- - { src: nginx_status, dest: nginx_status }
- - { src: open_files, dest: open_files }
- - { src: open_inodes, dest: open_inodes }
- - { src: processes, dest: processes }
- - { src: proc_pri, dest: proc_pri }
- - { src: swap, dest: swap }
- - { src: threads, dest: threads }
- - { src: uptime, dest: uptime }
- - { src: users, dest: users }
- - { src: vmstat, dest: vmstat }
- - { src: wget_page, dest: wget_page }
- - { src: django.py, dest: zds_active_sessions }
- - { src: django.py, dest: zds_active_users }
- - { src: django.py, dest: zds_db_performance }
- - { src: django.py, dest: zds_total_articles }
- - { src: django.py, dest: zds_total_mps }
- - { src: django.py, dest: zds_total_posts }
- - { src: django.py, dest: zds_total_sessions }
- - { src: django.py, dest: zds_total_topics }
- - { src: django.py, dest: zds_total_opinions }
- - { src: django.py, dest: zds_total_tutorials }
- - { src: django.py, dest: zds_total_users }
- - { src: zmd, dest: zmd_avg_per_endpoint }
- - { src: zmd, dest: zmd_avg_per_process }
- - { src: zmd, dest: zmd_cpu }
- - { src: zmd, dest: zmd_event_loop_lag }
- - { src: zmd, dest: zmd_memory }
- - { src: zmd, dest: zmd_status }
+ # list generated with
+ # cd /etc/munin/plugins && ls -l | cut -d " " -f 10- | sed -E "s/(.+) -> \/usr\/share\/munin\/plugins\/(.+)/- { src: \2, dest: \1 }/"
+ - { src: cpu, dest: cpu }
+ - { src: df, dest: df }
+ - { src: df_inode, dest: df_inode }
+ - { src: diskstats, dest: diskstats }
+ - { src: elasticsearch_cache, dest: elasticsearch_cache }
+ - { src: elasticsearch_cluster_shards, dest: elasticsearch_cluster_shards }
+ - { src: elasticsearch_docs, dest: elasticsearch_docs }
+ - { src: elasticsearch_gc_time, dest: elasticsearch_gc_time }
+ - { src: elasticsearch_index_size, dest: elasticsearch_index_size }
+ - { src: elasticsearch_index_total, dest: elasticsearch_index_total }
+ - { src: elasticsearch_jvm_memory, dest: elasticsearch_jvm_memory }
+ - { src: elasticsearch_jvm_pools_size, dest: elasticsearch_jvm_pools_size }
+ - { src: elasticsearch_jvm_threads, dest: elasticsearch_jvm_threads }
+ - { src: elasticsearch_open_files, dest: elasticsearch_open_files }
+ - { src: entropy, dest: entropy }
+ - { src: forks, dest: forks }
+ - { src: fw_conntrack, dest: fw_conntrack }
+ - { src: fw_forwarded_local, dest: fw_forwarded_local }
+ - { src: fw_packets, dest: fw_packets }
+ - { src: http_loadtime, dest: http_loadtime }
+ - { src: if_err_, dest: if_err_eth0 }
+ - { src: if_, dest: if_eth0 }
+ - { src: interrupts, dest: interrupts }
+ - { src: load, dest: load }
+ - { src: memcached_multi_, dest: memcached_multi_bytes }
+ - { src: memcached_multi_, dest: memcached_multi_commands }
+ - { src: memcached_multi_, dest: memcached_multi_conns }
+ - { src: memcached_multi_, dest: memcached_multi_evictions }
+ - { src: memcached_multi_, dest: memcached_multi_items }
+ - { src: memcached_multi_, dest: memcached_multi_memory }
+ - { src: memcached_multi_, dest: memcached_multi_unfetched }
+ - { src: memory, dest: memory }
+ - { src: munin_stats, dest: munin_stats }
+ - { src: mysql_, dest: mysql_bin_relay_log }
+ - { src: mysql_, dest: mysql_commands }
+ - { src: mysql_, dest: mysql_connections }
+ - { src: mysql_, dest: mysql_files_tables }
+ - { src: mysql_, dest: mysql_innodb_bpool }
+ - { src: mysql_, dest: mysql_innodb_bpool_act }
+ - { src: mysql_, dest: mysql_innodb_insert_buf }
+ - { src: mysql_, dest: mysql_innodb_io }
+ - { src: mysql_, dest: mysql_innodb_io_pend }
+ - { src: mysql_, dest: mysql_innodb_log }
+ - { src: mysql_, dest: mysql_innodb_rows }
+ - { src: mysql_, dest: mysql_innodb_semaphores }
+ - { src: mysql_, dest: mysql_innodb_tnx }
+ - { src: mysql_, dest: mysql_network_traffic }
+ - { src: mysql_, dest: mysql_qcache }
+ - { src: mysql_, dest: mysql_qcache_mem }
+ - { src: mysql_, dest: mysql_select_types }
+ - { src: mysql_, dest: mysql_slow }
+ - { src: mysql_, dest: mysql_sorts }
+ - { src: mysql_, dest: mysql_table_locks }
+ - { src: mysql_, dest: mysql_tmp_tables }
+ - { src: netstat, dest: netstat }
+ - { src: nginx_request, dest: nginx_request }
+ - { src: nginx_status, dest: nginx_status }
+ - { src: open_files, dest: open_files }
+ - { src: open_inodes, dest: open_inodes }
+ - { src: processes, dest: processes }
+ - { src: proc_pri, dest: proc_pri }
+ - { src: swap, dest: swap }
+ - { src: threads, dest: threads }
+ - { src: uptime, dest: uptime }
+ - { src: users, dest: users }
+ - { src: vmstat, dest: vmstat }
+ - { src: wget_page, dest: wget_page }
+ - { src: django.py, dest: zds_active_sessions }
+ - { src: django.py, dest: zds_active_users }
+ - { src: django.py, dest: zds_db_performance }
+ - { src: django.py, dest: zds_total_articles }
+ - { src: django.py, dest: zds_total_mps }
+ - { src: django.py, dest: zds_total_posts }
+ - { src: django.py, dest: zds_total_sessions }
+ - { src: django.py, dest: zds_total_topics }
+ - { src: django.py, dest: zds_total_opinions }
+ - { src: django.py, dest: zds_total_tutorials }
+ - { src: django.py, dest: zds_total_users }
+ - { src: zmd, dest: zmd_avg_per_endpoint }
+ - { src: zmd, dest: zmd_avg_per_process }
+ - { src: zmd, dest: zmd_cpu }
+ - { src: zmd, dest: zmd_event_loop_lag }
+ - { src: zmd, dest: zmd_memory }
+ - { src: zmd, dest: zmd_status }
diff --git a/roles/mysql/handlers/main.yml b/roles/mysql/handlers/main.yml
index bf872ea..d49adc3 100644
--- a/roles/mysql/handlers/main.yml
+++ b/roles/mysql/handlers/main.yml
@@ -1,3 +1,4 @@
+---
 - name: restart mariadb
 ansible.builtin.systemd:
 name: mariadb
diff --git a/roles/mysql/tasks/main.yml b/roles/mysql/tasks/main.yml
index e57c8c2..7632a77 100644
--- a/roles/mysql/tasks/main.yml
+++ b/roles/mysql/tasks/main.yml
@@ -1,3 +1,4 @@
+---
 - name: install mariadb-server and mariadb-backup
 ansible.builtin.apt:
 pkg:
@@ -6,7 +7,7 @@
 - python3-mysqldb
 cache_valid_time: 3600
-- name: create /var/log/mysql folder # seems to be required for mysql_upgrade after restoring backup from prod
+- name: create /var/log/mysql folder # seems to be required for mysql_upgrade after restoring backup from prod
 ansible.builtin.file:
 path: /var/log/mysql
 state: directory
@@ -31,8 +32,8 @@
 community.mysql.mysql_db:
 name: "{{ mysql.name }}"
 state: present
- encoding: "utf8mb4"
- collation: "utf8mb4_unicode_ci"
+ encoding: utf8mb4
+ collation: utf8mb4_unicode_ci
 - name: create mysql user
 community.mysql.mysql_user:
diff --git a/roles/web/defaults/main.yml b/roles/web/defaults/main.yml
index 8090acd..838dd1f 100644
--- a/roles/web/defaults/main.yml
+++ b/roles/web/defaults/main.yml
@@ -1 +1,2 @@
+---
 public: false
diff --git a/roles/web/handlers/main.yml b/roles/web/handlers/main.yml
index dc329bb..e96eb8e 100644
--- a/roles/web/handlers/main.yml
+++ b/roles/web/handlers/main.yml
@@ -1,3 +1,4 @@
+---
 - name: reload nginx
 ansible.builtin.systemd:
 name: nginx
diff --git a/roles/web/tasks/main.yml b/roles/web/tasks/main.yml
index 70fe842..8845352 100644
--- a/roles/web/tasks/main.yml
+++ b/roles/web/tasks/main.yml
@@ -1,3 +1,4 @@
+---
 - name: install nginx
 ansible.builtin.apt:
 pkg: nginx
@@ -13,7 +14,7 @@
 - name: create config dirs
 ansible.builtin.file:
- path: "/etc/nginx/{{ item }}"
+ path: /etc/nginx/{{ item }}
 state: directory
 mode: u=rwx,g=rx,o=rx
 with_items:
@@ -23,7 +24,7 @@
 - name: remove default configuration shipped with nginx package
 ansible.builtin.file:
- path: "/etc/nginx/{{ item }}/default"
+ path: /etc/nginx/{{ item }}/default
 state: absent
 with_items:
 - sites-available
@@ -32,7 +33,7 @@
 - name: copy config files
 ansible.builtin.copy:
 src: "{{ item.src }}"
- dest: "/etc/nginx/{{ item.path }}"
+ dest: /etc/nginx/{{ item.path }}
 mode: u=rw,g=r,o=r
 with_community.general.filetree: nginx/
 when: item.state == 'file'
@@ -40,60 +41,60 @@
 - name: generate zds config file
 ansible.builtin.template:
- src: "nginx/sites-available/zestedesavoir.j2"
- dest: "/etc/nginx/sites-available/zestedesavoir"
+ src: nginx/sites-available/zestedesavoir.j2
+ dest: /etc/nginx/sites-available/zestedesavoir
 mode: u=rw,g=r,o=r
 notify: reload nginx
 - name: enable zds site
 ansible.builtin.file:
- src: "/etc/nginx/sites-available/zestedesavoir"
- dest: "/etc/nginx/sites-enabled/zestedesavoir"
+ src: /etc/nginx/sites-available/zestedesavoir
+ dest: /etc/nginx/sites-enabled/zestedesavoir
 state: link
 notify: reload nginx
 - name: generate prod redirect config file
 ansible.builtin.template:
- src: "nginx/sites-available/prod-redirect.j2"
- dest: "/etc/nginx/sites-available/prod-redirect"
+ src: nginx/sites-available/prod-redirect.j2
+ dest: /etc/nginx/sites-available/prod-redirect
 mode: u=rw,g=r,o=r
 notify: reload nginx
 when: env == "prod"
 - name: enable prod redirect site
 ansible.builtin.file:
- src: "/etc/nginx/sites-available/prod-redirect"
- dest: "/etc/nginx/sites-enabled/prod-redirect"
+ src: /etc/nginx/sites-available/prod-redirect
+ dest: /etc/nginx/sites-enabled/prod-redirect
 state: link
 notify: reload nginx
 when: env == "prod"
 - name: generate munin config file
 ansible.builtin.template:
- src: "nginx/sites-available/munin.j2"
- dest: "/etc/nginx/sites-available/munin"
+ src: nginx/sites-available/munin.j2
+ dest: /etc/nginx/sites-available/munin
 mode: u=rw,g=r,o=r
 notify: reload nginx
 when: env != "vagrant"
 - name: enable munin site
 ansible.builtin.file:
- src: "/etc/nginx/sites-available/munin"
- dest: "/etc/nginx/sites-enabled/munin"
+ src: /etc/nginx/sites-available/munin
+ dest: /etc/nginx/sites-enabled/munin
 state: link
 notify: reload nginx
 when: env != "vagrant"
 - name: enable status
 ansible.builtin.file:
- src: "/etc/nginx/sites-available/status"
- dest: "/etc/nginx/sites-enabled/status"
+ src: /etc/nginx/sites-available/status
+ dest: /etc/nginx/sites-enabled/status
 state: link
 notify: reload nginx
 when: env != "vagrant"
 - name: generate logrotate config file
 ansible.builtin.template:
- src: "logrotate/zds-nginx.j2"
- dest: "/etc/logrotate.d/zds-nginx"
+ src: logrotate/zds-nginx.j2
+ dest: /etc/logrotate.d/zds-nginx
 mode: u=rw,g=r,o=r
diff --git a/roles/zdsantispam/tasks/main.yml b/roles/zdsantispam/tasks/main.yml
index aa54680..ea0b180 100644
--- a/roles/zdsantispam/tasks/main.yml
+++ b/roles/zdsantispam/tasks/main.yml
@@ -1,3 +1,4 @@
+---
 - name: create /opt/zds-antispam folder with correct permissions
 ansible.builtin.file:
 path: "{{ zds_antispam_dir }}"
@@ -6,14 +7,14 @@
 group: "{{ appuser }}"
 mode: u=rwx,g=rx,o=rx
-- name: checkout zds-antispam application # noqa latest[git]
+- name: checkout zds-antispam application # noqa latest[git]
 become: true
 become_user: "{{ appuser }}"
 ansible.builtin.git:
- repo: "https://github.com/zestedesavoir/zds-antispam.git"
+ repo: https://github.com/zestedesavoir/zds-antispam.git
 dest: "{{ zds_antispam_dir }}"
-- name: install Python dependencies # this also creates the venv
+- name: install Python dependencies # this also creates the venv
 become: true
 become_user: "{{ appuser }}"
 ansible.builtin.pip:
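Review bot: `ansible.builtin.git` checks out `zds-antispam` with no `version:`, and the `# noqa latest[git]` silences the lint rule without removing the exposure: this is application code executed as `{{ appuser }}`, so a compromised upstream or a force-pushed default branch is deployed on the next run. Pin `version:` to a tag or commit and review bumps like any other dependency. The `install Python dependencies` task is cut off at the end of the hunk; if it installs from the checkout's requirements without pinned hashes, the same unpinned-supply-chain concern extends to whatever that file pulls in.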