Switch from using tags to variables

Signed-off-by: Radovan Sroka <[email protected]>
linux-system-roles · Nov 7, 2024 · ce8f25b · ce8f25b
1 parent f852360
commit ce8f25b
Show file tree

Hide file tree

Showing 26 changed files with 157 additions and 92 deletions.
diff --git a/README.md b/README.md
@@ -18,18 +18,12 @@ extreme caution as it might break your system.
 
 ## How does the role do that?
 
-* The role is controlled by using [Ansible Tags](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_tags.html)
-* If you run the playbook without specifying any tag the role will change nothing on your remote nodes
-* To execute some supported use cases you need to explicitly specify one or more of the following tags
+* The role is controlled by using role variables
+* If you run the playbook without specifying any role variable the role will change nothing on your remote nodes
+* To execute some supported use cases you need to explicitly specify one or more of the following variables
 
 ### Available tags to control and use the role
 
-* __install__ - With this tag the role ensures that the `aide` package is installed on the remote nodes
-* __generate_config__ - Generates the file `/etc/aide.conf` using `templates/aide.conf.j2`; the template needs to be adjusted to fit your requirements; if you do not use this tag the default configuration file shipped with the `aide` package will be used
-* __init__ - Initializes the AIDE database and fetches it from the remote nodes to store it on the controller node
-* __check__ - Runs an integrity check on the remote nodes
-* __update__ - Updates the AIDE database and stores it on the controller node
-
 ## What does this role not do for you?
 
 * It does not explain how to create a good AIDE configuration that suits your requirements; that task remains for you to accomplish
@@ -51,11 +45,45 @@ same directory as the playbook.
 In case you like to store the fetched AIDE database files somewhere else you
 need to specify a different path here.
 
-Example of setting the variables:
+### aide_install
 
-```yaml
-aide_db_fetch_dir: files
-```
+With this variable the role ensures that the `aide` package is installed on the remote nodes
+
+Default: `false`
+
+Type: `bool`
+
+### aide_generate_config
+
+Generates the file `/etc/aide.conf` using `templates/aide.conf.j2`; the template needs to be adjusted to fit your requirements; if you do not use this varable the default configuration file shipped with the `aide` package will be used.
+
+Default: `false`
+
+Type: `bool`
+
+### aide_init
+
+Initializes the AIDE database and fetches it from the remote nodes to store it on the controller node
+
+Default: `false`
+
+Type: `bool`
+
+### aide_check
+
+Runs an integrity check on the remote nodes
+
+Default: `false`
+
+Type: `bool`
+
+### aide_update
+
+Updates the AIDE database and stores it on the controller node
+
+Default: `false`
+
+Type: `bool`
 
 ## Example Playbook
 
@@ -69,16 +97,15 @@ passed in as parameters) is always nice for users too:
   hosts: targets
   tasks:
     - name: Include role aide
-      tags:
-        - install
-        - generate_config
-        - init
-        - check
-        - update
       vars:
         aide_db_fetch_dir: files
+        aide_install: true
+        aide_generate_config: true
+        aide_init: true
+        aide_check: false
+        aide_update: false
       ansible.builtin.include_role:
-        name: aide
+        name: linux-system-roles.aide
 ```
 
 More examples can be found in the [`examples/`](examples) directory.

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -5,3 +5,18 @@
 
 # Examples of role input variables:
 aide_db_fetch_dir: files
+
+# Enable install phase
+aide_install: false
+
+# Enable config file generation phase
+aide_generate_config: false
+
+# Enable initialization of the database phase
+aide_init: false
+
+# Enable check database phase
+aide_check: false
+
+# Enable database update phase
+aide_update: false
diff --git a/examples/simple.yml → examples/default.yml b/examples/simple.yml → examples/default.yml
@@ -4,13 +4,12 @@
   hosts: targets
   tasks:
     - name: Include role aide
-      tags:
-        - install
-        - generate_config
-        - init
-        - check
-        - update
       vars:
         aide_db_fetch_dir: files
+        aide_install: true
+        aide_generate_config: true
+        aide_init: true
+        aide_check: false
+        aide_update: false
       ansible.builtin.include_role:
         name: linux-system-roles.aide
diff --git a/examples/deploy.yml b/examples/deploy.yml
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: MIT
+---
+- name: Example aide role invocation
+  hosts: targets
+  tasks:
+    - name: Include role aide
+      vars:
+        aide_db_fetch_dir: files
+        aide_install: true
+        aide_generate_config: true
+        aide_init: true
+        aide_check: false
+        aide_update: false
+      ansible.builtin.include_role:
+        name: linux-system-roles.aide
diff --git a/examples/just_check.yml b/examples/just_check.yml
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: MIT
+---
+- name: Example aide role invocation
+  hosts: targets
+  tasks:
+    - name: Include role aide
+      vars:
+        aide_db_fetch_dir: files
+        aide_install: false
+        aide_generate_config: false
+        aide_init: false
+        aide_check: true
+        aide_update: false
+      ansible.builtin.include_role:
+        name: linux-system-roles.aide
diff --git a/examples/just_update.yml b/examples/just_update.yml
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: MIT
+---
+- name: Example aide role invocation
+  hosts: targets
+  tasks:
+    - name: Include role aide
+      vars:
+        aide_db_fetch_dir: files
+        aide_install: false
+        aide_generate_config: false
+        aide_init: false
+        aide_check: false
+        aide_update: true
+      ansible.builtin.include_role:
+        name: linux-system-roles.aide
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -10,34 +10,28 @@
     state: present
     use: "{{ (__aide_is_ostree | d(false)) |
              ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
-  tags:
-    - never
-    - install
+  when:
+    - aide_install
 
 - name: Ensure required services are enabled and started
   ansible.builtin.service:
     name: "{{ item }}"
     state: started
     enabled: true
   loop: "{{ __aide_services }}"
-  tags:
-    - never
 
 - name: Generate "/etc/{{ __aide_config }}"
   ansible.builtin.template:
     src: "{{ __aide_config }}.j2"
     dest: "/etc/{{ __aide_config }}"
     backup: true
     mode: "0400"
-  tags:
-    - never
-    - generate_config
+  when:
+    - aide_generate_config
 
 - name: Initialize AIDE database and fetch it
-  become: true
-  tags:
-    - never
-    - init
+  when:
+    - aide_init
   block:
     - name: Initialize AIDE database
       ansible.builtin.command:
@@ -55,10 +49,8 @@
         state: absent
 
 - name: Check AIDE integrity
-  become: true
-  tags:
-    - never
-    - check
+  when:
+    - aide_check
   block:
     - name: Copy AIDE reference database to remote
       ansible.builtin.copy:
@@ -76,10 +68,8 @@
       changed_when: true
 
 - name: Update AIDE database and fetch it
-  become: true
-  tags:
-    - never
-    - update
+  when:
+    - aide_update
   block:
     - name: Update AIDE database
       ansible.builtin.command:

diff --git a/tests/tasks/check_not_present_header.yml b/tests/tasks/check_not_present_header.yml
@@ -0,0 +1,16 @@
+# SPDX-License-Identifier: MIT
+---
+- name: Get file
+  slurp:
+    path: "{{ __file }}"
+  register: __content
+  when: not __file_content is defined
+
+- name: Check for presence of ansible managed header, fingerprint
+  assert:
+    that:
+      - ansible_managed not in content
+      - __fingerprint not in content
+  vars:
+    content: "{{ (__file_content | d(__content)).content | b64decode }}"
+    ansible_managed: "{{ lookup('template', 'get_ansible_managed.j2') }}"
diff --git a/tests/tests_default.yml b/tests/tests_default.yml
@@ -7,7 +7,7 @@
     - linux-system-roles.aide
   tasks:
     - name: Check header for ansible_managed, fingerprint
-      include_tasks: tasks/check_header.yml
+      include_tasks: tasks/check_not_present_header.yml
       vars:
         __file: /etc/aide.conf
         __fingerprint: system_role:aide
diff --git a/tests/tests_deploy.yml b/tests/tests_deploy.yml
@@ -0,0 +1,17 @@
+# SPDX-License-Identifier: MIT
+---
+- name: Ensure that the role runs with default parameters
+  hosts: all
+  gather_facts: false  # test that role works in this case
+  roles:
+    - role: linux-system-roles.aide
+      vars:
+        aide_install: true
+        aide_generate_config: true
+        aide_init: true
+  tasks:
+    - name: Check header for ansible_managed, fingerprint
+      include_tasks: tasks/check_header.yml
+      vars:
+        __file: /etc/aide.conf
+        __fingerprint: system_role:aide
diff --git a/vars/AlmaLinux_10.yml b/vars/AlmaLinux_10.yml
diff --git a/vars/AlmaLinux_8.yml b/vars/AlmaLinux_8.yml
diff --git a/vars/AlmaLinux_9.yml b/vars/AlmaLinux_9.yml
diff --git a/vars/CentOS_10.yml b/vars/CentOS_10.yml
diff --git a/vars/CentOS_7.yml b/vars/CentOS_7.yml
diff --git a/vars/CentOS_8.yml b/vars/CentOS_8.yml
diff --git a/vars/CentOS_9.yml b/vars/CentOS_9.yml
diff --git a/vars/Fedora.yml b/vars/Fedora.yml
diff --git a/vars/RedHat_10.yml b/vars/RedHat_10.yml
diff --git a/vars/RedHat_7.yml b/vars/RedHat_7.yml
diff --git a/vars/RedHat_8.yml b/vars/RedHat_8.yml
diff --git a/vars/RedHat_9.yml b/vars/RedHat_9.yml
diff --git a/vars/Rocky_10.yml b/vars/Rocky_10.yml
diff --git a/vars/Rocky_8.yml b/vars/Rocky_8.yml
diff --git a/vars/Rocky_9.yml b/vars/Rocky_9.yml
diff --git a/vars/main.yml b/vars/main.yml
@@ -7,6 +7,7 @@
 # Examples of non-distribution specific (generic) internal variables:
 __aide_config: aide.conf
 __aide_packages: ['aide']
+__aide_services: []
 __aide_db_name: /var/lib/aide/aide.db.gz
 __aide_db_new_name: /var/lib/aide/aide.db.new.gz
 # ansible_facts required by the role