From 340a2879eb1af1ef17c31b0f98943766b06432f0 Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Tue, 5 Sep 2023 16:16:44 +0100
Subject: [PATCH] lint
---
 deployment/site.yml | 64 ++++++++++++++++++++++++---------------------
 1 file changed, 34 insertions(+), 30 deletions(-)
diff --git a/deployment/site.yml b/deployment/site.yml
index 245fb34..0d85232 100644
--- a/deployment/site.yml
+++ b/deployment/site.yml
@@ -65,13 +65,13 @@
 step_ca_root_cert_local_path: "{{ lookup('env', 'PWD') ~ '/root.crt' }}"
 tasks:
 - name: Assert that there is only one CA server
- assert:
+ ansible.builtin.assert:
 that: groups['step-ca'] | length == 1
- - name: REMOVE!
- shell: docker rm -f step-ca; docker volume rm step; rm -rf /root/.step
- failed_when: false
+ #- name: REMOVE!
+ # ansible.builtin.shell: docker rm -f step-ca; docker volume rm step; rm -rf /root/.step
+ # failed_when: false
 - name: Ensure step-ca container is running
 community.docker.docker_container:
@@ -88,7 +88,7 @@
 - "step:/home/step"
 - name: Check health
- uri:
+ ansible.builtin.uri:
 url: https://localhost:9999/health
 validate_certs: false
 register: health_result
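Review bot: The `REMOVE!` task is commented out rather than deleted, so `docker rm -f step-ca; docker volume rm step; rm -rf /root/.step` stays in the playbook one uncomment away from wiping the CA container, its `step` volume and the provisioner password under `/root/.step`. Dead code with that effect should be removed outright (the history keeps it if a reset is ever wanted), or, if a reset task is genuinely needed, gated on an explicit opt-in variable with a descriptive name. Dropping the three `#` lines is the whole change.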
@@ -97,40 +97,40 @@
 - health_result.json.status == "ok"
 - name: Stat provisioner password file
- stat:
+ ansible.builtin.stat:
 path: /root/.step/provisioner-password
 register: provisioner_password_stat
 - name: Get provisioner password
- shell: docker logs step-ca 2>&1 | awk '/Your CA administrative password is/ { print $7 }'
+ ansible.builtin.shell: docker logs step-ca 2>&1 | awk '/Your CA administrative password is/ { print $7 }'
 register: provisioner_password
 when: not provisioner_password_stat.stat.exists
 - name: Create .step directory
- file:
+ ansible.builtin.file:
 path: /root/.step
 state: directory
 mode: "0700"
 when: not provisioner_password_stat.stat.exists
 - name: Assert provisioner password found
- assert:
+ ansible.builtin.assert:
 that: provisioner_password.stdout | length > 0
 - name: Write provisioner password
- copy:
+ ansible.builtin.copy:
 content: "{{ provisioner_password.stdout }}"
 dest: /root/.step/provisioner-password
 mode: "0600"
 when: not provisioner_password_stat.stat.exists
 - name: Get root CA certificate
- command: docker exec step-ca step ca root
+ ansible.builtin.command: docker exec step-ca step ca root
 changed_when: false
 register: step_ca_root
 - name: Save root CA certificate to localhost
- copy:
+ ansible.builtin.copy:
 content: "{{ step_ca_root.stdout }}"
 dest: "{{ step_ca_root_cert_local_path }}"
 delegate_to: localhost
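Review bot: The CA administrative password passes through task output in this hunk: `Get provisioner password` registers it in `provisioner_password.stdout` and `Write provisioner password` templates it into `content:`, and neither task sets `no_log: true`, so the password is printed in verbose runs, shown by `--diff` on the copy task, and stored by any logging callback. Add `no_log: true` to both tasks. Separately, `Assert provisioner password found` has no `when:`, so on a second run, where `Get provisioner password` is skipped because the file already exists, `provisioner_password.stdout` is undefined and the assert errors instead of passing; guard it with the same `when: not provisioner_password_stat.stat.exists` the neighbouring tasks use.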
@@ -146,23 +146,23 @@
 tasks:
 - name: Ensure step Deb is installed
 when: ansible_facts["os_family"] | lower == "debian"
- package:
+ ansible.builtin.package:
 deb: "https://dl.smallstep.com/gh-release/cli/docs-cli-install/v0.24.4/step-cli_0.24.4_amd64.deb"
 state: present
 update_cache: true
 - name: Ensure step RPM is installed
 when: ansible_facts["os_family"] | lower == "redhat"
- package:
+ ansible.builtin.package:
 name: "https://dl.smallstep.com/gh-release/cli/docs-ca-install/v0.24.4/step-cli_0.24.4_amd64.rpm"
 state: present
 - name: Test step
- command: step certificate inspect https://smallstep.com
+ ansible.builtin.command: step certificate inspect https://smallstep.com
 changed_when: false
 - name: Regenerate step config if requested
- file:
+ ansible.builtin.file:
 path: "/root/.step/{{ item }}"
 state: absent
 loop:
@@ -171,12 +171,12 @@
 when: step_config_regenerate | bool
 - name: Check whether step has been bootstrapped
- stat:
+ ansible.builtin.stat:
 path: /root/.step/config/defaults.json
 register: step_stat
 - name: Get CA fingerprint
- command: docker exec step-ca step certificate fingerprint certs/root_ca.crt
+ ansible.builtin.command: docker exec step-ca step certificate fingerprint certs/root_ca.crt
 register: ca_fingerprint
 changed_when: false
 delegate_to: "{{ groups['step-ca'][0] }}"
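Review bot: Both install tasks pull `step-cli_0.24.4` straight from `dl.smallstep.com` with no checksum, so the only integrity control on the binary that later talks to the CA is TLS to the download host (and a `.deb` passed via `deb:` gets no signature verification from apt). Fetching the file first with `ansible.builtin.get_url` and a pinned `checksum: "sha256:<expected-digest>"` (placeholder) and then installing the local path pins the artifact to what was reviewed. The RPM task's URL uses `docs-ca-install` where the Deb task uses `docs-cli-install`, and its filename ends in `amd64.rpm`; worth confirming that path actually resolves. `Test step` also reaches out to `https://smallstep.com` on every run, making the play depend on outbound internet access; `step version` would verify the install without a network round-trip.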
@@ -184,12 +184,12 @@
 when: not step_stat.stat.exists
 - name: Bootstrap CA
- command: step ca bootstrap --ca-url https://{{ hostvars[groups['step-ca'][0]].ansible_facts.nodename }}:9999 --fingerprint {{ ca_fingerprint.stdout }} --install
+ ansible.builtin.command: step ca bootstrap --ca-url https://{{ hostvars[groups['step-ca'][0]].ansible_facts.nodename }}:9999 --fingerprint {{ ca_fingerprint.stdout }} --install
 changed_when: true
 when: not step_stat.stat.exists
 - name: Install root certificate to system
- shell: step certificate install $(step path)/certs/root_ca.crt
+ ansible.builtin.shell: step certificate install $(step path)/certs/root_ca.crt
 changed_when: false
 when: not step_stat.stat.exists
@@ -200,14 +200,14 @@
 become: true
 tasks:
 - name: Assert that there is only one Minio server
- assert:
+ ansible.builtin.assert:
 that: groups['minio'] | length == 1
 - name: Ensure minio container is running
 community.docker.docker_container:
 name: minio-server
- command: server data --console-address ":9001"
+ ansible.builtin.command: server data --console-address ":9001"
 image: minio/minio
 keep_volumes: false
 networks:
@@ -231,7 +231,7 @@
 prometheus_cacert: "{{ lookup('env', 'PWD') ~ '/root.crt' }}"
 tasks:
 - name: Assert that there is only one Prometheus server
- assert:
+ ansible.builtin.assert:
 that: groups['prometheus'] | length == 1
@@ -273,7 +273,7 @@
 # become: true
 # tasks:
 # - name: Assert that there is only one Jaeger server
-# assert:
+# ansible.builtin.assert:
 # that:
 # groups['jaeger'] | length == 1
 #
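Review bot: `Install root certificate to system` installs the CA root into the host trust store yet reports `changed_when: false`, so a run that modifies the trust store shows no change; the `Bootstrap CA` task just above got `changed_when: true` in this commit and the install task deserves the same, `changed_when: true`. Both are guarded by `when: not step_stat.stat.exists`, so this stays a once-per-host change rather than a perpetual "changed".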
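Review bot: The `command:` key under `community.docker.docker_container:` for `minio-server` is a module parameter (the container's command), not a task action, so renaming it to `ansible.builtin.command:` makes docker_container fail on an unsupported parameter and drops `server data --console-address ":9001"` from the container definition. That line must be reverted to `command: server data --console-address ":9001"`; the lint rule that prompted the rename applies only to the top-level action key of a task.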
@@ -315,25 +315,27 @@
 reductionist_cert_not_after: "24h"
 tasks:
 - name: Check whether certificate exists
- stat:
+ ansible.builtin.stat:
 path: "{{ reductionist_remote_certs_path }}/cert.pem"
 register: reductionist_cert_stat
 - name: Ensure remote certificate path exists
- file:
+ ansible.builtin.file:
 path: "{{ reductionist_remote_certs_path }}"
 state: directory
+ mode: "0700"
 - name: Generate a step token
- command: >-
+ ansible.builtin.command: >-
 step ca token --provisioner-password-file /root/.step/provisioner-password {{ reductionist_host }}
 delegate_to: "{{ groups['step-ca'][0] }}"
+ changed_when: false
 register: reductionist_step_token
 - name: Generate an initial certificate
- command: >-
+ ansible.builtin.command: >-
 step ca certificate --token {{ reductionist_step_token.stdout }} --not-after {{ reductionist_cert_not_after }}
@@ -341,18 +343,20 @@
 {{ reductionist_host }}
 {{ reductionist_remote_certs_path }}/cert.pem
 {{ reductionist_remote_certs_path }}/key.pem
+ changed_when: true
 when: not reductionist_cert_stat.stat.exists
 - name: Ensure certificate renewal systemd units exist
- template:
+ ansible.builtin.template:
 src: "{{ item }}.j2"
 dest: "/etc/systemd/system/{{ item }}"
+ mode: "0600"
 loop:
 - reductionist-cert-renewer.service
 - reductionist-cert-renewer.timer
 - name: Ensure certificate renewal systemd units are running
- service:
+ ansible.builtin.service:
 name: "{{ item }}"
 state: started
 enabled: true
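Review bot: `Generate a step token` registers a CA bearer token in `reductionist_step_token.stdout` without `no_log: true`, so the token is printed in verbose output and captured by any logging callback; the same applies to `Generate an initial certificate`, which continues into the next hunk and places that token on the `step ca certificate` command line. Add `no_log: true` to both tasks; the token is short-lived, but while valid it is enough to obtain a certificate for `reductionist_host` from the CA. The added `changed_when: false` is correct for a token issuance delegated to the CA host, and `mode: "0700"` on the certificate directory is the right default for a directory that will hold `key.pem`.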
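Review bot: `mode: "0600"` on the templated systemd units is tighter than the `0644` unit files normally carry; systemd reads them as root so the timer still runs, but unprivileged `systemctl cat`/`status` no longer shows the unit text, which only pays off if the `.j2` templates embed something sensitive. If nothing sensitive is templated in, `mode: "0644"` is the conventional choice; otherwise a one-line comment on the task stating why the units are restricted would save the next reader the question.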