diff --git a/.ansible-lint b/.ansible-lint
index f615bf2..7766ad4 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -1,2 +1,5 @@
 exclude_paths:
 - .github/
+skip_list:
+ - name[casing]
+ - var-naming[no-role-prefix]
diff --git a/collections/requirements.yml b/collections/requirements.yml
new file mode 100644
index 0000000..8d0160d
--- /dev/null
+++ b/collections/requirements.yml
@@ -0,0 +1,8 @@
+---
+collections:
+ - name: community.general
+ version: 7.5.0
+ - name: community.mysql
+ version: 3.7.2
+ - name: ansible.posix
+ version: 1.5.4
diff --git a/playbook.yml b/playbook.yml
index 5e438fd..cdc22f0 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -1,4 +1,5 @@
-- hosts: app
+- name: deploy zds-site
+ hosts: app
 become: true
 roles:
 - role: common
diff --git a/roles/app/tasks/fixtures.yml b/roles/app/tasks/fixtures.yml
index b229e96..1549116 100644
--- a/roles/app/tasks/fixtures.yml
+++ b/roles/app/tasks/fixtures.yml
@@ -1,4 +1,5 @@
 - name: install requirements in virtualenv to load fixtures
+ become: true
 become_user: "{{ appuser }}"
 ansible.builtin.pip:
 requirements: "{{ appdir }}/requirements-dev.txt"
diff --git a/roles/app/tasks/main.yml b/roles/app/tasks/main.yml
index 6c10884..8cbd110 100644
--- a/roles/app/tasks/main.yml
+++ b/roles/app/tasks/main.yml
@@ -30,7 +30,7 @@
 
 # User, directories, files and symlink creation
 
-- name: should have a {{ appuser }} user
+- name: should have a user named {{ appuser }}
 ansible.builtin.user:
 name: "{{ appuser }}"
 shell: /bin/false
@@ -60,6 +60,7 @@
 - bootstrap
 
 - name: checkout the application
+ become: true
 become_user: "{{ appuser }}"
 vars:
 refspec: "{{ '+refs/pull/*:refs/pull/*' if 'pull/' in appversion else '+refs/heads/*:refs/remotes/origin/*' }}"
@@ -176,6 +177,7 @@
 # Installation of backend, frontend and zmd dependencies
 
 - name: update pip in virtualenv # some dependencies (like rust ones) require a recent pip
+ become: true
 become_user: "{{ appuser }}"
 ansible.builtin.pip:
 name:
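Review bot: `skip_list` silences `name[casing]` and `var-naming[no-role-prefix]` for the whole repository, and the second of those is the rule meant to catch unprefixed variables such as `appuser` and `appdir` being shared across roles (they appear in the app and latex roles on this page), so future collisions of that kind will not be reported at all. If the goal is only to keep the lint run green while the names are cleaned up, ansible-lint's `warn_list` keeps the findings visible without failing: `warn_list:` followed by `  - var-naming[no-role-prefix]`. A one-line comment above the list stating why each rule is disabled would also tell the next reader whether the skip is temporary.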
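Review bot: The collection versions are pinned, but nothing on the page records how they are installed, and the `with_community.general.filetree` and `community.general.npm` tasks in this same change fail on a controller that lacks them. A header comment such as `# install with: ansible-galaxy collection install -r collections/requirements.yml` would document the dependency. If the project's ansible-core supports it, a `signatures:` list per collection would additionally verify the Galaxy artifacts instead of trusting the version pin alone.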
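Review bot: The added `become: true` next to `become_user: "{{ appuser }}"` should not change behaviour here, because playbook.yml in this same change already sets `become: true` at play level and tasks inherit it; it presumably exists to make the switch to the unprivileged app user explicit (and to satisfy the `partial-become` lint rule). That intent is worth one comment on the first such task, since the identical pair is repeated in every roles/app/tasks/main.yml hunk that follows: `# run as the unprivileged app user even though the play itself escalates to root`. The task's remaining arguments are inside the hunk, so nothing else is affected.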
@@ -187,6 +189,7 @@
 - bootstrap
 
 - name: install wheel and sqlparse in virtualenv
+ become: true
 become_user: "{{ appuser }}"
 ansible.builtin.pip:
 name:
@@ -198,6 +201,7 @@
 - bootstrap
 
 - name: install requirements in virtualenv
+ become: true
 become_user: "{{ appuser }}"
 ansible.builtin.pip:
 requirements: "{{ appdir }}/requirements-prod.txt"
@@ -208,13 +212,14 @@
 - upgrade
 
 - name: include nodejs installation
- include_role:
+ ansible.builtin.include_role:
 name: common
 tasks_from: nodejs
 tags:
 - bootstrap
 
 - name: install frontend # noqa no-changed-when
+ become: true
 become_user: "{{ appuser }}"
 ansible.builtin.command: yarn install --frozen-lockfile
 args:
@@ -224,6 +229,7 @@
 - upgrade
 
 - name: install zmarkdown
+ become: true
 become_user: "{{ appuser }}"
 community.general.npm:
 path: "{{ zmarkdown_dir }}"
@@ -235,6 +241,7 @@
 # Frontend building
 
 - name: build frontend # noqa no-changed-when
+ become: true
 become_user: "{{ appuser }}"
 ansible.builtin.command: npm run build
 args:
@@ -244,6 +251,7 @@
 - upgrade
 
 - name: collect static files
+ become: true
 become_user: "{{ appuser }}"
 environment:
 DJANGO_SETTINGS_MODULE: "zds.settings.{{ env }}"
@@ -260,6 +268,7 @@
 # Start of maintenance, if needed
 
 - name: check if database migration is needed
+ become: true
 become_user: "{{ appuser }}"
 environment:
 DJANGO_SETTINGS_MODULE: "zds.settings.{{ env }}"
@@ -284,6 +293,7 @@
 - upgrade
 
 - name: migrate database
+ become: true
 become_user: "{{ appuser }}"
 environment:
 DJANGO_SETTINGS_MODULE: "zds.settings.{{ env }}"
@@ -298,6 +308,7 @@
 - upgrade
 
 - name: clear cache
+ become: true
 become_user: "{{ appuser }}"
 environment:
 DJANGO_SETTINGS_MODULE: "zds.settings.{{ env }}"
@@ -373,12 +384,14 @@
 - bootstrap
 - upgrade
 
-- include_tasks: fixtures.yml
+- name: load fixtures
+ ansible.builtin.include_tasks: fixtures.yml
 when: load_fixtures
 tags:
 - bootstrap
 
-- include_tasks: geodata.yml
+- name: setup geodata
+ ansible.builtin.include_tasks: geodata.yml
 when: secrets.geolite.license_key is defined
 tags:
 - bootstrap
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index ef1b632..2faaba6 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -30,7 +30,7 @@
 src: "{{ item.src }}"
 dest: "/etc/zsh/{{ item.path }}"
 mode: u=rw,g=r,o=r
- with_filetree: zsh/
+ with_community.general.filetree: zsh/
 when: item.state == 'file'
 
 - name: ensure the system can use the HTTPS transport for APT
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
index 836727c..a15998f 100644
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@@ -26,7 +26,7 @@
 
 - name: Log firewall only in /var/log/ufw.log
 # otherwise /var/log/{kern.log,messages,syslog} get full of [UFW BLOCK] messages
- lineinfile:
+ ansible.builtin.lineinfile:
 path: /etc/rsyslog.d/20-ufw.conf
 search_string: "#& stop"
 line: "& stop"
diff --git a/roles/latex/handlers/main.yml b/roles/latex/handlers/main.yml
index 749f0b9..9b757f4 100644
--- a/roles/latex/handlers/main.yml
+++ b/roles/latex/handlers/main.yml
@@ -1,7 +1,7 @@
-- name: run texhash
+- name: run texhash # noqa no-changed-when
 become: true
 become_user: "{{ appuser }}"
 ansible.builtin.shell: texhash $HOME/texmf
 
-- name: refresh font-config cache
+- name: refresh font-config cache # noqa no-changed-when
 ansible.builtin.command: fc-cache -f
diff --git a/roles/latex/tasks/main.yml b/roles/latex/tasks/main.yml
index 6887f4c..f6fd052 100644
--- a/roles/latex/tasks/main.yml
+++ b/roles/latex/tasks/main.yml
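Review bot: `with_community.general.filetree: zsh/` works, but the `with_<fqcn>` spelling is the legacy loop keyword bolted onto a namespaced lookup and reads oddly; the documented form is `loop: "{{ query('community.general.filetree', 'zsh/') }}"`, which leaves `item.src`, `item.path` and `item.state` unchanged. The roles/web/tasks/main.yml hunk at the end of the page makes the same change for `nginx/`. Since the lookup also yields directory and link entries, the `when: item.state == 'file'` filter is what keeps symlinked files out of /etc/zsh, which deserves a comment if that is deliberate. The template task's own header is above this hunk.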
@@ -16,17 +16,18 @@
 - bootstrap
 
 - name: install pygments
- pip:
+ ansible.builtin.pip:
 name: Pygments
 executable: pip3
 tags:
 - bootstrap
 
-- include_tasks: packages.yml
+- name: install latex packages
+ ansible.builtin.include_tasks: packages.yml
 tags:
 - bootstrap
 
-- name: clone the template # noqa git-latest
+- name: clone the template # noqa latest[git]
 become: true
 become_user: "{{ appuser }}"
 ansible.builtin.git:
@@ -52,6 +53,7 @@
 ansible.builtin.get_url:
 url: "{{ item[0].url }}/{{ item[1].ext | upper }}/{{ item[0].name }}-{{ item[2] }}.{{ item[1].ext }}"
 dest: /usr/local/share/fonts/{{ item[1].path }}/{{ item[0].slug }}/{{ item[0].name }}-{{ item[2] }}.{{ item[1].ext }}
+ mode: u=rw,g=r,o=r
 with_nested:
 - "{{ fonts }}"
 - "{{ fonttypes }}"
diff --git a/roles/latex/tasks/packages.yml b/roles/latex/tasks/packages.yml
index 4dd6c81..95da2db 100644
--- a/roles/latex/tasks/packages.yml
+++ b/roles/latex/tasks/packages.yml
@@ -16,10 +16,11 @@
 - bootstrap
 
 - name: check ansible state
- ansible.builtin.slurp: src=/opt/zds/texmf/ansible-state
+ ansible.builtin.slurp:
+ src: /opt/zds/texmf/ansible-state
 register: installed_packages
 
-- name: install packages # noqa risky-shell-pipe
+- name: install packages # noqa risky-shell-pipe no-changed-when
 become: true
 become_user: "{{ appuser }}"
 ansible.builtin.shell: >
@@ -53,5 +54,6 @@
 ansible.builtin.get_url:
 url: https://raw.githubusercontent.com/tabu-issues-for-future-maintainer/tabu/master/tabu.sty
 dest: /opt/zds/texmf/tex/latex/tabu/tabu.sty
+ mode: u=rw,g=r,o=r
 tags:
 - bootstrap
diff --git a/roles/mysql/tasks/main.yml b/roles/mysql/tasks/main.yml
index 75a84cf..d932099 100644
--- a/roles/mysql/tasks/main.yml
+++ b/roles/mysql/tasks/main.yml
@@ -32,7 +32,7 @@
 enabled: true
 
 - name: install MySQLdb-python
- pip:
+ ansible.builtin.pip:
 name: mysqlclient
 executable: pip3
 
diff --git a/roles/web/tasks/main.yml b/roles/web/tasks/main.yml
index ae40b16..b4f3578 100644
--- a/roles/web/tasks/main.yml
+++ b/roles/web/tasks/main.yml
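Review bot: Renaming the suppression to `# noqa latest[git]` on `clone the template` keeps the clone unpinned: the rule being silenced is precisely the one that warns a moving branch tip is deployed, and the `ansible.builtin.git` arguments where a `version:` would pin it lie below this hunk. If pinning is not possible, a comment beside the noqa stating why (for example `# noqa latest[git] -- template intentionally tracks the branch head; see <tracking issue>`) records the decision for the next reader; otherwise a tag or commit in `version:` removes the need for the suppression.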
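Review bot: The added `mode: u=rw,g=r,o=r` fixes the file permissions but leaves the download itself unverified: `ansible.builtin.get_url` fetches each font from `{{ item[0].url }}` and writes it under /usr/local/share/fonts (presumably as root, given the play-level become) with no `checksum:`, so a changed upstream file is installed system-wide without notice. If the `fonts` data can carry a digest, a `checksum: "sha256:{{ item[0].sha256 }}"` keyed on a new field (field name illustrative) makes the task fail closed. The roles/latex/tasks/packages.yml hunk that fetches tabu.sty from a `master` URL has the same gap and, being a single fixed file, would take a literal `checksum: "sha256:<digest of the vetted tabu.sty>"`. Both get_url tasks start above their hunks.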
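Review bot: Adding `no-changed-when` to the noqa on `install packages` suppresses the lint rather than answering it, and this task file already has the data to answer it: the preceding task slurps /opt/zds/texmf/ansible-state into `installed_packages`. Registering the shell result and deriving `changed_when:` from its output, or comparing the desired package list against `installed_packages.content | b64decode` in a `when:`, would report real changes and skip the install when nothing is missing. The `>` shell body runs past the end of the hunk, so the exact expression cannot be given here.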
@@ -36,7 +36,7 @@
 src: "{{ item.src }}"
 dest: "/etc/nginx/{{ item.path }}"
 mode: u=rw,g=r,o=r
- with_filetree: nginx/
+ with_community.general.filetree: nginx/
 when: item.state == 'file'
 notify: reload nginx