Merge pull request #13 from f500/ansible-lint

Add ansible lint pr workflow

Author: mjmeijerman

.ansible-lint

@@ -0,0 +1,129 @@
+---
+# .ansible-lint
+
+profile: production # min, basic, moderate,safety, shared, production
+
+# Allows dumping of results in SARIF format
+# sarif_file: result.sarif
+
+# exclude_paths included in this file are parsed relative to this file's location
+# and not relative to the CWD of execution. CLI arguments passed to the --exclude
+# option are parsed relative to the CWD of execution.
+exclude_paths:
+  - .github/
+  - .ansible-lint
+# parseable: true
+# quiet: true
+# strict: true
+# verbosity: 1
+
+# Mock modules or roles in order to pass ansible-playbook --syntax-check
+#mock_modules:
+#  - zuul_return
+# note the foo.bar is invalid as being neither a module or a collection
+#  - fake_namespace.fake_collection.fake_module
+#  - fake_namespace.fake_collection.fake_module.fake_submodule
+#mock_roles:
+#  - mocked_role
+#  - author.role_name # old standalone galaxy role
+#  - fake_namespace.fake_collection.fake_role # role within a collection
+
+# Enable checking of loop variable prefixes in roles
+loop_var_prefix: "^(__|{role}_)"
+
+# Enforce variable names to follow pattern below, in addition to Ansible own
+# requirements, like avoiding python identifiers. To disable add `var-naming`
+# to skip_list.
+var_naming_pattern: "^[a-z_][a-z0-9_]*$"
+
+use_default_rules: true
+# Load custom rules from this specific folder
+# rulesdir:
+#   - ./rule/directory/
+
+# Ansible-lint is able to recognize and load skip rules stored inside
+# `.ansible-lint-ignore` (or `.config/ansible-lint-ignore.txt`) files.
+# To skip a rule just enter filename and tag, like "playbook.yml package-latest"
+# on a new line.
+# Optionally you can add comments after the tag, prefixed by "#". We discourage
+# the use of skip_list below because that will hide violations from the output.
+# When putting ignores inside the ignore file, they are marked as ignored, but
+# still visible, making it easier to address later.
+skip_list:
+  - risky-shell-pipe
+#  - skip_this_tag
+
+# Ansible-lint does not automatically load rules that have the 'opt-in' tag.
+# You must enable opt-in rules by listing each rule 'id' below.
+enable_list:
+  - args
+  - empty-string-compare # opt-in
+  - no-log-password # opt-in
+  - no-same-owner # opt-in
+  - name[prefix] # opt-in
+  - galaxy-version-incorrect # opt-in
+  # add yaml here if you want to avoid ignoring yaml checks when yamllint
+  # library is missing. Normally its absence just skips using that rule.
+  - yaml
+# Report only a subset of tags and fully ignore any others
+# tags:
+#   - jinja[spacing]
+
+# Ansible-lint does not fail on warnings from the rules or tags listed below
+#warn_list:
+#  - skip_this_tag
+#  - experimental # experimental is included in the implicit list
+# - role-name
+# - yaml[document-start]  # you can also use sub-rule matches
+
+# Some rules can transform files to fix (or make it easier to fix) identified
+# errors. `ansible-lint --fix` will reformat YAML files and run these transforms.
+# By default it will run all transforms (effectively `write_list: ["all"]`).
+# You can disable running transforms by setting `write_list: ["none"]`.
+# Or only enable a subset of rule transforms by listing rules/tags here.
+# write_list:
+#   - all
+
+# Offline mode disables installation of requirements.yml and schema refreshing
+offline: true
+
+  # Define required Ansible's variables to satisfy syntax check
+  #extra_vars:
+  #  foo: bar
+  #  multiline_string_variable: |
+  #    line1
+  #    line2
+  #  complex_variable: ":{;\t$()"
+
+  # Uncomment to enforce action validation with tasks, usually is not
+  # needed as Ansible syntax check also covers it.
+  # skip_action_validation: false
+
+  # List of additional kind:pattern to be added at the top of the default
+  # match list, first match determines the file kind.
+  #kinds:
+  # - playbook: "**/examples/*.{yml,yaml}"
+  # - galaxy: "**/folder/galaxy.yml"
+  # - tasks: "**/tasks/*.yml"
+  # - vars: "**/vars/*.yml"
+# - meta: "**/meta/main.yml"
+#  - yaml: "**/*.yaml-too"
+
+# List of additional collections to allow in only-builtins rule.
+# only_builtins_allow_collections:
+#   - example_ns.example_collection
+
+# List of additions modules to allow in only-builtins rule.
+# only_builtins_allow_modules:
+#   - example_module
+
+# Allow setting custom prefix for name[prefix] rule
+#task_name_prefix: "{stem} | "
+# Complexity related settings
+
+# Limit the depth of the nested blocks:
+# max_block_depth: 20
+
+# Also recognize these versions of Ansible as supported:
+# supported_ansible_also:
+#   - "2.14"

.github/workflows/pull-request.yml

@@ -0,0 +1,12 @@
+---
+name: Pull request
+
+on: pull_request
+
+jobs:
+  ansible-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run ansible-lint
+        uses: ansible/ansible-lint@main

.gitignore

@@ -0,0 +1 @@
+.idea

README.md

@@ -155,6 +155,22 @@ Example Playbook
       roles:
       - { role: f500.nginx }
 
+Linting
+-------
+Github actions will check this role with ansible-lint. To run this locally, you will need to follow the following steps:
+
+```bash
+brew install ansible-lint
+brew install yamllint
+ansible-lint
+```
+
+to fix the linting errors, run:
+
+```bash
+ansible-lint --fix
+```
+
 License
 -------
 

defaults/main.yml

@@ -7,35 +7,38 @@ nginx_worker_processes: "{{ ansible_processor_count }}"
 nginx_pid: "/var/run/nginx.pid"
 nginx_www_dir: "/var/www"
 
-nginx_use_realpath_root: no
-nginx_php_force_cgi_redirect: no
-nginx_set_default_server: yes
+nginx_use_realpath_root: false
+nginx_php_force_cgi_redirect: false
+nginx_set_default_server: true
 
 nginx_dhparam_bits: 4096
 
 nginx_http_params_default:
   server_names_hash_bucket_size: 64
-  server_tokens: off
+  server_tokens: false
 
-  sendfile: on
-  tcp_nopush: on
-  tcp_nodelay: on
+  sendfile: true
+  tcp_nopush: true
+  tcp_nodelay: true
 
-  gzip: on
+  gzip: true
   gzip_disable: "msie6"
   gzip_min_length: 256
-  gzip_types: application/json application/vnd.ms-fontobject application/x-font-ttf application/x-javascript application/xml application/xml+rss font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/xml
+  gzip_types: >
+    application/json application/vnd.ms-fontobject application/x-font-ttf
+    application/x-javascript application/xml application/xml+rss font/opentype  image/svg+xml
+    image/x-icon text/css text/javascript text/plain text/xml
 
   ssl_ciphers: "HIGH:!aNULL:!MD5"
   ssl_dhparam: "/etc/nginx/dh{{ nginx_dhparam_bits }}.pem"
-  ssl_prefer_server_ciphers: on
+  ssl_prefer_server_ciphers: true
   ssl_protocols: TLSv1.2 TLSv1.3
   ssl_session_cache: shared:SSL:50m
-  ssl_session_tickets: off
+  ssl_session_tickets: false
   ssl_session_timeout: 1d
-  ssl_stapling: on
-  ssl_stapling_verify: on
-  resolver: "{{ ansible_dns.nameservers|join(' ') }} valid=300s"
+  ssl_stapling: true
+  ssl_stapling_verify: true
+  resolver: "{{ ansible_dns.nameservers | join(' ') }} valid=300s"
 
 nginx_http_headers_default:
   Content-Security-Policy: "default-src 'self'; form-action 'self'; frame-ancestors 'none'"
@@ -47,5 +50,4 @@ nginx_http_headers_default:
 
 nginx_http_params: {}
 nginx_http_headers: {}
-
 nginx_server_templates: []

handlers/main.yml

@@ -1,6 +1,5 @@
 ---
-
 - name: Restart nginx
-  service:
+  ansible.builtin.service:
     name: nginx
     state: restarted

meta/main.yml

@@ -2,15 +2,16 @@
 galaxy_info:
   author: "Jasper N. Brouwer, Ramon de la Fuente"
   role_name: "nginx"
+  namespace: "f500"
   description: Install and start Nginx
   company: Future500
   license: LGPL-3.0
   min_ansible_version: "1.4"
   platforms:
-  - name: Debian
-    versions:
-      - bullseye
-      - bookworm
+    - name: Debian
+      versions:
+        - bullseye
+        - bookworm
   galaxy_tags:
     - web
 dependencies: []