update cert references for renewal; ansible-lint cleanup

2024-09-04 17:09:27 -04:00 · 2024-09-04 17:09:27 -04:00 · 4646e5cf23
commit 4646e5cf23
parent b71c656e6a
6 changed files with 110 additions and 40 deletions
--- a/.yamllint
+++ b/.yamllint
@ -0,0 +1,33 @@
+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  colons:
+    max-spaces-after: -1
+    level: error
+  commas:
+    max-spaces-after: -1
+    level: error
+  comments: disable
+  comments-indentation: disable
+  document-start: disable
+  empty-lines:
+    max: 3
+    level: error
+  hyphens:
+    level: error
+  indentation: disable
+  key-duplicates: enable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  new-lines:
+    type: unix
+  trailing-spaces: disable
+  truthy: disable
--- a/defaults/main/proxy_site_defs.yml
+++ b/defaults/main/proxy_site_defs.yml
@ -39,12 +39,12 @@


  proxy_site_ssl_directory           : /etc/nginx/ssl
-  proxy_site_ssl_certificate         : "{{ proxy_site_ssl_directory }}/thezengarden.net/fullchain25.pem"
-  proxy_site_ssl_certificate_key     : "{{ proxy_site_ssl_directory }}/thezengarden.net/privkey25.pem"
-  proxy_site_ssl_certificate_ch      : "{{ proxy_site_ssl_directory }}/chris-hammer.com/fullchain14.pem"
-  proxy_site_ssl_certificate_key_ch  : "{{ proxy_site_ssl_directory }}/chris-hammer.com/privkey14.pem"
-  proxy_site_ssl_certificate_cht     : "{{ proxy_site_ssl_directory }}/christian-hammer.com/fullchain23.pem"
-  proxy_site_ssl_certificate_key_cht : "{{ proxy_site_ssl_directory }}/christian-hammer.com/privkey23.pem"
+  proxy_site_ssl_certificate         : "{{ proxy_site_ssl_directory }}/thezengarden.net/fullchain26.pem"
+  proxy_site_ssl_certificate_key     : "{{ proxy_site_ssl_directory }}/thezengarden.net/privkey26.pem"
+  proxy_site_ssl_certificate_ch      : "{{ proxy_site_ssl_directory }}/chris-hammer.com/fullchain15.pem"
+  proxy_site_ssl_certificate_key_ch  : "{{ proxy_site_ssl_directory }}/chris-hammer.com/privkey15.pem"
+  proxy_site_ssl_certificate_cht     : "{{ proxy_site_ssl_directory }}/christian-hammer.com/fullchain24.pem"
+  proxy_site_ssl_certificate_key_cht : "{{ proxy_site_ssl_directory }}/christian-hammer.com/privkey24.pem"
  proxy_site_ssl_protocols           : TLSv1.2
  proxy_site_ssl_ciphers             : ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256

@ -60,5 +60,5 @@


  # git repo vars for ssl certs
-  ssl_repo        : git@gitlab.thezengarden.net:zen/le-ssl-certs.git
-  ssl_repo_branch : master
+  ssl_repo        : gitea@gitea.thezengarden.net:SSL/le.git
+  ssl_repo_branch : main
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@ -0,0 +1,12 @@
+---
+- name: Converge
+  hosts: all
+  tasks:
+    # replace these tasks with whatever you find suitable to test
+    - name: Copy something to test use of synchronize module
+      ansible.builtin.copy:
+        src: /etc/hosts
+        dest: /tmp/hosts-from-controller
+    - name: "Include jchristianh.zen_rev_proxy"
+      ansible.builtin.include_role:
+        name: "jchristianh.zen_rev_proxy"
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@ -0,0 +1,14 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: podman
+platforms:
+  - name: proxy1
+    image: quay.io/centos/centos:stream8
+    pre_build_image: true
+
+provisioner:
+  name: ansible
+verifier:
+  name: ansible
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@ -0,0 +1,10 @@
+---
+# This is an example playbook to execute Ansible tests.
+
+- name: Verify
+  hosts: all
+  gather_facts: false
+  tasks:
+  - name: Example assertion
+    ansible.builtin.assert:
+      that: true
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,67 +1,68 @@
 ---
- name: install proxy packages
-  package:
-    name  : "{{ proxy_package_list }}"
-    state : present
+- name: Install proxy packages
+  ansible.builtin.package:
+    name: "{{ proxy_package_list }}"
+    state: present
  tags: always


- name: enable nginx at boot time
-  service:
-    name    : nginx
-    enabled : yes
+- name: Enable nginx at boot time
+  ansible.builtin.service:
+    name: nginx
+    enabled: true
  tags: always
  when: ansible_virtualization_type != "docker"


- name: clean conf.d
-  file:
+- name: Clean conf.d
+  ansible.builtin.file:
    path: "{{ proxy_site_conf_dir }}"
    state: absent
-  tags: ['clean_deploy','never']
+  tags: ['clean_deploy', 'never']


- name: create conf.d directory
-  file:
-    path  : "{{ proxy_site_conf_dir }}"
-    state : directory
-    mode  : 0755
+- name: Create conf.d directory
+  ansible.builtin.file:
+    path: "{{ proxy_site_conf_dir }}"
+    state: directory
+    mode: "0755"
  tags: always


- name: create log directory
-  file:
-    path  : "{{ proxy_site_log_path }}"
-    state : directory
-    mode  : 0755
+- name: Create log directory
+  ansible.builtin.file:
+    path: "{{ proxy_site_log_path }}"
+    state: directory
+    mode: "0755"
  tags: always


  ## TODO: fix the perms on ssl certs!!@*&!@^&*

- name: clone ssl certs
-  git:
+- name: Clone ssl certs
+  ansible.builtin.git:
    repo: "{{ ssl_repo }}"
    dest: "{{ proxy_site_ssl_directory }}"
    version: "{{ ssl_repo_branch }}"
+    accept_newhostkey: true
  tags: always
  notify: restart nginx


- name: write configuration file(s)
-  template:
-    src  : proxy_site.j2
-    dest : "{{ proxy_site_conf_dir }}/{{ item.key }}.conf"
-    mode : 0644
+- name: Write configuration file(s)
+  ansible.builtin.template:
+    src: proxy_site.j2
+    dest: "{{ proxy_site_conf_dir }}/{{ item.key }}.conf"
+    mode: "0644"
  with_dict:
    - "{{ proxy_sites }}"
  tags: always
  notify: restart nginx


- name: start nginx
-  service:
-    name  : nginx
-    state : started
+- name: Start nginx
+  ansible.builtin.service:
+    name: nginx
+    state: started
  tags: always
  when: ansible_virtualization_type != "docker"