From f1774b4a3870bf8decd8ec675ebb57ec91fab4b7 Mon Sep 17 00:00:00 2001
From: Thomas Schneider <thomas@fsmpi.rwth-aachen.de>
Date: Tue, 13 Jun 2023 13:46:00 +0200
Subject: [PATCH] *: Fix or document ansible-lint violations

---
 .ansible-lint-ignore               |  4 ++++
 apt/defaults/main.yml              |  1 -
 apt/handlers/main.yml              |  4 ++--
 apt/tasks/repositories.yml         |  1 -
 basic-system/handlers/main.yml     | 19 ++++++++++++-------
 basic-system/tasks/logging.yml     |  5 +++--
 basic-system/tasks/main.yml        |  3 +++
 basic-system/tasks/network.yml     |  3 +++
 hostkey-provider/handlers/main.yml |  3 ++-
 hostkey-provider/tasks/main.yml    |  3 +++
 localization/handlers/main.yml     |  9 ++++++---
 localization/tasks/ntpd.yml        |  4 +++-
 localization/tasks/timesyncd.yml   |  4 +++-
 shell/handlers/main.yml            |  1 -
 shell/tasks/shell.yml              |  8 ++++++--
 shell/tasks/sudo.yml               |  1 -
 ssh-server/defaults/main.yml       |  1 -
 ssh-server/tasks/main.yml          |  1 -
 18 files changed, 50 insertions(+), 25 deletions(-)
 create mode 100644 .ansible-lint-ignore

diff --git a/.ansible-lint-ignore b/.ansible-lint-ignore
new file mode 100644
index 0000000..ea75a28
--- /dev/null
+++ b/.ansible-lint-ignore
@@ -0,0 +1,4 @@
+# This file contains ignores rule violations for ansible-lint
+hostkey-provider/tasks/main.yml ignore-errors
+shell/tasks/shell.yml schema[moves]
+ssh-server/tasks/main.yml no-changed-when
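Review bot: Each entry in this new file suppresses the named rule for the whole file rather than for one task, so a future `ignore_errors: true` anywhere in hostkey-provider/tasks/main.yml or another command task without `changed_when` in ssh-server/tasks/main.yml will pass lint unnoticed. The inline form this same patch uses in basic-system/tasks/logging.yml and basic-system/handlers/main.yml (`# noqa: <rule>` next to the task, with a one-line justification) keeps the suppression on the specific task and records why it is acceptable; consider moving these three there unless the violation genuinely spans the file. The header comment also reads awkwardly; `# ansible-lint rule violations that are deliberately ignored, one "<path> <rule>" per line` would be clearer.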
diff --git a/apt/defaults/main.yml b/apt/defaults/main.yml
index 8194ece..8909284 100644
--- a/apt/defaults/main.yml
+++ b/apt/defaults/main.yml
@@ -1,5 +1,4 @@
 ---
-# file: common/apt/defaults/main.yml
 
 apt_mirror: 'http://ftp.halifax.rwth-aachen.de/debian/'
 apt_mirror_security: 'http://security.debian.org/debian-security/'
diff --git a/apt/handlers/main.yml b/apt/handlers/main.yml
index 7f85265..5f9a2a5 100644
--- a/apt/handlers/main.yml
+++ b/apt/handlers/main.yml
@@ -1,5 +1,5 @@
 ---
-# file: roles/common/handlers/main.yml
 
 - name: update apt cache
-  apt: update_cache=yes
+  apt:
+    update_cache: true
diff --git a/apt/tasks/repositories.yml b/apt/tasks/repositories.yml
index 5c48ba2..88ec283 100644
--- a/apt/tasks/repositories.yml
+++ b/apt/tasks/repositories.yml
@@ -1,5 +1,4 @@
 ---
-# file: roles/common/tasks/repositories.yml
 # yamllint disable rule:line-length
 
 - name: enable debian repositories
diff --git a/basic-system/handlers/main.yml b/basic-system/handlers/main.yml
index 4213194..aec3244 100644
--- a/basic-system/handlers/main.yml
+++ b/basic-system/handlers/main.yml
@@ -1,11 +1,14 @@
 ---
-# file: roles/common/handlers/main.yml
 
 - name: restart rsyslogd
-  service: name=rsyslog state=restarted
+  service:
+    name: rsyslog
+    state: restarted
 
 - name: restart systemd-journald
-  systemd: name=systemd-journald.service state=restarted
+  systemd:
+    name: systemd-journald.service
+    state: restarted
 
 - name: configure journal directory
   command: systemd-tmpfiles --create --prefix /var/log/journal
@@ -14,14 +17,16 @@
   command: update-initramfs -u
 
 - name: gather network facts once again
-  setup: gather_subset=network
+  setup:
+    gather_subset: network
 
 - name: gather minimal standard facts once again
-  setup: gather_subset=min
+  setup:
+    gather_subset: min
 
 - name: Remove pve directory from etckeeper repo
-  # 303 wants us to use the ansible git module, but it doesn’t
+  # ansible-lint wants us to use the ansible git module, but it doesn’t
   # provide that feature
-  shell:  # noqa 303
+  shell:  # noqa: command-instead-of-module
     chdir: /etc
     cmd: git rm --cached -r -- pve && git commit -m "'Remove pve directory'"
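Review bot: The commit message on the `cmd:` line is wrapped in both quote styles, `"'Remove pve directory'"`, so the shell passes the inner single quotes through and the resulting git commit message is literally `'Remove pve directory'`, quotes included. If that is not intended, `cmd: git rm --cached -r -- pve && git commit -m 'Remove pve directory'` is enough. This is a context line the patch does not touch, so it may be deliberate; the new `# noqa: command-instead-of-module` justification above it is fine as written.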
diff --git a/basic-system/tasks/logging.yml b/basic-system/tasks/logging.yml
index f375326..3692cfb 100644
--- a/basic-system/tasks/logging.yml
+++ b/basic-system/tasks/logging.yml
@@ -1,5 +1,4 @@
 ---
-# file: roles/common/task/logging.yml
 
 - name: restrict dmesg access to only root
   sysctl:
@@ -24,7 +23,9 @@
     - journal
 
 - name: ensure systemd journal is persistent
-  file:
+  # Not setting permissions here is okay because the handler will correct it via
+  # tmpfiles
+  file:  # noqa: risky-file-permissions
     path: /var/log/journal
     state: directory
   when:
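Review bot: The justification in the new comment above `# noqa: risky-file-permissions` only holds for the run that creates `/var/log/journal`: a handler fires only when the notifying task reports changed, so a directory that already exists with drifted owner or mode leaves this `file` task unchanged and the tmpfiles handler never runs. The task's `notify:` is outside this hunk, so the handler wiring itself cannot be checked here. If the one-shot behaviour is acceptable, say so in the comment, e.g. `# Permissions are applied by the tmpfiles handler only on the run that creates the directory; an existing directory is not re-checked.`; otherwise set `owner`/`group`/`mode` on the task explicitly, as the other file-producing tasks in this patch now do.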
diff --git a/basic-system/tasks/main.yml b/basic-system/tasks/main.yml
index 0781cb0..349bee9 100644
--- a/basic-system/tasks/main.yml
+++ b/basic-system/tasks/main.yml
@@ -32,6 +32,9 @@
     path: /etc/.gitignore
     line: /pve
     create: true
+    owner: root
+    group: root
+    mode: "0600"
   when: etckeeper and pve_present.stat.exists
   notify:
     - Remove pve directory from etckeeper repo
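Review bot: The new `mode: "0600"` on `/etc/.gitignore` is the only mode in this patch that is not `"0644"`, and nothing on the line says why; the file holds only ignore patterns, and since etckeeper records metadata for `/etc`, the tightened mode will presumably also surface as a change in its repository. If the restriction is intentional, a comment such as `# deliberately root-only; do not normalise to 0644` above the `mode` line would stop the next reader from "fixing" it; otherwise `mode: "0644"` would match the rest of the patch. The enclosing task (apparently `lineinfile`, given `line:`/`create:`) begins before this hunk.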
diff --git a/basic-system/tasks/network.yml b/basic-system/tasks/network.yml
index 35b4795..dd9f6cf 100644
--- a/basic-system/tasks/network.yml
+++ b/basic-system/tasks/network.yml
@@ -52,6 +52,9 @@
   template:
     src: hosts.j2
     dest: /etc/hosts
+    owner: root
+    group: root
+    mode: "0644"
   when: not hosts_precious
   notify:
     - gather network facts once again
diff --git a/hostkey-provider/handlers/main.yml b/hostkey-provider/handlers/main.yml
index c451577..de09f51 100644
--- a/hostkey-provider/handlers/main.yml
+++ b/hostkey-provider/handlers/main.yml
@@ -1,4 +1,5 @@
 ---
 
 - name: re-read local facts for new hostkeys
-  setup: filter=ansible_local
+  setup:
+    filter: ansible_local
diff --git a/hostkey-provider/tasks/main.yml b/hostkey-provider/tasks/main.yml
index 2256bfe..7e29307 100644
--- a/hostkey-provider/tasks/main.yml
+++ b/hostkey-provider/tasks/main.yml
@@ -6,6 +6,9 @@
     section: collected
     option: "{{ item.key }}"
     value: "{{ item.value }}"
+    owner: root
+    group: root
+    mode: "0644"
   with_items:
     - {key: 'ipv4', value: "{{ ansible_all_ipv4_addresses|join(',') }}"}
     - {key: 'ipv6', value: "{{ ansible_all_ipv6_addresses|join(',') }}"}
diff --git a/localization/handlers/main.yml b/localization/handlers/main.yml
index cc5308c..edcbd1d 100644
--- a/localization/handlers/main.yml
+++ b/localization/handlers/main.yml
@@ -1,11 +1,14 @@
 ---
-# file: roles/common/handlers/main.yml
 
 - name: restart ntpd
-  service: name=ntp state=restarted
+  service:
+    name: ntp
+    state: restarted
 
 - name: restart timesyncd
-  service: name=systemd-timesyncd state=restarted
+  service:
+    name: systemd-timesyncd
+    state: restarted
 
 - name: update timezone
   command: dpkg-reconfigure --frontend noninteractive tzdata
diff --git a/localization/tasks/ntpd.yml b/localization/tasks/ntpd.yml
index fe7922c..68e4890 100644
--- a/localization/tasks/ntpd.yml
+++ b/localization/tasks/ntpd.yml
@@ -1,5 +1,4 @@
 ---
-# file: localization/tasks/ntpd.yml
 
 - name: ensure ntpd is installed
   apt:
@@ -29,6 +28,9 @@
   template:
     src: ntp.conf.j2
     dest: /etc/ntp.conf
+    owner: root
+    group: root
+    mode: "0644"
   notify:
     - restart ntpd
   tags:
diff --git a/localization/tasks/timesyncd.yml b/localization/tasks/timesyncd.yml
index 0dfa012..384edb9 100644
--- a/localization/tasks/timesyncd.yml
+++ b/localization/tasks/timesyncd.yml
@@ -1,5 +1,4 @@
 ---
-# file: roles/common/tasks/ntp.yml
 
 - name: ensure there is no ntpd interfering
   apt:
@@ -13,6 +12,9 @@
   template:
     src: timesyncd.conf.j2
     dest: /etc/systemd/timesyncd.conf
+    owner: root
+    group: root
+    mode: "0644"
   notify:
     - restart timesyncd
   tags:
diff --git a/shell/handlers/main.yml b/shell/handlers/main.yml
index 4a2bbc1..193f481 100644
--- a/shell/handlers/main.yml
+++ b/shell/handlers/main.yml
@@ -1,5 +1,4 @@
 ---
-# file: roles/common/handlers/main.yml
 
 - name: rerun depmod
   command: depmod -ae
diff --git a/shell/tasks/shell.yml b/shell/tasks/shell.yml
index a0f7911..bf794cd 100644
--- a/shell/tasks/shell.yml
+++ b/shell/tasks/shell.yml
@@ -1,5 +1,4 @@
 ---
-# file: roles/common/tasks/shell.yml
 
 - name: ensure installation of basic shell commands
   apt:
@@ -69,7 +68,9 @@
     - shell
 
 - name: ensure we have an up-to-date version of grml-zsh-config
-  get_url:
+  # Skip risky-file-permissions check because this runs locally, and we don’t
+  # even know who the local user running Ansible is.
+  get_url:  # noqa: risky-file-permissions
     url: https://www.archlinux.org/packages/extra/any/grml-zsh-config/download/
     dest: "{{ role_path }}/files/"
   delegate_to: localhost
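Review bot: The `get_url` task in this hunk still accepts whatever `https://www.archlinux.org/packages/extra/any/grml-zsh-config/download/` serves with no integrity check; the patch adds only the lint suppression, so a compromised or misbehaving redirect target silently replaces the package that later lands in `{{ role_path }}/files/` and, presumably, on every managed host. `get_url` supports a `checksum:` parameter (`checksum: "sha256:<digest>"`, digest to be filled in), which is the smallest fix, although it conflicts with the task's "up-to-date" intent unless the digest is refreshed alongside. If taking the latest build unverified is the deliberate trade-off, record it in the new comment block, e.g. `# Integrity rests on TLS to archlinux.org only: no checksum or package signature is verified.` The rest of the task continues outside the hunk.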
@@ -99,6 +100,9 @@
   copy:
     src: /etc/skel/.zshrc
     dest: /root/.zshrc
+    owner: root
+    group: root
+    mode: "0644"
     remote_src: true
   tags:
     - config
diff --git a/shell/tasks/sudo.yml b/shell/tasks/sudo.yml
index 5f65bd4..517f004 100644
--- a/shell/tasks/sudo.yml
+++ b/shell/tasks/sudo.yml
@@ -1,5 +1,4 @@
 ---
-# file: roles/common/tasks/sudo.yml
 
 - name: ensure sudo is installed
   apt:
diff --git a/ssh-server/defaults/main.yml b/ssh-server/defaults/main.yml
index 90fc1a5..ac01ab4 100644
--- a/ssh-server/defaults/main.yml
+++ b/ssh-server/defaults/main.yml
@@ -1,5 +1,4 @@
 ---
-# file: common/ssh-server/defaults/main.yml
 
 ssh_authorized_keys: "{{ inventory_dir }}/files/keys"
 ssh_mkhomedir: true
diff --git a/ssh-server/tasks/main.yml b/ssh-server/tasks/main.yml
index ef491fd..c547c9a 100644
--- a/ssh-server/tasks/main.yml
+++ b/ssh-server/tasks/main.yml
@@ -1,5 +1,4 @@
 ---
-# file: roles/common/tasks/sshd.yml
 
 - name: ensure sshd is installed
   apt:
-- 
GitLab