lint yaml files

.yamllint

+---
+
+extends: default
+
+rules:
+  comments-indentation:
+    level: warning
+  document-start:
+    level: error
+  empty-lines:
+    max: 1
+  empty-values:
+    forbid-in-flow-mappings: true
+    forbid-in-block-mappings: true
+  line-length:
+    level: warning
+  octal-values:
+    forbid-implicit-octal: true
+    level: warning

ad-auth/tasks/kerberos.yml

@@ -2,14 +2,18 @@
 # file: roles/ad-auth/tasks/kerberos.yml
 
 - name: ensure kerberos is installed
-  apt: name=krb5-user state=present
+  apt:
+    name: krb5-user
+    state: present
   tags:
     - kerberos
-    - packages
 
 - name: ensure kerberos is configured
-  template: src=krb5.conf.j2 dest=/etc/krb5.conf owner=root group=root mode=0644
+  template:
+    src: krb5.conf.j2
+    dest: /etc/krb5.conf
+    owner: root
+    group: root
+    mode: '0644'
   tags:
     - kerberos
-    - config
-

ad-auth/tasks/ldap.yml

@@ -2,14 +2,18 @@
 # file: roles/ad-auth/tasks/ldap.yml
 
 - name: ensure ldap-utils is installed
-  apt: name=ldap-utils state=present
+  apt:
+    name: ldap-utils
+    state: present
   tags:
     - ldap
-    - packages
 
 - name: ensure proper global ldap configuration
-  template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf owner=root group=root mode=0644
+  template:
+    src: ldap.conf.j2
+    dest: /etc/ldap/ldap.conf
+    owner: root
+    group: root
+    mode: '0644'
   tags:
     - ldap
-    - config
-

ad-auth/tasks/main.yml

@@ -18,8 +18,10 @@
 - meta: flush_handlers
 
 - name: ensure there is no local users group
-  lineinfile: path=/etc/group state=absent regexp="^users:"
+  lineinfile:
+    path: /etc/group
+    state: absent
+    regexp: "^users:"
   tags:
     - groups
-    - config
     - ad-auth

ad-auth/tasks/pam.yml

@@ -2,9 +2,13 @@
 # file: roles/ad-auth/tasks/pam.yml
 
 - name: ensure pam applies a general umask
-  copy: src=pam/umask dest=/usr/share/pam-configs/umask owner=root group=root mode=0644
+  copy:
+    src: pam/umask
+    dest: /usr/share/pam-configs/umask
+    owner: root
+    group: root
+    mode: '0644'
   notify:
     - regenerate pam config
   tags:
     - pam
-    - config

ad-auth/tasks/sssd.yml

@@ -9,41 +9,60 @@
       - libnss-sss
       - sssd-tools
       - realmd
+      # yamllint disable rule:line-length
       - policykit-1  # this is required for realm to discover realms...
       - adcli  # this is required for realm to join realms...
       - packagekit  # this is required for realm to i don't know and don't even care anymore...
+      # yamllint enable rule:line-length
       - cracklib-runtime
     state: present
-    install_recommends: no
+    install_recommends: false
   notify:
     - clear sssd cache
   tags:
     - sssd
-    - packages
 
 - name: check if our realm is configured
   shell: realm list | grep "{{ domain }}"
   register: current_realms
   changed_when: "current_realms.rc != 0"
   failed_when: "current_realms.rc != 0 and current_realms.rc != 1"
+  tags:
+    - sssd
 
 - block:
     - name: discover our realm
       command: realm discover -v "{{ domain }}"
+      tags:
+        - sssd
+
     - name: get a kerberos ticket
+      # yamllint disable-line rule:line-length
       shell: echo "{{ lookup('passwordstore', ad_admin_password) }}" | kinit Administrator
       when: debian_version == "jessie"
-      no_log: True
+      no_log: true
+      tags:
+        - sssd
+
     - name: ensure pexpect is installed
-      apt: name=python-pexpect state=present
+      apt:
+        name: python-pexpect
+        state: present
       when: debian_version == "stretch"
+      tags:
+        - sssd
+
     - name: get a kerberos ticket
       expect:
         command: kinit Administrator
         responses:
+          # yamllint disable-line rule:line-length
           "Passwor(d|t) for Administrator.*": "{{ lookup('passwordstore', ad_admin_password) }}"
       when: debian_version == "stretch"
-      no_log: True
+      no_log: true
+      tags:
+        - sssd
+
     - name: leave any other realm
       command: realm leave
       register: result
@@ -51,38 +70,50 @@
       retries: 9001
       delay: 0
       failed_when: "result.rc != 0 and result.rc != 1"
+      tags:
+        - sssd
+
     - name: join our realm
       command: realm join -v "{{ domain }}"
       notify:
         - clear sssd cache
         - restart sssd
+      tags:
+        - sssd
+
     - name: destroy kerberos ticket
       command: kdestroy
+      tags:
+        - sssd
   when: "current_realms.rc != 0"
 
 - name: ensure sssd is configured
-  template: src=sssd.conf.j2 dest=/etc/sssd/sssd.conf owner=root group=root mode=0600
+  template:
+    src: sssd.conf.j2
+    dest: /etc/sssd/sssd.conf
+    owner: root
+    group: root
+    mode: '0600'
   notify:
     - restart sssd
     - clear sssd cache
   tags:
     - sssd
-    - config
 
 - name: ensure sssd is enabled and running
-  service: name=sssd state=started enabled=yes
+  service:
+    name: sssd
+    state: started
+    enabled: true
   tags:
     - sssd
-    - service
 
 - name: ensure we have a cronjob which renews krb credenitials once a day
   template:
     src: templates/renew_krb5.j2
     dest: /etc/cron.daily/renew_krb5
-    mode: 0755
+    mode: '0755'
     owner: root
     group: root
   tags:
     - sssd
-
-

ad-auth/tasks/sudo.yml

@@ -2,10 +2,13 @@
 # file: roles/ad-auth/tasks/sudo.yml
 
 - name: ensure users of group admin are in the sudoers
-  template: src=sudo.j2 dest=/etc/sudoers.d/admin owner=root group=root mode=0440
+  template:
+    src: sudo.j2
+    dest: /etc/sudoers.d/admin
+    owner: root
+    group: root
+    mode: '0440'
   notify:
     - check sudo config
   tags:
     - sudo
-    - config
-

ad-server-replication/defaults/main.yml

+---
+
+ad_admin_password: samba-admin

ad-server-replication/handlers/main.yml

@@ -3,4 +3,3 @@
 
 - name: restart samba-ad-dc server
   service: name=samba-ad-dc state=restarted
-

ad-server-replication/tasks/kerberos.yml

@@ -2,14 +2,18 @@
 # file: roles/ad-auth/tasks/kerberos.yml
 
 - name: ensure kerberos is installed
-  apt: name=krb5-user state=present
+  apt:
+    name: krb5-user
+    state: present
   tags:
     - kerberos
-    - packages
 
 - name: ensure kerberos is configured
-  template: src=krb5.conf.j2 dest=/etc/krb5.conf owner=root group=root mode=0644
+  template:
+    src: krb5.conf.j2
+    dest: /etc/krb5.conf
+    owner: root
+    group: root
+    mode: '0644'
   tags:
     - kerberos
-    - config
-

ad-server-replication/tasks/main.yml

@@ -4,34 +4,33 @@
 - import_tasks: kerberos.yml
 
 - name: ensure ad-server is installed
-  apt: name=samba state=latest
+  apt:
+    name: samba
+    state: present
   tags:
-    - packages
     - ad-server
 
-    #- name: ensure winbind is for some reasons installed
-    #  apt: name=winbind state=latest
-    #  tags: 
-    #    - packages
-    #    - ad-server
-
 - name: figure out if domain is provisioned
-  stat: path=/var/lib/samba/sysvol/{{ domain }}
+  stat:
+    path: "/var/lib/samba/sysvol/{{ domain }}"
   register: domain_provisioned
   tags:
     - ad-server
     - domain-provision
 
-
 - block:
     - name: ensure smb.conf is absent for provision
-    file: path=/etc/samba/smb.conf state=absent
+      file:
+        path: /etc/samba/smb.conf
+        state: absent
       tags:
         - ad-server
         - domain-provision
 
     - name: ensure pexpect is installed
-    apt: name=python-pexpect state=present
+      apt:
+        name: python-pexpect
+        state: present
       tags:
         - ad-server
         - domain-provision
@@ -39,10 +38,11 @@
 
     - name: ensure domain is provisioned
       expect:
-      shell: samba-tool domain join "{{ domain }}" DC -U"{{ domain }}/Administrator" --dns-backend=NONE --option='idmap_ldb:use rfc2307=yes' 2> /root/provision.log
+        # yamllint disable-line rule:line-length
+        shell: samba-tool domain join "{{ domain }}" DC -U"{{ domain }}/Administrator" --dns-backend=NONE --option="idmap_ldb:use rfc2307=yes" 2> /root/provision.log
         responses:
-        "Password for.*": "{{ lookup('passwordstore', 'samba-admin') }}"
-    no_log: True
+          "Password for.*": "{{ lookup('passwordstore', ad_admin_password) }}"
+      no_log: true
       tags:
         - ad-server
         - domain-provision
@@ -53,7 +53,6 @@
       tags:
         - ad-server
         - domain-provision
-      #  when: domain_provisioned.stat.exists == False
 
     - name: ensure the idmap library is copied to secondary
       synchronize:
@@ -63,50 +62,56 @@
       tags:
         - ad-server
         - domain-provision
-  
   when: domain_provisioned.stat.exists == False
 
-
-#- name: ensure the id library is rted to secondary
-#  shell: samba-tool ntacl sysvolreset
-#  tags: 
-#    - ad-server
-#    - domain-provision
-#    #when: domain_provisioned.stat.exists == False
-
 - name: ensure smb.conf is correct
-  template: src=smb.conf.j2 dest=/etc/samba/smb.conf owner=root group=root mode=0644
+  template:
+    src: smb.conf.j2
+    dest: /etc/samba/smb.conf
+    owner: root
+    group: root
+    mode: '0644'
   notify: restart samba-ad-dc server
   tags:
     - ad-server
-    - config
 
 - name: ensure smbd is stopped and disabled
-  service: name=smbd state=stopped enabled=no
+  service:
+    name: smbd
+    state: stopped
+    enabled: false
   tags:
     - ad-server
-    - service
 
 - name: ensure nmbd is stopped and disabled
-  service: name=nmbd state=stopped enabled=no
+  service:
+    name: nmbd
+    state: stopped
+    enabled: false
   tags:
     - ad-server
-    - service
 
 - name: ensure samba-ad-dc unit is running, enabled and not masked
-  systemd: name=samba-ad-dc masked=no 
+  systemd:
+    name: samba-ad-dc
+    masked: false
+    state: started
+    enabled: true
   tags:
     - ad-server
-    - service
 
 - name: ensure samba-ad-dc is running and enabled
-  service: name=samba-ad-dc state=started enabled=yes
+  service:
+    name: samba-ad-dc
+    state: started
+    enabled: true
   tags:
     - ad-server
-    - service
 
 - name: ensure we have a replication cronjob for sysvol
-  template: src=templates/replication-cron dest=/etc/cron.d/samba-replication-cron
+  template:
+    src: replication-cron
+    dest: /etc/cron.d/samba-replication-cron
   delegate_to: "{{ ad_primary }}"
   tags:
     - ad-server

ad-server/defaults/main.yml

+---
+
+ad_admin_password: samba-admin

ad-server/handlers/main.yml

@@ -3,4 +3,3 @@
 
 - name: restart samba-ad-dc server
   service: name=samba-ad-dc state=restarted
-

ad-server/tasks/main.yml

@@ -2,81 +2,88 @@
 # file: roles/ad-server/tasks/main.yml
 
 - name: ensure ad-server is installed
-  apt: name=samba state=latest
+  apt:
+    name: samba
+    state: present
   tags:
-    - packages
     - ad-server
 
 - name: ensure winbind is for some reasons installed
-  apt: name=winbind state=latest
+  apt:
+    name: winbind
+    state: present
   tags:
-    - packages
     - ad-server
 
 - name: figure out if domain is provisioned
-  stat: path=/var/lib/samba/sysvol/{{ domain }}
+  stat:
+    path: "/var/lib/samba/sysvol/{{ domain }}"
   register: domain_provisioned
   tags:
     - ad-server
     - domain-provision
 
-
 - name: ensure smb.conf is absent for provision
-  file: path=/etc/samba/smb.conf state=absent
+  file:
+    path: /etc/samba/smb.conf
+    state: absent
   when: domain_provisioned.stat.exists == False
   tags:
     - ad-server
     - domain-provision
 
-- name: get admin password for SAMBA
-  local_action: pass name="samba-admin" state=present generate=20 store=FSMPI_PASSWORD_STORE_DIR limit=yes
-  register: adminpass
-  when: domain_provisioned.stat.exists == False
-  no_log: True
-  tags:
-    - ad-server
-    - domain-provision
-    - password
-
-# provision smb-domain. passwords will be selected at random and safed to /root/smb-provision.log)
-
+# passwords will be selected at random and safed to /root/smb-provision.log)
 - name: ensure domain is provisioned
-  shell: samba-tool domain provision --use-rfc2307 --domain={{ smb_domain }} --server-role=dc --host-name={{ ansible_hostname }} --realm={{ REALM }} --dns-backend=NONE --adminpass={{ adminpass.password }}  2> /root/smb-provision.log
+  # yamllint disable-line rule:line-length
+  shell: samba-tool domain provision --use-rfc2307 --domain={{ smb_domain }} --server-role=dc --host-name={{ ansible_hostname }} --realm={{ REALM }} --dns-backend=NONE --adminpass={{ lookup('passwordstore', ad_admin_password) }} 2>/root/smb-provision.log
   when: domain_provisioned.stat.exists == False
-  no_log: True
+  no_log: true
   tags:
     - ad-server
     - domain-provision
 
 - name: ensure smb.conf is correct
-  template: src=smb.conf.j2 dest=/etc/samba/smb.conf owner=root group=root mode=0644
+  template:
+    src: smb.conf.j2
+    dest: /etc/samba/smb.conf
+    owner: root
+    group: root
+    mode: '0644'
   notify: restart samba-ad-dc server
   tags:
     - ad-server
-    - config
 
 - name: ensure smbd is stopped and disabled
-  service: name=smbd state=stopped enabled=no
+  service:
+    name: smbd
+    state: stopped
+    enabled: false
   tags:
     - ad-server
-    - service
 
 - name: ensure nmbd is stopped and disabled
-  service: name=nmbd state=stopped enabled=no
+  service:
+    name: nmbd
+    state: stopped
+    enabled: false
   tags:
     - ad-server
-    - service
 
 - name: ensure samba-ad-dc unit is running, enabled and not masked
-  systemd: name=samba-ad-dc masked=no state=started enabled=yes
+  systemd:
+    name: samba-ad-dc
+    masked: false
+    state: started
+    enabled: true
   tags:
     - ad-server
-    - service
 
 - name: ensure samba-ad-dc is running and enabled
-  service: name=samba-ad-dc state=started enabled=yes
+  service:
+    name: samba-ad-dc
+    state: started
+    enabled: true
   tags:
     - ad-server
-    - service
 
 - meta: flush_handlers

lvm-snapshots/tasks/main.yml

@@ -2,10 +2,14 @@
 # file: roles/lvm-snapshots/tasks/main.yml
 
 - name: ensure we have the target folder
-  file: path="{{program_dir}}" state=directory owner=root group=root mode=0755
+  file:
+    path: "{{program_dir}}"
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
   tags:
     - lvm-snapshots
-    - directory
 
 - name: ensure our deploy key is present
   copy:
@@ -13,11 +17,10 @@
     dest: /root/.ssh/lvm-snapshots.key
     owner: root
     group: root
-    mode: 0600
-  no_log: True
+    mode: '0600'
+  no_log: true
   tags:
     - lvm-snapshots
-    - ssh
 
 - name: ensure our public deploy key is present
   copy:
@@ -25,11 +28,10 @@
     dest: /root/.ssh/lvm-snapshots.pub
     owner: root
     group: root
-    mode: 0644
-  no_log: True
+    mode: '0644'
+  no_log: true
   tags:
     - lvm-snapshots
-    - ssh
 
 - name: ensure we have our lvm-snapshots ssh config
   copy:
@@ -37,31 +39,26 @@
     dest: /root/.ssh/config.lvm-snapshots
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   tags:
     - lvm-snapshots
-    - ssh
-    - config
 
 - name: ensure our lvm-snapshots ssh config is included
   lineinfile:
     dest: /root/.ssh/config
     line: "Include config.lvm-snapshots"
-    create: yes
+    create: true
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   tags:
     - lvm-snapshots
-    - ssh
-    - config
 
 - name: ensure we have the program
   git:
     repo: git@git.fsmpi.rwth-aachen.de:infra/lvm-snapshots.git
     dest: "{{program_dir}}"
   tags:
-    - git
     - lvm-snapshots
 
 - name: ensure the necessary programs are installed
@@ -71,7 +68,6 @@
       - virtualenv
     state: present
   tags: