From ca10dca26a9f44828d2031d7bf0c150da9cf9f7c Mon Sep 17 00:00:00 2001 From: Lenka Segura Date: Mon, 11 Aug 2025 13:06:25 +0200 Subject: [PATCH] distgit: fix lint errors in distgit role Signed-off-by: Lenka Segura --- roles/distgit/tasks/main.yml | 245 ++++++++++++++++++++++++++--------- 1 file changed, 181 insertions(+), 64 deletions(-) diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml index 6e5ce2872f..f7c35142c7 100644 --- a/roles/distgit/tasks/main.yml +++ b/roles/distgit/tasks/main.yml @@ -14,9 +14,12 @@ stream=2.3 profiles= state=enabled + mode: '0644' - name: Install the needed packages - ansible.builtin.package: name={{item}} state=present + ansible.builtin.package: + name: "{{ item }}" + state: present with_items: - git - httpd @@ -28,31 +31,42 @@ - distgit - name: Install the mod_auth_openidc configuration - ansible.builtin.template: src=auth_openidc.conf dest=/etc/httpd/conf.d/auth_openidc.conf + ansible.builtin.template: + src: auth_openidc.conf + dest: /etc/httpd/conf.d/auth_openidc.conf + mode: '0644' notify: - Reload httpd tags: - distgit - name: Install the http push configuration - ansible.builtin.template: src=httppush.conf dest=/etc/httpd/conf.d/httpush.conf + ansible.builtin.template: + src: httppush.conf + dest: /etc/httpd/conf.d/httpush.conf + mode: '0644' notify: - Reload httpd tags: - distgit - name: Create suexec wrapper directory - ansible.builtin.file: path=/var/www/bin state=directory owner=pagure group=packager + ansible.builtin.file: + path: /var/www/bin + state: directory + owner: pagure + group: packager + mode: '0755' tags: - distgit - name: Install suexec wrappers ansible.builtin.copy: - src=suexec-{{item}}.sh - dest=/var/www/bin/suexec-{{item}}.sh - owner=pagure - group=packager - mode=0755 + src: "suexec-{{ item }}.sh" + dest: "/var/www/bin/suexec-{{ item }}.sh" + owner: pagure + group: packager + mode: '0755' with_items: - gitolite - upload 
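Review bot: `name: "{{ item }}"` under `with_items` in the `Install the needed packages` task still installs git, httpd and the rest one package per iteration; `ansible.builtin.package` accepts a list, so the items can sit directly under `name:` and the package manager resolves them in a single transaction. The `Install dist-git` task in the hunk at @@ -121 has the same shape. The commit does not change the behaviour of either task, so this is a follow-up rather than a blocker, e.g. `name:` followed by the existing `- git` / `- httpd` entries and the `with_items:` line dropped.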
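Review bot: `mode: '0755'` on the `Create suexec wrapper directory` task is new behaviour, not only a lint fix: with no `mode`, `ansible.builtin.file` left an existing `/var/www/bin` at whatever permissions it already had, and from now on every run resets it to 0755. The same newly added `mode` appears on `/srv/cache/lookaside/pkgs` in the hunk at @@ -244 and on `/usr/local/share/selinux/` in the hunk at @@ -285. That is the right way to satisfy `risky-file-permissions`, but the values should be checked against what deployed hosts currently carry, particularly the lookaside root, which the `lookaside-upload.conf` template and `upload_cgi` policy suggest is written to by the upload CGI, so the first run after merge does not silently change them. A short comment on each would help the next reader, e.g. `# explicit mode: previously left as-is on existing hosts`.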
@@ -60,19 +74,26 @@ - distgit - name: Put in git service config - ansible.builtin.copy: src=git@.service dest=/etc/systemd/system/git@.service + ansible.builtin.copy: + src: git@.service + dest: /etc/systemd/system/git@.service + mode: '0644' tags: - distgit - name: Install the mod_ssl configuration - ansible.builtin.copy: src=ssl.conf dest=/etc/httpd/conf.d/ssl.conf + ansible.builtin.copy: + src: ssl.conf + dest: /etc/httpd/conf.d/ssl.conf + mode: '0644' notify: - Reload httpd tags: - distgit - name: Letsencrypt for pkgs.stg.fedoraproject.org - include_role: name=letsencrypt + ansible.builtin.include_role: + name: letsencrypt vars: site_name: pkgs.stg.fedoraproject.org when: env == 'staging' @@ -81,28 +102,40 @@ - letsencrypt - name: Install the keytab - ansible.builtin.copy: src="{{ private }}/files/keytabs/{{env}}/pkgs" - dest=/etc/httpd.keytab - owner=apache - group=apache - mode=0600 + ansible.builtin.copy: + src: "{{ private }}/files/keytabs/{{ env }}/pkgs" + dest: /etc/httpd.keytab + owner: apache + group: apache + mode: '0600' notify: - Reload httpd tags: - distgit - name: Allow httpd to access the files on NFS - seboolean: name=httpd_use_nfs state=yes persistent=yes + ansible.posix.seboolean: + name: httpd_use_nfs + state: yes + persistent: yes tags: - distgit - name: Allow httpd to access git user content - seboolean: name=httpd_read_user_content state=yes persistent=yes + ansible.posix.seboolean: + name: httpd_read_user_content + state: yes + persistent: yes tags: - distgit - name: Secure tmpfs read only - mount: name=/dev/shm src=tmpfs fstype=tmpfs opts=defaults,size=40G state=present + ansible.posix.mount: + name: /dev/shm + src: tmpfs + fstype: tmpfs + opts: defaults,size=40G + state: present tags: - distgit 
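Review bot: `state: yes` and `persistent: yes` in the two `ansible.posix.seboolean` tasks are YAML 1.1 truthy values that ansible-lint's `yaml[truthy]` rule still flags, so a lint-fix commit should write `state: true` and `persistent: true`. The `git_cgi_use_nfs` and `git_system_enable_homedirs` tasks in the hunks at @@ -244 and @@ -258 need the same change. Separately, the `Secure tmpfs read only` mount task now reads clearly enough to show that `opts: defaults,size=40G` contains no `ro` (nor `nosuid,nodev,noexec`), so either the task name or the options are wrong; that predates this commit but is worth settling while the task is being rewritten. I believe `path:` is the documented parameter of ansible.posix.mount with `name` as its alias, so `path: /dev/shm` would match the docs.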
@@ -111,7 +144,10 @@ # do, this installs that wrapper (which is otherwise configured in sshd_config) - name: Install the ssh_wrapper wrapper script - ansible.builtin.copy: src=ssh_wrapper dest=/usr/local/bin/ssh_wrapper mode=0755 + ansible.builtin.copy: + src: ssh_wrapper + dest: /usr/local/bin/ssh_wrapper + mode: '0755' tags: - config - distgit @@ -121,7 +157,9 @@ # -- Dist Git -------------------------------------------- # This is the Git setup itself: group, root directory, scripts,... - name: Install dist-git - ansible.builtin.package: name={{item}} state=present + ansible.builtin.package: + name: "{{ item }}" + state: present with_items: - dist-git - dist-git-selinux 
@@ -129,33 +167,42 @@ - distgit - name: Install the dist-git config - ansible.builtin.copy: src=dist-git.conf dest=/etc/dist-git/dist-git.conf + ansible.builtin.copy: + src: dist-git.conf + dest: /etc/dist-git/dist-git.conf + mode: '0644' tags: - config - distgit - name: Dploy the Fedora messaging config. file for uploads - ansible.builtin.copy: src=git-hooks-messaging.toml dest=/etc/fedora-messaging/git-hooks-messaging.toml + ansible.builtin.copy: + src: git-hooks-messaging.toml + dest: /etc/fedora-messaging/git-hooks-messaging.toml + mode: '0644' tags: - config - distgit - name: Deploy the Fedora messaging certificate - ansible.builtin.copy: src={{ item.src }} - dest=/etc/pki/rabbitmq/{{ item.dest }} - owner={{ item.owner }} group={{ item.group}} mode={{ item.mode }} + ansible.builtin.copy: + src: "{{ item.src }}" + dest: "/etc/pki/rabbitmq/{{ item.dest }}" + owner: "{{ item.owner }}" + group: "{{ item.group }}" + mode: "{{ item.mode }}" with_items: - - src: "{{private}}/files/rabbitmq/production/pki/issued/git-hooks.crt" + - src: "{{ private }}/files/rabbitmq/production/pki/issued/git-hooks.crt" dest: git-hooks.crt owner: root group: root mode: "444" - - src: "{{private}}/files/rabbitmq/production/pki/private/git-hooks.key" + - src: "{{ private }}/files/rabbitmq/production/pki/private/git-hooks.key" dest: git-hooks.key owner: root group: root mode: "440" - - src: "{{private}}/files/rabbitmq/production/pki/reqs/git-hooks.req" + - src: "{{ private }}/files/rabbitmq/production/pki/reqs/git-hooks.req" dest: git-hooks.ca owner: root group: root 
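Review bot: The third `with_items` entry of `Deploy the Fedora messaging certificate` copies `{{ private }}/files/rabbitmq/production/pki/reqs/git-hooks.req` to `/etc/pki/rabbitmq/git-hooks.ca`; by its name and directory a `.req` is a certificate signing request rather than a CA certificate, so if git-hooks-messaging.toml points its CA setting at that path, verification of the broker would not work. This predates the commit and the toml is not in the hunk, so it may be deliberate; a one-line comment on the entry would settle it either way, e.g. `# NOTE: CA entry is sourced from the reqs/ directory — confirm this is the intended file`. The `.key` is installed root:root with mode 440; whichever account runs the git hooks must be able to read it, which is not visible from this hunk.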
@@ -165,13 +212,20 @@ - fedora-messaging - name: Create the distgit root directory (/srv/git) - ansible.builtin.file: dest=/srv/git state=directory mode=0755 + ansible.builtin.file: + dest: /srv/git + state: directory + mode: '0755' tags: - distgit # These should all map to pkgdb namespaces - name: Create our namespace directories inside there.. - ansible.builtin.file: dest=/srv/git/repositories/{{item}} state=directory mode=2775 group=packager + ansible.builtin.file: + dest: "/srv/git/repositories/{{ item }}" + state: directory + mode: '2775' + group: packager with_items: - rpms - docker @@ -185,7 +239,10 @@ - distgit - name: Install robots.txt files - ansible.builtin.copy: src={{item}} dest=/var/www/{{item}} + ansible.builtin.copy: + src: "{{ item }}" + dest: "/var/www/{{ item }}" + mode: '0644' with_items: - robots-pkgs.txt - robots-src.txt 
@@ -193,35 +250,54 @@ - distgit - name: Install the DistGit related httpd config - ansible.builtin.copy: src=git-smart-http.conf dest=/etc/httpd/conf.d/dist-git/git-smart-http.conf + ansible.builtin.copy: + src: git-smart-http.conf + dest: /etc/httpd/conf.d/dist-git/git-smart-http.conf + mode: '0644' notify: - Reload httpd tags: - distgit - name: Symlink pkgs-git-repos-list - ansible.builtin.copy: src=repolist.conf dest=/etc/httpd/conf.d/dist-git/repolist.conf + ansible.builtin.copy: + src: repolist.conf + dest: /etc/httpd/conf.d/dist-git/repolist.conf + mode: '0644' notify: - Reload httpd tags: - distgit - name: Schedule the update hook check - cron: > - name="check-update-hooks" cron_file="ansible-check-update-hooks" - minute=0 hour=0 weekday=3 - user=nobody - job="/usr/local/bin/git-check-perms --check=update-hook /srv/git/repositories" + ansible.builtin.cron: + name: "check-update-hooks" + cron_file: "ansible-check-update-hooks" + minute: 0 + hour: 0 + weekday: 3 + user: nobody + job: "/usr/local/bin/git-check-perms --check=update-hook /srv/git/repositories" tags: - distgit - name: Schedule the script to get retired packages - ansible.builtin.copy: src="retired-packages.cron" dest="/etc/cron.d/retired-packages.cron" mode=644 owner=root group=root + ansible.builtin.copy: + src: "retired-packages.cron" + dest: "/etc/cron.d/retired-packages.cron" + mode: '644' + owner: root + group: root tags: - distgit - name: Install the two scripts needed for mass-branching - ansible.builtin.copy: src={{item}} dest=/usr/local/bin/{{item}} owner=root group=root mode=0755 + ansible.builtin.copy: + src: "{{ item }}" + dest: "/usr/local/bin/{{ item }}" + owner: root + group: root + mode: '0755' with_items: - mass-branching-git.py - mass-branching-gitolite.py 
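Review bot: `mode: '644'` on the `Schedule the script to get retired packages` task is the only mode in the file written without the leading zero; Ansible accepts the quoted three-digit form, but every other task in this commit uses `'0644'`/`'0755'`, so `mode: '0644'` keeps the role consistent and spares a reader from wondering whether a decimal value was meant. Nothing else in the hunk changes behaviour.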
@@ -233,7 +309,10 @@ # -- Lookaside Cache ------------------------------------- # This is the annex to Dist Git, where we host source tarballs. - name: Install the Lookaside Cache httpd configs - ansible.builtin.template: src={{item}} dest=/etc/httpd/conf.d/dist-git/{{item}} + ansible.builtin.template: + src: "{{ item }}" + dest: "/etc/httpd/conf.d/dist-git/{{ item }}" + mode: '0644' with_items: - lookaside.conf - lookaside-upload.conf @@ -244,13 +323,20 @@ - sslciphers - name: Create the Lookaside Cache root directory - ansible.builtin.file: dest=/srv/cache/lookaside/pkgs state=directory - owner=apache group=apache + ansible.builtin.file: + dest: /srv/cache/lookaside/pkgs + state: directory + owner: apache + group: apache + mode: '0755' tags: - distgit - name: Set the selinux boolean git_cgi_use_nfs - seboolean: name=git_cgi_use_nfs persistent=yes state=yes + ansible.posix.seboolean: + name: git_cgi_use_nfs + persistent: yes + state: yes tags: - distgit - config @@ -258,7 +344,10 @@ # Not sure why, but fixes https://fedorahosted.org/fedora-infrastructure/ticket/4825 - name: Set the selinux boolean git_system_enable_homedirs - seboolean: name=git_system_enable_homedirs persistent=yes state=yes + ansible.posix.seboolean: + name: git_system_enable_homedirs + persistent: yes + state: yes tags: - distgit - config @@ -278,6 +367,7 @@ - name: Set the SELinux policy for the Lookaside Cache root directory ansible.builtin.command: semanage fcontext -a -t nfs_t "/srv/cache(/.*)?" when: lcachecontext.stdout.find('nfs_t') == -1 and env != "staging" + changed_when: true tags: - config - lookaside 
@@ -285,53 +375,71 @@ - distgit - name: Install the fedora-ca.cert - ansible.builtin.copy: src={{private}}/files/fedora-ca.cert dest=/etc/httpd/conf/cacert.pem + ansible.builtin.copy: + src: "{{ private }}/files/fedora-ca.cert" + dest: /etc/httpd/conf/cacert.pem + mode: '0644' tags: - distgit - name: Install the pkgs cert - ansible.builtin.copy: src={{private}}/files/pkgs.fedoraproject.org_key_and_cert.pem - dest=/etc/httpd/conf/pkgs.fedoraproject.org_key_and_cert.pem - owner=apache mode=0400 + ansible.builtin.copy: + src: "{{ private }}/files/pkgs.fedoraproject.org_key_and_cert.pem" + dest: /etc/httpd/conf/pkgs.fedoraproject.org_key_and_cert.pem + owner: apache + mode: '0400' when: env != "staging" tags: - distgit - name: Install the pkgs.stg cert - ansible.builtin.copy: src={{private}}/files/pkgs.stg.fedoraproject.org_key_and_cert.pem - dest=/etc/httpd/conf/pkgs.fedoraproject.org_key_and_cert.pem - owner=apache mode=0400 + ansible.builtin.copy: + src: "{{ private }}/files/pkgs.stg.fedoraproject.org_key_and_cert.pem" + dest: /etc/httpd/conf/pkgs.fedoraproject.org_key_and_cert.pem + owner: apache + mode: '0400' when: env == "staging" tags: - distgit # Three tasks for handling our selinux policy for upload.cgi - name: Ensure a directory exists for our SELinux policy - ansible.builtin.file: dest=/usr/local/share/selinux/ state=directory + ansible.builtin.file: + dest: /usr/local/share/selinux/ + state: directory + mode: '0755' tags: selinux - name: Copy over our custom selinux policy - ansible.builtin.copy: src=upload_cgi.pp dest=/usr/local/share/selinux/upload_cgi.pp + ansible.builtin.copy: + src: upload_cgi.pp + dest: /usr/local/share/selinux/upload_cgi.pp + mode: '0644' register: selinux_module tags: selinux -- name: Install our custom selinux policy +- name: Install our custom selinux policy # noqa no-handler ansible.builtin.command: semodule -i /usr/local/share/selinux/upload_cgi.pp when: selinux_module is changed + changed_when: true tags: selinux - name: Copy 
over our custom nfs selinux policy - ansible.builtin.copy: src=cgi-nfs.pp dest=/usr/local/share/selinux/cgi-nfs.pp + ansible.builtin.copy: + src: cgi-nfs.pp + dest: /usr/local/share/selinux/cgi-nfs.pp + mode: '0644' register: nfs_selinux_module tags: selinux -- name: Install our custom nfs selinux policy +- name: Install our custom nfs selinux policy # noqa no-handler ansible.builtin.command: semodule -i /usr/local/share/selinux/cgi-nfs.pp when: nfs_selinux_module is changed + changed_when: true tags: selinux - name: Install another one of our own SELinux policy - include_role: + ansible.builtin.include_role: name: selinux/module vars: policy_file: files/http_policy.te @@ -340,19 +448,26 @@ - selinux - name: Setup grokmirror for repos - ansible.builtin.package: name=python3-grokmirror state=installed + ansible.builtin.package: + name: python3-grokmirror + state: installed tags: - grokmirror - pkgs - name: Make dir for grokmirror manifest - ansible.builtin.file: path=/srv/git/grokmirror state=directory owner=root group=packager mode=2775 + ansible.builtin.file: + path: /srv/git/grokmirror + state: directory + owner: root + group: packager + mode: '2775' tags: - grokmirror - pkgs - name: Set acls for grokmirror - acl: + ansible.posix.acl: path: /srv/git/grokmirror etype: group permissions: rwx @@ -362,7 +477,9 @@ - pkgs - name: Run initial grokmirror run - ansible.builtin.command: /usr/bin/grok-manifest -m /srv/git/grokmirror/manifest.js.gz -t /srv/git/repositories/ creates=/srv/git/grokmirror/manifest.js.gz + ansible.builtin.command: + cmd: /usr/bin/grok-manifest -m /srv/git/grokmirror/manifest.js.gz -t /srv/git/repositories/ + creates: /srv/git/grokmirror/manifest.js.gz when: env != "staging" tags: - grokmirror
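Review bot: The `# noqa no-handler` markers on `Install our custom selinux policy` and `Install our custom nfs selinux policy` silence the rule rather than address it: a task guarded by `when: <registered> is changed` is exactly the case handlers exist for. Moving the two `semodule -i` commands into handlers and replacing `register: selinux_module` / `register: nfs_selinux_module` on the copy tasks with a `notify:` line each removes both the noqa and the `changed_when: true` that the commit has to add to keep the command tasks honest. The registered variables are not referenced anywhere in the visible hunks, but the rest of the role is not in view, so confirm nothing else reads them before dropping the `register:` lines.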
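Review bot: `state: installed` in the `Setup grokmirror for repos` task is a yum/dnf alias that ansible.builtin.package passes through to the backend but does not document; the other package tasks in this commit use `state: present`, so `state: present` here keeps the role consistent and avoids relying on the backend alias. The grokmirror directory and acl tasks in the same hunk look fine as rewritten.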