ansible-lint

2 months ago · 7a5b35d625
parent d1cbcde4de
commit 7a5b35d625
9 changed files with 61 additions and 50 deletions
--- a/tasks/create-cert-standalone.yml
+++ b/tasks/create-cert-standalone.yml
@ -1,11 +1,11 @@
 ---
 - name: Check if certificate already exists.
-  stat:
+  ansible.builtin.stat:
    path: /etc/letsencrypt/live/{{ cert_item.domains | first | replace('*.', '') }}/cert.pem
  register: letsencrypt_cert

 - name: Ensure pre and post hook folders exist.
-  file:
+  ansible.builtin.file:
    path: /etc/letsencrypt/renewal-hooks/{{ item }}
    state: directory
    mode: 0755
@ -16,7 +16,7 @@
    - post

 - name: Create pre hook to stop services.
-  template:
+  ansible.builtin.template:
    src: stop_services.j2
    dest: /etc/letsencrypt/renewal-hooks/pre/stop_services
    owner: root
@ -27,7 +27,7 @@
    - certbot_create_standalone_stop_services

 - name: Create post hook to start services.
-  template:
+  ansible.builtin.template:
    src: start_services.j2
    dest: /etc/letsencrypt/renewal-hooks/post/start_services
    owner: root
@ -38,5 +38,8 @@
    - certbot_create_standalone_stop_services

 - name: Generate new certificate if one doesn't exist.
-  command: "{{ certbot_create_command }}"
+  ansible.builtin.command: "{{ certbot_create_command }}"
+  register: certbot_create_command_result
  when: not letsencrypt_cert.stat.exists
+  changed_when:
+    - certbot_create_command_result.rc is defined and certbot_create_command_result.rc == 0
--- a/tasks/create-cert-webroot.yml
+++ b/tasks/create-cert-webroot.yml
@ -1,14 +1,20 @@
 ---
 - name: Check if certificate already exists.
-  stat:
+  ansible.builtin.stat:
    path: /etc/letsencrypt/live/{{ cert_item.domains | first }}/cert.pem
  register: letsencrypt_cert

 - name: Create webroot directory if it doesn't exist yet
-  file:
+  ansible.builtin.file:
    path: "{{ cert_item.webroot | default(certbot_webroot) }}"
    state: directory
+    owner: root
+    group: root
+    mode: '0755'

 - name: Generate new certificate if one doesn't exist.
-  command: "{{ certbot_create_command }}"
+  ansible.builtin.command: "{{ certbot_create_command }}"
+  register: certbot_create_command_result
  when: not letsencrypt_cert.stat.exists
+  changed_when:
+    - certbot_create_command_result.rc is defined and certbot_create_command_result.rc == 0
--- a/tasks/include-vars.yml
+++ b/tasks/include-vars.yml
@ -1,6 +1,6 @@
 ---
 - name: Load a variable file based on the OS type, or a default if not found.
-  include_vars: "{{ item }}"
+  ansible.builtin.include_vars: "{{ item }}"
  with_first_found:
    - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml"
    - "{{ ansible_distribution }}.yml"
--- a/tasks/install-from-source.yml
+++ b/tasks/install-from-source.yml
@ -1,6 +1,6 @@
 ---
 - name: Clone Certbot into configured directory.
-  git:
+  ansible.builtin.git:
    repo: "{{ certbot_repo }}"
    dest: "{{ certbot_dir }}"
    version: "{{ certbot_version }}"
@ -8,10 +8,10 @@
    force: true

 - name: Set Certbot script variable.
-  set_fact:
+  ansible.builtin.set_fact:
    certbot_script: "{{ certbot_dir }}/certbot-auto"

 - name: Ensure certbot-auto is executable.
-  file:
+  ansible.builtin.file:
    path: "{{ certbot_script }}"
    mode: 0755
--- a/tasks/install-with-package.yml
+++ b/tasks/install-with-package.yml
@ -1,7 +1,9 @@
 ---
 - name: Install Certbot.
-  package: "name={{ certbot_package }} state=present"
+  ansible.builtin.package:
+    name: "{{ certbot_package }}"
+    state: present

 - name: Set Certbot script variable.
-  set_fact:
+  ansible.builtin.set_fact:
    certbot_script: "{{ certbot_package }}"
--- a/tasks/install-with-snap.yml
+++ b/tasks/install-with-snap.yml
@ -1,41 +1,36 @@
 ---
 - name: Ensure snapd is installed.
-  package:
+  ansible.builtin.package:
    name: snapd
    state: present
-  register: snapd_install
+  notify:
+    - Update snap after install

 - name: Ensure snapd is enabled.
-  systemd:
+  ansible.builtin.systemd:
    name: snapd.socket
    enabled: true
    state: started

 - name: Enable classic snap support.
-  file:
+  ansible.builtin.file:
    src: /var/lib/snapd/snap
    dest: /snap
    state: link
  when: ansible_os_family != "Debian"

- name: Update snap after install.
-  shell: snap install core; snap refresh core
-  changed_when: true
-  failed_when: false
-  when: snapd_install is changed
-
 - name: Install certbot via snap.
-  snap:
+  community.general.snap:
    name: certbot
    classic: true

 - name: Symlink certbot into place.
-  file:
+  ansible.builtin.file:
    src: /snap/bin/certbot
    dest: /usr/bin/certbot
    state: link
  ignore_errors: "{{ ansible_check_mode }}"

 - name: Set Certbot script variable.
-  set_fact:
+  ansible.builtin.set_fact:
    certbot_script: /usr/bin/certbot
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,19 +1,25 @@
 ---
- import_tasks: include-vars.yml
+- name: Include vars
+  ansible.builtin.import_tasks: include-vars.yml

- import_tasks: setup-RedHat.yml
+- name: Import Redhat task
+  ansible.builtin.import_tasks: setup-RedHat.yml
  when: ansible_os_family == 'RedHat'

- import_tasks: install-with-package.yml
+- name: Standalone install method choosed
+  ansible.builtin.import_tasks: install-with-package.yml
  when: certbot_install_method == 'package'

- import_tasks: install-with-snap.yml
+- name: Snap install method choosed
+  ansible.builtin.import_tasks: install-with-snap.yml
  when: certbot_install_method == 'snap'

- import_tasks: install-from-source.yml
+- name: Source install method choosed
+  ansible.builtin.import_tasks: install-from-source.yml
  when: certbot_install_method == 'source'

- include_tasks: create-cert-standalone.yml
+- name: Create certs for standalone install
+  ansible.builtin.include_tasks: create-cert-standalone.yml
  with_items: "{{ certbot_certs }}"
  when:
    - certbot_create_if_missing
@ -21,7 +27,8 @@
  loop_control:
    loop_var: cert_item

- include_tasks: create-cert-webroot.yml
+- name: Create certs for webroot install
+  ansible.builtin.include_tasks: create-cert-webroot.yml
  with_items: "{{ certbot_certs }}"
  when:
    - certbot_create_if_missing
@ -29,5 +36,6 @@
  loop_control:
    loop_var: cert_item

- import_tasks: renew-cron.yml
+- name: Check cron jobs
+  ansible.builtin.import_tasks: renew-cron.yml
  when: certbot_auto_renew
--- a/tasks/renew-cron.yml
+++ b/tasks/renew-cron.yml
@ -1,6 +1,6 @@
 ---
 - name: Add cron job for certbot renewal (if configured).
-  cron:
+  ansible.builtin.cron:
    name: Certbot automatic renewal.
    job: "{{ certbot_script }} renew {{ certbot_auto_renew_options }}"
    minute: "{{ certbot_auto_renew_minute }}"
--- a/tasks/setup-RedHat.yml
+++ b/tasks/setup-RedHat.yml
@ -1,30 +1,27 @@
 ---
 # See: https://github.com/geerlingguy/ansible-role-certbot/issues/107
- block:
-
+- name: Check dnf modules for Redhat family
+  when:
+  - ansible_distribution == 'CentOS'
+  - ansible_distribution_major_version | int >= 8
+  block:
  - name: Ensure dnf-plugins are installed on CentOS 8+.
-    yum:
+    ansible.builtin.yum:
      name: dnf-plugins-core
      state: present

-  - block:
-
+    when: ansible_facts['distribution_version'] is version('8.2', '<=')
+  - name: Check dnf modules for Centos
+    block:
    - name: Enable DNF module for CentOS 8.3+.
-      shell: |
+      ansible.builtin.shell: |
        dnf config-manager --set-enabled powertools
      register: dnf_module_enable
      changed_when: false
-
      when: ansible_facts['distribution_version'] is version('8.3', '>=')

    - name: Enable DNF module for CentOS 8.0–8.2.
-      shell: |
+      ansible.builtin.shell: |
        dnf config-manager --set-enabled PowerTools
      register: dnf_module_enable
      changed_when: false
-
-    when: ansible_facts['distribution_version'] is version('8.2', '<=')
-
-  when:
-  - ansible_distribution == 'CentOS'
-  - ansible_distribution_major_version | int >= 8