From 4a51650f1422221dfa3cc2fd38dfdbb6401e0ff9 Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Fri, 22 Oct 2021 23:12:10 +0300
Subject: [PATCH] pre-commit overhaul.

- Update and add more hooks (for new code that's about to be added).
- Address found issues.
---
 .pre-commit-config.yaml                       | 133 +++++++++++++++---
 Ansible/ansible.cfg                           |   2 +-
 Ansible/roles/debian_server/tasks/main.yml    |   1 +
 .../roles/debian_server/tasks/maintenance.yml |   2 +-
 Ansible/roles/router/files/metricbeat.yml     |  14 +-
 Ansible/roles/router/files/packetbeat.yml     |  14 +-
 Ansible/roles/router/files/pf.conf            |   2 +-
 Ansible/roles/router/tasks/main.yaml          |   5 +-
 .../roles/router/tasks/tasks/sshd_config.yaml |   1 +
 Ansible/roles/wap/tasks/main.yaml             |   3 +
 Ansible/roles/wap/templates/daily.j2          |   0
 Ansible/tasks/renew-cert.yaml                 |   7 +-
 Ansible/update.yaml                           |   2 +-
 README.md                                     |   2 +-
 14 files changed, 141 insertions(+), 47 deletions(-)
 create mode 120000 Ansible/roles/router/tasks/tasks/sshd_config.yaml
 mode change 100644 => 100755 Ansible/roles/wap/templates/daily.j2

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 84ede3c..1b526cc 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,55 +1,142 @@
 ---
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks.git
-    rev: v3.4.0
+    rev: v4.0.1
     hooks:
       - id: check-added-large-files
       - id: check-executables-have-shebangs
+      - id: check-json
       - id: check-merge-conflict
+      - id: check-shebang-scripts-are-executable
       - id: check-symlinks
+      - id: check-toml
+      - id: check-xml
+      - id: check-yaml
+        exclude: ^Ansible/roles/(wap|router)/vars/main\.yaml$
+      - id: detect-private-key
+      - id: end-of-file-fixer
       - id: trailing-whitespace
+        exclude: \.diff$
 
-  - repo: https://github.com/Yelp/detect-secrets
-    rev: v0.14.3
+  - repo: https://github.com/codespell-project/codespell.git
+    rev: v2.1.0
+    hooks:
+      - id: codespell
+        args:
+          - '-L=doas,fo'
+
+  - repo: https://github.com/Yelp/detect-secrets.git
+    rev: v1.1.0
     hooks:
       - id: detect-secrets
-        exclude: |-
-          nsd/shore\.co\.il|roles/router/vars/main\.yaml|roles/wap/vars/main\.yaml
+        exclude: ^Ansible/roles/router/files/nsd/
 
-  - repo: https://github.com/adrienverge/yamllint
-    rev: v1.25.0
+  - repo: https://gitlab.com/devopshq/gitlab-ci-linter.git
+    rev: v1.0.4
     hooks:
-      - id: yamllint
+      - id: gitlab-ci-linter
+        args:
+          - "--server"
+          - https://git.shore.co.il
 
-  - repo: https://github.com/amperser/proselint/
+  - repo: https://github.com/amperser/proselint.git
     rev: 0.10.2
     hooks:
       - id: proselint
-        types: [markdown]
+        types: [plain-text]
+        exclude: LICENSE
+
+  - repo: https://github.com/adrienverge/yamllint.git
+    rev: v1.26.3
+    hooks:
+      - id: yamllint
 
   - repo: https://github.com/executablebooks/mdformat.git
-    rev: 0.5.3
+    rev: 0.7.10
     hooks:
       - id: mdformat
 
-  - repo: https://git.shore.co.il/nimrod/shell-pre-commit.git
-    rev: v0.6.0
+  - repo: https://github.com/ambv/black.git
+    rev: 21.9b0
     hooks:
-      - id: shell-lint
+      - id: black
+        args:
+          - |
+              --line-length=79
 
-  - repo: https://github.com/shellcheck-py/shellcheck-py.git
-    rev: v0.7.1.1
+  - repo: https://github.com/Lucas-C/pre-commit-hooks-markup.git
+    rev: v1.0.1
     hooks:
-      - id: shellcheck
+      - id: rst-linter
+
+  - repo: https://github.com/myint/rstcheck.git
+    rev: master
+    hooks:
+      - id: rstcheck
+
+  - repo: https://github.com/PyCQA/prospector.git
+    rev: 1.5.1
+    hooks:
+      - id: prospector
+        args:
+          - |-
+            --max-line-length=79
+          - |-
+            --with-tool=pyroma
+          - |-
+            --with-tool=bandit
+          - |-
+            --without-tool=pep257
+          - |-
+            --doc-warnings
+          - |-
+            --test-warnings
+          - |-
+            --full-pep8
+          - |-
+            --strictness=high
+          - |-
+            --no-autodetect
+        additional_dependencies:
+          - bandit
+          - pyroma
+
+  - repo: https://gitlab.com/pycqa/flake8.git
+    rev: 3.9.2
+    hooks:
+      - id: flake8
+        args:
+          - |-
+            --doctests
+        additional_dependencies:
+          - flake8-bugbear
 
-  - repo: https://git.shore.co.il/ansible/ansible-pre-commit.git
-    rev: v0.10.0
+  - repo: https://github.com/pre-commit/pre-commit.git
+    rev: v2.15.0
     hooks:
+      - id: validate_manifest
+
+  - repo: https://git.shore.co.il/nimrod/pre-commit-hooks.git
+    rev: v0.2.0
+    hooks:
+      - id: shell-validate
       - id: ansible-syntax-check
-        # yamllint disable-line rule:line-length
-        files: (bootstrap|update|renew-certs|debian_server|kodi|router)\.yaml
+      - id: terraform-fmt
+      - id: terraform-validate
+      - id: poetry-check
+      - id: docker-compose
 
-  - repo: https://github.com/ansible/ansible-lint
-    rev: v4.3.7
+  - repo: https://github.com/shellcheck-py/shellcheck-py.git
+    rev: v0.7.2.1
+    hooks:
+      - id: shellcheck
+
+  - repo: https://github.com/ansible/ansible-lint.git
+    rev: v5.1.3
     hooks:
       - id: ansible-lint
+
+  - repo: https://github.com/AleksaC/hadolint-py.git
+    rev: v2.1.0
+    hooks:
+      - id: hadolint
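Review bot: `rev: master` on the rstcheck hook is the one unpinned entry in this file, so that hook's code floats with whatever the branch holds at install time, which undercuts pinning every other repo to a tag; pre-commit itself warns about mutable refs and `pre-commit autoupdate` will not manage it. Pin it to a release tag or, stronger, a full commit SHA (`pre-commit autoupdate --freeze` does this for the whole file). Separately, the black argument under `args:` uses a `|` block scalar where every other multi-line argument in the file uses `|-`, so black receives `--line-length=79` with a trailing newline; it happens to parse, but a plain `- --line-length=79` is both clearer and consistent.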
diff --git a/Ansible/ansible.cfg b/Ansible/ansible.cfg
index 599421b..45588da 100644
--- a/Ansible/ansible.cfg
+++ b/Ansible/ansible.cfg
@@ -11,7 +11,7 @@ pipelining = True
 retry_files_save_path = /tmp/
 system_warnings = True
 unparsed_is_failed = True
-vault_password_file = vault-passhole
+vault_password_file = vault-passhole ;# pragma: allowlist secret
 verbosity = 2
 
 [inventory]
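Review bot: The `;# pragma: allowlist secret` suffix only works if Ansible's INI reader strips `;` inline comments from values; as far as I recall its loader does pass `inline_comment_prefixes=(';',)` to configparser, but a comment appended to a path value is unusual enough to confirm with `ansible-config dump --only-changed` that `DEFAULT_VAULT_PASSWORD_FILE` still resolves to `vault-passhole` rather than the longer string. The pragma silences a false positive on a filename, which is fine, but the actual exposure is the password file itself sitting next to `ansible.cfg`; this patch does not show a `.gitignore` entry for `vault-passhole`, so verify it is ignored (or make it an executable that fetches the password from a secret store, which Ansible supports for this setting).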
diff --git a/Ansible/roles/debian_server/tasks/main.yml b/Ansible/roles/debian_server/tasks/main.yml
index 7a79a79..5ad3c2a 100644
--- a/Ansible/roles/debian_server/tasks/main.yml
+++ b/Ansible/roles/debian_server/tasks/main.yml
@@ -92,6 +92,7 @@
     backup: true
     create: true
     line: '{{ item }}: {{ item }}@shore.co.il'
+    mode: 0o0644
     path: /etc/aliases
     regexp: '^{{ item }}:'
     state: present
diff --git a/Ansible/roles/debian_server/tasks/maintenance.yml b/Ansible/roles/debian_server/tasks/maintenance.yml
index 6c17163..ba3d104 100644
--- a/Ansible/roles/debian_server/tasks/maintenance.yml
+++ b/Ansible/roles/debian_server/tasks/maintenance.yml
@@ -13,7 +13,7 @@
   ansible.builtin.get_url:
     dest: /usr/local/bin/mnpw
     mode: 0o0755
-      # yamllint disable-line rule:line-length
+    # yamllint disable-line rule:line-length
     url: https://git.shore.co.il/api/v4/projects/167/packages/generic/mnpw/v0.1.5/mnpw
 
 - name: Create a directory for periodic scripts and Nagios plugins
diff --git a/Ansible/roles/router/files/metricbeat.yml b/Ansible/roles/router/files/metricbeat.yml
index 2306b46..3d9c73e 100644
--- a/Ansible/roles/router/files/metricbeat.yml
+++ b/Ansible/roles/router/files/metricbeat.yml
@@ -9,8 +9,8 @@ logging:
   to_syslog: true
   metrics.enabled: false
 
-#processors:
-#  - add_host_metadata: ~
+# processors:
+#   - add_host_metadata: ~
 
 metricbeat.config.modules:
   path: ${path.config}/modules.d/*.yml
@@ -22,12 +22,12 @@ metricbeat.modules:
       - cpu
       - load
       - memory
-      #- network
-      #- process
-      #- process_summary
+      # - network
+      # - process
+      # - process_summary
       - uptime
       - socket_summary
-      #- diskio
+      # - diskio
       - filesystem
       - fsstat
-      #- service
+      # - service
diff --git a/Ansible/roles/router/files/packetbeat.yml b/Ansible/roles/router/files/packetbeat.yml
index 90f0237..07b3b8a 100644
--- a/Ansible/roles/router/files/packetbeat.yml
+++ b/Ansible/roles/router/files/packetbeat.yml
@@ -9,8 +9,8 @@ logging:
   to_syslog: true
   metrics.enabled: false
 
-#processors:
-#  - add_host_metadata: ~
+# processors:
+#   - add_host_metadata: ~
 
 packetbeat:
   interfaces.device: em1
@@ -27,8 +27,8 @@ packetbeat:
       enabled: true
       ports:
         - 443
-    #- type: dhcp
-    #  enabled: true
-    #  ports:
-    #    - 67
-    #    - 68
+    # - type: dhcp
+    #   enabled: true
+    #   ports:
+    #     - 67
+    #     - 68
diff --git a/Ansible/roles/router/files/pf.conf b/Ansible/roles/router/files/pf.conf
index 527d5f8..aec3713 100644
--- a/Ansible/roles/router/files/pf.conf
+++ b/Ansible/roles/router/files/pf.conf
@@ -49,7 +49,7 @@ pass in quick proto tcp to (egress:0) port { smtp, submission, imaps } rdr-to ho
 pass out quick proto tcp to host01.shore.co.il port { submission, smtp, imaps } received-on ingress nat-to ingress set prio ( 4, 6 )
 pass in quick proto { tcp, udp } to (egress:0) port bittorrent rdr-to kodi.shore.co.il set queue bulk set prio 1
 
-# Allowd NAT and proxying
+# Allowed NAT and proxying
 #pass in quick on ingress inet proto tcp to egress:network port www divert-to localhost port wwwproxy
 pass in quick on ingress inet proto tcp to port ftp divert-to localhost port ftpproxy
 pass in quick on ingress inet to !(ingress:0)
diff --git a/Ansible/roles/router/tasks/main.yaml b/Ansible/roles/router/tasks/main.yaml
index aea97aa..8c0f305 100644
--- a/Ansible/roles/router/tasks/main.yaml
+++ b/Ansible/roles/router/tasks/main.yaml
@@ -1,6 +1,5 @@
 ---
 - name: Configure sysctl
-  ignore_errors: true
   with_dict:
     net.inet.ip.forwarding: "1"
   ansible.posix.sysctl:
@@ -66,9 +65,11 @@
 
 - name: Configure the network interfaces
   with_dict:
+    # yamllint disable rule:line-length
     em1: |
       description "Connected to the fiber cable, used for PPPoE connection to the ISP."
       up
+    # yamllint enable rule:line-length
     em5: |
       description "Connected to internal LAN."
       inet 192.168.3.1 255.255.255.0
@@ -498,7 +499,7 @@
       fw_update -an | grep -v '^quirks'
     dest: /etc/daily.local
     group: wheel
-    mode: 0o044
+    mode: 0o0444
     owner: root
   tags:
     - cron
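Review bot: The corrected `mode: 0o0444` is right (the old `0o044` dropped the owner's own read bit), but nothing records why `/etc/daily.local` must stay read-only for everyone but root; on OpenBSD that file is, as far as I know, sourced by the root-run daily(8) script, so a why-comment above `mode` such as `# sourced by /etc/daily as root: must never be group/world-writable` would stop a later edit from loosening it. Note also that Ansible's YAML 1.1 loader reads `0o0444` as the string "0o0444", which the file modules accept via `int(mode, 8)`; consistent with the rest of the repo, just worth knowing when comparing with `0444`. The task's definition starts outside the hunk.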
diff --git a/Ansible/roles/router/tasks/tasks/sshd_config.yaml b/Ansible/roles/router/tasks/tasks/sshd_config.yaml
new file mode 120000
index 0000000..1f713de
--- /dev/null
+++ b/Ansible/roles/router/tasks/tasks/sshd_config.yaml
@@ -0,0 +1 @@
+../../../../tasks/sshd_config.yaml
\ No newline at end of file
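Review bot: The symlink resolves to `Ansible/tasks/sshd_config.yaml`, but nothing in this patch includes it from the router role, and the `tasks/tasks/` placement only makes sense if an `include_tasks: tasks/sshd_config.yaml` (resolved relative to the role's tasks directory) exists in `main.yaml` outside the visible hunks; confirm that include is there, otherwise the new file is dead. Because the shared file now drives the router's sshd configuration, edits to `Ansible/tasks/sshd_config.yaml` will silently change the router as well; a one-line comment at the include site, `# symlink to Ansible/tasks/sshd_config.yaml, shared with the other hosts`, would make that coupling visible, and the enabled `check-symlinks` hook will catch the link going stale if the target moves.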
diff --git a/Ansible/roles/wap/tasks/main.yaml b/Ansible/roles/wap/tasks/main.yaml
index 244d3f7..20cdd3d 100644
--- a/Ansible/roles/wap/tasks/main.yaml
+++ b/Ansible/roles/wap/tasks/main.yaml
@@ -78,12 +78,15 @@
 - name: Render UCI configuration
   ansible.builtin.template:
     dest: /root/uci.conf
+    mode: 0o0644
     src: uci.conf.j2
 
 - name: Import UCI configuration
   ansible.builtin.shell:
     cmd: uci import < /root/uci.conf
+  changed_when: true
 
 - name: Commit UCI configuration
   ansible.builtin.command:
     cmd: uci commit
+  changed_when: true
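Review bot: `mode: 0o0644` on `/root/uci.conf` is the permissive choice for a rendered UCI dump that, on an access point, presumably carries the wireless PSK and other credentials from `uci.conf.j2`; since only root reads it (the next task imports it as root), `mode: 0o0600` costs nothing and removes the reliance on `/root` itself being 0700. Consider also removing the file after `uci commit`, since it is a plaintext copy of the live configuration that otherwise persists on flash. The `changed_when: true` additions correctly stop the shell and command tasks from being reported as unchanged, but they also mean this part of the play is never idempotent, which deserves a one-line comment such as `# uci import/commit always rewrite state; not idempotent by design`.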
diff --git a/Ansible/roles/wap/templates/daily.j2 b/Ansible/roles/wap/templates/daily.j2
old mode 100644
new mode 100755
diff --git a/Ansible/tasks/renew-cert.yaml b/Ansible/tasks/renew-cert.yaml
index 3f69a38..4b18c12 100644
--- a/Ansible/tasks/renew-cert.yaml
+++ b/Ansible/tasks/renew-cert.yaml
@@ -35,7 +35,7 @@
 
 - name: Register account
   community.crypto.acme_account:
-    account_key_src: *account_key_src
+    account_key_src: *account_key_src  # pragma: allowlist secret
     acme_directory: &acme_directory |-
       https://acme-v02.api.letsencrypt.org/directory
     # acme_directory: &acme_directory |-
@@ -85,7 +85,7 @@
 - name: Create {{ host }} challenge
   community.crypto.acme_certificate:
     account_email: *email
-    account_key_src: *account_key_src
+    account_key_src: *account_key_src  # pragma: allowlist secret
     acme_directory: *acme_directory
     acme_version: *acme_version
     csr: *csr_src
@@ -109,6 +109,7 @@
     - name: Create ACME challenge directory on {{ host }}
       delegate_to: &delegate_to '{{ delegate_host|default(host) }}'
       file:
+        mode: 0o0755
         path: /var/www/www.shore.co.il/.well-known/acme-challenge
         state: directory
 
@@ -128,7 +129,7 @@
     - name: Validate {{ host }} challenge
       community.crypto.acme_certificate:
         account_email: *email
-        account_key_src: *account_key_src
+        account_key_src: *account_key_src  # pragma: allowlist secret
         acme_directory: *acme_directory
         acme_version: *acme_version
         challenge: http-01
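Review bot: The three `# pragma: allowlist secret` comments silence detect-secrets on `account_key_src`, whose value is a YAML alias to a file path, not key material, so the allowlisting is correct; but scattering the same pragma over every alias of `*account_key_src` will have to be repeated for each future task that uses it. A `.secrets.baseline` committed alongside the config (with `args: ['--baseline', '.secrets.baseline']` on the hook) records such known false positives once and keeps the playbook free of scanner annotations, and it also makes new findings reviewable as a diff of the baseline. The acme_certificate task continues outside the hunk.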
diff --git a/Ansible/update.yaml b/Ansible/update.yaml
index 857a7cb..1d6bb85 100644
--- a/Ansible/update.yaml
+++ b/Ansible/update.yaml
@@ -19,7 +19,7 @@
             upgrade: dist
           register: apt_upgrade
 
-        - name: Remove no-longer needed dependecies
+        - name: Remove no-longer needed dependencies
           apt:
             autoremove: true
             purge: true
diff --git a/README.md b/README.md
index 61cf23f..a8895fb 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ time moved on a few things changed. Firstly, my homelab was stable and I
 didn't have to manage it. My work changed and I used Ansible less and Docker
 more. [Molecule](https://molecule.readthedocs.io/) 2.0 came out and I had to
 redo all of the CI setup. Also, I reached the time limit with TravisCI with some
-of the more complex roles which casued them to fail although they were
+of the more complex roles which caused them to fail although they were
 completely working.
 
 With this in mind, this is a new take on my homelab setup. I'm not going to do
-- 
GitLab