diff --git a/.config/molecule/config.yml b/.config/molecule/config.yml
new file mode 100644
index 0000000..db32661
--- /dev/null
+++ b/.config/molecule/config.yml
@@ -0,0 +1,236 @@ +--- +dependency: + name: galaxy +driver: + name: docker +platforms: + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest + name: amazonlinux2023-systemd-amd64 + platform: amd64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest + name: amazonlinux2023-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + # These platforms do not provide systemd-resolved. + # - cgroupns_mode: host + # command: /lib/systemd/systemd + # image: docker.io/geerlingguy/docker-debian10-ansible:latest + # name: debian10-systemd-amd64 + # platform: amd64 + # pre_build_image: true + # privileged: true + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:rw + # - cgroupns_mode: host + # command: /lib/systemd/systemd + # image: docker.io/geerlingguy/docker-debian10-ansible:latest + # name: debian10-systemd-arm64 + # platform: arm64 + # pre_build_image: true + # privileged: true + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:rw + # - cgroupns_mode: host + # command: /lib/systemd/systemd + # image: docker.io/geerlingguy/docker-debian11-ansible:latest + # name: debian11-systemd-amd64 + # platform: amd64 + # pre_build_image: true + # privileged: true + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:rw + # - cgroupns_mode: host + # command: /lib/systemd/systemd + # image: docker.io/geerlingguy/docker-debian11-ansible:latest + # name: debian11-systemd-arm64 + # platform: arm64 + # pre_build_image: true + # privileged: true + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-debian12-ansible:latest + name: debian12-systemd-amd64 + platform: amd64 + pre_build_image: true + privileged: true + 
volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-debian12-ansible:latest + name: debian12-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/cisagov/docker-debian13-ansible:latest + name: debian13-systemd-amd64 + platform: amd64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/cisagov/docker-debian13-ansible:latest + name: debian13-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/cisagov/docker-kali-ansible:latest + name: kali-systemd-amd64 + platform: amd64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/cisagov/docker-kali-ansible:latest + name: kali-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-fedora39-ansible:latest + name: fedora39-systemd-amd64 + platform: amd64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-fedora39-ansible:latest + name: fedora39-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-fedora40-ansible:latest + name: fedora40-systemd-amd64 + platform: amd64 + 
pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-fedora40-ansible:latest + name: fedora40-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-fedora41-ansible:latest + name: fedora41-systemd-amd64 + platform: amd64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-fedora41-ansible:latest + name: fedora41-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + # These platforms do not provide systemd-resolved. + # - cgroupns_mode: host + # command: /lib/systemd/systemd + # image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest + # name: ubuntu-20-systemd-amd64 + # platform: amd64 + # pre_build_image: true + # privileged: true + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:rw + # - cgroupns_mode: host + # command: /lib/systemd/systemd + # image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest + # name: ubuntu-20-systemd-arm64 + # platform: arm64 + # pre_build_image: true + # privileged: true + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:rw + # - cgroupns_mode: host + # command: /lib/systemd/systemd + # image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest + # name: ubuntu-22-systemd-amd64 + # platform: amd64 + # pre_build_image: true + # privileged: true + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:rw + # - cgroupns_mode: host + # command: /lib/systemd/systemd + # image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest + # name: ubuntu-22-systemd-arm64 + # platform: arm64 + # pre_build_image: true + # privileged: true + # volumes: + # - 
/sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest + name: ubuntu-24-systemd-amd64 + platform: amd64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest + name: ubuntu-24-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw +provisioner: + name: ansible + config_options: + defaults: + # Molecule used to add ${MOLECULE_PROJECT_DIRECTORY}/. to this + # path for us pre-25.2.0, but now we have to do it ourselves. + # See ansible/molecule#4380 and + # https://github.com/ansible/molecule/releases/tag/v25.2.0 for + # more details. + roles_path: ~/.cache/molecule/skeleton-ansible-role/${MOLECULE_SCENARIO_NAME}/roles:${MOLECULE_PROJECT_DIRECTORY}/..:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles +verifier: + name: testinfra diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 709d331..927e821 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
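Review bot: Every platform pulls a mutable `:latest` tag (`image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest` and the rest) and then runs it with `privileged: true`, `cgroupns_mode: host` and `/sys/fs/cgroup:/sys/fs/cgroup:rw`, so whatever the registry serves under that tag on a given day gets near-unrestricted access to the CI host, and test outcomes are not reproducible between runs. Pinning each image by digest, `image: docker.io/geerlingguy/docker-debian12-ansible:latest@sha256:<DIGEST>` (placeholder), makes both the host exposure and the test result a function of the committed config; if the upstream images move too often for that to be practical, a comment stating that floating tags are accepted deliberately is the minimum. The privileged/host-cgroup settings also deserve a one-line comment above the first platform, e.g. `# systemd as PID 1 needs a privileged container sharing the host cgroup namespace; only run on ephemeral CI runners.`, since nothing in the file says why they are required.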
@@ -11,21 +11,19 @@ updates:
 # Managed by cisagov/skeleton-generic
 - dependency-name: actions/cache
 - dependency-name: actions/checkout
+ - dependency-name: actions/dependency-review-action
 - dependency-name: actions/setup-go
 - dependency-name: actions/setup-python
+ - dependency-name: cisagov/action-job-preamble
 - dependency-name: cisagov/setup-env-github-action
- - dependency-name: crazy-max/ghaction-dump-context
 - dependency-name: crazy-max/ghaction-github-labeler
- - dependency-name: crazy-max/ghaction-github-status
- - dependency-name: GitHubSecurityLab/actions-permissions
+ - dependency-name: github/codeql-action
 - dependency-name: hashicorp/setup-packer
 - dependency-name: hashicorp/setup-terraform
 - dependency-name: mxschmitt/action-tmate
- - dependency-name: step-security/harden-runner
 # Managed by cisagov/skeleton-ansible-role
+ - dependency-name: cisagov/action-disable-apparmor
 - dependency-name: docker/setup-buildx-action
- - dependency-name: docker/setup-qemu-action
- - dependency-name: github/codeql-action
 package-ecosystem: github-actions
 schedule:
 interval: weekly
diff --git a/.github/labels.yml b/.github/labels.yml
index 5b16492..fe9a53e 100644
--- a/.github/labels.yml
+++ b/.github/labels.yml
@@ -2,69 +2,69 @@ # Rather than breaking up descriptions into multiline strings we disable that # specific rule in yamllint for this file. # yamllint disable rule:line-length -- color: "eb6420" +- color: eb6420 description: This issue or pull request is awaiting the outcome of another issue or pull request name: blocked - color: "000000" description: This issue or pull request involves changes to existing functionality name: breaking change -- color: "d73a4a" +- color: d73a4a description: This issue or pull request addresses broken functionality name: bug -- color: "07648d" +- color: 07648d description: This issue will be advertised on code.gov's Open Tasks page (https://code.gov/open-tasks) name: code.gov -- color: "0366d6" +- color: 0366d6 description: Pull requests that update a dependency file name: dependencies -- color: "5319e7" +- color: 5319e7 description: This issue or pull request improves or adds to documentation name: documentation -- color: "cfd3d7" +- color: cfd3d7 description: This issue or pull request already exists or is covered in another issue or pull request name: duplicate -- color: "b005bc" +- color: b005bc description: A high-level objective issue encompassing multiple issues instead of a specific unit of work name: epic - color: "000000" description: Pull requests that update GitHub Actions code name: github-actions -- color: "0e8a16" +- color: 0e8a16 description: This issue or pull request is well-defined and good for newcomers name: good first issue -- color: "ff7518" +- color: ff7518 description: Pull request that should count toward Hacktoberfest participation name: hacktoberfest-accepted -- color: "a2eeef" +- color: a2eeef description: This issue or pull request will add or improve functionality, maintainability, or ease of use name: improvement -- color: "fef2c0" +- color: fef2c0 description: This issue or pull request is not applicable, incorrect, or obsolete name: invalid -- color: "ce099a" +- color: ce099a description: This pull 
request is ready to merge during the next Lineage Kraken release name: kraken 🐙 -- color: "a4fc5d" +- color: a4fc5d description: This issue or pull request requires further information name: need info -- color: "fcdb45" +- color: fcdb45 description: This pull request is awaiting an action or decision to move forward name: on hold -- color: "ef476c" +- color: ef476c description: This issue is a request for information or needs discussion name: question -- color: "d73a4a" +- color: d73a4a description: This issue or pull request addresses a security issue name: security -- color: "00008b" +- color: 00008b description: This issue or pull request adds or otherwise modifies test code name: test -- color: "1d76db" +- color: 1d76db description: This issue or pull request pulls in upstream updates name: upstream update -- color: "d4c5f9" +- color: d4c5f9 description: This issue or pull request increments the version number name: version bump -- color: "ffffff" +- color: ffffff description: This issue will not be incorporated name: wontfix diff --git a/.github/lineage.yml b/.github/lineage.yml index a735189..e55a27d 100644 --- a/.github/lineage.yml +++ b/.github/lineage.yml @@ -2,4 +2,4 @@ lineage: skeleton: remote-url: https://github.com/cisagov/skeleton-ansible-role.git -version: '1' +version: "1" diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 18ed5bf..93adddf 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,7 +1,7 @@ --- name: build -on: +on: # yamllint disable-line rule:truthy merge_group: types: - checks_requested 
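Review bot: Unquoting the hex colours is safe for the values present only because each one happens to contain a letter; the file now depends on every future colour being checked by hand, and the two `"000000"` entries that stay quoted are the only hint why (an all-digit colour such as `123456` would load as an integer, and a digit-e-digit colour such as `12e345` as a float under the YAML 1.2 core schema; both values constructed). A one-line comment above the first entry, `# Colours made only of digits (or digit-e-digit) must stay quoted or YAML retypes them.`, would make the rule visible to the next person adding a label. If a formatter is what stripped the quotes, that comment is also the place to say which tool owns the quoting style.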
@@ -36,23 +36,34 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - # Note that a duplicate of this step must be added at the top of - # each job. - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit - - id: github-status - name: Check GitHub status - uses: crazy-max/ghaction-github-status@v4 - - id: dump-context - name: Dump context - uses: crazy-max/ghaction-dump-context@v2 + check_github_status: "true" + # This functionality is poorly implemented and has been + # causing problems due to the MITM implementation hogging or + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-enable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" + output_workflow_context: "true" + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} lint: needs: - diagnostics 
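Review bot: `uses: cisagov/action-job-preamble@v1` pins the new preamble to a mutable major tag rather than a commit, and the same reference is added at the top of every job in this commit (the lint and test jobs in build.yml, both jobs in codeql-analysis.yml, both jobs in the new dependency-review.yml and both jobs in sync-labels.yml). Because this step now runs first in every job, receives the job's token and replaces the previous `step-security/harden-runner` egress audit, whoever can move the `v1` tag controls what executes in every workflow of the repository. Pinning to a full-length commit with the tag in a trailing comment, `uses: cisagov/action-job-preamble@<FULL-COMMIT-SHA> # v1` (placeholder), is the usual mitigation; dependabot.yml ignores this action, so the pin would presumably have to be refreshed through the skeleton/Lineage process rather than by Dependabot, and a short comment saying so would stop someone from "fixing" it back to `@v1`. The diagnostics job's definition starts outside the hunk.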
@@ -61,15 +72,32 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit + # This functionality is poorly implemented and has been + # causing problems due to the MITM implementation hogging or + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-enable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 
@@ -92,16 +120,16 @@ jobs: echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT - uses: actions/cache@v4 env: - BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ + BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\ py${{ steps.setup-python.outputs.python-version }}-\ go${{ steps.setup-go.outputs.go-version }}-\ packer${{ steps.setup-env.outputs.packer-version }}-\ - tf${{ steps.setup-env.outputs.terraform-version }}-" + tf${{ steps.setup-env.outputs.terraform-version }}- with: - key: "${{ env.BASE_CACHE_KEY }}\ + key: ${{ env.BASE_CACHE_KEY }}\ ${{ hashFiles('**/requirements-test.txt') }}-\ ${{ hashFiles('**/requirements.txt') }}-\ - ${{ hashFiles('**/.pre-commit-config.yaml') }}" + ${{ hashFiles('**/.pre-commit-config.yaml') }} # Note that the .terraform directory IS NOT included in the # cache because if we were caching, then we would need to use # the `-upgrade=true` option. This option blindly pulls down the @@ -177,6 +205,9 @@ jobs: permissions: # actions/checkout needs this to fetch code contents: read + # This line is long, but if I use a block style indicator then GH + # Actions doesn't parse and execute the expression. + # yamllint disable-line rule:line-length runs-on: ubuntu-${{ startsWith(matrix.architecture, 'arm') && '24.04-arm' || 'latest' }} strategy: fail-fast: false 
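Review bot: Dropping the double quotes around `BASE_CACHE_KEY` and `key` changes their values, not just their style: in a plain (unquoted) multi-line scalar a trailing `\` is an ordinary character and the line break folds to a space, whereas inside double quotes `\` followed by a newline is an escaped continuation. The new keys therefore contain literal `\ ` sequences between the fragments (something like `lint-Linux-\ py3.12-\ go…`, illustrative), which the removed lines did not produce. Caching will not visibly fail, because `restore-keys` (visible in the test-job hunk) prefix-matches the same malformed value, so this is easy to miss; the test job's `BASE_CACHE_KEY` and `key` in the `@@ -222,63 +270,39 @@` hunk have the same defect. Restoring the quoting of the removed lines, `BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\` … `tf${{ steps.setup-env.outputs.terraform-version }}-"`, and likewise `key: "${{ env.BASE_CACHE_KEY }}\` … `${{ hashFiles('**/.pre-commit-config.yaml') }}"`, gives back the intended single-token key; a folded `>-` block is not a substitute because it joins with spaces. The lint job's definition starts and ends outside the hunk.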
@@ -204,15 +235,32 @@ jobs: - disable_stub_resolver - specify_resolv_conf_target steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 with: - egress-policy: audit + # This functionality is poorly implemented and has been + # causing problems due to the MITM implementation hogging or + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-enable this functionality when practical. See + # cisagov/skeleton-ansible-role#227 for more details. + monitor_permissions: "false" + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 
@@ -222,63 +270,39 @@ jobs: python-version: ${{ steps.setup-env.outputs.python-version }} - uses: actions/cache@v4 env: - BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ - py${{ steps.setup-python.outputs.python-version }}-" + BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\ + py${{ steps.setup-python.outputs.python-version }}- with: path: ${{ env.PIP_CACHE_DIR }} - key: "${{ env.BASE_CACHE_KEY }}\ + key: ${{ env.BASE_CACHE_KEY }}\ ${{ hashFiles('**/requirements-test.txt') }}-\ - ${{ hashFiles('**/requirements.txt') }}" + ${{ hashFiles('**/requirements.txt') }} restore-keys: | ${{ env.BASE_CACHE_KEY }} - name: Install dependencies run: | python -m pip install --upgrade pip pip install --upgrade --requirement requirements-test.txt - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - # Disabling the unix-chkpwd AppArmor profile is necessary when - # running Molecule tests against Fedora 40 and 41; otherwise, - # the privileged container cannot successfully run sudo and - # hence Ansible is unable to do anything. See + # AppArmor interferes when running Molecule tests against Fedora + # 40 and 41; it does not allow the privileged container to run + # sudo and hence Ansible is unable to do anything. See # fedora-cloud/docker-brew-fedora#117 for more details. # - # Purging firefox is currently necessary because the - # installation available on the GitHub runner instance provides - # two conflicting AppArmor profiles: - # /etc/apparmor.d/usr.bin.firefox and /etc/apparmor.d/firefox. - # This conflict causes the aa-disable /usr/sbin/unix_chkpwd - # command to fail. - # - # Purging passt is currently necessary because the installation - # available on the GitHub runner instance contains a wonky - # AppArmor file (/etc/apparmor.d/abstractions/passt) that causes - # the aa-disable command to fail. - # - # TODO: Remove the apt-get purge and systemctl reload commands - # when possible. 
See cisagov/skeleton-ansible-role#215 for more - # details. - - name: Disable unix-chkpwd AppArmor profile - run: | - sudo apt-get purge firefox passt - sudo systemctl reload apparmor.service - sudo apt-get install apparmor-utils - sudo aa-disable /usr/sbin/unix_chkpwd - if: ${{ startsWith(matrix.platform, 'fedora') }} + # There is a growing consensus that AppArmor causes too many + # problems and should not be active on the short-lived GitHub + # runners. See, for example, + # actions/runner-images/issues/10015. To avoid problems in the + # future, it makes sense to simply disable AppArmor altogether + # before running Molecule tests. + - name: Disable AppArmor + uses: cisagov/action-disable-apparmor@v1 - name: Run molecule tests run: >- molecule test --platform-name ${{ matrix.platform }}-${{ matrix.architecture }} --scenario-name ${{ matrix.scenario }} - # TODO: Remove the apt-get install command when possible. See - # cisagov/skeleton-ansible-role#215 for more details. - - name: Re-enable unix-chkpwd AppArmor profile - run: | - sudo aa-enforce /usr/sbin/unix_chkpwd - sudo apt-get install firefox passt - if: ${{ startsWith(matrix.platform, 'fedora') }} - name: Setup tmate debug session uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 03d9c1e..eba0465 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
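Review bot: The new `Disable AppArmor` step runs for every matrix entry, whereas the step it replaces was guarded by `if: ${{ startsWith(matrix.platform, 'fedora') }}`, so the runner's MAC layer is now switched off for all platforms before Molecule launches containers that the new molecule config runs with `privileged: true` and a host cgroup namespace. On ephemeral GitHub-hosted runners that is a defensible trade and the comment block explains the motivation, but nothing records that the broadening is intentional or that the step must not be used on a self-hosted runner; the former re-enable step also has no counterpart, which is fine only for the same ephemeral-runner reason. Either keep the guard, `if: ${{ startsWith(matrix.platform, 'fedora') }}`, or add a line to the comment such as `# Deliberately unconditional: the hosted runner is discarded after the job; do not reuse on a self-hosted runner.` The test job's definition starts outside the hunk.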
@@ -6,21 +6,23 @@ # or to provide custom queries or build logic. name: CodeQL +# The use of on here as a key is part of the GitHub actions syntax. +# yamllint disable-line rule:truthy on: merge_group: types: - checks_requested + pull_request: + # The branches here must be a subset of the ones in the push key + branches: + - develop push: - # Dependabot triggered push events have read-only access, but uploading code + # Dependabot-triggered push events have read-only access, but uploading code # scanning requires write access. branches-ignore: - dependabot/** - pull_request: - # The branches below must be a subset of the branches above - branches: - - develop schedule: - - cron: '0 2 * * 6' + - cron: 0 2 * * 6 jobs: diagnostics: 
@@ -31,23 +33,34 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - # Note that a duplicate of this step must be added at the top of - # each job. - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit - - id: github-status - name: Check GitHub status - uses: crazy-max/ghaction-github-status@v4 - - id: dump-context - name: Dump context - uses: crazy-max/ghaction-dump-context@v2 + check_github_status: "true" + # This functionality is poorly implemented and has been + # causing problems due to the MITM implementation hogging or + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-enable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" + output_workflow_context: "true" + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} analyze: name: Analyze needs: 
@@ -61,23 +74,44 @@ jobs: strategy: fail-fast: false matrix: - # Override automatic language detection by changing the below list - # Supported options are go, javascript, csharp, python, cpp, and java + # Override automatic language detection by changing the below + # list + # + # Supported options are actions, c-cpp, csharp, go, + # java-kotlin, javascript-typescript, python, ruby, and swift. language: + - actions - python # Learn more... # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 with: - egress-policy: audit + # This functionality is poorly implemented and has been + # causing problems due to the MITM implementation hogging or + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-enable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. 
+ permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - name: Checkout repository uses: actions/checkout@v4 diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..ee87e04 --- /dev/null +++ b/.github/workflows/dependency-review.yml 
@@ -0,0 +1,95 @@ +--- +name: Dependency review + +on: # yamllint disable-line rule:truthy + merge_group: + types: + - checks_requested + pull_request: + +# Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace, +# nounset, errexit, and pipefail. The `-x` will print all commands as they are +# run. Please see the GitHub Actions documentation for more information: +# https://docs.github.com/en/actions/using-jobs/setting-default-values-for-jobs +defaults: + run: + shell: bash -Eueo pipefail -x {0} + +jobs: + diagnostics: + name: Run diagnostics + # This job does not need any permissions + permissions: {} + runs-on: ubuntu-latest + steps: + # Note that a duplicate of this step must be added at the top of + # each job. + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 + with: + check_github_status: "true" + # This functionality is poorly implemented and has been + # causing problems due to the MITM implementation hogging or + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-enable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" + output_workflow_context: "true" + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. 
+ permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + dependency-review: + name: Dependency review + needs: + - diagnostics + permissions: + # actions/checkout needs this to fetch code + contents: read + runs-on: ubuntu-latest + steps: + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 + with: + # This functionality is poorly implemented and has been + # causing problems due to the MITM implementation hogging or + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-enable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + - id: checkout-repo + name: Checkout the repository + uses: actions/checkout@v4 + - id: dependency-review + name: Review dependency changes for vulnerabilities and license changes + uses: actions/dependency-review-action@v4 diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 0005147..fa6f772 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -1,7 +1,7 @@ --- name: sync-labels -on: +on: # yamllint disable-line rule:truthy push: paths: - .github/labels.yml 
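Review bot: `uses: actions/dependency-review-action@v4` is invoked with no `with:` block, so the action's built-in defaults decide what blocks a merge — as far as I recall that means failing on any advisory of severity `low` or higher and applying no license policy — and nothing in the workflow records whether that is the intended policy. Making it explicit, e.g. `with:` / `fail-on-severity: high` / `comment-summary-in-pr: always` (values illustrative), documents the decision and survives a change of the action's defaults; `comment-summary-in-pr` additionally needs `pull-requests: write`, which the job correctly does not grant today, so that would have to be added alongside. The workflow also triggers on `merge_group`; I believe the action handles that event, but it is worth confirming that merge-queue runs resolve base/head refs rather than silently passing. The `defaults.run.shell` line enables `-x`, which echoes every expanded command into the log; there are no `run` steps yet, so a comment noting that any future `run` step here must not handle derived secrets would be useful.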
@@ -20,23 +20,34 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - # Note that a duplicate of this step must be added at the top of - # each job. - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit - - id: github-status - name: Check GitHub status - uses: crazy-max/ghaction-github-status@v4 - - id: dump-context - name: Dump context - uses: crazy-max/ghaction-dump-context@v2 + check_github_status: "true" + # This functionality is poorly implemented and has been + # causing problems due to the MITM implementation hogging or + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-enable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" + output_workflow_context: "true" + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} labeler: needs: - diagnostics 
@@ -47,15 +58,32 @@ jobs: issues: write runs-on: ubuntu-latest steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 with: - egress-policy: audit + # This functionality is poorly implemented and has been + # causing problems due to the MITM implementation hogging or + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-enable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - uses: actions/checkout@v4 - name: Sync repository labels if: success() diff --git a/.gitignore b/.gitignore index 937e21d..f80f425 100644 --- a/.gitignore +++ b/.gitignore @@ -2,6 +2,9 @@ # Files already tracked by Git are not affected. # See: https://git-scm.com/docs/gitignore +## Ansible ## +.ansible + ## Python ## __pycache__ .mypy_cache diff --git a/.mdl_config.yaml b/.mdl_config.yaml index 4a650c1..1b48994 100644 --- a/.mdl_config.yaml +++ b/.mdl_config.yaml 
@@ -6,12 +6,12 @@ default: true # MD003/heading-style/header-style - Heading style MD003: # Enforce the ATX-closed style of header - style: "atx_closed" + style: atx_closed # MD004/ul-style - Unordered list style MD004: # Enforce dashes for unordered lists - style: "dash" + style: dash # MD013/line-length - Line length MD013: @@ -30,7 +30,7 @@ MD024: # MD029/ol-prefix - Ordered list item prefix MD029: # Enforce the `1.` style for ordered lists - style: "one" + style: one # MD033/no-inline-html - Inline HTML MD033: @@ -42,19 +42,19 @@ MD033: # MD035/hr-style - Horizontal rule style MD035: # Enforce dashes for horizontal rules - style: "---" + style: --- # MD046/code-block-style - Code block style MD046: # Enforce the fenced style for code blocks - style: "fenced" + style: fenced # MD049/emphasis-style - Emphasis style should be consistent MD049: # Enforce asterisks as the style to use for emphasis - style: "asterisk" + style: asterisk # MD050/strong-style - Strong style should be consistent MD050: # Enforce asterisks as the style to use for strong - style: "asterisk" + style: asterisk diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index b6a30a4..a8f80b1 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -39,17 +39,17 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.42.0 + rev: v0.44.0 hooks: - id: markdownlint args: - --config=.mdl_config.yaml - repo: https://github.com/rbubley/mirrors-prettier - rev: v3.3.3 + rev: v3.5.3 hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint - rev: v1.35.1 + rev: v1.37.0 hooks: - id: yamllint args: @@ -57,14 +57,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.29.4 + rev: 0.32.1 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v4.0.1 + rev: v4.2.0 hooks: - id: validate_manifest 
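Review bot: The new unquoted `style: ---` under MD035 is a plain string only because YAML treats `---` as a document marker solely at the start of a line, so it now reads like a document separator sitting inside a mapping. A comment above it such as `# A bare --- is a plain string here; it only marks a document start at column 0` would save the next reader a double-take, and the quote removal itself is consistent with the rest of the file. The other quote removals in this file are unambiguous.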
@@ -99,7 +99,7 @@ repos: # Shell script hooks - repo: https://github.com/scop/pre-commit-shfmt - rev: v3.10.0-1 + rev: v3.11.0-1 hooks: - id: shfmt args: @@ -123,7 +123,7 @@ repos: # Python hooks - repo: https://github.com/PyCQA/bandit - rev: 1.7.10 + rev: 1.8.3 hooks: - id: bandit # Bandit complains about the use of assert() in tests. This should cover @@ -132,25 +132,25 @@ repos: args: - --config=.bandit.yml - repo: https://github.com/psf/black-pre-commit-mirror - rev: 24.10.0 + rev: 25.1.0 hooks: - id: black - repo: https://github.com/PyCQA/flake8 - rev: 7.1.1 + rev: 7.1.2 hooks: - id: flake8 additional_dependencies: - flake8-docstrings==1.7.0 - repo: https://github.com/PyCQA/isort - rev: 5.13.2 + rev: 6.0.1 hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.13.0 + rev: v1.15.0 hooks: - id: mypy - repo: https://github.com/pypa/pip-audit - rev: v2.7.3 + rev: v2.8.0 hooks: - id: pip-audit args: @@ -167,13 +167,13 @@ repos: - --requirement - requirements.txt - repo: https://github.com/asottile/pyupgrade - rev: v3.19.0 + rev: v3.19.1 hooks: - id: pyupgrade # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v24.10.0 + rev: v25.1.3 hooks: - id: ansible-lint additional_dependencies: @@ -217,7 +217,7 @@ repos: # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.96.1 + rev: v1.98.0 hooks: - id: terraform_fmt - id: terraform_validate diff --git a/.yamllint b/.yamllint index 8855aa9..a1b1908 100644 --- a/.yamllint +++ b/.yamllint 
@@ -4,36 +4,93 @@ extends: default rules: braces: + # Do not allow non-empty flow mappings + forbid: non-empty + # Allow up to one space inside braces. This is required for Ansible compatibility. max-spaces-inside: 1 level: error + brackets: + # Do not allow non-empty flow sequences + forbid: non-empty max-spaces-inside: 1 level: error + colons: max-spaces-after: -1 level: error + commas: max-spaces-after: -1 level: error - comments: disable + + comments: + # Ensure that inline comments have at least one space before the preceding content. + # This is required for Ansible compatibility. + min-spaces-from-content: 1 + # yamllint does not like it when you comment out different parts of # dictionaries in a list. You can see # https://github.com/adrienverge/yamllint/issues/384 for some examples of # this behavior. comments-indentation: disable + document-start: disable + empty-lines: max: 3 level: error + hyphens: level: error - indentation: disable + + indentation: + # Ensure that block sequences inside of a mapping are indented + indent-sequences: true + # Enforce a specific number of spaces + spaces: 2 + key-duplicates: enable - line-length: disable + + # yamllint does not allow inline mappings that exceed the line length by + # default. There are many scenarios where the inline mapping may be a key, + # hash, or other long value that would exceed the line length but cannot + # reasonably be broken across lines. + line-length: + # This rule implies the allow-non-breakable-words rule + allow-non-breakable-inline-mappings: true + # Allows a 10% overage from the default limit of 80 + max: 88 + new-line-at-end-of-file: disable + new-lines: type: unix + + # Using anything other than strings to express octal values can lead to unexpected + # and potentially unsafe behavior. Ansible strongly recommends against such practices + # and these rules are needed for Ansible compatibility. 
Please see the following for + # more information: + # https://ansible.readthedocs.io/projects/lint/rules/risky-octal/ + octal-values: + # Do not allow explicit octal values (those beginning with a leading 0o). + forbid-explicit-octal: true + # Do not allow implicit octal values (those beginning with a leading 0). + forbid-implicit-octal: true + + quoted-strings: + # Allow disallowed quotes (single quotes) for strings that contain allowed quotes + # (double quotes). + allow-quoted-quotes: true + # Apply these rules to keys in mappings as well + check-keys: true + # We prefer double quotes for strings when they are needed + quote-type: double + # Only require quotes when they are necessary for proper processing + required: only-when-needed + trailing-spaces: disable + # yamllint doesn't like when we use yes and no for true and false, # but that's pretty standard in Ansible. truthy: disable diff --git a/bump-version b/bump-version new file mode 100755 index 0000000..15b4af1 --- /dev/null +++ b/bump-version 
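Review bot: `truthy: disable` survives at the end of the hunk while the new `octal-values` block just above it is justified by exactly the implicit-typing risk that `yes`/`no`/`on`/`off` also carry, so every truthy-looking value stays unchecked even though the Ansible compatibility the comment cites only needs `yes` and `no`. Narrowing the rule keeps the Ansible idiom and still catches the rest, and `check-keys: false` covers the `on:` key in GitHub workflow files, which this commit currently suppresses with a per-line `# yamllint disable-line rule:truthy` comment in `sync-labels.yml`. The values are written in block style because the new `brackets.forbid: non-empty` setting in the same hunk rules out a flow sequence.
```yaml
# … unchanged: trailing-spaces …
  # yamllint doesn't like when we use yes and no for true and false,
  # but that's pretty standard in Ansible, so allow those two spellings
  # and keep flagging the rest.
  truthy:
    allowed-values:
      - "true"
      - "false"
      - "yes"
      - "no"
    # The "on:" trigger key in GitHub workflow files is not a boolean.
    check-keys: false
```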
@@ -0,0 +1,172 @@ +#!/usr/bin/env bash + +# bump-version [--push] [--label LABEL] (major | minor | patch | prerelease | build | finalize | show) +# bump-version --list-files + +set -o nounset +set -o errexit +set -o pipefail + +# Stores the canonical version for the project. +VERSION_FILE=version.txt +# Files that should be updated with the new version. +VERSION_FILES=("$VERSION_FILE") + +USAGE=$( + cat << END_OF_LINE +Update the version of the project. + +Usage: + ${0##*/} [--push] [--label LABEL] (major | minor | patch | prerelease | build | finalize | show) + ${0##*/} --list-files + ${0##*/} (-h | --help) + +Options: + -h | --help Show this message. + --push Perform a \`git push\` after updating the version. + --label LABEL Specify the label to use when updating the build or prerelease version. + --list-files List the files that will be updated when the version is bumped. +END_OF_LINE +) + +old_version=$(< "$VERSION_FILE") +# Comment out periods so they are interpreted as periods and don't +# just match any character +old_version_regex=${old_version//\./\\\.} +new_version="$old_version" + +bump_part="" +label="" +commit_prefix="Bump" +with_push=false +commands_with_label=("build" "prerelease") +commands_with_prerelease=("major" "minor" "patch") +with_prerelease=false + +####################################### +# Display an error message, the help information, and exit with a non-zero status. +# Arguments: +# Error message. +####################################### +function invalid_option() { + echo "$1" + echo "$USAGE" + exit 1 +} + +####################################### +# Bump the version using the provided command. +# Arguments: +# The version to bump. +# The command to bump the version. +# Returns: +# The new version. 
+####################################### +function bump_version() { + local temp_version + temp_version=$(python -c "import semver; print(semver.parse_version_info('$1').${2})") + echo "$temp_version" +} + +if [ $# -eq 0 ]; then + echo "$USAGE" + exit 1 +else + while [ $# -gt 0 ]; do + case $1 in + --push) + if [ "$with_push" = true ]; then + invalid_option "Push has already been set." + fi + + with_push=true + shift + ;; + --label) + if [ -n "$label" ]; then + invalid_option "Label has already been set." + fi + + label="$2" + shift 2 + ;; + build | finalize | major | minor | patch) + if [ -n "$bump_part" ]; then + invalid_option "Only one version part should be bumped at a time." + fi + + bump_part="$1" + shift + ;; + prerelease) + with_prerelease=true + shift + ;; + show) + echo "$old_version" + exit 0 + ;; + -h | --help) + echo "$USAGE" + exit 0 + ;; + --list-files) + printf '%s\n' "${VERSION_FILES[@]}" + exit 0 + ;; + *) + invalid_option "Invalid option: $1" + ;; + esac + done +fi + +if [ -n "$label" ] && [ "$with_prerelease" = false ] && [[ ! " ${commands_with_label[*]} " =~ [[:space:]]${bump_part}[[:space:]] ]]; then + invalid_option "Setting the label is only allowed for the following commands: ${commands_with_label[*]}" +fi + +if [ "$with_prerelease" = true ] && [ -n "$bump_part" ] && [[ ! 
" ${commands_with_prerelease[*]} " =~ [[:space:]]${bump_part}[[:space:]] ]]; then + invalid_option "Changing the prerelease is only allowed in conjunction with the following commands: ${commands_with_prerelease[*]}" +fi + +label_option="" +if [ -n "$label" ]; then + label_option="token='$label'" +fi + +if [ -n "$bump_part" ]; then + if [ "$bump_part" = "finalize" ]; then + commit_prefix="Finalize" + bump_command="finalize_version()" + elif [ "$bump_part" = "build" ]; then + bump_command="bump_${bump_part}($label_option)" + else + bump_command="bump_${bump_part}()" + fi + new_version=$(bump_version "$old_version" "$bump_command") + echo Changing version from "$old_version" to "$new_version" +fi + +if [ "$with_prerelease" = true ]; then + bump_command="bump_prerelease($label_option)" + temp_version=$(bump_version "$new_version" "$bump_command") + echo Changing version from "$new_version" to "$temp_version" + new_version="$temp_version" +fi + +tmp_file=/tmp/version.$$ +for version_file in "${VERSION_FILES[@]}"; do + if [ ! -f "$version_file" ]; then + echo Missing expected file: "$version_file" + exit 1 + fi + sed "s/$old_version_regex/$new_version/" "$version_file" > $tmp_file + mv $tmp_file "$version_file" +done + +git add "${VERSION_FILES[@]}" +git commit --message "$commit_prefix version from $old_version to $new_version" + +if [ "$with_push" = true ]; then + git push +fi diff --git a/defaults/main.yml b/defaults/main.yml index 0134d38..6d431a9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -26,4 +26,5 @@ systemd_resolved_dropin_config_file: /etc/systemd/resolved.conf.d/99-ansible-rol # using the DNS resolver provided via DHCP. See here for more # information: # https://man.archlinux.org/man/systemd-resolved.8#/ETC/RESOLV.CONF -systemd_resolved_resolv_conf_filename: "{{ dynamic_resolv_conf_target_dir }}/stub-resolv.conf" +systemd_resolved_resolv_conf_filename: >- + {{ dynamic_resolv_conf_target_dir }}/stub-resolv.conf 
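Review bot: `tmp_file=/tmp/version.$$` near the end of the script is a predictable name in a shared, world-writable directory, the redirect into it is unquoted, and nothing removes it if `sed`, `mv` or `git` fails under `errexit`; `mktemp` plus an EXIT trap addresses all three, and copying the contents back with `cat` instead of `mv` avoids leaving each version file with the temp file's restrictive mode. Separately, `--label` is interpolated verbatim into the Python expression handed to `python -c` through `label_option="token='$label'"`, so a label containing a quote or other Python syntax yields a traceback instead of a usage error; validating it against the semver identifier character set up front turns that into a clear message. The hunk is the whole new script, so nothing continues outside it.
```bash
# … unchanged: option parsing and command/label compatibility checks …
label_option=""
if [ -n "$label" ]; then
  # Semver prerelease/build identifiers only allow these characters;
  # anything else would end up inside the Python expression below.
  if [[ ! "$label" =~ ^[0-9A-Za-z.-]+$ ]]; then
    invalid_option "Label may only contain letters, digits, periods, and hyphens: $label"
  fi
  label_option="token='$label'"
fi
# … unchanged: version bumping …
# Private temp file, removed on any exit; the version files keep their
# own mode because we copy the contents back rather than renaming.
tmp_file=$(mktemp)
trap 'rm -f "$tmp_file"' EXIT
for version_file in "${VERSION_FILES[@]}"; do
  # … unchanged: existence check …
  sed "s/$old_version_regex/$new_version/" "$version_file" > "$tmp_file"
  cat "$tmp_file" > "$version_file"
done
# … unchanged: git add / commit / push …
```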
diff --git a/molecule/default/externally-managed-python.yml b/molecule/default/externally-managed-python.yml index ce43622..c13b095 100644 --- a/molecule/default/externally-managed-python.yml +++ b/molecule/default/externally-managed-python.yml @@ -19,18 +19,21 @@ - name: Ensure the EXTERNALLY-MANAGED file is present if Python 3 is installed when: '"python3" in ansible_facts.packages' block: - # This gets a unique list of installed Python packages in the form of major.minor - # by taking the list of installed Python packages and: + # This gets a unique list of installed Python packages in + # the form of major.minor by taking the list of installed + # Python packages and: # 1. Extracting the version from each package's information # 2. Removing any version information after the major.minor version # 3. Ensuring there are no duplicates # - # NOTE: - # Since the value of python_versions is a multiline string, the regex expressions used in - # the regex_replace filter must use single backslashes for special sequences. If the value - # of python_versions were to be changed from a multiline string, the special sequences - # must be modified to use double backslashes instead. This is due to how the YAML is - # processed when Ansible reads the playbook. + # NOTE: Since the value of python_versions is a multiline + # string, the regex expressions used in the regex_replace + # filter must use single backslashes for special + # sequences. If the value of python_versions were to be + # changed from a multiline string, the special sequences + # must be modified to use double backslashes instead. This + # is due to how the YAML is processed when Ansible reads + # the playbook. - name: Extract version information about installed Python packages ansible.builtin.set_fact: python_versions: >- 
@@ -44,6 +47,6 @@
 - name: Restore EXTERNALLY-MANAGED file for Python
 ansible.builtin.template:
 dest: /usr/lib/python{{ item }}/EXTERNALLY-MANAGED
- mode: 0644
+ mode: u=rw,g=r,o=r
 src: EXTERNALLY-MANAGED.j2
 loop: "{{ python_versions }}"
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
index 65ef319..191b6ce 100644
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -1,237 +1,6 @@ --- -dependency: - name: galaxy -driver: - name: docker -platforms: - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest - name: amazonlinux2023-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest - name: amazonlinux2023-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - # These platforms do not provide systemd-resolved. - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-debian10-ansible:latest - # name: debian10-systemd-amd64 - # platform: amd64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-debian10-ansible:latest - # name: debian10-systemd-arm64 - # platform: arm64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-debian11-ansible:latest - # name: debian11-systemd-amd64 - # platform: amd64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-debian11-ansible:latest - # name: debian11-systemd-arm64 - # platform: arm64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-debian12-ansible:latest - name: debian12-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - 
volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-debian12-ansible:latest - name: debian12-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/cisagov/docker-debian13-ansible:latest - name: debian13-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/cisagov/docker-debian13-ansible:latest - name: debian13-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/cisagov/docker-kali-ansible:latest - name: kali-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/cisagov/docker-kali-ansible:latest - name: kali-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora39-ansible:latest - name: fedora39-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora39-ansible:latest - name: fedora39-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora40-ansible:latest - name: fedora40-systemd-amd64 - platform: amd64 - 
pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora40-ansible:latest - name: fedora40-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora41-ansible:latest - name: fedora41-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora41-ansible:latest - name: fedora41-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - # These platforms do not provide systemd-resolved. - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest - # name: ubuntu-20-systemd-amd64 - # platform: amd64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest - # name: ubuntu-20-systemd-arm64 - # platform: arm64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest - # name: ubuntu-22-systemd-amd64 - # platform: amd64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest - # name: ubuntu-22-systemd-arm64 - # platform: arm64 - # pre_build_image: true - # privileged: true - # volumes: - # - 
/sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest - name: ubuntu-24-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest - name: ubuntu-24-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw -provisioner: - name: ansible - env: - # Molecule used to add ${MOLECULE_PROJECT_DIRECTORY}/. to this - # path for us pre-25.2.0, but now we have to do it ourselves. See - # ansible/molecule#4380 and - # https://github.com/ansible/molecule/releases/tag/v25.2.0 for - # more details. - ANSIBLE_ROLES_PATH: ~/.cache/molecule/skeleton-ansible-role/${MOLECULE_SCENARIO_NAME}/roles:${MOLECULE_PROJECT_DIRECTORY}/..:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles +# See ../../.config/molecule/config.yml for the Molecule configuration +# that is shared among all scenarios. Any values set here will +# override the values in that file. scenario: name: default -verifier: - name: testinfra diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index cb43771..7c8356c 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -58,8 +58,8 @@ become: true become_method: ansible.builtin.sudo tasks: - - name: Install some tools that are required for testing - ansible.builtin.package: - name: - - dnsutils - - net-tools + - name: Install some tools that are required for testing + ansible.builtin.package: + name: + - dnsutils + - net-tools diff --git a/molecule/default/requirements.yml b/molecule/default/requirements.yml index 1854da0..1ef84c4 100644 --- a/molecule/default/requirements.yml +++ b/molecule/default/requirements.yml 
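Review bot: The `provisioner.env.ANSIBLE_ROLES_PATH` workaround for molecule 25.2.0 and the `verifier: testinfra` block are removed from this scenario with only the three-line comment pointing at the shared `.config/molecule/config.yml`; whether that file carries those two settings is not visible in this hunk, so it is worth confirming, since otherwise role resolution and verification change silently for every scenario. The comment could also state what is intentionally left here, e.g. `# Only the scenario name is set here; dependency, driver, platforms, provisioner and verifier come from the shared config.` The same removal appears in the `molecule/disable_stub_resolver/molecule.yml` hunk below.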
@@ -1,7 +1,8 @@ --- -# This is necessary to ensure a version of this collection that is compatible -# with version 2.32.0+ of the Python requests library. This should be removed when -# it is no longer required per https://github.com/cisagov/skeleton-ansible-role/issues/195 +# This is necessary to ensure a version of this collection that is +# compatible with version 2.32.0+ of the Python requests library. This +# should be removed when it is no longer required per +# https://github.com/cisagov/skeleton-ansible-role/issues/195 collections: - name: community.docker version: ">=3.10.2" diff --git a/molecule/disable_stub_resolver/molecule.yml b/molecule/disable_stub_resolver/molecule.yml index 7782a03..c65aec5 100644 --- a/molecule/disable_stub_resolver/molecule.yml +++ b/molecule/disable_stub_resolver/molecule.yml 
@@ -1,237 +1,6 @@ --- -dependency: - name: galaxy -driver: - name: docker -platforms: - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest - name: amazonlinux2023-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest - name: amazonlinux2023-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - # These platforms do not provide systemd-resolved. - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-debian10-ansible:latest - # name: debian10-systemd-amd64 - # platform: amd64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-debian10-ansible:latest - # name: debian10-systemd-arm64 - # platform: arm64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-debian11-ansible:latest - # name: debian11-systemd-amd64 - # platform: amd64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-debian11-ansible:latest - # name: debian11-systemd-arm64 - # platform: arm64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-debian12-ansible:latest - name: debian12-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - 
volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-debian12-ansible:latest - name: debian12-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/cisagov/docker-debian13-ansible:latest - name: debian13-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/cisagov/docker-debian13-ansible:latest - name: debian13-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/cisagov/docker-kali-ansible:latest - name: kali-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/cisagov/docker-kali-ansible:latest - name: kali-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora39-ansible:latest - name: fedora39-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora39-ansible:latest - name: fedora39-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora40-ansible:latest - name: fedora40-systemd-amd64 - platform: amd64 - 
pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora40-ansible:latest - name: fedora40-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora41-ansible:latest - name: fedora41-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora41-ansible:latest - name: fedora41-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - # These platforms do not provide systemd-resolved. - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest - # name: ubuntu-20-systemd-amd64 - # platform: amd64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest - # name: ubuntu-20-systemd-arm64 - # platform: arm64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest - # name: ubuntu-22-systemd-amd64 - # platform: amd64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest - # name: ubuntu-22-systemd-arm64 - # platform: arm64 - # pre_build_image: true - # privileged: true - # volumes: - # - 
/sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest - name: ubuntu-24-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest - name: ubuntu-24-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw -provisioner: - name: ansible - env: - # Molecule used to add ${MOLECULE_PROJECT_DIRECTORY}/. to this - # path for us pre-25.2.0, but now we have to do it ourselves. See - # ansible/molecule#4380 and - # https://github.com/ansible/molecule/releases/tag/v25.2.0 for - # more details. - ANSIBLE_ROLES_PATH: ~/.cache/molecule/skeleton-ansible-role/${MOLECULE_SCENARIO_NAME}/roles:${MOLECULE_PROJECT_DIRECTORY}/..:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles +# See ../../.config/molecule/config.yml for the Molecule configuration +# that is shared among all scenarios. Any values set here will +# override the values in that file. scenario: name: disable_stub_resolver -verifier: - name: testinfra diff --git a/molecule/specify_resolv_conf_target/converge.yml b/molecule/specify_resolv_conf_target/converge.yml index 17d71af..aa71f57 100644 --- a/molecule/specify_resolv_conf_target/converge.yml +++ b/molecule/specify_resolv_conf_target/converge.yml @@ -6,4 +6,5 @@ ansible.builtin.include_role: name: ansible-role-systemd-resolved vars: - systemd_resolved_resolv_conf_filename: "{{ dynamic_resolv_conf_target_dir }}/resolv.conf" + systemd_resolved_resolv_conf_filename: >- + {{ dynamic_resolv_conf_target_dir }}/resolv.conf diff --git a/molecule/specify_resolv_conf_target/molecule.yml b/molecule/specify_resolv_conf_target/molecule.yml index 898224d..982a97e 100644 --- a/molecule/specify_resolv_conf_target/molecule.yml 
+++ b/molecule/specify_resolv_conf_target/molecule.yml 
@@ -1,237 +1,6 @@ --- -dependency: - name: galaxy -driver: - name: docker -platforms: - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest - name: amazonlinux2023-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest - name: amazonlinux2023-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - # These platforms do not provide systemd-resolved. - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-debian10-ansible:latest - # name: debian10-systemd-amd64 - # platform: amd64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-debian10-ansible:latest - # name: debian10-systemd-arm64 - # platform: arm64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-debian11-ansible:latest - # name: debian11-systemd-amd64 - # platform: amd64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-debian11-ansible:latest - # name: debian11-systemd-arm64 - # platform: arm64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-debian12-ansible:latest - name: debian12-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - 
volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-debian12-ansible:latest - name: debian12-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/cisagov/docker-debian13-ansible:latest - name: debian13-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/cisagov/docker-debian13-ansible:latest - name: debian13-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/cisagov/docker-kali-ansible:latest - name: kali-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/cisagov/docker-kali-ansible:latest - name: kali-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora39-ansible:latest - name: fedora39-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora39-ansible:latest - name: fedora39-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora40-ansible:latest - name: fedora40-systemd-amd64 - platform: amd64 - 
pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora40-ansible:latest - name: fedora40-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora41-ansible:latest - name: fedora41-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora41-ansible:latest - name: fedora41-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - # These platforms do not provide systemd-resolved. - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest - # name: ubuntu-20-systemd-amd64 - # platform: amd64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest - # name: ubuntu-20-systemd-arm64 - # platform: arm64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest - # name: ubuntu-22-systemd-amd64 - # platform: amd64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest - # name: ubuntu-22-systemd-arm64 - # platform: arm64 - # pre_build_image: true - # privileged: true - # volumes: - # - 
/sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest - name: ubuntu-24-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest - name: ubuntu-24-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw -provisioner: - name: ansible - env: - # Molecule used to add ${MOLECULE_PROJECT_DIRECTORY}/. to this - # path for us pre-25.2.0, but now we have to do it ourselves. See - # ansible/molecule#4380 and - # https://github.com/ansible/molecule/releases/tag/v25.2.0 for - # more details. - ANSIBLE_ROLES_PATH: ~/.cache/molecule/skeleton-ansible-role/${MOLECULE_SCENARIO_NAME}/roles:${MOLECULE_PROJECT_DIRECTORY}/..:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles +# See ../../.config/molecule/config.yml for the Molecule configuration +# that is shared among all scenarios. Any values set here will +# override the values in that file. scenario: name: specify_resolv_conf_target -verifier: - name: testinfra diff --git a/requirements-dev.txt b/requirements-dev.txt index d84ee68..23d5741 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -1,2 +1,4 @@ --requirement requirements-test.txt ipython +# The bump-version script requires at least version 3 of semver. +semver>=3 diff --git a/setup-env b/setup-env index 059ccad..f3304d9 100755 --- a/setup-env +++ b/setup-env 
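Review bot: The three added comment lines say values set here "override" the shared file, but for a list-valued key such as `platforms` Molecule's base-config merge (an Ansible-style recursive combine, as far as I recall; worth confirming against the Molecule version this repo pins) replaces the whole list rather than extending it, so a scenario cannot add one platform without restating all of them. I would extend the comment with `# Note that list-valued keys (e.g. platforms) replace, rather than` and `# extend, the corresponding list in the shared file.` so the next person does not assume per-entry merging. Separately, the removed provisioner env set `ANSIBLE_ROLES_PATH` with a `~/.cache/molecule/skeleton-ansible-role/...` cache entry first in the search order; whether that project name, which does not match this role, survived into the shared config is not visible in this hunk, and it matters because the first matching path decides which copy of a role `converge` loads.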
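Review bot: The added `semver>=3` requirement is open-ended upward, so a future semver 4 with an incompatible API would be installed silently, while the comment above it only states the lower bound the bump-version script (not part of this diff) needs. Unless that script is known to track semver's major releases, bound the range to the major that was tested: `semver>=3,<4`. The pre-existing unpinned `ipython` on the line above has the same exposure, but that is outside this change.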
@@ -74,7 +74,8 @@ check_python_version() { "invalid version of Python." exit 1 # Else if the Python version isn't installed then notify the user. - # grep -E is used for searching through text lines that match the specific verison. + # grep -E is used for searching through text lines that match the + # specific version. elif ! python_versions | grep -E "^${version}$" > /dev/null; then echo "Error: Python version $version is not installed." echo "Installed Python versions are:" diff --git a/tasks/main.yml b/tasks/main.yml index 7daa6cd..3d7469c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -12,7 +12,12 @@ vars: conditions: - systemd_resolved_dns_stub_listener is boolean + # yamllint doesn't like these next two lines because they + # are so long, but there is no clean way to shorten them. + # + # yamllint disable-line rule:line-length - systemd_resolved_dns_stub_listener is string and systemd_resolved_dns_stub_listener == "tcp" + # yamllint disable-line rule:line-length - systemd_resolved_dns_stub_listener is string and systemd_resolved_dns_stub_listener == "udp" - name: Load var file with OS-specific information @@ -37,7 +42,7 @@ live actually exists ansible.builtin.file: group: root - mode: 0755 + mode: u=rwx,g=rx,o=rx owner: root path: "{{ systemd_resolved_dropin_config_file | dirname }}" state: directory @@ -45,7 +50,7 @@ - name: Set DNSStubListener config value for systemd-resolved community.general.ini_file: group: root - mode: 0644 + mode: u=rw,g=r,o=r # This is just to maintain the look and feel of the # /etc/systemd/resolved.conf file as provided by systemd-resolved. no_extra_spaces: true diff --git a/version.txt b/version.txt new file mode 100644 index 0000000..3eefcb9 --- /dev/null +++ b/version.txt @@ -0,0 +1 @@ +1.0.0
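Review bot: The rewrapped comment still describes `grep -E`, but on the `elif` context line `${version}` is interpolated unescaped into an extended regex, so a `.` in the version matches any character and a value containing regex metacharacters can match unintended entries or fail to compile as a pattern. Since the comment states the intent is matching the specific version, fixed-string whole-line matching is the safer form: `elif ! python_versions | grep -Fxq -- "$version"; then` (`-q` also makes the `> /dev/null` redirect unnecessary). The new comment could then read `# grep -Fx matches the whole line as a literal string, so a dot in the version cannot act as a wildcard.` `check_python_version` begins before this hunk and its body continues after it.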
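Review bot: The added comment claims there is no clean way to shorten the two `tcp`/`udp` conditions, but a folded scalar with a membership test does it without any `yamllint disable-line` exception: replace the two string items with `- >-` followed by `systemd_resolved_dns_stub_listener is string` and `and systemd_resolved_dns_stub_listener in ["tcp", "udp"]` on the next two lines. This presumes the `conditions` list is evaluated as alternatives rather than all-required, which it must already be, since a boolean can never also equal `"tcp"`; how the list is consumed lies outside this hunk, so confirm the consumer does not depend on it having exactly three entries. The enclosing task starts before the hunk (only its `vars:` is visible), so the module that reads `conditions` is not shown here.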