refactor(ansible): bring our ansible up to modern ansible-lint standards

hunleyd · hunleyd · commit 991fed4e3a06 · 2025-09-26T09:43:41.000-04:00
diff --git a/ansible/tasks/setup-system.yml b/ansible/tasks/setup-system.yml
@@ -1,209 +1,184 @@
-- name: System - apt update and apt upgrade
-  apt: update_cache=yes upgrade=yes
-  when: debpkg_mode or nixpkg_mode
-  # SEE http://archive.vn/DKJjs#parameter-upgrade
-
-- name: Install required security updates
-  apt:
-    pkg:
-      - tzdata
-      - linux-libc-dev
-  when: debpkg_mode or nixpkg_mode
-# SEE https://github.com/georchestra/ansible/issues/55#issuecomment-588313638
-# Without this, a similar error is faced
-- name: Install Ansible dependencies
-  apt:
-    pkg:
-      - acl
-  when: debpkg_mode or nixpkg_mode
-
-- name: Install security tools
-  apt:
-    pkg:
-      - nftables
-      - fail2ban
-    update_cache: yes
-    cache_valid_time: 3600
-  when: debpkg_mode or nixpkg_mode
-
-- name: Use nftables backend
-  shell: |
-    update-alternatives --set iptables /usr/sbin/iptables-nft
-    update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
-    update-alternatives --set arptables /usr/sbin/arptables-nft
-    update-alternatives --set ebtables /usr/sbin/ebtables-nft
-    systemctl restart ufw
-  when: debpkg_mode or nixpkg_mode
-
-- name: Create Sysstat log directory
-  file:
-    path: /var/log/sysstat
-    state: directory
-  when: debpkg_mode or nixpkg_mode
-    
-- name: Install other useful tools
-  apt:
-    pkg:
-      - bwm-ng
-      - htop
-      - net-tools
-      - ngrep
-      - sysstat
-      - vim-tiny
-    update_cache: yes
-  when: debpkg_mode or nixpkg_mode
-
-- name: Configure sysstat
-  copy:
-    src: files/sysstat.sysstat
-    dest: /etc/sysstat/sysstat
-  when: debpkg_mode or nixpkg_mode
-
-- name: Configure default sysstat
-  copy:
-    src: files/default.sysstat
-    dest: /etc/default/sysstat
-  when: debpkg_mode or nixpkg_mode
-
-
-- name: Adjust APT update intervals
-  copy:
-    src: files/apt_periodic
-    dest: /etc/apt/apt.conf.d/10periodic
-  when: debpkg_mode or nixpkg_mode
+- name: execute (debpkg_mode or nixpkg_mode) tasks
+  when:
+    - (debpkg_mode or nixpkg_mode)
+  block:
+    - name: System - apt update and apt upgrade
+      ansible.builtin.apt:
+        update_cache: true
+        upgrade: true
+      # SEE http://archive.vn/DKJjs#parameter-upgrade
+
+    - name: Install desired packages
+      ansible.builtin.apt:
+        cache_valid_time: 3600
+        pkg:
+          - acl  # SEE https://github.com/georchestra/ansible/issues/55#issuecomment-588313638
+          - fail2ban
+          - htop
+          - linux-libc-dev
+          - net-tools
+          - nftables
+          - ngrep
+          - sysstat
+          - tzdata
+          - vim-tiny
+        state: 'present'
+        update_cache: true
+
+    - name: Use nftables backend
+      community.general.alternatives:
+        name: "{{ nft_alt_item['name'] }}"
+        path: "{{ nft_alt_item['path'] }}"
+      loop:
+        - { name: 'arptables', path: '/usr/sbin/arptables-nft' }
+        - { name: 'ebtables', path: '/usr/sbin/ebtables-nft' }
+        - { name: 'iptables', path: '/usr/sbin/iptables-nft' }
+        - { name: 'ip6tables', path: '/usr/sbin/ip6tables-nft' }
+      loop_control:
+        loop_var: 'nft_alt_item'
+
+    - name: Restart ufw
+      ansible.builtin.systemd_service:
+        name: 'ufw'
+        state: 'restarted'
+
+    - name: Create Sysstat log directory
+      ansible.builtin.file:
+        path: '/var/log/sysstat'
+        state: 'directory'
+        
+          - bwm-ng
+
+    - name: Configure sysstat
+      ansible.builtin.copy:
+        dest: "/etc/{{ systat_item }}/sysstat"
+        src: "files/{{ systat_item }}.sysstat"
+      loop:
+        - default
+        - systat
+      loop_control:
+        loop_var: 'systat_item'
+
+    - name: Adjust APT update intervals
+      ansible.builtin.copy:
+        dest: '/etc/apt/apt.conf.d/10periodic'
+        src: 'files/apt_periodic'
 
 # Find platform architecture and set as a variable
-- name: finding platform architecture
-  shell: if [ $(uname -m) = "aarch64" ]; then echo "arm64";  else echo "amd64"; fi
-  register: platform_output
+- name: set the arch as a fact
+  ansible.builtin.set_fact:
+    platform: "{{ 'arm64' if ansible_facts['architecture'] == 'aarch64' else 'amd64' }}"
   tags:
     - update
     - update-only
-- set_fact:
-    platform: "{{ platform_output.stdout }}"
-  tags:
-    - update
-    - update-only
-  when: debpkg_mode or nixpkg_mode or stage2_nix
-
-- name: create overrides dir
-  file:
-    state: directory
-    owner: root
-    group: root
-    path: /etc/systemd/system/systemd-resolved.service.d
-    mode: '0700'
-  when: debpkg_mode or nixpkg_mode
-
-- name: Custom systemd overrides for resolved
-  copy:
-    src: files/systemd-resolved.conf
-    dest: /etc/systemd/system/systemd-resolved.service.d/override.conf
-  when: debpkg_mode or nixpkg_mode
-
-- name: System - Create services.slice
-  template:
-    src: files/services.slice.j2
-    dest: /etc/systemd/system/services.slice
-  when: debpkg_mode or nixpkg_mode
-
-
-- name: System - systemd reload
-  systemd: daemon_reload=yes
-  when: debpkg_mode or nixpkg_mode
-
-- name: Configure journald
-  copy:
-    src: files/journald.conf
-    dest: /etc/systemd/journald.conf
-  when: debpkg_mode or nixpkg_mode
-
-- name: reload systemd-journald
-  systemd:
-   name: systemd-journald
-   state: restarted
-  when: debpkg_mode or nixpkg_mode
-
-- name: Configure logind
-  copy:
-    src: files/logind.conf
-    dest: /etc/systemd/logind.conf
-  when: debpkg_mode or nixpkg_mode
-
-- name: reload systemd-logind
-  systemd:
-   name: systemd-logind
-   state: restarted
-  when: debpkg_mode or nixpkg_mode
-
-- name: enable timestamps for shell history
-  copy:
-    content: |
-      export HISTTIMEFORMAT='%d/%m/%y %T '
-    dest: /etc/profile.d/09-history-timestamps.sh
-    mode: 0644
-    owner: root
-    group: root
-  when: debpkg_mode or nixpkg_mode
-
-- name: configure systemd's pager
-  copy:
-    content: |
-      export SYSTEMD_LESS=FRXMK
-    dest: /etc/profile.d/10-systemd-pager.sh
-    mode: 0644
-    owner: root
-    group: root
-  when: debpkg_mode or nixpkg_mode
-
-- name: set hosts file
-  copy:
-    content: |
-      127.0.0.1   localhost
-      ::1         localhost
-    dest: /etc/hosts
-    mode: 0644
-    owner: root
-    group: root
-  when: debpkg_mode or stage2_nix
-
-#Set Sysctl params for restarting the OS on oom after 10
-- name: Set vm.panic_on_oom=1
-  ansible.builtin.sysctl:
-    name: vm.panic_on_oom
-    value: '1'
-    state: present
-    reload: yes
-  when: debpkg_mode or nixpkg_mode
-
-- name: Set kernel.panic=10
-  ansible.builtin.sysctl:
-    name: kernel.panic
-    value: '10'
-    state: present
-    reload: yes
-  when: debpkg_mode or nixpkg_mode
+  when:
+    - (debpkg_mode or nixpkg_mode or stage2_nix)
+
+- name: execute tasks when )debpkg_mode or nixpkg_mode)
+  when:
+    - (debpkg_mode or nixpkg_mode)
+  block:
+    - name: create overrides dir
+      ansible.builtin.file:
+        group: 'root'
+        mode: '0700'
+        owner: 'root'
+        path: '/etc/systemd/system/systemd-resolved.service.d'
+        state: 'directory'
+
+    - name: Custom systemd overrides for resolved
+      ansible.builtin.copy:
+        dest: '/etc/systemd/system/systemd-resolved.service.d/override.conf'
+        src: 'files/systemd-resolved.conf'
+
+    - name: System - Create services.slice
+      ansible.builtin.template:
+        dest: '/etc/systemd/system/services.slice'
+        src: 'files/services.slice.j2'
+
+
+    - name: System - systemd reload
+      ansible.builtin.systemd_service:
+        daemon_reload: true
+
+    - name: Configure journald
+      ansible.builtin.copy:
+        dest: '/etc/systemd/journald.conf'
+        src: 'files/journald.conf'
+
+    - name: reload systemd-journald
+      ansible.builtin.systemd_service:
+       name: 'systemd-journald'
+       state: 'restarted'
+
+    - name: Configure logind
+      ansible.builtin.copy:
+        dest: '/etc/systemd/logind.conf'
+        src: 'files/logind.conf'
+
+    - name: reload systemd-logind
+      ansible.builtin.systemd_service:
+       name: 'systemd-logind'
+       state: 'restarted'
+
+    - name: enable timestamps for shell history
+      ansible.builtin.lineinfile:
+        create: true
+        group: 'root'
+        line: "export HISTTIMEFORMAT='%d/%m/%y %T '"
+        mode: '0644'
+        owner: 'root'
+        path: '/etc/profile.d/09-history-timestamps.sh'
+        state: 'present'
+
+    - name: configure systemd's pager
+      ansible.builtin.lineinfile:
+        create: true
+        dest: '/etc/profile.d/10-systemd-pager.sh'
+        line: 'export SYSTEMD_LESS=FRXMK'
+        mode: '0644'
+        owner: 'root'
+        group: 'root'
+        state: 'present'
+
+    - name: set hosts file
+      ansible.builtin.lineinfile:
+        dest: '/etc/hosts'
+        group: 'root'
+        line: "{{ localhost_item }}"
+        mode: '0644'
+        owner: 'root'
+        state: 'present'
+      loop:
+        - '127.0.0.1   localhost'
+        - '::1         localhost'
+      loop_control:
+        loop_var: 'localhost_item'
+
+    # Set Sysctl params for restarting the OS on oom after 10
+    - name: Set {{ sysctl_item['name'] }}={{ sysctl_item['value'] }}
+      ansible.posix.sysctl:
+        name: "{{ sysctl_item['name'] }}"
+        reload: true
+        state: 'present'
+        value: "{{ sysctl_item['value'] }}"
+      loop:
+        - { name: 'kernel.panic', value: 10 }
+        - { name: 'net.ipv4.tcp_keepalive_intvl', value: 60 }
+        - { name: 'net.ipv4.tcp_keepalive_time', value 1800 }
+        - { name: 'vm.panic_on_oom', value: 1 }
+      loop_control:
+        loop_var: 'sysctl_item'
 
 - name: configure system
   ansible.posix.sysctl:
-    name: 'net.core.somaxconn'
-    value: 16834
+    name: "{{ sysctl_item['name'] }}"
+    reload: true
+    state: 'present'
+    value: "{{ sysctl_item['value'] }}"
+  loop:
+    - { name: 'net.ipv4.ip_local_port_range', value: '1025 65000' }
+    - { name: 'net.core.somaxconn', value: 16834 }
+  loop_control:
+    loop_var: 'sysctl_item'
 
-- name: configure system
-  ansible.posix.sysctl:
-    name: 'net.ipv4.ip_local_port_range'
-    value: '1025 65000'
-
-#Set Sysctl params specific to keepalives
-- name: Set net.ipv4.tcp_keepalive_time=1800
-  ansible.builtin.sysctl:
-    name: net.ipv4.tcp_keepalive_time
-    value: 1800
-    state: present
-  when: debpkg_mode or nixpkg_mode
-- name: Set net.ipv4.tcp_keepalive_intvl=60
-  ansible.builtin.sysctl:
-    name: net.ipv4.tcp_keepalive_intvl
-    value: 60
-    state: present
-  when: debpkg_mode or nixpkg_mode
