.gitlab-ci.yml

@@ -7,7 +7,19 @@
 # See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
 stages:
 - test
+- lint
 sast:
   stage: test
 include:
 - template: Security/SAST.gitlab-ci.yml
+
+
+ansible-lint:
+  stage: lint
+  allow_failure: true
+  image:
+    name: nixos/nix
+    entrypoint: [""]
+  script:
+    - cd tools/nix
+    - nix --extra-experimental-features nix-command --extra-experimental-features flakes develop --command bash -c "cd ../../40_ansible/; ansible-lint"

40_ansible/roles/api_admin/tasks/main.yml

 ---
-- name: Create api first admin 
+- name: Create api first admin
   run_once: true
   ansible.builtin.uri:
-    url: https://api.{{ host_domain.name }}/users/ 
+    url: https://api.{{ host_domain.name }}/users/
     method: POST
     body:
       name: "{{ api_password[env_name].user }}"
@@ -13,10 +13,10 @@
     body_format: json
     user: panpan_est_le_plus_beau
     password: coincoin_est_un_serieux_concurrent
-  register: api_admin_result  
+  register: api_admin_result
   failed_when: api_admin_result.status not in [201, 403]
   changed_when: api_admin_result.status == 201
-  until: api_admin_result.status in [201, 403] 
+  until: api_admin_result.status in [201, 403]
   retries: 4
   delay: 3
-  tags: [api,apiadmin]
+  tags: [api, apiadmin]

40_ansible/roles/api_server/tasks/podman.yml

@@ -79,7 +79,7 @@
 
 - name: Show others for api
   ansible.builtin.debug:
-    msg: "{{ [ api_password ] | map('compute_api_others', platforms, env_name) | first | to_json }}"
+    msg: "{{ [api_password] | map('compute_api_others', platforms, env_name) | first | to_json }}"
   tags: [never, api]
 
 - name: Install api container
@@ -111,7 +111,7 @@
         DIMAIL_REMOTE_CONFIG: "{{ ['something'] | map('compute_api_hosts', hostvars) | first }}"
         DIMAIL_TECH_DOMAIN: "{{ tech_domain.name }}"
         DIMAIL_MYSELF: "{{ env_name }}"
-        DIMAIL_OTHERS: "{{ [ api_password ] | map('compute_api_others', platforms, env_name) | first | to_json }}"
+        DIMAIL_OTHERS: "{{ [api_password] | map('compute_api_others', platforms, env_name) | first | to_json }}"
         DIMAIL_LOG: "normal"
       publish:
         - "8000:8000"

40_ansible/roles/api_server/tasks/scripts.yml

@@ -7,4 +7,3 @@
     group: root
     mode: u=rx,g=rx,o=rx
   tags: [api]
-

40_ansible/roles/api_slave/tasks/main.yml

@@ -67,7 +67,7 @@
     name: hash the postfix certs map
     weekday: 1
     hour: 8
-    minute: 10 
+    minute: 10
     job: /usr/sbin/postmap -o -F /opt/certs/config/postfix/certs-api; /usr/sbin/service postfix reload
     cron_file: postmap-api-certs
     user: root

40_ansible/roles/check_env/tasks/main.yml

@@ -16,5 +16,3 @@
       - "'webfront' in groups and groups['webfront'] | length > 0"
   when: "'api_server' in groups and groups['api_server'] | length > 0"
   tags: [check, check_env]
-
-

40_ansible/roles/check_vars/tasks/check_var.yml

 ---
 - name: Effectue le checkup complet pour la variable `{{ var.name }}`
-  tags: [ check, check_vars ]
+  tags: [check, check_vars]
   when: var.when | default(true)
   block:
     - name: Récupère le chemin de définition de schema de la variable `{{ var.name }}`

40_ansible/roles/check_vars/tasks/main.yml

@@ -16,7 +16,7 @@
   loop_control:
     loop_var: var
     label: "Variable {{ var.name }}"
-  tags: [ check, check_vars, always ]
+  tags: [check, check_vars, always]
 
 - name: Vérifie les variables OIDC/Keycloak si nécessaire
   ansible.builtin.include_tasks: ./check_var.yml
@@ -26,7 +26,7 @@
   loop_control:
     loop_var: var
     label: "Variable {{ var.name }}"
-  tags: [ check, check_vars, always ]
+  tags: [check, check_vars, always]
   when: "'keycloak' in groups and groups['keycloak'] | length > 0"
 
 - name: Vérifie les variables rclone pour les sauvegardes S3
@@ -41,9 +41,10 @@
   loop_control:
     loop_var: var
     label: "Variable {{ var.name }}"
-  tags: [ check, check_vars, always ]
+  tags: [check, check_vars, always]
 
 - name: Vérifie les credentials de l'API
+  tags: [check, check_vars, always]
   block:
     - name: "Vérifie la présence des credentials API pour l'environnement '{{ env_name }}'"
       ansible.builtin.assert:
@@ -52,4 +53,3 @@
           - "api_password[env_name].user is defined"
           - "api_password[env_name].password is defined"
         fail_msg: "Les credentials de l'API pour '{{ env_name }}' ne sont pas où sont incorrectement définis dans api_password !"
-  tags: [ check, check_vars, always ]

40_ansible/roles/cyberwatch/tasks/create_user.yml

@@ -12,7 +12,7 @@
   register: cyberwatch_user
   tags: [cyberwatch, run_cyberwatch]
 
-- name: Show the user
+- name: Show the user # noqa: no-handler
   ansible.builtin.debug:
     msg: "{{ cyberwatch_user }}"
   tags: [cyberwatch, run_cyberwatch, never]

40_ansible/roles/cyberwatch/tasks/install_scripts.yml

@@ -39,4 +39,4 @@
     - { name: "Exécution des scripts Cyberwatch",
         job: "cd /home/cyberwatch/scripts/ && bash /home/cyberwatch/scripts/run_cyberwatch.sh;" }
     - { name: "Nettoyage des vieilles archives des scripts Cyberwatch",
-        job: 'find . -type f -name "{{ archive_name_prefix }}*" -mtime +120 -exec rm {} +' }
\ No newline at end of file
+        job: 'find . -type f -name "{{ archive_name_prefix }}*" -mtime +120 -exec rm {} +' }

40_ansible/roles/cyberwatch/tasks/launch_and_fetch_results.yml

@@ -3,6 +3,7 @@
   ansible.builtin.command:
     cmd: "/home/cyberwatch/scripts/run_cyberwatch.sh"
     chdir: "/home/cyberwatch/scripts/"
+  changed_when: true
   tags: [never, run_cyberwatch]
 
 - name: Cherche les archives à récupérer

40_ansible/roles/handlers/handlers/main.yml

@@ -177,5 +177,3 @@
     name: postsrsd
     state: restarted
     enabled: true
-
-

40_ansible/roles/imap_server/tasks/packages.yml

@@ -23,5 +23,3 @@
   notify:
     - Restart dovecot
   tags: [imap]
-
-

40_ansible/roles/imap_server/tasks/setup_db.yml

@@ -82,57 +82,6 @@
         update_query: "ALTER TABLE users ADD COLUMN proxy CHAR(1) NOT NULL DEFAULT 'N'"
   tags: [imap, imapdb]
 
-# - name: Compute the proxy domains informations # noqa fqcn[action-core]
-#   set_fact:
-#     proxies:
-#       domain: "{{ mail_domains | selectattr('proxy', 'defined') | map(attribute='name') | map('regex_replace', '(.*)', \"'\\1\") }}"
-#       host: "{{ mail_domains | selectattr('proxy', 'defined') | map(attribute='proxy') | map(attribute='host') | map('regex_replace', '(.*)', \"'\\1\") }}"
-#       master: "{{ mail_domains | selectattr('proxy', 'defined') | map(attribute='proxy') | map(attribute='master') | map('regex_replace', '(.*)', \"'\\1\") }}"
-#       pass: "{{ mail_domains | selectattr('proxy', 'defined') | map(attribute='proxy') | map(attribute='pass') | map('regex_replace', '(.*)', \"'\\1\") }}"
-#       count: "{{ mail_domains | selectattr('proxy', 'defined') | map(attribute='name') | length }}"
-#   tags: [imap, imapdb]
-# 
-# - name: Compute the proxy domains query for cleaning # noqa fqcn[action-core]
-#   set_fact:
-#     proxy_sql_clean:
-#       - name: delete domain proxies we don't need anymore
-#         need_query: "select count(*) > 0 as update_needed from domain_proxy where domain not in ({{ proxies.domain | join(',') }})"
-#         update_query: "delete from domain_proxy where domain not in ({{ proxies.domain | join(',') }})"
-#   when: proxies.count|int > 0
-#   tags: [imap, imapdb]
-# 
-# - name: Compute the proxy domains query for cleaning # noqa fqcn[action-core]
-#   set_fact:
-#     proxy_sql_clean:
-#       - name: delete all domain proxies as we don't need anyone
-#         need_query: "select count(*) > 0 as update_needed from domain_proxy"
-#         update_query: "delete from domain_proxy"
-#   when: proxies.count|int == 0
-#   tags: [imap, imapdb]
-# 
-# - name: Empty the proxy_domain_queries # noqa fqcn[action-core]
-#   set_fact:
-#     proxy_sql_insert_or_update: []
-#   tags: [imap, imapdb]
-# 
-# - name: Build the proxy domains queries # noqa fqcn[action-core]
-#   set_fact:
-#     proxy_sql_insert_or_update: "{{ proxy_sql_insert_or_update + [{
-#       'name': 'ensure domain ' + proxies.domain[idx] + ' proxy configuration',
-#       'need_query': 'SELECT count(*)=0 as update_needed FROM domain_proxy WHERE domain=' +
-#          proxies.domain[idx] + ' AND host=' + proxies.host[idx] + ' AND master=' +
-#          proxies.master[idx] + ' AND pass=' + proxies.pass[idx],
-#       'update_query': 'INSERT INTO domain_proxy (domain, host, master, pass) VALUES (' +
-#          proxies.domain[idx] + ',' + proxies.host[idx] + ',' + proxies.master[idx] + ',' +
-#          proxies.pass[idx] + ') ON DUPLICATE KEY UPDATE host=' + proxies.host[idx] + ', master=' +
-#          proxies.master[idx] + ', pass=' + proxies.pass[idx]
-#     }] }}"
-#   loop: "{{ proxies.domain }}"
-#   loop_control:
-#     loop_var: better_than_empty
-#     index_var: idx
-#   tags: [imap, imapdb]
-# 
 - name: Create table 'domain_proxy' in 'dovecot' database
   ansible.builtin.include_role:
     name: setup_db_table

40_ansible/roles/keycloak_server/tasks/install.yml

@@ -9,6 +9,7 @@
 - name: Ensure /home/keycloak/keycloak.keystore is available
   ansible.builtin.stat:
     path: /home/keycloak/keycloak.keystore
+  become: true
   become_user: keycloak
   register: keystore_file
   tags: [keycloak]

40_ansible/roles/mail_filter/tasks/amavis.yml

@@ -8,4 +8,3 @@
     group: root
   notify: Restart amavis
   tags: [spam]
-

40_ansible/roles/mail_filter/tasks/clamav.yml

@@ -5,5 +5,3 @@
     groups: amavis
     append: true
   tags: [spam]
-
-

40_ansible/roles/mail_filter/tasks/main.yml

@@ -7,17 +7,3 @@
     - clamav.yml
     - amavis.yml
   tags: [spam]
-
-#- name: Copy the nagios service config file
-#  run_once: true
-#  ansible.builtin.template:
-#    src: nagios_smtp.cfg.j2
-#    dest: /etc/nagios4/conf.d/services/smtp.cfg
-#    mode: u=rw,g=r,o=r
-#    owner: nagios
-#    group: nagios
-#  delegate_to: "{{ groups['monitor'].0 }}"
-#  tags: [monitor, monitorsmtp, smtp]
-#  notify:
-#    - Reload nagios
-#

40_ansible/roles/mail_filter/tasks/packages.yml

@@ -7,4 +7,3 @@
       - clamav-daemon
     state: latest
   tags: [spam]
-

40_ansible/roles/mail_filter/tasks/spamassassin.yml

@@ -20,4 +20,3 @@
   notify:
     - Restart spamd
   tags: [spam]
-