diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..dde6f4a
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,9 @@
+---
+# See https://docs.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates
+version: 2
+updates:
+
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
diff --git a/.github/workflows/ansible-linting-check.yml b/.github/workflows/ansible-linting-check.yml
index 4d7dc8e..1a76d38 100644
--- a/.github/workflows/ansible-linting-check.yml
+++ b/.github/workflows/ansible-linting-check.yml
@@ -2,21 +2,21 @@
 name: Ansible Lint check
 # yamllint disable-line rule:truthy
-on:
- push:
- branches: '*'
- pull_request:
- branches: '*'
+on: [push, pull_request]
 jobs:
 build:
+ name: Ansible Lint
 runs-on: ubuntu-latest
 steps:
- - name: 'checkout git repo'
- uses: actions/checkout@v3
-
- - name: 'Lint Ansible Playbook'
- uses: ansible/ansible-lint-action@v6
+ - name: Checkout git repo
+ uses: actions/checkout@v4
 with:
- targets: "."
+ submodules: true
+ fetch-depth: 0
+
+ - name: Run ansible-lint
+ uses: ansible-actions/ansible-lint-action@v1.0.2
+ with:
+ target: "./"
diff --git a/.github/workflows/galaxy.yml b/.github/workflows/galaxy.yml
new file mode 100644
index 0000000..b44f94e
--- /dev/null
+++ b/.github/workflows/galaxy.yml
@@ -0,0 +1,24 @@
+---
+name: Galaxy-NG Roles Import
+
+# yamllint disable-line rule:truthy
+on:
+ release:
+ types: ['created']
+
+jobs:
+ build:
+ name: Galaxy Role Importer
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: 'Checkout git repo'
+ uses: actions/checkout@v4
+ with:
+ submodules: true
+ fetch-depth: 0
+
+ - name: 'Release on galaxy'
+ uses: ansible-actions/ansible-galaxy-action@v1.1.1
+ with:
+ galaxy_api_key: ${{ secrets.galaxy_api_key }}
diff --git a/.github/workflows/j2lint-check.yml b/.github/workflows/j2lint-check.yml
new file mode 100644
index 0000000..00c7861
--- /dev/null
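Review bot: In `.github/workflows/ansible-linting-check.yml` the new `uses: ansible-actions/ansible-lint-action@v1.0.2` step references a third-party action by tag, and a tag can be moved to different code after this review. Pinning to the full commit SHA with the version kept as a comment, e.g. `uses: ansible-actions/ansible-lint-action@<full-commit-sha>  # v1.0.2`, makes the reviewed code the code that runs. The Dependabot `github-actions` entry added in this commit can still propose bumps for SHA pins. The same applies to `ansible-galaxy-action@v1.1.1` in galaxy.yml (which also receives a secret), `j2lint-action@v0.0.1` in j2lint-check.yml and `yamllint-action@v0.0.1` in yamllint-check.yml.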
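Review bot: The `build` job in `.github/workflows/galaxy.yml` passes `secrets.galaxy_api_key` to a publishing step but declares no `permissions:`, so its `GITHUB_TOKEN` carries whatever the repository default grants. The job only reads the repository, so a workflow-level `permissions:` block with `contents: read` should be enough. The checkout step could also set `persist-credentials: false`, since nothing after it appears to need git credentials. It is also worth confirming that `types: ['created']` is the intended trigger; `published` is the event usually chosen when draft releases should not start an import.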
+++ b/.github/workflows/j2lint-check.yml
@@ -0,0 +1,22 @@
+---
+name: Jinja2 Linting check
+
+# yamllint disable-line rule:truthy
+on: [push, pull_request]
+
+jobs:
+ build:
+ name: Jinja2 Linting
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout git repo
+ uses: actions/checkout@v4
+ with:
+ submodules: true
+ fetch-depth: 0
+
+ - name: Run j2lint
+ uses: ansible-actions/j2lint-action@v0.0.1
+ with:
+ target: "./"
diff --git a/.github/workflows/yamllint-check.yml b/.github/workflows/yamllint-check.yml
new file mode 100644
index 0000000..5e62f57
--- /dev/null
+++ b/.github/workflows/yamllint-check.yml
@@ -0,0 +1,22 @@
+---
+name: Yamllint check
+
+# yamllint disable-line rule:truthy
+on: [push, pull_request]
+
+jobs:
+ build:
+ name: Yamllint
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout git repo
+ uses: actions/checkout@v4
+ with:
+ submodules: true
+ fetch-depth: 0
+
+ - name: Run yamllint
+ uses: ansible-actions/yamllint-action@v0.0.1
+ with:
+ target: "./"
diff --git a/.github/workflows/yamllint.yaml b/.github/workflows/yamllint.yaml
deleted file mode 100644
index d744e9c..0000000
--- a/.github/workflows/yamllint.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-name: 'Yamllint GitHub Actions'
-
-# yamllint disable-line rule:truthy
-on:
- push:
- branches: '*'
- pull_request:
- branches: '*'
-
-jobs:
- yamllint:
- name: 'Yamllint'
- runs-on: ubuntu-latest
- steps:
- - name: 'checkout git repo'
- uses: actions/checkout@v3
-
- - name: 'Yamllint'
- uses: karancode/yamllint-github-action@v2.0.0
- with:
- yamllint_file_or_dir: '.'
- yamllint_config_filepath: './.yamllint'
diff --git a/handlers/main.yml b/handlers/main.yml
index cf03980..273950c 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,10 +1,10 @@
 ---
-- name: sudo apt update
+- name: Run sudo apt update
 become: true
 ansible.builtin.apt:
 update_cache: true
-- name: systemctl restart rspamd
+- name: Run systemctl restart rspamd
 become: true
 ansible.builtin.systemd:
 name: 'rspamd'
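Review bot: Renaming the handlers in `handlers/main.yml` to `Run sudo apt update` and `Run systemctl restart rspamd` breaks any `notify:` that still uses the old names, and `tasks/dkim.yml` (included from `tasks/main.yml`) is not touched by this diff. If it or any other file still has `notify: systemctl restart rspamd`, a changed task will fail because the handler cannot be found, and rspamd keeps running with the old configuration. Either update those references in the same commit or add `listen: 'systemctl restart rspamd'` to the renamed handler so both names resolve.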
diff --git a/tasks/configure.yml b/tasks/configure.yml
index e487039..2f47c3f 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -1,7 +1,7 @@
 ---
-- name: rspamd password generation
+- name: Rspamd password generation
 block:
- - name: configure rspamd password
+ - name: Configure rspamd password
 become: true
 ansible.builtin.template:
 src: templates/worker-controller.inc.j2
@@ -9,9 +9,9 @@
 mode: '0640'
 owner: "{{ rspamd__default_owner }}"
 group: "{{ rspamd__default_group }}"
- notify: systemctl restart rspamd
+ notify: Run systemctl restart rspamd
 rescue:
- - name: you have to install passlib
+ - name: You have to install passlib
 ansible.builtin.fail:
 msg: 'I caught an error. Maybe you have to install passlib via pip3'
@@ -23,9 +23,9 @@
 owner: "{{ rspamd__default_owner }}"
 group: "{{ rspamd__default_group }}"
 mode: '0640'
- notify: systemctl restart rspamd
+ notify: Run systemctl restart rspamd
-- name: milter_headers.conf
+- name: Configure milter_headers.conf
 become: true
 ansible.builtin.copy:
 src: files/milter_headers.conf
@@ -33,9 +33,9 @@
 owner: "{{ rspamd__default_owner }}"
 group: "{{ rspamd__default_group }}"
 mode: '0640'
- notify: systemctl restart rspamd
+ notify: Run systemctl restart rspamd
-- name: milter_headers.conf
+- name: Configure classifier-bayes.conf
 become: true
 ansible.builtin.copy:
 src: files/classifier-bayes.conf
@@ -43,7 +43,7 @@
 owner: "{{ rspamd__default_owner }}"
 group: "{{ rspamd__default_group }}"
 mode: '0640'
- notify: systemctl restart rspamd
+ notify: Run systemctl restart rspamd
 - name: Einstellug der redis.conf
 become: true
@@ -53,9 +53,9 @@
 owner: "{{ rspamd__default_owner }}"
 group: "{{ rspamd__default_group }}"
 mode: '0640'
- notify: systemctl restart rspamd
+ notify: Run systemctl restart rspamd
-- name: classifier-bayes.conf
+- name: Modify classifier-bayes.conf
 become: true
 ansible.builtin.copy:
 src: files/classifier-bayes.conf
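Review bot: The `Configure rspamd password` task in `tasks/configure.yml` (hunk `@@ -1,7`) templates `templates/worker-controller.inc.j2`, which presumably renders the controller password hash, judging by the task name and the passlib hint in the rescue. Nothing keeps that content out of run output, and a `--diff` run prints the rendered file. Adding `diff: false` to the task would keep the hash out of terminals and CI logs. In the next hunk the rescue blames passlib for every failure; appending `{{ ansible_failed_result.msg }}` to `msg` would show the real cause. The task runs past the end of the hunk, so `dest` is not visible here.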
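Review bot: After the rename, two tasks in `tasks/configure.yml` copy `files/classifier-bayes.conf`: `Configure classifier-bayes.conf` (hunk `@@ -33,9`) and `Modify classifier-bayes.conf` (hunk `@@ -53,9`). Their `dest` lines fall outside both hunks. If they point at the same path, the second task is redundant and can be dropped; if they differ, naming the destination in each task name would make the distinction visible in run output.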
@@ -63,7 +63,7 @@
 owner: "{{ rspamd__default_owner }}"
 group: "{{ rspamd__default_group }}"
 mode: '0640'
- notify: systemctl restart rspamd
+ notify: Run systemctl restart rspamd
 - name: Einstellug der eignene black/whitelist
 become: true
@@ -73,9 +73,9 @@
 owner: "{{ rspamd__default_owner }}"
 group: "{{ rspamd__default_group }}"
 mode: '0640'
- notify: systemctl restart rspamd
+ notify: Run systemctl restart rspamd
-- name: multimap whitelist_ip.map
+- name: Multimap whitelist_ip.map
 become: true
 ansible.builtin.copy:
 src: "{{ rspamd__whitelist_ip_file }}"
@@ -83,9 +83,9 @@
 owner: "{{ rspamd__default_owner }}"
 group: "{{ rspamd__default_group }}"
 mode: '0640'
- notify: systemctl restart rspamd
+ notify: Run systemctl restart rspamd
-- name: multimap whitelist_from.map
+- name: Multimap whitelist_from.map
 become: true
 ansible.builtin.copy:
 src: "{{ rspamd__whitelist_from_file }}"
@@ -93,9 +93,9 @@
 owner: "{{ rspamd__default_owner }}"
 group: "{{ rspamd__default_group }}"
 mode: '0640'
- notify: systemctl restart rspamd
+ notify: Run systemctl restart rspamd
-- name: multimap blacklist_ip.map
+- name: Multimap blacklist_ip.map
 become: true
 ansible.builtin.copy:
 src: "{{ rspamd__blacklist_ip_file }}"
@@ -103,9 +103,9 @@
 owner: "{{ rspamd__default_owner }}"
 group: "{{ rspamd__default_group }}"
 mode: '0640'
- notify: systemctl restart rspamd
+ notify: Run systemctl restart rspamd
-- name: multimap blacklist_from.map
+- name: Multimap blacklist_from.map
 become: true
 ansible.builtin.copy:
 src: "{{ rspamd__blacklist_from_file }}"
@@ -113,4 +113,4 @@
 owner: "{{ rspamd__default_owner }}"
 group: "{{ rspamd__default_group }}"
 mode: '0640'
- notify: systemctl restart rspamd
+ notify: Run systemctl restart rspamd
diff --git a/tasks/main.yml b/tasks/main.yml
index 1ec3f74..7182711 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,18 +1,24 @@
 ---
-- include_tasks: versioncheck.yml
- when: submodules_versioncheck|bool
+- name: Run Optional Versioncheck
+ ansible.builtin.include_tasks:
+ file: 'versioncheck.yml'
+ when: submodules_versioncheck | bool
-- name: add apt repos and install rspamd
- include_tasks: packages.yml
+- name: Add apt repos and install rspamd
+ ansible.builtin.include_tasks:
+ file: 'packages.yml'
 when: ansible_os_family == 'Debian'
-- name: configure rspamd
- include_tasks: configure.yml
+- name: Configure rspamd
+ ansible.builtin.include_tasks:
+ file: 'configure.yml'
-- name: rspamd dkim signing
- include_tasks: dkim.yml
+- name: Rspamd dkim signing
+ ansible.builtin.include_tasks:
+ file: 'dkim.yml'
 when: rspamd__configure_dkim | bool
-- name: redis backend
- include_tasks: redis.yml
+- name: Redis backend
+ ansible.builtin.include_tasks:
+ file: 'redis.yml'
 when: rspamd__configure_redis | bool
diff --git a/tasks/packages.yml b/tasks/packages.yml
index bc639b5..eef626c 100644
--- a/tasks/packages.yml
+++ b/tasks/packages.yml
@@ -1,50 +1,51 @@
 ---
-- name: update repo-cache for debian/ubuntu
+- name: Update repo-cache for debian/ubuntu
 become: true
 ansible.builtin.apt:
 update_cache: true
 cache_valid_time: 3600
-- name: install requirements to add new package repos
+- name: Install requirements to add new package repos
 become: true
 ansible.builtin.apt:
- name:
- - lsb-release
- - wget
- - debian-goodies
- - apt-dater-host
- - apt-transport-https
- state: present
+ name: "{{ item }}"
+ state: 'present'
+ loop:
+ - 'lsb-release'
+ - 'wget'
+ - 'debian-goodies'
+ - 'apt-dater-host'
+ - 'apt-transport-https'
-- name: add rspam repo key
+- name: Add rspam repo key
 become: true
 ansible.builtin.apt_key:
 url: 'https://rspamd.com/apt-stable/gpg.key'
- state: present
- notify: sudo apt update
+ state: 'present'
+ notify: Run sudo apt update
-- name: add rspamd repo
+- name: Add rspamd repo
 become: true
 ansible.builtin.apt_repository:
 repo: "deb https://rspamd.com/apt-stable/ {{ ansible_distribution_release }} main"
- state: present
- mode: 0644
- notify: sudo apt update
+ state: 'present'
+ mode: '0644'
+ notify: Run sudo apt update
-- name: add rspamd srv-repo
+- name: Add rspamd srv-repo
 become: true
 ansible.builtin.apt_repository:
 repo: "deb-src https://rspamd.com/apt-stable/ {{ ansible_distribution_release }} main"
- state: present
- mode: 0644
- notify: sudo apt update
+ state: 'present'
+ mode: '0644'
+ notify: Run sudo apt update
-- name: run update if something changed
+- name: Run update if something changed
 ansible.builtin.meta: flush_handlers
-- name: install rspamd
+- name: Install rspamd
 become: true
 ansible.builtin.apt:
- name: rspamd
- state: present
- notify: systemctl restart rspamd
+ name: 'rspamd'
+ state: 'present'
+ notify: Run systemctl restart rspamd
diff --git a/tasks/redis.yml b/tasks/redis.yml
index 55d0d0d..94a5ebb 100644
--- a/tasks/redis.yml
+++ b/tasks/redis.yml
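Review bot: The `Add rspam repo key` task in `tasks/packages.yml` still uses `ansible.builtin.apt_key` with only a `url:`, so whatever key the server returns lands in apt's global trusted keyring and is trusted for every configured repository, not just rspamd's. `apt-key` is deprecated on current Debian/Ubuntu; the usual replacement stores the key in its own file with a pinned checksum and references it through `signed-by=` in both `apt_repository` lines, as sketched below (path and checksum are placeholders, and `/etc/apt/keyrings` may need creating on older releases). Separately, switching the requirements task from a package list to `loop:` runs apt once per package; `ansible.builtin.apt` accepts the list directly in `name:`, which was the faster form.

```yaml
- name: Add rspamd repo key
  become: true
  ansible.builtin.get_url:
    url: 'https://rspamd.com/apt-stable/gpg.key'
    dest: '/etc/apt/keyrings/rspamd.asc'  # example path
    mode: '0644'
    checksum: 'sha256:<sha256-of-verified-key-file>'  # placeholder
  notify: Run sudo apt update

- name: Add rspamd repo
  become: true
  ansible.builtin.apt_repository:
    repo: "deb [signed-by=/etc/apt/keyrings/rspamd.asc] https://rspamd.com/apt-stable/ {{ ansible_distribution_release }} main"
    # … unchanged: state, mode, notify; same signed-by option on the deb-src task …
```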
@@ -1,6 +1,6 @@
 ---
-- name: install redis backend
+- name: Install redis backend
 become: true
 ansible.builtin.apt:
- name: redis
- state: present
+ name: 'redis'
+ state: 'present'
diff --git a/tasks/versioncheck.yml b/tasks/versioncheck.yml
index 5128cc8..7dd80c5 100644
--- a/tasks/versioncheck.yml
+++ b/tasks/versioncheck.yml
@@ -7,38 +7,38 @@
 ansible.builtin.file:
 path: '/etc/.ansible-version'
 state: directory
- mode: 0755
- when: submodules_versioncheck|bool
+ mode: '0755'
+ when: submodules_versioncheck | bool
-- name: check playbook version
+- name: Check playbook version
 become: true
 ansible.builtin.slurp:
 src: "/etc/.ansible-version/{{ playbook_version_path }}"
 register: playbook_version
- when: submodules_versioncheck|bool
- ignore_errors: true
+ when: submodules_versioncheck | bool
 failed_when: false
-- name: Print remote role version
+- name: Print remote role version # noqa: H500
 ansible.builtin.debug:
 msg: "Remote role version: {{ playbook_version.content | default('Y3VycmVudGx5IG5vdCBkZXBsb3llZAo=') | b64decode | string }}"
- when: submodules_versioncheck|bool
+ when: submodules_versioncheck | bool
-- name: Print locale role version
+- name: Print locale role version # noqa: H500
 ansible.builtin.debug:
- msg: "Local role version: '{{ playbook_version_number|string }}'."
- when: submodules_versioncheck|bool
+ msg: "Local role version: '{{ playbook_version_number | string }}'."
+ when: submodules_versioncheck | bool
 - name: Check if your version is outdated
 ansible.builtin.fail:
 msg: "Your ansible module has the version '{{ playbook_version_number }}' and is outdated. You need to update it!"
 when:
- - playbook_version.content|default("Mgo=")|b64decode|int - 1 >= playbook_version_number|int and submodules_versioncheck|bool
+ - playbook_version.content|default("Mgo=")|b64decode|int - 1 >= playbook_version_number|int and submodules_versioncheck | bool
-- name: write new version to remote disk
+- name: Write new version to remote disk
 become: true
 ansible.builtin.copy:
 content: "{{ playbook_version_number }}"
 dest: "/etc/.ansible-version/{{ playbook_version_path }}"
 mode: '0644'
- when: submodules_versioncheck|bool
+ when: submodules_versioncheck | bool
+ tags: skip_ansible_lint_template-instead-of-copy
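Review bot: The added `tags: skip_ansible_lint_template-instead-of-copy` on `Write new version to remote disk` in `tasks/versioncheck.yml` is an ordinary Ansible tag, so it changes which runs select this task under `--tags` and `--skip-tags`. As far as I know ansible-lint only honours the plain `skip_ansible_lint` tag, not rule-suffixed variants, so the lint finding may not be suppressed either. A rule-scoped comment on the name line, `- name: Write new version to remote disk  # noqa: template-instead-of-copy`, targets just that rule without touching runtime behaviour, and matches the `# noqa:` comments this commit already adds to the two debug tasks.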