Merge pull request #3 from punktDe/cicd

Add molecule testing and refactor the code

.ansible-lint

@@ -0,0 +1,10 @@
+---
+skip_list:
+  - 'risky-shell-pipe'
+  - 'role-name'
+
+warn_list:
+  - package-latest
+  - unnamed-task
+  - command-instead-of-shell
+  - no-handler

.github/workflows/test.yml

@@ -0,0 +1,47 @@
+---
+name: Test
+run-name: Run molecule tests on the role
+on:
+  push:
+  workflow_dispatch:
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.x'
+
+      - name: Install dependencies.
+        run: pip install yamllint ansible-lint ansible
+
+      - name: Run ansible-lint
+        run: "ansible-lint"
+
+  molecule:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.x'
+
+      - name: Install dependencies.
+        run: |
+          python -m pip install --upgrade pip
+          pip install ansible docker molecule molecule-plugins
+          sudo apt install rsync
+
+      - name: Install Galaxy dependencies.
+        run: ansible-galaxy collection install community.docker community.mysql
+
+      - name: Run molecule
+        run: "molecule test"

.pre-commit-config.yaml

@@ -0,0 +1,6 @@
+---
+repos:
+  - repo: https://github.com/ansible/ansible-lint.git
+    rev: v6.17.2
+    hooks:
+      - id: ansible-lint

.yamllint

@@ -0,0 +1,33 @@
+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  colons:
+    max-spaces-after: -1
+    level: error
+  commas:
+    max-spaces-after: -1
+    level: error
+  comments: disable
+  comments-indentation: disable
+  document-start: disable
+  empty-lines:
+    max: 3
+    level: error
+  hyphens:
+    level: error
+  indentation: disable
+  key-duplicates: enable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  new-lines:
+    type: unix
+  trailing-spaces: disable
+  truthy: disable

handlers/main.yaml

@@ -1,14 +1,16 @@
 - name: Restart oauth2_proxy
-  shell: |
-    set -e -u -o pipefail
-    {% if ansible_system == 'Linux' %}
-      systemctl daemon-reload
-      systemctl enable oauth2-proxy@{{ item }}
-      systemctl restart oauth2-proxy@{{ item }}
-    {% else %}
-      supervisorctl update OAuth2Proxy{{ item|title }}
-      supervisorctl restart OAuth2Proxy{{ item|title }}
-    {% endif %}
+  changed_when: yes
+  ansible.builtin.shell: 
+    cmd: |
+      set -e -u -o pipefail
+      {% if ansible_system == 'Linux' %}
+        systemctl daemon-reload
+        systemctl enable oauth2-proxy@{{ item }}
+        systemctl restart oauth2-proxy@{{ item }}
+      {% else %}
+        supervisorctl update OAuth2Proxy{{ item | title }}
+        supervisorctl restart OAuth2Proxy{{ item | title }}
+      {% endif %}
   args:
     executable: >-
       {%- if ansible_system == 'Linux' -%}
@@ -32,4 +34,4 @@
         {%- set _ = services.append(item.item.key) -%}
       {%- endif -%}
     {%- endfor -%}
-    {{- services|sort|unique -}}
+    {{- services |sort | unique -}}

meta/main.yaml

@@ -1,4 +1,12 @@
 ---
+galaxy_info:
+  author: "Punkt.de"
+  license: ""
+  description: "oauth2-proxy role for Proserver"
+  role_name: "proserver_oauth2_proxy"
+  namespace: "punktde"
+  min_ansible_version: "2.15"
+
 dependencies:
   - role: supervisord
-    when: ansible_system != 'Linux'
+    when: ansible_system == 'FreeBSD'

molecule/default/converge.yml

@@ -0,0 +1,7 @@
+---
+- name: Converge
+  hosts: all
+  tasks:
+    - name: "Include ansible-proserver-oauth2-proxy"
+      ansible.builtin.include_role:
+        name: "ansible-proserver-oauth2-proxy"

molecule/default/molecule.yml

@@ -0,0 +1,27 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: geerlingguy/docker-ubuntu2204-ansible
+    command: /lib/systemd/systemd
+    pre_build_image: true
+    privileged: true
+    cgroupns_mode: host
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+provisioner:
+  name: ansible
+  playbooks:
+    converge: ${MOLECULE_PLAYBOOK:-converge.yml}
+verifier:
+  name: ansible
+scenario:
+  name: default
+  test_sequence:
+    - destroy
+    - create
+    - converge
+    - verify

molecule/default/verify.yml

@@ -0,0 +1,10 @@
+---
+# This is an example playbook to execute Ansible tests.
+
+- name: Verify
+  hosts: all
+  gather_facts: false
+  tasks:
+    - name: Example assertion
+      ansible.builtin.assert:
+        that: true

requirements.yml

@@ -0,0 +1,6 @@
+---
+roles:
+  - src: https://github.com/punktDe/ansible-proserver-supervisord
+    name: supervisord
+    version: master
+    scm: git

tasks/config.yaml

@@ -1,19 +1,23 @@
 - name: Create directories for oauth2_proxy config
-  file:
+  ansible.builtin.file:
     state: directory
     path: "{{ config_dir }}"
+    owner: root
+    mode: "0755"
   loop_control:
     label: "{{ config_dir }}"
   vars:
     config_dir: "{{ oauth2_proxy.prefix.opt }}/etc/{{ item }}"
-  with_items: "{{ oauth2_proxy.config|dict2items|selectattr('value', 'mapping')|map(attribute='key')|list }}"
+  with_items: "{{ oauth2_proxy.config | dict2items | selectattr('value', 'mapping') | map(attribute='key') | list }}"
 
 - name: Template oauth2_proxy config
-  template:
+  ansible.builtin.template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
+    owner: root
+    mode: "0644"
   loop_control:
     label: "{{ item.dest }}"
-  with_items: "{{ oauth2_proxy|oauth2_proxy_templates }}"
+  with_items: "{{ oauth2_proxy | oauth2_proxy_templates }}"
   register: oauth2_proxy_template_config_result
   notify: Restart oauth2_proxy

tasks/install.yaml

@@ -1,52 +1,51 @@
 ---
 - name: Set URL variables
-  set_fact:
-    oauth2_proxy_download_url: >- 
+  ansible.builtin.set_fact:
+    oauth2_proxy_download_url: >-
       https://github.com/oauth2-proxy/oauth2-proxy/releases/download/v{{ oauth2_proxy.version }}/oauth2-proxy-v{{ oauth2_proxy.version }}.{{ ansible_system | lower }}-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}.tar.gz
     oauth2_proxy_download_checksum: >-
       https://github.com/oauth2-proxy/oauth2-proxy/releases/download/v{{ oauth2_proxy.version }}/oauth2-proxy-v{{ oauth2_proxy.version }}.{{ ansible_system | lower }}-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}-sha256sum.txt
 
-- name: Create directories for oauth2_proxy
-  file:
+- name: Create directory for oauth2_proxy binary
+  ansible.builtin.file:
     state: directory
     path: "{{ item }}"
+    owner: root
+    mode: "0755"
   with_items:
     - "{{ oauth2_proxy.prefix.opt }}/bin"
-    - "{{ oauth2_proxy.prefix.opt }}/etc"
-  when: oauth2_proxy.install == true
 
 - name: Download oauth2_proxy binary
   register: oauth2_proxy_download
   check_mode: no
-  unarchive:
+  ansible.builtin.unarchive:
     src: "{{ oauth2_proxy_download_url }}"
     dest: "/tmp"
     remote_src: yes
     mode: a+x
     list_files: true
   notify: Restart oauth2_proxy
-  when: oauth2_proxy.install == true
 
 - name: Verify the new binary checksum
   register: oauth2_proxy_binary_new
-  failed_when: >-
-    lookup('ansible.builtin.url', oauth2_proxy_download_checksum) |
-    split(' ') | first != oauth2_proxy_binary_new.stat.checksum
-  stat:
+  ansible.builtin.stat:
     path: "/tmp/{{ oauth2_proxy_download.files[0] }}oauth2-proxy"
     checksum_algorithm: sha256
     get_checksum: yes
+  failed_when: >-
+    lookup('ansible.builtin.url', oauth2_proxy_download_checksum) |
+    split(' ') | first != oauth2_proxy_binary_new.stat.checksum
 
 - name: Verify the old binary checksum
   check_mode: no
   register: oauth2_proxy_binary_old
-  stat:
+  ansible.builtin.stat:
     path: "{{ oauth2_proxy.prefix.opt }}/bin/oauth2_proxy"
     checksum_algorithm: sha256
     get_checksum: yes
 
 - name: Copy the new binary in place
-  when: "oauth2_proxy_binary_old.stat.checksum not in oauth2_proxy_binary_new.stat.checksum"
+  when: "not oauth2_proxy_binary_old.stat.exists or oauth2_proxy_binary_old.stat.checksum not in oauth2_proxy_binary_new.stat.checksum"
   register: oauth2_proxy_install_binary_result
   ansible.builtin.copy:
     remote_src: yes

tasks/main.yaml

@@ -1,5 +1,15 @@
 ---
-- import_tasks: install.yaml
-- import_tasks: config.yaml
-- import_tasks: supervisord.yaml
-- import_tasks: systemd.yaml
+- name: Install the oauth2-proxy binary
+  ansible.builtin.import_tasks: install.yaml
+  when: oauth2_proxy.install | default(True)
+
+- name: Configure oauth2-proxy
+  ansible.builtin.import_tasks: config.yaml
+
+- name: Manage the oauth2_proxy service (supervisord)
+  ansible.builtin.import_tasks: supervisord.yaml
+  when: ansible_system != 'FreeBSD'
+
+- name: Manage the oauth2_proxy service (systemd)
+  ansible.builtin.import_tasks: systemd.yaml
+  when: ansible_system == 'Linux'

tasks/supervisord.yaml

@@ -1,12 +1,14 @@
 - name: Template supervisord config for oauth2_proxy
-  template:
+  ansible.builtin.template:
     src: "supervisord.d/oauth2_proxy.conf.j2"
     dest: "{{ config_path }}"
+    owner: root
+    mode: "0644"
   loop_control:
     label: "{{ config_path }}"
-  when: ansible_system != 'Linux' and item.value
+  when: item.value
   vars:
     config_name: "{{ item.key }}"
-    config_path: "{{ supervisord.prefix.config }}/OAuth2Proxy{{ config_name|title }}.conf"
+    config_path: "{{ supervisord.prefix.config }}/OAuth2Proxy{{ config_name | title }}.conf"
   with_dict: "{{ oauth2_proxy.config }}"
   register: oauth2_proxy_template_supervisord_config_result

tasks/systemd.yaml

@@ -1,12 +1,8 @@
 - name: Template systemd service for oauth2_proxy
-  when: ansible_system == 'Linux'
-  loop:
-    - src: systemd/oauth2-proxy@.service
-      dest: /etc/systemd/system/oauth2-proxy@.service
-  loop_control:
-    label: "{{ item.dest }}"
-  template:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
+  ansible.builtin.template:
+    src: systemd/oauth2-proxy@.service
+    dest: /etc/systemd/system/oauth2-proxy@.service
+    owner: root
+    mode: "0644"
   register: oauth2_proxy_template_systemd_service_result
   notify: Restart oauth2_proxy