feat(ci): introduce github actions for ansible

.ansible-lint

@@ -0,0 +1,9 @@
+---
+# .ansible-lint
+
+exclude_paths:
+  - .github/
+  - snowflake/
+
+use_default_rules: true
+offline: false

.github/workflows/ansible.yml

@@ -0,0 +1,16 @@
+name: Ansible
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+jobs:
+  lint:
+    name: Ansible Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run ansible-lint
+        uses: ansible/ansible-lint@main

.gitignore

@@ -1,3 +1,5 @@
+.vscode
+venv
 roles/firewall/files/dnsd
 cmd/dnsd/dnsd
 roles/firewall/files/nfguard

inventory.yaml

@@ -6,4 +6,4 @@ all:
         forwarding: 1
       hosts:
         fd5d:2ddd:f4a5::1:
-          hostname: puremini
+          hostname: puremini

requirements.yml

@@ -0,0 +1,4 @@
+---
+
+collections:
+  - ansible.posix

roles/base/handlers/main.yml

@@ -1,21 +1,25 @@
 ---
 
 - name: Update grub
-  shell: update-grub
+  ansible.builtin.command:
+    cmd: /usr/sbin/update-grub
   listen: update grub
+  changed_when: false
 
 - name: Reload .network and .netdev files
-  shell: networkctl reload
+  ansible.builtin.command:
+    cmd: /usr/bin/networkctl reload
   listen: networkctl reload
-
-- name: Daemon reload
-  shell: systemctl daemon-reload
-  listen: daemon-reload
+  changed_when: false
 
 - name: Restart resolved
-  shell: systemctl restart systemd-resolved
+  ansible.builtin.systemd:
+    name: systemd-resolved.service
+    state: restarted
   listen: restart resolved
 
 - name: Restart timesyncd
-  shell: systemctl restart systemd-timesyncd
-  listen: restart ntp
+  ansible.builtin.systemd:
+    name: systemd-timesyncd.service
+    state: restarted
+  listen: restart ntp

roles/base/tasks/dns.yml

@@ -1,32 +1,32 @@
 ---
 
 - name: Install systemd-resolved
-  apt:
+  ansible.builtin.apt:
     name: systemd-resolved
     state: present
   tags: dns
 
 - name: Setup systemd-resolved
-  template:
+  ansible.builtin.template:
     src: resolved.conf.j2
     dest: "{{ systemd_prefix }}/resolved.conf"
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   notify: restart resolved
   tags: dns
 
 - name: Enable systemd-resolved
-  systemd:
+  ansible.builtin.systemd:
     name: systemd-resolved.service
     state: started
-    enabled: yes
-    masked: no
+    enabled: true
+    masked: false
   tags: dns
 
 - name: Setup resolv.conf
-  file:
+  ansible.builtin.file:
     src: /var/run/systemd/resolve/stub-resolv.conf
     dest: /etc/resolv.conf
     state: link
-  tags: dns
+  tags: dns

roles/base/tasks/fhs.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Prepare for the symlink phase
-  file:
+  ansible.builtin.file:
     state: absent
     path: "{{ item }}"
   loop:
@@ -12,8 +12,8 @@
   tags: fhs
 
 - name: Symlink to /dev/null
-  file:
-    force: yes
+  ansible.builtin.file:
+    force: true
     src: /dev/null
     dest: "{{ item }}"
     state: link
@@ -32,10 +32,10 @@
   tags: fhs
 
 - name: Cleanup /etc
-  file:
+  ansible.builtin.file:
     state: absent
     path: "{{ item }}"
   loop:
     - /etc/opt
     - /etc/ufw
-  tags: fhs
+  tags: fhs

roles/base/tasks/init.yml

@@ -1,21 +1,21 @@
 ---
 
 - name: Set the hostname
-  hostname:
+  ansible.builtin.hostname:
     name: "{{ hostname }}"
   tags: init
 
 - name: Set apt sources
-  template:
+  ansible.builtin.template:
     src: sources.list.j2
     dest: /etc/apt/sources.list
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   tags: init
 
 - name: Delete old apt sources
-  file:
+  ansible.builtin.file:
     state: absent
     path: "{{ item }}"
   loop:
@@ -24,27 +24,27 @@
   tags: init
 
 - name: Configure apt
-  template:
+  ansible.builtin.template:
     src: 99custom.j2
     dest: /etc/apt/apt.conf.d/99custom
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   tags: init
 
 - name: Update the apt cache
-  apt:
-    update_cache: yes
+  ansible.builtin.apt:
+    update_cache: true
   tags: init
 
 - name: Install essential packages
-  apt:
+  ansible.builtin.apt:
     name: "{{ item }}"
     state: present
   loop:
     - aptitude
     - btrfs-progs
-    - gdisk 
+    - gdisk
     - hardening-runtime
     - htop
     - iproute2
@@ -62,15 +62,15 @@
   tags: init
 
 - name: Customize the hardening runtime
-  lineinfile:
+  ansible.builtin.lineinfile:
     path: /etc/default/grub.d/01_hardening.cfg
     line: GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT intel_iommu=on"
     state: present
   notify: update grub
   tags: init
 
 - name: Remove default packages
-  apt:
+  ansible.builtin.apt:
     name: "{{ item }}"
     state: absent
   loop:
@@ -87,11 +87,11 @@
   tags: init
 
 - name: Disable futile services
-  systemd:
+  ansible.builtin.systemd:
     name: "{{ item }}"
     state: stopped
-    enabled: no
-    masked: yes
+    enabled: false
+    masked: true
   loop:
     - emergency.service
     - rc-local.service
@@ -105,4 +105,4 @@
     - systemd-rfkill.service
     - systemd-rfkill.socket
     - user@0.service
-  tags: init
+  tags: init

roles/base/tasks/main.yml

@@ -1,16 +1,16 @@
 ---
 
 - name: Initialize the system
-  import_tasks: init.yml
+  ansible.builtin.import_tasks: init.yml
 
 - name: Customize the FHS
-  import_tasks: fhs.yml
+  ansible.builtin.import_tasks: fhs.yml
 
 - name: Initialize the network
-  import_tasks: network.yml
+  ansible.builtin.import_tasks: network.yml
 
 - name: Setup dns
-  import_tasks: dns.yml
+  ansible.builtin.import_tasks: dns.yml
 
 - name: Setup ntp
-  import_tasks: ntp.yml
+  ansible.builtin.import_tasks: ntp.yml

roles/base/tasks/network.yml

@@ -1,20 +1,20 @@
 ---
 
 - name: Check systemd-networkd
-  systemd:
+  ansible.builtin.systemd:
     name: systemd-networkd
     state: started
-    enabled: yes
-    masked: no
+    enabled: true
+    masked: false
   tags: network
 
 - name: Install network profiles
-  template:
+  ansible.builtin.template:
     src: "{{ item }}.j2"
     dest: "{{ systemd_network }}/{{ item }}"
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   loop:
     - en.network
     - wan.netdev
@@ -23,7 +23,7 @@
   tags: network
 
 - name: Delete unused directories
-  file:
+  ansible.builtin.file:
     state: absent
     path: "{{ item }}"
   loop:
@@ -32,24 +32,24 @@
   tags: network
 
 - name: Remove comments from /etc/sysctl.conf
-  lineinfile:
+  ansible.builtin.lineinfile:
     path: /etc/sysctl.conf
-    regexp: '^#' 
+    regexp: '^#'
     state: absent
   tags: network
 
 - name: Remove empty lines from /etc/sysctl.conf
-  lineinfile:
+  ansible.builtin.lineinfile:
     path: /etc/sysctl.conf
     regexp: '^\s*$'
     state: absent
   tags: network
 
 - name: Setting sysctl.conf
-  sysctl:
+  ansible.posix.sysctl:
     name: "{{ item.name }}"
     value: "{{ item.value }}"
-  ignore_errors: true
+  failed_when: false
   loop:
     - name: kernel.printk
       value: 3 4 1 3
@@ -143,4 +143,4 @@
       value: 2
     - name: kernel.unprivileged_userns_clone
       value: 0
-  tags: network
+  tags: network

roles/base/tasks/ntp.yml

@@ -1,25 +1,25 @@
 ---
 
 - name: Install timesyncd
-  apt:
+  ansible.builtin.apt:
     name: systemd-timesyncd
     state: present
   tags: ntp
 
 - name: Setup timesyncd.conf
-  template:
+  ansible.builtin.template:
     src: timesyncd.conf.j2
     dest: "{{ systemd_prefix }}/timesyncd.conf"
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
   notify: restart ntp
   tags: ntp
 
 - name: Enable timesyncd
-  systemd:
+  ansible.builtin.systemd:
     name: systemd-timesyncd.service
     state: started
-    enabled: yes
-    masked: no
-  tags: ntp
+    enabled: true
+    masked: false
+  tags: ntp