WIP.

.ansible-lint

@@ -42,7 +42,7 @@ use_default_rules: true
 
 # Ansible-lint completely ignores rules or tags listed below
 skip_list:
-  - skip_this_tag
+  - no-log-password
 
 # Ansible-lint does not automatically load rules that have the 'opt-in' tag.
 # You must enable opt-in rules by listing each rule 'id' below.
@@ -108,4 +108,4 @@ kinds:
 
 # List of additions modules to allow in only-builtins rule.
 # only_builtins_allow_modules:
-#   - example_module
+#   - example_module

.pre-commit-config.yaml

@@ -2,7 +2,7 @@
 repos:
 
   - repo: https://github.com/lyz-code/yamlfix/
-    rev: master
+    rev: 1.1.1
     hooks:
       - id: yamlfix
 

playbook.yml

@@ -1,5 +1,6 @@
 ---
-- hosts: all
+- name: Deploy data.coop services
+  hosts: all
   gather_facts: true
   become: true
   vars:
@@ -14,9 +15,11 @@
     smtp_port: '587'
 
   tasks:
-    - import_role:
+    - name: Setup host basics
+      ansible.builtin.import_role:
         name: ubuntu_base
       tags:
         - base_only
-    - import_role:
+    - name: Deploy docker containers (services)
+      ansible.builtin.import_role:
         name: docker

roles/docker/handlers/main.yml

@@ -1,5 +1,5 @@
 ---
-- name: restart nginx
+- name: Restart nginx
   community.docker.docker_container:
     name: nginx-proxy
     restart: 'yes'

roles/docker/tasks/main.yml

@@ -1,33 +1,33 @@
 ---
-- name: add docker gpg key
-  apt_key:
+- name: Add docker gpg key
+  ansible.builtin.apt_key:
     keyserver: pgp.mit.edu
     id: 8D81803C0EBFCD88
     state: present
 
-- name: add docker apt repository
+- name: Add docker apt repository
   ansible.builtin.apt_repository:
     repo: deb https://download.docker.com/linux/ubuntu bionic stable
     state: present
     update_cache: true
 
-- name: install docker-ce
+- name: Install docker-ce
   ansible.builtin.apt:
     name: docker-ce
     state: present
 
-- name: install docker python bindings
-  pip:
+- name: Install docker python bindings
+  ansible.builtin.pip:
     executable: pip3
     name: docker-compose
     state: present
 
-- name: create folder structure for bind mounts
+- name: Create folder structure for bind mounts
   ansible.builtin.file:
     name: '{{ volume_root_folder }}'
     state: directory
 
-- name: setup services
-  import_tasks: services.yml
+- name: Setup services
+  ansible.builtin.import_tasks: services.yml
   tags:
     - setup_services

roles/docker/tasks/services.yml

@@ -4,10 +4,12 @@
     name: external_services
 
 - name: setup services
-  include_tasks: services/{{ item.value.file }}
+  include_tasks: services/{{ docker_service.value.file }}
   loop: '{{ services | dict2items }}'
-  when: single_service is not defined and item.value.file is defined and item.value.disabled_in_vagrant
-    is not defined
+  loop_control:
+    loop_var: docker_service
+  when: single_service is not defined and docker_service.value.file is defined and
+    docker_service.value.disabled_in_vagrant is not defined
 
 - name: setup single service
   include_tasks: services/{{ services[single_service].file }}

roles/docker/tasks/services/docker_registry.yml

@@ -24,8 +24,8 @@
       REGISTRY_AUTH_HTPASSWD_REALM: data.coop docker registry
 
 - name: generate htpasswd file
-  shell: docker exec -it registry htpasswd -Bbn docker {{ docker_password }} > {{
-    services.docker_registry.volume_folder }}/auth/htpasswd
+  shell: docker exec -it registry htpasswd -Bbn docker {{ docker_password }} > services.docker_registry.volume_folder
+    }}/auth/htpasswd
   args:
     creates: '{{ services.docker_registry.volume_folder }}/auth/htpasswd'
 

roles/docker/tasks/services/matrix_riot.yml

@@ -50,8 +50,10 @@
 - name: upload vhost config for riot domain
   ansible.builtin.template:
     src: files/configs/matrix/vhost-riot
-    dest: '{{ services.nginx_proxy.volume_folder }}/vhost/{{ item }}'
+    dest: '{{ services.nginx_proxy.volume_folder }}/vhost/{{ domain }}'
   loop: '{{ services.riot.domains }}'
+  loop_control:
+    loop_var: domain
 
 - name: upload homeserver.yaml
   ansible.builtin.template:

roles/docker/tasks/services/websites/new-new.data.coop.yml

@@ -8,8 +8,8 @@
     networks:
       - name: external_services
     env:
-      VIRTUAL_HOST: new-new.{{ services.data_coop_website.domains|join(',') }}
-      LETSENCRYPT_HOST: new-new.{{ services.data_coop_website.domains|join(',')
+      VIRTUAL_HOST: new-new.{{ services.data_coop_website.domains | join(',') }}
+      LETSENCRYPT_HOST: new-new.{{ services.data_coop_website.domains | join(',')
         }}
       LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
 # The ssh-key is for read-only only

roles/ubuntu_base/tasks/base.yml

@@ -16,7 +16,7 @@
   when: not vagrant
 
 - name: Install necessary packages via pip
-  pip:
+  ansible.builtin.pip:
     name: '{{ packages }}'
   vars:
     packages:

roles/ubuntu_base/tasks/dell-apt-repo.yml

@@ -1,6 +1,6 @@
 ---
 - name: Import dell apt signing key
-  apt_key:
+  ansible.builtin.apt_key:
     id: 1285491434D8786F
     keyserver: keyserver.ubuntu.com
 

roles/ubuntu_base/tasks/firewall.yml

@@ -20,3 +20,5 @@
     - port: 587 # Email
     - port: 993 # Email
     - port: 19022 # SSH
+  loop_control:
+    loop_var: ubuntu_base_port

roles/ubuntu_base/tasks/users.yml

@@ -1,19 +1,23 @@
 ---
 - name: Add users
   user:
-    name: '{{ item.name }}'
-    comment: '{{ item.comment }}'
-    password: '{{ item.password }}'
-    groups: '{{ item.groups }}'
+    name: '{{ ubuntu_base_user.name }}'
+    comment: '{{ ubuntu_base_user.comment }}'
+    password: '{{ ubuntu_base_user.password }}'
+    groups: '{{ ubuntu_base_user.groups }}'
     update_password: always
   loop: '{{ users | default([]) }}'
+  loop_control:
+    loop_var: ubuntu_base_user
 
 - name: Add ssh authorized_keys
   ansible.posix.authorized_key:
-    user: '{{ item.name }}'
-    key: "{{ item.ssh_keys | join('\n') }}"
+    user: '{{ ubuntu_base_user.name }}'
+    key: "{{ ubuntu_base_user.ssh_keys | join('\n') }}"
     exclusive: true
   loop: '{{ users | default([]) }}'
+  loop_control:
+    loop_var: ubuntu_base_user
 
 - name: Add ssh authorized_keys to root user
   ansible.posix.authorized_key: