test: introduce GitLab-CI functionality

.ansible-lint

@@ -6,7 +6,7 @@
 # and not relative to the CWD of execution. CLI arguments passed to the --exclude
 # option will be parsed relative to the CWD of execution.
 exclude_paths:
-  - .cache/ # implicit unless exclude_paths is defined in config
+  - .cache/    # implicit unless exclude_paths is defined in config
   - .git/
   - .githooks/
   - backups/
@@ -15,24 +15,19 @@ exclude_paths:
 # verbosity: 1
 
 # Mock modules or roles in order to pass ansible-playbook --syntax-check
-#mock_modules:
-#  - zuul_return
-#  # note the foo.bar is invalid as being neither a module or a collection
-#  - fake_namespace.fake_collection.fake_module
-#  - fake_namespace.fake_collection.fake_module.fake_submodule
-#mock_roles:
-#  - mocked_role
-#  - author.role_name # old standalone galaxy role
-#  - fake_namespace.fake_collection.fake_role # role within a collection
+# mock_modules:
+#   - zuul_return
+#   # note the foo.bar is invalid as being neither a module or a collection
+#   - fake_namespace.fake_collection.fake_module
+#   - fake_namespace.fake_collection.fake_module.fake_submodule
+# mock_roles:
+#   - mocked_role
+#   - author.role_name # old standalone galaxy role
+#   - fake_namespace.fake_collection.fake_role # role within a collection
 
 # Enable checking of loop variable prefixes in roles
 loop_var_prefix: "{role}_"
 
-# Enforce variable names to follow pattern below, in addition to Ansible own
-# requirements, like avoiding python identifiers. To disable add `var-naming`
-# to skip_list.
-var_naming_pattern: "^[a-z_][a-z0-9_]*$"
-
 use_default_rules: true
 # Load custom rules from this specific folder
 # rulesdir:
@@ -46,9 +41,9 @@ skip_list:
 # Any rule that has the 'opt-in' tag will not be loaded unless its 'id' is
 # mentioned in the enable_list:
 enable_list:
-  - empty-string-compare # opt-in
-  - no-log-password # opt-in
-  - no-same-owner # opt-in
+  - empty-string-compare    # opt-in
+  - no-log-password         # opt-in
+  - no-same-owner           # opt-in
   # add yaml here if you want to avoid ignoring yaml checks when yamllint
   # library is missing. Normally its absence just skips using that rule.
   - yaml
@@ -60,19 +55,19 @@ enable_list:
 warn_list:
   - skip_this_tag
   - git-latest
-  - experimental # experimental is included in the implicit list
+  - experimental    # experimental is included in the implicit list
   # - role-name
 
 # Offline mode disables installation of requirements.yml
 offline: false
 
 # Define required Ansible's variables to satisfy syntax check
-#extra_vars:
-#  foo: bar
-#  multiline_string_variable: |
-#    line1
-#    line2
-#  complex_variable: ":{;\t$()"
+# extra_vars:
+#   foo: bar
+#   multiline_string_variable: |
+#     line1
+#     line2
+#   complex_variable: ":{;\t$()"
 
 # Uncomment to enforce action validation with tasks, usually is not
 # needed as Ansible syntax check also covers it.

.config/molecule/config.yml

+---
+prerun: false

.githooks/pre-commit

@@ -24,12 +24,12 @@ exec 1>&2
 # Cross platform projects tend to avoid non-ASCII filenames; prevent
 # them from being added to the repository. We exploit the fact that the
 # printable range starts at the space character and ends with tilde.
-if [ "${allownonascii}" != "true" ] &&
+if [ "$allownonascii" != "true" ] &&
 	# Note that the use of brackets around a tr range is ok here, (it's
 	# even required, for portability to Solaris 10's /usr/bin/tr), since
 	# the square bracket bytes happen to fall in the designated range.
-	test "$( git diff --cached --name-only --diff-filter=A -z "${against}" |
-	  LC_ALL=C tr -d '[ -~]\0' | wc -c )" != 0
+	test $(git diff --cached --name-only --diff-filter=A -z $against |
+	  LC_ALL=C tr -d '[ -~]\0' | wc -c) != 0
 then
 	cat <<\EOF
 Error: Attempt to add a non-ASCII file name.
@@ -69,16 +69,12 @@ YAML_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep ".yml$")
 if [[ ${YAML_FILES} != "" ]]; then
 	for file in ${YAML_FILES}; do
 		yamllint "${file}"
-		if ! yamllint "${file}"; then
+		if [[ ${?} -ne 0 ]]; then
 			exit 1
 		fi
 	done
 fi && echo "SUCCESS: Yamllint stage."
 
-### ANSIBLE-LINT stage
-ansible-lint "site.yml" || exit 1
-echo "SUCCESS: Ansible-lint stage."
-
 ### VAULT detection stage
 VAULT_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep ".vault$")
 if [[ ${VAULT_FILES} != "" ]]; then
@@ -92,15 +88,14 @@ fi
 if [[ ${STAGED_FILES} != "" ]]; then
 	for file in ${STAGED_FILES}; do
 		grep -e "\$ANSIBLE_VAULT;[[:digit:]]\.[[:digit:]];AES256" "${file}"
-		if grep -e "\$ANSIBLE_VAULT;[[:digit:]]\.[[:digit:]];AES256" "${file}"; then
-			echo "ERROR: Ansible-Vault in String found in file '${file}'." && exit 1
-		fi
+		[[ ${?} -eq 0 ]] && echo "ERROR: Ansible-Vault in String found in file '${file}'." && exit 1
 	done
 fi
 echo "SUCCESS: Vault detection stage."
 
 ### URL detection stage
-if "${GREP_CMD}" "${GREP_EXCLUDES}" -e "http[s]*.*git.*SLUB" -e "http[s]*.*git.*slub" -e "git@" "${REPOPATH}"; then
+${GREP_CMD} ${GREP_EXCLUDES} -e "http[s]*.*git.*SLUB" -e "http[s]*.*git.*slub" -e "git@" "${REPOPATH}"
+if [[ ${?} -eq 0 ]]; then
 	echo "ERROR: found internal URLs."
 	exit 1;
 fi
@@ -109,28 +104,21 @@ echo "SUCCESS: URL detection stage."
 ### IP address detection stage
 # This is pretty basic regex matching, but it's a start.
 IP_REGEX='[^a-zA-ZäöÜÄÖÜß/\\\-][0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'
-if "${GREP_CMD}" "${GREP_EXCLUDES}" -e "${IP_REGEX}" "${REPOPATH}" | grep -v "127.0.0"; then
+${GREP_CMD} ${GREP_EXCLUDES} -e "${IP_REGEX}" "${REPOPATH}" | grep -v "127.0.0"
+if [[ ${?} -eq 0 ]]; then
 	echo "ERROR: found IP address."
 	exit 1;
 fi
 echo "SUCCESS: IP address detection stage."
 
 ### SSH-Key detection stage
-if "${GREP_CMD}" "${GREP_EXCLUDES}" -e "ssh-[dr]sa " "${REPOPATH}"; then
+${GREP_CMD} ${GREP_EXCLUDES} -e "ssh-[dr]sa " "${REPOPATH}"
+if [[ ${?} -eq 0 ]]; then
 	echo "ERROR: found SSH key."
 	exit 1;
 fi
 echo "SUCCESS: SSH Key detection stage."
 
-### SHELLSCRIPT CHECK stage
-SH_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep ".sh$")
-if [[ ${SH_FILES} != "" ]]; then
-	for file in ${SH_FILES}; do
-		shellcheck "${file}"
-	done
-fi
-echo "SUCCESS: SHELLSCRIPT CHECK stage."
-
 
 
 

.gitignore

@@ -51,6 +51,8 @@ Thumbs.db
 
 *.retry
 *.vault
+inventory.*
+inv.*
 
 # Vim #
 #######
@@ -72,3 +74,15 @@ tags
 
 .vagrant/
 *.box
+
+# Temporary/Build/Backup #
+##########################
+
+backups/
+build/
+
+# CONFIDENTIAL #
+################
+
+ssh_host_*
+

.gitlab-ci.yml

+---
+# A pipeline is composed of independent jobs that run scripts, grouped into stages.
+# Stages run in sequential order, but jobs within stages run in parallel.
+#
+# For more information, see: https://docs.gitlab.com/ee/ci/yaml/index.html#stages
+
+stages:          # List of stages for jobs, and their order of execution
+  - test
+
+default:
+  before_script:
+    - source /opt/molecule/bin/activate
+    - ansible --version
+    - molecule --version
+
+test-job:
+  stage: test
+  tags:
+    - "shell"
+  script:
+    # make sure that Ansible Vaults are present and can be decrypted
+    - echo "${VAULT_LZA_BOOTSTRAP_RHEL_SERVER}" > ../lza_bootstrap_rhel_server.pass
+    - export ANSIBLE_VAULT_IDENTITY_LIST="../lza_bootstrap_rhel_server.pass"
+    - rm -rf ../ansible_vaults/
+    - git clone https://gitlab+deploy-token-25:${VAULT_ACCESS_TOKEN}@git.slub-dresden.de/slub-referat-2-3/ansible_vaults.git ../ansible_vaults/; \
+    
+    # run Molecule tests against DEFAULT scenario (virtualbox_centos7)
+    - export SCENARIO="virtualbox_centos7"
+    - molecule syntax --scenario-name "${SCENARIO}"
+    - molecule lint --scenario-name "${SCENARIO}"
+    - molecule create --scenario-name "${SCENARIO}"
+    - molecule converge --scenario-name "${SCENARIO}"
+    - molecule idempotence --scenario-name "${SCENARIO}"
+    # - molecule verify --scenario-name "${SCENARIO}"
+    - molecule destroy --scenario-name "${SCENARIO}"
+    
+    # run Molecule tests against Rocky Linux 8 scenario (virtualbox_rocky8)
+    - export SCENARIO="virtualbox_rocky8"
+    - molecule syntax --scenario-name "${SCENARIO}"
+    - molecule lint --scenario-name "${SCENARIO}"
+    - molecule create --scenario-name "${SCENARIO}"
+    - molecule converge --scenario-name "${SCENARIO}"
+    - molecule idempotence --scenario-name "${SCENARIO}"
+    # - molecule verify --scenario-name "${SCENARIO}"
+    - molecule destroy --scenario-name "${SCENARIO}"

.yamllint

 ---
-# based on documentation available at
-# https://yamllint.readthedocs.io/en/stable/rules.html
-
+# Based on ansible-lint config
 extends: default
 
 rules:
@@ -11,13 +9,25 @@ rules:
   brackets:
     max-spaces-inside: 1
     level: error
-  comments:
-    min-spaces-from-content: 4
+  colons:
+    max-spaces-after: -1
+    level: error
+  commas:
+    max-spaces-after: -1
+    level: error
+  comments: disable
   comments-indentation: disable
-  document-end: disable
-  document-start:
-    level: warning
-  octal-values:
-    forbid-explicit-octal: false
+  document-start: disable
+  empty-lines:
+    max: 3
+    level: error
+  hyphens:
+    level: error
+  indentation: disable
+  key-duplicates: enable
   line-length: disable
-  truthy: enable
+  new-line-at-end-of-file: disable
+  new-lines:
+    type: unix
+  trailing-spaces: disable
+  truthy: disable

defaults/main.yml

 ---
 # defaults file for ansible_lza_bootstrap_rhel_server
 
-tsm_default_version_short: "v8110"
-tsm_default_version_long: "8.1.10"
-tsm_default_checksum: "sha1:8ed715ad4c934a9891b2357d4877f3095a2c5ac2"
+tsm_default_version_short: "v8115"
+tsm_default_version_long: "8.1.15"
+tsm_default_checksum: "sha256:e24735f2f2f88bedc93371eae507c14dccb8e7be2676794b53ad94674338d8a1"

meta/main.yml

 ---
 galaxy_info:
-  author: Jörg Sachse
-  description: role to initialise empty VMs that should become RHEL servers before switching to a non-root user for further management.
+  author: Jörg Sachse (<Joerg.Sachse@slub-dresden.de>)
   company: SLUB Dresden
-  # If the issue tracker for your role is not on github, uncomment the next line and provide a value issue_tracker_url: http://example.com/issue/tracker Some suggested licenses: - BSD 
-  # (default) - MIT - GPLv2 - GPLv3 - Apache - CC-BY
-  license: GPLv3
-  min_ansible_version: 2.5
-  # If this a Container Enabled role, provide the minimum Ansible Container version. min_ansible_container_version: Optionally specify the branch Galaxy will use when accessing the GitHub repo 
-  #for this role. During role install, if no tags are available, Galaxy will use this branch. During import Galaxy will access files on this branch. If Travis integration is configured, only 
-  #notifications for this branch will be accepted. Otherwise, in all cases, the repo's default branch (usually master) will be used. github_branch:
-  #
-  # Provide a list of supported platforms, and for each platform a list of versions. If you don't wish to enumerate all versions for a particular platform, use 'all'. To view available 
+  description: This role can be used to initialise empty VMs that should become RHEL servers before switching to a non-root user for further management.
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes and categorizes the role. Users find roles by searching for tags. Be sure to remove the '[]' above, if you
+    # add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+  # issue_tracker_url: "https://example.com/"
+    # If the issue tracker for your role is not on github, uncomment the next line and provide a value issue_tracker_url: http://example.com/issue/tracker
+  license: public domain
+    # Some suggested licenses: - BSD
+    # (default) - MIT - GPLv2 - GPLv3 - Apache - CC-BY
+  min_ansible_version: "2.5"
+    # If this a Container Enabled role, provide the minimum Ansible Container version. min_ansible_container_version: Optionally specify the branch Galaxy will use when accessing the GitHub repo
+    # for this role. During role install, if no tags are available, Galaxy will use this branch. During import Galaxy will access files on this branch. If Travis integration is configured, only
+    # notifications for this branch will be accepted. Otherwise, in all cases, the repo's default branch (usually master) will be used. github_branch:
+  namespace: "slub"
+  # Provide a list of supported platforms, and for each platform a list of versions. If you don't wish to enumerate all versions for a particular platform, use 'all'. To view available
   # platforms and versions (or releases), visit: https://galaxy.ansible.com/api/v1/platforms/
   #
   # platforms: - name: Fedora
   #   versions: - all - 25 - name: SomePlatform versions: - all - 1.0 - 7 - 99.99
   platforms:
-    - name: RedHat
+    - name: EL
       versions:
-        - 7
-  galaxy_tags: []
-    # List tags for your role here, one per line. A tag is a keyword that describes and categorizes the role. Users find roles by searching for tags. Be sure to remove the '[]' above, if you 
-    # add tags to this list.
-    #
-    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
-    #       Maximum 20 tags per role.
+        - "7"
+        - "8"
 dependencies: []

molecule/default

+virtualbox_centos7
\ No newline at end of file

molecule/default/molecule.yml

----
-dependency:
-  name: galaxy
-driver:
-  name: vagrant
-  provider:
-    name: virtualbox
-lint: |
-  set -e
-  yamllint .
-  ansible-lint -x formatting
-  flake8 --ignore=E501
-platforms:
-  - name: molecule-bootstrap-redhat
-    box: centos/7
-    memory: 512
-    cpus: 1
-provisioner:
-  name: ansible
-  log: true
-  config_options:
-    defaults:
-      # https://stackoverflow.com/questions/57435811/ansible-molecule-pass-multiple-vault-ids
-      vault_identity_list: "@$HOME/.ansible/roles/molecule_prepare.pass, @$HOME/.ansible/roles/lza_install_common.pass, @$HOME/.ansible/roles/lza_server_hardening.pass, @$HOME/.ansible/roles/lza_bootstrap_rhel_server.pass, @$HOME/.ansible/roles/slub_osquery.pass"
-  vvv: false
-verifier:
-  name: testinfra
-  env:
-    PYTHONWARNINGS: "ignore:.*U.*mode is deprecated:DeprecationWarning"
-  options:
-    v: 1

molecule/default/playbook.yml

----
-- name: Converge
-  hosts: all
-  roles:
-    - role: ansible_lza_bootstrap_rhel_server

molecule/default/prepare.yml

----
-- name: Prepare
-  hosts: all
-  gather_facts: false
-  tasks:
-    - name: Install python for Ansible
-      raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal)
-      become: true
-      changed_when: false

molecule/default/tests/test_default.py

-import os
-
-import testinfra.utils.ansible_runner
-
-testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
-    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
-
-
-def test_hosts_file(host):
-    f = host.file('/etc/hosts')
-
-    assert f.exists
-    assert f.user == 'root'
-    assert f.group == 'root'

molecule/default/INSTALL.rst → molecule/resources/playbooks/INSTALL.rst

-*******
+*********************************
 Vagrant driver installation guide
-*******
+*********************************
 
 Requirements
 ============
@@ -20,4 +20,4 @@ widely recommended `'--user' flag`_ when invoking ``pip``.
 
 .. code-block:: bash
 
-    $ pip install 'molecule[vagrant]'
+    $ pip install 'molecule_vagrant'

molecule/resources/playbooks/README.md

+This drectory contains shared playbooks and a shared Dockerfile.
+
+Visit https://molecule.readthedocs.io/en/latest/examples.html#sharing-across-scenarios for details on sharing playbooks, tests etc. across multiple scenarios.

molecule/resources/playbooks/converge.yml

+---
+- name: Converge
+  hosts: all
+  pre_tasks:
+    - name: update apt cache
+      ansible.builtin.apt:
+        update_cache: true
+        upgrade: dist
+      become: true
+      when: ansible_os_family == "Debian"
+    - name: update yum cache
+      ansible.builtin.yum:
+        update_cache: true
+      become: true
+      when: ansible_os_family == "RedHat"
+  roles:
+    - {role: "ansible_lza_bootstrap_rhel_server", become: true}

molecule/resources/playbooks/prepare.yml

+---
+- name: Prepare
+  hosts: "*"
+  tasks:
+    - name: add SLUB Debian Repository
+      block:
+        - name: install GPG
+          ansible.builtin.apt:
+            name: "gnupg"
+            state: latest
+            update_cache: true
+          become: true
+        - name: add GPG key for SLUB Debian repository
+          ansible.builtin.apt_key:
+            url: "https://sdvdebianrepo.slub-dresden.de/deb-repository/pub.gpg.key"
+            state: present
+          become: true
+        - name: add repo URL to sources.list
+          ansible.builtin.apt_repository:
+            repo: "deb https://sdvdebianrepo.slub-dresden.de/deb-repository bullseye main"
+            state: present
+            update_cache: true
+            mode: "0644"
+          become: true
+      when: ansible_os_family == "Debian"
+    - name: Increase disk size of created VM. The Rocky Linux 8 Vagrant image is too small to fit the IBMSP client on it, so we have to make room before running any tests.
+      block:
+        - name: install growpart
+          ansible.builtin.yum:
+            name: "cloud-utils-growpart"
+          become: true
+        - name: resize partition
+          ansible.builtin.command: "growpart /dev/sda 1"
+          register: growpart
+          changed_when: '"CHANGED:" in growpart.stdout'
+          failed_when:
+            - 'not "it cannot be grown" in growpart.stdout'
+            - 'not growpart.rc == 0'
+          become: true
+        - name: resize XFS filesystem
+          ansible.builtin.command: "xfs_growfs -d /"
+          register: growfs
+          changed_when: '"data blocks changed from" in growfs.stdout'
+          become: true
+      when: ansible_os_family == "RedHat"

molecule/resources/playbooks/verify.yml

+---
+# This is an example playbook to execute Ansible tests.
+
+- name: Verify
+  hosts: all
+  gather_facts: false
+  tasks:
+  - name: Example assertion
+    ansible.builtin.assert:
+      that: true

molecule/virtualbox_centos7/molecule.yml

+---
+dependency:
+  name: galaxy
+  enabled: false
+driver:
+  name: vagrant
+lint: |
+  set -e
+  yamllint .
+  ansible-lint -x no-loop-var-prefix,command-instead-of-module,package-latest
+platforms:
+  # Check out the documentation at
+  # https://github.com/ansible-community/molecule-vagrant#documentation
+  # for more platform parameters.
+  - name: vm-runner
+    box: centos/7
+    memory: 1024
+    # List of raw Vagrant `config` options.
+    # provider_raw_config_args:
+    #   - "customize [ 'modifyvm', :id, '--natdnshostresolver1', 'on' ]"
+    # Dictionary of `config` options.
+    config_options:
+      ssh.keep_alive: yes
+      ssh.remote_user: "'lza'"
+provisioner:
+  name: ansible
+  log: true
+  config_options:
+    defaults:
+      # https://stackoverflow.com/questions/57435811/ansible-molecule-pass-multiple-vault-ids
+      # vault_identity_list: "@$HOME/.ansible/roles/lza_install_common.pass, @$HOME/.ansible/roles/passfile_1.pass"
+      vault_identity_list: "../lza_bootstrap_rhel_server.pass"
+  vvv: false
+  playbooks:
+    # create: ../resources/playbooks/create.yml
+    # destroy: ../resources/playbooks/destroy.yml
+    converge: ../resources/playbooks/converge.yml
+    # prepare: ../resources/playbooks/prepare.yml
+    verify: ../resources/playbooks/verify.yml
+verifier:
+  name: ansible

molecule/virtualbox_rocky8/molecule.yml

+---
+dependency:
+  name: galaxy
+  enabled: false
+driver:
+  name: vagrant
+lint: |
+  set -e
+  yamllint .
+  ansible-lint -x no-loop-var-prefix,command-instead-of-module,package-latest
+platforms:
+  # Check out the documentation at
+  # https://github.com/ansible-community/molecule-vagrant#documentation
+  # for more platform parameters.
+  - name: mol-lza-bootstrap-rocky8
+    box: rockylinux/8
+    memory: 1024
+    # List of raw Vagrant `config` options.
+    # provider_raw_config_args:
+    #   - "customize [ 'modifyvm', :id, '--natdnshostresolver1', 'on' ]"
+    # Dictionary of `config` options.
+    config_options:
+      ssh.keep_alive: yes
+      ssh.remote_user: "'lza'"
+      disksize.size: '10GB'
+provisioner:
+  name: ansible
+  log: true
+  config_options:
+    defaults:
+      # https://stackoverflow.com/questions/57435811/ansible-molecule-pass-multiple-vault-ids
+      # vault_identity_list: "@$HOME/.ansible/roles/lza_install_common.pass, @$HOME/.ansible/roles/passfile_1.pass"
+      vault_identity_list: "../lza_bootstrap_rhel_server.pass"
+  vvv: false
+  playbooks:
+    # create: ../resources/playbooks/create.yml
+    # destroy: ../resources/playbooks/destroy.yml
+    converge: ../resources/playbooks/converge.yml
+    prepare: ../resources/playbooks/prepare.yml
+    verify: ../resources/playbooks/verify.yml
+verifier:
+  name: ansible