From b3ef69f84be5ebbd882348b7b3e67c16321b937f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Sachse?= <Joerg.Sachse@slub-dresden.de> Date: Thu, 21 Jul 2022 11:49:58 +0200 Subject: [PATCH] fix: make tasks idempotent wherever possible --- handlers/main.yml | 9 +-- tasks/configure_glances.yml | 24 ++++++- tasks/configure_logrotate.yml | 2 + tasks/configure_ntp.yml | 2 + .../configure_persistent_journald_logging.yml | 63 +++++++------------ tasks/configure_swap.yml | 17 ++++- tasks/main.yml | 7 ++- 7 files changed, 71 insertions(+), 53 deletions(-)
diff --git a/handlers/main.yml b/handlers/main.yml
index 7265ba6..e975c97 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -39,18 +39,18 @@
 - name: restart exim
 ansible.builtin.systemd:
 name: "exim4"
- state: restarted
+ state: reloaded
 enabled: true
 
 - name: restart postfix
 ansible.builtin.service:
 name: "postfix"
- state: restarted
+ state: reloaded
 
 - name: restart sshd
 ansible.builtin.systemd:
 name: "sshd"
- state: restarted
+ state: reloaded
 
 - name: reload journald configuration
 ansible.builtin.systemd:
@@ -60,8 +60,9 @@
 - name: restart logrotate.service
 ansible.builtin.systemd:
 name: "logrotate.service"
- state: restarted
+ state: reloaded
 when: ansible_os_family == "Debian"
+ changed_when: false
 
 - name: udev-Regel bekannt machen
 ansible.builtin.command: "udevadm control --reload"
diff --git a/tasks/configure_glances.yml b/tasks/configure_glances.yml
index 971b7ce..b9d1ad3 100644
--- a/tasks/configure_glances.yml
+++ b/tasks/configure_glances.yml
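Review bot: Switching the exim4, postfix and sshd handlers to `state: reloaded` does not make them idempotent — a reload is reported as changed every time the handler fires, exactly like a restart — while it does narrow what the handler applies: for Postfix, `inet_interfaces`/`inet_protocols` changes are documented as requiring a stop/start, not `postfix reload`, so a task that touches those would now notify a handler that cannot apply them. The handler names still say `restart …`, which is misleading for anyone reading a `notify: restart sshd`; either rename them (`- name: reload sshd`) or keep `restarted` for the services where a config change may need it. For sshd a SIGHUP re-executes the daemon with its original options, so a reload is fine there as far as I recall.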
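Review bot: On Debian `logrotate.service` is, from memory of the packaging, a `Type=oneshot` unit without `ExecReload`, so `state: reloaded` cannot reload it; Ansible's systemd module starts an inactive unit when asked to reload, which means every logrotate config change now triggers an immediate log rotation, and the added `changed_when: false` merely hides that in the recap. If the aim is only to pick up the new config, the handler can be dropped entirely — logrotate reads `/etc/logrotate.conf` on each timer run; if the aim is validation, `ansible.builtin.command: logrotate -d /etc/logrotate.conf` with `changed_when: false` is the honest replacement. A short comment on the handler saying which of the two is intended would help the next reader.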
@@ -1,7 +1,27 @@
 ---
+- name: find out if Glances Service is enabled
+ ansible.builtin.command: systemctl is-enabled glances.service
+ register: glances_enabled
+ changed_when: false
+ failed_when:
+ - glances_enabled.stdout != "enabled"
+ - glances_enabled.stdout != "disabled"
+
+# this is idempotent
 - name: stop Glances (web-)server
 ansible.builtin.service:
- name: "glances"
+ name: "glances.service"
 state: stopped
+ when:
+ - ansible_os_family == "Debian"
+ - glances_enabled.stdout != "disabled"
+
+# this is NOT idempotent, so it needs the "changed: false" stanza
+- name: disable Glances (web-)server
+ ansible.builtin.service:
+ name: "glances.service"
 enabled: false
- when: ansible_os_family == "Debian"
+ when:
+ - ansible_os_family == "Debian"
+ - glances_enabled.stdout != "disabled"
+ changed_when: false
diff --git a/tasks/configure_logrotate.yml b/tasks/configure_logrotate.yml
index e7ef792..07bd4b9 100644
--- a/tasks/configure_logrotate.yml
+++ b/tasks/configure_logrotate.yml
@@ -1,4 +1,5 @@
 ---
+# copy module modifies parent directory permissions, when file or directory is copied with owner and group different than root. It is also not idempotent and changes on subsequent runs.
 - name: rollout default logrotate config
 ansible.builtin.copy:
 src: "etc/logrotate.conf"
@@ -7,6 +8,7 @@
 group: "root"
 mode: "0644"
 notify: restart logrotate.service
+ tags: [molecule-idempotence-notest]
 
 - name: set custom compression algorithm
 ansible.builtin.blockinfile:
diff --git a/tasks/configure_ntp.yml b/tasks/configure_ntp.yml
index 7714c61..a9b6294 100644
--- a/tasks/configure_ntp.yml
+++ b/tasks/configure_ntp.yml
@@ -1,4 +1,5 @@
 ---
+# copy module modifies parent directory permissions, when file or directory is copied with owner and group different than root. It is also not idempotent and changes on subsequent runs.
 - name: configure NTP
 ansible.builtin.copy:
 src: "etc/ntp.conf"
@@ -6,3 +7,4 @@
 owner: "root"
 group: "root"
 mode: "0644"
+ tags: [molecule-idempotence-notest]
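Review bot: The probe's `failed_when` list is AND-ed, so the task fails whenever stdout is anything other than `enabled` or `disabled` — including an empty (or `not-found`) stdout when `glances.service` is not installed, which the probe does not guard against even though it has no `ansible_os_family` condition unlike the tasks that consume it, and legitimate states such as `masked` or `static`. Since `systemctl is-enabled` exits 0 only for enabled-type states, a simpler and safer shape is `failed_when: false` on the probe and `- glances_enabled.rc == 0` in place of the two `glances_enabled.stdout != "disabled"` conditions; that skips the stop/disable tasks instead of failing when the unit is absent or masked. The `changed_when: false` on the disable task hides a real state change on the first run and, with the probe gate in place, is no longer needed for idempotence.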
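Review bot: The added comment blames `copy`'s parent-directory behaviour when owner/group differ from root, but this task sets `owner: "root"` and `group: "root"`, so that explanation cannot be why it reports changed here; the real cause is not established by this change, and `molecule-idempotence-notest` now silences drift in `/etc/logrotate.conf`, which governs log retention. I would replace the comment with what is actually observed, e.g. `# copy reports changed on every molecule run here; cause not yet identified, see --diff output`, and check `ansible-playbook --diff` for what changes between runs before keeping the tag. The same comment and tag are added to `configure_ntp.yml` below.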
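Review bot: The `copy` task for `/etc/ntp.conf` carries no `notify`, so a changed configuration is never applied to the running daemon; old line 5 between the two hunks is not visible here and is most likely `dest`, so this is inferred rather than certain. Beyond the new `tags: [molecule-idempotence-notest]`, consider adding `notify:` for a handler that restarts the NTP service (none appears in the handlers hunks of this patch). As with logrotate, the parent-directory comment does not match a task whose `owner`/`group` are root.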
diff --git a/tasks/configure_persistent_journald_logging.yml b/tasks/configure_persistent_journald_logging.yml
index e9e567e..383367c 100644
--- a/tasks/configure_persistent_journald_logging.yml
+++ b/tasks/configure_persistent_journald_logging.yml
@@ -1,47 +1,26 @@
 ---
-# enable persistent systemd journalctl logging
-# Documentation: zless /usr/share/doc/systemd/README.Debian.gz
-- name: enable persistent systemd journalctl logging
- block:
- - name: create log directory
- ansible.builtin.file:
- path: "/var/log/journal"
- state: directory
- mode: "0644"
- owner: "root"
- group: "systemd-journal"
+# Documentation: https://www.freedesktop.org/software/systemd/man/journald.conf.html
+- name: configure journald
+ ansible.builtin.blockinfile:
+ path: "/etc/systemd/journald.conf.d/persistence.conf"
+ owner: "root"
+ group: "root"
+ mode: "0644"
+ create: "yes"
+ state: present
+ block: |
+ # If "persistent", data will be stored preferably on disk, i.e. below the /var/log/journal hierarchy (which is created if needed), with a fallback to /run/log/journal (which is created if needed), during early boot and if the disk is not writable.
+ Storage=persistent
 
- - name: find out if journald is already logging to a persistent location
- ansible.builtin.shell: "systemd-tmpfiles --cat-config | grep '/var/log/journal'"
- register: jd_persist
- changed_when: false
+ # If enabled (the default), data objects that shall be stored in the journal and are larger than the default threshold of 512 bytes are compressed before they are written to the file system.
+ Compress=true
 
- - name: link directory name to systemd
- ansible.builtin.command: systemd-tmpfiles --create --prefix /var/log/journal
- when: jd_persist.rc == 0
+ # Controls how much disk space the journal may use up at most. (default: 10%)
+ SystemMaxUse=1G
 
- # Documentation: https://www.freedesktop.org/software/systemd/man/journald.conf.html
- - name: configure journald
- ansible.builtin.blockinfile:
- path: "/etc/systemd/journald.conf.d/persistence.conf"
- owner: "root"
- group: "root"
- mode: "0644"
- create: "yes"
- state: present
- block: |
- # If "persistent", data will be stored preferably on disk, i.e.
below the /var/log/journal hierarchy (which is created if needed), with a fallback to /run/log/journal (which is created if needed), during early boot and if the disk is not writable.
- Storage=persistent
-
- # If enabled (the default), data objects that shall be stored in the journal and are larger than the default threshold of 512 bytes are compressed before they are written to the file system.
- Compress=true
-
- # Controls how much disk space the journal may use up at most. (default: 10%)
- SystemMaxUse=1G
-
- # Controls how much disk space systemd-journald shall leave free for other uses. (default: 15%)
- # THIS DOES NOT WORK, HOWEVER: SystemKeepFree=15%
- SystemKeepFree=350M
- notify:
- - reload journald configuration
+ # Controls how much disk space systemd-journald shall leave free for other uses. (default: 15%)
+ # THIS DOES NOT WORK, HOWEVER: SystemKeepFree=15%
+ SystemKeepFree=350M
+ notify:
+ - reload journald configuration
 when: ansible_facts.service_mgr == "systemd"
diff --git a/tasks/configure_swap.yml b/tasks/configure_swap.yml
index 6f4cbd1..3a6d088 100644
--- a/tasks/configure_swap.yml
+++ b/tasks/configure_swap.yml
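Review bot: `create: "yes"` is a quoted string where the rest of the role writes real booleans (`enabled: true`, `changed_when: false` in the handlers), so `create: true` is the consistent form and keeps yamllint's truthy rule quiet. Separately, the drop-in only notifies `reload journald configuration`, whose implementation is not in this diff; as far as I recall journald reads `journald.conf` at start-up and a plain unit reload may not apply `Storage=persistent`, and even after a restart the runtime journal in `/run/log/journal` is only moved to disk by `journalctl --flush`, so the first boot's logs stay volatile until then. Once verified, a one-line note on `notify:` such as `# handler must restart journald (not reload) and flush /run/log/journal` would save the next person the investigation. Dropping the old `/var/log/journal` creation with `mode: "0644"` (no execute bit on a directory) is an improvement; journald creates the directory with the correct group and mode itself.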
@@ -1,12 +1,23 @@
 ---
+- name: check if swap is active
+ ansible.builtin.command: swapon -s
+ register: swap_active
+ changed_when: false
+
 # https://docs.ansible.com/ansible/latest/user_guide/playbooks_tests.html#testing-strings
 - name: switch off swap (immediate result for running server, not reboot persistent)
- ansible.builtin.command: swapoff -a
- when: ansible_hostname is not search("validate")
+ ansible.builtin.command: swapoff -va
+ when:
+ - ansible_hostname is not search("validate")
+ - swap_active.stdout == ""
+ register: disable_swap
+ changed_when: disable_swap.stdout not in "swapoff LABEL=swap"
 
 - name: switch off swap (no result for running server, reboot persistent)
 ansible.posix.mount:
 path: "none"
 fstype: "swap"
 state: "absent"
- when: ansible_hostname is not search("validate")
+ when:
+ - ansible_hostname is not search("validate")
+ - swap_active.stdout == ""
diff --git a/tasks/main.yml b/tasks/main.yml
index 69527d3..ada2ad3 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -17,9 +17,11 @@
 # import_tasks: configure-network.yml
 # tags: [network,dns]
 
+# We don't test for idempotence because these tasks can never be idempotent.
+# They are meant to copy fresh Backups of the SSH keys every time they are run.
 - name: Server-SSH-Schlüssel sichern
 import_tasks: backup_ssh_hostkeys.yml
- tags: [ssh]
+ tags: [ssh, molecule-idempotence-notest]
 
 - name: SLUB-lokales Debian-Repository hinzufügen
 import_tasks: configure_package_repositories.yml
@@ -147,6 +149,7 @@
 when: ansible_os_family == "RedHat"
 tags: [ntp]
 
+# there's no way to get this task to become idempotent, so we have to skip the test
 - name: Flush handlers am Ende der Rolle
 ansible.builtin.meta: flush_handlers
- tags: [always]
+ tags: [always, molecule-idempotence-notest]
-- GitLab
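Review bot: The new guard `swap_active.stdout == ""` is inverted: `swapon -s` prints nothing when no swap is active (util-linux emits the header only when there are entries), so `swapoff -va` and the fstab removal now run only on hosts that already have no swap and are skipped precisely where swap is on — which is also why the molecule idempotence run passes. The swapoff task should use `- swap_active.stdout != ""`; the `ansible.posix.mount` task is idempotent on its own and should not be gated on the probe at all, since an fstab swap entry can exist while swap is off. `changed_when: disable_swap.stdout not in "swapoff LABEL=swap"` tests whether the command output is a substring of a fixed literal, which only behaves for empty output; `changed_when: disable_swap.stdout != ""` says what is meant. `swapon --show --noheadings` would be a clearer probe than the deprecated `-s`.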
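Review bot: Tagging `meta: flush_handlers` with `molecule-idempotence-notest` does not achieve what the comment claims: the meta task itself never reports changed, and skipping it only defers the notified handlers to the end of the play, where they still run and still count as changes. The non-idempotence comes from the notifying tasks and from handlers that always report changed (the `state: reloaded` handlers in this same patch), so the tag and comment here can be dropped, or the comment reworded to `# flush_handlers never reports changed; handlers skipped here still run at play end`. Whether tags on meta tasks are honored at all also depends on the ansible-core version in use — worth confirming before relying on it.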