chore(roles): role/test hygiene from review (O16,O17,O25,O26)
- dev_env .zshrc: drop the rclone alias (not installed) and guard the direnv
hook with `command -v direnv` so a missing direnv doesn't error every shell (O16)
- dev_env oh-my-posh: tag the zen.toml theme deploy `config` (it renders config to
disk like the per_user dotfiles); the include now carries packages+config so a
`--tags config` run re-renders the theme while the binary install stays packages
only (O17). Verified via `molecule converge -- --tags config`.
- drop the non-vocabulary `tags: [verify]` from molecule verify playbooks across
base/docker_host/public_dns/reverse_proxy (check-tags exempts molecule anyway) (O25)
- reverse_proxy templates: add the `{{ ansible_managed }}` header (ADR-024 §1.2) (O26)
make lint green; dev_env + reverse_proxy molecule green.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
175777e36a
commit
9b5851ba4b
9 changed files with 11 additions and 17 deletions
|
|
@ -51,14 +51,9 @@
|
||||||
- name: Sshd drop-in present and config valid
|
- name: Sshd drop-in present and config valid
|
||||||
ansible.builtin.command: sshd -t
|
ansible.builtin.command: sshd -t
|
||||||
changed_when: false
|
changed_when: false
|
||||||
tags: [verify]
|
|
||||||
|
|
||||||
- name: PasswordAuthentication is disabled
|
- name: PasswordAuthentication is disabled
|
||||||
ansible.builtin.command: grep -q '^PasswordAuthentication no' /etc/ssh/sshd_config.d/10-boma.conf
|
ansible.builtin.command: grep -q '^PasswordAuthentication no' /etc/ssh/sshd_config.d/10-boma.conf
|
||||||
changed_when: false
|
changed_when: false
|
||||||
tags: [verify]
|
|
||||||
|
|
||||||
- name: Fail2ban sshd jail configured
|
- name: Fail2ban sshd jail configured
|
||||||
ansible.builtin.command: grep -q '^\[sshd\]' /etc/fail2ban/jail.d/sshd.local
|
ansible.builtin.command: grep -q '^\[sshd\]' /etc/fail2ban/jail.d/sshd.local
|
||||||
changed_when: false
|
changed_when: false
|
||||||
tags: [verify]
|
|
||||||
|
|
|
||||||
|
|
@ -25,7 +25,6 @@ alias ll="ls -lh"
|
||||||
alias la="ls -lha"
|
alias la="ls -lha"
|
||||||
alias ..="cd .."
|
alias ..="cd .."
|
||||||
alias update="sudo apt update && sudo apt upgrade -y"
|
alias update="sudo apt update && sudo apt upgrade -y"
|
||||||
alias rclone="/usr/bin/rclone"
|
|
||||||
|
|
||||||
# Use neovim for vim/vi commands
|
# Use neovim for vim/vi commands
|
||||||
alias vim='nvim'
|
alias vim='nvim'
|
||||||
|
|
@ -50,6 +49,5 @@ export PATH="$HOME/.local/bin:$HOME/bin:$PATH"
|
||||||
# Ensure USER is set (edge cases)
|
# Ensure USER is set (edge cases)
|
||||||
export USER=$(whoami)
|
export USER=$(whoami)
|
||||||
|
|
||||||
# Extras from inventory
|
# Enable direnv for automatic virtualenv activation (guarded — direnv may not be installed)
|
||||||
# Enable direnv for automatic virtualenv activation
|
command -v direnv >/dev/null 2>&1 && eval "$(direnv hook zsh)"
|
||||||
eval "$(direnv hook zsh)"
|
|
||||||
|
|
|
||||||
|
|
@ -17,12 +17,16 @@
|
||||||
tags: [packages]
|
tags: [packages]
|
||||||
tags: [packages]
|
tags: [packages]
|
||||||
|
|
||||||
|
# Also reachable under `config`: oh_my_posh.yml renders /etc/oh-my-posh/zen.toml (a config
|
||||||
|
# task, tagged `config` within the file) alongside the binary install (`packages`). apply
|
||||||
|
# keeps `packages` on the untagged binary tasks; the include carries both so `--tags config`
|
||||||
|
# enters it and re-renders just the theme.
|
||||||
- name: Install oh-my-posh prompt (pinned release)
|
- name: Install oh-my-posh prompt (pinned release)
|
||||||
ansible.builtin.include_tasks:
|
ansible.builtin.include_tasks:
|
||||||
file: oh_my_posh.yml
|
file: oh_my_posh.yml
|
||||||
apply:
|
apply:
|
||||||
tags: [packages]
|
tags: [packages]
|
||||||
tags: [packages]
|
tags: [packages, config]
|
||||||
|
|
||||||
- name: Install Node.js (pinned release)
|
- name: Install Node.js (pinned release)
|
||||||
ansible.builtin.include_tasks:
|
ansible.builtin.include_tasks:
|
||||||
|
|
|
||||||
|
|
@ -17,9 +17,11 @@
|
||||||
path: /etc/oh-my-posh
|
path: /etc/oh-my-posh
|
||||||
state: directory
|
state: directory
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
|
tags: [config]
|
||||||
|
|
||||||
- name: Oh-my-posh | Deploy zen.toml theme (system-wide)
|
- name: Oh-my-posh | Deploy zen.toml theme (system-wide)
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
src: oh-my-posh/zen.toml
|
src: oh-my-posh/zen.toml
|
||||||
dest: /etc/oh-my-posh/zen.toml
|
dest: /etc/oh-my-posh/zen.toml
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
|
tags: [config]
|
||||||
|
|
|
||||||
|
|
@ -8,10 +8,7 @@
|
||||||
ansible.builtin.command: docker --version
|
ansible.builtin.command: docker --version
|
||||||
register: docker_version_output
|
register: docker_version_output
|
||||||
changed_when: false
|
changed_when: false
|
||||||
tags: [verify]
|
|
||||||
|
|
||||||
- name: Assert docker --version succeeded
|
- name: Assert docker --version succeeded
|
||||||
ansible.builtin.assert:
|
ansible.builtin.assert:
|
||||||
that: docker_version_output.rc == 0
|
that: docker_version_output.rc == 0
|
||||||
msg: "docker --version failed — Docker was not installed correctly"
|
msg: "docker --version failed — Docker was not installed correctly"
|
||||||
tags: [verify]
|
|
||||||
|
|
|
||||||
|
|
@ -9,4 +9,3 @@
|
||||||
- public_dns__domain == "example.test"
|
- public_dns__domain == "example.test"
|
||||||
- public_dns__apply | bool == false
|
- public_dns__apply | bool == false
|
||||||
msg: "public_dns defaults/vars did not resolve as expected"
|
msg: "public_dns defaults/vars did not resolve as expected"
|
||||||
tags: [verify]
|
|
||||||
|
|
|
||||||
|
|
@ -8,8 +8,6 @@
|
||||||
ansible.builtin.slurp:
|
ansible.builtin.slurp:
|
||||||
src: /opt/services/reverse_proxy/Caddyfile
|
src: /opt/services/reverse_proxy/Caddyfile
|
||||||
register: _caddyfile
|
register: _caddyfile
|
||||||
tags: [verify]
|
|
||||||
|
|
||||||
- name: Assert Caddyfile exists and contains expected content
|
- name: Assert Caddyfile exists and contains expected content
|
||||||
ansible.builtin.assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
|
|
@ -19,4 +17,3 @@
|
||||||
- "'respond \"ok\" 200' in (_caddyfile.content | b64decode)"
|
- "'respond \"ok\" 200' in (_caddyfile.content | b64decode)"
|
||||||
fail_msg: "Caddyfile is missing expected content"
|
fail_msg: "Caddyfile is missing expected content"
|
||||||
success_msg: "Caddyfile rendered correctly"
|
success_msg: "Caddyfile rendered correctly"
|
||||||
tags: [verify]
|
|
||||||
|
|
|
||||||
|
|
@ -1,3 +1,4 @@
|
||||||
|
# {{ ansible_managed }}
|
||||||
{
|
{
|
||||||
email {{ reverse_proxy__acme_email }}
|
email {{ reverse_proxy__acme_email }}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -1,3 +1,4 @@
|
||||||
|
# {{ ansible_managed }}
|
||||||
services:
|
services:
|
||||||
caddy:
|
caddy:
|
||||||
image: caddy:2
|
image: caddy:2
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue