feat: add ansible-lint validation for test playbooks

Configure pre-commit hook to run ansible-lint on test playbooks and their dependencies.
Since test playbooks include tasks from existing task files, ansible-lint automatically validates those dependencies as well.

Author: jfroche

.ansible-lint.yml

@@ -0,0 +1,38 @@
+---
+profile: production
+
+# exclude_paths included in this file are parsed relative to this file's location
+# and not relative to the CWD of execution. CLI arguments passed to the --exclude
+# option are parsed relative to the CWD of execution.
+exclude_paths:
+  - .cache/  # implicit unless exclude_paths is defined in config
+  - .github/
+
+use_default_rules: true
+enable_list:
+  - args
+  - empty-string-compare
+  - no-log-password
+  - no-same-owner
+warn_list:
+  - experimental
+skip_list:
+  - name[casing]
+  - name[prefix]
+  - yaml[line-length]
+  - var-naming[no-role-prefix]
+
+# Offline mode disables installation of requirements.yml
+offline: false
+
+# Make the output more readable
+parseable: true
+
+# Define required Ansible's variables to satisfy syntax check
+# extra_vars:
+
+# List of additional kind:pattern to be added at the top of the default
+# match list, first match determines the file kind.
+kinds:
+  - tasks: "ansible/tasks/*.yml"
+  - vars: "ansible/vars.yml"

ansible/tasks/setup-nginx.yml

@@ -1,78 +1,82 @@
-- name: nginx - system user
+---
+- name: Nginx - system user
   ansible.builtin.user:
-    name: 'nginx'
-    state: 'present'
+    name: nginx
+    state: present
 
 # Kong installation steps from http://archive.vn/3HRQx
-- name: nginx - system dependencies
+- name: Nginx - system dependencies
   ansible.builtin.apt:
     pkg:
       - libpcre3-dev
       - libssl-dev
       - openssl
       - zlib1g-dev
 
-- name: nginx - download source
+- name: Nginx - download source
   ansible.builtin.get_url:
     checksum: "{{ nginx_release_checksum }}"
-    dest: '/tmp/nginx-{{ nginx_release }}.tar.gz'
-    url: "https://nginx.org/download/nginx-{{ nginx_release }}.tar.gz"
+    dest: /tmp/nginx-{{ nginx_release }}.tar.gz
+    url: https://nginx.org/download/nginx-{{ nginx_release }}.tar.gz
+    mode: '0640'
 
-- name: nginx - unpack archive
+- name: Nginx - unpack archive
   ansible.builtin.unarchive:
-    dest: '/tmp'
+    dest: /tmp
     remote_src: true
-    src: "/tmp/nginx-{{ nginx_release }}.tar.gz"
+    src: /tmp/nginx-{{ nginx_release }}.tar.gz
 
-- name: nginx - configure
+- name: Nginx - configure
   ansible.builtin.command:
     argv:
-      - ./configure 
-      - --prefix=/usr/local/nginx 
-      - --conf-path=/etc/nginx/nginx.conf 
-      - --with-http_ssl_module 
-      - --with-http_realip_module 
+      - ./configure
+      - --prefix=/usr/local/nginx
+      - --conf-path=/etc/nginx/nginx.conf
+      - --with-http_ssl_module
+      - --with-http_realip_module
       - --with-threads
+    creates: /tmp/nginx-{{ nginx_release }}/Makefile
   args:
-    chdir: "/tmp/nginx-{{ nginx_release }}"
+    chdir: /tmp/nginx-{{ nginx_release }}
   become: true
 
-- name: nginx - build and install
+- name: Nginx - build and install
   community.general.make:
-    chdir: "/tmp/nginx-{{ nginx_release }}"
+    chdir: /tmp/nginx-{{ nginx_release }}
     jobs: "{{ parallel_jobs | default(omit) }}"
     target: "{{ make_target }}"
   become: true
   loop:
-    - 'build'
-    - 'install'
+    - build
+    - install
   loop_control:
-    loop_var: 'make_target'
+    loop_var: make_target
 
-- name: nginx - hand over ownership of /etc/nginx and /usr/local/nginx to user nginx
+- name: Nginx - hand over ownership of /etc/nginx and /usr/local/nginx to user nginx
   ansible.builtin.file:
-    owner: 'nginx'
+    owner: nginx
     path: "{{ nginx_dir_item }}"
     recurse: true
   loop:
     - /etc/nginx
     - /usr/local/nginx
   loop_control:
-    loop_var: 'nginx_dir_item'
+    loop_var: nginx_dir_item
 
 # [warn] ulimit is currently set to "1024". For better performance set it to at least
 # "4096" using "ulimit -n"
-- name: nginx - bump up ulimit
+- name: Nginx - bump up ulimit
   community.general.pam_limits:
-    domain: 'nginx'
-    limit_item: 'nofile'
-    limit_type: 'soft'
-    value: '4096'
+    domain: nginx
+    limit_item: nofile
+    limit_type: soft
+    value: "4096"
 
-- name: nginx - create service file
+- name: Nginx - create service file
   ansible.builtin.template:
-    dest: '/etc/systemd/system/nginx.service'
-    src: 'files/nginx.service.j2'
+    dest: /etc/systemd/system/nginx.service
+    src: files/nginx.service.j2
+    mode: '0644'
 
 # Keep it dormant for the timebeing
 

ansible/tests/nginx.yaml

@@ -1,14 +1,16 @@
 ---
-- hosts: localhost
+- name: Setup Nginx Server
+  hosts: localhost
   tasks:
-  - name: Install dependencies
-    apt:
-      pkg:
-        - build-essential
-      update_cache: yes
-  - import_tasks: ../tasks/setup-nginx.yml
-  - name: Start Nginx service
-    service:
-      name: nginx
-      state: started
-      enabled: yes
+    - name: Install dependencies
+      ansible.builtin.apt:
+        pkg:
+          - build-essential
+        update_cache: true
+    - name: Setup Nginx using existing task file
+      ansible.builtin.import_tasks: ../tasks/setup-nginx.yml
+    - name: Start Nginx service
+      ansible.builtin.service:
+        name: nginx
+        state: started
+        enabled: true

nix/hooks.nix

@@ -18,6 +18,15 @@ in
               verbose = true;
             };
 
+            ansible-lint = {
+              enable = true;
+              verbose = true;
+              settings = {
+                configPath = "${../.ansible-lint.yml}";
+                subdir = "ansible/tests";
+              };
+            };
+
             treefmt = {
               enable = true;
               package = config.treefmt.build.wrapper;