Merge pull request 'Linter + Dashboard fixes' (#3) from more-linter into main

Reviewed-on: #3

bitlair.yaml

@@ -1,4 +1,3 @@
-
 ---
 
 - hosts: all

group_vars/monitoring.yaml

@@ -1,7 +1,7 @@
 monitoring_domain: dashboard.bitlair.nl
 monitoring_bootstrap_cert: no
 acme_san_domains:
-  - ["{{ monitoring_domain }}", monitoring.bitlair.nl]
+  - ["{{ monitoring_domain }}"]
 
 group_nft_input:
   - "# Allow web-traffic from world"
@@ -21,6 +21,7 @@ prometheus_scrape_configs:
         - "lights.bitlair.nl:9100"
         - "music.bitlair.nl:9100"
         - "service.bitlair.nl:9100"
+        - "user.bitlair.nl:9100"
   - job_name: "mqtt"
     static_configs:
       - targets: [ "localhost:9883" ]
@@ -34,6 +35,7 @@ prometheus_scrape_configs:
         - https://bitlair.nl
         - https://git.bitlair.nl
         - https://pad.bitlair.nl
+        - https://user.bitlair.nl
           # Legacy
         - https://wiki.bitlair.nl
         - https://portal.bitlair.nl

roles/common/handlers/main.yaml

@@ -1,30 +1,27 @@
 ---
-- name: update grub
+- name: Update grub
   ansible.builtin.command:
     cmd: update-grub
 
-- name: reboot
+- name: Apt update
-  ansible.builtin.reboot:
-
-- name: apt update
   ansible.builtin.apt:
     update_cache: true
 
-- name: daemon reload
+- name: Daemon reload
   ansible.builtin.systemd:
     daemon_reload: true
 
-- name: reload sshd
+- name: Reload sshd
   ansible.builtin.systemd:
     name: ssh
     state: reloaded
 
-- name: reload nginx
+- name: Reload nginx
   ansible.builtin.systemd:
     name: nginx
     state: reloaded
 
-- name: persist iptables
+- name: Persist iptables
   ansible.builtin.shell: "{{ item.c }}-save > /etc/iptables/rules.{{ item.ip }}"
   with_items:
     - { c: iptables, ip: v4 }

roles/common/tasks/debian-upgrade.yaml

@@ -21,9 +21,6 @@
   ansible.builtin.apt:
     upgrade: full
 
-- name: Reboot
-  ansible.builtin.reboot:
-
 - name: autoremove
   ansible.builtin.apt:
     autoremove: yes

roles/common/tasks/main.yaml

@@ -76,6 +76,7 @@
       - vim
       - unattended-upgrades
       - apt-listchanges
+      - sudo-ldap
 
 - name: Configure FZF for Bash
   ansible.builtin.lineinfile:
@@ -96,7 +97,7 @@
     path: /etc/default/grub
     regexp: '^GRUB_TIMEOUT='
     line: "GRUB_TIMEOUT=1 # Managed by Ansible"
-  notify: update grub
+  notify: Update grub
 
 - name: Configure cron email
   ansible.builtin.lineinfile:
@@ -118,63 +119,5 @@
     - regexp: '^#?DebianBanner'
       line: 'DebianBanner no'
   when: manage_sshd_config | default(true)
-  notify: reload sshd
+  notify: Reload sshd
 
-- name: Allow SSH
-  ansible.builtin.iptables:
-    chain: INPUT
-    protocol: tcp
-    destination_port: "{{ ssh_port }}"
-    ctstate: NEW
-    jump: ACCEPT
-    ip_version: "{{ item }}"
-  with_items:
-    - ipv4
-    - ipv6
-  notify: persist iptables
-  when: not nft | bool
-
-- name: Allow ICMP
-  ansible.builtin.iptables:
-    chain: INPUT
-    protocol: "{{ item.proto }}"
-    jump: ACCEPT
-    ip_version: "{{ item.ip }}"
-  with_items:
-    - { ip: ipv4, proto: icmp }
-    - { ip: ipv6, proto: ipv6-icmp }
-  notify: persist iptables
-  when: not nft | bool
-
-- name: Allow related and established connections
-  ansible.builtin.iptables:
-    chain: INPUT
-    ctstate: ESTABLISHED,RELATED
-    jump: ACCEPT
-    ip_version: "{{ item }}"
-  with_items:
-    - ipv4
-    - ipv6
-  notify: persist iptables
-  when: not nft | bool
-
-- name: Allow local connections
-  ansible.builtin.iptables:
-    chain: INPUT
-    source: "{{ item.cidr }}"
-    jump: ACCEPT
-    ip_version: "{{ item.v }}"
-  with_items: "{{ trusted_ranges }}"
-  notify: persist iptables
-  when: not nft | bool
-
-- name: Deny inbound connections
-  ansible.builtin.iptables:
-    chain: INPUT
-    policy: DROP
-    ip_version: "{{ item }}"
-  with_items:
-    - ipv4
-    - ipv6
-  notify: persist iptables
-  when: not nft | bool

roles/common/tasks/network.yaml

@@ -13,7 +13,6 @@
   with_items:
     - { k: net.ipv4.ip_forward, v: "1" }
     - { k: net.ipv6.conf.all.forwarding, v: "1" }
-  notify: reboot
   when: network_br
 
 - name: Make network interfaces really predictable
@@ -22,8 +21,7 @@
     regexp: ^GRUB_CMDLINE_LINUX
     line: 'GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0" # Managed by Ansible'
   notify:
-    - update grub
+    - Update grub
-    - reboot
   when: network_br or network_dhcp or network_static
 
 - name: Configure network interfaces
@@ -33,7 +31,6 @@
     owner: root
     group: root
     mode: 0644
-  notify: reboot
   when: network_br or network_dhcp or network_static
 
 - ansible.builtin.meta: flush_handlers

roles/common/tasks/vm.yaml

@@ -12,7 +12,6 @@
     regexp: ^GRUB_CMDLINE_LINUX_DEFAULT
     line: 'GRUB_CMDLINE_LINUX_DEFAULT="quiet console=ttyS0,115200n1 console=tty0"'
   notify:
-    - update grub
+    - Update grub
-    - reboot
   tags:
     - questagent

roles/etherpad/handlers/main.yaml

@@ -2,7 +2,7 @@
 - ansible.builtin.import_tasks:
     file: ../../common/handlers/main.yaml
 
-- name: restart etherpad
+- name: Restart etherpad
   ansible.builtin.systemd:
     name: etherpad
     state: restarted

roles/etherpad/tasks/main.yaml

@@ -15,7 +15,7 @@
       -o /usr/share/keyrings/nodesource.gpg
   args:
     creates: /usr/share/keyrings/nodesource.gpg
-  notify: apt update
+  notify: Apt update
 
 - name: Install nodesource source list
   ansible.builtin.template:
@@ -24,7 +24,7 @@
     owner: root
     group: root
     mode: 0644
-  notify: apt update
+  notify: Apt update
 
 - name: Install nodejs apt preference
   ansible.builtin.template:
@@ -33,7 +33,7 @@
     owner: root
     group: root
     mode: 0644
-  notify: apt update
+  notify: Apt update
 
 - ansible.builtin.meta: flush_handlers
 
@@ -88,7 +88,7 @@
     version: master
     dest: /opt/etherpad
     accept_hostkey: yes
-  notify: restart etherpad
+  notify: Restart etherpad
 
 - name: Install etherpad config
   ansible.builtin.template:
@@ -97,7 +97,7 @@
     owner: root
     group: root
     mode: 0644
-  notify: restart etherpad
+  notify: Restart etherpad
 
 - name: Install etherpad service
   ansible.builtin.template:
@@ -106,14 +106,14 @@
     owner: root
     group: root
     mode: 0644
-  notify: restart etherpad
+  notify: Restart etherpad
 
 - name: Start etherpad
   ansible.builtin.systemd:
     daemon_reload: true
     name: etherpad
     state: started
-    enabled: yes
+    enabled: true
 
 - name: Install nginx config
   ansible.builtin.template:
@@ -122,21 +122,5 @@
     owner: root
     group: root
     mode: 0644
-  notify: reload nginx
+  notify: Reload nginx
 
-- name: Allow HTTP and HTTPS
-  ansible.builtin.iptables:
-    chain: INPUT
-    protocol: tcp
-    destination_port: "{{ item.port }}"
-    ctstate: NEW
-    jump: ACCEPT
-    ip_version: "{{ item.ip }}"
-    action: insert
-  with_items:
-    - { ip: ipv4, port: 80 }
-    - { ip: ipv4, port: 443 }
-    - { ip: ipv6, port: 80 }
-    - { ip: ipv6, port: 443 }
-  notify: persist iptables
-  when: not nft | bool

roles/etherpad/tasks/requirements.yml

@@ -1,3 +1,5 @@
+---
+
 collections:
   - name: community.postgresql
     version: 2.3.2

roles/git-ci/tasks/main.yaml

@@ -1,6 +1,5 @@
 ---
-- tags: forgejo_runner
+
-  block:
 - name: Install dependencies
   ansible.builtin.apt:
     name: docker.io
@@ -38,7 +37,7 @@
 - name: Enable service
   ansible.builtin.systemd:
     name: forgejo-runner
-        enabled: yes
+    enabled: true
     daemon_reload: true
 
 - name: Start service
@@ -47,4 +46,5 @@
     state: started
     daemon_reload: true
 
-    - ansible.builtin.meta: flush_handlers
+- name: Flush handlers
+  ansible.builtin.meta: flush_handlers

roles/git-server/tasks/main.yaml

@@ -14,14 +14,14 @@
     owner: root
     group: root
     mode: 0644
-  notify: reload nginx
+  notify: Reload nginx
 
 - name: Enable nginx site
   ansible.builtin.file:
     src: /etc/nginx/sites-available/forgejo
     dest: /etc/nginx/sites-enabled/forgejo
     state: link
-  notify: reload nginx
+  notify: Reload nginx
 
 - name: Create user
   ansible.builtin.user:
@@ -38,7 +38,6 @@
     group: "{{ git_server_user }}"
     mode: 0755
 
-
 # TODO: Install initial config
 
 - name: Install service file
@@ -48,7 +47,7 @@
     owner: root
     group: root
     mode: 0644
-  notify: reload forgejo
+  notify: Reload forgejo
 
 - name: Install update script
   ansible.builtin.template:
@@ -62,12 +61,12 @@
   ansible.builtin.command: "{{ git_server_working_dir }}/update.sh"
   args:
     creates: "{{ git_server_working_dir }}/forgejo"
-  notify: reload forgejo
+  notify: Reload forgejo
 
 - name: Enable service
   ansible.builtin.systemd:
     name: forgejo
-    enabled: yes
+    enabled: true
     daemon_reload: true
 
 - name: Start service
@@ -81,24 +80,6 @@
     src: cronjob
     dest: /etc/cron.d/forgejo
 
-- name: Allow Git SSH, HTTP and HTTPS
+- name: Debug
-  ansible.builtin.iptables:
+  ansible.builtin.debug:
-    chain: INPUT
+    msg: "If Forgejo has not been setup yet, please do so manually."
-    protocol: tcp
-    destination_port: "{{ item.port }}"
-    ctstate: NEW
-    jump: ACCEPT
-    ip_version: "{{ item.ip }}"
-    action: insert
-  with_items:
-    - { ip: ipv4, port: 80 }
-    - { ip: ipv4, port: 22 }
-    - { ip: ipv4, port: 443 }
-    - { ip: ipv6, port: 80 }
-    - { ip: ipv6, port: 22 }
-    - { ip: ipv6, port: 443 }
-  notify: persist iptables
-  when: not nft | bool
-
-- ansible.builtin.debug:
-    msg: If Forgejo has not been setup yet, please do so manually.

roles/go/tasks/main.yaml

@@ -19,11 +19,11 @@
       register: go_latest_version_shell
 
     - name: Format Go latest version variable
-      set_fact:
+      ansible.builtin.set_fact:
         go_latest_version: "{{ go_latest_version_shell.stdout }}"
 
     - name: Detect installed Go version
-      shell: "go version | grep --color=never -Po '\\d\\.\\d+(\\.\\d+)?' || echo none"
+      ansible.builtin.shell: "go version | grep --color=never -Po '\\d\\.\\d+(\\.\\d+)?' || echo none"
       register: go_installed_version_shell
       changed_when: false
 
@@ -31,19 +31,20 @@
       set_fact:
         go_installed_version: "{{ go_installed_version_shell.stdout }}"
 
-    - debug:
+    - name: Debug
+      ansible.builtin.debug:
         msg:
           - "Latest Go version: {{ go_latest_version}}"
           - "Installed Go version: {{ go_installed_version }}"
 
     - name: Remove installed go
-      file:
+      ansible.builtin.file:
         state: absent
         path: /usr/local/go
       when: go_installed_version != go_latest_version
 
     - name: Install Go
-      unarchive:
+      ansible.builtin.unarchive:
         src: https://go.dev/dl/go{{ go_latest_version }}.linux-{{ go_arch }}.tar.gz
         dest: /usr/local
         remote_src: yes
@@ -52,7 +53,7 @@
       when: go_installed_version != go_latest_version
 
     - name: Configure Go environment
-      template:
+      ansible.builtin.template:
         src: go.profile
         dest: /etc/profile.d/go.sh
         owner: root
@@ -60,7 +61,7 @@
         mode: 0644
 
     - name: Link go binary
-      file:
+      ansible.builtin.file:
         state: link
         src: /usr/local/go/bin/go
         dest: /usr/local/bin/go

roles/monitoring/tasks/main.yaml

@@ -7,35 +7,20 @@
     owner: root
     group: root
     mode: 0644
-  notify: reload nginx
+  notify: Reload nginx
 
 - name: Enable nginx site
   ansible.builtin.file:
     src: /etc/nginx/sites-available/monitoring
     dest: /etc/nginx/sites-enabled/monitoring
     state: link
-  notify: reload nginx
+  notify: Reload nginx
 
 - name: Start nginx
   ansible.builtin.systemd:
     name: nginx
     state: started
-    enabled: yes
+    enabled: true
-
-- name: Allow HTTP/HTTPS
-  ansible.builtin.iptables:
-    chain: INPUT
-    protocol: tcp
-    destination_port: "{{ item.port }}"
-    ctstate: NEW
-    jump: ACCEPT
-    ip_version: "{{ item.ip }}"
-    action: insert
-  with_items:
-    - { ip: ipv6, port: 80 }
-    - { ip: ipv6, port: 443 }
-  notify: persist iptables
-  when: not nft | bool
 
 - name: mqtt_exporter
   tags: mqtt_exporter

roles/monitoring/templates/grafana.ini

@@ -69,6 +69,9 @@ level = info
 [grafana_com]
 url = https://grafana.com
 
+[auth]
+oauth_allow_insecure_email_lookup=true
+
 [auth.anonymous]
 enabled = true
 org_name = Bitlair

roles/mqtt/tasks/main.yaml

@@ -29,4 +29,4 @@
   ansible.builtin.systemd:
     name: mosquitto
     state: started
-    enabled: yes
+    enabled: true

roles/music/handlers/main.yaml

@@ -2,37 +2,37 @@
 - ansible.builtin.import_tasks:
     file: ../../common/handlers/main.yaml
 
-- name: restart trollibox
+- name: Restart trollibox
   ansible.builtin.systemd:
     name: trollibox
     state: restarted
     daemon_reload: true
 
-- name: rebuild librespot
+- name: Rebuild librespot
   ansible.builtin.command:
     cmd: /root/.cargo/bin/cargo build --release --features jackaudio-backend
   args:
     chdir: /opt/librespot
 
-- name: restart librespot
+- name: Restart librespot
   ansible.builtin.systemd:
     name: librespot
     state: restarted
     daemon_reload: true
 
-- name: restart soundboard
+- name: Restart soundboard
   ansible.builtin.systemd:
     name: soundboard
     state: restarted
     daemon_reload: true
 
-- name: restart mpd-volume-to-mqtt
+- name: Restart mpd-volume-to-mqtt
   ansible.builtin.systemd:
     name: mpd-volume-to-mqtt
     state: restarted
     daemon_reload: true
 
-- name: restart skipbutton
+- name: Restart skipbutton
   ansible.builtin.systemd:
     name: skipbutton
     state: restarted

roles/music/tasks/librespot.yaml

@@ -11,8 +11,8 @@
     dest: /opt/librespot
     accept_hostkey: yes
   notify:
-    - rebuild librespot
+    - Rebuild librespot
-    - restart librespot
+    - Restart librespot
 
 - name: Install service file
   ansible.builtin.template:
@@ -21,7 +21,7 @@
     owner: root
     group: root
     mode: 0644
-  notify: restart librespot
+  notify: Restart librespot
 
 - name: Enable Librespot
   ansible.builtin.systemd:

roles/music/tasks/main.yaml

@@ -1,22 +1,28 @@
 ---
-- tags: music_mpd
+
+- name: Import mpd
   ansible.builtin.import_tasks:
     file: mpd.yaml
+  tags:
+    - music_mpd
 
-- tags: music_trollibox
+- name: Import trollibox
   ansible.builtin.import_tasks:
     file: trollibox.yaml
+  tags:
+    - music_trollibox
 
-- tags: music_librespot
+- name: Librespot
   ansible.builtin.import_tasks:
     file: librespot.yaml
+  tags:
+    - music_librespot
 
-- tags: music_soundboard
+- name: Soundboard
   ansible.builtin.import_tasks:
     file: soundboard.yaml
-
+  tags:
-- tags: music
+    - music_soundboard
-  block:
 
 - name: Install nginx config
   ansible.builtin.template:
@@ -25,4 +31,4 @@
     owner: root
     group: root
     mode: 0644
-      notify: reload nginx
+  notify: Reload nginx

roles/music/tasks/mpd.yaml

@@ -1,4 +1,5 @@
 ---
+
 - name: Install MPD
   ansible.builtin.apt:
     name:
@@ -15,7 +16,7 @@
     owner: root
     group: root
     mode: 0644
-  notify: restart mpd-volume-to-mqtt
+  notify: Restart mpd-volume-to-mqtt
 
 - name: Install mpd-volume-to-mqtt service
   ansible.builtin.template:
@@ -24,7 +25,7 @@
     owner: root
     group: root
     mode: 0644
-  notify: restart mpd-volume-to-mqtt
+  notify: Restart mpd-volume-to-mqtt
 
 - name: Enable mpd-volume-to-mqtt
   ansible.builtin.systemd:
@@ -39,7 +40,7 @@
     version: master
     dest: /opt/skipbutton
     accept_hostkey: yes
-  notify: restart skipbutton
+  notify: Restart skipbutton
 
 - name: Install skipbutton service
   ansible.builtin.template:
@@ -48,7 +49,7 @@
     owner: root
     group: root
     mode: 0644
-  notify: restart skipbutton
+  notify: Restart skipbutton
 
 - name: Enable skipbutton
   ansible.builtin.systemd:

roles/music/tasks/soundboard.yaml

@@ -10,7 +10,7 @@
     version: main
     dest: /opt/soundboard
     accept_hostkey: yes
-  notify: restart soundboard
+  notify: Restart soundboard
 
 - name: Create virtualenv
   ansible.builtin.command:
@@ -31,7 +31,7 @@
     owner: root
     group: root
     mode: 0644
-  notify: restart soundboard
+  notify: Restart soundboard
 
 - name: Install soundboard service file
   ansible.builtin.template:
@@ -40,7 +40,7 @@
     owner: root
     group: root
     mode: 0644
-  notify: restart soundboard
+  notify: Restart soundboard
 
 - name: Enable soundboard
   ansible.builtin.systemd:

roles/music/tasks/trollibox.yaml

@@ -5,8 +5,8 @@
     dest: /etc/trollibox.yaml
     owner: root
     group: root
-    mode: 0644
+    mode: "0644"
-  notify: restart trollibox
+  notify: Restart trollibox
 
 - name: Get latest Trollibox version from Github API
   ansible.builtin.get_url:
@@ -25,8 +25,8 @@
     remote_src: yes
     dest: /usr/local/bin
     include: [ trollibox ]
-    mode: 0755
+    mode: "0755"
-  notify: restart trollibox
+  notify: Restart trollibox
 
 - name: Install service file
   ansible.builtin.template:
@@ -34,8 +34,8 @@
     dest: /etc/systemd/system/trollibox.service
     owner: root
     group: root
-    mode: 0644
+    mode: "0644"
-  notify: restart trollibox
+  notify: Restart trollibox
 
 - name: Enable Trollibox
   ansible.builtin.systemd:

roles/nginx/defaults/main.yaml

@@ -4,7 +4,6 @@ nginx_package:              "nginx-light"
 nginx_user:                 "www-data"
 nginx_modules_dir:          "/etc/nginx/modules-enabled"
 
-
 nginx_tls_version:          "TLSv1.2 TLSv1.3"
 nginx_tls_cipherlist:       "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:!SHA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
 nginx_tls_curve:            "prime256v1:secp384r1"
@@ -14,4 +13,3 @@ nginx_ssl_stapling:         "on"
 nginx_ssl_stapling_verify:  "on"
 nginx_wk_acme:              "/var/lib/dehydrated/acme-challenges"
 nginx_client_max_body_size: "32m"
-

roles/photos/tasks/bambulab-fetch.yaml

@@ -33,5 +33,5 @@
   ansible.builtin.systemd:
     name: bambulab-fetch
     state: started
-    enabled: yes
+    enabled: true
     daemon_reload: true

roles/photos/tasks/photo-gallery.yaml

@@ -33,5 +33,5 @@
   ansible.builtin.systemd:
     name: photo-gallery
     state: started
-    enabled: yes
+    enabled: true
     daemon_reload: true

roles/photos/tasks/photos2mqtt.yaml

@@ -31,5 +31,5 @@
   ansible.builtin.systemd:
     name: photos2mqtt
     state: started
-    enabled: yes
+    enabled: true
     daemon_reload: true

roles/raspi/tasks/main.yaml

@@ -15,7 +15,7 @@
 - name: Enable sshd
   ansible.builtin.systemd:
     name: sshd
-    enabled: yes
+    enabled: true
     state: started
 
 - name: Rotate display
@@ -24,7 +24,6 @@
     line: "display_rotate={{ raspi_rotate_display }} # Managed by Ansible"
     regexp: "^#?display_rotate"
   when: raspi_rotate_display is defined
-  notify: reboot
 
 - name: Disable swap
   block:
@@ -45,4 +44,3 @@
     path: /etc/dhcpcd.conf
     line: "slaac hwaddr # Managed by Ansible"
     regexp: "^#?slaac"
-  notify: reboot

roles/services/handlers/main.yaml

@@ -2,55 +2,55 @@
 - ansible.builtin.import_tasks:
     file: ../../common/handlers/main.yaml
 
-- name: restart irc-bot
+- name: Restart irc-bot
   ansible.builtin.systemd:
     name: irc-bot
     state: restarted
     daemon_reload: true
 
-- name: restart irc-photos
+- name: Restart irc-photos
   ansible.builtin.systemd:
     name: irc-photos
     state: restarted
     daemon_reload: true
 
-- name: restart irc-doorduino
+- name: Restart irc-doorduino
   ansible.builtin.systemd:
     name: irc-doorduino
     state: restarted
     daemon_reload: true
 
-- name: restart discord-bot
+- name: Restart discord-bot
   ansible.builtin.systemd:
     name: discord-bot
     state: restarted
     daemon_reload: true
 
-- name: restart siahsd
+- name: Restart siahsd
   ansible.builtin.systemd:
     name: siahsd
     state: restarted
     daemon_reload: true
 
-- name: restart spacestated
+- name: Restart spacestated
   ansible.builtin.systemd:
     name: spacestated
     state: restarted
     daemon_reload: true
 
-- name: restart mastodon-spacestate
+- name: Restart mastodon-spacestate
   ansible.builtin.systemd:
     name: mastodon-spacestate
     state: restarted
     daemon_reload: true
 
-- name: restart wifi-mqtt
+- name: Restart wifi-mqtt
   ansible.builtin.systemd:
     name: wifi-mqtt
     state: restarted
     daemon_reload: true
 
-- name: restart power-mqtt
+- name: Restart power-mqtt
   ansible.builtin.systemd:
     name: power-mqtt
     state: restarted

roles/services/tasks/discord_bot.yaml

@@ -1,4 +1,5 @@
 ---
+
 - name: Install dependencies
   ansible.builtin.apt:
     name:
@@ -24,7 +25,8 @@
     version: main
     dest: /var/lib/discord-bot
     accept_hostkey: yes
-  notify: restart discord-bot
+  notify: Restart discord-bot
+  ignore_errors: true
 
 - name: Install service file
   ansible.builtin.template:
@@ -32,12 +34,12 @@
     dest: /etc/systemd/system/discord-bot.service
     owner: root
     group: root
-    mode: 0644
+    mode: "0644"
-  notify: restart discord-bot
+  notify: Restart discord-bot
 
 - name: Start discord-bot
   ansible.builtin.systemd:
     name: discord-bot
     state: started
-    enabled: yes
+    enabled: true
     daemon_reload: true

roles/services/tasks/ircbot.yaml

@@ -5,7 +5,8 @@
     version: master
     dest: /var/lib/irc-bot
     accept_hostkey: yes
-  notify: restart irc-bot
+  ignore_errors: true
+  notify: Restart irc-bot
 
 - name: Link irc-say
   ansible.builtin.file:
@@ -23,13 +24,13 @@
   vars:
     description: Bitlair IRC bot
     exec: /bin/bash /var/lib/irc-bot/irc-bot
-  notify: restart irc-bot
+  notify: Restart irc-bot
 
 - name: Start irc-bot
   ansible.builtin.systemd:
     name: irc-bot
     state: started
-    enabled: yes
+    enabled: true
     daemon_reload: true
 
 - name: Create helpers dir
@@ -44,7 +45,7 @@
     owner: root
     group: root
     mode: 0755
-  notify: restart irc-photos
+  notify: Restart irc-photos
 
 - name: Install photos notification service
   ansible.builtin.template:
@@ -57,13 +58,13 @@
     description: Bitlair IRC photos notification
     requires: irc-bot.service
     exec: /bin/bash /var/lib/irc-helpers/photos.sh
-  notify: restart irc-photos
+  notify: Restart irc-photos
 
 - name: Start irc-photos
   ansible.builtin.systemd:
     name: irc-photos
     state: started
-    enabled: yes
+    enabled: true
     daemon_reload: true
 
 - name: Install doorduino notification
@@ -73,7 +74,7 @@
     owner: root
     group: root
     mode: 0755
-  notify: restart irc-doorduino
+  notify: Restart irc-doorduino
 
 - name: Install doorduino notification service
   ansible.builtin.template:
@@ -86,11 +87,11 @@
     description: Bitlair IRC doorduino notification
     requires: irc-bot.service
     exec: /bin/bash /var/lib/irc-helpers/doorduino.sh
-  notify: restart irc-doorduino
+  notify: Restart irc-doorduino
 
 - name: Start irc-doorduino
   ansible.builtin.systemd:
     name: irc-doorduino
     state: started
-    enabled: yes
+    enabled: true
     daemon_reload: true

roles/services/tasks/main.yaml

@@ -1,22 +1,43 @@
 ---
-- tags: services_ircbot
+
+- name: Import ircbot
   ansible.builtin.import_tasks:
     file: ircbot.yaml
+  tags:
+    - services_ircbot
 
-- tags: services_discord_bot
+- name: Import services_discord_bot
-  ansible.builtin.import_tasks: discord_bot.yaml
+  ansible.builtin.import_tasks:
+    file: discord_bot.yaml
+  tags:
+    - services_discord_bot
 
-- tags: services_siahsd
+- name: Import siahsd
-  import_tasks: siahsd.yaml
+  ansible.builtin.import_tasks:
+    file: siahsd.yaml
+  tags:
+    - services_siahsd
 
-- tags: services_spacestated
+- name: Import spacestated
-  import_tasks: spacestated.yaml
+  ansible.builtin.import_tasks:
+    file: spacestated.yaml
+  tags:
+    - services_spacestated
 
-- tags: services_mastodon_spacestate
+- name: Import mastodon_spacestate.yaml
-  import_tasks: mastodon_spacestate.yaml
+  ansible.builtin.import_tasks:
+    file: mastodon_spacestate.yaml
+  tags:
+    - services_mastodon_spacestate
 
-- tags: services_wifi_mqtt
+- name: import wifi_mqtt
-  import_tasks: wifi_mqtt.yaml
+  ansible.builtin.import_tasks:
+    file: wifi_mqtt.yaml
+  tags:
+    - services_wifi_mqtt
 
-- tags: services_power_mqtt
+- name: Import power_mqt
-  import_tasks: power_mqtt.yaml
+  ansible.builtin.import_tasks:
+    file: power_mqtt.yaml
+  tags:
+    - services_power_mqtt

roles/services/tasks/mastodon_spacestate.yaml

@@ -11,7 +11,8 @@
     version: main
     dest: /var/lib/mastodon-spacestate
     accept_hostkey: yes
-  notify: restart mastodon-spacestate
+  notify: Restart mastodon-spacestate
+  ignore_errors: true
 
 - name: Install config
   ansible.builtin.template:
@@ -20,7 +21,7 @@
     owner: root
     group: root
     mode: 0655
-  notify: restart mastodon-spacestate
+  notify: Restart mastodon-spacestate
 
 - name: Install service file
   ansible.builtin.template:
@@ -29,11 +30,11 @@
     owner: root
     group: root
     mode: 0644
-  notify: restart mastodon-spacestate
+  notify: Restart mastodon-spacestate
 
 - name: Start mastodon-spacestate
   ansible.builtin.systemd:
     name: mastodon-spacestate
     state: started
-    enabled: yes
+    enabled: true
     daemon_reload: true

roles/services/tasks/power_mqtt.yaml

@@ -10,7 +10,7 @@
     owner: root
     group: root
     mode: 0755
-  notify: restart power-mqtt
+  notify: Restart power-mqtt
 
 - name: Remove old service
   ansible.builtin.file:
@@ -27,13 +27,13 @@
   vars:
     description: "SMD630 to MQTT Probe"
     exec: "/var/lib/power-mqtt.py %i"
-  notify: restart power-mqtt@
+  notify: Restart power-mqtt@
 
 - name: Enable power-mqtt
   ansible.builtin.systemd:
     name: "power-mqtt@{{ item.net }}/{{ item.ip }}"
     state: started
-    enabled: yes
+    enabled: true
     daemon_reload: true
   with_items:
     - net: space

roles/services/tasks/siahsd.yaml

@@ -7,6 +7,7 @@
     state: directory
     owner: siahsd
     group: nogroup
+    mode: "0750"
   with_items:
     - /var/log/siahsd
     - /var/lib/siahsd
@@ -17,8 +18,8 @@
     dest: /etc/siahsd.conf
     owner: root
     group: root
-    mode: 0644
+    mode: "0644"
-  notify: restart siahsd
+  notify: Restart siahsd
 
 - name: Install service file
   ansible.builtin.template:
@@ -26,24 +27,13 @@
     dest: /etc/systemd/system/siahsd.service
     owner: root
     group: root
-    mode: 0644
+    mode: "0644"
-  notify: restart siahsd
+  notify: Restart siahsd
 
 - name: Start siahsd
   ansible.builtin.systemd:
     name: siahsd
     state: started
-    enabled: yes
+    enabled: true
     daemon_reload: true
 
-- name: Allow siahsd traffic
-  ansible.builtin.iptables:
-    chain: INPUT
-    protocol: udp
-    destination_port: "4000"
-    jump: ACCEPT
-    ip_version: "{{ item }}"
-    action: insert
-  with_items: [ ipv4, ipv6 ]
-  notify: persist iptables
-  when: not nft | bool

roles/services/tasks/spacestated.yaml

@@ -24,7 +24,8 @@
     version: main
     dest: /var/lib/spacestated/spacestated
     accept_hostkey: yes
-  notify: restart spacestated
+  notify: Restart spacestated
+  ignore_errors: true
 
 - name: Install service file
   ansible.builtin.template:
@@ -33,11 +34,11 @@
     owner: root
     group: root
     mode: 0644
-  notify: restart spacestated
+  notify: Restart spacestated
 
 - name: Start spacestated
   ansible.builtin.systemd:
     name: spacestated
     state: started
-    enabled: yes
+    enabled: true
     daemon_reload: true

roles/services/tasks/wifi_mqtt.yaml

@@ -7,25 +7,26 @@
       - make
 
 - name: Clone source
-  git:
+  ansible.builtin.git:
     repo: https://github.com/bitlair/wifi-mqtt.git
     version: main
     dest: /var/lib/wifi-mqtt
     accept_hostkey: yes
-  notify: restart wifi-mqtt
+  notify: Restart wifi-mqtt
+  ignore_errors: true
 
 - name: Install service file
-  template:
+  ansible.builtin.template:
     src: wifi-mqtt.service
     dest: /etc/systemd/system/wifi-mqtt.service
     owner: root
     group: root
-    mode: 0644
+    mode: "0644"
-  notify: restart wifi-mqtt
+  notify: Restart wifi-mqtt
 
 - name: Start wifi-mqtt
-  systemd:
+  ansible.builtin.systemd:
     name: wifi-mqtt
     state: started
-    enabled: yes
+    enabled: true
     daemon_reload: true

roles/www/handlers/main.yaml

@@ -1,14 +1,15 @@
 ---
-- ansible.builtin.import_tasks:
+- name: Import handlers
+  ansible.builtin.import_tasks:
     file: ../../common/handlers/main.yaml
 
-- name: restart spaceapi
+- name: Restart spaceapi
   ansible.builtin.systemd:
     name: spaceapi
     state: restarted
     daemon_reload: true
 
-- name: restart mqtt2web
+- name: Restart mqtt2web
   ansible.builtin.systemd:
     name: mqtt2web
     state: restarted

roles/www/tasks/main.yaml

@@ -1,16 +1,25 @@
 ---
-- tags: www_calendar
+
+- name: Import calendar
   ansible.builtin.import_tasks:
     file: calendar.yaml
+  tags:
+    - www_calendar
 
-- tags: www_mediawiki
+- name: Import mediawiki
   ansible.builtin.import_tasks:
     file: mediawiki.yaml
+  tags:
+    - www_mediawiki
 
-- tags: www_mqtt
+- name: Import mqtt
   ansible.builtin.import_tasks:
     file: mqtt.yaml
+  tags:
+    - www_mqtt
 
-- tags: www_spaceapi
+- name: Import spaceapi
   ansible.builtin.import_tasks:
     file: spaceapi.yaml
+  tags:
+    - www_spaceapi

roles/www/tasks/mediawiki.yaml

@@ -1,4 +1,5 @@
 ---
+
 - name: Install dependencies
   ansible.builtin.apt:
     name: php-fpm
@@ -12,19 +13,3 @@
     group: root
     mode: 0644
 
-- name: Allow HTTP/HTTPS
-  ansible.builtin.iptables:
-    chain: INPUT
-    protocol: tcp
-    destination_port: "{{ item.port }}"
-    ctstate: NEW
-    jump: ACCEPT
-    ip_version: "{{ item.ip }}"
-    action: insert
-  with_items:
-    - { ip: ipv4, port: 80 }
-    - { ip: ipv4, port: 443 }
-    - { ip: ipv6, port: 80 }
-    - { ip: ipv6, port: 443 }
-  notify: persist iptables
-  when: not nft | bool

roles/www/tasks/mqtt.yaml

@@ -1,4 +1,5 @@
 ---
+
 - name: Install dependencies
   ansible.builtin.apt:
     name:
@@ -6,32 +7,17 @@
       - liblinux-epoll-perl
       - mosquitto
 
-- name: Allow MQTT
-  ansible.builtin.iptables:
-    chain: INPUT
-    protocol: tcp
-    destination_port: "{{ item.port }}"
-    ctstate: NEW
-    jump: ACCEPT
-    ip_version: "{{ item.ip }}"
-    action: insert
-  with_items:
-    - { ip: ipv4, port: 1883 }
-    - { ip: ipv6, port: 1883 }
-  notify: persist iptables
-  when: not nft | bool
-
 - name: Install mqtt-simple
-  ansible.builtin.command:
+  community.general.cpanm:
-    cmd: cpan Net::MQTT::Simple
+    name: Net::MQTT::Simple
 
 - name: Clone mqtt2web source
   ansible.builtin.git:
     repo: https://github.com/bitlair/mqtt2web.git
     version: master
     dest: /opt/mqtt2web
-    accept_hostkey: yes
+    accept_hostkey: true
-  notify: restart mqtt2web
+  notify: Restart mqtt2web
 
 - name: Install mqtt2web service file
   ansible.builtin.template:
@@ -41,10 +27,11 @@
     group: root
     mode: 0644
   notify:
-    - daemon reload
+    - Daemon reload
-    - restart mqtt2web
+    - Restart mqtt2web
 
-- ansible.builtin.meta: flush_handlers
+- name: Flush handlers
+  ansible.builtin.meta: flush_handlers
 
 - name: Enable mqtt2web
   ansible.builtin.systemd:

roles/www/tasks/spaceapi.yaml

@@ -4,8 +4,8 @@
     repo: https://github.com/bitlair/spaceapi.git
     version: main
     dest: /opt/spaceapi
-    accept_hostkey: yes
+    accept_hostkey: true
-  notify: restart spaceapi
+  notify: Restart spaceapi
 
 - name: Install spaceapi service file
   ansible.builtin.template:
@@ -13,8 +13,8 @@
     dest: /etc/systemd/system/spaceapi.service
     owner: root
     group: root
-    mode: 0644
+    mode: "0644"
-  notify: restart spaceapi
+  notify: Restart spaceapi
 
 - name: Enable spaceapi
   ansible.builtin.systemd: