Merge pull request #79 from cisagov/lineage/skeleton
⚠️ CONFLICT! Lineage pull request for: skeleton
jsf9k authored Jun 12, 2024
2 parents cf4a126 + db8b0b6 commit b39f654
Showing 15 changed files with 358 additions and 92 deletions.
2 changes: 2 additions & 0 deletions .github/dependabot.yml
Expand Up @@ -20,6 +20,8 @@ updates:
- dependency-name: mxschmitt/action-tmate
- dependency-name: step-security/harden-runner
# Managed by cisagov/skeleton-ansible-role
- dependency-name: docker/setup-buildx-action
- dependency-name: docker/setup-qemu-action
- dependency-name: github/codeql-action
package-ecosystem: github-actions
schedule:
57 changes: 56 additions & 1 deletion .github/workflows/build.yml
Expand Up @@ -168,12 +168,60 @@ jobs:
uses: mxschmitt/action-tmate@v3
if: env.RUN_TMATE
test:
name: >-
test (${{ matrix.scenario }}) -
${{ matrix.platform }}-${{ matrix.architecture }}
needs:
- diagnostics
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
architecture:
- amd64
# We cannot currently test _any_ ARM64 platforms under QEMU
# because QEMU cannot currently support iptables:
# https://github.com/multiarch/qemu-user-static/issues/191
# - arm64
platform:
# Amazon Linux 2 does not appear to provide OpenVPN
# - amazonlinux2023-systemd
- debian10-systemd
- debian11-systemd
- debian12-systemd
- debian13-systemd
# For reasons I haven't been able to discern, the Fedora
# molecule tests work fine locally but fail in GitHub
# Actions due to being unable to perform some iptables
# operations. I would think this was due to some kernel
# module not being loaded in the underlying host instance,
# except that other platforms pass just fine in GitHub
# Actions.
#
# I've already spent too much time on this, and the role
# works just fine when building a Fedora AMI, so I will make
# the executive decision to remove Fedora support for now.
# I created this issue to document the error:
# https://github.com/cisagov/ansible-role-ufw/issues/3
# - fedora39-systemd
# - fedora40-systemd
- kali-systemd
# For reasons I haven't been able to discern, the Ubuntu
# Focal molecule tests work fine locally but fail in GitHub
# Actions due to being unable to perform some iptables
# operations. I would think this was due to some kernel
# module not being loaded in the underlying host instance,
# except that other platforms pass just fine in GitHub
# Actions.
#
# I've already spent too much time on this, and we don't
# require the Ubuntu support right now, so I will make the
# executive decision to remove Ubuntu Focal support for now.
# I created this issue to document the error:
# https://github.com/cisagov/ansible-role-ufw/issues/3
# - ubuntu-20-systemd
- ubuntu-22-systemd
- ubuntu-24-systemd
scenario:
- default
steps:
Expand Down Expand Up @@ -204,8 +252,15 @@ jobs:
run: |
python -m pip install --upgrade pip
pip install --upgrade --requirement requirements-test.txt
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Run molecule tests
run: molecule test --scenario-name ${{ matrix.scenario }}
run: >-
molecule test
--platform-name ${{ matrix.platform }}-${{ matrix.architecture }}
--scenario-name ${{ matrix.scenario }}
- name: Setup tmate debug session
uses: mxschmitt/action-tmate@v3
if: env.RUN_TMATE
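Review bot: The new `Set up QEMU` and `Set up Docker Buildx` steps reference `docker/setup-qemu-action@v3` and `docker/setup-buildx-action@v3` by mutable major-version tag, while the dependabot change in this same PR adds both actions to the ignore list, so neither a pin nor an update PR will track what those tags resolve to in this repository. If the intent is that cisagov/skeleton-ansible-role owns those versions, a short comment beside the two steps saying so (mirroring the `# Managed by cisagov/skeleton-ansible-role` comment in dependabot.yml) would make that explicit; otherwise pinning each to a full commit SHA with the version in a trailing comment keeps the supply chain auditable. The `test` job begins in the first hunk of this file and the trailing tmate step is unchanged context.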
51 changes: 35 additions & 16 deletions .pre-commit-config.yaml
Expand Up @@ -5,7 +5,7 @@ default_language_version:

repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.5.0
rev: v4.6.0
hooks:
- id: check-case-conflict
- id: check-executables-have-shebangs
Expand All @@ -31,7 +31,7 @@ repos:

# Text file hooks
- repo: https://github.com/igorshubovych/markdownlint-cli
rev: v0.39.0
rev: v0.41.0
hooks:
- id: markdownlint
args:
Expand All @@ -46,7 +46,7 @@ repos:
# mirror does not pull tags for old major versions once a new major
# version tag is published.
additional_dependencies:
- prettier@3.2.5
- prettier@3.3.1
- repo: https://github.com/adrienverge/yamllint
rev: v1.35.1
hooks:
Expand All @@ -56,14 +56,14 @@ repos:

# GitHub Actions hooks
- repo: https://github.com/python-jsonschema/check-jsonschema
rev: 0.28.0
rev: 0.28.4
hooks:
- id: check-github-actions
- id: check-github-workflows

# pre-commit hooks
- repo: https://github.com/pre-commit/pre-commit
rev: v3.6.2
rev: v3.7.1
hooks:
- id: validate_manifest

Expand Down Expand Up @@ -98,7 +98,7 @@ repos:

# Shell script hooks
- repo: https://github.com/scop/pre-commit-shfmt
rev: v3.7.0-4
rev: v3.8.0-1
hooks:
- id: shfmt
args:
Expand All @@ -116,21 +116,22 @@ repos:
# Redirect operators are followed by a space
- --space-redirects
- repo: https://github.com/shellcheck-py/shellcheck-py
rev: v0.9.0.6
rev: v0.10.0.1
hooks:
- id: shellcheck

# Python hooks
- repo: https://github.com/PyCQA/bandit
rev: 1.7.7
rev: 1.7.8
hooks:
- id: bandit
# Bandit complains about the use of assert() in tests
exclude: molecule/default/tests
# Bandit complains about the use of assert() in tests. This should cover
# the tests/ subdirectory for any molecule scenario.
exclude: molecule/[^/]+/tests
args:
- --config=.bandit.yml
- repo: https://github.com/psf/black-pre-commit-mirror
rev: 24.2.0
rev: 24.4.2
hooks:
- id: black
- repo: https://github.com/PyCQA/flake8
Expand All @@ -144,26 +145,44 @@ repos:
hooks:
- id: isort
- repo: https://github.com/pre-commit/mirrors-mypy
rev: v1.8.0
rev: v1.10.0
hooks:
- id: mypy
additional_dependencies:
- types-PyYAML
- repo: https://github.com/asottile/pyupgrade
rev: v3.15.1
rev: v3.15.2
hooks:
- id: pyupgrade

# Ansible hooks
- repo: https://github.com/ansible/ansible-lint
rev: v24.2.0
rev: v24.6.0
hooks:
- id: ansible-lint
# files: molecule/default/playbook.yml
additional_dependencies:
# On its own ansible-lint does not pull in ansible, only
# ansible-core. Therefore, if an Ansible module lives in
# ansible instead of ansible-core, the linter will complain
# that the module is unknown. In these cases it is
# necessary to add the ansible package itself as an
# additional dependency, with the same pinning as is done in
# requirements-test.txt of cisagov/skeleton-ansible-role.
# - ansible>=9,<10
# ansible-core 2.16.3 through 2.16.6 suffer from the bug
# discussed in ansible/ansible#82702, which breaks any
# symlinked files in vars, tasks, etc. for any Ansible role
# installed via ansible-galaxy. Hence we never want to
# install those versions.
#
# Note that any changes made to this dependency must also be
# made in requirements.txt in cisagov/skeleton-packer and
# requirements-test.txt in cisagov/skeleton-ansible-role.
- ansible-core>=2.16.7

# Terraform hooks
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.88.0
rev: v1.90.0
hooks:
- id: terraform_fmt
- id: terraform_validate
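Review bot: The new `ansible-core>=2.16.7` entry under the ansible-lint hook's additional_dependencies has only a lower bound, so the version pre-commit installs depends on when the hook environment is built and can drift from whatever requirements-test.txt pins, even though the comment above it says the two must be kept in sync; the commented-out `# - ansible>=9,<10` example just above does carry an upper bound. Consider matching that style, e.g. `- ansible-core>=2.16.7,<2.17`, or whichever bound requirements-test.txt actually uses. The bandit `exclude: molecule/[^/]+/tests` change looks right, since pre-commit matches exclude patterns with search semantics and this covers the tests directory of any scenario.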
5 changes: 5 additions & 0 deletions README.md
Expand Up @@ -39,6 +39,11 @@ ufw disable && ufw enable
These steps can be performed via cloud-init, as is done
[here](https://github.com/cisagov/openvpn-server-tf-module/blob/develop/cloudinit/create-iptables-rule-for-nat.sh).

> [!NOTE]
> We cannot currently test *any* ARM64 platforms under QEMU because
> [QEMU cannot currently support
> `iptables`](https://github.com/multiarch/qemu-user-static/issues/191).
## Requirements ##

None.
5 changes: 3 additions & 2 deletions meta/main.yml
Expand Up @@ -19,7 +19,7 @@ galaxy_info:
description: Install and configure OpenVPN
galaxy_tags:
- openvpn
license: CC0
license: CC0-1.0
# With the release of version 2.10, Ansible finally correctly
# identifies Kali Linux as being the Kali distribution of the Debian
# OS family. This simplifies a lot of things for roles that support
Expand Down Expand Up @@ -52,8 +52,8 @@ galaxy_info:
# https://github.com/cisagov/ansible-role-ufw/issues/3
# - name: Fedora
# versions:
# - "38"
# - "39"
# - "40"
- name: Kali
versions:
- "2023"
Expand All @@ -73,5 +73,6 @@ galaxy_info:
# https://github.com/cisagov/ansible-role-ufw/issues/3
# - focal
- jammy
- noble
role_name: openvpn
standalone: true
49 changes: 49 additions & 0 deletions molecule/default/externally-managed-python.yml
@@ -0,0 +1,49 @@
---
# This is in place to restore a destructive action in geerlingguy's Ansible
# Docker images that we use for testing. The change is fine for the intended
# purpose of the images but not for how we use them.
- name: Ensure Python is marked as externally managed if appropriate
hosts: all
become: true
become_method: ansible.builtin.sudo
tasks:
- name: Ensure Python is marked as externally managed
when:
- ansible_distribution in ["Debian", "Ubuntu"]
- ansible_distribution_release not in ["bullseye", "buster", "focal", "jammy"]
block:
- name: Gather package facts
ansible.builtin.package_facts:
manager: auto

- name: Ensure the EXTERNALLY-MANAGED file is present if Python 3 is installed
when: '"python3" in ansible_facts.packages'
block:
# This gets a unique list of installed Python packages in the form of major.minor
# by taking the list of installed Python packages and:
# 1. Extracting the version from each package's information
# 2. Removing any version information after the major.minor version
# 3. Ensuring there are no duplicates
#
# NOTE:
# Since the value of python_versions is a multiline string, the regex expressions used in
# the regex_replace filter must use single backslashes for special sequences. If the value
# of python_versions were to be changed from a multiline string, the special sequences
# must be modified to use double backslashes instead. This is due to how the YAML is
# processed when Ansible reads the playbook.
- name: Extract version information about installed Python packages
ansible.builtin.set_fact:
python_versions: >-
{{
ansible_facts.packages["python3"]
| map(attribute="version")
| map("regex_replace", "^(\d+\.\d+)\.\d+.*$", "\1")
| unique
}}
- name: Restore EXTERNALLY-MANAGED file for Python
ansible.builtin.template:
dest: /usr/lib/python{{ item }}/EXTERNALLY-MANAGED
mode: 0644
src: EXTERNALLY-MANAGED.j2
loop: "{{ python_versions }}"
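Review bot: `mode: 0644` on the `Restore EXTERNALLY-MANAGED file for Python` task is an unquoted implicit-octal scalar; it only yields the intended permissions because Ansible's YAML 1.1 loader reads the leading zero as octal, and ansible-lint's yaml octal-values rule would likely flag the form. Quote it as `mode: "0644"` so the value is a string regardless of loader. The outer block's `when` excludes the listed older releases by name, so any Debian or Ubuntu release not in that list, including future ones, gets the file; if that is the intent, a one-line comment above the condition stating it would save the next reader from checking.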
