Merge pull request #66 from systemli/patch-1

Bump Integration Workflow to v1.0.0

.ansible-lint

@@ -1,4 +1,3 @@
 ---
 skip_list:
-  - fqcn-builtins
-  - no-handler  # Tasks that run when changed should likely be handlers.
+  - no-handler # Tasks that run when changed should likely be handlers.

.github/workflows/main.yml

@@ -5,7 +5,7 @@ on:
   push:
     branches:
       - main
-    tags:        
+    tags:
       - '**'           # Push events to every tag including hierarchical tags like v1.0/beta
     paths-ignore:
       - ".*"
@@ -19,6 +19,6 @@ on:
 jobs:
   integration:
     name: Integration
-    uses: systemli/github-ansible-workflow/.github/workflows/ansible-integration-workflow.yaml@main
+    uses: systemli/github-ansible-workflow/.github/workflows/ansible-integration-workflow.yaml@v1.0.0
     with:
       distros: '[ "debian11", "debian10" ]'

handlers/main.yml

@@ -1,20 +1,19 @@
 ---
-
 - name: Restart bind9
-  service:
+  ansible.builtin.service:
     name: bind9
     state: restarted
 
 - name: Reload bind9
-  service:
+  ansible.builtin.service:
     name: bind9
     state: reloaded
 
 - name: Restart monit
-  service:
+  ansible.builtin.service:
     name: monit
     state: restarted
 
 - name: Zone file change
-  debug:
+  ansible.builtin.debug:
     msg: "dummy handler"

tasks/create_ddns_keys.yml

@@ -1,29 +1,33 @@
+---
 - name: Determine if DDNS key already exists
   become: false
   delegate_to: localhost
-  stat:
+  ansible.builtin.stat:
     path: "{{ bind9_local_keydir }}/{{ item.update_keyfile }}.private"
   register: update_keyfile_tmp
   when: item.update_keyfile is defined
 
 - name: Generate DDNS key
-  shell: "tsig-keygen -a {{ item.update_key_algorithm | d('hmac-sha512') }} {{ item.name }}_{{ item.update_keyfile }}_update > /etc/bind/keys/{{ item.update_keyfile }}.private"
+  ansible.builtin.shell: "tsig-keygen -a {{ item.update_key_algorithm | d('hmac-sha512') }} {{ item.name }}_{{ item.update_keyfile }}_update > /etc/bind/keys/{{ item.update_keyfile }}.private"
   args:
     chdir: "{{ bind9_zonedir }}"
   register: ddns_key
+  changed_when: ddns_key.rc != 0
   when: item.update_keyfile is defined and not update_keyfile_tmp.stat.exists
 
 - name: Copy DDNS key to control host
-  fetch:
+  ansible.builtin.fetch:
     src: "/etc/bind/keys/{{ item.update_keyfile }}.private"
     dest: "{{ bind9_local_keydir }}/{{ item.update_keyfile }}.private"
+    mode: "0640"
     flat: true
   when: ddns_key.changed
 
 - name: Create dummy DDNS public key file on control host
   become: false
   delegate_to: localhost
-  file:
+  ansible.builtin.file:
     path: "{{ bind9_local_keydir }}/{{ item.update_keyfile }}.key"
+    mode: "0640"
     state: touch
   when: ddns_key.changed

tasks/main.yml

@@ -1,13 +1,12 @@
 ---
-
 - name: Install bind9 packages
-  apt:
+  ansible.builtin.apt:
     pkg: "{{ bind9_packages }}"
     state: present
     cache_valid_time: 600
 
 - name: Copy bind9 defaults file
-  template:
+  ansible.builtin.template:
     src: "{{ bind9_templates | default('') }}bind/default.j2"
     dest: /etc/default/bind9
     owner: root
@@ -20,34 +19,34 @@
   when: bind9_named_logging
   block:
     - name: Ensure existence of the log directory
-      file:
+      ansible.builtin.file:
         path: "{{ bind9_log_path }}"
         state: directory
         owner: "{{ bind9_user }}"
         group: "{{ bind9_group }}"
         mode: 0755
 
     - name: Configure log rotate for bind9
-      template:
+      ansible.builtin.template:
         src: "{{ bind9_templates | default('') }}logrotate.d/bind.j2"
         dest: /etc/logrotate.d/bind
         owner: root
         group: "{{ bind9_group }}"
         mode: 0644
 
 - name: Create dynamic DNS keys
-  include_tasks: create_ddns_keys.yml
+  ansible.builtin.include_tasks: create_ddns_keys.yml
   with_items:
     - "{{ bind9_zones_static + bind9_zones_dynamic }}"
   when: bind9_generate_ddns_key | bool
 
 - name: Configure bind9 named.conf files
-  template:
+  ansible.builtin.template:
     src: "{{ bind9_templates | default('') }}bind/{{ item }}.j2"
     dest: /etc/bind/{{ item }}
     owner: root
     group: "{{ bind9_group }}"
-    mode: 0644
+    mode: "0644"
   with_items:
     - named.conf.local
     - named.conf.options
@@ -57,7 +56,7 @@
   register: bind9_named_conf
 
 - name: Check validity of named.conf
-  command: named-checkconf
+  ansible.builtin.command: named-checkconf
   register: bind9_reg_named_checkconf
   become: true
   become_user: "{{ bind9_user }}"
@@ -66,51 +65,51 @@
     ansible_ssh_pipelining: True
 
 - name: Create bind9 directory for master zones
-  file:
+  ansible.builtin.file:
     path: "{{ bind9_zonedir }}"
     state: directory
     owner: root
     group: "{{ bind9_group }}"
-    mode: 02775
+    mode: "02775"
   when: bind9_authoritative | default()
 
 - name: Create bind9 directory for master zone includes
-  file:
+  ansible.builtin.file:
     path: "{{ bind9_zonedir }}/includes"
     state: directory
     owner: root
     group: "{{ bind9_group }}"
-    mode: 0755
+    mode: "0755"
   when: bind9_authoritative | default()
 
 - name: Install bind9 authoritative include files
-  template:
+  ansible.builtin.template:
     src: "bind/zones/includes/{{ item }}.j2"
     dest: "{{ bind9_zonedir }}/includes/{{ item }}"
     owner: root
     group: "{{ bind9_group }}"
-    mode: 0644
+    mode: "0644"
   with_items: "{{ bind9_authoritative_includes }}"
   when: bind9_authoritative | default()
   notify:
     - Zone file change
     - Reload bind9
 
 - name: Install bind9 rndc key
-  template:
+  ansible.builtin.template:
     src: "{{ bind9_templates | default('') }}bind/rndc.key.j2"
     dest: /etc/bind/rndc.key
     owner: "{{ bind9_user }}"
     group: "{{ bind9_group }}"
-    mode: 0640
+    mode: "0640"
   when: bind9_rndc_key | default()
   notify:
     - Restart bind9
   tags:
     - role:bind9:rndc_key
 
 - name: Create bind9 directory for keys
-  file:
+  ansible.builtin.file:
     path: /etc/bind/keys
     state: directory
     owner: "{{ bind9_user }}"
@@ -123,12 +122,12 @@
 
 # TODO: DDNS: move keys into vault file
 - name: Copy over DDNS keys for zones with update_keyfile
-  copy:
+  ansible.builtin.copy:
     src: bind/zones/{{ item.update_keyfile }}.key
     dest: /etc/bind/keys/{{ item.update_keyfile }}.key
     owner: "{{ bind9_user }}"
     group: "{{ bind9_group }}"
-    mode: 0644
+    mode: "0644"
   with_items:
     - "{{ bind9_zones_static + bind9_zones_dynamic }}"
   when:
@@ -137,12 +136,12 @@
     - item.update_keyfile | default()
 
 - name: Copy over DDNS private keys for zones with update_keyfile
-  copy:
+  ansible.builtin.copy:
     src: bind/zones/{{ item.update_keyfile }}.private
     dest: /etc/bind/keys/{{ item.update_keyfile }}.private
     owner: "{{ bind9_user }}"
     group: "{{ bind9_group }}"
-    mode: 0600
+    mode: "0600"
   with_items:
     - "{{ bind9_zones_static + bind9_zones_dynamic }}"
   when:
@@ -152,7 +151,7 @@
 
 # TODO: DNSSEC: implement key rollover
 - name: Determine if DNSSEC keys for zones already exist
-  find:
+  ansible.builtin.find:
     paths: /etc/bind/keys
     patterns: "K{{ item.name }}.+008+*"
   register: bind9_reg_dnssec_keys_tmp
@@ -167,14 +166,15 @@
 
 # Filter out all skipped results (e.g. if item.dnssec is set to False)
 - name: Set bind9_reg_dnssec_keys
-  set_fact:
+  ansible.builtin.set_fact:
     bind9_reg_dnssec_keys: "{{ bind9_reg_dnssec_keys_tmp.results | selectattr('skipped', 'undefined') | list }}"
 
 - name: Generate bind9 key signing keys for zones
-  command: dnssec-keygen -a RSASHA256 -b 4096 -n ZONE -f KSK {{ item.item.name }}
+  ansible.builtin.command: dnssec-keygen -a RSASHA256 -b 4096 -n ZONE -f KSK {{ item.item.name }}
   args:
     chdir: /etc/bind/keys
   register: bind9_reg_keygen_ksk
+  changed_when: bind9_reg_keygen_ksk.rc != 0
   become: true
   become_user: "{{ bind9_user }}"
   with_items: "{{ bind9_reg_dnssec_keys }}"
@@ -188,10 +188,11 @@
     - role:bind9:dnssec
 
 - name: Generate bind9 zone signing keys for zones
-  command: dnssec-keygen -a RSASHA256 -b 2048 -n ZONE {{ item.item.name }}
+  ansible.builtin.command: dnssec-keygen -a RSASHA256 -b 2048 -n ZONE {{ item.item.name }}
   args:
     chdir: /etc/bind/keys
   register: bind9_reg_keygen_zsk
+  changed_when: bind9_reg_keygen_zsk.rc != 0
   become: true
   become_user: "{{ bind9_user }}"
   with_items: "{{ bind9_reg_dnssec_keys }}"
@@ -205,7 +206,7 @@
     - role:bind9:dnssec
 
 - name: Read in key signing keys from key files (DNSKEY)
-  command: "grep 'IN DNSKEY' /etc/bind/keys/{{ item.stdout }}.key"
+  ansible.builtin.command: "grep 'IN DNSKEY' /etc/bind/keys/{{ item.stdout }}.key"
   register: bind9_reg_ksk
   changed_when: false
   with_items: "{{ bind9_reg_keygen_ksk.results }}"
@@ -217,7 +218,7 @@
     - role:bind9:dnssec
 
 - name: Generate DS records from key signing keys
-  command: "dnssec-dsfromkey -2 /etc/bind/keys/{{ item.stdout }}.key"
+  ansible.builtin.command: "dnssec-dsfromkey -2 /etc/bind/keys/{{ item.stdout }}.key"
   register: bind9_reg_ksk_ds
   changed_when: false
   with_items: "{{ bind9_reg_keygen_ksk.results }}"
@@ -229,12 +230,13 @@
     - role:bind9:dnssec
 
 - name: Generate notification message
-  set_fact:
-    notification_message: 'New key signing key (KSK) for zone "{{ item.0.item.item.item.name }}" needs to be inserted/updated at registrar (use the format that the registrar demands):
+  ansible.builtin.set_fact:
+    notification_message: |
+      New key signing key (KSK) for zone "{{ item.0.item.item.item.name }}" needs to be inserted/updated at registrar (use the format that the registrar demands):
 
-{{ item.0.stdout }}
+      {{ item.0.stdout }}
 
-{{ item.1.stdout }}'
+      {{ item.1.stdout }}
   with_together:
     - "{{ bind9_reg_ksk.results }}"
     - "{{ bind9_reg_ksk_ds.results }}"
@@ -267,7 +269,7 @@
 
 # send message to matrix
 - name: Set matrix notification message
-  set_fact:
+  ansible.builtin.set_fact:
     bind9_matrix_notifier_text: "{{ notification_message }}"
   ignore_errors: "{{ ansible_check_mode }}"
   with_together:
@@ -281,9 +283,8 @@
   tags:
     - role:bind9:dnssec
 
-
 - name: Send message to matrix via webhook
-  uri:
+  ansible.builtin.uri:
     url: "{{ bind9_matrix_notifier_url }}"
     method: POST
     body: "{{ bind9_matrix_notifier_body | to_nice_json }}"
@@ -301,14 +302,13 @@
   tags:
     - role:bind9:dnssec
 
-
 - name: Create dynamic bind9 zone files
-  template:
+  ansible.builtin.template:
     src: "{{ bind9_templates | default('') }}bind/zones/db.template.j2"
     dest: "{{ bind9_zonedir }}/db.{{ item.name }}"
     owner: root
     group: "{{ bind9_group }}"
-    mode: 0644
+    mode: "0644"
   with_items: "{{ bind9_zones_dynamic }}"
   when:
     - bind9_authoritative | default()
@@ -320,12 +320,12 @@
     - role:bind9:zones
 
 - name: Install static bind9 zone files
-  copy:
+  ansible.builtin.copy:
     src: bind/zones/db.{{ item.name }}
     dest: "{{ bind9_zonedir }}/db.{{ item.name }}"
     owner: root
     group: "{{ bind9_group }}"
-    mode: 0644
+    mode: "0644"
     force: "{{ item.force_update | default('yes') }}"
   with_items: "{{ bind9_zones_static }}"
   when:
@@ -338,7 +338,7 @@
     - role:bind9:zones
 
 - name: Check validity of zone files
-  command: named-checkzone {{ item.name }} {{ bind9_zonedir }}/db.{{ item.name }}
+  ansible.builtin.command: named-checkzone {{ item.name }} {{ bind9_zonedir }}/db.{{ item.name }}
   register: bind9_reg_named_checkzone
   become: true
   become_user: "{{ bind9_user }}"
@@ -351,5 +351,5 @@
     ansible_ssh_pipelining: True
 
 - name: Import monit tasks
-  import_tasks: monit.yml
+  ansible.builtin.import_tasks: monit.yml
   when: bind9_monit_enabled | default()