Draft: Add molecule stuff

.github/workflows/molecule.yml

@@ -0,0 +1,39 @@
+---
+name: Ansible Molecule
+
+on:
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        config:
+          - image: "debian"
+            tag: "bullseye"
+          - image: "debian"
+            tag: "buster"
+          - image: "centos"
+            tag: "7"
+          - image: "centos"
+            namespace: "quay.io/centos/"
+            tag: "stream8"
+          - image: "centos"
+            namespace: "quay.io/centos/"
+            tag: "stream9"
+          - image: "leap"
+            namespace: "registry.opensuse.org/opensuse/"
+            tag: "15"
+      fail-fast: false
+    steps:
+      - name: checkout
+        uses: actions/checkout@v3
+        with:
+          path: "${{ github.repository }}"
+      - name: molecule
+        uses: robertdebock/[email protected]
+        with:
+          image: ${{ matrix.config.image }}
+          tag: ${{ matrix.config.tag }}
+          namespace: ${{ matrix.config.namespace }}

README.md

@@ -63,7 +63,7 @@ Check out `roles/maintenance_*/defaults/main.yml` to see which options can be ov
 [defaults]
 display_skipped_hosts=no
 display_ok_hosts=no
-callbacks_whitelist=adfinis.maintenance.report
+callback_whitelist=adfinis.maintenance.report
 callbacks_enabled=adfinis.maintenance.report
 duplicate_dict_key=ignore
 inject_facts_as_vars=no
@@ -136,6 +136,14 @@ changed: [debian01.example.org]
 
 There is also a checklist summarising all tasks that were run but finished with either `ok` or `skipped`.
 
+## Molecule Tests
+
+Before testing, create a file `.env.yml` with the infos on the platform you want to test (see the matrix in the [molecule workflow](.github/workflows/molecule.yml) for examples):
+
+``` yaml
+image: "debian"
+tag: "bullseye"
+```
 
 ## License
 

galaxy.yml

@@ -1,3 +1,4 @@
+---
 ### REQUIRED
 # The namespace of the collection. This can be a company/brand/organization or product namespace under which all
 # content lives. May only contain alphanumeric lowercase characters and underscores. Namespaces cannot start with

molecule/default/converge.yml

@@ -0,0 +1,32 @@
+---
+
+- name: All tasks
+  hosts: all
+  gather_facts: true
+  vars:
+    maintenance_exclude_tasks:
+      - 11-020 # Initramfs update
+      - 10-028 # Hard depends on systemd -> Doesn't work yet with centos
+    #  - 10-039
+    #  - 10-041
+    #  - 10-042
+    #  - 10-051  # TODO: remove these!
+
+  tasks:
+    - name: "Include 10_linux/"
+      ansible.builtin.include_role:
+        name: "maintenance_10_linux"
+
+    - name: "Include 11_debian/"
+      ansible.builtin.include_role:
+        name: "maintenance_11_debian"
+      when: ansible_facts['os_family'] == "Debian"
+
+    - name: "Print os Family"
+      ansible.builtin.debug:
+        var: ansible_facts['os_family']
+
+    - name: "Include 15_rhel/"
+      ansible.builtin.include_role:
+        name: "maintenance_15_rhel"
+      when: ansible_facts['os_family'] == "RedHat" or ansible_facts['os_family'] == "Suse"

molecule/default/molecule.yml

@@ -0,0 +1,38 @@
+---
+dependency:
+  name: galaxy
+
+driver:
+  name: docker
+
+platforms:
+  - name: "${image:-debian}-${tag:-10}"
+    image: "${namespace}${image:-debian}:${tag:-10}"
+
+provisioner:
+  name: ansible
+  env:
+    ANSIBLE_ROLES_PATH: "../../roles"
+  options:
+    D: true
+  config_options:
+    defaults:
+      retry_files_enabled: false
+      callbacks_enabled: "adfinis.maintenance.report"
+      duplicate_dict_key: ignore
+      inject_facts_as_vars: false
+
+scenario:
+  test_sequence:
+    - dependency
+    - destroy
+    - syntax
+    - create
+    - prepare
+    - converge
+    - side_effect
+    - idempotence
+    - destroy
+
+verifier:
+  name: ansible

molecule/default/prepare.yml

@@ -0,0 +1,11 @@
+---
+
+- name: Prepare hosts
+  hosts: all
+  tasks:
+    - name: Gather facts
+      ansible.builtin.setup:
+
+    - name: Prepare container
+      ansible.builtin.include_tasks:
+        file: "prepare/{{ ansible_facts.distribution }}{{ ansible_facts.distribution_major_version }}.yml"

molecule/default/prepare/CentOS7.yml

@@ -0,0 +1,19 @@
+---
+- name: Install packages
+  ansible.builtin.yum:
+    name:
+      - selinux-policy
+      - openssh-server
+      - audit
+      - sysvinit-tools
+      - libselinux-python
+    state: installed
+
+# EL7 delivers Ansible 2.9 throuh EPEL which is too old for
+# ansible-collection-maintenance
+# To keep effort low, we take the package through pip
+
+- name: Create SSH keys
+  ansible.builtin.command:
+    cmd: "ssh-keygen -A"
+    creates: /etc/ssh/ssh_host_rsa_key

molecule/default/prepare/CentOS8.yml

@@ -0,0 +1,20 @@
+---
+- name: Install packages
+  ansible.builtin.yum:
+    name:
+      - selinux-policy
+      - hostname
+      - openssh-server
+      - audit
+      - libselinux-python3
+    state: installed
+
+- name: Create SSH keys
+  ansible.builtin.command:
+    cmd: "ssh-keygen -A"
+    creates: /etc/ssh/ssh_host_rsa_key
+
+- name: Create wtmp
+  ansible.builtin.file:
+    path: /var/log/wtmp
+    state: file

molecule/default/prepare/CentOS9.yml

@@ -0,0 +1,21 @@
+---
+- name: Install packages
+  ansible.builtin.yum:
+    name:
+      - selinux-policy
+      - hostname
+      - openssh-server
+      - audit
+      - postfix
+      - libselinux-python3
+    state: installed
+
+- name: Create SSH keys
+  ansible.builtin.command:
+    cmd: "ssh-keygen -A"
+    creates: /etc/ssh/ssh_host_rsa_key
+
+- name: Create wtmp
+  ansible.builtin.file:
+    path: /var/log/wtmp
+    state: file

molecule/default/prepare/Debian10.yml

@@ -0,0 +1,25 @@
+---
+- name: Install packages
+  ansible.builtin.apt:
+    name:
+      - openssh-server
+      - postfix
+    state: present
+    update_cache: true
+
+- name: SSH working directory
+  ansible.builtin.file:
+    path: /run/sshd
+    state: directory
+    mode: 0755
+    owner: root
+    group: root
+
+- name: Security repo
+  ansible.builtin.copy:
+    content: |
+      deb http://security.debian.org/debian-security buster/updates main
+    dest: /etc/apt/sources.list.d/security_debian_org_debian_security.list
+    mode: "0755"
+    owner: root
+    group: root

molecule/default/prepare/Debian11.yml

@@ -0,0 +1,25 @@
+---
+- name: Install packages
+  ansible.builtin.apt:
+    name:
+      - openssh-server
+      - postfix
+    state: present
+    update_cache: true
+
+- name: SSH working directory
+  ansible.builtin.file:
+    path: /run/sshd
+    state: directory
+    mode: 0755
+    owner: root
+    group: root
+
+- name: Security repo
+  ansible.builtin.copy:
+    content: |
+      deb http://security.debian.org/debian-security bullseye-security main
+    dest: /etc/apt/sources.list.d/security_debian_org_debian_security.list
+    mode: "0755"
+    owner: root
+    group: root

molecule/default/prepare/openSUSE Leap15.yml

@@ -0,0 +1,35 @@
+---
+- name: Install packages
+  community.general.zypper:
+    name:
+      - python3-pip
+      - python3-rpm
+      - hostname
+      - openssh-server
+    state: installed
+    disable_gpg_check: true
+
+# SUSE 12  delivers Ansible 2.9 which is too old for
+# ansible-collection-maintenance
+# To keep effort low, we take the package through pip
+
+- name: Upgrade pip
+  ansible.builtin.command:
+    cmd: "pip3 install --upgrade pip"
+    creates: /usr/bin/pip3.6
+
+- name: Install Ansible
+  ansible.builtin.command:
+    cmd: "pip3.6 install ansible"
+    creates: /usr/bin/ansible
+
+- name: Create wtmp
+  ansible.builtin.file:
+    path: /var/log/wtmp
+    type: file
+    state: present
+
+- name: Create SSH keys
+  ansible.builtin.command:
+    cmd: "ssh-keygen -A"
+    creates: /etc/ssh/ssh_host_rsa_key

molecule/default/side_effect.yml

@@ -0,0 +1,21 @@
+---
+
+- name: All tasks
+  hosts: all
+  gather_facts: true
+
+  tasks:
+    - name: "Load distribution version specific tasks"
+      ansible.builtin.include_tasks:
+        file: "{{ item }}"
+      with_first_found:
+        - "side_effect/{{ ansible_facts.distribution }}{{ ansible_facts.distribution_major_version }}.yml"
+        - "side_effect/{{ ansible_facts.distribution }}.yml"
+        - "side_effect/empty.yml"
+
+    - name: "10-050: Fix serverlogs address"
+      ansible.builtin.lineinfile:
+        path: /etc/aliases
+        regexp: "^root:"
+        line: "root: [email protected]"
+        insertbefore: EOF

molecule/default/side_effect/CentOS7.yml

@@ -0,0 +1,12 @@
+---
+
+- name: "15-010: Create local repo"
+  ansible.builtin.copy:
+    dest: "/etc/yum.repos.d/local.repo"
+    content: |
+      [rhel-{{ ansible_facts.distribution_major_version }}-server-x86_64]
+      name = {{ ansible_facts.distribution_major_version }}-server-x86_64
+      enabled = 1
+      mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
+      gpgcheck=0
+      cost=9001

molecule/default/side_effect/CentOS8.yml

@@ -0,0 +1,18 @@
+---
+
+- name: "15-010: Create local repo"
+  ansible.builtin.copy:
+    dest: "/etc/yum.repos.d/local.repo"
+    content: |
+      [rhel-{{ ansible_facts.distribution_major_version }}-for-x86_64-baseos-rpms]
+      name = {{ ansible_facts.distribution_major_version }}-server-x86_64
+      enabled = 1
+      mirrorlist=http://mirrorlist.centos.org/?release=$stream&arch=$basearch&repo=BaseOS&infra=$infra
+      gpgcheck=0
+      cost=9001
+      [rhel-{{ ansible_facts.distribution_major_version }}-for-x86_64-appstream-rpms]
+      name = {{ ansible_facts.distribution_major_version }}-server-x86_64
+      enabled = 1
+      mirrorlist=http://mirrorlist.centos.org/?release=$stream&arch=$basearch&repo=AppStream&infra=$infra
+      gpgcheck=0
+      cost=9001

molecule/default/side_effect/CentOS9.yml

@@ -0,0 +1,19 @@
+---
+
+- name: "15-010: Create local repo"
+  ansible.builtin.copy:
+    dest: "/etc/yum.repos.d/local.repo"
+    content: |
+      [rhel-{{ ansible_facts.distribution_major_version }}-for-x86_64-baseos-rpms]
+      name = {{ ansible_facts.distribution_major_version }}-server-x86_64
+      enabled = 1
+      mirrorlist=https://mirrors.centos.org/metalink?repo=centos-baseos-$stream&arch=$basearch&protocol=https,http
+      gpgcheck=0
+      cost=9001
+      [rhel-{{ ansible_facts.distribution_major_version }}-for-x86_64-appstream-rpms]
+      name = {{ ansible_facts.distribution_major_version }}-server-x86_64
+      enabled = 1
+      mirrorlist=https://mirrors.centos.org/metalink?repo=centos-appstream-$stream&arch=$basearch&protocol=https,http
+      gpgcheck=0
+      cost=9001
+

molecule/default/side_effect/Debian.yml

@@ -0,0 +1,6 @@
+---
+
+- name: "11-017: Execute the package upgrade"
+  ansible.builtin.apt:
+    update_cache: yes
+    upgrade: safe