update(nginx): bump version to 1.29.5

(cherry picked from commit f2ee49abe4)

.config/ansible-lint.yml

@@ -0,0 +1,21 @@
+---
+# see https://docs.ansible.com/projects/lint/configuring/#ansible-lint-configuration
+profile: moderate
+exclude_paths:
+  - ".ansible/"
+
+# Enable checking of loop variable prefixes in roles
+loop_var_prefix: "^(__|{role}_)"
+
+# Enforce variable names to follow pattern below, in addition to Ansible own
+# requirements, like avoiding python identifiers. To disable add `var-naming`
+# to skip_list.
+var_naming_pattern: "^[a-z_][a-z0-9_]*$"
+
+skip_list:
+  - "name[template]"
+enable_list:
+  - galaxy
+  - fqcn
+
+offline: true

.gitignore

@@ -0,0 +1,2 @@
+.ansible/
+results/

galaxy.yml

@@ -8,9 +8,9 @@ description: >-2
   Roles for base services which are core functionality like managing packages
   and ssh or common dependencies other services like databases
 dependencies:
-  "community.docker": "^4.7.0"
+  "community.docker": ">=4.7.0"
-  "community.general": "^11.1.2"
+  "community.general": ">=11.1.2"
-  "containers.podman": "^1.17.0"
+  "containers.podman": ">=1.17.0"
 license_file: LICENSE.md
 build_ignore:
 - '*.tar.gz'

playbooks/docker_registry.yml

@@ -13,4 +13,4 @@
       loop: "{{ docker_registries | default([], true) }}"
       loop_control:
         loop_var: "docker_registry"
-        label: "{{ docker_registry.username}}@{{ docker_registry.registry }}"
+        label: "{{ docker_registry.username }}@{{ docker_registry.registry }}"

playbooks/lego_certificate.yml

@@ -6,7 +6,7 @@
   pre_tasks:
     - name: Build target dns records
       ansible.builtin.set_fact:
-        target_dns_records: "{{ target_dns_records + [ _dns_record ] }}"
+        target_dns_records: "{{ target_dns_records + [_dns_record] }}"
       vars:
         _dns_record:
           type: "CNAME"

roles/caddy/defaults/main/config.yml

@@ -17,7 +17,6 @@ caddy_config: |+2
 
   # Import all configurations
   import {{ caddy_dynamic_configs_dir }}/*/Caddyfile
-  
   :80 {
       redir /  https://{host}{uri} 301
   }

roles/git/tasks/main.yml

@@ -8,7 +8,7 @@
     state: present
     marker: "#{mark} ANSIBLE MANAGED BLOCK by finallycoffee.base.git"
     block: |+2
-      {% if git_config_user_name|default(false, true) and git_config_user_email|default(false, true) %}
+      {% if git_config_user_name | default(false, true) and git_config_user_email | default(false, true) %}
       [user]
         name = {{ git_config_user_name }}
         email = {{ git_config_user_email }}

roles/gnupg/defaults/main.yml

@@ -14,7 +14,7 @@ gpg_config_emit_version: false
 gpg_config_comments: false
 gpg_config_ignore_time_conflict: false
 gpg_config_allow_freeform_uid: true
-gpg_config_keyid_format: 0xlong
+gpg_config_keyid_format: "0xlong"
 gpg_config_with_fingerprint: true
 
 gpg_config_keyserver: hkps://keys.openpgp.org

roles/gnupg/tasks/main.yml

@@ -1,55 +1,54 @@
 ---
-
 - name: Ensure gnupg is installed (RedHat*)
-  package:
+  ansible.builtin.package:
     name: gnupg2
     state: latest
   become: true
   when: ansible_os_family == "RedHat"
 
 - name: Ensure gnupg is installed (Arch)
-  package:
+  ansible.builtin.package:
     name: gnupg
     state: latest
   become: true
   when: ansible_os_family == "Archlinux"
 
 - name: Ensure ~/.gnupg folder exists with correct permissions
-  file:
+  ansible.builtin.file:
     path: "{{ gpg_config_folder }}"
     state: directory
-    mode: 0700
+    mode: "0700"
 
 - name: Ensure gpg.conf is templated
-  template:
+  ansible.builtin.template:
     src: gpg.conf.j2
     dest: "{{ gpg_config_file }}"
 
 - name: Configure gpg-agent.conf (agent configuration)
-  template:
+  ansible.builtin.template:
     src: gpg-agent.conf.j2
     dest: "{{ gpg_agent_config_file }}"
 
 - name: Configure scdaemon.conf (smartcard daemon)
-  template:
+  ansible.builtin.template:
     src: scdaemon.conf.j2
     dest: "{{ gpg_scdaemon_config_file }}"
 
 - name: Configure sshcontrol (in order for gpg-agent to act as ssh-agent)
-  template:
+  ansible.builtin.template:
     src: sshcontrol.j2
     dest: "{{ gpg_agent_sshcontrol_file }}"
   when: gpg_agent_config_enable_ssh_support
 
 - name: Copy gnupg_agent script, which makes gpg-agent responsible for ssh-auth
-  copy:
+  ansible.builtin.copy:
     src: gpg-configure-ssh-auth-socket.sh
     dest: "{{ gpg_configure_agent_script }}"
-    mode: 0700
+    mode: "0700"
   when: gpg_agent_config_enable_ssh_support
 
 - name: Ensure gnupg_agent script is included in bashrc
-  lineinfile:
+  ansible.builtin.lineinfile:
     path: "~/.bashrc"
     line: "source {{ gpg_configure_agent_script }}"
     state: present

roles/lego/files/lego_run.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-set -euo pipefail
+set -xeuo pipefail
 
 LEGO_BINARY=$(/usr/bin/env which lego)
 
@@ -8,8 +8,11 @@ if [[ -n "${LEGO_HTTP_FALLBACK_PORT:-}" ]]; then
     echo "nc not found (in PATH), exiting"
     exit 1
   fi
+  set +e
   nc -z 127.0.0.1 $LEGO_HTTP_PORT;
-  if [[ $? -eq 0 ]]; then
+  nc_exit_code=$?;
+  set -e
+  if [[ $nc_exit_code -eq 0 ]]; then
       LEGO_HTTP_PORT=$LEGO_HTTP_FALLBACK_PORT
   fi
 fi

roles/lego/vars/main.yml

@@ -1,11 +1,11 @@
 ---
 
-lego_domain_command_args: >-
+lego_domain_command_args: >-2
   {% for domain in lego_cert_domains %}
    --domains={{ domain }}
   {%- endfor %}
 
-lego_config_command_args: >-
+lego_config_command_args: >-2
   {% for key in lego_full_command_config %}
    --{{ key | replace("_", "-") }}
   {%- if lego_full_command_config[key] != None and lego_full_command_config[key] != '' -%}

roles/minio/defaults/main/container.yml

@@ -23,7 +23,7 @@ minio_container_command:
   - "--console-address"
   - ":{{ minio_container_listen_port_console }}"
 minio_container_restart_policy: "unless-stopped"
-minio_container_image_force_source: "{{ (minio_container_image_tag == 'latest')|bool }}"
+minio_container_image_force_source: "{{ (minio_container_image_tag == 'latest') | bool }}"
 minio_container_state: >-2
   {{ (minio_state == 'present') | ternary('started', 'absent') }}
 

roles/minio/tasks/deploy-docker.yml

@@ -3,15 +3,15 @@
   ansible.builtin.file:
     path: "{{ minio_data_path }}"
     state: directory
-    user: "{{ minio_user|default(omit, True) }}"
+    user: "{{ minio_user | default(omit, True) }}"
-    group: "{{ minio_user|default(omit, True) }}"
+    group: "{{ minio_user | default(omit, True) }}"
   when: minio_manage_host_filesystem
 
 - name: Ensure container image '{{ minio_container_image }}' is {{ minio_state }}
   community.docker.docker_image:
     name: "{{ minio_container_image }}"
     state: "{{ minio_state }}"
-    source: pull
+    source: "pull"
     force_source: "{{ minio_container_image_force_source }}"
 
 - name: Ensure container '{{ minio_container_name }}' is {{ minio_container_state }}
@@ -23,7 +23,7 @@
     labels: "{{ minio_container_labels }}"
     networks: "{{ minio_container_networks }}"
     ports: "{{ minio_container_ports }}"
-    user: "{{ minio_user|default(omit, True) }}"
+    user: "{{ minio_user | default(omit, True) }}"
     command: "{{ minio_container_command }}"
     restart_policy: "{{ minio_container_restart_policy }}"
     state: "{{ minio_container_state }}"

roles/nginx/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-nginx_version: "1.29.4"
+nginx_version: "1.29.5"
 nginx_flavour: alpine
 nginx_base_path: /opt/nginx
 nginx_config_file: "{{ nginx_base_path }}/nginx.conf"
@@ -34,4 +34,3 @@ nginx_container_state: >-2
 nginx_container_restart_policy: "unless-stopped"
 nginx_container_volumes:
   - "{{ nginx_config_file }}:/etc/nginx/conf.d/nginx.conf:ro"
- 

roles/nginx/tasks/main.yml

@@ -30,7 +30,7 @@
   ansible.builtin.copy:
     dest: "{{ nginx_config_file }}"
     content: "{{ nginx_config }}"
-    mode: 0640
+    mode: "0640"
   notify:
     - restart-nginx
   when: nginx_state == 'present'

roles/openldap/tasks/configure.yml

@@ -2,7 +2,7 @@
 - name: Ensure config attributes are configured
   community.general.ldap_attrs:
     dn: "{{ openldap_config_dn }}"
-    attributes: "{{ { entry.key : entry.value } }}"
+    attributes: "{{ {entry.key: entry.value} }}"
     state: exact
     server_uri: "{{ openldap_socket_url }}"
   loop: "{{ openldap_config_attributes | dict2items }}"
@@ -13,7 +13,7 @@
 - name: Ensure config db attributes are configured
   community.general.ldap_attrs:
     dn: "{{ openldap_config_db_dn }}"
-    attributes: "{{ { entry.key : entry.value } }}"
+    attributes: "{{ {entry.key: entry.value} }}"
     state: exact
     server_uri: "{{ openldap_socket_url }}"
   loop: "{{ openldap_config_db_attributes | dict2items }}"

roles/openldap/tasks/deploy-docker.yml

@@ -22,4 +22,3 @@
       {{ openldap_container_restart_policy | default(omit, true) }}
     healthcheck: "{{ openldap_container_healthcheck | default(omit, true) }}"
     state: "{{ openldap_container_state }}"
-

roles/openldap/tasks/initialize-docker.yml

@@ -2,7 +2,7 @@
 - name: Ensure additional schemas are mapped to container
   ansible.builtin.set_fact:
     openldap_init_container_volumes: >-2
-      {{ openldap_init_container_volumes + [ schema_mount ] }}
+      {{ openldap_init_container_volumes + [schema_mount] }}
   vars:
     schema_file: "{{ openldap_schema_path }}/{{ schema.name }}.ldif"
     schema_mount: >-2

roles/restic/tasks/main.yml

@@ -18,10 +18,10 @@
     msg: "`restic_backup_stdin_command` was set but no filename for the resulting output was supplied in `restic_backup_stdin_command_filename`"
 
 - name: Ensure backup frequency adheres to systemd's OnCalender syntax
-  command:
+  ansible.builtin.command:
     cmd: "systemd-analyze calendar {{ restic_policy.frequency }}"
-  register: systemd_calender_parse_res
+  register: restic_systemd_calender_parse_result
-  failed_when: systemd_calender_parse_res.rc != 0
+  failed_when: restic_systemd_calender_parse_result.rc != 0
   changed_when: false
 
 - name: Ensure restic is installed
@@ -42,13 +42,21 @@
         state: present
       when: ansible_os_family not in ['RedHat', 'Debian']
 
+- name: Ensure backup script is templated
+  ansible.builtin.copy:
+    src: restic-backup-directories.sh
+    dest: /opt/restic-backup-directories.sh
+    owner: root
+    group: root
+    mode: "0755"
+
 - name: Ensure systemd service file for '{{ restic_job_name }}' is templated
   template:
     dest: "/etc/systemd/system/{{ restic_systemd_unit_naming_scheme }}.service"
     src: restic.service.j2
     owner: root
     group: root
-    mode: 0640
+    mode: "0640"
   notify:
     - reload-systemd
     - trigger-restic
@@ -59,7 +67,7 @@
     src: restic.timer.j2
     owner: root
     group: root
-    mode: 0640
+    mode: "0640"
   notify:
     - reload-systemd