fix smaller stuff like linting, remove old stuff, update dependencies

.github/workflows/linter.yml

@@ -42,7 +42,7 @@ jobs:
       # Checkout the code base #
       ##########################
       - name: Checkout Code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           # Full git history is needed to get a proper
           # list of changed files within `super-linter`

.gitignore

@@ -3,3 +3,4 @@
 .vagrant
 venv/
 external_roles/
+collections/

README.md

@@ -1,4 +1,4 @@
-# Freifunk Berlin Ansible Repo
+# Freifunk Berlin Ansible Repository
 
 This repository currently contains our WIP state for the infrastructure code.
 
@@ -21,7 +21,7 @@ This repository currently manages these services:
 
 ## Requirements
 
-- Ansible 5.x
+- Ansible 8.x
 - The secret encryption password for ansible-vault under `./.vaultpass`
   - For alternative methods look here: <https://docs.ansible.com/ansible/latest/user_guide/vault.html>
 - Have the necessary requirements installed: `ansible-galaxy install -r requirements.yml`
@@ -35,7 +35,7 @@ Also, the roles are divided into 2 directories, one for external ones, and one f
 
 This separation makes using the monorepo approach easier, since we can just exclude all directories in the `.gitignore`.
 
-```
+```text
 ├── .config                      # Directory with config files e.g. for github actions
 ├── .github                      # Directory for github actions
 ├── ansible.cfg                  # Custom settings for this Repository

ansible.cfg

@@ -3,7 +3,7 @@ inventory = ./inventory/hosts
 collections_paths = ./collections
 roles_path = ./external_roles:./roles
 vault_password_file = ./.vaultpass
-ansible_managed = Managed by ff-berlin ansible: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
+ansible_managed = Managed by ff-berlin ansible
 
 forks = 10
 allow_world_readable_tmpfiles=true

inventory/hosts

@@ -21,7 +21,6 @@ b.tunnel.berlin.freifunk.net # freifunk-gw01
 c.tunnel.berlin.freifunk.net # vpn03d.berlin.freifunk.net
 d.tunnel.berlin.freifunk.net # vpn03f.berlin.freifunk.net
 f.tunnel.berlin.freifunk.net # vpn03h.berlin.freifunk.net
-t-löffel.de
 
 [other]
 util.berlin.freifunk.net

requirements.txt

@@ -1,3 +1,3 @@
-ansible >= 2.13
+ansible >= 2.15
 black >= 23.9
 isort >= 5.12

requirements.yml

@@ -3,15 +3,15 @@
 # usage: ansible-galaxy install -r requirements.yml
 roles:
   - src: ryandaniels.create_users
-    version: 1.0.8
+    version: 1.0.11
   - src: geerlingguy.nginx
-    version: 3.1.0
+    version: 3.1.4
   - src: systemli.letsencrypt
-    version: 2.1.0
+    version: 2.3.0
 collections:
   - name: ansible.posix
-    version: 1.5.1
+    version: 1.5.4
   - name: community.mysql
-    version: 3.6.0
+    version: 3.8.0
   - name: community.general
-    version: 6.5.0
+    version: 7.5.1

roles/caddy/handlers/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: Restart caddy
-  systemd:
+  ansible.builtin.systemd:
     daemon_reload: true
     name: caddy
     enabled: true

roles/caddy/tasks/main.yml

@@ -10,20 +10,18 @@
     state: present
 
 - name: Install dependencies
-  apt:
+  ansible.builtin.apt:
     name:
       - caddy
     state: present
     update_cache: true
     cache_valid_time: 3600
 
 - name: Copy caddyfile
-  template:
+  ansible.builtin.template:
     dest: /etc/caddy/Caddyfile
     src: "{{ caddy_caddyfile }}"
-    mode: 0640
+    mode: "0640"
     owner: caddy
     group: caddy
   notify: Restart caddy
-
-...

roles/common/handlers/main.yml

@@ -1,10 +1,4 @@
 ---
-- name: Restart collectd
-  ansible.builtin.service:
-    name: collectd
-    enabled: true
-    state: restarted
-
 - name: Restart fail2ban
   ansible.builtin.service:
     name: fail2ban

roles/common/tasks/main.yml

@@ -1,10 +1,9 @@
 ---
 # tasks to be run on all machines
 - name: Install basic tools
-  apt:
+  ansible.builtin.apt:
     name:
       - atop
-      - collectd
       - curl
       - fail2ban
       - git
@@ -22,60 +21,50 @@
     state: present
     update_cache: true
 
-# Collectd config
-- name: Copy collectd config
-  template:
-    src: collectd-ffberlin.conf.j2
-    dest: /etc/collectd/collectd.conf.d/ffberlin.conf
-    mode: 0640
-    owner: root
-    group: root
-  notify: Restart collectd
-
 - name: Configure fail2ban-jails
-  template:
+  ansible.builtin.template:
     src: fail2ban-ffberlin.local.j2
     dest: /etc/fail2ban/jail.local
-    mode: 0640
+    mode: "0640"
     owner: root
     group: root
   notify: Restart fail2ban
 
 - name: Copy custom motd
-  template:
+  ansible.builtin.template:
     src: motd.j2
     dest: /etc/motd
-    mode: 0640
+    mode: "0640"
     owner: root
     group: root
 
 - name: Configure prometheus-node-exporter
-  template:
+  ansible.builtin.template:
     src: prometheus-node-exporter.j2
     dest: /etc/default/prometheus-node-exporter
-    mode: 0640
+    mode: "0640"
     owner: root
     group: root
   notify: Restart prometheus-node-exporter
 
 - name: Disallow password-based login for all users
-  lineinfile:
+  ansible.builtin.lineinfile:
     path: /etc/ssh/sshd_config
-    line: 'PasswordAuthentication no'
+    line: PasswordAuthentication no
     insertafter: EOF
   notify: Restart sshd
 
 - name: Disallow login for root user
-  lineinfile:
+  ansible.builtin.lineinfile:
     path: /etc/ssh/sshd_config
-    line: 'PermitRootLogin no'
+    line: PermitRootLogin no
     insertafter: EOF
   notify: Restart sshd
 
 - name: Set Journald Max Size to 1G
   ansible.builtin.lineinfile:
     path: /etc/systemd/journald.conf
-    insertafter: '^#SystemMaxUse'
-    regexp: '^SystemMaxUse'
+    insertafter: ^#SystemMaxUse
+    regexp: ^SystemMaxUse
     line: SystemMaxUse=1G
   notify: Restart journald

roles/ff_monitor/handlers/main.yml

@@ -1,34 +1,34 @@
 ---
 - name: Restart rrdcached
-  systemd:
+  ansible.builtin.systemd:
     daemon_reload: true
     name: rrdcached
     enabled: true
     state: restarted
 
 - name: Restart collectd
-  systemd:
+  ansible.builtin.systemd:
     daemon_reload: true
     name: collectd
     enabled: true
     state: restarted
 
 - name: Restart php-fpm
-  systemd:
+  ansible.builtin.systemd:
     daemon_reload: true
     name: php7.4-fpm
     enabled: true
     state: restarted
 
 - name: Restart prometheus
-  systemd:
+  ansible.builtin.systemd:
     daemon_reload: true
     name: prometheus
     enabled: true
     state: restarted
 
 - name: Restart grafana
-  systemd:
+  ansible.builtin.systemd:
     daemon_reload: true
     name: grafana-server
     enabled: true

roles/ff_monitor/tasks/main.yml

@@ -6,12 +6,12 @@
 
 - name: Add grafana APT Repo
   ansible.builtin.apt_repository:
-    repo: "deb https://apt.grafana.com stable main"
+    repo: deb https://apt.grafana.com stable main
     state: present
     update_cache: false
 
 - name: Install dependencies
-  apt:
+  ansible.builtin.apt:
     name:
       - grafana
       - prometheus
@@ -22,19 +22,19 @@
     cache_valid_time: 3600
 
 - name: Copy prometheus config
-  template:
+  ansible.builtin.template:
     dest: /etc/prometheus/prometheus.yml
     src: prometheus.yml.j2
-    mode: '0640'
+    mode: "0640"
     owner: prometheus
     group: prometheus
   notify: Restart prometheus
 
 - name: Copy prometheus defaults
-  template:
+  ansible.builtin.template:
     dest: /etc/default/prometheus
     src: prometheus.j2
-    mode: '0640'
+    mode: "0640"
     owner: root
     group: root
   notify: Restart prometheus
@@ -53,19 +53,19 @@
     - collectd-exporter
 
 - name: Copy grafana config
-  template:
+  ansible.builtin.template:
     dest: /etc/grafana/grafana.ini
     src: grafana.ini.j2
-    mode: '0640'
+    mode: "0640"
     owner: grafana
     group: grafana
   notify: Restart grafana
 
 - name: Copy collectd config
-  template:
+  ansible.builtin.template:
     dest: /etc/collectd/collectd.conf
     src: collectd.conf.j2
-    mode: '0644'
+    mode: "0644"
     owner: root
     group: root
   notify: Restart collectd
@@ -75,13 +75,13 @@
     name: remove old rrd files
     special_time: daily
     user: root
-    job: "find /mnt/collectd/rrd/ -type f -mtime +14 -delete; find /mnt/collectd/rrd/ -type d -empty -delete"
+    job: find /mnt/collectd/rrd/ -type f -mtime +14 -delete; find /mnt/collectd/rrd/ -type d -empty -delete
 
 - name: Create a directory if it does not exist
   ansible.builtin.file:
     path: "{{ item }}"
     state: directory
-    mode: '0750'
+    mode: "0750"
     owner: www-data
     group: www-data
   with_items:
@@ -94,17 +94,17 @@
   ansible.builtin.copy:
     src: files/firmwaremetrics/
     dest: /srv/www/monitor.berlin.freifunk.net/metrics/firmware/
-    mode: '0750'
+    mode: "0750"
     owner: www-data
     group: www-data
 
 - name: Copy helperscripts
   ansible.builtin.copy:
-    src: "files/{{ item }}"
+    src: files/{{ item }}
     dest: /opt/helperscripts/
     owner: www-data
     group: www-data
-    mode: '0750'
+    mode: "0750"
   with_items:
     - create_node_geojson.py
     - create_node_list.py
@@ -114,26 +114,27 @@
     name: create node json
     special_time: daily
     user: www-data
-    job: "/opt/helperscripts/create_node_list.py > /srv/www/monitor.berlin.freifunk.net/static/nodes.json"
+    job: /opt/helperscripts/create_node_list.py > /srv/www/monitor.berlin.freifunk.net/static/nodes.json
 
 - name: Cronjob to create node geojson
   ansible.builtin.cron:
     name: create node geojson
     special_time: daily
     user: www-data
-    job: "/opt/helperscripts/create_node_geojson.py > /srv/www/monitor.berlin.freifunk.net/static/nodes_geojson.json"
+    job: /opt/helperscripts/create_node_geojson.py > /srv/www/monitor.berlin.freifunk.net/static/nodes_geojson.json
 
 - name: Checkout CGP Repo
+  become: true
   become_user: www-data
   ansible.builtin.git:
     repo: https://github.com/freifunk-berlin/CGP.git
     dest: /srv/www/monitor.berlin.freifunk.net/cgp/
     version: master
 
 - name: Copy CGP config
-  template:
+  ansible.builtin.template:
     dest: /srv/www/monitor.berlin.freifunk.net/cgp/conf/config.local.php
     src: config.local.php.j2
-    mode: '0644'
+    mode: "0644"
     owner: www-data
     group: www-data

roles/ff_monitor/templates/prometheus.j2

@@ -1,4 +1,4 @@
 # {{ ansible_managed }}
 # Set the command-line arguments to pass to the server.
 
-ARGS="--storage.tsdb.retention.size=70GB --enable-feature=memory-snapshot-on-shutdown --web.listen-address=127.0.0.1:9090"
+ARGS="--storage.tsdb.retention.size=90GB --enable-feature=memory-snapshot-on-shutdown --web.listen-address=127.0.0.1:9090"