ci: add pre-commit, molecule, github workflows + chore

.ansible-lint

@@ -0,0 +1,5 @@
+---
+warn_list:
+  - experimental
+exclude_paths:
+  - .github/workflows/

.codespellignore

@@ -0,0 +1 @@
+browseable

.github/dependabot.yml

@@ -0,0 +1,12 @@
+---
+# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot
+# Set update schedule for GitHub Actions
+
+version: 2
+updates:
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      # Check for updates to GitHub Actions every week
+      interval: "weekly"

.github/workflows/default-bare.yml

@@ -0,0 +1,106 @@
+---
+name: default-bare
+
+on:
+  push:
+  pull_request:
+
+permissions: {}
+
+jobs:
+  build:
+    permissions:
+      contents: read
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      max-parallel: 4
+      matrix:
+        os: [ubuntu-22.04, ubuntu-20.04]
+    env:
+      ANSIBLE_CALLBACKS_ENABLED: profile_tasks
+      ANSIBLE_EXTRA_VARS: ""
+      ANSIBLE_ROLE: theidiotyouyellat.opencanary
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          path: ${{ env.ANSIBLE_ROLE }}
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.x'
+      - name: Install dependencies
+        run: |
+          python3 -m pip install --upgrade pip
+          pip3 install ansible-lint flake8 yamllint
+          which ansible
+          pip3 install ansible
+          pip3 show ansible
+          ls -l $HOME/.local/bin || true
+          ansible --version
+          cd $GITHUB_WORKSPACE/$ANSIBLE_ROLE
+          [ -f molecule/default/requirements.yml ] && ansible-galaxy install -r molecule/default/requirements.yml
+          { echo '[defaults]'; echo 'callback_whitelist = profile_tasks, timer'; echo 'roles_path = ../:/home/runner/.ansible/roles'; echo 'ansible_python_interpreter: /usr/bin/python3'; } >> ansible.cfg
+      - name: Environment
+        run: |
+          set -x
+          pwd
+          env
+          find . -ls
+      - name: run test
+        run: |
+          cd $GITHUB_WORKSPACE/$ANSIBLE_ROLE && ansible-playbook -i localhost, --connection=local --become -vvv molecule/default/converge.yml ${ANSIBLE_EXTRA_VARS}
+        env:
+          PY_COLORS: '1'
+          ANSIBLE_FORCE_COLOR: '1'
+      - name: idempotency run
+        run: |
+          cd $GITHUB_WORKSPACE/$ANSIBLE_ROLE && ansible-playbook -i localhost, --connection=local --become -vvv molecule/default/converge.yml ${ANSIBLE_EXTRA_VARS} | tee /tmp/idempotency.log | grep -q 'changed=0.*failed=0'  && (echo 'Idempotence test: pass' && exit 0)  || (echo 'Idempotence test: fail' && cat /tmp/idempotency.log && exit 0)
+      - name: On failure
+        run: |
+          systemctl -l --no-pager status
+          systemctl -l --no-pager --failed
+          ls -l /usr/bin/ | egrep '(python|pip|ansible)'
+          pip freeze
+          pip3 freeze
+          ip addr
+          cat /etc/resolv.conf
+          host www.google.com
+          ping -c 1 www.google.com || true
+          ping -c 1 8.8.8.8 || true
+        if: ${{ failure() }}
+        continue-on-error: true
+      - name: After script - ansible setup
+        run: |
+          ansible -i inventory --connection=local -m setup localhost
+        if: ${{ always() }}
+        continue-on-error: true
+      - name: After script - systemd
+        run: |
+          systemctl -l --no-pager status opencanaryd || true
+          systemd-analyze --no-pager security || true
+          systemd-analyze --no-pager security opencanaryd || true
+          systemd-analyze --no-pager verify opencanaryd || true
+          rsyslogd -v
+        if: ${{ always() }}
+        continue-on-error: true
+      - name: After script - etc
+        run: |
+          set -x
+          cat /etc/opencanaryd/opencanary.conf
+          cat /etc/systemd/system/opencanaryd.service
+        if: ${{ always() }}
+        continue-on-error: true
+      - name: After script - python
+        run: |
+          set -x
+          pip install pipdeptree
+          pipdeptree -r
+          pip freeze
+          pip3 freeze
+          /opt/opencanary/bin/pip install pipdeptree
+          /opt/opencanary/bin/pipdeptree -r
+          /opt/opencanary/bin/pip freeze
+        if: ${{ always() }}
+        continue-on-error: true

.github/workflows/default.yml

@@ -0,0 +1,60 @@
+---
+name: AnsibleCI
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  build:
+
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    continue-on-error: ${{ matrix.experimental }}
+    strategy:
+      fail-fast: false
+      max-parallel: 4
+      matrix:
+        include:
+          - molecule_distro: 'rockylinux:9'
+            experimental: true
+          - molecule_distro: 'rockylinux:8'
+            experimental: true
+          - molecule_distro: 'ubuntu:22.04'
+            experimental: false
+          - molecule_distro: 'ubuntu:20.04'
+            experimental: false
+    env:
+      ANSIBLE_CALLBACKS_ENABLED: profile_tasks
+      MOLECULE_NO_LOG: "false"
+      ANSIBLE_ROLE: theidiotyouyellat.opencanary
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          path: ${{ env.ANSIBLE_ROLE }}
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.x'
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install molecule molecule-plugins docker ansible-lint flake8 testinfra ansible
+          mkdir -p $HOME/.ansible/roles && ln -s $GITHUB_WORKSPACE/$ANSIBLE_ROLE $HOME/.ansible/roles/
+      - name: Environment
+        run: |
+          pwd
+          env
+          find -ls
+      - name: run test
+        run: |
+          cd $GITHUB_WORKSPACE/$ANSIBLE_ROLE && molecule test
+        env:
+          PY_COLORS: '1'
+          ANSIBLE_FORCE_COLOR: '1'
+          MOLECULE_DISTRO: ${{ matrix.molecule_distro }}

.github/workflows/galaxy.yml

@@ -0,0 +1,26 @@
+---
+name: Ansible Galaxy release
+
+on:
+  release:
+    types: [created, edited, published, released]
+  push:
+    tags:
+      - '*'
+
+permissions: {}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout
+        uses: actions/checkout@v3
+        with:
+          path: theidiotyouyellat.opencanary
+      - name: galaxy
+        uses: robertdebock/[email protected]
+        with:
+          galaxy_api_key: ${{ secrets.galaxy_api_key }}
+          path: theidiotyouyellat.opencanary
+          git_branch: master

.github/workflows/lint.yml

@@ -0,0 +1,61 @@
+---
+name: lint
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      max-parallel: 4
+    env:
+      ANSIBLE_CALLBACKS_ENABLED: profile_tasks
+      ANSIBLE_EXTRA_VARS: ""
+      ANSIBLE_ROLE: theidiotyouyellat.opencanary
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          path: ${{ env.ANSIBLE_ROLE }}
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.x'
+      - name: Install dependencies
+        run: |
+          python3 -m pip install --upgrade pip
+          pip3 install --pre ansible-lint flake8 yamllint
+          which ansible
+          pip3 install ansible
+          pip3 show ansible
+          ls -l $HOME/.local/bin || true
+          ansible --version
+          cd $GITHUB_WORKSPACE/$ANSIBLE_ROLE
+          [ -f molecule/default/requirements.yml ] && ansible-galaxy install -r molecule/default/requirements.yml
+          { echo '[defaults]'; echo 'callbacks_enabled = profile_tasks, timer'; echo 'roles_path = ../:/home/runner/.ansible/roles'; echo 'ansible_python_interpreter: /usr/bin/python3'; } >> ansible.cfg
+      - name: Environment
+        run: |
+          pwd
+          env
+          find . -ls
+      - uses: codespell-project/actions-codespell@master
+        with:
+          ignore_words_file: ${{ env.ANSIBLE_ROLE }}/.codespellignore
+          skip: .git
+          path: ${{ env.ANSIBLE_ROLE }}
+        if: ${{ always() }}
+      - name: yamllint
+        run: |
+          cd $GITHUB_WORKSPACE/$ANSIBLE_ROLE && yamllint .
+        if: ${{ always() }}
+      - name: ansible-lint
+        run: |
+          cd $GITHUB_WORKSPACE/$ANSIBLE_ROLE && ansible-lint
+        if: ${{ always() }}

.pre-commit-config.yaml

@@ -0,0 +1,31 @@
+---
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.4.0
+    hooks:
+      - id: check-yaml
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+      - id: check-added-large-files
+      - id: check-json
+      - id: detect-private-key
+      - id: check-case-conflict
+      - id: requirements-txt-fixer
+      - id: check-ast
+      - id: check-shebang-scripts-are-executable
+      - id: check-merge-conflict
+      - id: check-symlinks
+      - id: check-toml
+      - id: check-xml
+      # - id: detect-aws-credentials
+      - id: check-docstring-first
+  - repo: https://github.com/codespell-project/codespell
+    rev: v2.2.5
+    hooks:
+      - id: codespell
+        args: [-I, .codespellignore]
+  - repo: https://github.com/ansible-community/ansible-lint.git
+    rev: v6.18.0
+    hooks:
+      - id: ansible-lint
+        files: \.(yaml|yml)$

.yamllint

@@ -0,0 +1,28 @@
+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  colons:
+    max-spaces-after: -1
+    level: error
+  commas:
+    max-spaces-after: -1
+    level: error
+  empty-lines:
+    max: 3
+    level: error
+  hyphens:
+    level: error
+  key-duplicates: enable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  new-lines:
+    type: unix
+  truthy: disable

defaults/main.yml

@@ -8,8 +8,8 @@ github_src_dir: "/opt/opencanary_src"
 
 # opencanary conf file defaults
 device_node_id: "opencanary-{{ ansible_hostname }}"
-ip_ignorelist: [ ]
-logtype_ignorelist: [ ]
+ip_ignorelist: []
+logtype_ignorelist: []
 git_enabled: "false"
 git_port: "9418"
 ftp_enabled: "false"
@@ -32,7 +32,7 @@ logger_syslog_port: 514
 webhook_method: "POST"
 webhook_data: '{"message": "%(message)s"}'
 webhook_status_code: 200
-webhook_ignore: [ ]
+webhook_ignore: []
 smtp_port: 25
 smtp_subject: "OpenCanary Alert"
 portscan_enabled: "false"
@@ -41,7 +41,7 @@ portscan_logfile: "/var/log/kern.log"
 portscan_synrate: "5"
 portscan_nmaposrate: "5"
 portscan_lorate: "3"
-portscan_ignore_ports: [ ]
+portscan_ignore_ports: []
 smb_auditfile: "/var/log/samba-audit.log"
 smb_enabled: "false"
 mysql_enabled: "false"
@@ -91,3 +91,5 @@ samba_netbios_name: "{{ ansible_hostname }}"
 samba_share: personal
 samba_comment: "Personal docs"
 samba_path: "/opt/{{ samba_share }}"
+
+is_container: false