diff --git a/.ansible-lint b/.ansible-lint
new file mode 100644
index 000000000..f2ee80490
--- /dev/null
+++ b/.ansible-lint
@@ -0,0 +1,14 @@
+---
+exclude_paths:
+ - mkdocs.yaml
+ - hack/
+ - cluster/
+
+skip_list:
+ - yaml[line-length]
+ - var-naming
+warn_list:
+ - command-instead-of-shell
+ - deprecated-command-syntax
+ - experimental
+ - no-changed-when
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 000000000..028664245
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,17 @@
+# editorconfig.org
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[Makefile]
+indent_style = tab
+
+[*.{bash,sh}]
+indent_style = space
+indent_size = 4
diff --git a/.github/PAUL.yaml b/.github/PAUL.yaml
index 1019906b7..2c7e8c2c6 100644
--- a/.github/PAUL.yaml
+++ b/.github/PAUL.yaml
@@ -19,12 +19,12 @@ pull_requests:
automated_merge: false
# The time in days after a PR should be labeled inactive
stale_time: 15
- # This will limit the amount of PR's a single contributer can have
+ # This will limit the amount of PR's a single contributor can have
# Limits work in progress
- #limit_pull_requests:
+ # limit_pull_requests:
# max_number: 3
# This is the message that will displayed when a user opens a pull request
- #open_message: |
+ # open_message: |
# Greetings! Thanks for opening a PR
# Enables the /cat command
cats_enabled: true
diff --git a/.github/linters/.cspell.json b/.github/linters/.cspell.json
new file mode 100644
index 000000000..72b30871b
--- /dev/null
+++ b/.github/linters/.cspell.json
@@ -0,0 +1,279 @@
+{
+ "ignorePaths": [
+ "**/node_modules/**",
+ "**/vscode-extension/**",
+ "**/.git/**",
+ "**/.pnpm-lock.json",
+ ".vscode",
+ "package-lock.json",
+ "megalinter-reports"
+ ],
+ "language": "en",
+ "version": "0.2",
+ "words": [
+ "AAAAC",
+ "AAAAIHYT",
+ "ASMT",
+ "AUTHENTIK",
+ "Apiserver",
+ "Authentik",
+ "Autodetection",
+ "Autoscaler",
+ "CAYH",
+ "Ceph",
+ "DFNEAF",
+ "DOTENV",
+ "Dataplane",
+ "Datasources",
+ "Filesystems",
+ "JSONLINT",
+ "KOPIA",
+ "KUBECONFIG",
+ "KUBECONFORM",
+ "KUBEVAL",
+ "KURED",
+ "Kured",
+ "Kustomization",
+ "Kustomizations",
+ "LIDARR",
+ "MARKDOWNLINT",
+ "MINIO",
+ "PROWLARR",
+ "Pozo",
+ "QBITTORRENT",
+ "RADARR",
+ "RESTIC",
+ "Relabelings",
+ "Restic",
+ "Roboto",
+ "SATA",
+ "SIGNUPS",
+ "SONARR",
+ "Snapshotter",
+ "Taskfile",
+ "Thanos",
+ "Tigera",
+ "Vandevenne",
+ "Whitebox",
+ "Woll",
+ "agekey",
+ "alertmanager",
+ "alertmanagerconfigs",
+ "alertmanagers",
+ "alertname",
+ "amhost",
+ "apiserver",
+ "arithmatex",
+ "arpa",
+ "authentik",
+ "automaed",
+ "automerge",
+ "autoremove",
+ "autoupdate",
+ "backube",
+ "bargauge",
+ "bazarr",
+ "beryju",
+ "betterem",
+ "bgpconfiguration",
+ "bgppeer",
+ "bitnami",
+ "blackbox",
+ "blkdiscard",
+ "blockinfile",
+ "blockpool",
+ "bucketweb",
+ "cainjector",
+ "ceph",
+ "certmanager",
+ "cloudflared",
+ "cloudnative",
+ "cmds",
+ "cnpg",
+ "cpuid",
+ "crds",
+ "daemonset",
+ "dashboardproviders",
+ "dataplane",
+ "datasource",
+ "datasources",
+ "dbname",
+ "deliveryheroio",
+ "descheduler",
+ "dind",
+ "direnv",
+ "disabledsources",
+ "distro",
+ "dmsetup",
+ "dnla",
+ "dotglob",
+ "dsync",
+ "dyff",
+ "envsubst",
+ "flot",
+ "fluxcd",
+ "fontawesome",
+ "fstrim",
+ "fullname",
+ "gitops",
+ "gnet",
+ "goauthentik",
+ "gotk",
+ "hdparm",
+ "helmrelease",
+ "helmreleases",
+ "hifis",
+ "homeport",
+ "hyperconverged",
+ "ignoreceph",
+ "initdb",
+ "inlinehilite",
+ "inodes",
+ "inorder",
+ "inotify",
+ "ipvsadm",
+ "jetstack",
+ "jsonschema",
+ "kopia",
+ "kubeconfig",
+ "kubelet",
+ "kubereboot",
+ "kubeval",
+ "kured",
+ "kustomization",
+ "kustomizations",
+ "kustomize",
+ "kyverno",
+ "leaderelection",
+ "leaseduration",
+ "letsencrypt",
+ "lidarr",
+ "linewidth",
+ "looseversioning",
+ "lwolf",
+ "magiclink",
+ "markdownlint",
+ "materialx",
+ "mhausenblas",
+ "mkdocs",
+ "msdosfs",
+ "natel",
+ "netfilter",
+ "noqa",
+ "noreply",
+ "notin",
+ "nscc",
+ "nvme",
+ "objectbucket",
+ "objstore",
+ "oflag",
+ "onedr",
+ "osds",
+ "outsidecluster",
+ "overseerr",
+ "packagegroups",
+ "packagelabels",
+ "partprobe",
+ "piechart",
+ "podmonitor",
+ "podmonitors",
+ "pointradius",
+ "posix",
+ "postbuild",
+ "poweroff",
+ "precommit",
+ "prepareosd",
+ "procs",
+ "prometheuses",
+ "prometheusrule",
+ "prometheusrules",
+ "promhost",
+ "prowlarr",
+ "proxied",
+ "pymdownx",
+ "qbittorrent",
+ "quantile",
+ "radarr",
+ "rbdplugin",
+ "recyclarr",
+ "relabelings",
+ "renewdeadline",
+ "renovatebot",
+ "replicapool",
+ "replicationdestination",
+ "replicationdestinations",
+ "replicationsource",
+ "replicationsources",
+ "restic",
+ "resyncs",
+ "retryperiod",
+ "reviewdog",
+ "rgba",
+ "rsrc",
+ "runbook",
+ "scheduledbackup",
+ "schemafile",
+ "semanticcommits",
+ "servicelb",
+ "servicemonitor",
+ "servicemonitors",
+ "sgdisk",
+ "shellcheck",
+ "shjfqrsw",
+ "shopt",
+ "signin",
+ "signoff",
+ "signout",
+ "singlestat",
+ "smartquotes",
+ "smartsymbols",
+ "snapclass",
+ "snapshotter",
+ "socat",
+ "sonarr",
+ "sparkline",
+ "sslmode",
+ "stakater",
+ "statefulset",
+ "stefanzweifel",
+ "storegateway",
+ "summerwind",
+ "superfences",
+ "swapoff",
+ "swaptotal",
+ "taskfile",
+ "taskfiles",
+ "tasklist",
+ "tautulli",
+ "templating",
+ "thanos",
+ "thanosrulers",
+ "tigera",
+ "timepicker",
+ "timheuer",
+ "tmpl",
+ "toplevel",
+ "trackmap",
+ "traefik",
+ "twemoji",
+ "unmap",
+ "vaultwarden",
+ "vfat",
+ "volsync",
+ "vonage",
+ "wipefs",
+ "wkeqj",
+ "woll",
+ "worldmap",
+ "wsport",
+ "xanmanning",
+ "xaxis",
+ "xstg",
+ "yamlfmt",
+ "yaxes",
+ "yaxis",
+ "ymax",
+ "ymin",
+ "zzztest"
+ ]
+}
diff --git a/.github/workflows/krr.yaml b/.github/workflows/krr.yaml
index 3b4bd1cd6..6428695d3 100644
--- a/.github/workflows/krr.yaml
+++ b/.github/workflows/krr.yaml
@@ -1,7 +1,7 @@
---
name: krr
-on:
+on: # yamllint disable-line rule:truthy
workflow_dispatch:
env:
diff --git a/.mega-linter.yml b/.mega-linter.yml
index 841d6817a..716dc9aa3 100644
--- a/.mega-linter.yml
+++ b/.mega-linter.yml
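Review bot: Several of the new `words` entries are not vocabulary but look like fragments of encoded material — `AAAAC` and `AAAAIHYT` match the leading base64 of an `ssh-ed25519` public key, and `CAYH`, `DFNEAF`, `shjfqrsw`, `wkeqj` and `xstg` have no dictionary meaning — so allow-listing them trains the spell checker to accept whatever file they were lifted from rather than skipping that file. cspell has built-in patterns for exactly this (`"ignoreRegExpList": ["Base64", "SshRsa", "Urls"]`) plus per-file `ignorePaths`; use those for keys, hashes and IDs so the dictionary does not drift into an ad-hoc list of token fragments that would also mask a future accidental paste of key material. `automaed` looks like a misspelling of "automated" being allow-listed, which is precisely the class of error the linter exists to catch; fix it at the source instead. I cannot see the files that produced these entries, so confirm which ones they are before switching to path or regex exclusions.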
@@ -2,27 +2,42 @@
# Configuration file for MegaLinter
# See all available variables at https://oxsecurity.github.io/megalinter/configuration/ and in linters documentation
+FLAVOR_SUGGESTIONS: false
APPLY_FIXES: none # all, none, or list of linter keys
# ENABLE: # If you use ENABLE variable, all other languages/formats/tooling-formats will be disabled by default
ENABLE_LINTERS: # If you use ENABLE_LINTERS variable, all other linters will be disabled by default
- ACTION_ACTIONLINT
+ - ANSIBLE_ANSIBLE_LINT
- ENV_DOTENV_LINTER
- JSON_JSONLINT
- KUBERNETES_KUBEVAL
+ - KUBERNETES_KUBECONFORM
- MARKDOWN_MARKDOWNLINT
- MARKDOWN_MARKDOWN_LINK_CHECK
- YAML_YAMLLINT
-DISABLE:
- - COPYPASTE # Comment to enable checks of excessive copy-pastes
- - SPELL # Comment to enable checks of spelling mistakes
+ - SPELL_CSPELL
+ - SPELL_MISSPELL
+
SHOW_ELAPSED_TIME: true
FILEIO_REPORTER: false
+CLEAR_REPORT_FOLDER: true
# DISABLE_ERRORS: true # Uncomment if you want MegaLinter to detect errors but not block CI to pass
LINTER_RULES_PATH: .github/linters
KUBERNETES_DIRECTORY: cluster
-KUBERNETES_KUBEVAL_ARGUMENTS: --ignore-missing-schemas
+KUBERNETES_KUBEVAL_ARGUMENTS: [--ignore-missing-schemas]
+KUBERNETES_KUBECONFORM_ARGUMENTS: [--ignore-missing-schemas]
JSON_JSONLINT_FILE_EXTENSIONS: [.json, .json5]
JSON_JSONLINT_ARGUMENTS: [--mode, json5]
+
+ANSIBLE_ANSIBLE_LINT_PRE_COMMANDS:
+ - command: pip3 install --user --requirement ansible/requirements.txt
+ cwd: workspace
+ - command: ansible-galaxy install -r ansible/requirements.yml --roles-path ~/.ansible/roles --force
+ cwd: workspace
+ - command: ansible-galaxy collection install -r ansible/requirements.yml --collections-path ~/.ansible/collections --force
+ cwd: workspace
+
+SPELL_FILTER_REGEX_EXCLUDE: (ansible|cluster)/.*\.sops\.ya?ml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 64fdb19ba..70f42dc66 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
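Review bot: `ANSIBLE_ANSIBLE_LINT_PRE_COMMANDS` installs whatever `ansible/requirements.txt` and `ansible/requirements.yml` the checked-out commit lists, from PyPI and Galaxy, and `--force` re-fetches on every run, so the lint job executes author-controlled code (package build hooks, role content) before it has linted anything. That is only tolerable if the workflow running MegaLinter has a read-only token and no other secrets; in any case pin the inputs — `pip3 install --user --require-hashes --requirement ansible/requirements.txt` with hash-pinned entries, and an exact `version:` on every role and collection in `requirements.yml` (those files are not in this diff, so confirm how they are pinned today). Separately, enabling `KUBERNETES_KUBECONFORM` while keeping `KUBERNETES_KUBEVAL` runs two schema validators with identical arguments over `cluster/`, and kubeval's upstream repository has been archived in favour of kubeconform, so once the kubeconform run is green drop the kubeval entry and its `_ARGUMENTS` line to avoid duplicate failures.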
@@ -1,67 +1,33 @@
---
fail_fast: false
repos:
-- repo: https://github.com/adrienverge/yamllint
- rev: v1.31.0
- hooks:
- - args:
- - -c
- - .github/linters/.yamllint.yml
- id: yamllint
-- repo: https://github.com/jumanjihouse/pre-commit-hook-yamlfmt
- rev: 0.2.3
- hooks:
- - id: yamlfmt
- args: [--mapping, '2', --sequence, '4', --offset, '2']
- exclude: ^.github/linters/.yamllint.yml|.pre-commit-config.yaml|mkdocs.yaml|ansible/.*$
-- repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v4.4.0
- hooks:
- - id: trailing-whitespace
- - id: end-of-file-fixer
- - id: mixed-line-ending
-- repo: https://github.com/Lucas-C/pre-commit-hooks
- rev: v1.5.1
- hooks:
- - id: remove-crlf
- - id: remove-tabs
-- repo: https://github.com/sirosen/fix-smartquotes
- rev: 0.2.0
- hooks:
- - id: fix-smartquotes
-- repo: https://github.com/onedr0p/sops-pre-commit
- rev: v2.1.1
- hooks:
- - id: forbid-secrets
- exclude: volsync.yaml
-- repo: https://github.com/python-jsonschema/check-jsonschema
- rev: 0.23.0
- hooks:
- - id: check-jsonschema
- name: "Check GitHub Workflows"
- files: ^\.github/workflows/
- types: [yaml]
- args: ["--schemafile", "https://json.schemastore.org/github-workflow"]
-- repo: https://github.com/igorshubovych/markdownlint-cli
- rev: v0.34.0
- hooks:
- - id: markdownlint
- name: "Check Markdown files"
- args:
- - --config
- - .github/linters/.markdownlint.json
-- repo: https://github.com/tcort/markdown-link-check
- rev: v3.11.2
- hooks:
- - id: markdown-link-check
-- repo: local
- hooks:
- - id: kubeval
- name: "Check Kubernetes manifests"
- description: Lint kube files with system.
- entry: kubeval
- language: system
- files: cluster/
- types: [yaml]
- args: [--ignore-missing-schemas]
- exclude: ^cluster/apps/media/recyclarr/app/recyclarr.sops.yaml$
+ - repo: https://github.com/jumanjihouse/pre-commit-hook-yamlfmt
+ rev: 0.2.3
+ hooks:
+ - id: yamlfmt
+ args: [--mapping, '2', --sequence, '4', --offset, '2']
+ exclude: ^.github/linters/.yamllint.yml|.pre-commit-config.yaml|mkdocs.yaml|ansible/.*$
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.4.0
+ hooks:
+ - id: trailing-whitespace
+ - id: end-of-file-fixer
+ - id: mixed-line-ending
+ - repo: https://github.com/Lucas-C/pre-commit-hooks
+ rev: v1.5.1
+ hooks:
+ - id: remove-crlf
+ - id: remove-tabs
+ - repo: https://github.com/sirosen/fix-smartquotes
+ rev: 0.2.0
+ hooks:
+ - id: fix-smartquotes
+ - repo: https://github.com/onedr0p/sops-pre-commit
+ rev: v2.1.1
+ hooks:
+ - id: forbid-secrets
+ exclude: volsync.yaml
+ - repo: https://github.com/oxsecurity/megalinter
+ rev: v6.22.1
+ hooks:
+ - id: megalinter-incremental # Faster, less thorough
diff --git a/ansible/playbooks/cluster-installation.yml b/ansible/playbooks/cluster-installation.yml
index 37759376b..0b77caf3f 100644
--- a/ansible/playbooks/cluster-installation.yml
+++ b/ansible/playbooks/cluster-installation.yml
@@ -1,5 +1,6 @@
---
-- hosts:
+- name: Cluster installation
+ hosts:
- master
- worker
become: true
@@ -25,7 +26,7 @@
vars:
k3s_state: installed
- - name: Get absolute path to this Git repository
+ - name: Get absolute path to this Git repository # noqa: run-once[task] command-instead-of-module
delegate_to: localhost
become: false
run_once: true
@@ -33,8 +34,9 @@
ansible.builtin.command: |-
git rev-parse --show-toplevel
register: repo_abs_path
+ changed_when: false
- - name: Copy kubeconfig project directory
+ - name: Copy kubeconfig project directory # noqa: run-once[task]
run_once: true
ansible.builtin.fetch:
src: "/etc/rancher/k3s/k3s.yaml"
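Review bot: `exclude: volsync.yaml` on the `forbid-secrets` hook is an unanchored regex, so it exempts every path that merely contains `volsync.yaml` — including any `cluster/**/volsync.yaml` holding a plaintext `kind: Secret` — from the one pre-commit check meant to stop unencrypted secrets; anchor it to the file(s) actually known to be safe, e.g. `exclude: ^cluster/apps/<namespace>/<app>/app/volsync\.yaml$`, or better move that material into a `*.sops.yaml` so no exclusion is needed. The `yamlfmt` exclude `^.github/linters/.yamllint.yml|.pre-commit-config.yaml|mkdocs.yaml|ansible/.*$` has the same shape problem: only the first alternative carries `^` and only the last carries `$`, and the dots are unescaped, so `^(\.github/linters/\.yamllint\.yml|\.pre-commit-config\.yaml|mkdocs\.yaml|ansible/.*)$` is what was intended. The removed local `kubeval` hook excluded `cluster/apps/media/recyclarr/app/recyclarr.sops.yaml`, and the MegaLinter config that replaces it carries no matching `KUBERNETES_KUBEVAL_FILTER_REGEX_EXCLUDE` / `KUBERNETES_KUBECONFORM_FILTER_REGEX_EXCLUDE`, so that file may now fail schema validation for whatever reason it was excluded before. Pinning `rev: v6.22.1` by tag is the pre-commit norm, but tags are mutable; a commit SHA is the stronger pin for a hook that runs an entire linter toolchain.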
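Review bot: `Copy kubeconfig project directory` fetches `/etc/rancher/k3s/k3s.yaml` — which on k3s embeds the admin client certificate and key — into the repository checkout (its `dest:` is just past this hunk), and as far as I can tell `ansible.builtin.fetch` does not carry the source file's mode across, so the copy lands with the controller's default umask. Add a follow-up `ansible.builtin.file` task with `mode: '0600'` on the fetched path and make sure that path is covered by `.gitignore`, since a kubeconfig committed by mistake is equivalent to publishing cluster-admin. The `changed_when: false` on `git rev-parse --show-toplevel` is correct; it only reads state. The task list continues outside this hunk.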
@@ -44,7 +46,7 @@
- k3s_control_node is defined
- k3s_control_node
- - name: Update kubeconfig with the correct IPv4 address
+ - name: Update kubeconfig with the correct IPv4 address # noqa: run-once[task]
delegate_to: localhost
become: false
run_once: true
@@ -53,7 +55,7 @@
regexp: "https://127.0.0.1:6443"
replace: "https://{{ k3s_registration_address }}:6443"
- - name: Resource Readiness Check
+ - name: Resource Readiness Check # noqa: run-once[task]
run_once: true
kubernetes.core.k8s_info:
kubeconfig: /etc/rancher/k3s/k3s.yaml
diff --git a/ansible/playbooks/cluster-nuke.yml b/ansible/playbooks/cluster-nuke.yml
index eada19707..f775347bf 100644
--- a/ansible/playbooks/cluster-nuke.yml
+++ b/ansible/playbooks/cluster-nuke.yml
@@ -1,5 +1,6 @@
---
-- hosts:
+- name: Cluster nuke
+ hosts:
- master
- worker
become: true
diff --git a/ansible/playbooks/cluster-prepare.yml b/ansible/playbooks/cluster-prepare.yml
index 3c1a9acd2..37ad84fbc 100644
--- a/ansible/playbooks/cluster-prepare.yml
+++ b/ansible/playbooks/cluster-prepare.yml
@@ -1,5 +1,6 @@
---
-- hosts:
+- name: Cluster prepare
+ hosts:
- master
- worker
become: true
@@ -31,11 +32,13 @@
service: fstrim.timer
enabled: true
- name: Host configuration part 2
+ notify: Reboot
block:
- name: Host (2) | Disable swap at runtime
ansible.builtin.command: swapoff -a
when:
- ansible_swaptotal_mb > 0
+ changed_when: false
- name: Host (2) | Disable swap at boot
ansible.posix.mount:
name: '{{ item }}'
@@ -49,7 +52,7 @@
loop: [br_netfilter, ip_vs, ip_vs_rr, overlay, rbd]
- name: Host (2) | Enable kernel modules on boot
ansible.builtin.copy:
- mode: 0644
+ mode: '0644'
content: '{{ item }}'
dest: /etc/modules-load.d/{{ item }}.conf
loop: [br_netfilter, ip_vs, ip_vs_rr, overlay, rbd]
@@ -71,7 +74,6 @@
net.bridge.bridge-nf-call-ip6tables: 1
fs.inotify.max_user_watches: 524288
fs.inotify.max_user_instances: 512
- notify: Reboot
- name: Packages
block:
- name: Packages | Install required packages
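Review bot: `changed_when: false` on `Host (2) | Disable swap at runtime` misreports the task: it is guarded by `when: ansible_swaptotal_mb > 0`, so whenever `swapoff -a` actually runs it really does change the host, and with `notify: Reboot` now hoisted to the enclosing block the false "ok" also means this task can never trigger the reboot it presumably should. Use `changed_when: true` (or simply drop the key); `.ansible-lint` in this same commit only lists `no-changed-when` under `warn_list`, so no suppression is needed to keep CI green. Hoisting `notify: Reboot` to the block broadens it to every task in the block, including the module-loading and sysctl tasks later on, which looks intended but deserves a comment such as `# any host-level change in this block needs a reboot to take effect`. The block continues outside this hunk.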
diff --git a/ansible/playbooks/cluster-reboot.yml b/ansible/playbooks/cluster-reboot.yml
index 774f2f8f4..d0df12920 100644
--- a/ansible/playbooks/cluster-reboot.yml
+++ b/ansible/playbooks/cluster-reboot.yml
@@ -1,5 +1,6 @@
---
-- hosts:
+- name: Cluster reboot
+ hosts:
- master
- worker
become: true
diff --git a/ansible/playbooks/cluster-rook-nuke.yml b/ansible/playbooks/cluster-rook-nuke.yml
index 7df7d4e80..531b877ec 100644
--- a/ansible/playbooks/cluster-rook-nuke.yml
+++ b/ansible/playbooks/cluster-rook-nuke.yml
@@ -1,5 +1,5 @@
---
-- name: Cluster Rook-Ceph
+- name: Cluster Rook-Ceph nuke
hosts:
- master
- worker
@@ -23,7 +23,7 @@
seconds: 2
tasks:
- # https://rook.io/docs/rook/v1.10/Getting-Started/ceph-teardown/
- name: Reset Rook Ceph
+ name: Reset Rook Ceph # noqa: ignore-errors
ignore_errors: true
block:
- name: Remove /var/lib/rook
@@ -32,17 +32,23 @@
path: /var/lib/rook
- name: Zap the disk to a fresh, usable state (zap-all is important, b/c MBR has to be clean)
ansible.builtin.command: sgdisk --zap-all "{{ rook_block_device }}" || true
+ changed_when: false
- name: Wipe a large portion of the beginning of the disk to remove more LVM metadata that may be present
ansible.builtin.command: dd if=/dev/zero of="{{ rook_block_device }}" bs=1M count=100 oflag=direct,dsync
+ changed_when: false
- name: Wipe the block device with wipefs
ansible.builtin.command: wipefs --all --force "{{ rook_block_device }}"
+ changed_when: false
- name: SSDs may be better cleaned with blkdiscard instead of dd
ansible.builtin.command: blkdiscard "{{ rook_block_device }}"
+ changed_when: false
- name: Inform the OS of partition table changes
ansible.builtin.command: partprobe "{{ rook_block_device }}"
+ changed_when: false
- name: Ceph can leave LVM and device mapper data that can lock the disks
ansible.builtin.command: "{{ item }}"
loop:
- ls /dev/mapper/ceph-* | xargs -I% -- dmsetup remove %
- rm -rf /dev/ceph-*
- rm -rf /dev/mapper/ceph--*
+ changed_when: false
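Review bot: Marking `sgdisk --zap-all`, `dd if=/dev/zero`, `wipefs --all --force` and `blkdiscard` as `changed_when: false` is backwards — each of these destroys the contents of `{{ rook_block_device }}`, so they should report `changed_when: true`, and `.ansible-lint` in this commit already demotes `no-changed-when` to a warning, so the suppression buys nothing. Two pre-existing lines in the same block are also broken under `ansible.builtin.command`, which never goes through a shell: `sgdisk --zap-all "{{ rook_block_device }}" || true` passes `||` and `true` to sgdisk as literal arguments (the block's `ignore_errors: true` already covers a failure, so drop `|| true`), and the loop items `ls /dev/mapper/ceph-* | xargs -I% -- dmsetup remove %` and `rm -rf /dev/ceph-*` rely on a pipe and glob expansion that `command` does not perform, so they need `ansible.builtin.shell`. Because `ignore_errors: true` swallows all of this, the play can report success while the disk was never actually wiped; a `register` on the `wipefs` task plus an `ansible.builtin.assert` that it found no remaining signatures would make that visible. The block starts before this hunk.
```yaml
        - name: Zap the disk to a fresh, usable state (zap-all is important, b/c MBR has to be clean)
          ansible.builtin.command: sgdisk --zap-all "{{ rook_block_device }}"
          changed_when: true
        # … unchanged: dd / wipefs / blkdiscard / partprobe tasks, each with changed_when: true instead of false …
        - name: Ceph can leave LVM and device mapper data that can lock the disks
          ansible.builtin.shell: "{{ item }}"
          args:
            executable: /bin/bash
          loop:
            - set -o pipefail; ls /dev/mapper/ceph-* | xargs -I% -- dmsetup remove %
            - rm -rf /dev/ceph-*
            - rm -rf /dev/mapper/ceph--*
          changed_when: true
```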
diff --git a/cluster/apps/calico-system/calico/addons/dashboards/typha-dashboard.json b/cluster/apps/calico-system/calico/addons/dashboards/typha-dashboard.json
index 654b32e03..b36ecb3f3 100644
--- a/cluster/apps/calico-system/calico/addons/dashboards/typha-dashboard.json
+++ b/cluster/apps/calico-system/calico/addons/dashboards/typha-dashboard.json
@@ -1692,7 +1692,7 @@
"time": { "from": "now-6h", "to": "now" },
"timepicker": {},
"timezone": "",
- "title": "Typha Dashborad (Calico)",
+ "title": "Typha Dashboard (Calico)",
"uid": "calico-typha-dashboard",
"variables": { "list": [] },
"version": 10
diff --git a/cluster/apps/cert-manager/cert-manager/app/prometheusrule.yaml b/cluster/apps/cert-manager/cert-manager/app/prometheusrule.yaml
index 9ab056d7f..6bce15e16 100644
--- a/cluster/apps/cert-manager/cert-manager/app/prometheusrule.yaml
+++ b/cluster/apps/cert-manager/cert-manager/app/prometheusrule.yaml
@@ -17,7 +17,7 @@ spec:
annotations:
description: New certificates will not be able to be minted, and existing ones can't be renewed until cert-manager is back.
runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerabsent
- summary: Cert Manager has dissapeared from Prometheus service discovery.
+ summary: Cert Manager has disappeared from Prometheus service discovery.
- name: certificates
rules:
- alert: CertManagerCertExpirySoon