Add tox for static checks

Add toxdir to gitignore
Add ansible and yamllint

.ansible-lint.yaml

@@ -0,0 +1,9 @@
+---
+skip_list:
+  - line-length  # don't yell about line length
+  - meta-no-info  # we don't publish to galaxy so stop yelling about it
+  - package-latest  # we install lots of latest stuff still 😢
+  - experimental  # no instability plz, give us a call when ur stable
+
+warn_list:
+  - no-handler  # good to keep, but shouldn't be fatal

.gitignore

@@ -6,3 +6,4 @@ playbooks/testing.yml
 **/__pycache__/
 .venv/
 .ansible/
+.tox/

.yamllintrc.yaml

@@ -0,0 +1,7 @@
+---
+yaml-files:
+  - "*.yml"
+  - "*.yaml"
+
+rules:
+  line-length: disable

Makefile

@@ -1,5 +1,6 @@
 clean:
 	rm --recursive --force .ansible/
+	rm --recursive --force .tox/
 
 dev:
 	@poetry install --remove-untracked

pyproject.toml

@@ -6,8 +6,8 @@ authors = ["Ethan Paul <me@enp.one>"]
 license = "MIT"
 
 [tool.poetry.dependencies]
-python = "^3.8"
+python = "^3.10"
-ansible = "^4.9.0"
+ansible-core = "^2.12.1"
 docker = "^4.2.0"
 docker-compose = "^1.25.4"
 paramiko = "^2.7.1"
@@ -16,12 +16,13 @@ netaddr = "^0.8.0"
 
 [tool.poetry.dev-dependencies]
 ansible-lint = "^4.2.0"
+ipython = "^7.28.0"
+mdformat = "^0.7.9"
+mdformat-gfm = "^0.3.3"
+poetry = "^1.1.0"
 pre-commit = "^2.9.2"
 pre-commit-hooks = "^3.3.0"
 safety = "^1.9.0"
 tox = "^3.20.1"
-tox-poetry-installer = "^0.8.1"
+tox-poetry-installer = {extras = ["poetry"], version = "^0.8.3"}
 yamllint = "^1.20.0"
-mdformat = "^0.7.9"
-mdformat-gfm = "^0.3.3"
-ipython = "^7.28.0"

skylab/core/galaxy.yml

@@ -17,4 +17,10 @@ build_ignore: []
 # L(specifiers,https://python-semanticversion.readthedocs.io/en/latest/#requirement-specification). Multiple version
 # range specifiers can be set and are separated by ','
 dependencies:
+  ansible.netcommon: ">=2.5.0,<3.0.0"
+  ansible.posix: ">=1.3.0,<2.0.0"
+  ansible.utils: ">=2.4.3,<3.0.0"
   community.docker: ">=2.0.2,<3.0.0"
+  community.network: ">=3.0.0,<4.0.0"
+  community.general: ">=4.1.0,<5.0.0"
+  community.crypto: ">=1.0.0,<2.0.0"

tox.ini

@@ -0,0 +1,42 @@
+[tox]
+envlist = ansible, python, security
+skipsdist = true
+
+[testenv]
+require_locked_deps = true
+require_poetry = true
+setenv =
+    ANSIBLE_CONFIG = {toxinidir}/ansible.cfg
+whitelist_externals =
+    bash
+
+[testenv:ansible]
+description = Lint ansible resources
+locked_deps =
+    ansible-core
+    ansible-lint
+    yamllint
+    pre-commit
+    pre-commit-hooks
+    mdformat
+    mdformat-gfm
+commands =
+    yamllint --config-file {toxinidir}/.yamllintrc.yaml \
+      {toxinidir}/skylab/ \
+      {toxinidir}/inventory.yaml \
+      {toxinidir}/requirements.yaml
+    bash -c "ansible-lint -c {toxinidir}/.ansible-lint.yaml \
+      {toxinidir}/skylab/*/playbooks/"
+    pre-commit run --all-files
+
+[testenv:security]
+description = Check security parameters
+ignore_errors = true
+locked_deps =
+    poetry
+    safety
+commands =
+    poetry export --format requirements.txt --without-hashes --dev --output {envtmpdir}/req.txt
+    safety check --json --file {envtmpdir}/req.txt \
+        # Ignore unfixed CVE-2021-3532 from ansible \
+        --ignore 42923