chore: migrate to ansible-lint (previous action was discontinued)

.ansible-lint

@@ -1,6 +1,7 @@
+---
 # .ansible-lint
 exclude_paths:
-  - .cache/  # implicit unless exclude_paths is defined in config
+  - .cache/ # implicit unless exclude_paths is defined in config
   - .github/
   - custom_kube_prometheus/
   - ansible/roles/k8s_setup_monitoring/files/manifests/
@@ -11,11 +12,11 @@ verbosity: -2
 # Mock modules or roles in order to pass ansible-playbook --syntax-check
 # mock_modules:
 #   - zuul_return
-  # note the foo.bar is invalid as being neither a module or a collection
-  # - fake_namespace.fake_collection.fake_module
-  # - fake_namespace.fake_collection.fake_module.fake_submodule
+# note the foo.bar is invalid as being neither a module or a collection
+# - fake_namespace.fake_collection.fake_module
+# - fake_namespace.fake_collection.fake_module.fake_submodule
 mock_roles:
-  - freeipa.ansible_freeipa.ipaclient  # necessary because ansible lint cannot evaluate the requirements.yml file
+  - freeipa.ansible_freeipa.ipaclient # necessary because ansible lint cannot evaluate the requirements.yml file
 #   - mocked_role
 #   - author.role_name  # old standalone galaxy role
 #   - fake_namespace.fake_collection.fake_role  # role within a collection
@@ -35,15 +36,15 @@ use_default_rules: true
 
 # This makes linter to fully ignore rules/tags listed below
 skip_list:
-  - name[missing]  # This rule flags missing names in blocks, which would result in many redundant names
+  - name[missing] # This rule flags missing names in blocks, which would result in many redundant names
   - key-order[task]
 
 # Any rule that has the 'opt-in' tag will not be loaded unless its 'id' is
 # mentioned in the enable_list:
 enable_list:
-  - fqcn-builtins  # opt-in
-  - no-log-password  # opt-in
-  - no-same-owner  # opt-in
+  - fqcn-builtins # opt-in
+  - no-log-password # opt-in
+  - no-same-owner # opt-in
   # add yaml here if you want to avoid ignoring yaml checks when yamllint
   # library is missing. Normally its absence just skips using that rule.
   - yaml
@@ -55,7 +56,8 @@ enable_list:
 warn_list:
   - skip_this_tag
   - git-latest
-  - experimental  # experimental is included in the implicit list
+  - experimental # experimental is included in the implicit list
+  - yaml[line-length]
   # - role-name
 
 # Offline mode disables installation of requirements.yml

.gitattributes

@@ -0,0 +1,2 @@
+# SCM syntax highlighting & preventing 3-way merges
+pixi.lock merge=binary linguist-language=YAML linguist-generated=true

.github/workflows/linter.yaml

@@ -15,11 +15,11 @@ jobs:
 
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
       - name: Lint ansible project
-        uses: ansible-community/ansible-lint-action@v6
+        uses: ansible/ansible-lint@v25
         with:
-          path: "ansible/roles"
+          args: --skip-list yaml[line-length]

.gitignore

@@ -139,3 +139,6 @@ dmypy.json
 
 # Pyre type checker
 .pyre/
+# pixi environments
+.pixi/*
+!.pixi/config.toml

ansible/playbooks/usermgmt/create-users-groups.yml

@@ -1,9 +1,9 @@
 ---
 - hosts: localhost
   gather_facts: false
   vars:
-    # userglob: ../../../../IKIM-config/ansible/userdata/users/*.yml
-    # groupglob: ../../../../IKIM-config/ansible/userdata/groups/*.yml
+  # userglob: ../../../../IKIM-config/ansible/userdata/users/*.yml
+  # groupglob: ../../../../IKIM-config/ansible/userdata/groups/*.yml
   tasks:
     - name: Load users
       ansible.builtin.include_tasks: tasks/load-user.yml
@@ -17,7 +17,7 @@
   tags: usermgmt-load
 
 # FIXME: We run this locally via ipa_host_override for now. Needs cleanup.
 - hosts: "{{ ipa_host_override | default('managed_cluster') }}"
   run_once: true
   gather_facts: false
   vars:
@@ -34,7 +34,7 @@
       loop: "{{ hostvars['localhost']['groupdata'] | default({}) | dict2items }}"
   tags: usermgmt-ipa
 
 - hosts: bastion_hosts
   gather_facts: false
   tasks:
     - name: Create users
@@ -42,7 +42,7 @@
       loop: "{{ hostvars['localhost']['userdata'] | default({}) | dict2items }}"
   tags: usermgmt-bastion
 
 - hosts: nfs_server_homedirs
   gather_facts: false
   tasks:
     - name: Create users

ansible/playbooks/usermgmt/tasks/add-user-bastion.yml

@@ -23,9 +23,9 @@
       - sudo
       - /root/bin/ikimuseradd.sh
       - "{{ usermgmt_tempfile['path'] }}"
-    # As of 2024-10, ikimuseradd.sh also handles adding new ssh keys for
-    # existing users, so always run it, even if /home/user already exists.
-    # creates: "/home/{{ item['value']['username'] }}"
+  # As of 2024-10, ikimuseradd.sh also handles adding new ssh keys for
+  # existing users, so always run it, even if /home/user already exists.
+  # creates: "/home/{{ item['value']['username'] }}"
   when: usermgmt_tempfile['path'] is defined
 
 - name: Delete the temp file

ansible/roles/apptainer/defaults/main.yml

@@ -1,2 +1,3 @@
+---
 apptainer_release: "1.1.5"
 apptainer_cache_root: "/local/apptainercache"

ansible/roles/apptainer/vars/main.yml

@@ -1 +1,2 @@
+---
 apptainer_deb_url: "https://github.com/apptainer/apptainer/releases/download/v{{ apptainer_release }}/apptainer_{{ apptainer_release }}_amd64.deb"

ansible/roles/c_nodes/tasks/main.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: Partition the 2nd drive
   parted:
     device: /dev/sdb

ansible/roles/custom_pkgs/defaults/main.yml

@@ -1,3 +1,4 @@
+---
 # The paths of the deb packages to install on the target host.
 # If custom_pkgs_archive is defined, the items in custom_pkgs_debs are
 # interpreted as paths in the archive.

ansible/roles/custom_pkgs/vars/main.yml

@@ -1 +1,2 @@
+---
 custom_pkgs_prefix: "{{ (custom_pkgs_archive is defined) | ternary('/tmp', '') }}"

ansible/roles/docker/handlers/main.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: Reload the systemd configuration and restart the Docker unit
   ansible.builtin.systemd:
     name: docker

ansible/roles/docker/tasks/docker-nvidia.yml

@@ -1,3 +1,4 @@
+---
 - name: Install the container runtime
   ansible.builtin.include_role:
     name: nvidia.nvidia_docker

ansible/roles/docker/vars/main.yml

@@ -1,3 +1,4 @@
+---
 docker_signing_key_directory: "/etc/apt/keyrings"
 docker_signing_key_path: "{{ docker_signing_key_directory }}/docker-gpg.asc"
 

ansible/roles/ftp/tasks/configure.yml

@@ -1,3 +1,4 @@
+---
 - name: Write lftp.conf
   ansible.builtin.template:
     src: lftp.conf.j2

ansible/roles/ftp/tasks/install.yml

@@ -1,3 +1,4 @@
+---
 - name: Install lftp
   ansible.builtin.apt:
     name:

ansible/roles/g_nodes/tasks/gpu-tools.yml

@@ -1,3 +1,4 @@
+---
 - name: Install nvtop
   ansible.builtin.apt:
     name:

ansible/roles/ipaclient_postinstall/handlers/main.yml

@@ -1,3 +1,4 @@
+---
 - name: restart sssd service
   ansible.builtin.systemd:
     name: sssd

ansible/roles/ipaclient_postinstall/tasks/pam_mkhomedir_umask.yml

@@ -3,5 +3,5 @@
   ansible.builtin.lineinfile:
     path: /etc/pam.d/common-session
     backrefs: true
-    regexp: '^session(.*)pam_mkhomedir.so$'
-    line: 'session\1pam_mkhomedir.so umask=0027'
+    regexp: "^session(.*)pam_mkhomedir.so$"
+    line: "session\\1pam_mkhomedir.so umask=0027"

ansible/roles/ipaclient_postinstall/tasks/sssd_socket_activation.yml

@@ -1,7 +1,8 @@
+---
 - name: Modify sssd.conf to avoid blocking the sssd responder sockets
   ansible.builtin.lineinfile:
     path: /etc/sssd/sssd.conf
     state: absent
-    regexp: '^services ='
+    regexp: "^services ="
   notify: restart sssd service
   become: true

ansible/roles/ipaserver/defaults/main.yml

@@ -1,2 +1,3 @@
+---
 ipa_storage: /var/lib/ipa-data
 ipa_server_image: freeipa/freeipa-server:centos-8-stream

ansible/roles/ipaserver/vars/main.yml

@@ -1,3 +1,4 @@
+---
 server_options_filename: ipa-server-install-options
 server_options_path: "{{ ipa_storage }}/{{ server_options_filename }}"
 server_service_name: freeipa-server

ansible/roles/ipaserver_settings/defaults/main.yml

@@ -1,3 +1,4 @@
+---
 ipa_default_shell: /bin/bash
 
 # List of automount mappings

ansible/roles/ipaserver_settings/tasks/create_automountmaps.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: Install dependencies
   ansible.builtin.apt:
     name: python3-docker
@@ -19,7 +18,6 @@
   changed_when: false
   register: ipaserver_settings_automountmap_search
 
-
 - name: Create the automount map
   community.docker.docker_container_exec:
     container: "{{ ipa_server_container_name }}"

ansible/roles/ipaserver_settings/tasks/create_hostgroups.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: Ensure that hostgroups are present
   community.general.ipa_hostgroup:
     name: "{{ ipaserver_settings_item['name'] }}"

ansible/roles/ipaserver_settings/tasks/create_rbacrules.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: Ensure user managers have the appropriate permissions
   community.general.ipa_role:
     cn: "{{ ipaserver_settings_item['rolename'] }}"

ansible/roles/ipaserver_settings/tasks/create_services.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: Create nfs service on ipa server
   community.general.ipa_service:
     krbcanonicalname: "nfs/{{ primary_ipaserver }}@{{ ipaserver_realm }}"

ansible/roles/ipaserver_settings/tasks/ensure_general_config.yml

@@ -1,5 +1,4 @@
 ---
-
 # ensure that the home directory path is set to /homes for all users
 # reason: the shared home directory from s1 is mounted at /homes
 - name: Create nfs service on ipa server

ansible/roles/ipaserver_settings/tasks/main.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: Include ipa services tasks
   block:
     - ansible.builtin.include_tasks: create_services.yml

ansible/roles/ipaticket/defaults/main.yml

@@ -1,2 +1,3 @@
+---
 ipaadmin_user: "{{ vault_ipaadmin_user }}"
 ipaadmin_password: "{{ vault_ipaadmin_password }}"

ansible/roles/ipaticket/handlers/main.yml

@@ -1,3 +1,4 @@
+---
 - name: Clear the Kerberos ticket
   ansible.builtin.command: kdestroy
   changed_when: true

ansible/roles/k8s_setup_monitoring/files/manifests_autogenerated/alertmanager-alertmanager.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: monitoring.coreos.com/v1
 kind: Alertmanager
 metadata:

ansible/roles/k8s_setup_monitoring/files/manifests_autogenerated/alertmanager-podDisruptionBudget.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata: