Fix lint, Fixes #37520

playbooks/live/functions/create-live-app.yml

@@ -73,11 +73,11 @@
     - name: Generating an application secret on localhost with /dev/urandom
       ansible.builtin.shell: >
         set -o pipefail && \
-        cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 30 | head -n 1
+        head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 30 | head -n 1
       register: secret
       args:
         executable: /bin/bash
-      failed_when: false # Ansible-lint requires pipefail, but the return is then non-null so we have to force this
+      changed_when: false
       when: base_live_secret is not defined or app_secret_diff
 
     - name: Deciding the application secret to use
@@ -97,7 +97,9 @@
 
     - name: (Re)create the RTMP app configuration
       notify: Reload nginx
-      ansible.builtin.command: ubicast-livectl add {{ live_app_name }} {{ hostvars['localhost'].live_app_secret }}
+      ansible.builtin.command:
+        cmd: ubicast-livectl add {{ live_app_name }} {{ hostvars['localhost'].live_app_secret }}
+        creates: /etc/nginx/rtmp.d/{{ live_app_name }}.conf
       when: app_status.rc == 1
 
     - name: Prepare the nginx RTMP temporary directory

playbooks/live/subplays/ha-case.yml

@@ -47,7 +47,9 @@
       register: rtmp_conf_dir
 
     - name: Remove unused MediaServer(s) rtmp configurations
-      ansible.builtin.shell: /bin/rm -f /etc/nginx/rtmp.d/*
+      ansible.builtin.command:
+        cmd: /bin/rm -r /etc/nginx/rtmp.d
+        removes: /etc/nginx/rtmp.d
       args:
         warn: false
       when: rtmp_conf_dir.stat.exists

playbooks/mediavault/ressources/add_backup_task.yml

@@ -6,7 +6,10 @@
   register: backup_marker
 
 - name: create {{ item.name }} backup
-  ansible.builtin.command: mediavaultctl add --backup-name "{{ item.name }}" --source-folder "{{ item.source }}" --dest-folder "{{ item.dest }}"
+  ansible.builtin.command:
+    cmd: mediavaultctl add --backup-name "{{ item.name }}" --source-folder "{{ item.source }}" --dest-folder "{{ item.dest }}"
+    creates: "/etc/systemd/system/mediavault-backup-{{ item.name }}.service"
   when: not backup_marker.stat.exists
 
+
 ...

playbooks/postgres-maintenance/fenced_to_standby.yml

@@ -42,4 +42,5 @@
       ansible.builtin.command: repmgr -f /etc/postgresql/13/main/repmgr.conf --force --verbose standby register
       become: true
       become_user: postgres
+      changed_when: false
       when: copy_from_primary is succeeded

playbooks/postgres-maintenance/standby_to_primary.yml

@@ -7,16 +7,22 @@
       ansible.builtin.fail:
         msg: Current status {{ rephacheck['stdout'] }} must be standby.
       when: rephacheck['stdout'] != "standby"
+
     - name: check if node is currently in standby
-      ansible.builtin.command: repmgr standby switchover -f /etc/postgresql/13/main/repmgr.conf --siblings-follow --dry-run
+      ansible.builtin.command:
+        cmd: repmgr standby switchover -f /etc/postgresql/13/main/repmgr.conf --siblings-follow --dry-run
       become: true
       become_user: postgres
-      when: rephacheck['stdout'] == "standby"
+      changed_when: false
       register: standby_dry_run
+      when: rephacheck['stdout'] == "standby"
+
     - name: switch standby node to primary
-      ansible.builtin.command: repmgr standby switchover -f /etc/postgresql/13/main/repmgr.conf --siblings-follow
+      ansible.builtin.command:
+        cmd: repmgr standby switchover -f /etc/postgresql/13/main/repmgr.conf --siblings-follow
       become: true
       become_user: postgres
+      changed_when: false
       when:
         - standby_dry_run is succeeded
         - rephacheck['stdout'] == "standby"

roles/bench-server/tasks/main.yml

@@ -99,4 +99,5 @@
   ansible.builtin.command:
     cmd: make build_docker_img
     chdir: /usr/share/ms-testing-suite
+  changed_when: false
   run_once: true

roles/letsencrypt/tasks/main.yml

@@ -72,6 +72,7 @@
     - letsencrypt_save_list is changed
   register: letsencrypt_dry_run
   ignore_errors: true
+  changed_when: false
   ansible.builtin.command:
     cmd: >
       certbot certonly
@@ -90,6 +91,7 @@
 - name: exit in case of failure
   when: letsencrypt_dry_run is failed
   ansible.builtin.fail:
+
 - name: generate certificates
   notify: restart nginx
   when:
@@ -104,6 +106,7 @@
         --webroot -w {{ letsencrypt_webroot }}
         --expand
         -d {{ letsencrypt_domains | join(',') }}
+    creates: "/etc/letsencrypt/live/{{ letsencrypt_domains[0] }}/privkey.pem"
 
 - name: update nginx certificate configuration
   when:
@@ -113,7 +116,7 @@
   notify: restart nginx
   ansible.builtin.lineinfile:
     path: /etc/nginx/conf.d/ssl_certificate.conf
-    regexp: ssl_certificate\s+([\w/\-\_\.]+);
+    regexp: 'ssl_certificate\s+([\w/\-\_\.]+);'
     line: ssl_certificate /etc/letsencrypt/live/{{ letsencrypt_domains[0] }}/fullchain.pem;
 
 - name: update nginx certificate key configuration
@@ -124,5 +127,5 @@
   notify: restart nginx
   ansible.builtin.lineinfile:
     path: /etc/nginx/conf.d/ssl_certificate.conf
-    regexp: ssl_certificate_key\s+([\w/\-\_\.]+);
+    regexp: 'ssl_certificate_key\s+([\w/\-\_\.]+);'
     line: ssl_certificate_key /etc/letsencrypt/live/{{ letsencrypt_domains[0] }}/privkey.pem;

roles/metricbeat/tasks/main.yml

@@ -36,7 +36,9 @@
   notify: restart metricbeat
 
 - name: enable metricbeat dashboard
-  ansible.builtin.command: metricbeat setup
+  ansible.builtin.command:
+    cmd: metricbeat setup
+  changed_when: false
   when: inventory_hostname == groups['mediaserver'][0]
 
 - name: enable sql metricbeat configuration

roles/munin/munin-node/tasks/main.yml

@@ -21,7 +21,7 @@
 - name: setup munin-node plugins link
   notify: restart munin-node
   ansible.builtin.shell:
-    cmd: munin-node-configure --shell --remove-also 2>&1 | sh -x
+    munin-node-configure --shell --remove-also 2>&1 || true | sh -x  # noqa risky-shell-pipe
   # sh -x print executed cmd to stderr
   register: munin_plugin_linked
   changed_when: munin_plugin_linked.stderr | length > 0

roles/netcapture/tasks/main.yml

@@ -24,7 +24,7 @@
     src: miris-api.json.j2
     dest: "{{ netcapture_conf_folder }}/api.json"
     mode: u=rw,g=r,o=r
-  when: miris_config_file.stat.exists == false
+  when: not miris_config_file.stat.exists
 
 - name: netcapture config dir
   ansible.builtin.file:

roles/nginx/tasks/main.yml

@@ -18,19 +18,20 @@
     path: "{{ item }}"
     state: absent
 
-- name: nginx check old ssl conf exists
-  register: nginx_old_ssl_conf
-  ansible.builtin.stat:
-    path: /etc/nginx/conf.d/ssl.conf
-
-- name: nginx migrate old ssl certificate conf
-  when: nginx_old_ssl_conf.stat.exists
-  notify: restart nginx
-  loop:
-    - grep ssl_certificate /etc/nginx/conf.d/ssl.conf > /etc/nginx/conf.d/ssl_certificate.conf
-    - mv /etc/nginx/conf.d/ssl.conf /etc/nginx/conf.d/ssl.conf.old
-  ansible.builtin.command:
-    cmd: "{{ item }}"
+# NOTE: /etc/nginx/conf.d/ssl.conf does not exist after current nginx package installation
+# - name: nginx check old ssl conf exists
+#   register: nginx_old_ssl_conf
+#   ansible.builtin.stat:
+#     path: /etc/nginx/conf.d/ssl.conf
+#
+# - name: nginx migrate old ssl certificate conf
+#   when: nginx_old_ssl_conf.stat.exists
+#   notify: restart nginx
+#   loop:
+#     - grep ssl_certificate /etc/nginx/conf.d/ssl.conf > /etc/nginx/conf.d/ssl_certificate.conf
+#     - mv /etc/nginx/conf.d/ssl.conf /etc/nginx/conf.d/ssl.conf.old
+#   ansible.builtin.command:
+#     cmd: "{{ item }}"
 
 - name: nginx check ssl cert conf exists
   register: nginx_ssl_cert_conf

roles/postgres-ha/tasks/main.yml

@@ -150,6 +150,7 @@
     - name: register primary
       become: true
       become_user: postgres
+      changed_when: true
       when: repmgr_check_primary.query_result | length == 0
       notify: restart repmgrd
       ansible.builtin.command:
@@ -185,6 +186,7 @@
     - name: clone from primary to standby
       become: true
       become_user: postgres
+      changed_when: true
       when: repmgr_check_standby.query_result | length == 0
       ignore_errors: true
       register: repmgr_clone_standby
@@ -231,6 +233,7 @@
     - name: register standby
       become: true
       become_user: postgres
+      changed_when: true
       when: repmgr_check_standby.query_result | length == 0
       notify: restart repmgrd
       ansible.builtin.command:
@@ -254,6 +257,7 @@
     - name: register witness
       become: true
       become_user: postgres
+      changed_when: true
       when: repmgr_check_witness.query_result | length == 0
       notify: restart repmgrd
       ansible.builtin.command:
@@ -332,3 +336,5 @@
     ferm_global_settings: "{{ pg_ferm_global_settings }}"
   ansible.builtin.include_role:
     name: ferm-configure
+
+...