Jose/ansible_role_proxmox_provision
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request 'docs 📝: Add new rule to detect Sidekiq secret in README.md' (#23) from dev into main
All checks were successful
ansible-lint / Ansible Lint (push) Successful in 11s
Details
Gitleaks Scan / gitleaks (push) Successful in 4s
Details
Markdown Lint / markdown-lint (push) Successful in 5s
Details

Browse Source 
Reviewed-on: #23
This commit was merged in pull request #23.
This commit is contained in:
Jose
2026-02-14 11:02:55 +01:00
parent e165d9b1ca ac3e5e55c6
commit 64957d48ff
4 changed files with 220 additions and 169 deletions
Download Patch File Download Diff File Expand all files Collapse all files

164
.gitea/workflows/pr-check-yaml
View File

@@ -1,164 +0,0 @@
---
# https://github.com/kekxv/pr-check
name: PR check
on:
pull_request:
types: [opened, synchronize]
jobs:
leak_test:
name: Gitleaks
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v6
with:
github-server-url: ${{ vars.GIT_SERVER_URL }}
- name: Install Gitleaks
run: |
curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.30.0/gitleaks_8.30.0_linux_x64.tar.gz \
| tar -xz
sudo mv gitleaks /usr/local/bin/
- name: Run Gitleaks
run: |
gitleaks dir . \
--redact=10 \
--verbose \
--exit-code 1
lint_test:
name: lint tests
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v6
with:
github-server-url: ${{ vars.GIT_SERVER_URL }}
- name: Install Node.js
uses: actions/setup-node@v4
with:
node-version: 20
- name: Run markdownlint
run: npx markdownlint-cli2 "**/*.md" "#node_modules"
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.14"
- name: Install ansible-lint and yamllint
run: |
python -m pip install --upgrade pip
pip install ansible ansible-lint yamllint
- name: Run yamllint
run: |
yamllint .
- name: Run ansible-lint
run: |
ansible-lint
handle_failures:
runs-on: ubuntu-latest
needs: [leak_test, lint_test]
if: needs.leak_test.result != 'success' || needs.lint_test.result != 'success'
steps:
- name: Comment, label, and close PR
run: |
API="${{ vars.GIT_SERVER_URL }}/api/v1/repos/${{ github.repository }}"
PR="${{ github.event.pull_request.number }}"
TOKEN="${{ secrets.GITEA_TOKEN }}"
COMMENT_BODY="❌ CI checks failed.\n\nLeak test: ${{ needs.leak_test.result }}\nLint: ${{ needs.lint_test.result }}"
# Find existing comment
EXISTING_COMMENT_ID=$(curl -s -H "Authorization: token $TOKEN" \
"$API/issues/$PR/comments" \
| jq -r '.[] | select(.body | test("<!--ci-failed-comment-->")) | .id')
# Update or create comment
if [ -n "$EXISTING_COMMENT_ID" ]; then
curl -s -X PATCH \
-H "Authorization: token $TOKEN" \
-H "Content-Type: application/json" \
-d "{\"body\":\"<!--ci-failed-comment-->\n$COMMENT_BODY\"}" \
"$API/issues/$PR/comments/$EXISTING_COMMENT_ID"
else
curl -s -X POST \
-H "Authorization: token $TOKEN" \
-H "Content-Type: application/json" \
-d "{\"body\":\"<!--ci-failed-comment-->\n$COMMENT_BODY\"}" \
"$API/issues/$PR/comments"
fi
# Add label if missing
LABELS=$(curl -s -H "Authorization: token $TOKEN" "$API/issues/$PR/labels" | jq -r '.[] | .name')
if ! echo "$LABELS" | grep -q "^ci-failed$"; then
curl -s -X POST \
-H "Authorization: token $TOKEN" \
-H "Content-Type: application/json" \
-d '["ci-failed"]' \
"$API/issues/$PR/labels"
fi
# Close PR
curl -s -X PATCH \
-H "Authorization: token $TOKEN" \
-H "Content-Type: application/json" \
-d '{"state":"closed"}' \
"$API/pulls/$PR"
handle_success:
runs-on: ubuntu-latest
needs: [leak_test, lint_test]
if: needs.leak_test.result == 'success' && needs.lint_test.result == 'success'
steps:
- name: Update comment, remove label, reopen PR
run: |
API="${{ vars.GIT_SERVER_URL }}/api/v1/repos/${{ github.repository }}"
PR="${{ github.event.pull_request.number }}"
TOKEN="${{ secrets.GITEA_TOKEN }}"
COMMENT_BODY="✅ All CI checks passed.\n\nLeak test: ${{ needs.leak_test.result }}\nLint: ${{ needs.lint_test.result }}"
# Find existing comment
EXISTING_COMMENT_ID=$(curl -s -H "Authorization: token $TOKEN" \
"$API/issues/$PR/comments" \
| jq -r '.[] | select(.body | test("<!--ci-failed-comment-->")) | .id')
# Update comment if exists
if [ -n "$EXISTING_COMMENT_ID" ]; then
curl -s -X PATCH \
-H "Authorization: token $TOKEN" \
-H "Content-Type: application/json" \
-d "{\"body\":\"<!--ci-failed-comment-->\n$COMMENT_BODY\"}" \
"$API/issues/$PR/comments/$EXISTING_COMMENT_ID"
fi
# Remove label if exists
LABELS=$(curl -s -H "Authorization: token $TOKEN" "$API/issues/$PR/labels" | jq -r '.[] | .name')
if echo "$LABELS" | grep -q "^ci-failed$"; then
curl -s -X DELETE \
-H "Authorization: token $TOKEN" \
"$API/issues/$PR/labels/ci-failed"
fi
# Reopen PR if closed
PR_STATE=$(curl -s -H "Authorization: token $TOKEN" "$API/pulls/$PR" | jq -r '.state')
if [ "$PR_STATE" = "closed" ]; then
curl -s -X PATCH \
-H "Authorization: token $TOKEN" \
-H "Content-Type: application/json" \
-d '{"state":"open"}' \
"$API/pulls/$PR"
fi

168
.gitea/workflows/pr-check.yaml Normal file
View File

@@ -0,0 +1,168 @@
---
# https://github.com/kekxv/pr-check
name: PR check
on:
pull_request:
types: [opened, synchronize]
jobs:
leak_test:
name: Gitleaks
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v6
with:
github-server-url: ${{ vars.GIT_SERVER_URL }}
- name: Install Gitleaks
run: |
curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.30.0/gitleaks_8.30.0_linux_x64.tar.gz \
| tar -xz
sudo mv gitleaks /usr/local/bin/
- name: Run Gitleaks
run: |
gitleaks dir . \
--config .gitleaks.toml \
--redact=50 \
--verbose \
--exit-code 1
# --exclude-files "README.md"
lint_test:
name: lint tests
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v6
with:
github-server-url: ${{ vars.GIT_SERVER_URL }}
- name: Install Node.js
uses: actions/setup-node@v4
with:
node-version: 20
- name: Run markdownlint
run: npx markdownlint-cli2 "**/*.md" "#node_modules"
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.14"
- name: Install ansible-lint and yamllint
run: |
python -m pip install --upgrade pip
pip install ansible ansible-lint yamllint
- name: Run yamllint
run: |
yamllint .
- name: Run ansible-lint
run: |
ansible-lint
handle_failures:
runs-on: ubuntu-latest
needs: [leak_test, lint_test]
if: "${{ always() && (
needs.leak_test.result != 'success' ||
needs.lint_test.result != 'success' ) }}"
steps:
- name: Comment, label, and close PR
run: |
API="${{ vars.GIT_SERVER_URL }}/api/v1/repos/${{ github.repository }}"
PR="${{ github.event.pull_request.number }}"
TOKEN="${{ secrets.GITEA_TOKEN }}"
COMMENT_BODY="❌ CI checks failed.\n\nLeak: ${{ needs.leak_test.result }}\nLint: ${{ needs.lint_test.result }}"
# Find existing comment
EXISTING_COMMENT_ID=$(curl -s -H "Authorization: token $TOKEN" \
"$API/issues/$PR/comments" \
| jq -r '.[] | select(.body | test("<!--ci-failed-comment-->")) | .id')
# Update or create comment
if [ -n "$EXISTING_COMMENT_ID" ]; then
curl -s -X PATCH \
-H "Authorization: token $TOKEN" \
-H "Content-Type: application/json" \
-d "{\"body\":\"<!--ci-failed-comment-->\n$COMMENT_BODY\"}" \
"$API/issues/$PR/comments/$EXISTING_COMMENT_ID"
else
curl -s -X POST \
-H "Authorization: token $TOKEN" \
-H "Content-Type: application/json" \
-d "{\"body\":\"<!--ci-failed-comment-->\n$COMMENT_BODY\"}" \
"$API/issues/$PR/comments"
fi
# Add label if missing
LABELS=$(curl -s -H "Authorization: token $TOKEN" "$API/issues/$PR/labels" | jq -r '.[] | .name')
if ! echo "$LABELS" | grep -q "^ci-failed$"; then
curl -s -X POST \
-H "Authorization: token $TOKEN" \
-H "Content-Type: application/json" \
-d '["ci-failed"]' \
"$API/issues/$PR/labels"
fi
# Close PR
curl -s -X PATCH \
-H "Authorization: token $TOKEN" \
-H "Content-Type: application/json" \
-d '{"state":"closed"}' \
"$API/pulls/$PR"
handle_success:
runs-on: ubuntu-latest
needs: [leak_test, lint_test]
if: needs.leak_test.result == 'success' && needs.lint_test.result == 'success'
steps:
- name: Update comment, remove label, reopen PR
run: |
API="${{ vars.GIT_SERVER_URL }}/api/v1/repos/${{ github.repository }}"
PR="${{ github.event.pull_request.number }}"
TOKEN="${{ secrets.GITEA_TOKEN }}"
COMMENT_BODY="✅ CI checks pass.\n\nLeaks: ${{ needs.leak_test.result }}\nLint: ${{ needs.lint_test.result }}"
# Find existing comment
EXISTING_COMMENT_ID=$(curl -s -H "Authorization: token $TOKEN" \
"$API/issues/$PR/comments" \
| jq -r '.[] | select(.body | test("<!--ci-failed-comment-->")) | .id')
# Update comment if exists
if [ -n "$EXISTING_COMMENT_ID" ]; then
curl -s -X PATCH \
-H "Authorization: token $TOKEN" \
-H "Content-Type: application/json" \
-d "{\"body\":\"<!--ci-failed-comment-->\n$COMMENT_BODY\"}" \
"$API/issues/$PR/comments/$EXISTING_COMMENT_ID"
fi
# Remove label if exists
LABELS=$(curl -s -H "Authorization: token $TOKEN" "$API/issues/$PR/labels" | jq -r '.[] | .name')
if echo "$LABELS" | grep -q "^ci-failed$"; then
curl -s -X DELETE \
-H "Authorization: token $TOKEN" \
"$API/issues/$PR/labels/ci-failed"
fi
# Reopen PR if closed
PR_STATE=$(curl -s -H "Authorization: token $TOKEN" "$API/pulls/$PR" | jq -r '.state')
if [ "$PR_STATE" = "closed" ]; then
curl -s -X PATCH \
-H "Authorization: token $TOKEN" \
-H "Content-Type: application/json" \
-d '{"state":"open"}' \
"$API/pulls/$PR"
fi

47
.gitleaks.toml Normal file
View File

@@ -0,0 +1,47 @@
title = "Gitleaks Config"
# ==========================
# Allowlist / False Positive Rules
# ==========================
# [[allowlist]]
# description = "Ignore placeholder secrets in README.md"
# filepath = "README.md"
# # Add all placeholder-like patterns that trigger false positives
# regex = "cafebabe|deadbeef|DB_PASSWORD"
# [[allowlist]]
# description = "Ignore badge URLs in README"
# filepath = "README.md"
# regex = "https://img.shields.io"
# ==========================
# Rules
# ==========================
# [[rules]]
# id = "generic-api-key"
# description = "Generic API Key"
# regex = "(?i)(api[_-]?key|secret|token)=\\S+"
# entropy = 3.5
# [[rules]]
# id = "sidekiq-secret"
# description = "Sidekiq Secret"
# regex = "export BUNDLE_ENTERPRISE__CONTRIBSYS__COM=\\S+"
# entropy = 2.5
# ==========================
# File-specific entropy overrides
# ==========================
[[rules]]
id = "generic-api-key-docs"
description = "Ignore placeholder secrets in README.md"
regex = "(?i)(api[_-]?key|secret|token)=\\S+"
filepath = "README.md"
entropy = 5.0 # high threshold, placeholders won't trigger
[[rules]]
id = "sidekiq-secret"
description = "Sidekiq Secret in README.md"
regex = "export BUNDLE_ENTERPRISE__CONTRIBSYS__COM=\\S+"
filepath = "README.md"
entropy = 5.0

10
README.md
View File

@@ -1,4 +1,4 @@
# ansible_role_proxmox_provision
# README ansible_role_proxmox_provision
> A reusable Ansible role template for for Proxmox VE
> with a focus on provisioning and managing.
@@ -7,7 +7,7 @@
[![Ansible Version](https://img.shields.io/badge/Ansible-2.12+-blue)](https://www.ansible.com/)
[![Proxmox](https://img.shields.io/badge/Proxmox-9-orange?logo=proxmox&logoColor=white)](https://www.proxmox.com/)
## 📌 Key Features
## 📌 Features
**Proxmox VE Optimized** - Specifically designed for Proxmox Virtual Environment
**Idempotent** - Safe to run multiple times
@@ -18,7 +18,7 @@
## 📊 Compatibility Matrix
| Feature | VE 7 | VE 8 | VE 9 |
| Feature \ Proxmox Version| 7 | 8 | 9 |
| ------------------------ | ---- | ---- | ---- |
| No-subscription repo | ✅ | ✅ | ✅ |
| Enterprise repo disabled | ✅ | ✅ | ✅ |
@@ -26,7 +26,7 @@
| Swap handling | ✅ | ✅ | ✅ |
| Logrotate protection | ✅ | ✅ | ✅ |
| Powertop auto-tune | ✅ | ✅ | ✅ |
| API utilities | ✅ | ✅ | ✅ |
| Utilities | ✅ | ✅ | ✅ |
## 📂 Directory Structure
@@ -46,7 +46,7 @@ ansible_role_proxmox_provision/
│ ├── repos.yml # Repository setup
│ ├── subscription.yml # Subscription nag removal
│ ├── swap.yml # Swap setup
│ └── utilities.yml # API utilities installation
│ └── utilities.yml # Utilities installation
├── templates/ # Jinja2 templates
└── vars/ # Non-overridable variables
└── main.yml