Merge pull request #45 from myii/ci/merge-matrix-and-add-salt-lint-and-rubocop

ci: merge travis matrix, add `salt-lint` & `rubocop` to `lint` job

Author: myii

.rubocop.yml

@@ -0,0 +1,10 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+# General overrides used across formulas in the org
+Metrics/LineLength:
+  # Increase from default of `80`
+  # Based on https://github.com/PyCQA/flake8-bugbear#opinionated-warnings (`B950`)
+  Max: 88
+
+# Any offenses that should be fixed, e.g. collected via. `rubocop --auto-gen-config`

.salt-lint

@@ -0,0 +1,13 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+exclude_paths: []
+skip_list:
+  # Using `salt-lint` for linting other files as well, such as Jinja macros/templates
+  - 205  # Use ".sls" as a Salt State file extension
+  # Skipping `207` and `208` because `210` is sufficient, at least for the time-being
+  # I.e. Allows 3-digit unquoted codes to still be used, such as `644` and `755`
+  - 207  # File modes should always be encapsulated in quotation marks
+  - 208  # File modes should always contain a leading zero
+tags: []
+verbosity: 1

.travis.yml

@@ -1,92 +1,43 @@
 # -*- coding: utf-8 -*-
 # vim: ft=yaml
 ---
+## Machine config
 dist: bionic
-stages:
-  - test
-  - lint
-  - name: release
-    if: branch = master AND type != pull_request
-
 sudo: required
-cache: bundler
-language: ruby
-
 services:
   - docker
 
-# Make sure the instances listed below match up with
-# the `platforms` defined in `kitchen.yml`
-env:
-  matrix:
-    - INSTANCE: default-debian-10-develop-py3
-    # - INSTANCE: tables-debian-10-develop-py3
-    # - INSTANCE: default-ubuntu-1804-develop-py3
-    # - INSTANCE: tables-ubuntu-1804-develop-py3
-    # - INSTANCE: default-centos-7-develop-py3
-    # - INSTANCE: tables-centos-7-develop-py3
-    # - INSTANCE: default-fedora-30-develop-py3
-    # - INSTANCE: tables-fedora-30-develop-py3
-    # - INSTANCE: default-opensuse-leap-15-develop-py3
-    # - INSTANCE: tables-opensuse-leap-15-develop-py3
-    # - INSTANCE: default-amazonlinux-2-develop-py2
-    # - INSTANCE: tables-amazonlinux-2-develop-py2
-    # - INSTANCE: default-arch-base-latest-develop-py2
-    # - INSTANCE: tables-arch-base-latest-develop-py2
-    # - INSTANCE: default-debian-9-2019-2-py3
-    # - INSTANCE: tables-debian-9-2019-2-py3
-    - INSTANCE: default-ubuntu-1804-2019-2-py3
-    # - INSTANCE: tables-ubuntu-1804-2019-2-py3
-    # - INSTANCE: default-centos-7-2019-2-py3
-    # - INSTANCE: tables-centos-7-2019-2-py3
-    # - INSTANCE: default-fedora-30-2019-2-py3
-    # - INSTANCE: tables-fedora-30-2019-2-py3
-    # - INSTANCE: default-opensuse-leap-15-2019-2-py3
-    # - INSTANCE: tables-opensuse-leap-15-2019-2-py3
-    - INSTANCE: default-amazonlinux-2-2019-2-py2
-    # - INSTANCE: tables-amazonlinux-2-2019-2-py2
-    - INSTANCE: default-arch-base-latest-2019-2-py2
-    # - INSTANCE: tables-arch-base-latest-2019-2-py2
-    # - INSTANCE: default-debian-9-2018-3-py2
-    # - INSTANCE: tables-debian-9-2018-3-py2
-    # - INSTANCE: default-ubuntu-1604-2018-3-py2
-    # - INSTANCE: tables-ubuntu-1604-2018-3-py2
-    - INSTANCE: default-centos-7-2018-3-py2
-    # - INSTANCE: tables-centos-7-2018-3-py2
-    - INSTANCE: default-fedora-29-2018-3-py2
-    # - INSTANCE: tables-fedora-29-2018-3-py2
-    # - INSTANCE: default-opensuse-leap-15-2018-3-py2
-    # - INSTANCE: tables-opensuse-leap-15-2018-3-py2
-    # - INSTANCE: default-amazonlinux-2-2018-3-py2
-    # - INSTANCE: tables-amazonlinux-2-2018-3-py2
-    # - INSTANCE: default-arch-base-latest-2018-3-py2
-    # - INSTANCE: tables-arch-base-latest-2018-3-py2
-    # - INSTANCE: default-debian-8-2017-7-py2
-    # - INSTANCE: tables-debian-8-2017-7-py2
-    # - INSTANCE: default-ubuntu-1604-2017-7-py2
-    # - INSTANCE: tables-ubuntu-1604-2017-7-py2
-    # - INSTANCE: default-centos-6-2017-7-py2
-    # - INSTANCE: tables-centos-6-2017-7-py2
-    # - INSTANCE: default-fedora-29-2017-7-py2
-    # - INSTANCE: tables-fedora-29-2017-7-py2
-    # - INSTANCE: default-opensuse-leap-15-2017-7-py2
-    - INSTANCE: tables-opensuse-leap-15-2017-7-py2
-    # - INSTANCE: default-amazonlinux-2-2017-7-py2
-    # - INSTANCE: tables-amazonlinux-2-2017-7-py2
-    # - INSTANCE: default-arch-base-latest-2017-7-py2
-    # - INSTANCE: tables-arch-base-latest-2017-7-py2
+## Language and cache config
+language: ruby
+cache: bundler
 
+## Script to run for the test stage
 script:
-  - bin/kitchen verify ${INSTANCE}
+  - bin/kitchen verify "${INSTANCE}"
 
+## Stages and jobs matrix
+stages:
+  - test
+  - name: release
+    if: branch = master AND type != pull_request
 jobs:
+  allow_failures:
+    - env: Lint_rubocop
+  fast_finish: true
   include:
-    # Define the `lint` stage (runs `yamllint` and `commitlint`)
-    - stage: lint
-      language: node_js
+    ## Define the test stage that runs the linters (and testing matrix, if applicable)
+
+    # Run all of the linters in a single job (except `rubocop`)
+    - language: node_js
       node_js: lts/*
+      env: Lint
+      name: 'Lint: salt-lint, yamllint & commitlint'
       before_install: skip
       script:
+        # Install and run `salt-lint`
+        - pip install --user salt-lint
+        - git ls-files | grep '\.sls$\|\.jinja$\|\.j2$\|\.tmpl$'
+                       | xargs -I {} salt-lint {}
         # Install and run `yamllint`
         # Need at least `v1.17.0` for the `yaml-files` setting
         - pip install --user yamllint>=1.17.0
@@ -95,10 +46,84 @@ jobs:
         - npm install @commitlint/config-conventional -D
         - npm install @commitlint/travis-cli -D
         - commitlint-travis
-    # Define the release stage that runs `semantic-release`
+    # Run the `rubocop` linter in a separate job that is allowed to fail
+    # Once these lint errors are fixed, this can be merged into a single job
+    - language: node_js
+      node_js: lts/*
+      env: Lint_rubocop
+      name: 'Lint: rubocop'
+      before_install: skip
+      script:
+        # Install and run `rubocop`
+        - gem install rubocop
+        - rubocop -d
+
+    ## Define the rest of the matrix based on Kitchen testing
+    # Make sure the instances listed below match up with
+    # the `platforms` defined in `kitchen.yml`
+    - env: INSTANCE=default-debian-10-develop-py3
+    # - env: INSTANCE=tables-debian-10-develop-py3
+    # - env: INSTANCE=default-ubuntu-1804-develop-py3
+    # - env: INSTANCE=tables-ubuntu-1804-develop-py3
+    # - env: INSTANCE=default-centos-7-develop-py3
+    # - env: INSTANCE=tables-centos-7-develop-py3
+    # - env: INSTANCE=default-fedora-30-develop-py3
+    # - env: INSTANCE=tables-fedora-30-develop-py3
+    # - env: INSTANCE=default-opensuse-leap-15-develop-py3
+    # - env: INSTANCE=tables-opensuse-leap-15-develop-py3
+    # - env: INSTANCE=default-amazonlinux-2-develop-py2
+    # - env: INSTANCE=tables-amazonlinux-2-develop-py2
+    # - env: INSTANCE=default-arch-base-latest-develop-py2
+    # - env: INSTANCE=tables-arch-base-latest-develop-py2
+    # - env: INSTANCE=default-debian-9-2019-2-py3
+    # - env: INSTANCE=tables-debian-9-2019-2-py3
+    - env: INSTANCE=default-ubuntu-1804-2019-2-py3
+    # - env: INSTANCE=tables-ubuntu-1804-2019-2-py3
+    # - env: INSTANCE=default-centos-7-2019-2-py3
+    # - env: INSTANCE=tables-centos-7-2019-2-py3
+    # - env: INSTANCE=default-fedora-30-2019-2-py3
+    # - env: INSTANCE=tables-fedora-30-2019-2-py3
+    # - env: INSTANCE=default-opensuse-leap-15-2019-2-py3
+    # - env: INSTANCE=tables-opensuse-leap-15-2019-2-py3
+    - env: INSTANCE=default-amazonlinux-2-2019-2-py2
+    # - env: INSTANCE=tables-amazonlinux-2-2019-2-py2
+    - env: INSTANCE=default-arch-base-latest-2019-2-py2
+    # - env: INSTANCE=tables-arch-base-latest-2019-2-py2
+    # - env: INSTANCE=default-debian-9-2018-3-py2
+    # - env: INSTANCE=tables-debian-9-2018-3-py2
+    # - env: INSTANCE=default-ubuntu-1604-2018-3-py2
+    # - env: INSTANCE=tables-ubuntu-1604-2018-3-py2
+    - env: INSTANCE=default-centos-7-2018-3-py2
+    # - env: INSTANCE=tables-centos-7-2018-3-py2
+    - env: INSTANCE=default-fedora-29-2018-3-py2
+    # - env: INSTANCE=tables-fedora-29-2018-3-py2
+    # - env: INSTANCE=default-opensuse-leap-15-2018-3-py2
+    # - env: INSTANCE=tables-opensuse-leap-15-2018-3-py2
+    # - env: INSTANCE=default-amazonlinux-2-2018-3-py2
+    # - env: INSTANCE=tables-amazonlinux-2-2018-3-py2
+    # - env: INSTANCE=default-arch-base-latest-2018-3-py2
+    # - env: INSTANCE=tables-arch-base-latest-2018-3-py2
+    # - env: INSTANCE=default-debian-8-2017-7-py2
+    # - env: INSTANCE=tables-debian-8-2017-7-py2
+    # - env: INSTANCE=default-ubuntu-1604-2017-7-py2
+    # - env: INSTANCE=tables-ubuntu-1604-2017-7-py2
+    # - env: INSTANCE=default-centos-6-2017-7-py2
+    # - env: INSTANCE=tables-centos-6-2017-7-py2
+    # - env: INSTANCE=default-fedora-29-2017-7-py2
+    # - env: INSTANCE=tables-fedora-29-2017-7-py2
+    # - env: INSTANCE=default-opensuse-leap-15-2017-7-py2
+    - env: INSTANCE=tables-opensuse-leap-15-2017-7-py2
+    # - env: INSTANCE=default-amazonlinux-2-2017-7-py2
+    # - env: INSTANCE=tables-amazonlinux-2-2017-7-py2
+    # - env: INSTANCE=default-arch-base-latest-2017-7-py2
+    # - env: INSTANCE=tables-arch-base-latest-2017-7-py2
+
+    ## Define the release stage that runs `semantic-release`
     - stage: release
       language: node_js
       node_js: lts/*
+      env: Release
+      name: 'Run semantic-release inc. file updates to AUTHORS, CHANGELOG & FORMULA'
       before_install: skip
       script:
         # Update `AUTHORS.md`

.yamllint

@@ -17,6 +17,7 @@ yaml-files:
   # Default settings
   - '*.yaml'
   - '*.yml'
+  - .salt-lint
   - .yamllint
   # SaltStack Formulas additional settings
   - '*.example'

Gemfile

@@ -1,6 +1,7 @@
-source "https://rubygems.org"
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
 
 gem 'kitchen-docker', '>= 2.9'
-gem 'kitchen-salt', '>= 0.6.0'
 gem 'kitchen-inspec', '>= 1.1'
-
+gem 'kitchen-salt', '>= 0.6.0'

bin/kitchen

@@ -8,22 +8,25 @@
 # this file is here to facilitate running it.
 #
 
-require "pathname"
-ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../Gemfile",
-  Pathname.new(__FILE__).realpath)
+require 'pathname'
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile',
+                                           Pathname.new(__FILE__).realpath)
 
-bundle_binstub = File.expand_path("../bundle", __FILE__)
+bundle_binstub = File.expand_path('bundle', __dir__)
 
 if File.file?(bundle_binstub)
   if File.read(bundle_binstub, 300) =~ /This file was generated by Bundler/
     load(bundle_binstub)
   else
-    abort("Your `bin/bundle` was not generated by Bundler, so this binstub cannot run.
-Replace `bin/bundle` by running `bundle binstubs bundler --force`, then run this command again.")
+    abort(
+      'Your `bin/bundle` was not generated by Bundler, '\
+      'so this binstub cannot run.  Replace `bin/bundle` by running '\
+      '`bundle binstubs bundler --force`, then run this command again.'
+    )
   end
 end
 
-require "rubygems"
-require "bundler/setup"
+require 'rubygems'
+require 'bundler/setup'
 
-load Gem.bin_path("test-kitchen", "kitchen")
+load Gem.bin_path('test-kitchen', 'kitchen')

iptables/init.sls

@@ -22,15 +22,15 @@ iptables_packages:
   pkg.installed:
     - pkgs:
 {%-     for pkg in packages %}
-      - {{pkg}}
+      - {{ pkg }}
 {%-     endfor %}
 {%-   endif %}
 
 {%-   if strict_mode %}
 # If the firewall is set to strict mode, we'll need to allow some
 # that always need access to anything
 {%-     for protocol in protocols %}
-iptables_allow_localhost{{suffixes[protocol]}}:
+iptables_allow_localhost{{ suffixes[protocol] }}:
   iptables.append:
     - table: filter
     - chain: INPUT
@@ -44,7 +44,7 @@ iptables_allow_localhost{{suffixes[protocol]}}:
     - save: True
 
 # Allow related/established sessions
-iptables_allow_established{{suffixes[protocol]}}:
+iptables_allow_established{{ suffixes[protocol] }}:
   iptables.append:
     - table: filter
     - chain: INPUT
@@ -57,7 +57,7 @@ iptables_allow_established{{suffixes[protocol]}}:
     - save: True
 
 # Set the policy to deny everything unless defined
-enable_reject_policy{{suffixes[protocol]}}:
+enable_reject_policy{{ suffixes[protocol] }}:
   iptables.set_policy:
     - table: filter
     - chain: INPUT
@@ -66,8 +66,8 @@ enable_reject_policy{{suffixes[protocol]}}:
     - family: ipv6
 {%-       endif %}
     - require:
-      - iptables: iptables_allow_localhost{{suffixes[protocol]}}
-      - iptables: iptables_allow_established{{suffixes[protocol]}}
+      - iptables: iptables_allow_localhost{{ suffixes[protocol] }}
+      - iptables: iptables_allow_established{{ suffixes[protocol] }}
 {%-     endfor %}
 {%-   endif %}
 
@@ -88,7 +88,7 @@ enable_reject_policy{{suffixes[protocol]}}:
 {%-         for ip in service_details.get('ips_allow', ['0.0.0.0/0']) %}
 {%-           if interfaces == '' %}
 {%-             for proto in protos %}
-iptables_{{service_name}}_allow_{{ip}}_{{proto}}{{suffixes[protocol]}}:
+iptables_{{ service_name }}_allow_{{ ip }}_{{ proto }}{{ suffixes[protocol] }}:
   iptables.insert:
     - position: 1
     - table: filter
@@ -106,7 +106,7 @@ iptables_{{service_name}}_allow_{{ip}}_{{proto}}{{suffixes[protocol]}}:
 {%-           else %}
 {%-             for interface in interfaces %}
 {%-               for proto in protos %}
-iptables_{{service_name}}_allow_{{ip}}_{{proto}}_{{interface}}{{suffixes[protocol]}}:
+iptables_{{ service_name }}_allow_{{ ip }}_{{ proto }}_{{ interface }}{{ suffixes[protocol] }}:
   iptables.insert:
     - position: 1
     - table: filter
@@ -130,7 +130,7 @@ iptables_{{service_name}}_allow_{{ip}}_{{proto}}_{{interface}}{{suffixes[protoco
 # If strict mode is disabled we may want to block anything else
 {%-           if interfaces == '' %}
 {%-             for proto in protos %}
-iptables_{{service_name}}_deny_other_{{proto}}{{suffixes[protocol]}}:
+iptables_{{ service_name }}_deny_other_{{ proto }}{{ suffixes[protocol] }}:
   iptables.append:
     - position: last
     - table: filter
@@ -147,7 +147,7 @@ iptables_{{service_name}}_deny_other_{{proto}}{{suffixes[protocol]}}:
 {%-           else %}
 {%-             for interface in interfaces %}
 {%-               for proto in protos %}
-iptables_{{service_name}}_deny_other_{{proto}}_{{interface}}{{suffixes[protocol]}}:
+iptables_{{ service_name }}_deny_other_{{ proto }}_{{ interface }}{{ suffixes[protocol] }}:
   iptables.append:
     - position: last
     - table: filter
@@ -172,7 +172,7 @@ iptables_{{service_name}}_deny_other_{{proto}}_{{interface}}{{suffixes[protocol]
 {%-     for service_name, service_details in firewall.get('nat', {}).items() %}
 {%-       for ip_s, ip_ds in service_details.get('rules', {}).items() %}
 {%-         for ip_d in ip_ds %}
-iptables_{{service_name}}_allow_{{ip_s}}_{{ip_d}}:
+iptables_{{ service_name }}_allow_{{ ip_s }}_{{ ip_d }}:
   iptables.append:
     - table: nat
     - chain: POSTROUTING
@@ -189,7 +189,7 @@ iptables_{{service_name}}_allow_{{ip_s}}_{{ip_d}}:
 {%-     for protocol in protocols %}
 {%-       for service_name, service_details in firewall.get('whitelist' + suffixes[protocol], {}).items() %}
 {%-         for ip in service_details.get('ips_allow', []) %}
-iptables_{{service_name}}_allow_{{ip}}{{suffixes[protocol]}}:
+iptables_{{ service_name }}_allow_{{ ip }}{{ suffixes[protocol] }}:
   iptables.append:
     - table: filter
     - chain: INPUT