Changes that make ansible-lint happy. nosec on the subprocess commands

enroll/harvest.py

@@ -3,6 +3,7 @@ from __future__ import annotations
 import glob
 import json
 import os
+import re
 import shutil
 from dataclasses import dataclass, asdict
 from typing import Dict, List, Optional, Set
@@ -130,8 +131,19 @@ def _safe_name(s: str) -> str:
     return "".join(out).replace("-", "_")
 
 
+def _role_id(raw: str) -> str:
+    # normalize separators first
+    s = re.sub(r"[^A-Za-z0-9]+", "_", raw)
+    # split CamelCase -> snake_case
+    s = re.sub(r"([a-z0-9])([A-Z])", r"\1_\2", s)
+    s = s.lower()
+    s = re.sub(r"_+", "_", s).strip("_")
+    if not re.match(r"^[a-z_]", s):
+        s = "r_" + s
+    return s
+
 def _role_name_from_unit(unit: str) -> str:
-    base = unit.removesuffix(".service")
+    base = _role_id(unit.removesuffix(".service"))
     return _safe_name(base)
 
 

enroll/manifest.py

@@ -35,7 +35,7 @@ def _write_role_scaffold(role_dir: str) -> None:
 
 
 def _write_playbook(path: str, roles: List[str]) -> None:
-    pb_lines = ["---", "- hosts: all", "  become: true", "  roles:"]
+    pb_lines = ["---", "- name: Apply all roles on host", "  hosts: all", "  become: true", "  roles:"]
     for r in roles:
         pb_lines.append(f"    - {r}")
     with open(path, "w", encoding="utf-8") as f:
@@ -314,7 +314,7 @@ Unowned /etc config files not attributed to packages or services.
             f.write(defaults)
 
         handlers = """---
-- name: systemd daemon-reload
+- name: Run systemd daemon-reload
   ansible.builtin.systemd:
     daemon_reload: true
 
@@ -444,7 +444,7 @@ Generated from `{unit}`.
             f.write(defaults)
 
         handlers = """---
-- name: systemd daemon-reload
+- name: Run systemd daemon-reload
   ansible.builtin.systemd:
     daemon_reload: true
 """