feat: add package/install-only setup mode

[O1ahmad]

Note

Medium Risk
Adds a new setup_mode path and uninstall cleanup behavior; risk is moderate because it changes provisioning/uninstall flows and file removal logic (could delete the wrong path if variables are mis-set).

Overview
Adds a new setup_mode: install that runs an install/setup.yml path to download a binary/tool without creating container/systemd/k8s service resources.

Extends uninstall behavior to remove the installed binary file for install mode, updates the README to document the new mode with an example, and adds Molecule scenarios to verify binary installation and clean uninstall without any systemd unit being created.

^{Written by Cursor Bugbot for commit c9e2a0d. This will update automatically on new commits. Configure here.}

Summary by CodeRabbit

• New Features

  • Added support for a new "install" mode to set up and manage tools without creating system services.

• Documentation

  • Added configuration examples demonstrating the new install mode with tool-specific settings.

• Tests

  • Expanded test coverage for the new install mode, including installation and uninstallation verification scenarios.

[coderabbitai]

Warning

Rate limit exceeded

@O1ahmad has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 12 minutes and 4 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 220bc3b and 70c63c1.

📒 Files selected for processing (10)

• README.md
• handlers/main.yml
• tasks/common/custom-facts.yml
• tasks/install/setup.yml
• tests/molecule/install-basic/converge.yml
• tests/molecule/install-basic/molecule.yml
• tests/molecule/install-basic/tests/test_install_basic.py
• tests/molecule/install-uninstall/converge.yml
• tests/molecule/install-uninstall/molecule.yml
• tests/molecule/install-uninstall/tests/test_install_uninstall.py

📝 Walkthrough

Walkthrough

This pull request introduces a new install setup mode for deploying tools as binary executables without creating systemd services. Changes include documentation updates, a new task implementation, handler logic expansion to support both systemd and install modes, and comprehensive test coverage with Molecule scenarios validating binary installation and uninstallation workflows.

Changes

Cohort / File(s)	Summary
Documentation README.md	Extended setup_mode options to include install and added example playbook demonstrating tool installation without service creation.
Task Implementation tasks/install/setup.yml, handlers/main.yml	New task to download tool binary via included task file; handler logic updated to support both systemd and install modes for cleanup, with conditional guards and path resolution using binary_url basename.
Default Variables tasks/common/custom-facts.yml	Updated default user/group resolution from ansible_user to ansible_user_id in Systemd unit configuration.
Test Infrastructure tests/molecule/install-basic/molecule.yml, tests/molecule/install-basic/converge.yml, tests/molecule/install-basic/tests/test_install_basic.py	New Molecule test scenario validating binary installation with correct permissions and absence of systemd service creation.
Test Infrastructure tests/molecule/install-uninstall/molecule.yml, tests/molecule/install-uninstall/converge.yml, tests/molecule/install-uninstall/tests/test_install_uninstall.py	New Molecule test scenario validating binary installation followed by uninstallation and binary removal.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

🐰 A new mode hops in, so lean and light,
No services dance—just binaries right!
Tests verify paths with whiskers of care,
Install and uninstall, a pair so fair!
The role grows stronger, hopping with grace. ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat: add package/install-only setup mode' accurately reflects the main change: introducing a new install-only setup mode that allows binary installation without service creation.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch ahmad/support_install_only_setup

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[O1ahmad]

@cursor review this PR

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

README.md (1)

193-205: Add language specifier to fenced code block.

The fenced code block is missing a language specifier, which helps with syntax highlighting and accessibility.

📝 Proposed fix

-```
+```yaml
 - name: Install curl tool

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@README.md` around lines 193 - 205, The fenced code block containing the
Ansible play (the snippet that starts with "- name: Install curl tool" and
includes "role: basic-service" and vars like "setup_mode", "name", "binary_url")
lacks a language specifier; update the opening fence to include a language
(e.g., change the opening ``` to ```yaml) so the YAML is properly highlighted
and accessible.

tests/molecule/install-basic/tests/test_install_basic.py (1)

11-14: Consider catching a specific exception or logging the failure.

The bare except Exception: pass silently swallows all errors, which could mask unexpected failures. Since the intent is to tolerate systems where querying a non-existent service throws, consider catching a more specific exception or at minimum logging the occurrence.

♻️ Proposed improvement

     try:
         assert not service.is_running
-    except Exception:
-        pass
+    except AssertionError:
+        # Service query may fail on systems where the service doesn't exist
+        pass

Alternatively, if the underlying library raises a different exception type when the service doesn't exist, catch that specific type instead.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/molecule/install-basic/tests/test_install_basic.py` around lines 11 -
14, The test currently swallows all errors with a bare except when checking
service.is_running; update the try/except around the service.is_running
assertion in test_install_basic.py to catch a specific exception from the
service-querying library (or the concrete exception type you observed) instead
of Exception, and if you cannot determine the exact type, at minimum log the
caught exception (using the test logger or pytest logging) so failures aren't
silently ignored; reference the service.is_running check when making this
change.

tests/molecule/install-uninstall/molecule.yml (1)

11-11: Pin the Docker image to an immutable tag/digest.

Using :latest can make this scenario flaky and non-reproducible as upstream changes land. Prefer a fixed tag or digest.

Proposed change

-    image: geerlingguy/docker-ubuntu2404-ansible:latest
+    image: geerlingguy/docker-ubuntu2404-ansible@sha256:<pinned-digest>

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/molecule/install-uninstall/molecule.yml` at line 11, Replace the
mutable image tag "geerlingguy/docker-ubuntu2404-ansible:latest" with a fixed,
immutable reference (a specific version tag or a digest) in the molecule config
so tests are reproducible; locate the image key that currently reads image:
geerlingguy/docker-ubuntu2404-ansible:latest in the molecule.yml and change it
to something like image: geerlingguy/docker-ubuntu2404-ansible:<fixed-tag> or
image: geerlingguy/docker-ubuntu2404-ansible@sha256:<digest>.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/molecule/install-uninstall/molecule.yml`:
- Line 23: Replace the hardcoded relative ANSIBLE_ROLES_PATH value with
Molecule's project directory variable: change the ANSIBLE_ROLES_PATH entry
(currently set to "../../../../") to use ${MOLECULE_PROJECT_DIRECTORY} so
Molecule resolves the path robustly; apply the same replacement to the
ANSIBLE_ROLES_PATH line in all 8 scenario molecule.yml files (look for the
ANSIBLE_ROLES_PATH key to locate each occurrence).

---

Nitpick comments:
In `@README.md`:
- Around line 193-205: The fenced code block containing the Ansible play (the
snippet that starts with "- name: Install curl tool" and includes "role:
basic-service" and vars like "setup_mode", "name", "binary_url") lacks a
language specifier; update the opening fence to include a language (e.g., change
the opening ``` to ```yaml) so the YAML is properly highlighted and accessible.

In `@tests/molecule/install-basic/tests/test_install_basic.py`:
- Around line 11-14: The test currently swallows all errors with a bare except
when checking service.is_running; update the try/except around the
service.is_running assertion in test_install_basic.py to catch a specific
exception from the service-querying library (or the concrete exception type you
observed) instead of Exception, and if you cannot determine the exact type, at
minimum log the caught exception (using the test logger or pytest logging) so
failures aren't silently ignored; reference the service.is_running check when
making this change.

In `@tests/molecule/install-uninstall/molecule.yml`:
- Line 11: Replace the mutable image tag
"geerlingguy/docker-ubuntu2404-ansible:latest" with a fixed, immutable reference
(a specific version tag or a digest) in the molecule config so tests are
reproducible; locate the image key that currently reads image:
geerlingguy/docker-ubuntu2404-ansible:latest in the molecule.yml and change it
to something like image: geerlingguy/docker-ubuntu2404-ansible:<fixed-tag> or
image: geerlingguy/docker-ubuntu2404-ansible@sha256:<digest>.

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fb35577 and c9e2a0d.

📒 Files selected for processing (9)

• README.md
• tasks/install/setup.yml
• tasks/main.yml
• tests/molecule/install-basic/converge.yml
• tests/molecule/install-basic/molecule.yml
• tests/molecule/install-basic/tests/test_install_basic.py
• tests/molecule/install-uninstall/converge.yml
• tests/molecule/install-uninstall/molecule.yml
• tests/molecule/install-uninstall/tests/test_install_uninstall.py

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, locate and examine the target file
fd "molecule.yml" --type f

Repository: O1ahmad/basic-service

Length of output: 416

---

🏁 Script executed:

# Check the specific file and its content
if [ -f "tests/molecule/install-uninstall/molecule.yml" ]; then
  cat -n "tests/molecule/install-uninstall/molecule.yml" | head -30
else
  echo "File not found at expected location"
fi

Repository: O1ahmad/basic-service

Length of output: 908

---

🏁 Script executed:

# Understand the directory structure relative to this molecule.yml
pwd
find . -name "*.yml" -path "*/molecule/*" | head -10

Repository: O1ahmad/basic-service

Length of output: 549

---

🏁 Script executed:

# Check for all ANSIBLE_ROLES_PATH usage in the codebase
rg "ANSIBLE_ROLES_PATH" -A 2 -B 2

Repository: O1ahmad/basic-service

Length of output: 2906

---

🏁 Script executed:

# Check the directory structure to understand what ../../../../ resolves to
cd tests/molecule/install-uninstall && pwd && ls -la && cd ../../../.. && pwd && ls -la

Repository: O1ahmad/basic-service

Length of output: 953

---

🏁 Script executed:

# Search for any documentation or comments about molecule paths in the codebase
rg "MOLECULE_PROJECT_DIRECTORY|molecule.*directory" -i

Repository: O1ahmad/basic-service

Length of output: 47

---

🌐 Web query:

Molecule ANSIBLE_ROLES_PATH environment variable ${MOLECULE_PROJECT_DIRECTORY} support

💡 Result:

Yes—Molecule supports shell-style environment-variable substitution (both $VAR and ${VAR}) anywhere in molecule.yml, including inside provisioner.env, and it will also substitute Molecule’s own MOLECULE_* variables such as MOLECULE_PROJECT_DIRECTORY. If a variable is unset, Molecule substitutes an empty string (unless you use a default like ${VAR:-default}). [1]

Example:

provisioner:
  name: ansible
  env:
    ANSIBLE_ROLES_PATH: ${MOLECULE_PROJECT_DIRECTORY}/roles

If you need fallbacks / defaults, use:

provisioner:
  name: ansible
  env:
    ANSIBLE_ROLES_PATH: ${ANSIBLE_ROLES_PATH:-${MOLECULE_PROJECT_DIRECTORY}/roles}

Sources: Molecule “Variable Substitution” docs (including MOLECULE_PROJECT_DIRECTORY) [1], example of ${VAR} / ${VAR:-default} usage in molecule.yml [2].

[1] (docs.ansible.com)
[2] (stackoverflow.com)

Citations:

• 1: https://docs.ansible.com/projects/molecule/configuration/
• 2: https://stackoverflow.com/questions/59034734/ansible-molecule-yml-how-to-refer-to-env-variables-define-in-same-file?utm_source=openai

---

🌐 Web query:

Molecule provisioner environment variables project directory

💡 Result:

In Molecule (pre ansible-native “provisioner” config), you set environment variables for Ansible under:

provisioner:
  name: ansible
  env:
    ANSIBLE_STDOUT_CALLBACK: yaml
    ANSIBLE_FORCE_COLOR: "true"

Molecule will also substitute environment variables inside molecule.yml, including special built-ins like the project directory. The built-in for the project (role) root is:

• MOLECULE_PROJECT_DIRECTORY → “Path to your project (role) directory (usually <role_path>)” [1]

So you can reference the project directory in provisioner env vars like:

provisioner:
  name: ansible
  env:
    ANSIBLE_ROLES_PATH: "${MOLECULE_PROJECT_DIRECTORY}/roles"

Notes:

• If an env var is not set, Molecule substitutes an empty string. [1]
• Molecule supports $VAR and ${VAR} (including default forms like ${VAR:-default}). [1]
• Provisioner env values are appended to Molecule’s defaults; path-like values may be made absolute relative to the scenario directory (per Molecule docs). [1][2]

Sources: Molecule configuration env-var substitution + built-in MOLECULE_* variables (including MOLECULE_PROJECT_DIRECTORY) [1], and Molecule provisioner env configuration examples [2].

---

ANSIBLE_ROLES_PATH: "../../../../" should use Molecule's project directory variable for robustness.

The deep relative path is sensitive to where Molecule is executed from and can fail if cwd changes. Use ${MOLECULE_PROJECT_DIRECTORY} instead, which Molecule's documentation officially supports for environment variable substitution.

Proposed change

-    ANSIBLE_ROLES_PATH: "../../../../"
+    ANSIBLE_ROLES_PATH: "${MOLECULE_PROJECT_DIRECTORY}"

Note: This pattern appears in all 8 scenario files and should be updated consistently.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	ANSIBLE_ROLES_PATH: "../../../../"
	ANSIBLE_ROLES_PATH: "${MOLECULE_PROJECT_DIRECTORY}"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/molecule/install-uninstall/molecule.yml` at line 23, Replace the
hardcoded relative ANSIBLE_ROLES_PATH value with Molecule's project directory
variable: change the ANSIBLE_ROLES_PATH entry (currently set to "../../../../")
to use ${MOLECULE_PROJECT_DIRECTORY} so Molecule resolves the path robustly;
apply the same replacement to the ANSIBLE_ROLES_PATH line in all 8 scenario
molecule.yml files (look for the ANSIBLE_ROLES_PATH key to locate each
occurrence).

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Missing guard could delete entire destination directory

Medium Severity

The "Remove install artifacts" task lacks a guard for empty binary_url. When binary_file_name_override is undefined (default) and binary_url is empty (its default value), the expression binary_url | basename evaluates to '', making the path resolve to {{ destination_directory }}/ — effectively pointing to /usr/local/bin/ itself. With state: absent, this would recursively delete the entire directory. The analogous systemd handler in handlers/main.yml is protected by a binary_file_name is defined guard, but this new task has no equivalent safeguard.

 

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

tests/molecule/install-basic/molecule.yml (1)

22-24: Use ${MOLECULE_PROJECT_DIRECTORY} instead of deep relative path.

The hardcoded relative path "../../../../" is fragile and depends on the exact directory structure. Molecule supports ${MOLECULE_PROJECT_DIRECTORY} for robust path resolution regardless of where tests are executed from.

Proposed fix

   env:
-    ANSIBLE_ROLES_PATH: "../../../../"
+    ANSIBLE_ROLES_PATH: "${MOLECULE_PROJECT_DIRECTORY}"
     ANSIBLE_ALLOW_BROKEN_CONDITIONALS: "True"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/molecule/install-basic/molecule.yml` around lines 22 - 24, Replace the
hardcoded "../../../../" value for the ANSIBLE_ROLES_PATH environment variable
in the molecule yml with the Molecule variable ${MOLECULE_PROJECT_DIRECTORY}
(e.g., set ANSIBLE_ROLES_PATH: "${MOLECULE_PROJECT_DIRECTORY}"), keeping the
existing ANSIBLE_ALLOW_BROKEN_CONDITIONALS entry unchanged; update the env
mapping where ANSIBLE_ROLES_PATH is defined so Molecule resolves the project
directory robustly.

tests/molecule/install-basic/converge.yml (1)

7-13: Remove the command variable from install-basic/converge.yml.

The command variable on line 13 is unused in install mode. The install mode only executes download-binary.yml to fetch and place the binary, without creating or configuring a systemd service. The command variable is only used in systemd and container modes (for ExecStart and container command respectively), and the install-uninstall test demonstrates this variable is not required for install operations.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/molecule/install-basic/converge.yml` around lines 7 - 13, Remove the
unused command variable from the vars block in converge.yml when setup_mode is
install: delete the line defining command (the variable name `command`) since
install mode only runs download-binary.yml and does not use ExecStart or
container command; leave other vars (`setup_mode: install`, `name: test-tool`,
`binary_url`, `binary_file_name_override`, `user`) intact so the install play
still downloads and places the binary.

tests/molecule/install-basic/tests/test_install_basic.py (1)

11-14: Avoid silently swallowing exceptions with try-except-pass.

The broad except Exception: pass can mask real test infrastructure failures. If checking is_running on a non-existent service is expected to raise an exception, consider either:

1. Catching a specific exception type (e.g., AssertionError or the testinfra-specific exception).
2. Logging the exception for debugging purposes.
3. Removing this check entirely since the unit_file.exists assertion below definitively verifies no service was created.

♻️ Option 1: Remove the redundant check (preferred)

 def test_service_not_exists(host):
     # Ensure no systemd service was created
     service = host.service("test-tool")
     assert not service.is_enabled
-    try:
-        assert not service.is_running
-    except Exception:
-        pass
-    
+
     unit_file = host.file("/etc/systemd/system/test-tool.service")
     assert not unit_file.exists

♻️ Option 2: Log the exception if you want to keep the check

+import logging
+
+logger = logging.getLogger(__name__)
+
 def test_service_not_exists(host):
     # Ensure no systemd service was created
     service = host.service("test-tool")
     assert not service.is_enabled
     try:
         assert not service.is_running
-    except Exception:
-        pass
+    except AssertionError:
+        pass  # Service might not exist, which is expected
+    except Exception as e:
+        logger.debug("Could not check service running state: %s", e)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/molecule/install-basic/tests/test_install_basic.py` around lines 11 -
14, Remove the try/except block that does "try: assert not service.is_running
except Exception: pass" and rely on the existing unit_file.exists assertion
instead; if you must keep the service state check, replace the broad except with
a specific exception type and log or re-raise the error rather than silently
passing—locate the code referencing service.is_running and unit_file.exists and
either delete the redundant assertion or change the exception handling to catch
a specific exception and log it.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@README.md`:
- Around line 193-205: Add the missing YAML language specifier to the fenced
code block and replace the broken curl binary URL: update the opening fence to
"```yaml" and change the value of the binary_url key (the example shows
binary_url currently pointing to the defunct mcafee GitHub release) to a working
alternative such as the static curl release (e.g., the moparisthebest
static-curl URL) while keeping the surrounding keys binary_strip_components and
binary_file_name_override unchanged.

---

Nitpick comments:
In `@tests/molecule/install-basic/converge.yml`:
- Around line 7-13: Remove the unused command variable from the vars block in
converge.yml when setup_mode is install: delete the line defining command (the
variable name `command`) since install mode only runs download-binary.yml and
does not use ExecStart or container command; leave other vars (`setup_mode:
install`, `name: test-tool`, `binary_url`, `binary_file_name_override`, `user`)
intact so the install play still downloads and places the binary.

In `@tests/molecule/install-basic/molecule.yml`:
- Around line 22-24: Replace the hardcoded "../../../../" value for the
ANSIBLE_ROLES_PATH environment variable in the molecule yml with the Molecule
variable ${MOLECULE_PROJECT_DIRECTORY} (e.g., set ANSIBLE_ROLES_PATH:
"${MOLECULE_PROJECT_DIRECTORY}"), keeping the existing
ANSIBLE_ALLOW_BROKEN_CONDITIONALS entry unchanged; update the env mapping where
ANSIBLE_ROLES_PATH is defined so Molecule resolves the project directory
robustly.

In `@tests/molecule/install-basic/tests/test_install_basic.py`:
- Around line 11-14: Remove the try/except block that does "try: assert not
service.is_running except Exception: pass" and rely on the existing
unit_file.exists assertion instead; if you must keep the service state check,
replace the broad except with a specific exception type and log or re-raise the
error rather than silently passing—locate the code referencing
service.is_running and unit_file.exists and either delete the redundant
assertion or change the exception handling to catch a specific exception and log
it.

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c9e2a0d and 220bc3b.

📒 Files selected for processing (10)

• README.md
• handlers/main.yml
• tasks/common/custom-facts.yml
• tasks/install/setup.yml
• tests/molecule/install-basic/converge.yml
• tests/molecule/install-basic/molecule.yml
• tests/molecule/install-basic/tests/test_install_basic.py
• tests/molecule/install-uninstall/converge.yml
• tests/molecule/install-uninstall/molecule.yml
• tests/molecule/install-uninstall/tests/test_install_uninstall.py

🚧 Files skipped from review as they are similar to previous changes (1)

• tasks/install/setup.yml