From 4bea7cd356e465d7e501c3f8e545899020f2c92a Mon Sep 17 00:00:00 2001 From: dvirlabs Date: Sun, 19 Apr 2026 05:21:35 +0300 Subject: [PATCH] Fix drift check --- ansible/playbooks/drift-check.yml | 134 +++++++++++++++--------------- 1 file changed, 65 insertions(+), 69 deletions(-) diff --git a/ansible/playbooks/drift-check.yml b/ansible/playbooks/drift-check.yml index 91a0eeb..8658e78 100644 --- a/ansible/playbooks/drift-check.yml +++ b/ansible/playbooks/drift-check.yml 
@@ -3,86 +3,82 @@ hosts: rsyslog_servers gather_facts: false - vars: - drift_detected: false + # NOTE: src paths below resolve relative to the Ansible controller (the + # Woodpecker CI container), so they always reflect the latest Git commit – + # NOT the server's local clone, which may be stale. tasks: + # ------------------------------------------------------------------------- + # Use Ansible copy in check_mode so it compares controller files (Git) + # against live server files without actually writing anything. + # changed=true → file differs → drift + # changed=false → files match → synced + # ------------------------------------------------------------------------- - name: Check main rsyslog.conf - block: - - name: Compare main configuration file - command: diff {{ repo_root }}/files/rsyslog.conf {{ rsyslog_main_config }} - register: main_diff - changed_when: false - failed_when: false + ansible.builtin.copy: + src: "{{ playbook_dir }}/../../files/rsyslog.conf" + dest: "{{ rsyslog_main_config }}" + owner: root + group: root + mode: '0644' + check_mode: true + diff: true + register: main_config_check - - name: Fail if main config has drift - fail: - msg: "Main rsyslog.conf has drifted from Git. 
({{ main_diff.stdout | default('no diff output') }})" - when: main_diff.rc != 0 - ignore_errors: true - register: main_drift + - name: Check rsyslog.d config files + ansible.builtin.copy: + src: "{{ playbook_dir }}/../../files/rsyslog.d/" + dest: "{{ rsyslog_config_dir }}/" + owner: root + group: root + mode: '0644' + check_mode: true + diff: true + register: rsyslogd_check - - name: Set drift flag for main config - set_fact: - drift_detected: true - when: main_diff.rc != 0 - - - name: Check rsyslog.d directory - block: - - name: Find config files in repository - find: - paths: "{{ repo_root }}/files/rsyslog.d" - patterns: "*.conf" - register: repo_configs - - - name: Compare each config file - command: diff {{ item.path }} {{ rsyslog_config_dir }}/{{ item.path | basename }} - register: file_diffs - changed_when: false - failed_when: false - loop: "{{ repo_configs.files }}" - - - name: Set drift flag if any file differs - set_fact: - drift_detected: true - when: item.rc != 0 - loop: "{{ file_diffs.results }}" - - - name: Check for extra files on server + - name: Check for extra files on server not present in Git block: - name: Find config files on server - find: + ansible.builtin.find: paths: "{{ rsyslog_config_dir }}" patterns: "*.conf" register: server_configs - - name: Check for files in server but not in repo - set_fact: - drift_detected: true - when: - - (server_configs.files | length) > (repo_configs.files | length) + - name: Find config files in Git (controller) + ansible.builtin.find: + paths: "{{ playbook_dir }}/../../files/rsyslog.d" + patterns: "*.conf" + delegate_to: localhost + register: repo_configs - - name: Report status - block: - - name: Print SYNCED status - debug: - msg: | - ╭─────────────────────────────╮ - │ ✓ SYNCED │ - │ Configuration is up-to-date │ - ╰─────────────────────────────╯ - when: not drift_detected + - name: Flag extra files on server + ansible.builtin.set_fact: + extra_files_on_server: true + when: (server_configs.files | 
length) > (repo_configs.files | length) - - name: Print OUT OF SYNC status - debug: - msg: | - ╭─────────────────────────────╮ - │ ✗ OUT OF SYNC │ - │ Configuration has drifted │ - ╰─────────────────────────────╯ - when: drift_detected + - name: Set overall drift flag + ansible.builtin.set_fact: + drift_detected: "{{ main_config_check.changed or rsyslogd_check.changed or (extra_files_on_server | default(false)) }}" - - name: Fail if drift detected - fail: - msg: "Configuration drift detected. Live system does not match repository." - when: drift_detected + - name: Print SYNCED status + ansible.builtin.debug: + msg: | + ╭─────────────────────────────╮ + │ ✓ SYNCED │ + │ Configuration is up-to-date │ + ╰─────────────────────────────╯ + when: not drift_detected + + - name: Print OUT OF SYNC status + ansible.builtin.debug: + msg: | + ╭─────────────────────────────╮ + │ ✗ OUT OF SYNC │ + │ Configuration has drifted │ + ╰─────────────────────────────╯ + when: drift_detected + + - name: Fail if drift detected + ansible.builtin.fail: + msg: "Configuration drift detected. Live system does not match repository." + when: drift_detected
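Review bot: The "Flag extra files on server" task only compares file counts, so the play can report OUT OF SYNC without ever naming the untracked `rsyslog.d/*.conf` that caused it — which, for a logging pipeline where a rogue drop-in can silently discard or redirect logs, is the one thing an operator needs to see. Compare basenames with a set difference instead and surface the list in the failure message; the count check as written can also be satisfied by one untracked file plus one missing tracked file (the copy check would catch the missing one, but the untracked one would still go unnamed). Since the find on the controller is `delegate_to: localhost` without `run_once: true`, it presumably repeats once per host; adding `run_once: true` avoids that. The rewritten tasks below replace the flag task and the overall-drift task; the fail message should include `{{ extra_files_on_server | default([]) }}`.
```yaml
# … unchanged: main rsyslog.conf / rsyslog.d copy check-mode tasks, find on server …
    - name: Find config files in Git (controller)
      ansible.builtin.find:
        paths: "{{ playbook_dir }}/../../files/rsyslog.d"
        patterns: "*.conf"
      delegate_to: localhost
      run_once: true
      register: repo_configs

    - name: List config files on server that are not tracked in Git
      ansible.builtin.set_fact:
        extra_files_on_server: "{{ server_configs.files | map(attribute='path') | map('basename') | list | difference(repo_configs.files | map(attribute='path') | map('basename') | list) }}"

- name: Set overall drift flag
  ansible.builtin.set_fact:
    drift_detected: "{{ main_config_check.changed or rsyslogd_check.changed or ((extra_files_on_server | default([])) | length > 0) }}"
# … unchanged: SYNCED / OUT OF SYNC debug tasks …
- name: Fail if drift detected
  ansible.builtin.fail:
    msg: "Configuration drift detected. Live system does not match repository. Untracked files: {{ extra_files_on_server | default([]) }}"
  when: drift_detected
```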