Add a few things to the proxy playbook for initial deployments.

Kevin Fenzi 2016-02-09 22:52:06 +00:00
parent ed96efdaa9
commit 02be817986


@ -88,31 +88,21 @@
- include: /srv/web/infra/ansible/playbooks/include/proxies-haproxy.yml - include: /srv/web/infra/ansible/playbooks/include/proxies-haproxy.yml
- include: /srv/web/infra/ansible/playbooks/include/proxies-miscellaneous.yml - include: /srv/web/infra/ansible/playbooks/include/proxies-miscellaneous.yml
#- name: Some after the after stuff for proxies.
# hosts: proxies-stg
# user: root
# gather_facts: False
# #
# vars_files: # If this is an initial deployment, we need the initial ticketkey
# - /srv/web/infra/ansible/vars/global.yml # If it's not, doesn't hurt to copy it over again
# - "/srv/private/ansible/vars.yml"
# - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
# #
# tasks: - name: deploy ticket key
copy: src=/root/ticketkey_{{env}}.tkey dest=/etc/httpd/ticketkey_{{env}}.tkey
owner=root group=root mode=0600
notify:
- reload httpd
# #
# ## TODO - we should audit each one of these sebooleans to make sure they're # If this is an initial deployment, make sure docs are synced over.
# ## really necessary. The proxies are more forward-facing than other machines #
# ## so we should take a little more care.. - name: make sure docs are synced. This could take a very very very logtime to finish
# ## Really, before we are generally allowing httpd to do stuff carte blanche, shell: /usr/local/bin/lock-wrapper docs-sync "/usr/local/bin/docs-sync" >& /dev/null
# ## we should lock things down with 'semanage port' first. See
# ## roles/fedmsg/base/ for an example. - name: make sure selinux contexts are right on srv
# # command: restorecon -Rv /srv
# #- name: Set some sebooleans
# # seboolean: name={{item}} state=true persistent=true
# # with_items:
# # - httpd_can_network_connect_db
# # - httpd_can_network_relay
# # - httpd_can_network_connect
# # - allow_ypbind
# # tags:
# # - selinux
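Review bot: The `deploy ticket key` task copies `/root/ticketkey_{{env}}.tkey` on every run of this play, not only on an initial deployment, so the control host's copy replaces whatever key is on the proxy and notifies `reload httpd` whenever the two differ. If anything rotates the ticket key on the proxies (not visible in this hunk), a routine playbook run would put the initial key back, and a session ticket key that stays in place for a long time weakens forward secrecy for resumed TLS sessions. If seeding is the intent, copying only when the file is missing is safer, e.g. `owner=root group=root mode=0600 force=no`. The `docs-sync` task also runs on every play and sends stdout and stderr to `/dev/null`, so a failed sync leaves no diagnostics in the Ansible output; keeping stderr would make failures easier to investigate. The play these tasks belong to starts outside the hunk.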