Apply openvpn/client role before ipa/client

This is so hosts on the Fedora VPN are able to talk to IPA before they try to enroll. Signed-off-by: Nils Philippsen <nils@redhat.com>
2021-03-24 13:43:28 +01:00 · 2021-03-24 13:43:28 +01:00 · 2d4ec8d259
commit 2d4ec8d259
parent bcfe96b710
43 changed files with 77 additions and 105 deletions
--- a/playbooks/groups/backup-server.yml
+++ b/playbooks/groups/backup-server.yml
@ -18,6 +18,7 @@
  - rkhunter
  - nagios_client
  - hosts
+  - openvpn/client
  - ipa/client
  - sudo
  - collectd/base
@ -25,7 +26,6 @@
      mnt_dir: '/fedora_backups',
      nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=3",
      nfs_src_dir: 'fedora_backups' }
-  - openvpn/client
  - grokmirror_mirror

  pre_tasks:
--- a/playbooks/groups/badges-backend.yml
+++ b/playbooks/groups/badges-backend.yml
@ -20,12 +20,12 @@
  - rkhunter
  - nagios_client
  - hosts
+  - { role: openvpn/client,
+       when: env != "staging" }
  - ipa/client
  - collectd/base
  - fedmsg/base
  - sudo
-  - { role: openvpn/client,
-       when: env != "staging" }

  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
--- a/playbooks/groups/badges-web.yml
+++ b/playbooks/groups/badges-web.yml
@ -20,14 +20,14 @@
  - rkhunter
  - nagios_client
  - hosts
+  - { role: openvpn/client,
+      when: env != "staging" }
  - ipa/client
  - collectd/base
  - badges/frontend
  - fedmsg/base
  - rsyncd
  - sudo
-  - { role: openvpn/client,
-      when: env != "staging" }
  - mod_wsgi
  - role: collectd/web-service
    site: frontpage
--- a/playbooks/groups/basset.yml
+++ b/playbooks/groups/basset.yml
@ -17,12 +17,12 @@
  - rkhunter
  - nagios_client
  - hosts
+  - { role: openvpn/client,
+      when: env != "staging" }
  - ipa/client
  - collectd/base
  - rsyncd
  - sudo
-  - { role: openvpn/client,
-      when: env != "staging" }
  - mongodb
  - rabbitmq
  - mod_wsgi
--- a/playbooks/groups/bastion_stg.yml
+++ b/playbooks/groups/bastion_stg.yml
@ -15,11 +15,11 @@
  - rkhunter
  - nagios_client
  - hosts
+  #- { role: openvpn/client, when: inventory_hostname.startswith('bastion13') }
  - ipa/client
  - sudo
  #- collectd/base
  #- { role: openvpn/server, when: not inventory_hostname.startswith('bastion-comm01') or inventory_hostname.startswith('bastion13') }
-  #- { role: openvpn/client, when: inventory_hostname.startswith('bastion13') }
  #- { role: packager_alias, when: not inventory_hostname.startswith('bastion-comm01') or inventory_hostname.startswith('bastion13') }
  #- opendkim

--- a/playbooks/groups/batcave.yml
+++ b/playbooks/groups/batcave.yml
@ -15,6 +15,7 @@
  - rkhunter
  - nagios_client
  - hosts
+  - openvpn/client
  - ipa/client
  - ansible-server
  - sudo
@ -32,7 +33,6 @@
  - role: httpd/certificate
    certname: "{{wildcard_cert_name}}"
    SSLCertificateChainFile: "{{wildcard_int_file}}"
-  - role: openvpn/client
  - role: rabbit/user
    username: "mirror_pagure_ansible{{ env_suffix }}"
  - role: rabbit/user
--- a/playbooks/groups/blockerbugs.yml
+++ b/playbooks/groups/blockerbugs.yml
@ -16,12 +16,12 @@
  - rkhunter
  - nagios_client
  - hosts
+  - { role: openvpn/client,
+      when: env != "staging" }
  - ipa/client
  - collectd/base
  - sudo
  - rsyncd
-  - { role: openvpn/client,
-      when: env != "staging" }
  - mod_wsgi
  - blockerbugs

--- a/playbooks/groups/busgateway.yml
+++ b/playbooks/groups/busgateway.yml
@ -15,12 +15,12 @@
  - rkhunter
  - nagios_client
  - hosts
+  - { role: openvpn/client,
+      when: env != "staging" }
  - ipa/client
  - collectd/base
  - fedmsg/base
  - sudo
-  - { role: openvpn/client,
-      when: env != "staging" }

  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
--- a/playbooks/groups/certgetter.yml
+++ b/playbooks/groups/certgetter.yml
@ -15,12 +15,12 @@
  - rkhunter
  - nagios_client
  - hosts
+  - { role: openvpn/client,
+      when: env != "staging" }
  - ipa/client
  - rsyncd
  - sudo
  - apache
-  - { role: openvpn/client,
-      when: env != "staging" }

  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
--- a/playbooks/groups/datagrepper.yml
+++ b/playbooks/groups/datagrepper.yml
@ -17,6 +17,8 @@
  - rkhunter
  - nagios_client
  - hosts
+  - { role: openvpn/client,
+      when: env != "staging" }
  - ipa/client
  - collectd/base
  - fedmsg/base
@ -24,8 +26,6 @@
      username: "datagrepper{{ env_suffix }}"}
  - rsyncd
  - sudo
-  - { role: openvpn/client,
-      when: env != "staging" }
  - mod_wsgi

  pre_tasks:
--- a/playbooks/groups/dns.yml
+++ b/playbooks/groups/dns.yml
@ -17,13 +17,13 @@
  - hosts
  - rkhunter
  - nagios_client
+  - { role: openvpn/client,
+      when: datacenter != "rdu" and datacenter != 'iad2' }
  - ipa/client
  - collectd/base
  - collectd/bind
  - rsyncd
  - sudo
-  - { role: openvpn/client,
-      when: datacenter != "rdu" and datacenter != 'iad2' }
  - dns

  pre_tasks:
--- a/playbooks/groups/download.yml
+++ b/playbooks/groups/download.yml
@ -31,6 +31,7 @@
  - rkhunter
  - nagios_client
  - hosts
+  - { role: openvpn/client, when: vpn == True }
  - ipa/client
  - collectd/base
  - apache
@ -40,7 +41,6 @@
  - { role: nfs/client, when: datacenter == "iad2", mnt_dir: '/mnt/koji',  nfs_src_dir: 'fedora_koji/koji/' } # needed for internal sync and odcs
  - { role: nfs/client, when: datacenter == "iad2", mnt_dir: '/srv/odcs',  nfs_src_dir: 'fedora_odcs' } # needed for internal sync
  - sudo
-  - { role: openvpn/client, when: vpn == True }

  pre_tasks:
  - include_vars: dir=/srv/web/infra/ansible/vars/all/ ignore_files=README
--- a/playbooks/groups/fedimg.yml
+++ b/playbooks/groups/fedimg.yml
@ -16,16 +16,16 @@
  roles:
  - base
  - rkhunter
+  # The proxies don't actually need to talk to these hosts so we won't bother
+  # putting them on the vpn.
+  #- { role: openvpn/client,
+  #    when: env != "staging" }
  - ipa/client
  - nagios_client
  - hosts
  - collectd/base
  - fedmsg/base
  - sudo
-  # The proxies don't actually need to talk to these hosts so we won't bother
-  # putting them on the vpn.
-  #- { role: openvpn/client,
-  #    when: env != "staging" }

  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
--- a/playbooks/groups/fedocal.yml
+++ b/playbooks/groups/fedocal.yml
@ -15,11 +15,11 @@
  - rkhunter
  - nagios_client
  - hosts
+  - { role: openvpn/client,
+      when: env != "staging" }
  - ipa/client
  - rsyncd
  - sudo
-  - { role: openvpn/client,
-      when: env != "staging" }
  - mod_wsgi
  - collectd/base

--- a/playbooks/groups/github2fedmsg.yml
+++ b/playbooks/groups/github2fedmsg.yml
@ -20,12 +20,12 @@
  - rkhunter
  - nagios_client
  - hosts
+  - { role: openvpn/client,
+      when: env != "staging" }
  - ipa/client
  - collectd/base
  - rsyncd
  - sudo
-  - { role: openvpn/client,
-      when: env != "staging" }
  - mod_wsgi

  pre_tasks:
--- a/playbooks/groups/ipa.yml
+++ b/playbooks/groups/ipa.yml
@ -16,11 +16,11 @@
  - nagios_client
  - collectd/base
  - hosts
+  - { role: openvpn/client,
+      when: env != "staging" }
  - ipa/client
  - rsyncd
  - sudo
-  - { role: openvpn/client,
-      when: env != "staging" }

  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
--- a/playbooks/groups/kerneltest.yml
+++ b/playbooks/groups/kerneltest.yml
@ -20,12 +20,12 @@
  - rkhunter
  - nagios_client
  - hosts
+  - { role: openvpn/client,
+      when: env != "staging" }
  - ipa/client
  - collectd/base
  - rsyncd
  - sudo
-  - { role: openvpn/client,
-      when: env != "staging" }
  - mod_wsgi

  pre_tasks:
--- a/playbooks/groups/logserver.yml
+++ b/playbooks/groups/logserver.yml
@ -15,12 +15,12 @@
  - rkhunter
  - nagios_client
  - hosts
+  - openvpn/client
  - ipa/client
  - apache
  - collectd/base
  - collectd/server
  - sudo
-  - openvpn/client
  - awstats
  - web-data-analysis
  - role: keytab/service
--- a/playbooks/groups/mailman.yml
+++ b/playbooks/groups/mailman.yml
@ -19,11 +19,11 @@
  - rkhunter
  - nagios_client
  - hosts
+  - { role: openvpn/client,
+      when: env != "staging" }
  - ipa/client
  - collectd/base
  - sudo
-  - { role: openvpn/client,
-      when: env != "staging" }
  - spamassassin
  - mod_wsgi

--- a/playbooks/groups/mbs.yml
+++ b/playbooks/groups/mbs.yml
@ -18,6 +18,8 @@
  - rkhunter
  - nagios_client
  - hosts
+  # openvpn on the prod frontend nodes
+  - { role: openvpn/client, when: "'mbs_frontend' in group_names and datacenter == 'iad2'" }
  - ipa/client
  - rsyncd
  - sudo
@ -29,22 +31,6 @@
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"

- name: openvpn on the prod frontend nodes
-  hosts: mbs_frontend
-  user: root
-  gather_facts: True
-
-  vars_files:
-   - /srv/web/infra/ansible/vars/global.yml
-   - "/srv/private/ansible/vars.yml"
-   - "{{ vars_path }}/{{ ansible_distribution }}.yml"
-
-  roles:
-  - { role: openvpn/client, when: datacenter == 'iad2' }
-
-  handlers:
-  - import_tasks: "{{ handlers_path }}/restart_services.yml"
-
 - name: Set up apache on the frontend MBS API app
  hosts: mbs_frontend:mbs_frontend_stg
  user: root
--- a/playbooks/groups/mirrormanager.yml
+++ b/playbooks/groups/mirrormanager.yml
@ -15,10 +15,10 @@
  - rkhunter
  - nagios_client
  - hosts
+  - { role: openvpn/client, when: env != "staging" and inventory_hostname.startswith('mm-frontend')  }
  - ipa/client
  - sudo
  - collectd/base
-  - { role: openvpn/client, when: env != "staging" and inventory_hostname.startswith('mm-frontend')  }
  - { role: nfs/client, when: inventory_hostname.startswith('mm-backend01'), mnt_dir: '/srv/pub',  nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub' }

  pre_tasks:
--- a/playbooks/groups/noc.yml
+++ b/playbooks/groups/noc.yml
@ -19,11 +19,11 @@
  - rkhunter
  - nagios_client
  - hosts
+  - { role: openvpn/client, when: env != "staging" }
  - ipa/client
  - collectd/base
  - { role: rsyncd, when: datacenter == 'iad2' }
  - sudo
-  - { role: openvpn/client, when: env != "staging" }
  - mod_wsgi
  - role: keytab/service
    owner_user: apache
--- a/playbooks/groups/notifs-backend.yml
+++ b/playbooks/groups/notifs-backend.yml
@ -22,6 +22,10 @@
  - base
  - rkhunter
  - hosts
+  # The proxies don't actually need to talk to these hosts so we won't bother
+  # putting them on the vpn.
+  #- { role: openvpn/client,
+  #    when: env != "staging" }
  - ipa/client
  - nagios_client
  - collectd/base
@ -30,10 +34,6 @@
  - { role: rabbit/user,
      username: "notifs-backend{{ env_suffix }}"}
  - sudo
-  # The proxies don't actually need to talk to these hosts so we won't bother
-  # putting them on the vpn.
-  #- { role: openvpn/client,
-  #    when: env != "staging" }

  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
--- a/playbooks/groups/notifs-web.yml
+++ b/playbooks/groups/notifs-web.yml
@ -20,6 +20,8 @@
  - rkhunter
  - nagios_client
  - hosts
+  - { role: openvpn/client,
+      when: env != "staging" }
  - ipa/client
  - collectd/base
  - mod_wsgi
@ -29,8 +31,6 @@
      username: "notifs-web{{ env_suffix }}"}
  - notifs/frontend
  - sudo
-  - { role: openvpn/client,
-      when: env != "staging" }

  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
--- a/playbooks/groups/nuancier.yml
+++ b/playbooks/groups/nuancier.yml
@ -20,11 +20,11 @@
  - rkhunter
  - nagios_client
  - hosts
+  - { role: openvpn/client,
+      when: env != "staging" }
  - ipa/client
  - collectd/base
  - sudo
-  - { role: openvpn/client,
-      when: env != "staging" }
  - mod_wsgi

  pre_tasks:
--- a/playbooks/groups/oci-registry.yml
+++ b/playbooks/groups/oci-registry.yml
@ -16,12 +16,12 @@
  - rkhunter
  - nagios_client
  - hosts
+  - { role: openvpn/client,
+      when: env != "staging" }
  - ipa/client
  - collectd/base
  - rsyncd
  - sudo
-  - { role: openvpn/client,
-      when: env != "staging" }
  - role: nfs/client
    mnt_dir: '/srv/registry'
    nfs_src_dir: "oci_registry"
--- a/playbooks/groups/odcs.yml
+++ b/playbooks/groups/odcs.yml
@ -18,6 +18,8 @@
  - rkhunter
  - nagios_client
  - hosts
+  # openvpn on the prod frontend nodes
+  #- { role: openvpn/client, when: "'odcs_frontend' in group_names" }
  - ipa/client
  - rsyncd
  - sudo
@ -29,22 +31,6 @@
  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"

-#- name: openvpn on the prod frontend nodes
-#  hosts: odcs_frontend
-#  user: root
-#  gather_facts: True
-#
-#  vars_files:
-#   - /srv/web/infra/ansible/vars/global.yml
-#   - "/srv/private/ansible/vars.yml"
-#   - "{{ vars_path }}/{{ ansible_distribution }}.yml"
-#
-#  roles:
-#  - openvpn/client
-#
-#  handlers:
-#  - import_tasks: "{{ handlers_path }}/restart_services.yml"
-
 - name: Set up odcs frontend service
  hosts: odcs_frontend:odcs_frontend_stg
  user: root
--- a/playbooks/groups/os-cluster.yml
+++ b/playbooks/groups/os-cluster.yml
@ -16,11 +16,11 @@
    - rkhunter
    - nagios_client
    - hosts
+    - { role: openvpn/client, when: env != "staging" }
    - ipa/client
    - collectd/base
    - rsyncd
    - sudo
-    - { role: openvpn/client, when: env != "staging" }

  tasks:
    - name: put openshift repo on os- systems
--- a/playbooks/groups/packages.yml
+++ b/playbooks/groups/packages.yml
@ -23,12 +23,12 @@
  - rkhunter
  - nagios_client
  - hosts
+  - { role: openvpn/client,
+      when: env != "staging" }
  - ipa/client
  - collectd/base
  - rsyncd
  - sudo
-  - { role: openvpn/client,
-      when: env != "staging" }
  - mod_wsgi

  tasks:
--- a/playbooks/groups/pagure.yml
+++ b/playbooks/groups/pagure.yml
@ -15,10 +15,10 @@
  - rkhunter
  - nagios_client
  - hosts
+  - openvpn/client
  - ipa/client
  - sudo
  - collectd/base
-  - openvpn/client
  - postgresql_server

  pre_tasks:
--- a/playbooks/groups/pdc.yml
+++ b/playbooks/groups/pdc.yml
@ -23,6 +23,8 @@
  - collectd/base
  - hosts
  - ipa/client
+  - role: openvpn/client
+    when: env != "staging" and datacenter == 'iad2'
  - sudo

  tasks:
@ -40,8 +42,6 @@
  - import_tasks: "{{ handlers_path }}/restart_services.yml"

  roles:
-  - role: openvpn/client
-    when: env != "staging" and datacenter == 'iad2'
  - mod_wsgi
  - role: fedmsg/base
  # Set up for fedora-messaging
--- a/playbooks/groups/people.yml
+++ b/playbooks/groups/people.yml
@ -59,13 +59,13 @@
  roles:
  - base
  - collectd/base
+  - { role: openvpn/client, when: env != "staging" }
  - ipa/client
  - hosts
  - nagios_client
  - rkhunter
  - rsyncd
  - sudo
-  - { role: openvpn/client, when: env != "staging" }
  - cgit/base
  - cgit/clean_lock_cron
  - cgit/make_pkgs_list
--- a/playbooks/groups/proxies.yml
+++ b/playbooks/groups/proxies.yml
@ -18,6 +18,8 @@

  roles:
  - base
+  - { role: openvpn/client,
+      when: env != "staging" }
  - ipa/client
  - rkhunter
  - nagios_client
@ -28,8 +30,6 @@
  - rsyncd
  - { role: mirrormanager/mirrorlist_proxy,
      when: env == "staging" or "'mirrorlist_proxy' in group_names" }
-  - { role: openvpn/client,
-      when: env != "staging" }
  - apache

  tasks:
--- a/playbooks/groups/resultsdb.yml
+++ b/playbooks/groups/resultsdb.yml
@ -23,11 +23,11 @@
   - { role: rkhunter, tags: ['rkhunter'] }
   - { role: nagios_client, tags: ['nagios_client'] }
   - { role: hosts, tags: ['hosts']}
+   - { role: openvpn/client,
+       when: deployment_type == "prod" }
   - ipa/client
   - { role: collectd/base, tags: ['collectd_base'] }
   - { role: sudo, tags: ['sudo'] }
-   - { role: openvpn/client,
-       when: deployment_type == "prod" }
   - apache
   - fedmsg/base
   - { role: dnf-automatic, tags: ['dnfautomatic'] }
--- a/playbooks/groups/retrace.yml
+++ b/playbooks/groups/retrace.yml
@ -64,10 +64,10 @@
  tasks:
    - import_role: name=base
    - import_role: name=hosts
+    - import_role: name=openvpn/client
    - import_role: name=ipa/client
    - import_role: name=rkhunter
    - import_role: name=nagios_client
-    - import_role: name=openvpn/client
    - import_role: name=sudo

    - import_tasks: "{{ tasks_path }}/motd.yml"
--- a/playbooks/groups/smtp-mm.yml
+++ b/playbooks/groups/smtp-mm.yml
@ -17,11 +17,11 @@
  - rkhunter
  - nagios_client
  - hosts
+  - { role: openvpn/client,
+      when: env != "staging" }
  - ipa/client
  - collectd/base
  - sudo
-  - { role: openvpn/client,
-      when: env != "staging" }

  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
--- a/playbooks/groups/sundries.yml
+++ b/playbooks/groups/sundries.yml
@ -20,6 +20,8 @@
  - rkhunter
  - nagios_client
  - hosts
+  - { role: openvpn/client,
+      when: env != "staging" }
  - ipa/client
  - collectd/base
  - mod_wsgi
@ -35,8 +37,6 @@
  - freemedia
  - sudo
  - pager_server
-  - { role: openvpn/client,
-      when: env != "staging" }
  - role: zanata
    when: master_sundries_node|bool
  - role: fedora-web/build
--- a/playbooks/groups/torrent.yml
+++ b/playbooks/groups/torrent.yml
@ -15,11 +15,11 @@
  - hosts
  - rkhunter
  - nagios_client
+  - openvpn/client
  - ipa/client
  - collectd/base
  - rsyncd
  - sudo
-  - openvpn/client
  - torrent
  - apache

--- a/playbooks/groups/unbound.yml
+++ b/playbooks/groups/unbound.yml
@ -15,12 +15,12 @@
  - rkhunter
  - nagios_client
  - hosts
+  - { role: openvpn/client,
+      when: env != "staging" }
  - ipa/client
  - collectd/base
  - unbound
  - sudo
-  - { role: openvpn/client,
-      when: env != "staging" }

  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
--- a/playbooks/groups/value.yml
+++ b/playbooks/groups/value.yml
@ -15,6 +15,8 @@
  - rkhunter
  - nagios_client
  - hosts
+  - { role: openvpn/client,
+      when: env != "staging" }
  - ipa/client
  - collectd/base
  - apache
@ -26,8 +28,6 @@
  - supybot
  - sudo
  - rsyncd
-  - { role: openvpn/client,
-      when: env != "staging" }
  - role: collectd/fedmsg-service
    process: fedmsg-irc
  - mote
--- a/playbooks/groups/virthost.yml
+++ b/playbooks/groups/virthost.yml
@ -23,12 +23,12 @@
  - rkhunter
  - nagios_client
  - hosts
+  - { role: openvpn/client, when: vpn|bool }
  - ipa/client
  - collectd/base
  - { role: iscsi_client, when: "inventory_hostname.startswith(('bvirthost', 'buildvmhost-0'))" }
  - { role: iscsi_client, when: "inventory_hostname.startswith(('bvmhost-x86-06', 'bvmhost-x86-07')) and datacenter == 'iad2'" }
  - sudo
-  - { role: openvpn/client, when: vpn|bool }
  - virthost
  - { role: clevis, when: datacenter == 'iad2'}
  - { role: serial-console, when: datacenter == 'iad2' and not inventory_hostname.startswith('buildvmhost-s390x') }
--- a/playbooks/groups/vmhost_copr.yml
+++ b/playbooks/groups/vmhost_copr.yml
@ -24,11 +24,11 @@
  - rkhunter
  - nagios_client
  - hosts
+  - { role: openvpn/client, when: vpn|bool }
+  - virthost
  - ipa/client
  - collectd/base
  - sudo
-  - { role: openvpn/client, when: vpn|bool }
-  - virthost

  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
--- a/playbooks/groups/wiki.yml
+++ b/playbooks/groups/wiki.yml
@ -23,6 +23,8 @@
  - rkhunter
  - nagios_client
  - hosts
+  - { role: openvpn/client,
+      when: env != "staging" }
  - ipa/client
  - collectd/base
  - apache
@ -34,8 +36,6 @@
  - { role: nfs/client, when: env != "staging", mnt_dir: '/mnt/web/attachments',  nfs_src_dir: 'fedora_app/app/attachments' }
  - mediawiki
  - sudo
-  - { role: openvpn/client,
-      when: env != "staging" }

  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"