Initial work on batcave playbook. More to come, see todo in role

playbooks/groups/batcave.yml

@@ -20,7 +20,14 @@
   - ansible-server
   - sudo
   - collectd/base
+  - apache
+  - httpd/mod_ssl
+  - { role: httpd/certificate, name: wildcard-2014.fedorapeople.org, SSLCertificateChainFile: wildcard-2014.fedorapeople.org.intermediate.cert }
 
+  - batcave
+
+  - { role: nfs/client, mnt_dir: '/srv/web/pub',  nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub' }
+  
   tasks:
   - include: "{{ tasks }}/yumrepos.yml"
   - include: "{{ tasks }}/2fa_client.yml"

roles/batcave/files/ansible.cfg

@@ -0,0 +1,158 @@
+# config file for ansible -- http://ansible.com/
+# ==============================================
+
+# nearly all parameters can be overridden in ansible-playbook 
+# or with command line flags. ansible will read ANSIBLE_CONFIG,
+# ansible.cfg in the current working directory, .ansible.cfg in
+# the home directory or /etc/ansible/ansible.cfg, whichever it
+# finds first
+
+[defaults]
+
+# some basic default values...
+
+hostfile       = /srv/web/infra/ansible/inventory
+library        = /srv/web/infra/ansible/library:/usr/share/ansible
+remote_tmp     = $HOME/.ansible/tmp
+pattern        = *
+forks          = 90
+poll_interval  = 15
+sudo_user      = root
+#ask_sudo_pass = True
+#ask_pass      = True
+transport      = smart
+remote_port    = 22
+
+# additional paths to search for roles in, colon seperated
+roles_path    = /srv/web/infra/ansible/roles
+
+# uncomment this to disable SSH key host checking
+#host_key_checking = False
+
+# change this for alternative sudo implementations
+sudo_exe = sudo
+
+# what flags to pass to sudo
+#sudo_flags = -H
+
+# SSH timeout
+timeout = 90
+
+# default user to use for playbooks if user is not specified
+# (/usr/bin/ansible will use current user as default)
+#remote_user = root
+
+# logging is off by default unless this path is defined
+# if so defined, consider logrotate
+#log_path = /var/log/ansible.log
+
+# default module name for /usr/bin/ansible
+#module_name = command
+
+# use this shell for commands executed under sudo
+# you may need to change this to bin/bash in rare instances
+# if sudo is constrained
+#executable = /bin/sh
+
+# if inventory variables overlap, does the higher precedence one win
+# or are hash values merged together?  The default is 'replace' but
+# this can also be set to 'merge'.
+#hash_behaviour = replace
+
+# How to handle variable replacement - as of 1.2, Jinja2 variable syntax is
+# preferred, but we still support the old $variable replacement too.
+# Turn off ${old_style} variables here if you like.
+#legacy_playbook_variables = yes
+
+# list any Jinja2 extensions to enable here:
+#jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n
+
+# if set, always use this private key file for authentication, same as 
+# if passing --private-key to ansible or ansible-playbook
+#private_key_file = /path/to/file
+
+# format of string {{ ansible_managed }} available within Jinja2 
+# templates indicates to users editing templates files will be replaced.
+# replacing {file}, {host} and {uid} and strftime codes with proper values.
+ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
+
+# by default, ansible-playbook will display "Skipping [host]" if it determines a task
+# should not be run on a host.  Set this to "False" if you don't want to see these "Skipping" 
+# messages. NOTE: the task header will still be shown regardless of whether or not the 
+# task is skipped.
+#display_skipped_hosts = True
+
+# by default (as of 1.3), Ansible will raise errors when attempting to dereference 
+# Jinja2 variables that are not set in templates or action lines. Uncomment this line
+# to revert the behavior to pre-1.3.
+#error_on_undefined_vars = False
+
+# by default (as of 1.6), Ansible may display warnings based on the configuration of the
+# system running ansible itself. This may include warnings about 3rd party packages or
+# other conditions that should be resolved if possible.
+# to disable these warnings, set the following value to False:
+system_warnings = False
+
+# set plugin path directories here, seperate with colons
+action_plugins     = /srv/web/infra/ansible/action_plugins:/usr/share/ansible_plugins/action_plugins
+callback_plugins   = /srv/web/infra/ansible/callback_plugins:/usr/share/ansible_plugins/callback_plugins
+connection_plugins = /srv/web/infra/ansible/connection_plugins:/usr/share/ansible_plugins/connection_plugins
+lookup_plugins     = /srv/web/infra/ansible/lookup_plugins:/usr/share/ansible_plugins/lookup_plugins
+vars_plugins       = /srv/web/infra/ansible/vars_plugins:/usr/share/ansible_plugins/vars_plugins
+filter_plugins     = /srv/web/infra/ansible/filter_plugins:/usr/share/ansible_plugins/filter_plugins
+
+# don't like cows?  that's unfortunate.
+# set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1 
+#nocows = 1
+
+# don't like colors either?
+# set to 1 if you don't want colors, or export ANSIBLE_NOCOLOR=1
+#nocolor = 1
+
+[paramiko_connection]
+
+# uncomment this line to cause the paramiko connection plugin to not record new host
+# keys encountered.  Increases performance on new host additions.  Setting works independently of the
+# host key checking setting above.
+#record_host_keys=False
+
+# by default, Ansible requests a pseudo-terminal for commands executed under sudo. Uncomment this
+# line to disable this behaviour.
+#pty=False
+
+[ssh_connection]
+
+# ssh arguments to use
+# Leaving off ControlPersist will result in poor performance, so use 
+# paramiko on older platforms rather than removing it
+# ssh_args = -o ControlMaster=auto -o ControlPersist=60s
+
+# The path to use for the ControlPath sockets. This defaults to
+# "%(directory)s/ansible-ssh-%%h-%%p-%%r", however on some systems with
+# very long hostnames or very long path names (caused by long user names or 
+# deeply nested home directories) this can exceed the character limit on
+# file socket names (108 characters for most platforms). In that case, you 
+# may wish to shorten the string below.
+# 
+# Example: 
+# control_path = %(directory)s/%%h-%%r
+#control_path = %(directory)s/ansible-ssh-%%h-%%p-%%r
+
+# Enabling pipelining reduces the number of SSH operations required to 
+# execute a module on the remote server. This can result in a significant 
+# performance improvement when enabled, however when using "sudo:" you must 
+# first disable 'requiretty' in /etc/sudoers
+#
+# By default, this option is disabled to preserve compatibility with
+# sudoers configurations that have requiretty (the default on many distros).
+# 
+pipelining = True
+
+# if True, make ansible use scp if the connection type is ssh 
+# (default is sftp)
+#scp_if_ssh = True
+
+[accelerate]
+accelerate_port = 5099
+accelerate_timeout = 30
+accelerate_connect_timeout = 5.0

roles/batcave/files/logview.cron

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# Send a email with failed or changed from ansible playbook runs 
+/srv/web/infra/ansible/scripts/logview -d yesterday -s CHANGED -s FAILED | mailx -s "ansible changed/failed actions" sysadmin-logs-members@fedoraproject.org

roles/batcave/files/root_bashrc

@@ -0,0 +1,29 @@
+# .bashrc
+
+# User specific aliases and functions
+
+alias rm='rm -i'
+alias cp='cp -i'
+alias mv='mv -i'
+
+# Source global definitions
+if [ -f /etc/bashrc ]; then
+	. /etc/bashrc
+fi
+
+
+if [ -f /root/sshagent ]; then
+      source /root/sshagent >>/dev/null 
+      working=`ps $SSH_AGENT_PID`
+      if [ "$?" != 0 ]; then
+        if [ ${TERM} != "dumb" ]; then
+         echo "No ssh-agent running, you will need to run one:"
+         echo "ssh-agent -s > /root/sshagent"
+         echo "source /root/sshagent"
+         echo "ssh-add /srv/privatekeys/ssh/ansible_root.private"
+         echo "ssh-add /srv/privatekeys/ssh/fedora-admin.private"
+        fi
+      fi
+     
+fi
+

roles/batcave/tasks/main.yml

@@ -0,0 +1,91 @@
+#
+# This role sets up the various packages and scripts needed for a batcave
+#
+
+#
+# make directory for nfs mounts to live in
+#
+
+- name: create /srv/web/pub for nfs mounts
+  file: dest=/srv/web/pub state=directory mode=755
+  tags:
+  - batcave
+  - config
+
+- name: install packages needed
+  yum: pkg={{ item }} state=present
+  with_items:
+  - srm                       # secure rm to delete sensitive files.
+  - ansible                   # This is our ansible master, needs ansible installed.
+  - ansible-openstack-modules # Needed to manage cloud with ansible
+  tags:
+  - batcave
+  - config
+
+# 
+# This is our ansible master, setup ansible
+#
+
+- name: use our ansible.cfg
+  copy: src=ansible.cfg dest=/etc/ansible/ansible.cfg
+  tags:
+  - batcave
+  - config
+
+- name: setup roots bashrc to note about agents
+  copy: src=root_bashrc dest=/root/.bashrc
+  tags:
+  - batcave
+  - config
+
+- name: run daily logview report for ansible actions. 
+  copy: src=logview.cron dest=/etc/cron.daily/logview.cron
+  tags:
+  - batcave
+  - config
+ 
+#
+# Set selinux booleans we need
+#
+
+- name: set selinux booleans
+  seboolean: name={{ item }} persistent=yes state=yes
+  with_items:
+  - httpd_can_network_connect
+  - httpd_use_nfs
+  - httpd_can_network_relay
+  tags:
+  - batcave
+  - config
+
+# still to convert from puppet:
+#    include scripts::check-sshkeys
+#    include scripts::git-notifier
+#    include scripts::retrieve-security-question
+#    include scripts::sync-openshift-keys
+#    include scripts::zodbotAnnounceCommits
+#    include scripts::fedmsgAnnounceCommits
+#    include scripts::ansible-playbook-check-diff
+#    include scripts::public-db-copy
+#
+#    include cgit::cgit
+#    include cgit::clean-lock-cron
+#    include ansible_utils::ansible_utils
+#
+#    include repo2json
+#
+#    include scripts::sync-rhn
+#    include scripts::vmdiff
+#    include rsync::server
+#    include scripts::geoip-retriever
+#    include geoip-retriever
+#    include git::package
+#    include git::mail-hooks
+#    include git-email-package
+#
+#    httpd::site { "infrastructure.fedoraproject.org": }
+#
+#    httpd::mime-type { "restructured text docs":
+#        website => "infrastructure.fedoraproject.org",
+#        mimetype => "text/plain",
+#        extensions => [ ".rst" ],