Migrate a bunch of things to roles. Thanks to misc!

roles/fas_client/files/fas-client.cron

@@ -0,0 +1 @@
+*/10 * * * * root /usr/local/bin/lock-wrapper fasClient "/bin/sleep $(($RANDOM \% 180)); /usr/bin/fasClient -i | /usr/local/bin/nag-once fassync 1d 2>&1"

roles/fas_client/files/nsswitch.conf

@@ -0,0 +1,45 @@
+# /etc/nsswitch.conf
+#
+# An example Name Service Switch config file. This file should be
+# sorted with the most-used services at the beginning.
+#
+# The entry '[NOTFOUND=return]' means that the search for an
+# entry should stop if the search in the previous entry turned
+# up nothing. Note that if the search failed due to some other reason
+# (like no NIS server responding) then the search continues with the
+# next entry.
+#
+# Legal entries are:
+#
+#	nisplus or nis+		Use NIS+ (NIS version 3)
+#	nis or yp		Use NIS (NIS version 2), also called YP
+#	dns			Use DNS (Domain Name Service)
+#	files			Use the local files
+#	db			Use the local database (.db) files
+#	compat			Use NIS on compat mode
+#	hesiod			Use Hesiod for user lookups
+#	[NOTFOUND=return]	Stop searching if not found so far
+#
+
+passwd:     db files
+shadow:     db files
+group:      db files
+
+#hosts:     db files nisplus nis dns
+hosts:      files dns
+
+bootparams: nisplus [NOTFOUND=return] files
+
+ethers:     files
+netmasks:   files
+networks:   files
+protocols:  files
+rpc:        files
+services:   files
+
+netgroup:   files
+
+publickey:  nisplus
+
+automount:  files
+aliases:    files nisplus

roles/fas_client/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: run fasclient
+  action: command /usr/bin/fasClient -i

roles/fas_client/tasks/main.yml

@@ -0,0 +1,80 @@
+---
+#
+# This task sets up fasClient on a machine. 
+# It installs the fas-clients package, then the /etc/fas.conf and finally a cron job update.
+#
+
+#
+# fas-clients is in the infrastructure repo. 
+# nss_db is needed to store user/group info.
+#
+- name: install package needed for fas-client
+  yum: state=installed name=$item
+  with_items:
+  - fas-clients
+  - cronie
+  tags:
+  - packages
+
+- name: hotfix - python-fedora proxyclient.py 
+  copy: >
+    src=$files/hotfix/python-fedora/proxyclient.py
+    dest=/usr/lib/python2.6/site-packages/fedora/client/proxyclient.py
+    owner=root mode=644
+  only_if: "'${ansible_distribution}' == 'RedHat'"
+  tags:
+  - hotfix
+  - packages
+
+- name: install nss_db on rhel hosts only
+  yum: state=installed name=nss_db
+  only_if: "'${ansible_distribution}' == 'RedHat'"
+  tags:
+  - packages
+
+#
+# setup /etc/nsswitch.conf to use nssdb
+#
+- name: setup /etc/nsswitch.conf for client use
+  copy: src=nsswitch.conf  dest=/etc/nsswitch.conf owner=root mode=644
+  tags:
+  - config
+
+#
+# fasClients needs a valid /etc/fas.conf. 
+# There's vars used in this template: 
+#
+# fas_client_groups = "sysadmin-main"
+# fas_client_restricted_app = ""
+# fas_client_admin_app = ""
+# fas_client_ssh_groups = ""
+#
+# if desired, set them on a per host/group basis. 
+#
+# Currently the default template is used, but could be modified on a host basis. 
+#
+- name: setup /etc/fas.conf for client use
+  template: src=$item dest=/etc/fas.conf owner=root mode=600
+  with_first_found:
+  - ${ansible_fqdn}.fas.conf.j2 
+  - ${ansible_hostname}.fas.conf.j2 
+  - ${ansible_hostname}.fas.conf.j2 
+  - fas.conf.j2
+  tags:
+  - config
+  notify:
+  - run fasclient
+
+#
+# setup /etc/cron.d/ file to run sync every 10min
+# TODO: use cron module when it's fixed
+#
+#- name: fas_client cron job
+#  cron: name="fas client" user=root cron_file=fas-client minute="*/10" job="/usr/bin/fasClient -i"
+#  tags:
+#  - config
+
+- name: fas_client cron job
+  copy: src=fas-client.cron dest=/etc/cron.d/fas-client owner=root mode=644
+  tags:
+  - config

roles/fas_client/templates/fas.conf.j2

@@ -0,0 +1,92 @@
+[global]
+; url - Location to fas server
+url = https://admin.fedoraproject.org/accounts/
+
+; temp - Location to generate files while user creation process is happening
+temp = /var/db
+
+; login - username to contact fas
+login = {{ fedorathirdpartyUser }}
+
+; password - password for login name
+password = {{ fedorathirdpartyPassword }}
+
+; prefix - install to a location other than /
+prefix = /
+
+; modefile - Location of a file containing saved home directory modes
+modefile = /var/lib/fas/client_dir_perms
+
+; cla_group - Group for CLA requirements
+cla_group = cla_done
+
+[host]
+; Group hierarchy is 1) groups, 2) restricted_groups 3) ssh_restricted_groups
+; so if someone is in all 3, the client behaves the same as if they were just
+; in 'groups'
+
+; groups that should have a shell account on this system.
+{% if fas_client_groups %}
+groups = sysadmin-main,{{ fas_client_groups }}
+{% else %}
+groups = sysadmin-main
+{% endif %}
+
+; groups that should have a restricted account on this system.
+; restricted accounts use the restricted_shell value in [users]
+restricted_groups =
+
+; ssh_restricted_groups: groups that should be restricted by ssh key.  You will
+; need to disable password based logins in order for this value to have any
+; security meaning.  Group types can be placed here as well, for example
+; @hg,@git,@svn
+{% if fas_client_ssh_groups %}
+ssh_restricted_groups = {{ fas_client_ssh_groups }}
+{% else %}
+ssh_restricted_groups = 
+{% endif %}
+
+; aliases_template: Gets prepended to the aliases file when it is generated by
+; fasClient
+aliases_template = /etc/aliases.template
+
+[users]
+; default shell given to people in [host] groups
+shell = /bin/bash
+
+; home - the location for fas user home dirs
+home = /home/fedora
+
+; home_backup_dir - Location home dirs should get moved to when a user is
+; deleted this location should be tmpwatched
+home_backup_dir = /home/fedora.bak
+
+; ssh_restricted_app - This is the path to the restricted shell script.  It
+; will not work automatically for most people though through alterations it
+; is a powerfull way to restrict access to a machine.  An alternative example
+; could be given to people who should only have cvs access on the machine.
+; setting this value to "/usr/bin/cvs server" would do this.
+{% if fas_client_restricted_app %}
+ssh_restricted_app = {{ fas_client_restricted_app }}
+{% else %}
+ssh_restricted_app = 
+{% endif %}
+
+; ssh_admin_app - This is the path to an app that an admin is allowed to use.
+{% if fas_client_admin_app %}
+ssh_admin_app = {{ fas_client_admin_app }}
+{% else %}
+ssh_admin_app = 
+{% endif %}
+
+; restricted_shell - The shell given to users in the ssh_restricted_groups
+restricted_shell = /sbin/nologin
+
+; ssh_restricted_shell - The shell given to users in the ssh_restricted_groups
+ssh_restricted_shell = /bin/bash
+
+; ssh_key_options - Options to be appended to people ssh keys.  Users in the
+; ssh_restricted_groups will have the keys they uploaded altered when they are
+; installed on this machine, appended with the options below.
+ssh_key_options = no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
+