update ansible_distribution_major_version conditionals
Signed-off-by: Karsten Hopp <karsten@redhat.com>
parent
d982c06fde
commit
c9ed62ac32
45 changed files with 460 additions and 175 deletions
|
@ -77,8 +77,8 @@
|
||||||
#notify:
|
#notify:
|
||||||
#- fix openvpn routing
|
#- fix openvpn routing
|
||||||
|
|
||||||
- name: restart openvpn (RHEL7)
|
- name: restart openvpn (RHEL7+)
|
||||||
when: ansible_distribution == "RedHat" and ansible_distribution_major_version|int == 7
|
when: ansible_distribution == "RedHat" and ansible_distribution_major_version|int >= 7
|
||||||
action: service name=openvpn-client@openvpn state=restarted
|
action: service name=openvpn-client@openvpn state=restarted
|
||||||
#notify:
|
#notify:
|
||||||
#- fix openvpn routing
|
#- fix openvpn routing
|
||||||
|
|
|
@ -17,7 +17,16 @@
|
||||||
- name: Get list of active loaded services with systemctl
|
- name: Get list of active loaded services with systemctl
|
||||||
shell: '/bin/systemctl -t service --no-legend | egrep "loaded active" | tr -s " " | cut -d " " -f1'
|
shell: '/bin/systemctl -t service --no-legend | egrep "loaded active" | tr -s " " | cut -d " " -f1'
|
||||||
changed_when: False
|
changed_when: False
|
||||||
when: ansible_distribution_major_version|int > 6
|
when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
|
||||||
|
register: loaded_active_services_systemctl
|
||||||
|
tags:
|
||||||
|
- check
|
||||||
|
- services
|
||||||
|
|
||||||
|
- name: Get list of active loaded services with systemctl
|
||||||
|
shell: '/bin/systemctl -t service --no-legend | egrep "loaded active" | tr -s " " | cut -d " " -f1'
|
||||||
|
changed_when: False
|
||||||
|
when: ansible_distribution_major_version|int > 6 and ansible_distribution is 'RedHat'
|
||||||
register: loaded_active_services_systemctl
|
register: loaded_active_services_systemctl
|
||||||
tags:
|
tags:
|
||||||
- check
|
- check
|
||||||
|
@ -26,7 +35,16 @@
|
||||||
- name: Get list of inactive loaded services with systemctl
|
- name: Get list of inactive loaded services with systemctl
|
||||||
shell: '/bin/systemctl -t service --no-legend | egrep -v "loaded active" | tr -s " " | cut -d " " -f1'
|
shell: '/bin/systemctl -t service --no-legend | egrep -v "loaded active" | tr -s " " | cut -d " " -f1'
|
||||||
changed_when: False
|
changed_when: False
|
||||||
when: ansible_distribution_major_version|int > 6
|
when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
|
||||||
|
register: loaded_inactive_services_systemctl
|
||||||
|
tags:
|
||||||
|
- check
|
||||||
|
- services
|
||||||
|
|
||||||
|
- name: Get list of inactive loaded services with systemctl
|
||||||
|
shell: '/bin/systemctl -t service --no-legend | egrep -v "loaded active" | tr -s " " | cut -d " " -f1'
|
||||||
|
changed_when: False
|
||||||
|
when: ansible_distribution_major_version|int > 6 and ansible_distribution is 'RedHat'
|
||||||
register: loaded_inactive_services_systemctl
|
register: loaded_inactive_services_systemctl
|
||||||
tags:
|
tags:
|
||||||
- check
|
- check
|
||||||
|
@ -36,7 +54,7 @@
|
||||||
- name: Get list of enabled services with chkconfig at current runlevel
|
- name: Get list of enabled services with chkconfig at current runlevel
|
||||||
shell: "chkconfig | grep \"`runlevel | cut -d ' ' -f 2`:on\" | awk '{print $1}'"
|
shell: "chkconfig | grep \"`runlevel | cut -d ' ' -f 2`:on\" | awk '{print $1}'"
|
||||||
changed_when: False
|
changed_when: False
|
||||||
when: ansible_distribution_major_version|int <= 6
|
when: ansible_distribution_major_version|int <= 6 and ansible_distribution is 'RedHat'
|
||||||
register: enabled_services_chkconfig
|
register: enabled_services_chkconfig
|
||||||
tags:
|
tags:
|
||||||
- check
|
- check
|
||||||
|
@ -45,7 +63,7 @@
|
||||||
- name: Get list of disabled services with chkconfig at current runlevel
|
- name: Get list of disabled services with chkconfig at current runlevel
|
||||||
shell: "chkconfig | grep \"`runlevel | cut -d ' ' -f 2`:off\" | awk '{print $1}'"
|
shell: "chkconfig | grep \"`runlevel | cut -d ' ' -f 2`:off\" | awk '{print $1}'"
|
||||||
changed_when: False
|
changed_when: False
|
||||||
when: ansible_distribution_major_version|int <= 6
|
when: ansible_distribution_major_version|int <= 6 and ansible_distribution is 'RedHat'
|
||||||
register: disabled_services_chkconfig
|
register: disabled_services_chkconfig
|
||||||
tags:
|
tags:
|
||||||
- check
|
- check
|
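Review bot: `ansible_distribution is 'Fedora'` is not a valid Jinja2 expression, because `is` introduces a named test and cannot be followed by a string literal, so each new `when:` in these hunks would fail to template instead of selecting a distribution; write `ansible_distribution == 'Fedora'` (and `== 'RedHat'`). The same construct appears in nearly every other file section of this commit, including the Kerberos and sshd_config templates. Separately, the duplicated "Get list of … loaded services" tasks both `register:` the same variable, and a skipped task still writes its skipped result to the register, so on a Fedora host the later RedHat copy would replace the output just collected and the service check would read nothing. A single task with `when: (ansible_distribution == 'Fedora' and ansible_distribution_major_version|int >= 29) or (ansible_distribution == 'RedHat' and ansible_distribution_major_version|int > 6)` avoids that.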
||||||
|
|
|
@ -26,6 +26,7 @@
|
||||||
- "/srv/private/ansible/vars.yml"
|
- "/srv/private/ansible/vars.yml"
|
||||||
- "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml"
|
- "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml"
|
||||||
|
|
||||||
|
# FIXME: is checking for RedHat correct here ?
|
||||||
roles:
|
roles:
|
||||||
- base
|
- base
|
||||||
- rkhunter
|
- rkhunter
|
||||||
|
@ -35,7 +36,7 @@
|
||||||
- collectd/base
|
- collectd/base
|
||||||
- apache
|
- apache
|
||||||
- download
|
- download
|
||||||
- { role: mod_limitipconn, when: ansible_distribution_major_version|int != '7'}
|
- { role: mod_limitipconn, when: ansible_distribution_major_version|int != '7' and ansible_distribution is 'RedHat'}
|
||||||
- rsyncd
|
- rsyncd
|
||||||
- { role: nfs/client, when: datacenter == "phx2", mnt_dir: '/srv/pub', nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub' }
|
- { role: nfs/client, when: datacenter == "phx2", mnt_dir: '/srv/pub', nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub' }
|
||||||
- { role: nfs/client, when: datacenter == "rdu", mnt_dir: '/srv/pub', nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub' }
|
- { role: nfs/client, when: datacenter == "rdu", mnt_dir: '/srv/pub', nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub' }
|
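Review bot: In the `mod_limitipconn` entry, `ansible_distribution_major_version|int != '7'` compares an integer with the string `'7'`, which is always true, so the version part of the condition excludes nothing and the role would apply to every RedHat host, version 7 included. If the intent is "RedHat except 7", write `when: ansible_distribution == 'RedHat' and ansible_distribution_major_version|int != 7`. The new `# FIXME: is checking for RedHat correct here ?` sits above `roles:` rather than next to the entry it questions, so moving it onto that line would make the open question easier to find.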
||||||
|
|
|
@ -65,7 +65,7 @@
|
||||||
dnf: state=present pkg={{ item }}
|
dnf: state=present pkg={{ item }}
|
||||||
with_items:
|
with_items:
|
||||||
- fedora-packager
|
- fedora-packager
|
||||||
when: ansible_distribution_major_version|int > 21
|
when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
|
|
||||||
|
|
|
@ -17,25 +17,25 @@
|
||||||
|
|
||||||
- name: yum update {{ package }} from main repo
|
- name: yum update {{ package }} from main repo
|
||||||
yum: name="{{ package }}" state=latest update_cache=yes
|
yum: name="{{ package }}" state=latest update_cache=yes
|
||||||
when: not testing and ansible_distribution_major_version|int < 22
|
when: not testing and ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
- name: yum update {{ package }} from testing repo
|
- name: yum update {{ package }} from testing repo
|
||||||
yum: name="{{ package }}" state=latest enablerepo=infrastructure-tags-stg update_cache=yes
|
yum: name="{{ package }}" state=latest enablerepo=infrastructure-tags-stg update_cache=yes
|
||||||
when: testing and ansible_distribution_major_version|int < 22
|
when: testing and ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
- name: dnf clean all (since we can't do it when updating)
|
- name: dnf clean all (since we can't do it when updating)
|
||||||
command: dnf clean all
|
command: dnf clean all
|
||||||
when: not testing and ansible_distribution_major_version|int > 21
|
when: not testing and ansible_distribution_major_version|int > 21 and ansible_distribution is 'Fedora'
|
||||||
|
|
||||||
- name: dnf update {{ package }} from main repo
|
- name: dnf update {{ package }} from main repo
|
||||||
dnf: name="{{ package }}" state=latest
|
dnf: name="{{ package }}" state=latest
|
||||||
when: not testing and ansible_distribution_major_version|int > 21
|
when: not testing and ansible_distribution_major_version|int > 21 and ansible_distribution is 'Fedora'
|
||||||
|
|
||||||
- name: dnf clean all (since we can't do it when updating)
|
- name: dnf clean all (since we can't do it when updating)
|
||||||
command: dnf clean all --enablerepo=infrastructure-tags-stg
|
command: dnf clean all --enablerepo=infrastructure-tags-stg
|
||||||
when: testing and ansible_distribution_major_version|int > 21
|
when: testing and ansible_distribution_major_version|int > 21 and ansible_distribution is 'Fedora'
|
||||||
|
|
||||||
- name: dnf update {{ package }} from testing repo
|
- name: dnf update {{ package }} from testing repo
|
||||||
dnf: name="{{ package }}" state=latest enablerepo=infrastructure-tags-stg
|
dnf: name="{{ package }}" state=latest enablerepo=infrastructure-tags-stg
|
||||||
when: testing and ansible_distribution_major_version|int > 21
|
when: testing and ansible_distribution_major_version|int > 21 and ansible_distribution is 'Fedora'
|
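Review bot: After this change no task in the hunk matches a RedHat host with major version 8 or later: both yum tasks require `< 8` with RedHat and all four dnf tasks require Fedora, so on such a host `{{ package }}` is left un-updated while the play still reports success. Other file sections in this commit add `>= 8` RedHat branches, which suggests those hosts are in scope. If so, the dnf conditions could use `(ansible_distribution == 'Fedora' and ansible_distribution_major_version|int > 21) or (ansible_distribution == 'RedHat' and ansible_distribution_major_version|int >= 8)` combined with the existing `testing` / `not testing` term.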
||||||
|
|
||||||
|
|
|
@ -69,11 +69,12 @@
|
||||||
tasks:
|
tasks:
|
||||||
- name: install cloud-utils (yum)
|
- name: install cloud-utils (yum)
|
||||||
package: name=cloud-utils state=present
|
package: name=cloud-utils state=present
|
||||||
when: ansible_distribution_major_version|int < 22
|
when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
|
# FIXME no Fedora ?
|
||||||
- name: install cloud-utils (dnf)
|
- name: install cloud-utils (dnf)
|
||||||
command: dnf install -y cloud-utils
|
command: dnf install -y cloud-utils
|
||||||
when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
|
when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
- import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml"
|
- import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml"
|
||||||
|
|
||||||
|
|
|
@ -76,11 +76,12 @@
|
||||||
tasks:
|
tasks:
|
||||||
- name: install cloud-utils (yum)
|
- name: install cloud-utils (yum)
|
||||||
package: name=cloud-utils state=present
|
package: name=cloud-utils state=present
|
||||||
when: ansible_distribution_major_version|int < 22
|
when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
|
# FIXME no Fedora ?
|
||||||
- name: install cloud-utils (dnf)
|
- name: install cloud-utils (dnf)
|
||||||
command: dnf install -y cloud-utils
|
command: dnf install -y cloud-utils
|
||||||
when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
|
when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
- import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml"
|
- import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml"
|
||||||
|
|
||||||
|
|
|
@ -24,7 +24,19 @@
|
||||||
- name: hotfix - copy over new httpd init script
|
- name: hotfix - copy over new httpd init script
|
||||||
copy: src="{{ files }}/hotfix/httpd/httpd.init" dest=/etc/init.d/httpd
|
copy: src="{{ files }}/hotfix/httpd/httpd.init" dest=/etc/init.d/httpd
|
||||||
owner=root group=root mode=0755
|
owner=root group=root mode=0755
|
||||||
when: ansible_distribution_major_version|int < 30
|
when: ansible_distribution_major_version|int < 30 and ansible_distribution is 'Fedora'
|
||||||
|
notify:
|
||||||
|
- reload apache
|
||||||
|
tags:
|
||||||
|
- config
|
||||||
|
- hotfix
|
||||||
|
- apache
|
||||||
|
|
||||||
|
# install hash randomization hotfix
|
||||||
|
- name: hotfix - copy over new httpd init script
|
||||||
|
copy: src="{{ files }}/hotfix/httpd/httpd.init" dest=/etc/init.d/httpd
|
||||||
|
owner=root group=root mode=0755
|
||||||
|
when: ansible_distribution_major_version|int <= 8 and ansible_distribution is 'RedHat'
|
||||||
notify:
|
notify:
|
||||||
- reload apache
|
- reload apache
|
||||||
tags:
|
tags:
|
||||||
|
@ -34,7 +46,7 @@
|
||||||
|
|
||||||
- name: hotfix - copy over new httpd sysconfig (el6)
|
- name: hotfix - copy over new httpd sysconfig (el6)
|
||||||
copy: src="{{ files }}/hotfix/httpd/httpd.sysconfig" dest=/etc/sysconfig/httpd
|
copy: src="{{ files }}/hotfix/httpd/httpd.sysconfig" dest=/etc/sysconfig/httpd
|
||||||
when: ansible_distribution_major_version|int == 6
|
when: ansible_distribution_major_version|int == 6 and ansible_distribution is 'RedHat'
|
||||||
notify:
|
notify:
|
||||||
- reload apache
|
- reload apache
|
||||||
tags:
|
tags:
|
||||||
|
@ -44,7 +56,7 @@
|
||||||
|
|
||||||
- name: hotfix - copy over new httpd sysconfig (el7)
|
- name: hotfix - copy over new httpd sysconfig (el7)
|
||||||
copy: src="{{ files }}/hotfix/httpd/httpd.sysconfig" dest=/etc/sysconfig/httpd
|
copy: src="{{ files }}/hotfix/httpd/httpd.sysconfig" dest=/etc/sysconfig/httpd
|
||||||
when: ansible_distribution_major_version|int == 7
|
when: ansible_distribution_major_version|int == 7 and ansible_distribution is 'RedHat'
|
||||||
notify:
|
notify:
|
||||||
- reload apache
|
- reload apache
|
||||||
tags:
|
tags:
|
||||||
|
|
|
@ -11,11 +11,11 @@
|
||||||
- policycoreutils-python
|
- policycoreutils-python
|
||||||
tags:
|
tags:
|
||||||
- selinux
|
- selinux
|
||||||
when: ansible_distribution_major_version|int < 8
|
when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
- name: ensure packages required for semanage are installed (dnf)
|
- name: ensure packages required for semanage are installed (dnf)
|
||||||
package: name=policycoreutils-python-utils state=present
|
package: name=policycoreutils-python-utils state=present
|
||||||
when: ansible_distribution_major_version|int > 27 and ansible_cmdline.ostree is not defined
|
when: (ansible_distribution_major_version|int > 27 and ansible_distribution is 'Fedora') or (ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat') and ansible_cmdline.ostree is not defined
|
||||||
tags:
|
tags:
|
||||||
- selinux
|
- selinux
|
||||||
|
|
||||||
|
@ -52,7 +52,18 @@
|
||||||
ini_file: dest=/etc/NetworkManager/NetworkManager.conf section=main option=dns value=none
|
ini_file: dest=/etc/NetworkManager/NetworkManager.conf section=main option=dns value=none
|
||||||
notify:
|
notify:
|
||||||
- restart NetworkManager
|
- restart NetworkManager
|
||||||
when: ansible_distribution_major_version|int >=7 and nmclitest is success and ( not ansible_ifcfg_blacklist) and not nm_controlled_resolv
|
when: ansible_distribution_major_version|int >=7 and ansible_distribution is 'RedHat' and nmclitest is success and ( not ansible_ifcfg_blacklist) and not nm_controlled_resolv
|
||||||
|
tags:
|
||||||
|
- config
|
||||||
|
- resolvconf
|
||||||
|
- base
|
||||||
|
- ifcfg
|
||||||
|
|
||||||
|
- name: disable resolv.conf control from NM
|
||||||
|
ini_file: dest=/etc/NetworkManager/NetworkManager.conf section=main option=dns value=none
|
||||||
|
notify:
|
||||||
|
- restart NetworkManager
|
||||||
|
when: ansible_distribution_major_version|int >=29 and ansible_distribution is 'Fedora' and nmclitest is success and ( not ansible_ifcfg_blacklist) and not nm_controlled_resolv
|
||||||
tags:
|
tags:
|
||||||
- config
|
- config
|
||||||
- resolvconf
|
- resolvconf
|
||||||
|
@ -65,7 +76,19 @@
|
||||||
changed_when: false
|
changed_when: false
|
||||||
failed_when: 'if_uuid.stdout == ""'
|
failed_when: 'if_uuid.stdout == ""'
|
||||||
check_mode: no
|
check_mode: no
|
||||||
when: ansible_distribution_major_version|int >=7 and nmclitest is success and ( not ansible_ifcfg_blacklist )
|
when: ansible_distribution_major_version|int >=7 and ansible_distribution is 'RedHat' and nmclitest is success and ( not ansible_ifcfg_blacklist )
|
||||||
|
tags:
|
||||||
|
- config
|
||||||
|
- ifcfg
|
||||||
|
- base
|
||||||
|
|
||||||
|
- name: get interface uuid
|
||||||
|
shell: nmcli -f "DEVICE,UUID" c show --active | grep -E '^eth|^br|^em'
|
||||||
|
register: if_uuid
|
||||||
|
changed_when: false
|
||||||
|
failed_when: 'if_uuid.stdout == ""'
|
||||||
|
check_mode: no
|
||||||
|
when: ansible_distribution_major_version|int >=29 and ansible_distribution is 'Fedora' and nmclitest is success and ( not ansible_ifcfg_blacklist )
|
||||||
tags:
|
tags:
|
||||||
- config
|
- config
|
||||||
- ifcfg
|
- ifcfg
|
||||||
|
@ -92,17 +115,25 @@
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
- base
|
- base
|
||||||
when: ansible_distribution_major_version|int < 22 and ansible_distribution_major_version|int != 8
|
when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
- name: global default packages to install (dnf)
|
- name: global default packages to install (dnf)
|
||||||
dnf: state=present name="{{ global_pkgs_inst }}"
|
dnf: state=present name="{{ global_pkgs_inst }}"
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
- base
|
- base
|
||||||
when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
|
when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
|
- name: global default packages to install (dnf)
|
||||||
|
dnf: state=present name="{{ global_pkgs_inst }}"
|
||||||
|
tags:
|
||||||
|
- packages
|
||||||
|
- base
|
||||||
|
when: ansible_distribution_major_version|int > 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
- name: make sure hostname is set right on rhel7 hosts
|
- name: make sure hostname is set right on rhel7 hosts
|
||||||
hostname: name="{{inventory_hostname}}"
|
hostname: name="{{inventory_hostname}}"
|
||||||
|
when: ansible_distribution_major_version|int == 7 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
#
|
#
|
||||||
# We set builders root password in the koji_builder role, so do not set those here
|
# We set builders root password in the koji_builder role, so do not set those here
|
||||||
|
@ -137,7 +168,7 @@
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
- base
|
- base
|
||||||
when: ansible_distribution_major_version|int < 22
|
when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
- name: dist pkgs to install (yum)
|
- name: dist pkgs to install (yum)
|
||||||
package: state=present name={{ item }}
|
package: state=present name={{ item }}
|
||||||
|
@ -146,21 +177,35 @@
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
- base
|
- base
|
||||||
when: ansible_distribution_major_version|int < 22
|
when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
- name: dist pkgs to remove (dnf)
|
- name: dist pkgs to remove (dnf)
|
||||||
dnf: state=absent name="{{ base_pkgs_erase }}"
|
dnf: state=absent name="{{ base_pkgs_erase }}"
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
- base
|
- base
|
||||||
when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
|
when: ansible_distribution_major_version|int > 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
|
- name: dist pkgs to remove (dnf)
|
||||||
|
dnf: state=absent name="{{ base_pkgs_erase }}"
|
||||||
|
tags:
|
||||||
|
- packages
|
||||||
|
- base
|
||||||
|
when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
- name: dist pkgs to install (dnf)
|
- name: dist pkgs to install (dnf)
|
||||||
dnf: state=present name="{{ base_pkgs_inst }}"
|
dnf: state=present name="{{ base_pkgs_inst }}"
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
- base
|
- base
|
||||||
when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
|
when: ansible_distribution_major_version|int > 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
|
- name: dist pkgs to install (dnf)
|
||||||
|
dnf: state=present name="{{ base_pkgs_inst }}"
|
||||||
|
tags:
|
||||||
|
- packages
|
||||||
|
- base
|
||||||
|
when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
- name: dist disabled services
|
- name: dist disabled services
|
||||||
service: state=stopped enabled=false name={{ item }}
|
service: state=stopped enabled=false name={{ item }}
|
||||||
|
@ -234,7 +279,18 @@
|
||||||
- name: enable journald persistence
|
- name: enable journald persistence
|
||||||
file: path=/var/log/journal state=directory
|
file: path=/var/log/journal state=directory
|
||||||
owner=root group=systemd-journal mode=2755
|
owner=root group=systemd-journal mode=2755
|
||||||
when: ansible_distribution_major_version|int >= 7
|
when: ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat'
|
||||||
|
tags:
|
||||||
|
- journald
|
||||||
|
- config
|
||||||
|
- base
|
||||||
|
notify:
|
||||||
|
- flush journald tmpfiles to persistent store
|
||||||
|
|
||||||
|
- name: enable journald persistence
|
||||||
|
file: path=/var/log/journal state=directory
|
||||||
|
owner=root group=systemd-journal mode=2755
|
||||||
|
when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
|
||||||
tags:
|
tags:
|
||||||
- journald
|
- journald
|
||||||
- config
|
- config
|
||||||
|
@ -346,7 +402,16 @@
|
||||||
- name: copy over our custom selinux module
|
- name: copy over our custom selinux module
|
||||||
copy: src=selinux/mapchkpwd.pp dest=/usr/local/share/mapchkpwd.pp
|
copy: src=selinux/mapchkpwd.pp dest=/usr/local/share/mapchkpwd.pp
|
||||||
register: selinux_module
|
register: selinux_module
|
||||||
when: ansible_distribution_major_version|int >= 27
|
when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
|
||||||
|
tags:
|
||||||
|
- config
|
||||||
|
- selinux
|
||||||
|
|
||||||
|
# Custom selinux policy to allow unix_chkpwd to map PAM database
|
||||||
|
- name: copy over our custom selinux module
|
||||||
|
copy: src=selinux/mapchkpwd.pp dest=/usr/local/share/mapchkpwd.pp
|
||||||
|
register: selinux_module
|
||||||
|
when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat'
|
||||||
tags:
|
tags:
|
||||||
- config
|
- config
|
||||||
- selinux
|
- selinux
|
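Review bot: In the "ensure packages required for semanage are installed (dnf)" condition, `and` binds tighter than `or`, so `ansible_cmdline.ostree is not defined` now guards only the RedHat branch and a Fedora ostree host would match; use `when: ((ansible_distribution_major_version|int > 27 and ansible_distribution == 'Fedora') or (ansible_distribution_major_version|int > 7 and ansible_distribution == 'RedHat')) and ansible_cmdline.ostree is not defined`. The Fedora copies of the global and dist package tasks use `> 29` where the rest of the commit uses `>= 29`, which would leave Fedora 29 without those packages if that is not deliberate. The duplicated "copy over our custom selinux module" tasks both register `selinux_module`, and the "get interface uuid" pair appears to share `if_uuid` (the first `register:` line is above the hunk). A skipped task still overwrites its register, so whatever reads these variables later, outside these hunks, would see a skipped result on one of the two distributions.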
||||||
|
|
|
@ -15,7 +15,7 @@
|
||||||
|
|
||||||
[realms]
|
[realms]
|
||||||
{{ ipa_realm }} = {
|
{{ ipa_realm }} = {
|
||||||
{% if ansible_distribution_major_version|default(0)|int == 6 %}
|
{% if ansible_distribution_major_version|default(0)|int == 6 and and ansible_distribution is "RedHat" %}
|
||||||
kdc = ipa01{{ env_suffix }}.phx2.fedoraproject.org
|
kdc = ipa01{{ env_suffix }}.phx2.fedoraproject.org
|
||||||
{% else %}
|
{% else %}
|
||||||
kdc = https://id{{ env_suffix }}.fedoraproject.org/KdcProxy
|
kdc = https://id{{ env_suffix }}.fedoraproject.org/KdcProxy
|
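Review bot: The new `{% if %}` line contains `and and`, which is a Jinja2 syntax error, so this Kerberos realm template would fail to render on every host rather than only changing which KDC is selected. The line should read `{% if ansible_distribution_major_version|default(0)|int == 6 and ansible_distribution == "RedHat" %}`. Because the version fact is given `default(0)` here, facts are presumably not always available when the template is rendered, in which case `ansible_distribution` needs a `|default('')` too. The `[realms]` block continues outside the hunk.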
||||||
|
|
|
@ -33,7 +33,17 @@
|
||||||
- config
|
- config
|
||||||
- sshd
|
- sshd
|
||||||
- selinux
|
- selinux
|
||||||
when: ansible_distribution_major_version|int < 30 and ansible_distribution_major_version|int != 8
|
when: ansible_distribution_major_version|int < 30 and ansible_distribution is 'Fedora'
|
||||||
|
|
||||||
|
- name: make sure libselinux-python is installed
|
||||||
|
package: name=libselinux-python state=present
|
||||||
|
tags:
|
||||||
|
- basessh
|
||||||
|
- sshd_config
|
||||||
|
- config
|
||||||
|
- sshd
|
||||||
|
- selinux
|
||||||
|
when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
- name: make sure python3-libselinux is installed
|
- name: make sure python3-libselinux is installed
|
||||||
package: name=python3-libselinux state=present
|
package: name=python3-libselinux state=present
|
||||||
|
@ -43,7 +53,17 @@
|
||||||
- config
|
- config
|
||||||
- sshd
|
- sshd
|
||||||
- selinux
|
- selinux
|
||||||
when: ansible_distribution_major_version|int >= 30 or ansible_distribution_major_version|int == 8
|
when: ansible_distribution_major_version|int >= 30 and ansible_distribution is 'Fedora'
|
||||||
|
|
||||||
|
- name: make sure python3-libselinux is installed
|
||||||
|
package: name=python3-libselinux state=present
|
||||||
|
tags:
|
||||||
|
- basessh
|
||||||
|
- sshd_config
|
||||||
|
- config
|
||||||
|
- sshd
|
||||||
|
- selinux
|
||||||
|
when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
- name: check if sshd port is already known by selinux
|
- name: check if sshd port is already known by selinux
|
||||||
shell: semanage port -l | grep ssh
|
shell: semanage port -l | grep ssh
|
||||||
|
|
|
@ -2,7 +2,7 @@ Protocol 2
|
||||||
|
|
||||||
Port {{ sshd_port }}
|
Port {{ sshd_port }}
|
||||||
|
|
||||||
{% if ansible_distribution_major_version == "6" %}
|
{% if ansible_distribution_major_version == "6" and ansible_distribution is 'RedHat' %}
|
||||||
KexAlgorithms diffie-hellman-group-exchange-sha256
|
KexAlgorithms diffie-hellman-group-exchange-sha256
|
||||||
MACs hmac-sha2-512,hmac-sha2-256
|
MACs hmac-sha2-512,hmac-sha2-256
|
||||||
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
|
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
|
||||||
|
@ -31,9 +31,10 @@ AllowAgentForwarding no
|
||||||
X11Forwarding no
|
X11Forwarding no
|
||||||
PermitTunnel no
|
PermitTunnel no
|
||||||
|
|
||||||
{% if ansible_distribution_major_version == "6" %}
|
{% if ansible_distribution_major_version == "6" and ansible_distribution is 'RedHat' %}
|
||||||
UsePrivilegeSeparation yes
|
UsePrivilegeSeparation yes
|
||||||
{% elif ansible_distribution_major_version == "7" %}
|
#FIXME: How about RHEL8 and Fedora ? sandbox as well ?
|
||||||
|
{% elif ansible_distribution_major_version == "7" and ansible_distribution is 'RedHat' %}
|
||||||
UsePrivilegeSeparation sandbox
|
UsePrivilegeSeparation sandbox
|
||||||
{% endif %}
|
{% endif %}
|
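Review bot: The added `#FIXME: How about RHEL8 and Fedora ? sandbox as well ?` line sits inside the `{% if … "6" … %}` branch, so it is written into the rendered sshd_config on those hosts and nowhere else. A template comment placed before the `{% if %}`, `{# FIXME: decide UsePrivilegeSeparation for RHEL 8 and Fedora #}`, keeps it out of the deployed file. On the question itself, OpenSSH 7.5 and later deprecate `UsePrivilegeSeparation` and always separate privileges, so omitting the directive on those distributions is likely correct; confirm against the sshd versions actually deployed. Narrowing both `"6"` checks to RedHat also means any other distribution reporting major version 6 no longer receives the restricted `KexAlgorithms`/`MACs`/`Ciphers` block from the first hunk, and what the template emits for such hosts is outside the hunk.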
||||||
|
|
||||||
|
|
|
@ -26,3 +26,4 @@
|
||||||
- chrony
|
- chrony
|
||||||
- service
|
- service
|
||||||
- base
|
- base
|
||||||
|
when: ansible_distribution_major_version|int != 8
|
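Review bot: The appended `when: ansible_distribution_major_version|int != 8` has no distribution check and no explanation, unlike the other conditions in this commit, so the task it belongs to (it starts above the hunk and is tagged `chrony` and `service`) is skipped on any host reporting major version 8. If this is a temporary workaround, add a one-line comment giving the reason, e.g. `# skipped on RHEL 8 because <reason>; revisit`, so it does not silently outlive its purpose. Time synchronisation matters for Kerberos and for correlating logs across hosts, so a gap here should be visible to the next reader.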
||||||
|
|
|
@ -6,21 +6,35 @@
|
||||||
package: name=collectd state=present
|
package: name=collectd state=present
|
||||||
tags:
|
tags:
|
||||||
- collectd
|
- collectd
|
||||||
when: ansible_distribution_major_version|int < 22
|
when: ansible_distribution_major_version|int <= 7 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
# install pkg
|
# install pkg
|
||||||
- name: install collectd
|
- name: install collectd
|
||||||
dnf: name=collectd state=present
|
dnf: name=collectd state=present
|
||||||
tags:
|
tags:
|
||||||
- collectd
|
- collectd
|
||||||
when: ansible_distribution_major_version|int > 21
|
when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
|
# install pkg
|
||||||
|
- name: install collectd
|
||||||
|
dnf: name=collectd state=present
|
||||||
|
tags:
|
||||||
|
- collectd
|
||||||
|
when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
|
||||||
|
|
||||||
|
# install collectd-disk (it was split out)
|
||||||
|
- name: install collectd-disk
|
||||||
|
dnf: name=collectd-disk state=present
|
||||||
|
tags:
|
||||||
|
- collectd
|
||||||
|
when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
# install collectd-disk on F25+ (it was split out)
|
# install collectd-disk on F25+ (it was split out)
|
||||||
- name: install collectd-disk
|
- name: install collectd-disk
|
||||||
dnf: name=collectd-disk state=present
|
dnf: name=collectd-disk state=present
|
||||||
tags:
|
tags:
|
||||||
- collectd
|
- collectd
|
||||||
when: ansible_distribution_major_version|int > 24
|
when: ansible_distribution_major_version|int > 24 and ansible_distribution is 'Fedora'
|
||||||
|
|
||||||
# install collected.conf
|
# install collected.conf
|
||||||
- name: /etc/collectd.conf
|
- name: /etc/collectd.conf
|
||||||
|
@ -55,7 +69,7 @@
|
||||||
- collectd
|
- collectd
|
||||||
notify:
|
notify:
|
||||||
- restart collectd
|
- restart collectd
|
||||||
when: collectd_apache and ansible_distribution_major_version|int < 22
|
when: collectd_apache and ansible_distribution_major_version|int <= 7 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
- name: install collectd-apache (dnf)
|
- name: install collectd-apache (dnf)
|
||||||
dnf: state=present name=collectd-apache
|
dnf: state=present name=collectd-apache
|
||||||
|
@ -63,7 +77,15 @@
|
||||||
- collectd
|
- collectd
|
||||||
notify:
|
notify:
|
||||||
- restart collectd
|
- restart collectd
|
||||||
when: collectd_apache and ansible_distribution_major_version|int > 21
|
when: collectd_apache and ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
|
- name: install collectd-apache (dnf)
|
||||||
|
dnf: state=present name=collectd-apache
|
||||||
|
tags:
|
||||||
|
- collectd
|
||||||
|
notify:
|
||||||
|
- restart collectd
|
||||||
|
when: collectd_apache and ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
|
||||||
|
|
||||||
- name: /etc/collectd/apache.conf
|
- name: /etc/collectd/apache.conf
|
||||||
copy: src=apache.conf dest=/etc/collectd.d/apache.conf
|
copy: src=apache.conf dest=/etc/collectd.d/apache.conf
|
||||||
|
@ -77,7 +99,7 @@
|
||||||
package: name=libsemanage-python state=present
|
package: name=libsemanage-python state=present
|
||||||
tags:
|
tags:
|
||||||
- collectd
|
- collectd
|
||||||
when: collectd_apache is defined and ansible_distribution_major_version|int < 22
|
when: collectd_apache is defined and ansible_distribution_major_version|int <= 7 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
- name: Let collectd talk to things over tcp
|
- name: Let collectd talk to things over tcp
|
||||||
seboolean: name=collectd_tcp_network_connect state=yes persistent=yes
|
seboolean: name=collectd_tcp_network_connect state=yes persistent=yes
|
||||||
|
|
|
@ -23,7 +23,7 @@
|
||||||
|
|
||||||
- name: enable and start dnf-automatic
|
- name: enable and start dnf-automatic
|
||||||
command: systemctl enable dnf-automatic.timer
|
command: systemctl enable dnf-automatic.timer
|
||||||
when: ansible_distribution_major_version|int < 26
|
when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
|
||||||
args:
|
args:
|
||||||
creates: /etc/systemd/system/basic.target.wants/dnf-automatic.timer
|
creates: /etc/systemd/system/basic.target.wants/dnf-automatic.timer
|
||||||
tags:
|
tags:
|
||||||
|
@ -35,15 +35,23 @@
|
||||||
check_mode: no
|
check_mode: no
|
||||||
changed_when: 1 != 1
|
changed_when: 1 != 1
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
when: ansible_distribution_major_version|int < 26
|
when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
- name: start dnf-automatic.timer if it is not active
|
- name: start dnf-automatic.timer if it is not active
|
||||||
command: systemctl start dnf-automatic.timer
|
command: systemctl start dnf-automatic.timer
|
||||||
when: automaticative is failed and ansible_distribution_major_version|int < 26
|
when: automaticative is failed and ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
- name: enable and start dnf-automatic f26+
|
- name: enable and start dnf-automatic f26+
|
||||||
command: systemctl enable dnf-automatic-install.timer
|
command: systemctl enable dnf-automatic-install.timer
|
||||||
when: ansible_distribution_major_version|int >= 26
|
when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
|
||||||
|
register: dnfautomaticenable
|
||||||
|
changed_when: dnfautomaticenable.rc != 0
|
||||||
|
tags:
|
||||||
|
- config
|
||||||
|
|
||||||
|
- name: enable and start dnf-automatic RHEL8+
|
||||||
|
command: systemctl enable dnf-automatic-install.timer
|
||||||
|
when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat'
|
||||||
register: dnfautomaticenable
|
register: dnfautomaticenable
|
||||||
changed_when: dnfautomaticenable.rc != 0
|
changed_when: dnfautomaticenable.rc != 0
|
||||||
tags:
|
tags:
|
||||||
|
@ -55,11 +63,23 @@
|
||||||
check_mode: no
|
check_mode: no
|
||||||
changed_when: 1 != 1
|
changed_when: 1 != 1
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
when: ansible_distribution_major_version|int >= 26
|
when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
|
- name: check if dnf-automatic-install.timer is active
|
||||||
|
command: systemctl is-active dnf-automatic-install.timer
|
||||||
|
register: automaticative
|
||||||
|
check_mode: no
|
||||||
|
changed_when: 1 != 1
|
||||||
|
ignore_errors: true
|
||||||
|
when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
|
||||||
|
|
||||||
- name: start dnf-automatic-install.timer if it is not active
|
- name: start dnf-automatic-install.timer if it is not active
|
||||||
command: systemctl start dnf-automatic-install.timer
|
command: systemctl start dnf-automatic-install.timer
|
||||||
when: automaticative is failed and ansible_distribution_major_version|int >= 26
|
when: automaticative is failed and ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
|
- name: start dnf-automatic-install.timer if it is not active
|
||||||
|
command: systemctl start dnf-automatic-install.timer
|
||||||
|
when: automaticative is failed and ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
|
||||||
|
|
||||||
- name: disable silly makecache timer
|
- name: disable silly makecache timer
|
||||||
systemd: name=dnf-makecache masked=yes
|
systemd: name=dnf-makecache masked=yes
|
||||||
|
|
|
@ -21,7 +21,7 @@
|
||||||
|
|
||||||
- name: install nss_db on rhel or fedora 25 or greater hosts only
|
- name: install nss_db on rhel or fedora 25 or greater hosts only
|
||||||
package: state=present name=nss_db
|
package: state=present name=nss_db
|
||||||
when: ansible_distribution_major_version|int == 6 or ansible_distribution_major_version|int > 24
|
when: ansible_distribution is 'RedHat' or ansible_distribution is 'Fedora'
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
- fas_client
|
- fas_client
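Review bot: The new condition `ansible_distribution is 'RedHat' or ansible_distribution is 'Fedora'` is not valid Jinja2: `is` must be followed by a test name, not a string literal, so the `when:` should fail to parse instead of selecting hosts. Compare with `==`, as the iscsi_client hunks of this commit already do: `when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora'`. The same `is '<distribution>'` form appears in most other conditionals this commit touches (the tasks tagged git/server, nagios_client, nfs/client, openvpn, postgresql and rsyncd, and the `{% if %}` lines of the nginx and kerneltest templates) and needs the same fix there. Separately, the task name still says "fedora 25 or greater" although the version test has been dropped.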
|
||||||
|
|
|
@ -8,7 +8,12 @@
|
||||||
# If NOT using xinetd
|
# If NOT using xinetd
|
||||||
- name: delete stock git daemon config
|
- name: delete stock git daemon config
|
||||||
file: path="/usr/lib/systemd/system/git.service" state=absent
|
file: path="/usr/lib/systemd/system/git.service" state=absent
|
||||||
when: ansible_distribution_major_version|int == 7
|
when: ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat'
|
||||||
|
tags: git/server
|
||||||
|
|
||||||
|
- name: delete stock git daemon config
|
||||||
|
file: path="/usr/lib/systemd/system/git.service" state=absent
|
||||||
|
when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
|
||||||
tags: git/server
|
tags: git/server
|
||||||
|
|
||||||
- name: configure git daemon
|
- name: configure git daemon
|
||||||
|
@ -16,13 +21,21 @@
|
||||||
src="git@.service.j2"
|
src="git@.service.j2"
|
||||||
dest="/usr/lib/systemd/system/git@.service"
|
dest="/usr/lib/systemd/system/git@.service"
|
||||||
mode=0644
|
mode=0644
|
||||||
when: ansible_distribution_major_version|int == 7
|
when: ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat'
|
||||||
|
tags: git/server
|
||||||
|
|
||||||
|
- name: configure git daemon
|
||||||
|
template: >
|
||||||
|
src="git@.service.j2"
|
||||||
|
dest="/usr/lib/systemd/system/git@.service"
|
||||||
|
mode=0644
|
||||||
|
when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
|
||||||
tags: git/server
|
tags: git/server
|
||||||
|
|
||||||
# If using xinetd
|
# If using xinetd
|
||||||
- name: install xinetd
|
- name: install xinetd
|
||||||
package: name=xinetd state=present
|
package: name=xinetd state=present
|
||||||
when: ansible_distribution_major_version|int == 6
|
when: ansible_distribution_major_version|int == 6 and ansible_distribution is 'RedHat'
|
||||||
tags: git/server
|
tags: git/server
|
||||||
|
|
||||||
- name: install the xinetd config file
|
- name: install the xinetd config file
|
||||||
|
@ -30,7 +43,7 @@
|
||||||
src="git.j2"
|
src="git.j2"
|
||||||
dest="/etc/xinetd.d/git"
|
dest="/etc/xinetd.d/git"
|
||||||
mode=0644
|
mode=0644
|
||||||
when: ansible_distribution_major_version|int == 6
|
when: ansible_distribution_major_version|int == 6 and ansible_distribution is 'RedHat'
|
||||||
tags: git/server
|
tags: git/server
|
||||||
notify:
|
notify:
|
||||||
- restart xinetd
|
- restart xinetd
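Review bot: The added Fedora copies of `delete stock git daemon config` and `configure git daemon` repeat the RedHat tasks line for line and differ only in `when:`, so the pairs can drift the next time one of them is edited. One task each with a combined condition keeps them in step, e.g. `when: (ansible_distribution == 'RedHat' and ansible_distribution_major_version|int >= 7) or (ansible_distribution == 'Fedora' and ansible_distribution_major_version|int >= 29)`. This applies to the first and second hunk of this section.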
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
- device-mapper-multipath
|
- device-mapper-multipath
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
when: ansible_distribution_major_version|int < 22
|
when: ansible_distribution_major_version|int < 8 and ansible_distribution == "RedHat"
|
||||||
|
|
||||||
- name: install packages needed for iscsi_client (dnf)
|
- name: install packages needed for iscsi_client (dnf)
|
||||||
package:
|
package:
|
||||||
|
@ -21,7 +21,17 @@
|
||||||
- device-mapper-multipath
|
- device-mapper-multipath
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
|
when: ansible_distribution_major_version|int >= 29 and ansible_distribution == "Fedora" and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
|
- name: install packages needed for iscsi_client (dnf)
|
||||||
|
package:
|
||||||
|
state: present
|
||||||
|
name:
|
||||||
|
- iscsi-initiator-utils
|
||||||
|
- device-mapper-multipath
|
||||||
|
tags:
|
||||||
|
- packages
|
||||||
|
when: ansible_distribution_major_version|int >= 8 and ansible_distribution == "RedHat" and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
- name: enable iscsi service
|
- name: enable iscsi service
|
||||||
service: state=started enabled=yes name=iscsi
|
service: state=started enabled=yes name=iscsi
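Review bot: The three install conditions no longer cover every host: the old pair `< 22` / `> 21` matched any version, while the new ones match only RedHat below 8, Fedora 29 and later, and RedHat 8 and later. A host reporting any other `ansible_distribution` (CentOS, for example) or an older Fedora now skips every install task, yet `enable iscsi service` still follows with no condition visible in the hunk context. Making the dnf task the default closes the gap and also removes the duplicated task: `when: not (ansible_distribution == "RedHat" and ansible_distribution_major_version|int < 8) and ansible_cmdline.ostree is not defined`. The same narrowing should be checked in the other package-install hunks of this commit.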
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
{% if ansible_distribution_major_version == '6' %}
|
{% if ansible_distribution_major_version == '6 and ansible_distribution is 'RedHat' %}
|
||||||
Alias /kerneltest/static /usr/lib/python2.6/site-packages/kerneltest/static/
|
Alias /kerneltest/static /usr/lib/python2.6/site-packages/kerneltest/static/
|
||||||
{% else %}
|
{% else %}
|
||||||
Alias /kerneltest/static /usr/lib/python2.7/site-packages/kerneltest/static/
|
Alias /kerneltest/static /usr/lib/python2.7/site-packages/kerneltest/static/
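Review bot: The new `{% if %}` line has lost the closing quote after `6`, so the string literal runs on to the quote in front of `RedHat` and the template no longer parses. It should read `{% if ansible_distribution_major_version == '6' and ansible_distribution == 'RedHat' %}`, with `==` because `is` expects a test name rather than a string. The rest of the `{% if %}` block, after the `{% else %}` branch, lies outside the hunk.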
|
||||||
|
|
|
@ -363,6 +363,7 @@
|
||||||
- selinux
|
- selinux
|
||||||
- koji_hub
|
- koji_hub
|
||||||
when: ansible_distribution == "RedHat" and ansible_distribution_major_version|int == 7
|
when: ansible_distribution == "RedHat" and ansible_distribution_major_version|int == 7
|
||||||
|
# FIXME wht about RHEL8+ ?
|
||||||
|
|
||||||
- name: Set httpd to run on boot
|
- name: Set httpd to run on boot
|
||||||
service: name=httpd enabled=yes
|
service: name=httpd enabled=yes
|
||||||
|
|
|
@ -1,18 +1,10 @@
|
||||||
- name: ensure packages required for mariadb are installed
|
|
||||||
package:
|
|
||||||
state: present
|
|
||||||
name:
|
|
||||||
- mariadb-server
|
|
||||||
- MySQL-python
|
|
||||||
when: ansible_distribution_major_version|int < 22
|
|
||||||
|
|
||||||
- name: ensure packages required for mariadb are installed
|
- name: ensure packages required for mariadb are installed
|
||||||
package:
|
package:
|
||||||
state: present
|
state: present
|
||||||
name:
|
name:
|
||||||
- mariadb-server
|
- mariadb-server
|
||||||
- MySQL-python
|
- MySQL-python
|
||||||
when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
|
when: ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
- name: copy my.cnf
|
- name: copy my.cnf
|
||||||
copy: src={{ item }} dest=/etc/my.cnf owner=root group=root mode=0644
|
copy: src={{ item }} dest=/etc/my.cnf owner=root group=root mode=0644
|
||||||
|
|
|
@ -77,7 +77,7 @@
|
||||||
|
|
||||||
- name: install our custom selinux module
|
- name: install our custom selinux module
|
||||||
command: semodule -i /usr/share/nrpe/fi-nrpe.pp
|
command: semodule -i /usr/share/nrpe/fi-nrpe.pp
|
||||||
when: ansible_distribution_major_version|int == 7 and selinux_module is changed
|
when: ansible_distribution_major_version|int == 7 and ansible_distribution is 'RedHat' and selinux_module is changed
|
||||||
tags:
|
tags:
|
||||||
- config
|
- config
|
||||||
- nagios_client
|
- nagios_client
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
- name: install network-scripts package
|
- name: install network-scripts package
|
||||||
package: name=network-scripts state=installed
|
package: name=network-scripts state=installed
|
||||||
when: ansible_distribution_major_version|int >= 29
|
when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
|
||||||
tags:
|
tags:
|
||||||
- nfs/client
|
- nfs/client
|
||||||
|
|
||||||
|
@ -51,12 +51,12 @@
|
||||||
tags:
|
tags:
|
||||||
- nfs/client
|
- nfs/client
|
||||||
|
|
||||||
- name: enable nfs-related services and run them (rhel 7 and Fedora)
|
- name: enable nfs-related services and run them (rhel 7+ and Fedora)
|
||||||
service: name={{ item }} enabled=true state=started
|
service: name={{ item }} enabled=true state=started
|
||||||
with_items:
|
with_items:
|
||||||
- rpcbind
|
- rpcbind
|
||||||
- nfs-lock
|
- nfs-lock
|
||||||
when: ansible_distribution_major_version|int == 7
|
when: ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat'
|
||||||
tags:
|
tags:
|
||||||
- nfs/client
|
- nfs/client
|
||||||
|
|
||||||
|
@ -67,7 +67,7 @@
|
||||||
- rpcbind
|
- rpcbind
|
||||||
- nfs
|
- nfs
|
||||||
- nfslock
|
- nfslock
|
||||||
when: ansible_distribution_major_version|int == 6
|
when: ansible_distribution_major_version|int == 6 and ansible_distribution is 'RedHat'
|
||||||
tags:
|
tags:
|
||||||
- nfs/client
|
- nfs/client
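Review bot: The renamed task `enable nfs-related services and run them (rhel 7+ and Fedora)` is restricted to RedHat by its new `when:`, so Fedora hosts skip it although the name says otherwise. Either drop "and Fedora" from the name or add the Fedora branch, e.g. `when: (ansible_distribution == 'RedHat' and ansible_distribution_major_version|int >= 7) or ansible_distribution == 'Fedora'`. Whether the `nfs-lock` unit exists on RHEL 8 is not visible here and is worth confirming before widening from `== 7` to `>= 7`.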
|
||||||
|
|
||||||
|
|
|
@ -2,7 +2,7 @@ user nginx;
|
||||||
worker_processes {{ nginx_worker_processes }};
|
worker_processes {{ nginx_worker_processes }};
|
||||||
|
|
||||||
error_log /var/log/nginx/error.log {{ nginx_error_level }};
|
error_log /var/log/nginx/error.log {{ nginx_error_level }};
|
||||||
{% if ansible_distribution_major_version == "7" %}
|
{% if ansible_distribution_major_version == "7" and ansible_distribution is "RedHat" %}
|
||||||
pid /run/nginx.pid;
|
pid /run/nginx.pid;
|
||||||
{% else %}
|
{% else %}
|
||||||
pid /var/run/nginx.pid;
|
pid /var/run/nginx.pid;
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
state: present
|
state: present
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
when: ansible_distribution_major_version|int >= 29
|
when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
|
||||||
|
|
||||||
- name: Enable ipv4_forward in sysctl
|
- name: Enable ipv4_forward in sysctl
|
||||||
sysctl: name=net.ipv4.ip_forward value=1 state=present sysctl_set=yes reload=yes
|
sysctl: name=net.ipv4.ip_forward value=1 state=present sysctl_set=yes reload=yes
|
||||||
|
|
|
@ -1,6 +1,8 @@
|
||||||
---
|
---
|
||||||
# OpenVpn basic configuration
|
# OpenVpn basic configuration
|
||||||
|
|
||||||
|
# FIXME lots of changes, please review carefully:
|
||||||
|
#
|
||||||
- name: Install needed package
|
- name: Install needed package
|
||||||
package:
|
package:
|
||||||
state: present
|
state: present
|
||||||
|
@ -9,7 +11,7 @@
|
||||||
tags:
|
tags:
|
||||||
- openvpn
|
- openvpn
|
||||||
- packages
|
- packages
|
||||||
when: ansible_distribution_major_version|int < 8
|
when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
- name: Install needed package (dnf)
|
- name: Install needed package (dnf)
|
||||||
package:
|
package:
|
||||||
|
@ -21,7 +23,7 @@
|
||||||
- packages
|
- packages
|
||||||
when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined
|
when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
- name: Install certificate and key (rhel6 and fedora24 and older)
|
- name: Install certificate and key (rhel6)
|
||||||
copy: src={{ private }}/files/vpn/pki/ca.crt
|
copy: src={{ private }}/files/vpn/pki/ca.crt
|
||||||
dest=/etc/openvpn/ca.crt
|
dest=/etc/openvpn/ca.crt
|
||||||
owner=root group=root mode=0600
|
owner=root group=root mode=0600
|
||||||
|
@ -29,12 +31,21 @@
|
||||||
- install
|
- install
|
||||||
- openvpn
|
- openvpn
|
||||||
#notify:
|
#notify:
|
||||||
#- restart openvpn (Fedora)
|
|
||||||
#- restart openvpn (RHEL7)
|
|
||||||
#- restart openvpn (RHEL6)
|
#- restart openvpn (RHEL6)
|
||||||
when: ansible_distribution_major_version|int < 25
|
when: ansible_distribution_major_version|int == 6 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
- name: Install certificate and key (rhel7 or fedora) for client
|
- name: Install certificate and key (rhel7+) for client
|
||||||
|
copy: src={{ private }}/files/vpn/pki/ca.crt
|
||||||
|
dest=/etc/openvpn/client/ca.crt
|
||||||
|
owner=root group=root mode=0600
|
||||||
|
tags:
|
||||||
|
- install
|
||||||
|
- openvpn
|
||||||
|
#notify:
|
||||||
|
#- restart openvpn (RHEL7+)
|
||||||
|
when: ( ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat' ) and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
|
- name: Install certificate and key (Fedora) for client
|
||||||
copy: src={{ private }}/files/vpn/pki/ca.crt
|
copy: src={{ private }}/files/vpn/pki/ca.crt
|
||||||
dest=/etc/openvpn/client/ca.crt
|
dest=/etc/openvpn/client/ca.crt
|
||||||
owner=root group=root mode=0600
|
owner=root group=root mode=0600
|
||||||
|
@ -43,9 +54,29 @@
|
||||||
- openvpn
|
- openvpn
|
||||||
#notify:
|
#notify:
|
||||||
#- restart openvpn (Fedora)
|
#- restart openvpn (Fedora)
|
||||||
#- restart openvpn (RHEL7)
|
when: ( ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' ) and ansible_cmdline.ostree is not defined
|
||||||
#- restart openvpn (RHEL6)
|
|
||||||
when: ( ansible_distribution_major_version|int != 6 and ansible_distribution_major_version|int != 24 ) and ansible_cmdline.ostree is not defined
|
- name: Install certificate and key (fedora) for server
|
||||||
|
copy: src={{ private }}/files/vpn/pki/ca.crt
|
||||||
|
dest=/etc/openvpn/server/ca.crt
|
||||||
|
owner=root group=root mode=0600
|
||||||
|
tags:
|
||||||
|
- install
|
||||||
|
- openvpn
|
||||||
|
#notify:
|
||||||
|
#- restart openvpn (Fedora)
|
||||||
|
when: ( ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' ) and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
|
- name: Install certificate and key (rhel7+) for server
|
||||||
|
copy: src={{ private }}/files/vpn/pki/ca.crt
|
||||||
|
dest=/etc/openvpn/server/ca.crt
|
||||||
|
owner=root group=root mode=0600
|
||||||
|
tags:
|
||||||
|
- install
|
||||||
|
- openvpn
|
||||||
|
#notify:
|
||||||
|
#- restart openvpn (RHEL7+)
|
||||||
|
when: ( ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat' ) and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
- name: Install certificate and key (rhel7 or fedora) for server
|
- name: Install certificate and key (rhel7 or fedora) for server
|
||||||
copy: src={{ private }}/files/vpn/pki/ca.crt
|
copy: src={{ private }}/files/vpn/pki/ca.crt
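Review bot: The two added tasks `Install certificate and key (fedora) for server` and `Install certificate and key (rhel7+) for server` sit directly in front of the existing `Install certificate and key (rhel7 or fedora) for server` task, which the last hunk keeps as context. If that task still copies `ca.crt` to `/etc/openvpn/server/ca.crt`, the file is now installed by three tasks; its `dest` and `when:` lie outside the hunk, so this needs confirming. Either remove the old task or update only its `when:` instead of adding new tasks.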
|
||||||
|
|
|
@ -9,7 +9,7 @@
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
- openvpn
|
- openvpn
|
||||||
when: ansible_distribution_major_version|int < 8
|
when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
- name: Install needed packages
|
- name: Install needed packages
|
||||||
package:
|
package:
|
||||||
|
@ -19,7 +19,17 @@
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
- openvpn
|
- openvpn
|
||||||
when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined
|
when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
|
- name: Install needed packages
|
||||||
|
package:
|
||||||
|
state: present
|
||||||
|
name:
|
||||||
|
- openvpn
|
||||||
|
tags:
|
||||||
|
- packages
|
||||||
|
- openvpn
|
||||||
|
when: ansible_distribution_major_version|int > 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
- name: Install main config file (rhel7 and fedora)
|
- name: Install main config file (rhel7 and fedora)
|
||||||
template: src=client.conf
|
template: src=client.conf
|
||||||
|
@ -30,9 +40,8 @@
|
||||||
- openvpn
|
- openvpn
|
||||||
# notify:
|
# notify:
|
||||||
# - restart openvpn (Fedora)
|
# - restart openvpn (Fedora)
|
||||||
# - restart openvpn (RHEL7)
|
# - restart openvpn (RHEL6+)
|
||||||
# - restart openvpn (RHEL6)
|
when: (ansible_distribution is 'RedHat' or ansible_distribution is 'Fedora') and ansible_cmdline.ostree is not defined
|
||||||
when: ( ansible_distribution_major_version|int != 6 and ansible_distribution_major_version|int != 24) and ansible_cmdline.ostree is not defined
|
|
||||||
|
|
||||||
- name: Install configuration files (rhel7 and fedora)
|
- name: Install configuration files (rhel7 and fedora)
|
||||||
copy: src={{ item.file }}
|
copy: src={{ item.file }}
|
||||||
|
@ -51,8 +60,7 @@
|
||||||
# notify:
|
# notify:
|
||||||
# - restart openvpn (Fedora)
|
# - restart openvpn (Fedora)
|
||||||
# - restart openvpn (RHEL7)
|
# - restart openvpn (RHEL7)
|
||||||
# - restart openvpn (RHEL6)
|
when: (ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat') or (ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora') and ansible_cmdline.ostree is not defined
|
||||||
when: ( ansible_distribution_major_version|int != 6 and ansible_distribution_major_version|int != 24) and ansible_cmdline.ostree is not defined
|
|
||||||
|
|
||||||
- name: Install configuration files (rhel6)
|
- name: Install configuration files (rhel6)
|
||||||
copy: src={{ item.file }}
|
copy: src={{ item.file }}
|
||||||
|
@ -72,35 +80,26 @@
|
||||||
- install
|
- install
|
||||||
- openvpn
|
- openvpn
|
||||||
# notify:
|
# notify:
|
||||||
# - restart openvpn (Fedora)
|
|
||||||
# - restart openvpn (RHEL7)
|
|
||||||
# - restart openvpn (RHEL6)
|
# - restart openvpn (RHEL6)
|
||||||
when: ( ansible_distribution_major_version|int == 6 or ansible_distribution_major_version|int == 24) and ansible_cmdline.ostree is not defined
|
when: (ansible_distribution_major_version|int == 6 and ansible_distribution is 'RedHat') and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
- name: enable openvpn service for rhel 6
|
- name: enable openvpn service for rhel 6
|
||||||
service: name=openvpn state=started enabled=true
|
service: name=openvpn state=started enabled=true
|
||||||
when: ansible_distribution_major_version|int == 6
|
when: ansible_distribution_major_version|int == 6 and ansible_distribution is 'RedHat'
|
||||||
tags:
|
|
||||||
- service
|
|
||||||
- openvpn
|
|
||||||
|
|
||||||
- name: enable openvpn service for fedora 24
|
|
||||||
service: name=openvpn@openvpn state=started enabled=true
|
|
||||||
when: ansible_distribution_major_version|int == 24
|
|
||||||
tags:
|
tags:
|
||||||
- service
|
- service
|
||||||
- openvpn
|
- openvpn
|
||||||
|
|
||||||
- name: Make sure old openvpn is not running in rhel 7
|
- name: Make sure old openvpn is not running in rhel 7
|
||||||
service: name=openvpn@openvpn state=stopped enabled=false
|
service: name=openvpn@openvpn state=stopped enabled=false
|
||||||
when: ansible_distribution_major_version|int == 7
|
when: ansible_distribution_major_version|int == 7 and ansible_distribution is 'RedHat'
|
||||||
tags:
|
tags:
|
||||||
- service
|
- service
|
||||||
- openvpn
|
- openvpn
|
||||||
|
|
||||||
- name: Make sure openvpn is running in rhel 7
|
- name: Make sure openvpn is running in rhel 7+
|
||||||
service: name=openvpn-client@openvpn state=started enabled=true
|
service: name=openvpn-client@openvpn state=started enabled=true
|
||||||
when: ansible_distribution_major_version|int == 7
|
when: ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat'
|
||||||
tags:
|
tags:
|
||||||
- service
|
- service
|
||||||
- openvpn
|
- openvpn
|
||||||
|
@ -115,7 +114,7 @@
|
||||||
- name: Create directories for post-vpn service configs
|
- name: Create directories for post-vpn service configs
|
||||||
file: path="/etc/systemd/system/{{item}}.service.d" state=directory
|
file: path="/etc/systemd/system/{{item}}.service.d" state=directory
|
||||||
with_items: "{{postvpnservices}}"
|
with_items: "{{postvpnservices}}"
|
||||||
when: is_fedora is defined or ansible_distribution_major_version|int == 7
|
when: is_fedora is defined or (ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat')
|
||||||
tags:
|
tags:
|
||||||
- service
|
- service
|
||||||
- openvpn
|
- openvpn
|
||||||
|
@ -123,7 +122,7 @@
|
||||||
- name: Deploy postvpn.conf for post-vpn services
|
- name: Deploy postvpn.conf for post-vpn services
|
||||||
copy: src=postvpn.conf dest="/etc/systemd/system/{{item}}.service.d/postvpn.conf"
|
copy: src=postvpn.conf dest="/etc/systemd/system/{{item}}.service.d/postvpn.conf"
|
||||||
with_items: "{{postvpnservices}}"
|
with_items: "{{postvpnservices}}"
|
||||||
when: is_fedora is defined or ansible_distribution_major_version|int == 7
|
when: is_fedora is defined or (ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat')
|
||||||
tags:
|
tags:
|
||||||
- service
|
- service
|
||||||
- openvpn
|
- openvpn
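Review bot: In the new `when:` of `Install configuration files (rhel7 and fedora)`, `and` binds tighter than `or`, so `ansible_cmdline.ostree is not defined` now guards only the Fedora branch and RedHat 7+ hosts pass regardless of ostree. The old condition parenthesised the version test before the `and`; keep that shape: `when: ((ansible_distribution == 'RedHat' and ansible_distribution_major_version|int >= 7) or (ansible_distribution == 'Fedora' and ansible_distribution_major_version|int >= 29)) and ansible_cmdline.ostree is not defined`. In the added Fedora `Install needed packages` task the test is `> 29`, which skips Fedora 29 while the other Fedora conditions in this commit use `>= 29`.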
|
||||||
|
|
|
@ -1,4 +1,6 @@
|
||||||
---
|
---
|
||||||
|
# FIXME: Are these hosts really running RHEL or do we need to check for CentOS ?
|
||||||
|
#
|
||||||
# Configuration for the fedora-packages webapp
|
# Configuration for the fedora-packages webapp
|
||||||
- name: install needed packages
|
- name: install needed packages
|
||||||
package: name={{ item }} state=present
|
package: name={{ item }} state=present
|
||||||
|
@ -91,7 +93,7 @@
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
- packages/web
|
- packages/web
|
||||||
when: ansible_distribution_major_version|int < 7
|
when: ansible_distribution_major_version|int < 7 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
# Here's the indexer stuff
|
# Here's the indexer stuff
|
||||||
- name: Create cache structure
|
- name: Create cache structure
|
||||||
|
@ -134,7 +136,7 @@
|
||||||
- packages
|
- packages
|
||||||
- packages/web
|
- packages/web
|
||||||
- hotfix
|
- hotfix
|
||||||
when: ansible_distribution_major_version|int < 7
|
when: ansible_distribution_major_version|int < 7 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
# Lastly, here's some selinux stuff.
|
# Lastly, here's some selinux stuff.
|
||||||
- name: set some selinux booleans
|
- name: set some selinux booleans
|
||||||
|
@ -163,4 +165,4 @@
|
||||||
- packages
|
- packages
|
||||||
- packages/web
|
- packages/web
|
||||||
- selinux
|
- selinux
|
||||||
when: ansible_distribution_major_version|int > 6
|
when: ansible_distribution_major_version|int > 6 and (ansible_distribution is 'RedHat' or ansible_distribution is 'Fedora')
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
- postgresql-plpython
|
- postgresql-plpython
|
||||||
- python-psycopg2
|
- python-psycopg2
|
||||||
- pxz
|
- pxz
|
||||||
when: ansible_distribution_major_version|int < 22
|
when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
- postgresql
|
- postgresql
|
||||||
|
@ -25,7 +25,21 @@
|
||||||
- postgresql-plpython
|
- postgresql-plpython
|
||||||
- python-psycopg2
|
- python-psycopg2
|
||||||
- pxz
|
- pxz
|
||||||
when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
|
when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
|
||||||
|
tags:
|
||||||
|
- packages
|
||||||
|
- postgresql
|
||||||
|
|
||||||
|
- name: install postgresql server packages (dnf)
|
||||||
|
package:
|
||||||
|
state: present
|
||||||
|
name:
|
||||||
|
- postgresql-server
|
||||||
|
- postgresql-contrib
|
||||||
|
- postgresql-plpython
|
||||||
|
- python-psycopg2
|
||||||
|
- pxz
|
||||||
|
when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
- postgresql
|
- postgresql
|
||||||
|
|
|
@ -11,6 +11,7 @@
|
||||||
- packages
|
- packages
|
||||||
- postgresql-bdr
|
- postgresql-bdr
|
||||||
|
|
||||||
|
# No Fedora packages available for F25+
|
||||||
- name: install postgresql server packages (yum)
|
- name: install postgresql server packages (yum)
|
||||||
package: name={{ item }} state=present
|
package: name={{ item }} state=present
|
||||||
with_items:
|
with_items:
|
||||||
|
@ -20,7 +21,7 @@
|
||||||
- postgresql-bdr94-bdr
|
- postgresql-bdr94-bdr
|
||||||
- postgresql-bdr94-plpython
|
- postgresql-bdr94-plpython
|
||||||
- python-psycopg2
|
- python-psycopg2
|
||||||
when: ansible_distribution_major_version|int < 22
|
when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
- postgresql-bdr
|
- postgresql-bdr
|
||||||
|
|
|
@ -1,13 +1,4 @@
|
||||||
---
|
---
|
||||||
- name: install rkhunter (yum)
|
|
||||||
package: name=rkhunter state=present
|
|
||||||
notify:
|
|
||||||
- run rkhunter
|
|
||||||
tags:
|
|
||||||
- rkhunter
|
|
||||||
- packages
|
|
||||||
when: ansible_distribution_major_version|int < 22
|
|
||||||
|
|
||||||
- name: install rkhunter (dnf)
|
- name: install rkhunter (dnf)
|
||||||
package: name=rkhunter state=present
|
package: name=rkhunter state=present
|
||||||
notify:
|
notify:
|
||||||
|
@ -15,7 +6,7 @@
|
||||||
tags:
|
tags:
|
||||||
- rkhunter
|
- rkhunter
|
||||||
- packages
|
- packages
|
||||||
when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
|
when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
|
|
||||||
- name: rkhunter.conf
|
- name: rkhunter.conf
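Review bot: With the `install rkhunter (yum)` task deleted and the remaining task narrowed to Fedora 29 and later, no task in this section installs rkhunter on RedHat hosts any more; the removed `< 22` branch was the one that matched them. The `rkhunter.conf` task that follows is kept as context, so those hosts would get the configuration without the scanner itself (that task's own condition, if any, is outside the hunk). Since `package:` selects the backend itself, the approach taken in the mariadb hunk fits here too: `when: ansible_cmdline.ostree is not defined`.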
|
||||||
|
|
|
@ -165,13 +165,8 @@ ALLOW_SSH_ROOT_USER=without-password
|
||||||
# configuration file, then a value of '2' may be set here in order to
|
# configuration file, then a value of '2' may be set here in order to
|
||||||
# suppress a warning message. This option has a default value of '0'.
|
# suppress a warning message. This option has a default value of '0'.
|
||||||
#
|
#
|
||||||
{% if ansible_distribution == 'Fedora' and ansible_distribution_major_version|int < 22 %}
|
|
||||||
# Fedora 21 doesn't set protocol in ssh config
|
|
||||||
ALLOW_SSH_PROT_V1=2
|
|
||||||
{% else %}
|
|
||||||
# For RHEL and Fedora 22+ we set proto to v2 only
|
# For RHEL and Fedora 22+ we set proto to v2 only
|
||||||
ALLOW_SSH_PROT_V1=0
|
ALLOW_SSH_PROT_V1=0
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# This setting tells rkhunter the directory containing the SSH configuration
|
# This setting tells rkhunter the directory containing the SSH configuration
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
# This role sets up rsyncd on a server
|
# This role sets up rsyncd on a server
|
||||||
#
|
#
|
||||||
|
|
||||||
- name: install rnecessary packages
|
- name: install necessary packages
|
||||||
package:
|
package:
|
||||||
state: present
|
state: present
|
||||||
name:
|
name:
|
||||||
|
@ -13,9 +13,9 @@
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
- rsyncd
|
- rsyncd
|
||||||
when: ansible_distribution_major_version|int < 22
|
when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
- name: install rnecessary packages
|
- name: install necessary packages
|
||||||
package:
|
package:
|
||||||
state: present
|
state: present
|
||||||
name:
|
name:
|
||||||
|
@ -25,7 +25,19 @@
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
- rsyncd
|
- rsyncd
|
||||||
when: ansible_distribution_major_version|int > 21
|
when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
|
- name: install necessary packages
|
||||||
|
package:
|
||||||
|
state: present
|
||||||
|
name:
|
||||||
|
- rsync
|
||||||
|
- xinetd
|
||||||
|
- libsemanage-python
|
||||||
|
tags:
|
||||||
|
- packages
|
||||||
|
- rsyncd
|
||||||
|
when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
|
||||||
|
|
||||||
- name: rsyncd.conf file
|
- name: rsyncd.conf file
|
||||||
copy: src={{ item }} dest=/etc/rsyncd.conf mode=0644
|
copy: src={{ item }} dest=/etc/rsyncd.conf mode=0644
|
||||||
|
|
|
@ -30,15 +30,23 @@
|
||||||
package: state=present name={{ item }}
|
package: state=present name={{ item }}
|
||||||
with_items:
|
with_items:
|
||||||
- gnupg1
|
- gnupg1
|
||||||
when: ansible_distribution_major_version|int == 7
|
when: ansible_distribution_major_version|int == 7 and ansible_distribution is 'RedHat'
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
|
|
||||||
- name: install fedora only packages
|
- name: install gnupg packages
|
||||||
package: state=present name={{ item }}
|
package: state=present name={{ item }}
|
||||||
with_items:
|
with_items:
|
||||||
- gnupg
|
- gnupg
|
||||||
when: ansible_distribution_major_version|int > 23
|
when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat'
|
||||||
|
tags:
|
||||||
|
- packages
|
||||||
|
|
||||||
|
- name: install gnupg packages
|
||||||
|
package: state=present name={{ item }}
|
||||||
|
with_items:
|
||||||
|
- gnupg
|
||||||
|
when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
|
|
||||||
|
@ -50,7 +58,7 @@
|
||||||
|
|
||||||
- name: Setup gpg link on rhel7
|
- name: Setup gpg link on rhel7
|
||||||
file: state=link src=/usr/bin/gpg1 dest=/usr/bin/gpg
|
file: state=link src=/usr/bin/gpg1 dest=/usr/bin/gpg
|
||||||
when: ansible_distribution_major_version|int == 7
|
when: ansible_distribution_major_version|int == 7 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
- name: add polkit rules to allow sigul user to access the smartcard/yubikey
|
- name: add polkit rules to allow sigul user to access the smartcard/yubikey
|
||||||
copy: src=00-sigul.rules dest=/etc/polkit-1/rules.d/00-sigul.rules
|
copy: src=00-sigul.rules dest=/etc/polkit-1/rules.d/00-sigul.rules
|
||||||
|
|
|
@ -5,14 +5,21 @@
|
||||||
name:
|
name:
|
||||||
- git
|
- git
|
||||||
- python-grokmirror
|
- python-grokmirror
|
||||||
when: ansible_distribution_major_version|int < 22
|
when: ansible_distribution_major_version|int <= 7 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
- name: ensure grokmirror packages are installed (dnf)
|
- name: ensure grokmirror packages are installed (dnf)
|
||||||
dnf: name={{ item }} state=present
|
dnf: name={{ item }} state=present
|
||||||
with_items:
|
with_items:
|
||||||
- git
|
- git
|
||||||
- python-grokmirror
|
- python-grokmirror
|
||||||
when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
|
when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
|
- name: ensure grokmirror packages are installed (dnf)
|
||||||
|
dnf: name={{ item }} state=present
|
||||||
|
with_items:
|
||||||
|
- git
|
||||||
|
- python-grokmirror
|
||||||
|
when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
- name: create grokmirror user
|
- name: create grokmirror user
|
||||||
user: name={{ grokmirror_user }}
|
user: name={{ grokmirror_user }}
|
||||||
|
|
|
@ -10,7 +10,7 @@
|
||||||
- mod_wsgi
|
- mod_wsgi
|
||||||
- python-psycopg2
|
- python-psycopg2
|
||||||
- libsemanage-python
|
- libsemanage-python
|
||||||
when: ansible_distribution_major_version|int < 22
|
when: ansible_distribution_major_version|int <= 7 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
- name: ensure packages required for resultsdb are installed (dnf)
|
- name: ensure packages required for resultsdb are installed (dnf)
|
||||||
dnf: name={{ item }} state=present
|
dnf: name={{ item }} state=present
|
||||||
|
@ -19,7 +19,16 @@
|
||||||
- python3-mod_wsgi
|
- python3-mod_wsgi
|
||||||
- python3-psycopg2
|
- python3-psycopg2
|
||||||
- python2-libsemanage
|
- python2-libsemanage
|
||||||
when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
|
when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
|
- name: ensure packages required for resultsdb are installed (dnf)
|
||||||
|
dnf: name={{ item }} state=present
|
||||||
|
with_items:
|
||||||
|
- resultsdb
|
||||||
|
- python3-mod_wsgi
|
||||||
|
- python3-psycopg2
|
||||||
|
- python2-libsemanage
|
||||||
|
when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
- name: ensure database is created
|
- name: ensure database is created
|
||||||
delegate_to: "{{ resultsdb_db_host_machine }}"
|
delegate_to: "{{ resultsdb_db_host_machine }}"
|
||||||
|
|
|
@ -8,14 +8,21 @@
|
||||||
name:
|
name:
|
||||||
- resultsdb_frontend
|
- resultsdb_frontend
|
||||||
- mod_wsgi
|
- mod_wsgi
|
||||||
when: ansible_distribution_major_version|int < 22
|
when: ansible_distribution_major_version|int <= 7 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
- name: ensure packages required for resultsdb_frontend are installed (dnf)
|
- name: ensure packages required for resultsdb_frontend are installed (dnf)
|
||||||
dnf: name={{ item }} state=present
|
dnf: name={{ item }} state=present
|
||||||
with_items:
|
with_items:
|
||||||
- resultsdb_frontend
|
- resultsdb_frontend
|
||||||
- python3-mod_wsgi
|
- python3-mod_wsgi
|
||||||
when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
|
when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
|
- name: ensure packages required for resultsdb_frontend are installed (dnf)
|
||||||
|
dnf: name={{ item }} state=present
|
||||||
|
with_items:
|
||||||
|
- resultsdb_frontend
|
||||||
|
- python3-mod_wsgi
|
||||||
|
when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
- name: ensure selinux lets httpd talk to the network
|
- name: ensure selinux lets httpd talk to the network
|
||||||
seboolean: name=httpd_can_network_connect persistent=yes state=yes
|
seboolean: name=httpd_can_network_connect persistent=yes state=yes
|
||||||
|
|
|
@ -4,13 +4,19 @@
|
||||||
state: present
|
state: present
|
||||||
name:
|
name:
|
||||||
- mod_ssl
|
- mod_ssl
|
||||||
when: ansible_distribution_major_version|int < 22
|
when: ansible_distribution_major_version|int <= 7 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
- name: ensure ssl related packages are installed (dnf)
|
- name: ensure ssl related packages are installed (dnf)
|
||||||
dnf: name={{ item }} state=present
|
dnf: name={{ item }} state=present
|
||||||
with_items:
|
with_items:
|
||||||
- mod_ssl
|
- mod_ssl
|
||||||
when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
|
when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
|
- name: ensure ssl related packages are installed (dnf)
|
||||||
|
dnf: name={{ item }} state=present
|
||||||
|
with_items:
|
||||||
|
- mod_ssl
|
||||||
|
when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
#- name: copy ssl key
|
#- name: copy ssl key
|
||||||
# copy: src={{ private }}/files/taskotron/certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key dest=/etc/pki/tls/private/{{ inventory_hostname }}.key
|
# copy: src={{ private }}/files/taskotron/certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key dest=/etc/pki/tls/private/{{ inventory_hostname }}.key
|
||||||
|
|
|
@ -4,13 +4,19 @@
|
||||||
state: present
|
state: present
|
||||||
name:
|
name:
|
||||||
- httpd
|
- httpd
|
||||||
when: ansible_distribution_major_version|int < 22
|
when: ansible_distribution_major_version|int <= 7 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
- name: ensure packages required for taskotron-frontend are installed (dnf)
|
- name: ensure packages required for taskotron-frontend are installed (dnf)
|
||||||
dnf: name={{ item }} state=present
|
dnf: name={{ item }} state=present
|
||||||
with_items:
|
with_items:
|
||||||
- httpd
|
- httpd
|
||||||
when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
|
when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
|
- name: ensure packages required for taskotron-frontend are installed (dnf)
|
||||||
|
dnf: name={{ item }} state=present
|
||||||
|
with_items:
|
||||||
|
- httpd
|
||||||
|
when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
- name: create dirs for static files
|
- name: create dirs for static files
|
||||||
file: path=/var/www/html/{{ item }} state=directory owner=apache group=apache mode=1755
|
file: path=/var/www/html/{{ item }} state=directory owner=apache group=apache mode=1755
|
||||||
|
|
|
@ -6,7 +6,13 @@
|
||||||
dnf: name={{ item }} state=present
|
dnf: name={{ item }} state=present
|
||||||
with_items:
|
with_items:
|
||||||
- tmpwatch
|
- tmpwatch
|
||||||
when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
|
when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
|
- name: ensure packages required for buildmaster are installed (dnf)
|
||||||
|
dnf: name={{ item }} state=present
|
||||||
|
with_items:
|
||||||
|
- tmpwatch
|
||||||
|
when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
- name: create artifacts directory
|
- name: create artifacts directory
|
||||||
file: path={{ item }} state=directory owner=buildmaster group=buildmaster mode=0775 setype=httpd_sys_content_t
|
file: path={{ item }} state=directory owner=buildmaster group=buildmaster mode=0775 setype=httpd_sys_content_t
|
||||||
|
|
|
@ -11,13 +11,19 @@
|
||||||
state: present
|
state: present
|
||||||
name:
|
name:
|
||||||
- libsemanage-python
|
- libsemanage-python
|
||||||
when: ansible_distribution_major_version|int < 22
|
when: ansible_distribution_major_version|int <= 7 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
- name: ensure packages required for proxying are installed (dnf)
|
- name: ensure packages required for proxying are installed (dnf)
|
||||||
dnf: name={{ item }} state=present
|
dnf: name={{ item }} state=present
|
||||||
with_items:
|
with_items:
|
||||||
- libsemanage-python
|
- libsemanage-python
|
||||||
when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
|
when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
|
- name: ensure packages required for proxying are installed (dnf)
|
||||||
|
dnf: name={{ item }} state=present
|
||||||
|
with_items:
|
||||||
|
- libsemanage-python
|
||||||
|
when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
- name: allow httpd tcp connections with selinux
|
- name: allow httpd tcp connections with selinux
|
||||||
seboolean: name=httpd_can_network_connect state=true persistent=yes
|
seboolean: name=httpd_can_network_connect state=true persistent=yes
|
||||||
|
|
|
@ -22,15 +22,8 @@
|
||||||
- restart varnish
|
- restart varnish
|
||||||
tags:
|
tags:
|
||||||
- varnish
|
- varnish
|
||||||
when: ansible_distribution_major_version|int == 7
|
when: ansible_distribution_major_version|int == 7 and ansible_distribution is 'RedHat'
|
||||||
|
#FIXME: RHEL8+ ?
|
||||||
- name: install varnish /etc/sysconfig/varnish file (fedora 25-28)
|
|
||||||
template: src=varnish.f25.j2 dest=/etc/varnish/varnish.params owner=root group=root
|
|
||||||
notify:
|
|
||||||
- restart varnish
|
|
||||||
tags:
|
|
||||||
- varnish
|
|
||||||
when: ansible_distribution_major_version|int >= 25 and ansible_distribution_major_version|int < 29
|
|
||||||
|
|
||||||
- name: install varnish /etc/systemd/system/varnish.service file (fedora 29+)
|
- name: install varnish /etc/systemd/system/varnish.service file (fedora 29+)
|
||||||
template: src=varnish.f29.j2 dest=/etc/systemd/system/varnish.service owner=root group=root
|
template: src=varnish.f29.j2 dest=/etc/systemd/system/varnish.service owner=root group=root
|
||||||
|
@ -39,7 +32,7 @@
|
||||||
- restart varnish
|
- restart varnish
|
||||||
tags:
|
tags:
|
||||||
- varnish
|
- varnish
|
||||||
when: ansible_distribution_major_version|int >= 29
|
when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
|
||||||
|
|
||||||
- name: install /etc/varnish/default.vcl (proxies)
|
- name: install /etc/varnish/default.vcl (proxies)
|
||||||
template: src={{ varnish_group }}.vcl.j2 dest=/etc/varnish/default.vcl owner=root group=root
|
template: src={{ varnish_group }}.vcl.j2 dest=/etc/varnish/default.vcl owner=root group=root
|
||||||
|
|
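Review bot: The added `#FIXME: RHEL8+ ?` leaves a gap the commit does not close. A RedHat host on major version 8 or later matches neither the `== 7` task above the comment nor the Fedora `>= 29` service-file task, and the Fedora 25-28 task is removed, so on those hosts neither of these varnish files is managed by the tasks shown here. Until the right template for RHEL 8+ is decided, a guard task is safer than a comment: a `fail` with a message naming the distribution and version, conditioned on `ansible_distribution == 'RedHat' and ansible_distribution_major_version|int >= 8`. The first task in this hunk starts above the visible lines.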
|
@ -3,13 +3,19 @@
|
||||||
package: name=pam_url state=present
|
package: name=pam_url state=present
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
when: ansible_distribution_major_version|int < 22
|
when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
- name: install pam_url
|
- name: install pam_url
|
||||||
dnf: name=pam_url state=present
|
dnf: name=pam_url state=present
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
when: ansible_distribution_major_version|int > 21
|
when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
|
- name: install pam_url
|
||||||
|
dnf: name=pam_url state=present
|
||||||
|
tags:
|
||||||
|
- packages
|
||||||
|
when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'RedHat'
|
||||||
|
|
||||||
- name: /etc/pki/tls/private/totpcgi.pem
|
- name: /etc/pki/tls/private/totpcgi.pem
|
||||||
copy: src="{{ private }}/files/2fa-certs/keys/{{ inventory_hostname }}.pem" dest=/etc/pki/tls/private/totpcgi.pem mode=0400
|
copy: src="{{ private }}/files/2fa-certs/keys/{{ inventory_hostname }}.pem" dest=/etc/pki/tls/private/totpcgi.pem mode=0400
|
||||||
|
|
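Review bot: The third `install pam_url` task pairs `ansible_distribution_major_version|int >= 29` with RedHat, which looks like a copy-paste of the task above it; the other sections of this commit pair `>= 29` with Fedora. As written, no Fedora host matches any of the three tasks, so this role would not install pam_url there (whether Fedora hosts use the role is not visible here). The line should probably read `when: ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora'`, with `==` because Jinja2's `is` takes a test name rather than a string.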
|
@ -6,7 +6,7 @@
|
||||||
- ntp
|
- ntp
|
||||||
- libsemanage-python
|
- libsemanage-python
|
||||||
- libselinux-python
|
- libselinux-python
|
||||||
when: ansible_distribution_major_version|int < 22
|
when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
|
|
||||||
|
@ -15,7 +15,16 @@
|
||||||
with_items:
|
with_items:
|
||||||
- ntpdate
|
- ntpdate
|
||||||
- libselinux-python
|
- libselinux-python
|
||||||
when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
|
when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined
|
||||||
|
tags:
|
||||||
|
- packages
|
||||||
|
|
||||||
|
- name: Install desired extra packages (dnf)
|
||||||
|
dnf: state=present pkg={{ item }}
|
||||||
|
with_items:
|
||||||
|
- ntpdate
|
||||||
|
- libselinux-python
|
||||||
|
when: ansible_distribution_major_version|int >=29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
|
|
||||||
|
@ -57,14 +66,21 @@
|
||||||
- name: update all
|
- name: update all
|
||||||
command: yum -y update creates=/etc/sysconfig/global-update-applied
|
command: yum -y update creates=/etc/sysconfig/global-update-applied
|
||||||
register: updated
|
register: updated
|
||||||
when: ansible_distribution_major_version|int < 22
|
when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
|
|
||||||
- name: update all
|
- name: update all
|
||||||
command: dnf -y update creates=/etc/sysconfig/global-update-applied
|
command: dnf -y update creates=/etc/sysconfig/global-update-applied
|
||||||
register: updated
|
register: updated
|
||||||
when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
|
when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined
|
||||||
|
tags:
|
||||||
|
- packages
|
||||||
|
|
||||||
|
- name: update all
|
||||||
|
command: dnf -y update creates=/etc/sysconfig/global-update-applied
|
||||||
|
register: updated
|
||||||
|
when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
|
|
||||||
|
|
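Review bot: The three `update all` tasks no longer cover every host: the old pair `< 22` / `> 21` matched any distribution, while the new conditions match only RedHat and Fedora 29 or later. A CentOS host or a Fedora release below 29 now skips the update and the ntp/ntpdate installs without any error, so it would be provisioned unpatched; whether such hosts remain in the inventory is not visible here. If they are meant to be unsupported, a guard task that fails on an unmatched distribution makes that explicit. Otherwise key the split on the package manager, e.g. `when: ansible_pkg_mgr == 'dnf' and ansible_cmdline.ostree is not defined`. The yum/dnf package-install tasks in the other sections of this commit have the same gap.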
|
@ -88,16 +88,8 @@
|
||||||
- yumrepos
|
- yumrepos
|
||||||
|
|
||||||
- name: add aarch64 server rpms repo
|
- name: add aarch64 server rpms repo
|
||||||
copy: src="{{ files }}/common/rhel-7-aarch64-server-rpms.repo" dest="/etc/yum.repos.d/rhel-7-aarch64-server-rpms.repo"
|
copy: src="{{ files }}/common/rhel-{{ ansible_distribution_major_version }}-aarch64-server-rpms.repo" dest="/etc/yum.repos.d/rhel-{{ ansible_distribution_major_version }}-aarch64-server-rpms.repo"
|
||||||
when: (ansible_distribution == 'RedHat' or ansible_distribution == 'CentOS') and inventory_hostname.startswith('aarch64-c') and ansible_distribution_major_version == 7
|
when: (ansible_distribution == 'RedHat' or ansible_distribution == 'CentOS') and inventory_hostname.startswith('aarch64-c') and ansible_distribution_major_version >= 7
|
||||||
tags:
|
|
||||||
- config
|
|
||||||
- packages
|
|
||||||
- yumrepos
|
|
||||||
|
|
||||||
- name: add aarch64 server rpms repo
|
|
||||||
copy: src="{{ files }}/common/rhel-8-aarch64-server-rpms.repo" dest="/etc/yum.repos.d/rhel-8-aarch64-server-rpms.repo"
|
|
||||||
when: (ansible_distribution == 'RedHat' or ansible_distribution == 'CentOS') and inventory_hostname.startswith('aarch64-c') and ansible_distribution_major_version == 8
|
|
||||||
tags:
|
tags:
|
||||||
- config
|
- config
|
||||||
- packages
|
- packages
|
||||||
|
|
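Review bot: The new condition compares `ansible_distribution_major_version >= 7` without the `|int` filter that the other conditionals in this commit apply. The fact is a string, so under Python 3 an ordering comparison against an integer raises a type error during templating; the removed `== 7` would not have matched either. Use `ansible_distribution_major_version|int >= 7`. With the version now templated into `src`, a host whose release has no matching `rhel-N-aarch64-server-rpms.repo` under `{{ files }}/common/` fails at the copy step; which files exist there is not visible in this diff.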