copr-infra: setup root passwords

This is useful when trying to fix things like /etc/fstab
https://fosstodon.org/@praiskup/113557853677016655

inventory/group_vars/copr_back_aws

@@ -1,4 +1,6 @@
 ---
+copr_machine_type: backend
+
 # what is the main backend service name
 copr_backend_target: copr-backend.target
 

inventory/group_vars/copr_back_dev_aws

@@ -1,4 +1,6 @@
 ---
+copr_machine_type: backend
+
 _copr_be_conf: copr-be.conf-dev
 # what is the main backend service name
 copr_backend_target: copr-backend.target

inventory/group_vars/copr_dist_git_aws

@@ -1,4 +1,6 @@
 ---
+copr_machine_type: distgit
+
 freezes: false
 # consumed by roles/copr/certbot
 letsencrypt:

inventory/group_vars/copr_dist_git_dev_aws

@@ -1,4 +1,6 @@
 ---
+copr_machine_type: distgit
+
 devel: true
 freezes: false
 # consumed by roles/copr/certbot

inventory/group_vars/copr_front_aws

@@ -1,4 +1,6 @@
 ---
+copr_machine_type: frontend
+
 copr_fe_homedir: /usr/share/copr/coprs_frontend
 copr_frontend_public_hostname: "copr.fedorainfracloud.org"
 copr_kerberos_auth_enabled: true

inventory/group_vars/copr_front_dev_aws

@@ -1,4 +1,6 @@
 ---
+copr_machine_type: frontend
+
 allowlist_emails:
   - msuchy@redhat.com
   - praiskup@redhat.com

inventory/group_vars/copr_keygen_aws

@@ -1,4 +1,6 @@
 ---
+copr_machine_type: keygen
+
 copr_hostbase: copr-keygen
 # http + signd dest ports
 custom_rules:

inventory/group_vars/copr_keygen_dev_aws

@@ -1,4 +1,6 @@
 ---
+copr_machine_type: keygen
+
 copr_hostbase: copr-keygen-dev
 # http + signd dest ports
 custom_rules:

inventory/group_vars/copr_pulp_aws

@@ -1,3 +1,5 @@
 ---
+copr_machine_type: pulp
+
 services_disabled: false
 aws_ipv6_addr: ""

inventory/group_vars/copr_pulp_dev_aws

@@ -1,3 +1,5 @@
 ---
+copr_machine_type: pulp
+
 services_disabled: true
 aws_ipv6_addr: "2600:1f18:8ee:ae00:c607:4520:249f:6cc8"

playbooks/groups/copr-backend.yml

@@ -55,12 +55,13 @@
 
   # Roles are run first, before tasks, regardless of where you place them here.
   roles:
-  - base
-  - nagios_client
-  - copr/backend
-  - role: messaging/base
-    when: copr_messaging
-  - role: rsnapshot-push
-    when: env == "production"
-  - role: log-detective-backup
-    when: env == "production"
+    - copr/pre
+    - base
+    - nagios_client
+    - copr/backend
+    - role: messaging/base
+      when: copr_messaging
+    - role: rsnapshot-push
+      when: env == "production"
+    - role: log-detective-backup
+      when: env == "production"

playbooks/groups/copr-dist-git.yml

@@ -50,9 +50,10 @@
     - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
 
   roles:
-  - base
-  - nagios_client
-  - copr/dist_git
+    - copr/pre
+    - base
+    - nagios_client
+    - copr/dist_git
 
   handlers:
   - import_tasks: "{{ handlers_path }}/restart_services.yml"

playbooks/groups/copr-frontend.yml

@@ -50,6 +50,7 @@
     - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
 
   roles:
-  - base
-  - nagios_client
-  - copr/frontend
+    - copr/pre
+    - base
+    - nagios_client
+    - copr/frontend

playbooks/groups/copr-pulp.yml

@@ -84,9 +84,10 @@
     - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
 
   roles:
-  - base
-  - nagios_client
-  - copr/pulp
+    - copr/pre
+    - base
+    - nagios_client
+    - copr/pulp
 
 
 - name: Use pulp_installer collection

roles/copr/pre/tasks/main.yml

@@ -1,4 +1,11 @@
 ---
+- name: setup the root password
+  ansible.builtin.user:
+    name: root
+    password: "{{ copr_root_passwords[deployment_type][copr_machine_type] }}"
+  tags:
+    - root_password
+
 - name: create copr-signer group
   group: name="copr-signer" state=present gid=989
   when: "'copr_keygen_aws' in group_names or 'copr_keygen_dev_aws' in group_names"