Infrastructure/ansible
5
0
Fork 0
Code Issues Pull requests 3 Projects Releases Packages Wiki Activity Actions
ansible/roles/base/tasks/main.yml
Ryan Lerch 62952df107 ansiblelint fixes-- fqcn[action-core] - file to ansible.builtin.file 
Replaces many references to  file: with ansible.builtin.file

Signed-off-by: Ryan Lerch <rlerch@redhat.com>
2025-01-15 10:41:52 +10:00

555 lines
14 KiB
YAML
Raw Blame History

---
#
# This is the base role for all machines.
# Things in here are things we want to do to every machine no matter what.
#
# On fedora and rhel larger than 7, all we need is policycoreutils-python-utils,
# which in turn pulls in python3-policycoreutils
#
- name: Ensure packages required for semanage are installed (fedora/rhel8)
package: name=policycoreutils-python-utils state=present
when: ansible_distribution_major_version|int > 7
tags:
- selinux
- name: Global default packages to install (dnf)
dnf: state=present name="{{ global_pkgs_inst }}"
tags:
- packages
- base
when: >
ansible_distribution_major_version|int >= 8 and
ansible_distribution == 'RedHat' and ansible_cmdline.ostree is not defined
- name: Global default packages to install (dnf)
dnf: state=present name="{{ global_pkgs_inst }}"
tags:
- packages
- base
when: >
ansible_distribution_major_version|int > 29 and
ansible_distribution == 'Fedora' and ansible_cmdline.ostree is not defined
- name: Make sure hostname is set right on all hosts
hostname: name="{{inventory_hostname}}"
#
# We set builders root password in the koji_builder role, so do not set those here
#
- name: Set root passwd
user: name=root password={{ rootpw }} state=present
tags:
- rootpw
- base
when:
- not inventory_hostname.startswith(('buildvm-','buildhw-','bkernel','koji','compose'))
- not inventory_hostname.startswith('copr')
- name: Add ansible root key
authorized_key: user=root key="{{ item }}"
with_file:
- ansible-pub-key
tags:
- config
- base
- name: Dist pkgs to remove (yum)
package: state=absent name={{ item }}
with_items:
- "{{ base_pkgs_erase }}"
tags:
- packages
- base
when: ansible_distribution_major_version|int < 8 and ansible_distribution == 'RedHat'
- name: Dist pkgs to install (yum)
package: state=present name={{ item }}
with_items:
- "{{ base_pkgs_inst }}"
tags:
- packages
- base
when: ansible_distribution_major_version|int < 8 and ansible_distribution == 'RedHat'
- name: Dist pkgs to remove (dnf)
dnf: state=absent name="{{ base_pkgs_erase }}"
tags:
- packages
- base
when: >
ansible_distribution_major_version|int > 29 and
ansible_distribution == 'Fedora' and ansible_cmdline.ostree is not defined
- name: Dist pkgs to remove (dnf)
dnf: state=absent name="{{ base_pkgs_erase }}"
tags:
- packages
- base
when: >
ansible_distribution_major_version|int >= 8 and
ansible_distribution == 'RedHat' and
ansible_cmdline.ostree is not defined
- name: Dist pkgs to install (dnf)
dnf: state=present name="{{ base_pkgs_inst }}"
tags:
- packages
- base
when: >
ansible_distribution_major_version|int > 29 and
ansible_distribution == 'Fedora' and
ansible_cmdline.ostree is not defined
- name: Dist pkgs to install (dnf)
dnf: state=present name="{{ base_pkgs_inst }}"
tags:
- packages
- base
when: >
ansible_distribution_major_version|int >= 8 and
ansible_distribution == 'RedHat' and
ansible_cmdline.ostree is not defined
- name: Dist disabled services
service: state=stopped enabled=false name={{ item }}
with_items:
- "{{ service_disabled }}"
tags:
- service
- config
- base
- name: Dist enabled services
service: state=started enabled=true name={{ item }}
with_items:
- "{{ service_enabled }}"
tags:
- service
- config
- base
when: >
ansible_distribution_major_version|int > 31 and
ansible_distribution == 'Fedora' or
ansible_distribution == 'RedHat'
- name: Ensure iptables is installed
package: state=present name=iptables
tags:
- packages
- base
- name: Ensure ipset is installed
package: state=present name=ipset
tags:
- packages
- base
- name: Setup builder ipset if this is a new install
shell: "/usr/sbin/ipset create osbuildapi hash:ip; touch /etc/sysconfig/ipset-osbuildapi"
args:
creates: /etc/sysconfig/ipset-osbuildapi
when: "'osbuild' in group_names"
tags:
- base
- iptables
- name: Install blocklist update script
copy:
src: "{{ private }}/files/blocklist/blocklist-update.sh"
dest: /usr/local/bin/blocklist-update.sh
owner: root
group: root
mode: "0700"
tags:
- base
- iptables
- blocklist
when: "'iad2' not in inventory_hostname or external | bool "
- name: Setup blocklist update cron job
cron:
name: blocklist-update
user: root
minute: 15
hour: "*/2"
job: "/usr/local/bin/blocklist-update.sh force >& /dev/null"
when: "'iad2' not in inventory_hostname or external | bool"
tags:
- base
- iptables
- blocklist
- name: Iptables
template:
src: "{{ item }}"
dest: /etc/sysconfig/iptables
mode: '0600'
validate: "/sbin/iptables-restore --test %s"
with_first_found:
- iptables/iptables.{{ datacenter }}
- iptables/iptables.{{ inventory_hostname }}
- iptables/iptables.{{ host_group }}
- iptables/iptables.{{ env }}
- iptables/iptables
when: baseiptables|bool
notify:
- restart iptables
- reload libvirtd
tags:
- iptables
- config
- base
- name: Iptables service enabled
service: name=iptables state=started enabled=true
tags:
- iptables
- service
- base
when: baseiptables|bool
- name: Ip6tables
template: src={{ item }} dest=/etc/sysconfig/ip6tables mode=0600 backup=yes
with_first_found:
- iptables/ip6tables.{{ datacenter }}
- iptables/ip6tables.{{ inventory_hostname }}
- iptables/ip6tables.{{ host_group }}
- iptables/ip6tables.{{ env }}
- iptables/ip6tables
when: baseiptables|bool
notify:
- restart ip6tables
- reload libvirtd
tags:
- ip6tables
- config
- base
- name: Ip6tables service enabled
service: name=ip6tables state=started enabled=true
tags:
- ip6tables
- service
- base
when: baseiptables|bool
- name: Enable journald persistence
ansible.builtin.file: path=/var/log/journal state=directory
owner=root group=systemd-journal mode=2755
when: ansible_distribution_major_version|int >= 7 and ansible_distribution == 'RedHat'
tags:
- journald
- config
- base
notify:
- flush journald tmpfiles to persistent store
- name: Enable journald persistence
ansible.builtin.file: path=/var/log/journal state=directory
owner=root group=systemd-journal mode=2755
when: ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora'
tags:
- journald
- config
- base
notify:
- flush journald tmpfiles to persistent store
- name: Install rh ca for splunk
copy: src={{ private }}/files/splunk-certs/2022-IT-Root-CA.pem
dest=/etc/pki/tls/certs/2022-IT-Root-CA.pem
tags:
- rsyslogd
- config
- base
when: inventory_hostname.startswith('log01')
- name: Ensure packages required for rsyslog are installed
package: name={{ item }} state=present
with_items:
- rsyslog-gnutls
tags:
- rsyslogd
- config
- base
when: inventory_hostname.startswith('log01')
- name: Rsyslog.conf
copy: src={{ item }} dest=/etc/rsyslog.conf mode=0644
with_first_found:
- rsyslog/rsyslog.conf.{{ inventory_hostname }}
- rsyslog/rsyslog.conf.{{ dist_tag }}
- rsyslog/rsyslog.conf.default
notify:
- restart rsyslog
tags:
- rsyslogd
- config
- base
- name: Rsyslog log rotate for rsyslog servers
copy: src=rsyslog/merged-rsyslog dest=/etc/logrotate.d/merged-rsyslog mode=0644
when: inventory_hostname.startswith('log')
notify:
- restart rsyslog
tags:
- rsyslogd
- config
- base
- name: Add rsyslog config to /etc/rsyslog.d
copy: src={{ item }} dest=/etc/rsyslog.d/ owner=root group=root mode=0644
with_fileglob:
- rsyslog/*.conf
notify:
- restart rsyslog
tags:
- rsyslogd
- config
- base
- name: Rsyslog-audit.conf
copy: src={{ item }} dest=/etc/rsyslog.d/rsyslog-audit.conf owner=root group=root mode=0644
with_first_found:
- rsyslog/rsyslog-audit.conf.{{ datacenter }}
- rsyslog/rsyslog-audit.conf.default
notify:
- restart rsyslog
tags:
- rsyslogd
- config
- base
- name: Log everything to log01 except on mirrorlist, do not log local4 there.
copy: src=rsyslog/rsyslog-log01 dest=/etc/rsyslog.d/rsyslog-log01.conf mode=0644
when: not inventory_hostname.startswith(('mirrorlist','copr'))
tags:
- rsyslogd
- config
- base
- name: Log everything to log01 except on mirrorlist, do log local4 there.
copy: src=rsyslog/rsyslog-log01-nolocal4 dest=/etc/rsyslog.d/rsyslog-log01.conf mode=0644
when: inventory_hostname.startswith('mirrorlist')
tags:
- rsyslogd
- config
- base
- name: Rsyslogd make systemd limits directory for file handles
ansible.builtin.file: dest=/etc/systemd/system/rsyslog.service.d/ mode=0755 owner=root group=root state=directory
when: inventory_hostname.startswith('log') or inventory_hostname.startswith('people')
tags:
- rsyslogd
- config
- name: Rsyslogd put systemd limits directory for file handles
copy: src=rsyslog/rsyslog-limits-systemd
dest=/etc/systemd/system/rsyslog.service.d/limits.conf mode=0644
when: inventory_hostname.startswith('log') or inventory_hostname.startswith('people')
tags:
- rsyslogd
- config
# Custom selinux policy to allow rsyslog to read and send audit to log01
- name: Ensure a directory exists for our custom selinux module
ansible.builtin.file: dest=/usr/local/share/rsyslog state=directory
tags:
- rsyslogd
- config
- rsyslog-audit
- name: Copy over our custom selinux module
copy: src=selinux/rsyslog-audit.pp dest=/usr/local/share/rsyslog/rsyslog-audit.pp
register: selinux_module
tags:
- rsyslogd
- config
- rsyslog-audit
- name: Install our custom selinux module
command: semodule -i /usr/local/share/rsyslog/rsyslog-audit.pp
when: selinux_module is changed and ansible_distribution_major_version|int > 6
tags:
- rsyslogd
- config
- rsyslog-audit
# Custom selinux policy to allow unix_chkpwd to map PAM database
- name: Copy over our custom selinux module
copy: src=selinux/mapchkpwd.pp dest=/usr/local/share/mapchkpwd.pp
register: selinux_module
when: ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora'
tags:
- config
- selinux
# Custom selinux policy to allow unix_chkpwd to map PAM database
- name: Copy over our custom selinux module
copy: src=selinux/mapchkpwd.pp dest=/usr/local/share/mapchkpwd.pp
register: selinux_module
when: ansible_distribution_major_version|int >= 8 and ansible_distribution == 'RedHat'
tags:
- config
- selinux
- name: Install our custom selinux module
command: semodule -i /usr/local/share/mapchkpwd.pp
when: selinux_module is changed
tags:
- selinux
- config
- name: Setup postfix
import_tasks: postfix.yml
#
# This task installs some common scripts to /usr/local/bin
# scripts are under roles/base/files/common-scripts
#
- name: Install common scripts
copy: src={{ item }} dest=/usr/local/bin/ owner=root group=root mode=0755
with_fileglob:
- common-scripts/*
tags:
- config
- base
- common-scripts
- name: Drop in a little system_identification note
template: src=system_identification dest=/etc/system_identification
tags:
- config
- base
#
# Watchdog stuff
#
- name: Set up watchdog
import_tasks: watchdog.yml
# Set PS1 to show stage environment at PS1
#
- name: Set PS1 for stage in /etc/profile.d
copy: >
src=setstgps1.sh
dest="/etc/profile.d/setstgps1.sh"
owner=root
group=root
mode=0644
when: env == 'staging'
tags:
- base
- config
- prompt
# Set PS1 to show prod environment at PS1
#
- name: Set PS1 for prod in /etc/profile.d
copy: >
src=setprodps1.sh
dest="/etc/profile.d/setprodps1.sh"
owner=root
group=root
mode=0644
when: env == 'production' and datacenter != 'iad2'
tags:
- base
- config
- prompt
# Set PS1 to show prod-iad2 environment at PS1
#
- name: Set PS1 for prod in /etc/profile.d
copy: >
src=setprodiad2ps1.sh
dest="/etc/profile.d/setprodiad2ps1.sh"
owner=root
group=root
mode=0644
when: env == 'production' and datacenter == 'iad2'
tags:
- base
- config
- prompt
# Set krb5 conf
- name: Configure krb5
template: src=krb5.conf.j2 dest=/etc/krb5.conf owner=root group=root mode=0644
when: not inventory_hostname.startswith('ipa')
tags:
- base
- config
- krb5
- name: Configure krb5 (IPA master)
template: src=krb5.conf.master.j2 dest=/etc/krb5.conf owner=root group=root mode=0644
when: inventory_hostname.startswith('ipa')
tags:
- base
- config
- krb5
- name: Setup host keytab
import_tasks: keytab.yml
when: not inventory_hostname.startswith('ipa')
# SSSD-KCM has been showing way too many bugs with it saying "I have a ticket" while the ticket
# is actually expired, and kinit's still not refreshing them and such alike.
# Let's just nuke it for now.
- name: We do NOT use sssd-kcm
ansible.builtin.file: path=/etc/krb5.conf.d/kcm_default_ccache state=absent
tags:
- base
- config
- krb5
# rhel8 hosts do not have /usr/bin/python, but there are a few things we call
# with that because they also run the same on python2 hosts.
# So, we set python3 to /usr/bin/python on those hosts:
- name: Ensure that platform-python is installed on EL8 boxes
package: name={{ item }} state=present
with_items:
- platform-python
when: ansible_distribution == 'RedHat' and ansible_distribution_major_version|int == 8
tags:
- base
- config
- python3alternative
- name: Set /usr/bin/python to python3 on rhel8 hosts
alternatives:
name: python
link: /usr/bin/python
path: /usr/bin/python3
when: ansible_distribution == 'RedHat' and ansible_distribution_major_version|int == 8
tags:
- base
- config
- python3alternative
- name: Cron jobs to compress logs under /var/log/hosts and /mnt/fedora_stats
copy: src=compress-log.cron dest=/etc/cron.d/ mode=0644
tags:
- compress
when: inventory_hostname.startswith('log0')
- name: Set crypto-policy to LEGACY on fedora 33 hosts to get 2fa working
import_tasks: crypto-policies.yml
- name: Proxy log rotate for proxy servers
copy: src="{{ files }}/common/rsyslog-logrotate" dest=/etc/logrotate.d/rsyslog mode=0644
when: inventory_hostname.startswith('proxy')
notify:
- restart rsyslog
tags:
- rsyslogd
- config
- base
Reference in a new issue View git blame Copy permalink