Ryan Lerch
62952df107
Replaces many references to file: with ansible.builtin.file Signed-off-by: Ryan Lerch <rlerch@redhat.com>
657 lines
16 KiB
YAML
657 lines
16 KiB
YAML
#
|
|
# This role sets up the various packages and scripts needed for a batcave
|
|
#
|
|
|
|
#
|
|
# make directory for nfs mounts to live in
|
|
#
|
|
|
|
---
|
|
- name: Create /srv/web/pub for nfs mounts
|
|
ansible.builtin.file: dest=/srv/web/pub state=directory mode=0755
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
- name: Install packages needed
|
|
package: name={{ item }} state=present
|
|
with_items:
|
|
- srm # secure rm to delete sensitive files.
|
|
- ansible-core # This is our ansible master, needs ansible installed.
|
|
- ansible_utils # Needed for rbac-playbook
|
|
- createrepo_c # Needed for rhn sync
|
|
- ostree # Needed for rhn sync
|
|
- bind # named-checkzone for dns repo
|
|
- emacs-nox
|
|
- nano
|
|
- rpm-sign # for the sign-and-import playbook
|
|
- createrepo # for the sign-and-import playbook
|
|
- unzip # general useful util
|
|
- fpaste # general useful util
|
|
- mtr # useful for network debugging
|
|
- lftp # needed to easily pull in builds from koji for internal repos
|
|
- git-email # needed to send patches for review to the mailing list
|
|
- python3-dns # needed to have ansible remove ip-based known_host entries
|
|
- libvirt-client # needed to allow migrations to be run from here.
|
|
- easy-rsa # For easy copying into ansible-private for certs.
|
|
- dnf # To get dnf reposync
|
|
- dnf-plugins-core # To get dnf reposync
|
|
- fedora-messaging # To send/receive messages on the amqp bus
|
|
- ansible-freeipa # For the IPA server configuration tasks
|
|
- moreutils # needed for pee command for dns repo hook
|
|
# - python39-jmespath # for the copr playbooks
|
|
- rhel-system-roles # for networking
|
|
- python3-requests-kerberos # for authentication via kinit inside ansible
|
|
tags:
|
|
- batcave
|
|
- config
|
|
when: inventory_hostname.startswith('batcave01')
|
|
|
|
- name: Setup ssh_known_hosts file
|
|
copy: src=ssh_known_hosts dest=/etc/ssh/ssh_known_hosts mode=0644
|
|
tags:
|
|
- batcave
|
|
- config
|
|
- fingerprints
|
|
|
|
#
|
|
# This is our ansible master, setup ansible
|
|
#
|
|
|
|
- name: Setup roots bashrc to note about agents
|
|
copy: src=root_bashrc dest=/root/.bashrc
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
- name: Run daily logview report for ansible actions.
|
|
copy: src=logview.cron dest=/etc/cron.daily/logview.cron mode=0755
|
|
tags:
|
|
- batcave
|
|
- config
|
|
when: inventory_hostname.startswith('batcave01')
|
|
|
|
- name: Install program for generating ticket key
|
|
copy: src=generate_ticketkey dest=/usr/local/bin/generate_ticketkey mode=0755
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
- name: Setup cron for daily ticketkey reollover
|
|
copy: src=ticketkey.cron dest=/etc/cron.hourly/ticketkey.cron mode=0755
|
|
tags:
|
|
- batcave
|
|
- config
|
|
when: inventory_hostname.startswith('batcave01')
|
|
|
|
- name: Setup cron for removing old pdr requests
|
|
copy: src=pdr.cron dest=/etc/cron.d/pdr.cron mode=0644
|
|
tags:
|
|
- batcave
|
|
- config
|
|
when: inventory_hostname.startswith('batcave01')
|
|
|
|
- name: Setup cron to expose the rabbitmq certs
|
|
copy:
|
|
src: make-rabbitmq-certs-public.sh
|
|
dest: /etc/cron.daily/make-rabbitmq-certs-public
|
|
mode: "0755"
|
|
tags:
|
|
- batcave
|
|
- config
|
|
when: inventory_hostname.startswith('batcave01')
|
|
|
|
#
|
|
# Set selinux booleans we need
|
|
#
|
|
|
|
- name: Set selinux booleans
|
|
seboolean: name={{ item }} persistent=yes state=yes
|
|
with_items:
|
|
- httpd_can_network_connect
|
|
- httpd_use_nfs
|
|
- httpd_can_network_relay
|
|
- polyinstantiation_enabled
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
#
|
|
# fedora-messaging configuration file for the applications sending messages from
|
|
# batcave
|
|
#
|
|
|
|
- name: Install the fedora-messaging configuration file
|
|
template: src=batcave-messaging.toml dest=/etc/fedora-messaging/batcave-messaging.toml
|
|
tags:
|
|
- batcave
|
|
- config
|
|
- fedora-messaging
|
|
|
|
- name: Create folder where we'll place the certs
|
|
ansible.builtin.file: path=/etc/pki/rabbitmq/ owner=root group=root mode=0755 state=directory
|
|
tags:
|
|
- batcave
|
|
- config
|
|
- fedora-messaging
|
|
|
|
- name: Install the rabbitmq certificates for batcave
|
|
copy: src={{ item.src }}
|
|
dest=/etc/pki/rabbitmq/{{ item.dest }}
|
|
owner={{ item.owner }} group={{ item.group}} mode={{ item.mode }}
|
|
with_items:
|
|
- src: "{{private}}/files/rabbitmq/{{ env }}/pki/issued/batcave{{ env_suffix }}.crt"
|
|
dest: batcave.crt
|
|
owner: root
|
|
group: root
|
|
mode: "444"
|
|
- src: "{{private}}/files/rabbitmq/{{ env }}/pki/private/batcave{{ env_suffix }}.key"
|
|
dest: batcave.key
|
|
owner: root
|
|
group: root
|
|
mode: "440"
|
|
- src: "{{private}}/files/rabbitmq/{{ env }}/pki/ca.crt"
|
|
dest: batcave.ca
|
|
owner: root
|
|
group: root
|
|
mode: "444"
|
|
tags:
|
|
- batcave
|
|
- config
|
|
- fedora-messaging
|
|
|
|
#
|
|
# Scripts
|
|
#
|
|
|
|
#
|
|
# Hook to notify on git commits used in git repos
|
|
#
|
|
|
|
- name: Setup git-notifier script
|
|
copy: src=git-notifier dest=/usr/local/bin/git-notifier mode=0755
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
|
|
# Hook to republish our bare repos for web viewing.
|
|
- name: Setup syncgittree.sh script
|
|
copy: src=syncgittree.sh dest=/usr/local/bin/syncgittree.sh mode=0755
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
|
|
# The zodbot server must allow TCP on whatever port zodbot is listening on
|
|
# for this to work (currently TCP port 5050).
|
|
# Once that is done, you can symlink /usr/local/bin/zodbot-announce-commits.py
|
|
# to the 'hooks' directory of the bare repo you're wishing to receive commits
|
|
# for, then add a hooks.zodbotchannel to the repo's config file.
|
|
# Lastly, add the following lines to your 'update' hook:
|
|
# reposource=$(git config hooks.reposource)
|
|
# zodbot_channel=$(git config hooks.zodbotchannel)
|
|
# python $reposource/hooks/zodbot-announce-commits.py $reposource $zodbot_channel $oldrev $newrev ${1#refs/heads/}
|
|
|
|
- name: Install zodbot-announce-commits script
|
|
copy: src=zodbot-announce-commits.py dest=/usr/local/bin/zodbot-announce-commits.py mode=0755
|
|
tags:
|
|
- batcave
|
|
- config
|
|
- zodbot
|
|
|
|
#
|
|
# This is another script to announce commits, this time to the fedmsg bus
|
|
#
|
|
|
|
- name: Install packages needed
|
|
package:
|
|
name: fedora-messaging-git-hook
|
|
state: present
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
#
|
|
# This script checks all the virthosts and logs what guests they are running.
|
|
#
|
|
|
|
- name: Install vmdiff.sh cron
|
|
copy: src=vmdiff.sh dest=/etc/cron.hourly/vmdiff.sh mode=0755
|
|
tags:
|
|
- batcave
|
|
- config
|
|
when: inventory_hostname.startswith('batcave01')
|
|
|
|
- name: Install infradocs.sh cron
|
|
copy: src=infradocs.sh dest=/etc/cron.hourly/infradocs.sh mode=0755
|
|
tags:
|
|
- batcave
|
|
- config
|
|
when: inventory_hostname.startswith('batcave01')
|
|
|
|
|
|
#
|
|
# Setup public db copy script.
|
|
#
|
|
|
|
- name: Setup public db copy script
|
|
copy: src=public-db-copy.sh dest=/usr/local/bin/public-db-copy.sh mode=0755
|
|
tags:
|
|
- batcave
|
|
- config
|
|
#
|
|
# Setup public db copy cron.
|
|
#
|
|
|
|
- name: Setup public db copy script
|
|
copy: src=public-db-copy.cron dest=/etc/cron.d/public-db-copy.cron mode=0644
|
|
tags:
|
|
- batcave
|
|
- config
|
|
when: inventory_hostname.startswith('batcave01')
|
|
|
|
#
|
|
# Setup job that runs a check/diff ansible run over all playbooks each night.
|
|
#
|
|
|
|
- name: Setup checkdiff ansible job
|
|
copy: src=ansible-playbook-check-diff.cron dest=/etc/cron.daily/ansible-playbook-check-diff.cron mode=0755
|
|
tags:
|
|
- batcave
|
|
- config
|
|
when: inventory_hostname.startswith('batcave01')
|
|
|
|
#
|
|
# Setup job that runs letsencrypt on proxies each week
|
|
#
|
|
|
|
- name: Setup letsencrypt run for proxies
|
|
copy: src=proxy-certs-check-renew.cron dest=/etc/cron.weekly/proxy-certs-check-renew.cron mode=0755
|
|
tags:
|
|
- batcave
|
|
- config
|
|
when: inventory_hostname.startswith('batcave01')
|
|
|
|
|
|
# Setup rhel8 sync script.
|
|
#
|
|
|
|
- name: Setup rhel8 sync copy script
|
|
copy: src=rhel8-sync dest=/mnt/fedora/app/fi-repo/rhel/rhel8/rhel8-sync mode=0775
|
|
tags:
|
|
- batcave
|
|
- config
|
|
when: inventory_hostname.startswith('batcave01')
|
|
#
|
|
# Setup rhel9 sync script.
|
|
#
|
|
|
|
- name: Setup rhel9 sync copy script
|
|
copy: src=rhel9-sync dest=/mnt/fedora/app/fi-repo/rhel/rhel9/rhel9-sync mode=0775
|
|
tags:
|
|
- batcave
|
|
- config
|
|
when: inventory_hostname.startswith('batcave01')
|
|
|
|
#
|
|
# sync-rhn cron job
|
|
#
|
|
- name: Setup sync-rhn cron
|
|
copy: src=sync-rhn dest=/etc/cron.d/sync-rhn mode=0644
|
|
tags:
|
|
- batcave
|
|
- config
|
|
when: inventory_hostname.startswith('batcave01')
|
|
|
|
|
|
#
|
|
# sync-centos cron job
|
|
#
|
|
- name: Setup sync-rhn cron
|
|
copy: src=sync-centos dest=/etc/cron.d/sync-centos mode=0644
|
|
tags:
|
|
- batcave
|
|
- config
|
|
when: inventory_hostname.startswith('batcave01')
|
|
|
|
#
|
|
# Setup centos 9s sync script.
|
|
#
|
|
|
|
- name: Setup centos 9s sync script
|
|
copy: src=centos-9s-sync dest=/mnt/fedora/app/fi-repo/centos/centos-9s-sync mode=0775
|
|
tags:
|
|
- batcave
|
|
- config
|
|
when: inventory_hostname.startswith('batcave01')
|
|
#
|
|
# Setup centos 10 sync script.
|
|
#
|
|
|
|
- name: Setup centos 10 sync script
|
|
copy: src=centos-10-sync dest=/mnt/fedora/app/fi-repo/centos/centos-10-sync mode=0775
|
|
tags:
|
|
- batcave
|
|
- config
|
|
when: inventory_hostname.startswith('batcave01')
|
|
|
|
#
|
|
# Setup web server config
|
|
#
|
|
- name: Install web server config for batcave (mimetypes)
|
|
copy: src=mime-types.conf dest=/etc/httpd/conf.d/mime-types.conf mode=0644
|
|
notify:
|
|
- reload httpd
|
|
tags:
|
|
- batcave
|
|
- config
|
|
- httpd
|
|
|
|
- name: Install web server config for batcave (access rules)
|
|
copy: src=allows dest=/etc/httpd/conf.d/allows mode=0644
|
|
notify:
|
|
- reload httpd
|
|
tags:
|
|
- batcave
|
|
- config
|
|
- httpd
|
|
|
|
- name: Install web server config for batcave (main config)
|
|
template: src=infrastructure.fedoraproject.org.conf.j2 dest=/etc/httpd/conf.d/infrastructure.fedoraproject.org.conf mode=0644
|
|
notify:
|
|
- reload httpd
|
|
tags:
|
|
- batcave
|
|
- config
|
|
- httpd
|
|
- sslciphers
|
|
|
|
#
|
|
# this cron job creates a json file from the rhel repos
|
|
#
|
|
|
|
- name: Create repo2json directory
|
|
ansible.builtin.file: dest=/srv/web/repo/json mode=0755 state=directory owner=apache group=apache
|
|
tags:
|
|
- batcave
|
|
- config
|
|
when: inventory_hostname.startswith('batcave01')
|
|
|
|
- name: Create repo2json cron job
|
|
copy: src=repo2json.cron dest=/etc/cron.d/repo2json.cron mode=0644
|
|
tags:
|
|
- batcave
|
|
- config
|
|
when: inventory_hostname.startswith('batcave01')
|
|
|
|
#
|
|
# ansible utils includes our rbac-playbook
|
|
#
|
|
|
|
- name: Install the ansible_utils/rbac config
|
|
copy: src={{ private }}/files/rbac/rbac.yaml dest=/etc/ansible_utils/rbac.yaml mode=0540 group=sysadmin
|
|
tags:
|
|
- rbac
|
|
- batcave
|
|
- config
|
|
|
|
#
|
|
# Setup geoip scripts.
|
|
# Other machines pull current geoip data from here.
|
|
#
|
|
|
|
- name: Install geoip download databases script
|
|
template:
|
|
src: geoip-download-databases
|
|
dest: /usr/local/bin/geoip-download-databases
|
|
mode: "0700"
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
- name: Install geoip download cron
|
|
copy:
|
|
src: geoip-download-databases.cron
|
|
dest: /etc/cron.d/geoip-download-databases.cron
|
|
mode: "0644"
|
|
tags:
|
|
- batcave
|
|
- config
|
|
when: inventory_hostname.startswith('batcave01')
|
|
|
|
#
|
|
# set selinux context for /srv/web/infra
|
|
#
|
|
|
|
- name: Check the selinux context of webdir
|
|
command: matchpathcon /srv/web
|
|
register: webdir
|
|
check_mode: no
|
|
changed_when: "1 != 1"
|
|
tags:
|
|
- config
|
|
- batcave
|
|
- selinux
|
|
- httpd
|
|
- httpd/website
|
|
|
|
- name: /srv/web file contexts
|
|
command: semanage fcontext -a -t httpd_sys_content_t "/srv/web(/.*)?"
|
|
when: webdir.stdout.find('httpd_sys_content_t') == -1
|
|
tags:
|
|
- config
|
|
- batcave
|
|
- selinux
|
|
- httpd
|
|
- httpd/website
|
|
|
|
#
|
|
# set selinux context for public git repos
|
|
#
|
|
|
|
- name: Check the selinux context of ansible
|
|
command: matchpathcon /srv/git/ansible.git
|
|
register: webdir
|
|
check_mode: no
|
|
changed_when: "1 != 1"
|
|
tags:
|
|
- config
|
|
- batcave
|
|
- selinux
|
|
- httpd
|
|
- httpd/website
|
|
|
|
- name: /srv/git/ansible file contexts
|
|
command: semanage fcontext -a -t git_content_t "/srv/git/ansible.git(/.*)?"
|
|
when: webdir.stdout.find('git_content_t') == -1
|
|
tags:
|
|
- config
|
|
- batcave
|
|
- selinux
|
|
- httpd
|
|
- httpd/website
|
|
|
|
- name: Check the selinux context of badges
|
|
command: matchpathcon /srv/git/badges
|
|
register: webdir
|
|
check_mode: no
|
|
changed_when: "1 != 1"
|
|
tags:
|
|
- config
|
|
- batcave
|
|
- selinux
|
|
- httpd
|
|
- httpd/website
|
|
|
|
- name: /srv/git/badges file contexts
|
|
command: semanage fcontext -a -t git_content_t "/srv/git/badges(/.*)?"
|
|
when: webdir.stdout.find('git_content_t') == -1
|
|
tags:
|
|
- config
|
|
- batcave
|
|
- selinux
|
|
- httpd
|
|
- httpd/website
|
|
|
|
- name: Check the selinux context of dns
|
|
command: matchpathcon /srv/git/dns
|
|
register: webdir
|
|
check_mode: no
|
|
changed_when: "1 != 1"
|
|
tags:
|
|
- config
|
|
- batcave
|
|
- selinux
|
|
- httpd
|
|
- httpd/website
|
|
|
|
- name: /srv/git/dns file contexts
|
|
command: semanage fcontext -a -t git_content_t "/srv/git/dns(/.*)?"
|
|
when: webdir.stdout.find('git_content_t') == -1
|
|
tags:
|
|
- config
|
|
- batcave
|
|
- selinux
|
|
- httpd
|
|
- httpd/website
|
|
|
|
- name: Check the selinux context of infra-docs
|
|
command: matchpathcon /srv/git/infra-docs
|
|
register: webdir
|
|
check_mode: no
|
|
changed_when: "1 != 1"
|
|
tags:
|
|
- config
|
|
- batcave
|
|
- selinux
|
|
- httpd
|
|
- httpd/website
|
|
|
|
- name: /srv/git/infra-docs file contexts
|
|
command: semanage fcontext -a -t git_content_t "/srv/git/infra-docs(/.*)?"
|
|
when: webdir.stdout.find('git_content_t') == -1
|
|
tags:
|
|
- config
|
|
- batcave
|
|
- selinux
|
|
- httpd
|
|
- httpd/website
|
|
|
|
# On RHEL 8.8 and newer, git operations fail because of dubious ownership. This should fix it.
|
|
- name: Configure git directories as safe
|
|
git_config:
|
|
name: safe.directory
|
|
scope: system
|
|
value: "*"
|
|
tags:
|
|
- config
|
|
- batcave
|
|
|
|
- name: Add SAR script for koji
|
|
copy: src=koji_sar.py dest=/usr/local/bin/koji_sar.py owner=root mode=0700
|
|
tags:
|
|
- SAR
|
|
- GDPR
|
|
- koji
|
|
- batcave
|
|
|
|
- name: Create some tmp dirs
|
|
ansible.builtin.file: path=/tmp-inst mode=000 owner=root group=root state=directory
|
|
tags:
|
|
- config
|
|
- batcave
|
|
- selinux
|
|
|
|
- name: Create some tmp dirs
|
|
ansible.builtin.file: path=/var/tmp-inst mode=000 owner=root group=root state=directory
|
|
tags:
|
|
- config
|
|
- batcave
|
|
- selinux
|
|
|
|
- name: Put in place namespace.conf file
|
|
copy: src=namespace.conf dest=/etc/security/namespace.conf mode=644 owner=root group=root
|
|
tags:
|
|
- config
|
|
- batcave
|
|
- selinux
|
|
|
|
- name: Create the /var/tmux folder for shared tmux session
|
|
ansible.builtin.file: path=/var/tmux mode=2774 owner=root group=sysadmin state=directory
|
|
tags:
|
|
- batcave
|
|
- tmux
|
|
|
|
- name: Let the /var/tmux folder be writable to fi-apprentice as well
|
|
command: setfacl -R -m d:g:fi-apprentice:rwx -m g:fi-apprentice:rwx /var/tmux
|
|
tags:
|
|
- batcave
|
|
- tmux
|
|
|
|
- name: Create dir for openshift pxe boot files
|
|
ansible.builtin.file: path=/srv/web/infra/bigfiles/{{item}} mode=2660 owner=root group=sysadmin-openshift state=directory
|
|
with_items:
|
|
- openshiftboot
|
|
- tftpboot/rhcos
|
|
tags:
|
|
- batcave
|
|
- openshiftboot
|
|
|
|
- name: Let the openshift dir be writeable by sysadmin-openshift
|
|
command: setfacl -R -m d:g:sysadmin-openshift:rwx -m g:sysadmin-openshift:rwx /srv/web/infra/bigfiles/{{item}}
|
|
with_items:
|
|
- openshiftboot
|
|
- tftpboot/rhcos
|
|
tags:
|
|
- batcave
|
|
- openshiftboot
|
|
|
|
|
|
#
|
|
# install psql to allow for some ro queries against db-datanommer02
|
|
#
|
|
|
|
- name: Enable the postgresql 12 module for psql on batcave
|
|
copy:
|
|
dest: /etc/dnf/modules.d/postgresql.module
|
|
content: |
|
|
[postgresql]
|
|
name=postgresql
|
|
stream=12
|
|
profiles=
|
|
state=enabled
|
|
tags:
|
|
- batcave
|
|
- postgres
|
|
|
|
- name: Install psql client
|
|
package: name=postgresql state=present
|
|
tags:
|
|
- batcave
|
|
- postgres
|
|
- config
|
|
- packages
|
|
|
|
#
|
|
# apply patch for uri module to allow it to work with newer python (fedora) machines
|
|
# from old python (rhel9 control host/batcave01)
|
|
#
|
|
# https://github.com/ansible/ansible/issues/81256
|
|
# https://github.com/ansible/ansible/pull/81257
|
|
#
|
|
# keep this until ansible-core updates to 2.15.x
|
|
#
|
|
- name: Apply uri module patch to ansible
|
|
ansible.posix.patch:
|
|
src: urls.py.patch
|
|
basedir: /usr/lib/python3.9/site-packages/ansible/module_utils/
|
|
tags:
|
|
- batcave
|
|
- hotfix
|
|
|
|
- name: Empty default welcome.conf
|
|
copy: dest=/etc/httpd/conf.d/welcome.conf content=""
|
|
tags:
|
|
- batcave
|
|
- config
|