infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 7 Projects Releases Packages Wiki Activity Actions
ansible/roles/base/tasks/main.yml
Kevin Fenzi 679f7f6f16 iptables: clean up osbuild and add a external block set scaffolding 
Setup osbuild so it only needs to exist on the specific builders in the
osbuild channel, not all builders.
Also, setup things so we can add a blocklist that will block external
subnets/ip's if we need to do so. Currently it should just be an empty
set, but we can implement it as needed/desired starting with the ips we
already were blocking on just some hosts.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2023-06-26 12:41:07 -07:00

545 lines
14 KiB
YAML
Raw Blame History

---
#
# This is the base role for all machines.
# Things in here are things we want to do to every machine no matter what.
#
#
# on rhel6 and rhel7 installing policycoreutils-python is all we need for ansible
#
- name: ensure packages required for semanage are installed (rhel 6 and 7)
package: name={{ item }} state=present
with_items:
- policycoreutils-python
tags:
- selinux
when: ansible_distribution_major_version|int < 8 and ansible_distribution == 'RedHat'
#
# On fedora and rhel larger than 7, all we need is policycoreutils-python-utils,
# which in turn pulls in python3-policycoreutils
#
- name: ensure packages required for semanage are installed (fedora/rhel8)
package: name=policycoreutils-python-utils state=present
when: ansible_distribution_major_version|int > 7
tags:
- selinux
- name: global default packages to install (yum)
package: state=present name={{ item }}
with_items:
- "{{ global_pkgs_inst }}"
tags:
- packages
- base
when: ansible_distribution_major_version|int < 8 and ansible_distribution == 'RedHat'
- name: global default packages to install (dnf)
dnf: state=present name="{{ global_pkgs_inst }}"
tags:
- packages
- base
when: ansible_distribution_major_version|int >= 8 and ansible_distribution == 'RedHat' and ansible_cmdline.ostree is not defined
- name: global default packages to install (dnf)
dnf: state=present name="{{ global_pkgs_inst }}"
tags:
- packages
- base
when: ansible_distribution_major_version|int > 29 and ansible_distribution == 'Fedora' and ansible_cmdline.ostree is not defined
- name: make sure hostname is set right on all hosts
hostname: name="{{inventory_hostname}}"
#
# We set builders root password in the koji_builder role, so do not set those here
#
- name: set root passwd
user: name=root password={{ rootpw }} state=present
tags:
- rootpw
- base
when: not inventory_hostname.startswith(('buildvm-','buildhw-','bkernel','koji','compose'))
- name: add ansible root key
authorized_key: user=root key="{{ item }}"
with_file:
- ansible-pub-key
tags:
- config
- base
- name: dist pkgs to remove (yum)
package: state=absent name={{ item }}
with_items:
- "{{ base_pkgs_erase }}"
tags:
- packages
- base
when: ansible_distribution_major_version|int < 8 and ansible_distribution == 'RedHat'
- name: dist pkgs to install (yum)
package: state=present name={{ item }}
with_items:
- "{{ base_pkgs_inst }}"
tags:
- packages
- base
when: ansible_distribution_major_version|int < 8 and ansible_distribution == 'RedHat'
- name: dist pkgs to remove (dnf)
dnf: state=absent name="{{ base_pkgs_erase }}"
tags:
- packages
- base
when: ansible_distribution_major_version|int > 29 and ansible_distribution == 'Fedora' and ansible_cmdline.ostree is not defined
- name: dist pkgs to remove (dnf)
dnf: state=absent name="{{ base_pkgs_erase }}"
tags:
- packages
- base
when: ansible_distribution_major_version|int >= 8 and ansible_distribution == 'RedHat' and ansible_cmdline.ostree is not defined
- name: dist pkgs to install (dnf)
dnf: state=present name="{{ base_pkgs_inst }}"
tags:
- packages
- base
when: ansible_distribution_major_version|int > 29 and ansible_distribution == 'Fedora' and ansible_cmdline.ostree is not defined
- name: dist pkgs to install (dnf)
dnf: state=present name="{{ base_pkgs_inst }}"
tags:
- packages
- base
when: ansible_distribution_major_version|int >= 8 and ansible_distribution == 'RedHat' and ansible_cmdline.ostree is not defined
- name: dist disabled services
service: state=stopped enabled=false name={{ item }}
with_items:
- "{{ service_disabled }}"
tags:
- service
- config
- base
- name: dist enabled services
service: state=started enabled=true name={{ item }}
with_items:
- "{{ service_enabled }}"
tags:
- service
- config
- base
when: ansible_distribution_major_version|int > 31 and ansible_distribution == 'Fedora' or ansible_distribution == 'RedHat'
- name: Ensure iptables is installed
package: state=present name=iptables
tags:
- packages
- base
- name: Ensure ipset is installed
package: state=present name=ipset
tags:
- packages
- base
- name: setup builder ipset if this is a new install
command: /usr/sbin/ipset create osbuildapi hash:ip
ignore_errors: true
changed_when: false
when: "'osbuild' in group_names"
tags:
- base
- iptables
- name: install blocklist update script
copy:
src: "{{ private }}/files/blocklist/blocklist-update.sh"
dest: /usr/local/bin/blocklist-update.sh
owner: root
group: root
mode: "0700"
tags:
- base
- iptables
when: "datacenter != 'iad2' or ( datacenter == 'iad2' and external == 'true')"
- name: setup blocklist ipset if this is a new install
command: /usr/sbin/ipset create blocklist hash:ip
ignore_errors: true
changed_when: false
when: "datacenter != 'iad2' or ( datacenter == 'iad2' and external == 'true')"
tags:
- base
- iptables
- name: setup blocklist update cron job
cron:
name: blocklist-update
user: root
minute: 15
hour: "*/2"
job: /usr/local/bin/blocklist-update.sh
when: "datacenter != 'iad2' or ( datacenter == 'iad2' and external == 'true')"
tags:
- base
- iptables
- name: iptables
template: src={{ item }} dest=/etc/sysconfig/iptables mode=0600 validate="/sbin/iptables-restore --test %s"
with_first_found:
- iptables/iptables.{{ datacenter }}
- iptables/iptables.{{ inventory_hostname }}
- iptables/iptables.{{ host_group }}
- iptables/iptables.{{ env }}
- iptables/iptables
when: baseiptables|bool
notify:
- restart iptables
- reload libvirtd
tags:
- iptables
- config
- base
- name: iptables service enabled
service: name=iptables state=started enabled=true
tags:
- iptables
- service
- base
when: baseiptables|bool
- name: ip6tables
template: src={{ item }} dest=/etc/sysconfig/ip6tables mode=0600 backup=yes
with_first_found:
- iptables/ip6tables.{{ datacenter }}
- iptables/ip6tables.{{ inventory_hostname }}
- iptables/ip6tables.{{ host_group }}
- iptables/ip6tables.{{ env }}
- iptables/ip6tables
when: baseiptables|bool
notify:
- restart ip6tables
- reload libvirtd
tags:
- ip6tables
- config
- base
- name: ip6tables service enabled
service: name=ip6tables state=started enabled=true
tags:
- ip6tables
- service
- base
when: baseiptables|bool
- name: enable journald persistence
file: path=/var/log/journal state=directory
owner=root group=systemd-journal mode=2755
when: ansible_distribution_major_version|int >= 7 and ansible_distribution == 'RedHat'
tags:
- journald
- config
- base
notify:
- flush journald tmpfiles to persistent store
- name: enable journald persistence
file: path=/var/log/journal state=directory
owner=root group=systemd-journal mode=2755
when: ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora'
tags:
- journald
- config
- base
notify:
- flush journald tmpfiles to persistent store
- name: install rh ca for splunk
copy: src={{private}}/files/splunk-certs/2022-IT-Root-CA.pem dest=/etc/pki/tls/certs/2022-IT-Root-CA.pem
tags:
- rsyslogd
- config
- base
when: inventory_hostname.startswith('log01')
- name: ensure packages required for rsyslog are installed
package: name={{ item }} state=present
with_items:
- rsyslog-gnutls
tags:
- rsyslogd
- config
- base
when: inventory_hostname.startswith('log01')
- name: rsyslog.conf
copy: src={{ item }} dest=/etc/rsyslog.conf mode=0644
with_first_found:
- rsyslog/rsyslog.conf.{{ inventory_hostname }}
- rsyslog/rsyslog.conf.{{ dist_tag }}
- rsyslog/rsyslog.conf.default
notify:
- restart rsyslog
tags:
- rsyslogd
- config
- base
- name: rsyslog log rotate for rsyslog servers
copy: src=rsyslog/merged-rsyslog dest=/etc/logrotate.d/merged-rsyslog mode=0644
when: inventory_hostname.startswith('log')
notify:
- restart rsyslog
tags:
- rsyslogd
- config
- base
- name: add rsyslog config to /etc/rsyslog.d
copy: src={{ item }} dest=/etc/rsyslog.d/ owner=root group=root mode=0644
with_fileglob:
- rsyslog/*.conf
notify:
- restart rsyslog
tags:
- rsyslogd
- config
- base
- name: rsyslog-audit.conf
copy: src={{ item }} dest=/etc/rsyslog.d/rsyslog-audit.conf owner=root group=root mode=0644
with_first_found:
- rsyslog/rsyslog-audit.conf.{{ datacenter }}
- rsyslog/rsyslog-audit.conf.default
notify:
- restart rsyslog
tags:
- rsyslogd
- config
- base
- name: log everything to log01 except on mirrorlist, do not log local4 there.
copy: src=rsyslog/rsyslog-log01 dest=/etc/rsyslog.d/rsyslog-log01.conf mode=0644
when: not inventory_hostname.startswith(('mirrorlist','copr'))
tags:
- rsyslogd
- config
- base
- name: log everything to log01 except on mirrorlist, do log local4 there.
copy: src=rsyslog/rsyslog-log01-nolocal4 dest=/etc/rsyslog.d/rsyslog-log01.conf mode=0644
when: inventory_hostname.startswith('mirrorlist')
tags:
- rsyslogd
- config
- base
- name: rsyslogd make systemd limits directory for file handles
file: dest=/etc/systemd/system/rsyslog.service.d/ mode=0755 owner=root group=root state=directory
when: inventory_hostname.startswith('log') or inventory_hostname.startswith('people')
tags:
- rsyslogd
- config
- name: rsyslogd put systemd limits directory for file handles
copy: src=rsyslog/rsyslog-limits-systemd dest=/etc/systemd/system/rsyslog.service.d/limits.conf mode=0644
when: inventory_hostname.startswith('log') or inventory_hostname.startswith('people')
tags:
- rsyslogd
- config
# Custom selinux policy to allow rsyslog to read and send audit to log01
- name: ensure a directory exists for our custom selinux module
file: dest=/usr/local/share/rsyslog state=directory
tags:
- rsyslogd
- config
- rsyslog-audit
- name: copy over our custom selinux module
copy: src=selinux/rsyslog-audit.pp dest=/usr/local/share/rsyslog/rsyslog-audit.pp
register: selinux_module
tags:
- rsyslogd
- config
- rsyslog-audit
- name: install our custom selinux module
command: semodule -i /usr/local/share/rsyslog/rsyslog-audit.pp
when: selinux_module is changed and ansible_distribution_major_version|int > 6
tags:
- rsyslogd
- config
- rsyslog-audit
# Custom selinux policy to allow unix_chkpwd to map PAM database
- name: copy over our custom selinux module
copy: src=selinux/mapchkpwd.pp dest=/usr/local/share/mapchkpwd.pp
register: selinux_module
when: ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora'
tags:
- config
- selinux
# Custom selinux policy to allow unix_chkpwd to map PAM database
- name: copy over our custom selinux module
copy: src=selinux/mapchkpwd.pp dest=/usr/local/share/mapchkpwd.pp
register: selinux_module
when: ansible_distribution_major_version|int >= 8 and ansible_distribution == 'RedHat'
tags:
- config
- selinux
- name: install our custom selinux module
command: semodule -i /usr/local/share/mapchkpwd.pp
when: selinux_module is changed
tags:
- selinux
- config
- name: Setup postfix
import_tasks: postfix.yml
#
# This task installs some common scripts to /usr/local/bin
# scripts are under roles/base/files/common-scripts
#
- name: Install common scripts
copy: src={{ item }} dest=/usr/local/bin/ owner=root group=root mode=0755
with_fileglob:
- common-scripts/*
tags:
- config
- base
- common-scripts
- name: Drop in a little system_identification note
template: src=system_identification dest=/etc/system_identification
tags:
- config
- base
#
# Watchdog stuff
#
- name: Set up watchdog
import_tasks: watchdog.yml
#Set PS1 to show stage environment at PS1
#
- name: set PS1 for stage in /etc/profile.d
copy: >
src=setstgps1.sh
dest="/etc/profile.d/setstgps1.sh"
owner=root
group=root
mode=0644
when: env == 'staging'
tags:
- base
- config
- prompt
#Set PS1 to show prod environment at PS1
#
- name: set PS1 for prod in /etc/profile.d
copy: >
src=setprodps1.sh
dest="/etc/profile.d/setprodps1.sh"
owner=root
group=root
mode=0644
when: env == 'production' and datacenter != 'iad2'
tags:
- base
- config
- prompt
#Set PS1 to show prod-iad2 environment at PS1
#
- name: set PS1 for prod in /etc/profile.d
copy: >
src=setprodiad2ps1.sh
dest="/etc/profile.d/setprodiad2ps1.sh"
owner=root
group=root
mode=0644
when: env == 'production' and datacenter == 'iad2'
tags:
- base
- config
- prompt
# Set krb5 conf
- name: configure krb5
template: src=krb5.conf.j2 dest=/etc/krb5.conf owner=root group=root mode=0644
when: not inventory_hostname.startswith('ipa')
tags:
- base
- config
- krb5
- name: configure krb5 (IPA master)
template: src=krb5.conf.master.j2 dest=/etc/krb5.conf owner=root group=root mode=0644
when: inventory_hostname.startswith('ipa')
tags:
- base
- config
- krb5
- name: Setup host keytab
import_tasks: keytab.yml
when: not inventory_hostname.startswith('ipa')
# SSSD-KCM has been showing way too many bugs with it saying "I have a ticket" while the ticket
# is actually expired, and kinit's still not refreshing them and such alike.
# Let's just nuke it for now.
- name: We do NOT use sssd-kcm
file: path=/etc/krb5.conf.d/kcm_default_ccache state=absent
tags:
- base
- config
- krb5
# rhel8 hosts do not have /usr/bin/python, but there are a few things we call
# with that because they also run the same on python2 hosts.
# So, we set python3 to /usr/bin/python on those hosts:
- name: ensure that platform-python is installed on EL8 boxes
package: name={{ item }} state=present
with_items:
- platform-python
when: ansible_distribution == 'RedHat' and ansible_distribution_major_version|int == 8
tags:
- base
- config
- python3alternative
- name: set /usr/bin/python to python3 on rhel8 hosts
alternatives:
name: python
link: /usr/bin/python
path: /usr/bin/python3
when: ansible_distribution == 'RedHat' and ansible_distribution_major_version|int == 8
tags:
- base
- config
- python3alternative
- name: daily cron job to compress merged log under /var/log/hosts
copy: src=compress-log.cron dest=/etc/cron.d/ mode=0644
tags:
- compress
- name: Set crypto-policy to LEGACY on fedora 33 hosts to get 2fa working
import_tasks: crypto-policies.yml
Reference in a new issue View git blame Copy permalink