ansible/tasks/cloud_setup_basic.yml

---
- name: Install desired extra packages (yum)
  yum: state=present pkg={{ item }}
  with_items:
  - ntpdate
  - ntp
  - libsemanage-python
  - libselinux-python
  when: ansible_distribution_major_version|int < 22
  tags:
  - packages

- name: Install desired extra packages (dnf)
  dnf: state=present pkg={{ item }}
  with_items:
  - ntpdate
  - ntp
  - libsemanage-python
  - libselinux-python
  when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
  tags:
  - packages

- name: remove some packages (yum)
  yum: state=absent pkg={{ item }}
  with_items:
  - chrony
  tags:
  - packages
  when: ansible_distribution_major_version|int < 22

- name: remove some packages (dnf)
  dnf: state=absent pkg={{ item }}
  with_items:
  - chrony
  tags:
  - packages
  when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined

- name: put step-tickers in place
  copy: src="{{ files }}/common/step-tickers" dest=/etc/ntp/step-tickers
  when: ansible_cmdline.ostree is not defined
  tags:
  - ntp
  - config

- name: enable the service
  service: name=ntpd state=running enabled=true
  when: ansible_cmdline.ostree is not defined

#- name: edit hostname to be instance name - prefix hostbase var if it exists
#  shell: hostname  {{ hostbase }}`curl -s http://169.254.169.254/latest/meta-data/instance-id`
#  tags:
#  - config

- name: add ansible root key
  authorized_key: user=root key="{{ item }}"
  with_file:
  - /srv/web/infra/ansible/roles/base/files/ansible-pub-key
  tags:
  - config
  - sshkeys

- name: add root keys for sysadmin-main and other allowed users
  authorized_key: user=root key="{{ item }}"
  with_lines: "/srv/web/infra/ansible/scripts/auth-keys-from-fas @sysadmin-main {{ root_auth_users }}"
  tags:
  - config
  - sshkeys
  ignore_errors: true

- name: enable ssh_sysadm_login sebool
  seboolean: name=ssh_sysadm_login state=yes persistent=yes
  ignore_errors: true

# note - kinda should be a handler - but handlers need args
- name: restorecon
  file: path=/root/.ssh setype=ssh_home_t recurse=yes
  tags:
  - config

- name: update all
  command: yum -y update creates=/etc/sysconfig/global-update-applied
  register: updated
  when: ansible_distribution_major_version|int < 22
  tags:
  - packages

- name: update all
  command: dnf -y update creates=/etc/sysconfig/global-update-applied
  register: updated
  when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
  tags:
  - packages

- name: write out global-update-applied file if we updated
  copy: content="updated" dest=/etc/sysconfig/global-update-applied
  when: updated is defined
  tags:
  - packages
first commit to the ansible public repo 2012-10-08 19:35:54 +00:00			`---`
Rework this area so we don't get chrony check failures all the time 2016-06-25 17:52:30 +00:00			`- name: Install desired extra packages (yum)`
Re-work the cloud_setup_basic. 2015-05-13 23:34:00 +00:00			`yum: state=present pkg={{ item }}`
- make the global update only run on first setup - make the ntp/date install faster 2013-06-25 18:31:36 +00:00			`with_items:`
			`- ntpdate`
			`- ntp`
Make sure required package are installed 2013-10-14 18:21:44 +02:00			`- libsemanage-python`
			`- libselinux-python`
Change all instances of ansible_distribution_major_version to filter to int for comparisons. 2015-05-27 22:27:39 +00:00			`when: ansible_distribution_major_version\|int < 22`
make sure all cloud instances have ntp installed, configured and running 2012-12-05 06:19:23 +00:00			`tags:`
			`- packages`

Rework this area so we don't get chrony check failures all the time 2016-06-25 17:52:30 +00:00			`- name: Install desired extra packages (dnf)`
			`dnf: state=present pkg={{ item }}`
			`with_items:`
			`- ntpdate`
			`- ntp`
			`- libsemanage-python`
			`- libselinux-python`
Try this. 2015-05-27 22:09:03 +00:00			`when: ansible_distribution_major_version\|int > 21 and ansible_cmdline.ostree is not defined`
Apparently order matters 2013-10-16 12:00:11 +02:00			`tags:`
			`- packages`

Rework this area so we don't get chrony check failures all the time 2016-06-25 17:52:30 +00:00			`- name: remove some packages (yum)`
			`yum: state=absent pkg={{ item }}`
			`with_items:`
			`- chrony`
			`tags:`
			`- packages`
			`when: ansible_distribution_major_version\|int < 22`

			`- name: remove some packages (dnf)`
			`dnf: state=absent pkg={{ item }}`
			`with_items:`
			`- chrony`
			`tags:`
			`- packages`
			`when: ansible_distribution_major_version\|int > 21 and ansible_cmdline.ostree is not defined`

make sure all cloud instances have ntp installed, configured and running 2012-12-05 06:19:23 +00:00			`- name: put step-tickers in place`
Fix all tasks to not use old action: statements. 2016-01-06 21:25:10 +00:00			`copy: src="{{ files }}/common/step-tickers" dest=/etc/ntp/step-tickers`
try this 2015-05-14 16:05:56 +02:00			`when: ansible_cmdline.ostree is not defined`
Tag all the various ntp tasks so we can run over all of them at once. 2015-09-07 15:53:13 +00:00			`tags:`
			`- ntp`
			`- config`
make sure all cloud instances have ntp installed, configured and running 2012-12-05 06:19:23 +00:00
			`- name: enable the service`
Fix all tasks to not use old action: statements. 2016-01-06 21:25:10 +00:00			`service: name=ntpd state=running enabled=true`
change the condition so it works even when the variable is not defined 2015-05-14 16:08:56 +02:00			`when: ansible_cmdline.ostree is not defined`
make sure all cloud instances have ntp installed, configured and running 2012-12-05 06:19:23 +00:00
Disable this for now, breaks copr playbooks 2014-10-04 23:39:47 +00:00			`#- name: edit hostname to be instance name - prefix hostbase var if it exists`
Fix all tasks to not use old action: statements. 2016-01-06 21:25:10 +00:00			# shell: hostname {{ hostbase }}`curl -s http://169.254.169.254/latest/meta-data/instance-id`
Disable this for now, breaks copr playbooks 2014-10-04 23:39:47 +00:00			`# tags:`
			`# - config`
make the ansible key addition and other users key addition a little less scary 2012-11-02 06:22:19 +00:00
Death to all trailing whitespace. 2016-08-08 19:36:31 +00:00			`- name: add ansible root key`
Fix all tasks to not use old action: statements. 2016-01-06 21:25:10 +00:00			`authorized_key: user=root key="{{ item }}"`
ansible 1.2 breaks $FILE and $PIPE - so I went and fixed it everywhere :( 2013-06-17 13:54:17 +00:00			`with_file:`
Fix path to root key 2013-08-30 19:32:00 +00:00			`- /srv/web/infra/ansible/roles/base/files/ansible-pub-key`
first commit to the ansible public repo 2012-10-08 19:35:54 +00:00			`tags:`
			`- config`
Tag ssh keys play in cloud setup. This allows us to run this over all the cloud nodes when a key changes. 2015-07-13 13:36:06 +00:00			`- sshkeys`
Death to all trailing whitespace. 2016-08-08 19:36:31 +00:00
make the ansible key addition and other users key addition a little less scary 2012-11-02 06:22:19 +00:00			`- name: add root keys for sysadmin-main and other allowed users`
Perhaps this needs quotes 2014-03-28 15:07:34 +00:00			`authorized_key: user=root key="{{ item }}"`
How about this? 2015-03-17 21:23:00 +00:00			`with_lines: "/srv/web/infra/ansible/scripts/auth-keys-from-fas @sysadmin-main {{ root_auth_users }}"`
make the root auth_keys setup part of the cloud_setup_basic tasks 2012-10-26 17:31:32 +00:00			`tags:`
			`- config`
Tag ssh keys play in cloud setup. This allows us to run this over all the cloud nodes when a key changes. 2015-07-13 13:36:06 +00:00			`- sshkeys`
when putting the keys on - don't die if someone typos a username - just complain and move along 2013-07-02 19:26:24 +00:00			`ignore_errors: true`
make the ansible key addition and other users key addition a little less scary 2012-11-02 06:22:19 +00:00
enable ssh_sysadm_login sebool for all clouds addressing: type=AVC msg=audit(1380833385.268:173): avc: denied { getattr } for pid=781 comm="sshd" path="/root/.ssh/authorized_keys" dev="vda1" ino=6493 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file 2013-10-04 07:36:31 +00:00			`- name: enable ssh_sysadm_login sebool`
Fix all tasks to not use old action: statements. 2016-01-06 21:25:10 +00:00			`seboolean: name=ssh_sysadm_login state=yes persistent=yes`
ignore errors here for the case of instances with selinux disabled. 2015-11-27 00:05:36 +00:00			`ignore_errors: true`
enable ssh_sysadm_login sebool for all clouds addressing: type=AVC msg=audit(1380833385.268:173): avc: denied { getattr } for pid=781 comm="sshd" path="/root/.ssh/authorized_keys" dev="vda1" ino=6493 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file 2013-10-04 07:36:31 +00:00
add a restorecon on the ssh keys for those silly people who like selinux and security :) 2012-10-19 20:17:20 +00:00			`# note - kinda should be a handler - but handlers need args`
			`- name: restorecon`
Fix up some more non idempotent things. 2016-06-25 18:09:34 +00:00			`file: path=/root/.ssh setype=ssh_home_t recurse=yes`
add a restorecon on the ssh keys for those silly people who like selinux and security :) 2012-10-19 20:17:20 +00:00			`tags:`
			`- config`

Re-work the cloud_setup_basic. 2015-05-13 23:34:00 +00:00			`- name: update all`
			`command: yum -y update creates=/etc/sysconfig/global-update-applied`
			`register: updated`
Change all instances of ansible_distribution_major_version to filter to int for comparisons. 2015-05-27 22:27:39 +00:00			`when: ansible_distribution_major_version\|int < 22`
Re-work the cloud_setup_basic. 2015-05-13 23:34:00 +00:00			`tags:`
			`- packages`

			`- name: update all`
			`command: dnf -y update creates=/etc/sysconfig/global-update-applied`
			`register: updated`
Change all instances of ansible_distribution_major_version to filter to int for comparisons. 2015-05-27 22:27:39 +00:00			`when: ansible_distribution_major_version\|int > 21 and ansible_cmdline.ostree is not defined`
Re-work the cloud_setup_basic. 2015-05-13 23:34:00 +00:00			`tags:`
			`- packages`

			`- name: write out global-update-applied file if we updated`
Death to all trailing whitespace. 2016-08-08 19:36:31 +00:00			`copy: content="updated" dest=/etc/sysconfig/global-update-applied`
Re-work the cloud_setup_basic. 2015-05-13 23:34:00 +00:00			`when: updated is defined`
			`tags:`
			`- packages`