ansible/roles/fedmsg/base/tasks/main.yml

---
# tasklist for setting up fedmsg
# This is the base set of files needed for fedmsg

- name: install needed packages
  yum: pkg={{ item }} state=installed
  with_items:
  - fedmsg
  - libsemanage-python
  - python-psutil
  - policycoreutils-python  # This is in the kickstart now.  Here for old hosts.
  tags:
  - packages

- name: setup /etc/fedmsg.d directory
  file: path=/etc/fedmsg.d owner=root group=root mode=0755 state=directory
  tags:
  - config

# Any files that change need to restart any services that depend on them.  A
# trick here is that some hosts have an httpd that uses fedmsg, while others do
# not.  Some hosts have a fedmsg-hub that uses this config, while others do not.
# Our handlers in handlers/restart_services.yml are smart enough to
# *conditionally* restart these services, only if they are installed on the
# system.
- name: setup basic /etc/fedmsg.d/ contents
  template: >
    src="{{ item }}.j2"
    dest="/etc/fedmsg.d/{{ item }}"
    owner=root
    group=root
    mode=644
  with_items:
  - ssl.py
  - endpoints.py
  - endpoints-fedocal.py
  - endpoints-elections.py
  - endpoints-fedbadges.py
  - endpoints-fmn-web.py
  - endpoints-fmn-backend.py
  - endpoints-nuancier.py
  - endpoints-mailman.py
  - endpoints-summershum.py
  - endpoints-kerneltest.py
  - endpoints-fedimg.py
  - endpoints-github2fedmsg.py
  - endpoints-bugzilla2fedmsg.py
  - relay.py
  - pkgdb.py
  - logging.py
  - base.py
  tags:
  - config
  - fedmsgdconfig
  notify:
  - restart httpd
  - restart fedmsg-gateway
  - restart fedmsg-hub
  - restart fedmsg-irc
  - restart fedmsg-relay

- name: setup /etc/pki/fedmsg directory
  file: path=/etc/pki/fedmsg owner=root group=root mode=0755 state=directory
  tags:
  - config

- name: install fedmsg ca.cert
  copy: >
    src="{{ puppet_private }}/fedmsg-certs/keys/ca.crt"
    dest=/etc/pki/fedmsg/ca.crt
    owner=root
    group=root
    mode=0644
  tags:
  - config

- name: fedmsg certs
  copy: >
    src="{{ private }}/files/fedmsg-certs/keys/{{item['service']}}-{{fedmsg_fqdn | default(ansible_fqdn)}}.crt"
    dest=/etc/pki/fedmsg/
    mode=644
    owner={{item['owner']}}
    group={{item['group']}}
  with_items:
  - "{{ fedmsg_certs }}"
  when: fedmsg_certs != []
  tags:
  - config

- name: fedmsg keys
  copy: >
    src="{{ private }}/files/fedmsg-certs/keys/{{item['service']}}-{{fedmsg_fqdn | default(ansible_fqdn)}}.key"
    dest=/etc/pki/fedmsg/
    mode=0640
    owner={{item['owner']}}
    group={{item['group']}}
  with_items:
  - "{{ fedmsg_certs }}"
  when: fedmsg_certs != []
  tags:
  - config

# Three tasks for handling our custom selinux module
- name: ensure a directory exists for our custom selinux module
  file: dest=/usr/local/share/fedmsg state=directory

- name: copy over our custom selinux module
  copy: src=selinux/fedmsg.pp dest=/usr/local/share/fedmsg/fedmsg.pp
  register: selinux_module

- name: install our custom selinux module
  command: semodule -i /usr/local/share/fedmsg/fedmsg.pp
  when: selinux_module|changed

# Also, label the ports that we commonly use for fedmsg under mod_wsgi
# to be http_port_t so selinux lets apache bind there.
- name: check semanage ports
  command: semanage port -l
  register: semanageoutput
  always_run: yes
  changed_when: "1 != 1"

- name: set ports so httpd can bind to fedmsg endpoints
  command: semanage port -a -t http_port_t -p tcp 3000-3100
  when: semanageoutput.stdout.find("3000-3100") == -1
First stab at a fedmsg base and hub tasks 2013-06-07 20:01:23 +00:00			`---`
			`# tasklist for setting up fedmsg`
			`# This is the base set of files needed for fedmsg`

Just rearrange some of the fedmsg_base stuff. 2013-06-13 15:31:57 +00:00			`- name: install needed packages`
Fix old variable usage. Patch from janeznemanic. Thanks! 2014-01-01 19:15:11 +00:00			`yum: pkg={{ item }} state=installed`
Just rearrange some of the fedmsg_base stuff. 2013-06-13 15:31:57 +00:00			`with_items:`
			`- fedmsg`
A stab at summershum deployment. 2014-02-19 17:25:50 +00:00			`- libsemanage-python`
That new logging stuff requires python-psutil. 2014-02-27 14:48:49 +00:00			`- python-psutil`
Throw in policycoreutils-python for old hosts that don't have semanage from the kickstart yet. 2014-03-14 15:59:20 +00:00			`- policycoreutils-python # This is in the kickstart now. Here for old hosts.`
Just rearrange some of the fedmsg_base stuff. 2013-06-13 15:31:57 +00:00			`tags:`
			`- packages`

First stab at a fedmsg base and hub tasks 2013-06-07 20:01:23 +00:00			`- name: setup /etc/fedmsg.d directory`
These are directories. 2013-06-07 20:07:56 +00:00			`file: path=/etc/fedmsg.d owner=root group=root mode=0755 state=directory`
First stab at a fedmsg base and hub tasks 2013-06-07 20:01:23 +00:00			`tags:`
			`- config`

Try out this conditional restart stuff. 2014-03-14 15:30:32 +00:00			`# Any files that change need to restart any services that depend on them. A`
			`# trick here is that some hosts have an httpd that uses fedmsg, while others do`
			`# not. Some hosts have a fedmsg-hub that uses this config, while others do not.`
			`# Our handlers in handlers/restart_services.yml are smart enough to`
			`# conditionally restart these services, only if they are installed on the`
			`# system.`
Just rearrange some of the fedmsg_base stuff. 2013-06-13 15:31:57 +00:00			`- name: setup basic /etc/fedmsg.d/ contents`
Try out this conditional restart stuff. 2014-03-14 15:30:32 +00:00			`template: >`
			`src="{{ item }}.j2"`
			`dest="/etc/fedmsg.d/{{ item }}"`
			`owner=root`
			`group=root`
			`mode=644`
Just rearrange some of the fedmsg_base stuff. 2013-06-13 15:31:57 +00:00			`with_items:`
			`- ssl.py`
			`- endpoints.py`
Add fedocal fedmsg endpoints. 2014-01-28 18:51:52 +00:00			`- endpoints-fedocal.py`
Add endpoint-elections creating the corresponding endpoints for fedmsg 2014-06-16 17:17:18 +02:00			`- endpoints-elections.py`
endpoints-fedbadges should eventually be distributed globally. 2013-06-14 04:40:01 +00:00			`- endpoints-fedbadges.py`
Add fedmsg declarations for new fmn.web messages. 2014-06-11 19:01:59 +00:00			`- endpoints-fmn-web.py`
Cert and endpoint setup for fmn backend. 2014-07-07 14:20:27 +00:00			`- endpoints-fmn-backend.py`
Declare fedmsg endpoints for nuancier. 2013-09-26 14:30:04 +00:00			`- endpoints-nuancier.py`
fedmsg for mailman01.stg. 2013-11-07 14:37:15 +00:00			`- endpoints-mailman.py`
A stab at summershum deployment. 2014-02-19 17:25:50 +00:00			`- endpoints-summershum.py`
Add endpoints and fedmsg cert declarations for github2fedmsg and kerneltest. 2014-06-16 18:47:15 +00:00			`- endpoints-kerneltest.py`
fedmsg endpoints and certs for fedimg01. 2014-07-09 14:15:47 +00:00			`- endpoints-fedimg.py`
Add endpoints and fedmsg cert declarations for github2fedmsg and kerneltest. 2014-06-16 18:47:15 +00:00			`- endpoints-github2fedmsg.py`
Add generic fedmsg config for bugzilla2fedmsg. 2014-06-23 20:22:01 +00:00			`- endpoints-bugzilla2fedmsg.py`
Just rearrange some of the fedmsg_base stuff. 2013-06-13 15:31:57 +00:00			`- relay.py`
			`- pkgdb.py`
			`- logging.py`
			`- base.py`
			`tags:`
			`- config`
Add a tag to this fedmsg.d config that changes somewhat often so we can just run it. 2014-05-28 17:24:06 +00:00			`- fedmsgdconfig`
Try out this conditional restart stuff. 2014-03-14 15:30:32 +00:00			`notify:`
			`- restart httpd`
			`- restart fedmsg-gateway`
			`- restart fedmsg-hub`
			`- restart fedmsg-irc`
			`- restart fedmsg-relay`
Just rearrange some of the fedmsg_base stuff. 2013-06-13 15:31:57 +00:00
First stab at a fedmsg base and hub tasks 2013-06-07 20:01:23 +00:00			`- name: setup /etc/pki/fedmsg directory`
These are directories. 2013-06-07 20:07:56 +00:00			`file: path=/etc/pki/fedmsg owner=root group=root mode=0755 state=directory`
First stab at a fedmsg base and hub tasks 2013-06-07 20:01:23 +00:00			`tags:`
			`- config`

			`- name: install fedmsg ca.cert`
Cosmetic. Indent this fedmsg task. 2013-09-27 13:59:29 +00:00			`copy: >`
Fix old variable usage. Patch from janeznemanic. Thanks! 2014-01-01 19:15:11 +00:00			`src="{{ puppet_private }}/fedmsg-certs/keys/ca.crt"`
Cosmetic. Indent this fedmsg task. 2013-09-27 13:59:29 +00:00			`dest=/etc/pki/fedmsg/ca.crt`
			`owner=root`
			`group=root`
			`mode=0644`
First stab at a fedmsg base and hub tasks 2013-06-07 20:01:23 +00:00			`tags:`
			`- config`

Revert "Revert "Try copying fedmsg certs using a nested var."" This reverts commit 7e517cf6f246be2dfe989d1d965a999de90621ce. 2013-06-18 03:13:11 +00:00			`- name: fedmsg certs`
			`copy: >`
Try using a jinja2 "default" filter. 2014-07-10 19:11:31 +00:00			`src="{{ private }}/files/fedmsg-certs/keys/{{item['service']}}-{{fedmsg_fqdn \| default(ansible_fqdn)}}.crt"`
Revert "Revert "Try copying fedmsg certs using a nested var."" This reverts commit 7e517cf6f246be2dfe989d1d965a999de90621ce. 2013-06-18 03:13:11 +00:00			`dest=/etc/pki/fedmsg/`
			`mode=644`
Use a different syntax for nested var substitution. 2013-06-18 03:14:30 +00:00			`owner={{item['owner']}}`
			`group={{item['group']}}`
Another loop fix 2014-01-01 20:03:52 +00:00			`with_items:`
			`- "{{ fedmsg_certs }}"`
Syntax seems wrong again. 2013-06-18 04:16:57 +00:00			`when: fedmsg_certs != []`
Revert "Revert "Try copying fedmsg certs using a nested var."" This reverts commit 7e517cf6f246be2dfe989d1d965a999de90621ce. 2013-06-18 03:13:11 +00:00			`tags:`
			`- config`

			`- name: fedmsg keys`
			`copy: >`
Try using a jinja2 "default" filter. 2014-07-10 19:11:31 +00:00			`src="{{ private }}/files/fedmsg-certs/keys/{{item['service']}}-{{fedmsg_fqdn \| default(ansible_fqdn)}}.key"`
Revert "Revert "Try copying fedmsg certs using a nested var."" This reverts commit 7e517cf6f246be2dfe989d1d965a999de90621ce. 2013-06-18 03:13:11 +00:00			`dest=/etc/pki/fedmsg/`
Correct perm for fedmsg keys. 2013-09-27 13:59:50 +00:00			`mode=0640`
Use a different syntax for nested var substitution. 2013-06-18 03:14:30 +00:00			`owner={{item['owner']}}`
			`group={{item['group']}}`
Another loop fix 2014-01-01 20:03:52 +00:00			`with_items:`
			`- "{{ fedmsg_certs }}"`
Syntax seems wrong again. 2013-06-18 04:16:57 +00:00			`when: fedmsg_certs != []`
Revert "Revert "Try copying fedmsg certs using a nested var."" This reverts commit 7e517cf6f246be2dfe989d1d965a999de90621ce. 2013-06-18 03:13:11 +00:00			`tags:`
			`- config`
A custom selinux module for fedmsg. 2014-01-28 19:51:26 +00:00
			`# Three tasks for handling our custom selinux module`
			`- name: ensure a directory exists for our custom selinux module`
			`file: dest=/usr/local/share/fedmsg state=directory`

			`- name: copy over our custom selinux module`
			`copy: src=selinux/fedmsg.pp dest=/usr/local/share/fedmsg/fedmsg.pp`
			`register: selinux_module`

			`- name: install our custom selinux module`
s/semanage/semodule/ 2014-01-28 19:57:21 +00:00			`command: semodule -i /usr/local/share/fedmsg/fedmsg.pp`
A custom selinux module for fedmsg. 2014-01-28 19:51:26 +00:00			`when: selinux_module\|changed`
Move nuancier+fedmsg semanage port stuff over to the base fedmsg module. 2014-03-03 17:02:58 +00:00
			`# Also, label the ports that we commonly use for fedmsg under mod_wsgi`
			`# to be http_port_t so selinux lets apache bind there.`
			`- name: check semanage ports`
			`command: semanage port -l`
			`register: semanageoutput`
Fix this to work with --check/--diff runs. 2014-05-27 22:26:23 +00:00			`always_run: yes`
			`changed_when: "1 != 1"`
Move nuancier+fedmsg semanage port stuff over to the base fedmsg module. 2014-03-03 17:02:58 +00:00
			`- name: set ports so httpd can bind to fedmsg endpoints`
			`command: semanage port -a -t http_port_t -p tcp 3000-3100`
			`when: semanageoutput.stdout.find("3000-3100") == -1`