diff --git a/handlers/restart_services.yml b/handlers/restart_services.yml index 046adb7e1f..1491f3727b 100644 --- a/handlers/restart_services.yml +++ b/handlers/restart_services.yml @@ -77,8 +77,8 @@ #notify: #- fix openvpn routing -- name: restart openvpn (RHEL7) - when: ansible_distribution == "RedHat" and ansible_distribution_major_version|int == 7 +- name: restart openvpn (RHEL7+) + when: ansible_distribution == "RedHat" and ansible_distribution_major_version|int >= 7 action: service name=openvpn-client@openvpn state=restarted #notify: #- fix openvpn routing diff --git a/playbooks/check-host.yml b/playbooks/check-host.yml index 33bff7b99e..dbe61a4e52 100644 --- a/playbooks/check-host.yml +++ b/playbooks/check-host.yml @@ -17,7 +17,16 @@ - name: Get list of active loaded services with systemctl shell: '/bin/systemctl -t service --no-legend | egrep "loaded active" | tr -s " " | cut -d " " -f1' changed_when: False - when: ansible_distribution_major_version|int > 6 + when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' + register: loaded_active_services_systemctl + tags: + - check + - services + + - name: Get list of active loaded services with systemctl + shell: '/bin/systemctl -t service --no-legend | egrep "loaded active" | tr -s " " | cut -d " " -f1' + changed_when: False + when: ansible_distribution_major_version|int > 6 and ansible_distribution is 'RedHat' register: loaded_active_services_systemctl tags: - check 
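Review bot: Renaming the handler in handlers/restart_services.yml to `restart openvpn (RHEL7+)` leaves any live `notify: restart openvpn (RHEL7)` pointing at a name that no longer exists, and by default Ansible aborts a play whose notify matches no handler. The only references visible in this diff are the commented-out ones in roles/openvpn/base, so callers elsewhere in the repository should be checked and renamed in the same commit. The handler body continues outside the hunk.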
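Review bot: `ansible_distribution is 'Fedora'` in the new `when:` lines of playbooks/check-host.yml is not valid Jinja2: `is` introduces a test and must be followed by a test name, not a string literal, so the conditional is expected to fail at templating time instead of evaluating. The comparison should be written `ansible_distribution == 'Fedora'`, as the roles/iscsi_client hunks in this same commit already do. The same `is 'RedHat'` / `is 'Fedora'` form appears in nearly every other hunk of this diff, including the krb5.conf.j2, sshd_config, nginx.conf.j2 and kerneltest.conf templates, where a render failure would stop the config file from being deployed.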
@@ -26,7 +35,16 @@ - name: Get list of inactive loaded services with systemctl shell: '/bin/systemctl -t service --no-legend | egrep -v "loaded active" | tr -s " " | cut -d " " -f1' changed_when: False - when: ansible_distribution_major_version|int > 6 + when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' + register: loaded_inactive_services_systemctl + tags: + - check + - services + + - name: Get list of inactive loaded services with systemctl + shell: '/bin/systemctl -t service --no-legend | egrep -v "loaded active" | tr -s " " | cut -d " " -f1' + changed_when: False + when: ansible_distribution_major_version|int > 6 and ansible_distribution is 'RedHat' register: loaded_inactive_services_systemctl tags: - check @@ -36,7 +54,7 @@ - name: Get list of enabled services with chkconfig at current runlevel shell: "chkconfig | grep \"`runlevel | cut -d ' ' -f 2`:on\" | awk '{print $1}'" changed_when: False - when: ansible_distribution_major_version|int <= 6 + when: ansible_distribution_major_version|int <= 6 and ansible_distribution is 'RedHat' register: enabled_services_chkconfig tags: - check @@ -45,7 +63,7 @@ - name: Get list of disabled services with chkconfig at current runlevel shell: "chkconfig | grep \"`runlevel | cut -d ' ' -f 2`:off\" | awk '{print $1}'" changed_when: False - when: ansible_distribution_major_version|int <= 6 + when: ansible_distribution_major_version|int <= 6 and ansible_distribution is 'RedHat' register: disabled_services_chkconfig tags: - check diff --git a/playbooks/groups/download.yml b/playbooks/groups/download.yml index f578aabc07..698ab7b9b1 100644 --- a/playbooks/groups/download.yml +++ b/playbooks/groups/download.yml @@ -26,6 +26,7 @@ - "/srv/private/ansible/vars.yml" - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml" +# FIXME: is checking for RedHat correct here ? roles: - base - rkhunter 
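Review bot: In playbooks/check-host.yml both copies of "Get list of inactive loaded services with systemctl" register `loaded_inactive_services_systemctl`, and Ansible registers a result for a skipped task too, so on a Fedora host the RedHat copy that follows replaces the real output with a skipped result that has no `stdout`. The preceding hunk does the same with `loaded_active_services_systemctl`, and the pattern repeats for `if_uuid` and `selinux_module` in roles/base and for `automaticative` in roles/dnf-automatic, where on RHEL 8 the overwritten result would make `automaticative is failed` false and leave dnf-automatic-install.timer unstarted. Keeping one task with a combined condition avoids this: `when: (ansible_distribution == 'RedHat' and ansible_distribution_major_version|int > 6) or (ansible_distribution == 'Fedora' and ansible_distribution_major_version|int >= 29)`.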
@@ -35,7 +36,7 @@ - collectd/base - apache - download - - { role: mod_limitipconn, when: ansible_distribution_major_version|int != '7'} + - { role: mod_limitipconn, when: ansible_distribution_major_version|int != '7' and ansible_distribution is 'RedHat'} - rsyncd - { role: nfs/client, when: datacenter == "phx2", mnt_dir: '/srv/pub', nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub' } - { role: nfs/client, when: datacenter == "rdu", mnt_dir: '/srv/pub', nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub' } diff --git a/playbooks/groups/maintainer-test.yml b/playbooks/groups/maintainer-test.yml index edb108c050..32e735e6e3 100644 --- a/playbooks/groups/maintainer-test.yml +++ b/playbooks/groups/maintainer-test.yml @@ -65,7 +65,7 @@ dnf: state=present pkg={{ item }} with_items: - fedora-packager - when: ansible_distribution_major_version|int > 21 + when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' tags: - packages diff --git a/playbooks/manual/update-packages.yml b/playbooks/manual/update-packages.yml index 7b6eb9344d..78a250e302 100644 --- a/playbooks/manual/update-packages.yml +++ b/playbooks/manual/update-packages.yml 
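Review bot: `ansible_distribution_major_version|int != '7'` in the mod_limitipconn entry of playbooks/groups/download.yml compares an integer with the string '7', which is always unequal, so the version part of the condition never excludes anything and the role is applied or skipped on the distribution test alone. If RHEL 7 is meant to be excluded from the per-IP connection limit, compare against the integer: `when: ansible_distribution_major_version|int != 7 and ansible_distribution == 'RedHat'`. The FIXME added in the previous hunk indicates the RedHat restriction itself is still unconfirmed, so this entry should be settled before merging.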
@@ -17,25 +17,25 @@ - name: yum update {{ package }} from main repo yum: name="{{ package }}" state=latest update_cache=yes - when: not testing and ansible_distribution_major_version|int < 22 + when: not testing and ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat' - name: yum update {{ package }} from testing repo yum: name="{{ package }}" state=latest enablerepo=infrastructure-tags-stg update_cache=yes - when: testing and ansible_distribution_major_version|int < 22 + when: testing and ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat' - name: dnf clean all (since we can't do it when updating) command: dnf clean all - when: not testing and ansible_distribution_major_version|int > 21 + when: not testing and ansible_distribution_major_version|int > 21 and ansible_distribution is 'Fedora' - name: dnf update {{ package }} from main repo dnf: name="{{ package }}" state=latest - when: not testing and ansible_distribution_major_version|int > 21 + when: not testing and ansible_distribution_major_version|int > 21 and ansible_distribution is 'Fedora' - name: dnf clean all (since we can't do it when updating) command: dnf clean all --enablerepo=infrastructure-tags-stg - when: testing and ansible_distribution_major_version|int > 21 + when: testing and ansible_distribution_major_version|int > 21 and ansible_distribution is 'Fedora' - name: dnf update {{ package }} from testing repo dnf: name="{{ package }}" state=latest enablerepo=infrastructure-tags-stg - when: testing and ansible_distribution_major_version|int > 21 + when: testing and ansible_distribution_major_version|int > 21 and ansible_distribution is 'Fedora' diff --git a/playbooks/transient_cloud_instance.yml b/playbooks/transient_cloud_instance.yml index 3ce042cf7b..53300ccff2 100644 --- a/playbooks/transient_cloud_instance.yml +++ b/playbooks/transient_cloud_instance.yml 
@@ -69,11 +69,12 @@ tasks: - name: install cloud-utils (yum) package: name=cloud-utils state=present - when: ansible_distribution_major_version|int < 22 + when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat' +# FIXME no Fedora ? - name: install cloud-utils (dnf) command: dnf install -y cloud-utils - when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined + when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined - import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml" diff --git a/playbooks/transient_newcloud_instance.yml b/playbooks/transient_newcloud_instance.yml index 3b01af90b8..207679d613 100644 --- a/playbooks/transient_newcloud_instance.yml +++ b/playbooks/transient_newcloud_instance.yml @@ -76,11 +76,12 @@ tasks: - name: install cloud-utils (yum) package: name=cloud-utils state=present - when: ansible_distribution_major_version|int < 22 + when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat' +# FIXME no Fedora ? - name: install cloud-utils (dnf) command: dnf install -y cloud-utils - when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined + when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined - import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml" diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml index 78ffe45b97..f65c7472ef 100644 --- a/roles/apache/tasks/main.yml +++ b/roles/apache/tasks/main.yml 
@@ -24,7 +24,19 @@ - name: hotfix - copy over new httpd init script copy: src="{{ files }}/hotfix/httpd/httpd.init" dest=/etc/init.d/httpd owner=root group=root mode=0755 - when: ansible_distribution_major_version|int < 30 + when: ansible_distribution_major_version|int < 30 and ansible_distribution is 'Fedora' + notify: + - reload apache + tags: + - config + - hotfix + - apache + +# install hash randomization hotfix +- name: hotfix - copy over new httpd init script + copy: src="{{ files }}/hotfix/httpd/httpd.init" dest=/etc/init.d/httpd + owner=root group=root mode=0755 + when: ansible_distribution_major_version|int <= 8 and ansible_distribution is 'RedHat' notify: - reload apache tags: @@ -34,7 +46,7 @@ - name: hotfix - copy over new httpd sysconfig (el6) copy: src="{{ files }}/hotfix/httpd/httpd.sysconfig" dest=/etc/sysconfig/httpd - when: ansible_distribution_major_version|int == 6 + when: ansible_distribution_major_version|int == 6 and ansible_distribution is 'RedHat' notify: - reload apache tags: @@ -44,7 +56,7 @@ - name: hotfix - copy over new httpd sysconfig (el7) copy: src="{{ files }}/hotfix/httpd/httpd.sysconfig" dest=/etc/sysconfig/httpd - when: ansible_distribution_major_version|int == 7 + when: ansible_distribution_major_version|int == 7 and ansible_distribution is 'RedHat' notify: - reload apache tags: diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index ab1b7447f6..2b15887a71 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml 
@@ -11,11 +11,11 @@ - policycoreutils-python tags: - selinux - when: ansible_distribution_major_version|int < 8 + when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat' - name: ensure packages required for semanage are installed (dnf) package: name=policycoreutils-python-utils state=present - when: ansible_distribution_major_version|int > 27 and ansible_cmdline.ostree is not defined + when: (ansible_distribution_major_version|int > 27 and ansible_distribution is 'Fedora') or (ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat') and ansible_cmdline.ostree is not defined tags: - selinux @@ -52,7 +52,18 @@ ini_file: dest=/etc/NetworkManager/NetworkManager.conf section=main option=dns value=none notify: - restart NetworkManager - when: ansible_distribution_major_version|int >=7 and nmclitest is success and ( not ansible_ifcfg_blacklist) and not nm_controlled_resolv + when: ansible_distribution_major_version|int >=7 and ansible_distribution is 'RedHat' and nmclitest is success and ( not ansible_ifcfg_blacklist) and not nm_controlled_resolv + tags: + - config + - resolvconf + - base + - ifcfg + +- name: disable resolv.conf control from NM + ini_file: dest=/etc/NetworkManager/NetworkManager.conf section=main option=dns value=none + notify: + - restart NetworkManager + when: ansible_distribution_major_version|int >=29 and ansible_distribution is 'Fedora' and nmclitest is success and ( not ansible_ifcfg_blacklist) and not nm_controlled_resolv tags: - config - resolvconf 
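Review bot: In the policycoreutils-python-utils task of roles/base/tasks/main.yml the new condition has the shape `(Fedora…) or (RedHat…) and ansible_cmdline.ostree is not defined`; `and` binds tighter than `or`, so the ostree check now guards only the RedHat branch and a Fedora host booted from ostree is no longer skipped. Grouping the two distribution branches restores the previous behaviour: `when: ((ansible_distribution == 'Fedora' and ansible_distribution_major_version|int > 27) or (ansible_distribution == 'RedHat' and ansible_distribution_major_version|int > 7)) and ansible_cmdline.ostree is not defined`.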
@@ -65,7 +76,19 @@ changed_when: false failed_when: 'if_uuid.stdout == ""' check_mode: no - when: ansible_distribution_major_version|int >=7 and nmclitest is success and ( not ansible_ifcfg_blacklist ) + when: ansible_distribution_major_version|int >=7 and ansible_distribution is 'RedHat' and nmclitest is success and ( not ansible_ifcfg_blacklist ) + tags: + - config + - ifcfg + - base + +- name: get interface uuid + shell: nmcli -f "DEVICE,UUID" c show --active | grep -E '^eth|^br|^em' + register: if_uuid + changed_when: false + failed_when: 'if_uuid.stdout == ""' + check_mode: no + when: ansible_distribution_major_version|int >=29 and ansible_distribution is 'Fedora' and nmclitest is success and ( not ansible_ifcfg_blacklist ) tags: - config - ifcfg @@ -92,17 +115,25 @@ tags: - packages - base - when: ansible_distribution_major_version|int < 22 and ansible_distribution_major_version|int != 8 + when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat' - name: global default packages to install (dnf) dnf: state=present name="{{ global_pkgs_inst }}" tags: - packages - base - when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined + when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined + +- name: global default packages to install (dnf) + dnf: state=present name="{{ global_pkgs_inst }}" + tags: + - packages + - base + when: ansible_distribution_major_version|int > 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined - name: make sure hostname is set right on rhel7 hosts hostname: name="{{inventory_hostname}}" + when: ansible_distribution_major_version|int == 7 and ansible_distribution is 'RedHat' # # We set builders root password in the koji_builder role, so do not set those here 
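Review bot: The Fedora copy of "global default packages to install (dnf)" in roles/base/tasks/main.yml uses `|int > 29`, while the other Fedora conditions added to this file use `>= 29`, so a Fedora 29 host matches neither the yum task nor either dnf task and gets no default packages. The "dist pkgs to remove (dnf)" and "dist pkgs to install (dnf)" tasks in the @@ -146,21 +177,35 @@ hunk carry the same `> 29`. If Fedora 29 hosts are still in the inventory, the bound should read `ansible_distribution_major_version|int >= 29`.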
@@ -137,7 +168,7 @@ tags: - packages - base - when: ansible_distribution_major_version|int < 22 + when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat' - name: dist pkgs to install (yum) package: state=present name={{ item }} @@ -146,21 +177,35 @@ tags: - packages - base - when: ansible_distribution_major_version|int < 22 + when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat' - name: dist pkgs to remove (dnf) dnf: state=absent name="{{ base_pkgs_erase }}" tags: - packages - base - when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined + when: ansible_distribution_major_version|int > 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined + +- name: dist pkgs to remove (dnf) + dnf: state=absent name="{{ base_pkgs_erase }}" + tags: + - packages + - base + when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined - name: dist pkgs to install (dnf) dnf: state=present name="{{ base_pkgs_inst }}" tags: - packages - base - when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined + when: ansible_distribution_major_version|int > 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined + +- name: dist pkgs to install (dnf) + dnf: state=present name="{{ base_pkgs_inst }}" + tags: + - packages + - base + when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined - name: dist disabled services service: state=stopped enabled=false name={{ item }} 
@@ -234,7 +279,18 @@ - name: enable journald persistence file: path=/var/log/journal state=directory owner=root group=systemd-journal mode=2755 - when: ansible_distribution_major_version|int >= 7 + when: ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat' + tags: + - journald + - config + - base + notify: + - flush journald tmpfiles to persistent store + +- name: enable journald persistence + file: path=/var/log/journal state=directory + owner=root group=systemd-journal mode=2755 + when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' tags: - journald - config @@ -346,7 +402,16 @@ - name: copy over our custom selinux module copy: src=selinux/mapchkpwd.pp dest=/usr/local/share/mapchkpwd.pp register: selinux_module - when: ansible_distribution_major_version|int >= 27 + when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' + tags: + - config + - selinux + +# Custom selinux policy to allow unix_chkpwd to map PAM database +- name: copy over our custom selinux module + copy: src=selinux/mapchkpwd.pp dest=/usr/local/share/mapchkpwd.pp + register: selinux_module + when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat' tags: - config - selinux diff --git a/roles/base/templates/krb5.conf.j2 b/roles/base/templates/krb5.conf.j2 index 5cad5d7674..2ae9aa3747 100644 --- a/roles/base/templates/krb5.conf.j2 +++ b/roles/base/templates/krb5.conf.j2 @@ -15,7 +15,7 @@ [realms] {{ ipa_realm }} = { -{% if ansible_distribution_major_version|default(0)|int == 6 %} +{% if ansible_distribution_major_version|default(0)|int == 6 and and ansible_distribution is "RedHat" %} kdc = ipa01{{ env_suffix }}.phx2.fedoraproject.org {% else %} kdc = https://id{{ env_suffix }}.fedoraproject.org/KdcProxy diff --git a/roles/basessh/tasks/main.yml b/roles/basessh/tasks/main.yml index 7183607e9e..a02b91df7d 100644 --- a/roles/basessh/tasks/main.yml +++ b/roles/basessh/tasks/main.yml 
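Review bot: The new `{% if %}` line in roles/base/templates/krb5.conf.j2 contains `and and`, which is a Jinja2 syntax error, so the template cannot render and krb5.conf would not be written on any host. With the comparison operator corrected as well it should read `{% if ansible_distribution_major_version|default(0)|int == 6 and ansible_distribution == "RedHat" %}`. The version fact is protected by `default(0)` but `ansible_distribution` is not; if this template can be rendered without gathered facts, the added test may hit an undefined variable, which is worth confirming.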
@@ -33,7 +33,17 @@ - config - sshd - selinux - when: ansible_distribution_major_version|int < 30 and ansible_distribution_major_version|int != 8 + when: ansible_distribution_major_version|int < 30 and ansible_distribution is 'Fedora' + +- name: make sure libselinux-python is installed + package: name=libselinux-python state=present + tags: + - basessh + - sshd_config + - config + - sshd + - selinux + when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat' - name: make sure python3-libselinux is installed package: name=python3-libselinux state=present @@ -43,7 +53,17 @@ - config - sshd - selinux - when: ansible_distribution_major_version|int >= 30 or ansible_distribution_major_version|int == 8 + when: ansible_distribution_major_version|int >= 30 and ansible_distribution is 'Fedora' + +- name: make sure python3-libselinux is installed + package: name=python3-libselinux state=present + tags: + - basessh + - sshd_config + - config + - sshd + - selinux + when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat' - name: check if sshd port is already known by selinux shell: semanage port -l | grep ssh diff --git a/roles/basessh/templates/sshd_config b/roles/basessh/templates/sshd_config index 7ec4a855e1..43f9b4d849 100644 --- a/roles/basessh/templates/sshd_config +++ b/roles/basessh/templates/sshd_config @@ -2,7 +2,7 @@ Protocol 2 Port {{ sshd_port }} -{% if ansible_distribution_major_version == "6" %} +{% if ansible_distribution_major_version == "6" and ansible_distribution is 'RedHat' %} KexAlgorithms diffie-hellman-group-exchange-sha256 MACs hmac-sha2-512,hmac-sha2-256 Ciphers aes256-ctr,aes192-ctr,aes128-ctr 
@@ -31,9 +31,10 @@ AllowAgentForwarding no X11Forwarding no PermitTunnel no -{% if ansible_distribution_major_version == "6" %} +{% if ansible_distribution_major_version == "6" and ansible_distribution is 'RedHat' %} UsePrivilegeSeparation yes -{% elif ansible_distribution_major_version == "7" %} +#FIXME: How about RHEL8 and Fedora ? sandbox as well ? +{% elif ansible_distribution_major_version == "7" and ansible_distribution is 'RedHat' %} UsePrivilegeSeparation sandbox {% endif %} diff --git a/roles/chrony/tasks/main.yml b/roles/chrony/tasks/main.yml index 2e5609f32f..471207eda0 100644 --- a/roles/chrony/tasks/main.yml +++ b/roles/chrony/tasks/main.yml @@ -26,3 +26,4 @@ - chrony - service - base + when: ansible_distribution_major_version|int != 8 diff --git a/roles/collectd/base/tasks/main.yml b/roles/collectd/base/tasks/main.yml index 23d4427746..7c8fc2e9b2 100644 --- a/roles/collectd/base/tasks/main.yml +++ b/roles/collectd/base/tasks/main.yml 
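Review bot: The `#FIXME` line added to roles/basessh/templates/sshd_config sits inside the body of the RHEL 6 `{% if %}` branch, so it is rendered into the deployed sshd_config on RHEL 6 hosts and nowhere else; a template comment keeps it out of the generated file: `{# FIXME: How about RHEL8 and Fedora? sandbox as well? #}`. On the question it asks, OpenSSH 7.5 and later deprecate `UsePrivilegeSeparation` and always run with privilege separation, so emitting no directive for RHEL 8 and current Fedora looks correct, though that should be confirmed against the OpenSSH versions actually deployed.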
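Review bot: The `when: ansible_distribution_major_version|int != 8` added at the end of roles/chrony/tasks/main.yml has no distribution test and no comment saying why major version 8 is excluded. The task it belongs to starts outside this hunk, but its `service` tag suggests it manages the chrony service, which would leave RHEL 8 hosts without managed time synchronisation. Kerberos authentication and log correlation both depend on accurate clocks, so the exclusion deserves a comment such as `# chrony service task skipped on RHEL 8 because <reason>` and an explicit `ansible_distribution == 'RedHat'` in the condition.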
@@ -6,21 +6,35 @@ package: name=collectd state=present tags: - collectd - when: ansible_distribution_major_version|int < 22 + when: ansible_distribution_major_version|int <= 7 and ansible_distribution is 'RedHat' # install pkg - name: install collectd dnf: name=collectd state=present tags: - collectd - when: ansible_distribution_major_version|int > 21 + when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' + +# install pkg +- name: install collectd + dnf: name=collectd state=present + tags: + - collectd + when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' + +# install collectd-disk (it was split out) +- name: install collectd-disk + dnf: name=collectd-disk state=present + tags: + - collectd + when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' # install collectd-disk on F25+ (it was split out) - name: install collectd-disk dnf: name=collectd-disk state=present tags: - collectd - when: ansible_distribution_major_version|int > 24 + when: ansible_distribution_major_version|int > 24 and ansible_distribution is 'Fedora' # install collected.conf - name: /etc/collectd.conf @@ -55,7 +69,7 @@ - collectd notify: - restart collectd - when: collectd_apache and ansible_distribution_major_version|int < 22 + when: collectd_apache and ansible_distribution_major_version|int <= 7 and ansible_distribution is 'RedHat' - name: install collectd-apache (dnf) dnf: state=present name=collectd-apache 
@@ -63,7 +77,15 @@ - collectd notify: - restart collectd - when: collectd_apache and ansible_distribution_major_version|int > 21 + when: collectd_apache and ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' + +- name: install collectd-apache (dnf) + dnf: state=present name=collectd-apache + tags: + - collectd + notify: + - restart collectd + when: collectd_apache and ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' - name: /etc/collectd/apache.conf copy: src=apache.conf dest=/etc/collectd.d/apache.conf @@ -77,7 +99,7 @@ package: name=libsemanage-python state=present tags: - collectd - when: collectd_apache is defined and ansible_distribution_major_version|int < 22 + when: collectd_apache is defined and ansible_distribution_major_version|int <= 7 and ansible_distribution is 'RedHat' - name: Let collectd talk to things over tcp seboolean: name=collectd_tcp_network_connect state=yes persistent=yes diff --git a/roles/dnf-automatic/tasks/main.yml b/roles/dnf-automatic/tasks/main.yml index e8ccdecec9..0ae3418567 100644 --- a/roles/dnf-automatic/tasks/main.yml +++ b/roles/dnf-automatic/tasks/main.yml @@ -23,7 +23,7 @@ - name: enable and start dnf-automatic command: systemctl enable dnf-automatic.timer - when: ansible_distribution_major_version|int < 26 + when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat' args: creates: /etc/systemd/system/basic.target.wants/dnf-automatic.timer tags: 
@@ -35,15 +35,23 @@ check_mode: no changed_when: 1 != 1 ignore_errors: true - when: ansible_distribution_major_version|int < 26 + when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat' - name: start dnf-automatic.timer if it is not active command: systemctl start dnf-automatic.timer - when: automaticative is failed and ansible_distribution_major_version|int < 26 + when: automaticative is failed and ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat' - name: enable and start dnf-automatic f26+ command: systemctl enable dnf-automatic-install.timer - when: ansible_distribution_major_version|int >= 26 + when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' + register: dnfautomaticenable + changed_when: dnfautomaticenable.rc != 0 + tags: + - config + + - name: enable and start dnf-automatic RHEL8+ + command: systemctl enable dnf-automatic-install.timer + when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat' register: dnfautomaticenable changed_when: dnfautomaticenable.rc != 0 tags: 
@@ -55,11 +63,23 @@ check_mode: no changed_when: 1 != 1 ignore_errors: true - when: ansible_distribution_major_version|int >= 26 + when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat' + + - name: check if dnf-automatic-install.timer is active + command: systemctl is-active dnf-automatic-install.timer + register: automaticative + check_mode: no + changed_when: 1 != 1 + ignore_errors: true + when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' - name: start dnf-automatic-install.timer if it is not active command: systemctl start dnf-automatic-install.timer - when: automaticative is failed and ansible_distribution_major_version|int >= 26 + when: automaticative is failed and ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat' + + - name: start dnf-automatic-install.timer if it is not active + command: systemctl start dnf-automatic-install.timer + when: automaticative is failed and ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' - name: disable silly makecache timer systemd: name=dnf-makecache masked=yes diff --git a/roles/fas_client/tasks/main.yml b/roles/fas_client/tasks/main.yml index 19f8bb1caf..8d61314fbb 100644 --- a/roles/fas_client/tasks/main.yml +++ b/roles/fas_client/tasks/main.yml @@ -21,7 +21,7 @@ - name: install nss_db on rhel or fedora 25 or greater hosts only package: state=present name=nss_db - when: ansible_distribution_major_version|int == 6 or ansible_distribution_major_version|int > 24 + when: ansible_distribution is 'RedHat' or ansible_distribution is 'Fedora' tags: - packages - fas_client diff --git a/roles/git/server/tasks/main.yml b/roles/git/server/tasks/main.yml index 11cf165ded..78fb6db47e 100644 --- a/roles/git/server/tasks/main.yml +++ b/roles/git/server/tasks/main.yml 
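Review bot: In roles/fas_client/tasks/main.yml the nss_db condition no longer tests a version at all, so the package is now installed on RHEL 7 and on Fedora releases that the old `== 6 or > 24` rule excluded, while the task name still says "fedora 25 or greater hosts only". If the widening is intended, the task name should be updated to match. If not, the version bounds need to stay next to the distribution tests, e.g. `(ansible_distribution == 'RedHat' and ansible_distribution_major_version|int == 6) or (ansible_distribution == 'Fedora' and ansible_distribution_major_version|int > 24)`.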
@@ -8,7 +8,12 @@ # If NOT using xinetd - name: delete stock git daemon config file: path="/usr/lib/systemd/system/git.service" state=absent - when: ansible_distribution_major_version|int == 7 + when: ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat' + tags: git/server + +- name: delete stock git daemon config + file: path="/usr/lib/systemd/system/git.service" state=absent + when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' tags: git/server - name: configure git daemon @@ -16,13 +21,21 @@ src="git@.service.j2" dest="/usr/lib/systemd/system/git@.service" mode=0644 - when: ansible_distribution_major_version|int == 7 + when: ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat' + tags: git/server + +- name: configure git daemon + template: > + src="git@.service.j2" + dest="/usr/lib/systemd/system/git@.service" + mode=0644 + when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' tags: git/server # If using xinetd - name: install xinetd package: name=xinetd state=present - when: ansible_distribution_major_version|int == 6 + when: ansible_distribution_major_version|int == 6 and ansible_distribution is 'RedHat' tags: git/server - name: install the xinetd config file @@ -30,7 +43,7 @@ src="git.j2" dest="/etc/xinetd.d/git" mode=0644 - when: ansible_distribution_major_version|int == 6 + when: ansible_distribution_major_version|int == 6 and ansible_distribution is 'RedHat' tags: git/server notify: - restart xinetd diff --git a/roles/iscsi_client/tasks/main.yml b/roles/iscsi_client/tasks/main.yml index c03caeca16..336dd76110 100644 --- a/roles/iscsi_client/tasks/main.yml +++ b/roles/iscsi_client/tasks/main.yml 
@@ -11,7 +11,7 @@ - device-mapper-multipath tags: - packages - when: ansible_distribution_major_version|int < 22 + when: ansible_distribution_major_version|int < 8 and ansible_distribution == "RedHat" - name: install packages needed for iscsi_client (dnf) package: @@ -21,7 +21,17 @@ - device-mapper-multipath tags: - packages - when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined + when: ansible_distribution_major_version|int >= 29 and ansible_distribution == "Fedora" and ansible_cmdline.ostree is not defined + +- name: install packages needed for iscsi_client (dnf) + package: + state: present + name: + - iscsi-initiator-utils + - device-mapper-multipath + tags: + - packages + when: ansible_distribution_major_version|int >= 8 and ansible_distribution == "RedHat" and ansible_cmdline.ostree is not defined - name: enable iscsi service service: state=started enabled=yes name=iscsi diff --git a/roles/kerneltest/templates/kerneltest.conf b/roles/kerneltest/templates/kerneltest.conf index 13681c63ec..a665f515b8 100644 --- a/roles/kerneltest/templates/kerneltest.conf +++ b/roles/kerneltest/templates/kerneltest.conf @@ -1,5 +1,5 @@ -{% if ansible_distribution_major_version == '6' %} +{% if ansible_distribution_major_version == '6 and ansible_distribution is 'RedHat' %} Alias /kerneltest/static /usr/lib/python2.6/site-packages/kerneltest/static/ {% else %} Alias /kerneltest/static /usr/lib/python2.7/site-packages/kerneltest/static/ diff --git a/roles/koji_hub/tasks/main.yml b/roles/koji_hub/tasks/main.yml index b620cfb7b1..8cfffa77bd 100644 --- a/roles/koji_hub/tasks/main.yml +++ b/roles/koji_hub/tasks/main.yml @@ -363,6 +363,7 @@ - selinux - koji_hub when: ansible_distribution == "RedHat" and ansible_distribution_major_version|int == 7 +# FIXME wht about RHEL8+ ? - name: Set httpd to run on boot service: name=httpd enabled=yes 
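Review bot: The rewritten first line of roles/kerneltest/templates/kerneltest.conf drops the closing quote after `'6`, so the string literal swallows the following ` and ansible_distribution is ` and the template fails to parse. It should read `{% if ansible_distribution_major_version == '6' and ansible_distribution == 'RedHat' %}`.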
diff --git a/roles/mariadb_server/tasks/main.yml b/roles/mariadb_server/tasks/main.yml index 494020e2ec..e382ca26b6 100644 --- a/roles/mariadb_server/tasks/main.yml +++ b/roles/mariadb_server/tasks/main.yml @@ -1,18 +1,10 @@ -- name: ensure packages required for mariadb are installed - package: - state: present - name: - - mariadb-server - - MySQL-python - when: ansible_distribution_major_version|int < 22 - - name: ensure packages required for mariadb are installed package: state: present name: - mariadb-server - MySQL-python - when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined + when: ansible_cmdline.ostree is not defined - name: copy my.cnf copy: src={{ item }} dest=/etc/my.cnf owner=root group=root mode=0644 diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml index 4fc1616cad..385e72474d 100644 --- a/roles/nagios_client/tasks/main.yml +++ b/roles/nagios_client/tasks/main.yml @@ -77,7 +77,7 @@ - name: install our custom selinux module command: semodule -i /usr/share/nrpe/fi-nrpe.pp - when: ansible_distribution_major_version|int == 7 and selinux_module is changed + when: ansible_distribution_major_version|int == 7 and ansible_distribution is 'RedHat' and selinux_module is changed tags: - config - nagios_client diff --git a/roles/nfs/client/tasks/main.yml b/roles/nfs/client/tasks/main.yml index e1d6a29d86..1302ffeb45 100644 --- a/roles/nfs/client/tasks/main.yml +++ b/roles/nfs/client/tasks/main.yml @@ -1,6 +1,6 @@ - name: install network-scripts package package: name=network-scripts state=installed - when: ansible_distribution_major_version|int >= 29 + when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' tags: - nfs/client 
@@ -51,12 +51,12 @@ tags: - nfs/client -- name: enable nfs-related services and run them (rhel 7 and Fedora) +- name: enable nfs-related services and run them (rhel 7+ and Fedora) service: name={{ item }} enabled=true state=started with_items: - rpcbind - nfs-lock - when: ansible_distribution_major_version|int == 7 + when: ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat' tags: - nfs/client @@ -67,7 +67,7 @@ - rpcbind - nfs - nfslock - when: ansible_distribution_major_version|int == 6 + when: ansible_distribution_major_version|int == 6 and ansible_distribution is 'RedHat' tags: - nfs/client diff --git a/roles/nginx/templates/etc/nginx/nginx.conf.j2 b/roles/nginx/templates/etc/nginx/nginx.conf.j2 index 0f396060cf..ad3eba0684 100644 --- a/roles/nginx/templates/etc/nginx/nginx.conf.j2 +++ b/roles/nginx/templates/etc/nginx/nginx.conf.j2 @@ -2,7 +2,7 @@ user nginx; worker_processes {{ nginx_worker_processes }}; error_log /var/log/nginx/error.log {{ nginx_error_level }}; -{% if ansible_distribution_major_version == "7" %} +{% if ansible_distribution_major_version == "7" and ansible_distribution is "RedHat" %} pid /run/nginx.pid; {% else %} pid /var/run/nginx.pid; diff --git a/roles/openqa/worker/tasks/tap-setup.yml b/roles/openqa/worker/tasks/tap-setup.yml index 5949dd7395..87ea98764d 100644 --- a/roles/openqa/worker/tasks/tap-setup.yml +++ b/roles/openqa/worker/tasks/tap-setup.yml @@ -11,7 +11,7 @@ state: present tags: - packages - when: ansible_distribution_major_version|int >= 29 + when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' - name: Enable ipv4_forward in sysctl sysctl: name=net.ipv4.ip_forward value=1 state=present sysctl_set=yes reload=yes diff --git a/roles/openvpn/base/tasks/main.yml b/roles/openvpn/base/tasks/main.yml index 8ca236528b..8550c60cd9 100644 --- a/roles/openvpn/base/tasks/main.yml +++ b/roles/openvpn/base/tasks/main.yml 
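Review bot: The renamed task "enable nfs-related services and run them (rhel 7+ and Fedora)" in roles/nfs/client/tasks/main.yml is conditioned on RedHat only, so despite its name no Fedora host runs it. Either drop "and Fedora" from the name or add a Fedora branch to the condition, e.g. `... or (ansible_distribution == 'Fedora' and ansible_distribution_major_version|int >= 29)`. Whether `nfs-lock` exists as a unit on those Fedora releases is not visible from the hunk and should be checked first.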
@@ -1,6 +1,8 @@ --- # OpenVpn basic configuration +# FIXME lots of changes, please review carefully: +# - name: Install needed package package: state: present @@ -9,7 +11,7 @@ tags: - openvpn - packages - when: ansible_distribution_major_version|int < 8 + when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat' - name: Install needed package (dnf) package: @@ -21,7 +23,7 @@ - packages when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined -- name: Install certificate and key (rhel6 and fedora24 and older) +- name: Install certificate and key (rhel6) copy: src={{ private }}/files/vpn/pki/ca.crt dest=/etc/openvpn/ca.crt owner=root group=root mode=0600 @@ -29,12 +31,21 @@ - install - openvpn #notify: - #- restart openvpn (Fedora) - #- restart openvpn (RHEL7) #- restart openvpn (RHEL6) - when: ansible_distribution_major_version|int < 25 + when: ansible_distribution_major_version|int == 6 and ansible_distribution is 'RedHat' -- name: Install certificate and key (rhel7 or fedora) for client +- name: Install certificate and key (rhel7+) for client + copy: src={{ private }}/files/vpn/pki/ca.crt + dest=/etc/openvpn/client/ca.crt + owner=root group=root mode=0600 + tags: + - install + - openvpn + #notify: + #- restart openvpn (RHEL7+) + when: ( ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat' ) and ansible_cmdline.ostree is not defined + +- name: Install certificate and key (Fedora) for client copy: src={{ private }}/files/vpn/pki/ca.crt dest=/etc/openvpn/client/ca.crt owner=root group=root mode=0600 
@@ -43,9 +54,29 @@ - openvpn #notify: #- restart openvpn (Fedora) - #- restart openvpn (RHEL7) - #- restart openvpn (RHEL6) - when: ( ansible_distribution_major_version|int != 6 and ansible_distribution_major_version|int != 24 ) and ansible_cmdline.ostree is not defined + when: ( ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' ) and ansible_cmdline.ostree is not defined + +- name: Install certificate and key (fedora) for server + copy: src={{ private }}/files/vpn/pki/ca.crt + dest=/etc/openvpn/server/ca.crt + owner=root group=root mode=0600 + tags: + - install + - openvpn + #notify: + #- restart openvpn (Fedora) + when: ( ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' ) and ansible_cmdline.ostree is not defined + +- name: Install certificate and key (rhel7+) for server + copy: src={{ private }}/files/vpn/pki/ca.crt + dest=/etc/openvpn/server/ca.crt + owner=root group=root mode=0600 + tags: + - install + - openvpn + #notify: + #- restart openvpn (RHEL7+) + when: ( ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat' ) and ansible_cmdline.ostree is not defined - name: Install certificate and key (rhel7 or fedora) for server copy: src={{ private }}/files/vpn/pki/ca.crt diff --git a/roles/openvpn/client/tasks/main.yml b/roles/openvpn/client/tasks/main.yml index 56f3cf6d0f..9fef474e30 100644 --- a/roles/openvpn/client/tasks/main.yml +++ b/roles/openvpn/client/tasks/main.yml @@ -9,7 +9,7 @@ tags: - packages - openvpn - when: ansible_distribution_major_version|int < 8 + when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat' - name: Install needed packages package: 
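Review bot: The two added server tasks, `Install certificate and key (fedora) for server` and `Install certificate and key (rhel7+) for server`, sit directly above the existing `Install certificate and key (rhel7 or fedora) for server` task, which this hunk leaves in place as trailing context. That older task's `when:` lies outside the hunk, but if it still carries the `!= 6 and != 24` version test that the client task had, it matches every RHEL 7+ and Fedora host and copies the same `ca.crt` a second time. Either delete the old task in this commit or give it a condition that no longer overlaps, so that exactly one task per target decides where the CA certificate is written.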
@@ -19,7 +19,17 @@ tags: - packages - openvpn - when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined + when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined + +- name: Install needed packages + package: + state: present + name: + - openvpn + tags: + - packages + - openvpn + when: ansible_distribution_major_version|int > 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined - name: Install main config file (rhel7 and fedora) template: src=client.conf @@ -30,9 +40,8 @@ - openvpn # notify: # - restart openvpn (Fedora) -# - restart openvpn (RHEL7) -# - restart openvpn (RHEL6) - when: ( ansible_distribution_major_version|int != 6 and ansible_distribution_major_version|int != 24) and ansible_cmdline.ostree is not defined +# - restart openvpn (RHEL6+) + when: (ansible_distribution is 'RedHat' or ansible_distribution is 'Fedora') and ansible_cmdline.ostree is not defined - name: Install configuration files (rhel7 and fedora) copy: src={{ item.file }} @@ -51,8 +60,7 @@ # notify: # - restart openvpn (Fedora) # - restart openvpn (RHEL7) -# - restart openvpn (RHEL6) - when: ( ansible_distribution_major_version|int != 6 and ansible_distribution_major_version|int != 24) and ansible_cmdline.ostree is not defined + when: (ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat') or (ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora') and ansible_cmdline.ostree is not defined - name: Install configuration files (rhel6) copy: src={{ item.file }} 
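Review bot: The added Fedora package task tests `ansible_distribution_major_version|int > 29`, while every other Fedora condition in this commit uses `>= 29`, so a Fedora 29 host matches none of the three `openvpn` install tasks in this file. Suggested line: `when: ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora' and ansible_cmdline.ostree is not defined`. The config and service tasks further down would then presumably run on a host where the package was never installed.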
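Review bot: The rewritten condition on `Install main config file (rhel7 and fedora)` drops the version test altogether, so RHEL 6 hosts, which the old `!= 6` clause excluded, now match it. If that is not intended, keep the bound: `when: ((ansible_distribution == 'RedHat' and ansible_distribution_major_version|int >= 7) or ansible_distribution == 'Fedora') and ansible_cmdline.ostree is not defined`. The commented notify entry `restart openvpn (RHEL6+)` also does not match the handler name this commit introduces, `restart openvpn (RHEL7+)`, which will matter if the notify block is ever re-enabled.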
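Review bot: In the new condition on `Install configuration files (rhel7 and fedora)`, `and` binds tighter than `or`, so `ansible_cmdline.ostree is not defined` guards only the Fedora branch and a RHEL 7+ host passes without the ostree check. Parenthesise the distribution alternatives as one group: `when: ((ansible_distribution_major_version|int >= 7 and ansible_distribution == 'RedHat') or (ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora')) and ansible_cmdline.ostree is not defined`. The task body continues outside the hunk.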
@@ -72,35 +80,26 @@ - install - openvpn # notify: -# - restart openvpn (Fedora) -# - restart openvpn (RHEL7) # - restart openvpn (RHEL6) - when: ( ansible_distribution_major_version|int == 6 or ansible_distribution_major_version|int == 24) and ansible_cmdline.ostree is not defined + when: (ansible_distribution_major_version|int == 6 and ansible_distribution is 'RedHat') and ansible_cmdline.ostree is not defined - name: enable openvpn service for rhel 6 service: name=openvpn state=started enabled=true - when: ansible_distribution_major_version|int == 6 - tags: - - service - - openvpn - -- name: enable openvpn service for fedora 24 - service: name=openvpn@openvpn state=started enabled=true - when: ansible_distribution_major_version|int == 24 + when: ansible_distribution_major_version|int == 6 and ansible_distribution is 'RedHat' tags: - service - openvpn - name: Make sure old openvpn is not running in rhel 7 service: name=openvpn@openvpn state=stopped enabled=false - when: ansible_distribution_major_version|int == 7 + when: ansible_distribution_major_version|int == 7 and ansible_distribution is 'RedHat' tags: - service - openvpn -- name: Make sure openvpn is running in rhel 7 +- name: Make sure openvpn is running in rhel 7+ service: name=openvpn-client@openvpn state=started enabled=true - when: ansible_distribution_major_version|int == 7 + when: ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat' tags: - service - openvpn @@ -115,7 +114,7 @@ - name: Create directories for post-vpn service configs file: path="/etc/systemd/system/{{item}}.service.d" state=directory with_items: "{{postvpnservices}}" - when: is_fedora is defined or ansible_distribution_major_version|int == 7 + when: is_fedora is defined or (ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat') tags: - service - openvpn 
@@ -123,7 +122,7 @@ - name: Deploy postvpn.conf for post-vpn services copy: src=postvpn.conf dest="/etc/systemd/system/{{item}}.service.d/postvpn.conf" with_items: "{{postvpnservices}}" - when: is_fedora is defined or ansible_distribution_major_version|int == 7 + when: is_fedora is defined or (ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat') tags: - service - openvpn diff --git a/roles/packages3/web/tasks/main.yml b/roles/packages3/web/tasks/main.yml index 2bcc8fac6a..23a28e1d3a 100644 --- a/roles/packages3/web/tasks/main.yml +++ b/roles/packages3/web/tasks/main.yml @@ -1,4 +1,6 @@ --- +# FIXME: Are these hosts really running RHEL or do we need to check for CentOS ? +# # Configuration for the fedora-packages webapp - name: install needed packages package: name={{ item }} state=present @@ -91,7 +93,7 @@ tags: - packages - packages/web - when: ansible_distribution_major_version|int < 7 + when: ansible_distribution_major_version|int < 7 and ansible_distribution is 'RedHat' # Here's the indexer stuff - name: Create cache structure @@ -134,7 +136,7 @@ - packages - packages/web - hotfix - when: ansible_distribution_major_version|int < 7 + when: ansible_distribution_major_version|int < 7 and ansible_distribution is 'RedHat' # Lastly, here's some selinux stuff. - name: set some selinux booleans @@ -163,4 +165,4 @@ - packages - packages/web - selinux - when: ansible_distribution_major_version|int > 6 + when: ansible_distribution_major_version|int > 6 and (ansible_distribution is 'RedHat' or ansible_distribution is 'Fedora') diff --git a/roles/postgresql_server/tasks/main.yml b/roles/postgresql_server/tasks/main.yml index 7db600518a..e1e380eab9 100644 --- a/roles/postgresql_server/tasks/main.yml +++ b/roles/postgresql_server/tasks/main.yml 
@@ -11,7 +11,7 @@ - postgresql-plpython - python-psycopg2 - pxz - when: ansible_distribution_major_version|int < 22 + when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat' tags: - packages - postgresql @@ -25,7 +25,21 @@ - postgresql-plpython - python-psycopg2 - pxz - when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined + when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined + tags: + - packages + - postgresql + +- name: install postgresql server packages (dnf) + package: + state: present + name: + - postgresql-server + - postgresql-contrib + - postgresql-plpython + - python-psycopg2 + - pxz + when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined tags: - packages - postgresql diff --git a/roles/postgresql_server_bdr/tasks/main.yml b/roles/postgresql_server_bdr/tasks/main.yml index 908099a4dd..2420172628 100644 --- a/roles/postgresql_server_bdr/tasks/main.yml +++ b/roles/postgresql_server_bdr/tasks/main.yml @@ -11,6 +11,7 @@ - packages - postgresql-bdr +# No Fedora packages available for F25+ - name: install postgresql server packages (yum) package: name={{ item }} state=present with_items: @@ -20,7 +21,7 @@ - postgresql-bdr94-bdr - postgresql-bdr94-plpython - python-psycopg2 - when: ansible_distribution_major_version|int < 22 + when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat' tags: - packages - postgresql-bdr diff --git a/roles/rkhunter/tasks/main.yml b/roles/rkhunter/tasks/main.yml index 83788c3386..a56958c5e5 100644 --- a/roles/rkhunter/tasks/main.yml +++ b/roles/rkhunter/tasks/main.yml 
@@ -1,13 +1,4 @@ --- -- name: install rkhunter (yum) - package: name=rkhunter state=present - notify: - - run rkhunter - tags: - - rkhunter - - packages - when: ansible_distribution_major_version|int < 22 - - name: install rkhunter (dnf) package: name=rkhunter state=present notify: @@ -15,7 +6,7 @@ tags: - rkhunter - packages - when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined + when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined - name: rkhunter.conf diff --git a/roles/rkhunter/templates/rkhunter.conf.j2 b/roles/rkhunter/templates/rkhunter.conf.j2 index b79a21b014..c2f08d8580 100644 --- a/roles/rkhunter/templates/rkhunter.conf.j2 +++ b/roles/rkhunter/templates/rkhunter.conf.j2 @@ -165,13 +165,8 @@ ALLOW_SSH_ROOT_USER=without-password # configuration file, then a value of '2' may be set here in order to # suppress a warning message. This option has a default value of '0'. # -{% if ansible_distribution == 'Fedora' and ansible_distribution_major_version|int < 22 %} -# Fedora 21 doesn't set protocol in ssh config -ALLOW_SSH_PROT_V1=2 -{% else %} # For RHEL and Fedora 22+ we set proto to v2 only ALLOW_SSH_PROT_V1=0 -{% endif %} # # This setting tells rkhunter the directory containing the SSH configuration diff --git a/roles/rsyncd/tasks/main.yml b/roles/rsyncd/tasks/main.yml index 327bf274dd..7133f88b24 100644 --- a/roles/rsyncd/tasks/main.yml +++ b/roles/rsyncd/tasks/main.yml @@ -3,7 +3,7 @@ # This role sets up rsyncd on a server # -- name: install rnecessary packages +- name: install necessary packages package: state: present name: @@ -13,9 +13,9 @@ tags: - packages - rsyncd - when: ansible_distribution_major_version|int < 22 + when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat' -- name: install rnecessary packages +- name: install necessary packages package: state: present name: 
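Review bot: With the `install rkhunter (yum)` task deleted and the remaining install task narrowed to Fedora 29+, no task visible in roles/rkhunter/tasks/main.yml installs rkhunter on RHEL hosts any more, although the removed `< 22` condition covered them. The `package` module is distribution-agnostic, so the surviving task only needs `when: ansible_cmdline.ostree is not defined`, the same simplification the mariadb_server hunk makes in this commit. As written, a freshly provisioned RHEL host would get no rootkit scanner and nothing would report the omission; the `rkhunter.conf` task that follows is outside the hunk, so whether it still runs on such a host cannot be seen here.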
@@ -25,7 +25,19 @@ tags: - packages - rsyncd - when: ansible_distribution_major_version|int > 21 + when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat' + +- name: install necessary packages + package: + state: present + name: + - rsync + - xinetd + - libsemanage-python + tags: + - packages + - rsyncd + when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' - name: rsyncd.conf file copy: src={{ item }} dest=/etc/rsyncd.conf mode=0644 diff --git a/roles/sigul/server/tasks/main.yml b/roles/sigul/server/tasks/main.yml index 59f075602a..e5f9e04506 100644 --- a/roles/sigul/server/tasks/main.yml +++ b/roles/sigul/server/tasks/main.yml @@ -30,15 +30,23 @@ package: state=present name={{ item }} with_items: - gnupg1 - when: ansible_distribution_major_version|int == 7 + when: ansible_distribution_major_version|int == 7 and ansible_distribution is 'RedHat' tags: - packages -- name: install fedora only packages +- name: install gnupg packages package: state=present name={{ item }} with_items: - gnupg - when: ansible_distribution_major_version|int > 23 + when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat' + tags: + - packages + +- name: install gnupg packages + package: state=present name={{ item }} + with_items: + - gnupg + when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' tags: - packages @@ -50,7 +58,7 @@ - name: Setup gpg link on rhel7 file: state=link src=/usr/bin/gpg1 dest=/usr/bin/gpg - when: ansible_distribution_major_version|int == 7 + when: ansible_distribution_major_version|int == 7 and ansible_distribution is 'RedHat' - name: add polkit rules to allow sigul user to access the smartcard/yubikey copy: src=00-sigul.rules dest=/etc/polkit-1/rules.d/00-sigul.rules diff --git a/roles/taskotron/grokmirror/tasks/main.yml b/roles/taskotron/grokmirror/tasks/main.yml index 4112181ef8..6b65a945b2 100644 
--- a/roles/taskotron/grokmirror/tasks/main.yml +++ b/roles/taskotron/grokmirror/tasks/main.yml @@ -5,14 +5,21 @@ name: - git - python-grokmirror - when: ansible_distribution_major_version|int < 22 + when: ansible_distribution_major_version|int <= 7 and ansible_distribution is 'RedHat' - name: ensure grokmirror packages are installed (dnf) dnf: name={{ item }} state=present with_items: - git - python-grokmirror - when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined + when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined + +- name: ensure grokmirror packages are installed (dnf) + dnf: name={{ item }} state=present + with_items: + - git + - python-grokmirror + when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined - name: create grokmirror user user: name={{ grokmirror_user }} diff --git a/roles/taskotron/resultsdb-backend/tasks/main.yml b/roles/taskotron/resultsdb-backend/tasks/main.yml index 0b8b144c53..08d5091548 100644 --- a/roles/taskotron/resultsdb-backend/tasks/main.yml +++ b/roles/taskotron/resultsdb-backend/tasks/main.yml @@ -10,7 +10,7 @@ - mod_wsgi - python-psycopg2 - libsemanage-python - when: ansible_distribution_major_version|int < 22 + when: ansible_distribution_major_version|int <= 7 and ansible_distribution is 'RedHat' - name: ensure packages required for resultsdb are installed (dnf) dnf: name={{ item }} state=present 
@@ -19,7 +19,16 @@ - python3-mod_wsgi - python3-psycopg2 - python2-libsemanage - when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined + when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined + +- name: ensure packages required for resultsdb are installed (dnf) + dnf: name={{ item }} state=present + with_items: + - resultsdb + - python3-mod_wsgi + - python3-psycopg2 + - python2-libsemanage + when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined - name: ensure database is created delegate_to: "{{ resultsdb_db_host_machine }}" diff --git a/roles/taskotron/resultsdb-frontend/tasks/main.yml b/roles/taskotron/resultsdb-frontend/tasks/main.yml index 1bd0801d16..d603620f5e 100644 --- a/roles/taskotron/resultsdb-frontend/tasks/main.yml +++ b/roles/taskotron/resultsdb-frontend/tasks/main.yml @@ -8,14 +8,21 @@ name: - resultsdb_frontend - mod_wsgi - when: ansible_distribution_major_version|int < 22 + when: ansible_distribution_major_version|int <= 7 and ansible_distribution is 'RedHat' - name: ensure packages required for resultsdb_frontend are installed (dnf) dnf: name={{ item }} state=present with_items: - resultsdb_frontend - python3-mod_wsgi - when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined + when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined + +- name: ensure packages required for resultsdb_frontend are installed (dnf) + dnf: name={{ item }} state=present + with_items: + - resultsdb_frontend + - python3-mod_wsgi + when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined - name: ensure selinux lets httpd talk to the network seboolean: name=httpd_can_network_connect persistent=yes state=yes 
diff --git a/roles/taskotron/ssl-taskotron/tasks/main.yml b/roles/taskotron/ssl-taskotron/tasks/main.yml index 91ff4f5d9d..c9c25e5a2e 100644 --- a/roles/taskotron/ssl-taskotron/tasks/main.yml +++ b/roles/taskotron/ssl-taskotron/tasks/main.yml @@ -4,13 +4,19 @@ state: present name: - mod_ssl - when: ansible_distribution_major_version|int < 22 + when: ansible_distribution_major_version|int <= 7 and ansible_distribution is 'RedHat' - name: ensure ssl related packages are installed (dnf) dnf: name={{ item }} state=present with_items: - mod_ssl - when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined + when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined + +- name: ensure ssl related packages are installed (dnf) + dnf: name={{ item }} state=present + with_items: + - mod_ssl + when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined #- name: copy ssl key # copy: src={{ private }}/files/taskotron/certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key dest=/etc/pki/tls/private/{{ inventory_hostname }}.key diff --git a/roles/taskotron/taskotron-frontend/tasks/main.yml b/roles/taskotron/taskotron-frontend/tasks/main.yml index 89dac238b9..edd4dda5f2 100644 --- a/roles/taskotron/taskotron-frontend/tasks/main.yml +++ b/roles/taskotron/taskotron-frontend/tasks/main.yml 
@@ -4,13 +4,19 @@ state: present name: - httpd - when: ansible_distribution_major_version|int < 22 + when: ansible_distribution_major_version|int <= 7 and ansible_distribution is 'RedHat' - name: ensure packages required for taskotron-frontend are installed (dnf) dnf: name={{ item }} state=present with_items: - httpd - when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined + when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined + +- name: ensure packages required for taskotron-frontend are installed (dnf) + dnf: name={{ item }} state=present + with_items: + - httpd + when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined - name: create dirs for static files file: path=/var/www/html/{{ item }} state=directory owner=apache group=apache mode=1755 diff --git a/roles/taskotron/taskotron-master/tasks/main.yml b/roles/taskotron/taskotron-master/tasks/main.yml index 5694cdd179..04bd4b945d 100644 --- a/roles/taskotron/taskotron-master/tasks/main.yml +++ b/roles/taskotron/taskotron-master/tasks/main.yml @@ -6,7 +6,13 @@ dnf: name={{ item }} state=present with_items: - tmpwatch - when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined + when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined + +- name: ensure packages required for buildmaster are installed (dnf) + dnf: name={{ item }} state=present + with_items: + - tmpwatch + when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined - name: create artifacts directory file: path={{ item }} state=directory owner=buildmaster group=buildmaster mode=0775 setype=httpd_sys_content_t 
diff --git a/roles/taskotron/taskotron-proxy/tasks/main.yml b/roles/taskotron/taskotron-proxy/tasks/main.yml index 58059d4625..12cd7dddb6 100644 --- a/roles/taskotron/taskotron-proxy/tasks/main.yml +++ b/roles/taskotron/taskotron-proxy/tasks/main.yml @@ -11,13 +11,19 @@ state: present name: - libsemanage-python - when: ansible_distribution_major_version|int < 22 + when: ansible_distribution_major_version|int <= 7 and ansible_distribution is 'RedHat' - name: ensure packages required for proxying are installed (dnf) dnf: name={{ item }} state=present with_items: - libsemanage-python - when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined + when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined + +- name: ensure packages required for proxying are installed (dnf) + dnf: name={{ item }} state=present + with_items: + - libsemanage-python + when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined - name: allow httpd tcp connections with selinux seboolean: name=httpd_can_network_connect state=true persistent=yes diff --git a/roles/varnish/tasks/main.yml b/roles/varnish/tasks/main.yml index e3310ab2e8..f1bd50de84 100644 --- a/roles/varnish/tasks/main.yml +++ b/roles/varnish/tasks/main.yml 
@@ -22,15 +22,8 @@ - restart varnish tags: - varnish - when: ansible_distribution_major_version|int == 7 - -- name: install varnish /etc/sysconfig/varnish file (fedora 25-28) - template: src=varnish.f25.j2 dest=/etc/varnish/varnish.params owner=root group=root - notify: - - restart varnish - tags: - - varnish - when: ansible_distribution_major_version|int >= 25 and ansible_distribution_major_version|int < 29 + when: ansible_distribution_major_version|int == 7 and ansible_distribution is 'RedHat' +#FIXME: RHEL8+ ? - name: install varnish /etc/systemd/system/varnish.service file (fedora 29+) template: src=varnish.f29.j2 dest=/etc/systemd/system/varnish.service owner=root group=root @@ -39,7 +32,7 @@ - restart varnish tags: - varnish - when: ansible_distribution_major_version|int >= 29 + when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' - name: install /etc/varnish/default.vcl (proxies) template: src={{ varnish_group }}.vcl.j2 dest=/etc/varnish/default.vcl owner=root group=root diff --git a/tasks/2fa_client.yml b/tasks/2fa_client.yml index f86649da48..af35fc3dd8 100644 --- a/tasks/2fa_client.yml +++ b/tasks/2fa_client.yml @@ -3,13 +3,19 @@ package: name=pam_url state=present tags: - packages - when: ansible_distribution_major_version|int < 22 + when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat' - name: install pam_url dnf: name=pam_url state=present tags: - packages - when: ansible_distribution_major_version|int > 21 + when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' + +- name: install pam_url + dnf: name=pam_url state=present + tags: + - packages + when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'RedHat' - name: /etc/pki/tls/private/totpcgi.pem copy: src="{{ private }}/files/2fa-certs/keys/{{ inventory_hostname }}.pem" dest=/etc/pki/tls/private/totpcgi.pem mode=0400 
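Review bot: The third `install pam_url` task in tasks/2fa_client.yml pairs `>= 29` with `ansible_distribution is 'RedHat'`; by the pattern used everywhere else in this commit that branch is meant for Fedora, and as written no Fedora host matches any of the three install tasks, so the PAM module for two-factor login is not installed there. Suggested line: `when: ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora'`. The task body is identical to the RHEL > 7 one, so the two could also be a single task whose condition joins both cases with `or`.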
diff --git a/tasks/cloud_setup_basic.yml b/tasks/cloud_setup_basic.yml index 4e57b3dc5b..c70b0be37f 100644 --- a/tasks/cloud_setup_basic.yml +++ b/tasks/cloud_setup_basic.yml @@ -6,7 +6,7 @@ - ntp - libsemanage-python - libselinux-python - when: ansible_distribution_major_version|int < 22 + when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat' tags: - packages @@ -15,7 +15,16 @@ with_items: - ntpdate - libselinux-python - when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined + when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined + tags: + - packages + +- name: Install desired extra packages (dnf) + dnf: state=present pkg={{ item }} + with_items: + - ntpdate + - libselinux-python + when: ansible_distribution_major_version|int >=29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined tags: - packages @@ -57,14 +66,21 @@ - name: update all command: yum -y update creates=/etc/sysconfig/global-update-applied register: updated - when: ansible_distribution_major_version|int < 22 + when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat' tags: - packages - name: update all command: dnf -y update creates=/etc/sysconfig/global-update-applied register: updated - when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined + when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined + tags: + - packages + +- name: update all + command: dnf -y update creates=/etc/sysconfig/global-update-applied + register: updated + when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined tags: - packages diff --git a/tasks/yumrepos.yml b/tasks/yumrepos.yml index ae6360a952..150fc29a12 100644 --- a/tasks/yumrepos.yml 
+++ b/tasks/yumrepos.yml @@ -88,16 +88,8 @@ - yumrepos - name: add aarch64 server rpms repo - copy: src="{{ files }}/common/rhel-7-aarch64-server-rpms.repo" dest="/etc/yum.repos.d/rhel-7-aarch64-server-rpms.repo" - when: (ansible_distribution == 'RedHat' or ansible_distribution == 'CentOS') and inventory_hostname.startswith('aarch64-c') and ansible_distribution_major_version == 7 - tags: - - config - - packages - - yumrepos - -- name: add aarch64 server rpms repo - copy: src="{{ files }}/common/rhel-8-aarch64-server-rpms.repo" dest="/etc/yum.repos.d/rhel-8-aarch64-server-rpms.repo" - when: (ansible_distribution == 'RedHat' or ansible_distribution == 'CentOS') and inventory_hostname.startswith('aarch64-c') and ansible_distribution_major_version == 8 + copy: src="{{ files }}/common/rhel-{{ ansible_distribution_major_version }}-aarch64-server-rpms.repo" dest="/etc/yum.repos.d/rhel-{{ ansible_distribution_major_version }}-aarch64-server-rpms.repo" + when: (ansible_distribution == 'RedHat' or ansible_distribution == 'CentOS') and inventory_hostname.startswith('aarch64-c') and ansible_distribution_major_version >= 7 tags: - config - packages
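Review bot: The merged aarch64 repo task compares `ansible_distribution_major_version >= 7` without the `|int` filter that the rest of this commit applies; the fact is normally a string, so an ordering comparison against an integer is unreliable and can raise a type error on a Python 3 controller. Use `ansible_distribution_major_version|int >= 7`. Because the repo file name is now built from the fact, any major version without a matching `rhel-N-aarch64-server-rpms.repo` under `{{ files }}/common` makes the copy fail; a membership test such as `ansible_distribution_major_version in ['7', '8']` keeps the set of installable repo definitions explicit.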