405 lines
9.1 KiB
YAML
405 lines
9.1 KiB
YAML
#
|
|
# This role sets up the various packages and scripts needed for a batcave
|
|
#
|
|
|
|
#
|
|
# make directory for nfs mounts to live in
|
|
#
|
|
|
|
- name: create /srv/web/pub for nfs mounts
|
|
file: dest=/srv/web/pub state=directory mode=755
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
- name: install packages needed
|
|
yum: pkg={{ item }} state=present
|
|
with_items:
|
|
- srm # secure rm to delete sensitive files.
|
|
- ansible # This is our ansible master, needs ansible installed.
|
|
- ansible-openstack-modules # Needed to manage cloud with ansible
|
|
- yum-metadata-parser # Needed for rhn sync
|
|
- yum-rhn-plugin # Needed for rhn sync
|
|
- createrepo_c # Needed for rhn sync
|
|
- python-sqlalchemy # Needed for repo2json
|
|
- pyliblzma # Needed for repo2json
|
|
- ansible_utils # Needed for rbac-playbook
|
|
- python-GeoIP # Needed for geoip scripts
|
|
- python-fedmsg-fasclient # fasClient fedmsg job
|
|
- bind # named-checkzone for dns repo
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
- name: setup ssh_known_hosts file
|
|
copy: src=ssh_known_hosts dest=/etc/ssh/ssh_known_hosts mode=0644
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
- name: Set up RHOS repo for cloud client stuff
|
|
copy: src=rhel7-rhos.repo dest=/etc/yum.repos.d/rhel7-rhos.repo
|
|
tags:
|
|
- cloud
|
|
- batcave
|
|
- config
|
|
|
|
- name: install cloud client packages
|
|
yum: pkg={{ item }} state=present
|
|
with_items:
|
|
- python-novaclient
|
|
- python-neutronclient
|
|
- python-oslo-config
|
|
- python-six
|
|
- python-keystoneclient
|
|
- python-glanceclient
|
|
tags:
|
|
- cloud
|
|
- batcave
|
|
- config
|
|
|
|
|
|
#
|
|
# This is our ansible master, setup ansible
|
|
#
|
|
|
|
- name: setup roots bashrc to note about agents
|
|
copy: src=root_bashrc dest=/root/.bashrc
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
- name: run daily logview report for ansible actions.
|
|
copy: src=logview.cron dest=/etc/cron.daily/logview.cron
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
#
|
|
# Set selinux booleans we need
|
|
#
|
|
|
|
- name: set selinux booleans
|
|
seboolean: name={{ item }} persistent=yes state=yes
|
|
with_items:
|
|
- httpd_can_network_connect
|
|
- httpd_use_nfs
|
|
- httpd_can_network_relay
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
#
|
|
# Scripts
|
|
#
|
|
|
|
#
|
|
# Hook to notify on git commits used in git repos
|
|
#
|
|
|
|
- name: setup git-notifier script
|
|
copy: src=git-notifier dest=/usr/local/bin/git-notifier mode=0755
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
|
|
# Hook to republish our bare repos for web viewing.
|
|
- name: setup syncgittree.sh script
|
|
copy: src=syncgittree.sh dest=/usr/local/bin/syncgittree.sh mode=0755
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
|
|
#
|
|
# Script used to gather encrypted security questions from fas
|
|
#
|
|
|
|
- name: setup /usr/local/bin/retrieve-security-question.py
|
|
copy: src=retrieve-security-question.py dest=/usr/local/bin/retrieve-security-question.py mode=0755
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
#
|
|
# Script to sync ssh keys from fas to openshift instances.
|
|
#
|
|
|
|
- name: setup python module for openshift sync script
|
|
copy: src=oshift_mod.py dest=/usr/local/bin/oshift_mod.py mode=0644
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
- name: setup setup sync-openshift-keys config
|
|
template: src=sync-openshift-keys.conf.j2 dest=/etc/sync-openshift-keys.conf mode=0600
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
- name: setup setup sync-openshift-keys script
|
|
copy: src=sync-openshift-keys.py dest=/usr/local/bin/sync-openshift-keys.py mode=0755
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
# The zodbot server must allow TCP on whatever port zodbot is listening on
|
|
# for this to work (currently TCP port 5050).
|
|
# Once that is done, you can symlink /usr/local/bin/zodbot-announce-commits.py
|
|
# to the 'hooks' directory of the bare repo you're wishing to receive commits
|
|
# for, then add a hooks.zodbotchannel to the repo's config file.
|
|
# Lastly, add the following lines to your 'update' hook:
|
|
# reposource=$(git config hooks.reposource)
|
|
# zodbot_channel=$(git config hooks.zodbotchannel)
|
|
# python $reposource/hooks/zodbot-announce-commits.py $reposource $zodbot_channel $oldrev $newrev ${1#refs/heads/}
|
|
|
|
- name: install zodbot-announce-commits script
|
|
copy: src=zodbot-announce-commits.py dest=/usr/local/bin/zodbot-announce-commits.py mode=0755
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
#
|
|
# This is another script to announce commits, this time to the fedmsg bus
|
|
#
|
|
|
|
- name: install fedmsg-announce-commits script
|
|
copy: src=fedmsg-announce-commits.py dest=/usr/local/bin/fedmsg-announce-commits.py mode=0755
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
#
|
|
# This script checks all the virthosts and logs what guests they are running.
|
|
#
|
|
|
|
- name: install vmdiff.sh cron
|
|
copy: src=vmdiff.sh dest=/etc/cron.hourly/vmdiff.sh mode=0755
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
#
|
|
# Setup public db copy script.
|
|
#
|
|
|
|
- name: setup public db copy script
|
|
copy: src=public-db-copy.cron dest=/etc/cron.daily/public-db-copy.cron mode=0644
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
#
|
|
# Setup job that runs a check/diff ansible run over all playbooks each night.
|
|
#
|
|
|
|
- name: setup checkdiff ansible job
|
|
copy: src=ansible-playbook-check-diff.cron dest=/etc/cron.daily/ansible-playbook-check-diff.cron mode=0644
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
#
|
|
# sync-rhn cron job
|
|
#
|
|
- name: setup sync-rhn cron
|
|
copy: src=sync-rhn dest=/etc/cron.d/sync-rhn mode=0644
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
#
|
|
# Setup web server config
|
|
#
|
|
- name: install web server config for batcave (mimetypes)
|
|
copy: src=mime-types.conf dest=/etc/httpd/conf.d/mime-types.conf mode=0644
|
|
tags:
|
|
- batcave
|
|
- config
|
|
- httpd
|
|
|
|
- name: install web server config for batcave (access rules)
|
|
copy: src=allows dest=/etc/httpd/conf.d/allows mode=0644
|
|
tags:
|
|
- batcave
|
|
- config
|
|
- httpd
|
|
|
|
- name: install web server config for batcave (main config)
|
|
copy: src=infrastructure.fedoraproject.org.conf dest=/etc/httpd/conf.d/infrastructure.fedoraproject.org.conf mode=0644
|
|
tags:
|
|
- batcave
|
|
- config
|
|
- httpd
|
|
|
|
#
|
|
# this cron job creates a json file from the rhel repos
|
|
#
|
|
|
|
- name: create repo2json directory
|
|
file: dest=/srv/web/repo/json mode=0755 state=directory owner=apache group=apache
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
- name: create repo2json cron job
|
|
copy: src=repo2json.cron dest=/etc/cron.d/repo2json.cron mode=0644
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
#
|
|
# ansible utils includes our rbac-playbook
|
|
#
|
|
|
|
- name: install ansible_utils config
|
|
copy: src={{ private }}/files/rbac/rbac.yaml dest=/etc/ansible_utils/rbac.yaml mode=0500
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
#
|
|
# Setup geoip scripts.
|
|
# Other machines pull current geoip data from here.
|
|
#
|
|
|
|
- name: Install geoip download databases script
|
|
copy: src=geoip-download-databases dest=/usr/local/bin/geoip-download-databases mode=0755
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
- name: Install geoip download cron
|
|
copy: src=geoip-download-databases.cron dest=/etc/cron.d/geoip-download-databases.cron mode=0644
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
#
|
|
# fasClient fedmsg job
|
|
#
|
|
|
|
- name: Install config for fedmsg tigger for fasClient runs
|
|
copy: src=fedmsg-fasclient.py dest=/etc/fedmsg.d/fasclient.py mode=0644
|
|
tags:
|
|
- batcave
|
|
- config
|
|
|
|
#
|
|
# set selinux context for /srv/web/infra
|
|
#
|
|
|
|
- name: check the selinux context of webdir
|
|
command: matchpathcon /srv/web
|
|
register: webdir
|
|
always_run: yes
|
|
changed_when: "1 != 1"
|
|
tags:
|
|
- config
|
|
- batcave
|
|
- selinux
|
|
- httpd
|
|
- httpd/website
|
|
|
|
- name: /srv/web file contexts
|
|
command: semanage fcontext -a -t httpd_sys_content_t "/srv/web(/.*)?"
|
|
when: webdir.stdout.find('httpd_sys_content_t') == -1
|
|
tags:
|
|
- config
|
|
- batcave
|
|
- selinux
|
|
- httpd
|
|
- httpd/website
|
|
|
|
#
|
|
# set selinux context for public git repos
|
|
#
|
|
|
|
- name: check the selinux context of ansible
|
|
command: matchpathcon /git/ansible
|
|
register: webdir
|
|
always_run: yes
|
|
changed_when: "1 != 1"
|
|
tags:
|
|
- config
|
|
- batcave
|
|
- selinux
|
|
- httpd
|
|
- httpd/website
|
|
|
|
- name: /git/ansible file contexts
|
|
command: semanage fcontext -a -t git_content_t "/git/ansible(/.*)?"
|
|
when: webdir.stdout.find('git_content_t') == -1
|
|
tags:
|
|
- config
|
|
- batcave
|
|
- selinux
|
|
- httpd
|
|
- httpd/website
|
|
|
|
- name: check the selinux context of badges
|
|
command: matchpathcon /git/badges
|
|
register: webdir
|
|
always_run: yes
|
|
changed_when: "1 != 1"
|
|
tags:
|
|
- config
|
|
- batcave
|
|
- selinux
|
|
- httpd
|
|
- httpd/website
|
|
|
|
- name: /git/badges file contexts
|
|
command: semanage fcontext -a -t git_content_t "/git/badges(/.*)?"
|
|
when: webdir.stdout.find('git_content_t') == -1
|
|
tags:
|
|
- config
|
|
- batcave
|
|
- selinux
|
|
- httpd
|
|
- httpd/website
|
|
|
|
- name: check the selinux context of dns
|
|
command: matchpathcon /git/dns
|
|
register: webdir
|
|
always_run: yes
|
|
changed_when: "1 != 1"
|
|
tags:
|
|
- config
|
|
- batcave
|
|
- selinux
|
|
- httpd
|
|
- httpd/website
|
|
|
|
- name: /git/dns file contexts
|
|
command: semanage fcontext -a -t git_content_t "/git/dns(/.*)?"
|
|
when: webdir.stdout.find('git_content_t') == -1
|
|
tags:
|
|
- config
|
|
- batcave
|
|
- selinux
|
|
- httpd
|
|
- httpd/website
|
|
|
|
- name: check the selinux context of infra-docs
|
|
command: matchpathcon /git/infra-docs
|
|
register: webdir
|
|
always_run: yes
|
|
changed_when: "1 != 1"
|
|
tags:
|
|
- config
|
|
- batcave
|
|
- selinux
|
|
- httpd
|
|
- httpd/website
|
|
|
|
- name: /git/infra-docs file contexts
|
|
command: semanage fcontext -a -t git_content_t "/git/infra-docs(/.*)?"
|
|
when: webdir.stdout.find('git_content_t') == -1
|
|
tags:
|
|
- config
|
|
- batcave
|
|
- selinux
|
|
- httpd
|
|
- httpd/website
|