ansible/inventory/group_vars/dbserver_stg at dbbf94a41102e5f79be2172ced0914aab60d989f - infrastructure/ansible - Forgejo: Beyond coding. We forge.

infrastructure/ansible

Nils Philippsen dbbf94a411 ipa/client: configure global shell access and sudo

Almost global anyway, i.e. inside the VPN.

The ipa/client-based shell access and sudo rules are only effective for
staging right now, the respective playbook bits are masked out for prod.

- Assign Ansible host groups to IPA host groups, the latter don't care
  about 'stg' in the name and use dashes rather than underscores.
- Distill shell access groups from fas_client_groups in group and host
  vars.
- Let all `sysadmin-*` groups in the previous list run anything via sudo
  in the host group (except bastion & batcave).
- Remove `fas_client_groups` from staging host and group vars.
- Remove sudoers from staging host and group vars if only `sysadmin-*`
  groups have shell access.
- Set up `ipa_client_shell_groups` on bastion to be a super set of the
  same on batcave.

Newly created IPA host groups:
- autosign
- badges
- basset
- bastion
- batcave
- blockerbugs
- bodhi
- bugzilla2fedmsg
- busgateway
- datagrepper
- dbserver
- dns
- fedimg
- github2fedmsg
- ipa
- kernel-qa
- kerneltest
- kojibuilder
- kojihub
- kojipkgs
- logging
- mailman
- memcached
- mirrormanager
- nagios
- notifs
- oci-registry
- odcs
- openqa
- openqa-workers
- osbs
- packages
- pdc-web
- pkgs
- proxies
- rabbitmq
- releng-compose
- resultsdb
- secondary
- sign-bridge
- sundries
- value
- wiki

Signed-off-by: Nils Philippsen <nils@redhat.com>

2021-02-01 22:23:41 +00:00

11 lines

219 B

Text

Raw Blame History

 ---
 ipa_host_group: dbserver
 ipa_host_group_desc: Database server hosts
 ipa_client_shell_groups:
 - sysadmin-dba
 - sysadmin-noc
 - sysadmin-veteran
 ipa_client_sudo_groups:
 - sysadmin-dba
 - sysadmin-noc
 - sysadmin-veteran