[ansible] Disable keytab for now
by Nicolas Chauvet
commit b37346af8b32f5f268d3d2b4898259e2c49fb842
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Mar 2 16:06:51 2017 +0100
Disable keytab for now
roles/base/tasks/main.yml | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
---
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 3288a72..027eb0e 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -442,3 +442,4 @@
- name: Setup host keytab
include: keytab.yml
+ when: env == 'DISABLED'
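Review bot: The added `when: env == 'DISABLED'` disables the include by comparing `env` against a value it never takes (the inventory documents it as staging or production), so it reads as a permanent condition rather than a temporary switch. A named flag makes the intent explicit and lets a group opt back in without editing the role: `when: enable_host_keytab|default(false)`. Because a `when` on an `include` is applied to every included task, the flag short-circuits the whole of keytab.yml exactly as the sentinel does today.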
[ansible] Add keytab
by Nicolas Chauvet
commit 47c0040e3672f1614547362a567512fa272daa9e
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Mar 2 16:03:38 2017 +0100
Add keytab
roles/base/tasks/keytab.yml | 130 +++++++++++++++++++++++++++++++++++++++++++
1 files changed, 130 insertions(+), 0 deletions(-)
---
diff --git a/roles/base/tasks/keytab.yml b/roles/base/tasks/keytab.yml
new file mode 100644
index 0000000..a6f43cc
--- /dev/null
+++ b/roles/base/tasks/keytab.yml
@@ -0,0 +1,130 @@
+---
+# Get host keytab
+- name: Determine whether we need to get host keytab
+ stat: path=/etc/krb5.keytab
+ register: host_keytab_status
+ tags:
+ - base
+ - config
+ - krb5
+
+- name: Get admin keytab
+ delegate_to: "{{ ipa_server }}"
+ shell: echo "{{ipa_admin_password}}" | kinit admin
+ tags:
+ - base
+ - config
+ - krb5
+ when: not host_keytab_status.stat.exists
+
+- name: Create host entry
+ delegate_to: "{{ ipa_server }}"
+ command: ipa host-add {{inventory_hostname}}
+ register: host_add_result
+ changed_when: "'Added host' in host_add_result.stdout"
+ failed_when: "not ('Added host' in host_add_result.stdout or 'already exists' in host_add_result.stderr)"
+ tags:
+ - base
+ - config
+ - krb5
+ when: not host_keytab_status.stat.exists
+
+- name: Create additional host entries
+ delegate_to: "{{ ipa_server }}"
+ command: ipa host-add {{item}}
+ with_items: "{{ additional_host_keytabs }}"
+ register: hosts_add_result
+ changed_when: "'Added host' in hosts_add_result.stdout"
+ failed_when: "not ('Added host' in hosts_add_result.stdout or 'already exists' in hosts_add_result.stderr)"
+ tags:
+ - base
+ - config
+ - krb5
+ when: not host_keytab_status.stat.exists
+
+- name: Generate host keytab
+ delegate_to: "{{ ipa_server }}"
+ command: ipa-getkeytab -s {{ipa_server}} -p host/{{inventory_hostname}} -k /tmp/{{inventory_hostname}}.kt
+ register: getkeytab_result
+ changed_when: false
+ failed_when: "'successfully retrieved' not in getkeytab_result.stderr"
+ tags:
+ - base
+ - config
+ - krb5
+ when: not host_keytab_status.stat.exists
+
+- name: Add additional host keytabs
+ delegate_to: "{{ ipa_server }}"
+ command: ipa-getkeytab -s {{ipa_server}} -p host/{{item}} -k /tmp/{{inventory_hostname}}.kt
+ with_items: "{{ additional_host_keytabs }}"
+ register: getkeytabs_result
+ changed_when: false
+ failed_when: "'successfully retrieved' not in getkeytabs_result.stderr"
+ tags:
+ - base
+ - config
+ - krb5
+ when: not host_keytab_status.stat.exists
+
+- name: Destroy kerberos ticket
+ delegate_to: "{{ ipa_server }}"
+ command: kdestroy -A
+ tags:
+ - base
+ - config
+ - krb5
+ when: not host_keytab_status.stat.exists
+
+- name: Get keytab
+ delegate_to: "{{ ipa_server }}"
+ command: base64 /tmp/{{inventory_hostname}}.kt
+ register: keytab
+ tags:
+ - base
+ - config
+ - krb5
+ when: not host_keytab_status.stat.exists
+
+- name: Destroy stored keytab
+ delegate_to: "{{ ipa_server }}"
+ file: path=/tmp/{{inventory_hostname}}.kt state=absent
+ tags:
+ - base
+ - config
+ - krb5
+ when: not host_keytab_status.stat.exists
+
+- name: Deploy base64 keytab
+ copy: dest=/etc/krb5.keytab.b64
+ content={{keytab.stdout}}
+ owner=root group=root mode=0600
+ tags:
+ - base
+ - config
+ - krb5
+ when: not host_keytab_status.stat.exists
+
+- name: Base64-decode keytab
+ shell: "umask 077; base64 -d /etc/krb5.keytab.b64 >/etc/krb5.keytab"
+ tags:
+ - base
+ - config
+ - krb5
+ when: not host_keytab_status.stat.exists
+
+- name: Set keytab permissions
+ file: path=/etc/krb5.keytab owner=root group=root mode=0600
+ tags:
+ - base
+ - config
+ - krb5
+ when: not host_keytab_status.stat.exists
+
+- name: Destroy encoded keytab
+ file: path=/etc/krb5.keytab.b64 state=absent
+ tags:
+ - base
+ - config
+ - krb5
+ when: not host_keytab_status.stat.exists
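Review bot: The `Get admin keytab` task pipes `{{ipa_admin_password}}` through `echo` in a shell pipeline, so the admin password appears in the `sh -c` argument list on the delegated IPA server and in Ansible's task output and logs; neither that task nor `Get keytab` and `Deploy base64 keytab`, whose registered/templated value is the keytab itself, is marked `no_log: true`. Add `no_log: true` to those three tasks as a minimum. The intermediate `/tmp/{{inventory_hostname}}.kt` on the IPA server is a predictable path in a shared directory; a private temporary directory, or at least an explicit restrictive mode, would narrow the window between `ipa-getkeytab` and `Destroy stored keytab`. The admin ticket is only destroyed when every preceding delegated task succeeds; wrapping the delegated tasks in a `block` with `kdestroy -A` in its `always` section would guarantee the cleanup.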
[ansible] Update main variables
by Nicolas Chauvet
commit 8b16a33aafba0d74cf66644b190fa819b5e969ad
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Mar 2 16:01:25 2017 +0100
Update main variables
inventory/group_vars/all | 108 ++++++++++++++++++++++++++++++++++++++-------
1 files changed, 91 insertions(+), 17 deletions(-)
---
diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index c0ff01d..256d81f 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -1,12 +1,30 @@
---
+#######
+# BEGIN: Ansible roles_path variables
+#
+# Background/reference about external repos pulled in:
+# https://pagure.io/fedora-infrastructure/issue/5476
+#
+ansible_base: /srv/web/infra
+
+# Path to the openshift-ansible checkout as external git repo brought into
+# Fedora Infra
+openshift_ansible: /srv/web/infra/openshift-ansible/
+
+#
+# END: Ansible roles_path variables
+#######
+
freezes: true
# most of our systems are in online
datacenter: online
+# for httpd/website
+server_admin: root(a)rpmfusion.org
# usually we do not want to enable nested virt, only on some virthosts
nested: false
-# most of our systems are 64bit.
+# most of our systems are 64bit.
# Used to install various nagios scripts and the like.
libdir: /usr/lib64
@@ -34,8 +52,8 @@ mem_size: 1024
num_cpus: 1
lvm_size: 20000
-# Default netmask. Almost all our phx2 nets are /24's with the
-# exception of 10.5.124.128/25. Almost all of our non phx2 sites are
+# Default netmask. Almost all our phx2 nets are /24's with the
+# exception of 10.5.124.128/25. Almost all of our non phx2 sites are
# less than a /24.
eth0_nm: 255.255.255.0
eth1_nm: 255.255.255.0
@@ -58,7 +76,7 @@ virt_install_command_one_nic: virt-install -n {{ inventory_hostname }}
'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyS0
hostname={{ inventory_hostname }} nameserver={{ dns }}
ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none'
- --network bridge=br1,model=virtio
+ --network bridge={{ main_bridge }},model=virtio
--autostart --noautoconsole --watchdog default
virt_install_command_two_nic: virt-install -n {{ inventory_hostname }}
@@ -72,6 +90,27 @@ virt_install_command_two_nic: virt-install -n {{ inventory_hostname }}
--network bridge={{ main_bridge }},model=virtio --network=bridge={{ nfs_bridge }},model=virtio
--autostart --noautoconsole --watchdog default
+virt_install_command_aarch64_one_nic: virt-install -n {{ inventory_hostname }}
+ --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
+ --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
+ --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
+ 'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyAMA0
+ hostname={{ inventory_hostname }} nameserver={{ dns }}
+ ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none'
+ --network bridge={{ main_bridge }},model=virtio
+ --autostart --noautoconsole
+
+virt_install_command_aarch64_two_nic: virt-install -n {{ inventory_hostname }}
+ --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
+ --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
+ --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
+ 'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyAMA0
+ hostname={{ inventory_hostname }} nameserver={{ dns }}
+ ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none
+ ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname }}-nfs:eth1:none'
+ --network bridge={{ main_bridge }},model=virtio --network=bridge={{ nfs_bridge }},model=virtio
+ --autostart --noautoconsole
+
virt_install_command_rhel6: virt-install -n {{ inventory_hostname }}
--memory={{ mem_size }},maxmemory={{ max_mem_size }}
--disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
@@ -87,6 +126,16 @@ max_cpu: "{{ num_cpus * 1 }}"
# This is the wildcard certname for our proxies. It has a different name for
# the staging group and is used in the proxies.yml playbook.
wildcard_cert_name: wildcard-2016.rpmfusion.org
+wildcard_crt_file: wildcard-2016.rpmfusion.org.cert
+wildcard_key_file: wildcard-2016.rpmfusion.org.key
+wildcard_int_file: wildcard-2016.rpmfusion.org.intermediate.cert
+SSLCertificateChainFile: wildcard-2016.rpmfusion.org.intermediate.cert
+
+# Everywhere, always, we should sign messages and validate signatures.
+# However, we allow individual hosts and groups to override this. Use this very
+# carefully.. and never in production (good for testing stuff in staging).
+fedmsg_sign_messages: True
+fedmsg_validate_signatures: True
# By default, nodes get no fedmsg certs. They need to declare them explicitly.
fedmsg_certs: []
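Review bot: `fedmsg_sign_messages: True` and `fedmsg_validate_signatures: True` use capitalised booleans while the rest of this file writes `true`/`false` (`freezes: true`, `nested: false`, `become: false`); the same applies to `vpn: False` in the last hunk of this file. Both spellings parse as booleans under YAML 1.1, but the lowercase form is what yamllint's `truthy` rule accepts and keeps the file consistent: `fedmsg_sign_messages: true`, `fedmsg_validate_signatures: true`, `vpn: false`.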
@@ -132,29 +181,22 @@ nrpe_procs_crit: 300
nrpe_check_postfix_queue_warn: 2
nrpe_check_postfix_queue_crit: 5
-# env is staging or production, we default it to production here.
+# env is staging or production, we default it to production here.
env: production
env_suffix:
# nfs mount options, override at the group/host level
-nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,nfsvers=3"
+nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4"
-# by default set become to false here We can override it as needed.
-# Note that if become is true, you need to unset requiretty for
-# ssh controlpersist to work.
+# by default set become to false here We can override it as needed.
+# Note that if become is true, you need to unset requiretty for
+# ssh controlpersist to work.
become: false
-# default the root_auth_users to nothing.
+# default the root_auth_users to nothing.
# This should be set for cloud instances in their host or group vars.
root_auth_users: ''
-# default path for ansible-server
-ansible_base: /srv/web/infra
-
-# for httpd/website
-server_admin: root(a)rpmfusion.org
-SSLCertificateChainFile: wildcard-2016.rpmfusion.org.intermediate.cert
-
# This vars get shoved into /etc/system_identification by the base role.
# Groups and individual hosts should override them with specific info.
# See http://infrastructure.fedoraproject.org/csi/security-policy/
@@ -167,3 +209,35 @@ csi_relationship: |
* What hosts/services rely on this?
To update this text, add the csi_* vars to group_vars/ in ansible.
+
+
+# docker images required by OpenShift Origin
+openshift_required_images:
+ - "openshift/origin-pod"
+
+# docker images required by OSBS for builds
+fedora_required_images:
+ - "fedora:24"
+ - "fedora:25"
+ - "fedora:latest"
+
+#
+# say if we want the apache role dependency for mod_wsgi or not
+# In some cases we want mod_wsgi and no apache (for python3 httpaio stuff)
+#
+wsgi_wants_apache: true
+
+# IPA settings
+additional_host_keytabs: []
+ipa_server: ipa01.online.rpmfusion.org
+ipa_realm: RPMFUSION.ORG
+ipa_admin_password: "{{ ipa_prod_admin_password }}"
+
+# Normal default sshd port is 22
+sshd_port: 22
+
+# assume collectd apache
+collectd_apache: true
+
+# assume vpn is false
+vpn: False
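Review bot: `ipa_admin_password: "{{ ipa_prod_admin_password }}"` and `ipa_server: ipa01.online.rpmfusion.org` are unconditional defaults for every group, so a staging host running keytab.yml would authenticate to the production IPA server with the production admin credential, even though the inventory already distinguishes environments through `env`/`env_suffix`. Consider selecting both by environment (for example `ipa_server: "ipa01{{ env_suffix }}.online.rpmfusion.org"`, mirroring the krb5 template) or moving them into the production group vars so staging has to define its own. `additional_host_keytabs: []` as an explicit empty list is the right default for the `with_items` loops in keytab.yml.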
[ansible] Update roles/base tasks
by Nicolas Chauvet
commit 693720c8d7bc90bbab15dcf3b62fc2812ebceb26
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Mar 2 15:48:07 2017 +0100
Update roles/base tasks
roles/base/tasks/main.yml | 121 ++++++++++++++++++++++++++++--------
roles/base/tasks/postfix.yml | 10 +--
roles/base/tasks/watchdog.yml | 4 +-
roles/base/templates/krb5.conf.j2 | 29 +++++++++
4 files changed, 129 insertions(+), 35 deletions(-)
---
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index c32728b..3288a72 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -5,12 +5,28 @@
# Things in here are things we want to do to every machine no matter what.
#
+- name: ensure packages required for semanage are installed (yum)
+ yum: name={{ item }} state=present
+ when: ansible_distribution_major_version|int < 22
+ with_items:
+ - policycoreutils-python
+ tags:
+ - selinux
+
+- name: ensure packages required for semanage are installed (dnf)
+ dnf: name={{ item }} state=present
+ when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
+ with_items:
+ - policycoreutils-python-utils
+ tags:
+ - selinux
+
# XXX fixme # a datacenter 'fact' from setup
- name: /etc/resolv.conf
copy: src={{ item }} dest=/etc/resolv.conf
with_first_found:
- "{{ resolvconf }}"
- - resolv.conf/{{ ansible_fqdn }}
+ - resolv.conf/{{ inventory_hostname }}
- resolv.conf/{{ host_group }}
- resolv.conf/{{ datacenter }}
- resolv.conf/resolv.conf
@@ -26,7 +42,7 @@
ignore_errors: true
changed_when: false
failed_when: "1 != 1"
- always_run: true
+ check_mode: no
tags:
- config
- resolvconf
@@ -49,7 +65,7 @@
register: if_uuid
changed_when: false
failed_when: 'if_uuid.stdout == ""'
- always_run: yes
+ check_mode: no
when: ansible_distribution_major_version|int >=7 and nmclitest|success and ( not ansible_ifcfg_blacklist )
tags:
- config
@@ -88,17 +104,36 @@
- base
when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
-- debug: msg="{{ansible_nodename}} {{inventory_hostname}} {{ansible_distribution_major_version|int}}"
-
- name: make sure hostname is set right on rhel7 hosts
- command: hostnamectl set-hostname {{ inventory_hostname }}
- when: ( ansible_nodename != inventory_hostname ) and ansible_distribution_major_version|int == 7
+ hostname: name="{{inventory_hostname}}"
+
+- name: check if sshd port is already known by selinux
+ shell: semanage port -l | grep ssh
+ register: sshd_selinux_port
+ check_mode: no
+ changed_when: false
+ tags:
+ - sshd_config
+ - config
+ - sshd
+ - selinux
+ - base
+
+- name: allow alternate sshd port
+ command: semanage port -a -t ssh_port_t -p tcp {{ sshd_port }}
+ when: sshd_selinux_port.stdout.find('{{ sshd_port }}') == -1
+ tags:
+ - sshd_config
+ - config
+ - sshd
+ - selinux
+ - base
- name: sshd_config
- copy: src={{ item }} dest=/etc/ssh/sshd_config mode=600
+ copy: src={{ item }} dest=/etc/ssh/sshd_config mode=0600
with_first_found:
- "{{ sshd_config }}"
- - ssh/sshd_config.{{ ansible_fqdn }}
+ - ssh/sshd_config.{{ inventory_hostname }}
- ssh/sshd_config.{{ host_group }}
- ssh/sshd_config.{{ dist_tag }}
- ssh/sshd_config.{{ ansible_distribution }}
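Review bot: The condition `when: sshd_selinux_port.stdout.find('{{ sshd_port }}') == -1` embeds Jinja delimiters inside a `when`, which is already evaluated as a Jinja expression; Ansible warns about this, and a substring match also treats port `22` as present when only `2222` is listed. The `seport` module is idempotent and removes both the grep pipeline and the check: `seport: ports={{ sshd_port }} proto=tcp setype=ssh_port_t state=present` replaces the two new tasks. If the pipeline is kept, write the test as `when: sshd_selinux_port.stdout.find(sshd_port|string) == -1`.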
@@ -117,7 +152,7 @@
tags:
- rootpw
- base
- when: not (inventory_hostname.startswith('rawhide') or inventory_hostname.startswith('branched') or inventory_hostname.startswith('compose') or inventory_hostname.startswith('build') or inventory_hostname.startswith('arm') or inventory_hostname.startswith('bkernel') or inventory_hostname.startswith('koji01.stg') or inventory_hostname.startswith('aarch64') or inventory_hostname.startswith('s390') or inventory_hostname.startswith('fed-cloud09'))
+ when: not (inventory_hostname.startswith('rawhide') or inventory_hostname.startswith('branched') or inventory_hostname.startswith('compose') or inventory_hostname.startswith('build') or inventory_hostname.startswith('arm') or inventory_hostname.startswith('bkernel') or inventory_hostname.startswith('koji01.stg') or inventory_hostname.startswith('aarch64') or inventory_hostname.startswith('s390') or inventory_hostname.startswith('fed-cloud09') or inventory_hostname.startswith('ppc8-04'))
- name: add ansible root key
authorized_key: user=root key="{{ item }}"
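Review bot: The extended `when:` is now eleven chained `or inventory_hostname.startswith(...)` calls on one line; `startswith` accepts a tuple, and this same file already uses that form (`startswith(('fed-cloud09','osbs'))`, `startswith(('mirrorlist','copr','jenkins'))`). Rewriting it as `when: not inventory_hostname.startswith(('rawhide', 'branched', 'compose', 'build', 'arm', 'bkernel', 'koji01.stg', 'aarch64', 's390', 'fed-cloud09', 'ppc8-04'))` keeps the behaviour and makes the next addition a one-token change. The task this condition belongs to starts outside the hunk.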
@@ -188,14 +223,14 @@
- base
- name: iptables
- template: src={{ item }} dest=/etc/sysconfig/iptables mode=600 validate="/sbin/iptables-restore --text %s"
+ template: src={{ item }} dest=/etc/sysconfig/iptables mode=0600 validate="/sbin/iptables-restore --text %s"
with_first_found:
- iptables/iptables.{{ datacenter }}
- - iptables/iptables.{{ ansible_fqdn }}
+ - iptables/iptables.{{ inventory_hostname }}
- iptables/iptables.{{ host_group }}
- iptables/iptables.{{ env }}
- iptables/iptables
- when: not inventory_hostname.startswith('fed-cloud09')
+ when: not inventory_hostname.startswith(('fed-cloud09','osbs'))
notify:
- restart iptables
- reload libvirtd
@@ -212,10 +247,10 @@
- base
- name: ip6tables
- template: src={{ item }} dest=/etc/sysconfig/ip6tables mode=600 backup=yes
+ template: src={{ item }} dest=/etc/sysconfig/ip6tables mode=0600 backup=yes
with_first_found:
- iptables/ip6tables.{{ datacenter }}
- - iptables/ip6tables.{{ ansible_fqdn }}
+ - iptables/ip6tables.{{ inventory_hostname }}
- iptables/ip6tables.{{ host_group }}
- iptables/ip6tables.{{ env }}
- iptables/ip6tables
@@ -248,9 +283,9 @@
- flush journald tmpfiles to persistent store
- name: rsyslog.conf
- copy: src={{ item }} dest=/etc/rsyslog.conf mode=644
+ copy: src={{ item }} dest=/etc/rsyslog.conf mode=0644
with_first_found:
- - rsyslog/rsyslog.conf.{{ ansible_fqdn }}
+ - rsyslog/rsyslog.conf.{{ inventory_hostname }}
- rsyslog/rsyslog.conf.{{ dist_tag }}
- rsyslog/rsyslog.conf.default
notify:
@@ -261,7 +296,7 @@
- base
- name: rsyslog log rotate for rsyslog servers
- copy: src=rsyslog/merged-rsyslog dest=/etc/logrotate.d/merged-rsyslog mode=644
+ copy: src=rsyslog/merged-rsyslog dest=/etc/logrotate.d/merged-rsyslog mode=0644
when: inventory_hostname.startswith('log')
notify:
- restart rsyslog
@@ -282,7 +317,7 @@
- base
- name: log everything to log01 except on mirrorlist, do not log local4 there.
- copy: src=rsyslog/rsyslog-log01 dest=/etc/rsyslog.d/rsyslog-log01.conf mode=644
+ copy: src=rsyslog/rsyslog-log01 dest=/etc/rsyslog.d/rsyslog-log01.conf mode=0644
when: not inventory_hostname.startswith(('mirrorlist','copr','jenkins'))
tags:
- rsyslogd
@@ -290,13 +325,26 @@
- base
- name: log everything to log01 except on mirrorlist, do log local4 there.
- copy: src=rsyslog/rsyslog-log01-nolocal4 dest=/etc/rsyslog.d/rsyslog-log01.conf mode=644
+ copy: src=rsyslog/rsyslog-log01-nolocal4 dest=/etc/rsyslog.d/rsyslog-log01.conf mode=0644
when: inventory_hostname.startswith('mirrorlist')
tags:
- rsyslogd
- config
- base
- - base
+
+- name: rsyslogd make systemd limits directory for file handles
+ file: dest=/etc/systemd/system/rsyslog.service.d/ mode=0755 owner=root group=root state=directory
+ when: inventory_hostname.startswith('log')
+ tags:
+ - rsyslogd
+ - config
+
+- name: rsyslogd put systemd limits directory for file handles
+ copy: src=rsyslog/rsyslog-limits.conf dest=/etc/systemd/system/rsyslog.service.d/limits.conf mode=0644
+ when: inventory_hostname.startswith('log')
+ tags:
+ - rsyslogd
+ - config
- name: Setup postfix
include: postfix.yml
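Review bot: The new `rsyslogd put systemd limits directory for file handles` task drops a unit override into `/etc/systemd/system/rsyslog.service.d/limits.conf` but has no `notify:`, so the file changes on disk while the running rsyslog keeps its old limits until something else restarts it. The other rsyslog tasks in this file notify `restart rsyslog`; add `notify:` / `- restart rsyslog` here as well. A systemd drop-in additionally needs `systemctl daemon-reload` before a restart picks it up, which the existing handler presumably does not do — worth confirming and adding a daemon-reload handler if not. The task name says "put ... directory" but it copies a file; `rsyslogd install systemd limits drop-in` would describe it.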
@@ -315,7 +363,7 @@
- base
- name: install a sync httpd logs cron script only on log01
- copy: src=syncHttpLogs.sh dest=/etc/cron.daily/syncHttpLogs.sh mode=755
+ copy: src=syncHttpLogs.sh dest=/etc/cron.daily/syncHttpLogs.sh mode=0755
when: inventory_hostname.startswith('log01')
tags:
- config
@@ -328,7 +376,7 @@
- base
#
-# Blacklist the cdc_ether module as we don't want it loading mgmt usb0 and spewing to logs.
+# Blacklist the cdc_ether module as we don't want it loading mgmt usb0 and spewing to logs.
#
- name: Blacklist cdc_ether module
copy: src=blacklist-cdc_ether.conf dest=/etc/modprobe.d/blacklist-cdc_ether.conf
@@ -353,8 +401,8 @@
dest="/etc/profile.d/setstgps1.sh"
owner=root
group=root
- mode=644
- when: env == 'staging'
+ mode=0644
+ when: env == 'staging'
tags:
- base
- config
@@ -368,10 +416,29 @@
dest="/etc/profile.d/setprodps1.sh"
owner=root
group=root
- mode=644
- when: env == 'production'
+ mode=0644
+ when: env == 'production'
tags:
- base
- config
- prompt
+# Set krb5 conf
+- name: configure krb5
+ template: src=krb5.conf.j2 dest=/etc/krb5.conf owner=root group=root mode=0644
+ when: not inventory_hostname.startswith('ipa')
+ tags:
+ - base
+ - config
+ - krb5
+
+- name: configure krb5 (IPA master)
+ template: src=krb5.conf.master.j2 dest=/etc/krb5.conf owner=root group=root mode=0644
+ when: inventory_hostname.startswith('ipa')
+ tags:
+ - base
+ - config
+ - krb5
+
+- name: Setup host keytab
+ include: keytab.yml
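Review bot: `configure krb5 (IPA master)` renders `krb5.conf.master.j2`, but the diffstat for this commit adds only `roles/base/templates/krb5.conf.j2`; unless the master template already exists in the repository, the first run against a host whose name starts with `ipa` fails at that task. Either add the template in this commit or note in a comment where it is expected to come from. `Setup host keytab` includes keytab.yml unconditionally, so every host without `/etc/krb5.keytab` will contact the IPA server with admin credentials on the next run; a flag such as `when: enable_host_keytab|default(false)` would make the rollout opt-in rather than relying on the later `env == 'DISABLED'` sentinel.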
diff --git a/roles/base/tasks/postfix.yml b/roles/base/tasks/postfix.yml
index f65ba44..254c3bc 100644
--- a/roles/base/tasks/postfix.yml
+++ b/roles/base/tasks/postfix.yml
@@ -2,7 +2,7 @@
copy: src={{ item }} dest=/etc/postfix/main.cf
with_first_found:
- "{{ postfix_maincf }}"
- - "postfix/main.cf/main.cf.{{ ansible_fqdn }}"
+ - "postfix/main.cf/main.cf.{{ inventory_hostname }}"
- "postfix/main.cf/main.cf.{{ host_group }}"
- "postfix/main.cf/main.cf.{{ postfix_group }}"
- "postfix/main.cf/main.cf.{{ datacenter }}"
@@ -18,12 +18,11 @@
copy: src={{ item }} dest=/etc/postfix/master.cf mode=0644
with_first_found:
- "{{ postfix_mastercf }}"
- - "postfix/master.cf/master.cf.{{ ansible_fqdn }}"
- "postfix/master.cf/master.cf.{{ inventory_hostname }}"
- "postfix/master.cf/master.cf.{{ host_group }}"
- "postfix/master.cf/master.cf.{{ postfix_group }}"
- "postfix/master.cf/master.cf"
- when: inventory_hostname.startswith('smtp-mm')
+ when: inventory_hostname.startswith(('smtp-mm', 'mailman', 'noc02'))
notify:
- restart postfix
tags:
@@ -39,13 +38,12 @@
- name: install /etc/postfix/transport file
copy: src="postfix/{{ postfix_transport_filename }}" dest=/etc/postfix/transport
- when: inventory_hostname.startswith(('smtp-mm','bastion'))
+ when: inventory_hostname.startswith(('smtp-mm','bastion','noc02'))
notify:
- - restart postfix
- rebuild postfix transport
+ - restart postfix
tags:
- postfix
- base
- config
-
diff --git a/roles/base/tasks/watchdog.yml b/roles/base/tasks/watchdog.yml
index a2c5c11..7b03566 100644
--- a/roles/base/tasks/watchdog.yml
+++ b/roles/base/tasks/watchdog.yml
@@ -1,7 +1,7 @@
- name: See if theres a watchdog device
stat: path=/dev/watchdog
when: ansible_virtualization_role == 'guest'
- always_run: true
+ check_mode: no
failed_when: no
register: watchdog_dev
@@ -17,7 +17,7 @@
- base
- name: watchdog device configuration
- copy: src=watchdog.conf dest=/etc/watchdog.conf owner=root group=root mode=644
+ copy: src=watchdog.conf dest=/etc/watchdog.conf owner=root group=root mode=0644
tags:
- config
- watchdog
diff --git a/roles/base/templates/krb5.conf.j2 b/roles/base/templates/krb5.conf.j2
new file mode 100644
index 0000000..78a450b
--- /dev/null
+++ b/roles/base/templates/krb5.conf.j2
@@ -0,0 +1,29 @@
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ default_realm = {{ ipa_realm }}
+ rdns = false
+ dns_canonicalize_hostname = false
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+
+[realms]
+ {{ ipa_realm }} = {
+{% if ansible_distribution_major_version|int == 6 %}
+ kdc = ipa01{{ env_suffix }}.online.rpmfusion.net
+{% else %}
+ kdc = https://id{{ env_suffix }}.rpmfusion.org/KdcProxy
+{% endif %}
+ }
+
+[domain_realm]
+ .rpmfusion.org = RPMFUSION.ORG
+ rpmfusion.org = RPMFUSION.ORG
+ .stg.rpmfusion.org = STG.RPMFUSION.ORG
+ stg.rpmfusion.org = STG.RPMFUSION.ORG
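Review bot: The RHEL 6 branch points the KDC at `ipa01{{ env_suffix }}.online.rpmfusion.net`, while `inventory/group_vars/all` in this series sets `ipa_server: ipa01.online.rpmfusion.org`; one of the two TLDs is presumably a typo, and with `dns_lookup_kdc = false` a wrong name here has no DNS fallback — confirm which is right. `[realms]` is keyed on `{{ ipa_realm }}` but `[domain_realm]` hardcodes both `RPMFUSION.ORG` and `STG.RPMFUSION.ORG`, so a name that maps to whichever realm is not `ipa_realm` has no KDC entry to reach. Either template the `[domain_realm]` entries from `ipa_realm` as well, or add a `[realms]` block for the second realm so the mapping is always resolvable.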
[ansible] Update sigul tasks
by Nicolas Chauvet
commit f7bba21570e51f3842bb2938db513100df0ecfed
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Mar 2 14:35:10 2017 +0100
Update sigul tasks
roles/sigul/server/tasks/main.yml | 10 +++++++++-
1 files changed, 9 insertions(+), 1 deletions(-)
---
diff --git a/roles/sigul/server/tasks/main.yml b/roles/sigul/server/tasks/main.yml
index 588a547..df7d722 100644
--- a/roles/sigul/server/tasks/main.yml
+++ b/roles/sigul/server/tasks/main.yml
@@ -60,6 +60,14 @@
when: ansible_distribution_major_version|int == 7
- name: add polkit rules to allow sigul user to access the smartcard/yubikey
- file: src=00-sigul.rules dest=/etc/polkit-1/rules.d/00-sigul.rules
+ copy: src=00-sigul.rules dest=/etc/polkit-1/rules.d/00-sigul.rules
+ tags:
+ - config
+
+- name: Deploy public certs
+ copy: src="{{private}}/files/{{item}}" dest=/etc/sigul/{{item}} mode=0644 owner=root group=root
+ with_items:
+ - rpmfusion-server-ca.cert
+ - rpmfusion-upload-ca.cert
tags:
- config
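Review bot: The `add polkit rules` task now correctly uses `copy:` for `00-sigul.rules`, but unlike the new `Deploy public certs` task it does not pin `mode`, `owner` or `group`, so the file inherits the remote umask; polkit rules decide who may reach the signing smartcard, so they deserve the same explicit `mode=0644 owner=root group=root`. The hunk's first line (`when: ansible_distribution_major_version|int == 7`) belongs to the previous task, which starts outside the hunk.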
[ansible] Remove CentOS case
by Nicolas Chauvet
commit 5d3951b181cf3e2897d1f4dae28b358ea96f15fb
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Mar 2 14:28:20 2017 +0100
Remove CentOS case
roles/sigul/server/tasks/main.yml | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
---
diff --git a/roles/sigul/server/tasks/main.yml b/roles/sigul/server/tasks/main.yml
index 5dee411..588a547 100644
--- a/roles/sigul/server/tasks/main.yml
+++ b/roles/sigul/server/tasks/main.yml
@@ -1,6 +1,6 @@
- name: put rhel AH repos on rhel systems
copy: src="{{ files }}/common/rhel7ah.repo" dest="/etc/yum.repos.d/rhel7ah.repo"
- when: ansible_distribution == 'RedHat' or ansible_distribution == 'CentOS'
+ when: ansible_distribution == 'RedHat'
tags:
- config
- packages
[ansible] Add centos repo task
by Nicolas Chauvet
commit fe71f6a0ee0ab280d0f17bd9aa42c69c1df755f7
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Mar 2 14:26:03 2017 +0100
Add centos repo task
roles/sigul/server/tasks/main.yml | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)
---
diff --git a/roles/sigul/server/tasks/main.yml b/roles/sigul/server/tasks/main.yml
index d368ea6..5dee411 100644
--- a/roles/sigul/server/tasks/main.yml
+++ b/roles/sigul/server/tasks/main.yml
@@ -6,6 +6,14 @@
- packages
- yumrepos
+- name: put CentOS AH repos on rhel systems
+ copy: src="{{ files }}/common/centos7ah.repo" dest="/etc/yum.repos.d/centos7ah.repo"
+ when: ansible_distribution == 'CentOS'
+ tags:
+ - config
+ - packages
+ - yumrepos
+
- name: Install sigul server
package: state=present name={{ item }}
with_items:
[ansible] Add centos7ha repo
by Nicolas Chauvet
commit e5a2db2b1b030fe47d6b906fb1cae05e848eb5de
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Mar 2 14:24:48 2017 +0100
Add centos7ha repo
files/common/centos7ah.repo | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
---
diff --git a/files/common/centos7ah.repo b/files/common/centos7ah.repo
new file mode 100644
index 0000000..f23d6fd
--- /dev/null
+++ b/files/common/centos7ah.repo
@@ -0,0 +1,5 @@
+[ah]
+name=ah
+baseurl=http://cbs.centos.org/repos/atomic7-testing/x86_64/os/
+enabled=1
+gpgcheck=0
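Review bot: `gpgcheck=0` together with a plain `http://` `baseurl` means packages from this repository are installed with no signature check over an unauthenticated transport, and the task that deploys it (`put CentOS AH repos on rhel systems`) lives in the sigul signing-server role. If the atomic7-testing packages are signed, set `gpgcheck=1` and point `gpgkey=` at the CentOS 7 signing key; if they are not, at least use `https://` where the mirror supports it and leave a comment stating that the repo is deliberately unverified so the exposure stays visible in review. Restricting the repo to the few packages actually needed (`includepkgs=`) would further limit what an unverified source can replace.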
[ansible] Add serial console role
by Nicolas Chauvet
commit 9e5773ecc7fbb38bdbe595159113cd46aad2bcb8
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Mar 2 11:05:59 2017 +0100
Add serial console role
roles/serial-console/files/serial-getty@.service | 35 ++++++++++++++++++++++
roles/serial-console/tasks/main.yml | 31 +++++++++++++++++++
2 files changed, 66 insertions(+), 0 deletions(-)
---
diff --git a/roles/serial-console/files/serial-getty@.service b/roles/serial-console/files/serial-getty@.service
new file mode 100644
index 0000000..6539556
--- /dev/null
+++ b/roles/serial-console/files/serial-getty@.service
@@ -0,0 +1,35 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Serial Getty on %I
+Documentation=man:agetty(8) man:systemd-getty-generator(8)
+Documentation=http://0pointer.de/blog/projects/serial-console.html
+BindsTo=dev-%i.device
+After=dev-%i.device systemd-user-sessions.service plymouth-quit-wait.service
+After=rc-local.service
+
+# If additional gettys are spawned during boot then we should make
+# sure that this is synchronized before getty.target, even though
+# getty.target didn't actually pull it in.
+Before=getty.target
+IgnoreOnIsolate=yes
+
+[Service]
+ExecStart=-/sbin/agetty --keep-baud 115200,38400,9600 %I $TERM
+Type=idle
+Restart=always
+UtmpIdentifier=%I
+TTYPath=/dev/%I
+TTYReset=yes
+TTYVHangup=yes
+KillMode=process
+IgnoreSIGPIPE=no
+SendSIGHUP=yes
+
+[Install]
+WantedBy=getty.target
diff --git a/roles/serial-console/tasks/main.yml b/roles/serial-console/tasks/main.yml
new file mode 100644
index 0000000..a333188
--- /dev/null
+++ b/roles/serial-console/tasks/main.yml
@@ -0,0 +1,31 @@
+#
+# This role sets up serial console on ttyS0
+#
+- name: check for grub serial setup
+ command: cat /etc/grub2.cfg
+ register: serial
+ check_mode: no
+ changed_when: '1 != 1'
+ tags:
+ - serial-console
+
+- name: set grub to use serial console
+ command: /sbin/grubby --update-kernel=ALL --args="console=tty0 console=ttyS0,115200"
+ when: serial is defined and serial.stdout.find("console=tty0 console=ttyS0,115200") == -1
+ tags:
+ - serial-console
+
+- name: setup systemd links for getty (S0)
+ copy: src=serial-getty@.service dest=/etc/systemd/system/serial-getty(a)ttyS0.service
+ tags:
+ - serial-console
+
+- name: link template in
+ file: dest=/etc/systemd/system/getty.target.wants/serial-getty@ttyS0 src=/etc/systemd/system/serial-getty(a)ttyS0.service state=link
+ tags:
+ - serial-console
+
+- name: start and enable
+ service: name=serial-getty@ttyS0 enabled=yes state=started
+ tags:
+ - serial-console
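Review bot: The `link template in` task creates `getty.target.wants/serial-getty@ttyS0` without the `.service` suffix, which is not a valid unit name, so systemd will not honour that link; the following `service: name=serial-getty@ttyS0 enabled=yes` already creates the correct `serial-getty@ttyS0.service` link through the unit's `[Install] WantedBy=getty.target`, so the manual link task can be dropped (or its `dest=` renamed with the suffix). The `(a)` inside the `dest=`/`src=` paths of the two copy/link tasks looks like the list archive's `@` obfuscation; if it is literally in the file, both paths need `serial-getty@ttyS0.service`. In `set grub to use serial console`, `serial is defined` is always true after `register: serial` on the previous task and can be dropped, and `changed_when: false` is the clearer spelling of `changed_when: '1 != 1'`.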