[ansible] Update handlers
by Nicolas Chauvet
commit 5e1c4d6601b1063a3ddb5a61a4812ff9c387f201
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Feb 5 19:24:01 2018 +0100
Update handlers
handlers/restart_services.yml | 22 ++++++++++++++++++++--
roles/base/handlers/main.yml | 7 ++++---
2 files changed, 24 insertions(+), 5 deletions(-)
---
diff --git a/handlers/restart_services.yml b/handlers/restart_services.yml
index 85f1193..89740cb 100644
--- a/handlers/restart_services.yml
+++ b/handlers/restart_services.yml
@@ -26,6 +26,9 @@
- name: restart fedmsg-relay
command: /usr/local/bin/conditional-restart.sh fedmsg-relay fedmsg-relay
+- name: restart koji-sync-listener
+ action: service name=koji-sync-listener state=restarted
+
- name: reload httpd
command: /usr/local/bin/conditional-reload.sh httpd httpd
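Review bot: The new `restart koji-sync-listener` handler uses the legacy `action: service name=... state=restarted` form while the neighbouring handlers in this file (`restart postfix`, `restart glusterd`, `restart pagure_ev`) call the `service:` module directly; prefer `service: name=koji-sync-listener state=restarted` — or native YAML with `name:`/`state:` keys — so the file stays consistent and lint-clean. Purely a style point; the resulting action is the same.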
@@ -52,7 +55,7 @@
- name: restart openvpn (Fedora)
when: ansible_distribution == "Fedora"
- action: service name=openvpn@openvpn state=restarted
+ action: service name=openvpn-client@openvpn state=restarted
#notify:
#- fix openvpn routing
@@ -64,7 +67,7 @@
- name: restart openvpn (RHEL7)
when: ansible_distribution == "RedHat" and ansible_distribution_major_version|int == 7
- action: service name=openvpn@openvpn state=restarted
+ action: service name=openvpn-client@openvpn state=restarted
#notify:
#- fix openvpn routing
@@ -89,6 +92,9 @@
- name: restart postfix
service: name=postfix state=restarted
+- name: reload proxyhttpd
+ command: /usr/local/bin/proxy-conditional-reload.sh httpd httpd
+
- name: restart glusterd
service: name=glusterd state=restarted
@@ -124,6 +130,9 @@
ignore_errors: true
when: ansible_virtualization_role == 'host'
+- name: restart pagure_ev
+ service: name=pagure_ev state=restarted
+
- name: "update ca-trust"
command: /usr/bin/update-ca-trust
@@ -163,3 +172,12 @@
- name: flush journald tmpfiles to persistent store
command: pkill -f -USR1 systemd-journald
+
+- name: restart idmapd
+ service: name=nfs-idmapd state=restarted
+
+- name: restart darkserver
+ service: name=darkserver state=restarted
+
+- name: restart buildmaster
+ service: name=buildmaster state=restarted
diff --git a/roles/base/handlers/main.yml b/roles/base/handlers/main.yml
index 5852fa8..0140247 100644
--- a/roles/base/handlers/main.yml
+++ b/roles/base/handlers/main.yml
@@ -9,6 +9,10 @@
- name: restart iptables
service: name=iptables state=restarted
+- name: restart docker
+ command: systemctl try-restart docker
+ ignore_errors: true
+
- name: restart ip6tables
service: name=ip6tables state=restarted
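Review bot: The new `restart docker` handler swallows every failure with `ignore_errors: true`, so a docker that fails to come back after the iptables restart that notifies it is never reported. If the intent is only to tolerate hosts where docker is not installed, register the result and fail selectively instead: `register: docker_restart` plus `failed_when: docker_restart.rc != 0 and 'not found' not in docker_restart.stderr`. Either way, document the reason above the task, e.g. `# iptables restart presumably flushes docker's chains; try-restart rebuilds them where docker is active, hosts without docker are tolerated`. Handlers run in the order they are defined, so this handler must stay after `restart iptables` in this file, which it currently does.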
@@ -24,9 +28,6 @@
- name: restart rsyslog
service: name=rsyslog state=restarted
-- name: restart sshd
- service: name=sshd state=restarted
-
- name: restart watchdog
service: name=watchdog state=restarted
[ansible] Fix nmclitest
by Nicolas Chauvet
commit 63a372690a3057e173465a106f0e52ba3aa3db47
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Feb 5 19:01:43 2018 +0100
Fix nmclitest
roles/base/tasks/main.yml | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
---
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 5ed59ef..a44f9b7 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -54,7 +54,7 @@
ini_file: dest=/etc/NetworkManager/NetworkManager.conf section=main option=dns value=none
notify:
- restart NetworkManager
- when: ansible_distribution_major_version|int >=7 and nmclitest|success and ( not ansible_ifcfg_blacklist) and not nm_controlled_resolv
+ when: ansible_distribution_major_version|int >=7 and nmclitest.rc == 0 and ( not ansible_ifcfg_blacklist) and not nm_controlled_resolv
tags:
- config
- resolvconf
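Review bot: `nmclitest.rc == 0` raises an undefined-attribute error whenever the registered result has no `rc` key — a skipped test task, or one whose command never ran — whereas the old `nmclitest|success` evaluated to true in that case; the task that registers `nmclitest` is outside this hunk, so this is inferred from the expression alone. A guard keeps the old tolerance: `nmclitest.rc is defined and nmclitest.rc == 0`. The same expression appears in the two following hunks of this commit and should get the same guard.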
@@ -67,7 +67,7 @@
changed_when: false
failed_when: 'if_uuid.stdout == ""'
check_mode: no
- when: ansible_distribution_major_version|int >=7 and nmclitest|success and ( not ansible_ifcfg_blacklist )
+ when: ansible_distribution_major_version|int >=7 and nmclitest.rc == 0 and ( not ansible_ifcfg_blacklist )
tags:
- config
- ifcfg
@@ -81,7 +81,7 @@
# - restart NetworkManager
- reload NetworkManager-connections
- apply interface-changes
- when: (virthost is not defined) and (item.startswith(('eth','br','enc'))) and (hostvars[inventory_hostname]['ansible_' + item.replace('-','_')]['type'] == 'ether') and (ansible_distribution_major_version|int >=7) and hostvars[inventory_hostname]['ansible_' + item.replace('-','_')]['active'] and nmclitest|success and ( not ansible_ifcfg_blacklist ) and ( ansible_ifcfg_whitelist is not defined or item in ansible_ifcfg_whitelist )
+ when: (virthost is not defined) and (item.startswith(('eth','br','enc'))) and (hostvars[inventory_hostname]['ansible_' + item.replace('-','_')]['type'] == 'ether') and (ansible_distribution_major_version|int >=7) and hostvars[inventory_hostname]['ansible_' + item.replace('-','_')]['active'] and nmclitest.rc == 0 and ( not ansible_ifcfg_blacklist ) and ( ansible_ifcfg_whitelist is not defined or item in ansible_ifcfg_whitelist )
tags:
- config
- ifcfg
[ansible] Sync with fedora
by Nicolas Chauvet
commit e5ff576338e4459acd21684364a39b6c116c259b
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Feb 5 18:31:25 2018 +0100
Sync with fedora
inventory/group_vars/all | 76 +++++++++++++++++++++++++++++++++-------------
1 files changed, 55 insertions(+), 21 deletions(-)
---
diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index 256d81f..07889ee 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -18,6 +18,7 @@ openshift_ansible: /srv/web/infra/openshift-ansible/
freezes: true
# most of our systems are in online
datacenter: online
+postfix_group: "none"
# for httpd/website
server_admin: root(a)rpmfusion.org
@@ -61,6 +62,8 @@ br0_nm: 255.255.255.0
br1_nm: 255.255.255.0
# Default to managing the network, we want to not do this on select hosts (like cloud nodes)
ansible_ifcfg_blacklist: false
+# List of interfaces to explicitly disable
+ansible_ifcfg_disabled: []
#
# The default virt-install works for rhel7 or fedora with 1 nic
#
@@ -69,20 +72,20 @@ virt_install_command: "{{ virt_install_command_one_nic }}"
main_bridge: br0
nfs_bridge: br1
-virt_install_command_one_nic: virt-install -n {{ inventory_hostname }}
+virt_install_command_one_nic: virt-install -n {{ inventory_hostname }}
--memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
--disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
- --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
+ --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyS0
hostname={{ inventory_hostname }} nameserver={{ dns }}
ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none'
--network bridge={{ main_bridge }},model=virtio
--autostart --noautoconsole --watchdog default
-virt_install_command_two_nic: virt-install -n {{ inventory_hostname }}
+virt_install_command_two_nic: virt-install -n {{ inventory_hostname }}
--memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
--disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
- --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
+ --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyS0
hostname={{ inventory_hostname }} nameserver={{ dns }}
ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none
@@ -93,7 +96,7 @@ virt_install_command_two_nic: virt-install -n {{ inventory_hostname }}
virt_install_command_aarch64_one_nic: virt-install -n {{ inventory_hostname }}
--memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
--disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
- --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
+ --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyAMA0
hostname={{ inventory_hostname }} nameserver={{ dns }}
ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none'
@@ -103,7 +106,7 @@ virt_install_command_aarch64_one_nic: virt-install -n {{ inventory_hostname }}
virt_install_command_aarch64_two_nic: virt-install -n {{ inventory_hostname }}
--memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
--disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
- --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
+ --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyAMA0
hostname={{ inventory_hostname }} nameserver={{ dns }}
ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none
@@ -111,13 +114,23 @@ virt_install_command_aarch64_two_nic: virt-install -n {{ inventory_hostname }}
--network bridge={{ main_bridge }},model=virtio --network=bridge={{ nfs_bridge }},model=virtio
--autostart --noautoconsole
+virt_install_command_armv7_one_nic: virt-install -n {{ inventory_hostname }} --arch armv7l
+ --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
+ --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
+ --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
+ 'net.ifnames=0 ksdevice=eth0 ks={{ ks_url }} console=tty0 console=ttyAMA0
+ hostname={{ inventory_hostname }} nameserver={{ dns }}
+ ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none'
+ --network bridge={{ main_bridge }},model=virtio
+ --autostart --noautoconsole
+
virt_install_command_rhel6: virt-install -n {{ inventory_hostname }}
--memory={{ mem_size }},maxmemory={{ max_mem_size }}
--disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }}
- --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
- "ksdevice=eth0 ks={{ ks_url }} ip={{ eth0_ip }} netmask={{ nm }}
+ --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
+ "ksdevice=eth0 ks={{ ks_url }} ip={{ eth0_ip }} netmask={{ nm }}
gateway={{ gw }} dns={{ dns }} console=tty0 console=ttyS0
- hostname={{ inventory_hostname }}"
+ hostname={{ inventory_hostname }}"
--network=bridge=br1 --autostart --noautoconsole --watchdog default
max_mem_size: "{{ mem_size * 1 }}"
@@ -155,6 +168,9 @@ fedmsg_active: False
fedmsg_prefix: org.rpmfusion
fedmsg_env: prod
+# Amount of time to wait for connections after a socket is first established.
+fedmsg_post_init_sleep: 1.0
+
# A special flag that, when set to true, will disconnect the host from the
# global fedmsg-relay instance and set it up with its own local one. You can
# temporarily set this to true for a specific host to do some debugging -- so
@@ -186,7 +202,7 @@ env: production
env_suffix:
# nfs mount options, override at the group/host level
-nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4"
+nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,nfsvers=3"
# by default set become to false here We can override it as needed.
# Note that if become is true, you need to unset requiretty for
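Review bot: Changing the default `nfs_mount_opts` from `nfsvers=4` to `nfsvers=3` is a protocol downgrade with no reason recorded in the file or the commit message. NFSv3 brings back the rpcbind/mountd/lockd/statd side channels that v4 serves over the single port 2049, so the iptables templates of every host using these mounts must permit those extra ports, and v4-specific behaviour such as the idmapd-based identity mapping no longer applies to these mounts. Please add the motivation as a comment above the line, e.g. `# nfsvers=3: the koji NFS server does not serve v4 / idmapd domain mismatch — revisit`, and confirm the client firewall rules cover the additional ports before this default is relied on.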
@@ -210,17 +226,6 @@ csi_relationship: |
To update this text, add the csi_* vars to group_vars/ in ansible.
-
-# docker images required by OpenShift Origin
-openshift_required_images:
- - "openshift/origin-pod"
-
-# docker images required by OSBS for builds
-fedora_required_images:
- - "fedora:24"
- - "fedora:25"
- - "fedora:latest"
-
#
# say if we want the apache role dependency for mod_wsgi or not
# In some cases we want mod_wsgi and no apache (for python3 httpaio stuff)
@@ -236,8 +241,37 @@ ipa_admin_password: "{{ ipa_prod_admin_password }}"
# Normal default sshd port is 22
sshd_port: 22
+# List of names under which the host is available
+ssh_hostnames: []
+
# assume collectd apache
collectd_apache: true
# assume vpn is false
vpn: False
+
+# assume createrepo is true and this builder has the koji nfs mount to do that
+createrepo: True
+
+# Nagios global variables
+nagios_Check_Services:
+ nrpe: true
+ sshd: true
+ named: false
+ dhcpd: false
+ httpd: false
+ swap: true
+ ping: true
+
+# Set variable if we want to use our global iptables defaults
+# Some things need to set their own.
+baseiptables: True
+
+# Most of our machines have manual resolv.conf files
+# These settings are for machines where NM is supposed to control resolv.conf.
+nm_controlled_resolv: False
+dns1: "192.168.181.254"
+dns2: "62.210.16.6"
+
+# This is a list of services that need to wait for VPN to be up before getting started.
+postvpnservices: []
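Review bot: The new defaults mix boolean spellings — `createrepo: True`, `baseiptables: True`, `nm_controlled_resolv: False` next to the file's existing lowercase `freezes: true` and `nrpe: true`; YAML 1.2 parsers and yamllint's `truthy` rule only accept `true`/`false`, so normalise to `createrepo: true`, `baseiptables: true`, `nm_controlled_resolv: false`. `nagios_Check_Services` is also the only mixed-case key in the file; if it is kept for compatibility with the nagios role, a one-line comment saying so would stop the next reader from "fixing" it. Note that `baseiptables: true` as the global default means every host receives the base iptables template unless a host_vars override sets it to false.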
[ansible] sync base with fedora
by Nicolas Chauvet
commit d4b9c4ad704228ff72ba6a4a58a3be1003b8fc94
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Feb 5 18:18:47 2018 +0100
sync base with fedora
roles/base/tasks/main.yml | 115 ++++++++++++++++++++++-------------------
roles/base/tasks/postfix.yml | 53 ++++++++++++++++++-
roles/base/tasks/watchdog.yml | 2 +-
3 files changed, 115 insertions(+), 55 deletions(-)
---
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 027eb0e..5ed59ef 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -6,7 +6,7 @@
#
- name: ensure packages required for semanage are installed (yum)
- yum: name={{ item }} state=present
+ package: name={{ item }} state=present
when: ansible_distribution_major_version|int < 22
with_items:
- policycoreutils-python
@@ -24,6 +24,7 @@
# XXX fixme # a datacenter 'fact' from setup
- name: /etc/resolv.conf
copy: src={{ item }} dest=/etc/resolv.conf
+ when: not nm_controlled_resolv
with_first_found:
- "{{ resolvconf }}"
- resolv.conf/{{ inventory_hostname }}
@@ -53,7 +54,7 @@
ini_file: dest=/etc/NetworkManager/NetworkManager.conf section=main option=dns value=none
notify:
- restart NetworkManager
- when: ansible_distribution_major_version|int >=7 and nmclitest|success and ( not ansible_ifcfg_blacklist)
+ when: ansible_distribution_major_version|int >=7 and nmclitest|success and ( not ansible_ifcfg_blacklist) and not nm_controlled_resolv
tags:
- config
- resolvconf
@@ -80,14 +81,14 @@
# - restart NetworkManager
- reload NetworkManager-connections
- apply interface-changes
- when: (virthost is not defined) and (item.startswith(('eth','br'))) and (hostvars[inventory_hostname]['ansible_' + item.replace('-','_')]['type'] == 'ether') and (ansible_distribution_major_version|int >=7) and hostvars[inventory_hostname]['ansible_' + item.replace('-','_')]['active'] and nmclitest|success and ( not ansible_ifcfg_blacklist ) and ( ansible_ifcfg_whitelist is not defined or item in ansible_ifcfg_whitelist )
+ when: (virthost is not defined) and (item.startswith(('eth','br','enc'))) and (hostvars[inventory_hostname]['ansible_' + item.replace('-','_')]['type'] == 'ether') and (ansible_distribution_major_version|int >=7) and hostvars[inventory_hostname]['ansible_' + item.replace('-','_')]['active'] and nmclitest|success and ( not ansible_ifcfg_blacklist ) and ( ansible_ifcfg_whitelist is not defined or item in ansible_ifcfg_whitelist )
tags:
- config
- ifcfg
- base
- name: global default packages to install (yum)
- yum: state=present name={{ item }}
+ package: state=present name={{ item }}
with_items:
- "{{ global_pkgs_inst }}"
tags:
@@ -107,52 +108,16 @@
- name: make sure hostname is set right on rhel7 hosts
hostname: name="{{inventory_hostname}}"
-- name: check if sshd port is already known by selinux
- shell: semanage port -l | grep ssh
- register: sshd_selinux_port
- check_mode: no
- changed_when: false
- tags:
- - sshd_config
- - config
- - sshd
- - selinux
- - base
-
-- name: allow alternate sshd port
- command: semanage port -a -t ssh_port_t -p tcp {{ sshd_port }}
- when: sshd_selinux_port.stdout.find('{{ sshd_port }}') == -1
- tags:
- - sshd_config
- - config
- - sshd
- - selinux
- - base
-
-- name: sshd_config
- copy: src={{ item }} dest=/etc/ssh/sshd_config mode=0600
- with_first_found:
- - "{{ sshd_config }}"
- - ssh/sshd_config.{{ inventory_hostname }}
- - ssh/sshd_config.{{ host_group }}
- - ssh/sshd_config.{{ dist_tag }}
- - ssh/sshd_config.{{ ansible_distribution }}
- - ssh/sshd_config.{{ ansible_distribution_version }}
- - ssh/sshd_config.default
- notify:
- - restart sshd
- tags:
- - sshd_config
- - config
- - sshd
- - base
+#
+# We set builders root password in the koji_builder role, so do not set those here
+#
- name: set root passwd
user: name=root password={{ rootpw }} state=present
tags:
- rootpw
- base
- when: not (inventory_hostname.startswith('rawhide') or inventory_hostname.startswith('branched') or inventory_hostname.startswith('compose') or inventory_hostname.startswith('build') or inventory_hostname.startswith('arm') or inventory_hostname.startswith('bkernel') or inventory_hostname.startswith('koji01.stg') or inventory_hostname.startswith('aarch64') or inventory_hostname.startswith('s390') or inventory_hostname.startswith('fed-cloud09') or inventory_hostname.startswith('ppc8-04'))
+ when: not inventory_hostname.startswith(('build','bkernel','koji01.stg','s390','fed-cloud09'))
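Review bot: The shortened `set root passwd` exclusion drops the `arm`, `aarch64`, `rawhide`, `branched`, `compose` and `ppc8-04` prefixes, so hosts with those names now get the base `rootpw` rather than the koji_builder-managed one the new comment refers to — and this inventory evidently has `arm-build*` hosts, since an `arm-build` condition is removed further down in this same commit; if those builders still exist, add `'arm'` back to the tuple. Separately, this hunk removes the `sshd_config` deployment and the `semanage port` tasks without anything in this commit taking them over, which leaves `sshd_port` in group_vars unused and sshd configuration unmanaged unless a dedicated sshd role is applied elsewhere; please confirm that role exists and is in the playbooks before this lands.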
- name: add ansible root key
authorized_key: user=root key="{{ item }}"
@@ -164,12 +129,13 @@
- name: make sure our resolv.conf is the one being used - set RESOLV_MODS=no in /etc/sysconfig/network
lineinfile: dest=/etc/sysconfig/network create=yes backup=yes state=present line='RESOLV_MODS=no' regexp=^RESOLV_MODS=
+ when: not nm_controlled_resolv
tags:
- config
- base
- name: dist pkgs to remove (yum)
- yum: state=absent name={{ item }}
+ package: state=absent name={{ item }}
with_items:
- "{{ base_pkgs_erase }}"
tags:
@@ -178,7 +144,7 @@
when: ansible_distribution_major_version|int < 22
- name: dist pkgs to install (yum)
- yum: state=present name={{ item }}
+ package: state=present name={{ item }}
with_items:
- "{{ base_pkgs_inst }}"
tags:
@@ -214,7 +180,7 @@
- base
- name: dist enabled services
- service: state=running enabled=true name={{ item }}
+ service: state=started enabled=true name={{ item }}
with_items:
- "{{ service_enabled }}"
tags:
@@ -230,10 +196,11 @@
- iptables/iptables.{{ host_group }}
- iptables/iptables.{{ env }}
- iptables/iptables
- when: not inventory_hostname.startswith(('fed-cloud09','osbs'))
+ when: baseiptables
notify:
- restart iptables
- reload libvirtd
+ - restart docker
tags:
- iptables
- config
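Review bot: Replacing the per-host exclusions (`fed-cloud09`, `osbs` here, `arm-build` in the ip6tables hunks below) with `when: baseiptables` only preserves behaviour if those hosts get `baseiptables: false` in host_vars, and no host_vars change is part of this commit; with the new global default of `True` the base iptables template is now pushed to them and `restart iptables` flushes whatever docker/openshift rules they manage themselves. Please add the host_vars overrides (or a group) in the same change. The added `restart docker` notify relies on handler definition order — `restart docker` is defined after `restart iptables` in roles/base/handlers/main.yml — so keep that order if the handlers file is reshuffled.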
@@ -245,6 +212,7 @@
- iptables
- service
- base
+ when: baseiptables
- name: ip6tables
template: src={{ item }} dest=/etc/sysconfig/ip6tables mode=0600 backup=yes
@@ -254,7 +222,7 @@
- iptables/ip6tables.{{ host_group }}
- iptables/ip6tables.{{ env }}
- iptables/ip6tables
- when: not inventory_hostname.startswith('arm-build')
+ when: baseiptables
notify:
- restart ip6tables
- reload libvirtd
@@ -269,7 +237,7 @@
- ip6tables
- service
- base
- when: not inventory_hostname.startswith('arm-build')
+ when: baseiptables
- name: enable journald persistence
file: path=/var/log/journal state=directory
@@ -346,8 +314,48 @@
- rsyslogd
- config
+# Custom selinux policy to allow rsyslog to read and send audit to log01
+- name: ensure a directory exists for our custom selinux module
+ file: dest=/usr/local/share/rsyslog state=directory
+ tags:
+ - rsyslogd
+ - config
+ - rsyslog-audit
+
+- name: copy over our custom selinux module
+ copy: src=selinux/rsyslog-audit.pp dest=/usr/local/share/rsyslog/rsyslog-audit.pp
+ register: selinux_module
+ tags:
+ - rsyslogd
+ - config
+ - rsyslog-audit
+
+- name: install our custom selinux module
+ command: semodule -i /usr/local/share/rsyslog/rsyslog-audit.pp
+ when: selinux_module|changed
+ tags:
+ - rsyslogd
+ - config
+ - rsyslog-audit
+
+# Custom selinux policy to allow unix_chkpwd to map PAM database
+- name: copy over our custom selinux module
+ copy: src=selinux/mapchkpwd.pp dest=/usr/local/share/mapchkpwd.pp
+ register: selinux_module
+ when: ansible_distribution_major_version|int >= 27
+ tags:
+ - config
+ - selinux
+
+- name: install our custom selinux module
+ command: semodule -i /usr/local/share/mapchkpwd.pp
+ when: selinux_module|changed
+ tags:
+ - selinux
+ - config
+
- name: Setup postfix
- include: postfix.yml
+ import_tasks: postfix.yml
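Review bot: Two pairs of tasks in this hunk share identical names (`copy over our custom selinux module` / `install our custom selinux module`) and the same `register: selinux_module` variable; it works because each install directly follows its copy, but it makes `--start-at-task`, `--list-tasks` and log output ambiguous — name them e.g. `copy over rsyslog-audit selinux module` and `copy over mapchkpwd selinux module`. Since `semodule -i` loads a compiled `.pp` that nobody can review in a diff, keep the `.te` sources next to the `.pp` files in `files/selinux/` (if they are not already there) and state in the comment what each module permits, e.g. `# rsyslog-audit.pp: built from rsyslog-audit.te; lets rsyslog read the audit log and ship it to log01`. Also, `selinux_module|changed` is the deprecated filter form; `selinux_module is changed` is the forward-compatible spelling.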
#
# This task installs some common scripts to /usr/local/bin
@@ -361,6 +369,7 @@
tags:
- config
- base
+ - common-scripts
- name: install a sync httpd logs cron script only on log01
copy: src=syncHttpLogs.sh dest=/etc/cron.daily/syncHttpLogs.sh mode=0755
@@ -390,7 +399,7 @@
# Watchdog stuff
#
- name: Set up watchdog
- include: watchdog.yml
+ import_tasks: watchdog.yml
#Set PS1 to show stage environment at PS1
@@ -441,5 +450,5 @@
- krb5
- name: Setup host keytab
- include: keytab.yml
+ import_tasks: keytab.yml
when: env == 'DISABLED'
diff --git a/roles/base/tasks/postfix.yml b/roles/base/tasks/postfix.yml
index 254c3bc..a1bb2da 100644
--- a/roles/base/tasks/postfix.yml
+++ b/roles/base/tasks/postfix.yml
@@ -30,8 +30,25 @@
- config
- base
+- name: Deploy sender_access file
+ copy: src="{{private}}/files/smtpd/sender_access" dest="/etc/postfix/sender_access"
+ when: postfix_group == "smtp-mm"
+ tags:
+ - postfix
+ - config
+ - base
+
+- name: Create sender_access hash
+ command: postmap hash:/etc/postfix/sender_access
+ changed_when: false
+ when: postfix_group == "smtp-mm"
+ tags:
+ - postfix
+ - config
+ - base
+
- name: enable postfix to start
- service: name=postfix state=running enabled=true
+ service: name=postfix state=started enabled=true
tags:
- service
- base
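Review bot: `Create sender_access hash` runs `postmap` on every play with `changed_when: false`, so a rebuild after a real change is reported as a no-op and the task cannot be skipped when nothing changed. Tie it to the copy instead: `register: sender_access` on the copy task and `when: postfix_group == "smtp-mm" and sender_access is changed` on the postmap task (or move the postmap into a handler notified by the copy, the pattern the `tls_policy` task below already uses).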
@@ -47,3 +64,37 @@
- base
- config
+- name: create /etc/postfix/tls_policy
+ copy: src="postfix/tls_policy" dest=/etc/postfix/tls_policy
+ when: inventory_hostname.startswith(('bastion','smtp-mm'))
+ notify:
+ - rebuild postfix tls_policy
+ - restart postfix
+ tags:
+ - postfix
+
+- name: install /etc/pki/tls/certs/gateway.crt
+ copy:
+ src="{{private}}/files/smtpd/gateway.complete.crt"
+ dest=/etc/pki/tls/certs/gateway.crt
+ owner=root
+ group=root
+ mode=0644
+ when: inventory_hostname.startswith(('bastion','smtp-mm'))
+ notify:
+ - restart postfix
+ tags:
+ - postfix
+
+- name: Copy gateway.key
+ copy:
+ src="{{private}}/files/smtpd/gateway.key"
+ dest=/etc/pki/tls/private/
+ owner=root
+ group=postfix
+ mode=0640
+ when: inventory_hostname.startswith(('bastion','smtp-mm'))
+ notify:
+ - restart postfix
+ tags:
+ - postfix
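Review bot: The `create /etc/postfix/tls_policy` task notifies `rebuild postfix tls_policy`, but that handler is not among those added in this series (the handlers commit adds idmapd, darkserver, buildmaster, pagure_ev and others), so unless it already exists in handlers/restart_services.yml or the role handlers, the play will fail with an unknown-handler error the first time the file changes; please confirm. For `Copy gateway.key`, `root:postfix` with `0640` is the right ownership, but the `copy` module would show the key contents in a `--diff` run, so add `no_log: true` to that task to keep the private key out of logs. `tls_policy` could carry an explicit `mode=0644` for symmetry with `gateway.crt`.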
diff --git a/roles/base/tasks/watchdog.yml b/roles/base/tasks/watchdog.yml
index 7b03566..06a8969 100644
--- a/roles/base/tasks/watchdog.yml
+++ b/roles/base/tasks/watchdog.yml
@@ -8,7 +8,7 @@
- block:
- name: install watchdog
- package: pkg={{ item }} state=present
+ package: name={{ item }} state=present
with_items:
- watchdog
tags: