diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..297b89e --- /dev/null +++ b/.gitignore @@ -0,0 +1,6 @@ +roles/* +collections/* +!roles/README.md +!roles/requirements.yml +!collections/README.md +!collections/requirements.yml diff --git a/adhoc-facts-refresh.yml b/adhoc-facts-refresh.yml index b43b928..1bd3f90 100644 --- a/adhoc-facts-refresh.yml +++ b/adhoc-facts-refresh.yml @@ -3,6 +3,6 @@ become: true tasks: - name: Force a fact refresh to have those available in local cache - setup: + ansible.builtin.setup: gather_timeout: 30 ... diff --git a/adhoc-rabbitmqqueue.yml b/adhoc-rabbitmqqueue.yml index ba5bdb2..3713f4a 100644 --- a/adhoc-rabbitmqqueue.yml +++ b/adhoc-rabbitmqqueue.yml @@ -26,7 +26,7 @@ tasks: - name: "Checking for user variables" - assert: + ansible.builtin.assert: that: - username != "admin" - username != "guest" @@ -37,7 +37,7 @@ - rabbitmq - name: "Validate username queue name" - assert: + ansible.builtin.assert: that: - "queue_name.startswith(username)" tags: diff --git a/adhoc-rabbitmquser.yml b/adhoc-rabbitmquser.yml index 09768c4..692911e 100644 --- a/adhoc-rabbitmquser.yml +++ b/adhoc-rabbitmquser.yml @@ -12,7 +12,7 @@ tasks: - name: "Checking for user variables" - assert: + ansible.builtin.assert: that: - username != "admin" - username != "guest" diff --git a/collections/requirements.yml b/collections/requirements.yml index 7fa8ac2..bec2baf 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml @@ -2,7 +2,6 @@ collections: # freeipa - name: freeipa.ansible_freeipa - version: 1.6.3 - name: community.general - name: community.mysql - name: community.rabbitmq diff --git a/handlers/main.yml b/handlers/main.yml index 69cbdb4..05bc4ab 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
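Review bot: Dropping `version: 1.6.3` in collections/requirements.yml leaves freeipa.ansible_freeipa unpinned, so every `ansible-galaxy collection install -r collections/requirements.yml` resolves to whatever release is newest at that moment; two hosts bootstrapped a week apart can end up running different module code, and a broken or compromised upstream release lands automatically. If the pin was removed because 1.6.3 is too old, replace it with the newer tested pin, e.g. `version: "<tested version>"` (placeholder), rather than no constraint at all. The same applies to community.general, community.mysql and community.rabbitmq, which have never been pinned; a lower bound is the minimum if exact pins are too much churn.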
@@ -1,22 +1,22 @@ --- # Handlers - name: restart_sshd - service: + ansible.builtin.service: name: sshd state: restarted - name: restart_httpd - service: + ansible.builtin.service: name: httpd state: restarted - name: restart_nginx - service: + ansible.builtin.service: name: nginx state: restarted - name: reload_networkmanager - service: + ansible.builtin.service: name: NetworkManager state: reloaded @@ -24,7 +24,7 @@ command: /sbin/augenrules - name: reload_chrony - systemd: + ansible.builtin.systemd: name: "{{ chrony_service_name }}" state: restarted listen: "chrony service restart" @@ -35,7 +35,7 @@ failed_when: gitlab_restart_handler_failed_when | bool - name: restart_noggin - service: + ansible.builtin.service: name: noggin state: restarted @@ -43,7 +43,7 @@ command: "postmap /etc/postfix/sasl_passwd" - name: restart_postfix - service: + ansible.builtin.service: name: postfix state: restarted ... diff --git a/init-rocky-account-services.yml b/init-rocky-account-services.yml index a2c302b..01f4a39 100644 --- a/init-rocky-account-services.yml +++ b/init-rocky-account-services.yml @@ -14,7 +14,7 @@ register: no_ansible - name: Verify if we can run ansible - assert: + ansible.builtin.assert: that: - "not no_ansible.stat.exists" success_msg: "We are not able to run on this node" @@ -26,7 +26,7 @@ post_tasks: - name: Touching run file that ansible has ran here - file: + ansible.builtin.file: path: /var/log/ansible.run state: touch mode: '0644' diff --git a/init-rocky-ansible-host.yml b/init-rocky-ansible-host.yml index 3c48e82..fc2787b 100644 --- a/init-rocky-ansible-host.yml +++ b/init-rocky-ansible-host.yml @@ -20,7 +20,7 @@ # - twine - name: Remove existing public roles - file: + ansible.builtin.file: path: "{{ installation_prefix }}{{ roles_installation_dir }}" state: absent when: force_purge | bool 
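Review bot: In init-rocky-account-services.yml the `Verify if we can run ansible` task's `success_msg` reads "We are not able to run on this node" although that message is shown when the assertion passes, i.e. when /etc/no-ansible is absent and the play continues; it is inverted relative to init-rocky-chrony.yml and the role-rocky-* playbooks in this same diff, which say "We are able to run on this node". Change it to `success_msg: "We are able to run on this node"`. The same inverted string appears in the corresponding hunks of init-rocky-bugzilla.yml, init-rocky-mantisbt.yml, init-rocky-noggin-theme.yml, init-rocky-noggin.yml, init-rocky-postfix-relay.yml and init-rocky-repo-servers.yml.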
@@ -44,13 +44,13 @@ changed_when: '"Installing " in galaxy_install_collection.stdout' - name: cleanup old ssh known_hosts - remove - file: + ansible.builtin.file: path: "../tmp/known_hosts" state: absent mode: "0644" - name: cleanup old ssh known_hosts - blank - file: + ansible.builtin.file: path: "../tmp/known_hosts" state: touch mode: "0644" diff --git a/init-rocky-bugzilla.yml b/init-rocky-bugzilla.yml index f7a866e..d391b85 100644 --- a/init-rocky-bugzilla.yml +++ b/init-rocky-bugzilla.yml @@ -17,7 +17,7 @@ register: no_ansible - name: Verify if we can run ansible - assert: + ansible.builtin.assert: that: - "not no_ansible.stat.exists" success_msg: "We are not able to run on this node" @@ -43,13 +43,13 @@ - https - name: Ensure httpd is enabled and running - service: + ansible.builtin.service: name: httpd enabled: true state: started - name: Touching run file that ansible has ran here - file: + ansible.builtin.file: path: /var/log/ansible.run state: touch mode: '0644' diff --git a/init-rocky-chrony.yml b/init-rocky-chrony.yml index dd0f6fa..d9e6502 100644 --- a/init-rocky-chrony.yml +++ b/init-rocky-chrony.yml @@ -20,7 +20,7 @@ register: no_ansible - name: Verify if we can run ansible - assert: + ansible.builtin.assert: that: - "not no_ansible.stat.exists" success_msg: "We are able to run on this node" @@ -32,7 +32,7 @@ post_tasks: - name: Touching run file that ansible has ran here - file: + ansible.builtin.file: path: /var/log/ansible.run state: touch mode: '0644' diff --git a/init-rocky-install-kvm-hosts.yml b/init-rocky-install-kvm-hosts.yml index fe5826d..c342e42 100644 --- a/init-rocky-install-kvm-hosts.yml +++ b/init-rocky-install-kvm-hosts.yml @@ -13,7 +13,7 @@ register: no_ansible - name: Verify if we can run ansible - assert: + ansible.builtin.assert: that: - "not no_ansible.stat.exists" success_msg: "We are able to run on this node" 
@@ -28,7 +28,7 @@ # Install KVM packages - name: Installing KVM Packages - package: + ansible.builtin.package: name: - qemu-kvm - libvirt @@ -38,7 +38,7 @@ state: present - name: Enable and Start libvirtd - systemd: + ansible.builtin.systemd: name: libvirtd state: started enabled: true @@ -51,7 +51,7 @@ post_tasks: - name: Touching run file that ansible has ran here - file: + ansible.builtin.file: path: /var/log/ansible.run state: touch mode: '0644' diff --git a/init-rocky-mantisbt.yml b/init-rocky-mantisbt.yml index 68aab0e..b2bc80d 100644 --- a/init-rocky-mantisbt.yml +++ b/init-rocky-mantisbt.yml @@ -18,7 +18,7 @@ register: no_ansible - name: Verify if we can run ansible - assert: + ansible.builtin.assert: that: - "not no_ansible.stat.exists" success_msg: "We are not able to run on this node" @@ -44,13 +44,13 @@ - https - name: Ensure httpd is enabled and running - service: + ansible.builtin.service: name: httpd enabled: true state: started - name: Touching run file that ansible has ran here - file: + ansible.builtin.file: path: /var/log/ansible.run state: touch mode: '0644' diff --git a/init-rocky-noggin-theme.yml b/init-rocky-noggin-theme.yml index 05c29c3..844a66d 100644 --- a/init-rocky-noggin-theme.yml +++ b/init-rocky-noggin-theme.yml @@ -14,7 +14,7 @@ register: no_ansible - name: Verify if we can run ansible - assert: + ansible.builtin.assert: that: - "not no_ansible.stat.exists" success_msg: "We are not able to run on this node" @@ -32,7 +32,7 @@ post_tasks: - name: Touching run file that ansible has ran here - file: + ansible.builtin.file: path: /var/log/ansible.run state: touch mode: '0644' diff --git a/init-rocky-noggin.yml b/init-rocky-noggin.yml index 89031d2..3ec54ba 100644 --- a/init-rocky-noggin.yml +++ b/init-rocky-noggin.yml @@ -14,7 +14,7 @@ register: no_ansible - name: Verify if we can run ansible - assert: + ansible.builtin.assert: that: - "not no_ansible.stat.exists" success_msg: "We are not able to run on this node" 
@@ -26,7 +26,7 @@ post_tasks: - name: Touching run file that ansible has ran here - file: + ansible.builtin.file: path: /var/log/ansible.run state: touch mode: '0644' diff --git a/init-rocky-openqa-developer-host.yml b/init-rocky-openqa-developer-host.yml index f462e9b..79a6d0b 100644 --- a/init-rocky-openqa-developer-host.yml +++ b/init-rocky-openqa-developer-host.yml @@ -32,7 +32,7 @@ register: no_ansible - name: Verify if we can run ansible - assert: + ansible.builtin.assert: that: - "not no_ansible.stat.exists" success_msg: "We are able to run on this node" @@ -44,7 +44,7 @@ post_tasks: - name: Touching run file that ansible has ran here - file: + ansible.builtin.file: path: /var/log/ansible.run state: touch mode: '0644' diff --git a/init-rocky-postfix-relay.yml b/init-rocky-postfix-relay.yml index 781affd..dcea53b 100644 --- a/init-rocky-postfix-relay.yml +++ b/init-rocky-postfix-relay.yml @@ -16,7 +16,7 @@ register: no_ansible - name: Verify if we can run ansible - assert: + ansible.builtin.assert: that: - "not no_ansible.stat.exists" success_msg: "We are not able to run on this node" @@ -28,7 +28,7 @@ post_tasks: - name: Touching run file that ansible has ran here - file: + ansible.builtin.file: path: /var/log/ansible.run state: touch mode: '0644' diff --git a/init-rocky-repo-servers.yml b/init-rocky-repo-servers.yml index bfc994b..de2c03e 100644 --- a/init-rocky-repo-servers.yml +++ b/init-rocky-repo-servers.yml @@ -5,7 +5,7 @@ become: true handlers: - - import_tasks: handers/main.yml + - import_tasks: handlers/main.yml pre_tasks: - name: Check if ansible cannot be run here @@ -14,7 +14,7 @@ register: no_ansible - name: Verify if we can run ansible - assert: + ansible.builtin.assert: that: - "not no_ansible.stat.exists" success_msg: "We are not able to run on this node" @@ -26,7 +26,7 @@ post_tasks: - name: Touching run file that ansible has ran here - file: + ansible.builtin.file: path: /var/log/ansible.run state: touch mode: '0644' 
diff --git a/init-rocky-system-config.yml b/init-rocky-system-config.yml index a337c87..a20e1e1 100644 --- a/init-rocky-system-config.yml +++ b/init-rocky-system-config.yml @@ -18,7 +18,7 @@ register: no_ansible - name: Verify if we can run ansible - assert: + ansible.builtin.assert: that: - "not no_ansible.stat.exists" success_msg: "We are able to run on this node" @@ -48,7 +48,7 @@ post_tasks: - name: Touching run file that ansible has ran here - file: + ansible.builtin.file: path: /var/log/ansible.run state: touch mode: '0644' diff --git a/role-rocky-bootstrap_staging.yml b/role-rocky-bootstrap_staging.yml index 6b4d087..47dd344 100644 --- a/role-rocky-bootstrap_staging.yml +++ b/role-rocky-bootstrap_staging.yml @@ -18,7 +18,7 @@ register: no_ansible - name: Verify if we can run ansible - assert: + ansible.builtin.assert: that: - "not no_ansible.stat.exists" success_msg: "We are able to run on this node" @@ -32,7 +32,7 @@ post_tasks: - name: Touching run file that ansible has ran here - file: + ansible.builtin.file: path: /var/log/ansible.run state: touch mode: '0644' diff --git a/role-rocky-graylog.yml b/role-rocky-graylog.yml index 43869f5..8234dc7 100644 --- a/role-rocky-graylog.yml +++ b/role-rocky-graylog.yml @@ -24,14 +24,14 @@ register: no_ansible - name: Verify if we can run ansible - assert: + ansible.builtin.assert: that: - "not no_ansible.stat.exists" success_msg: "We are able to run on this node" fail_msg: "/etc/no-ansible exists - skipping run on this node" - name: Install SELinux packages - package: + ansible.builtin.package: name: python3-policycoreutils.noarch state: present @@ -58,7 +58,7 @@ loop: "{{ graylog_server_firewall_rules }}" - name: Touching run file that ansible has ran here - file: + ansible.builtin.file: path: /var/log/ansible.run state: touch mode: '0644' diff --git a/role-rocky-mirrormanager.yml b/role-rocky-mirrormanager.yml index 37493d4..20bee47 100644 --- a/role-rocky-mirrormanager.yml +++ b/role-rocky-mirrormanager.yml 
@@ -21,7 +21,7 @@ register: no_ansible - name: Verify if we can run ansible - assert: + ansible.builtin.assert: that: - "not no_ansible.stat.exists" success_msg: "We are able to run on this node" @@ -29,13 +29,13 @@ - name: Install git become: true - package: + ansible.builtin.package: name: git state: present - name: Install SELinux packages become: true - package: + ansible.builtin.package: name: python3-policycoreutils.noarch state: present @@ -63,7 +63,7 @@ - name: Touching run file that ansible has ran here become: true - file: + ansible.builtin.file: path: /var/log/ansible.run state: touch mode: '0644' diff --git a/role-rocky-monitoring.yml b/role-rocky-monitoring.yml index 431ffab..f853f8c 100644 --- a/role-rocky-monitoring.yml +++ b/role-rocky-monitoring.yml @@ -25,14 +25,14 @@ register: no_ansible - name: Verify if we can run ansible - assert: + ansible.builtin.assert: that: - "not no_ansible.stat.exists" success_msg: "We are able to run on this node" fail_msg: "/etc/no-ansible exists - skipping run on this node" - name: Install SELinux packages - package: + ansible.builtin.package: name: python3-policycoreutils.noarch state: present @@ -55,7 +55,7 @@ loop: "{{ monitoring_server_firewall_rules }}" - name: Touching run file that ansible has ran here - file: + ansible.builtin.file: path: /var/log/ansible.run state: touch mode: '0644' diff --git a/role-rocky-mqtt.yml b/role-rocky-mqtt.yml index d2c36a3..74a0229 100644 --- a/role-rocky-mqtt.yml +++ b/role-rocky-mqtt.yml @@ -18,7 +18,7 @@ register: no_ansible - name: Verify if we can run ansible - assert: + ansible.builtin.assert: that: - "not no_ansible.stat.exists" success_msg: "We are able to run on this node" @@ -50,7 +50,7 @@ # The CentOS extras repos has epel-release provided - name: Enable the EPEL repository - yum: + ansible.builtin.dnf: name: epel-release state: present tags: 
@@ -65,7 +65,7 @@ post_tasks: - name: Touching run file that ansible has ran here - file: + ansible.builtin.file: path: /var/log/ansible.run state: touch mode: '0644' diff --git a/role-rocky-node_exporter.yml b/role-rocky-node_exporter.yml index 0457451..4879e21 100644 --- a/role-rocky-node_exporter.yml +++ b/role-rocky-node_exporter.yml @@ -5,12 +5,12 @@ pre_tasks: - name: Install SELinux packages - package: + ansible.builtin.package: name: python3-policycoreutils.noarch state: present roles: - - role: cloudalchemy.node-exporter + - role: cloudalchemy.node_exporter state: present post_tasks: diff --git a/role-rocky-pinnwand.yml b/role-rocky-pinnwand.yml index 123f9fd..eade4ce 100644 --- a/role-rocky-pinnwand.yml +++ b/role-rocky-pinnwand.yml @@ -19,14 +19,14 @@ register: no_ansible - name: Verify if we can run ansible - assert: + ansible.builtin.assert: that: - "not no_ansible.stat.exists" success_msg: "We are able to run on this node" fail_msg: "/etc/no-ansible exists - skipping run on this node" - name: Install SELinux packages - package: + ansible.builtin.package: name: python3-policycoreutils.noarch state: present @@ -58,7 +58,7 @@ loop: "{{ firewall_rules }}" - name: Touching run file that ansible has ran here - file: + ansible.builtin.file: path: /var/log/ansible.run state: touch mode: '0644' diff --git a/role-rocky-rabbitmq.yml b/role-rocky-rabbitmq.yml index 4033c70..962c740 100644 --- a/role-rocky-rabbitmq.yml +++ b/role-rocky-rabbitmq.yml @@ -19,7 +19,7 @@ register: no_ansible - name: Verify if we can run ansible - assert: + ansible.builtin.assert: that: - "not no_ansible.stat.exists" success_msg: "We are able to run on this node" @@ -81,7 +81,7 @@ post_tasks: - name: Touching run file that ansible has ran here - file: + ansible.builtin.file: path: /var/log/ansible.run state: touch mode: '0644' diff --git a/role-rocky-repopool.yml b/role-rocky-repopool.yml index c05e697..eaa5665 100644 --- a/role-rocky-repopool.yml +++ b/role-rocky-repopool.yml 
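Review bot: The role reference in role-rocky-node_exporter.yml becomes `cloudalchemy.node_exporter`, which only resolves if roles/requirements.yml (not part of this diff) installs the role under that exact name; confirm the requirements entry matches, otherwise the play fails at role lookup. Separately, `state: present` sits directly under the `roles:` entry, where, as far as I can tell, extra keys are handed to the role as variables rather than acting on the role itself; check it against the role's documented variables or drop it if it is a leftover.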
@@ -19,7 +19,7 @@ register: no_ansible - name: Verify if we can run ansible - assert: + ansible.builtin.assert: that: - "not no_ansible.stat.exists" success_msg: "We are able to run on this node" @@ -33,7 +33,7 @@ post_tasks: - name: Touching run file that ansible has ran here - file: + ansible.builtin.file: path: /var/log/ansible.run state: touch mode: '0644' diff --git a/tasks/account_services.yml b/tasks/account_services.yml index 4bd38a8..cefc5ef 100644 --- a/tasks/account_services.yml +++ b/tasks/account_services.yml @@ -1,7 +1,7 @@ --- # Account Services - name: Install packages - package: + ansible.builtin.package: name: - httpd - mod_ssl @@ -11,7 +11,7 @@ state: present - name: Deploy relevant httpd configuration - template: + ansible.builtin.template: src: "etc/httpd/conf.d/id.conf.j2" dest: "/etc/httpd/conf.d/id.conf" owner: root @@ -20,7 +20,7 @@ notify: restart_httpd - name: Enable and start - systemd: + ansible.builtin.systemd: name: httpd state: running enabled: true diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 455f99a..3ee45d2 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -1,18 +1,18 @@ --- - name: Ensure auditd is installed - package: + ansible.builtin.package: name: audit state: present tags: - harden - name: Ensure auditd is enabled - service: + ansible.builtin.service: name: auditd enabled: true - name: Ensure auditd buffer is OK - replace: + ansible.builtin.replace: path: /etc/audit/rules.d/audit.rules regexp: '-b \d+' replace: '-b {{ audit_buffer }}' @@ -22,7 +22,7 @@ - harden - name: Ensure collection audit rules are available - template: + ansible.builtin.template: src: "etc/audit/rules.d/collection.rules.j2" dest: "/etc/audit/rules.d/collection.rules" owner: root diff --git a/tasks/authentication.yml b/tasks/authentication.yml index 1d9bf33..751dca8 100644 --- a/tasks/authentication.yml +++ b/tasks/authentication.yml 
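Review bot: The `Enable and start` task in tasks/account_services.yml passes `state: running` to `ansible.builtin.systemd`, which is not one of the module's accepted states (started, stopped, restarted, reloaded), so the task fails with an argument-validation error once the play reaches it. Change it to `state: started`; the `Enable and start postgresql service` task in tasks/openqa.yml already uses that form.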
@@ -4,7 +4,7 @@ - name: Enterprise Linux 8+ PAM Configuration block: - name: Ensure Custom Profile is removed - file: + ansible.builtin.file: path: /etc/authselect/custom/sssd-rocky state: absent @@ -20,7 +20,7 @@ changed_when: false - name: Override system-auth and password-auth - copy: + ansible.builtin.copy: src: "etc/authselect/custom/sssd-rocky/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth" dest: "{{ item }}" owner: root @@ -45,7 +45,7 @@ changed_when: false - name: Enable oddjobd - service: + ansible.builtin.service: name: oddjobd state: started enabled: true diff --git a/tasks/bugzilla.yml b/tasks/bugzilla.yml index f514496..975ae7f 100644 --- a/tasks/bugzilla.yml +++ b/tasks/bugzilla.yml @@ -11,7 +11,7 @@ - httpd_can_sendmail - name: Install necessary packages - yum: + ansible.builtin.dnf: name: "{{ bugzilla_pkg }}" state: present tags: @@ -24,7 +24,7 @@ checksum: "{{ bugzilla_checksum }}" - name: Create initial directory - file: + ansible.builtin.file: path: "{{ bugzilla_dir }}" state: directory mode: '0750' @@ -43,7 +43,7 @@ - '--strip-components=1' - name: Configure httpd - template: + ansible.builtin.template: src: "etc/httpd/conf.d/bugzilla.conf.j2" dest: "/etc/httpd/conf.d/bugzilla.conf" owner: root diff --git a/tasks/bugzilla_install.yml b/tasks/bugzilla_install.yml index 0d7213e..14a41bd 100644 --- a/tasks/bugzilla_install.yml +++ b/tasks/bugzilla_install.yml @@ -7,7 +7,7 @@ register: conf_result - name: Deploy answer file - template: + ansible.builtin.template: src: "var/www/bugzilla/answer" dest: "{{ bugzilla_dir }}/answer" owner: root @@ -23,7 +23,7 @@ when: not conf_result.stat.exists - name: Deploy proper configuration - template: + ansible.builtin.template: src: "var/www/bugzilla/localconfig.j2" dest: "{{ bugzilla_dir }}/localconfig" owner: root @@ -54,7 +54,7 @@ changed_when: "1 != 1" - name: Remove answer file - file: + ansible.builtin.file: path: "{{ bugzilla_dir }}/answer" state: absent ... 
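Review bot: `changed_when: "1 != 1"`, the line that closes the task preceding `Remove answer file` in tasks/bugzilla_install.yml, is a roundabout way of saying a command never reports changed; `changed_when: false` states the same thing directly and is the form this repository already uses elsewhere (`changed_when: false` in tasks/authentication.yml). The `Run fifloader.py` task in tasks/openqa.yml uses the same `"1 != 1"` idiom and should be changed the same way.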
diff --git a/tasks/chrony.yml b/tasks/chrony.yml index 005fb2a..93d6c93 100644 --- a/tasks/chrony.yml +++ b/tasks/chrony.yml @@ -6,18 +6,18 @@ when: "'chronyservers' in group_names" - name: Install chrony packages - yum: + ansible.builtin.dnf: name: "{{ chrony_packages }}" state: present - name: Fix permissions for chrony home directory - file: + ansible.builtin.file: path: "{{ chrony_homedir }}" mode: 0750 state: directory - name: Deploy configuration - template: + ansible.builtin.template: src: chrony.conf.j2 dest: "{{ chrony_config_file }}" owner: "{{ chrony_owner }}" @@ -26,7 +26,7 @@ notify: "chrony service restart" - name: Manage the state of service - systemd: + ansible.builtin.systemd: name: "{{ chrony_service_name }}" state: "{{ chrony_service_state }}" enabled: "{{ chrony_service_enabled }}" diff --git a/tasks/efs_mount.yml b/tasks/efs_mount.yml index 3dd5886..0a58354 100644 --- a/tasks/efs_mount.yml +++ b/tasks/efs_mount.yml @@ -5,7 +5,7 @@ - name: "Installing amazon-efs-utils" become: true become_user: root - yum: + ansible.builtin.dnf: name: 'https://kojidev.rockylinux.org/kojifiles/packages/amazon-efs-utils/1.31.3/1.5c58a2f.el8/noarch/amazon-efs-utils-1.31.3-1.5c58a2f.el8.noarch.rpm' disable_gpg_check: true validate_certs: true diff --git a/tasks/harden.yml b/tasks/harden.yml index 8bca3f9..31766be 100644 --- a/tasks/harden.yml +++ b/tasks/harden.yml @@ -3,7 +3,7 @@ - name: sysctl hardening and limits block: - name: create combined sysctl-dict if overwrites are defined - set_fact: + ansible.builtin.set_fact: sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}' when: sysctl_overwrite | default() @@ -34,7 +34,7 @@ - name: Standard login settings block: - name: useradd defaults - lineinfile: + ansible.builtin.lineinfile: line: "INACTIVE=30" regexp: "^INACTIVE=.*" path: "/etc/login.defs" 
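Review bot: `mode: 0750` in the `Fix permissions for chrony home directory` task of tasks/chrony.yml is an unquoted plain scalar, so its meaning depends on the loader's octal rules (a YAML 1.1 loader reads the leading zero as octal, a 1.2-style loader as decimal 750). Every other `mode:` in this diff is quoted, e.g. `mode: '0644'`; make this one `mode: '0750'` for consistency and portability.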
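Review bot: After the switch to `ansible.builtin.dnf`, the `Installing amazon-efs-utils` task in tasks/efs_mount.yml still installs an RPM straight from a URL with `disable_gpg_check: true`, so nothing verifies the package's integrity; `validate_certs: true` only authenticates the TLS endpoint, not the artifact. Prefer fetching it with `ansible.builtin.get_url` using `checksum: "sha256:<expected digest>"` (placeholder; tasks/openqa.yml and tasks/bugzilla.yml already pass a `checksum:` to their downloads) and installing the local file, or import the signing key for that koji instance and drop `disable_gpg_check`.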
@@ -42,7 +42,7 @@ - harden - name: login defs maximum days - replace: + ansible.builtin.replace: path: /etc/login.defs regexp: '(PASS_MAX_DAYS).*\d+' replace: '\1\t{{ login_max_days }}' @@ -50,7 +50,7 @@ - harden - name: login defs minimum days - replace: + ansible.builtin.replace: path: /etc/login.defs regexp: '(PASS_MIN_DAYS).*\d+' replace: '\1\t{{ login_min_days }}' @@ -58,7 +58,7 @@ - harden - name: login defs minimum length - replace: + ansible.builtin.replace: path: /etc/login.defs regexp: '(PASS_MIN_LEN).*\d+' replace: '\1\t{{ login_min_len }}' @@ -66,7 +66,7 @@ - harden - name: login defs warn age - replace: + ansible.builtin.replace: path: /etc/login.defs regexp: '(PASS_WARN_AGE).*\d+' replace: '\1\t{{ login_warn_age }}' @@ -74,7 +74,7 @@ - harden - name: cron directories permissions - file: + ansible.builtin.file: path: '{{ item }}' owner: root group: root @@ -85,7 +85,7 @@ - harden - name: Create cron/at allows - file: + ansible.builtin.file: path: '{{ item }}' owner: root group: root @@ -96,7 +96,7 @@ - harden - name: Remove cron/at denies - file: + ansible.builtin.file: path: '{{ item }}' state: absent loop: '{{ login_cron_denies }}' @@ -105,7 +105,7 @@ # TODO: Use pamd module to establish password policy - name: pwquality - minlen - lineinfile: + ansible.builtin.lineinfile: line: "minlen = 14" regexp: "^# minlen =.*" path: "/etc/security/pwquality.conf" @@ -113,7 +113,7 @@ - harden - name: pwquality - dcredit - lineinfile: + ansible.builtin.lineinfile: line: "dcredit = -1" regexp: "^# dcredit =.*" path: "/etc/security/pwquality.conf" @@ -121,7 +121,7 @@ - harden - name: pwquality - ucredit - lineinfile: + ansible.builtin.lineinfile: line: "ucredit = -1" regexp: "^# ucredit =.*" path: "/etc/security/pwquality.conf" @@ -129,7 +129,7 @@ - harden - name: pwquality - lcredit - lineinfile: + ansible.builtin.lineinfile: line: "lcredit = -1" regexp: "^# lcredit =.*" path: "/etc/security/pwquality.conf" 
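Review bot: The `pwquality - minlen` regexp `"^# minlen =.*"` only matches the commented-out default line, so on a host where an uncommented weaker value such as `minlen = 8` is already present the regexp finds nothing and lineinfile appends `minlen = 14` at the end of the file instead of replacing it; the file then carries two settings and the effective one is left to pwquality's parsing. Match the key whether or not it is commented, e.g. `regexp: '^#?\s*minlen\s*='`, so the managed line always replaces an existing one. The dcredit, ucredit and lcredit hunks on this same line and the ocredit hunk that follows have the same pattern.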
@@ -137,7 +137,7 @@ - harden - name: pwquality - ocredit - lineinfile: + ansible.builtin.lineinfile: line: "ocredit = -1" regexp: "^# ocredit =.*" path: "/etc/security/pwquality.conf" @@ -145,14 +145,14 @@ - harden - name: Remove packages not allowed by CIS - package: + ansible.builtin.package: name: "{{ remove_packages }}" state: absent tags: - harden - name: Disable Services - service: + ansible.builtin.service: name: "{{ item }}" enabled: false state: stopped @@ -166,7 +166,7 @@ - name: modprobe settings block: - name: remove vfat from filesystem list if we are EFI - set_fact: + ansible.builtin.set_fact: modprobe_unused_filesystems: "{{ modprobe_unused_filesystems | difference('vfat') }}" when: - efi_installed.stat.isdir is defined @@ -175,7 +175,7 @@ - efi - name: disable unused filesystems - template: + ansible.builtin.template: src: "etc/modprobe.d/cis.conf.j2" dest: "/etc/modprobe.d/cis.conf" owner: 'root' @@ -185,7 +185,7 @@ - harden - name: Set init umask - lineinfile: + ansible.builtin.lineinfile: dest: /etc/sysconfig/init state: present regexp: ^umask @@ -199,7 +199,7 @@ - harden - name: CIS sudoers configuration - copy: + ansible.builtin.copy: src: "etc/sudoers.d/cis" dest: "/etc/sudoers.d/cis" owner: root @@ -209,7 +209,7 @@ - harden - name: Remove packages not allowed by CIS - package: + ansible.builtin.package: name: "{{ remove_packages }}" state: absent tags: diff --git a/tasks/mantis.yml b/tasks/mantis.yml index efa181d..ee722ec 100644 --- a/tasks/mantis.yml +++ b/tasks/mantis.yml @@ -11,7 +11,7 @@ - httpd_can_sendmail - name: Install necessary packages - yum: + ansible.builtin.dnf: name: "{{ mantis_pkg }}" state: present tags: @@ -38,7 +38,7 @@ register: cryptosalt_string - name: Configure mantis - template: + ansible.builtin.template: src: "var/www/mantis/config/config_inc.php.j2" dest: "/var/www/mantisbt-{{ mantis_version }}/config/config_inc.php" owner: apache 
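Review bot: The `Remove packages not allowed by CIS` task appears twice in tasks/harden.yml, in the hunk at old line 145 and again in the hunk at line 209, with the same `name: "{{ remove_packages }}"` / `state: absent` body as far as the hunks show, so the removal runs twice per play. Keep one copy in whichever position the hardening order intends and delete the other; the FQCN change itself is fine in both.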
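Review bot: `CIS sudoers configuration` copies `etc/sudoers.d/cis` into `/etc/sudoers.d/cis` without a `validate:` step, so a syntax error in the source file is installed as-is and can break sudo for every account on the host. Add `validate: '/usr/sbin/visudo -cf %s'` to the copy task so the file is only moved into place once visudo accepts it.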
@@ -69,7 +69,7 @@ version: main - name: Configure httpd - template: + ansible.builtin.template: src: "etc/httpd/conf.d/mantis.conf.j2" dest: "/etc/httpd/conf.d/mantis.conf" owner: root @@ -77,7 +77,7 @@ mode: '0644' - name: Database import template - template: + ansible.builtin.template: src: "tmp/mantis_import.sql.j2" dest: "/tmp/mantis_import.sql.j2" owner: root diff --git a/tasks/mantispatch.yml b/tasks/mantispatch.yml index 5ccbe0f..bca8bcb 100644 --- a/tasks/mantispatch.yml +++ b/tasks/mantispatch.yml @@ -3,7 +3,7 @@ # bug tracker accounts. We are doing regex instead of just replacing the # file as a whole. Should make it easier to deal with upgrades in theory. - name: Change signup_page.php to Account Services - replace: + ansible.builtin.replace: path: "/var/www/mantisbt-{{ mantis_version }}/{{ item }}" regexp: 'signup_page.php' replace: 'https://accounts.rockylinux.org' @@ -13,13 +13,13 @@ - login_page.php - name: Change special signup_page.php reference - replace: + ansible.builtin.replace: path: "/var/www/mantisbt-{{ mantis_version }}/core/layout_api.php" regexp: "' . helper_mantis_url( 'signup_page.php' ) . '" replace: 'https://accounts.rockylinux.org' - name: Remove LDAP from checks for signup button - lineinfile: + ansible.builtin.lineinfile: path: "/var/www/mantisbt-{{ mantis_version }}/login_page.php" state: absent regex: 'LDAP != config_get_global' diff --git a/tasks/mirrormanager.yml b/tasks/mirrormanager.yml index fee6a1f..88e2b3b 100644 --- a/tasks/mirrormanager.yml +++ b/tasks/mirrormanager.yml @@ -33,7 +33,7 @@ - name: Create webroot directory become: true - file: + ansible.builtin.file: path: "{{ mirrormanager_dir }}" state: directory group: "{{ mirrormanager_user.group }}" @@ -55,7 +55,7 @@ - name: Deploy MM2 config become: true - template: + ansible.builtin.template: src: "opt/mirrormanager/mirrormanager2.cfg.j2" dest: "{{ mirrormanager_dir }}/app/mirrormanager2.cfg" group: "{{ mirrormanager_user.group }}" 
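Review bot: `Database import template` in tasks/mantis.yml renders to `dest: "/tmp/mantis_import.sql.j2"`, a fixed, predictable path in a world-writable directory, and the `.j2` suffix on the rendered file looks copied from `src` by mistake. The template is not in this diff, so confirm what it contains; if the rendered SQL carries credentials or account data, write it under a root-owned directory such as the mantis install path or a path obtained from `ansible.builtin.tempfile` with a restrictive `mode`, and remove it after the import the way tasks/bugzilla_install.yml removes its answer file.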
diff --git a/tasks/noggin.yml b/tasks/noggin.yml index 735afcd..37817f7 100644 --- a/tasks/noggin.yml +++ b/tasks/noggin.yml @@ -1,6 +1,6 @@ --- - name: Ensure python is installed - yum: + ansible.builtin.dnf: name: - python3 - python3-pip @@ -12,7 +12,7 @@ comment: "Noggin FAS" - name: Create noggin directory - file: + ansible.builtin.file: path: /opt/noggin state: directory mode: '0700' @@ -36,7 +36,7 @@ become_user: noggin - name: Remove any pycache - file: + ansible.builtin.file: path: "/home/noggin/.cache/pypoetry" state: absent @@ -58,7 +58,7 @@ register: virtualenv_location - name: Deploy start up script - template: + ansible.builtin.template: src: "opt/noggin/start_noggin.sh.j2" dest: "/opt/noggin/start_noggin.sh" mode: '0750' @@ -66,7 +66,7 @@ group: noggin - name: Deploy systemd unit - copy: + ansible.builtin.copy: src: "etc/systemd/system/noggin.service" dest: "/etc/systemd/system/noggin.service" owner: root @@ -74,7 +74,7 @@ mode: '0644' - name: Deploy noggin configuration - template: + ansible.builtin.template: src: "opt/noggin/noggin.cfg.j2" dest: "/opt/noggin/noggin.cfg" owner: noggin @@ -83,7 +83,7 @@ # The only way to run it properly, at least on EL8, is we need this line - name: Add missing create_app call - lineinfile: + ansible.builtin.lineinfile: path: "/opt/noggin/noggin/noggin/app.py" line: "app = create_app()" ... diff --git a/tasks/openqa.yml b/tasks/openqa.yml index 27d3585..b491f3e 100644 --- a/tasks/openqa.yml +++ b/tasks/openqa.yml @@ -1,13 +1,13 @@ --- - name: Install OpenQA packages - yum: + ansible.builtin.dnf: name: "{{ openqa_packages }}" state: present tags: - packages - name: Copy httpd configuration files - copy: + ansible.builtin.copy: remote_src: true src: /etc/httpd/conf.d/{{ item }}.template dest: /etc/httpd/conf.d/{{ item }} @@ -22,7 +22,7 @@ - configure - name: Template OpenQA configuration files - template: + ansible.builtin.template: src: etc/openqa/{{ item }}.j2 dest: /etc/openqa/{{ item }} owner: "{{ openqa_user }}" 
@@ -38,17 +38,17 @@ service_facts: - name: Check for non-empty postgres data directory - stat: + ansible.builtin.stat: path: /var/lib/pgsql/data/base register: postgres_data_dir - name: If postgresql is not already running, initialize database - command: postgresql-setup --initdb + ansible.builtin.command: postgresql-setup --initdb when: not ( ansible_facts.services["postgresql.service"]["state"] == "running" ) and not postgres_data_dir.stat.exists - name: Enable and start postgresql service - systemd: + ansible.builtin.systemd: name: postgresql state: started enabled: true @@ -56,7 +56,7 @@ and not postgres_data_dir.stat.exists - name: Configure SELinux to allow httpd connection to network - seboolean: + ansible.posix.seboolean: name: httpd_can_network_connect state: true persistent: true @@ -64,7 +64,7 @@ - configure - name: Enable and start OpenQA services - systemd: + ansible.builtin.systemd: name: "{{ item }}" state: started enabled: true @@ -73,7 +73,7 @@ - configure - name: Create openqa-vnc firewalld service - template: + ansible.builtin.template: src: etc/firewalld/services/openqa-vnc.xml.j2 dest: /etc/firewalld/services/openqa-vnc.xml owner: root @@ -83,7 +83,7 @@ - configure - name: Load openqa-vnc firewalld service - systemd: + ansible.builtin.systemd: name: firewalld state: reloaded tags: @@ -101,7 +101,7 @@ - configure - name: Reload FirewallD - systemd: + ansible.builtin.systemd: name: firewalld state: reloaded tags: @@ -115,7 +115,7 @@ - configure - name: Clone repository if it does not already exist - git: + ansible.builtin.git: accept_hostkey: true dest: "{{ openqa_homedir }}/share/tests/rocky" repo: "{{ openqa_rocky_testing_repo }}" @@ -125,7 +125,7 @@ - configure - name: Set owner/group/permissions on repo contents - file: + ansible.builtin.file: path: "{{ openqa_homedir }}/share/tests/rocky" recurse: true owner: "{{ openqa_user }}" 
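Review bot: `ansible.posix.seboolean` in the `Configure SELinux to allow httpd connection to network` task of tasks/openqa.yml requires the ansible.posix collection, and the part of collections/requirements.yml visible in this diff lists only freeipa.ansible_freeipa, community.general, community.mysql and community.rabbitmq; if ansible.posix is not declared further down that file, the play now fails at module resolution where the bare `seboolean` may previously have resolved through the controller's routing. Confirm the entry exists or add `- name: ansible.posix` to collections/requirements.yml.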
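Review bot: `accept_hostkey: true` on the `Clone repository if it does not already exist` task makes the first clone trust whichever SSH host key is presented, so a misdirected or intercepted first connection is accepted silently. If `openqa_rocky_testing_repo` is an SSH URL, pre-seed the host key with `ansible.builtin.known_hosts` and drop the flag; if it is an HTTPS URL the option has no effect and can simply be removed.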
@@ -136,17 +136,17 @@ # fifloader.py will fail if the Demo user is not logged in - name: Authenticate to web UI the first time - uri: + ansible.builtin.uri: url: "http://{{ openqa_host }}/login" - name: Run fifloader.py - command: ./fifloader.py -l -c templates.fif.json templates-updates.fif.json + ansible.builtin.command: ./fifloader.py -l -c templates.fif.json templates-updates.fif.json changed_when: "1 != 1" args: chdir: "{{ openqa_homedir }}/share/tests/rocky" - name: Create ISO directory - file: + ansible.builtin.file: path: "{{ openqa_homedir }}/share/factory/iso/fixed" state: directory owner: "{{ openqa_user }}" @@ -156,7 +156,7 @@ - download_isos - name: Download ISOs - get_url: + ansible.builtin.get_url: dest: "{{ openqa_homedir }}/share/factory/iso/fixed/{{ item.name }}" url: "{{ rocky_iso_download_url }}/{{ item.name }}" checksum: "{{ item.checksum }}" @@ -180,7 +180,7 @@ - configure - name: POST a job - command: | + ansible.builtin.command: | openqa-cli api -X POST isos \ ISO=Rocky-{{ rocky_version }}-{{ rocky_arch }}-minimal.iso \ ARCH={{ rocky_arch }} \ diff --git a/tasks/postfix_relay.yml b/tasks/postfix_relay.yml index c25b5b7..9aee7c8 100644 --- a/tasks/postfix_relay.yml +++ b/tasks/postfix_relay.yml @@ -1,14 +1,14 @@ --- # Configure relay - name: Ensure postfix is installed - yum: + ansible.builtin.dnf: name: - postfix - cyrus-sasl-plain state: present - name: Add password map - template: + ansible.builtin.template: src: etc/postfix/sasl_passwd.j2 dest: /etc/postfix/sasl_passwd owner: root @@ -17,7 +17,7 @@ notify: rehash_postfix_sasl - name: Add relay information to postfix - blockinfile: + ansible.builtin.blockinfile: path: /etc/postfix/main.cf marker: "## ANSIBLE MANAGED ##" block: | @@ -31,7 +31,7 @@ notify: restart_postfix - name: Ensure postfix is running and enabled - service: + ansible.builtin.service: name: postfix state: restarted enabled: true diff --git a/tasks/scripts.yml b/tasks/scripts.yml index 7e555f6..cb042e2 100644 
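Review bot: The `Ensure postfix is running and enabled` task in tasks/postfix_relay.yml uses `state: restarted`, so postfix is bounced on every play run even when nothing changed, which makes the play non-idempotent and briefly interrupts mail relay each time. Use `state: started` here and leave restarts to the `restart_postfix` handler that `Add relay information to postfix` already notifies (`notify: restart_postfix` is visible in the preceding hunk).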
--- a/tasks/scripts.yml +++ b/tasks/scripts.yml @@ -1,7 +1,7 @@ --- # Common scripts that rocky uses on nodes - name: Lock Wrapper script - copy: + ansible.builtin.copy: src: "usr/local/bin/lock-wrapper" dest: "/usr/local/bin/lock-wrapper" owner: root @@ -9,7 +9,7 @@ mode: '0755' - name: dmidecode pretty script - copy: + ansible.builtin.copy: src: "usr/local/bin/dmidecode-pretty" dest: "/usr/local/bin/dmidecode-pretty" owner: root diff --git a/tasks/ssh_config.yml b/tasks/ssh_config.yml index 15941ac..ab7dd0f 100644 --- a/tasks/ssh_config.yml +++ b/tasks/ssh_config.yml @@ -1,11 +1,11 @@ --- - name: Ensure SSH server is installed - package: + ansible.builtin.package: name: openssh-server state: present - name: Ensure SSH daemon is enabled - service: + ansible.builtin.service: name: sshd enabled: true @@ -13,7 +13,7 @@ - name: SSH daemon configuration - global block: - name: SSH daemon configuration - base - template: + ansible.builtin.template: src: "etc/ssh/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-sshd_config.j2" dest: "/etc/ssh/sshd_config" owner: root @@ -28,7 +28,7 @@ msg: "Error in SSH daemon configuration or template" - name: SSH banner - copy: + ansible.builtin.copy: src: "etc/rockybanner" dest: "/etc/rockybanner" owner: root @@ -37,7 +37,7 @@ notify: restart_sshd - name: Remove DSA keys - file: + ansible.builtin.file: path: "{{ item }}" state: absent with_items: