nazunalika 2022-03-27 22:01:23 -07:00
parent 460acc21ef
commit dfe4f60ab8
Signed by: label
GPG Key ID: 6735C0E1BD65D048
43 changed files with 158 additions and 153 deletions

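--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,6 @@
+roles/*
+collections/*
+!roles/README.md
+!roles/requirements.yml
+!collections/README.md
+!collections/requirements.yml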


@ -3,6 +3,6 @@
become: true become: true
tasks: tasks:
- name: Force a fact refresh to have those available in local cache - name: Force a fact refresh to have those available in local cache
setup: ansible.builtin.setup:
gather_timeout: 30 gather_timeout: 30
... ...


@ -26,7 +26,7 @@
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
assert: ansible.builtin.assert:
that: that:
- username != "admin" - username != "admin"
- username != "guest" - username != "guest"
@ -37,7 +37,7 @@
- rabbitmq - rabbitmq
- name: "Validate username queue name" - name: "Validate username queue name"
assert: ansible.builtin.assert:
that: that:
- "queue_name.startswith(username)" - "queue_name.startswith(username)"
tags: tags:


@ -12,7 +12,7 @@
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
assert: ansible.builtin.assert:
that: that:
- username != "admin" - username != "admin"
- username != "guest" - username != "guest"


@ -2,7 +2,6 @@
collections: collections:
# freeipa # freeipa
- name: freeipa.ansible_freeipa - name: freeipa.ansible_freeipa
version: 1.6.3
- name: community.general - name: community.general
- name: community.mysql - name: community.mysql
- name: community.rabbitmq - name: community.rabbitmq
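Review bot: With the `version: 1.6.3` line dropped from `freeipa.ansible_freeipa`, no collection visible in this list carries a version constraint, so each install resolves to whatever release the Galaxy source serves at that moment. That makes runs non-reproducible and lets an unreviewed or tampered upstream release reach every managed host without any change in this repository. If the pin was removed because 1.6.3 had become too old, consider replacing it with a tested release, e.g. `version: "<TESTED_VERSION>"` (placeholder), and pinning the `community.*` entries the same way. The list continues outside the hunk.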


@ -1,22 +1,22 @@
--- ---
# Handlers # Handlers
- name: restart_sshd - name: restart_sshd
service: ansible.builtin.service:
name: sshd name: sshd
state: restarted state: restarted
- name: restart_httpd - name: restart_httpd
service: ansible.builtin.service:
name: httpd name: httpd
state: restarted state: restarted
- name: restart_nginx - name: restart_nginx
service: ansible.builtin.service:
name: nginx name: nginx
state: restarted state: restarted
- name: reload_networkmanager - name: reload_networkmanager
service: ansible.builtin.service:
name: NetworkManager name: NetworkManager
state: reloaded state: reloaded
@ -24,7 +24,7 @@
command: /sbin/augenrules command: /sbin/augenrules
- name: reload_chrony - name: reload_chrony
systemd: ansible.builtin.systemd:
name: "{{ chrony_service_name }}" name: "{{ chrony_service_name }}"
state: restarted state: restarted
listen: "chrony service restart" listen: "chrony service restart"
@ -35,7 +35,7 @@
failed_when: gitlab_restart_handler_failed_when | bool failed_when: gitlab_restart_handler_failed_when | bool
- name: restart_noggin - name: restart_noggin
service: ansible.builtin.service:
name: noggin name: noggin
state: restarted state: restarted
@ -43,7 +43,7 @@
command: "postmap /etc/postfix/sasl_passwd" command: "postmap /etc/postfix/sasl_passwd"
- name: restart_postfix - name: restart_postfix
service: ansible.builtin.service:
name: postfix name: postfix
state: restarted state: restarted
... ...
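Review bot: The two `command:` handlers in this file (`command: /sbin/augenrules` and `command: "postmap /etc/postfix/sasl_passwd"`) stay on the short module name while every `service:` and `systemd:` handler around them moves to its fully qualified name. For consistency, and so that name resolution cannot be affected by a collection that ships a module with the same short name, write them as `ansible.builtin.command: /sbin/augenrules` and `ansible.builtin.command: "postmap /etc/postfix/sasl_passwd"`. The task names of both handlers sit outside the visible hunks, so other short names may remain in the file as well.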


@ -14,7 +14,7 @@
register: no_ansible register: no_ansible
- name: Verify if we can run ansible - name: Verify if we can run ansible
assert: ansible.builtin.assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
success_msg: "We are not able to run on this node" success_msg: "We are not able to run on this node"
@ -26,7 +26,7 @@
post_tasks: post_tasks:
- name: Touching run file that ansible has ran here - name: Touching run file that ansible has ran here
file: ansible.builtin.file:
path: /var/log/ansible.run path: /var/log/ansible.run
state: touch state: touch
mode: '0644' mode: '0644'
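Review bot: `success_msg: "We are not able to run on this node"` is printed when the assertion `not no_ansible.stat.exists` passes, which is exactly when the run is allowed to proceed, so the message states the opposite of what happened. Other playbooks in this commit use `success_msg: "We are able to run on this node"` for the same check, and the inverted wording recurs in several other playbook sections touched here. Because `/etc/no-ansible` acts as an opt-out guard, misleading output makes it harder to tell from logs whether a node was really skipped. The `fail_msg` line, if any, is outside the hunk.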


@ -20,7 +20,7 @@
# - twine # - twine
- name: Remove existing public roles - name: Remove existing public roles
file: ansible.builtin.file:
path: "{{ installation_prefix }}{{ roles_installation_dir }}" path: "{{ installation_prefix }}{{ roles_installation_dir }}"
state: absent state: absent
when: force_purge | bool when: force_purge | bool
@ -44,13 +44,13 @@
changed_when: '"Installing " in galaxy_install_collection.stdout' changed_when: '"Installing " in galaxy_install_collection.stdout'
- name: cleanup old ssh known_hosts - remove - name: cleanup old ssh known_hosts - remove
file: ansible.builtin.file:
path: "../tmp/known_hosts" path: "../tmp/known_hosts"
state: absent state: absent
mode: "0644" mode: "0644"
- name: cleanup old ssh known_hosts - blank - name: cleanup old ssh known_hosts - blank
file: ansible.builtin.file:
path: "../tmp/known_hosts" path: "../tmp/known_hosts"
state: touch state: touch
mode: "0644" mode: "0644"


@ -17,7 +17,7 @@
register: no_ansible register: no_ansible
- name: Verify if we can run ansible - name: Verify if we can run ansible
assert: ansible.builtin.assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
success_msg: "We are not able to run on this node" success_msg: "We are not able to run on this node"
@ -43,13 +43,13 @@
- https - https
- name: Ensure httpd is enabled and running - name: Ensure httpd is enabled and running
service: ansible.builtin.service:
name: httpd name: httpd
enabled: true enabled: true
state: started state: started
- name: Touching run file that ansible has ran here - name: Touching run file that ansible has ran here
file: ansible.builtin.file:
path: /var/log/ansible.run path: /var/log/ansible.run
state: touch state: touch
mode: '0644' mode: '0644'


@ -20,7 +20,7 @@
register: no_ansible register: no_ansible
- name: Verify if we can run ansible - name: Verify if we can run ansible
assert: ansible.builtin.assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
success_msg: "We are able to run on this node" success_msg: "We are able to run on this node"
@ -32,7 +32,7 @@
post_tasks: post_tasks:
- name: Touching run file that ansible has ran here - name: Touching run file that ansible has ran here
file: ansible.builtin.file:
path: /var/log/ansible.run path: /var/log/ansible.run
state: touch state: touch
mode: '0644' mode: '0644'


@ -13,7 +13,7 @@
register: no_ansible register: no_ansible
- name: Verify if we can run ansible - name: Verify if we can run ansible
assert: ansible.builtin.assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
success_msg: "We are able to run on this node" success_msg: "We are able to run on this node"
@ -28,7 +28,7 @@
# Install KVM packages # Install KVM packages
- name: Installing KVM Packages - name: Installing KVM Packages
package: ansible.builtin.package:
name: name:
- qemu-kvm - qemu-kvm
- libvirt - libvirt
@ -38,7 +38,7 @@
state: present state: present
- name: Enable and Start libvirtd - name: Enable and Start libvirtd
systemd: ansible.builtin.systemd:
name: libvirtd name: libvirtd
state: started state: started
enabled: true enabled: true
@ -51,7 +51,7 @@
post_tasks: post_tasks:
- name: Touching run file that ansible has ran here - name: Touching run file that ansible has ran here
file: ansible.builtin.file:
path: /var/log/ansible.run path: /var/log/ansible.run
state: touch state: touch
mode: '0644' mode: '0644'


@ -18,7 +18,7 @@
register: no_ansible register: no_ansible
- name: Verify if we can run ansible - name: Verify if we can run ansible
assert: ansible.builtin.assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
success_msg: "We are not able to run on this node" success_msg: "We are not able to run on this node"
@ -44,13 +44,13 @@
- https - https
- name: Ensure httpd is enabled and running - name: Ensure httpd is enabled and running
service: ansible.builtin.service:
name: httpd name: httpd
enabled: true enabled: true
state: started state: started
- name: Touching run file that ansible has ran here - name: Touching run file that ansible has ran here
file: ansible.builtin.file:
path: /var/log/ansible.run path: /var/log/ansible.run
state: touch state: touch
mode: '0644' mode: '0644'


@ -14,7 +14,7 @@
register: no_ansible register: no_ansible
- name: Verify if we can run ansible - name: Verify if we can run ansible
assert: ansible.builtin.assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
success_msg: "We are not able to run on this node" success_msg: "We are not able to run on this node"
@ -32,7 +32,7 @@
post_tasks: post_tasks:
- name: Touching run file that ansible has ran here - name: Touching run file that ansible has ran here
file: ansible.builtin.file:
path: /var/log/ansible.run path: /var/log/ansible.run
state: touch state: touch
mode: '0644' mode: '0644'


@ -14,7 +14,7 @@
register: no_ansible register: no_ansible
- name: Verify if we can run ansible - name: Verify if we can run ansible
assert: ansible.builtin.assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
success_msg: "We are not able to run on this node" success_msg: "We are not able to run on this node"
@ -26,7 +26,7 @@
post_tasks: post_tasks:
- name: Touching run file that ansible has ran here - name: Touching run file that ansible has ran here
file: ansible.builtin.file:
path: /var/log/ansible.run path: /var/log/ansible.run
state: touch state: touch
mode: '0644' mode: '0644'


@ -32,7 +32,7 @@
register: no_ansible register: no_ansible
- name: Verify if we can run ansible - name: Verify if we can run ansible
assert: ansible.builtin.assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
success_msg: "We are able to run on this node" success_msg: "We are able to run on this node"
@ -44,7 +44,7 @@
post_tasks: post_tasks:
- name: Touching run file that ansible has ran here - name: Touching run file that ansible has ran here
file: ansible.builtin.file:
path: /var/log/ansible.run path: /var/log/ansible.run
state: touch state: touch
mode: '0644' mode: '0644'


@ -16,7 +16,7 @@
register: no_ansible register: no_ansible
- name: Verify if we can run ansible - name: Verify if we can run ansible
assert: ansible.builtin.assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
success_msg: "We are not able to run on this node" success_msg: "We are not able to run on this node"
@ -28,7 +28,7 @@
post_tasks: post_tasks:
- name: Touching run file that ansible has ran here - name: Touching run file that ansible has ran here
file: ansible.builtin.file:
path: /var/log/ansible.run path: /var/log/ansible.run
state: touch state: touch
mode: '0644' mode: '0644'


@ -5,7 +5,7 @@
become: true become: true
handlers: handlers:
- import_tasks: handers/main.yml - import_tasks: handlers/main.yml
pre_tasks: pre_tasks:
- name: Check if ansible cannot be run here - name: Check if ansible cannot be run here
@ -14,7 +14,7 @@
register: no_ansible register: no_ansible
- name: Verify if we can run ansible - name: Verify if we can run ansible
assert: ansible.builtin.assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
success_msg: "We are not able to run on this node" success_msg: "We are not able to run on this node"
@ -26,7 +26,7 @@
post_tasks: post_tasks:
- name: Touching run file that ansible has ran here - name: Touching run file that ansible has ran here
file: ansible.builtin.file:
path: /var/log/ansible.run path: /var/log/ansible.run
state: touch state: touch
mode: '0644' mode: '0644'


@ -18,7 +18,7 @@
register: no_ansible register: no_ansible
- name: Verify if we can run ansible - name: Verify if we can run ansible
assert: ansible.builtin.assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
success_msg: "We are able to run on this node" success_msg: "We are able to run on this node"
@ -48,7 +48,7 @@
post_tasks: post_tasks:
- name: Touching run file that ansible has ran here - name: Touching run file that ansible has ran here
file: ansible.builtin.file:
path: /var/log/ansible.run path: /var/log/ansible.run
state: touch state: touch
mode: '0644' mode: '0644'


@ -18,7 +18,7 @@
register: no_ansible register: no_ansible
- name: Verify if we can run ansible - name: Verify if we can run ansible
assert: ansible.builtin.assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
success_msg: "We are able to run on this node" success_msg: "We are able to run on this node"
@ -32,7 +32,7 @@
post_tasks: post_tasks:
- name: Touching run file that ansible has ran here - name: Touching run file that ansible has ran here
file: ansible.builtin.file:
path: /var/log/ansible.run path: /var/log/ansible.run
state: touch state: touch
mode: '0644' mode: '0644'


@ -24,14 +24,14 @@
register: no_ansible register: no_ansible
- name: Verify if we can run ansible - name: Verify if we can run ansible
assert: ansible.builtin.assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
success_msg: "We are able to run on this node" success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node" fail_msg: "/etc/no-ansible exists - skipping run on this node"
- name: Install SELinux packages - name: Install SELinux packages
package: ansible.builtin.package:
name: python3-policycoreutils.noarch name: python3-policycoreutils.noarch
state: present state: present
@ -58,7 +58,7 @@
loop: "{{ graylog_server_firewall_rules }}" loop: "{{ graylog_server_firewall_rules }}"
- name: Touching run file that ansible has ran here - name: Touching run file that ansible has ran here
file: ansible.builtin.file:
path: /var/log/ansible.run path: /var/log/ansible.run
state: touch state: touch
mode: '0644' mode: '0644'


@ -21,7 +21,7 @@
register: no_ansible register: no_ansible
- name: Verify if we can run ansible - name: Verify if we can run ansible
assert: ansible.builtin.assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
success_msg: "We are able to run on this node" success_msg: "We are able to run on this node"
@ -29,13 +29,13 @@
- name: Install git - name: Install git
become: true become: true
package: ansible.builtin.package:
name: git name: git
state: present state: present
- name: Install SELinux packages - name: Install SELinux packages
become: true become: true
package: ansible.builtin.package:
name: python3-policycoreutils.noarch name: python3-policycoreutils.noarch
state: present state: present
@ -63,7 +63,7 @@
- name: Touching run file that ansible has ran here - name: Touching run file that ansible has ran here
become: true become: true
file: ansible.builtin.file:
path: /var/log/ansible.run path: /var/log/ansible.run
state: touch state: touch
mode: '0644' mode: '0644'


@ -25,14 +25,14 @@
register: no_ansible register: no_ansible
- name: Verify if we can run ansible - name: Verify if we can run ansible
assert: ansible.builtin.assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
success_msg: "We are able to run on this node" success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node" fail_msg: "/etc/no-ansible exists - skipping run on this node"
- name: Install SELinux packages - name: Install SELinux packages
package: ansible.builtin.package:
name: python3-policycoreutils.noarch name: python3-policycoreutils.noarch
state: present state: present
@ -55,7 +55,7 @@
loop: "{{ monitoring_server_firewall_rules }}" loop: "{{ monitoring_server_firewall_rules }}"
- name: Touching run file that ansible has ran here - name: Touching run file that ansible has ran here
file: ansible.builtin.file:
path: /var/log/ansible.run path: /var/log/ansible.run
state: touch state: touch
mode: '0644' mode: '0644'


@ -18,7 +18,7 @@
register: no_ansible register: no_ansible
- name: Verify if we can run ansible - name: Verify if we can run ansible
assert: ansible.builtin.assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
success_msg: "We are able to run on this node" success_msg: "We are able to run on this node"
@ -50,7 +50,7 @@
# The CentOS extras repos has epel-release provided # The CentOS extras repos has epel-release provided
- name: Enable the EPEL repository - name: Enable the EPEL repository
yum: ansible.builtin.dnf:
name: epel-release name: epel-release
state: present state: present
tags: tags:
@ -65,7 +65,7 @@
post_tasks: post_tasks:
- name: Touching run file that ansible has ran here - name: Touching run file that ansible has ran here
file: ansible.builtin.file:
path: /var/log/ansible.run path: /var/log/ansible.run
state: touch state: touch
mode: '0644' mode: '0644'
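Review bot: The `Enable the EPEL repository` task changes module, not just spelling: `yum:` becomes `ansible.builtin.dnf:`, unlike the other tasks in this commit, which keep their module and only gain the `ansible.builtin.` prefix. On a host without dnf and its Python bindings (an EL7 system, for example) this task would now fail where `yum` worked, and the comment above it still refers to the CentOS extras repository. If every target is EL8 or later this is fine; otherwise `ansible.builtin.package:`, as used for the other installs in this commit, stays portable. The same swap is made in the tasks installing `bugzilla_pkg`, `chrony_packages`, amazon-efs-utils and `mantis_pkg`.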


@ -5,12 +5,12 @@
pre_tasks: pre_tasks:
- name: Install SELinux packages - name: Install SELinux packages
package: ansible.builtin.package:
name: python3-policycoreutils.noarch name: python3-policycoreutils.noarch
state: present state: present
roles: roles:
- role: cloudalchemy.node-exporter - role: cloudalchemy.node_exporter
state: present state: present
post_tasks: post_tasks:


@ -19,14 +19,14 @@
register: no_ansible register: no_ansible
- name: Verify if we can run ansible - name: Verify if we can run ansible
assert: ansible.builtin.assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
success_msg: "We are able to run on this node" success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node" fail_msg: "/etc/no-ansible exists - skipping run on this node"
- name: Install SELinux packages - name: Install SELinux packages
package: ansible.builtin.package:
name: python3-policycoreutils.noarch name: python3-policycoreutils.noarch
state: present state: present
@ -58,7 +58,7 @@
loop: "{{ firewall_rules }}" loop: "{{ firewall_rules }}"
- name: Touching run file that ansible has ran here - name: Touching run file that ansible has ran here
file: ansible.builtin.file:
path: /var/log/ansible.run path: /var/log/ansible.run
state: touch state: touch
mode: '0644' mode: '0644'


@ -19,7 +19,7 @@
register: no_ansible register: no_ansible
- name: Verify if we can run ansible - name: Verify if we can run ansible
assert: ansible.builtin.assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
success_msg: "We are able to run on this node" success_msg: "We are able to run on this node"
@ -81,7 +81,7 @@
post_tasks: post_tasks:
- name: Touching run file that ansible has ran here - name: Touching run file that ansible has ran here
file: ansible.builtin.file:
path: /var/log/ansible.run path: /var/log/ansible.run
state: touch state: touch
mode: '0644' mode: '0644'


@ -19,7 +19,7 @@
register: no_ansible register: no_ansible
- name: Verify if we can run ansible - name: Verify if we can run ansible
assert: ansible.builtin.assert:
that: that:
- "not no_ansible.stat.exists" - "not no_ansible.stat.exists"
success_msg: "We are able to run on this node" success_msg: "We are able to run on this node"
@ -33,7 +33,7 @@
post_tasks: post_tasks:
- name: Touching run file that ansible has ran here - name: Touching run file that ansible has ran here
file: ansible.builtin.file:
path: /var/log/ansible.run path: /var/log/ansible.run
state: touch state: touch
mode: '0644' mode: '0644'


@ -1,7 +1,7 @@
--- ---
# Account Services # Account Services
- name: Install packages - name: Install packages
package: ansible.builtin.package:
name: name:
- httpd - httpd
- mod_ssl - mod_ssl
@ -11,7 +11,7 @@
state: present state: present
- name: Deploy relevant httpd configuration - name: Deploy relevant httpd configuration
template: ansible.builtin.template:
src: "etc/httpd/conf.d/id.conf.j2" src: "etc/httpd/conf.d/id.conf.j2"
dest: "/etc/httpd/conf.d/id.conf" dest: "/etc/httpd/conf.d/id.conf"
owner: root owner: root
@ -20,7 +20,7 @@
notify: restart_httpd notify: restart_httpd
- name: Enable and start - name: Enable and start
systemd: ansible.builtin.systemd:
name: httpd name: httpd
state: running state: running
enabled: true enabled: true
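Review bot: `state: running` in the `Enable and start` task is not a value the systemd module accepts; its documented states are `started`, `stopped`, `restarted` and `reloaded`, so this task is expected to fail argument validation instead of starting httpd. Use `state: started`, as the libvirtd and httpd tasks elsewhere in this commit already do. The task may continue outside the hunk.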


@ -1,18 +1,18 @@
--- ---
- name: Ensure auditd is installed - name: Ensure auditd is installed
package: ansible.builtin.package:
name: audit name: audit
state: present state: present
tags: tags:
- harden - harden
- name: Ensure auditd is enabled - name: Ensure auditd is enabled
service: ansible.builtin.service:
name: auditd name: auditd
enabled: true enabled: true
- name: Ensure auditd buffer is OK - name: Ensure auditd buffer is OK
replace: ansible.builtin.replace:
path: /etc/audit/rules.d/audit.rules path: /etc/audit/rules.d/audit.rules
regexp: '-b \d+' regexp: '-b \d+'
replace: '-b {{ audit_buffer }}' replace: '-b {{ audit_buffer }}'
@ -22,7 +22,7 @@
- harden - harden
- name: Ensure collection audit rules are available - name: Ensure collection audit rules are available
template: ansible.builtin.template:
src: "etc/audit/rules.d/collection.rules.j2" src: "etc/audit/rules.d/collection.rules.j2"
dest: "/etc/audit/rules.d/collection.rules" dest: "/etc/audit/rules.d/collection.rules"
owner: root owner: root


@ -4,7 +4,7 @@
- name: Enterprise Linux 8+ PAM Configuration - name: Enterprise Linux 8+ PAM Configuration
block: block:
- name: Ensure Custom Profile is removed - name: Ensure Custom Profile is removed
file: ansible.builtin.file:
path: /etc/authselect/custom/sssd-rocky path: /etc/authselect/custom/sssd-rocky
state: absent state: absent
@ -20,7 +20,7 @@
changed_when: false changed_when: false
- name: Override system-auth and password-auth - name: Override system-auth and password-auth
copy: ansible.builtin.copy:
src: "etc/authselect/custom/sssd-rocky/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth" src: "etc/authselect/custom/sssd-rocky/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth"
dest: "{{ item }}" dest: "{{ item }}"
owner: root owner: root
@ -45,7 +45,7 @@
changed_when: false changed_when: false
- name: Enable oddjobd - name: Enable oddjobd
service: ansible.builtin.service:
name: oddjobd name: oddjobd
state: started state: started
enabled: true enabled: true


@ -11,7 +11,7 @@
- httpd_can_sendmail - httpd_can_sendmail
- name: Install necessary packages - name: Install necessary packages
yum: ansible.builtin.dnf:
name: "{{ bugzilla_pkg }}" name: "{{ bugzilla_pkg }}"
state: present state: present
tags: tags:
@ -24,7 +24,7 @@
checksum: "{{ bugzilla_checksum }}" checksum: "{{ bugzilla_checksum }}"
- name: Create initial directory - name: Create initial directory
file: ansible.builtin.file:
path: "{{ bugzilla_dir }}" path: "{{ bugzilla_dir }}"
state: directory state: directory
mode: '0750' mode: '0750'
@ -43,7 +43,7 @@
- '--strip-components=1' - '--strip-components=1'
- name: Configure httpd - name: Configure httpd
template: ansible.builtin.template:
src: "etc/httpd/conf.d/bugzilla.conf.j2" src: "etc/httpd/conf.d/bugzilla.conf.j2"
dest: "/etc/httpd/conf.d/bugzilla.conf" dest: "/etc/httpd/conf.d/bugzilla.conf"
owner: root owner: root


@ -7,7 +7,7 @@
register: conf_result register: conf_result
- name: Deploy answer file - name: Deploy answer file
template: ansible.builtin.template:
src: "var/www/bugzilla/answer" src: "var/www/bugzilla/answer"
dest: "{{ bugzilla_dir }}/answer" dest: "{{ bugzilla_dir }}/answer"
owner: root owner: root
@ -23,7 +23,7 @@
when: not conf_result.stat.exists when: not conf_result.stat.exists
- name: Deploy proper configuration - name: Deploy proper configuration
template: ansible.builtin.template:
src: "var/www/bugzilla/localconfig.j2" src: "var/www/bugzilla/localconfig.j2"
dest: "{{ bugzilla_dir }}/localconfig" dest: "{{ bugzilla_dir }}/localconfig"
owner: root owner: root
@ -54,7 +54,7 @@
changed_when: "1 != 1" changed_when: "1 != 1"
- name: Remove answer file - name: Remove answer file
file: ansible.builtin.file:
path: "{{ bugzilla_dir }}/answer" path: "{{ bugzilla_dir }}/answer"
state: absent state: absent
... ...


@ -6,18 +6,18 @@
when: "'chronyservers' in group_names" when: "'chronyservers' in group_names"
- name: Install chrony packages - name: Install chrony packages
yum: ansible.builtin.dnf:
name: "{{ chrony_packages }}" name: "{{ chrony_packages }}"
state: present state: present
- name: Fix permissions for chrony home directory - name: Fix permissions for chrony home directory
file: ansible.builtin.file:
path: "{{ chrony_homedir }}" path: "{{ chrony_homedir }}"
mode: 0750 mode: 0750
state: directory state: directory
- name: Deploy configuration - name: Deploy configuration
template: ansible.builtin.template:
src: chrony.conf.j2 src: chrony.conf.j2
dest: "{{ chrony_config_file }}" dest: "{{ chrony_config_file }}"
owner: "{{ chrony_owner }}" owner: "{{ chrony_owner }}"
@ -26,7 +26,7 @@
notify: "chrony service restart" notify: "chrony service restart"
- name: Manage the state of service - name: Manage the state of service
systemd: ansible.builtin.systemd:
name: "{{ chrony_service_name }}" name: "{{ chrony_service_name }}"
state: "{{ chrony_service_state }}" state: "{{ chrony_service_state }}"
enabled: "{{ chrony_service_enabled }}" enabled: "{{ chrony_service_enabled }}"
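Review bot: `mode: 0750` in `Fix permissions for chrony home directory` is an unquoted octal literal, while the other file tasks in this commit quote the mode (`mode: '0644'`, `mode: '0750'`). An unquoted value only works while the YAML loader reads the leading zero as octal; if it is ever read as decimal 750 the directory ends up with unintended permission bits. Write `mode: '0750'` so the value reaches the module as a string.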


@ -5,7 +5,7 @@
- name: "Installing amazon-efs-utils" - name: "Installing amazon-efs-utils"
become: true become: true
become_user: root become_user: root
yum: ansible.builtin.dnf:
name: 'https://kojidev.rockylinux.org/kojifiles/packages/amazon-efs-utils/1.31.3/1.5c58a2f.el8/noarch/amazon-efs-utils-1.31.3-1.5c58a2f.el8.noarch.rpm' name: 'https://kojidev.rockylinux.org/kojifiles/packages/amazon-efs-utils/1.31.3/1.5c58a2f.el8/noarch/amazon-efs-utils-1.31.3-1.5c58a2f.el8.noarch.rpm'
disable_gpg_check: true disable_gpg_check: true
validate_certs: true validate_certs: true
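Review bot: `disable_gpg_check: true` remains on the `Installing amazon-efs-utils` task, so the RPM fetched from the kojidev URL is installed as root without any signature verification. `validate_certs: true` only authenticates the TLS endpoint; it does not show that the package is the build that was reviewed. Prefer installing from a repository whose signing key is imported, or download first with `ansible.builtin.get_url` and a pinned `checksum: "sha256:<EXPECTED_SHA256>"` (placeholder) and install the verified local file. The task continues outside the hunk.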


@ -3,7 +3,7 @@
- name: sysctl hardening and limits - name: sysctl hardening and limits
block: block:
- name: create combined sysctl-dict if overwrites are defined - name: create combined sysctl-dict if overwrites are defined
set_fact: ansible.builtin.set_fact:
sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}' sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
when: sysctl_overwrite | default() when: sysctl_overwrite | default()
@ -34,7 +34,7 @@
- name: Standard login settings - name: Standard login settings
block: block:
- name: useradd defaults - name: useradd defaults
lineinfile: ansible.builtin.lineinfile:
line: "INACTIVE=30" line: "INACTIVE=30"
regexp: "^INACTIVE=.*" regexp: "^INACTIVE=.*"
path: "/etc/login.defs" path: "/etc/login.defs"
@ -42,7 +42,7 @@
- harden - harden
- name: login defs maximum days - name: login defs maximum days
replace: ansible.builtin.replace:
path: /etc/login.defs path: /etc/login.defs
regexp: '(PASS_MAX_DAYS).*\d+' regexp: '(PASS_MAX_DAYS).*\d+'
replace: '\1\t{{ login_max_days }}' replace: '\1\t{{ login_max_days }}'
@ -50,7 +50,7 @@
- harden - harden
- name: login defs minimum days - name: login defs minimum days
replace: ansible.builtin.replace:
path: /etc/login.defs path: /etc/login.defs
regexp: '(PASS_MIN_DAYS).*\d+' regexp: '(PASS_MIN_DAYS).*\d+'
replace: '\1\t{{ login_min_days }}' replace: '\1\t{{ login_min_days }}'
@ -58,7 +58,7 @@
- harden - harden
- name: login defs minimum length - name: login defs minimum length
replace: ansible.builtin.replace:
path: /etc/login.defs path: /etc/login.defs
regexp: '(PASS_MIN_LEN).*\d+' regexp: '(PASS_MIN_LEN).*\d+'
replace: '\1\t{{ login_min_len }}' replace: '\1\t{{ login_min_len }}'
@ -66,7 +66,7 @@
- harden - harden
- name: login defs warn age - name: login defs warn age
replace: ansible.builtin.replace:
path: /etc/login.defs path: /etc/login.defs
regexp: '(PASS_WARN_AGE).*\d+' regexp: '(PASS_WARN_AGE).*\d+'
replace: '\1\t{{ login_warn_age }}' replace: '\1\t{{ login_warn_age }}'
@ -74,7 +74,7 @@
- harden - harden
- name: cron directories permissions - name: cron directories permissions
file: ansible.builtin.file:
path: '{{ item }}' path: '{{ item }}'
owner: root owner: root
group: root group: root
@ -85,7 +85,7 @@
- harden - harden
- name: Create cron/at allows - name: Create cron/at allows
file: ansible.builtin.file:
path: '{{ item }}' path: '{{ item }}'
owner: root owner: root
group: root group: root
@ -96,7 +96,7 @@
- harden - harden
- name: Remove cron/at denies - name: Remove cron/at denies
file: ansible.builtin.file:
path: '{{ item }}' path: '{{ item }}'
state: absent state: absent
loop: '{{ login_cron_denies }}' loop: '{{ login_cron_denies }}'
@ -105,7 +105,7 @@
# TODO: Use pamd module to establish password policy # TODO: Use pamd module to establish password policy
- name: pwquality - minlen - name: pwquality - minlen
lineinfile: ansible.builtin.lineinfile:
line: "minlen = 14" line: "minlen = 14"
regexp: "^# minlen =.*" regexp: "^# minlen =.*"
path: "/etc/security/pwquality.conf" path: "/etc/security/pwquality.conf"
@ -113,7 +113,7 @@
- harden - harden
- name: pwquality - dcredit - name: pwquality - dcredit
lineinfile: ansible.builtin.lineinfile:
line: "dcredit = -1" line: "dcredit = -1"
regexp: "^# dcredit =.*" regexp: "^# dcredit =.*"
path: "/etc/security/pwquality.conf" path: "/etc/security/pwquality.conf"
@ -121,7 +121,7 @@
- harden - harden
- name: pwquality - ucredit - name: pwquality - ucredit
lineinfile: ansible.builtin.lineinfile:
line: "ucredit = -1" line: "ucredit = -1"
regexp: "^# ucredit =.*" regexp: "^# ucredit =.*"
path: "/etc/security/pwquality.conf" path: "/etc/security/pwquality.conf"
@ -129,7 +129,7 @@
- harden - harden
- name: pwquality - lcredit - name: pwquality - lcredit
lineinfile: ansible.builtin.lineinfile:
line: "lcredit = -1" line: "lcredit = -1"
regexp: "^# lcredit =.*" regexp: "^# lcredit =.*"
path: "/etc/security/pwquality.conf" path: "/etc/security/pwquality.conf"
@ -137,7 +137,7 @@
- harden - harden
- name: pwquality - ocredit - name: pwquality - ocredit
lineinfile: ansible.builtin.lineinfile:
line: "ocredit = -1" line: "ocredit = -1"
regexp: "^# ocredit =.*" regexp: "^# ocredit =.*"
path: "/etc/security/pwquality.conf" path: "/etc/security/pwquality.conf"
@ -145,14 +145,14 @@
- harden - harden
- name: Remove packages not allowed by CIS - name: Remove packages not allowed by CIS
package: ansible.builtin.package:
name: "{{ remove_packages }}" name: "{{ remove_packages }}"
state: absent state: absent
tags: tags:
- harden - harden
- name: Disable Services - name: Disable Services
service: ansible.builtin.service:
name: "{{ item }}" name: "{{ item }}"
enabled: false enabled: false
state: stopped state: stopped
@ -166,7 +166,7 @@
- name: modprobe settings - name: modprobe settings
block: block:
- name: remove vfat from filesystem list if we are EFI - name: remove vfat from filesystem list if we are EFI
set_fact: ansible.builtin.set_fact:
modprobe_unused_filesystems: "{{ modprobe_unused_filesystems | difference('vfat') }}" modprobe_unused_filesystems: "{{ modprobe_unused_filesystems | difference('vfat') }}"
when: when:
- efi_installed.stat.isdir is defined - efi_installed.stat.isdir is defined
@ -175,7 +175,7 @@
- efi - efi
- name: disable unused filesystems - name: disable unused filesystems
template: ansible.builtin.template:
src: "etc/modprobe.d/cis.conf.j2" src: "etc/modprobe.d/cis.conf.j2"
dest: "/etc/modprobe.d/cis.conf" dest: "/etc/modprobe.d/cis.conf"
owner: 'root' owner: 'root'
@ -185,7 +185,7 @@
- harden - harden
- name: Set init umask - name: Set init umask
lineinfile: ansible.builtin.lineinfile:
dest: /etc/sysconfig/init dest: /etc/sysconfig/init
state: present state: present
regexp: ^umask regexp: ^umask
@ -199,7 +199,7 @@
- harden - harden
- name: CIS sudoers configuration - name: CIS sudoers configuration
copy: ansible.builtin.copy:
src: "etc/sudoers.d/cis" src: "etc/sudoers.d/cis"
dest: "/etc/sudoers.d/cis" dest: "/etc/sudoers.d/cis"
owner: root owner: root
@ -209,7 +209,7 @@
- harden - harden
- name: Remove packages not allowed by CIS - name: Remove packages not allowed by CIS
package: ansible.builtin.package:
name: "{{ remove_packages }}" name: "{{ remove_packages }}"
state: absent state: absent
tags: tags:


@ -11,7 +11,7 @@
- httpd_can_sendmail - httpd_can_sendmail
- name: Install necessary packages - name: Install necessary packages
yum: ansible.builtin.dnf:
name: "{{ mantis_pkg }}" name: "{{ mantis_pkg }}"
state: present state: present
tags: tags:
@ -38,7 +38,7 @@
register: cryptosalt_string register: cryptosalt_string
- name: Configure mantis - name: Configure mantis
template: ansible.builtin.template:
src: "var/www/mantis/config/config_inc.php.j2" src: "var/www/mantis/config/config_inc.php.j2"
dest: "/var/www/mantisbt-{{ mantis_version }}/config/config_inc.php" dest: "/var/www/mantisbt-{{ mantis_version }}/config/config_inc.php"
owner: apache owner: apache
@ -69,7 +69,7 @@
version: main version: main
- name: Configure httpd - name: Configure httpd
template: ansible.builtin.template:
src: "etc/httpd/conf.d/mantis.conf.j2" src: "etc/httpd/conf.d/mantis.conf.j2"
dest: "/etc/httpd/conf.d/mantis.conf" dest: "/etc/httpd/conf.d/mantis.conf"
owner: root owner: root
@ -77,7 +77,7 @@
mode: '0644' mode: '0644'
- name: Database import template - name: Database import template
template: ansible.builtin.template:
src: "tmp/mantis_import.sql.j2" src: "tmp/mantis_import.sql.j2"
dest: "/tmp/mantis_import.sql.j2" dest: "/tmp/mantis_import.sql.j2"
owner: root owner: root
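Review bot: The 'Database import template' task renders the SQL import to a fixed name in a world-writable directory (`dest: "/tmp/mantis_import.sql.j2"`), and the file's mode and any later clean-up fall outside this hunk. If the rendered SQL carries account rows or password hashes, it should be written with `mode: '0600'` into a root-only directory and removed once the import has run. The rendered file also keeps the `.j2` suffix although it is no longer a template; something like `dest: "/root/mantis_import.sql"` would cover both points, provided the task that consumes the file is updated to match.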


@ -3,7 +3,7 @@
# bug tracker accounts. We are doing regex instead of just replacing the # bug tracker accounts. We are doing regex instead of just replacing the
# file as a whole. Should make it easier to deal with upgrades in theory. # file as a whole. Should make it easier to deal with upgrades in theory.
- name: Change signup_page.php to Account Services - name: Change signup_page.php to Account Services
replace: ansible.builtin.replace:
path: "/var/www/mantisbt-{{ mantis_version }}/{{ item }}" path: "/var/www/mantisbt-{{ mantis_version }}/{{ item }}"
regexp: 'signup_page.php' regexp: 'signup_page.php'
replace: 'https://accounts.rockylinux.org' replace: 'https://accounts.rockylinux.org'
@ -13,13 +13,13 @@
- login_page.php - login_page.php
- name: Change special signup_page.php reference - name: Change special signup_page.php reference
replace: ansible.builtin.replace:
path: "/var/www/mantisbt-{{ mantis_version }}/core/layout_api.php" path: "/var/www/mantisbt-{{ mantis_version }}/core/layout_api.php"
regexp: "' . helper_mantis_url( 'signup_page.php' ) . '" regexp: "' . helper_mantis_url( 'signup_page.php' ) . '"
replace: 'https://accounts.rockylinux.org' replace: 'https://accounts.rockylinux.org'
- name: Remove LDAP from checks for signup button - name: Remove LDAP from checks for signup button
lineinfile: ansible.builtin.lineinfile:
path: "/var/www/mantisbt-{{ mantis_version }}/login_page.php" path: "/var/www/mantisbt-{{ mantis_version }}/login_page.php"
state: absent state: absent
regex: 'LDAP != config_get_global' regex: 'LDAP != config_get_global'
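Review bot: The `regexp` in 'Change special signup_page.php reference' is a literal PHP fragment used as a regular expression, so `(` and `)` are read as a group and each `.` matches any character. As written it cannot match the literal parentheses in `helper_mantis_url( 'signup_page.php' )`, and the task most likely changes nothing without reporting an error. Escape the metacharacters: `regexp: "' \\. helper_mantis_url\\( 'signup_page\\.php' \\) \\. '"`. The unescaped dot in `regexp: 'signup_page.php'` in the first task is harmless in practice but should be `'signup_page\.php'` for the same reason. Because these tasks rewrite the signup link in place, a follow-up check that the files contain the accounts URL would catch a silent miss after an upgrade.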


@ -33,7 +33,7 @@
- name: Create webroot directory - name: Create webroot directory
become: true become: true
file: ansible.builtin.file:
path: "{{ mirrormanager_dir }}" path: "{{ mirrormanager_dir }}"
state: directory state: directory
group: "{{ mirrormanager_user.group }}" group: "{{ mirrormanager_user.group }}"
@ -55,7 +55,7 @@
- name: Deploy MM2 config - name: Deploy MM2 config
become: true become: true
template: ansible.builtin.template:
src: "opt/mirrormanager/mirrormanager2.cfg.j2" src: "opt/mirrormanager/mirrormanager2.cfg.j2"
dest: "{{ mirrormanager_dir }}/app/mirrormanager2.cfg" dest: "{{ mirrormanager_dir }}/app/mirrormanager2.cfg"
group: "{{ mirrormanager_user.group }}" group: "{{ mirrormanager_user.group }}"


@ -1,6 +1,6 @@
--- ---
- name: Ensure python is installed - name: Ensure python is installed
yum: ansible.builtin.dnf:
name: name:
- python3 - python3
- python3-pip - python3-pip
@ -12,7 +12,7 @@
comment: "Noggin FAS" comment: "Noggin FAS"
- name: Create noggin directory - name: Create noggin directory
file: ansible.builtin.file:
path: /opt/noggin path: /opt/noggin
state: directory state: directory
mode: '0700' mode: '0700'
@ -36,7 +36,7 @@
become_user: noggin become_user: noggin
- name: Remove any pycache - name: Remove any pycache
file: ansible.builtin.file:
path: "/home/noggin/.cache/pypoetry" path: "/home/noggin/.cache/pypoetry"
state: absent state: absent
@ -58,7 +58,7 @@
register: virtualenv_location register: virtualenv_location
- name: Deploy start up script - name: Deploy start up script
template: ansible.builtin.template:
src: "opt/noggin/start_noggin.sh.j2" src: "opt/noggin/start_noggin.sh.j2"
dest: "/opt/noggin/start_noggin.sh" dest: "/opt/noggin/start_noggin.sh"
mode: '0750' mode: '0750'
@ -66,7 +66,7 @@
group: noggin group: noggin
- name: Deploy systemd unit - name: Deploy systemd unit
copy: ansible.builtin.copy:
src: "etc/systemd/system/noggin.service" src: "etc/systemd/system/noggin.service"
dest: "/etc/systemd/system/noggin.service" dest: "/etc/systemd/system/noggin.service"
owner: root owner: root
@ -74,7 +74,7 @@
mode: '0644' mode: '0644'
- name: Deploy noggin configuration - name: Deploy noggin configuration
template: ansible.builtin.template:
src: "opt/noggin/noggin.cfg.j2" src: "opt/noggin/noggin.cfg.j2"
dest: "/opt/noggin/noggin.cfg" dest: "/opt/noggin/noggin.cfg"
owner: noggin owner: noggin
@ -83,7 +83,7 @@
# The only way to run it properly, at least on EL8, is we need this line # The only way to run it properly, at least on EL8, is we need this line
- name: Add missing create_app call - name: Add missing create_app call
lineinfile: ansible.builtin.lineinfile:
path: "/opt/noggin/noggin/noggin/app.py" path: "/opt/noggin/noggin/noggin/app.py"
line: "app = create_app()" line: "app = create_app()"
... ...
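Review bot: 'Ensure python is installed' is switched from `yum` to `ansible.builtin.dnf`, which is a module change rather than the namespace rename applied everywhere else in this commit. The same swap is made in the 'Install necessary packages', 'Install OpenQA packages' and 'Ensure postfix is installed' tasks. `ansible.builtin.dnf` needs the dnf Python bindings on the target, so any host without dnf that still runs these tasks would start failing. If the switch is intended, it should be stated in the commit message; otherwise `ansible.builtin.package:` keeps the tasks distribution-neutral, as 'Ensure SSH server is installed' already does.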


@ -1,13 +1,13 @@
--- ---
- name: Install OpenQA packages - name: Install OpenQA packages
yum: ansible.builtin.dnf:
name: "{{ openqa_packages }}" name: "{{ openqa_packages }}"
state: present state: present
tags: tags:
- packages - packages
- name: Copy httpd configuration files - name: Copy httpd configuration files
copy: ansible.builtin.copy:
remote_src: true remote_src: true
src: /etc/httpd/conf.d/{{ item }}.template src: /etc/httpd/conf.d/{{ item }}.template
dest: /etc/httpd/conf.d/{{ item }} dest: /etc/httpd/conf.d/{{ item }}
@ -22,7 +22,7 @@
- configure - configure
- name: Template OpenQA configuration files - name: Template OpenQA configuration files
template: ansible.builtin.template:
src: etc/openqa/{{ item }}.j2 src: etc/openqa/{{ item }}.j2
dest: /etc/openqa/{{ item }} dest: /etc/openqa/{{ item }}
owner: "{{ openqa_user }}" owner: "{{ openqa_user }}"
@ -38,17 +38,17 @@
service_facts: service_facts:
- name: Check for non-empty postgres data directory - name: Check for non-empty postgres data directory
stat: ansible.builtin.stat:
path: /var/lib/pgsql/data/base path: /var/lib/pgsql/data/base
register: postgres_data_dir register: postgres_data_dir
- name: If postgresql is not already running, initialize database - name: If postgresql is not already running, initialize database
command: postgresql-setup --initdb ansible.builtin.command: postgresql-setup --initdb
when: not ( ansible_facts.services["postgresql.service"]["state"] == "running" ) when: not ( ansible_facts.services["postgresql.service"]["state"] == "running" )
and not postgres_data_dir.stat.exists and not postgres_data_dir.stat.exists
- name: Enable and start postgresql service - name: Enable and start postgresql service
systemd: ansible.builtin.systemd:
name: postgresql name: postgresql
state: started state: started
enabled: true enabled: true
@ -56,7 +56,7 @@
and not postgres_data_dir.stat.exists and not postgres_data_dir.stat.exists
- name: Configure SELinux to allow httpd connection to network - name: Configure SELinux to allow httpd connection to network
seboolean: ansible.posix.seboolean:
name: httpd_can_network_connect name: httpd_can_network_connect
state: true state: true
persistent: true persistent: true
@ -64,7 +64,7 @@
- configure - configure
- name: Enable and start OpenQA services - name: Enable and start OpenQA services
systemd: ansible.builtin.systemd:
name: "{{ item }}" name: "{{ item }}"
state: started state: started
enabled: true enabled: true
@ -73,7 +73,7 @@
- configure - configure
- name: Create openqa-vnc firewalld service - name: Create openqa-vnc firewalld service
template: ansible.builtin.template:
src: etc/firewalld/services/openqa-vnc.xml.j2 src: etc/firewalld/services/openqa-vnc.xml.j2
dest: /etc/firewalld/services/openqa-vnc.xml dest: /etc/firewalld/services/openqa-vnc.xml
owner: root owner: root
@ -83,7 +83,7 @@
- configure - configure
- name: Load openqa-vnc firewalld service - name: Load openqa-vnc firewalld service
systemd: ansible.builtin.systemd:
name: firewalld name: firewalld
state: reloaded state: reloaded
tags: tags:
@ -101,7 +101,7 @@
- configure - configure
- name: Reload FirewallD - name: Reload FirewallD
systemd: ansible.builtin.systemd:
name: firewalld name: firewalld
state: reloaded state: reloaded
tags: tags:
@ -115,7 +115,7 @@
- configure - configure
- name: Clone repository if it does not already exist - name: Clone repository if it does not already exist
git: ansible.builtin.git:
accept_hostkey: true accept_hostkey: true
dest: "{{ openqa_homedir }}/share/tests/rocky" dest: "{{ openqa_homedir }}/share/tests/rocky"
repo: "{{ openqa_rocky_testing_repo }}" repo: "{{ openqa_rocky_testing_repo }}"
@ -125,7 +125,7 @@
- configure - configure
- name: Set owner/group/permissions on repo contents - name: Set owner/group/permissions on repo contents
file: ansible.builtin.file:
path: "{{ openqa_homedir }}/share/tests/rocky" path: "{{ openqa_homedir }}/share/tests/rocky"
recurse: true recurse: true
owner: "{{ openqa_user }}" owner: "{{ openqa_user }}"
@ -136,17 +136,17 @@
# fifloader.py will fail if the Demo user is not logged in # fifloader.py will fail if the Demo user is not logged in
- name: Authenticate to web UI the first time - name: Authenticate to web UI the first time
uri: ansible.builtin.uri:
url: "http://{{ openqa_host }}/login" url: "http://{{ openqa_host }}/login"
- name: Run fifloader.py - name: Run fifloader.py
command: ./fifloader.py -l -c templates.fif.json templates-updates.fif.json ansible.builtin.command: ./fifloader.py -l -c templates.fif.json templates-updates.fif.json
changed_when: "1 != 1" changed_when: "1 != 1"
args: args:
chdir: "{{ openqa_homedir }}/share/tests/rocky" chdir: "{{ openqa_homedir }}/share/tests/rocky"
- name: Create ISO directory - name: Create ISO directory
file: ansible.builtin.file:
path: "{{ openqa_homedir }}/share/factory/iso/fixed" path: "{{ openqa_homedir }}/share/factory/iso/fixed"
state: directory state: directory
owner: "{{ openqa_user }}" owner: "{{ openqa_user }}"
@ -156,7 +156,7 @@
- download_isos - download_isos
- name: Download ISOs - name: Download ISOs
get_url: ansible.builtin.get_url:
dest: "{{ openqa_homedir }}/share/factory/iso/fixed/{{ item.name }}" dest: "{{ openqa_homedir }}/share/factory/iso/fixed/{{ item.name }}"
url: "{{ rocky_iso_download_url }}/{{ item.name }}" url: "{{ rocky_iso_download_url }}/{{ item.name }}"
checksum: "{{ item.checksum }}" checksum: "{{ item.checksum }}"
@ -180,7 +180,7 @@
- configure - configure
- name: POST a job - name: POST a job
command: | ansible.builtin.command: |
openqa-cli api -X POST isos \ openqa-cli api -X POST isos \
ISO=Rocky-{{ rocky_version }}-{{ rocky_arch }}-minimal.iso \ ISO=Rocky-{{ rocky_version }}-{{ rocky_arch }}-minimal.iso \
ARCH={{ rocky_arch }} \ ARCH={{ rocky_arch }} \
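Review bot: 'Clone repository if it does not already exist' sets `accept_hostkey: true`, so if `openqa_rocky_testing_repo` is an SSH URL the first clone trusts whatever host key the remote presents, and 'Run fifloader.py' then executes a script out of that checkout. Pin the expected host key with an `ansible.builtin.known_hosts` task before cloning and drop `accept_hostkey`. Also pin `version:` to a tag or commit so the code that runs is the code that was reviewed; the rest of the git task lies outside the hunk, so a `version:` may already be set there. Separately, 'Authenticate to web UI the first time' requests `http://{{ openqa_host }}/login` in cleartext, which is only acceptable if `openqa_host` is the local machine.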


@ -1,14 +1,14 @@
--- ---
# Configure relay # Configure relay
- name: Ensure postfix is installed - name: Ensure postfix is installed
yum: ansible.builtin.dnf:
name: name:
- postfix - postfix
- cyrus-sasl-plain - cyrus-sasl-plain
state: present state: present
- name: Add password map - name: Add password map
template: ansible.builtin.template:
src: etc/postfix/sasl_passwd.j2 src: etc/postfix/sasl_passwd.j2
dest: /etc/postfix/sasl_passwd dest: /etc/postfix/sasl_passwd
owner: root owner: root
@ -17,7 +17,7 @@
notify: rehash_postfix_sasl notify: rehash_postfix_sasl
- name: Add relay information to postfix - name: Add relay information to postfix
blockinfile: ansible.builtin.blockinfile:
path: /etc/postfix/main.cf path: /etc/postfix/main.cf
marker: "## ANSIBLE MANAGED ##" marker: "## ANSIBLE MANAGED ##"
block: | block: |
@ -31,7 +31,7 @@
notify: restart_postfix notify: restart_postfix
- name: Ensure postfix is running and enabled - name: Ensure postfix is running and enabled
service: ansible.builtin.service:
name: postfix name: postfix
state: restarted state: restarted
enabled: true enabled: true
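Review bot: The `marker: "## ANSIBLE MANAGED ##"` in 'Add relay information to postfix' has no `{mark}` placeholder, so the begin and end marker lines are identical. blockinfile then cannot reliably find the existing block on later runs, which can leave duplicated relay settings in `/etc/postfix/main.cf`. Use `marker: "## {mark} ANSIBLE MANAGED ##"`; hosts already configured with the old marker need the old block removed once. In the same file, 'Ensure postfix is running and enabled' uses `state: restarted`, which bounces the mail service on every run even though `notify: restart_postfix` already covers configuration changes; `state: started` is enough.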


@ -1,7 +1,7 @@
--- ---
# Common scripts that rocky uses on nodes # Common scripts that rocky uses on nodes
- name: Lock Wrapper script - name: Lock Wrapper script
copy: ansible.builtin.copy:
src: "usr/local/bin/lock-wrapper" src: "usr/local/bin/lock-wrapper"
dest: "/usr/local/bin/lock-wrapper" dest: "/usr/local/bin/lock-wrapper"
owner: root owner: root
@ -9,7 +9,7 @@
mode: '0755' mode: '0755'
- name: dmidecode pretty script - name: dmidecode pretty script
copy: ansible.builtin.copy:
src: "usr/local/bin/dmidecode-pretty" src: "usr/local/bin/dmidecode-pretty"
dest: "/usr/local/bin/dmidecode-pretty" dest: "/usr/local/bin/dmidecode-pretty"
owner: root owner: root


@ -1,11 +1,11 @@
--- ---
- name: Ensure SSH server is installed - name: Ensure SSH server is installed
package: ansible.builtin.package:
name: openssh-server name: openssh-server
state: present state: present
- name: Ensure SSH daemon is enabled - name: Ensure SSH daemon is enabled
service: ansible.builtin.service:
name: sshd name: sshd
enabled: true enabled: true
@ -13,7 +13,7 @@
- name: SSH daemon configuration - global - name: SSH daemon configuration - global
block: block:
- name: SSH daemon configuration - base - name: SSH daemon configuration - base
template: ansible.builtin.template:
src: "etc/ssh/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-sshd_config.j2" src: "etc/ssh/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-sshd_config.j2"
dest: "/etc/ssh/sshd_config" dest: "/etc/ssh/sshd_config"
owner: root owner: root
@ -28,7 +28,7 @@
msg: "Error in SSH daemon configuration or template" msg: "Error in SSH daemon configuration or template"
- name: SSH banner - name: SSH banner
copy: ansible.builtin.copy:
src: "etc/rockybanner" src: "etc/rockybanner"
dest: "/etc/rockybanner" dest: "/etc/rockybanner"
owner: root owner: root
@ -37,7 +37,7 @@
notify: restart_sshd notify: restart_sshd
- name: Remove DSA keys - name: Remove DSA keys
file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item }}"
state: absent state: absent
with_items: with_items: