Use FQCN
This commit is contained in:
parent
460acc21ef
commit
dfe4f60ab8
43 changed files with 158 additions and 153 deletions
6
.gitignore
vendored
Normal file
6
.gitignore
vendored
Normal file
|
@ -0,0 +1,6 @@
|
|||
roles/*
|
||||
collections/*
|
||||
!roles/README.md
|
||||
!roles/requirements.yml
|
||||
!collections/README.md
|
||||
!collections/requirements.yml
|
|
@ -3,6 +3,6 @@
|
|||
become: true
|
||||
tasks:
|
||||
- name: Force a fact refresh to have those available in local cache
|
||||
setup:
|
||||
ansible.builtin.setup:
|
||||
gather_timeout: 30
|
||||
...
|
||||
|
|
|
@ -26,7 +26,7 @@
|
|||
|
||||
tasks:
|
||||
- name: "Checking for user variables"
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- username != "admin"
|
||||
- username != "guest"
|
||||
|
@ -37,7 +37,7 @@
|
|||
- rabbitmq
|
||||
|
||||
- name: "Validate username queue name"
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "queue_name.startswith(username)"
|
||||
tags:
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
|
||||
tasks:
|
||||
- name: "Checking for user variables"
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- username != "admin"
|
||||
- username != "guest"
|
||||
|
|
|
@ -2,7 +2,6 @@
|
|||
collections:
|
||||
# freeipa
|
||||
- name: freeipa.ansible_freeipa
|
||||
version: 1.6.3
|
||||
- name: community.general
|
||||
- name: community.mysql
|
||||
- name: community.rabbitmq
|
||||
|
|
|
@ -1,22 +1,22 @@
|
|||
---
|
||||
# Handlers
|
||||
- name: restart_sshd
|
||||
service:
|
||||
ansible.builtin.service:
|
||||
name: sshd
|
||||
state: restarted
|
||||
|
||||
- name: restart_httpd
|
||||
service:
|
||||
ansible.builtin.service:
|
||||
name: httpd
|
||||
state: restarted
|
||||
|
||||
- name: restart_nginx
|
||||
service:
|
||||
ansible.builtin.service:
|
||||
name: nginx
|
||||
state: restarted
|
||||
|
||||
- name: reload_networkmanager
|
||||
service:
|
||||
ansible.builtin.service:
|
||||
name: NetworkManager
|
||||
state: reloaded
|
||||
|
||||
|
@ -24,7 +24,7 @@
|
|||
command: /sbin/augenrules
|
||||
|
||||
- name: reload_chrony
|
||||
systemd:
|
||||
ansible.builtin.systemd:
|
||||
name: "{{ chrony_service_name }}"
|
||||
state: restarted
|
||||
listen: "chrony service restart"
|
||||
|
@ -35,7 +35,7 @@
|
|||
failed_when: gitlab_restart_handler_failed_when | bool
|
||||
|
||||
- name: restart_noggin
|
||||
service:
|
||||
ansible.builtin.service:
|
||||
name: noggin
|
||||
state: restarted
|
||||
|
||||
|
@ -43,7 +43,7 @@
|
|||
command: "postmap /etc/postfix/sasl_passwd"
|
||||
|
||||
- name: restart_postfix
|
||||
service:
|
||||
ansible.builtin.service:
|
||||
name: postfix
|
||||
state: restarted
|
||||
...
|
||||
|
|
|
@ -14,7 +14,7 @@
|
|||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are not able to run on this node"
|
||||
|
@ -26,7 +26,7 @@
|
|||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
|
|
|
@ -20,7 +20,7 @@
|
|||
# - twine
|
||||
|
||||
- name: Remove existing public roles
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: "{{ installation_prefix }}{{ roles_installation_dir }}"
|
||||
state: absent
|
||||
when: force_purge | bool
|
||||
|
@ -44,13 +44,13 @@
|
|||
changed_when: '"Installing " in galaxy_install_collection.stdout'
|
||||
|
||||
- name: cleanup old ssh known_hosts - remove
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: "../tmp/known_hosts"
|
||||
state: absent
|
||||
mode: "0644"
|
||||
|
||||
- name: cleanup old ssh known_hosts - blank
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: "../tmp/known_hosts"
|
||||
state: touch
|
||||
mode: "0644"
|
||||
|
|
|
@ -17,7 +17,7 @@
|
|||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are not able to run on this node"
|
||||
|
@ -43,13 +43,13 @@
|
|||
- https
|
||||
|
||||
- name: Ensure httpd is enabled and running
|
||||
service:
|
||||
ansible.builtin.service:
|
||||
name: httpd
|
||||
enabled: true
|
||||
state: started
|
||||
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
|
|
|
@ -20,7 +20,7 @@
|
|||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are able to run on this node"
|
||||
|
@ -32,7 +32,7 @@
|
|||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are able to run on this node"
|
||||
|
@ -28,7 +28,7 @@
|
|||
|
||||
# Install KVM packages
|
||||
- name: Installing KVM Packages
|
||||
package:
|
||||
ansible.builtin.package:
|
||||
name:
|
||||
- qemu-kvm
|
||||
- libvirt
|
||||
|
@ -38,7 +38,7 @@
|
|||
state: present
|
||||
|
||||
- name: Enable and Start libvirtd
|
||||
systemd:
|
||||
ansible.builtin.systemd:
|
||||
name: libvirtd
|
||||
state: started
|
||||
enabled: true
|
||||
|
@ -51,7 +51,7 @@
|
|||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are not able to run on this node"
|
||||
|
@ -44,13 +44,13 @@
|
|||
- https
|
||||
|
||||
- name: Ensure httpd is enabled and running
|
||||
service:
|
||||
ansible.builtin.service:
|
||||
name: httpd
|
||||
enabled: true
|
||||
state: started
|
||||
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
|
|
|
@ -14,7 +14,7 @@
|
|||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are not able to run on this node"
|
||||
|
@ -32,7 +32,7 @@
|
|||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
|
|
|
@ -14,7 +14,7 @@
|
|||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are not able to run on this node"
|
||||
|
@ -26,7 +26,7 @@
|
|||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
|
|
|
@ -32,7 +32,7 @@
|
|||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are able to run on this node"
|
||||
|
@ -44,7 +44,7 @@
|
|||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
|
|
|
@ -16,7 +16,7 @@
|
|||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are not able to run on this node"
|
||||
|
@ -28,7 +28,7 @@
|
|||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
become: true
|
||||
|
||||
handlers:
|
||||
- import_tasks: handers/main.yml
|
||||
- import_tasks: handlers/main.yml
|
||||
|
||||
pre_tasks:
|
||||
- name: Check if ansible cannot be run here
|
||||
|
@ -14,7 +14,7 @@
|
|||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are not able to run on this node"
|
||||
|
@ -26,7 +26,7 @@
|
|||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are able to run on this node"
|
||||
|
@ -48,7 +48,7 @@
|
|||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are able to run on this node"
|
||||
|
@ -32,7 +32,7 @@
|
|||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
|
|
|
@ -24,14 +24,14 @@
|
|||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are able to run on this node"
|
||||
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||
|
||||
- name: Install SELinux packages
|
||||
package:
|
||||
ansible.builtin.package:
|
||||
name: python3-policycoreutils.noarch
|
||||
state: present
|
||||
|
||||
|
@ -58,7 +58,7 @@
|
|||
loop: "{{ graylog_server_firewall_rules }}"
|
||||
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
|
|
|
@ -21,7 +21,7 @@
|
|||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are able to run on this node"
|
||||
|
@ -29,13 +29,13 @@
|
|||
|
||||
- name: Install git
|
||||
become: true
|
||||
package:
|
||||
ansible.builtin.package:
|
||||
name: git
|
||||
state: present
|
||||
|
||||
- name: Install SELinux packages
|
||||
become: true
|
||||
package:
|
||||
ansible.builtin.package:
|
||||
name: python3-policycoreutils.noarch
|
||||
state: present
|
||||
|
||||
|
@ -63,7 +63,7 @@
|
|||
|
||||
- name: Touching run file that ansible has ran here
|
||||
become: true
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
|
|
|
@ -25,14 +25,14 @@
|
|||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are able to run on this node"
|
||||
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||
|
||||
- name: Install SELinux packages
|
||||
package:
|
||||
ansible.builtin.package:
|
||||
name: python3-policycoreutils.noarch
|
||||
state: present
|
||||
|
||||
|
@ -55,7 +55,7 @@
|
|||
loop: "{{ monitoring_server_firewall_rules }}"
|
||||
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are able to run on this node"
|
||||
|
@ -50,7 +50,7 @@
|
|||
|
||||
# The CentOS extras repos has epel-release provided
|
||||
- name: Enable the EPEL repository
|
||||
yum:
|
||||
ansible.builtin.dnf:
|
||||
name: epel-release
|
||||
state: present
|
||||
tags:
|
||||
|
@ -65,7 +65,7 @@
|
|||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
|
|
|
@ -5,12 +5,12 @@
|
|||
|
||||
pre_tasks:
|
||||
- name: Install SELinux packages
|
||||
package:
|
||||
ansible.builtin.package:
|
||||
name: python3-policycoreutils.noarch
|
||||
state: present
|
||||
|
||||
roles:
|
||||
- role: cloudalchemy.node-exporter
|
||||
- role: cloudalchemy.node_exporter
|
||||
state: present
|
||||
|
||||
post_tasks:
|
||||
|
|
|
@ -19,14 +19,14 @@
|
|||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are able to run on this node"
|
||||
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||
|
||||
- name: Install SELinux packages
|
||||
package:
|
||||
ansible.builtin.package:
|
||||
name: python3-policycoreutils.noarch
|
||||
state: present
|
||||
|
||||
|
@ -58,7 +58,7 @@
|
|||
loop: "{{ firewall_rules }}"
|
||||
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are able to run on this node"
|
||||
|
@ -81,7 +81,7 @@
|
|||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are able to run on this node"
|
||||
|
@ -33,7 +33,7 @@
|
|||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
# Account Services
|
||||
- name: Install packages
|
||||
package:
|
||||
ansible.builtin.package:
|
||||
name:
|
||||
- httpd
|
||||
- mod_ssl
|
||||
|
@ -11,7 +11,7 @@
|
|||
state: present
|
||||
|
||||
- name: Deploy relevant httpd configuration
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: "etc/httpd/conf.d/id.conf.j2"
|
||||
dest: "/etc/httpd/conf.d/id.conf"
|
||||
owner: root
|
||||
|
@ -20,7 +20,7 @@
|
|||
notify: restart_httpd
|
||||
|
||||
- name: Enable and start
|
||||
systemd:
|
||||
ansible.builtin.systemd:
|
||||
name: httpd
|
||||
state: running
|
||||
enabled: true
|
||||
|
|
|
@ -1,18 +1,18 @@
|
|||
---
|
||||
- name: Ensure auditd is installed
|
||||
package:
|
||||
ansible.builtin.package:
|
||||
name: audit
|
||||
state: present
|
||||
tags:
|
||||
- harden
|
||||
|
||||
- name: Ensure auditd is enabled
|
||||
service:
|
||||
ansible.builtin.service:
|
||||
name: auditd
|
||||
enabled: true
|
||||
|
||||
- name: Ensure auditd buffer is OK
|
||||
replace:
|
||||
ansible.builtin.replace:
|
||||
path: /etc/audit/rules.d/audit.rules
|
||||
regexp: '-b \d+'
|
||||
replace: '-b {{ audit_buffer }}'
|
||||
|
@ -22,7 +22,7 @@
|
|||
- harden
|
||||
|
||||
- name: Ensure collection audit rules are available
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: "etc/audit/rules.d/collection.rules.j2"
|
||||
dest: "/etc/audit/rules.d/collection.rules"
|
||||
owner: root
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
- name: Enterprise Linux 8+ PAM Configuration
|
||||
block:
|
||||
- name: Ensure Custom Profile is removed
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /etc/authselect/custom/sssd-rocky
|
||||
state: absent
|
||||
|
||||
|
@ -20,7 +20,7 @@
|
|||
changed_when: false
|
||||
|
||||
- name: Override system-auth and password-auth
|
||||
copy:
|
||||
ansible.builtin.copy:
|
||||
src: "etc/authselect/custom/sssd-rocky/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth"
|
||||
dest: "{{ item }}"
|
||||
owner: root
|
||||
|
@ -45,7 +45,7 @@
|
|||
changed_when: false
|
||||
|
||||
- name: Enable oddjobd
|
||||
service:
|
||||
ansible.builtin.service:
|
||||
name: oddjobd
|
||||
state: started
|
||||
enabled: true
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
- httpd_can_sendmail
|
||||
|
||||
- name: Install necessary packages
|
||||
yum:
|
||||
ansible.builtin.dnf:
|
||||
name: "{{ bugzilla_pkg }}"
|
||||
state: present
|
||||
tags:
|
||||
|
@ -24,7 +24,7 @@
|
|||
checksum: "{{ bugzilla_checksum }}"
|
||||
|
||||
- name: Create initial directory
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: "{{ bugzilla_dir }}"
|
||||
state: directory
|
||||
mode: '0750'
|
||||
|
@ -43,7 +43,7 @@
|
|||
- '--strip-components=1'
|
||||
|
||||
- name: Configure httpd
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: "etc/httpd/conf.d/bugzilla.conf.j2"
|
||||
dest: "/etc/httpd/conf.d/bugzilla.conf"
|
||||
owner: root
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
register: conf_result
|
||||
|
||||
- name: Deploy answer file
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: "var/www/bugzilla/answer"
|
||||
dest: "{{ bugzilla_dir }}/answer"
|
||||
owner: root
|
||||
|
@ -23,7 +23,7 @@
|
|||
when: not conf_result.stat.exists
|
||||
|
||||
- name: Deploy proper configuration
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: "var/www/bugzilla/localconfig.j2"
|
||||
dest: "{{ bugzilla_dir }}/localconfig"
|
||||
owner: root
|
||||
|
@ -54,7 +54,7 @@
|
|||
changed_when: "1 != 1"
|
||||
|
||||
- name: Remove answer file
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: "{{ bugzilla_dir }}/answer"
|
||||
state: absent
|
||||
...
|
||||
|
|
|
@ -6,18 +6,18 @@
|
|||
when: "'chronyservers' in group_names"
|
||||
|
||||
- name: Install chrony packages
|
||||
yum:
|
||||
ansible.builtin.dnf:
|
||||
name: "{{ chrony_packages }}"
|
||||
state: present
|
||||
|
||||
- name: Fix permissions for chrony home directory
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: "{{ chrony_homedir }}"
|
||||
mode: 0750
|
||||
state: directory
|
||||
|
||||
- name: Deploy configuration
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: chrony.conf.j2
|
||||
dest: "{{ chrony_config_file }}"
|
||||
owner: "{{ chrony_owner }}"
|
||||
|
@ -26,7 +26,7 @@
|
|||
notify: "chrony service restart"
|
||||
|
||||
- name: Manage the state of service
|
||||
systemd:
|
||||
ansible.builtin.systemd:
|
||||
name: "{{ chrony_service_name }}"
|
||||
state: "{{ chrony_service_state }}"
|
||||
enabled: "{{ chrony_service_enabled }}"
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
- name: "Installing amazon-efs-utils"
|
||||
become: true
|
||||
become_user: root
|
||||
yum:
|
||||
ansible.builtin.dnf:
|
||||
name: 'https://kojidev.rockylinux.org/kojifiles/packages/amazon-efs-utils/1.31.3/1.5c58a2f.el8/noarch/amazon-efs-utils-1.31.3-1.5c58a2f.el8.noarch.rpm'
|
||||
disable_gpg_check: true
|
||||
validate_certs: true
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
- name: sysctl hardening and limits
|
||||
block:
|
||||
- name: create combined sysctl-dict if overwrites are defined
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
|
||||
when: sysctl_overwrite | default()
|
||||
|
||||
|
@ -34,7 +34,7 @@
|
|||
- name: Standard login settings
|
||||
block:
|
||||
- name: useradd defaults
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
line: "INACTIVE=30"
|
||||
regexp: "^INACTIVE=.*"
|
||||
path: "/etc/login.defs"
|
||||
|
@ -42,7 +42,7 @@
|
|||
- harden
|
||||
|
||||
- name: login defs maximum days
|
||||
replace:
|
||||
ansible.builtin.replace:
|
||||
path: /etc/login.defs
|
||||
regexp: '(PASS_MAX_DAYS).*\d+'
|
||||
replace: '\1\t{{ login_max_days }}'
|
||||
|
@ -50,7 +50,7 @@
|
|||
- harden
|
||||
|
||||
- name: login defs minimum days
|
||||
replace:
|
||||
ansible.builtin.replace:
|
||||
path: /etc/login.defs
|
||||
regexp: '(PASS_MIN_DAYS).*\d+'
|
||||
replace: '\1\t{{ login_min_days }}'
|
||||
|
@ -58,7 +58,7 @@
|
|||
- harden
|
||||
|
||||
- name: login defs minimum length
|
||||
replace:
|
||||
ansible.builtin.replace:
|
||||
path: /etc/login.defs
|
||||
regexp: '(PASS_MIN_LEN).*\d+'
|
||||
replace: '\1\t{{ login_min_len }}'
|
||||
|
@ -66,7 +66,7 @@
|
|||
- harden
|
||||
|
||||
- name: login defs warn age
|
||||
replace:
|
||||
ansible.builtin.replace:
|
||||
path: /etc/login.defs
|
||||
regexp: '(PASS_WARN_AGE).*\d+'
|
||||
replace: '\1\t{{ login_warn_age }}'
|
||||
|
@ -74,7 +74,7 @@
|
|||
- harden
|
||||
|
||||
- name: cron directories permissions
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: '{{ item }}'
|
||||
owner: root
|
||||
group: root
|
||||
|
@ -85,7 +85,7 @@
|
|||
- harden
|
||||
|
||||
- name: Create cron/at allows
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: '{{ item }}'
|
||||
owner: root
|
||||
group: root
|
||||
|
@ -96,7 +96,7 @@
|
|||
- harden
|
||||
|
||||
- name: Remove cron/at denies
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: '{{ item }}'
|
||||
state: absent
|
||||
loop: '{{ login_cron_denies }}'
|
||||
|
@ -105,7 +105,7 @@
|
|||
|
||||
# TODO: Use pamd module to establish password policy
|
||||
- name: pwquality - minlen
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
line: "minlen = 14"
|
||||
regexp: "^# minlen =.*"
|
||||
path: "/etc/security/pwquality.conf"
|
||||
|
@ -113,7 +113,7 @@
|
|||
- harden
|
||||
|
||||
- name: pwquality - dcredit
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
line: "dcredit = -1"
|
||||
regexp: "^# dcredit =.*"
|
||||
path: "/etc/security/pwquality.conf"
|
||||
|
@ -121,7 +121,7 @@
|
|||
- harden
|
||||
|
||||
- name: pwquality - ucredit
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
line: "ucredit = -1"
|
||||
regexp: "^# ucredit =.*"
|
||||
path: "/etc/security/pwquality.conf"
|
||||
|
@ -129,7 +129,7 @@
|
|||
- harden
|
||||
|
||||
- name: pwquality - lcredit
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
line: "lcredit = -1"
|
||||
regexp: "^# lcredit =.*"
|
||||
path: "/etc/security/pwquality.conf"
|
||||
|
@ -137,7 +137,7 @@
|
|||
- harden
|
||||
|
||||
- name: pwquality - ocredit
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
line: "ocredit = -1"
|
||||
regexp: "^# ocredit =.*"
|
||||
path: "/etc/security/pwquality.conf"
|
||||
|
@ -145,14 +145,14 @@
|
|||
- harden
|
||||
|
||||
- name: Remove packages not allowed by CIS
|
||||
package:
|
||||
ansible.builtin.package:
|
||||
name: "{{ remove_packages }}"
|
||||
state: absent
|
||||
tags:
|
||||
- harden
|
||||
|
||||
- name: Disable Services
|
||||
service:
|
||||
ansible.builtin.service:
|
||||
name: "{{ item }}"
|
||||
enabled: false
|
||||
state: stopped
|
||||
|
@ -166,7 +166,7 @@
|
|||
- name: modprobe settings
|
||||
block:
|
||||
- name: remove vfat from filesystem list if we are EFI
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
modprobe_unused_filesystems: "{{ modprobe_unused_filesystems | difference('vfat') }}"
|
||||
when:
|
||||
- efi_installed.stat.isdir is defined
|
||||
|
@ -175,7 +175,7 @@
|
|||
- efi
|
||||
|
||||
- name: disable unused filesystems
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: "etc/modprobe.d/cis.conf.j2"
|
||||
dest: "/etc/modprobe.d/cis.conf"
|
||||
owner: 'root'
|
||||
|
@ -185,7 +185,7 @@
|
|||
- harden
|
||||
|
||||
- name: Set init umask
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/sysconfig/init
|
||||
state: present
|
||||
regexp: ^umask
|
||||
|
@ -199,7 +199,7 @@
|
|||
- harden
|
||||
|
||||
- name: CIS sudoers configuration
|
||||
copy:
|
||||
ansible.builtin.copy:
|
||||
src: "etc/sudoers.d/cis"
|
||||
dest: "/etc/sudoers.d/cis"
|
||||
owner: root
|
||||
|
@ -209,7 +209,7 @@
|
|||
- harden
|
||||
|
||||
- name: Remove packages not allowed by CIS
|
||||
package:
|
||||
ansible.builtin.package:
|
||||
name: "{{ remove_packages }}"
|
||||
state: absent
|
||||
tags:
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
- httpd_can_sendmail
|
||||
|
||||
- name: Install necessary packages
|
||||
yum:
|
||||
ansible.builtin.dnf:
|
||||
name: "{{ mantis_pkg }}"
|
||||
state: present
|
||||
tags:
|
||||
|
@ -38,7 +38,7 @@
|
|||
register: cryptosalt_string
|
||||
|
||||
- name: Configure mantis
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: "var/www/mantis/config/config_inc.php.j2"
|
||||
dest: "/var/www/mantisbt-{{ mantis_version }}/config/config_inc.php"
|
||||
owner: apache
|
||||
|
@ -69,7 +69,7 @@
|
|||
version: main
|
||||
|
||||
- name: Configure httpd
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: "etc/httpd/conf.d/mantis.conf.j2"
|
||||
dest: "/etc/httpd/conf.d/mantis.conf"
|
||||
owner: root
|
||||
|
@ -77,7 +77,7 @@
|
|||
mode: '0644'
|
||||
|
||||
- name: Database import template
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: "tmp/mantis_import.sql.j2"
|
||||
dest: "/tmp/mantis_import.sql.j2"
|
||||
owner: root
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
# bug tracker accounts. We are doing regex instead of just replacing the
|
||||
# file as a whole. Should make it easier to deal with upgrades in theory.
|
||||
- name: Change signup_page.php to Account Services
|
||||
replace:
|
||||
ansible.builtin.replace:
|
||||
path: "/var/www/mantisbt-{{ mantis_version }}/{{ item }}"
|
||||
regexp: 'signup_page.php'
|
||||
replace: 'https://accounts.rockylinux.org'
|
||||
|
@ -13,13 +13,13 @@
|
|||
- login_page.php
|
||||
|
||||
- name: Change special signup_page.php reference
|
||||
replace:
|
||||
ansible.builtin.replace:
|
||||
path: "/var/www/mantisbt-{{ mantis_version }}/core/layout_api.php"
|
||||
regexp: "' . helper_mantis_url( 'signup_page.php' ) . '"
|
||||
replace: 'https://accounts.rockylinux.org'
|
||||
|
||||
- name: Remove LDAP from checks for signup button
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
path: "/var/www/mantisbt-{{ mantis_version }}/login_page.php"
|
||||
state: absent
|
||||
regex: 'LDAP != config_get_global'
|
||||
|
|
|
@ -33,7 +33,7 @@
|
|||
|
||||
- name: Create webroot directory
|
||||
become: true
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: "{{ mirrormanager_dir }}"
|
||||
state: directory
|
||||
group: "{{ mirrormanager_user.group }}"
|
||||
|
@ -55,7 +55,7 @@
|
|||
|
||||
- name: Deploy MM2 config
|
||||
become: true
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: "opt/mirrormanager/mirrormanager2.cfg.j2"
|
||||
dest: "{{ mirrormanager_dir }}/app/mirrormanager2.cfg"
|
||||
group: "{{ mirrormanager_user.group }}"
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
- name: Ensure python is installed
|
||||
yum:
|
||||
ansible.builtin.dnf:
|
||||
name:
|
||||
- python3
|
||||
- python3-pip
|
||||
|
@ -12,7 +12,7 @@
|
|||
comment: "Noggin FAS"
|
||||
|
||||
- name: Create noggin directory
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /opt/noggin
|
||||
state: directory
|
||||
mode: '0700'
|
||||
|
@ -36,7 +36,7 @@
|
|||
become_user: noggin
|
||||
|
||||
- name: Remove any pycache
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: "/home/noggin/.cache/pypoetry"
|
||||
state: absent
|
||||
|
||||
|
@ -58,7 +58,7 @@
|
|||
register: virtualenv_location
|
||||
|
||||
- name: Deploy start up script
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: "opt/noggin/start_noggin.sh.j2"
|
||||
dest: "/opt/noggin/start_noggin.sh"
|
||||
mode: '0750'
|
||||
|
@ -66,7 +66,7 @@
|
|||
group: noggin
|
||||
|
||||
- name: Deploy systemd unit
|
||||
copy:
|
||||
ansible.builtin.copy:
|
||||
src: "etc/systemd/system/noggin.service"
|
||||
dest: "/etc/systemd/system/noggin.service"
|
||||
owner: root
|
||||
|
@ -74,7 +74,7 @@
|
|||
mode: '0644'
|
||||
|
||||
- name: Deploy noggin configuration
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: "opt/noggin/noggin.cfg.j2"
|
||||
dest: "/opt/noggin/noggin.cfg"
|
||||
owner: noggin
|
||||
|
@ -83,7 +83,7 @@
|
|||
|
||||
# The only way to run it properly, at least on EL8, is we need this line
|
||||
- name: Add missing create_app call
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
path: "/opt/noggin/noggin/noggin/app.py"
|
||||
line: "app = create_app()"
|
||||
...
|
||||
|
|
|
@ -1,13 +1,13 @@
|
|||
---
|
||||
- name: Install OpenQA packages
|
||||
yum:
|
||||
ansible.builtin.dnf:
|
||||
name: "{{ openqa_packages }}"
|
||||
state: present
|
||||
tags:
|
||||
- packages
|
||||
|
||||
- name: Copy httpd configuration files
|
||||
copy:
|
||||
ansible.builtin.copy:
|
||||
remote_src: true
|
||||
src: /etc/httpd/conf.d/{{ item }}.template
|
||||
dest: /etc/httpd/conf.d/{{ item }}
|
||||
|
@ -22,7 +22,7 @@
|
|||
- configure
|
||||
|
||||
- name: Template OpenQA configuration files
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: etc/openqa/{{ item }}.j2
|
||||
dest: /etc/openqa/{{ item }}
|
||||
owner: "{{ openqa_user }}"
|
||||
|
@ -38,17 +38,17 @@
|
|||
service_facts:
|
||||
|
||||
- name: Check for non-empty postgres data directory
|
||||
stat:
|
||||
ansible.builtin.stat:
|
||||
path: /var/lib/pgsql/data/base
|
||||
register: postgres_data_dir
|
||||
|
||||
- name: If postgresql is not already running, initialize database
|
||||
command: postgresql-setup --initdb
|
||||
ansible.builtin.command: postgresql-setup --initdb
|
||||
when: not ( ansible_facts.services["postgresql.service"]["state"] == "running" )
|
||||
and not postgres_data_dir.stat.exists
|
||||
|
||||
- name: Enable and start postgresql service
|
||||
systemd:
|
||||
ansible.builtin.systemd:
|
||||
name: postgresql
|
||||
state: started
|
||||
enabled: true
|
||||
|
@ -56,7 +56,7 @@
|
|||
and not postgres_data_dir.stat.exists
|
||||
|
||||
- name: Configure SELinux to allow httpd connection to network
|
||||
seboolean:
|
||||
ansible.posix.seboolean:
|
||||
name: httpd_can_network_connect
|
||||
state: true
|
||||
persistent: true
|
||||
|
@ -64,7 +64,7 @@
|
|||
- configure
|
||||
|
||||
- name: Enable and start OpenQA services
|
||||
systemd:
|
||||
ansible.builtin.systemd:
|
||||
name: "{{ item }}"
|
||||
state: started
|
||||
enabled: true
|
||||
|
@ -73,7 +73,7 @@
|
|||
- configure
|
||||
|
||||
- name: Create openqa-vnc firewalld service
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: etc/firewalld/services/openqa-vnc.xml.j2
|
||||
dest: /etc/firewalld/services/openqa-vnc.xml
|
||||
owner: root
|
||||
|
@ -83,7 +83,7 @@
|
|||
- configure
|
||||
|
||||
- name: Load openqa-vnc firewalld service
|
||||
systemd:
|
||||
ansible.builtin.systemd:
|
||||
name: firewalld
|
||||
state: reloaded
|
||||
tags:
|
||||
|
@ -101,7 +101,7 @@
|
|||
- configure
|
||||
|
||||
- name: Reload FirewallD
|
||||
systemd:
|
||||
ansible.builtin.systemd:
|
||||
name: firewalld
|
||||
state: reloaded
|
||||
tags:
|
||||
|
@ -115,7 +115,7 @@
|
|||
- configure
|
||||
|
||||
- name: Clone repository if it does not already exist
|
||||
git:
|
||||
ansible.builtin.git:
|
||||
accept_hostkey: true
|
||||
dest: "{{ openqa_homedir }}/share/tests/rocky"
|
||||
repo: "{{ openqa_rocky_testing_repo }}"
|
||||
|
@ -125,7 +125,7 @@
|
|||
- configure
|
||||
|
||||
- name: Set owner/group/permissions on repo contents
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: "{{ openqa_homedir }}/share/tests/rocky"
|
||||
recurse: true
|
||||
owner: "{{ openqa_user }}"
|
||||
|
@ -136,17 +136,17 @@
|
|||
|
||||
# fifloader.py will fail if the Demo user is not logged in
|
||||
- name: Authenticate to web UI the first time
|
||||
uri:
|
||||
ansible.builtin.uri:
|
||||
url: "http://{{ openqa_host }}/login"
|
||||
|
||||
- name: Run fifloader.py
|
||||
command: ./fifloader.py -l -c templates.fif.json templates-updates.fif.json
|
||||
ansible.builtin.command: ./fifloader.py -l -c templates.fif.json templates-updates.fif.json
|
||||
changed_when: "1 != 1"
|
||||
args:
|
||||
chdir: "{{ openqa_homedir }}/share/tests/rocky"
|
||||
|
||||
- name: Create ISO directory
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: "{{ openqa_homedir }}/share/factory/iso/fixed"
|
||||
state: directory
|
||||
owner: "{{ openqa_user }}"
|
||||
|
@ -156,7 +156,7 @@
|
|||
- download_isos
|
||||
|
||||
- name: Download ISOs
|
||||
get_url:
|
||||
ansible.builtin.get_url:
|
||||
dest: "{{ openqa_homedir }}/share/factory/iso/fixed/{{ item.name }}"
|
||||
url: "{{ rocky_iso_download_url }}/{{ item.name }}"
|
||||
checksum: "{{ item.checksum }}"
|
||||
|
@ -180,7 +180,7 @@
|
|||
- configure
|
||||
|
||||
- name: POST a job
|
||||
command: |
|
||||
ansible.builtin.command: |
|
||||
openqa-cli api -X POST isos \
|
||||
ISO=Rocky-{{ rocky_version }}-{{ rocky_arch }}-minimal.iso \
|
||||
ARCH={{ rocky_arch }} \
|
||||
|
|
|
@ -1,14 +1,14 @@
|
|||
---
|
||||
# Configure relay
|
||||
- name: Ensure postfix is installed
|
||||
yum:
|
||||
ansible.builtin.dnf:
|
||||
name:
|
||||
- postfix
|
||||
- cyrus-sasl-plain
|
||||
state: present
|
||||
|
||||
- name: Add password map
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: etc/postfix/sasl_passwd.j2
|
||||
dest: /etc/postfix/sasl_passwd
|
||||
owner: root
|
||||
|
@ -17,7 +17,7 @@
|
|||
notify: rehash_postfix_sasl
|
||||
|
||||
- name: Add relay information to postfix
|
||||
blockinfile:
|
||||
ansible.builtin.blockinfile:
|
||||
path: /etc/postfix/main.cf
|
||||
marker: "## ANSIBLE MANAGED ##"
|
||||
block: |
|
||||
|
@ -31,7 +31,7 @@
|
|||
notify: restart_postfix
|
||||
|
||||
- name: Ensure postfix is running and enabled
|
||||
service:
|
||||
ansible.builtin.service:
|
||||
name: postfix
|
||||
state: restarted
|
||||
enabled: true
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
# Common scripts that rocky uses on nodes
|
||||
- name: Lock Wrapper script
|
||||
copy:
|
||||
ansible.builtin.copy:
|
||||
src: "usr/local/bin/lock-wrapper"
|
||||
dest: "/usr/local/bin/lock-wrapper"
|
||||
owner: root
|
||||
|
@ -9,7 +9,7 @@
|
|||
mode: '0755'
|
||||
|
||||
- name: dmidecode pretty script
|
||||
copy:
|
||||
ansible.builtin.copy:
|
||||
src: "usr/local/bin/dmidecode-pretty"
|
||||
dest: "/usr/local/bin/dmidecode-pretty"
|
||||
owner: root
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
---
|
||||
- name: Ensure SSH server is installed
|
||||
package:
|
||||
ansible.builtin.package:
|
||||
name: openssh-server
|
||||
state: present
|
||||
|
||||
- name: Ensure SSH daemon is enabled
|
||||
service:
|
||||
ansible.builtin.service:
|
||||
name: sshd
|
||||
enabled: true
|
||||
|
||||
|
@ -13,7 +13,7 @@
|
|||
- name: SSH daemon configuration - global
|
||||
block:
|
||||
- name: SSH daemon configuration - base
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: "etc/ssh/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-sshd_config.j2"
|
||||
dest: "/etc/ssh/sshd_config"
|
||||
owner: root
|
||||
|
@ -28,7 +28,7 @@
|
|||
msg: "Error in SSH daemon configuration or template"
|
||||
|
||||
- name: SSH banner
|
||||
copy:
|
||||
ansible.builtin.copy:
|
||||
src: "etc/rockybanner"
|
||||
dest: "/etc/rockybanner"
|
||||
owner: root
|
||||
|
@ -37,7 +37,7 @@
|
|||
notify: restart_sshd
|
||||
|
||||
- name: Remove DSA keys
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: "{{ item }}"
|
||||
state: absent
|
||||
with_items:
|
||||
|
|
Loading…
Reference in a new issue