This commit is contained in:
nazunalika 2022-03-27 22:01:23 -07:00
parent 460acc21ef
commit dfe4f60ab8
Signed by: label
GPG key ID: 6735C0E1BD65D048
43 changed files with 158 additions and 153 deletions

6
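--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,6 @@
+roles/*
+collections/*
+!roles/README.md
+!roles/requirements.yml
+!collections/README.md
+!collections/requirements.yml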


@ -3,6 +3,6 @@
become: true
tasks:
- name: Force a fact refresh to have those available in local cache
setup:
ansible.builtin.setup:
gather_timeout: 30
...


@ -26,7 +26,7 @@
tasks:
- name: "Checking for user variables"
assert:
ansible.builtin.assert:
that:
- username != "admin"
- username != "guest"
@ -37,7 +37,7 @@
- rabbitmq
- name: "Validate username queue name"
assert:
ansible.builtin.assert:
that:
- "queue_name.startswith(username)"
tags:


@ -12,7 +12,7 @@
tasks:
- name: "Checking for user variables"
assert:
ansible.builtin.assert:
that:
- username != "admin"
- username != "guest"


@ -2,7 +2,6 @@
collections:
# freeipa
- name: freeipa.ansible_freeipa
version: 1.6.3
- name: community.general
- name: community.mysql
- name: community.rabbitmq
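Review bot: Removing `version: 1.6.3` from the freeipa.ansible_freeipa entry leaves no collection in this list pinned, so each `ansible-galaxy collection install -r` resolves to whatever Galaxy currently serves as latest and a run is no longer reproducible. Keep a pin or at least a bounded constraint (illustrative: `version: ">=1.6.3,<2.0.0"`), and consider the same for the community.* entries, which are already unpinned. Another hunk in this commit switches a task to `ansible.posix.seboolean`; if `ansible.posix` is not listed elsewhere in this file (the rest of the list is outside the hunk) it needs an entry as well.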


@ -1,22 +1,22 @@
---
# Handlers
- name: restart_sshd
service:
ansible.builtin.service:
name: sshd
state: restarted
- name: restart_httpd
service:
ansible.builtin.service:
name: httpd
state: restarted
- name: restart_nginx
service:
ansible.builtin.service:
name: nginx
state: restarted
- name: reload_networkmanager
service:
ansible.builtin.service:
name: NetworkManager
state: reloaded
@ -24,7 +24,7 @@
command: /sbin/augenrules
- name: reload_chrony
systemd:
ansible.builtin.systemd:
name: "{{ chrony_service_name }}"
state: restarted
listen: "chrony service restart"
@ -35,7 +35,7 @@
failed_when: gitlab_restart_handler_failed_when | bool
- name: restart_noggin
service:
ansible.builtin.service:
name: noggin
state: restarted
@ -43,7 +43,7 @@
command: "postmap /etc/postfix/sasl_passwd"
- name: restart_postfix
service:
ansible.builtin.service:
name: postfix
state: restarted
...
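Review bot: The handlers at `@ -24,7` and `@ -43,7` still invoke `command: /sbin/augenrules` and `command: "postmap /etc/postfix/sasl_passwd"` by short module name while every other handler in this file was moved to its FQCN; for consistency change them to `ansible.builtin.command: /sbin/augenrules` and `ansible.builtin.command: "postmap /etc/postfix/sasl_passwd"`. Both lines are context, so the rest of those two handler definitions (their `name:` and `listen:` keys) is outside the hunks.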


@ -14,7 +14,7 @@
register: no_ansible
- name: Verify if we can run ansible
assert:
ansible.builtin.assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are not able to run on this node"
@ -26,7 +26,7 @@
post_tasks:
- name: Touching run file that ansible has ran here
file:
ansible.builtin.file:
path: /var/log/ansible.run
state: touch
mode: '0644'
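Review bot: The assert at `@ -14,7` has `success_msg: "We are not able to run on this node"`, which states the opposite of what passing the check means: `that: - "not no_ansible.stat.exists"` only succeeds when the node may be run on, as the sibling playbooks' `success_msg: "We are able to run on this node"` show. Change it to `success_msg: "We are able to run on this node"`. The same inverted text recurs in the sections below whose first hunks are `@ -17,7 +17,7`, `@ -18,7 +18,7`, `@ -16,7 +16,7` and three with `@ -14,7 +14,7`. The message line is context, so the commit did not touch it, and the `fail_msg` that follows is outside the hunk.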


@ -20,7 +20,7 @@
# - twine
- name: Remove existing public roles
file:
ansible.builtin.file:
path: "{{ installation_prefix }}{{ roles_installation_dir }}"
state: absent
when: force_purge | bool
@ -44,13 +44,13 @@
changed_when: '"Installing " in galaxy_install_collection.stdout'
- name: cleanup old ssh known_hosts - remove
file:
ansible.builtin.file:
path: "../tmp/known_hosts"
state: absent
mode: "0644"
- name: cleanup old ssh known_hosts - blank
file:
ansible.builtin.file:
path: "../tmp/known_hosts"
state: touch
mode: "0644"
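Review bot: The two cleanup tasks at `@ -44,13` delete and then re-create an empty `../tmp/known_hosts` on every run, which discards every SSH host key recorded by the previous run and means each host is trusted on first use again each time. If this is the file ssh is pointed at for these runs, seeding it from a managed list with `ansible.builtin.known_hosts` instead of blanking it lets a changed host key be noticed rather than silently accepted. `mode: "0644"` on the `state: absent` task is ignored by the module and can be dropped there.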


@ -17,7 +17,7 @@
register: no_ansible
- name: Verify if we can run ansible
assert:
ansible.builtin.assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are not able to run on this node"
@ -43,13 +43,13 @@
- https
- name: Ensure httpd is enabled and running
service:
ansible.builtin.service:
name: httpd
enabled: true
state: started
- name: Touching run file that ansible has ran here
file:
ansible.builtin.file:
path: /var/log/ansible.run
state: touch
mode: '0644'


@ -20,7 +20,7 @@
register: no_ansible
- name: Verify if we can run ansible
assert:
ansible.builtin.assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
@ -32,7 +32,7 @@
post_tasks:
- name: Touching run file that ansible has ran here
file:
ansible.builtin.file:
path: /var/log/ansible.run
state: touch
mode: '0644'


@ -13,7 +13,7 @@
register: no_ansible
- name: Verify if we can run ansible
assert:
ansible.builtin.assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
@ -28,7 +28,7 @@
# Install KVM packages
- name: Installing KVM Packages
package:
ansible.builtin.package:
name:
- qemu-kvm
- libvirt
@ -38,7 +38,7 @@
state: present
- name: Enable and Start libvirtd
systemd:
ansible.builtin.systemd:
name: libvirtd
state: started
enabled: true
@ -51,7 +51,7 @@
post_tasks:
- name: Touching run file that ansible has ran here
file:
ansible.builtin.file:
path: /var/log/ansible.run
state: touch
mode: '0644'


@ -18,7 +18,7 @@
register: no_ansible
- name: Verify if we can run ansible
assert:
ansible.builtin.assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are not able to run on this node"
@ -44,13 +44,13 @@
- https
- name: Ensure httpd is enabled and running
service:
ansible.builtin.service:
name: httpd
enabled: true
state: started
- name: Touching run file that ansible has ran here
file:
ansible.builtin.file:
path: /var/log/ansible.run
state: touch
mode: '0644'


@ -14,7 +14,7 @@
register: no_ansible
- name: Verify if we can run ansible
assert:
ansible.builtin.assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are not able to run on this node"
@ -32,7 +32,7 @@
post_tasks:
- name: Touching run file that ansible has ran here
file:
ansible.builtin.file:
path: /var/log/ansible.run
state: touch
mode: '0644'


@ -14,7 +14,7 @@
register: no_ansible
- name: Verify if we can run ansible
assert:
ansible.builtin.assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are not able to run on this node"
@ -26,7 +26,7 @@
post_tasks:
- name: Touching run file that ansible has ran here
file:
ansible.builtin.file:
path: /var/log/ansible.run
state: touch
mode: '0644'


@ -32,7 +32,7 @@
register: no_ansible
- name: Verify if we can run ansible
assert:
ansible.builtin.assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
@ -44,7 +44,7 @@
post_tasks:
- name: Touching run file that ansible has ran here
file:
ansible.builtin.file:
path: /var/log/ansible.run
state: touch
mode: '0644'


@ -16,7 +16,7 @@
register: no_ansible
- name: Verify if we can run ansible
assert:
ansible.builtin.assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are not able to run on this node"
@ -28,7 +28,7 @@
post_tasks:
- name: Touching run file that ansible has ran here
file:
ansible.builtin.file:
path: /var/log/ansible.run
state: touch
mode: '0644'


@ -5,7 +5,7 @@
become: true
handlers:
- import_tasks: handers/main.yml
- import_tasks: handlers/main.yml
pre_tasks:
- name: Check if ansible cannot be run here
@ -14,7 +14,7 @@
register: no_ansible
- name: Verify if we can run ansible
assert:
ansible.builtin.assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are not able to run on this node"
@ -26,7 +26,7 @@
post_tasks:
- name: Touching run file that ansible has ran here
file:
ansible.builtin.file:
path: /var/log/ansible.run
state: touch
mode: '0644'
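Review bot: The corrected line `- import_tasks: handlers/main.yml` at `@ -5,7` keeps the short module name while the rest of this commit moves every module call to its FQCN; for consistency write it as `- ansible.builtin.import_tasks: handlers/main.yml`. The path fix from `handers/` itself looks right. The play header this `handlers:` block belongs to is above the hunk.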


@ -18,7 +18,7 @@
register: no_ansible
- name: Verify if we can run ansible
assert:
ansible.builtin.assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
@ -48,7 +48,7 @@
post_tasks:
- name: Touching run file that ansible has ran here
file:
ansible.builtin.file:
path: /var/log/ansible.run
state: touch
mode: '0644'


@ -18,7 +18,7 @@
register: no_ansible
- name: Verify if we can run ansible
assert:
ansible.builtin.assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
@ -32,7 +32,7 @@
post_tasks:
- name: Touching run file that ansible has ran here
file:
ansible.builtin.file:
path: /var/log/ansible.run
state: touch
mode: '0644'


@ -24,14 +24,14 @@
register: no_ansible
- name: Verify if we can run ansible
assert:
ansible.builtin.assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
- name: Install SELinux packages
package:
ansible.builtin.package:
name: python3-policycoreutils.noarch
state: present
@ -58,7 +58,7 @@
loop: "{{ graylog_server_firewall_rules }}"
- name: Touching run file that ansible has ran here
file:
ansible.builtin.file:
path: /var/log/ansible.run
state: touch
mode: '0644'


@ -21,7 +21,7 @@
register: no_ansible
- name: Verify if we can run ansible
assert:
ansible.builtin.assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
@ -29,13 +29,13 @@
- name: Install git
become: true
package:
ansible.builtin.package:
name: git
state: present
- name: Install SELinux packages
become: true
package:
ansible.builtin.package:
name: python3-policycoreutils.noarch
state: present
@ -63,7 +63,7 @@
- name: Touching run file that ansible has ran here
become: true
file:
ansible.builtin.file:
path: /var/log/ansible.run
state: touch
mode: '0644'


@ -25,14 +25,14 @@
register: no_ansible
- name: Verify if we can run ansible
assert:
ansible.builtin.assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
- name: Install SELinux packages
package:
ansible.builtin.package:
name: python3-policycoreutils.noarch
state: present
@ -55,7 +55,7 @@
loop: "{{ monitoring_server_firewall_rules }}"
- name: Touching run file that ansible has ran here
file:
ansible.builtin.file:
path: /var/log/ansible.run
state: touch
mode: '0644'


@ -18,7 +18,7 @@
register: no_ansible
- name: Verify if we can run ansible
assert:
ansible.builtin.assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
@ -50,7 +50,7 @@
# The CentOS extras repos has epel-release provided
- name: Enable the EPEL repository
yum:
ansible.builtin.dnf:
name: epel-release
state: present
tags:
@ -65,7 +65,7 @@
post_tasks:
- name: Touching run file that ansible has ran here
file:
ansible.builtin.file:
path: /var/log/ansible.run
state: touch
mode: '0644'


@ -5,12 +5,12 @@
pre_tasks:
- name: Install SELinux packages
package:
ansible.builtin.package:
name: python3-policycoreutils.noarch
state: present
roles:
- role: cloudalchemy.node-exporter
- role: cloudalchemy.node_exporter
state: present
post_tasks:
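Review bot: `state: present` directly after `- role: cloudalchemy.node_exporter` at `@ -5,12` is not a role keyword; Ansible passes unknown keys of a role entry to the role as variables, so this line only defines a variable named `state` for the role and does nothing for the package. It reads like a stray copy of the `state: present` from the SELinux package task just above and can probably be dropped (indentation is not preserved on this page, so confirm where it actually nests). The rename to `cloudalchemy.node_exporter` also has to match the entry in roles/requirements.yml, which this commit does not touch.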


@ -19,14 +19,14 @@
register: no_ansible
- name: Verify if we can run ansible
assert:
ansible.builtin.assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
- name: Install SELinux packages
package:
ansible.builtin.package:
name: python3-policycoreutils.noarch
state: present
@ -58,7 +58,7 @@
loop: "{{ firewall_rules }}"
- name: Touching run file that ansible has ran here
file:
ansible.builtin.file:
path: /var/log/ansible.run
state: touch
mode: '0644'


@ -19,7 +19,7 @@
register: no_ansible
- name: Verify if we can run ansible
assert:
ansible.builtin.assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
@ -81,7 +81,7 @@
post_tasks:
- name: Touching run file that ansible has ran here
file:
ansible.builtin.file:
path: /var/log/ansible.run
state: touch
mode: '0644'


@ -19,7 +19,7 @@
register: no_ansible
- name: Verify if we can run ansible
assert:
ansible.builtin.assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
@ -33,7 +33,7 @@
post_tasks:
- name: Touching run file that ansible has ran here
file:
ansible.builtin.file:
path: /var/log/ansible.run
state: touch
mode: '0644'


@ -1,7 +1,7 @@
---
# Account Services
- name: Install packages
package:
ansible.builtin.package:
name:
- httpd
- mod_ssl
@ -11,7 +11,7 @@
state: present
- name: Deploy relevant httpd configuration
template:
ansible.builtin.template:
src: "etc/httpd/conf.d/id.conf.j2"
dest: "/etc/httpd/conf.d/id.conf"
owner: root
@ -20,7 +20,7 @@
notify: restart_httpd
- name: Enable and start
systemd:
ansible.builtin.systemd:
name: httpd
state: running
enabled: true
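Review bot: `state: running` under `ansible.builtin.systemd` at `@ -20,7` is not one of the module's accepted values (started, stopped, restarted, reloaded), so the `Enable and start` task will fail argument validation; every other service task in this commit uses `state: started`, so change it to `state: started`. The line is context, so the commit did not touch it. The rest of the task is outside the hunk.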


@ -1,18 +1,18 @@
---
- name: Ensure auditd is installed
package:
ansible.builtin.package:
name: audit
state: present
tags:
- harden
- name: Ensure auditd is enabled
service:
ansible.builtin.service:
name: auditd
enabled: true
- name: Ensure auditd buffer is OK
replace:
ansible.builtin.replace:
path: /etc/audit/rules.d/audit.rules
regexp: '-b \d+'
replace: '-b {{ audit_buffer }}'
@ -22,7 +22,7 @@
- harden
- name: Ensure collection audit rules are available
template:
ansible.builtin.template:
src: "etc/audit/rules.d/collection.rules.j2"
dest: "/etc/audit/rules.d/collection.rules"
owner: root
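Review bot: `Ensure auditd is enabled` at `@ -1,18` sets `enabled: true` but no `state`, so a host where the audit package was just installed stays without a running auditd until the next boot; if the hardening is meant to take effect immediately, add `state: started`. The collection-rules template at `@ -22,7` only takes effect once augenrules reloads them; whether the task notifies the augenrules handler is outside the hunk, so worth confirming.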


@ -4,7 +4,7 @@
- name: Enterprise Linux 8+ PAM Configuration
block:
- name: Ensure Custom Profile is removed
file:
ansible.builtin.file:
path: /etc/authselect/custom/sssd-rocky
state: absent
@ -20,7 +20,7 @@
changed_when: false
- name: Override system-auth and password-auth
copy:
ansible.builtin.copy:
src: "etc/authselect/custom/sssd-rocky/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth"
dest: "{{ item }}"
owner: root
@ -45,7 +45,7 @@
changed_when: false
- name: Enable oddjobd
service:
ansible.builtin.service:
name: oddjobd
state: started
enabled: true


@ -11,7 +11,7 @@
- httpd_can_sendmail
- name: Install necessary packages
yum:
ansible.builtin.dnf:
name: "{{ bugzilla_pkg }}"
state: present
tags:
@ -24,7 +24,7 @@
checksum: "{{ bugzilla_checksum }}"
- name: Create initial directory
file:
ansible.builtin.file:
path: "{{ bugzilla_dir }}"
state: directory
mode: '0750'
@ -43,7 +43,7 @@
- '--strip-components=1'
- name: Configure httpd
template:
ansible.builtin.template:
src: "etc/httpd/conf.d/bugzilla.conf.j2"
dest: "/etc/httpd/conf.d/bugzilla.conf"
owner: root


@ -7,7 +7,7 @@
register: conf_result
- name: Deploy answer file
template:
ansible.builtin.template:
src: "var/www/bugzilla/answer"
dest: "{{ bugzilla_dir }}/answer"
owner: root
@ -23,7 +23,7 @@
when: not conf_result.stat.exists
- name: Deploy proper configuration
template:
ansible.builtin.template:
src: "var/www/bugzilla/localconfig.j2"
dest: "{{ bugzilla_dir }}/localconfig"
owner: root
@ -54,7 +54,7 @@
changed_when: "1 != 1"
- name: Remove answer file
file:
ansible.builtin.file:
path: "{{ bugzilla_dir }}/answer"
state: absent
...
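Review bot: `changed_when: "1 != 1"` at `@ -54,7` is a roundabout way of writing `changed_when: false`; the same idiom appears on the fifloader task in the OpenQA role. The answer file deployed at `@ -7,7` presumably feeds the installer and is only removed by the last task in this file, so a failure in between leaves it in `{{ bugzilla_dir }}`; its `mode:` is outside the hunk (confirm `'0600'`), and wrapping the deploy, run and remove steps in a `block:` with the removal under `always:` keeps it from lingering.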


@ -6,18 +6,18 @@
when: "'chronyservers' in group_names"
- name: Install chrony packages
yum:
ansible.builtin.dnf:
name: "{{ chrony_packages }}"
state: present
- name: Fix permissions for chrony home directory
file:
ansible.builtin.file:
path: "{{ chrony_homedir }}"
mode: 0750
state: directory
- name: Deploy configuration
template:
ansible.builtin.template:
src: chrony.conf.j2
dest: "{{ chrony_config_file }}"
owner: "{{ chrony_owner }}"
@ -26,7 +26,7 @@
notify: "chrony service restart"
- name: Manage the state of service
systemd:
ansible.builtin.systemd:
name: "{{ chrony_service_name }}"
state: "{{ chrony_service_state }}"
enabled: "{{ chrony_service_enabled }}"
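Review bot: `mode: 0750` on the chrony home directory at `@ -6,18` is the only unquoted octal mode in this commit; the rest use the quoted form. The leading zero makes YAML 1.1 read it as integer 488, which is 0o750, so it works today, but losing the zero in a later edit would silently change the permission; write `mode: '0750'` for consistency and safety.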


@ -5,7 +5,7 @@
- name: "Installing amazon-efs-utils"
become: true
become_user: root
yum:
ansible.builtin.dnf:
name: 'https://kojidev.rockylinux.org/kojifiles/packages/amazon-efs-utils/1.31.3/1.5c58a2f.el8/noarch/amazon-efs-utils-1.31.3-1.5c58a2f.el8.noarch.rpm'
disable_gpg_check: true
validate_certs: true
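Review bot: The amazon-efs-utils install at `@ -5,7` pulls an RPM straight from a URL with `disable_gpg_check: true`, so `validate_certs: true` only protects the transport; nothing verifies that the package is the intended build or who produced it. Signing the package in the koji repo and dropping `disable_gpg_check`, or at least fetching it with `ansible.builtin.get_url` plus a `checksum:` and installing the local file, gives an integrity check that survives a replaced upload. The remaining keys of the task are outside the hunk.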


@ -3,7 +3,7 @@
- name: sysctl hardening and limits
block:
- name: create combined sysctl-dict if overwrites are defined
set_fact:
ansible.builtin.set_fact:
sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
when: sysctl_overwrite | default()
@ -34,7 +34,7 @@
- name: Standard login settings
block:
- name: useradd defaults
lineinfile:
ansible.builtin.lineinfile:
line: "INACTIVE=30"
regexp: "^INACTIVE=.*"
path: "/etc/login.defs"
@ -42,7 +42,7 @@
- harden
- name: login defs maximum days
replace:
ansible.builtin.replace:
path: /etc/login.defs
regexp: '(PASS_MAX_DAYS).*\d+'
replace: '\1\t{{ login_max_days }}'
@ -50,7 +50,7 @@
- harden
- name: login defs minimum days
replace:
ansible.builtin.replace:
path: /etc/login.defs
regexp: '(PASS_MIN_DAYS).*\d+'
replace: '\1\t{{ login_min_days }}'
@ -58,7 +58,7 @@
- harden
- name: login defs minimum length
replace:
ansible.builtin.replace:
path: /etc/login.defs
regexp: '(PASS_MIN_LEN).*\d+'
replace: '\1\t{{ login_min_len }}'
@ -66,7 +66,7 @@
- harden
- name: login defs warn age
replace:
ansible.builtin.replace:
path: /etc/login.defs
regexp: '(PASS_WARN_AGE).*\d+'
replace: '\1\t{{ login_warn_age }}'
@ -74,7 +74,7 @@
- harden
- name: cron directories permissions
file:
ansible.builtin.file:
path: '{{ item }}'
owner: root
group: root
@ -85,7 +85,7 @@
- harden
- name: Create cron/at allows
file:
ansible.builtin.file:
path: '{{ item }}'
owner: root
group: root
@ -96,7 +96,7 @@
- harden
- name: Remove cron/at denies
file:
ansible.builtin.file:
path: '{{ item }}'
state: absent
loop: '{{ login_cron_denies }}'
@ -105,7 +105,7 @@
# TODO: Use pamd module to establish password policy
- name: pwquality - minlen
lineinfile:
ansible.builtin.lineinfile:
line: "minlen = 14"
regexp: "^# minlen =.*"
path: "/etc/security/pwquality.conf"
@ -113,7 +113,7 @@
- harden
- name: pwquality - dcredit
lineinfile:
ansible.builtin.lineinfile:
line: "dcredit = -1"
regexp: "^# dcredit =.*"
path: "/etc/security/pwquality.conf"
@ -121,7 +121,7 @@
- harden
- name: pwquality - ucredit
lineinfile:
ansible.builtin.lineinfile:
line: "ucredit = -1"
regexp: "^# ucredit =.*"
path: "/etc/security/pwquality.conf"
@ -129,7 +129,7 @@
- harden
- name: pwquality - lcredit
lineinfile:
ansible.builtin.lineinfile:
line: "lcredit = -1"
regexp: "^# lcredit =.*"
path: "/etc/security/pwquality.conf"
@ -137,7 +137,7 @@
- harden
- name: pwquality - ocredit
lineinfile:
ansible.builtin.lineinfile:
line: "ocredit = -1"
regexp: "^# ocredit =.*"
path: "/etc/security/pwquality.conf"
@ -145,14 +145,14 @@
- harden
- name: Remove packages not allowed by CIS
package:
ansible.builtin.package:
name: "{{ remove_packages }}"
state: absent
tags:
- harden
- name: Disable Services
service:
ansible.builtin.service:
name: "{{ item }}"
enabled: false
state: stopped
@ -166,7 +166,7 @@
- name: modprobe settings
block:
- name: remove vfat from filesystem list if we are EFI
set_fact:
ansible.builtin.set_fact:
modprobe_unused_filesystems: "{{ modprobe_unused_filesystems | difference('vfat') }}"
when:
- efi_installed.stat.isdir is defined
@ -175,7 +175,7 @@
- efi
- name: disable unused filesystems
template:
ansible.builtin.template:
src: "etc/modprobe.d/cis.conf.j2"
dest: "/etc/modprobe.d/cis.conf"
owner: 'root'
@ -185,7 +185,7 @@
- harden
- name: Set init umask
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/sysconfig/init
state: present
regexp: ^umask
@ -199,7 +199,7 @@
- harden
- name: CIS sudoers configuration
copy:
ansible.builtin.copy:
src: "etc/sudoers.d/cis"
dest: "/etc/sudoers.d/cis"
owner: root
@ -209,7 +209,7 @@
- harden
- name: Remove packages not allowed by CIS
package:
ansible.builtin.package:
name: "{{ remove_packages }}"
state: absent
tags:
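Review bot: The pwquality tasks at `@ -105,7` through `@ -137,7` anchor on the commented default (`regexp: "^# minlen =.*"` and the like), so once the line is live with a different value, say a hand-edited `minlen = 10`, the regexp no longer matches and lineinfile appends a second `minlen = 14`, leaving two directives in pwquality.conf. A pattern that matches both forms, such as `regexp: '^#?\s*minlen\s*='`, keeps the task converging; the same applies to dcredit, ucredit, lcredit and ocredit. `Remove packages not allowed by CIS` is defined twice, at `@ -145,14` and `@ -209,7`, with identical arguments, so one of them can go. The `tags:` lists of both copies continue outside the hunks.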


@ -11,7 +11,7 @@
- httpd_can_sendmail
- name: Install necessary packages
yum:
ansible.builtin.dnf:
name: "{{ mantis_pkg }}"
state: present
tags:
@ -38,7 +38,7 @@
register: cryptosalt_string
- name: Configure mantis
template:
ansible.builtin.template:
src: "var/www/mantis/config/config_inc.php.j2"
dest: "/var/www/mantisbt-{{ mantis_version }}/config/config_inc.php"
owner: apache
@ -69,7 +69,7 @@
version: main
- name: Configure httpd
template:
ansible.builtin.template:
src: "etc/httpd/conf.d/mantis.conf.j2"
dest: "/etc/httpd/conf.d/mantis.conf"
owner: root
@ -77,7 +77,7 @@
mode: '0644'
- name: Database import template
template:
ansible.builtin.template:
src: "tmp/mantis_import.sql.j2"
dest: "/tmp/mantis_import.sql.j2"
owner: root
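Review bot: The `Database import template` task at `@ -77,7` writes to `dest: "/tmp/mantis_import.sql.j2"`, keeping the `.j2` suffix of its source; that looks like a copy-paste slip and the rendered file is presumably meant to be `/tmp/mantis_import.sql`. With `cryptosalt_string` registered just above, the rendered SQL likely carries account material, so a file in world-readable /tmp needs a restrictive mode (the `mode:` line is outside the hunk) and a cleanup task once the import has run.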


@ -3,7 +3,7 @@
# bug tracker accounts. We are doing regex instead of just replacing the
# file as a whole. Should make it easier to deal with upgrades in theory.
- name: Change signup_page.php to Account Services
replace:
ansible.builtin.replace:
path: "/var/www/mantisbt-{{ mantis_version }}/{{ item }}"
regexp: 'signup_page.php'
replace: 'https://accounts.rockylinux.org'
@ -13,13 +13,13 @@
- login_page.php
- name: Change special signup_page.php reference
replace:
ansible.builtin.replace:
path: "/var/www/mantisbt-{{ mantis_version }}/core/layout_api.php"
regexp: "' . helper_mantis_url( 'signup_page.php' ) . '"
replace: 'https://accounts.rockylinux.org'
- name: Remove LDAP from checks for signup button
lineinfile:
ansible.builtin.lineinfile:
path: "/var/www/mantisbt-{{ mantis_version }}/login_page.php"
state: absent
regex: 'LDAP != config_get_global'


@ -33,7 +33,7 @@
- name: Create webroot directory
become: true
file:
ansible.builtin.file:
path: "{{ mirrormanager_dir }}"
state: directory
group: "{{ mirrormanager_user.group }}"
@ -55,7 +55,7 @@
- name: Deploy MM2 config
become: true
template:
ansible.builtin.template:
src: "opt/mirrormanager/mirrormanager2.cfg.j2"
dest: "{{ mirrormanager_dir }}/app/mirrormanager2.cfg"
group: "{{ mirrormanager_user.group }}"


@ -1,6 +1,6 @@
---
- name: Ensure python is installed
yum:
ansible.builtin.dnf:
name:
- python3
- python3-pip
@ -12,7 +12,7 @@
comment: "Noggin FAS"
- name: Create noggin directory
file:
ansible.builtin.file:
path: /opt/noggin
state: directory
mode: '0700'
@ -36,7 +36,7 @@
become_user: noggin
- name: Remove any pycache
file:
ansible.builtin.file:
path: "/home/noggin/.cache/pypoetry"
state: absent
@ -58,7 +58,7 @@
register: virtualenv_location
- name: Deploy start up script
template:
ansible.builtin.template:
src: "opt/noggin/start_noggin.sh.j2"
dest: "/opt/noggin/start_noggin.sh"
mode: '0750'
@ -66,7 +66,7 @@
group: noggin
- name: Deploy systemd unit
copy:
ansible.builtin.copy:
src: "etc/systemd/system/noggin.service"
dest: "/etc/systemd/system/noggin.service"
owner: root
@ -74,7 +74,7 @@
mode: '0644'
- name: Deploy noggin configuration
template:
ansible.builtin.template:
src: "opt/noggin/noggin.cfg.j2"
dest: "/opt/noggin/noggin.cfg"
owner: noggin
@ -83,7 +83,7 @@
# The only way to run it properly, at least on EL8, is we need this line
- name: Add missing create_app call
lineinfile:
ansible.builtin.lineinfile:
path: "/opt/noggin/noggin/noggin/app.py"
line: "app = create_app()"
...


@ -1,13 +1,13 @@
---
- name: Install OpenQA packages
yum:
ansible.builtin.dnf:
name: "{{ openqa_packages }}"
state: present
tags:
- packages
- name: Copy httpd configuration files
copy:
ansible.builtin.copy:
remote_src: true
src: /etc/httpd/conf.d/{{ item }}.template
dest: /etc/httpd/conf.d/{{ item }}
@ -22,7 +22,7 @@
- configure
- name: Template OpenQA configuration files
template:
ansible.builtin.template:
src: etc/openqa/{{ item }}.j2
dest: /etc/openqa/{{ item }}
owner: "{{ openqa_user }}"
@ -38,17 +38,17 @@
service_facts:
- name: Check for non-empty postgres data directory
stat:
ansible.builtin.stat:
path: /var/lib/pgsql/data/base
register: postgres_data_dir
- name: If postgresql is not already running, initialize database
command: postgresql-setup --initdb
ansible.builtin.command: postgresql-setup --initdb
when: not ( ansible_facts.services["postgresql.service"]["state"] == "running" )
and not postgres_data_dir.stat.exists
- name: Enable and start postgresql service
systemd:
ansible.builtin.systemd:
name: postgresql
state: started
enabled: true
@ -56,7 +56,7 @@
and not postgres_data_dir.stat.exists
- name: Configure SELinux to allow httpd connection to network
seboolean:
ansible.posix.seboolean:
name: httpd_can_network_connect
state: true
persistent: true
@ -64,7 +64,7 @@
- configure
- name: Enable and start OpenQA services
systemd:
ansible.builtin.systemd:
name: "{{ item }}"
state: started
enabled: true
@ -73,7 +73,7 @@
- configure
- name: Create openqa-vnc firewalld service
template:
ansible.builtin.template:
src: etc/firewalld/services/openqa-vnc.xml.j2
dest: /etc/firewalld/services/openqa-vnc.xml
owner: root
@ -83,7 +83,7 @@
- configure
- name: Load openqa-vnc firewalld service
systemd:
ansible.builtin.systemd:
name: firewalld
state: reloaded
tags:
@ -101,7 +101,7 @@
- configure
- name: Reload FirewallD
systemd:
ansible.builtin.systemd:
name: firewalld
state: reloaded
tags:
@ -115,7 +115,7 @@
- configure
- name: Clone repository if it does not already exist
git:
ansible.builtin.git:
accept_hostkey: true
dest: "{{ openqa_homedir }}/share/tests/rocky"
repo: "{{ openqa_rocky_testing_repo }}"
@ -125,7 +125,7 @@
- configure
- name: Set owner/group/permissions on repo contents
file:
ansible.builtin.file:
path: "{{ openqa_homedir }}/share/tests/rocky"
recurse: true
owner: "{{ openqa_user }}"
@ -136,17 +136,17 @@
# fifloader.py will fail if the Demo user is not logged in
- name: Authenticate to web UI the first time
uri:
ansible.builtin.uri:
url: "http://{{ openqa_host }}/login"
- name: Run fifloader.py
command: ./fifloader.py -l -c templates.fif.json templates-updates.fif.json
ansible.builtin.command: ./fifloader.py -l -c templates.fif.json templates-updates.fif.json
changed_when: "1 != 1"
args:
chdir: "{{ openqa_homedir }}/share/tests/rocky"
- name: Create ISO directory
file:
ansible.builtin.file:
path: "{{ openqa_homedir }}/share/factory/iso/fixed"
state: directory
owner: "{{ openqa_user }}"
@ -156,7 +156,7 @@
- download_isos
- name: Download ISOs
get_url:
ansible.builtin.get_url:
dest: "{{ openqa_homedir }}/share/factory/iso/fixed/{{ item.name }}"
url: "{{ rocky_iso_download_url }}/{{ item.name }}"
checksum: "{{ item.checksum }}"
@ -180,7 +180,7 @@
- configure
- name: POST a job
command: |
ansible.builtin.command: |
openqa-cli api -X POST isos \
ISO=Rocky-{{ rocky_version }}-{{ rocky_arch }}-minimal.iso \
ARCH={{ rocky_arch }} \
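Review bot: The git clone at `@ -115,7` sets `accept_hostkey: true`, so the first run records whatever host key the remote presents and later runs trust it; pre-seeding the key with `ansible.builtin.known_hosts` and dropping `accept_hostkey` keeps the clone from trusting an unknown host. The web-UI login at `@ -136,17` uses `url: "http://{{ openqa_host }}/login"`; if openqa_host is not the local machine that exchange travels in clear text, which is worth confirming. `changed_when: "1 != 1"` on the fifloader task reads better as `changed_when: false`. The `POST a job` hunk is cut off after the ARCH line, so its remaining arguments and any `changed_when` are not visible here.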


@ -1,14 +1,14 @@
---
# Configure relay
- name: Ensure postfix is installed
yum:
ansible.builtin.dnf:
name:
- postfix
- cyrus-sasl-plain
state: present
- name: Add password map
template:
ansible.builtin.template:
src: etc/postfix/sasl_passwd.j2
dest: /etc/postfix/sasl_passwd
owner: root
@ -17,7 +17,7 @@
notify: rehash_postfix_sasl
- name: Add relay information to postfix
blockinfile:
ansible.builtin.blockinfile:
path: /etc/postfix/main.cf
marker: "## ANSIBLE MANAGED ##"
block: |
@ -31,7 +31,7 @@
notify: restart_postfix
- name: Ensure postfix is running and enabled
service:
ansible.builtin.service:
name: postfix
state: restarted
enabled: true
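Review bot: `Ensure postfix is running and enabled` at `@ -31,7` uses `state: restarted`, so postfix is bounced on every run whether or not anything changed and the task always reports changed; the tasks above already carry `notify: restart_postfix`, so `state: started` is enough here. The sasl_passwd template at `@ -1,14` presumably holds relay credentials; its `mode:` line is outside the hunk, so confirm it is `'0600'`.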


@ -1,7 +1,7 @@
---
# Common scripts that rocky uses on nodes
- name: Lock Wrapper script
copy:
ansible.builtin.copy:
src: "usr/local/bin/lock-wrapper"
dest: "/usr/local/bin/lock-wrapper"
owner: root
@ -9,7 +9,7 @@
mode: '0755'
- name: dmidecode pretty script
copy:
ansible.builtin.copy:
src: "usr/local/bin/dmidecode-pretty"
dest: "/usr/local/bin/dmidecode-pretty"
owner: root


@ -1,11 +1,11 @@
---
- name: Ensure SSH server is installed
package:
ansible.builtin.package:
name: openssh-server
state: present
- name: Ensure SSH daemon is enabled
service:
ansible.builtin.service:
name: sshd
enabled: true
@ -13,7 +13,7 @@
- name: SSH daemon configuration - global
block:
- name: SSH daemon configuration - base
template:
ansible.builtin.template:
src: "etc/ssh/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-sshd_config.j2"
dest: "/etc/ssh/sshd_config"
owner: root
@ -28,7 +28,7 @@
msg: "Error in SSH daemon configuration or template"
- name: SSH banner
copy:
ansible.builtin.copy:
src: "etc/rockybanner"
dest: "/etc/rockybanner"
owner: root
@ -37,7 +37,7 @@
notify: restart_sshd
- name: Remove DSA keys
file:
ansible.builtin.file:
path: "{{ item }}"
state: absent
with_items: