Merge pull request #14980 from rocky-linux/develop

Develop

ansible/README.md

@@ -167,3 +167,23 @@ When initializing the ansible host, you should be in `./infrastructure/ansible`
 % cd infrastructure/ansible
 % ansible-playbook playbooks/init-rocky-ansible-host.yml
 ```
+
+## Initializing the environment
+
+To get a base environment, you will need to run the playbooks in this order.
+
+```
+# Ansible host
+init-rocky-ansible-host.yml
+# First IPA server
+role-rocky-ipa.yml
+# Replicas
+role-rocky-ipa-replica.yml
+# Base users, groups, and DNS
+init-rocky-ipa-team.yml
+init-rocky-ipa-internal-dns.yml
+# All clients should be listed under [ipaclients]
+role-rocky-ipa-client.yml
+# All systems should be hardened
+init-rocky-system-config.yml
+```

ansible/playbooks/adhoc-ipagetcert.yml

@@ -17,14 +17,14 @@
   vars:
     ipa_getcert_requested_hostnames:
       - name: "{{ getcert_name|default(ansible_fqdn) }}"
-        owner: "{{ getcert_owner|default(omit) }}"
-        key_location: "{{ getcert_key|default(omit) }}"
-        cert_location: "{{ getcert_cert|default(omit) }}"
-        nss_db_dir: "{{ getcert_nss_db_dir|default(omit) }}"
+        owner: "{{ getcert_owner|default('root') }}"
+        key_location: "{{ getcert_key|default('/etc/pki/tls/private/newcert.key') }}"
+        cert_location: "{{ getcert_cert|default('/etc/pki/tls/certs/newcert.crt') }}"
+        nss_db_dir: "{{ getcert_nss_db_dir|default('/etc/pki/tls/db') }}"
         nss_nickname: "{{ getcert_nss_nickname|default(ansible_fqdn) }}"
-        postcmd: "{{ getcert_postcmd|default(omit) }}"
-    ipa_getcert_chain: "{{ getcert_chain|default(omit) }}"
-    ipa_getcert_chain_location: "{{ getcert_chain_location|default(omit) }}"
+        postcmd: "{{ getcert_postcmd|default(false) }}"
+    ipa_getcert_chain: "{{ getcert_chain|default(false) }}"
+    ipa_getcert_chain_location: "{{ getcert_chain_location|default('/etc/pki/tls/chain') }}"
     ipa_getcert_nss: "{{ getcert_nss|default(false) }}"
 
   roles:

ansible/playbooks/init-rocky-account-services.yml

@@ -4,7 +4,7 @@
   hosts: "{{ host }}"
   become: true
 
-  handers:
+  handlers:
     - import_tasks: handlers/main.yml
 
   pre_tasks:

ansible/playbooks/init-rocky-bugzilla.yml

@@ -4,7 +4,7 @@
   hosts: "{{ host }}"
   become: true
 
-  handers:
+  handlers:
     - import_tasks: handlers/main.yml
 
   pre_tasks:

ansible/playbooks/init-rocky-builder-postfix.yml

@@ -6,7 +6,7 @@
   vars_files:
     - vars/buildsys.yml
 
-  handers:
+  handlers:
     - import_tasks: handlers/main.yml
 
   pre_tasks:

ansible/playbooks/init-rocky-noggin-theme.yml

@@ -4,7 +4,7 @@
   hosts: "idp"
   become: true
 
-  handers:
+  handlers:
     - import_tasks: handlers/main.yml
 
   pre_tasks:

ansible/playbooks/role-rocky-kojid.yml

@@ -7,6 +7,7 @@
   - vars/vaults/encpass.yml
   - vars/common.yml
   - vars/kojid.yml
+  - vars/koji-common.yml
 
   # This is to try to avoid the handler issue in pre/post tasks
   handlers:
@@ -28,13 +29,13 @@
     - name: Check for keytabs - kojid
       stat:
         path: /etc/kojid.keytab
-      register: kojid_keytab
+      register: kojid_keytab_check
       changed_when: "1 != 1"
 
     - name: Verify keytab
       assert:
         that:
-          - "kojid_keytab.stat.exists"
+          - "kojid_keytab_check.stat.exists"
         success_msg: "It is likely we have all keytabs"
         fail_msg: "There are no keytabs. Please build the keytabs."
 
@@ -77,6 +78,9 @@
       state: present
 
   post_tasks:
+    - name: "Setup shared filesystem mount"
+      import_tasks: tasks/koji_efs.yml
+
     - name: Touching run file that ansible has ran here
       file:
         path: /var/log/ansible.run

ansible/playbooks/role-rocky-kojihub.yml

@@ -7,6 +7,7 @@
   - vars/vaults/encpass.yml
   - vars/common.yml
   - vars/kojihub.yml
+  - vars/koji-common.yml
 
   # This is to try to avoid the handler issue in pre/post tasks
   handlers:
@@ -110,6 +111,9 @@
       state: present
 
   post_tasks:
+    - name: "Setup shared filesystem mount"
+      import_tasks: tasks/koji_efs.yml
+
     - name: Touching run file that ansible has ran here
       file:
         path: /var/log/ansible.run

ansible/playbooks/tasks/koji_efs.yml

@@ -0,0 +1,21 @@
+---
+# Sets up the EFS mount for /mnt/koji {{ koji_efs_mount_path }}
+# Requires amazon-efs-utils; included
+#
+- name: Installing amazon-efs-utils
+  yum:
+    name: amazon-efs-utils
+    state: present
+  tags:
+    - amazon_efs_utils
+    - packages
+
+- name: "Creating and mounting {{ koji_efs_fsid }} at {{ koji_efs_mount_path }}"
+  ansible.posix.mount:
+    path: "{{ koji_efs_mount_path }}"
+    src: "{{ koji_efs_fsid }}:/"
+    fstype: "{{ koji_efs_fs_type }}"
+    opts: "{{ koji_efs_fs_opts | join(',') }}"
+    state: "{{ koji_efs_fs_state | default('mounted') }}"
+  tags:
+    - mounts

ansible/playbooks/tasks/postfix_relay.yml

@@ -33,5 +33,5 @@
 - name: Ensure postfix is running and enabled
   service:
     name: postfix
-    state: running
+    state: restarted
     enabled: true

ansible/playbooks/vars/koji-common.yml

@@ -0,0 +1,8 @@
+---
+# Koji common
+koji_efs_mount_path: /mnt/koji
+koji_efs_fsid: whatever.amazonaws.com
+koji_efs_fs_type: efs
+koji_efs_fs_opts:
+  - tls
+  - iam

ansible/roles/requirements.yml

@@ -38,3 +38,4 @@ collections:
   - name: ansible.posix
   - name: ktdreyer.koji_ansible
   - name: netbox.netbox
+  - name: community.aws