diff --git a/ansible/README.md b/ansible/README.md
index 6886d57..6b111ce 100644
--- a/ansible/README.md
+++ b/ansible/README.md
@@ -91,7 +91,8 @@ At a minimum, there should be `pre_tasks` and `post_tasks` that can judge whethe assert: that: - "not no_ansible.stat.exists" - msg: "/etc/no-ansible exists - skipping run on this node" + success_msg: "We are able to run on this node" + fail_msg: "/etc/no-ansible exists - skipping run on this node" # Import roles/tasks here
diff --git a/ansible/playbooks/adhoc-ipadns.yml b/ansible/playbooks/adhoc-ipadns.yml
index 3d35b06..ce56a73 100644
--- a/ansible/playbooks/adhoc-ipadns.yml
+++ b/ansible/playbooks/adhoc-ipadns.yml
@@ -8,7 +8,7 @@ become: false gather_facts: false vars_files: - - vars/encpass.yml + - vars/vaults/encpass.yml tasks: - name: "Checking for user variables"
diff --git a/ansible/playbooks/adhoc-ipadnsrecord.yml b/ansible/playbooks/adhoc-ipadnsrecord.yml
new file mode 100644
index 0000000..e95a1a1
--- /dev/null
+++ b/ansible/playbooks/adhoc-ipadnsrecord.yml
@@ -0,0 +1,44 @@
+---
+# This playbook is meant to be used with callable variables, like adhoc or AWX.
+# What: Creates dns records in the idm infrastructure based on the variables
+# provided.
+# What is expected:
+# -> ipaadmin_password: This should be the password of the admin user
+# -> ipa_admin: The admin user that has kerberos management capabilities (default is admin)
+# -> ipa_zone: The zone name (eg, rockylinux.org)
+# -> ipa_name: The shortname (eg, buildbox instead of buildbox.rockylinux.org)
+# -> ipa_name_type: Type of record (eg, CNAME, A, AAAA, PTR)
+# -> ipa_name_value: Record value (depends on type of record)
+# -> ipa_presence: present or absent
+
+- name: Create a DNS Record
+ hosts: ipaserver
+ become: false
+ gather_facts: false
+ vars_files:
+ - vars/vaults/encpass.yml
+
+ tasks:
+ - name: "Checking for user variables"
+ assert:
+ that:
+ - ipaadmin_password | mandatory
+ - ipa_zone | mandatory
+ - ipa_name | mandatory
+ - ipa_name_type | mandatory
+ - ipa_name_value | mandatory
+ - ipa_presence | mandatory
+ success_msg: "Required variables provided"
+ fail_msg: "We are missing zone information or ipa admin password"
+
+ - name: "Creating DNS Record"
+ freeipa.ansible_freeipa.ipadnsrecord:
+ ipaadmin_principal: "{{ ipa_admin|default('admin') }}"
+ ipaadmin_password: "{{ ipaadmin_password }}"
+ zone_name: "{{ ipa_zone }}"
+ name: "{{ ipa_name }}"
+ record_type: "{{ ipa_name_type }}"
+ record_value: "{{ ipa_name_value }}"
+ state: "{{ ipa_presence }}"
+ tags:
+ - dns
diff --git a/ansible/playbooks/adhoc-ipagetkeytab.yml b/ansible/playbooks/adhoc-ipagetkeytab.yml
index 30fbe03..e610693 100644
--- a/ansible/playbooks/adhoc-ipagetkeytab.yml
+++ b/ansible/playbooks/adhoc-ipagetkeytab.yml
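Review bot: Only the `Creating DNS Record` task carries `tags: - dns`, so `ansible-playbook --tags dns` runs the record change while skipping the untagged variable assertion, and `state: "{{ ipa_presence }}"` then accepts whatever the caller passed. Tag the assertion `always` (`tags: [always]`) or give both tasks the same tag, and add `- ipa_presence in ['present', 'absent']` to `that:` since the value goes straight through to the module. The `fail_msg` also names only zone and password although six variables are checked; `"Missing one of: ipaadmin_password, ipa_zone, ipa_name, ipa_name_type, ipa_name_value, ipa_presence"` would tell an AWX operator what to fix.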
@@ -1,18 +1,24 @@ --- # This playbook is meant to be used with callable variables, like adhoc or AWX. +# Special thanks to @remyabel for assisting in improving this playbook with +# extended security posture # What: Pulls keytabs for a kerberos service # What is expected: -# -> ipa_service, using this format: SVC/hostname.rockylinux.org@ROCKYLINUX.ORG +# -> host: The host in the inventory, this MUST be FQDN. +# -> ipa_service: using this format: SVC/hostname.rockylinux.org@ROCKYLINUX.ORG +# Note: This service MUST exist # -> ipa_keytab_fullpath: The full path to the keytab. Example: /etc/gitlab/gitlab.keytab # -> ipa_server: This needs to be one of the IPA servers -# -> ipa_owner: If applicable, the local account that will own this keytab (eg for Apache) +# -> ipa_owner: If applicable, the local account that can read this keytab (eg apache) +# -> ipa_admin: The admin user that has kerberos management capabilities (default is admin) +# -> ipaadmin_password: This should be the password of the admin user - name: Pull keytab from IPA hosts: "{{ host }}" - become: false + become: true gather_facts: false vars_files: - - vars/encpass.yml + - vars/vaults/encpass.yml tasks: - name: "Checking for user variables" 
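Review bot: `hosts: "{{ host }}"` is now combined with `become: true`, yet `host` is any inventory pattern the caller supplies, so a group name or `all` would run the keytab deployment as root on every matching host; the header comment says the value MUST be an FQDN but nothing enforces it. In the `Checking for user variables` assertion, which sits just outside this hunk, add `- host in groups['all']` and `- ansible_play_hosts | length == 1` so wildcards and groups fail before any keytab is touched. The same `host` is later used to build `/tmp/{{ host }}.kt` on the IPA server, so restricting it to a known inventory name also rules out path separators in that temporary file name.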
@@ -25,21 +31,106 @@ success_msg: "Required variables provided" fail_msg: "We are missing required information" - - name: "Pulling keytab" - command: "ipa-getkeytab -s {{ ipa_server }} -p {{ ipa_service }} -k {{ ipa_keytab_fullpath }}" - register: ipakeytab_result - changed_when: - - ipakeytab_result.rc == 0 - tags: - - keytab + - name: "Check that a keytab doesn't already exist" + stat: + path: "{{ ipa_keytab_fullpath }}" + register: keytab_status + check_mode: false + changed_when: "1 != 1" - - name: "Set ownership if applicable" + - name: "Verify keytab existence" + assert: + that: + - "not keytab_status.stat.exists" + success_msg: "Keytab doesn't exist, moving on..." + fail_msg: "Keytab with that name already exists, skipping." + + - name: "Grant {{ host }} and {{ ipa_admin }} access to the service keytab" + delegate_to: "{{ ipa_server }}" + freeipa.ansible_freeipa.ipaservice: + ipaadmin_principal: "{{ ipa_admin }}" + ipaadmin_password: "{{ ipaadmin_password }}" + name: "{{ ipa_service }}" + allow_retrieve_keytab_user: + - "{{ ipa_admin }}" + allow_retrieve_keytab_host: + - "{{ host }}" + action: member + + - name: "Grant {{ host }} and {{ ipa_admin }} access to the host keytab" + delegate_to: "{{ ipa_server }}" + freeipa.ansible_freeipa.ipahost: + ipaadmin_principal: "{{ ipa_admin }}" + ipaadmin_password: "{{ ipaadmin_password }}" + name: "{{ host }}" + state: present + allow_retrieve_keytab_user: + - "{{ ipa_admin }}" + managedby_host: "{{ host }}" + action: member + + - name: "Get kerberos ticket" + delegate_to: "{{ ipa_server }}" + shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" | kinit {{ ipa_admin }}" + check_mode: false + changed_when: "1 != 1" + when: not keytab_status.stat.exists + + - name: "Attempt to retrieve keytab" + delegate_to: "{{ ipa_server }}" + command: "ipa-getkeytab -r -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt" + register: ret_result + check_mode: false + changed_when: "1 != 1" + failed_when: "not ('Keytab 
successfully retrieved' in ret_result.stderr or 'krbPrincipalKey not found' in ret_result.stderr)" + + - name: "Create keytab if it didn't exist, based on the last task" + delegate_to: "{{ ipa_server }}" + command: "ipa-getkeytab -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt" + when: "'krbPrincipalKey not found' in ret_result.stderr" + + - name: "Destroy admin ticket" + delegate_to: "{{ ipa_server }}" + command: "kdestroy -A" + register: kdestroy_result + changed_when: "kdestroy_result.rc == 0" + + - name: "Put the keytab into a register" + delegate_to: "{{ ipa_server }}" + command: "base64 /tmp/{{ host }}.kt" + register: keytab + check_mode: false + changed_when: "keytab.rc == 0" + + - name: "Destroy local keytab" + delegate_to: "{{ ipa_server }}" + file: + path: "/tmp/{{ host }}.kt" + state: absent + + - name: "Deploy keytab to {{ host }} from register" + copy: + dest: "{{ ipa_keytab_fullpath }}.b64" + content: "{{ keytab.stdout }}" + owner: "{{ ipa_owner|default('root') }}" + group: "{{ ipa_owner|default('root') }}" + mode: '0600' + + - name: "Decode keytab" + shell: "umask 077 && base64 -d {{ ipa_keytab_fullpath }}.b64 > {{ ipa_keytab_fullpath }}" + changed_when: "1 != 1" + + - name: "Destroy encoded keytab" + file: + path: "{{ ipa_keytab_fullpath }}.b64" + state: absent + + - name: "Set ownership if applicable, otherwise it's root owned" file: path: "{{ ipa_keytab_fullpath }}" - owner: "{{ ipa_owner }}" - group: "{{ ipa_owner }}" + owner: "{{ ipa_owner|default('root') }}" + group: "{{ ipa_owner|default('root') }}" mode: '0600' state: file - when: ipa_owner tags: - keytab
diff --git a/ansible/playbooks/adhoc-ipagroups.yml b/ansible/playbooks/adhoc-ipagroups.yml
index ec3af08..dbb751a 100644
--- a/ansible/playbooks/adhoc-ipagroups.yml
+++ b/ansible/playbooks/adhoc-ipagroups.yml
@@ -7,7 +7,7 @@ become: false gather_facts: false vars_files: - - vars/encpass.yml + - vars/vaults/encpass.yml tasks: - name: "Checking for user variables"
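Review bot: The `Get kerberos ticket` task puts `ipaadmin_password` on a shell command line (`echo "…" | kinit`) with no `no_log: true`, so the admin password appears in verbose output and AWX job logs, and briefly in the process list on the IPA server. The tasks that register and copy the base64 keytab (`Put the keytab into a register`, `Deploy keytab … from register`) likewise lack `no_log`, so the service key material is logged as well. Feed the password through the command module's `stdin` instead of `echo`, and mark the three secret-handling tasks `no_log: true`, as below. Separately, if `Attempt to retrieve keytab` fails after `kinit` succeeded, the play stops with a live admin ticket and `/tmp/{{ host }}.kt` left on the IPA server; wrapping the delegated steps in a `block:` whose `always:` runs `kdestroy -A` and removes the temp file would close that gap.
```yaml
- name: "Get kerberos ticket"
  delegate_to: "{{ ipa_server }}"
  command: "kinit {{ ipa_admin }}"
  args:
    stdin: "{{ ipaadmin_password }}"
  no_log: true
  check_mode: false
  changed_when: "1 != 1"
  when: not keytab_status.stat.exists
# … unchanged: retrieve / create keytab, destroy ticket …
- name: "Put the keytab into a register"
  delegate_to: "{{ ipa_server }}"
  command: "base64 /tmp/{{ host }}.kt"
  register: keytab
  no_log: true
  check_mode: false
  changed_when: "keytab.rc == 0"
# … unchanged: destroy local keytab …
- name: "Deploy keytab to {{ host }} from register"
  copy:
    # … unchanged: dest, content, owner, group, mode …
  no_log: true
```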
diff --git a/ansible/playbooks/adhoc-ipaservice.yml b/ansible/playbooks/adhoc-ipaservice.yml
index 13ba128..ec3c7fc 100644
--- a/ansible/playbooks/adhoc-ipaservice.yml
+++ b/ansible/playbooks/adhoc-ipaservice.yml
@@ -7,7 +7,7 @@ become: false gather_facts: false vars_files: - - vars/encpass.yml + - vars/vaults/encpass.yml tasks: - name: "Checking for user variables"
diff --git a/ansible/playbooks/adhoc-ipausers.yml b/ansible/playbooks/adhoc-ipausers.yml
index b85e430..4599d90 100644
--- a/ansible/playbooks/adhoc-ipausers.yml
+++ b/ansible/playbooks/adhoc-ipausers.yml
@@ -7,7 +7,7 @@ become: false gather_facts: false vars_files: - - vars/encpass.yml + - vars/vaults/encpass.yml tasks: - name: "Checking for user variables"
diff --git a/ansible/playbooks/adhoc-rabbitmqqueue.yml b/ansible/playbooks/adhoc-rabbitmqqueue.yml
index ee7aa5a..edd207a 100644
--- a/ansible/playbooks/adhoc-rabbitmqqueue.yml
+++ b/ansible/playbooks/adhoc-rabbitmqqueue.yml
@@ -22,7 +22,7 @@ become: false gather_facts: false vars_files: - - vars/encpass.yml + - vars/vaults/encpass.yml - vars/rabbitmq.yml tasks:
diff --git a/ansible/playbooks/adhoc-rabbitmquser.yml b/ansible/playbooks/adhoc-rabbitmquser.yml
index 31fb6fe..14b326b 100644
--- a/ansible/playbooks/adhoc-rabbitmquser.yml
+++ b/ansible/playbooks/adhoc-rabbitmquser.yml
@@ -8,7 +8,7 @@ become: false gather_facts: false vars_files: - - vars/encpass.yml + - vars/vaults/encpass.yml - vars/rabbitmq.yml tasks:
diff --git a/ansible/playbooks/files/usr/local/bin/lock-wrapper b/ansible/playbooks/files/usr/local/bin/lock-wrapper
new file mode 100644
index 0000000..17c96ff
--- /dev/null
+++ b/ansible/playbooks/files/usr/local/bin/lock-wrapper
@@ -0,0 +1,51 @@
+#!/bin/bash
+# Borrowed from Fedora Infra for Rocky Linux
+
+if [ $# -lt 2 ]; then
+ echo "Usage: $0 [name] [script]"
+ exit 1;
+fi
+
+NAME=$1
+SCRIPT=$2
+
+SILENT="no"
+if [ $# -ge 3 -a "$3" == "--silent" ]; then
+ SILENT="yes"
+ shift
+fi
+
+shift 2
+
+LOCKDIR="/var/tmp/$NAME"
+PIDFILE="$LOCKDIR/pid"
+
+function cleanup {
+ rm -rf "$LOCKDIR"
+}
+
+RESTORE_UMASK=$(umask -p)
+umask 0077
+mkdir "$LOCKDIR" >& /dev/null
+if [ $? != 0 ]; then
+ PID=$(cat "$PIDFILE")
+ if [ -n "$PID" ] && /bin/ps $PID > /dev/null
+ then
+ if [ "$SILENT" != "yes" ]; then
+ echo "$PID is still running"
+ /bin/ps -o user,pid,start,time,comm $PID
+ fi
+ exit 1;
+ else
+ echo "$LOCKDIR exists but $PID is dead"
+ echo "Removing lockdir and re-running"
+ /bin/rm -rf $LOCKDIR
+ mkdir $LOCKDIR || exit
+ fi
+fi
+
+trap cleanup EXIT SIGQUIT SIGHUP SIGTERM
+echo $$ > "$PIDFILE"
+
+$RESTORE_UMASK
+eval "$SCRIPT $*"
diff --git a/ansible/playbooks/import-rockyusers.yml b/ansible/playbooks/import-rockyusers.yml
index 3aed65d..5ee7c94 100644
--- a/ansible/playbooks/import-rockyusers.yml
+++ b/ansible/playbooks/import-rockyusers.yml
@@ -46,3 +46,25 @@ loop: "{{ svcusers }}" tags: - users
+
+- name: "Creating bind account template - binder"
+ template:
+ src: "tmp/binder.update"
+ dest: "/tmp/binder.update"
+ owner: root
+ group: root
+ mode: '0600'
+ tags:
+ - users
+
+- name: "Adding in the bind account - binder"
+ command: "/usr/sbin/ipa-ldap-updater /tmp/binder.update"
+ register: bind_account
+ changed_when: "bind_account.rc == 0"
+ tags:
+ - users
+
+- name: "Remove template"
+ file:
+ path: "/tmp/binder.update"
+ state: absent
diff --git a/ansible/playbooks/init-rocky-chrony.yml b/ansible/playbooks/init-rocky-chrony.yml
index 6482d08..d013d4b 100644
--- a/ansible/playbooks/init-rocky-chrony.yml
+++ b/ansible/playbooks/init-rocky-chrony.yml
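Review bot: `LOCKDIR="/var/tmp/$NAME"` is built from an unvalidated first argument, and the stale-lock branch then runs `/bin/rm -rf $LOCKDIR` unquoted, so a name containing `/`, `..` or whitespace removes something other than the intended lock directory; that branch also trusts whatever is in `$PIDFILE` under world-writable `/var/tmp`, so `PID` should be checked to be numeric before it is handed to `ps` unquoted. Both checks are a few lines (below); quoting `"$LOCKDIR"` in the two unquoted `rm`/`mkdir` uses is worth doing at the same time. Moving the lock directory to root-only `/run/lock` would remove the shared-directory problem entirely, but changes where callers look for locks, so I'd leave that to a follow-up. `eval "$SCRIPT $*"` is by design here and is fine as long as callers are root cron entries rather than anything user-controlled.
```bash
NAME=$1
SCRIPT=$2
# refuse names that could escape /var/tmp or be parsed as options
case "$NAME" in
  ''|.*|*[!A-Za-z0-9._-]*) echo "invalid lock name: $NAME" >&2; exit 1 ;;
esac
# … unchanged: --silent handling, LOCKDIR/PIDFILE, cleanup, umask …
  PID=$(cat "$PIDFILE" 2>/dev/null)
  if [[ "$PID" =~ ^[0-9]+$ ]] && /bin/ps "$PID" > /dev/null
```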
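Review bot: The rendered `/tmp/binder.update` holds `ipa_binder_password` in clear text and the `template` task has no `no_log: true`, so `--diff` or verbose runs print the password, and if `ipa-ldap-updater` fails the play stops before `Remove template` and the file stays on disk. Put the three tasks in a `block:` with the `file: state: absent` step under `always:`, and add `no_log: true` to the template task. `changed_when: "bind_account.rc == 0"` also reports a change on every successful run; I can't tell from here what the updater does when `uid=binder` already exists, so the task name or a comment should say what a re-run is expected to do.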
@@ -23,7 +23,8 @@ assert: that: - "not no_ansible.stat.exists" - msg: "/etc/no-ansible exists - skipping run on this node" + success_msg: "We are able to run on this node" + fail_msg: "/etc/no-ansible exists - skipping run on this node" tasks: - name: Configure Chrony
diff --git a/ansible/playbooks/init-rocky-install-kvm-hosts.yml b/ansible/playbooks/init-rocky-install-kvm-hosts.yml
index c20b1de..a59dad5 100644
--- a/ansible/playbooks/init-rocky-install-kvm-hosts.yml
+++ b/ansible/playbooks/init-rocky-install-kvm-hosts.yml
@@ -16,7 +16,8 @@ assert: that: - "not no_ansible.stat.exists" - msg: "/etc/no-ansible exists - skipping run on this node" + success_msg: "We are able to run on this node" + fail_msg: "/etc/no-ansible exists - skipping run on this node" tasks: - name: Check for CPU Virtualization
diff --git a/ansible/playbooks/init-rocky-ipa-internal-dns.yml b/ansible/playbooks/init-rocky-ipa-internal-dns.yml
index dba3d5d..7720216 100644
--- a/ansible/playbooks/init-rocky-ipa-internal-dns.yml
+++ b/ansible/playbooks/init-rocky-ipa-internal-dns.yml
@@ -5,9 +5,9 @@ become: false gather_facts: false vars_files: - - vars/encpass.yml - - vars/rdns.yml - - vars/fdns.yml + - vars/vaults/encpass.yml + - vars/ipa/rdns.yml + - vars/ipa/fdns.yml tasks: - name: "Checking for user variables"
diff --git a/ansible/playbooks/init-rocky-ipa-team.yml b/ansible/playbooks/init-rocky-ipa-team.yml
index 56fdcac..2bf1c39 100644
--- a/ansible/playbooks/init-rocky-ipa-team.yml
+++ b/ansible/playbooks/init-rocky-ipa-team.yml
@@ -5,12 +5,12 @@ become: false gather_facts: false vars_files: - - vars/encpass.yml - - vars/users.yml - - vars/adminusers.yml - - vars/svcusers.yml - - vars/groups.yml - - vars/ipaprivs.yml + - vars/vaults/encpass.yml + - vars/ipa/users.yml + - vars/ipa/adminusers.yml + - vars/ipa/svcusers.yml + - vars/ipa/groups.yml + - vars/ipa/ipaprivs.yml tasks: - name: "Checking for user variables"
diff --git a/ansible/playbooks/init-rocky-system-config.yml b/ansible/playbooks/init-rocky-system-config.yml
index b57b649..7a8d771 100644
--- a/ansible/playbooks/init-rocky-system-config.yml
+++ b/ansible/playbooks/init-rocky-system-config.yml
@@ -18,7 +18,8 @@ assert: that: - "not no_ansible.stat.exists" - msg: "/etc/no-ansible exists - skipping run on this node" + success_msg: "We are able to run on this node" + fail_msg: "/etc/no-ansible exists - skipping run on this node" tasks: - name: Loading Variables from OS Common
@@ -39,6 +40,9 @@ - name: Configure grub import_tasks: tasks/grub.yml + - name: Configure common scripts + import_tasks: tasks/scripts.yml + post_tasks: - name: Touching run file that ansible has ran here file:
diff --git a/ansible/playbooks/role-gitlab-ee.yml b/ansible/playbooks/role-gitlab-ee.yml
index 5c725c9..3d57fee 100644
--- a/ansible/playbooks/role-gitlab-ee.yml
+++ b/ansible/playbooks/role-gitlab-ee.yml
@@ -21,7 +21,8 @@ assert: that: - "not no_ansible.stat.exists" - msg: "/etc/no-ansible exists - skipping un on this node" + success_msg: "We are able to run on this node" + fail_msg: "/etc/no-ansible exists - skipping un on this node" - name: Install SELinux packages package:
diff --git a/ansible/playbooks/role-rocky-ipa-client.yml b/ansible/playbooks/role-rocky-ipa-client.yml
index a75eccb..19feebb 100644
--- a/ansible/playbooks/role-rocky-ipa-client.yml
+++ b/ansible/playbooks/role-rocky-ipa-client.yml
@@ -5,8 +5,8 @@ hosts: ipaclients become: true vars_files: - - vars/encpass.yml - - vars/ipaclient.yml + - vars/vaults/encpass.yml + - vars/ipa/ipaclient.yml pre_tasks: - name: Check if ansible cannot be run here
@@ -18,9 +18,10 @@ assert: that: - "not no_ansible.stat.exists" - msg: "/etc/no-ansible exists - skipping run on this node" + success_msg: "We are able to run on this node" + fail_msg: "/etc/no-ansible exists - skipping run on this node" -# - name: Check if we can see LDAP srv records +# - name: Check if we can see LDAP srv records roles:
diff --git a/ansible/playbooks/role-rocky-ipa-replica.yml b/ansible/playbooks/role-rocky-ipa-replica.yml
index df13c85..d600c90 100644
--- a/ansible/playbooks/role-rocky-ipa-replica.yml
+++ b/ansible/playbooks/role-rocky-ipa-replica.yml
@@ -5,7 +5,7 @@ hosts: ipareplicas become: true vars_files: - - vars/encpass.yml + - vars/vaults/encpass.yml # This is to try to avoid the handler issue in pre/post tasks handlers:
@@ -21,7 +21,8 @@ assert: that: - "not no_ansible.stat.exists" - msg: "/etc/no-ansible exists - skipping run on this node" + success_msg: "We are able to run on this node" + fail_msg: "/etc/no-ansible exists - skipping run on this node" - name: Ensure 'dns=none' is set for Network Manager ini_file:
diff --git a/ansible/playbooks/role-rocky-ipa.yml b/ansible/playbooks/role-rocky-ipa.yml
index 64dee29..43feecb 100644
--- a/ansible/playbooks/role-rocky-ipa.yml
+++ b/ansible/playbooks/role-rocky-ipa.yml
@@ -9,7 +9,7 @@ hosts: ipaserver become: true vars_files: - - vars/encpass.yml + - vars/vaults/encpass.yml # This is to try to avoid the handler issue in pre/post tasks handlers:
@@ -25,7 +25,8 @@ assert: that: - "not no_ansible.stat.exists" - msg: "/etc/no-ansible exists - skipping run on this node" + success_msg: "We are able to run on this node" + fail_msg: "/etc/no-ansible exists - skipping run on this node" - name: Ensure 'dns=none' is set for Network Manager to avoid change ini_file:
diff --git a/ansible/playbooks/role-rocky-ipsilon.yml b/ansible/playbooks/role-rocky-ipsilon.yml
index b1e08b9..02551f8 100644
--- a/ansible/playbooks/role-rocky-ipsilon.yml
+++ b/ansible/playbooks/role-rocky-ipsilon.yml
@@ -4,7 +4,7 @@ hosts: ipsilon become: true vars_files: - - vars/encpass.yml + - vars/vaults/encpass.yml - vars/ipsilon.yml # This is to try to avoid the handler issue in pre/post tasks
@@ -21,7 +21,8 @@ assert: that: - "not no_ansible.stat.exists" - msg: "/etc/no-ansible exists - skipping run on this node" + success_msg: "We are able to run on this node" + fail_msg: "/etc/no-ansible exists - skipping run on this node" # EPEL and PowerTools are required for ipsilon to function # I also couldn't find an ansible built-in to do this
diff --git a/ansible/playbooks/role-rocky-kojid.yml b/ansible/playbooks/role-rocky-kojid.yml
new file mode 100644
index 0000000..75bd9ef
--- /dev/null
+++ b/ansible/playbooks/role-rocky-kojid.yml
@@ -0,0 +1,85 @@
+---
+# Stands up an ipsilon instance for simple SSO
+- name: Configure koji hub and web server
+ hosts: kojihub
+ become: true
+ vars_files:
+ - vars/vaults/encpass.yml
+ - vars/kojid.yml
+
+ # This is to try to avoid the handler issue in pre/post tasks
+ handlers:
+ - import_tasks: handlers/main.yml
+
+ pre_tasks:
+ - name: Check if ansible cannot be run here
+ stat:
+ path: /etc/no-ansible
+ register: no_ansible
+
+ - name: Verify if we can run ansible
+ assert:
+ that:
+ - "not no_ansible.stat.exists"
+ success_msg: "We are able to run on this node"
+ fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+ - name: Check for keytabs - kojid
+ stat:
+ path: /etc/kojid.keytab
+ register: kojid_keytab
+ changed_when: "1 != 1"
+
+ - name: Verify keytab
+ assert:
+ that:
+ - "kojid_keytab.stat.exists"
+ success_msg: "It is likely we have all keytabs"
+ fail_msg: "There are no keytabs. Please build the keytabs."
+
+ # EPEL and PowerTools are required for ipsilon to function
+ # I also couldn't find an ansible built-in to do this
+ - name: Enable the PowerTools repository
+ ini_file:
+ dest: /etc/yum.repos.d/CentOS-Linux-PowerTools.repo
+ section: powertools
+ option: enabled
+ value: 1
+ owner: root
+ group: root
+ mode: '0644'
+
+ # The CentOS extras repos has epel-release provided
+ - name: Enable the EPEL repository
+ yum:
+ name: epel-release
+ state: present
+ tags:
+ - packages
+
+ - name: Install rocky-tools copr
+ yum_repository:
+ name: copr:copr.fedorainfracloud.org:nalika:rockylinux-tool
+ description: Copr repo for rockylinux-tools owned by nalika
+ file: copr_repos
+ baseurl: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/epel-8-$basearch/
+ gpgcheck: true
+ gpgkey: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/pubkey.gpg
+ enabled: true
+
+ # Right now, we are not sure how or where we'll get our certificates. So we
+ # are presenting a choice by setting a variable, koji_internal_ca. There is a
+ # change that we will have to do internal certs for mqtt anyway.
+ # TODO: We need an MQTT role and pre_tasks for the keytabs for this role
+ roles:
+ - role: rockylinux.kojid
+ state: present
+
+ post_tasks:
+ - name: Touching run file that ansible has ran here
+ file:
+ path: /var/log/ansible.run
+ state: touch
+ mode: '0644'
+ owner: root
+ group: root
diff --git a/ansible/playbooks/role-rocky-kojihub.yml b/ansible/playbooks/role-rocky-kojihub.yml
index fec3d07..81ddd7e 100644
--- a/ansible/playbooks/role-rocky-kojihub.yml
+++ b/ansible/playbooks/role-rocky-kojihub.yml
@@ -4,7 +4,7 @@ hosts: kojihub become: true vars_files: - - vars/encpass.yml + - vars/vaults/encpass.yml - vars/kojihub.yml # This is to try to avoid the handler issue in pre/post tasks
@@ -21,7 +21,42 @@ assert: that: - "not no_ansible.stat.exists" - msg: "/etc/no-ansible exists - skipping run on this node" + success_msg: "We are able to run on this node" + fail_msg: "/etc/no-ansible exists - skipping run on this node" + + - name: Check for keytabs - web + stat: + path: /etc/keytabs/koji-web.keytab + register: koji_keytab + changed_when: "1 != 1" + + - name: Check for keytabs - kojira + stat: + path: /etc/keytabs/kojira.keytab + register: kojira_keytab + changed_when: "1 != 1" + + - name: Check for keytabs - gc + stat: + path: /etc/keytabs/koji-gc.keytab + register: gc_keytab + changed_when: "1 != 1" + + - name: Check for keytabs - host + stat: + path: /etc/keytabs/host.keytab + register: host_keytab + changed_when: "1 != 1" + + - name: Verify keytab + assert: + that: + - "koji_keytab.stat.exists" + - "kojira_keytab.stat.exists" + - "gc_keytab.stat.exists" + - "host_keytab.stat.exists" + success_msg: "It is likely we have all keytabs" + fail_msg: "There are no keytabs. Please build the keytabs." # EPEL and PowerTools are required for ipsilon to function # I also couldn't find an ansible built-in to do this
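Review bot: The file header `# Stands up an ipsilon instance for simple SSO` and the play name `Configure koji hub and web server` are carried over from other plays and describe neither this file nor `rockylinux.kojid`; `# Deploys the kojid builder daemon` would be accurate. The play also targets `hosts: kojihub`, so the builder lands on the hub hosts; builders execute package build steps, so they are normally kept on a separate inventory group from the hub and its database, and if co-locating them is intended here the comment should say so. Under `roles:`, `state: present` is not a role keyword — Ansible hands it to the role as a variable named `state` — so unless `rockylinux.kojid` reads it, the line is inert and should be dropped.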
diff --git a/ansible/playbooks/role-rocky-monitoring.yml b/ansible/playbooks/role-rocky-monitoring.yml
index 218a9c1..f351d0b 100644
--- a/ansible/playbooks/role-rocky-monitoring.yml
+++ b/ansible/playbooks/role-rocky-monitoring.yml
@@ -13,7 +13,9 @@ assert: that: - "not no_ansible.stat.exists" - msg: "/etc/no-ansible exists - skipping run on this node" + success_msg: "We are able to run on this node" + fail_msg: "/etc/no-ansible exists - skipping run on this node" + - name: Install SELinux packages package: name: python3-policycoreutils.noarch
@@ -50,5 +52,5 @@ - name: Open firewall for node-exporter ansible.posix.firewalld: port: 9100/tcp - permanent: yes + permanent: true state: enabled
diff --git a/ansible/playbooks/role-rocky-mqtt.yml b/ansible/playbooks/role-rocky-mqtt.yml
index bba8629..e7972ff 100644
--- a/ansible/playbooks/role-rocky-mqtt.yml
+++ b/ansible/playbooks/role-rocky-mqtt.yml
@@ -4,7 +4,7 @@ hosts: kojihub become: true vars_files: - - vars/encpass.yml + - vars/vaults/encpass.yml - vars/mqtt.yml # This is to try to avoid the handler issue in pre/post tasks
@@ -21,7 +21,8 @@ assert: that: - "not no_ansible.stat.exists" - msg: "/etc/no-ansible exists - skipping run on this node" + success_msg: "We are able to run on this node" + fail_msg: "/etc/no-ansible exists - skipping run on this node" # EPEL and PowerTools are required for ipsilon to function # I also couldn't find an ansible built-in to do this
diff --git a/ansible/playbooks/role-rocky-rabbitmq.yml b/ansible/playbooks/role-rocky-rabbitmq.yml
index c5a07ac..e837a1a 100644
--- a/ansible/playbooks/role-rocky-rabbitmq.yml
+++ b/ansible/playbooks/role-rocky-rabbitmq.yml
@@ -5,7 +5,7 @@ become: true vars_files: - vars/common.yml - - vars/encpass.yml + - vars/vaults/encpass.yml - vars/rabbitmq.yml # This is to try to avoid the handler issue in pre/post tasks
@@ -22,12 +22,13 @@ assert: that: - "not no_ansible.stat.exists" - msg: "/etc/no-ansible exists - skipping run on this node" + success_msg: "We are able to run on this node" + fail_msg: "/etc/no-ansible exists - skipping run on this node" # We have separate passwords per rabbitmq env - name: Import rabbitmq passwords include_vars: - file: "vars/rabbitmq_{{ rabbitmq_env }}.yml" + file: "vars/vaults/rabbitmq_{{ rabbitmq_env }}.yml" # EPEL and PowerTools are required for ipsilon to function # I also couldn't find an ansible built-in to do this
diff --git a/ansible/playbooks/tasks/scripts.yml b/ansible/playbooks/tasks/scripts.yml
new file mode 100644
index 0000000..7f430ff
--- /dev/null
+++ b/ansible/playbooks/tasks/scripts.yml
@@ -0,0 +1,9 @@
+---
+# Common scripts that rocky uses on nodes
+- name: Lock Wrapper script
+ copy:
+ src: "usr/local/bin/lock-wrapper"
+ dest: "/usr/local/bin/lock-wrapper"
+ owner: root
+ group: root
+ mode: '0755'
diff --git a/ansible/playbooks/templates/tmp/binder.update b/ansible/playbooks/templates/tmp/binder.update
new file mode 100644
index 0000000..aaab225
--- /dev/null
+++ b/ansible/playbooks/templates/tmp/binder.update
@@ -0,0 +1,7 @@
+dn: uid=binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org
+add:objectclass:account
+add:objectclass:simplesecurityobject
+add:uid:binder
+add:userPassword:{{ ipa_binder_password }}
+add:passwordExpirationTime:20380119031407Z
+add:nsIdleTimeout:0
diff --git a/ansible/playbooks/vars/common.yml b/ansible/playbooks/vars/common.yml
index 3e4bfe1..98fd358 100644
--- a/ansible/playbooks/vars/common.yml
+++ b/ansible/playbooks/vars/common.yml
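Review bot: `add:passwordExpirationTime:20380119031407Z` makes the binder credential effectively non-expiring and nothing in the diff records how it will be rotated; a comment next to the task that renders this file, such as `# binder password never expires in IPA; rotate by changing ipa_binder_password and re-running`, would at least make that explicit. `{{ ipa_binder_password }}` is also interpolated raw into the `add:attr:value` line, and I have not verified how `ipa-ldap-updater` tokenises a value containing `:` or leading/trailing whitespace, so either generate the vaulted password from a safe character set or confirm that before relying on it. `add:nsIdleTimeout:0` turns off the idle disconnect for this bind account, which is a deliberate choice worth stating in the same comment.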
@@ -1,8 +1,9 @@ --- rocky_ldap_bind_dn: "uid=binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org" -rocky_ldap_bind_pw: "ThisIsNotThePassword!" rocky_ldap_user_basedn: "cn=users,cn=accounts,dc=rockylinux,dc=org" rocky_ldap_group_basedn: "cn=groups,cn=accounts,dc=rockylinux,dc=org" rocky_ldap_account_basedn: "cn=accounts,dc=rockylinux,dc=org" # Requires jinja 2.9+ rocky_ipaserver_list: "{{ groups['ipaserver'] + groups['ipareplicas'] }}"
+# This will need to be vaulted
+# rocky_ldap_bind_pw: "ThisIsNotThePassword!"
diff --git a/ansible/playbooks/vars/adminusers.yml b/ansible/playbooks/vars/ipa/adminusers.yml
similarity index 100%
rename from ansible/playbooks/vars/adminusers.yml
rename to ansible/playbooks/vars/ipa/adminusers.yml
diff --git a/ansible/playbooks/vars/fdns.yml b/ansible/playbooks/vars/ipa/fdns.yml
similarity index 100%
rename from ansible/playbooks/vars/fdns.yml
rename to ansible/playbooks/vars/ipa/fdns.yml
diff --git a/ansible/playbooks/vars/groups.yml b/ansible/playbooks/vars/ipa/groups.yml
similarity index 100%
rename from ansible/playbooks/vars/groups.yml
rename to ansible/playbooks/vars/ipa/groups.yml
diff --git a/ansible/playbooks/vars/ipaclient.yml b/ansible/playbooks/vars/ipa/ipaclient.yml
similarity index 100%
rename from ansible/playbooks/vars/ipaclient.yml
rename to ansible/playbooks/vars/ipa/ipaclient.yml
diff --git a/ansible/playbooks/vars/ipaprivs.yml b/ansible/playbooks/vars/ipa/ipaprivs.yml
similarity index 74%
rename from ansible/playbooks/vars/ipaprivs.yml
rename to ansible/playbooks/vars/ipa/ipaprivs.yml
index a1a49b1..dd17ddd 100644
--- a/ansible/playbooks/vars/ipaprivs.yml
+++ b/ansible/playbooks/vars/ipa/ipaprivs.yml
@@ -26,3 +26,10 @@ iparoles: - "Netgroups Administrators" user: - hostman
+ - role: IPA User Managers
+ description: Rocky IPA User Managers responsible for idm flow
+ privileges:
+ - "Group Administrators"
+ - "Stage User Administrators"
+ - "User Administrators"
+ - "FAS Agreement Administrators"
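Review bot: `rocky_ldap_bind_pw` is commented out here with a note that it will be vaulted, but the vault hunk in this commit adds only `ipa_binder_password`, so anything that still references `rocky_ldap_bind_pw` alongside the retained `rocky_ldap_bind_dn` will now fail with an undefined variable. Since `binder.update` sets the password of that same DN from `ipa_binder_password`, the simplest fix is `rocky_ldap_bind_pw: "{{ ipa_binder_password }}"` in this file, so the bind password and the account password cannot drift apart.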
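Review bot: The new `IPA User Managers` role lists privileges but no members, unlike the sibling role just above it which carries `user: - hostman`; if the `userman` service account added to `svcusers.yml` in this commit is meant to hold it, add `user:` / `- userman` here so the role is not left unassigned and later granted ad hoc. `User Administrators` carries broad rights over user entries, so the member list for this role should be explicit and reviewed rather than implied.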
diff --git a/ansible/playbooks/vars/ipaserver.yml b/ansible/playbooks/vars/ipa/ipaserver.yml
similarity index 100%
rename from ansible/playbooks/vars/ipaserver.yml
rename to ansible/playbooks/vars/ipa/ipaserver.yml
diff --git a/ansible/playbooks/vars/rdns.yml b/ansible/playbooks/vars/ipa/rdns.yml
similarity index 100%
rename from ansible/playbooks/vars/rdns.yml
rename to ansible/playbooks/vars/ipa/rdns.yml
diff --git a/ansible/playbooks/vars/sudorules.yml b/ansible/playbooks/vars/ipa/sudorules.yml
similarity index 100%
rename from ansible/playbooks/vars/sudorules.yml
rename to ansible/playbooks/vars/ipa/sudorules.yml
diff --git a/ansible/playbooks/vars/svcusers.yml b/ansible/playbooks/vars/ipa/svcusers.yml
similarity index 86%
rename from ansible/playbooks/vars/svcusers.yml
rename to ansible/playbooks/vars/ipa/svcusers.yml
index 1399637..7387e92 100644
--- a/ansible/playbooks/vars/svcusers.yml
+++ b/ansible/playbooks/vars/ipa/svcusers.yml
@@ -14,6 +14,13 @@ svcusers: password: ThisIsNotMyPassword1! title: System Account - Kerberos Key Manager loginshell: /sbin/nologin + - name: userman + first: User + last: Manager + email: infrastructure@rockylinux.org + password: ThisIsNotMyPassword1! + title: System Account - User Manager + loginshell: /sbin/nologin - name: rockykoji first: Koji last: Manager
diff --git a/ansible/playbooks/vars/users.yml b/ansible/playbooks/vars/ipa/users.yml
similarity index 100%
rename from ansible/playbooks/vars/users.yml
rename to ansible/playbooks/vars/ipa/users.yml
diff --git a/ansible/playbooks/vars/kojid.yml b/ansible/playbooks/vars/kojid.yml
new file mode 100644
index 0000000..592b97a
--- /dev/null
+++ b/ansible/playbooks/vars/kojid.yml
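Review bot: The new `userman` entry carries `password: ThisIsNotMyPassword1!` in a plain, unvaulted vars file, following the existing entries, while this same commit moves other credentials under `vars/vaults/`. Even as a placeholder, a committed initial password is what the account starts with unless something rotates it; point it at a vaulted value (`password: "{{ ipa_userman_password }}"`) or add a comment above the list stating that these are bootstrap values that must be reset on first use.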
@@ -0,0 +1,15 @@
+---
+# vars for kojid
+
+kojid_vendor: Rocky
+kojid_packager: infrastructure@rockylinux.org
+kojid_distribution: Rocky
+# These three should probably be specified by special vars
+# kojid_web_url: https://koji.rockylinux.org/koji
+# kojid_hub_url: https://koji.rockylinux.org/kojihub
+# kojid_files_url: https://koji.rockylinux.org/kojifiles
+
+kojid_ca_bundle: /etc/pki/tls/certs/ca-bundle.crt
+kojid_keytab: /etc/kojid.keytab
+kojid_smtp_host: smtp.rockylinux.org
+kojid_allowed_scm: "git.centos.org:/* git.rockylinux.org:/*"
diff --git a/ansible/playbooks/vars/kojihub.yml b/ansible/playbooks/vars/kojihub.yml
index ec3cdb2..b835192 100644
--- a/ansible/playbooks/vars/kojihub.yml
+++ b/ansible/playbooks/vars/kojihub.yml
@@ -1,5 +1,7 @@ --- # koji hub settings +# This should be the front-facing URL of koji +#koji_url_name: koji.rockylinux.org # Use an internal CA (IPA) koji_internal_ca: true
@@ -13,9 +15,9 @@ koji_db_user: koji # This will need to change when koji_postgresql_vm is false koji_db_host: "{{ ansible_fqdn }}" -koji_web_url: "https://{{ ansible_fqdn }}/koji" -koji_hub_url: "https://{{ ansible_fqdn }}/kojihub" -koji_files_url: "https://{{ ansible_fqdn }}/kojifiles" +koji_web_url: "https://{{ koji_url_name }}/koji" +koji_hub_url: "https://{{ koji_url_name }}/kojihub" +koji_files_url: "https://{{ koji_url_name }}/kojifiles" # The IPA internal CA is combined with the others koji_web_cacert: /etc/pki/tls/certs/ca-bundle.crt
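Review bot: `kojid_allowed_scm: "git.centos.org:/* git.rockylinux.org:/*"` uses a bare `/*` path on both hosts, which lets a build check out and execute source from any repository on those servers — including user forks, if the forge exposes them under the same hostname — rather than only the namespaces the distribution builds from. Narrow each entry to the expected namespace instead of `/*`, and make the optional `use_common` field explicit in each entry so the checkout behaviour does not depend on the kojid default. `kojid_keytab: /etc/kojid.keytab` also differs from the `/etc/keytabs/` layout used for the hub keytabs in this commit; if that is intentional, a comment saying so keeps the two from drifting.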
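Review bot: `koji_web_url`, `koji_hub_url` and `koji_files_url` now expand `{{ koji_url_name }}`, but the only definition of `koji_url_name` in this commit is the commented-out `#koji_url_name: koji.rockylinux.org` at the top of the same file, so unless it is supplied from inventory or extra vars the role will fail with an undefined variable. Either give it a default here that preserves the previous behaviour, `koji_url_name: "{{ ansible_fqdn }}"`, or keep the comment and assert `koji_url_name | mandatory` in a pre-task so the failure is explicit and early.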
@@ -35,9 +37,9 @@ koji_admin_localuser: true koji_admin_localuser_name: koji # Hub Settings -koji_hub_principal: "HTTP/{{ ansible_fqdn }}@ROCKYLINUX.ORG" -koji_hub_proxy_principals: koji/kojiweb@ROCKYLINUX.ORG -koji_hub_keytab: /etc/koji.keytab +koji_hub_principal: "host/kojihub@ROCKYLINUX.ORG" +koji_hub_proxy_principals: "HTTP/{{ inventory_hostname }}@ROCKYLINUX.ORG" +koji_hub_keytab: /etc/keytabs/host.keytab koji_hub_principal_format: compile/%s@ROCKYLINUX.ORG # This should be sufficient even for LE koji_hub_ca: "{{ koji_web_cacert }}"
@@ -47,15 +49,6 @@ koji_hub_ca: "{{ koji_web_cacert }}" koji_fas_sync: false koji_fas_url: https://accounts.rockylinux.org -# Not implemented yet -koji_hub_plugin_mqtt_host: mqtt.rockylinux.org -koji_hub_plugin_mqtt_topic: koji -koji_hub_plugin_mqtt_ca: "{{ koji_hub_ca }}" -koji_hub_plugin_mqtt_tls_cert: /etc/pki/tls/certs/mqtt.pem -koji_hub_plugin_mqtt_tls_key: /etc/pki/tls/certs/mqtt.key -koji_hub_plugin_mqtt_excluded_tags: - - testing-tag - # IPA Certs if Required ipa_getcert_requested_hostnames: - name: "{{ ansible_fqdn }}"
diff --git a/ansible/playbooks/vars/encpass.yml b/ansible/playbooks/vars/vaults/encpass.yml
similarity index 89%
rename from ansible/playbooks/vars/encpass.yml
rename to ansible/playbooks/vars/vaults/encpass.yml
index 7b43fdd..6d7cd0f 100644
--- a/ansible/playbooks/vars/encpass.yml
+++ b/ansible/playbooks/vars/vaults/encpass.yml
@@ -10,6 +10,9 @@ ipaadmin_password: !vault | ipadm_password: !vault | $ANSIBLE_VAULT;1.1;AES256 REDACTED +ipa_binder_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + REDACTED ipsilon_db_password: !vault | $ANSIBLE_VAULT;1.1;AES256 REDACTED
diff --git a/ansible/playbooks/vars/rabbitmq_production.yml b/ansible/playbooks/vars/vaults/rabbitmq_production.yml
similarity index 100%
rename from ansible/playbooks/vars/rabbitmq_production.yml
rename to ansible/playbooks/vars/vaults/rabbitmq_production.yml
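Review bot: `koji_hub_principal: "host/kojihub@ROCKYLINUX.ORG"` together with `koji_hub_keytab: /etc/keytabs/host.keytab` makes the hub authenticate with the machine's host principal — and a short-name one, while the rest of this file builds names from `ansible_fqdn`; if the hub runs inside httpd, the web server process must then be able to read the host keytab, so a compromise of the web tier yields the host credential rather than a dedicated service key. Unless there is a reason the hub cannot have its own `HTTP/` or `koji/` service principal, I'd keep a service-specific principal and keytab here, and if `host/` must stay, add a comment saying why. `koji_hub_proxy_principals: "HTTP/{{ inventory_hostname }}@ROCKYLINUX.ORG"` also assumes `inventory_hostname` is the FQDN; `ansible_fqdn`, as used elsewhere in this file, is the safer choice.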
diff --git a/ansible/playbooks/vars/rabbitmq_staging.yml b/ansible/playbooks/vars/vaults/rabbitmq_staging.yml
similarity index 100%
rename from ansible/playbooks/vars/rabbitmq_staging.yml
rename to ansible/playbooks/vars/vaults/rabbitmq_staging.yml
diff --git a/ansible/roles/requirements.yml b/ansible/roles/requirements.yml
index 3baf6c8..874baab 100644
--- a/ansible/roles/requirements.yml
+++ b/ansible/roles/requirements.yml
@@ -16,6 +16,9 @@ roles: - name: rockylinux.kojihub src: https://github.com/rocky-linux/ansible-role-kojihub version: main + - name: rockylinux.kojid + src: https://github.com/rocky-linux/ansible-role-kojid + version: main - name: rockylinux.rabbitmq src: https://github.com/rocky-linux/ansible-role-rabbitmq version: main
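Review bot: `version: main` for the new `rockylinux.kojid` entry pulls whatever the branch head is at install time, so a later push to that repository silently changes what gets deployed on build infrastructure with no change here; pin `version:` to a release tag or a full commit SHA and bump it deliberately. The neighbouring `rockylinux.kojihub` and `rockylinux.rabbitmq` entries have the same issue, though they are outside this change.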