Merge pull request #14960 from rocky-linux/develop
Kojid, Rearranging, Special adhocs
This commit is contained in:
commit
46001435e5
@ -91,7 +91,8 @@ At a minimum, there should be `pre_tasks` and `post_tasks` that can judge whethe
|
|||||||
assert:
|
assert:
|
||||||
that:
|
that:
|
||||||
- "not no_ansible.stat.exists"
|
- "not no_ansible.stat.exists"
|
||||||
msg: "/etc/no-ansible exists - skipping run on this node"
|
success_msg: "We are able to run on this node"
|
||||||
|
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||||
|
|
||||||
# Import roles/tasks here
|
# Import roles/tasks here
|
||||||
|
|
||||||
|
@ -8,7 +8,7 @@
|
|||||||
become: false
|
become: false
|
||||||
gather_facts: false
|
gather_facts: false
|
||||||
vars_files:
|
vars_files:
|
||||||
- vars/encpass.yml
|
- vars/vaults/encpass.yml
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: "Checking for user variables"
|
- name: "Checking for user variables"
|
||||||
|
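--- a/ansible/playbooks/adhoc-ipadnsrecord.yml
+++ b/ansible/playbooks/adhoc-ipadnsrecord.yml
@@ -0,0 +1,44 @@
+---
+# This playbook is meant to be used with callable variables, like adhoc or AWX.
+# What: Creates dns records in the idm infrastructure based on the variables
+# provided.
+# What is expected:
+# -> ipaadmin_password: This should be the password of the admin user
+# -> ipa_admin: The admin user that has kerberos management capabilities (default is admin)
+# -> ipa_zone: The zone name (eg, rockylinux.org)
+# -> ipa_name: The shortname (eg, buildbox instead of buildbox.rockylinux.org)
+# -> ipa_name_type: Type of record (eg, CNAME, A, AAAA, PTR)
+# -> ipa_name_value: Record value (depends on type of record)
+# -> ipa_presence: present or absent
+
+- name: Create a DNS Record
+  hosts: ipaserver
+  become: false
+  gather_facts: false
+  vars_files:
+    - vars/vaults/encpass.yml
+
+  tasks:
+    - name: "Checking for user variables"
+      assert:
+        that:
+          - ipaadmin_password | mandatory
+          - ipa_zone | mandatory
+          - ipa_name | mandatory
+          - ipa_name_type | mandatory
+          - ipa_name_value | mandatory
+          - ipa_presence | mandatory
+        success_msg: "Required variables provided"
+        fail_msg: "We are missing zone information or ipa admin password"
+
+    - name: "Creating DNS Record"
+      freeipa.ansible_freeipa.ipadnsrecord:
+        ipaadmin_principal: "{{ ipa_admin|default('admin') }}"
+        ipaadmin_password: "{{ ipaadmin_password }}"
+        zone_name: "{{ ipa_zone }}"
+        name: "{{ ipa_name }}"
+        record_type: "{{ ipa_name_type }}"
+        record_value: "{{ ipa_name_value }}"
+        state: "{{ ipa_presence }}"
+      tags:
+        - dns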
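Review bot: The `fail_msg` on the "Checking for user variables" assert names only the zone and the admin password, but the `that:` list also requires `ipa_name`, `ipa_name_type`, `ipa_name_value` and `ipa_presence`, so an operator who omits one of those is pointed at the wrong inputs. Replace it with wording that covers the whole list, e.g. `fail_msg: "Missing one of: ipaadmin_password, ipa_zone, ipa_name, ipa_name_type, ipa_name_value, ipa_presence"`. `ipa_presence` is passed straight through as `state:`; if the module rejects anything other than present/absent that is fine, otherwise an `- ipa_presence in ['present', 'absent']` entry in `that:` fails early with a clear message instead of deep inside the module.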
@ -1,18 +1,24 @@
|
|||||||
---
|
---
|
||||||
# This playbook is meant to be used with callable variables, like adhoc or AWX.
|
# This playbook is meant to be used with callable variables, like adhoc or AWX.
|
||||||
|
# Special thanks to @remyabel for assisting in improving this playbook with
|
||||||
|
# extended security posture
|
||||||
# What: Pulls keytabs for a kerberos service
|
# What: Pulls keytabs for a kerberos service
|
||||||
# What is expected:
|
# What is expected:
|
||||||
# -> ipa_service, using this format: SVC/hostname.rockylinux.org@ROCKYLINUX.ORG
|
# -> host: The host in the inventory, this MUST be FQDN.
|
||||||
|
# -> ipa_service: using this format: SVC/hostname.rockylinux.org@ROCKYLINUX.ORG
|
||||||
|
# Note: This service MUST exist
|
||||||
# -> ipa_keytab_fullpath: The full path to the keytab. Example: /etc/gitlab/gitlab.keytab
|
# -> ipa_keytab_fullpath: The full path to the keytab. Example: /etc/gitlab/gitlab.keytab
|
||||||
# -> ipa_server: This needs to be one of the IPA servers
|
# -> ipa_server: This needs to be one of the IPA servers
|
||||||
# -> ipa_owner: If applicable, the local account that will own this keytab (eg for Apache)
|
# -> ipa_owner: If applicable, the local account that can read this keytab (eg apache)
|
||||||
|
# -> ipa_admin: The admin user that has kerberos management capabilities (default is admin)
|
||||||
|
# -> ipaadmin_password: This should be the password of the admin user
|
||||||
|
|
||||||
- name: Pull keytab from IPA
|
- name: Pull keytab from IPA
|
||||||
hosts: "{{ host }}"
|
hosts: "{{ host }}"
|
||||||
become: false
|
become: true
|
||||||
gather_facts: false
|
gather_facts: false
|
||||||
vars_files:
|
vars_files:
|
||||||
- vars/encpass.yml
|
- vars/vaults/encpass.yml
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: "Checking for user variables"
|
- name: "Checking for user variables"
|
||||||
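Review bot: The new header comment `# -> ipa_admin: The admin user that has kerberos management capabilities (default is admin)` documents a default the play never applies: the tasks added in the next hunk use `ipaadmin_principal: "{{ ipa_admin }}"` and `kinit {{ ipa_admin }}` with no `default('admin')` filter, so an omitted `ipa_admin` aborts the run with an undefined-variable error rather than falling back to admin. Either apply the filter consistently, `ipaadmin_principal: "{{ ipa_admin | default('admin') }}"`, as adhoc-ipadnsrecord.yml in this same commit does, or drop the "(default is admin)" wording from the comment. The switch to `become: true` also governs every task later delegated to `{{ ipa_server }}`, so kinit and ipa-getkeytab there run as root on the IPA server; a line in the header stating that requirement would help callers. The play continues past the end of this hunk.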
@ -25,21 +31,106 @@
|
|||||||
success_msg: "Required variables provided"
|
success_msg: "Required variables provided"
|
||||||
fail_msg: "We are missing required information"
|
fail_msg: "We are missing required information"
|
||||||
|
|
||||||
- name: "Pulling keytab"
|
- name: "Check that a keytab doesn't already exist"
|
||||||
command: "ipa-getkeytab -s {{ ipa_server }} -p {{ ipa_service }} -k {{ ipa_keytab_fullpath }}"
|
stat:
|
||||||
register: ipakeytab_result
|
path: "{{ ipa_keytab_fullpath }}"
|
||||||
changed_when:
|
register: keytab_status
|
||||||
- ipakeytab_result.rc == 0
|
check_mode: false
|
||||||
tags:
|
changed_when: "1 != 1"
|
||||||
- keytab
|
|
||||||
|
|
||||||
- name: "Set ownership if applicable"
|
- name: "Verify keytab existence"
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- "not keytab_status.stat.exists"
|
||||||
|
success_msg: "Keytab doesn't exist, moving on..."
|
||||||
|
fail_msg: "Keytab with that name already exists, skipping."
|
||||||
|
|
||||||
|
- name: "Grant {{ host }} and {{ ipa_admin }} access to the service keytab"
|
||||||
|
delegate_to: "{{ ipa_server }}"
|
||||||
|
freeipa.ansible_freeipa.ipaservice:
|
||||||
|
ipaadmin_principal: "{{ ipa_admin }}"
|
||||||
|
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||||
|
name: "{{ ipa_service }}"
|
||||||
|
allow_retrieve_keytab_user:
|
||||||
|
- "{{ ipa_admin }}"
|
||||||
|
allow_retrieve_keytab_host:
|
||||||
|
- "{{ host }}"
|
||||||
|
action: member
|
||||||
|
|
||||||
|
- name: "Grant {{ host }} and {{ ipa_admin }} access to the host keytab"
|
||||||
|
delegate_to: "{{ ipa_server }}"
|
||||||
|
freeipa.ansible_freeipa.ipahost:
|
||||||
|
ipaadmin_principal: "{{ ipa_admin }}"
|
||||||
|
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||||
|
name: "{{ host }}"
|
||||||
|
state: present
|
||||||
|
allow_retrieve_keytab_user:
|
||||||
|
- "{{ ipa_admin }}"
|
||||||
|
managedby_host: "{{ host }}"
|
||||||
|
action: member
|
||||||
|
|
||||||
|
- name: "Get kerberos ticket"
|
||||||
|
delegate_to: "{{ ipa_server }}"
|
||||||
|
shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" | kinit {{ ipa_admin }}"
|
||||||
|
check_mode: false
|
||||||
|
changed_when: "1 != 1"
|
||||||
|
when: not keytab_status.stat.exists
|
||||||
|
|
||||||
|
- name: "Attempt to retrieve keytab"
|
||||||
|
delegate_to: "{{ ipa_server }}"
|
||||||
|
command: "ipa-getkeytab -r -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt"
|
||||||
|
register: ret_result
|
||||||
|
check_mode: false
|
||||||
|
changed_when: "1 != 1"
|
||||||
|
failed_when: "not ('Keytab successfully retrieved' in ret_result.stderr or 'krbPrincipalKey not found' in ret_result.stderr)"
|
||||||
|
|
||||||
|
- name: "Create keytab if it didn't exist, based on the last task"
|
||||||
|
delegate_to: "{{ ipa_server }}"
|
||||||
|
command: "ipa-getkeytab -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt"
|
||||||
|
when: "'krbPrincipalKey not found' in ret_result.stderr"
|
||||||
|
|
||||||
|
- name: "Destroy admin ticket"
|
||||||
|
delegate_to: "{{ ipa_server }}"
|
||||||
|
command: "kdestroy -A"
|
||||||
|
register: kdestroy_result
|
||||||
|
changed_when: "kdestroy_result.rc == 0"
|
||||||
|
|
||||||
|
- name: "Put the keytab into a register"
|
||||||
|
delegate_to: "{{ ipa_server }}"
|
||||||
|
command: "base64 /tmp/{{ host }}.kt"
|
||||||
|
register: keytab
|
||||||
|
check_mode: false
|
||||||
|
changed_when: "keytab.rc == 0"
|
||||||
|
|
||||||
|
- name: "Destroy local keytab"
|
||||||
|
delegate_to: "{{ ipa_server }}"
|
||||||
|
file:
|
||||||
|
path: "/tmp/{{ host }}.kt"
|
||||||
|
state: absent
|
||||||
|
|
||||||
|
- name: "Deploy keytab to {{ host }} from register"
|
||||||
|
copy:
|
||||||
|
dest: "{{ ipa_keytab_fullpath }}.b64"
|
||||||
|
content: "{{ keytab.stdout }}"
|
||||||
|
owner: "{{ ipa_owner|default('root') }}"
|
||||||
|
group: "{{ ipa_owner|default('root') }}"
|
||||||
|
mode: '0600'
|
||||||
|
|
||||||
|
- name: "Decode keytab"
|
||||||
|
shell: "umask 077 && base64 -d {{ ipa_keytab_fullpath }}.b64 > {{ ipa_keytab_fullpath }}"
|
||||||
|
changed_when: "1 != 1"
|
||||||
|
|
||||||
|
- name: "Destroy encoded keytab"
|
||||||
|
file:
|
||||||
|
path: "{{ ipa_keytab_fullpath }}.b64"
|
||||||
|
state: absent
|
||||||
|
|
||||||
|
- name: "Set ownership if applicable, otherwise it's root owned"
|
||||||
file:
|
file:
|
||||||
path: "{{ ipa_keytab_fullpath }}"
|
path: "{{ ipa_keytab_fullpath }}"
|
||||||
owner: "{{ ipa_owner }}"
|
owner: "{{ ipa_owner|default('root') }}"
|
||||||
group: "{{ ipa_owner }}"
|
group: "{{ ipa_owner|default('root') }}"
|
||||||
mode: '0600'
|
mode: '0600'
|
||||||
state: file
|
state: file
|
||||||
when: ipa_owner
|
|
||||||
tags:
|
tags:
|
||||||
- keytab
|
- keytab
|
||||||
|
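Review bot: The admin password and the retrieved keytab both pass through tasks that Ansible records: "Get kerberos ticket" interpolates `{{ ipaadmin_password }}` into a shell command string, which appears in the module invocation shown by callbacks and, while the pipeline runs, in the `sh -c` argument visible in the process table on the IPA server; "Put the keytab into a register" and "Deploy keytab to {{ host }} from register" carry the base64 keytab in `keytab.stdout` and `content:`, which verbose output and diff mode print. All three need `no_log: true`, and the password should reach kinit through the command module's `stdin` parameter rather than the argument string. The ticket is only destroyed and `/tmp/{{ host }}.kt` only removed when every preceding task succeeds; wrapping the delegated tasks in a `block:` with `kdestroy -A` and the `file: state: absent` step under `always:` keeps a root credential cache and a long-term key from being left on the IPA server after a failure. `/tmp/{{ host }}.kt` is also a predictable path in a shared directory; `ansible.builtin.tempfile` on the delegate would give a private, unguessable one. The task list continues past the end of this hunk.
```yaml
    - name: "Get kerberos ticket"
      delegate_to: "{{ ipa_server }}"
      command: "kinit {{ ipa_admin }}"
      args:
        stdin: "{{ ipaadmin_password }}"
      no_log: true
      check_mode: false
      changed_when: "1 != 1"
      when: not keytab_status.stat.exists

    # … unchanged: "Attempt to retrieve keytab", "Create keytab if it didn't exist", "Destroy admin ticket" …

    - name: "Put the keytab into a register"
      delegate_to: "{{ ipa_server }}"
      command: "base64 /tmp/{{ host }}.kt"
      register: keytab
      no_log: true
      check_mode: false
      changed_when: "keytab.rc == 0"

    # … unchanged: "Destroy local keytab" …

    - name: "Deploy keytab to {{ host }} from register"
      copy:
        dest: "{{ ipa_keytab_fullpath }}.b64"
        content: "{{ keytab.stdout }}"
        owner: "{{ ipa_owner|default('root') }}"
        group: "{{ ipa_owner|default('root') }}"
        mode: '0600'
      no_log: true
```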
@ -7,7 +7,7 @@
|
|||||||
become: false
|
become: false
|
||||||
gather_facts: false
|
gather_facts: false
|
||||||
vars_files:
|
vars_files:
|
||||||
- vars/encpass.yml
|
- vars/vaults/encpass.yml
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: "Checking for user variables"
|
- name: "Checking for user variables"
|
||||||
|
@ -7,7 +7,7 @@
|
|||||||
become: false
|
become: false
|
||||||
gather_facts: false
|
gather_facts: false
|
||||||
vars_files:
|
vars_files:
|
||||||
- vars/encpass.yml
|
- vars/vaults/encpass.yml
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: "Checking for user variables"
|
- name: "Checking for user variables"
|
||||||
|
@ -7,7 +7,7 @@
|
|||||||
become: false
|
become: false
|
||||||
gather_facts: false
|
gather_facts: false
|
||||||
vars_files:
|
vars_files:
|
||||||
- vars/encpass.yml
|
- vars/vaults/encpass.yml
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: "Checking for user variables"
|
- name: "Checking for user variables"
|
||||||
|
@ -22,7 +22,7 @@
|
|||||||
become: false
|
become: false
|
||||||
gather_facts: false
|
gather_facts: false
|
||||||
vars_files:
|
vars_files:
|
||||||
- vars/encpass.yml
|
- vars/vaults/encpass.yml
|
||||||
- vars/rabbitmq.yml
|
- vars/rabbitmq.yml
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
|
@ -8,7 +8,7 @@
|
|||||||
become: false
|
become: false
|
||||||
gather_facts: false
|
gather_facts: false
|
||||||
vars_files:
|
vars_files:
|
||||||
- vars/encpass.yml
|
- vars/vaults/encpass.yml
|
||||||
- vars/rabbitmq.yml
|
- vars/rabbitmq.yml
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
|
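--- a/ansible/playbooks/files/usr/local/bin/lock-wrapper
+++ b/ansible/playbooks/files/usr/local/bin/lock-wrapper
@@ -0,0 +1,51 @@
+#!/bin/bash
+# Borrowed from Fedora Infra for Rocky Linux
+
+if [ $# -lt 2 ]; then
+    echo "Usage: $0 [name] [script]"
+    exit 1;
+fi
+
+NAME=$1
+SCRIPT=$2
+
+SILENT="no"
+if [ $# -ge 3 -a "$3" == "--silent" ]; then
+    SILENT="yes"
+    shift
+fi
+
+shift 2
+
+LOCKDIR="/var/tmp/$NAME"
+PIDFILE="$LOCKDIR/pid"
+
+function cleanup {
+    rm -rf "$LOCKDIR"
+}
+
+RESTORE_UMASK=$(umask -p)
+umask 0077
+mkdir "$LOCKDIR" >& /dev/null
+if [ $? != 0 ]; then
+    PID=$(cat "$PIDFILE")
+    if [ -n "$PID" ] && /bin/ps $PID > /dev/null
+    then
+        if [ "$SILENT" != "yes" ]; then
+            echo "$PID is still running"
+            /bin/ps -o user,pid,start,time,comm $PID
+        fi
+        exit 1;
+    else
+        echo "$LOCKDIR exists but $PID is dead"
+        echo "Removing lockdir and re-running"
+        /bin/rm -rf $LOCKDIR
+        mkdir $LOCKDIR || exit
+    fi
+fi
+
+trap cleanup EXIT SIGQUIT SIGHUP SIGTERM
+echo $$ > "$PIDFILE"
+
+$RESTORE_UMASK
+eval "$SCRIPT $*"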
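Review bot: `NAME` is taken verbatim from the first argument to build `LOCKDIR="/var/tmp/$NAME"`, which `cleanup` and the stale-lock branch then `rm -rf`; a name containing `/` or `..` makes the script remove a path outside /var/tmp. Validating it before use, e.g. `case "$NAME" in ""|*[!A-Za-z0-9._-]*) echo "invalid lock name: $NAME" >&2; exit 1;; esac`, keeps the lock directory where the script expects it. The stale-lock branch also leaves the variable unquoted in `/bin/rm -rf $LOCKDIR` and `mkdir $LOCKDIR || exit`, unlike `cleanup` and the first `mkdir`; quote both for consistency.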
@ -46,3 +46,25 @@
|
|||||||
loop: "{{ svcusers }}"
|
loop: "{{ svcusers }}"
|
||||||
tags:
|
tags:
|
||||||
- users
|
- users
|
||||||
|
|
||||||
|
- name: "Creating bind account template - binder"
|
||||||
|
template:
|
||||||
|
src: "tmp/binder.update"
|
||||||
|
dest: "/tmp/binder.update"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '0600'
|
||||||
|
tags:
|
||||||
|
- users
|
||||||
|
|
||||||
|
- name: "Adding in the bind account - binder"
|
||||||
|
command: "/usr/sbin/ipa-ldap-updater /tmp/binder.update"
|
||||||
|
register: bind_account
|
||||||
|
changed_when: "bind_account.rc == 0"
|
||||||
|
tags:
|
||||||
|
- users
|
||||||
|
|
||||||
|
- name: "Remove template"
|
||||||
|
file:
|
||||||
|
path: "/tmp/binder.update"
|
||||||
|
state: absent
|
||||||
|
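Review bot: The rendered `/tmp/binder.update` holds `ipa_binder_password` in clear text, and "Remove template" only runs if `ipa-ldap-updater` succeeds, so a failed update leaves the password on disk in /tmp. Put the three tasks in a `block:` with the `file: state: absent` step under `always:`, and add `no_log: true` to the template task so the rendered content is not printed in diff mode. `changed_when: "bind_account.rc == 0"` also reports a change on every successful run; if the updater exits non-zero when the `add:` attributes already exist, the second run of this play fails here, which is worth confirming and guarding with a `failed_when` that tolerates the already-present case. The enclosing play starts outside the hunk.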
@ -23,7 +23,8 @@
|
|||||||
assert:
|
assert:
|
||||||
that:
|
that:
|
||||||
- "not no_ansible.stat.exists"
|
- "not no_ansible.stat.exists"
|
||||||
msg: "/etc/no-ansible exists - skipping run on this node"
|
success_msg: "We are able to run on this node"
|
||||||
|
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: Configure Chrony
|
- name: Configure Chrony
|
||||||
|
@ -16,7 +16,8 @@
|
|||||||
assert:
|
assert:
|
||||||
that:
|
that:
|
||||||
- "not no_ansible.stat.exists"
|
- "not no_ansible.stat.exists"
|
||||||
msg: "/etc/no-ansible exists - skipping run on this node"
|
success_msg: "We are able to run on this node"
|
||||||
|
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: Check for CPU Virtualization
|
- name: Check for CPU Virtualization
|
||||||
|
@ -5,9 +5,9 @@
|
|||||||
become: false
|
become: false
|
||||||
gather_facts: false
|
gather_facts: false
|
||||||
vars_files:
|
vars_files:
|
||||||
- vars/encpass.yml
|
- vars/vaults/encpass.yml
|
||||||
- vars/rdns.yml
|
- vars/ipa/rdns.yml
|
||||||
- vars/fdns.yml
|
- vars/ipa/fdns.yml
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: "Checking for user variables"
|
- name: "Checking for user variables"
|
||||||
|
@ -5,12 +5,12 @@
|
|||||||
become: false
|
become: false
|
||||||
gather_facts: false
|
gather_facts: false
|
||||||
vars_files:
|
vars_files:
|
||||||
- vars/encpass.yml
|
- vars/vaults/encpass.yml
|
||||||
- vars/users.yml
|
- vars/ipa/users.yml
|
||||||
- vars/adminusers.yml
|
- vars/ipa/adminusers.yml
|
||||||
- vars/svcusers.yml
|
- vars/ipa/svcusers.yml
|
||||||
- vars/groups.yml
|
- vars/ipa/groups.yml
|
||||||
- vars/ipaprivs.yml
|
- vars/ipa/ipaprivs.yml
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: "Checking for user variables"
|
- name: "Checking for user variables"
|
||||||
|
@ -18,7 +18,8 @@
|
|||||||
assert:
|
assert:
|
||||||
that:
|
that:
|
||||||
- "not no_ansible.stat.exists"
|
- "not no_ansible.stat.exists"
|
||||||
msg: "/etc/no-ansible exists - skipping run on this node"
|
success_msg: "We are able to run on this node"
|
||||||
|
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: Loading Variables from OS Common
|
- name: Loading Variables from OS Common
|
||||||
@ -39,6 +40,9 @@
|
|||||||
- name: Configure grub
|
- name: Configure grub
|
||||||
import_tasks: tasks/grub.yml
|
import_tasks: tasks/grub.yml
|
||||||
|
|
||||||
|
- name: Configure common scripts
|
||||||
|
import_tasks: tasks/scripts.yml
|
||||||
|
|
||||||
post_tasks:
|
post_tasks:
|
||||||
- name: Touching run file that ansible has ran here
|
- name: Touching run file that ansible has ran here
|
||||||
file:
|
file:
|
||||||
|
@ -21,7 +21,8 @@
|
|||||||
assert:
|
assert:
|
||||||
that:
|
that:
|
||||||
- "not no_ansible.stat.exists"
|
- "not no_ansible.stat.exists"
|
||||||
msg: "/etc/no-ansible exists - skipping un on this node"
|
success_msg: "We are able to run on this node"
|
||||||
|
fail_msg: "/etc/no-ansible exists - skipping un on this node"
|
||||||
|
|
||||||
- name: Install SELinux packages
|
- name: Install SELinux packages
|
||||||
package:
|
package:
|
||||||
|
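Review bot: The pre-existing typo in the assert message is carried into the new key: `fail_msg: "/etc/no-ansible exists - skipping un on this node"` should read `fail_msg: "/etc/no-ansible exists - skipping run on this node"`, matching the wording used in every other playbook touched by this commit. The enclosing play starts outside the hunk.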
@ -5,8 +5,8 @@
|
|||||||
hosts: ipaclients
|
hosts: ipaclients
|
||||||
become: true
|
become: true
|
||||||
vars_files:
|
vars_files:
|
||||||
- vars/encpass.yml
|
- vars/vaults/encpass.yml
|
||||||
- vars/ipaclient.yml
|
- vars/ipa/ipaclient.yml
|
||||||
|
|
||||||
pre_tasks:
|
pre_tasks:
|
||||||
- name: Check if ansible cannot be run here
|
- name: Check if ansible cannot be run here
|
||||||
@ -18,9 +18,10 @@
|
|||||||
assert:
|
assert:
|
||||||
that:
|
that:
|
||||||
- "not no_ansible.stat.exists"
|
- "not no_ansible.stat.exists"
|
||||||
msg: "/etc/no-ansible exists - skipping run on this node"
|
success_msg: "We are able to run on this node"
|
||||||
|
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||||
|
|
||||||
# - name: Check if we can see LDAP srv records
|
# - name: Check if we can see LDAP srv records
|
||||||
|
|
||||||
|
|
||||||
roles:
|
roles:
|
||||||
|
@ -5,7 +5,7 @@
|
|||||||
hosts: ipareplicas
|
hosts: ipareplicas
|
||||||
become: true
|
become: true
|
||||||
vars_files:
|
vars_files:
|
||||||
- vars/encpass.yml
|
- vars/vaults/encpass.yml
|
||||||
|
|
||||||
# This is to try to avoid the handler issue in pre/post tasks
|
# This is to try to avoid the handler issue in pre/post tasks
|
||||||
handlers:
|
handlers:
|
||||||
@ -21,7 +21,8 @@
|
|||||||
assert:
|
assert:
|
||||||
that:
|
that:
|
||||||
- "not no_ansible.stat.exists"
|
- "not no_ansible.stat.exists"
|
||||||
msg: "/etc/no-ansible exists - skipping run on this node"
|
success_msg: "We are able to run on this node"
|
||||||
|
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||||
|
|
||||||
- name: Ensure 'dns=none' is set for Network Manager
|
- name: Ensure 'dns=none' is set for Network Manager
|
||||||
ini_file:
|
ini_file:
|
||||||
|
@ -9,7 +9,7 @@
|
|||||||
hosts: ipaserver
|
hosts: ipaserver
|
||||||
become: true
|
become: true
|
||||||
vars_files:
|
vars_files:
|
||||||
- vars/encpass.yml
|
- vars/vaults/encpass.yml
|
||||||
|
|
||||||
# This is to try to avoid the handler issue in pre/post tasks
|
# This is to try to avoid the handler issue in pre/post tasks
|
||||||
handlers:
|
handlers:
|
||||||
@ -25,7 +25,8 @@
|
|||||||
assert:
|
assert:
|
||||||
that:
|
that:
|
||||||
- "not no_ansible.stat.exists"
|
- "not no_ansible.stat.exists"
|
||||||
msg: "/etc/no-ansible exists - skipping run on this node"
|
success_msg: "We are able to run on this node"
|
||||||
|
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||||
|
|
||||||
- name: Ensure 'dns=none' is set for Network Manager to avoid change
|
- name: Ensure 'dns=none' is set for Network Manager to avoid change
|
||||||
ini_file:
|
ini_file:
|
||||||
|
@ -4,7 +4,7 @@
|
|||||||
hosts: ipsilon
|
hosts: ipsilon
|
||||||
become: true
|
become: true
|
||||||
vars_files:
|
vars_files:
|
||||||
- vars/encpass.yml
|
- vars/vaults/encpass.yml
|
||||||
- vars/ipsilon.yml
|
- vars/ipsilon.yml
|
||||||
|
|
||||||
# This is to try to avoid the handler issue in pre/post tasks
|
# This is to try to avoid the handler issue in pre/post tasks
|
||||||
@ -21,7 +21,8 @@
|
|||||||
assert:
|
assert:
|
||||||
that:
|
that:
|
||||||
- "not no_ansible.stat.exists"
|
- "not no_ansible.stat.exists"
|
||||||
msg: "/etc/no-ansible exists - skipping run on this node"
|
success_msg: "We are able to run on this node"
|
||||||
|
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||||
|
|
||||||
# EPEL and PowerTools are required for ipsilon to function
|
# EPEL and PowerTools are required for ipsilon to function
|
||||||
# I also couldn't find an ansible built-in to do this
|
# I also couldn't find an ansible built-in to do this
|
||||||
|
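--- a/ansible/playbooks/role-rocky-kojid.yml
+++ b/ansible/playbooks/role-rocky-kojid.yml
@@ -0,0 +1,85 @@
+---
+# Stands up an ipsilon instance for simple SSO
+- name: Configure koji hub and web server
+  hosts: kojihub
+  become: true
+  vars_files:
+    - vars/vaults/encpass.yml
+    - vars/kojid.yml
+
+  # This is to try to avoid the handler issue in pre/post tasks
+  handlers:
+    - import_tasks: handlers/main.yml
+
+  pre_tasks:
+    - name: Check if ansible cannot be run here
+      stat:
+        path: /etc/no-ansible
+      register: no_ansible
+
+    - name: Verify if we can run ansible
+      assert:
+        that:
+          - "not no_ansible.stat.exists"
+        success_msg: "We are able to run on this node"
+        fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+    - name: Check for keytabs - kojid
+      stat:
+        path: /etc/kojid.keytab
+      register: kojid_keytab
+      changed_when: "1 != 1"
+
+    - name: Verify keytab
+      assert:
+        that:
+          - "kojid_keytab.stat.exists"
+        success_msg: "It is likely we have all keytabs"
+        fail_msg: "There are no keytabs. Please build the keytabs."
+
+    # EPEL and PowerTools are required for ipsilon to function
+    # I also couldn't find an ansible built-in to do this
+    - name: Enable the PowerTools repository
+      ini_file:
+        dest: /etc/yum.repos.d/CentOS-Linux-PowerTools.repo
+        section: powertools
+        option: enabled
+        value: 1
+        owner: root
+        group: root
+        mode: '0644'
+
+    # The CentOS extras repos has epel-release provided
+    - name: Enable the EPEL repository
+      yum:
+        name: epel-release
+        state: present
+      tags:
+        - packages
+
+    - name: Install rocky-tools copr
+      yum_repository:
+        name: copr:copr.fedorainfracloud.org:nalika:rockylinux-tool
+        description: Copr repo for rockylinux-tools owned by nalika
+        file: copr_repos
+        baseurl: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/epel-8-$basearch/
+        gpgcheck: true
+        gpgkey: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/pubkey.gpg
+        enabled: true
+
+  # Right now, we are not sure how or where we'll get our certificates. So we
+  # are presenting a choice by setting a variable, koji_internal_ca. There is a
+  # change that we will have to do internal certs for mqtt anyway.
+  # TODO: We need an MQTT role and pre_tasks for the keytabs for this role
+  roles:
+    - role: rockylinux.kojid
+      state: present
+
+  post_tasks:
+    - name: Touching run file that ansible has ran here
+      file:
+        path: /var/log/ansible.run
+        state: touch
+        mode: '0644'
+        owner: root
+        group: root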
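Review bot: The header comment `# Stands up an ipsilon instance for simple SSO` and the later `# EPEL and PowerTools are required for ipsilon to function` were carried over from the ipsilon playbook and describe the wrong service; in this file they should describe the kojid play, e.g. `# Stands up a koji builder (kojid)`. The play name `Configure koji hub and web server` looks copied from the kojihub playbook as well, since the only role applied here is `rockylinux.kojid` with `vars/kojid.yml` loaded. The pre-task "Check for keytabs - kojid" hard-codes `path: /etc/kojid.keytab` while vars/kojid.yml, loaded by this play, defines `kojid_keytab: /etc/kojid.keytab`; `path: "{{ kojid_keytab }}"` keeps the check and the role configuration from drifting apart.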
@ -4,7 +4,7 @@
|
|||||||
hosts: kojihub
|
hosts: kojihub
|
||||||
become: true
|
become: true
|
||||||
vars_files:
|
vars_files:
|
||||||
- vars/encpass.yml
|
- vars/vaults/encpass.yml
|
||||||
- vars/kojihub.yml
|
- vars/kojihub.yml
|
||||||
|
|
||||||
# This is to try to avoid the handler issue in pre/post tasks
|
# This is to try to avoid the handler issue in pre/post tasks
|
||||||
@ -21,7 +21,42 @@
|
|||||||
assert:
|
assert:
|
||||||
that:
|
that:
|
||||||
- "not no_ansible.stat.exists"
|
- "not no_ansible.stat.exists"
|
||||||
msg: "/etc/no-ansible exists - skipping run on this node"
|
success_msg: "We are able to run on this node"
|
||||||
|
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||||
|
|
||||||
|
- name: Check for keytabs - web
|
||||||
|
stat:
|
||||||
|
path: /etc/keytabs/koji-web.keytab
|
||||||
|
register: koji_keytab
|
||||||
|
changed_when: "1 != 1"
|
||||||
|
|
||||||
|
- name: Check for keytabs - kojira
|
||||||
|
stat:
|
||||||
|
path: /etc/keytabs/kojira.keytab
|
||||||
|
register: kojira_keytab
|
||||||
|
changed_when: "1 != 1"
|
||||||
|
|
||||||
|
- name: Check for keytabs - gc
|
||||||
|
stat:
|
||||||
|
path: /etc/keytabs/koji-gc.keytab
|
||||||
|
register: gc_keytab
|
||||||
|
changed_when: "1 != 1"
|
||||||
|
|
||||||
|
- name: Check for keytabs - host
|
||||||
|
stat:
|
||||||
|
path: /etc/keytabs/host.keytab
|
||||||
|
register: host_keytab
|
||||||
|
changed_when: "1 != 1"
|
||||||
|
|
||||||
|
- name: Verify keytab
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- "koji_keytab.stat.exists"
|
||||||
|
- "kojira_keytab.stat.exists"
|
||||||
|
- "gc_keytab.stat.exists"
|
||||||
|
- "host_keytab.stat.exists"
|
||||||
|
success_msg: "It is likely we have all keytabs"
|
||||||
|
fail_msg: "There are no keytabs. Please build the keytabs."
|
||||||
|
|
||||||
# EPEL and PowerTools are required for ipsilon to function
|
# EPEL and PowerTools are required for ipsilon to function
|
||||||
# I also couldn't find an ansible built-in to do this
|
# I also couldn't find an ansible built-in to do this
|
||||||
|
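Review bot: The four "Check for keytabs - …" tasks differ only in `path:` and `register:`, and the shared `fail_msg: "There are no keytabs. Please build the keytabs."` cannot tell the operator which file is missing. A single `stat` with `loop:` over the paths, registered once, lets the assert name the absent keytabs. The enclosing play starts outside the hunk.
```yaml
    - name: Check for keytabs
      stat:
        path: "{{ item }}"
      register: koji_keytabs
      changed_when: "1 != 1"
      loop:
        - /etc/keytabs/koji-web.keytab
        - /etc/keytabs/kojira.keytab
        - /etc/keytabs/koji-gc.keytab
        - /etc/keytabs/host.keytab

    - name: Verify keytab
      assert:
        that:
          - "koji_keytabs.results | rejectattr('stat.exists') | list | length == 0"
        success_msg: "It is likely we have all keytabs"
        fail_msg: "Missing keytabs: {{ koji_keytabs.results | rejectattr('stat.exists') | map(attribute='item') | join(', ') }}"
```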
@ -13,7 +13,9 @@
|
|||||||
assert:
|
assert:
|
||||||
that:
|
that:
|
||||||
- "not no_ansible.stat.exists"
|
- "not no_ansible.stat.exists"
|
||||||
msg: "/etc/no-ansible exists - skipping run on this node"
|
success_msg: "We are able to run on this node"
|
||||||
|
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||||
|
|
||||||
- name: Install SELinux packages
|
- name: Install SELinux packages
|
||||||
package:
|
package:
|
||||||
name: python3-policycoreutils.noarch
|
name: python3-policycoreutils.noarch
|
||||||
@ -50,5 +52,5 @@
|
|||||||
- name: Open firewall for node-exporter
|
- name: Open firewall for node-exporter
|
||||||
ansible.posix.firewalld:
|
ansible.posix.firewalld:
|
||||||
port: 9100/tcp
|
port: 9100/tcp
|
||||||
permanent: yes
|
permanent: true
|
||||||
state: enabled
|
state: enabled
|
||||||
|
@ -4,7 +4,7 @@
|
|||||||
hosts: kojihub
|
hosts: kojihub
|
||||||
become: true
|
become: true
|
||||||
vars_files:
|
vars_files:
|
||||||
- vars/encpass.yml
|
- vars/vaults/encpass.yml
|
||||||
- vars/mqtt.yml
|
- vars/mqtt.yml
|
||||||
|
|
||||||
# This is to try to avoid the handler issue in pre/post tasks
|
# This is to try to avoid the handler issue in pre/post tasks
|
||||||
@ -21,7 +21,8 @@
|
|||||||
assert:
|
assert:
|
||||||
that:
|
that:
|
||||||
- "not no_ansible.stat.exists"
|
- "not no_ansible.stat.exists"
|
||||||
msg: "/etc/no-ansible exists - skipping run on this node"
|
success_msg: "We are able to run on this node"
|
||||||
|
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||||
|
|
||||||
# EPEL and PowerTools are required for ipsilon to function
|
# EPEL and PowerTools are required for ipsilon to function
|
||||||
# I also couldn't find an ansible built-in to do this
|
# I also couldn't find an ansible built-in to do this
|
||||||
|
@ -5,7 +5,7 @@
|
|||||||
become: true
|
become: true
|
||||||
vars_files:
|
vars_files:
|
||||||
- vars/common.yml
|
- vars/common.yml
|
||||||
- vars/encpass.yml
|
- vars/vaults/encpass.yml
|
||||||
- vars/rabbitmq.yml
|
- vars/rabbitmq.yml
|
||||||
|
|
||||||
# This is to try to avoid the handler issue in pre/post tasks
|
# This is to try to avoid the handler issue in pre/post tasks
|
||||||
@ -22,12 +22,13 @@
|
|||||||
assert:
|
assert:
|
||||||
that:
|
that:
|
||||||
- "not no_ansible.stat.exists"
|
- "not no_ansible.stat.exists"
|
||||||
msg: "/etc/no-ansible exists - skipping run on this node"
|
success_msg: "We are able to run on this node"
|
||||||
|
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||||
|
|
||||||
# We have separate passwords per rabbitmq env
|
# We have separate passwords per rabbitmq env
|
||||||
- name: Import rabbitmq passwords
|
- name: Import rabbitmq passwords
|
||||||
include_vars:
|
include_vars:
|
||||||
file: "vars/rabbitmq_{{ rabbitmq_env }}.yml"
|
file: "vars/vaults/rabbitmq_{{ rabbitmq_env }}.yml"
|
||||||
|
|
||||||
# EPEL and PowerTools are required for ipsilon to function
|
# EPEL and PowerTools are required for ipsilon to function
|
||||||
# I also couldn't find an ansible built-in to do this
|
# I also couldn't find an ansible built-in to do this
|
||||||
|
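--- a/ansible/playbooks/tasks/scripts.yml
+++ b/ansible/playbooks/tasks/scripts.yml
@@ -0,0 +1,9 @@
+---
+# Common scripts that rocky uses on nodes
+- name: Lock Wrapper script
+  copy:
+    src: "usr/local/bin/lock-wrapper"
+    dest: "/usr/local/bin/lock-wrapper"
+    owner: root
+    group: root
+    mode: '0755'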
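--- a/ansible/playbooks/templates/tmp/binder.update
+++ b/ansible/playbooks/templates/tmp/binder.update
@@ -0,0 +1,7 @@
+dn: uid=binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org
+add:objectclass:account
+add:objectclass:simplesecurityobject
+add:uid:binder
+add:userPassword:{{ ipa_binder_password }}
+add:passwordExpirationTime:20380119031407Z
+add:nsIdleTimeout:0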
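Review bot: `add:userPassword:{{ ipa_binder_password }}` drops the variable into the update file unquoted and unescaped, so a value containing a newline or leading whitespace would change how ipa-ldap-updater parses the entry; a comment stating that constraint here, or an `ipa_binder_password | mandatory` assert in the playbook that renders this template, would catch it before the updater runs. `add:passwordExpirationTime:20380119031407Z` makes the bind password effectively non-expiring; a one-line comment saying so, and that rotation is therefore manual, helps the next reader understand the choice.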
@ -1,8 +1,9 @@
|
|||||||
---
|
---
|
||||||
rocky_ldap_bind_dn: "uid=binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org"
|
rocky_ldap_bind_dn: "uid=binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org"
|
||||||
rocky_ldap_bind_pw: "ThisIsNotThePassword!"
|
|
||||||
rocky_ldap_user_basedn: "cn=users,cn=accounts,dc=rockylinux,dc=org"
|
rocky_ldap_user_basedn: "cn=users,cn=accounts,dc=rockylinux,dc=org"
|
||||||
rocky_ldap_group_basedn: "cn=groups,cn=accounts,dc=rockylinux,dc=org"
|
rocky_ldap_group_basedn: "cn=groups,cn=accounts,dc=rockylinux,dc=org"
|
||||||
rocky_ldap_account_basedn: "cn=accounts,dc=rockylinux,dc=org"
|
rocky_ldap_account_basedn: "cn=accounts,dc=rockylinux,dc=org"
|
||||||
# Requires jinja 2.9+
|
# Requires jinja 2.9+
|
||||||
rocky_ipaserver_list: "{{ groups['ipaserver'] + groups['ipareplicas'] }}"
|
rocky_ipaserver_list: "{{ groups['ipaserver'] + groups['ipareplicas'] }}"
|
||||||
|
# This will need to be vaulted
|
||||||
|
# rocky_ldap_bind_pw: "ThisIsNotThePassword!"
|
||||||
|
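Review bot: `rocky_ldap_bind_pw` now exists only as the commented-out `# rocky_ldap_bind_pw: "ThisIsNotThePassword!"`, so anything that still templates `{{ rocky_ldap_bind_pw }}` fails with an undefined-variable error until the vaulted definition the comment promises exists; if vars/vaults/encpass.yml already carries it this is fine, otherwise the removal should land together with the vaulted value. The removed literal also remains in git history, so if it was ever a real credential it should be rotated regardless of the placeholder wording.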
@ -26,3 +26,10 @@ iparoles:
|
|||||||
- "Netgroups Administrators"
|
- "Netgroups Administrators"
|
||||||
user:
|
user:
|
||||||
- hostman
|
- hostman
|
||||||
|
- role: IPA User Managers
|
||||||
|
description: Rocky IPA User Managers responsible for idm flow
|
||||||
|
privileges:
|
||||||
|
- "Group Administrators"
|
||||||
|
- "Stage User Administrators"
|
||||||
|
- "User Administrators"
|
||||||
|
- "FAS Agreement Administrators"
|
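Review bot: The new `IPA User Managers` role lists its privileges but, unlike the sibling role above it that binds `user: - hostman`, assigns no member; if the `userman` service account added to svcusers in this same commit is meant to hold it, add `user: - userman` here, otherwise the role is created with nobody able to exercise it. The `iparoles` list starts outside the hunk.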
@ -14,6 +14,13 @@ svcusers:
|
|||||||
password: ThisIsNotMyPassword1!
|
password: ThisIsNotMyPassword1!
|
||||||
title: System Account - Kerberos Key Manager
|
title: System Account - Kerberos Key Manager
|
||||||
loginshell: /sbin/nologin
|
loginshell: /sbin/nologin
|
||||||
|
- name: userman
|
||||||
|
first: User
|
||||||
|
last: Manager
|
||||||
|
email: infrastructure@rockylinux.org
|
||||||
|
password: ThisIsNotMyPassword1!
|
||||||
|
title: System Account - User Manager
|
||||||
|
loginshell: /sbin/nologin
|
||||||
- name: rockykoji
|
- name: rockykoji
|
||||||
first: Koji
|
first: Koji
|
||||||
last: Manager
|
last: Manager
|
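Review bot: The new `userman` entry sets `password: ThisIsNotMyPassword1!` in a vars file that is not under vars/vaults, following the existing `password: ThisIsNotMyPassword1!` above it; if these values are not overridden from a vault before the users are created, the service accounts exist with a password committed in clear text. Referencing a vaulted variable instead, e.g. `password: "{{ ipa_svc_userman_password }}"` (name constructed; define it in the vault), keeps the secret out of this file. The `svcusers` list starts outside the hunk.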
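--- /dev/null
+++ b/ansible/playbooks/vars/kojid.yml
@@ -0,0 +1,15 @@
+---
+# vars for kojid
+
+kojid_vendor: Rocky
+kojid_packager: infrastructure@rockylinux.org
+kojid_distribution: Rocky
+# These three should probably be specified by special vars
+# kojid_web_url: https://koji.rockylinux.org/koji
+# kojid_hub_url: https://koji.rockylinux.org/kojihub
+# kojid_files_url: https://koji.rockylinux.org/kojifiles
+
+kojid_ca_bundle: /etc/pki/tls/certs/ca-bundle.crt
+kojid_keytab: /etc/kojid.keytab
+kojid_smtp_host: smtp.rockylinux.org
+kojid_allowed_scm: "git.centos.org:/* git.rockylinux.org:/*"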
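Review bot: `kojid_allowed_scm` on the last line decides which SCM hosts and paths the builders will check sources out from, so it is a trust boundary rather than an ordinary setting, yet it is the one value in the file with no explanatory comment. A line such as `# SCM hosts/paths builders may fetch sources from; widening this list needs review` above it would tell the next editor why an edit here is not routine. The commented-out URL block says the three URLs "should probably be specified by special vars"; naming the variables or file expected to supply them would make that remark actionable.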
@ -1,5 +1,7 @@
|
|||||||
---
|
---
|
||||||
# koji hub settings
|
# koji hub settings
|
||||||
|
# This should be the front-facing URL of koji
|
||||||
|
#koji_url_name: koji.rockylinux.org
|
||||||
|
|
||||||
# Use an internal CA (IPA)
|
# Use an internal CA (IPA)
|
||||||
koji_internal_ca: true
|
koji_internal_ca: true
|
||||||
@ -13,9 +15,9 @@ koji_db_user: koji
|
|||||||
# This will need to change when koji_postgresql_vm is false
|
# This will need to change when koji_postgresql_vm is false
|
||||||
koji_db_host: "{{ ansible_fqdn }}"
|
koji_db_host: "{{ ansible_fqdn }}"
|
||||||
|
|
||||||
koji_web_url: "https://{{ ansible_fqdn }}/koji"
|
koji_web_url: "https://{{ koji_url_name }}/koji"
|
||||||
koji_hub_url: "https://{{ ansible_fqdn }}/kojihub"
|
koji_hub_url: "https://{{ koji_url_name }}/kojihub"
|
||||||
koji_files_url: "https://{{ ansible_fqdn }}/kojifiles"
|
koji_files_url: "https://{{ koji_url_name }}/kojifiles"
|
||||||
|
|
||||||
# The IPA internal CA is combined with the others
|
# The IPA internal CA is combined with the others
|
||||||
koji_web_cacert: /etc/pki/tls/certs/ca-bundle.crt
|
koji_web_cacert: /etc/pki/tls/certs/ca-bundle.crt
|
||||||
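Review bot: The three URL values in this hunk now reference `koji_url_name`, but the only definition of that variable visible in this commit is the commented-out `#koji_url_name: koji.rockylinux.org` added at the top of the same file, so unless it is set in inventory or host vars the templates fail on an undefined variable. Either uncomment that line with a default or state where the value is expected to come from, e.g. `# koji_url_name must be set per host (inventory/host_vars); no default here`. In the Hub Settings hunk below, `koji_hub_principal` becomes `host/kojihub@ROCKYLINUX.ORG` with the keytab moved to `/etc/keytabs/host.keytab`; a host keytab produced by IPA client enrollment normally holds `host/<fqdn>@REALM`, so confirm that this keytab actually contains a `host/kojihub` key, otherwise hub authentication will fail at runtime rather than at deploy time.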
@ -35,9 +37,9 @@ koji_admin_localuser: true
|
|||||||
koji_admin_localuser_name: koji
|
koji_admin_localuser_name: koji
|
||||||
|
|
||||||
# Hub Settings
|
# Hub Settings
|
||||||
koji_hub_principal: "HTTP/{{ ansible_fqdn }}@ROCKYLINUX.ORG"
|
koji_hub_principal: "host/kojihub@ROCKYLINUX.ORG"
|
||||||
koji_hub_proxy_principals: koji/kojiweb@ROCKYLINUX.ORG
|
koji_hub_proxy_principals: "HTTP/{{ inventory_hostname }}@ROCKYLINUX.ORG"
|
||||||
koji_hub_keytab: /etc/koji.keytab
|
koji_hub_keytab: /etc/keytabs/host.keytab
|
||||||
koji_hub_principal_format: compile/%s@ROCKYLINUX.ORG
|
koji_hub_principal_format: compile/%s@ROCKYLINUX.ORG
|
||||||
# This should be sufficient even for LE
|
# This should be sufficient even for LE
|
||||||
koji_hub_ca: "{{ koji_web_cacert }}"
|
koji_hub_ca: "{{ koji_web_cacert }}"
|
||||||
@ -47,15 +49,6 @@ koji_hub_ca: "{{ koji_web_cacert }}"
|
|||||||
koji_fas_sync: false
|
koji_fas_sync: false
|
||||||
koji_fas_url: https://accounts.rockylinux.org
|
koji_fas_url: https://accounts.rockylinux.org
|
||||||
|
|
||||||
# Not implemented yet
|
|
||||||
koji_hub_plugin_mqtt_host: mqtt.rockylinux.org
|
|
||||||
koji_hub_plugin_mqtt_topic: koji
|
|
||||||
koji_hub_plugin_mqtt_ca: "{{ koji_hub_ca }}"
|
|
||||||
koji_hub_plugin_mqtt_tls_cert: /etc/pki/tls/certs/mqtt.pem
|
|
||||||
koji_hub_plugin_mqtt_tls_key: /etc/pki/tls/certs/mqtt.key
|
|
||||||
koji_hub_plugin_mqtt_excluded_tags:
|
|
||||||
- testing-tag
|
|
||||||
|
|
||||||
# IPA Certs if Required
|
# IPA Certs if Required
|
||||||
ipa_getcert_requested_hostnames:
|
ipa_getcert_requested_hostnames:
|
||||||
- name: "{{ ansible_fqdn }}"
|
- name: "{{ ansible_fqdn }}"
|
||||||
|
@ -10,6 +10,9 @@ ipaadmin_password: !vault |
|
|||||||
ipadm_password: !vault |
|
ipadm_password: !vault |
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
REDACTED
|
REDACTED
|
||||||
|
ipa_binder_password: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
REDACTED
|
||||||
ipsilon_db_password: !vault |
|
ipsilon_db_password: !vault |
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
REDACTED
|
REDACTED
|
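Review bot: `ipa_binder_password` is added here as a vaulted value, while an earlier hunk in this commit turns `rocky_ldap_bind_pw` into a comment with the remark that it "will need to be vaulted"; nothing visible connects the two, so any consumer of `rocky_ldap_bind_pw` now sees an undefined variable unless it is set elsewhere. If this vaulted value is the replacement, the plain vars file should carry `rocky_ldap_bind_pw: "{{ ipa_binder_password }}"` so the existing name keeps working, or the consumers should be switched to the new name. A short comment above the new entry naming the account it belongs to (the bind DN `uid=binder,...` appears in the LDAP vars) would make the link explicit.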
@ -16,6 +16,9 @@ roles:
|
|||||||
- name: rockylinux.kojihub
|
- name: rockylinux.kojihub
|
||||||
src: https://github.com/rocky-linux/ansible-role-kojihub
|
src: https://github.com/rocky-linux/ansible-role-kojihub
|
||||||
version: main
|
version: main
|
||||||
|
- name: rockylinux.kojid
|
||||||
|
src: https://github.com/rocky-linux/ansible-role-kojid
|
||||||
|
version: main
|
||||||
- name: rockylinux.rabbitmq
|
- name: rockylinux.rabbitmq
|
||||||
src: https://github.com/rocky-linux/ansible-role-rabbitmq
|
src: https://github.com/rocky-linux/ansible-role-rabbitmq
|
||||||
version: main
|
version: main
|
||||||
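Review bot: The new `rockylinux.kojid` entry pins `version: main`, so every `ansible-galaxy install` pulls whatever that branch currently holds, and a role that configures build hosts is a high-value place for an unreviewed upstream change to land. Pinning to a tag or commit, `version: "<tag-or-commit>"` (placeholder), makes installs reproducible and turns role updates into an explicit diff in this repository. The neighbouring `kojihub` and `rabbitmq` entries use the same floating reference, so the same applies to them; the `roles:` list starts outside this hunk.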
|