mirror of
https://github.com/rocky-linux/infrastructure
synced 2024-11-24 22:21:26 +00:00
Attempt Sync
This is attempting a sync of some stuff from our ansible server. Some data is either missing or obfuscated.
This commit is contained in:
parent
d9c5608349
commit
f118ec9571
@ -188,6 +188,15 @@ role-rocky-ipa-client.yml
|
||||
init-rocky-system-config.yml
|
||||
```
|
||||
|
||||
### Initializing a base system
|
||||
|
||||
```
|
||||
# All clients should be listed under [ipaclients]
|
||||
role-rocky-ipa-client.yml
|
||||
# All systems should be hardened
|
||||
init-rocky-system-config.yml
|
||||
```
|
||||
|
||||
## Current Set
|
||||
|
||||
```
|
||||
|
@ -5,7 +5,7 @@
|
||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||
name: "{{ item.group }}"
|
||||
minlife: "{{ item.minlife | default(0) }}"
|
||||
maxlife: "{{ item.maxlife | default(84) }}"
|
||||
maxlife: "{{ item.maxlife | default(0) }}"
|
||||
history: "{{ item.history | default(5) }}"
|
||||
priority: "{{ item.priority | default(1) }}"
|
||||
lockouttime: "{{ item.lockout | default(300) }}"
|
||||
|
40
ansible/playbooks/role-rocky-bootstrap_staging.yml
Normal file
40
ansible/playbooks/role-rocky-bootstrap_staging.yml
Normal file
@ -0,0 +1,40 @@
|
||||
---
|
||||
# Manage bootstrap hosts
|
||||
#
|
||||
- name: Manage and configure bootstrap hosts
|
||||
hosts: bootstrap_staging
|
||||
become: true
|
||||
vars_files:
|
||||
- vars/mounts/bootstrap_staging.yml
|
||||
|
||||
# This is to try to avoid the handler issue in pre/post tasks
|
||||
handlers:
|
||||
- import_tasks: handlers/main.yml
|
||||
|
||||
pre_tasks:
|
||||
- name: Check if ansible cannot be run here
|
||||
stat:
|
||||
path: /etc/no-ansible
|
||||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are able to run on this node"
|
||||
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||
|
||||
tasks:
|
||||
- include_tasks: tasks/efs_mount.yml
|
||||
loop: "{{ mounts }}"
|
||||
|
||||
- include_tasks: tasks/srpmproc.yml
|
||||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
owner: root
|
||||
group: root
|
@ -37,8 +37,8 @@
|
||||
state: present
|
||||
|
||||
roles:
|
||||
- role: rockylinux.ipagetcert
|
||||
state: present
|
||||
#- role: rockylinux.ipagetcert
|
||||
# state: present
|
||||
- role: cloudalchemy.prometheus
|
||||
state: present
|
||||
- role: cloudalchemy.alertmanager
|
||||
@ -61,24 +61,3 @@
|
||||
mode: '0644'
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Install Prometheus Node Exporter
|
||||
hosts: all
|
||||
become: true
|
||||
|
||||
pre_tasks:
|
||||
- name: Install SELinux packages
|
||||
package:
|
||||
name: python3-policycoreutils.noarch
|
||||
state: present
|
||||
|
||||
roles:
|
||||
- role: cloudalchemy.node-exporter
|
||||
state: present
|
||||
|
||||
post_tasks:
|
||||
- name: Open firewall for node-exporter
|
||||
ansible.posix.firewalld:
|
||||
port: 9100/tcp
|
||||
permanent: true
|
||||
state: enabled
|
||||
|
66
ansible/playbooks/role-rocky-pinnwand.yml
Normal file
66
ansible/playbooks/role-rocky-pinnwand.yml
Normal file
@ -0,0 +1,66 @@
|
||||
---
|
||||
# pinnwand
|
||||
- name: Install pinnwand
|
||||
hosts: pinnwand
|
||||
become: true
|
||||
vars_files:
|
||||
- vars/vaults/hostman.yml
|
||||
- vars/vaults/pinnwand.yml
|
||||
- vars/pinnwand.yml
|
||||
|
||||
# This is to try to avoid the handler issue in pre/post tasks
|
||||
handlers:
|
||||
- import_tasks: handlers/main.yml
|
||||
|
||||
pre_tasks:
|
||||
- name: Check if ansible cannot be run here
|
||||
stat:
|
||||
path: /etc/no-ansible
|
||||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are able to run on this node"
|
||||
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||
|
||||
- name: Install SELinux packages
|
||||
package:
|
||||
name: python3-policycoreutils.noarch
|
||||
state: present
|
||||
|
||||
tasks:
|
||||
#- include_tasks: tasks/pinnwand.yml
|
||||
# tags: ['includetasks']
|
||||
|
||||
roles:
|
||||
- role: rockylinux.ipagetcert
|
||||
state: present
|
||||
tags: ['certs']
|
||||
|
||||
- role: rockylinux.pinnwand
|
||||
state: present
|
||||
tags: ['role_pinnwand']
|
||||
|
||||
# Define variables in vars/matomo/nginx.yml
|
||||
- role: nginxinc.nginx_core.nginx
|
||||
tags: ['nginx']
|
||||
#- role: nginxinc.nginx_core.nginx_config
|
||||
# tags: ['nginx']
|
||||
|
||||
post_tasks:
|
||||
- name: Open firewalld ports
|
||||
ansible.posix.firewalld:
|
||||
port: "{{ item.port }}"
|
||||
permanent: "{{ item.permanent | default(yes) }}"
|
||||
state: "{{ item.state | default(present) }}"
|
||||
loop: "{{ firewall_rules }}"
|
||||
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
owner: root
|
||||
group: root
|
41
ansible/playbooks/role-rocky-repopool.yml
Normal file
41
ansible/playbooks/role-rocky-repopool.yml
Normal file
@ -0,0 +1,41 @@
|
||||
---
|
||||
# Configures an instance to function as a HTTP serving member of repopool
|
||||
- name: Configure Repo Pool hosts
|
||||
hosts: repopool
|
||||
become: true
|
||||
vars_files:
|
||||
- vars/vaults/encpass.yml
|
||||
- vars/common.yml
|
||||
- vars/mounts/repopool.yml
|
||||
|
||||
# This is to try to avoid the handler issue in pre/post tasks
|
||||
handlers:
|
||||
- import_tasks: handlers/main.yml
|
||||
|
||||
pre_tasks:
|
||||
- name: Check if ansible cannot be run here
|
||||
stat:
|
||||
path: /etc/no-ansible
|
||||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are able to run on this node"
|
||||
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||
|
||||
tasks:
|
||||
- name: "Setup shared filesystem mount"
|
||||
include_tasks: tasks/efs_mount.yml
|
||||
with_items: "{{ mounts }}"
|
||||
tags: ["koji_efs_mount"]
|
||||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
owner: root
|
||||
group: root
|
40
ansible/playbooks/role-rocky-srpmproc.yml
Normal file
40
ansible/playbooks/role-rocky-srpmproc.yml
Normal file
@ -0,0 +1,40 @@
|
||||
---
|
||||
# Manage srpmproc
|
||||
#
|
||||
- name: Manage and configure srpmproc
|
||||
hosts: srpmproc
|
||||
become: true
|
||||
vars_files:
|
||||
- vars/mounts/srpmproc.yml
|
||||
|
||||
# This is to try to avoid the handler issue in pre/post tasks
|
||||
handlers:
|
||||
- import_tasks: handlers/main.yml
|
||||
|
||||
pre_tasks:
|
||||
- name: Check if ansible cannot be run here
|
||||
stat:
|
||||
path: /etc/no-ansible
|
||||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are able to run on this node"
|
||||
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||
|
||||
tasks:
|
||||
- include_tasks: tasks/efs_mount.yml
|
||||
loop: "{{ mounts }}"
|
||||
|
||||
- include_tasks: tasks/srpmproc.yml
|
||||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
owner: root
|
||||
group: root
|
46
ansible/playbooks/tasks/efs_mount.yml
Normal file
46
ansible/playbooks/tasks/efs_mount.yml
Normal file
@ -0,0 +1,46 @@
|
||||
---
|
||||
# Requires amazon-efs-utils; included, but should probably be split out?
|
||||
#
|
||||
|
||||
- name: "Installing amazon-efs-utils"
|
||||
become: yes
|
||||
become_user: root
|
||||
yum:
|
||||
name: 'https://git.rockylinux.org/neil/efs-utils/-/jobs/5/artifacts/raw/build/amazon-efs-utils-1.30.1-1.el8.noarch.rpm?inline=false'
|
||||
disable_gpg_check: yes
|
||||
validate_certs: yes
|
||||
state: present
|
||||
tags:
|
||||
- amazon_efs_utils
|
||||
- packages
|
||||
- mounts
|
||||
|
||||
|
||||
- name: "Gathering ec2 facts"
|
||||
amazon.aws.ec2_metadata_facts:
|
||||
tags:
|
||||
- mounts
|
||||
|
||||
# "you can use /etc/hosts" https://github.com/aws/efs-utils/issues/1
|
||||
- name: "Install custom hosts file because fmlC-w amazon said so."
|
||||
become: yes
|
||||
become_user: root
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/hosts
|
||||
line: "{{ item.ip_map[ansible_ec2_placement_availability_zone] }} {{ item.fsid }}.efs.{{ ansible_ec2_placement_region }}.amazonaws.com"
|
||||
create: yes
|
||||
tags:
|
||||
- mounts
|
||||
|
||||
|
||||
- name: "Creating and mounting {{ item.fsid }} at {{ item.mount_point }}"
|
||||
become: yes
|
||||
become_user: root
|
||||
ansible.posix.mount:
|
||||
path: "{{ item.mount_point }}"
|
||||
src: "{{ item.fsid }}:/"
|
||||
fstype: "{{ item.fstype }}"
|
||||
opts: "{{ item.fsopts | join(',') }}"
|
||||
state: "{{ item.state | default('mounted') }}"
|
||||
tags:
|
||||
- mounts
|
9
ansible/playbooks/tasks/srpmproc.yml
Normal file
9
ansible/playbooks/tasks/srpmproc.yml
Normal file
@ -0,0 +1,9 @@
|
||||
---
|
||||
- name: Configure SELinux booleans
|
||||
ansible.posix.seboolean:
|
||||
name: "{{ item }}"
|
||||
persistent: true
|
||||
state: true
|
||||
with_items:
|
||||
- httpd_can_network_connect_db
|
||||
- httpd_can_network_connect
|
18
ansible/playbooks/vars/mounts/bootstrap_staging.yml
Normal file
18
ansible/playbooks/vars/mounts/bootstrap_staging.yml
Normal file
@ -0,0 +1,18 @@
|
||||
---
|
||||
x-efs_fs_opts_common: &common_fs_opts
|
||||
fstype: efs
|
||||
fsopts:
|
||||
- _netdev
|
||||
- tls
|
||||
- iam
|
||||
- rw
|
||||
|
||||
mounts:
|
||||
- name: prod-build-compose
|
||||
<<: *common_fs_opts
|
||||
fsid: fs-XXXXXXXX
|
||||
mount_point: /mnt/compose
|
||||
ip_map:
|
||||
us-east-2a: 10.100.100.250
|
||||
us-east-2b: 10.100.101.250
|
||||
us-east-2c: 10.100.102.250
|
26
ansible/playbooks/vars/mounts/repopool.yml
Normal file
26
ansible/playbooks/vars/mounts/repopool.yml
Normal file
@ -0,0 +1,26 @@
|
||||
---
|
||||
x-efs_fs_opts_common: &common_fs_opts
|
||||
fstype: efs
|
||||
fsopts:
|
||||
- _netdev
|
||||
- tls
|
||||
- iam
|
||||
- rw
|
||||
|
||||
mounts:
|
||||
- name: prod-build-repos-staging
|
||||
<<: *common_fs_opts
|
||||
fsid: fs-XXXXXXXX
|
||||
mount_point: /mnt/repos-staging
|
||||
ip_map:
|
||||
us-east-2a: 10.101.100.249
|
||||
us-east-2b: 10.101.101.249
|
||||
us-east-2c: 10.101.102.249
|
||||
- name: prod-build-repos-production
|
||||
<<: *common_fs_opts
|
||||
fsid: fs-YYYYYYYY
|
||||
mount_point: /mnt/repos-production
|
||||
ip_map:
|
||||
us-east-2a: 10.101.100.246
|
||||
us-east-2b: 10.101.101.246
|
||||
us-east-2c: 10.101.102.246
|
50
ansible/playbooks/vars/mounts/srpmproc.yml
Normal file
50
ansible/playbooks/vars/mounts/srpmproc.yml
Normal file
@ -0,0 +1,50 @@
|
||||
---
|
||||
x-efs_fs_opts_common: &common_fs_opts
|
||||
fstype: efs
|
||||
fsopts:
|
||||
- _netdev
|
||||
- tls
|
||||
- iam
|
||||
- rw
|
||||
|
||||
mounts:
|
||||
- name: prod-build-repos-internal
|
||||
<<: *common_fs_opts
|
||||
fsid: fs-XXXXXXX1
|
||||
mount_point: /mnt/repos-internal
|
||||
ip_map:
|
||||
us-east-2a: 10.101.100.248
|
||||
us-east-2b: 10.101.101.248
|
||||
us-east-2c: 10.101.102.248
|
||||
- name: prod-koji
|
||||
<<: *common_fs_opts
|
||||
fsid: fs-XXXXXXX2
|
||||
mount_point: /mnt/koji
|
||||
ip_map:
|
||||
us-east-2a: 10.101.100.247
|
||||
us-east-2b: 10.101.101.247
|
||||
us-east-2c: 10.101.102.247
|
||||
- name: prod-build-compose
|
||||
<<: *common_fs_opts
|
||||
fsid: fs-XXXXXXX3
|
||||
mount_point: /mnt/compose
|
||||
ip_map:
|
||||
us-east-2a: 10.101.100.250
|
||||
us-east-2b: 10.101.101.250
|
||||
us-east-2c: 10.101.102.250
|
||||
- name: prod-build-repos-staging
|
||||
<<: *common_fs_opts
|
||||
fsid: fs-XXXXXXX4
|
||||
mount_point: /mnt/repos-staging
|
||||
ip_map:
|
||||
us-east-2a: 10.101.100.249
|
||||
us-east-2b: 10.101.101.249
|
||||
us-east-2c: 10.101.102.249
|
||||
- name: prod-build-repos-production
|
||||
<<: *common_fs_opts
|
||||
fsid: fs-XXXXXXX5
|
||||
mount_point: /mnt/repos-production
|
||||
ip_map:
|
||||
us-east-2a: 10.101.100.246
|
||||
us-east-2b: 10.101.101.246
|
||||
us-east-2c: 10.101.102.246
|
64
ansible/playbooks/vars/pinnwand.yml
Normal file
64
ansible/playbooks/vars/pinnwand.yml
Normal file
@ -0,0 +1,64 @@
|
||||
---
|
||||
# pinnwand
|
||||
|
||||
firewall_rules:
|
||||
- port: 443/tcp
|
||||
permanent: true
|
||||
state: enabled
|
||||
- port: 9100/tcp
|
||||
permanent: true
|
||||
state: enabled
|
||||
|
||||
tls_ca_cert: "/etc/pki/tls/certs/ca-bundle.crt"
|
||||
tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
|
||||
tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
|
||||
|
||||
ipa_getcert_requested_hostnames:
|
||||
- name: "{{ ansible_fqdn }}"
|
||||
owner: nginx
|
||||
key_location: "{{ tls_key }}"
|
||||
cert_location: "{{ tls_cert }}"
|
||||
postcmd: "/bin/systemctl reload nginx"
|
||||
|
||||
pinnwand_config:
|
||||
database:
|
||||
scheme: postgresql
|
||||
username: pinnwand
|
||||
password: "{{ _pinnwand_db_rw_pass }}"
|
||||
hostname: "db.rockylinux.org"
|
||||
port: 5432
|
||||
database: pinnwand_db
|
||||
paste_size: 10485760
|
||||
preferred_lexers: []
|
||||
logo_path: /opt/pinnwand/logo.png
|
||||
page_path: /tmp
|
||||
page_list:
|
||||
- about
|
||||
- removal
|
||||
- expiry
|
||||
footer: ''
|
||||
paste_help: ''
|
||||
report_email: 'abuse@rockylinux.org'
|
||||
expiries:
|
||||
- name: 1hour
|
||||
time: 3600
|
||||
- name: 1day
|
||||
time: 86400
|
||||
- name: 1week
|
||||
time: 604800
|
||||
- name: forever
|
||||
time: 4294967294
|
||||
ratelimits:
|
||||
- name: read
|
||||
capacity: 100
|
||||
consume: 1
|
||||
refill: 2
|
||||
- name: create
|
||||
capacity: 2
|
||||
consume: 2
|
||||
refill: 1
|
||||
- name: delete
|
||||
capacity: 2
|
||||
consume: 2
|
||||
refill: 1
|
||||
spamscore: 50
|
Loading…
Reference in New Issue
Block a user