Aurélien Bompard
0c6153cebe
Create an IPA service for monitoring and use it for check-ipa-free-ids
...
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2025-07-10 11:46:05 +02:00
Kevin Fenzi
1b67cfcf3b
releng-compose: filter some more users that should be local
...
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-07-03 13:58:56 -07:00
Nils Philippsen
6c85fda0c9
Mass remove/replace iad2 -> rdu3, 10.3. -> 10.16.
...
Signed-off-by: Nils Philippsen <nils@redhat.com>
2025-07-03 20:05:02 +02:00
Kevin Fenzi
90ed0a38e0
pkgs: change the pagure user to uid 1000 for suexec, block in sssd
...
The pagure user needs to be uid 1000 because suexec won't let users with
uid under that suexec. ;(
Also, filter pagure user out in sssd so we get the local user.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-07-02 15:25:17 -07:00
Michal Konecny
f1b1deb66f
[ipa/server] Increase nsslapd sizelimit
...
It seems that the issue https://github.com/dogtagpki/pki/issues/5133 we
are hitting now is because the limit on the newly deployed is set only
to 2000, which makes it reach the LDAP administrative limit.
2025-06-25 11:47:25 +00:00
Aurélien Bompard
2e243f0b28
SSSd wants its conf snippets to have the same perms as sssd.conf
...
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2025-06-24 17:38:45 +02:00
Aurélien Bompard
2695b3448a
Toddlers in IPA: use the full host name
...
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2025-06-23 17:24:03 +02:00
Aurélien Bompard
8be052d10f
Toddler cleaning-packager-groups: fix service name
...
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2025-06-23 17:05:17 +02:00
Michal Konecny
f431d2f851
[ipa/server] Remove the version restriction
...
https://issues.redhat.com/browse/RHEL-97591 is now resolved so we can
remove the versions restriction.
2025-06-23 09:23:46 +00:00
Michal Konecny
6cbff995cb
[ipa/server] Remove parameters from replication
...
When trying to debug RDU3 replication issue I found out that these two
parameters are actually obfuscating any issues that could happen.
Let's remove them then.
2025-06-19 15:37:17 +02:00
Michal Konecny
57e5bd9eda
[ipa/server] Install older version of ipa-server-dns
...
Another package affected by https://issues.redhat.com/browse/RHEL-97591
2025-06-19 10:53:46 +02:00
Michal Konecny
07d296fbcd
[ipa/server] Install older version of ipa-server
...
This is just a temporary solution till
https://issues.redhat.com/browse/RHEL-97591 is solved.
2025-06-19 10:26:08 +02:00
Michal Konecny
9ade63d3ba
[ipa/server] Remove KRA role from deployment
...
We never used the KRA vault in IPA, so let's remove it till we really
have usage for it.
2025-06-17 10:17:38 +00:00
Lenka Segura
cdf6c65af3
[ipaserver] Add toddlers tag to Get admin ticket
...
Signed-off-by: Lenka Segura <lsegura@redhat.com>
2025-05-29 11:26:50 +02:00
Lenka Segura
82354291b6
[ipaserver] Include toddlers setup for prod
...
Signed-off-by: Lenka Segura <lsegura@redhat.com>
2025-05-29 10:26:09 +02:00
Michal Konecny
c4948ba32e
[ipa] Add kra role to replicas
...
As we were finally able to resolve the issue of replica installation
failing when KRA role is enabled, we can now enable it by default in
playbook.
See https://pagure.io/fedora-infrastructure/issue/12158 for more info.
2025-05-22 15:11:06 +02:00
Aurélien Bompard
d884a0f8ba
Use the combined RabbitMQ CA cert in the clients
...
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2025-04-11 15:15:45 +02:00
Aurélien Bompard
46a8152c61
Deploy journal2fedmsg to prod
...
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2025-04-01 12:05:17 +02:00
Aurélien Bompard
394b92cb19
simplify the config file using a variable
...
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2025-04-01 11:47:42 +02:00
Michal Konecny
80adc4e729
[ipa/server] Don't ask for user input
...
As the pause module is only executed on first machine in the group I
decided to rather remove it completely.
This means that the replica will only be reinstalled, if the machine
isn't master node and the /var/log/ipainstall.log doesn't exist.
If somebody wants to re-install the replica they just need to remove
/var/log/ipainstall.log and the playbook will do the rest.
2025-03-31 15:44:16 +02:00
Michal Konecny
40136bda42
[ipa/server] Don't ask for reinstall in some cases
...
Don't ask for reinstall when this is master node or the install log is
already created.
2025-03-31 15:17:48 +02:00
Aurélien Bompard
17cd3edbc7
Create missing dir
...
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2025-03-28 14:50:37 +01:00
Aurélien Bompard
292c7f6c6e
Deploy journal-to-fedora-messaging on IPA (staging for now)
...
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2025-03-28 12:37:56 +01:00
David Kirwan
809c90e5da
IPA: add user zabbix to fedora-nss-ignore.conf
...
Signed-off-by: David Kirwan <davidkirwanirl@gmail.com>
2025-03-21 16:25:30 +00:00
Kevin Fenzi
58bbbca299
ipa: make sure a bunch of calls do not log sensitive data
...
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-03-20 14:48:12 -07:00
Aurélien Bompard
097b8f9214
Give the clean packagers groups toddler access to the corresponding service's keytab
...
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2025-02-25 08:54:06 +01:00
Aurélien Bompard
a508708744
IPA: do the toddlers user setup before destroying the admin ticket
...
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2025-02-19 12:20:08 +01:00
Aurélien Bompard
b3c7a683e2
IPA: setup a toddlers service to remove users from groups
...
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2025-02-19 12:16:05 +01:00
Kevin Fenzi
d3975febbe
ipa/client: sssd drop in needs to be same permission as sssd.conf also
...
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-02-16 14:35:32 -08:00
Kevin Fenzi
258fa9fd14
ipa/client: sssd drop in needs to be owned by root, sssd changes it on restart
...
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-02-16 10:31:28 -08:00
Michal Konecny
2ec055db6f
Use first uppercase letter for all handlers
...
This will unify all the handlers to use first uppercase letter for
ansible-lint to stop complaining.
I went through all `notify:` occurrences and fixed them by running
```
set TEXT "text_to_replace"; set REPLACEMENT "replacement_text"; git grep -rlz "$TEXT" . | xargs -0 sed -i "s/$TEXT/$REPLACEMENT/g"
```
Then I went through all the changes and removed the ones that weren't
expected to be changed.
Fixes https://pagure.io/fedora-infrastructure/issue/12391
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
2025-02-10 20:31:49 +00:00
Kevin Fenzi
9af79d19ee
handlers: fix another name change
...
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-01-24 14:11:11 -08:00
Kevin Fenzi
13266214d2
ipa / handlers: Fix call to 'restart sssd' that is now 'Restart sssd'
...
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-01-15 16:36:11 -08:00
Ryan Lerch
47c68f478d
ansiblelint fixes - fqcn[action-core] - template to ansible.builtin.template
...
Replaces references to template: with ansible.builtin.template
Signed-off-by: Ryan Lerch <rlerch@redhat.com>
2025-01-15 11:30:29 +10:00
Ryan Lerch
3c41882bb0
ansiblelint fixes - fqcn[action-core] - shell to ansible.builtin.shell
...
Replaces references to shell: with ansible.builtin.shell
Signed-off-by: Ryan Lerch <rlerch@redhat.com>
2025-01-15 11:29:10 +10:00
Ryan Lerch
25391e95b7
ansiblelint fixes - fqcn[action-core] - package to ansible.builtin.package
...
Replaces many references to package: with ansible.builtin.package
Signed-off-by: Ryan Lerch <rlerch@redhat.com>
2025-01-15 11:28:00 +10:00
Ryan Lerch
462176464b
ansiblelint fixes-- fqcn[action-core] - command to ansible.builtin.command
...
Replaces many references to command: with ansible.builtin.command
Signed-off-by: Ryan Lerch <rlerch@redhat.com>
2025-01-15 11:26:47 +10:00
Ryan Lerch
62952df107
ansiblelint fixes-- fqcn[action-core] - file to ansible.builtin.file
...
Replaces many references to file: with ansible.builtin.file
Signed-off-by: Ryan Lerch <rlerch@redhat.com>
2025-01-15 10:41:52 +10:00
Ryan Lerch
691adee6ee
Fix name[casing] ansible-lint issues
...
fix 1900 failures of the following case issue:
`name[casing]: All names should start with an uppercase letter.`
Signed-off-by: Ryan Lerch <rlerch@redhat.com>
2025-01-14 20:20:07 +10:00
Kevin Fenzi
ce1f5b02e6
ipa_client: on f40 there is no sssd user, so files are owned by root
...
On rhel and f41+ there is a sssd user, so we should use that.
If we don't, sssd will change the ownership on restart, meaning we flip
it back and forth each time we run the playbook.
remember to remove this when fedora 40 is all gone from infra
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2024-12-10 14:43:47 -08:00
Kevin Fenzi
df36530d00
ipa_client: add tag for nss ignore file to allow globally updating it.
...
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2024-12-10 14:01:54 -08:00
Kevin Fenzi
aaa29839fa
ipa_client: the fedora-sss-ignore.conf file should be owned by sssd user/group
...
We change this to root/root and then restart sssd and it changes it
back. So, let's do this right and let it be sssd/sssd.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2024-12-09 17:54:13 -08:00
Ryan Lerch
89f6f1fc32
Fix majority of remaining yamllint warnings and errors
...
Signed-off-by: Ryan Lerch <rlerch@redhat.com>
2024-11-28 17:31:45 +10:00
Kevin Fenzi
3a2623218d
ipa client: filter out mysql user from ipa/ldap
...
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2024-11-20 16:48:40 -08:00
Kevin Fenzi
ae7be1e4e0
ipa: add a tag to fix the ipa re-writes
...
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2024-11-20 12:42:36 -08:00
Michal Konecny
3860204d34
[ipa/server] Add tags to logrotate config
...
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
2024-11-07 14:15:35 +01:00
Michal Konecny
d85e39b488
[ipa/server] Correctly format the failure condition
...
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
2024-11-07 14:07:38 +01:00
Michal Konecny
f1eae89e18
[ipa/server] Move the files to separate line
...
It seems that the command module in argv is adding space at the start of
file name when it's not on its own line.
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
2024-11-07 13:41:57 +01:00
Michal Konecny
a40c051f55
[ipa/server] Use full path to ldapmodify binary
...
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
2024-11-07 13:26:43 +01:00
Michal Konecny
e2ca17657a
[ipa/server] Wrap jinja2 parameter in string
...
This should hopefully fix the "No such file or directory" error
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
2024-11-07 11:54:45 +01:00