--- # # This is the base role for all machines. # Things in here are things we want to do to every machine no matter what. # # On fedora and rhel larger than 7, all we need is policycoreutils-python-utils, # which in turn pulls in python3-policycoreutils # - name: Ensure packages required for semanage are installed (fedora/rhel8) ansible.builtin.package: name=policycoreutils-python-utils state=present when: ansible_distribution_major_version|int > 7 tags: - selinux - name: Global default packages to install (dnf) dnf: state=present name="{{ global_pkgs_inst }}" tags: - packages - base when: > ansible_distribution_major_version|int >= 8 and ansible_distribution == 'RedHat' and ansible_cmdline.ostree is not defined - name: Global default packages to install (dnf) dnf: state=present name="{{ global_pkgs_inst }}" tags: - packages - base when: > ansible_distribution_major_version|int > 29 and ansible_distribution == 'Fedora' and ansible_cmdline.ostree is not defined - name: Make sure hostname is set right on all hosts hostname: name="{{inventory_hostname}}" # # We set builders root password in the koji_builder role, so do not set those here # - name: Set root passwd user: name=root password={{ rootpw }} state=present tags: - rootpw - base when: - not inventory_hostname.startswith(('buildvm-','buildhw-','bkernel','koji','compose')) - not inventory_hostname.startswith('copr') - name: Add ansible root key authorized_key: user=root key="{{ item }}" with_file: - ansible-pub-key tags: - config - base - name: Dist pkgs to remove (yum) ansible.builtin.package: state=absent name={{ item }} with_items: - "{{ base_pkgs_erase }}" tags: - packages - base when: ansible_distribution_major_version|int < 8 and ansible_distribution == 'RedHat' - name: Dist pkgs to install (yum) ansible.builtin.package: state=present name={{ item }} with_items: - "{{ base_pkgs_inst }}" tags: - packages - base when: ansible_distribution_major_version|int < 8 and ansible_distribution == 'RedHat' - name: Dist pkgs to remove (dnf) dnf: state=absent name="{{ base_pkgs_erase }}" tags: - packages - base when: > ansible_distribution_major_version|int > 29 and ansible_distribution == 'Fedora' and ansible_cmdline.ostree is not defined - name: Dist pkgs to remove (dnf) dnf: state=absent name="{{ base_pkgs_erase }}" tags: - packages - base when: > ansible_distribution_major_version|int >= 8 and ansible_distribution == 'RedHat' and ansible_cmdline.ostree is not defined - name: Dist pkgs to install (dnf) dnf: state=present name="{{ base_pkgs_inst }}" tags: - packages - base when: > ansible_distribution_major_version|int > 29 and ansible_distribution == 'Fedora' and ansible_cmdline.ostree is not defined - name: Dist pkgs to install (dnf) dnf: state=present name="{{ base_pkgs_inst }}" tags: - packages - base when: > ansible_distribution_major_version|int >= 8 and ansible_distribution == 'RedHat' and ansible_cmdline.ostree is not defined - name: Dist disabled services service: state=stopped enabled=false name={{ item }} with_items: - "{{ service_disabled }}" tags: - service - config - base - name: Dist enabled services service: state=started enabled=true name={{ item }} with_items: - "{{ service_enabled }}" tags: - service - config - base when: > ansible_distribution_major_version|int > 31 and ansible_distribution == 'Fedora' or ansible_distribution == 'RedHat' - name: Ensure iptables is installed ansible.builtin.package: state=present name=iptables tags: - packages - base when: not nftables - name: On F42+ ppc64le Ensure iptables-legacy is installed as well ansible.builtin.package: state=present name=iptables-legacy tags: - packages - base when: > not nftables and ansible_distribution_major_version|int >= 42 and ansible_distribution == 'Fedora' and ansible_architecture == 'ppc64le' - name: Ensure nftables is not installed ansible.builtin.package: state=absent name=nftables tags: - packages - base when: not nftables - name: Ensure nftables is installed ansible.builtin.package: state=present name=nftables tags: - packages - base when: nftables - name: Ensure iptables is not installed ansible.builtin.package: state=absent name=iptables tags: - packages - base when: nftables - name: Ensure ipset is installed ansible.builtin.package: state=present name=ipset tags: - packages - base when: not nftables - name: Setup builder ipset if this is a new install ansible.builtin.shell: "/usr/sbin/ipset create osbuildapi hash:ip; touch /etc/sysconfig/ipset-osbuildapi" args: creates: /etc/sysconfig/ipset-osbuildapi when: - "'osbuild' in group_names" - not nftables tags: - base - iptables # Note that these should do both iptables/ipset and nftables... - name: Install blocklist update script ansible.builtin.copy: src: "{{ private }}/files/blocklist/blocklist-update.sh" dest: /usr/local/bin/blocklist-update.sh owner: root group: root mode: "0700" tags: - base - iptables - blocklist when: "'rdu3' not in inventory_hostname or (external is defined and external | bool)" - name: Setup blocklist update cron job cron: name: blocklist-update user: root minute: 15 hour: "*/2" job: "/usr/local/bin/blocklist-update.sh force >& /dev/null" when: "'rdu3' not in inventory_hostname or (external is defined and external | bool)" tags: - base - iptables - blocklist - name: Iptables ansible.builtin.template: src: "{{ item }}" dest: /etc/sysconfig/iptables mode: '0600' validate: "/sbin/iptables-restore --test %s" with_first_found: - iptables/iptables.{{ datacenter }} - iptables/iptables.{{ inventory_hostname }} - iptables/iptables.{{ host_group }} - iptables/iptables.{{ env }} - iptables/iptables when: - baseiptables|bool - not nftables notify: - Restart iptables - Reload libvirtd tags: - iptables - config - base - name: Nftables ipv4 ansible.builtin.template: src: "{{ item }}" dest: /etc/nftables/fedora-infra-ipv4.nft mode: '0600' validate: "/sbin/nft --check --file %s" with_first_found: - nftables/nftables.{{ datacenter }} - nftables/nftables.{{ inventory_hostname }} - nftables/nftables.{{ host_group }} - nftables/nftables.{{ env }} - nftables/nftables when: - baseiptables|bool - nftables notify: - Restart nftables - Reload libvirtd tags: - iptables - config - base - name: Iptables service enabled service: name=iptables state=started enabled=true tags: - iptables - service - base when: - baseiptables|bool - not nftables - name: Nftables service enabled service: name=nftables state=started enabled=true tags: - iptables - service - base when: - baseiptables|bool - nftables - name: Ip6tables ansible.builtin.template: src={{ item }} dest=/etc/sysconfig/ip6tables mode=0600 backup=yes with_first_found: - iptables/ip6tables.{{ datacenter }} - iptables/ip6tables.{{ inventory_hostname }} - iptables/ip6tables.{{ host_group }} - iptables/ip6tables.{{ env }} - iptables/ip6tables when: - baseiptables|bool - not nftables notify: - Restart ip6tables - Reload libvirtd tags: - ip6tables - config - base - name: Nftables ipv6 ansible.builtin.template: src: "{{ item }}" dest: /etc/nftables/fedora-infra-ipv6.nft mode: '0600' validate: "/sbin/nft --check --file %s" with_first_found: - nftables/nftables-ipv6.{{ datacenter }} - nftables/nftables-ipv6.{{ inventory_hostname }} - nftables/nftables-ipv6.{{ host_group }} - nftables/nftables-ipv6.{{ env }} - nftables/nftables-ipv6 when: - baseiptables|bool - nftables notify: - Restart nftables - Reload libvirtd tags: - ip6tables - config - base - name: Nftables sysconfig ansible.builtin.template: src: "{{ item }}" dest: /etc/sysconfig/nftables.conf mode: '0600' validate: "/sbin/nft --check --file %s" with_first_found: - nftables/sysconfig.conf when: - baseiptables|bool - nftables notify: - Restart nftables - Reload libvirtd tags: - iptables - config - base - name: Ip6tables service enabled service: name=ip6tables state=started enabled=true tags: - ip6tables - service - base when: - baseiptables|bool - not nftables - name: Ip6tables service disabled service: name=ip6tables state=stopped enabled=false tags: - ip6tables - service - base when: - baseiptables|bool - nftables - ansible_distribution_major_version|int > 8 - name: Enable journald persistence ansible.builtin.file: path=/var/log/journal state=directory owner=root group=systemd-journal mode=2755 when: ansible_distribution_major_version|int >= 7 and ansible_distribution == 'RedHat' tags: - journald - config - base notify: - Flush journald tmpfiles to persistent store - name: Enable journald persistence ansible.builtin.file: path=/var/log/journal state=directory owner=root group=systemd-journal mode=2755 when: ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora' tags: - journald - config - base notify: - Flush journald tmpfiles to persistent store - name: Install rh ca for splunk ansible.builtin.copy: src={{ private }}/files/splunk-certs/2022-IT-Root-CA.pem dest=/etc/pki/tls/certs/2022-IT-Root-CA.pem tags: - rsyslogd - config - base when: inventory_hostname.startswith('log01') - name: Ensure packages required for rsyslog are installed ansible.builtin.package: name={{ item }} state=present with_items: - rsyslog-gnutls tags: - rsyslogd - config - base when: inventory_hostname.startswith('log01') - name: Rsyslog.conf ansible.builtin.copy: src={{ item }} dest=/etc/rsyslog.conf mode=0644 with_first_found: - rsyslog/rsyslog.conf.{{ inventory_hostname }} - rsyslog/rsyslog.conf.{{ dist_tag }} - rsyslog/rsyslog.conf.default notify: - Restart rsyslog tags: - rsyslogd - config - base - name: Rsyslog log rotate for rsyslog servers ansible.builtin.copy: src=rsyslog/merged-rsyslog dest=/etc/logrotate.d/merged-rsyslog mode=0644 when: inventory_hostname.startswith('log') notify: - Restart rsyslog tags: - rsyslogd - config - base - name: Add rsyslog config to /etc/rsyslog.d ansible.builtin.copy: src={{ item }} dest=/etc/rsyslog.d/ owner=root group=root mode=0644 with_fileglob: - rsyslog/*.conf notify: - Restart rsyslog tags: - rsyslogd - config - base - name: Rsyslog-audit.conf ansible.builtin.copy: src={{ item }} dest=/etc/rsyslog.d/rsyslog-audit.conf owner=root group=root mode=0644 with_first_found: - rsyslog/rsyslog-audit.conf.{{ datacenter }} - rsyslog/rsyslog-audit.conf.default notify: - Restart rsyslog tags: - rsyslogd - config - base - name: Log everything to log01 except on mirrorlist, do not log local4 there. ansible.builtin.copy: src=rsyslog/rsyslog-log01 dest=/etc/rsyslog.d/rsyslog-log01.conf mode=0644 when: not inventory_hostname.startswith(('mirrorlist','copr')) tags: - rsyslogd - config - base - name: Log everything to log01 except on mirrorlist, do log local4 there. ansible.builtin.copy: src=rsyslog/rsyslog-log01-nolocal4 dest=/etc/rsyslog.d/rsyslog-log01.conf mode=0644 when: inventory_hostname.startswith('mirrorlist') tags: - rsyslogd - config - base - name: Rsyslogd make systemd limits directory for file handles ansible.builtin.file: dest=/etc/systemd/system/rsyslog.service.d/ mode=0755 owner=root group=root state=directory when: inventory_hostname.startswith('log') or inventory_hostname.startswith('people') tags: - rsyslogd - config - name: Rsyslogd put systemd limits directory for file handles ansible.builtin.copy: src=rsyslog/rsyslog-limits-systemd dest=/etc/systemd/system/rsyslog.service.d/limits.conf mode=0644 when: inventory_hostname.startswith('log') or inventory_hostname.startswith('people') tags: - rsyslogd - config # Custom selinux policy to allow rsyslog to read and send audit to log01 - name: Ensure a directory exists for our custom selinux module ansible.builtin.file: dest=/usr/local/share/rsyslog state=directory tags: - rsyslogd - config - rsyslog-audit - name: Copy over our custom selinux module ansible.builtin.copy: src=selinux/rsyslog-audit.pp dest=/usr/local/share/rsyslog/rsyslog-audit.pp register: selinux_module tags: - rsyslogd - config - rsyslog-audit - name: Install our custom selinux module ansible.builtin.command: semodule -i /usr/local/share/rsyslog/rsyslog-audit.pp when: selinux_module is changed and ansible_distribution_major_version|int > 6 tags: - rsyslogd - config - rsyslog-audit # Custom selinux policy to allow unix_chkpwd to map PAM database - name: Copy over our custom selinux module ansible.builtin.copy: src=selinux/mapchkpwd.pp dest=/usr/local/share/mapchkpwd.pp register: selinux_module when: ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora' tags: - config - selinux # Custom selinux policy to allow unix_chkpwd to map PAM database - name: Copy over our custom selinux module ansible.builtin.copy: src=selinux/mapchkpwd.pp dest=/usr/local/share/mapchkpwd.pp register: selinux_module when: ansible_distribution_major_version|int >= 8 and ansible_distribution == 'RedHat' tags: - config - selinux - name: Install our custom selinux module ansible.builtin.command: semodule -i /usr/local/share/mapchkpwd.pp when: selinux_module is changed tags: - selinux - config - name: Setup postfix import_tasks: postfix.yml # # This task installs some common scripts to /usr/local/bin # scripts are under roles/base/files/common-scripts # - name: Install common scripts ansible.builtin.copy: src={{ item }} dest=/usr/local/bin/ owner=root group=root mode=0755 with_fileglob: - common-scripts/* tags: - config - base - common-scripts # # Watchdog stuff # - name: Set up watchdog import_tasks: watchdog.yml # Set PS1 to show stage environment at PS1 # - name: Set PS1 for stage in /etc/profile.d ansible.builtin.copy: > src=setstgps1.sh dest="/etc/profile.d/setstgps1.sh" owner=root group=root mode=0644 when: env == 'staging' tags: - base - config - prompt # Set PS1 to show prod environment at PS1 # - name: Set PS1 for prod in /etc/profile.d ansible.builtin.copy: > src=setprodps1.sh dest="/etc/profile.d/setprodps1.sh" owner=root group=root mode=0644 when: env == 'production' and datacenter != 'rdu3' tags: - base - config - prompt # Set PS1 to show prod-rdu3 environment at PS1 # - name: Set PS1 for prod rdu3 in /etc/profile.d ansible.builtin.copy: > src=setprodrdu3ps1.sh dest="/etc/profile.d/setprodrdu3ps1.sh" owner=root group=root mode=0644 when: env == 'production' and datacenter == 'rdu3' tags: - base - config - prompt # Set krb5 conf - name: Configure krb5 ansible.builtin.template: src=krb5.conf.j2 dest=/etc/krb5.conf owner=root group=root mode=0644 when: not inventory_hostname.startswith('ipa') tags: - base - config - krb5 - name: Configure krb5 (IPA master) ansible.builtin.template: src=krb5.conf.master.j2 dest=/etc/krb5.conf owner=root group=root mode=0644 when: inventory_hostname.startswith('ipa') tags: - base - config - krb5 - name: Setup host keytab import_tasks: keytab.yml when: not inventory_hostname.startswith('ipa') # SSSD-KCM has been showing way too many bugs with it saying "I have a ticket" while the ticket # is actually expired, and kinit's still not refreshing them and such alike. # Let's just nuke it for now. - name: We do NOT use sssd-kcm ansible.builtin.file: path=/etc/krb5.conf.d/kcm_default_ccache state=absent tags: - base - config - krb5 # rhel8 hosts do not have /usr/bin/python, but there are a few things we call # with that because they also run the same on python2 hosts. # So, we set python3 to /usr/bin/python on those hosts: - name: Ensure that platform-python is installed on EL8 boxes ansible.builtin.package: name={{ item }} state=present with_items: - platform-python when: ansible_distribution == 'RedHat' and ansible_distribution_major_version|int == 8 tags: - base - config - python3alternative - name: Set /usr/bin/python to python3 on rhel8 hosts alternatives: name: python link: /usr/bin/python path: /usr/bin/python3 when: ansible_distribution == 'RedHat' and ansible_distribution_major_version|int == 8 tags: - base - config - python3alternative - name: Cron jobs to compress logs under /var/log/hosts and /mnt/fedora_stats ansible.builtin.copy: src=compress-log.cron dest=/etc/cron.d/ mode=0644 tags: - compress when: inventory_hostname.startswith('log0') - name: Set crypto-policy to LEGACY on fedora 33 hosts to get 2fa working import_tasks: crypto-policies.yml - name: Proxy log rotate for proxy servers ansible.builtin.copy: src="{{ files }}/common/rsyslog-logrotate" dest=/etc/logrotate.d/rsyslog mode=0644 when: inventory_hostname.startswith('proxy') notify: - Restart rsyslog tags: - rsyslogd - config - base - name: Setup Message of the Day (motd) import_tasks: motd.yml