WarlockFish/fedora-infra_ansible
1
0
Fork 0
mirror of https://pagure.io/fedora-infra/ansible.git synced 2026-04-26 19:42:55 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
012447730e5696794deac2deb741bab16d2f28b2
fedora-infra_ansible/roles/fas_server/tasks/main.yml
Aurélien Bompard ea1c8eabd2 fas_client / fas_server: update package command to not use items 
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2019-06-11 15:07:12 +00:00

387 lines
8.0 KiB
YAML
Raw Blame History

---
# Tasks to set up fas_server
- name: install needed packages
package:
state: present
name:
- fas
- fas-plugin-yubikey
- python-turbojson
- python-tgcaptcha
- httpd
- mod_wsgi
- python-bunch
- python-requests-kerberos
tags:
- packages
- fas
- name: install needed packages
package:
state: present
name:
- krb5-workstation
- python-requests-kerberos
tags:
- packages
- fas
- name: install IPA keytab
copy: >
src="{{ private }}/files/keytabs/{{env}}/fas_sync"
dest="/etc/fas_sync_keytab"
owner=fas
group=fas
mode=0600
tags:
- config
- fas
- name: install ipa public cert
copy: src=ipa.{{env}}.pem dest=/etc/fas_sync_cert.pem owner=root group=root mode=0644
tags:
- config
- fas
- name: enable httpd_can_network_connect selinux boolean
seboolean: name={{ item }} state=yes persistent=yes
with_items:
- httpd_can_network_connect
- allow_ypbind
tags:
- config
- fas
- name: setup /var/www/.python-eggs directory
file: path=/var/www/.python-eggs owner=apache group=apache mode=0700 state=directory
tags:
- config
- fas
- name: setup /etc/fas-gpg directory
file: path=/etc/fas-gpg owner=fas group=fas mode=0700 state=directory setype=httpd_sys_rw_content_t
tags:
- config
- fas
- name: install /etc/httpd/conf.d/accounts.conf file
template: >
src="fas-app.conf.j2"
dest="/etc/httpd/conf.d/accounts.conf"
owner=root
group=root
mode=0644
notify:
- reload httpd
tags:
- config
- fas
- name: setup /etc/pki/fas directory
file: path=/etc/pki/fas owner=fas group=fas mode=0755 state=directory
tags:
- config
- fas
- name: install pythonsitelib/fas/config/log.cfg
copy: >
src="fas-log.cfg"
dest="/usr/lib/python2.6/site-packages/fas/config/log.cfg"
owner=root
group=root
mode=0644
notify:
- reload httpd
tags:
- config
- fas
# $bugzillaUser = "fedora-admin-xmlrpc@redhat.com"
- name: install /etc/fas-gpg/pubring.gpg file
copy: >
src="{{ private }}/files/fas-gpg/pubring.gpg"
dest="/etc/fas-gpg/pubring.gpg"
owner=fas
group=fas
mode=0600
tags:
- config
- fas
- name: install /etc/pki/fas/fedora-server-ca.cert file
copy: >
src="{{ private }}/files/fedora-ca.cert"
dest="/etc/pki/fas/fedora-server-ca.cert"
owner=fas
group=fas
mode=0644
tags:
- config
- fas
- name: install /etc/pki/fas/fedora-upload-ca.cert file
copy: >
src="{{ private }}/files/fedora-ca.cert"
dest="/etc/pki/fas/fedora-upload-ca.cert"
owner=fas
group=fas
mode=0644
tags:
- config
- fas
- name: install /usr/share/fas/static/fedora-server-ca.cert file
copy: >
src="{{ private }}/files/fedora-ca.cert"
dest="/usr/share/fas/static/fedora-server-ca.cert"
owner=root
group=root
mode=0644
tags:
- config
- fas
- name: install /usr/share/fas/static/fedora-upload-ca.cert file
copy: >
src="{{ private }}/files/fedora-ca.cert"
dest="/usr/share/fas/static/fedora-upload-ca.cert"
owner=root
group=root
mode=0644
tags:
- config
- fas
- name: install /etc/fas.cfg file
template: >
src="fas.cfg.j2"
dest="/etc/fas.cfg"
owner=fas
group=apache
mode=0640
notify:
- reload httpd
tags:
- config
- fas
- name: install /usr/local/bin/yubikey-remove.py file
template: >
src="yubikey-remove.py.j2"
dest="/usr/local/bin/yubikey-remove.py"
owner=fas
group=fas
mode=0750
tags:
- config
- fas
# $gen_cert = "True"
- name: install /etc/fas.cfg file
template: >
src="fas.cfg.j2"
dest="/etc/fas.cfg"
owner=fas
group=apache
mode=0640
when: master_fas_node == True
notify:
- reload httpd
tags:
- config
- fas
- name: setup /var/lock/fedora-ca directory
file: path=/var/lock/fedora-ca owner=fas group=fas mode=0700 state=directory setype=var_lock_t
when: master_fas_node == True
tags:
- config
- fas
- name: setup /var/lib/fedora-ca directory
file: path=/var/lib/fedora-ca owner=fas group=fas mode=0771 state=directory setype=httpd_sys_content_t
when: master_fas_node == True
tags:
- config
- fas
#- name: install /var/lib/fedora-ca/.rnd file
# file: path=/var/lib/fedora-ca/.rnd owner=fas group=fas mode=0600 setype=httpd_sys_content_t
# when: master_fas_node == True
# tags:
# - config
# - fas
- name: setup /var/lib/fedora-ca/newcerts directory
file: path=/var/lib/fedora-ca/newcerts owner=fas group=fas mode=0700 state=directory
when: master_fas_node == True
tags:
- config
- fas
- name: setup /var/lib/fedora-ca/private directory
file: path=/var/lib/fedora-ca/private owner=fas group=fas mode=0700 state=directory
when: master_fas_node == True
tags:
- config
- fas
- name: install /var/lib/fedora-ca/private/cakey.pem file
copy: >
src="{{ private }}/files/cakey.pem"
dest="/var/lib/fedora-ca/private/cakey.pem"
owner=fas
group=fas
mode=0400
when: master_fas_node == True
tags:
- config
- fas
- name: install /var/lib/fedora-ca/Makefile file
copy: >
src="Makefile.fedora-ca"
dest="/var/lib/fedora-ca/Makefile"
owner=root
group=root
mode=0644
when: master_fas_node == True
tags:
- config
- fas
- name: install /var/lib/fedora-ca/openssl.cnf file
copy: >
src="fedora-ca-client-openssl.cnf"
dest="/var/lib/fedora-ca/openssl.cnf"
owner=root
group=root
mode=0644
when: master_fas_node == True
tags:
- config
- fas
- name: install /var/lib/fedora-ca/certhelper.py file
copy: >
src="certhelper.py"
dest="/var/lib/fedora-ca/certhelper.py"
owner=root
group=root
mode=0755
when: master_fas_node == True
tags:
- config
- fas
- name: install /var/lib/fedora-ca/cacert.pem file
copy: >
src="{{ private }}/files/fedora-ca.cert"
dest="/var/lib/fedora-ca/cacert.pem"
owner=root
group=root
mode=0644
when: master_fas_node == True
tags:
- config
- fas
#For publishing the crl
- name: setup /srv/web/ca directory
file: path=/srv/web/ca owner=apache group=apache mode=0755 state=directory
when: master_fas_node == True
tags:
- config
- fas
- name: twice every month, force a new crl to be created
cron: >
name="gen-crl"
job="cd /var/lib/fedora-ca ; /usr/bin/make gencrl &> /dev/null"
user="fas"
minute="0"
hour="0"
day="1,15"
when: master_fas_node == True
tags:
- config
- fas
- name: create directory /var/lib/fedora-ca/crl/
file: path={{ item }} state=directory
with_items:
- /var/lib/fedora-ca/crl/
tags:
- fas
- name: touch /var/lib/fedora-ca/crl/crl.pem and /var/lib/fedora-ca/cacert.pem
command: touch /var/lib/fedora-ca/cacert.pem /var/lib/fedora-ca/crl/crl.pem
when: master_fas_node == True
changed_when: "1 != 1"
tags:
- config
- fas
- name: create /srv/web/ca/crl.pem link
file: path="/srv/web/ca/crl.pem" state=link src="/var/lib/fedora-ca/crl/crl.pem"
when: master_fas_node == True
tags:
- config
- fas
- name: create /srv/web/ca/cacert.pem link
file: path="/srv/web/ca/cacert.pem" state=link src="/var/lib/fedora-ca/cacert.pem"
when: master_fas_node == True
tags:
- config
- fas
- name: install /etc/export-bugzilla.cfg file
template: >
src="export-bugzilla.cfg.j2"
dest="/etc/export-bugzilla.cfg"
owner=fas
group=fas
mode=0600
when: master_fas_node == True
tags:
- config
- fas
- name: HOTFIX fix the export-bugzilla cron to not store bugzilla token
copy: >
src="export-bugzilla"
dest="/usr/sbin/export-bugzilla"
owner=root
group=root
mode=0755
tags:
- config
- hotfix
- fas
- name: run export-bugzilla program
cron: >
name="export-bugzilla"
job="cd /etc; MAILTO=root; /usr/sbin/export-bugzilla fedorabugs fedora_contrib"
user="fas"
minute="10"
when: master_fas_node == True
tags:
- config
- fas
- name: HOTFIX make sure only fas01 cleans up sessions
copy: src={{ roles_path }}/fas_server/files/controllers.py
dest=/usr/lib/python2.6/site-packages/fas/controllers.py
mode=644 owner=root group=root
tags:
- config
- fas
- hotfixfas
Reference in New Issue View Git Blame Copy Permalink