mirror of
https://pagure.io/fedora-infra/ansible.git
synced 2026-03-20 03:57:02 +08:00
a75f88d99d
It seems like somebody just copied the production tasks for staging without changing the LDAP domain, which caused the staging task to fail. This commit is fixing that. And tagging the related tasks as well. Signed-off-by: Michal Konecny <mkonecny@redhat.com>
150 lines
4.1 KiB
YAML
150 lines
4.1 KiB
YAML
---
|
|
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml"
|
|
vars:
|
|
myhosts: "ipa:ipa_stg"
|
|
|
|
- name: Make the box be real
|
|
hosts: ipa:ipa_stg
|
|
user: root
|
|
gather_facts: true
|
|
|
|
vars_files:
|
|
- /srv/web/infra/ansible/vars/global.yml
|
|
- "/srv/private/ansible/vars.yml"
|
|
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
|
|
|
|
roles:
|
|
- base
|
|
- rkhunter
|
|
- nagios_client
|
|
- zabbix/zabbix_agent
|
|
- collectd/base
|
|
- hosts
|
|
- {role: openvpn/client,
|
|
when: env != "staging"}
|
|
- ipa/client
|
|
- rsyncd
|
|
- sudo
|
|
# Set up for fedora-messaging
|
|
- role: rabbit/user
|
|
user_name: "ipa{{ env_suffix }}"
|
|
user_sent_topics: ^org\.fedoraproject\.{{ env_short }}\.ipa\..*
|
|
when: inventory_hostname.startswith('ipa01')
|
|
|
|
pre_tasks:
|
|
- import_tasks: "{{ tasks_path }}/yumrepos.yml"
|
|
|
|
handlers:
|
|
- import_tasks: "{{ handlers_path }}/restart_services.yml"
|
|
|
|
- name: Deploy ipa itself
|
|
hosts: ipa:ipa_stg
|
|
user: root
|
|
gather_facts: true
|
|
|
|
vars_files:
|
|
- /srv/web/infra/ansible/vars/global.yml
|
|
- "/srv/private/ansible/vars.yml"
|
|
- "{{ vars_path }}/{{ ansible_distribution }}.yml"
|
|
|
|
roles:
|
|
- ipa/server
|
|
- role: keytab/service
|
|
owner_user: apache
|
|
owner_group: apache
|
|
service: HTTP
|
|
host: "id{{env_suffix}}.fedoraproject.org"
|
|
notify:
|
|
- Combine IPA http keytabs
|
|
|
|
handlers:
|
|
- import_tasks: "{{ handlers_path }}/restart_services.yml"
|
|
|
|
tasks:
|
|
- name: Combine IPA keytabs
|
|
ansible.builtin.shell: printf "%b" "read_kt /etc/httpd/conf/ipa.keytab\nread_kt /etc/krb5.HTTP_id{{env_suffix}}.fedoraproject.org.keytab\nwrite_kt /etc/krb5.HTTP_id{{env_suffix}}.fedoraproject.org.keytab.combined" | ktutil
|
|
changed_when: false
|
|
tags:
|
|
- krb5
|
|
- ipa/server
|
|
- name: Set owner and permissions on combined keytab
|
|
ansible.builtin.file: path="/etc/krb5.HTTP_id{{env_suffix}}.fedoraproject.org.keytab.combined"
|
|
owner=apache
|
|
group=apache
|
|
mode=0600
|
|
tags:
|
|
- krb5
|
|
- ipa/server
|
|
# original: /etc/httpd/conf/ipa.keytab
|
|
# - name: Make IPA HTTP use the combined keytab
|
|
# lineinfile: dest=/etc/httpd/conf.d/ipa.conf
|
|
# regexp='GssapiCredStore keytab:'
|
|
# line=' GssapiCredStore keytab:/etc/krb5.HTTP_id{{env_suffix}}.fedoraproject.org.keytab.combined'
|
|
# tags:
|
|
# - krb5
|
|
# - ipa/server
|
|
# - config
|
|
# - name: Make IPA HTTP use the id.fp.o client keytab
|
|
# lineinfile: dest=/etc/httpd/conf.d/ipa.conf
|
|
# regexp='GssapiCredStore client_keytab:'
|
|
# line=' GssapiCredStore client_keytab:/etc/krb5.HTTP_id{{env_suffix}}.fedoraproject.org.keytab'
|
|
# tags:
|
|
# - krb5
|
|
# - ipa/server
|
|
# - config
|
|
|
|
- name: Do base role once more to revert any resolvconf changes
|
|
hosts: ipa:ipa_stg
|
|
user: root
|
|
gather_facts: true
|
|
|
|
vars_files:
|
|
- /srv/web/infra/ansible/vars/global.yml
|
|
- "/srv/private/ansible/vars.yml"
|
|
- "{{ vars_path }}/{{ ansible_distribution }}.yml"
|
|
|
|
roles:
|
|
- base
|
|
|
|
- name: Enable audit logs on ipa01/ipa01.stg
|
|
hosts: ipa[0]:ipa_stg[0]
|
|
user: root
|
|
gather_facts: true
|
|
|
|
vars_files:
|
|
- /srv/web/infra/ansible/vars/global.yml
|
|
- "/srv/private/ansible/vars.yml"
|
|
- "{{ vars_path }}/{{ ansible_distribution }}.yml"
|
|
|
|
tasks:
|
|
- name: Check audit log file size (prod)
|
|
stat:
|
|
path: /var/log/dirsrv/slapd-FEDORAPROJECT-ORG/audit
|
|
when: env == "production"
|
|
register: ansible_stat_result
|
|
tags:
|
|
- audit
|
|
|
|
- name: Enable audit logs (prod)
|
|
command: dsconf FEDORAPROJECT-ORG config replace nsslapd-auditlog-logging-enabled=on nsslapd-auditfaillog-logging-enabled=on
|
|
when: env == "production" and ansible_stat_result.stat.size != 0
|
|
tags:
|
|
- audit
|
|
|
|
- name: Check audit log file size (stg)
|
|
stat:
|
|
path: /var/log/dirsrv/slapd-STG-FEDORAPROJECT-ORG/audit
|
|
register: ansible_stat_result
|
|
when: env == "staging"
|
|
tags:
|
|
- audit
|
|
|
|
- name: Enable audit logs (staging)
|
|
command: dsconf STG-FEDORAPROJECT-ORG config replace nsslapd-auditlog-logging-enabled=on nsslapd-auditfaillog-logging-enabled=on
|
|
when: env == "staging" and ansible_stat_result.stat.size != 0
|
|
tags:
|
|
- audit
|
|
|
|
handlers:
|
|
- import_tasks: "{{ handlers_path }}/restart_services.yml"
|