mirror of
https://pagure.io/fedora-infra/ansible.git
synced 2026-03-19 19:46:38 +08:00
0d56b527a6
selinux was preventing anubis from reading its policy file. So, set the right context here so it is happy. Note that we cannot use :Z in the podman call, because it runs as the anubis user which cannot chcon those files on the host. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
140 lines
2.6 KiB
YAML
140 lines
2.6 KiB
YAML
---
|
|
|
|
- name: Install podman for anubis container
|
|
ansible.builtin.package:
|
|
name: podman
|
|
state: present
|
|
tags:
|
|
- config
|
|
- anubis
|
|
|
|
- name: Add anubis group
|
|
ansible.builtin.group:
|
|
name: anubis
|
|
system: yes
|
|
tags:
|
|
- config
|
|
- anubis
|
|
|
|
- name: Add anubis user
|
|
ansible.builtin.user:
|
|
name: anubis
|
|
group: anubis
|
|
system: yes
|
|
tags:
|
|
- config
|
|
- anubis
|
|
|
|
- name: install subuid file
|
|
ansible.builtin.copy:
|
|
dest: /etc/subuid
|
|
src: subuid
|
|
owner: root
|
|
group: root
|
|
mode: '0644'
|
|
tags:
|
|
- config
|
|
- anubis
|
|
|
|
- name: install subgid file
|
|
ansible.builtin.copy:
|
|
dest: /etc/subgid
|
|
src: subuid
|
|
owner: root
|
|
group: root
|
|
mode: '0644'
|
|
tags:
|
|
- config
|
|
- anubis
|
|
|
|
- name: Check semanage ports
|
|
ansible.builtin.command: semanage port -l
|
|
register: semanageoutput
|
|
check_mode: no
|
|
changed_when: "1 != 1"
|
|
tags:
|
|
- anubis
|
|
|
|
- name: Set ports so httpd can bind to 3923
|
|
ansible.builtin.command: semanage port -a -t http_port_t -p tcp 3923
|
|
when: semanageoutput.stdout.find("3923") == -1
|
|
|
|
- name: Create the directory to store the anubis policy file
|
|
ansible.builtin.file:
|
|
dest: /srv/anubis/cfg/
|
|
state: directory
|
|
recurse: true
|
|
owner: root
|
|
group: root
|
|
mode: '0755'
|
|
tags:
|
|
- config
|
|
- anubis
|
|
|
|
- name: Add the anubis bot config file
|
|
ansible.builtin.copy:
|
|
src: botPolicy.yaml
|
|
dest: /srv/anubis/cfg/botPolicy.yaml
|
|
owner: root
|
|
group: root
|
|
mode: '0644'
|
|
notify:
|
|
- Restart anubis-el
|
|
tags:
|
|
- config
|
|
- anubis
|
|
|
|
- name: Set SELinux context for anubis directory
|
|
community.general.sefcontext:
|
|
target: "/srv/anubis(/.*)?"
|
|
setype: container_file_t
|
|
state: present
|
|
tags:
|
|
- config
|
|
- anubis
|
|
- selinux
|
|
|
|
- name: Apply SELinux changes to anubis directory
|
|
ansible.builtin.command: restorecon -irv "/srv/anubis/"
|
|
register: restorecon_output
|
|
changed_when: restorecon_output.stdout is defined and restorecon_output.stdout | length > 0
|
|
tags:
|
|
- config
|
|
- anubis
|
|
- selinux
|
|
|
|
# This service calls podman to pull the anubis container,
|
|
# then sets various env variables for the service and runs it.
|
|
|
|
- name: Add the anubis systemd service
|
|
ansible.builtin.copy:
|
|
src: anubis.service
|
|
dest: /etc/systemd/system/anubis.service
|
|
owner: root
|
|
group: root
|
|
mode: '0644'
|
|
tags:
|
|
- config
|
|
- anubis
|
|
notify:
|
|
- Reload systemd
|
|
|
|
- name: Add the anubis env file
|
|
ansible.builtin.template:
|
|
src: env.j2
|
|
dest: /srv/anubis/cfg/env
|
|
owner: root
|
|
group: root
|
|
mode: '0644'
|
|
notify:
|
|
- Restart anubis-el
|
|
|
|
- name: Enable and make sure pod is started
|
|
ansible.builtin.systemd:
|
|
name: anubis
|
|
state: started
|
|
enabled: true
|
|
tags:
|
|
- config
|
|
- anubis
|