fedora-infra_ansible/roles/download/tasks/main.yml

---
- name: Install needed packages
  ansible.builtin.package: name={{ item }} state=present update_cache=yes
  with_items:
  - bzip2
  - mod_ssl
  - nfs-utils
  tags:
  - packages

- name: Create /srv/pub directory
  ansible.builtin.file: path=/srv/pub state=directory

- name: Create /srv/web directory
  ansible.builtin.file: path=/srv/web state=directory

- name: Set httpd_use_nfs seboolean
  seboolean: name=httpd_use_nfs state=yes persistent=yes

- name: Check the selinux context rsyncd log
  ansible.builtin.command: matchpathcon /var/log/rsyncd-fedora.log
  register: rsyncdlog
  check_mode: no
  changed_when: "1 != 1"
  tags:
  - config
  - selinux

- name: /var/log/rsyncd-fedora.log file context
  ansible.builtin.command: semanage fcontext -a -t rsync_log_t /var/log/rsyncd-fedora.log
  when: rsyncdlog.stdout.find('rsync_log_t') == -1
  tags:
  - config
  - selinux

- name: /etc/motd_fedora
  ansible.builtin.template: src=rsync/motd_fedora.j2 dest=/etc/motd_fedora

- name: Configure logrotate for /var/log/rsyncd-fedora.log
  ansible.builtin.copy: src=logrotate-rsync-fedora dest=/etc/logrotate.d/rsync-fedora

- name: Check the selinux context pubdir
  ansible.builtin.command: matchpathcon /srv/pub
  register: pubdir
  check_mode: no
  changed_when: "1 != 1"
  tags:
  - config
  - selinux

- name: /srv/pub file contexts
  ansible.builtin.command: semanage fcontext -a -t httpd_sys_content_t "/srv/pub(/.*)?"
  when: pubdir.stdout.find('httpd_sys_content_t') == -1
  tags:
  - config
  - selinux

- name: Copy wildcard cert from puppet private
  ansible.builtin.copy: src="{{private}}/files/httpd/wildcard-2025.fedoraproject.org.cert" dest=/etc/pki/tls/certs/wildcard-2025.fedoraproject.org.cert owner=root group=root mode=0644

- name: Copy wildcard key from puppet private
  ansible.builtin.copy: src="{{private}}/files/httpd/wildcard-2025.fedoraproject.org.key" dest=/etc/pki/tls/private/wildcard-2025.fedoraproject.org.key owner=root group=root mode=0600

- name: Copy intermediate wildcard cert from puppet private
  ansible.builtin.copy: src="{{private}}/files/httpd/wildcard-2025.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/certs/wildcard-2025.fedoraproject.org.intermediate.cert owner=root group=root mode=0644

- name: Configure httpd dl main conf
  ansible.builtin.template: src=httpd/dl.fedoraproject.org.conf dest=/etc/httpd/conf.d/dl.fedoraproject.org.conf
  tags:
  - httpd
  - config
  - sslciphers
  notify:
  - Reload httpd

- name: Make sure apache autoindex.conf is replaced with ours
  ansible.builtin.copy: src=httpd/dl.fedoraproject.org/autoindex.conf dest=/etc/httpd/conf.d/autoindex.conf
  tags:
  - httpd
  - config
  notify:
  - Reload httpd

- name: Configure httpd dl sub conf
  ansible.builtin.copy: src=httpd/dl.fedoraproject.org/ dest=/etc/httpd/conf.d/dl.fedoraproject.org/
  tags:
  - httpd
  - config
  notify:
  - Reload httpd

- name: Install haveged for entropy
  ansible.builtin.package: name=haveged state=present
  tags:
  - httpd
  - httpd/proxy

- name: Set haveged running/enabled
  service: name=haveged enabled=yes state=started
  tags:
  - service
  - httpd
  - httpd/proxy

- name: Set tcp read buffers higher for download improvements
  sysctl:
    name: net.ipv4.tcp_rmem
    value: "4096 131072 67108864"
    sysctl_file: /etc/sysctl.d/10-tcp-socket-buffers.conf
  tags:
  - service
  - config

- name: Set tcp write buffers higher for download improvements
  sysctl:
    name: net.ipv4.tcp_wmem
    value: "4096 16384 67108864"
    sysctl_file: /etc/sysctl.d/10-tcp-socket-buffers.conf
  tags:
  - service
  - config

##

##