WarlockFish/fedora-infra_ansible
1
0
Fork 0
mirror of https://pagure.io/fedora-infra/ansible.git synced 2026-05-02 14:30:45 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
7aa7553b84af5dc8efa78e9d8a4e50dde369052d
fedora-infra_ansible/playbooks/groups/proxies.yml
Michal Konecny 2ec055db6f Use first uppercase letter for all handlers 
This will unify all the handlers to use first uppercase letter for
ansible-lint to stop complaining.

I went through all `notify:` occurrences and fixed them by running
```
set TEXT "text_to_replace"; set REPLACEMENT "replacement_text"; git grep
-rlz "$TEXT" . | xargs -0 sed -i "s/$TEXT/$REPLACEMENT/g"
```

Then I went through all the changes and removed the ones that wasn't
expected to be changed.

Fixes https://pagure.io/fedora-infrastructure/issue/12391

Signed-off-by: Michal Konecny <mkonecny@redhat.com>
2025-02-10 20:31:49 +00:00

157 lines
4.9 KiB
YAML
Raw Blame History

# create a new proxy server
---
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml"
vars:
myhosts: "proxies:proxies_stg:!proxy05.fedoraproject.org:!cloud_aws"
- name: Make the box be real
hosts: proxies_stg:proxies
user: root
gather_facts: true
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
pre_tasks:
- include_vars: dir=/srv/web/infra/ansible/vars/all/ ignore_files=README
- import_tasks: "{{ tasks_path }}/yumrepos.yml"
roles:
- base
- {role: openvpn/client,
when: env != "staging"}
- ipa/client
- rkhunter
- nagios_client
- zabbix/zabbix_agent
- zabbix/zabbix_templates
- collectd/base
- sudo
- rsyncd
- {role: mirrormanager/mirrorlist_proxy,
when: env == "staging" or "'mirrorlist_proxy' in group_names"}
- apache
# when: env == "staging"
tasks:
# You might think we would want these tasks_path on the proxy nodes, but they
# actually deliver a configuration that our proxy-specific roles below then go
# and overwrite... so, let's just leave them out.
# - import_tasks: "{{ tasks_path }}/apache.yml"
# - import_tasks: "{{ tasks_path }}/mod_wsgi.yml"
- name: Ensure nf_conntrack module is loaded before tuning ip_conntrack_max
ansible.builtin.copy:
content: |
nf_conntrack
dest: /etc/modules-load.d/nf_conntrack.conf
owner: root
group: root
mode: "0644"
- name: Set ip_conntrack_max to a high value as the proxies deal with lots of connections
sysctl: name=net.nf_conntrack_max value=26214400 state=present sysctl_set=yes reload=yes
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"
# TODO
#
# - fedora-web::build (bapp0*)
# - fedora-docs::build (bapp0*)
# - review-stats::build (bapp0*)
#
## TBD
# - sysctl ip_conntrack_max bits - do we still need this on rhel9 or fedora?
# - semanage ports.. we're likely going to need one for every app.
# - sebooleans.. let's try running first, see what gets blocked, and then
# selectively enable where semanage port fails
#
## Not going to do
# - smolt::proxy -- note going to do this. smolt is dead. long live smolt.
# - domainnotarget stuff - only smolt used this
- name: Set up the proxy basics
hosts: proxies_stg:proxies
user: root
gather_facts: false
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"
pre_tasks:
roles:
- httpd/mod_ssl
- httpd/proxy
- varnish
#
# Re-run hosts here so things are ok for the haproxy check
#
- hosts
tasks:
# After setting up the "basics" of the proxy hosts above, here below we break
# out the proxy-specific configuration into a couple different sub-playbooks.
# Othewise, this file would be unbearably long.
- import_playbook: /srv/web/infra/ansible/playbooks/include/proxies-certificates.yml
- import_playbook: /srv/web/infra/ansible/playbooks/include/proxies-websites.yml
- import_playbook: /srv/web/infra/ansible/playbooks/include/proxies-fedorahosted.yml
- import_playbook: /srv/web/infra/ansible/playbooks/include/proxies-fedora-web.yml
- import_playbook: /srv/web/infra/ansible/playbooks/include/proxies-haproxy.yml
- import_playbook: /srv/web/infra/ansible/playbooks/include/proxies-reverseproxy.yml
- import_playbook: /srv/web/infra/ansible/playbooks/include/proxies-rewrites.yml
- import_playbook: /srv/web/infra/ansible/playbooks/include/proxies-redirects.yml
- import_playbook: /srv/web/infra/ansible/playbooks/include/proxies-miscellaneous.yml
- name: Make sure we are deployed fully
hosts: proxies_stg:proxies
strategy: free
user: root
gather_facts: false
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"
pre_tasks:
#
# If this is an initial deployment, we need the initial ticketkey
# If it's not, doesn't hurt to copy it over again
#
- name: Deploy ticket key
ansible.builtin.copy: src=/root/ticketkey_{{env}}.tkey dest=/etc/httpd/ticketkey_{{env}}.tkey
owner=root group=root mode=0600
notify:
- Reload proxyhttpd
#
# If this is an initial deployment, make sure docs are synced over.
# Do not count these as changed ever
#
- name: Make sure docs are synced. This could take a very very very logtime to finish
ansible.builtin.shell: /usr/local/bin/lock-wrapper docs-sync "/usr/local/bin/docs-rsync" >& /dev/null
changed_when: false
ignore_errors: true
- name: Make sure selinux contexts are right on srv
ansible.builtin.command: restorecon -R /srv
changed_when: false
Reference in New Issue View Git Blame Copy Permalink