Right now, podman on el9 isn't reading the policy correctly. This is because the env for the unit isn't getting picked up by podman, so instead pass --env-file to read it from a file. Also, we want to setup a private key for the download servers so they all have the same challenge creation (so if you hit 01 you want your challenge to be good on 02, etc). Signed-off-by: Kevin Fenzi <kevin@scrye.com>
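---
# Tasks that deploy the Anubis container on a host: install podman, create
# the anubis user/group with subordinate id ranges, label tcp/3923 for httpd
# in SELinux, lay down the bot policy and env file under /srv/anubis/cfg,
# and install/enable/start the anubis systemd unit.
#
# The handlers referenced here ("Reload systemd", "Restart anubis-el") are
# defined outside this file.

- name: Install podman for anubis container
  ansible.builtin.package:
    name: podman
    state: present
  tags:
    - config
    - anubis

- name: Add anubis group
  ansible.builtin.group:
    name: anubis
    system: true
  tags:
    - config
    - anubis

- name: Add anubis user
  ansible.builtin.user:
    name: anubis
    group: anubis
    system: true
  tags:
    - config
    - anubis

# /etc/subuid and /etc/subgid hand the anubis user its subordinate id ranges
# (used by podman for user-namespaced containers).
- name: install subuid file
  ansible.builtin.copy:
    dest: /etc/subuid
    src: subuid
    owner: root
    group: root
    mode: '0644'
  tags:
    - config
    - anubis

# NOTE: /etc/subgid is installed from the same 'subuid' source file on
# purpose, i.e. the uid and gid ranges are identical. Split the sources if
# the two ever need to differ.
- name: install subgid file
  ansible.builtin.copy:
    dest: /etc/subgid
    src: subuid
    owner: root
    group: root
    mode: '0644'
  tags:
    - config
    - anubis

# Read-only probe of the current SELinux port labels for the task below.
# It runs even in check mode and never reports a change.
- name: Check semanage ports
  ansible.builtin.command: semanage port -l
  register: semanageoutput
  check_mode: false
  changed_when: false
  tags:
    - anubis

# The condition is a plain substring match on the whole port listing, so it
# is also satisfied by labels such as 13923, or by 3923 already being labelled
# with a type other than http_port_t; adequate here, but not precise.
# Tagged exactly like the probe task above so that a tag-filtered run can
# never evaluate 'semanageoutput' without having registered it.
- name: Set ports so httpd can bind to 3923
  ansible.builtin.command: semanage port -a -t http_port_t -p tcp 3923
  when: semanageoutput.stdout.find("3923") == -1
  tags:
    - anubis

# No 'recurse' here on purpose: with recurse, owner/group/mode would be
# re-applied to every file already inside the directory on each run, undoing
# the tighter mode on the env file below and making the file tasks report a
# change (and restart anubis) on every play.
- name: Create the directory to store the anubis policy file
  ansible.builtin.file:
    dest: /srv/anubis/cfg/
    state: directory
    owner: root
    group: root
    mode: '0755'
  tags:
    - config
    - anubis

- name: Add the anubis bot config file
  ansible.builtin.copy:
    src: botPolicy.yaml
    dest: /srv/anubis/cfg/botPolicy.yaml
    owner: root
    group: root
    mode: '0644'
  notify:
    - Restart anubis-el
  tags:
    - config
    - anubis

# This service calls podman to pull the anubis container,
# then sets various env variables for the service and runs it.
# A changed unit file needs both a daemon-reload and a restart of the running
# container to take effect, so both handlers are notified. This assumes the
# "Reload systemd" handler is defined before "Restart anubis-el" so that it
# runs first — verify in the handlers file.

- name: Add the anubis systemd service
  ansible.builtin.copy:
    src: anubis.service
    dest: /etc/systemd/system/anubis.service
    owner: root
    group: root
    mode: '0644'
  tags:
    - config
    - anubis
  notify:
    - Reload systemd
    - Restart anubis-el

# The env file is handed to podman with --env-file and is where the shared
# challenge private key described in the commit message is expected to land
# (env.j2 itself is not shown here). It must therefore not be world-readable:
# root can read it, and the anubis group can too in case the unit runs podman
# as that user; nobody else. Tagged like the other config tasks so a
# tag-filtered run still deploys it.
- name: Add the anubis env file
  ansible.builtin.template:
    src: env.j2
    dest: /srv/anubis/cfg/env
    owner: root
    group: anubis
    mode: '0640'
  notify:
    - Restart anubis-el
  tags:
    - config
    - anubis

- name: Enable and make sure pod is started
  ansible.builtin.systemd:
    name: anubis
    state: started
    enabled: true
  tags:
    - config
    - anubis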