WarlockFish/fedora-infra_ansible
1
0
Fork 0
mirror of https://pagure.io/fedora-infra/ansible.git synced 2026-05-11 10:32:27 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
be1b1503d64a2be5a1dfd32ebdda931679d1ebdb
fedora-infra_ansible/roles/base/tasks/main.yml
Kevin Fenzi 2a2f75daf1 base / iptables: don't remove iptables for now 
This was a good change in theory, but in practice it's not.
The 'iptables-legacy' package provides 'iptables' so it gets removed,
but there's some things we still install that depend on it, so it just
gets pulled in later as a dependency.

Examples:

build* machines install oz and ImageFactory that need it
(but we can possibly drop those now)

virthosts have some libvirt subpackages that require it.

I'm not sure we can readd this in a targeted way or should just drop it
for now entirely.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-08-09 09:17:18 -07:00

684 lines
17 KiB
YAML
Raw Blame History

---
#
# This is the base role for all machines.
# Things in here are things we want to do to every machine no matter what.
#
# On fedora and rhel larger than 7, all we need is policycoreutils-python-utils,
# which in turn pulls in python3-policycoreutils
#
- name: Ensure packages required for semanage are installed (fedora/rhel8)
ansible.builtin.package: name=policycoreutils-python-utils state=present
when: ansible_distribution_major_version|int > 7
tags:
- selinux
- name: Global default packages to install (dnf)
dnf: state=present name="{{ global_pkgs_inst }}"
tags:
- packages
- base
when: >
ansible_distribution_major_version|int >= 8 and
ansible_distribution == 'RedHat' and ansible_cmdline.ostree is not defined
- name: Global default packages to install (dnf)
dnf: state=present name="{{ global_pkgs_inst }}"
tags:
- packages
- base
when: >
ansible_distribution_major_version|int > 29 and
ansible_distribution == 'Fedora' and ansible_cmdline.ostree is not defined
- name: Make sure hostname is set right on all hosts
hostname: name="{{inventory_hostname}}"
#
# We set builders root password in the koji_builder role, so do not set those here
#
- name: Set root passwd
user: name=root password={{ rootpw }} state=present
tags:
- rootpw
- base
when:
- not inventory_hostname.startswith(('buildvm-','buildhw-','bkernel','koji','compose'))
- not inventory_hostname.startswith('copr')
- name: Add ansible root key
authorized_key: user=root key="{{ item }}"
with_file:
- ansible-pub-key
tags:
- config
- base
- name: Dist pkgs to remove (yum)
ansible.builtin.package: state=absent name={{ item }}
with_items:
- "{{ base_pkgs_erase }}"
tags:
- packages
- base
when: ansible_distribution_major_version|int < 8 and ansible_distribution == 'RedHat'
- name: Dist pkgs to install (yum)
ansible.builtin.package: state=present name={{ item }}
with_items:
- "{{ base_pkgs_inst }}"
tags:
- packages
- base
when: ansible_distribution_major_version|int < 8 and ansible_distribution == 'RedHat'
- name: Dist pkgs to remove (dnf)
dnf: state=absent name="{{ base_pkgs_erase }}"
tags:
- packages
- base
when: >
ansible_distribution_major_version|int > 29 and
ansible_distribution == 'Fedora' and ansible_cmdline.ostree is not defined
- name: Dist pkgs to remove (dnf)
dnf: state=absent name="{{ base_pkgs_erase }}"
tags:
- packages
- base
when: >
ansible_distribution_major_version|int >= 8 and
ansible_distribution == 'RedHat' and
ansible_cmdline.ostree is not defined
- name: Dist pkgs to install (dnf)
dnf: state=present name="{{ base_pkgs_inst }}"
tags:
- packages
- base
when: >
ansible_distribution_major_version|int > 29 and
ansible_distribution == 'Fedora' and
ansible_cmdline.ostree is not defined
- name: Dist pkgs to install (dnf)
dnf: state=present name="{{ base_pkgs_inst }}"
tags:
- packages
- base
when: >
ansible_distribution_major_version|int >= 8 and
ansible_distribution == 'RedHat' and
ansible_cmdline.ostree is not defined
- name: Dist disabled services
service: state=stopped enabled=false name={{ item }}
with_items:
- "{{ service_disabled }}"
tags:
- service
- config
- base
- name: Dist enabled services
service: state=started enabled=true name={{ item }}
with_items:
- "{{ service_enabled }}"
tags:
- service
- config
- base
when: >
ansible_distribution_major_version|int > 31 and
ansible_distribution == 'Fedora' or
ansible_distribution == 'RedHat'
- name: Ensure iptables is installed
ansible.builtin.package: state=present name=iptables
tags:
- packages
- base
when: not nftables
- name: On F42+ ppc64le Ensure iptables-legacy is installed as well
ansible.builtin.package: state=present name=iptables-legacy
tags:
- packages
- base
when: >
not nftables and
ansible_distribution_major_version|int >= 42 and
ansible_distribution == 'Fedora' and
ansible_architecture == 'ppc64le'
- name: Ensure nftables is not installed
ansible.builtin.package: state=absent name=nftables
tags:
- packages
- base
when: not nftables
- name: Ensure nftables is installed
ansible.builtin.package: state=present name=nftables
tags:
- packages
- base
when: nftables
#- name: Ensure iptables is not installed
# ansible.builtin.package: state=absent name=iptables
# tags:
# - packages
# - base
# when: nftables
- name: Ensure ipset is installed
ansible.builtin.package: state=present name=ipset
tags:
- packages
- base
when: not nftables
- name: Setup builder ipset if this is a new install
ansible.builtin.shell: "/usr/sbin/ipset create osbuildapi hash:ip; touch /etc/sysconfig/ipset-osbuildapi"
args:
creates: /etc/sysconfig/ipset-osbuildapi
when:
- "'osbuild' in group_names"
- not nftables
tags:
- base
- iptables
# Note that these should do both iptables/ipset and nftables...
- name: Install blocklist update script
ansible.builtin.copy:
src: "{{ private }}/files/blocklist/blocklist-update.sh"
dest: /usr/local/bin/blocklist-update.sh
owner: root
group: root
mode: "0700"
tags:
- base
- iptables
- blocklist
when: "'rdu3' not in inventory_hostname or (external is defined and external | bool)"
- name: Setup blocklist update cron job
cron:
name: blocklist-update
user: root
minute: 15
hour: "*/2"
job: "/usr/local/bin/blocklist-update.sh force >& /dev/null"
when: "'rdu3' not in inventory_hostname or (external is defined and external | bool)"
tags:
- base
- iptables
- blocklist
- name: Iptables
ansible.builtin.template:
src: "{{ item }}"
dest: /etc/sysconfig/iptables
mode: '0600'
validate: "/sbin/iptables-restore --test %s"
with_first_found:
- iptables/iptables.{{ datacenter }}
- iptables/iptables.{{ inventory_hostname }}
- iptables/iptables.{{ host_group }}
- iptables/iptables.{{ env }}
- iptables/iptables
when:
- baseiptables|bool
- not nftables
notify:
- Restart iptables
- Reload libvirtd
tags:
- iptables
- config
- base
- name: Nftables ipv4
ansible.builtin.template:
src: "{{ item }}"
dest: /etc/nftables/fedora-infra-ipv4.nft
mode: '0600'
validate: "/sbin/nft --check --file %s"
with_first_found:
- nftables/nftables.{{ datacenter }}
- nftables/nftables.{{ inventory_hostname }}
- nftables/nftables.{{ host_group }}
- nftables/nftables.{{ env }}
- nftables/nftables
when:
- baseiptables|bool
- nftables
notify:
- Restart nftables
- Reload libvirtd
tags:
- iptables
- config
- base
- name: Iptables service enabled
service: name=iptables state=started enabled=true
tags:
- iptables
- service
- base
when:
- baseiptables|bool
- not nftables
- name: Nftables service enabled
service: name=nftables state=started enabled=true
tags:
- iptables
- service
- base
when:
- baseiptables|bool
- nftables
- name: Ip6tables
ansible.builtin.template: src={{ item }} dest=/etc/sysconfig/ip6tables mode=0600 backup=yes
with_first_found:
- iptables/ip6tables.{{ datacenter }}
- iptables/ip6tables.{{ inventory_hostname }}
- iptables/ip6tables.{{ host_group }}
- iptables/ip6tables.{{ env }}
- iptables/ip6tables
when:
- baseiptables|bool
- not nftables
notify:
- Restart ip6tables
- Reload libvirtd
tags:
- ip6tables
- config
- base
- name: Nftables ipv6
ansible.builtin.template:
src: "{{ item }}"
dest: /etc/nftables/fedora-infra-ipv6.nft
mode: '0600'
validate: "/sbin/nft --check --file %s"
with_first_found:
- nftables/nftables-ipv6.{{ datacenter }}
- nftables/nftables-ipv6.{{ inventory_hostname }}
- nftables/nftables-ipv6.{{ host_group }}
- nftables/nftables-ipv6.{{ env }}
- nftables/nftables-ipv6
when:
- baseiptables|bool
- nftables
notify:
- Restart nftables
- Reload libvirtd
tags:
- ip6tables
- config
- base
- name: Nftables sysconfig
ansible.builtin.template:
src: "{{ item }}"
dest: /etc/sysconfig/nftables.conf
mode: '0600'
validate: "/sbin/nft --check --file %s"
with_first_found:
- nftables/sysconfig.conf
when:
- baseiptables|bool
- nftables
notify:
- Restart nftables
- Reload libvirtd
tags:
- iptables
- config
- base
- name: Ip6tables service enabled
service: name=ip6tables state=started enabled=true
tags:
- ip6tables
- service
- base
when:
- baseiptables|bool
- not nftables
- name: Ip6tables service disabled
service: name=ip6tables state=stopped enabled=false
tags:
- ip6tables
- service
- base
when:
- baseiptables|bool
- nftables
- ansible_distribution_major_version|int > 8
- name: Enable journald persistence
ansible.builtin.file: path=/var/log/journal state=directory
owner=root group=systemd-journal mode=2755
when: ansible_distribution_major_version|int >= 7 and ansible_distribution == 'RedHat'
tags:
- journald
- config
- base
notify:
- Flush journald tmpfiles to persistent store
- name: Enable journald persistence
ansible.builtin.file: path=/var/log/journal state=directory
owner=root group=systemd-journal mode=2755
when: ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora'
tags:
- journald
- config
- base
notify:
- Flush journald tmpfiles to persistent store
- name: Install rh ca for splunk
ansible.builtin.copy: src={{ private }}/files/splunk-certs/2022-IT-Root-CA.pem
dest=/etc/pki/tls/certs/2022-IT-Root-CA.pem
tags:
- rsyslogd
- config
- base
when: inventory_hostname.startswith('log01')
- name: Ensure packages required for rsyslog are installed
ansible.builtin.package: name={{ item }} state=present
with_items:
- rsyslog-gnutls
tags:
- rsyslogd
- config
- base
when: inventory_hostname.startswith('log01')
- name: Rsyslog.conf
ansible.builtin.copy: src={{ item }} dest=/etc/rsyslog.conf mode=0644
with_first_found:
- rsyslog/rsyslog.conf.{{ inventory_hostname }}
- rsyslog/rsyslog.conf.{{ dist_tag }}
- rsyslog/rsyslog.conf.default
notify:
- Restart rsyslog
tags:
- rsyslogd
- config
- base
- name: Rsyslog log rotate for rsyslog servers
ansible.builtin.copy: src=rsyslog/merged-rsyslog dest=/etc/logrotate.d/merged-rsyslog mode=0644
when: inventory_hostname.startswith('log')
notify:
- Restart rsyslog
tags:
- rsyslogd
- config
- base
- name: Add rsyslog config to /etc/rsyslog.d
ansible.builtin.copy: src={{ item }} dest=/etc/rsyslog.d/ owner=root group=root mode=0644
with_fileglob:
- rsyslog/*.conf
notify:
- Restart rsyslog
tags:
- rsyslogd
- config
- base
- name: Rsyslog-audit.conf
ansible.builtin.copy: src={{ item }} dest=/etc/rsyslog.d/rsyslog-audit.conf owner=root group=root mode=0644
with_first_found:
- rsyslog/rsyslog-audit.conf.{{ datacenter }}
- rsyslog/rsyslog-audit.conf.default
notify:
- Restart rsyslog
tags:
- rsyslogd
- config
- base
- name: Log everything to log01 except on mirrorlist, do not log local4 there.
ansible.builtin.copy: src=rsyslog/rsyslog-log01 dest=/etc/rsyslog.d/rsyslog-log01.conf mode=0644
when: not inventory_hostname.startswith(('mirrorlist','copr'))
tags:
- rsyslogd
- config
- base
- name: Log everything to log01 except on mirrorlist, do log local4 there.
ansible.builtin.copy: src=rsyslog/rsyslog-log01-nolocal4 dest=/etc/rsyslog.d/rsyslog-log01.conf mode=0644
when: inventory_hostname.startswith('mirrorlist')
tags:
- rsyslogd
- config
- base
- name: Rsyslogd make systemd limits directory for file handles
ansible.builtin.file: dest=/etc/systemd/system/rsyslog.service.d/ mode=0755 owner=root group=root state=directory
when: inventory_hostname.startswith('log') or inventory_hostname.startswith('people')
tags:
- rsyslogd
- config
- name: Rsyslogd put systemd limits directory for file handles
ansible.builtin.copy: src=rsyslog/rsyslog-limits-systemd
dest=/etc/systemd/system/rsyslog.service.d/limits.conf mode=0644
when: inventory_hostname.startswith('log') or inventory_hostname.startswith('people')
tags:
- rsyslogd
- config
# Custom selinux policy to allow rsyslog to read and send audit to log01
- name: Ensure a directory exists for our custom selinux module
ansible.builtin.file: dest=/usr/local/share/rsyslog state=directory
tags:
- rsyslogd
- config
- rsyslog-audit
- name: Copy over our custom selinux module
ansible.builtin.copy: src=selinux/rsyslog-audit.pp dest=/usr/local/share/rsyslog/rsyslog-audit.pp
register: selinux_module
tags:
- rsyslogd
- config
- rsyslog-audit
- name: Install our custom selinux module
ansible.builtin.command: semodule -i /usr/local/share/rsyslog/rsyslog-audit.pp
when: selinux_module is changed and ansible_distribution_major_version|int > 6
tags:
- rsyslogd
- config
- rsyslog-audit
# Custom selinux policy to allow unix_chkpwd to map PAM database
- name: Copy over our custom selinux module
ansible.builtin.copy: src=selinux/mapchkpwd.pp dest=/usr/local/share/mapchkpwd.pp
register: selinux_module
when: ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora'
tags:
- config
- selinux
# Custom selinux policy to allow unix_chkpwd to map PAM database
- name: Copy over our custom selinux module
ansible.builtin.copy: src=selinux/mapchkpwd.pp dest=/usr/local/share/mapchkpwd.pp
register: selinux_module
when: ansible_distribution_major_version|int >= 8 and ansible_distribution == 'RedHat'
tags:
- config
- selinux
- name: Install our custom selinux module
ansible.builtin.command: semodule -i /usr/local/share/mapchkpwd.pp
when: selinux_module is changed
tags:
- selinux
- config
- name: Setup postfix
import_tasks: postfix.yml
#
# This task installs some common scripts to /usr/local/bin
# scripts are under roles/base/files/common-scripts
#
- name: Install common scripts
ansible.builtin.copy: src={{ item }} dest=/usr/local/bin/ owner=root group=root mode=0755
with_fileglob:
- common-scripts/*
tags:
- config
- base
- common-scripts
#
# Watchdog stuff
#
- name: Set up watchdog
import_tasks: watchdog.yml
# Set PS1 to show stage environment at PS1
#
- name: Set PS1 for stage in /etc/profile.d
ansible.builtin.copy: >
src=setstgps1.sh
dest="/etc/profile.d/setstgps1.sh"
owner=root
group=root
mode=0644
when: env == 'staging'
tags:
- base
- config
- prompt
# Set PS1 to show prod environment at PS1
#
- name: Set PS1 for prod in /etc/profile.d
ansible.builtin.copy: >
src=setprodps1.sh
dest="/etc/profile.d/setprodps1.sh"
owner=root
group=root
mode=0644
when: env == 'production' and datacenter != 'rdu3'
tags:
- base
- config
- prompt
# Set PS1 to show prod-rdu3 environment at PS1
#
- name: Set PS1 for prod rdu3 in /etc/profile.d
ansible.builtin.copy: >
src=setprodrdu3ps1.sh
dest="/etc/profile.d/setprodrdu3ps1.sh"
owner=root
group=root
mode=0644
when: env == 'production' and datacenter == 'rdu3'
tags:
- base
- config
- prompt
# Set krb5 conf
- name: Configure krb5
ansible.builtin.template: src=krb5.conf.j2 dest=/etc/krb5.conf owner=root group=root mode=0644
when: not inventory_hostname.startswith('ipa')
tags:
- base
- config
- krb5
- name: Configure krb5 (IPA master)
ansible.builtin.template: src=krb5.conf.master.j2 dest=/etc/krb5.conf owner=root group=root mode=0644
when: inventory_hostname.startswith('ipa')
tags:
- base
- config
- krb5
- name: Setup host keytab
import_tasks: keytab.yml
when: not inventory_hostname.startswith('ipa')
# SSSD-KCM has been showing way too many bugs with it saying "I have a ticket" while the ticket
# is actually expired, and kinit's still not refreshing them and such alike.
# Let's just nuke it for now.
- name: We do NOT use sssd-kcm
ansible.builtin.file: path=/etc/krb5.conf.d/kcm_default_ccache state=absent
tags:
- base
- config
- krb5
# rhel8 hosts do not have /usr/bin/python, but there are a few things we call
# with that because they also run the same on python2 hosts.
# So, we set python3 to /usr/bin/python on those hosts:
- name: Ensure that platform-python is installed on EL8 boxes
ansible.builtin.package: name={{ item }} state=present
with_items:
- platform-python
when: ansible_distribution == 'RedHat' and ansible_distribution_major_version|int == 8
tags:
- base
- config
- python3alternative
- name: Set /usr/bin/python to python3 on rhel8 hosts
alternatives:
name: python
link: /usr/bin/python
path: /usr/bin/python3
when: ansible_distribution == 'RedHat' and ansible_distribution_major_version|int == 8
tags:
- base
- config
- python3alternative
- name: Cron jobs to compress logs under /var/log/hosts and /mnt/fedora_stats
ansible.builtin.copy: src=compress-log.cron dest=/etc/cron.d/ mode=0644
tags:
- compress
when: inventory_hostname.startswith('log0')
- name: Set crypto-policy to LEGACY on fedora 33 hosts to get 2fa working
import_tasks: crypto-policies.yml
- name: Proxy log rotate for proxy servers
ansible.builtin.copy: src="{{ files }}/common/rsyslog-logrotate" dest=/etc/logrotate.d/rsyslog mode=0644
when: inventory_hostname.startswith('proxy')
notify:
- Restart rsyslog
tags:
- rsyslogd
- config
- base
- name: Setup Message of the Day (motd)
import_tasks: motd.yml
Reference in New Issue View Git Blame Copy Permalink