I mistakenly changed the port in the Fedora (non-EL) one, which was already correct. The port needs to be added in the EL one so that SELinux allows httpd to work. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
---
# Anubis bot-blocker role tasks: install the package, create its service
# account, label the httpd backend port / boolean in SELinux, render the
# anubis env and policy files, and set up Zabbix monitoring for it.

# Install the anubis package via dnf.
- name: Install Anubis Bot Blocker
  ansible.builtin.dnf:
    name: anubis
    state: present
  tags:
    - anubis

# Primary group for the anubis service account that the next task creates.
- name: Add anubis group
  ansible.builtin.group:
    state: present
    name: anubis
  tags:
    - anubis
    - config

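# Create the anubis service account; it owns the /etc/anubis config files
# rendered further down in this file.
# NOTE(review): no `shell` is set, so the account gets the module's default
# login shell. A non-interactive shell (e.g. /sbin/nologin) is the usual
# hardening for a system account -- confirm the unit does not need a shell.
- name: Add anubis user
  ansible.builtin.user:
    name: anubis
    group: anubis
    system: true  # canonical boolean; the previous `yes` relied on YAML 1.1 truthy parsing
  tags:
    - config
    - anubis
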
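# Install the httpd snippet for the backend listener that anubis sits behind.
# Ownership is pinned to root:root to match the other copy tasks in this
# file, and httpd is reloaded on change so the new listener config actually
# takes effect -- the template tasks below already notify the same handler,
# but the listener config itself did not.
- name: Install httpd config for backend listener
  ansible.builtin.copy:
    src: "httpd/{{ item }}"
    dest: "/etc/httpd/conf.d/{{ item }}"
    owner: root
    group: root
    mode: '0644'
  loop:  # `loop` is the current idiom; the single-item list behaves as with_items did
    - 00-backend-listen.conf
  notify:
    - Reload httpd
  tags:
    - anubis
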
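# Read the current SELinux port labels so the task below can decide whether
# tcp/8345 still needs labelling. This is a read-only query: it never reports
# "changed", and it runs even under --check so the registered output exists.
- name: Check semanage ports
  ansible.builtin.command: semanage port -l
  register: semanageoutput
  check_mode: false
  changed_when: false
  tags:
    - anubis

# Label tcp/8345 as http_port_t so SELinux lets httpd bind the backend
# listener installed above. Tagged like its sibling tasks: without the tag a
# `--tags anubis` run would execute the check but skip this add.
# NOTE(review): the stdout test is a plain substring match -- a line such as
# 18345 suppresses the add, while a range that already covers 8345 does not
# and the `-a` may then fail as already defined. The idempotent
# community.general.seport module would avoid both; confirm the collection is
# available before switching.
- name: Set ports so httpd can bind to 8345
  ansible.builtin.command: semanage port -a -t http_port_t -p tcp 8345
  when: semanageoutput.stdout.find("8345") == -1
  tags:
    - anubis
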
# Let httpd open outbound network connections, which the reverse proxy in
# front of anubis needs. Persisted so it survives a policy reload/reboot.
# NOTE(review): httpd_can_network_connect is the broad boolean -- it allows
# httpd to connect to any port, not just the anubis backend. If the proxy
# only needs to reach the local listener, the narrower
# httpd_can_network_relay may be sufficient; confirm against the httpd
# config before tightening.
- name: Allow Apache to make network connections for proxy
  ansible.posix.seboolean:
    name: httpd_can_network_connect
    state: true
    persistent: true
  tags:
    - anubis

# Start the default anubis instance now and enable it for boot.
# NOTE(review): this task runs before the env/policy templates below are
# rendered, so on a fresh host the first start may happen without
# /etc/anubis/default.env present; the change handlers restart the service
# afterwards. Confirm the unit tolerates a missing env file, or consider
# ordering the service task after the config tasks.
- name: Ensure Anubis service is enabled and started
  ansible.builtin.service:
    state: started
    enabled: true
    name: anubis@default.service
  tags:
    - anubis

# Render the anubis environment file. A host-group specific template
# (default.env.j2.<ipa_host_group>) wins over the generic default.env.j2.
# Mode 0600 with owner anubis keeps the file private to the service account
# (it presumably carries secrets -- confirm). No `group` is set, so the
# group is whatever the creating process uses; with 0600 that has no effect
# on who can read it.
- name: Install Anubis env config
  ansible.builtin.template:
    src: "{{ item }}"
    dest: "/etc/anubis/default.env"
    mode: '0600'
    owner: anubis
  with_first_found:
    - files:
        - "default.env.j2.{{ ipa_host_group }}"
        - "default.env.j2"
      paths:
        - "templates/"
  # anubis picks up the new env on restart; httpd is reloaded alongside it.
  notify:
    - Restart anubis
    - Reload httpd
  tags:
    - anubis

# Render the anubis policy rules, again preferring a host-group specific
# template over the generic policies.yaml.j2. Same 0600/owner anubis
# permissions as the env file.
- name: Install Anubis rules
  ansible.builtin.template:
    src: "{{ item }}"
    dest: "/etc/anubis/policies.yaml"
    mode: '0600'
    owner: anubis
  with_first_found:
    - files:
        - "policies.yaml.j2.{{ ipa_host_group }}"
        - "policies.yaml.j2"
      paths:
        - "templates/"
  notify:
    - Restart anubis
    - Reload httpd
  tags:
    - anubis

### Monitoring config

# Custom SELinux requirements for Zabbix to execute monitoring binaries

# Directory that holds the locally built SELinux module source for the
# Zabbix checks. World-readable (0755) is fine: it holds policy source, not
# secrets.
- name: Ensure a directory exists for Anubis Zabbix selinux module
  ansible.builtin.file:
    path: /usr/local/share/zabbix
    state: directory
    mode: '0755'
  tags:
    - anubis
    - selinux
    - zabbix_agent

# Ship the SELinux type-enforcement source for the Zabbix checks. The result
# is registered so the module is only recompiled when the source changed.
# NOTE(review): the source file (selinux_anubis.te) is renamed on the host to
# zabbix_anubis.te, matching selinux_module_name in the compile task below;
# the `module` declaration inside the .te must use that same name -- confirm.
- name: Copy Anubis Zabbix SELinux module
  ansible.builtin.copy:
    src: zabbix/selinux_anubis.te
    dest: /usr/local/share/zabbix/zabbix_anubis.te
    owner: root
    group: root
    mode: '0644'
  register: selinux_zabbix_file
  tags:
    - anubis
    - selinux
    - zabbix_agent

# Build and load the zabbix_anubis module via the shared compile-selinux.yml
# task file, but only when the .te source copied above changed.
# NOTE(review): tags on include_tasks apply to the include statement only,
# not to the tasks inside compile-selinux.yml. If those tasks are untagged,
# a `--tags anubis` run will include the file but skip its tasks; the
# include's `apply` option is the usual way to propagate the tags -- confirm
# against compile-selinux.yml.
- name: Compile and install SELinux module
  ansible.builtin.include_tasks: "{{ tasks_path }}/compile-selinux.yml"
  vars:
    selinux_module_dir: /usr/local/share/zabbix
    selinux_module_name: zabbix_anubis
  when: selinux_zabbix_file.changed
  tags:
    - anubis
    - selinux
    - zabbix_agent

# Drop the anubis snippet into the Zabbix agent's conf.d and restart the
# agent so it reads the new file.
- name: Install Zabbix agent config drop-in
  ansible.builtin.copy:
    dest: /etc/zabbix/zabbix_agentd.d/anubis.conf
    src: zabbix/agent-anubis.conf
    mode: "0644"
  notify:
    - Restart zabbix agent
  tags:
    - anubis
    - zabbix_agent

- name: Zabbix API Block
|
|
vars:
|
|
ansible_zabbix_auth_key: "{{ zabbix_auth_key }}"
|
|
ansible_network_os: "{{ zabbix_network_os }}"
|
|
ansible_connection: "{{ zabbix_connection }}"
|
|
ansible_httpapi_port: "{{ zabbix_httpapi_port }}"
|
|
ansible_httpapi_use_ssl: "{{ zabbix_httpapi_use_ssl }}"
|
|
ansible_httpapi_validate_certs: "{{ zabbix_httpapi_validate_certs }}"
|
|
ansible_host: "{{ zabbix_server }}"
|
|
ansible_zabbix_url_path: "{{ zabbix_url_path }}"
|
|
tags:
|
|
- zabbix_api
|
|
- anubis
|
|
block:
|
|
- name: Import Anubis template file
|
|
community.zabbix.zabbix_template:
|
|
template_yaml: "{{ lookup('file', 'zabbix/template-anubis.yml') }}"
|
|
state: present
|
|
- name: Ensure Anubis hostgroup is present
|
|
community.zabbix.zabbix_group:
|
|
host_groups:
|
|
- Anubis servers
|
|
state: present
|
|
- name: Add self to Anubis in Zabbix
|
|
community.zabbix.zabbix_host:
|
|
host_name: "{{ inventory_hostname }}"
|
|
host_groups: Anubis servers
|
|
link_templates: Anubis Monitoring
|
|
force: false
|