# # This role sets up the various packages and scripts needed for a batcave # # # make directory for nfs mounts to live in # --- - name: Create /srv/web/pub for nfs mounts ansible.builtin.file: dest=/srv/web/pub state=directory mode=0755 tags: - batcave - config - name: Install packages needed ansible.builtin.package: name={{ item }} state=present with_items: - ansible-core # This is our ansible master, needs ansible installed. - ansible_utils # Needed for rbac-playbook - createrepo_c # Needed for rhn sync - ostree # Needed for rhn sync - bind # named-checkzone for dns repo - emacs-nox - nano - diff-so-fancy - rpm-sign # for the sign-and-import playbook - createrepo # for the sign-and-import playbook - unzip # general useful util - fpaste # general useful util - mtr # useful for network debugging - lftp # needed to easily pull in builds from koji for internal repos - git-email # needed to send patches for review to the mailing list - python3-dns # needed to have ansible remove ip-based known_host entries - libvirt-client # needed to allow migrations to be run from here. - easy-rsa # For easy copying into ansible-private for certs. - dnf # To get dnf reposync - dnf-plugins-core # To get dnf reposync - fedora-messaging # To send/receive messages on the amqp bus - ansible-freeipa # For the IPA server configuration tasks - moreutils # needed for pee command for dns repo hook + chronic for cron emails # - python39-jmespath # for the copr playbooks - rhel-system-roles # for networking - python3-requests-kerberos # for authentication via kinit inside ansible - python3-sqlalchemy # needed for rhel2json tags: - batcave - config when: inventory_hostname.startswith('batcave01') - name: Setup ssh_known_hosts file ansible.builtin.copy: src=ssh_known_hosts dest=/etc/ssh/ssh_known_hosts mode=0644 tags: - batcave - config - fingerprints # # This is our ansible master, setup ansible # - name: Setup roots bashrc to note about agents ansible.builtin.copy: src=root_bashrc dest=/root/.bashrc tags: - batcave - config - name: Run daily logview report for ansible actions. ansible.builtin.copy: src=logview.cron dest=/etc/cron.daily/logview.cron mode=0755 tags: - batcave - config when: inventory_hostname.startswith('batcave01') - name: Install program for generating ticket key ansible.builtin.copy: src=generate_ticketkey dest=/usr/local/bin/generate_ticketkey mode=0755 tags: - batcave - config - name: Setup cron for daily ticketkey reollover ansible.builtin.copy: src=ticketkey.cron dest=/etc/cron.hourly/ticketkey.cron mode=0755 tags: - batcave - config when: inventory_hostname.startswith('batcave01') - name: Setup cron for removing old pdr requests ansible.builtin.copy: src=pdr.cron dest=/etc/cron.d/pdr.cron mode=0644 tags: - batcave - config when: inventory_hostname.startswith('batcave01') - name: Setup cron to expose the rabbitmq certs ansible.builtin.copy: src: make-rabbitmq-certs-public.sh dest: /etc/cron.daily/make-rabbitmq-certs-public mode: "0755" tags: - batcave - config when: inventory_hostname.startswith('batcave01') # # Set selinux booleans we need # - name: Set selinux booleans seboolean: name={{ item }} persistent=yes state=yes with_items: - httpd_can_network_connect - httpd_use_nfs - httpd_can_network_relay - polyinstantiation_enabled tags: - batcave - config # # fedora-messaging configuration file for the applications sending messages from # batcave # - name: Install the fedora-messaging configuration file ansible.builtin.template: src=batcave-messaging.toml dest=/etc/fedora-messaging/batcave-messaging.toml tags: - batcave - config - fedora-messaging - name: Create folder where we'll place the certs ansible.builtin.file: path=/etc/pki/rabbitmq/ owner=root group=root mode=0755 state=directory tags: - batcave - config - fedora-messaging - name: Install the rabbitmq certificates for batcave ansible.builtin.copy: src={{ item.src }} dest=/etc/pki/rabbitmq/{{ item.dest }} owner={{ item.owner }} group={{ item.group}} mode={{ item.mode }} with_items: - src: "{{private}}/files/rabbitmq/{{ env }}/pki/issued/batcave{{ env_suffix }}.crt" dest: batcave.crt owner: root group: root mode: "444" - src: "{{private}}/files/rabbitmq/{{ env }}/pki/private/batcave{{ env_suffix }}.key" dest: batcave.key owner: root group: root mode: "440" - src: "{{private}}/files/rabbitmq/{{ env }}/ca-combined.crt" dest: batcave.ca owner: root group: root mode: "444" tags: - batcave - config - fedora-messaging # # Scripts # # # Hook to notify on git commits used in git repos # - name: Setup git-notifier script ansible.builtin.copy: src=git-notifier dest=/usr/local/bin/git-notifier mode=0755 tags: - batcave - config # Hook to republish our bare repos for web viewing. - name: Setup syncgittree.sh script ansible.builtin.copy: src=syncgittree.sh dest=/usr/local/bin/syncgittree.sh mode=0755 tags: - batcave - config # The zodbot server must allow TCP on whatever port zodbot is listening on # for this to work (currently TCP port 5050). # Once that is done, you can symlink /usr/local/bin/zodbot-announce-commits.py # to the 'hooks' directory of the bare repo you're wishing to receive commits # for, then add a hooks.zodbotchannel to the repo's config file. # Lastly, add the following lines to your 'update' hook: # reposource=$(git config hooks.reposource) # zodbot_channel=$(git config hooks.zodbotchannel) # python $reposource/hooks/zodbot-announce-commits.py $reposource $zodbot_channel $oldrev $newrev ${1#refs/heads/} - name: Install zodbot-announce-commits script ansible.builtin.copy: src=zodbot-announce-commits.py dest=/usr/local/bin/zodbot-announce-commits.py mode=0755 tags: - batcave - config - zodbot # # This is another script to announce commits, this time to the fedora messaging # - name: Install packages needed ansible.builtin.package: name: fedora-messaging-git-hook state: present tags: - batcave - config # # This script checks all the virthosts and logs what guests they are running. # - name: Install vmdiff.sh cron ansible.builtin.copy: src=vmdiff.sh dest=/etc/cron.hourly/vmdiff.sh mode=0755 tags: - batcave - config when: inventory_hostname.startswith('batcave01') - name: Install infradocs.sh cron ansible.builtin.copy: src=infradocs.sh dest=/etc/cron.hourly/infradocs.sh mode=0755 tags: - batcave - config when: inventory_hostname.startswith('batcave01') # # Setup public db copy script. # - name: Setup public db copy script ansible.builtin.copy: src=public-db-copy.sh dest=/usr/local/bin/public-db-copy.sh mode=0755 tags: - batcave - config # # Setup public db copy cron. # - name: Setup public db copy script ansible.builtin.copy: src=public-db-copy.cron dest=/etc/cron.d/public-db-copy.cron mode=0644 tags: - batcave - config when: inventory_hostname.startswith('batcave01') # # Setup job that runs a check/diff ansible run over all playbooks each night. # - name: Setup checkdiff ansible job ansible.builtin.copy: src=ansible-playbook-check-diff.cron dest=/etc/cron.daily/ansible-playbook-check-diff.cron mode=0755 tags: - batcave - config when: inventory_hostname.startswith('batcave01') # # Setup job that runs gets updates/uptimes for hosts each night (via. ansible). # - name: Install updates+uptime command ansible.builtin.copy: src={{ files }}/scripts/updates-uptime-cmd.py dest=/usr/local/bin/updates-uptime-cmd.py mode=0755 tags: - batcave - config when: inventory_hostname.startswith('batcave01') - name: Setup updates+uptime ansible job ansible.builtin.copy: src=ansible-hosts-updates-uptime.cron dest=/etc/cron.daily/ansible-hosts-updates-uptime.cron mode=0755 tags: - batcave - config when: inventory_hostname.startswith('batcave01') # # Setup job that runs letsencrypt on proxies each week # - name: Setup letsencrypt run for proxies ansible.builtin.copy: src=proxy-certs-check-renew.cron dest=/etc/cron.weekly/proxy-certs-check-renew.cron mode=0755 tags: - batcave - config when: inventory_hostname.startswith('batcave01') # Setup rhel8 sync script. # - name: Setup rhel8 sync copy script ansible.builtin.copy: src=rhel8-sync dest=/mnt/fedora/app/fi-repo/rhel/rhel8/rhel8-sync mode=0775 tags: - batcave - config when: inventory_hostname.startswith('batcave01') # # Setup rhel9 sync script. # - name: Setup rhel9 sync copy script ansible.builtin.copy: src=rhel9-sync dest=/mnt/fedora/app/fi-repo/rhel/rhel9/rhel9-sync mode=0775 tags: - batcave - config when: inventory_hostname.startswith('batcave01') - name: Setup rhel10 sync copy script ansible.builtin.copy: src: rhel10-sync dest: /mnt/fedora/app/fi-repo/rhel/rhel10/rhel10-sync mode: '0775' tags: - batcave - config when: inventory_hostname.startswith('batcave01') # # sync-rhn cron job # - name: Setup sync-rhn cron ansible.builtin.copy: src=sync-rhn dest=/etc/cron.d/sync-rhn mode=0644 tags: - batcave - config when: inventory_hostname.startswith('batcave01') # # sync-centos cron job # - name: Setup sync-rhn cron ansible.builtin.copy: src=sync-centos dest=/etc/cron.d/sync-centos mode=0644 tags: - batcave - config when: inventory_hostname.startswith('batcave01') # # Setup centos 9s sync script. # - name: Setup centos 9s sync script ansible.builtin.copy: src=centos-9s-sync dest=/mnt/fedora/app/fi-repo/centos/centos-9s-sync mode=0775 tags: - batcave - config when: inventory_hostname.startswith('batcave01') # # Setup centos 10 sync script. # - name: Setup centos 10 sync script ansible.builtin.copy: src=centos-10-sync dest=/mnt/fedora/app/fi-repo/centos/centos-10-sync mode=0775 tags: - batcave - config when: inventory_hostname.startswith('batcave01') # # Setup web server config # - name: Install web server config for batcave (mimetypes) ansible.builtin.copy: src=mime-types.conf dest=/etc/httpd/conf.d/mime-types.conf mode=0644 notify: - Reload httpd tags: - batcave - config - httpd - name: Install web server config for batcave (access rules) ansible.builtin.copy: src=allows dest=/etc/httpd/conf.d/allows mode=0644 notify: - Reload httpd tags: - batcave - config - httpd - name: Install web server config for batcave (main config) ansible.builtin.template: src=infrastructure.fedoraproject.org.conf.j2 dest=/etc/httpd/conf.d/infrastructure.fedoraproject.org.conf mode=0644 notify: - Reload httpd tags: - batcave - config - httpd - sslciphers # # this cron job creates a json file from the rhel repos # - name: Create repo2json directory ansible.builtin.file: dest=/srv/web/repo/json mode=0755 state=directory owner=apache group=apache tags: - batcave - config when: inventory_hostname.startswith('batcave01') - name: Create repo2json cron job ansible.builtin.copy: src=repo2json.cron dest=/etc/cron.d/repo2json.cron mode=0644 tags: - batcave - config when: inventory_hostname.startswith('batcave01') # # ansible utils includes our rbac-playbook # - name: Install the ansible_utils/rbac config ansible.builtin.copy: src={{ private }}/files/rbac/rbac.yaml dest=/etc/ansible_utils/rbac.yaml mode=0540 group=sysadmin tags: - rbac - batcave - config # # Setup geoip scripts. # Other machines pull current geoip data from here. # - name: Install geoip download databases script ansible.builtin.template: src: geoip-download-databases dest: /usr/local/bin/geoip-download-databases mode: "0700" tags: - batcave - config - name: Install geoip download cron ansible.builtin.copy: src: geoip-download-databases.cron dest: /etc/cron.d/geoip-download-databases.cron mode: "0644" tags: - batcave - config when: inventory_hostname.startswith('batcave01') # # set selinux context for /srv/web/infra # - name: Check the selinux context of webdir ansible.builtin.command: matchpathcon /srv/web register: webdir check_mode: no changed_when: "1 != 1" tags: - config - batcave - selinux - httpd - httpd/website - name: /srv/web file contexts ansible.builtin.command: semanage fcontext -a -t httpd_sys_content_t "/srv/web(/.*)?" when: webdir.stdout.find('httpd_sys_content_t') == -1 tags: - config - batcave - selinux - httpd - httpd/website # # Setup public-db-copy target directory for datanommer-incremental. # - name: Create db-dumps/datanommer-incremental directory ansible.builtin.file: dest=/srv/web/infra/db-dumps/datanommer-incremental mode=2755 state=directory owner=root group=sysadmin-main setype=httpd_sys_content_t tags: - batcave - config when: inventory_hostname.startswith('batcave01') # # set selinux context for public git repos # - name: Check the selinux context of ansible ansible.builtin.command: matchpathcon /srv/git/ansible.git register: webdir check_mode: no changed_when: "1 != 1" tags: - config - batcave - selinux - httpd - httpd/website - name: /srv/git/ansible file contexts ansible.builtin.command: semanage fcontext -a -t git_content_t "/srv/git/ansible.git(/.*)?" when: webdir.stdout.find('git_content_t') == -1 tags: - config - batcave - selinux - httpd - httpd/website - name: Check the selinux context of badges ansible.builtin.command: matchpathcon /srv/git/badges register: webdir check_mode: no changed_when: "1 != 1" tags: - config - batcave - selinux - httpd - httpd/website - name: /srv/git/badges file contexts ansible.builtin.command: semanage fcontext -a -t git_content_t "/srv/git/badges(/.*)?" when: webdir.stdout.find('git_content_t') == -1 tags: - config - batcave - selinux - httpd - httpd/website - name: Check the selinux context of dns ansible.builtin.command: matchpathcon /srv/git/dns register: webdir check_mode: no changed_when: "1 != 1" tags: - config - batcave - selinux - httpd - httpd/website - name: /srv/git/dns file contexts ansible.builtin.command: semanage fcontext -a -t git_content_t "/srv/git/dns(/.*)?" when: webdir.stdout.find('git_content_t') == -1 tags: - config - batcave - selinux - httpd - httpd/website - name: Check the selinux context of infra-docs ansible.builtin.command: matchpathcon /srv/git/infra-docs register: webdir check_mode: no changed_when: "1 != 1" tags: - config - batcave - selinux - httpd - httpd/website - name: /srv/git/infra-docs file contexts ansible.builtin.command: semanage fcontext -a -t git_content_t "/srv/git/infra-docs(/.*)?" when: webdir.stdout.find('git_content_t') == -1 tags: - config - batcave - selinux - httpd - httpd/website # On RHEL 8.8 and newer, git operations fail because of dubious ownership. This should fix it. - name: Configure git directories as safe git_config: name: safe.directory scope: system value: "*" tags: - config - batcave - name: Add SAR script for koji ansible.builtin.copy: src=koji_sar.py dest=/usr/local/bin/koji_sar.py owner=root mode=0700 tags: - SAR - GDPR - koji - batcave - name: Create some tmp dirs ansible.builtin.file: path=/tmp-inst mode=000 owner=root group=root state=directory tags: - config - batcave - selinux - name: Create some tmp dirs ansible.builtin.file: path=/var/tmp-inst mode=000 owner=root group=root state=directory tags: - config - batcave - selinux - name: Put in place namespace.conf file ansible.builtin.copy: src=namespace.conf dest=/etc/security/namespace.conf mode=644 owner=root group=root tags: - config - batcave - selinux - name: Create the /var/tmux folder for shared tmux session ansible.builtin.file: path=/var/tmux mode=2774 owner=root group=sysadmin state=directory tags: - batcave - tmux - name: Let the /var/tmux folder be writable to fi-apprentice as well ansible.builtin.command: setfacl -R -m d:g:fi-apprentice:rwx -m g:fi-apprentice:rwx /var/tmux tags: - batcave - tmux - name: Create dir for openshift pxe boot files ansible.builtin.file: path=/srv/web/infra/bigfiles/{{item}} mode=2660 owner=root group=sysadmin-openshift state=directory with_items: - openshiftboot - tftpboot/rhcos tags: - batcave - openshiftboot - name: Let the openshift dir be writeable by sysadmin-openshift ansible.builtin.command: setfacl -R -m d:g:sysadmin-openshift:rwx -m g:sysadmin-openshift:rwx /srv/web/infra/bigfiles/{{item}} with_items: - openshiftboot - tftpboot/rhcos tags: - batcave - openshiftboot - name: Let the dns repo dir be writeable by sysadmin-dns ansible.builtin.command: setfacl -R -m d:g:sysadmin-dns:rwx -m g:sysadmin-dns:rwx /srv/git/dns tags: - batcave - dns - name: Let the private repo dir be writeable by sysadmin-main ansible.builtin.command: setfacl -R -m d:g:sysadmin-main:rwx -m g:sysadmin-main:rwx /srv/git/ansible-private tags: - batcave - private # # install psql to allow for some ro queries against db-datanommer02 # - name: Enable the postgresql 12 module for psql on batcave ansible.builtin.copy: dest: /etc/dnf/modules.d/postgresql.module content: | [postgresql] name=postgresql stream=12 profiles= state=enabled tags: - batcave - postgres - name: Install psql client ansible.builtin.package: name=postgresql state=present tags: - batcave - postgres - config - packages # # apply patch for uri module to allow it to work with newer python (fedora) machines # from old python (rhel9 control host/batcave01) # # https://github.com/ansible/ansible/issues/81256 # https://github.com/ansible/ansible/pull/81257 # # keep this until ansible-core updates to 2.15.x # - name: Apply uri module patch to ansible ansible.posix.patch: src: urls.py.patch basedir: /usr/lib/python3.9/site-packages/ansible/module_utils/ tags: - batcave - hotfix - name: Empty default welcome.conf ansible.builtin.copy: dest=/etc/httpd/conf.d/welcome.conf content="" tags: - batcave - config