Commit fas server ansible playbook from ticket 4394

This commit is contained in:
Kevin Fenzi 2014-12-06 18:33:44 +00:00
parent 676ea12ff3
commit edbeca3a90
4 changed files with 369 additions and 0 deletions

inventory/group_vars/fas Normal file

@ -0,0 +1,26 @@
---
# Define resources for this group of hosts here.
lvm_size: 30000
mem_size: 2048
num_cpus: 2
# for systems that do not match the above - specify the same parameter in
# the host_vars/$hostname file
tcp_ports: [ 80, 8443, 8444,
# fas has 32 wsgi processes, each of which need their own port
# open for outbound fedmsg messages.
8000, 8001, 8002, 8003, 8004, 8005, 8006, 8007,
8008, 8009, 8010, 8011, 8012, 8013, 8014, 8015,
8016, 8017, 8018, 8019, 8020, 8021, 8022, 8023,
8024, 8025, 8026, 8027, 8028, 8029, 8030, 8031, ]
fas_client_groups: sysadmin-main,sysadmin-accounts
master_fas_node: False
# A host group for rsync config
rsync_group: fas
nrpe_procs_warn: 300
nrpe_procs_crit: 500
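Review bot: `master_fas_node: False` uses a capitalised YAML 1.1 boolean; the task file in this commit compares it with `== True`, so it works, but the canonical form is `master_fas_node: false` (with `when: master_fas_node` in the tasks). The `tcp_ports` list presumably drives the host firewall rules — confirm against the consuming role — and it opens the 32 fedmsg ports 8000–8031 with no source restriction visible here, which deserves a comment stating where those ports are expected to be reachable from, e.g. `# 8000-8031: fedmsg publisher sockets; document the intended source networks`. The flow sequence is valid YAML (comments and a trailing comma are allowed inside `[ ]`), but a block sequence would make the comment placement and future diffs clearer.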


@ -0,0 +1,10 @@
---
nm: 255.255.255.0
gw: 10.5.126.254
dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-6
ks_repo: http://10.5.126.23/repo/rhel/RHEL6-x86_64/
volgroup: /dev/vg_virthost10
eth0_ip: 10.5.126.86
vmhost: virthost10.phx2.fedoraproject.org
datacenter: phx2
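Review bot: `ks_url` and `ks_repo` fetch the kickstart and installer repository over plain `http://` from 10.5.126.23, so the provisioning input that runs as root at install time carries no transport integrity. That is presumably acceptable because 10.5.126.0/24 looks like an internal network (`datacenter: phx2`), but the assumption should be stated, e.g. `# ks/repo served over plain http; only reachable on the internal phx2 network`. The file's path is not shown on this page; it appears to be the host_vars file for the host at `eth0_ip: 10.5.126.86`.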

playbooks/groups/fas.yml Normal file

@ -0,0 +1,53 @@
# create a new fas server
#
#
- name: make fas server
hosts: fas-stg
user: root
gather_facts: False
accelerate: "{{ accelerated }}"
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "{{ private }}/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- include: "{{ tasks }}/virt_instance_create.yml"
handlers:
- include: "{{ handlers }}/restart_services.yml"
- name: make the box be real
hosts: fas-stg
user: root
gather_facts: True
accelerate: "{{ accelerated }}"
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "{{ private }}/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- base
- rkhunter
- denyhosts
- nagios_client
- fas_client
- collectd/base
- rsyncd
- fas_server
tasks:
- include: "{{ tasks }}/hosts.yml"
- include: "{{ tasks }}/yumrepos.yml"
- include: "{{ tasks }}/2fa_client.yml"
- include: "{{ tasks }}/motd.yml"
- include: "{{ tasks }}/sudo.yml"
- include: "{{ tasks }}/apache.yml"
- include: "{{ tasks }}/mod_wsgi.yml"
handlers:
- include: "{{ handlers }}/restart_services.yml"
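Review bot: Both plays target `hosts: fas-stg`, while the playbook lives at `playbooks/groups/fas.yml` and the variables in this commit are in `inventory/group_vars/fas`; unless `fas-stg` is a child of the `fas` group in the inventory (not visible here), none of those group vars — including `tcp_ports` and `master_fas_node` — reach these hosts. Either target `hosts: fas` and select staging through the inventory, or confirm the group nesting before relying on them. The file also lacks the `---` document start used by the other files in this commit; add it as the first line.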


@ -0,0 +1,280 @@
---
# Tasks to set up fas_server
- name: install needed packages
yum: pkg={{ item }} state=installed
with_items:
- fas
- fas-plugin-yubikey
tags:
- packages
- name: enable httpd_can_network_connect selinux boolean
seboolean: name=httpd_can_network_connect state=yes persistent=yes
tags:
- config
- name: setup /var/www/.python-eggs directory
file: path=/var/www/.python-eggs owner=apache group=apache mode=0700 state=directory
tags:
- config
- name: setup /etc/fas-gpg directory
file: path=/etc/fas-gpg owner=fas group=fas mode=0700 state=directory
tags:
- config
- name: install /etc/httpd/conf.d/accounts.conf file
template: >
src="fas-app.conf.j2"
dest="/etc/httpd/conf.d/accounts.conf"
owner=root
group=root
mode=0644
notify:
- restart httpd
tags:
- config
- name: setup /etc/pki/fas directory
file: path=/etc/pki/fas owner=fas group=fas mode=0755 state=directory
tags:
- config
- name: install $pythonsitelib/fas/config/log.cfg
copy: >
src="fas-log.cfg"
dest="$pythonsitelib/fas/config/log.cfg" # $pythonsitelib=?
owner=root
group=root
mode=0644
notify:
- restart httpd
tags:
- config
# $bugzillaUser = "fedora-admin-xmlrpc@redhat.com"
- name: install /etc/fas-gpg/pubring.gpg file
copy: >
src="{{ puppet_private }}/fas-gpg/pubring.gpg"
dest="/etc/fas-gpg/pubring.gpg"
owner=fas
group=fas
mode=0600
tags:
- config
- name: install /etc/pki/fas/fedora-server-ca.cert file
copy: >
src="{{ puppet_private }}/fedora-ca.cert"
dest="/etc/pki/fas/fedora-server-ca.cert"
owner=fas
group=fas
mode=0644
tags:
- config
- name: install /etc/pki/fas/fedora-upload-ca.cert file
copy: >
src="{{ puppet_private }}/fedora-ca.cert"
dest="/etc/pki/fas/fedora-upload-ca.cert"
owner=fas
group=fas
mode=0644
tags:
- config
- name: install /usr/share/fas/static/fedora-server-ca.cert file
copy: >
src="{{ puppet_private }}/fedora-ca.cert"
dest="/usr/share/fas/static/fedora-server-ca.cert"
owner=root
group=root
mode=0644
tags:
- config
- name: install /usr/share/fas/static/fedora-upload-ca.cert file
copy: >
src="{{ puppet_private }}/fedora-ca.cert"
dest="/usr/share/fas/static/fedora-upload-ca.cert"
owner=root
group=root
mode=0644
tags:
- config
- name: install /etc/fas.cfg file
template: >
src="fas.cfg.j2"
dest="/etc/fas.cfg"
owner=fas
group=apache
mode=0640
notify:
- restart httpd
tags:
- config
- name: install /usr/local/bin/yubikey-remove.py file
template: >
src="yubikey-remove.py.j2"
dest="/usr/local/bin/yubikey-remove.py"
owner=fas
group=fas
mode=0750
tags:
- config
# $gen_cert = "True"
- name: install /etc/fas.cfg file
template: >
src="fas.cfg.j2"
dest="/etc/fas.cfg"
owner=fas
group=apache
mode=0640
when: master_fas_node == True
notify:
- restart httpd
tags:
- config
- name: setup /var/lock/fedora-ca directory
file: path=/var/lock/fedora-ca owner=fas group=fas mode=0700 state=directory setype=var_lock_t
when: master_fas_node == True
tags:
- config
- name: setup /var/lib/fedora-ca directory
file: path=/var/lib/fedora-ca owner=fas group=fas mode=0771 state=directory setype=httpd_sys_content_t
when: master_fas_node == True
tags:
- config
- name: install /var/lib/fedora-ca/.rnd file
file: path=/var/lib/fedora-ca/.rnd owner=fas group=fas mode=0600 setype=httpd_sys_content_t
when: master_fas_node == True
tags:
- config
- name: setup /var/lib/fedora-ca/newcerts directory
file: path=/var/lib/fedora-ca/newcerts owner=fas group=fas mode=0700 state=directory
when: master_fas_node == True
tags:
- config
- name: setup /var/lib/fedora-ca/private directory
file: path=/var/lib/fedora-ca/private owner=fas group=fas mode=0700 state=directory
when: master_fas_node == True
tags:
- config
- name: install /var/lib/fedora-ca/private/cakey.pem file
copy: >
src="{{ puppet_private }}/cakey.pem"
dest="/var/lib/fedora-ca/private/cakey.pem"
owner=fas
group=fas
mode=0400
when: master_fas_node == True
tags:
- config
- name: install /var/lib/fedora-ca/Makefile file
copy: >
src="Makefile.fedora-ca"
dest="/var/lib/fedora-ca/Makefile"
owner=root
group=root
mode=0644
when: master_fas_node == True
tags:
- config
- name: install /var/lib/fedora-ca/openssl.cnf file
copy: >
src="fedora-ca-client-openssl.cnf"
dest="/var/lib/fedora-ca/openssl.cnf"
owner=root
group=root
mode=0644
when: master_fas_node == True
tags:
- config
- name: install /var/lib/fedora-ca/certhelper.py file
copy: >
src="certhelper.py"
dest="/var/lib/fedora-ca/certhelper.py"
owner=root
group=root
mode=0755
when: master_fas_node == True
tags:
- config
- name: install /var/lib/fedora-ca/cacert.pem file
copy: >
src="{{ puppet_private }}/fedora-ca.cert"
dest="/var/lib/fedora-ca/cacert.pem"
owner=root
group=root
mode=0644
when: master_fas_node == True
tags:
- config
#For publishing the crl
- name: setup /srv/web/ca directory
file: path=/srv/web/ca owner=apache group=apache mode=0755 state=directory
when: master_fas_node == True
tags:
- config
- name: twice every month, force a new crl to be created
cron: >
name="gen-crl"
job="cd /var/lib/fedora-ca ; /usr/bin/make gencrl &> /dev/null"
user="fas"
minute="0"
hour="0"
day="1,15"
when: master_fas_node == True
tags:
- config
- name: create /srv/web/ca/crl.pem link
file: path="/srv/web/ca/crl.pem" state=link src="/var/lib/fedora-ca/crl/crl.pem"
when: master_fas_node == True
tags:
- config
- name: create /srv/web/ca/cacert.pem link
file: path="/srv/web/ca/cacert.pem" state=link src="/var/lib/fedora-ca/cacert.pem"
when: master_fas_node == True
tags:
- config
- name: install /etc/export-bugzilla.cfg file
template: >
src="export-bugzilla.cgf.j2"
dest="/etc/export-bugzilla.cfg"
owner=fas
group=fas
mode=0600
when: master_fas_node == True
tags:
- config
- name: run export-bugzilla program
cron: >
name="export-bugzilla"
job="cd /etc; MAILTO=root; /usr/sbin/export-bugzilla fedorabugs fedora_contrib"
user="fas"
minute="10"
when: master_fas_node == True
tags:
- config
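Review bot: The `dest` of the log.cfg copy task still carries a literal Puppet-style `$pythonsitelib`, and because the args sit in a `>` folded scalar the trailing `# $pythonsitelib=?` is not a comment but part of the module argument string, so the task either fails to parse or copies to a literal `$pythonsitelib/...` path. Replace it with a resolved site-packages path from a role variable (placeholder name `fas_python_sitelib`), e.g. `dest="{{ fas_python_sitelib }}/fas/config/log.cfg"`, and move the open question into a `#` line above the task. The `/var/lib/fedora-ca/.rnd` task uses the `file` module with no `state`, which defaults to `file` and fails when the file is absent; add `state=touch`. The second `install /etc/fas.cfg file` task is identical to the first apart from `when`, so it changes nothing; if the master node needs a different rendering (the `# $gen_cert = "True"` comment suggests it), pass that flag into the template instead of repeating the task. The `gen-crl` cron job discards all output with `&> /dev/null`, so a failed CRL regeneration on the master goes unnoticed; let cron mail the failure or log it, and note that the `MAILTO=root;` inside the export-bugzilla job is a shell assignment that does not affect cron's mail delivery.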