authorStephen Smoogen <smooge@redhat.com>2016-04-06 01:02:00 +0000
committerStephen Smoogen <smooge@redhat.com>2016-04-06 01:02:00 +0000
commita4cd4ce026214c5c4c8240d83fd0b5a2320687b9 (patch)
tree285e92c30690a0b843c324b356ac2e25c7746111
parent0924048c6c966b21ea679a37620c0261fcc02128 (diff)
parent0432eca89aed1946e3f52879c113b2b54fa15bf3 (diff)
fMerge branch 'master' of /git/ansible
-rw-r--r--roles/base/tasks/main.yml412
1 files changed, 412 insertions, 0 deletions
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
new file mode 100644
index 000000000..8139bb042
--- /dev/null
+++ b/roles/base/tasks/main.yml
@@ -0,0 +1,412 @@
+---
+
+#
+# This is the base role for all machines.
+# Things in here are things we want to do to every machine no matter what.
+#
+
+# XXX fixme # a datacenter 'fact' from setup
+- name: /etc/resolv.conf
+ copy: src={{ item }} dest=/etc/resolv.conf
+ with_first_found:
+ - "{{ resolvconf }}"
+ - resolv.conf/{{ ansible_fqdn }}
+ - resolv.conf/{{ host_group }}
+ - resolv.conf/{{ datacenter }}
+ - resolv.conf/resolv.conf
+ tags:
+ - config
+ - resolvconf
+ - base
+ - ifcfg
+
+- name: check for NetworkManager/nmcli
+ command: /usr/bin/test -f /usr/bin/nmcli
+ register: nmclitest
+ ignore_errors: true
+ changed_when: false
+ failed_when: "1 != 1"
+ always_run: true
+ tags:
+ - config
+ - resolvconf
+ - base
+ - ifcfg
+
+- name: disable resolv.conf control from NM
+ ini_file: dest=/etc/NetworkManager/NetworkManager.conf section=main option=dns value=none
+ notify:
+ - restart NetworkManager
+ when: ansible_distribution_major_version|int >=7 and nmclitest|success and ( not ansible_ifcfg_blacklist)
+ tags:
+ - config
+ - resolvconf
+ - base
+ - ifcfg
+
+- name: get interface uuid
+ shell: nmcli -f "DEVICE,UUID" c show --active | grep -E '^eth|^br'
+ register: if_uuid
+ changed_when: false
+ failed_when: 'if_uuid.stdout == ""'
+ always_run: yes
+ when: ansible_distribution_major_version|int >=7 and nmclitest|success and ( not ansible_ifcfg_blacklist )
+ tags:
+ - config
+ - ifcfg
+ - base
+
+- name: copy ifcfg files - non virthost
+ template: src=ifcfg.j2 dest=/etc/sysconfig/network-scripts/ifcfg-{{item}} mode=644
+ with_items:
+ - "{{ ansible_interfaces }}"
+ notify:
+# - restart NetworkManager
+ - reload NetworkManager-connections
+ - apply interface-changes
+ when: (virthost is not defined) and (not item.startswith('tun')) and (not item.startswith('virbr')) and (not item.startswith('vnet')) and (hostvars[inventory_hostname]['ansible_' + item.replace('-','_')]['type'] == 'ether') and (ansible_distribution_major_version|int >=7) and hostvars[inventory_hostname]['ansible_' + item.replace('-','_')]['active'] and nmclitest|success and ( not ansible_ifcfg_blacklist )
+ tags:
+ - config
+ - ifcfg
+ - base
+
+- name: global default packages to install (yum)
+ yum: state=present name={{ item }}
+ with_items:
+ - "{{ global_pkgs_inst }}"
+ tags:
+ - packages
+ - base
+ when: ansible_distribution_major_version|int < 22
+
+- name: global default packages to install (dnf)
+ dnf: state=present name={{ item }}
+ with_items:
+ - "{{ global_pkgs_inst }}"
+ tags:
+ - packages
+ - base
+ when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
+
+- debug: msg="{{ansible_nodename}} {{inventory_hostname}} {{ansible_distribution_major_version|int}}"
+
+- name: make sure hostname is set right on rhel7 hosts
+ command: hostnamectl set-hostname {{ inventory_hostname }}
+ when: ( ansible_nodename != inventory_hostname ) and ansible_distribution_major_version|int == 7
+
+- name: sshd_config
+ copy: src={{ item }} dest=/etc/ssh/sshd_config mode=600
+ with_first_found:
+ - "{{ sshd_config }}"
+ - ssh/sshd_config.{{ ansible_fqdn }}
+ - ssh/sshd_config.{{ host_group }}
+ - ssh/sshd_config.{{ dist_tag }}
+ - ssh/sshd_config.{{ ansible_distribution }}
+ - ssh/sshd_config.{{ ansible_distribution_version }}
+ - ssh/sshd_config.default
+ notify:
+ - restart sshd
+ tags:
+ - sshd_config
+ - config
+ - sshd
+ - base
+
+- name: set root passwd
+ user: name=root password={{ rootpw }} state=present
+ tags:
+ - rootpw
+ - base
+ when: not (inventory_hostname.startswith('rawhide') or inventory_hostname.startswith('branched') or inventory_hostname.startswith('compose') or inventory_hostname.startswith('build') or inventory_hostname.startswith('arm') or inventory_hostname.startswith('bkernel') or inventory_hostname.startswith('koji01.stg') or inventory_hostname.startswith('aarch64') or inventory_hostname.startswith('s390') or inventory_hostname.startswith('fed-cloud09'))
+
+- name: add ansible root key
+ authorized_key: user=root key="{{ item }}"
+ with_file:
+ - ansible-pub-key
+ tags:
+ - config
+ - base
+
+- name: make sure our resolv.conf is the one being used - set RESOLV_MODS=no in /etc/sysconfig/network
+ lineinfile: dest=/etc/sysconfig/network create=yes backup=yes state=present line='RESOLV_MODS=no' regexp=^RESOLV_MODS=
+ tags:
+ - config
+ - base
+
+- name: dist pkgs to remove (yum)
+ yum: state=absent name={{ item }}
+ with_items:
+ - "{{ base_pkgs_erase }}"
+ tags:
+ - packages
+ - base
+ when: ansible_distribution_major_version|int < 22
+
+- name: dist pkgs to install (yum)
+ yum: state=present name={{ item }}
+ with_items:
+ - "{{ base_pkgs_inst }}"
+ tags:
+ - packages
+ - base
+ when: ansible_distribution_major_version|int < 22
+
+- name: dist pkgs to remove (dnf)
+ dnf: state=absent name={{ item }}
+ with_items:
+ - "{{ base_pkgs_erase }}"
+ tags:
+ - packages
+ - base
+ when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
+
+- name: dist pkgs to install (dnf)
+ dnf: state=present name={{ item }}
+ with_items:
+ - "{{ base_pkgs_inst }}"
+ tags:
+ - packages
+ - base
+ when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
+
+- name: dist disabled services
+ service: state=stopped enabled=false name={{ item }}
+ with_items:
+ - "{{ service_disabled }}"
+ tags:
+ - service
+ - config
+ - base
+
+- name: dist enabled services
+ service: state=running enabled=true name={{ item }}
+ with_items:
+ - "{{ service_enabled }}"
+ tags:
+ - service
+ - config
+ - base
+
+- name: iptables
+ template: src={{ item }} dest=/etc/sysconfig/iptables mode=600 validate="/sbin/iptables-restore --text %s"
+ with_first_found:
+ - iptables/iptables.{{ datacenter }}
+ - iptables/iptables.{{ ansible_fqdn }}
+ - iptables/iptables.{{ host_group }}
+ - iptables/iptables.{{ env }}
+ - iptables/iptables
+ when: not inventory_hostname.startswith('fed-cloud09')
+ notify:
+ - restart iptables
+ - reload libvirtd
+ tags:
+ - iptables
+ - config
+ - base
+
+- name: iptables service enabled
+ service: name=iptables state=started enabled=true
+ tags:
+ - iptables
+ - service
+ - base
+
+- name: ip6tables
+ template: src={{ item }} dest=/etc/sysconfig/ip6tables mode=600 backup=yes
+ with_first_found:
+ - iptables/ip6tables.{{ datacenter }}
+ - iptables/ip6tables.{{ ansible_fqdn }}
+ - iptables/ip6tables.{{ host_group }}
+ - iptables/ip6tables.{{ env }}
+ - iptables/ip6tables
+ when: not inventory_hostname.startswith('fed-cloud09')
+ notify:
+ - restart ip6tables
+ - reload libvirtd
+ tags:
+ - ip6tables
+ - config
+ - base
+
+- name: ip6tables service enabled
+ service: name=ip6tables state=started enabled=true
+ tags:
+ - ip6tables
+ - service
+ - base
+
+- name: enable journald persistence
+ file: path=/var/log/journal state=directory
+ owner=root group=systemd-journal mode=2755
+ when: ansible_distribution_major_version|int >= 7
+ tags:
+ - journald
+ - config
+ - base
+ notify:
+ - flush journald tmpfiles to persistent store
+
+- name: rsyslog.conf
+ copy: src={{ item }} dest=/etc/rsyslog.conf mode=644
+ with_first_found:
+ - rsyslog/rsyslog.conf.{{ ansible_fqdn }}
+ - rsyslog/rsyslog.conf.{{ dist_tag }}
+ - rsyslog/rsyslog.conf.default
+ notify:
+ - restart rsyslog
+ tags:
+ - rsyslogd
+ - config
+ - base
+
+- name: rsyslog log rotate for rsyslog servers
+ copy: src=rsyslog/merged-rsyslog dest=/etc/logrotate.d/merged-rsyslog mode=644
+ when: inventory_hostname.startswith('log')
+ notify:
+ - restart rsyslog
+ tags:
+ - rsyslogd
+ - config
+ - base
+
+- name: add rsyslog config to /etc/rsyslog.d
+ copy: src={{ item }} dest=/etc/rsyslog.d/ owner=root group=root mode=0644
+ with_fileglob:
+ - rsyslog/*.conf
+ notify:
+ - restart rsyslog
+ tags:
+ - rsyslogd
+ - config
+ - base
+
+- name: log everything to log01 except on mirrorlist, do not log local4 there.
+ copy: src=rsyslog/rsyslog-log01 dest=/etc/rsyslog.d/rsyslog-log01.conf mode=644
+ when: not inventory_hostname.startswith(('mirrorlist','copr','jenkins'))
+ tags:
+ - rsyslogd
+ - config
+ - base
+
+- name: log everything to log01 except on mirrorlist, do log local4 there.
+ copy: src=rsyslog/rsyslog-log01-nolocal4 dest=/etc/rsyslog.d/rsyslog-log01.conf mode=644
+ when: inventory_hostname.startswith('mirrorlist')
+ tags:
+ - rsyslogd
+ - config
+ - base
+ - base
+
+- name: /etc/postfix/main.cf
+ copy: src={{ item }} dest=/etc/postfix/main.cf
+ with_first_found:
+ - "{{ postfix_maincf }}"
+ - "postfix/main.cf/main.cf.{{ ansible_fqdn }}"
+ - "postfix/main.cf/main.cf.{{ host_group }}"
+ - "postfix/main.cf/main.cf.{{ postfix_group }}"
+ - "postfix/main.cf/main.cf.{{ datacenter }}"
+ - "postfix/main.cf/main.cf"
+ notify:
+ - restart postfix
+ tags:
+ - postfix
+ - config
+ - base
+
+- name: install /etc/postfix/master.cf file
+ copy: src={{ item }} dest=/etc/postfix/master.cf mode=0644
+ with_first_found:
+ - "{{ postfix_mastercf }}"
+ - "postfix/master.cf/master.cf.{{ ansible_fqdn }}"
+ - "postfix/master.cf/master.cf.{{ inventory_hostname }}"
+ - "postfix/master.cf/master.cf.{{ host_group }}"
+ - "postfix/master.cf/master.cf.{{ postfix_group }}"
+ - "postfix/master.cf/master.cf"
+ when: inventory_hostname.startswith('smtp-mm')
+ notify:
+ - restart postfix
+ tags:
+ - postfix
+ - config
+ - base
+
+- name: enable postfix to start
+ service: name=postfix state=running enabled=true
+ tags:
+ - service
+ - base
+
+- name: install /etc/postfix/transport file
+ copy: src="postfix/{{ postfix_transport_filename }}" dest=/etc/postfix/transport
+ when: inventory_hostname.startswith(('smtp-mm','bastion'))
+ notify:
+ - restart postfix
+ - rebuild postfix transport
+ tags:
+ - postfix
+ - base
+ - config
+
+- name: install ntp.conf
+ template: src=ntp/ntp.conf.j2 dest=/etc/ntp.conf
+ tags:
+ - ntp
+ - config
+ - base
+
+- name: install ntp step-tickers
+ copy: src=ntp/step-tickers dest=/etc/ntp/step-tickers
+ tags:
+ - ntp
+ - config
+ - base
+
+- name: Start ntpd
+ service: name=ntpd state=running enabled=true
+ tags:
+ - ntp
+ - service
+ - base
+
+#
+# This task installs some common scripts to /usr/local/bin
+# scripts are under roles/base/files/common-scripts
+#
+
+- name: Install common scripts
+ copy: src={{ item }} dest=/usr/local/bin/ owner=root group=root mode=0755
+ with_fileglob:
+ - common-scripts/*
+ tags:
+ - config
+ - base
+
+- name: install a sync httpd logs cron script only on log01
+ copy: src=syncHttpLogs.sh dest=/etc/cron.daily/syncHttpLogs.sh mode=755
+ when: inventory_hostname.startswith('log01')
+ tags:
+ - config
+ - base
+
+- name: Drop in a little system_identification note
+ template: src=system_identification dest=/etc/system_identification
+ tags:
+ - config
+ - base
+
+#
+# Blacklist the cdc_ether module as we don't want it loading mgmt usb0 and spewing to logs.
+#
+- name: Blacklist cdc_ether module
+ copy: src=blacklist-cdc_ether.conf dest=/etc/modprobe.d/blacklist-cdc_ether.conf
+ when: ansible_virtualization_role == 'host'
+ tags:
+ - config
+ - base
+ - cdc_ether
+
+#
+# Watchdog stuff
+#
+- name: Set up watchdog
+ include: watchdog.yml
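Review bot: The ip6tables template task (`dest=/etc/sysconfig/ip6tables`) has no `validate=` while its iptables sibling a few tasks earlier does, so a syntax error in an ip6tables fragment is written to disk and only surfaces when the `restart ip6tables` handler fails, which can leave the host with its IPv6 rules flushed and nothing reloaded; mirror the iptables task with `validate="/sbin/ip6tables-restore --test %s"` on that line. The iptables task itself spells the flag `--text`; the dry-run option of iptables-restore is `--test` (`-t`), and if the binary only warns on an unknown option the validate step would load the temp file live instead of merely parsing it, so this is worth confirming on a host and changing to `--test`. The `tags:` list of the "do log local4 there" rsyslog task lists `- base` twice, and the names of the two log01 tasks read inverted relative to the `rsyslog-log01` / `rsyslog-log01-nolocal4` files they copy, which will confuse the next reader; a comment above the pair stating which hosts get which fragment and why would settle it. The `user: name=root password={{ rootpw }}` task only works if `rootpw` is already a password hash, which this hunk cannot show; a comment such as `# rootpw must be a crypt(3)-style hash, never a plaintext password` on that task would make the requirement explicit for whoever edits the vars.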