From dc1395daf143dd53c0dc5e3931aa212348a24ccc Mon Sep 17 00:00:00 2001
From: Ethan Paul
Date: Tue, 17 Mar 2020 22:51:10 -0400
Subject: [PATCH] Refactor roles to support new variable schema
Add common-env and docker roles
---
 roles/common_env/tasks/main.yml | 12 ++++
 roles/docker/tasks/install.yml | 45 +++++++++++++++
 roles/docker/tasks/main.yml | 19 +++++++
 roles/networkd/defaults/main.yml | 2 +
 roles/networkd/tasks/main.yml | 44 +++++++--------
 roles/networkd/tasks/packages.yml | 20 ++++---
 roles/networkd/tasks/services.yml | 3 +-
 roles/packages/tasks/centos-8-dracut.yml | 71 ------------------------
 roles/packages/tasks/clean.yml | 8 +--
 roles/packages/tasks/repos.yml | 8 +++
 roles/packages/tasks/update.yml | 3 -
 roles/sshd/defaults/main.yml | 1 +
 roles/sshd/tasks/install.yml | 14 +++++
 roles/sshd/tasks/main.yml | 6 +-
 14 files changed, 144 insertions(+), 112 deletions(-)
 create mode 100644 roles/common_env/tasks/main.yml
 create mode 100644 roles/docker/tasks/install.yml
 create mode 100644 roles/docker/tasks/main.yml
 create mode 100644 roles/networkd/defaults/main.yml
 delete mode 100644 roles/packages/tasks/centos-8-dracut.yml
 create mode 100644 roles/sshd/tasks/install.yml
diff --git a/roles/common_env/tasks/main.yml b/roles/common_env/tasks/main.yml
new file mode 100644
index 0000000..b7f9a65
--- /dev/null
+++ b/roles/common_env/tasks/main.yml
@@ -0,0 +1,12 @@
+---
+- name: Set hostname
+ become: true
+ hostname:
+ name: "{{ ansible_host }}"
+
+- name: Install global bashrc
+ become: true
+ copy:
+ src: bashrc.sh
+ dest: /etc/profile.d/ZA-enpn-bashrc.sh
+ mode: 0644
diff --git a/roles/docker/tasks/install.yml b/roles/docker/tasks/install.yml
new file mode 100644
index 0000000..306cc1c
--- /dev/null
+++ b/roles/docker/tasks/install.yml
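Review bot: The `Set hostname` task takes the system hostname from `ansible_host`, which is the connection address and may be an IP or a bastion alias rather than the name the host should carry; `inventory_hostname` or a dedicated variable is the usual source, e.g. `name: "{{ inventory_hostname }}"`. In the `Install global bashrc` task `mode: 0644` is parsed by YAML as an octal integer; Ansible accepts that form, but `mode: "0644"` is what ansible-lint expects and cannot be retyped by a different parser. A one-line comment above the copy task stating that the file is sourced by every login shell on the host would help a reader see why it is deployed root-owned with a fixed mode.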
@@ -0,0 +1,45 @@
+---
+# Just use the same repo for cent7 and cent8 because ¯\_(ツ)_/¯
+- name: Install Docker repository
+ become: true
+ when: ansible_distribution == "CentOS"
+ yum_repository:
+ name: docker-ce-stable
+ description: Docker CE Stable - $basearch
+ file: docker-ce-stable
+ baseurl: https://download.docker.com/linux/centos/7/$basearch/stable
+ gpgcheck: false
+ gpgcakey: https://download.docker.com/linux/centos/gpg
+
+- name: Install Docker on Cent7
+ become: true
+ when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
+ yum:
+ # Update the cache to update with the new docker repo
+ update_cache: yes
+ state: latest
+ name:
+ - device-mapper-persistent-data # Required for docker devicestorage driver
+ - lvm2 # same
+ - docker-ce
+ - containerd.io
+
+- name: Install Docker on Cent8
+ become: true
+ when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
+ dnf:
+ # Update the cache to update with the new docker repo
+ update_cache: yes
+ state: latest
+ name:
+ - device-mapper-persistent-data # Required for docker devicestorage driver
+ - lvm2 # same
+ - docker-ce-3:18.09.1-3.el7
+
+- name: Install python bindings
+ become: true
+ pip:
+ name:
+ - docker==4.2.0
+ - docker-compose==1.25.4
+ state: present
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
new file mode 100644
index 0000000..05ecfa7
--- /dev/null
+++ b/roles/docker/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+- import_tasks: install.yml
+
+- name: Start and enable docker service
+ become: true
+ systemd:
+ name: docker
+ state: started
+ enabled: yes
+
+- import_tasks: tasks/preprocess-users.yml
+
+- name: Add superusers to the docker group
+ become: true
+ user:
+ name: "{{ item.name }}"
+ groups: docker
+ append: yes
+ loop: "{{ _users_local_admin }}"
diff --git a/roles/networkd/defaults/main.yml b/roles/networkd/defaults/main.yml
new file mode 100644
index 0000000..f0e20b5
--- /dev/null
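Review bot: `gpgcheck: false` on the `Install Docker repository` task turns off signature verification for every package pulled from this third-party repository, so the key URL on the following line is never used; the repository publishes its signing key at exactly that URL, so the task should set `gpgcheck: true` and `gpgkey: https://download.docker.com/linux/centos/gpg` (`gpgcakey` is a separate parameter for repository-metadata CA keys and reads as a typo for `gpgkey`). `update_cache: yes` in both install tasks should be `true` per the Ansible truthy convention. On the Cent8 task `state: latest` combined with the fully pinned `docker-ce-3:18.09.1-3.el7` is contradictory and behaves as `present`; a comment on why the el7 build is installed on CentOS 8 would also help, since the header comment only covers sharing the repository.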
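Review bot: `import_tasks: tasks/preprocess-users.yml` is inconsistent with `import_tasks: install.yml` two tasks above: inside a role, `import_tasks` resolves relative to the role's `tasks/` directory, so this path would look for a `tasks/tasks/` subdirectory unless the file is meant to be found at the playbook level, which cannot be confirmed from the diff. Membership in the `docker` group is root-equivalent on the host, so the `Add superusers to the docker group` task deserves a comment such as `# docker group membership is equivalent to root; only _users_local_admin belongs here`. `enabled: yes` and `append: yes` should be `true` per the truthy convention.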
+++ b/roles/networkd/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+omni_restart_services: false
diff --git a/roles/networkd/tasks/main.yml b/roles/networkd/tasks/main.yml
index 7f494f1..bdd780e 100644
--- a/roles/networkd/tasks/main.yml
+++ b/roles/networkd/tasks/main.yml
@@ -1,33 +1,31 @@ --- - import_tasks: packages.yml -- name: Delete networkd config directory +- name: Configure networking via systemd become: true - file: - path: /etc/systemd/network - state: absent + when: omni_networking is defined + block: + - name: Delete networkd config directory + file: + path: /etc/systemd/network + state: absent -- name: Create the networkd config directory - become: true - file: - path: /etc/systemd/network - state: directory + - name: Create the networkd config directory + file: + path: /etc/systemd/network + state: directory -- name: Make network files - when: networking is defined - become: true - template: - src: network.j2 - dest: "/etc/systemd/network/{{ item.key }}.network" - loop: "{{ networking | dict2items }}" + - name: Make network files + template: + src: network.j2 + dest: "/etc/systemd/network/{{ item.key }}.network" + loop: "{{ omni_networking | dict2items }}" -- name: Make netdev files - when: networking is defined - become: true - template: - src: netdev.j2 - dest: "/etc/systemd/network/{{ item.0.key + '.' + item.1 }}.netdev" - loop: "{{ networking | dict2items | subelements('value.vlans', true) }}" + - name: Make netdev files + template: + src: netdev.j2 + dest: "/etc/systemd/network/{{ item.0.key + '.' + item.1 }}.netdev" + loop: "{{ omni_networking | dict2items | subelements('value.vlans', true) }}" - import_tasks: services.yml
diff --git a/roles/networkd/tasks/packages.yml b/roles/networkd/tasks/packages.yml
index 08bf747..6a047e9 100644
--- a/roles/networkd/tasks/packages.yml
+++ b/roles/networkd/tasks/packages.yml
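Review bot: The `Configure networking via systemd` block deletes `/etc/systemd/network` and recreates it on every run, so these tasks always report changed and any file an operator placed there by hand is removed without notice; if the purpose is to drop stale files, say so above the `Delete networkd config directory` task, e.g. `# wipe the directory so entries removed from omni_networking do not leave stale .network/.netdev files behind`. Between the delete and the template tasks the host has no networkd configuration at all, which matters if a run is interrupted and a later run with `omni_restart_services` true restarts networkd. The trailing `import_tasks: services.yml` is not gated on `omni_networking is defined`, so a host without that variable can still have NetworkManager stopped by the services.yml hunk with no networkd configuration in place; worth confirming that is intended.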
@@ -21,14 +21,18 @@ when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8" become: true block: - - name: Install this super-legitimate and definitely vetted COPR repo - shell: - creates: /etc/yum.repos.d/_copr:copr.fedorainfracloud.org:fschwarz:systemd-networkd.repo - cmd: dnf copr enable fschwarz/systemd-networkd - warn: false + # The systemd-networkd EPEL package is currently in the testing phase, so we have + # to enable the testing EPEL repo to install it. Note that this is also done in + # the packages role + # https://bugzilla.redhat.com/show_bug.cgi?id=1789146 + - name: Enable EPEL-Testing repository on CentOS 8s + lineinfile: + path: /etc/yum.repos.d/epel-testing.repo + regexp: "enabled=(0|1)" + line: "enabled=1" + insertbefore: "^$" + firstmatch: true - name: Install networkd dnf: state: latest - name: - # This now comes from aforementioned very good COPR repo - - systemd-networkd + name: systemd-networkd diff --git a/roles/networkd/tasks/services.yml b/roles/networkd/tasks/services.yml index 3905b81..428f085 100644 --- a/roles/networkd/tasks/services.yml +++ b/roles/networkd/tasks/services.yml @@ -19,7 +19,7 @@ - systemd-networkd-wait-online - name: Stop NetworkManager - when: restart_services | default(false) == true + when: omni_restart_services == true become: true systemd: name: "{{ item }}" @@ -29,6 +29,7 @@ - NetworkManager-wait-online - name: Start systemd-networkd + when: omni_restart_services == true become: true systemd: name: "{{ item }}" diff --git a/roles/packages/tasks/centos-8-dracut.yml b/roles/packages/tasks/centos-8-dracut.yml deleted file mode 100644 index 048e138..0000000 --- a/roles/packages/tasks/centos-8-dracut.yml +++ /dev/null 
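Review bot: Flipping `enabled=1` in `/etc/yum.repos.d/epel-testing.repo` widens this change well beyond systemd-networkd: every later dnf or yum operation, including the update task in the packages role, can now pull untested builds of any package from that repository. Scoping it to the one package is safer, e.g. keeping the repo file disabled and passing `enablerepo: epel-testing` on the `Install networkd` dnf task, or adding an `includepkgs=systemd-networkd*` line to the stanza. The same `lineinfile` task is duplicated in the packages/tasks/repos.yml hunk, so the two copies can drift. `regexp: "enabled=(0|1)"` is unanchored and `firstmatch: true` assumes the `[epel-testing]` stanza is the first one in the file, which holds for the stock file but deserves a comment.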
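Review bot: `when: omni_restart_services == true` in both services.yml hunks compares against a boolean, so a value passed on the command line (`-e omni_restart_services=true`) arrives as the string `"true"` and the comparison is false; the robust form is `when: omni_restart_services | bool`. The same expression recurs in the sshd/tasks/main.yml hunk (`'restarted' if omni_restart_services == true else 'started'`). The second hunk also makes `Start systemd-networkd` conditional on the restart flag, so on a run where the flag is false networkd is installed and configured but never started; the task body continues outside the hunk, so whether `enabled` is still applied unconditionally cannot be seen here.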
@@ -1,71 +0,0 @@ ---- -# The dracut patch is an issue uniquely bound to the fact that I'm using several -# old-as-shit hardware RAID cards. Specifically the Dell PERC H200 and the Dell PERC -# H310, both of which had their hardware drivers dropped in Cent8 (despite the drivers -# being included in the upstream fedora kernel, but whatever). OS installation and the -# process in this set of tasks is based off of this blog post: -# https://www.centos.org/forums/viewtopic.php?t=71862#p302447 -# -# TODO: Host the RPMs locally. The internet may never forget, but it's also never there -# when you need it -# -# NOTE: These tasks only need to be run on Cent8 -# -# NOTE: We assume- since this file literally has 'centos' in the name- that the -# ansible_distribution check has already been done at import time -# - -- name: Determine dracut version - shell: - cmd: rpm -qa | grep dracut-[0-9] - warn: false - register: dracut_version_check - -- name: Install patched version of dracut - when: dracut_version_check.stdout != "dracut-049-13.git20190614.p1.el8_0.elrepo.x86_64" - block: - - name: Create temporary download directory - file: - path: /tmp/dracut-patch - state: directory - - - name: Download patched dracut tool RPMs - get_url: - url: "{{ item.source }}" - dest: /tmp/dracut-patch/{{ item.dest }} - loop: - - source: http://elrepo.org/people/akemi/testing/el8/dracut/dracut-049-13.git20190614.p1.el8_0.elrepo.x86_64.rpm - dest: dracut.rpm - - source: http://elrepo.org/people/akemi/testing/el8/dracut/dracut-caps-049-13.git20190614.p1.el8_0.elrepo.x86_64.rpm - dest: dracut-caps.rpm - - source: http://elrepo.org/people/akemi/testing/el8/dracut/dracut-config-generic-049-13.git20190614.p1.el8_0.elrepo.x86_64.rpm - dest: dracut-config-generic.rpm - - source: http://elrepo.org/people/akemi/testing/el8/dracut/dracut-config-rescue-049-13.git20190614.p1.el8_0.elrepo.x86_64.rpm - dest: dracut-config-rescue.rpm - - source: 
http://elrepo.org/people/akemi/testing/el8/dracut/dracut-live-049-13.git20190614.p1.el8_0.elrepo.x86_64.rpm - dest: dracut-live.rpm - - source: http://elrepo.org/people/akemi/testing/el8/dracut/dracut-network-049-13.git20190614.p1.el8_0.elrepo.x86_64.rpm - dest: dracut-network.rpm - - source: http://elrepo.org/people/akemi/testing/el8/dracut/dracut-squash-049-13.git20190614.p1.el8_0.elrepo.x86_64.rpm - dest: dracut-squash.rpm - - source: http://elrepo.org/people/akemi/testing/el8/dracut/dracut-tools-049-13.git20190614.p1.el8_0.elrepo.x86_64.rpm - dest: dracut-tools.rpm - - - name: Install patched dracut toolchain - become: true - dnf: - state: latest - name: - - /tmp/dracut-patch/dracut.rpm - - /tmp/dracut-patch/dracut-caps.rpm - - /tmp/dracut-patch/dracut-config-generic.rpm - - /tmp/dracut-patch/dracut-config-rescue.rpm - - /tmp/dracut-patch/dracut-live.rpm - - /tmp/dracut-patch/dracut-network.rpm - - /tmp/dracut-patch/dracut-squash.rpm - - /tmp/dracut-patch/dracut-tools.rpm - - - name: Remove temporary download directory - file: - path: /tmp/dracut-patch - state: absent diff --git a/roles/packages/tasks/clean.yml b/roles/packages/tasks/clean.yml index c4524ed..e0a03c7 100644 --- a/roles/packages/tasks/clean.yml +++ b/roles/packages/tasks/clean.yml @@ -2,13 +2,13 @@ - name: Clean DNF cache become: true when: ansible_distribution == "Fedora" or (ansible_distribution == "CentOS" and ansible_distribution_major_version == "8") - shell: - cmd: dnf clean all + command: + cmd: /usr/bin/dnf clean all warn: false - name: Clean YUM cache become: true when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7" - shell: - cmd: yum clean all + command: + cmd: /usr/bin/yum clean all warn: false diff --git a/roles/packages/tasks/repos.yml b/roles/packages/tasks/repos.yml index a0a8bfc..213bfbe 100644 --- a/roles/packages/tasks/repos.yml +++ b/roles/packages/tasks/repos.yml 
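Review bot: Switching both tasks from `shell` to `command` with absolute paths is an improvement, but they still report changed on every run because `command` cannot tell whether the cache was already empty; `changed_when: false` on each task keeps the play summary meaningful. `warn: false` is now only there to silence the "use the dnf/yum module" hint, which is worth a one-line comment so a later cleanup does not drop it and reintroduce the warning.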
@@ -8,6 +8,14 @@ state: latest name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm + - name: Enable EPEL-Testing repository on CentOS 8s + lineinfile: + path: /etc/yum.repos.d/epel-testing.repo + regexp: "enabled=(0|1)" + line: "enabled=1" + insertbefore: "^$" + firstmatch: true + - name: Enable the power tools repository on CentOS 8 lineinfile: path: /etc/yum.repos.d/CentOS-PowerTools.repo diff --git a/roles/packages/tasks/update.yml b/roles/packages/tasks/update.yml index d09b3fd..66c1aed 100644 --- a/roles/packages/tasks/update.yml +++ b/roles/packages/tasks/update.yml @@ -1,7 +1,4 @@ --- -- import_tasks: centos-8-dracut.yml - when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8" - # Gotta hate this, but I have to hardcode the systemd exclusion on cent8 # Because I'm using "janky-systemd-networkd-2-the-jankening" (see the networkd role) # there are a pile of conflicts when you run "dnf update" with it installed. I found diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml index f0e20b5..4042d3a 100644 --- a/roles/sshd/defaults/main.yml +++ b/roles/sshd/defaults/main.yml @@ -1,2 +1,3 @@ --- omni_restart_services: false +omni_ssh_enabled: true diff --git a/roles/sshd/tasks/install.yml b/roles/sshd/tasks/install.yml new file mode 100644 index 0000000..1607095 --- /dev/null +++ b/roles/sshd/tasks/install.yml @@ -0,0 +1,14 @@ +--- +- name: Install OpenSSH server on Fedora and CentOS 8 + when: ansible_distribution == "Fedora" or (ansible_distribution == "CentOS" and ansible_distribution_major_version == "8") + become: true + dnf: + name: openssh-server + state: latest + +- name: Install OpenSSH server on CentOS 7 + when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7" + become: true + yum: + name: openssh-server + state: latest diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml index 39dfe35..06c54c3 100644 --- a/roles/sshd/tasks/main.yml 
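Review bot: The added `Enable EPEL-Testing repository on CentOS 8s` task carries no comment explaining why a testing repository is being enabled on these hosts, while the identical task in the networkd/tasks/packages.yml hunk has the bugzilla reference and notes the duplication; copy that rationale here (`# systemd-networkd is only in epel-testing so far; see https://bugzilla.redhat.com/show_bug.cgi?id=1789146`) or, better, keep a single copy in a shared task file that both roles import. The enclosing block starts before the hunk, so the conditions that gate this task are not visible here.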
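Review bot: With the dracut import removed, the comment that survives at the top of this file still justifies the systemd exclusion by pointing at `janky-systemd-networkd-2-the-jankening (see the networkd role)`, but this same commit replaces the COPR build of systemd-networkd with the epel-testing one, so the conflict the comment describes may no longer apply; either re-verify the exclusion and rewrite the comment, or at least note the new source, e.g. `# systemd-networkd now comes from epel-testing (see roles/networkd/tasks/packages.yml); re-check whether this exclusion is still needed`. The exclusion itself lies outside the hunk.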
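Review bot: Both tasks in this new file use `state: latest`, so every run of the sshd role upgrades `openssh-server` whenever a newer build is available, which on RPM systems can replace the running daemon's binaries in the middle of a configuration run; an install task should use `state: present` and leave upgrades to the packages role's update task. On a distribution matching neither `when` clause both tasks are skipped silently and the later configuration tasks presumably fail on a missing sshd; an `assert` on the supported distributions at the top of the file would make that explicit.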
+++ b/roles/sshd/tasks/main.yml @@ -1,4 +1,6 @@ --- +- import_tasks: install.yml + - name: Install SSH Banner become: true template: @@ -26,8 +28,8 @@ set: "ChallengeResponseAuthentication no" - name: Restart sshd service - when: omni_restart_services == true become: true systemd: name: sshd - state: restarted + state: "{{ 'restarted' if omni_restart_services == true else 'started' }}" + enabled: "{{ omni_ssh_enabled }}"
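Review bot: In the `Restart sshd service` task, `enabled: "{{ omni_ssh_enabled }}"` only controls boot-time enablement while `state` is still `started` or `restarted`, so setting `omni_ssh_enabled: false` leaves sshd running until the next reboot; the state should follow the same flag, e.g. `state: "{{ ('restarted' if omni_restart_services | bool else 'started') if omni_ssh_enabled | bool else 'stopped' }}"`. Dropping the `when` means the task now always runs, which the new expression needs, but it makes the name `Restart sshd service` misleading; `Manage sshd service` describes it better. The `== true` comparison is discussed on the networkd/tasks/services.yml hunk.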