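#
---
# Play for the RCIAM monitoring servers: base packages, the apache/php and
# rciam-probes roles, and a firewalld configuration that is wiped and rebuilt
# from the firewall_* inventory variables on every `firewall`-tagged run.
#
# Tag conventions:
#   - tasks tagged `never` run only when their other tag is requested
#     explicitly (e.g. `--tags common`, `--tags upgrade`);
#   - `firewall` tasks delete the permanent firewalld config first, so any
#     zone/service/source/interface not declared in firewall_* is dropped.
#
# Handlers are matched by exact name: the `notify:` values below must use the
# same capitalisation as the handler `name:` entries at the bottom.
- name: Deploy monitoring servers
  hosts: monservers
  vars:
    # Both values depend on gathered facts (ansible_distribution_major_version).
    extra_yum_repositories:
      - "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm"
    extra_yum_keys:
      - "/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}"
  roles:
    - { role: apache, tags: apache }
    - { role: php, tags: php }
    - { role: rciam-probes, tags: rciam-probes }
  tasks:
    - name: Ensure Repositories are installed (RedHat)
      # NOTE(review): the EPEL signing key is only imported by the next task,
      # so the release RPM fetched here is not signature-checked against it;
      # its integrity rests on the TLS connection to dl.fedoraproject.org.
      ansible.builtin.yum:
        name: "{{ item }}"
        state: present
      # default([]) keeps the loop valid when the variable is undefined: the
      # loop is expanded before `when` is evaluated per item.
      loop: "{{ extra_yum_repositories | default([]) }}"
      become: true
      when: ansible_os_family == 'RedHat' and extra_yum_repositories is defined
      tags:
        - common
        - never
    - name: Import repositories GPG key (RedHat).
      # Imports the key files shipped by the release package installed above.
      ansible.builtin.rpm_key:
        key: "{{ item }}"
        state: present
      loop: "{{ extra_yum_keys | default([]) }}"
      become: true
      when: ansible_os_family == 'RedHat' and extra_yum_keys is defined
      tags:
        - common
        - never
    - name: Upgrade all
      # Full package upgrade; only runs on an explicit `--tags upgrade`.
      ansible.builtin.yum:
        name: '*'
        state: latest # noqa package-latest
        update_cache: true
      become: true
      when: ansible_os_family == 'RedHat'
      tags:
        - never
        - upgrade
    - name: Ensure common packages are installed (RedHat)
      ansible.builtin.yum:
        name: "{{ item }}"
        state: present
        update_cache: true
      loop:
        - tree
        - wget
        - ca-certificates
        - vim-enhanced
        - yum-utils
      become: true
      when: ansible_os_family == 'RedHat'
      tags:
        - common
        - never
    - name: Configure timezone # noqa syntax-check[unknown-module]
      # `timezone` is a required inventory variable (no default is set here).
      community.general.timezone:
        name: "{{ timezone }}"
      become: true
      notify: Restart crond
      tags:
        - common
        - never
    - name: Register private connection uuid (RedHat)
      # argv form passes each interface name as a single argument instead of
      # letting the command module whitespace-split an interpolated string.
      ansible.builtin.command:
        argv:
          - nmcli
          - -g
          - GENERAL.CON-UUID
          - d
          - show
          - "{{ item }}"
      loop: "{{ firewall_private_interfaces | default([]) }}"
      register: firewall_private_uuids
      when: ansible_os_family == 'RedHat'
      changed_when: false
      tags: firewall
    - name: Set zone internal to connections on network managed private interfaces (RedHat)
      ansible.builtin.command:
        argv:
          - nmcli
          - connection
          - modify
          - "{{ item.stdout }}"
          - connection.zone
          - internal
      loop: "{{ firewall_private_uuids.results | default([]) }}"
      changed_when: false
      become: true
      # Skip entries with no UUID (skipped items, or an interface for which
      # nmcli printed nothing) rather than running `nmcli connection modify ''`.
      when: ansible_os_family == 'RedHat' and (item.stdout | default('')) | length > 0
      tags: firewall
    - name: Clear firewall state (RedHat)
      # Removes the whole permanent configuration; everything that should
      # survive must be re-declared through the firewall_* variables below.
      ansible.builtin.file:
        path: "{{ item }}"
        state: absent
      loop:
        - /etc/firewalld/services
        - /etc/firewalld/zones
        - /etc/firewalld/helpers
        - /etc/firewalld/icmptypes
        - /etc/firewalld/ipsets
        - /etc/firewalld/direct.xml
      become: true
      tags: firewall
      when: ansible_os_family == 'RedHat'
      notify: Restart firewall
    - name: Add default services to public zone (RedHat)
      # After the wipe, the public zone only allows these two services; any
      # other exposure must come from firewall_services_zones.
      ansible.posix.firewalld:
        zone: public
        service: "{{ item }}"
        permanent: true
        state: enabled
      loop:
        - ssh
        - dhcpv6-client
      become: true
      tags: firewall
      when: ansible_os_family == 'RedHat'
      notify: Restart firewall
    - name: Flush handlers
      # Restart firewalld now so the cleared config is active before new
      # zones/services are created. Tagged `firewall` so a tag-filtered run
      # cannot skip it on Ansible versions that apply tags to meta tasks.
      ansible.builtin.meta: flush_handlers
      when: ansible_os_family == 'RedHat'
      tags: firewall
    - name: Create firewall new zones (RedHat)
      ansible.builtin.command:
        argv:
          - firewall-cmd
          - --permanent
          - "--new-zone={{ item }}"
      loop: "{{ firewall_zones | default([]) }}"
      register: firewall_new_zone
      become: true
      notify: Restart firewall
      tags: firewall
      when: ansible_os_family == 'RedHat'
      # Tolerate only an already-existing zone (NAME_CONFLICT); any other error
      # (bad name, daemon down) fails the play instead of being swallowed.
      failed_when: firewall_new_zone.rc != 0 and 'NAME_CONFLICT' not in (firewall_new_zone.stderr | default(''))
      # A successful creation is a real change and must trigger the restart.
      changed_when: firewall_new_zone.rc == 0
    - name: Create firewall new services (RedHat)
      ansible.builtin.command:
        argv:
          - firewall-cmd
          - --permanent
          - "--new-service={{ item.name }}"
      loop: "{{ firewall_services | default([]) }}"
      register: firewall_new_service
      become: true
      notify: Restart firewall
      tags: firewall
      when: ansible_os_family == 'RedHat'
      failed_when: firewall_new_service.rc != 0 and 'NAME_CONFLICT' not in (firewall_new_service.stderr | default(''))
      changed_when: firewall_new_service.rc == 0
    - name: Add port to services (RedHat)
      ansible.builtin.command:
        argv:
          - firewall-cmd
          - --permanent
          - "--service={{ item.name }}"
          - "--add-port={{ item.port }}"
      loop: "{{ firewall_services | default([]) }}"
      register: firewall_service_port
      become: true
      notify: Restart firewall
      tags: firewall
      when: ansible_os_family == 'RedHat'
      # A port already on the service is reported as ALREADY_ENABLED; anything
      # else (e.g. a malformed port spec) is a real failure that would
      # otherwise leave the service opening nothing.
      failed_when: firewall_service_port.rc != 0 and 'ALREADY_ENABLED' not in ((firewall_service_port.stderr | default('')) ~ (firewall_service_port.stdout | default('')))
      changed_when: firewall_service_port.rc == 0 and 'ALREADY_ENABLED' not in ((firewall_service_port.stderr | default('')) ~ (firewall_service_port.stdout | default('')))
    - name: Firewall add services to zones (RedHat)
      ansible.posix.firewalld:
        zone: "{{ item.zone }}"
        service: "{{ item.service }}"
        permanent: true
        state: enabled
      loop: "{{ firewall_services_zones | default([]) }}"
      become: true
      tags: firewall
      when: ansible_os_family == 'RedHat'
      notify: Restart firewall
    - name: Add sources to zones (RedHat)
      ansible.posix.firewalld:
        zone: "{{ item.zone }}"
        source: "{{ item.source }}"
        permanent: true
        state: enabled
      loop: "{{ firewall_sources | default([]) }}"
      become: true
      tags: firewall
      when: ansible_os_family == 'RedHat'
      notify: Restart firewall
    - name: Add interfaces to zones (RedHat)
      ansible.posix.firewalld:
        zone: "{{ item.zone }}"
        interface: "{{ item.interface }}"
        permanent: true
        state: enabled
      loop: "{{ firewall_interfaces | default([]) }}"
      become: true
      tags: firewall
      when: ansible_os_family == 'RedHat'
      notify: Restart firewall
  handlers:
    # Not notified by any task above; kept for callers that notify it by name.
    - name: Reload firewall
      ansible.builtin.command: "firewall-cmd --reload"
      changed_when: false
    - name: Restart firewall
      ansible.builtin.service:
        name: firewalld
        state: restarted
      become: true
    - name: Restart crond
      ansible.builtin.service:
        name: crond
        state: restarted
      become: true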