Merge branch 't38273-extract-roles-reconfigurations' into 'main'

Extract roles reconfigurations | refs #38273 See merge request sys/ansible-public!62

Merge branch 't38273-extract-roles-reconfigurations' into 'main'
260eb985 · Antoine SCHILDKNECHT · b578cea5 · 192ee7a7 · 260eb985 · 260eb985
Commit 260eb985 authored 1 year ago by Antoine SCHILDKNECHT
--- a/playbooks/postgres.yml
+++ b/playbooks/postgres.yml
@@ -3,7 +3,6 @@
 - name: POSTGRESQL
  hosts: postgres
-  tags: postgres
  roles:
    - postgres
  post_tasks:

--- a/playbooks/site.yml
+++ b/playbooks/site.yml
@@ -4,54 +4,50 @@
 - name: PYTHON
  hosts: all
  gather_facts: false
  tasks:
    - name: ensure python3 is installed
      register: python_install
      changed_when: "'es_pyinstall' in python_install.stdout_lines"
      ansible.builtin.raw: command -v python3 || echo es_pyinstall && apt update && apt install -y python3-minimal python3-apt iproute2
-      tags: always
+# Should be in a installation role (see #39283)
+- name: UPDATE PACKAGES
+  hosts: base
+  gather_facts: false
+  tags: install
+  tasks:
+    - name: Update apt cache
+      apt:
+        update_cache: true
+        cache_valid_time: 86400
+      changed_when: false
 - import_playbook: base.yml
-  tags: base
 - import_playbook: firewall.yml
-  tags: firewall
 - import_playbook: "{{ 'postgres-ha' if groups['postgres']|d('') | length > 1 else 'postgres' }}.yml"
-  tags: postgres
 - import_playbook: mirismanager.yml
-  tags: manager
 - import_playbook: celerity.yml
-  tags: celerity
 - import_playbook: mediaworker.yml
-  tags: worker
 - import_playbook: mediaserver.yml
-  tags: server
 - import_playbook: live/live.yml
-  tags: live
 - import_playbook: mediacache/mediacache.yml
-  tags: mediacache
 - import_playbook: mediavault/deploy.yml
-  tags: vault
 - import_playbook: mediaimport.yml
-  tags: import
 - import_playbook: netcapture/netcapture.yml
-  tags: netcapture
 - import_playbook: monitor/all.yml
-  tags: monitor
 - import_playbook: tester.yml
-  tags: tester
 ...
--- a/playbooks/tester.yml
+++ b/playbooks/tester.yml
@@ -3,7 +3,6 @@
 - name: Install UbiCast tester
  hosts: tester
-  tags: all
  roles:
    - tester

--- a/playbooks/users.yml
+++ b/playbooks/users.yml
-#!/usr/bin/env ansible-playbook
---
- name: USERS
-  hosts: all
-  tags: all
-  roles:
-    - conf
-    - sysuser
-...
--- a/roles/base/meta/main.yml
+++ b/roles/base/meta/main.yml
 ---
 dependencies:
-  - role: conf
-  - role: init
  - role: sysconfig
  - role: sysuser
  - role: postfix

--- a/roles/celerity/README.md
+++ b/roles/celerity/README.md
@@ -9,11 +9,6 @@ The celerity group is used to configure the hosts that balance the transcoding t
 Available variables are listed below, along with the descriptions and the default values.
-`nudgis_front_system_user`: Nudgis system username for the application portal, used as a JSON key in celerity config for nudgis API usage (see also nudgis_front_api_key) (Optional)
-```
-nudgis_front_system_user: "msuser"
-```
 `nudgis_front_api_key`: Nudgis API key, used to communicate with the nudgis portal
 ```
 nudgis_front_api_key: "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"

--- a/roles/celerity/defaults/main.yml
+++ b/roles/celerity/defaults/main.yml
 ---
-celerity_signing_key: "changeit"
-celerity_server_domain: "celerity.example.com"
-nudgis_front_domain: "nudgis.example.com"
+# Nudgis API key, used to communicate with the nudgis portal
 nudgis_front_api_key: "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
-nudgis_front_system_user: "msuser"
+# Defines the default deployed Nudgis portal domain (will be the URL of the portal when adding the HTTP(S) prefix)
+nudgis_front_domain: "nudgis.example.com"
+# IP or domain on which the celerity server service can be joined
+celerity_server_domain: "celerity.example.com"
+# Secret key shared between celerity server and workers for communications (should be the same everywhere for communication)
+celerity_signing_key: "changeit"
 ...
--- a/roles/celerity/tasks/base.yml
+++ b/roles/celerity/tasks/base.yml
+---
+- import_tasks: ../../shared/tasks/firewall_rules_files.yml  # noqa: name[missing]
+...
--- a/roles/celerity/tasks/configure.yml
+++ b/roles/celerity/tasks/configure.yml
+---
+- name: CONFIGURE CELERITY
+  ansible.builtin.include_tasks: "configure/celerity-conf.yml"
+  when:
+    - nudgis_front_api_key is defined
+    - nudgis_front_domain is defined
+    - celerity_server_domain is defined
+    - celerity_signing_key is defined
+...
--- a/roles/shared/tasks/celerity_base_config.yml
+++ b/roles/shared/tasks/celerity_base_config.yml
 ---
 - name: copy celerity example configuration
-  notify: "restart {{ _celerity_service }}"
+  notify: "restart celerity-server"
  ansible.builtin.copy:
    remote_src: true
    src: /etc/celerity/config.example.py
@@ -10,7 +10,7 @@
    force: false
 - name: celerity base configuration
-  notify: "restart {{ _celerity_service }}"
+  notify: "restart celerity-server"
  ansible.builtin.replace:
    path: /etc/celerity/config.py
    regexp: '^(\s*)#?{{ item.name }}\s*=.*$'
@@ -21,7 +21,7 @@
  when: item.value != "" and item.value != '""'
 - name: celerity add nudgis portal
-  notify: "restart {{ _celerity_service }}"
+  notify: "restart celerity-server"
  ansible.builtin.command:
    cmd: >
      celerity-configurator add-portal
@@ -31,9 +31,9 @@
  register: celerity_add_portal
  changed_when: celerity_add_portal.stdout != 'The configuration file is already up to date.'
- name: "ensure {{ _celerity_service }} is running"
+- name: "ensure celerity-server is running"
  ansible.builtin.service:
-    name: "{{ _celerity_service }}"
+    name: "celerity-server"
    enabled: true
    state: started

--- a/roles/init/tasks/main.yml
+++ b/roles/init/tasks/main.yml
 ---
- name: install initial packages
+- name: celerity server install
+  notify: "reload fail2ban"
  ansible.builtin.apt:
    force_apt_get: true
    install_recommends: false
-    name: "{{ init_packages }}"
+    name: ubicast-celerity-server
  register: apt_status
  retries: 60
  until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
- name: configure proxy
-  when: proxy_when is not defined or proxy_when != "end"
-  ansible.builtin.include_role:
-    name: proxy
-    allow_duplicates: true
 ...
--- a/roles/celerity/tasks/main.yml
+++ b/roles/celerity/tasks/main.yml
 ---
- name: celerity server install
+- name: INSTALL
-  notify: "reload fail2ban"
+  ansible.builtin.include_tasks:
-  ansible.builtin.apt:
+    file: "install.yml"
-    force_apt_get: true
+    apply:
-    install_recommends: false
+      become: true
-    name: ubicast-celerity-server
+      tags:
-  register: apt_status
+        - install
-  retries: 60
+  tags:
-  until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
+    - always
- name: configure celerity
+- name: BASE CONFIGURATION
-  ansible.builtin.include_tasks: celerity_base_config.yml
+  ansible.builtin.include_tasks:
-  vars:
+    file: "base.yml"
-    _celerity_service: "celerity-server"
+    apply:
+      become: true
+      tags:
+        - base
+  tags:
+    - always
- import_tasks: ../../shared/tasks/firewall_rules_files.yml  # noqa: name[missing]
+- name: CONFIGURE
+  ansible.builtin.include_tasks:
- name: flush handlers
+    file: "configure.yml"
-  ansible.builtin.meta: flush_handlers
+    apply:
+      become: true
+      tags:
+        - configure
+  tags:
+    - always
 ...
--- a/roles/celerity/vars/main.yml
+++ b/roles/celerity/vars/main.yml
 ---
-firewall_rules_files: ['celerity']
+# Nudgis system username for the application portal, used as a JSON key in celerity config for nudgis API usage (see also nudgis_front_api_key) **shared with mediaserver and mediaworker roles**
+nudgis_front_system_user: "msuser"
+# Group firewall rules filename, see roles/shared/files/nftables/
+firewall_rules_files:
+  - celerity
 ...
--- a/roles/conf/defaults/main.yml
+++ b/roles/conf/defaults/main.yml
---
-# nothing
-...
--- a/roles/conf/vars/main.yml
+++ b/roles/conf/vars/main.yml
---
-conf_req_packages:
-  - ca-certificates
-  - openssh-client
-...
--- a/roles/fail2ban/README.md
+++ b/roles/fail2ban/README.md
 # Fail2ban
 ## Description
-Used by the "base" metagroup to provide and configure ban capabilities for various services
+The fail2ban group handles the installation and configuration of fail2ban.
 ## Role Variables
 Available variables are listed below, along with the descriptions and the default values.
-`fail2ban_ignoreip`: IP addresses exceptions (no monitored by fail2ban) (Optional)
-```
-fail2ban_ignoreip: "127.0.0.1/8 ::1"
-```
-`fail2ban_maxretry`: Number of acceptable failures before banning an IP (Optional)
-```
-fail2ban_maxretry: "5"
-```
-`fail2ban_bantime`: Duration of bans (Optional)
-```
-fail2ban_bantime: "10m"
-```
 `fail2ban_email_from`: Email sender of the fail2ban reports (Optional)
 ```
 fail2ban_email_from: "root@localhost"
@@ -31,8 +16,3 @@ fail2ban_email_from: "root@localhost"
 ```
 fail2ban_email_to: "noreply@example.com"
 ```
-`fail2ban_action`: Define the default action to do when a ban occurs ("action_mwl" to send whois and logs via email or "action_" for default) (Optional)
-```
-fail2ban_action: "action_mwl"
-```
--- a/roles/fail2ban/defaults/main.yml
+++ b/roles/fail2ban/defaults/main.yml
 ---
-fail2ban_ignoreip: "127.0.0.1/8 ::1"
-fail2ban_maxretry: "5"
+# Email sender of the fail2ban reports
-fail2ban_bantime: "10m"
 fail2ban_email_from: "root@localhost"
+# Email reciepient of the fail2ban reports
 fail2ban_email_to: "noreply@example.com"
-fail2ban_action: "action_mwl"
 ...
--- a/roles/fail2ban/tasks/base.yml
+++ b/roles/fail2ban/tasks/base.yml
+---
+- name: create fail2ban path-overrides
+  notify: restart fail2ban
+  ansible.builtin.copy:
+    dest: /etc/fail2ban/paths-overrides.local
+    mode: "644"
+    force: false
+    content: |
+      [DEFAULT]
+- name: configure sshd jail backend
+  notify: restart fail2ban
+  ansible.builtin.lineinfile:
+    path: /etc/fail2ban/paths-overrides.local
+    regexp: '^sshd_backend'
+    insertafter: '[DEFAULT]'
+    line: 'sshd_backend = systemd'
+- name: service
+  ansible.builtin.systemd:
+    name: fail2ban
+    enabled: true
+    state: started
+...
--- a/roles/fail2ban/tasks/configure.yml
+++ b/roles/fail2ban/tasks/configure.yml
+---
+- name: CONFIGURE FAIL2BAN
+  ansible.builtin.include_tasks: "configure/f2b-configure.yml"
+  when:
+    - fail2ban_email_from is defined
+    - fail2ban_email_to is defined
+...
--- a/roles/fail2ban/tasks/configure/f2b-configure.yml
+++ b/roles/fail2ban/tasks/configure/f2b-configure.yml
+---
+- name: jail defaults
+  notify: restart fail2ban
+  ansible.builtin.template:
+    src: jail.local.j2
+    dest: /etc/fail2ban/jail.local
+    mode: "644"
+...