diff --git a/molecule/account/molecule.yml b/molecule/account/molecule.yml index 3b262340..9d3c118e 100644 --- a/molecule/account/molecule.yml +++ b/molecule/account/molecule.yml @@ -1,12 +1,6 @@ --- -dependency: - name: galaxy - options: - ignore-certs: True - ignore-errors: True - requirements-file: molecule/default/requirements.yml driver: - name: podman + name: docker platforms: - name: instance image: registry.access.redhat.com/ubi8/ubi-init:latest @@ -17,18 +11,25 @@ platforms: - sudo provisioner: name: ansible + config_options: + defaults: + interpreter_python: auto_silent + ssh_connection: + pipelining: false playbooks: + prepare: prepare.yml converge: converge.yml verify: verify.yml env: + ANSIBLE_FORCE_COLOR: "true" ANSIBLE_ROLES_PATH: "../../roles" verifier: name: ansible scenario: test_sequence: - - dependency - cleanup - destroy + - syntax - create - prepare - converge diff --git a/molecule/account/verify.yml b/molecule/account/verify.yml index fb54c919..d51c2b6e 100644 --- a/molecule/account/verify.yml +++ b/molecule/account/verify.yml @@ -1,6 +1,7 @@ --- - name: Verify for account role hosts: all + become: yes vars_files: - vars.yml gather_facts: false diff --git a/molecule/aphrodite/converge.yml b/molecule/aphrodite/converge.yml index f5959227..9438fac5 100644 --- a/molecule/aphrodite/converge.yml +++ b/molecule/aphrodite/converge.yml @@ -1,6 +1,7 @@ --- - name: Converge hosts: all + become: yes vars_files: - vars.yml diff --git a/molecule/aphrodite/prepare.yml b/molecule/aphrodite/prepare.yml index 358e1b0b..cbc0e834 100644 --- a/molecule/aphrodite/prepare.yml +++ b/molecule/aphrodite/prepare.yml 
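Review bot: `prepare: prepare.yml` points molecule at a scenario-local `molecule/account/prepare.yml` that is not part of this diff, and the same holds for the identical addition in `molecule/fast_yum_install/molecule.yml` and the `../prepare.yml` → `prepare.yml` switch in `molecule/bashrc/molecule.yml`; if those files are not added elsewhere in the change, the `prepare` step in the new `test_sequence` has no playbook to run. The shared `molecule/prepare.yml` that the scenarios used to reference receives only a whitespace change in this commit, so confirm it is either still referenced somewhere or removed. `interpreter_python: auto_silent` suppresses interpreter-discovery warnings rather than fixing them; a short comment such as `# silence discovery warnings from the ubi8 image` would tell the next reader the silence is deliberate.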
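Review bot: `become: yes` on the `Verify for account role` play uses the YAML 1.1 truthy spelling; `become: true` is the canonical boolean and the form yamllint's truthy rule and ansible-lint accept without warnings, and the same applies to every `become: yes`, `gather_facts: yes`, `remote_src: yes` and `enabled: yes` line this commit adds or re-indents across the molecule scenarios and roles, so one sweep is cheaper than per-file fixes. Separately, escalating the whole verify play means every check runs as root; if the verify tasks (outside this hunk) only read files and state, keeping `become` on the individual tasks that need it avoids a test that passes even when the role leaves a file unreadable to its intended user.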
@@ -1,14 +1,27 @@ --- - name: Prepare hosts: all + gather_facts: yes vars_files: - vars.yml tasks: + + - name: Display Ansible version + ansible.builtin.debug: + msg: "Ansible version is {{ ansible_version.full }}" + + - name: "Install sudo if user is root" + ansible.builtin.yum: + name: sudo + state: present + when: + - ansible_user_id == "root" - name: Add the user jenkins ansible.builtin.user: name: jenkins - name: Creates directory + become: yes ansible.builtin.file: path: /opt/tools state: directory @@ -17,6 +30,7 @@ mode: 0644 - name: "Deploy aphrodite configuration to {{ aphrodite.path }}" + become: yes ansible.builtin.template: src: "../../roles/aphrodite/templates/aphrodite.json.j2" dest: "{{ aphrodite.path }}" diff --git a/molecule/aphrodite/verify.yml b/molecule/aphrodite/verify.yml index 8c4a3f97..2d9e4a61 100644 --- a/molecule/aphrodite/verify.yml +++ b/molecule/aphrodite/verify.yml @@ -1,6 +1,7 @@ --- - name: Verify for aphrodite role hosts: all + become: yes vars_files: - vars.yml gather_facts: false diff --git a/molecule/bashrc/molecule.yml b/molecule/bashrc/molecule.yml index 68995115..e7f9bb85 100644 --- a/molecule/bashrc/molecule.yml +++ b/molecule/bashrc/molecule.yml @@ -20,7 +20,7 @@ provisioner: playbooks: converge: converge.yml verify: verify.yml - prepare: ../prepare.yml + prepare: prepare.yml env: ANSIBLE_ROLES_PATH: "../../roles" verifier: diff --git a/molecule/cron/molecule.yml b/molecule/cron/molecule.yml index e7f9bb85..bd24f45f 100644 --- a/molecule/cron/molecule.yml +++ b/molecule/cron/molecule.yml @@ -1,12 +1,6 @@ --- -dependency: - name: galaxy - options: - ignore-certs: True - ignore-errors: True - requirements-file: molecule/default/requirements.yml driver: - name: podman + name: docker platforms: - name: instance image: registry.access.redhat.com/ubi8/ubi-init:latest 
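Review bot: `Add the user jenkins` is left without `become: yes` while the neighbouring `Creates directory` task gets it, so if the play ever runs as a non-root user — presumably the situation the added `become` directives are there for — `ansible.builtin.user` fails before the directory task is reached; this commit adds `become: yes` to the same task in `molecule/git/prepare.yml`, and `molecule/netrc/prepare.yml` has the same omission. Add `become: yes` directly under `- name: Add the user jenkins`. The `when: ansible_user_id == "root"` guard on `Install sudo if user is root` relies on the `gather_facts: yes` this hunk sets, which is correct; the `Creates directory` task continues into the next hunk.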
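Review bot: `mode: 0644` is applied to `/opt/tools`, which the preceding hunk creates with `state: directory`; without the execute bit non-root users cannot enter the directory at all, and the new `become: yes` on `Deploy aphrodite configuration` now hides that from the test run. The same directory-with-`0644` pattern is in `molecule/git/prepare.yml` (`/home/jenkins`, owned by jenkins, who then cannot enter its own home) and `molecule/netrc/prepare.yml`. Use a directory mode such as `mode: "0755"`, quoted so the leading-zero octal is not reinterpreted by the YAML parser.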
@@ -17,6 +11,11 @@ platforms: - sudo provisioner: name: ansible + config_options: + defaults: + interpreter_python: auto_silent + ssh_connection: + pipelining: false playbooks: converge: converge.yml verify: verify.yml @@ -27,9 +26,9 @@ verifier: name: ansible scenario: test_sequence: - - dependency - cleanup - destroy + - syntax - create - prepare - converge diff --git a/molecule/cron/prepare.yml b/molecule/cron/prepare.yml index a6d7aad8..fbafd3cc 100644 --- a/molecule/cron/prepare.yml +++ b/molecule/cron/prepare.yml @@ -1,13 +1,27 @@ --- - name: Prepare hosts: all + gather_facts: yes vars_files: - vars.yml tasks: + + - name: Display Ansible version + ansible.builtin.debug: + msg: "Ansible version is {{ ansible_version.full }}" + + - name: "Install sudo if user is root" + ansible.builtin.yum: + name: sudo + state: present + when: + - ansible_user_id == "root" + - name: Creates directory + become: yes ansible.builtin.file: path: /opt/tools state: directory owner: root group: root - mode: 0745 \ No newline at end of file + mode: 0745 diff --git a/molecule/fast_yum_install/converge.yml b/molecule/fast_yum_install/converge.yml index 5528b223..fbc4e1bc 100644 --- a/molecule/fast_yum_install/converge.yml +++ b/molecule/fast_yum_install/converge.yml @@ -1,6 +1,7 @@ --- - name: Converge hosts: all + become: yes vars_files: - vars.yml tasks: diff --git a/molecule/fast_yum_install/molecule.yml b/molecule/fast_yum_install/molecule.yml index 3b262340..2b1a1b15 100644 --- a/molecule/fast_yum_install/molecule.yml +++ b/molecule/fast_yum_install/molecule.yml @@ -18,6 +18,7 @@ platforms: provisioner: name: ansible playbooks: + prepare: prepare.yml converge: converge.yml verify: verify.yml env: diff --git a/molecule/git/prepare.yml b/molecule/git/prepare.yml index 495a00e2..9ef50b3c 100644 --- a/molecule/git/prepare.yml +++ b/molecule/git/prepare.yml 
@@ -1,16 +1,32 @@ --- - name: Prepare hosts: all + gather_facts: yes vars_files: - vars.yml tasks: + + - name: Display Ansible version + ansible.builtin.debug: + msg: "Ansible version is {{ ansible_version.full }}" + + - name: "Install sudo if user is root" + ansible.builtin.yum: + name: sudo + state: present + when: + - ansible_user_id == "root" + - name: Add the user jenkins + become: yes ansible.builtin.user: name: jenkins + - name: Creates directory + become: yes ansible.builtin.file: path: /home/jenkins state: directory owner: jenkins group: jenkins - mode: 0644 \ No newline at end of file + mode: 0644 diff --git a/molecule/hosts/converge.yml b/molecule/hosts/converge.yml index 717ea1a1..238187e0 100644 --- a/molecule/hosts/converge.yml +++ b/molecule/hosts/converge.yml @@ -1,6 +1,7 @@ --- - name: Converge hosts: all + become: yes vars_files: - vars.yml tasks: diff --git a/molecule/hosts/prepare.yml b/molecule/hosts/prepare.yml index f78fae88..938ec0b6 100644 --- a/molecule/hosts/prepare.yml +++ b/molecule/hosts/prepare.yml @@ -1,20 +1,34 @@ --- - name: Prepare hosts: all + gather_facts: yes vars_files: - vars.yml tasks: + - name: Display Ansible version + ansible.builtin.debug: + msg: "Ansible version is {{ ansible_version.full }}" + + - name: "Install sudo if user is root" + ansible.builtin.yum: + name: sudo + state: present + when: + - ansible_user_id == "root" + - name: "Include fast_yum_install" ansible.builtin.include_role: name: "fast_yum_install" - name: Creates /etc/fake_hosts directory + become: yes ansible.builtin.file: path: /etc/fake_hosts state: touch mode: 0644 - name: Creates /etc/real_hosts directory + become: yes ansible.builtin.file: path: /etc/real_hosts state: touch diff --git a/molecule/hosts/verify.yml b/molecule/hosts/verify.yml index a6b5ccf8..b8a467a1 100644 --- a/molecule/hosts/verify.yml +++ b/molecule/hosts/verify.yml 
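Review bot: The task names `Creates /etc/fake_hosts directory` and `Creates /etc/real_hosts directory` do not match what the tasks do: `state: touch` creates (or re-stamps) an empty regular file, so both paths end up as files, not directories. Rename them to `Creates /etc/fake_hosts file` (and likewise for real_hosts), or switch to `state: directory` if the hosts role really expects directories — which of the two is intended is not visible from this hunk. `state: touch` also reports `changed` on every run; acceptable for a prepare playbook, but worth a `# touch is always changed` comment so nobody tries to "fix" it later. The `Creates /etc/real_hosts` task continues past the end of the hunk.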
@@ -1,6 +1,7 @@ --- - name: Verify for hosts role hosts: all + become: yes vars_files: - vars.yml gather_facts: false diff --git a/molecule/java/molecule.yml b/molecule/java/molecule.yml index 68995115..e7f9bb85 100644 --- a/molecule/java/molecule.yml +++ b/molecule/java/molecule.yml @@ -20,7 +20,7 @@ provisioner: playbooks: converge: converge.yml verify: verify.yml - prepare: ../prepare.yml + prepare: prepare.yml env: ANSIBLE_ROLES_PATH: "../../roles" verifier: diff --git a/molecule/java/prepare.yml b/molecule/java/prepare.yml index 59dc62dc..97188bc5 100644 --- a/molecule/java/prepare.yml +++ b/molecule/java/prepare.yml @@ -1,9 +1,21 @@ --- - name: Prepare hosts: all + gather_facts: yes vars_files: - vars.yml tasks: + - name: Display Ansible version + ansible.builtin.debug: + msg: "Ansible version is {{ ansible_version.full }}" + + - name: "Install sudo if user is root" + ansible.builtin.yum: + name: sudo + state: present + when: + - ansible_user_id == "root" + - ansible.builtin.assert: that: - jdk_list is defined diff --git a/molecule/kdump/converge.yml b/molecule/kdump/converge.yml index b5a8956d..be89b97f 100644 --- a/molecule/kdump/converge.yml +++ b/molecule/kdump/converge.yml @@ -1,6 +1,7 @@ --- - name: Converge hosts: all + become: yes vars_files: - vars.yml tasks: diff --git a/molecule/kdump/verify.yml b/molecule/kdump/verify.yml index f0c6e013..b2a7e9ca 100644 --- a/molecule/kdump/verify.yml +++ b/molecule/kdump/verify.yml @@ -1,6 +1,7 @@ --- - name: Verify for kdump role hosts: all + become: yes vars_files: - vars.yml gather_facts: false diff --git a/molecule/motd/molecule.yml b/molecule/motd/molecule.yml index 68995115..e7f9bb85 100644 --- a/molecule/motd/molecule.yml +++ b/molecule/motd/molecule.yml @@ -20,7 +20,7 @@ provisioner: playbooks: converge: converge.yml verify: verify.yml - prepare: ../prepare.yml + prepare: prepare.yml env: ANSIBLE_ROLES_PATH: "../../roles" verifier: 
diff --git a/molecule/motd/prepare.yml b/molecule/motd/prepare.yml index 9ee714cb..f7a34b82 100644 --- a/molecule/motd/prepare.yml +++ b/molecule/motd/prepare.yml @@ -1,9 +1,22 @@ --- - name: Prepare hosts: all + gather_facts: yes vars_files: - vars.yml tasks: + + - name: Display Ansible version + ansible.builtin.debug: + msg: "Ansible version is {{ ansible_version.full }}" + + - name: "Install sudo if user is root" + ansible.builtin.yum: + name: sudo + state: present + when: + - ansible_user_id == "root" + - ansible.builtin.assert: that: - motd_path is defined diff --git a/molecule/motd/verify.yml b/molecule/motd/verify.yml index 77f84296..81d64502 100644 --- a/molecule/motd/verify.yml +++ b/molecule/motd/verify.yml @@ -3,10 +3,10 @@ hosts: all vars_files: - vars.yml - gather_facts: false - + gather_facts: yes tasks: - name: Add a duplicate motd + become: yes ansible.builtin.copy: src: "../../roles/motd/files/motd.standard" dest: /etc/duplicateMotd diff --git a/molecule/netrc/converge.yml b/molecule/netrc/converge.yml index 38aa857c..487c27cd 100644 --- a/molecule/netrc/converge.yml +++ b/molecule/netrc/converge.yml @@ -1,6 +1,7 @@ --- - name: Converge hosts: all + become: yes vars_files: - vars.yml tasks: diff --git a/molecule/netrc/prepare.yml b/molecule/netrc/prepare.yml index 495a00e2..5b558c17 100644 --- a/molecule/netrc/prepare.yml +++ b/molecule/netrc/prepare.yml @@ -1,9 +1,21 @@ --- - name: Prepare hosts: all + gather_facts: yes vars_files: - vars.yml tasks: + - name: Display Ansible version + ansible.builtin.debug: + msg: "Ansible version is {{ ansible_version.full }}" + + - name: "Install sudo if user is root" + ansible.builtin.yum: + name: sudo + state: present + when: + - ansible_user_id == "root" + - name: Add the user jenkins ansible.builtin.user: name: jenkins @@ -13,4 +25,4 @@ state: directory owner: jenkins group: jenkins - mode: 0644 \ No newline at end of file + mode: 0644 
diff --git a/molecule/netrc/verify.yml b/molecule/netrc/verify.yml index 1da71070..e4c18fa4 100644 --- a/molecule/netrc/verify.yml +++ b/molecule/netrc/verify.yml @@ -1,6 +1,7 @@ --- - name: Verify for netrc role hosts: all + become: yes vars_files: - vars.yml gather_facts: false diff --git a/molecule/prepare.yml b/molecule/prepare.yml index 79270639..68a403bd 100644 --- a/molecule/prepare.yml +++ b/molecule/prepare.yml @@ -5,4 +5,4 @@ - name: Display Ansible version ansible.builtin.debug: - msg: "Ansible version is {{ ansible_version.full }}" + msg: "Ansible version is {{ ansible_version.full }}" diff --git a/molecule/qualys_fix/converge.yml b/molecule/qualys_fix/converge.yml index 6b65155e..f1cb3e55 100644 --- a/molecule/qualys_fix/converge.yml +++ b/molecule/qualys_fix/converge.yml @@ -1,5 +1,6 @@ --- - name: Converge + become: yes hosts: all tasks: diff --git a/molecule/qualys_fix/molecule.yml b/molecule/qualys_fix/molecule.yml index 3b262340..2b1a1b15 100644 --- a/molecule/qualys_fix/molecule.yml +++ b/molecule/qualys_fix/molecule.yml @@ -18,6 +18,7 @@ platforms: provisioner: name: ansible playbooks: + prepare: prepare.yml converge: converge.yml verify: verify.yml env: diff --git a/molecule/qualys_fix/prepare.yml b/molecule/qualys_fix/prepare.yml index b7d32566..44d2cabb 100644 --- a/molecule/qualys_fix/prepare.yml +++ b/molecule/qualys_fix/prepare.yml @@ -1,10 +1,21 @@ --- - name: Prepare hosts: all - + gather_facts: yes tasks: + - name: Display Ansible version + ansible.builtin.debug: + msg: "Ansible version is {{ ansible_version.full }}" + + - name: "Install sudo if user is root" + ansible.builtin.yum: + name: sudo + state: present + when: + - ansible_user_id == "root" + - name: Creates directory ansible.builtin.file: path: /root/.ansible/roles/infosec.qualys-cloud-agent/tasks/ state: directory - mode: 0644 \ No newline at end of file + mode: 0644 diff --git a/molecule/vault/converge.yml b/molecule/vault/converge.yml index 9a443a68..ee6de08b 100644 
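Review bot: `Creates directory` in `molecule/qualys_fix/prepare.yml` writes under `/root/.ansible/roles/infosec.qualys-cloud-agent/tasks/` but, unlike the equivalent directory tasks in the other prepare playbooks of this commit, gets no `become: yes`, so it fails with a permission error whenever the play is not already running as root. It also sets `mode: 0644` on a directory, which strips the execute bit; add `become: yes` under the task name and use `mode: "0755"` (quoted, so the leading-zero octal is not reinterpreted).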
--- a/molecule/vault/converge.yml +++ b/molecule/vault/converge.yml @@ -1,6 +1,7 @@ --- - name: Converge hosts: all + become: yes vars_files: - vars.yml tasks: diff --git a/molecule/vault/prepare.yml b/molecule/vault/prepare.yml index 15c0e42f..7effc83e 100644 --- a/molecule/vault/prepare.yml +++ b/molecule/vault/prepare.yml @@ -1,18 +1,22 @@ --- - name: Prepare hosts: all + gather_facts: yes vars_files: - vars.yml environment: - VAULT_ADDR: "{{ ansible_hashi_vault_addr }}" tasks: - - name: "Import Vault repo for installation" - ansible.builtin.yum_repository: - name: 'vault' - description: 'The vault repository' - file: external_repos - baseurl: https://rpm.releases.hashicorp.com/RHEL/$releasever/$basearch/stable - gpgcheck: no + - name: Display Ansible version + ansible.builtin.debug: + msg: "Ansible version is {{ ansible_version.full }}" + + - name: "Install sudo if user is root" + ansible.builtin.yum: + name: sudo + state: present + when: + - ansible_user_id == "root" - name: "Install Vault and pip" ansible.builtin.package: diff --git a/molecule/vault/verify.yml b/molecule/vault/verify.yml index 013863c1..1bddf8b6 100644 --- a/molecule/vault/verify.yml +++ b/molecule/vault/verify.yml @@ -1,6 +1,7 @@ --- - name: Verify for vault role hosts: all + become: yes vars_files: - vars.yml gather_facts: false diff --git a/roles/account/tasks/main.yml b/roles/account/tasks/main.yml index 6f38a957..38ed89c9 100644 --- a/roles/account/tasks/main.yml +++ b/roles/account/tasks/main.yml 
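Review bot: In `molecule/vault/prepare.yml` the `environment:` key is kept as context while its only entry `VAULT_ADDR` is removed, leaving a bare `environment:` that parses as null on the new side; drop the key entirely (or restore a mapping), since a null there is at best misleading and whether Ansible tolerates it is not something this hunk settles. Removing the `Import Vault repo for installation` task, which carried `gpgcheck: no`, is welcome, but the following `Install Vault and pip` task — it continues past the hunk — now has no visible source for the `vault` package; if the HashiCorp repository is configured elsewhere, a one-line comment pointing to it would help, and it should keep GPG checking enabled with the vendor key rather than re-introducing `gpgcheck: no`.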
@@ -12,27 +12,30 @@ - account.home != "" quiet: true -- name: "Ensure group {{ account.group }} exists." - ansible.builtin.group: - name: "{{ account.group }}" - gid: "{{ account.gid }}" - state: present +- name: "Escalate privilege" + become: yes + block: + - name: "Ensure group {{ account.group }} exists." + ansible.builtin.group: + name: "{{ account.group }}" + gid: "{{ account.gid }}" + state: present -- name: "Ensure user {{ account.username }} with UID {{ account.uid }} exists." - ansible.builtin.user: - name: "{{ account.username }}" - uid: "{{ account.uid }}" - group: "{{ account.group }}" + - name: "Ensure user {{ account.username }} with UID {{ account.uid }} exists." + ansible.builtin.user: + name: "{{ account.username }}" + uid: "{{ account.uid }}" + group: "{{ account.group }}" -- name: "Ensure path provided for home is valid: {{ account.home }}" - ansible.builtin.stat: - path: "{{ account.home }}" - register: account_home + - name: "Ensure path provided for home is valid: {{ account.home }}" + ansible.builtin.stat: + path: "{{ account.home }}" + register: account_home -- name: "Ensure home directory {{ account.home }} exists." - ansible.builtin.file: - state: directory - path: "{{ account.home }}" - owner: "{{ account.username }}" - group: "{{ account.group }}" - when: account_home.stat is defined + - name: "Ensure home directory {{ account.home }} exists." + ansible.builtin.file: + state: directory + path: "{{ account.home }}" + owner: "{{ account.username }}" + group: "{{ account.group }}" + when: account_home.stat is defined diff --git a/roles/aphrodite/tasks/main.yml b/roles/aphrodite/tasks/main.yml index 63f4944b..44b2d70e 100644 --- a/roles/aphrodite/tasks/main.yml +++ b/roles/aphrodite/tasks/main.yml @@ -8,6 +8,7 @@ quiet: true - name: "Deploy aphrodite configuration to {{ aphrodite.path }}" + become: yes ansible.builtin.template: src: "{{ aphrodite.template }}" dest: "{{ aphrodite.path }}" 
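Review bot: `when: account_home.stat is defined` on `Ensure home directory {{ account.home }} exists.` is always true after an `ansible.builtin.stat` call (the module returns a `stat` dictionary whether or not the path exists), so the guard is a no-op and the task named `Ensure path provided for home is valid` does not actually validate anything; either drop the condition or test a meaningful property such as `account_home.stat.isdir | default(false)` with an explicit failure for the invalid case. The home directory is created with `owner`/`group` but no `mode`, so now that the block runs as root it inherits root's umask; an explicit `mode: "0750"` (or whatever the role intends) makes the permissions deterministic. Note also that `ansible.builtin.user` creates a default home on its own, which may differ from `account.home` if `home:` is not passed. The `quiet: true` assert above the block starts outside this hunk.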
diff --git a/roles/bashrc/tasks/main.yml b/roles/bashrc/tasks/main.yml index 02226cc8..6aa509ad 100644 --- a/roles/bashrc/tasks/main.yml +++ b/roles/bashrc/tasks/main.yml @@ -1,5 +1,6 @@ --- - name: Check bashrc configuration + become: yes ansible.builtin.template: src: templates/bashrc.j2 dest: /etc/bashrc diff --git a/roles/cci_worker/tasks/main.yml b/roles/cci_worker/tasks/main.yml index f77a976b..2607b329 100644 --- a/roles/cci_worker/tasks/main.yml +++ b/roles/cci_worker/tasks/main.yml 
@@ -9,116 +9,119 @@ - cci_worker.account.home is defined quiet: true -- name: "Creating {{ cci_worker.account.username }} user." - ansible.builtin.user: - name: "{{ cci_worker.account.username }}" - state: present - password: "{{ cci_worker.account.password | password_hash('sha512', 'A512') }}" - shell: /bin/bash - -- name: "Ensure path provided for home is valid" - ansible.builtin.stat: - path: "{{ cci_worker.account.home }}" - register: account_home - -- name: "Ensure home directory {{ cci_worker.account.home }} exists." - ansible.builtin.file: - state: directory - path: "{{ cci_worker.account.home }}" - owner: "{{ cci_worker.account.username }}" - when: account_home.stat is defined - -- name: "Ensure ssh directory for {{ cci_worker.account.username }} exists" - ansible.builtin.file: - state: directory - path: "{{ cci_worker.account.home }}/.ssh" - owner: "{{ cci_worker.account.username }}" - -- name: "Deploy authorized key" - ansible.posix.authorized_key: - user: "{{ cci_worker.account.username }}" - state: present - key: "{{ files }}" - with_file: - - "{{ cci_worker.pubkey_file }}" - loop_control: - loop_var: files - -- name: "Deploy fix_multicast script" - ansible.builtin.copy: - src: "files/setup_multicast.sh" - dest: "/usr/local/sbin/setup_multicast.sh" - owner: "root" - group: "root" - mode: "0755" - -- name: "Create boot-time service to fix multicast" - ansible.builtin.copy: - src: "files/setup_multicast.service" - dest: "/etc/systemd/system/setup_multicast.service" - owner: "root" - group: "root" - mode: "0644" - -- name: "Ensures setup_multicast service is running" - ansible.builtin.service: - name: "setup_multicast.service" - state: started - enabled: yes - -- name: Set environment variables +- name: "Privilege escalation" become: yes - become_user: "{{ cci_worker_username }}" - ansible.builtin.template: - src: templates/bashrc_template.j2 - dest: "/home/{{ cci_worker_username }}/.bashrc" - mode: "0644" - owner: "{{ cci_worker_username }}" - -- name: 
"Enable Linger for {{ cci_worker_username }}" - become: yes - become_user: "{{ cci_worker_username }}" - ansible.builtin.shell: loginctl enable-linger {{ cci_worker_username }} - -- name: Enable podman - become: yes - become_user: "{{ cci_worker_username }}" - ansible.builtin.systemd: - name: "podman.socket" - state: started - scope: user - enabled: true - -- name: "Configure testcontainers" - ansible.builtin.copy: - src: files/testcontainers.properties - dest: "/home/{{ cci_worker_username }}/.testcontainers.properties" - mode: "0644" - owner: "{{ cci_worker_username }}" - group: "{{ cci_worker_username }}" - -- name: "Configure Maven settings.xml" - ansible.builtin.template: - src: templates/settings.xml.j2 - dest: "/home/{{ cci_worker_username }}/.m2/settings.xml" - mode: "0644" - owner: "{{ cci_worker_username }}" - group: "{{ cci_worker_username }}" - -- name: Ensure CA certificates directory exists - ansible.builtin.file: - path: "{{ ca_certs_path }}" - state: directory - -- name: Download RedHat CA certificates - ansible.builtin.get_url: - url: "{{ cert.url }}" - dest: "{{ ca_certs_path}}/{{ cert.alias }}" - with_items: "{{ root_ca_certs }}" - loop_control: - loop_var: cert - register: cert_results - -- name: Update CA trust - ansible.builtin.command: update-ca-trust - changed_when: cert_results.changed \ No newline at end of file + block: + - name: "Creating {{ cci_worker.account.username }} user." + ansible.builtin.user: + name: "{{ cci_worker.account.username }}" + state: present + password: "{{ cci_worker.account.password | password_hash('sha512', 'A512') }}" + shell: /bin/bash + + - name: "Ensure path provided for home is valid" + ansible.builtin.stat: + path: "{{ cci_worker.account.home }}" + register: account_home + + - name: "Ensure home directory {{ cci_worker.account.home }} exists." 
+ ansible.builtin.file: + state: directory + path: "{{ cci_worker.account.home }}" + owner: "{{ cci_worker.account.username }}" + when: account_home.stat is defined + + - name: "Ensure ssh directory for {{ cci_worker.account.username }} exists" + ansible.builtin.file: + state: directory + path: "{{ cci_worker.account.home }}/.ssh" + owner: "{{ cci_worker.account.username }}" + + - name: "Deploy authorized key" + ansible.posix.authorized_key: + user: "{{ cci_worker.account.username }}" + state: present + key: "{{ files }}" + with_file: + - "{{ cci_worker.pubkey_file }}" + loop_control: + loop_var: files + + - name: "Deploy fix_multicast script" + ansible.builtin.copy: + src: "files/setup_multicast.sh" + dest: "/usr/local/sbin/setup_multicast.sh" + owner: "root" + group: "root" + mode: "0755" + + - name: "Create boot-time service to fix multicast" + ansible.builtin.copy: + src: "files/setup_multicast.service" + dest: "/etc/systemd/system/setup_multicast.service" + owner: "root" + group: "root" + mode: "0644" + + - name: "Ensures setup_multicast service is running" + ansible.builtin.service: + name: "setup_multicast.service" + state: started + enabled: yes + + - name: Set environment variables + become: yes + become_user: "{{ cci_worker_username }}" + ansible.builtin.template: + src: templates/bashrc_template.j2 + dest: "/home/{{ cci_worker_username }}/.bashrc" + mode: "0644" + owner: "{{ cci_worker_username }}" + + - name: "Enable Linger for {{ cci_worker_username }}" + become: yes + become_user: "{{ cci_worker_username }}" + ansible.builtin.shell: loginctl enable-linger {{ cci_worker_username }} + + - name: Enable podman + become: yes + become_user: "{{ cci_worker_username }}" + ansible.builtin.systemd: + name: "podman.socket" + state: started + scope: user + enabled: true + + - name: "Configure testcontainers" + ansible.builtin.copy: + src: files/testcontainers.properties + dest: "/home/{{ cci_worker_username }}/.testcontainers.properties" + mode: "0644" + owner: 
"{{ cci_worker_username }}" + group: "{{ cci_worker_username }}" + + - name: "Configure Maven settings.xml" + ansible.builtin.template: + src: templates/settings.xml.j2 + dest: "/home/{{ cci_worker_username }}/.m2/settings.xml" + mode: "0644" + owner: "{{ cci_worker_username }}" + group: "{{ cci_worker_username }}" + + - name: Ensure CA certificates directory exists + ansible.builtin.file: + path: "{{ ca_certs_path }}" + state: directory + + - name: Download RedHat CA certificates + ansible.builtin.get_url: + url: "{{ cert.url }}" + dest: "{{ ca_certs_path}}/{{ cert.alias }}" + with_items: "{{ root_ca_certs }}" + loop_control: + loop_var: cert + register: cert_results + + - name: Update CA trust + ansible.builtin.command: update-ca-trust + changed_when: cert_results.changed diff --git a/roles/cron/defaults/main.yml b/roles/cron/defaults/main.yml index 914c0a4b..adc3c0aa 100644 --- a/roles/cron/defaults/main.yml +++ b/roles/cron/defaults/main.yml @@ -1,3 +1,4 @@ --- +cron_mail_pkg_name: mailx cronjobs: - { name: "ansible-daily-run", dest: "/opt/tools/ansible-daily-run.sh", src: "ansible-daily-run.sh.j2", special_time: "daily" } diff --git a/roles/cron/tasks/cronjob.yml b/roles/cron/tasks/cronjob.yml index d9ebc3b9..7cf2d6cb 100644 --- a/roles/cron/tasks/cronjob.yml +++ b/roles/cron/tasks/cronjob.yml 
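Review bot: `password: "{{ cci_worker.account.password | password_hash('sha512', 'A512') }}"` uses a fixed salt, so the same password yields the same hash on every host and the salt adds no protection; the Ansible-documented idiom is a per-host deterministic salt, `password_hash('sha512', 65534 | random(seed=inventory_hostname) | string)`, which stays idempotent without being constant. Further down, `ansible.builtin.shell: loginctl enable-linger {{ cci_worker_username }}` interpolates a variable into a shell line and has no `changed_when`; `ansible.builtin.command: loginctl enable-linger {{ cci_worker_username }}` with `changed_when: false` drops the shell and the perpetual `changed`. `Download RedHat CA certificates` installs trust anchors from `root_ca_certs` URLs with no `checksum`, so a substituted download would be trusted system-wide via the following `update-ca-trust`; pass `checksum: "{{ cert.checksum | default(omit) }}"` and populate it per entry. The hunk begins inside the file (the assert at its top starts outside), and note that `cci_worker.account.username` and `cci_worker_username` are two different variables for what reads like the same user.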
@@ -10,29 +10,32 @@ - jobs.dest != "" quiet: true -- name: "Ensures script job for {{ jobs.name }} is deployed" - ansible.builtin.template: - src: "{{ jobs.src }}" - dest: "{{ jobs.dest }}" - owner: root - group: root - mode: 0745 +- name: "Escalate privileges" + become: yes + block: + - name: "Ensures script job for {{ jobs.name }} is deployed" + ansible.builtin.template: + src: "{{ jobs.src }}" + dest: "{{ jobs.dest }}" + owner: root + group: root + mode: 0745 -- name: "Ensures cron task for {{ jobs.name }} is defined." - ansible.builtin.cron: - name: "{{ jobs.name }}" - job: "{{ jobs.dest }}" - special_time: "{{ jobs.special_time }}" - when: - - jobs.special_time is defined + - name: "Ensures cron task for {{ jobs.name }} is defined." + ansible.builtin.cron: + name: "{{ jobs.name }}" + job: "{{ jobs.dest }}" + special_time: "{{ jobs.special_time }}" + when: + - jobs.special_time is defined -- name: "Ensures cron task for {{ jobs.name }} is defined." - ansible.builtin.cron: - name: "{{ jobs.name }}" - job: "{{ jobs.dest }}" - weekday: "{{ jobs.weekday | default(omit) }}" - minute: "{{ jobs.minute | default(omit) }}" - hour: "{{ jobs.hour | default(omit) }}" - day: "{{ jobs.day | default(omit) }}" - when: - - not jobs.special_time is defined + - name: "Ensures cron task for {{ jobs.name }} is defined." + ansible.builtin.cron: + name: "{{ jobs.name }}" + job: "{{ jobs.dest }}" + weekday: "{{ jobs.weekday | default(omit) }}" + minute: "{{ jobs.minute | default(omit) }}" + hour: "{{ jobs.hour | default(omit) }}" + day: "{{ jobs.day | default(omit) }}" + when: + - not jobs.special_time is defined diff --git a/roles/cron/tasks/main.yml b/roles/cron/tasks/main.yml index b49eeb60..0d5ae23c 100644 --- a/roles/cron/tasks/main.yml +++ b/roles/cron/tasks/main.yml 
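Review bot: The two mutually exclusive `ansible.builtin.cron` tasks carry the identical name `Ensures cron task for {{ jobs.name }} is defined.`, so the run log cannot show which branch (special_time vs. explicit schedule) applied; append a qualifier, e.g. `(special_time)` and `(explicit schedule)`. `mode: 0745` on the deployed script is an unquoted leading-zero octal; it works through YAML 1.1 octal parsing, but `mode: "0745"` is the form ansible-lint and yamllint accept without warnings. With the whole block now under `become: yes`, the cron entries land in root's crontab, which appears consistent with the root-owned script.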
@@ -4,12 +4,18 @@ - cronjobs is defined - cronjobs | length > 0 +- name: "Change mail tool package name if running on RHEL9 ({{ ansible_distribution_major_version }})" + ansible.builtin.set_fact: + cron_mail_pkg_name: s-nail + when: + - ansible_distribution_major_version == "9" + - ansible.builtin.include_role: name: fast_yum_install vars: package_name: "{{ files }}" with_items: - - mailx + - "{{ cron_mail_pkg_name }}" - cronie loop_control: loop_var: files diff --git a/roles/fast_yum_install/tasks/main.yml b/roles/fast_yum_install/tasks/main.yml index d5ae9ffe..6cfe518f 100644 --- a/roles/fast_yum_install/tasks/main.yml +++ b/roles/fast_yum_install/tasks/main.yml @@ -4,15 +4,17 @@ - yum.cache_update is defined quiet: true -- block: - - name: "Test if package {{ package_name }} is already installed" - ansible.builtin.command: rpm -q {{ package_name }} - register: rpm_info - changed_when: rpm_info.failed +- name: "Escalate privileges" + become: yes + block: + - name: "Test if package {{ package_name }} is already installed" + ansible.builtin.command: rpm -q {{ package_name }} + register: rpm_info + changed_when: rpm_info.failed rescue: - - name: "If package {{ package_name }} is missing, install package using yum.(cache update: {{ yum.cache_update }})" - ansible.builtin.yum: - name: "{{ package_name }}" - update_cache: "{{ yum.cache_update }}" - state: installed - when: rpm_info.failed + - name: "If package {{ package_name }} is missing, install package using yum.(cache update: {{ yum.cache_update }})" + ansible.builtin.yum: + name: "{{ package_name }}" + update_cache: "{{ yum.cache_update }}" + state: installed + when: rpm_info.failed diff --git a/roles/git/tasks/main.yml b/roles/git/tasks/main.yml index a7e5e688..569a16a3 100644 --- a/roles/git/tasks/main.yml +++ b/roles/git/tasks/main.yml 
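Review bot: `when: ansible_distribution_major_version == "9"` pins the `s-nail` substitution to exactly RHEL 9, so a later major release — which presumably also lacks `mailx` — would fall back to the `mailx` default and the install would fail; `when: ansible_distribution_major_version | int >= 9` is the safer comparison if that assumption holds. The condition also requires facts, and the templated task name `({{ ansible_distribution_major_version }})` renders as-is when they are not gathered; the play's `gather_facts` setting is outside this hunk. Because `set_fact` outranks role defaults and inventory, the new `cron_mail_pkg_name` default in `roles/cron/defaults/main.yml` cannot be overridden for RHEL 9 hosts; a comment noting that, or a vars-level lookup keyed on the major version, would make the precedence explicit.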
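Review bot: In `roles/fast_yum_install/tasks/main.yml` the `rpm -q {{ package_name }}` probe relies on the block failing to reach `rescue`, so every not-yet-installed package prints a fatal line before the install, and the `when: rpm_info.failed` on the rescue task is always true by construction. A flatter form — `failed_when: false` and `changed_when: false` on the probe, then `when: rpm_info.rc != 0` on the yum task — gives the same result without the error lines or the block/rescue pair, and the `become: yes` wrapper can stay on the plain task list. `package_name` is interpolated unquoted into the command line; with `ansible.builtin.command` that is only argument splitting, not a shell, but the value should still be a single package name.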
@@ -3,8 +3,9 @@ name: fast_yum_install vars: package_name: git - + - name: "Ensures gitconfig is deployed for user root" + become: yes ansible.builtin.template: src: templates/gitconfig.j2 dest: "{{ config.home }}/.gitconfig" diff --git a/roles/java/tasks/archive_tool_install.yml b/roles/java/tasks/archive_tool_install.yml index cde54e2e..22c14493 100644 --- a/roles/java/tasks/archive_tool_install.yml +++ b/roles/java/tasks/archive_tool_install.yml 
@@ -13,35 +13,38 @@ - ansible.builtin.set_fact: path_to_archive: "{{ home_folder }}/{{ files.name }}{{ files.ext | default('.tgz') }}" -- ansible.builtin.stat: - path: "{{ path_to_archive }}" - register: archive +- name: "Escalate priviliges" + become: yes + block: + - ansible.builtin.stat: + path: "{{ path_to_archive }}" + register: archive -- name: "Download archive from {{ files.source }}" - ansible.builtin.get_url: - url: "{{ files.source }}" - dest: "{{ path_to_archive }}" - retries: 3 - delay: 5 - register: archive_download - when: - - archive.stat is defined - - not archive.stat.exists + - name: "Download archive from {{ files.source }}" + ansible.builtin.get_url: + url: "{{ files.source }}" + dest: "{{ path_to_archive }}" + retries: 3 + delay: 5 + register: archive_download + when: + - archive.stat is defined + - not archive.stat.exists -- ansible.builtin.stat: - path: "{{ files.home }}" - register: path_to_home + - ansible.builtin.stat: + path: "{{ files.home }}" + register: path_to_home -- ansible.builtin.stat: - path: "{{ files.home }}/{{ files.name }}" - register: path_to_home + - ansible.builtin.stat: + path: "{{ files.home }}/{{ files.name }}" + register: path_to_home -- name: "Unpack archive {{ path_to_archive }} to {{ files.home }}" - ansible.builtin.unarchive: - src: "{{ path_to_archive }}" - dest: "{{ files.home }}" - remote_src: yes - when: - - path_to_home is defined - - path_to_home.stat is defined - - not path_to_home.stat.exists + - name: "Unpack archive {{ path_to_archive }} to {{ files.home }}" + ansible.builtin.unarchive: + src: "{{ path_to_archive }}" + dest: "{{ files.home }}" + remote_src: yes + when: + - path_to_home is defined + - path_to_home.stat is defined + - not path_to_home.stat.exists diff --git a/roles/java/tasks/install_and_default.yml b/roles/java/tasks/install_and_default.yml index 9e8e81be..78c78a94 100644 --- a/roles/java/tasks/install_and_default.yml +++ b/roles/java/tasks/install_and_default.yml 
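Review bot: `Download archive from {{ files.source }}` fetches an archive that the last task unpacks, now under the new `become: yes` block, with no `checksum` on `ansible.builtin.get_url`; adding `checksum: "{{ files.checksum | default(omit) }}"` (and populating it in the tool list) rejects a modified or substituted archive before it is extracted as root. The two `ansible.builtin.stat` tasks both `register: path_to_home`, so the first one (for `{{ files.home }}`) is overwritten and never read, and `when: archive.stat is defined` is always true after a `stat` call. `- name: "Escalate priviliges"` has a typo: `Escalate privileges`; the unnamed `stat` tasks would also benefit from names.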
@@ -18,6 +18,7 @@ loop_var: files - name: "Symlink {{ tool_default_link }} to default version: {{ tool_default }}." + become: yes ansible.builtin.file: src: "{{ tool_default }}" dest: "{{ tool_default_link }}" diff --git a/roles/java/tasks/main.yml b/roles/java/tasks/main.yml index 4e8e01c4..a5642d0e 100644 --- a/roles/java/tasks/main.yml +++ b/roles/java/tasks/main.yml @@ -7,6 +7,7 @@ quiet: true - name: "Ensures the tools home folder exits." + become: yes ansible.builtin.file: state: directory path: "{{ folders }}" diff --git a/roles/motd/tasks/main.yml b/roles/motd/tasks/main.yml index db0ee156..e8674df3 100644 --- a/roles/motd/tasks/main.yml +++ b/roles/motd/tasks/main.yml @@ -10,17 +10,10 @@ motd_src_file: "files/motd.{{ motd.font }}" - name: Add a specific motd + become: yes ansible.builtin.copy: src: "files/motd.{{ motd.font }}" dest: /etc/motd owner: root group: root mode: 0644 - -#- include_tasks: tasks/remove_file.yml -# loop: "{{ motd.files.to_remove }}" -# when: -# - motd is defined -# - motd.files is defined -# - motd.files.to_remove is defined -# - motd.files.to_remove is iterable