---
files/fas-client/fas-client.cron | 1 -
files/fas-client/fas.conf.j2 | 92 ----------------------------------
files/fas-client/nsswitch.conf | 45 -----------------
handlers/restart_services.yml | 3 +-
playbooks/groups/arm-packager.yml | 2 +-
playbooks/groups/arm-qa.yml | 2 +-
playbooks/groups/arm-releng.yml | 5 +++--
playbooks/groups/backup-server.yml | 2 +-
playbooks/groups/badges-backend.yml | 2 +-
playbooks/groups/badges-web.yml | 2 +-
playbooks/groups/beaker.yml | 2 +-
playbooks/groups/gallery.yml | 2 +-
playbooks/groups/kernel-qa.yml | 2 +-
playbooks/groups/keyserver.yml | 2 +-
playbooks/groups/koji-hub.yml | 2 +-
playbooks/groups/mailman.yml | 2 +-
playbooks/groups/mirrorlist.yml | 2 +-
playbooks/groups/postgresl-server.yml | 2 +-
playbooks/groups/taskbot.yml | 2 +-
playbooks/groups/virthost.yml | 2 +-
roles/fas_client/files/fas-client.cron | 1 +
roles/fas_client/files/nsswitch.conf | 45 +++++++++++++++++
roles/fas_client/handlers/main.yml | 3 ++
roles/fas_client/tasks/main.yml | 80 +++++++++++++++++++++++++++++
roles/fas_client/templates/fas.conf.j2 | 92 ++++++++++++++++++++++++++++++++++
tasks/fas_client.yml | 80 -----------------------------
26 files changed, 240 insertions(+), 237 deletions(-)
delete mode 100644 files/fas-client/fas-client.cron
delete mode 100644 files/fas-client/fas.conf.j2
delete mode 100644 files/fas-client/nsswitch.conf
create mode 100644 roles/fas_client/files/fas-client.cron
create mode 100644 roles/fas_client/files/nsswitch.conf
create mode 100644 roles/fas_client/handlers/main.yml
create mode 100644 roles/fas_client/tasks/main.yml
create mode 100644 roles/fas_client/templates/fas.conf.j2
delete mode 100644 tasks/fas_client.yml
diff --git a/files/fas-client/fas-client.cron b/files/fas-client/fas-client.cron
deleted file mode 100644
index 4ec50f9..0000000
--- a/files/fas-client/fas-client.cron
+++ /dev/null
@@ -1 +0,0 @@
-*/10 * * * * root /usr/local/bin/lock-wrapper fasClient "/bin/sleep $(($RANDOM \% 180)); /usr/bin/fasClient -i | /usr/local/bin/nag-once fassync 1d 2>&1"
diff --git a/files/fas-client/fas.conf.j2 b/files/fas-client/fas.conf.j2
deleted file mode 100644
index d3af01d..0000000
--- a/files/fas-client/fas.conf.j2
+++ /dev/null
@@ -1,92 +0,0 @@ -[global] -; url - Location to fas server -url = https://admin.fedoraproject.org/accounts/ - -; temp - Location to generate files while user creation process is happening -temp = /var/db - -; login - username to contact fas -login = {{ fedorathirdpartyUser }} - -; password - password for login name -password = {{ fedorathirdpartyPassword }} - -; prefix - install to a location other than / -prefix = / - -; modefile - Location of a file containing saved home directory modes -modefile = /var/lib/fas/client_dir_perms - -; cla_group - Group for CLA requirements -cla_group = cla_done - -[host] -; Group hierarchy is 1) groups, 2) restricted_groups 3) ssh_restricted_groups -; so if someone is in all 3, the client behaves the same as if they were just -; in 'groups' - -; groups that should have a shell account on this system. -{% if fas_client_groups %} -groups = sysadmin-main,{{ fas_client_groups }} -{% else %} -groups = sysadmin-main -{% endif %} - -; groups that should have a restricted account on this system. -; restricted accounts use the restricted_shell value in [users] -restricted_groups = - -; ssh_restricted_groups: groups that should be restricted by ssh key. You will -; need to disable password based logins in order for this value to have any -; security meaning. 
Group types can be placed here as well, for example -; @hg,@git,@svn -{% if fas_client_ssh_groups %} -ssh_restricted_groups = {{ fas_client_ssh_groups }} -{% else %} -ssh_restricted_groups = -{% endif %} - -; aliases_template: Gets prepended to the aliases file when it is generated by -; fasClient -aliases_template = /etc/aliases.template - -[users] -; default shell given to people in [host] groups -shell = /bin/bash - -; home - the location for fas user home dirs -home = /home/fedora - -; home_backup_dir - Location home dirs should get moved to when a user is -; deleted this location should be tmpwatched -home_backup_dir = /home/fedora.bak - -; ssh_restricted_app - This is the path to the restricted shell script. It -; will not work automatically for most people though through alterations it -; is a powerfull way to restrict access to a machine. An alternative example -; could be given to people who should only have cvs access on the machine. -; setting this value to "/usr/bin/cvs server" would do this. -{% if fas_client_restricted_app %} -ssh_restricted_app = {{ fas_client_restricted_app }} -{% else %} -ssh_restricted_app = -{% endif %} - -; ssh_admin_app - This is the path to an app that an admin is allowed to use. -{% if fas_client_admin_app %} -ssh_admin_app = {{ fas_client_admin_app }} -{% else %} -ssh_admin_app = -{% endif %} - -; restricted_shell - The shell given to users in the ssh_restricted_groups -restricted_shell = /sbin/nologin - -; ssh_restricted_shell - The shell given to users in the ssh_restricted_groups -ssh_restricted_shell = /bin/bash - -; ssh_key_options - Options to be appended to people ssh keys. Users in the -; ssh_restricted_groups will have the keys they uploaded altered when they are -; installed on this machine, appended with the options below. -ssh_key_options = no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty - 
diff --git a/files/fas-client/nsswitch.conf b/files/fas-client/nsswitch.conf deleted file mode 100644 index fb4ff62..0000000 --- a/files/fas-client/nsswitch.conf +++ /dev/null @@ -1,45 +0,0 @@ -# /etc/nsswitch.conf -# -# An example Name Service Switch config file. This file should be -# sorted with the most-used services at the beginning. -# -# The entry '[NOTFOUND=return]' means that the search for an -# entry should stop if the search in the previous entry turned -# up nothing. Note that if the search failed due to some other reason -# (like no NIS server responding) then the search continues with the -# next entry. -# -# Legal entries are: -# -# nisplus or nis+ Use NIS+ (NIS version 3) -# nis or yp Use NIS (NIS version 2), also called YP -# dns Use DNS (Domain Name Service) -# files Use the local files -# db Use the local database (.db) files -# compat Use NIS on compat mode -# hesiod Use Hesiod for user lookups -# [NOTFOUND=return] Stop searching if not found so far -# - -passwd: db files -shadow: db files -group: db files - -#hosts: db files nisplus nis dns -hosts: files dns - -bootparams: nisplus [NOTFOUND=return] files - -ethers: files -netmasks: files -networks: files -protocols: files -rpc: files -services: files - -netgroup: files - -publickey: nisplus - -automount: files -aliases: files nisplus diff --git a/handlers/restart_services.yml b/handlers/restart_services.yml index 993d799..e11a2c7 100644 --- a/handlers/restart_services.yml +++ b/handlers/restart_services.yml @@ -89,5 +89,4 @@ - name: restart xinetd action: service name=xinetd state=restarted -- name: run fasclient - action: command /usr/bin/fasClient -i + diff --git a/playbooks/groups/arm-packager.yml b/playbooks/groups/arm-packager.yml index 2f33e92..fa02fa4 100644 --- a/playbooks/groups/arm-packager.yml +++ b/playbooks/groups/arm-packager.yml 
@@ -14,13 +14,13 @@ roles: - rkhunter - denyhosts + - fas_client tasks: # this is how you include other task lists - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml diff --git a/playbooks/groups/arm-qa.yml b/playbooks/groups/arm-qa.yml index b92184b..3f281af 100644 --- a/playbooks/groups/arm-qa.yml +++ b/playbooks/groups/arm-qa.yml @@ -14,13 +14,13 @@ roles: - rkhunter - denyhosts + - fas_client tasks: # this is how you include other task lists - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml diff --git a/playbooks/groups/arm-releng.yml b/playbooks/groups/arm-releng.yml index d2f3212..3858ee9 100644 --- a/playbooks/groups/arm-releng.yml +++ b/playbooks/groups/arm-releng.yml @@ -10,9 +10,10 @@ - /srv/web/infra/ansible/vars/global.yml - ${private}/vars.yml + roles: + - fas_client + tasks: - # This task sets up fas_client for user management - - include: $tasks/fas_client.yml # This task sets up /etc/hosts for us - include: $tasks/hosts.yml # This task includes our common scripts diff --git a/playbooks/groups/backup-server.yml b/playbooks/groups/backup-server.yml index 2b30af4..90a4dd4 100644 --- a/playbooks/groups/backup-server.yml +++ b/playbooks/groups/backup-server.yml @@ -17,12 +17,12 @@ - rkhunter - denyhosts - nagios_client + - fas_client tasks: - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml diff --git a/playbooks/groups/badges-backend.yml b/playbooks/groups/badges-backend.yml index 59b145e..696cf09 100644 --- a/playbooks/groups/badges-backend.yml +++ b/playbooks/groups/badges-backend.yml 
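Review bot: Listing `fas_client` under `roles:` changes when it runs, because Ansible applies a play's roles before its `tasks:` list, whereas the removed `- include: $tasks/fas_client.yml` came after `$tasks/yumrepos.yml` and `$tasks/base.yml`. The role's own header says fas-clients lives in the infrastructure repo, so on a freshly provisioned host the package install may now run before that repo is configured and either fail or resolve from whatever repos are already present; this is inferred from the visible ordering and is worth confirming on a clean build. The same reordering applies to the other playbook hunks in this commit (arm-qa through virthost). If the order matters, the repo setup could move ahead of the roles, for example `pre_tasks:` with `- include: $tasks/yumrepos.yml`, or into a role listed before `fas_client`.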
@@ -33,12 +33,12 @@ - rkhunter - denyhosts - nagios_client + - fas_client tasks: - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml diff --git a/playbooks/groups/badges-web.yml b/playbooks/groups/badges-web.yml index 6c33548..41a70f2 100644 --- a/playbooks/groups/badges-web.yml +++ b/playbooks/groups/badges-web.yml @@ -36,12 +36,12 @@ - rkhunter - denyhosts - nagios_client + - fas_client tasks: - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml diff --git a/playbooks/groups/beaker.yml b/playbooks/groups/beaker.yml index 5ec502e..6296bd2 100644 --- a/playbooks/groups/beaker.yml +++ b/playbooks/groups/beaker.yml @@ -32,13 +32,13 @@ - rkhunter - denyhosts - nagios_client + - fas_client tasks: # this is how you include other task lists - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/collectd/client.yml - include: $tasks/motd.yml diff --git a/playbooks/groups/gallery.yml b/playbooks/groups/gallery.yml index 152455a..17e1961 100644 --- a/playbooks/groups/gallery.yml +++ b/playbooks/groups/gallery.yml @@ -33,12 +33,12 @@ - rkhunter - denyhosts - nagios_client + - fas_client tasks: - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml diff --git a/playbooks/groups/kernel-qa.yml b/playbooks/groups/kernel-qa.yml index b78c67e..b46335a 100644 --- a/playbooks/groups/kernel-qa.yml +++ b/playbooks/groups/kernel-qa.yml 
@@ -16,13 +16,13 @@ - rkhunter - denyhosts - nagios_client + - fas_client tasks: # this is how you include other task lists - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml diff --git a/playbooks/groups/keyserver.yml b/playbooks/groups/keyserver.yml index 367a189..9c1c296 100644 --- a/playbooks/groups/keyserver.yml +++ b/playbooks/groups/keyserver.yml @@ -33,12 +33,12 @@ - rkhunter - denyhosts - nagios_client + - fas_client tasks: - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml diff --git a/playbooks/groups/koji-hub.yml b/playbooks/groups/koji-hub.yml index fd077ce..1cf8195 100644 --- a/playbooks/groups/koji-hub.yml +++ b/playbooks/groups/koji-hub.yml @@ -34,12 +34,12 @@ - rkhunter - denyhosts - nagios_client + - fas_client tasks: - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml diff --git a/playbooks/groups/mailman.yml b/playbooks/groups/mailman.yml index 345aa37..bea5f23 100644 --- a/playbooks/groups/mailman.yml +++ b/playbooks/groups/mailman.yml @@ -32,13 +32,13 @@ - rkhunter - denyhosts - nagios_client + - fas_client tasks: # this is how you include other task lists - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/collectd/client.yml - include: $tasks/motd.yml diff --git a/playbooks/groups/mirrorlist.yml b/playbooks/groups/mirrorlist.yml index 08055b1..5763f58 100644 --- a/playbooks/groups/mirrorlist.yml +++ b/playbooks/groups/mirrorlist.yml 
@@ -43,13 +43,13 @@ - denyhosts - nagios_client - geoip + - fas_client tasks: # this is how you include other task lists - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/collectd/client.yml - include: $tasks/openvpn_client.yml diff --git a/playbooks/groups/postgresl-server.yml b/playbooks/groups/postgresl-server.yml index d709057..bb33a36 100644 --- a/playbooks/groups/postgresl-server.yml +++ b/playbooks/groups/postgresl-server.yml @@ -35,12 +35,12 @@ - denyhosts - nagios_client - postgresql_server + - fas_client tasks: - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml diff --git a/playbooks/groups/taskbot.yml b/playbooks/groups/taskbot.yml index 7641266..eab5ae9 100644 --- a/playbooks/groups/taskbot.yml +++ b/playbooks/groups/taskbot.yml @@ -32,13 +32,13 @@ - rkhunter - denyhosts - nagios_client + - fas_client tasks: # this is how you include other task lists - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/collectd/client.yml - include: $tasks/motd.yml diff --git a/playbooks/groups/virthost.yml b/playbooks/groups/virthost.yml index 763002b..ab93d90 100644 --- a/playbooks/groups/virthost.yml +++ b/playbooks/groups/virthost.yml @@ -16,12 +16,12 @@ - rkhunter - denyhosts - nagios_client + - fas_client tasks: - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml diff --git a/roles/fas_client/files/fas-client.cron b/roles/fas_client/files/fas-client.cron new file mode 100644 index 0000000..4ec50f9 --- /dev/null 
+++ b/roles/fas_client/files/fas-client.cron @@ -0,0 +1 @@ +*/10 * * * * root /usr/local/bin/lock-wrapper fasClient "/bin/sleep $(($RANDOM \% 180)); /usr/bin/fasClient -i | /usr/local/bin/nag-once fassync 1d 2>&1" diff --git a/roles/fas_client/files/nsswitch.conf b/roles/fas_client/files/nsswitch.conf new file mode 100644 index 0000000..fb4ff62 --- /dev/null +++ b/roles/fas_client/files/nsswitch.conf @@ -0,0 +1,45 @@ +# /etc/nsswitch.conf +# +# An example Name Service Switch config file. This file should be +# sorted with the most-used services at the beginning. +# +# The entry '[NOTFOUND=return]' means that the search for an +# entry should stop if the search in the previous entry turned +# up nothing. Note that if the search failed due to some other reason +# (like no NIS server responding) then the search continues with the +# next entry. +# +# Legal entries are: +# +# nisplus or nis+ Use NIS+ (NIS version 3) +# nis or yp Use NIS (NIS version 2), also called YP +# dns Use DNS (Domain Name Service) +# files Use the local files +# db Use the local database (.db) files +# compat Use NIS on compat mode +# hesiod Use Hesiod for user lookups +# [NOTFOUND=return] Stop searching if not found so far +# + +passwd: db files +shadow: db files +group: db files + +#hosts: db files nisplus nis dns +hosts: files dns + +bootparams: nisplus [NOTFOUND=return] files + +ethers: files +netmasks: files +networks: files +protocols: files +rpc: files +services: files + +netgroup: files + +publickey: nisplus + +automount: files +aliases: files nisplus diff --git a/roles/fas_client/handlers/main.yml b/roles/fas_client/handlers/main.yml new file mode 100644 index 0000000..354ef9d --- /dev/null +++ b/roles/fas_client/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: run fasclient + action: command /usr/bin/fasClient -i diff --git a/roles/fas_client/tasks/main.yml b/roles/fas_client/tasks/main.yml new file mode 100644 index 0000000..c2f64c7 --- /dev/null +++ b/roles/fas_client/tasks/main.yml 
@@ -0,0 +1,80 @@
+---
+#
+# This task sets up fasClient on a machine.
+# It installs the fas-clients package, then the /etc/fas.conf and finally a cron job update.
+#
+
+#
+# fas-clients is in the infrastructure repo.
+# nss_db is needed to store user/group info.
+#
+- name: install package needed for fas-client
+ yum: state=installed name=$item
+ with_items:
+ - fas-clients
+ - cronie
+ tags:
+ - packages
+
+- name: hotfix - python-fedora proxyclient.py
+ copy: >
+ src=$files/hotfix/python-fedora/proxyclient.py
+ dest=/usr/lib/python2.6/site-packages/fedora/client/proxyclient.py
+ owner=root mode=644
+ only_if: "'${ansible_distribution}' == 'RedHat'"
+ tags:
+ - hotfix
+ - packages
+
+- name: install nss_db on rhel hosts only
+ yum: state=installed name=nss_db
+ only_if: "'${ansible_distribution}' == 'RedHat'"
+ tags:
+ - packages
+
+#
+# setup /etc/nsswitch.conf to use nssdb
+#
+- name: setup /etc/nsswitch.conf for client use
+ copy: src=nsswitch.conf dest=/etc/nsswitch.conf owner=root mode=644
+ tags:
+ - config
+
+#
+# fasClients needs a valid /etc/fas.conf.
+# There's vars used in this template:
+#
+# fas_client_groups = "sysadmin-main"
+# fas_client_restricted_app = ""
+# fas_client_admin_app = ""
+# fas_client_ssh_groups = ""
+#
+# if desired, set them on a per host/group basis.
+#
+# Currently the default template is used, but could be modified on a host basis.
+#
+- name: setup /etc/fas.conf for client use
+ template: src=$item dest=/etc/fas.conf owner=root mode=600
+ with_first_found:
+ - ${ansible_fqdn}.fas.conf.j2
+ - ${ansible_hostname}.fas.conf.j2
+ - ${ansible_hostname}.fas.conf.j2
+ - fas.conf.j2
+ tags:
+ - config
+ notify:
+ - run fasclient
+
+#
+# setup /etc/cron.d/ file to run sync every 10min
+# TODO: use cron module when it's fixed
+#
+#- name: fas_client cron job
+# cron: name="fas client" user=root cron_file=fas-client minute="*/10" job="/usr/bin/fasClient -i"
+# tags:
+# - config
+
+- name: fas_client cron job
+ copy: src=fas-client.cron dest=/etc/cron.d/fas-client owner=root mode=644
+ tags:
+ - config
diff --git a/roles/fas_client/templates/fas.conf.j2 b/roles/fas_client/templates/fas.conf.j2
new file mode 100644
index 0000000..d3af01d
--- /dev/null
+++ b/roles/fas_client/templates/fas.conf.j2
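Review bot: The `with_first_found` list for /etc/fas.conf names `${ansible_hostname}.fas.conf.j2` twice, so the third entry can never match where the second did not; drop the duplicate line. The entries are now bare names where the old task used `$files/fas-client/...`, so it is worth confirming that the lookup resolves them against the role's `templates/` directory in the Ansible version in use; a miss on all four would presumably fail the task or leave a stale /etc/fas.conf, which is the `mode=600` file carrying the FAS login and password. The hotfix task still copies from `$files/hotfix/python-fedora/proxyclient.py`, so the role is not self-contained, and it overwrites a package-owned module under a hard-coded python2.6 path. A comment on that task such as `# overwrites a python-fedora file; a package update reverts it and rpm -V will report it` would help whoever audits the host later.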
@@ -0,0 +1,92 @@ +[global] +; url - Location to fas server +url = https://admin.fedoraproject.org/accounts/ + +; temp - Location to generate files while user creation process is happening +temp = /var/db + +; login - username to contact fas +login = {{ fedorathirdpartyUser }} + +; password - password for login name +password = {{ fedorathirdpartyPassword }} + +; prefix - install to a location other than / +prefix = / + +; modefile - Location of a file containing saved home directory modes +modefile = /var/lib/fas/client_dir_perms + +; cla_group - Group for CLA requirements +cla_group = cla_done + +[host] +; Group hierarchy is 1) groups, 2) restricted_groups 3) ssh_restricted_groups +; so if someone is in all 3, the client behaves the same as if they were just +; in 'groups' + +; groups that should have a shell account on this system. +{% if fas_client_groups %} +groups = sysadmin-main,{{ fas_client_groups }} +{% else %} +groups = sysadmin-main +{% endif %} + +; groups that should have a restricted account on this system. +; restricted accounts use the restricted_shell value in [users] +restricted_groups = + +; ssh_restricted_groups: groups that should be restricted by ssh key. You will +; need to disable password based logins in order for this value to have any +; security meaning. 
Group types can be placed here as well, for example +; @hg,@git,@svn +{% if fas_client_ssh_groups %} +ssh_restricted_groups = {{ fas_client_ssh_groups }} +{% else %} +ssh_restricted_groups = +{% endif %} + +; aliases_template: Gets prepended to the aliases file when it is generated by +; fasClient +aliases_template = /etc/aliases.template + +[users] +; default shell given to people in [host] groups +shell = /bin/bash + +; home - the location for fas user home dirs +home = /home/fedora + +; home_backup_dir - Location home dirs should get moved to when a user is +; deleted this location should be tmpwatched +home_backup_dir = /home/fedora.bak + +; ssh_restricted_app - This is the path to the restricted shell script. It +; will not work automatically for most people though through alterations it +; is a powerfull way to restrict access to a machine. An alternative example +; could be given to people who should only have cvs access on the machine. +; setting this value to "/usr/bin/cvs server" would do this. +{% if fas_client_restricted_app %} +ssh_restricted_app = {{ fas_client_restricted_app }} +{% else %} +ssh_restricted_app = +{% endif %} + +; ssh_admin_app - This is the path to an app that an admin is allowed to use. +{% if fas_client_admin_app %} +ssh_admin_app = {{ fas_client_admin_app }} +{% else %} +ssh_admin_app = +{% endif %} + +; restricted_shell - The shell given to users in the ssh_restricted_groups +restricted_shell = /sbin/nologin + +; ssh_restricted_shell - The shell given to users in the ssh_restricted_groups +ssh_restricted_shell = /bin/bash + +; ssh_key_options - Options to be appended to people ssh keys. Users in the +; ssh_restricted_groups will have the keys they uploaded altered when they are +; installed on this machine, appended with the options below. +ssh_key_options = no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty + diff --git a/tasks/fas_client.yml b/tasks/fas_client.yml deleted file mode 100644 index fedeb5b..0000000 
--- a/tasks/fas_client.yml
+++ /dev/null
@@ -1,80 +0,0 @@ ---- -# -# This task sets up fasClient on a machine. -# It installs the fas-clients package, then the /etc/fas.conf and finally a cron job update. -# - -# -# fas-clients is in the infrastructure repo. -# nss_db is needed to store user/group info. -# -- name: install package needed for fas-client - action: yum state=installed name=$item - with_items: - - fas-clients - - cronie - tags: - - packages - -- name: hotfix - python-fedora proxyclient.py - copy: > - src=$files/hotfix/python-fedora/proxyclient.py - dest=/usr/lib/python2.6/site-packages/fedora/client/proxyclient.py - owner=root mode=644 - only_if: "'${ansible_distribution}' == 'RedHat'" - tags: - - hotfix - - packages - -- name: install nss_db on rhel hosts only - action: yum state=installed name=nss_db - only_if: "'${ansible_distribution}' == 'RedHat'" - tags: - - packages - -# -# setup /etc/nsswitch.conf to use nssdb -# -- name: setup /etc/nsswitch.conf for client use - action: copy src=$files/fas-client/nsswitch.conf dest=/etc/nsswitch.conf owner=root mode=644 - tags: - - config - -# -# fasClients needs a valid /etc/fas.conf. -# There's vars used in this template: -# -# fas_client_groups = "sysadmin-main" -# fas_client_restricted_app = "" -# fas_client_admin_app = "" -# fas_client_ssh_groups = "" -# -# if desired, set them on a per host/group basis. -# -# Currently the default template is used, but could be modified on a host basis. 
-# -- name: setup /etc/fas.conf for client use - action: template src=$item dest=/etc/fas.conf owner=root mode=600 - with_first_found: - - $files/fas-client/${ansible_fqdn}.fas.conf.j2 - - $files/fas-client/${ansible_hostname}.fas.conf.j2 - - $files/fas-client/${ansible_hostname}.fas.conf.j2 - - $files/fas-client/fas.conf.j2 - tags: - - config - notify: - - run fasclient - -# -# setup /etc/cron.d/ file to run sync every 10min -# TODO: use cron module when it's fixed -# -#- name: fas_client cron job -# cron: name="fas client" user=root cron_file=fas-client minute="*/10" job="/usr/bin/fasClient -i" -# tags: -# - config - -- name: fas_client cron job - action: copy src=$files/fas-client/fas-client.cron dest=/etc/cron.d/fas-client owner=root mode=644 - tags: - - config -- 1.8.3.1 _______________________________________________ infrastructure mailing list infrastructure@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/infrastructure