forked from usegalaxy-eu/infrastructure-playbook
-
Notifications
You must be signed in to change notification settings - Fork 0
/
maintenance.yml
146 lines (144 loc) · 4.88 KB
/
maintenance.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
---
- name: UseGalaxy EU maintenance server
hosts: maintenance
become: true
become_user: root
vars_files:
- secret_group_vars/db-main.yml
- secret_group_vars/all.yml
- mounts/dest/all.yml
- mounts/mountpoints.yml
- group_vars/maintenance.yml
- group_vars/all.yml
collections:
- devsec.hardening
handlers:
- name: restart rsyslog
service:
name: rsyslog
state: restarted
pre_tasks:
- name: Set additional local mount point
set_fact:
autofs_conf_files: "{{ autofs_conf_files | combine({ 'usrlocal': autofs_conf_files['usrlocal'] + galaxy_mount }) }}"
- name: Install Dependencies
package:
name:
[
'git',
'postgresql',
'python3-psycopg2',
'python3-virtualenv',
'bc',
'python3',
'python3-devel',
]
become: true
post_tasks:
- name: Append some users to the systemd-journal group
user:
name: '{{ item }}'
groups: systemd-journal
append: true
loop:
- '{{ galaxy_user.name }}'
- 'telegraf'
- name: Set authorized SSH key (galaxy user)
ansible.posix.authorized_key:
user: '{{ galaxy_user.name }}'
state: present
key: '{{ item }}'
loop:
- 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOBINXdjILF6x3WuppXyq6J2a2oSLR6waZ6txgjYJogHdIKPbI0TdReCv4EVxxYRY/NqGpHbjkqfRTsf2VgoU3U= mk@galaxy-mira'
- 'ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBACB5Q5blymkTIRSzVzXITOGvBuI7W0L9Ykwfz8LJGPraaGVPiezzFGvjhqwX+EyCqQPt7JprR5mimJRw/JN3nBXWAHjekvmB5FuILkk6m5fOiQJ5QhRMyQ5GfxODAvGbHpTuWHbYJLWD5fhcboKPxlXOWy4xY9kDZVuQvEKisNKYBsFLA== sanjay'
- 'ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBABRaLHL8mgW86rbtdUh6TY4rs7/la8hAGeSQ3jBF7LMwYZnbS32YDMYvDq3KgNu5WqSMFvkxNm3vfTAbd8CXBfakwDBFBaD9kO0b2t4/p4VoFUsd3B2OvmTR7Bsg7OxTGJJ7aUP/SzTg+Z4NzsmHwQ9h31gfI7n/buZD4S1edQke19Y6w== [email protected]'
- name: rsyslog configuration
copy:
content: |
# Accept logs on TCP port 514
module(load="imtcp")
input(type="imtcp" port="514")
# Create a template for log file naming
$template RemoteLogs,"/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log"
# Store logs from clients in their own directories
if $fromhost-ip != "127.0.0.1" then ?RemoteLogs
dest: /etc/rsyslog.d/remote.conf
owner: root
group: root
mode: '0644'
notify:
- restart rsyslog
- name: Configure OpenStack credentials.
become: true
block:
- name: Get $XDG_CONFIG_HOME for root.
ansible.builtin.shell:
executable: /bin/bash
cmd: "set -u; (echo $XDG_CONFIG_HOME) 2> /dev/null || echo $HOME/.config"
changed_when: false
register: root_config
- name: Ensure $XDG_CONFIG_HOME exists.
become: true
ansible.builtin.file:
path: "{{ root_config.stdout }}"
state: directory
owner: root
group: root
- name: Ensure OpenStack configuration directory exists.
become: true
ansible.builtin.file:
path: "{{ root_config.stdout }}/openstack"
state: directory
owner: root
group: root
mode: "0700"
- name: Copy OpenStack credentials.
ansible.builtin.copy:
src: clouds.yaml
dest: "{{ root_config.stdout }}/openstack/clouds.yaml"
owner: root
group: root
mode: "0600"
- name: Copy script to manage VMs.
ansible.builtin.copy:
src: manage_vms
dest: /usr/local/bin/manage_vms
owner: root
group: root
mode: "0555"
- name: Configure firewalld to open ports
firewalld:
port: "{{ item }}"
immediate: true
permanent: true
state: enabled
with_items:
- 9628/tcp # HTCondor shared port
- 514/tcp # rsyslog
roles:
- usegalaxy-eu.vgcn-monitoring
- usegalaxy_eu.handy.os_setup
- geerlingguy.repo-epel
- usegalaxy-eu.autoupdates
- influxdata.chrony
- usegalaxy-eu.autofs
- hxr.monitor-cluster
- hxr.monitor-galaxy
- usegalaxy-eu.monitoring
- usegalaxy-eu.bashrc
- usegalaxy-eu.dynmotd
- ssh-host-sign
- hxr.postgres-connection
- galaxyproject.gxadmin
- usegalaxy-eu.galaxy-slurp
- usegalaxy_eu.fs_maintenance
# - usegalaxy-eu.htcondor_release
# - usegalaxy-eu.fix-unscheduled-workflows
- usegalaxy-eu.fix-ancient-ftp-data
# - usegalaxy-eu.fix-user-quotas
- usegalaxy-eu.remove-orphan-condor-jobs
- ssh_hardening
- dj-wasabi.telegraf
# - usegalaxy-eu.fix-stop-ITs
- usegalaxy-eu.logrotate
- usegalaxy_eu.walle