| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174 |
- ---
- # These are the temporary tasks needed on various machines before classroom build is finished.
- - name: Fixes required on workstation VM.
- hosts: workstation.lab.example.com
- become: yes
- gather_subset: min
- tasks:
- - name: Remove Google from resolv.conf
- ansible.builtin.lineinfile:
- path: /etc/resolv.conf
- line: "nameserver 8.8.8.8"
- state: absent
- - name: Fixes required on utility VM.
- hosts: utility.lab.example.com
- become: yes
- gather_subset: min
- tasks:
- # XXX DONE XXX # Fixing the DNS first.
- # XXX DONE XXX - name: add ocp4.example.com hosts to /etc/hosts
- # XXX DONE XXX become: yes
- # XXX DONE XXX ansible.builtin.lineinfile:
- # XXX DONE XXX path: /etc/hosts
- # XXX DONE XXX mode: 0644
- # XXX DONE XXX regex: "{{ item.hostname }}"
- # XXX DONE XXX line: "{{ item.addr }} {{ item.hostname }}"
- # XXX DONE XXX state: present
- # XXX DONE XXX loop:
- # XXX DONE XXX - addr: 192.168.50.40
- # XXX DONE XXX hostname: idm.ocp4.example.com
- # XXX DONE XXX - addr: 192.168.50.50
- # XXX DONE XXX hostname: registry.ocp4.example.com
- # XXX DONE XXX - addr: 192.168.50.10
- # XXX DONE XXX hostname: master01.ocp4.example.com
- # XXX DONE XXX - addr: 192.168.50.11
- # XXX DONE XXX hostname: master02.ocp4.example.com
- # XXX DONE XXX - addr: 192.168.50.12
- # XXX DONE XXX hostname: master03.ocp4.example.com
- # XXX DONE XXX - addr: 192.168.50.13
- # XXX DONE XXX hostname: worker01.ocp4.example.com
- # XXX DONE XXX - addr: 192.168.50.14
- # XXX DONE XXX hostname: worker02.ocp4.example.com
- # XXX DONE XXX
- # XXX DONE XXX - name: Ensure dnsmasq is installed.
- # XXX DONE XXX ansible.builtin.yum:
- # XXX DONE XXX name:
- # XXX DONE XXX - dnsmasq
- # XXX DONE XXX - dnsmasq-utils
- # XXX DONE XXX state: present
- # XXX DONE XXX
- # XXX DONE XXX - name: Ensure dnsmasq is listening on all interfaces
- # XXX DONE XXX ansible.builtin.lineinfile:
- # XXX DONE XXX path: /etc/dnsmasq.conf
- # XXX DONE XXX mode: 0644
- # XXX DONE XXX regex: "^interface=(.*)$"
- # XXX DONE XXX line: '#interface=\g<1>'
- # XXX DONE XXX backrefs: yes
- # XXX DONE XXX
- # XXX DONE XXX - name: Ensure dnsmasq is enabled and running.
- # XXX DONE XXX ansible.builtin.systemd_service:
- # XXX DONE XXX name: dnsmasq
- # XXX DONE XXX enabled: yes
- # XXX DONE XXX state: started
- # XXX DONE XXX
- # XXX DONE XXX - name: Ensure DNS is open in the firewall.
- # XXX DONE XXX ansible.posix.firewalld:
- # XXX DONE XXX immediate: yes
- # XXX DONE XXX permanent: yes
- # XXX DONE XXX zone: "{{ item }}"
- # XXX DONE XXX service: dns
- # XXX DONE XXX state: enabled
- # XXX DONE XXX loop:
- # XXX DONE XXX - external
- # XXX DONE XXX - public
- - name: Ensure idm is in ocp4.example.com zone.
- ansible.builtin.lineinfile:
- path: /var/named/ocp4.example.com.db
- regex: '^idm[[:space:]]'
- insertafter: '.*IN NS dns\.ocp4\.example\.com\.$'
- line: 'idm IN A 192.168.50.40'
- notify:
- - fix forward zone serial
- - restart named
- - name: Ensure idm is in ocp4.example.com reverse zone.
- ansible.builtin.lineinfile:
- path: /var/named/ocp4.example.com.reverse.db
- regex: '^40[[:space:]]'
- insertafter: '.*IN NS dns\.ocp4\.example\.com\.$'
- line: '40 IN PTR idm.ocp4.example.com.'
- notify:
- - fix reverse zone serial
- - restart named
- - name: Ensure utility allows forwarding traffic from external to public/trusted zones.
- ansible.builtin.copy:
- dest: /etc/firewalld/policies/fwd-stud-to-ocp.xml
- mode: 0644
- owner: root
- group: root
- content: |
- <?xml version="1.0" encoding="utf-8"?>
- <policy target="ACCEPT">
- <ingress-zone name="external"/>
- <egress-zone name="public"/>
- <egress-zone name="trusted"/>
- </policy>
- notify:
- - reload utility firewalld
- handlers:
- - name: reload utility firewalld
- ansible.builtin.service:
- name: firewalld
- state: reloaded
- - name: fix forward zone serial
- ansible.builtin.lineinfile:
- path: /var/named/ocp4.example.com.db
- regex: '.*; serial$'
- line: " {{ ansible_facts['date_time']['year'] }}{{ ansible_facts['date_time']['month'] }}{{ ansible_facts['date_time']['day'] }}00"
- - name: fix reverse zone serial
- ansible.builtin.lineinfile:
- path: /var/named/ocp4.example.com.reverse.db
- regex: '.*; serial$'
- line: " {{ ansible_facts['date_time']['year'] }}{{ ansible_facts['date_time']['month'] }}{{ ansible_facts['date_time']['day'] }}00"
- - name: restart named
- ansible.builtin.service:
- name: named
- state: restarted
- - name: Fix registry VM configuration.
- hosts: registry.ocp4.example.com
- become: yes
- gather_facts: no
- tasks:
- - name: Ensure eth1 interface is in public zone.
- ansible.builtin.firewalld:
- zone: public
- interface: eth1
- immediate: yes
- permanent: yes
- state: enabled
- notify:
- - reload registry firewalld
- # XXX DONE XXX #- name: Ensure registry is using bastion as the DNS
- # XXX DONE XXX # community.general.nmcli:
- # XXX DONE XXX # conn_name: "System eth1"
- # XXX DONE XXX # dns4: 172.25.250.254
- # XXX DONE XXX # state: present
- # XXX DONE XXX # notify:
- # XXX DONE XXX # - bounce eth1
- handlers:
- - name: reload registry firewalld
- ansible.builtin.service:
- name: firewalld
- state: reloaded
- # XXX DONE XXX #- name: reload connections
- # XXX DONE XXX # listen: bounce eth1
- # XXX DONE XXX # ansible.builtin.command: nmcli con reload
- # XXX DONE XXX
- # XXX DONE XXX #- name: take eth1 down
- # XXX DONE XXX # listen: bounce eth1
- # XXX DONE XXX # ansible.builtin.command: nmcli con down "System eth1"
- # XXX DONE XXX
- # XXX DONE XXX #- name: bring eth1 up
- # XXX DONE XXX # listen: bounce eth1
- # XXX DONE XXX # ansible.builtin.command: nmcli con up "System eth1"
- ...
|
