---
files/fas-client/fas-client.cron | 1 -
files/fas-client/fas.conf.j2 | 92 ----------------------------------
files/fas-client/nsswitch.conf | 45 -----------------
handlers/restart_services.yml | 3 +-
playbooks/groups/arm-packager.yml | 2 +-
playbooks/groups/arm-qa.yml | 2 +-
playbooks/groups/arm-releng.yml | 5 +-
playbooks/groups/backup-server.yml | 2 +-
playbooks/groups/badges-backend.yml | 2 +-
playbooks/groups/badges-web.yml | 2 +-
playbooks/groups/beaker.yml | 2 +-
playbooks/groups/gallery.yml | 2 +-
playbooks/groups/kernel-qa.yml | 2 +-
playbooks/groups/keyserver.yml | 2 +-
playbooks/groups/koji-hub.yml | 2 +-
playbooks/groups/mailman.yml | 2 +-
playbooks/groups/mirrorlist.yml | 2 +-
playbooks/groups/postgresl-server.yml | 2 +-
playbooks/groups/taskbot.yml | 2 +-
playbooks/groups/virthost.yml | 2 +-
roles/fas_client/files/fas-client.cron | 1 +
roles/fas_client/files/nsswitch.conf | 45 +++++++++++++++++
roles/fas_client/handlers/main.yml | 3 ++
roles/fas_client/tasks/main.yml | 80 +++++++++++++++++++++++++++++
roles/fas_client/templates/fas.conf.j2 | 92 ++++++++++++++++++++++++++++++++++
tasks/fas_client.yml | 80 -----------------------------
26 files changed, 240 insertions(+), 237 deletions(-)
delete mode 100644 files/fas-client/fas-client.cron
delete mode 100644 files/fas-client/fas.conf.j2
delete mode 100644 files/fas-client/nsswitch.conf
create mode 100644 roles/fas_client/files/fas-client.cron
create mode 100644 roles/fas_client/files/nsswitch.conf
create mode 100644 roles/fas_client/handlers/main.yml
create mode 100644 roles/fas_client/tasks/main.yml
create mode 100644 roles/fas_client/templates/fas.conf.j2
delete mode 100644 tasks/fas_client.yml
diff --git a/files/fas-client/fas-client.cron b/files/fas-client/fas-client.cron
deleted file mode 100644
index 4ec50f9..0000000
--- a/files/fas-client/fas-client.cron
+++ /dev/null
@@ -1 +0,0 @@
-*/10 * * * * root /usr/local/bin/lock-wrapper fasClient "/bin/sleep $(($RANDOM \%
180)); /usr/bin/fasClient -i | /usr/local/bin/nag-once fassync 1d 2>&1"
diff --git a/files/fas-client/fas.conf.j2 b/files/fas-client/fas.conf.j2
deleted file mode 100644
index d3af01d..0000000
--- a/files/fas-client/fas.conf.j2
+++ /dev/null
@@ -1,92 +0,0 @@
-[global]
-; url - Location to fas server
-url =
https://admin.fedoraproject.org/accounts/
-
-; temp - Location to generate files while user creation process is happening
-temp = /var/db
-
-; login - username to contact fas
-login = {{ fedorathirdpartyUser }}
-
-; password - password for login name
-password = {{ fedorathirdpartyPassword }}
-
-; prefix - install to a location other than /
-prefix = /
-
-; modefile - Location of a file containing saved home directory modes
-modefile = /var/lib/fas/client_dir_perms
-
-; cla_group - Group for CLA requirements
-cla_group = cla_done
-
-[host]
-; Group hierarchy is 1) groups, 2) restricted_groups 3) ssh_restricted_groups
-; so if someone is in all 3, the client behaves the same as if they were just
-; in 'groups'
-
-; groups that should have a shell account on this system.
-{% if fas_client_groups %}
-groups = sysadmin-main,{{ fas_client_groups }}
-{% else %}
-groups = sysadmin-main
-{% endif %}
-
-; groups that should have a restricted account on this system.
-; restricted accounts use the restricted_shell value in [users]
-restricted_groups =
-
-; ssh_restricted_groups: groups that should be restricted by ssh key. You will
-; need to disable password based logins in order for this value to have any
-; security meaning. Group types can be placed here as well, for example
-; @hg,@git,@svn
-{% if fas_client_ssh_groups %}
-ssh_restricted_groups = {{ fas_client_ssh_groups }}
-{% else %}
-ssh_restricted_groups =
-{% endif %}
-
-; aliases_template: Gets prepended to the aliases file when it is generated by
-; fasClient
-aliases_template = /etc/aliases.template
-
-[users]
-; default shell given to people in [host] groups
-shell = /bin/bash
-
-; home - the location for fas user home dirs
-home = /home/fedora
-
-; home_backup_dir - Location home dirs should get moved to when a user is
-; deleted this location should be tmpwatched
-home_backup_dir = /home/fedora.bak
-
-; ssh_restricted_app - This is the path to the restricted shell script. It
-; will not work automatically for most people though through alterations it
-; is a powerfull way to restrict access to a machine. An alternative example
-; could be given to people who should only have cvs access on the machine.
-; setting this value to "/usr/bin/cvs server" would do this.
-{% if fas_client_restricted_app %}
-ssh_restricted_app = {{ fas_client_restricted_app }}
-{% else %}
-ssh_restricted_app =
-{% endif %}
-
-; ssh_admin_app - This is the path to an app that an admin is allowed to use.
-{% if fas_client_admin_app %}
-ssh_admin_app = {{ fas_client_admin_app }}
-{% else %}
-ssh_admin_app =
-{% endif %}
-
-; restricted_shell - The shell given to users in the ssh_restricted_groups
-restricted_shell = /sbin/nologin
-
-; ssh_restricted_shell - The shell given to users in the ssh_restricted_groups
-ssh_restricted_shell = /bin/bash
-
-; ssh_key_options - Options to be appended to people ssh keys. Users in the
-; ssh_restricted_groups will have the keys they uploaded altered when they are
-; installed on this machine, appended with the options below.
-ssh_key_options = no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
-
diff --git a/files/fas-client/nsswitch.conf b/files/fas-client/nsswitch.conf
deleted file mode 100644
index fb4ff62..0000000
--- a/files/fas-client/nsswitch.conf
+++ /dev/null
@@ -1,45 +0,0 @@
-# /etc/nsswitch.conf
-#
-# An example Name Service Switch config file. This file should be
-# sorted with the most-used services at the beginning.
-#
-# The entry '[NOTFOUND=return]' means that the search for an
-# entry should stop if the search in the previous entry turned
-# up nothing. Note that if the search failed due to some other reason
-# (like no NIS server responding) then the search continues with the
-# next entry.
-#
-# Legal entries are:
-#
-# nisplus or nis+ Use NIS+ (NIS version 3)
-# nis or yp Use NIS (NIS version 2), also called YP
-# dns Use DNS (Domain Name Service)
-# files Use the local files
-# db Use the local database (.db) files
-# compat Use NIS on compat mode
-# hesiod Use Hesiod for user lookups
-# [NOTFOUND=return] Stop searching if not found so far
-#
-
-passwd: db files
-shadow: db files
-group: db files
-
-#hosts: db files nisplus nis dns
-hosts: files dns
-
-bootparams: nisplus [NOTFOUND=return] files
-
-ethers: files
-netmasks: files
-networks: files
-protocols: files
-rpc: files
-services: files
-
-netgroup: files
-
-publickey: nisplus
-
-automount: files
-aliases: files nisplus
diff --git a/handlers/restart_services.yml b/handlers/restart_services.yml
index 993d799..e11a2c7 100644
--- a/handlers/restart_services.yml
+++ b/handlers/restart_services.yml
@@ -89,5 +89,4 @@
- name: restart xinetd
action: service name=xinetd state=restarted
-- name: run fasclient
- action: command /usr/bin/fasClient -i
+
diff --git a/playbooks/groups/arm-packager.yml b/playbooks/groups/arm-packager.yml
index 2f33e92..fa02fa4 100644
--- a/playbooks/groups/arm-packager.yml
+++ b/playbooks/groups/arm-packager.yml
@@ -14,13 +14,13 @@
roles:
- rkhunter
- denyhosts
+ - fas_client
tasks:
# this is how you include other task lists
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- include: $tasks/base.yml
- - include: $tasks/fas_client.yml
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
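Review bot: Moving fas_client from a task include into `roles:` changes when it runs: Ansible executes a play's roles before its `tasks:`, so the role's yum install of fas-clients now runs before `$tasks/yumrepos.yml` and `$tasks/base.yml`, whereas the old `- include: $tasks/fas_client.yml` ran after them. The role's own header comment says fas-clients comes from the infrastructure repo; if yumrepos.yml is what configures that repo, a first run on a freshly provisioned host would try the install before the repo exists. The same reordering applies to the arm-qa.yml, arm-releng.yml, backup-server.yml, badges-backend.yml, badges-web.yml, beaker.yml, gallery.yml, kernel-qa.yml, keyserver.yml, koji-hub.yml, mailman.yml, mirrorlist.yml, postgresl-server.yml, taskbot.yml and virthost.yml hunks in this commit. If the Ansible version in use supports it, moving the hosts/yumrepos/base includes under `pre_tasks:` restores the previous order; otherwise a comment above `roles:` noting that the role must not depend on anything in `tasks:` would at least record the constraint.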
diff --git a/playbooks/groups/arm-qa.yml b/playbooks/groups/arm-qa.yml
index b92184b..3f281af 100644
--- a/playbooks/groups/arm-qa.yml
+++ b/playbooks/groups/arm-qa.yml
@@ -14,13 +14,13 @@
roles:
- rkhunter
- denyhosts
+ - fas_client
tasks:
# this is how you include other task lists
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- include: $tasks/base.yml
- - include: $tasks/fas_client.yml
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
diff --git a/playbooks/groups/arm-releng.yml b/playbooks/groups/arm-releng.yml
index d2f3212..3858ee9 100644
--- a/playbooks/groups/arm-releng.yml
+++ b/playbooks/groups/arm-releng.yml
@@ -10,9 +10,10 @@
- /srv/web/infra/ansible/vars/global.yml
- ${private}/vars.yml
+ roles:
+ - fas_client
+
tasks:
- # This task sets up fas_client for user management
- - include: $tasks/fas_client.yml
# This task sets up /etc/hosts for us
- include: $tasks/hosts.yml
# This task includes our common scripts
diff --git a/playbooks/groups/backup-server.yml b/playbooks/groups/backup-server.yml
index 2b30af4..90a4dd4 100644
--- a/playbooks/groups/backup-server.yml
+++ b/playbooks/groups/backup-server.yml
@@ -17,12 +17,12 @@
- rkhunter
- denyhosts
- nagios_client
+ - fas_client
tasks:
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- include: $tasks/base.yml
- - include: $tasks/fas_client.yml
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
diff --git a/playbooks/groups/badges-backend.yml b/playbooks/groups/badges-backend.yml
index 59b145e..696cf09 100644
--- a/playbooks/groups/badges-backend.yml
+++ b/playbooks/groups/badges-backend.yml
@@ -33,12 +33,12 @@
- rkhunter
- denyhosts
- nagios_client
+ - fas_client
tasks:
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- include: $tasks/base.yml
- - include: $tasks/fas_client.yml
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
diff --git a/playbooks/groups/badges-web.yml b/playbooks/groups/badges-web.yml
index 6c33548..41a70f2 100644
--- a/playbooks/groups/badges-web.yml
+++ b/playbooks/groups/badges-web.yml
@@ -36,12 +36,12 @@
- rkhunter
- denyhosts
- nagios_client
+ - fas_client
tasks:
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- include: $tasks/base.yml
- - include: $tasks/fas_client.yml
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
diff --git a/playbooks/groups/beaker.yml b/playbooks/groups/beaker.yml
index 5ec502e..6296bd2 100644
--- a/playbooks/groups/beaker.yml
+++ b/playbooks/groups/beaker.yml
@@ -32,13 +32,13 @@
- rkhunter
- denyhosts
- nagios_client
+ - fas_client
tasks:
# this is how you include other task lists
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- include: $tasks/base.yml
- - include: $tasks/fas_client.yml
- include: $tasks/2fa_client.yml
- include: $tasks/collectd/client.yml
- include: $tasks/motd.yml
diff --git a/playbooks/groups/gallery.yml b/playbooks/groups/gallery.yml
index 152455a..17e1961 100644
--- a/playbooks/groups/gallery.yml
+++ b/playbooks/groups/gallery.yml
@@ -33,12 +33,12 @@
- rkhunter
- denyhosts
- nagios_client
+ - fas_client
tasks:
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- include: $tasks/base.yml
- - include: $tasks/fas_client.yml
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
diff --git a/playbooks/groups/kernel-qa.yml b/playbooks/groups/kernel-qa.yml
index b78c67e..b46335a 100644
--- a/playbooks/groups/kernel-qa.yml
+++ b/playbooks/groups/kernel-qa.yml
@@ -16,13 +16,13 @@
- rkhunter
- denyhosts
- nagios_client
+ - fas_client
tasks:
# this is how you include other task lists
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- include: $tasks/base.yml
- - include: $tasks/fas_client.yml
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
diff --git a/playbooks/groups/keyserver.yml b/playbooks/groups/keyserver.yml
index 367a189..9c1c296 100644
--- a/playbooks/groups/keyserver.yml
+++ b/playbooks/groups/keyserver.yml
@@ -33,12 +33,12 @@
- rkhunter
- denyhosts
- nagios_client
+ - fas_client
tasks:
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- include: $tasks/base.yml
- - include: $tasks/fas_client.yml
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
diff --git a/playbooks/groups/koji-hub.yml b/playbooks/groups/koji-hub.yml
index fd077ce..1cf8195 100644
--- a/playbooks/groups/koji-hub.yml
+++ b/playbooks/groups/koji-hub.yml
@@ -34,12 +34,12 @@
- rkhunter
- denyhosts
- nagios_client
+ - fas_client
tasks:
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- include: $tasks/base.yml
- - include: $tasks/fas_client.yml
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
diff --git a/playbooks/groups/mailman.yml b/playbooks/groups/mailman.yml
index 345aa37..bea5f23 100644
--- a/playbooks/groups/mailman.yml
+++ b/playbooks/groups/mailman.yml
@@ -32,13 +32,13 @@
- rkhunter
- denyhosts
- nagios_client
+ - fas_client
tasks:
# this is how you include other task lists
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- include: $tasks/base.yml
- - include: $tasks/fas_client.yml
- include: $tasks/2fa_client.yml
- include: $tasks/collectd/client.yml
- include: $tasks/motd.yml
diff --git a/playbooks/groups/mirrorlist.yml b/playbooks/groups/mirrorlist.yml
index 08055b1..5763f58 100644
--- a/playbooks/groups/mirrorlist.yml
+++ b/playbooks/groups/mirrorlist.yml
@@ -43,13 +43,13 @@
- denyhosts
- nagios_client
- geoip
+ - fas_client
tasks:
# this is how you include other task lists
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- include: $tasks/base.yml
- - include: $tasks/fas_client.yml
- include: $tasks/2fa_client.yml
- include: $tasks/collectd/client.yml
- include: $tasks/openvpn_client.yml
diff --git a/playbooks/groups/postgresl-server.yml
b/playbooks/groups/postgresl-server.yml
index d709057..bb33a36 100644
--- a/playbooks/groups/postgresl-server.yml
+++ b/playbooks/groups/postgresl-server.yml
@@ -35,12 +35,12 @@
- denyhosts
- nagios_client
- postgresql_server
+ - fas_client
tasks:
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- include: $tasks/base.yml
- - include: $tasks/fas_client.yml
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
diff --git a/playbooks/groups/taskbot.yml b/playbooks/groups/taskbot.yml
index 7641266..eab5ae9 100644
--- a/playbooks/groups/taskbot.yml
+++ b/playbooks/groups/taskbot.yml
@@ -32,13 +32,13 @@
- rkhunter
- denyhosts
- nagios_client
+ - fas_client
tasks:
# this is how you include other task lists
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- include: $tasks/base.yml
- - include: $tasks/fas_client.yml
- include: $tasks/2fa_client.yml
- include: $tasks/collectd/client.yml
- include: $tasks/motd.yml
diff --git a/playbooks/groups/virthost.yml b/playbooks/groups/virthost.yml
index 763002b..ab93d90 100644
--- a/playbooks/groups/virthost.yml
+++ b/playbooks/groups/virthost.yml
@@ -16,12 +16,12 @@
- rkhunter
- denyhosts
- nagios_client
+ - fas_client
tasks:
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
- include: $tasks/base.yml
- - include: $tasks/fas_client.yml
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
diff --git a/roles/fas_client/files/fas-client.cron
b/roles/fas_client/files/fas-client.cron
new file mode 100644
index 0000000..4ec50f9
--- /dev/null
+++ b/roles/fas_client/files/fas-client.cron
@@ -0,0 +1 @@
+*/10 * * * * root /usr/local/bin/lock-wrapper fasClient "/bin/sleep $(($RANDOM \%
180)); /usr/bin/fasClient -i | /usr/local/bin/nag-once fassync 1d 2>&1"
diff --git a/roles/fas_client/files/nsswitch.conf b/roles/fas_client/files/nsswitch.conf
new file mode 100644
index 0000000..fb4ff62
--- /dev/null
+++ b/roles/fas_client/files/nsswitch.conf
@@ -0,0 +1,45 @@
+# /etc/nsswitch.conf
+#
+# An example Name Service Switch config file. This file should be
+# sorted with the most-used services at the beginning.
+#
+# The entry '[NOTFOUND=return]' means that the search for an
+# entry should stop if the search in the previous entry turned
+# up nothing. Note that if the search failed due to some other reason
+# (like no NIS server responding) then the search continues with the
+# next entry.
+#
+# Legal entries are:
+#
+# nisplus or nis+ Use NIS+ (NIS version 3)
+# nis or yp Use NIS (NIS version 2), also called YP
+# dns Use DNS (Domain Name Service)
+# files Use the local files
+# db Use the local database (.db) files
+# compat Use NIS on compat mode
+# hesiod Use Hesiod for user lookups
+# [NOTFOUND=return] Stop searching if not found so far
+#
+
+passwd: db files
+shadow: db files
+group: db files
+
+#hosts: db files nisplus nis dns
+hosts: files dns
+
+bootparams: nisplus [NOTFOUND=return] files
+
+ethers: files
+netmasks: files
+networks: files
+protocols: files
+rpc: files
+services: files
+
+netgroup: files
+
+publickey: nisplus
+
+automount: files
+aliases: files nisplus
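Review bot: The new file still introduces itself as "An example Name Service Switch config file", and `bootparams`, `publickey` and `aliases` still consult `nisplus`, which nothing in this role installs or configures. Unless NIS+ is genuinely deployed on these hosts, those entries only add lookup failure paths; `bootparams: files`, `publickey: files` and `aliases: files` would match the rest of the file. The header should instead say the file is managed by the fas_client role (roles/fas_client/files/nsswitch.conf) and that `passwd`, `shadow` and `group` consult the `db` backend ahead of `files`, so for a name present in both, the fasClient-generated database entry is what lookups return.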
diff --git a/roles/fas_client/handlers/main.yml b/roles/fas_client/handlers/main.yml
new file mode 100644
index 0000000..354ef9d
--- /dev/null
+++ b/roles/fas_client/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: run fasclient
+ action: command /usr/bin/fasClient -i
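Review bot: The handler keeps the legacy `action: command ...` form while `roles/fas_client/tasks/main.yml` in the same commit is written with module-keyed syntax (`yum:`, `copy:`, `template:`); `command: /usr/bin/fasClient -i` keeps the role internally consistent. A one-line comment above the handler would also help, since its only trigger is the `notify:` on the fas.conf template task: `# Re-sync users/groups from FAS whenever /etc/fas.conf is (re)generated`.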
diff --git a/roles/fas_client/tasks/main.yml b/roles/fas_client/tasks/main.yml
new file mode 100644
index 0000000..c2f64c7
--- /dev/null
+++ b/roles/fas_client/tasks/main.yml
@@ -0,0 +1,80 @@
+---
+#
+# This task sets up fasClient on a machine.
+# It installs the fas-clients package, then the /etc/fas.conf and finally a cron job
update.
+#
+
+#
+# fas-clients is in the infrastructure repo.
+# nss_db is needed to store user/group info.
+#
+- name: install package needed for fas-client
+ yum: state=installed name=$item
+ with_items:
+ - fas-clients
+ - cronie
+ tags:
+ - packages
+
+- name: hotfix - python-fedora proxyclient.py
+ copy: >
+ src=$files/hotfix/python-fedora/proxyclient.py
+ dest=/usr/lib/python2.6/site-packages/fedora/client/proxyclient.py
+ owner=root mode=644
+ only_if: "'${ansible_distribution}' == 'RedHat'"
+ tags:
+ - hotfix
+ - packages
+
+- name: install nss_db on rhel hosts only
+ yum: state=installed name=nss_db
+ only_if: "'${ansible_distribution}' == 'RedHat'"
+ tags:
+ - packages
+
+#
+# setup /etc/nsswitch.conf to use nssdb
+#
+- name: setup /etc/nsswitch.conf for client use
+ copy: src=nsswitch.conf dest=/etc/nsswitch.conf owner=root mode=644
+ tags:
+ - config
+
+#
+# fasClients needs a valid /etc/fas.conf.
+# There's vars used in this template:
+#
+# fas_client_groups = "sysadmin-main"
+# fas_client_restricted_app = ""
+# fas_client_admin_app = ""
+# fas_client_ssh_groups = ""
+#
+# if desired, set them on a per host/group basis.
+#
+# Currently the default template is used, but could be modified on a host basis.
+#
+- name: setup /etc/fas.conf for client use
+ template: src=$item dest=/etc/fas.conf owner=root mode=600
+ with_first_found:
+ - ${ansible_fqdn}.fas.conf.j2
+ - ${ansible_hostname}.fas.conf.j2
+ - ${ansible_hostname}.fas.conf.j2
+ - fas.conf.j2
+ tags:
+ - config
+ notify:
+ - run fasclient
+
+#
+# setup /etc/cron.d/ file to run sync every 10min
+# TODO: use cron module when it's fixed
+#
+#- name: fas_client cron job
+# cron: name="fas client" user=root cron_file=fas-client
minute="*/10" job="/usr/bin/fasClient -i"
+# tags:
+# - config
+
+- name: fas_client cron job
+ copy: src=fas-client.cron dest=/etc/cron.d/fas-client owner=root mode=644
+ tags:
+ - config
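Review bot: The `with_first_found` list under "setup /etc/fas.conf for client use" names `${ansible_hostname}.fas.conf.j2` twice (the third entry duplicates the second), and the hotfix copy task still takes its source from `$files/hotfix/python-fedora/proxyclient.py`, while the nsswitch.conf and cron copies in the same file were converted to role-relative `src=`. The duplicate entry is harmless but should be dropped; the `$files` reference means the role only works in plays that still define that variable, so either move the hotfix under the role (`src=hotfix/python-fedora/proxyclient.py`) or state the dependency in the header comment. The `mode=600` on the rendered fas.conf is the right call given the template writes `fedorathirdpartyPassword` into it; a comment on that task saying so (`# 0600: the rendered file carries the FAS service account password`) would stop a later "normalise to 644" cleanup.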
diff --git a/roles/fas_client/templates/fas.conf.j2
b/roles/fas_client/templates/fas.conf.j2
new file mode 100644
index 0000000..d3af01d
--- /dev/null
+++ b/roles/fas_client/templates/fas.conf.j2
@@ -0,0 +1,92 @@
+[global]
+; url - Location to fas server
+url =
https://admin.fedoraproject.org/accounts/
+
+; temp - Location to generate files while user creation process is happening
+temp = /var/db
+
+; login - username to contact fas
+login = {{ fedorathirdpartyUser }}
+
+; password - password for login name
+password = {{ fedorathirdpartyPassword }}
+
+; prefix - install to a location other than /
+prefix = /
+
+; modefile - Location of a file containing saved home directory modes
+modefile = /var/lib/fas/client_dir_perms
+
+; cla_group - Group for CLA requirements
+cla_group = cla_done
+
+[host]
+; Group hierarchy is 1) groups, 2) restricted_groups 3) ssh_restricted_groups
+; so if someone is in all 3, the client behaves the same as if they were just
+; in 'groups'
+
+; groups that should have a shell account on this system.
+{% if fas_client_groups %}
+groups = sysadmin-main,{{ fas_client_groups }}
+{% else %}
+groups = sysadmin-main
+{% endif %}
+
+; groups that should have a restricted account on this system.
+; restricted accounts use the restricted_shell value in [users]
+restricted_groups =
+
+; ssh_restricted_groups: groups that should be restricted by ssh key. You will
+; need to disable password based logins in order for this value to have any
+; security meaning. Group types can be placed here as well, for example
+; @hg,@git,@svn
+{% if fas_client_ssh_groups %}
+ssh_restricted_groups = {{ fas_client_ssh_groups }}
+{% else %}
+ssh_restricted_groups =
+{% endif %}
+
+; aliases_template: Gets prepended to the aliases file when it is generated by
+; fasClient
+aliases_template = /etc/aliases.template
+
+[users]
+; default shell given to people in [host] groups
+shell = /bin/bash
+
+; home - the location for fas user home dirs
+home = /home/fedora
+
+; home_backup_dir - Location home dirs should get moved to when a user is
+; deleted this location should be tmpwatched
+home_backup_dir = /home/fedora.bak
+
+; ssh_restricted_app - This is the path to the restricted shell script. It
+; will not work automatically for most people though through alterations it
+; is a powerfull way to restrict access to a machine. An alternative example
+; could be given to people who should only have cvs access on the machine.
+; setting this value to "/usr/bin/cvs server" would do this.
+{% if fas_client_restricted_app %}
+ssh_restricted_app = {{ fas_client_restricted_app }}
+{% else %}
+ssh_restricted_app =
+{% endif %}
+
+; ssh_admin_app - This is the path to an app that an admin is allowed to use.
+{% if fas_client_admin_app %}
+ssh_admin_app = {{ fas_client_admin_app }}
+{% else %}
+ssh_admin_app =
+{% endif %}
+
+; restricted_shell - The shell given to users in the ssh_restricted_groups
+restricted_shell = /sbin/nologin
+
+; ssh_restricted_shell - The shell given to users in the ssh_restricted_groups
+ssh_restricted_shell = /bin/bash
+
+; ssh_key_options - Options to be appended to people ssh keys. Users in the
+; ssh_restricted_groups will have the keys they uploaded altered when they are
+; installed on this machine, appended with the options below.
+ssh_key_options = no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
+
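Review bot: The comment above `restricted_shell` (`; restricted_shell - The shell given to users in the ssh_restricted_groups`) is a copy of the one above `ssh_restricted_shell`; per the `[host]` section, `restricted_shell` is what members of `restricted_groups` receive. Suggest `; restricted_shell - The shell given to users in the restricted_groups`. Separately, `url =` appears with its value on the following line; if that is the template's actual layout rather than a wrap in this rendering, the continuation line must be indented for the INI parser to attach it, otherwise `url` renders empty — worth verifying against the blob before relying on the role.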
diff --git a/tasks/fas_client.yml b/tasks/fas_client.yml
deleted file mode 100644
index fedeb5b..0000000
--- a/tasks/fas_client.yml
+++ /dev/null
@@ -1,80 +0,0 @@
----
-#
-# This task sets up fasClient on a machine.
-# It installs the fas-clients package, then the /etc/fas.conf and finally a cron job
update.
-#
-
-#
-# fas-clients is in the infrastructure repo.
-# nss_db is needed to store user/group info.
-#
-- name: install package needed for fas-client
- action: yum state=installed name=$item
- with_items:
- - fas-clients
- - cronie
- tags:
- - packages
-
-- name: hotfix - python-fedora proxyclient.py
- copy: >
- src=$files/hotfix/python-fedora/proxyclient.py
- dest=/usr/lib/python2.6/site-packages/fedora/client/proxyclient.py
- owner=root mode=644
- only_if: "'${ansible_distribution}' == 'RedHat'"
- tags:
- - hotfix
- - packages
-
-- name: install nss_db on rhel hosts only
- action: yum state=installed name=nss_db
- only_if: "'${ansible_distribution}' == 'RedHat'"
- tags:
- - packages
-
-#
-# setup /etc/nsswitch.conf to use nssdb
-#
-- name: setup /etc/nsswitch.conf for client use
- action: copy src=$files/fas-client/nsswitch.conf dest=/etc/nsswitch.conf owner=root
mode=644
- tags:
- - config
-
-#
-# fasClients needs a valid /etc/fas.conf.
-# There's vars used in this template:
-#
-# fas_client_groups = "sysadmin-main"
-# fas_client_restricted_app = ""
-# fas_client_admin_app = ""
-# fas_client_ssh_groups = ""
-#
-# if desired, set them on a per host/group basis.
-#
-# Currently the default template is used, but could be modified on a host basis.
-#
-- name: setup /etc/fas.conf for client use
- action: template src=$item dest=/etc/fas.conf owner=root mode=600
- with_first_found:
- - $files/fas-client/${ansible_fqdn}.fas.conf.j2
- - $files/fas-client/${ansible_hostname}.fas.conf.j2
- - $files/fas-client/${ansible_hostname}.fas.conf.j2
- - $files/fas-client/fas.conf.j2
- tags:
- - config
- notify:
- - run fasclient
-
-#
-# setup /etc/cron.d/ file to run sync every 10min
-# TODO: use cron module when it's fixed
-#
-#- name: fas_client cron job
-# cron: name="fas client" user=root cron_file=fas-client
minute="*/10" job="/usr/bin/fasClient -i"
-# tags:
-# - config
-
-- name: fas_client cron job
- action: copy src=$files/fas-client/fas-client.cron dest=/etc/cron.d/fas-client
owner=root mode=644
- tags:
- - config
--
1.8.3.1