[PATCH 7/8] move fas_client task to roles

Michael Scherer misc at zarb.org
Mon Aug 19 19:35:23 UTC 2013


---
 files/fas-client/fas-client.cron       |  1 -
 files/fas-client/fas.conf.j2           | 92 ----------------------------------
 files/fas-client/nsswitch.conf         | 45 -----------------
 handlers/restart_services.yml          |  3 +-
 playbooks/groups/arm-packager.yml      |  2 +-
 playbooks/groups/arm-qa.yml            |  2 +-
 playbooks/groups/arm-releng.yml        |  5 +-
 playbooks/groups/backup-server.yml     |  2 +-
 playbooks/groups/badges-backend.yml    |  2 +-
 playbooks/groups/badges-web.yml        |  2 +-
 playbooks/groups/beaker.yml            |  2 +-
 playbooks/groups/gallery.yml           |  2 +-
 playbooks/groups/kernel-qa.yml         |  2 +-
 playbooks/groups/keyserver.yml         |  2 +-
 playbooks/groups/koji-hub.yml          |  2 +-
 playbooks/groups/mailman.yml           |  2 +-
 playbooks/groups/mirrorlist.yml        |  2 +-
 playbooks/groups/postgresl-server.yml  |  2 +-
 playbooks/groups/taskbot.yml           |  2 +-
 playbooks/groups/virthost.yml          |  2 +-
 roles/fas_client/files/fas-client.cron |  1 +
 roles/fas_client/files/nsswitch.conf   | 45 +++++++++++++++++
 roles/fas_client/handlers/main.yml     |  3 ++
 roles/fas_client/tasks/main.yml        | 80 +++++++++++++++++++++++++++++
 roles/fas_client/templates/fas.conf.j2 | 92 ++++++++++++++++++++++++++++++++++
 tasks/fas_client.yml                   | 80 -----------------------------
 26 files changed, 240 insertions(+), 237 deletions(-)
 delete mode 100644 files/fas-client/fas-client.cron
 delete mode 100644 files/fas-client/fas.conf.j2
 delete mode 100644 files/fas-client/nsswitch.conf
 create mode 100644 roles/fas_client/files/fas-client.cron
 create mode 100644 roles/fas_client/files/nsswitch.conf
 create mode 100644 roles/fas_client/handlers/main.yml
 create mode 100644 roles/fas_client/tasks/main.yml
 create mode 100644 roles/fas_client/templates/fas.conf.j2
 delete mode 100644 tasks/fas_client.yml

diff --git a/files/fas-client/fas-client.cron b/files/fas-client/fas-client.cron
deleted file mode 100644
index 4ec50f9..0000000
--- a/files/fas-client/fas-client.cron
+++ /dev/null
@@ -1 +0,0 @@
-*/10 * * * * root /usr/local/bin/lock-wrapper fasClient "/bin/sleep $(($RANDOM \% 180)); /usr/bin/fasClient -i | /usr/local/bin/nag-once fassync 1d 2>&1"
diff --git a/files/fas-client/fas.conf.j2 b/files/fas-client/fas.conf.j2
deleted file mode 100644
index d3af01d..0000000
--- a/files/fas-client/fas.conf.j2
+++ /dev/null
@@ -1,92 +0,0 @@
-[global]
-; url - Location to fas server
-url = https://admin.fedoraproject.org/accounts/
-
-; temp - Location to generate files while user creation process is happening
-temp = /var/db
-
-; login - username to contact fas
-login = {{ fedorathirdpartyUser }}
-
-; password - password for login name
-password = {{ fedorathirdpartyPassword }}
-
-; prefix - install to a location other than /
-prefix = /
-
-; modefile - Location of a file containing saved home directory modes
-modefile = /var/lib/fas/client_dir_perms
-
-; cla_group - Group for CLA requirements
-cla_group = cla_done
-
-[host]
-; Group hierarchy is 1) groups, 2) restricted_groups 3) ssh_restricted_groups
-; so if someone is in all 3, the client behaves the same as if they were just
-; in 'groups'
-
-; groups that should have a shell account on this system.
-{% if fas_client_groups %}
-groups = sysadmin-main,{{ fas_client_groups }}
-{% else %}
-groups = sysadmin-main
-{% endif %}
-
-; groups that should have a restricted account on this system.
-; restricted accounts use the restricted_shell value in [users]
-restricted_groups =
-
-; ssh_restricted_groups: groups that should be restricted by ssh key.  You will
-; need to disable password based logins in order for this value to have any
-; security meaning.  Group types can be placed here as well, for example
-; @hg, at git, at svn
-{% if fas_client_ssh_groups %}
-ssh_restricted_groups = {{ fas_client_ssh_groups }}
-{% else %}
-ssh_restricted_groups = 
-{% endif %}
-
-; aliases_template: Gets prepended to the aliases file when it is generated by
-; fasClient
-aliases_template = /etc/aliases.template
-
-[users]
-; default shell given to people in [host] groups
-shell = /bin/bash
-
-; home - the location for fas user home dirs
-home = /home/fedora
-
-; home_backup_dir - Location home dirs should get moved to when a user is
-; deleted this location should be tmpwatched
-home_backup_dir = /home/fedora.bak
-
-; ssh_restricted_app - This is the path to the restricted shell script.  It
-; will not work automatically for most people though through alterations it
-; is a powerfull way to restrict access to a machine.  An alternative example
-; could be given to people who should only have cvs access on the machine.
-; setting this value to "/usr/bin/cvs server" would do this.
-{% if fas_client_restricted_app %}
-ssh_restricted_app = {{ fas_client_restricted_app }}
-{% else %}
-ssh_restricted_app = 
-{% endif %}
-
-; ssh_admin_app - This is the path to an app that an admin is allowed to use.
-{% if fas_client_admin_app %}
-ssh_admin_app = {{ fas_client_admin_app }}
-{% else %}
-ssh_admin_app = 
-{% endif %}
-
-; restricted_shell - The shell given to users in the ssh_restricted_groups
-restricted_shell = /sbin/nologin
-
-; ssh_restricted_shell - The shell given to users in the ssh_restricted_groups
-ssh_restricted_shell = /bin/bash
-
-; ssh_key_options - Options to be appended to people ssh keys.  Users in the
-; ssh_restricted_groups will have the keys they uploaded altered when they are
-; installed on this machine, appended with the options below.
-ssh_key_options = no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
-
diff --git a/files/fas-client/nsswitch.conf b/files/fas-client/nsswitch.conf
deleted file mode 100644
index fb4ff62..0000000
--- a/files/fas-client/nsswitch.conf
+++ /dev/null
@@ -1,45 +0,0 @@
-# /etc/nsswitch.conf
-#
-# An example Name Service Switch config file. This file should be
-# sorted with the most-used services at the beginning.
-#
-# The entry '[NOTFOUND=return]' means that the search for an
-# entry should stop if the search in the previous entry turned
-# up nothing. Note that if the search failed due to some other reason
-# (like no NIS server responding) then the search continues with the
-# next entry.
-#
-# Legal entries are:
-#
-#	nisplus or nis+		Use NIS+ (NIS version 3)
-#	nis or yp		Use NIS (NIS version 2), also called YP
-#	dns			Use DNS (Domain Name Service)
-#	files			Use the local files
-#	db			Use the local database (.db) files
-#	compat			Use NIS on compat mode
-#	hesiod			Use Hesiod for user lookups
-#	[NOTFOUND=return]	Stop searching if not found so far
-#
-
-passwd:     db files
-shadow:     db files
-group:      db files
-
-#hosts:     db files nisplus nis dns
-hosts:      files dns
-
-bootparams: nisplus [NOTFOUND=return] files
-
-ethers:     files
-netmasks:   files
-networks:   files
-protocols:  files
-rpc:        files
-services:   files
-
-netgroup:   files
-
-publickey:  nisplus
-
-automount:  files
-aliases:    files nisplus
diff --git a/handlers/restart_services.yml b/handlers/restart_services.yml
index 993d799..e11a2c7 100644
--- a/handlers/restart_services.yml
+++ b/handlers/restart_services.yml
@@ -89,5 +89,4 @@
 - name: restart xinetd
   action: service name=xinetd state=restarted
 
-- name: run fasclient
-  action: command /usr/bin/fasClient -i
+
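Review bot: Any task list that still carries `notify: run fasclient` in a play that does not also include the new fas_client role will now fail with an unknown handler, because this file was the only play-wide definition; worth a grep of tasks/ before merging (only the fas_client include removals are visible in this patch). The hunk also replaces the removed stanza with an added empty line, leaving a trailing blank line at end of file — drop the `+` line rather than swap the handler for whitespace.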
diff --git a/playbooks/groups/arm-packager.yml b/playbooks/groups/arm-packager.yml
index 2f33e92..fa02fa4 100644
--- a/playbooks/groups/arm-packager.yml
+++ b/playbooks/groups/arm-packager.yml
@@ -14,13 +14,13 @@
   roles:
   - rkhunter
   - denyhosts
+  - fas_client
 
   tasks:
   # this is how you include other task lists
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
   - include: $tasks/base.yml
-  - include: $tasks/fas_client.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml
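Review bot: The fas_client role now runs before `$tasks/yumrepos.yml`, because Ansible executes `roles:` ahead of the play's `tasks:`, whereas the removed include ran after base.yml. The role's own comment says fas-clients comes from the infrastructure repo; if yumrepos.yml is what configures that repo, a first run on a fresh host will fail at the yum install. If that ordering matters, either keep the include in `tasks:` after base.yml or move the repo setup into `pre_tasks:` (or a role dependency) so it precedes the role. The same reordering applies to every other playbook in this patch except arm-releng, where fas_client was already the first task.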
diff --git a/playbooks/groups/arm-qa.yml b/playbooks/groups/arm-qa.yml
index b92184b..3f281af 100644
--- a/playbooks/groups/arm-qa.yml
+++ b/playbooks/groups/arm-qa.yml
@@ -14,13 +14,13 @@
   roles:
   - rkhunter
   - denyhosts
+  - fas_client
 
   tasks:
   # this is how you include other task lists
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
   - include: $tasks/base.yml
-  - include: $tasks/fas_client.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml
diff --git a/playbooks/groups/arm-releng.yml b/playbooks/groups/arm-releng.yml
index d2f3212..3858ee9 100644
--- a/playbooks/groups/arm-releng.yml
+++ b/playbooks/groups/arm-releng.yml
@@ -10,9 +10,10 @@
    - /srv/web/infra/ansible/vars/global.yml
    - ${private}/vars.yml
 
+  roles:
+  - fas_client
+
   tasks:
-  # This task sets up fas_client for user management
-  - include: $tasks/fas_client.yml
   # This task sets up /etc/hosts for us
   - include: $tasks/hosts.yml
   # This task includes our common scripts
diff --git a/playbooks/groups/backup-server.yml b/playbooks/groups/backup-server.yml
index 2b30af4..90a4dd4 100644
--- a/playbooks/groups/backup-server.yml
+++ b/playbooks/groups/backup-server.yml
@@ -17,12 +17,12 @@
   - rkhunter
   - denyhosts
   - nagios_client
+  - fas_client
 
   tasks:
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
   - include: $tasks/base.yml
-  - include: $tasks/fas_client.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml
diff --git a/playbooks/groups/badges-backend.yml b/playbooks/groups/badges-backend.yml
index 59b145e..696cf09 100644
--- a/playbooks/groups/badges-backend.yml
+++ b/playbooks/groups/badges-backend.yml
@@ -33,12 +33,12 @@
   - rkhunter
   - denyhosts
   - nagios_client
+  - fas_client
 
   tasks:
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
   - include: $tasks/base.yml
-  - include: $tasks/fas_client.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml
diff --git a/playbooks/groups/badges-web.yml b/playbooks/groups/badges-web.yml
index 6c33548..41a70f2 100644
--- a/playbooks/groups/badges-web.yml
+++ b/playbooks/groups/badges-web.yml
@@ -36,12 +36,12 @@
   - rkhunter
   - denyhosts
   - nagios_client
+  - fas_client
 
   tasks:
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
   - include: $tasks/base.yml
-  - include: $tasks/fas_client.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml
diff --git a/playbooks/groups/beaker.yml b/playbooks/groups/beaker.yml
index 5ec502e..6296bd2 100644
--- a/playbooks/groups/beaker.yml
+++ b/playbooks/groups/beaker.yml
@@ -32,13 +32,13 @@
   - rkhunter
   - denyhosts
   - nagios_client
+  - fas_client
 
   tasks:
   # this is how you include other task lists
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
   - include: $tasks/base.yml
-  - include: $tasks/fas_client.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/collectd/client.yml
   - include: $tasks/motd.yml
diff --git a/playbooks/groups/gallery.yml b/playbooks/groups/gallery.yml
index 152455a..17e1961 100644
--- a/playbooks/groups/gallery.yml
+++ b/playbooks/groups/gallery.yml
@@ -33,12 +33,12 @@
   - rkhunter
   - denyhosts
   - nagios_client
+  - fas_client
 
   tasks:
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
   - include: $tasks/base.yml
-  - include: $tasks/fas_client.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml
diff --git a/playbooks/groups/kernel-qa.yml b/playbooks/groups/kernel-qa.yml
index b78c67e..b46335a 100644
--- a/playbooks/groups/kernel-qa.yml
+++ b/playbooks/groups/kernel-qa.yml
@@ -16,13 +16,13 @@
   - rkhunter
   - denyhosts
   - nagios_client
+  - fas_client
 
   tasks:
   # this is how you include other task lists
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
   - include: $tasks/base.yml
-  - include: $tasks/fas_client.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml
diff --git a/playbooks/groups/keyserver.yml b/playbooks/groups/keyserver.yml
index 367a189..9c1c296 100644
--- a/playbooks/groups/keyserver.yml
+++ b/playbooks/groups/keyserver.yml
@@ -33,12 +33,12 @@
   - rkhunter
   - denyhosts
   - nagios_client
+  - fas_client
 
   tasks:
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
   - include: $tasks/base.yml
-  - include: $tasks/fas_client.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml
diff --git a/playbooks/groups/koji-hub.yml b/playbooks/groups/koji-hub.yml
index fd077ce..1cf8195 100644
--- a/playbooks/groups/koji-hub.yml
+++ b/playbooks/groups/koji-hub.yml
@@ -34,12 +34,12 @@
   - rkhunter
   - denyhosts
   - nagios_client
+  - fas_client
 
   tasks:
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
   - include: $tasks/base.yml
-  - include: $tasks/fas_client.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml
diff --git a/playbooks/groups/mailman.yml b/playbooks/groups/mailman.yml
index 345aa37..bea5f23 100644
--- a/playbooks/groups/mailman.yml
+++ b/playbooks/groups/mailman.yml
@@ -32,13 +32,13 @@
   - rkhunter
   - denyhosts
   - nagios_client
+  - fas_client
 
   tasks:
   # this is how you include other task lists
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
   - include: $tasks/base.yml
-  - include: $tasks/fas_client.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/collectd/client.yml
   - include: $tasks/motd.yml
diff --git a/playbooks/groups/mirrorlist.yml b/playbooks/groups/mirrorlist.yml
index 08055b1..5763f58 100644
--- a/playbooks/groups/mirrorlist.yml
+++ b/playbooks/groups/mirrorlist.yml
@@ -43,13 +43,13 @@
   - denyhosts
   - nagios_client
   - geoip
+  - fas_client
 
   tasks:
   # this is how you include other task lists
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
   - include: $tasks/base.yml
-  - include: $tasks/fas_client.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/collectd/client.yml
   - include: $tasks/openvpn_client.yml
diff --git a/playbooks/groups/postgresl-server.yml b/playbooks/groups/postgresl-server.yml
index d709057..bb33a36 100644
--- a/playbooks/groups/postgresl-server.yml
+++ b/playbooks/groups/postgresl-server.yml
@@ -35,12 +35,12 @@
   - denyhosts
   - nagios_client
   - postgresql_server
+  - fas_client
 
   tasks:
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
   - include: $tasks/base.yml
-  - include: $tasks/fas_client.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml
diff --git a/playbooks/groups/taskbot.yml b/playbooks/groups/taskbot.yml
index 7641266..eab5ae9 100644
--- a/playbooks/groups/taskbot.yml
+++ b/playbooks/groups/taskbot.yml
@@ -32,13 +32,13 @@
   - rkhunter
   - denyhosts
   - nagios_client
+  - fas_client
 
   tasks:
   # this is how you include other task lists
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
   - include: $tasks/base.yml
-  - include: $tasks/fas_client.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/collectd/client.yml
   - include: $tasks/motd.yml
diff --git a/playbooks/groups/virthost.yml b/playbooks/groups/virthost.yml
index 763002b..ab93d90 100644
--- a/playbooks/groups/virthost.yml
+++ b/playbooks/groups/virthost.yml
@@ -16,12 +16,12 @@
   - rkhunter
   - denyhosts
   - nagios_client
+  - fas_client
 
   tasks:
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
   - include: $tasks/base.yml
-  - include: $tasks/fas_client.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml
diff --git a/roles/fas_client/files/fas-client.cron b/roles/fas_client/files/fas-client.cron
new file mode 100644
index 0000000..4ec50f9
--- /dev/null
+++ b/roles/fas_client/files/fas-client.cron
@@ -0,0 +1 @@
+*/10 * * * * root /usr/local/bin/lock-wrapper fasClient "/bin/sleep $(($RANDOM \% 180)); /usr/bin/fasClient -i | /usr/local/bin/nag-once fassync 1d 2>&1"
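Review bot: The trailing `2>&1` applies only to nag-once, so fasClient's own stderr is not captured by nag-once and will instead be mailed by cron every ten minutes while a sync is broken. Put the redirect on the producer: `/usr/bin/fasClient -i 2>&1 | /usr/local/bin/nag-once fassync 1d`. `$RANDOM` and `$((...))` also assume lock-wrapper runs the string under bash; that holds where /bin/sh is bash, but the wrapper's interpreter is not visible here.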
diff --git a/roles/fas_client/files/nsswitch.conf b/roles/fas_client/files/nsswitch.conf
new file mode 100644
index 0000000..fb4ff62
--- /dev/null
+++ b/roles/fas_client/files/nsswitch.conf
@@ -0,0 +1,45 @@
+# /etc/nsswitch.conf
+#
+# An example Name Service Switch config file. This file should be
+# sorted with the most-used services at the beginning.
+#
+# The entry '[NOTFOUND=return]' means that the search for an
+# entry should stop if the search in the previous entry turned
+# up nothing. Note that if the search failed due to some other reason
+# (like no NIS server responding) then the search continues with the
+# next entry.
+#
+# Legal entries are:
+#
+#	nisplus or nis+		Use NIS+ (NIS version 3)
+#	nis or yp		Use NIS (NIS version 2), also called YP
+#	dns			Use DNS (Domain Name Service)
+#	files			Use the local files
+#	db			Use the local database (.db) files
+#	compat			Use NIS on compat mode
+#	hesiod			Use Hesiod for user lookups
+#	[NOTFOUND=return]	Stop searching if not found so far
+#
+
+passwd:     db files
+shadow:     db files
+group:      db files
+
+#hosts:     db files nisplus nis dns
+hosts:      files dns
+
+bootparams: nisplus [NOTFOUND=return] files
+
+ethers:     files
+netmasks:   files
+networks:   files
+protocols:  files
+rpc:        files
+services:   files
+
+netgroup:   files
+
+publickey:  nisplus
+
+automount:  files
+aliases:    files nisplus
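Review bot: `passwd`, `shadow` and `group` consult `db` before `files`, so an entry in the fasClient-generated databases wins over /etc/passwd and /etc/shadow for the same name or id; if a FAS account ever collides with a local system account, the local one is masked. If local accounts are meant to stay authoritative, `files db` resolves FAS users identically while keeping /etc/passwd first. The `nisplus` entries for bootparams, publickey and aliases and the "example config file" header are inherited from the stock file; trimming them to `files` would document what these hosts actually use.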
diff --git a/roles/fas_client/handlers/main.yml b/roles/fas_client/handlers/main.yml
new file mode 100644
index 0000000..354ef9d
--- /dev/null
+++ b/roles/fas_client/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: run fasclient
+  action: command /usr/bin/fasClient -i
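Review bot: The handler keeps the `action: command ...` form while the role's tasks file switches to module-name keys (`yum:`, `copy:`, `template:`); for consistency inside the new role write it as `command: /usr/bin/fasClient -i`. Note that scoping the handler to the role means only plays that include fas_client can notify it.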
diff --git a/roles/fas_client/tasks/main.yml b/roles/fas_client/tasks/main.yml
new file mode 100644
index 0000000..c2f64c7
--- /dev/null
+++ b/roles/fas_client/tasks/main.yml
@@ -0,0 +1,80 @@
+---
+#
+# This task sets up fasClient on a machine. 
+# It installs the fas-clients package, then the /etc/fas.conf and finally a cron job update.
+#
+
+#
+# fas-clients is in the infrastructure repo. 
+# nss_db is needed to store user/group info.
+#
+- name: install package needed for fas-client
+  yum: state=installed name=$item
+  with_items:
+  - fas-clients
+  - cronie
+  tags:
+  - packages
+
+- name: hotfix - python-fedora proxyclient.py 
+  copy: >
+    src=$files/hotfix/python-fedora/proxyclient.py
+    dest=/usr/lib/python2.6/site-packages/fedora/client/proxyclient.py
+    owner=root mode=644
+  only_if: "'${ansible_distribution}' == 'RedHat'"
+  tags:
+  - hotfix
+  - packages
+
+- name: install nss_db on rhel hosts only
+  yum: state=installed name=nss_db
+  only_if: "'${ansible_distribution}' == 'RedHat'"
+  tags:
+  - packages
+
+#
+# setup /etc/nsswitch.conf to use nssdb
+#
+- name: setup /etc/nsswitch.conf for client use
+  copy: src=nsswitch.conf  dest=/etc/nsswitch.conf owner=root mode=644
+  tags:
+  - config
+
+#
+# fasClients needs a valid /etc/fas.conf. 
+# There's vars used in this template: 
+#
+# fas_client_groups = "sysadmin-main"
+# fas_client_restricted_app = ""
+# fas_client_admin_app = ""
+# fas_client_ssh_groups = ""
+#
+# if desired, set them on a per host/group basis. 
+#
+# Currently the default template is used, but could be modified on a host basis. 
+#
+- name: setup /etc/fas.conf for client use
+  template: src=$item dest=/etc/fas.conf owner=root mode=600
+  with_first_found:
+  - ${ansible_fqdn}.fas.conf.j2 
+  - ${ansible_hostname}.fas.conf.j2 
+  - ${ansible_hostname}.fas.conf.j2 
+  - fas.conf.j2
+  tags:
+  - config
+  notify:
+  - run fasclient
+
+#
+# setup /etc/cron.d/ file to run sync every 10min
+# TODO: use cron module when it's fixed
+#
+#- name: fas_client cron job
+#  cron: name="fas client" user=root cron_file=fas-client minute="*/10" job="/usr/bin/fasClient -i"
+#  tags:
+#  - config
+
+- name: fas_client cron job
+  copy: src=fas-client.cron dest=/etc/cron.d/fas-client owner=root mode=644
+  tags:
+  - config
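Review bot: The `with_first_found` list for /etc/fas.conf contains `${ansible_hostname}.fas.conf.j2` twice, so the second entry can never match — one of them was presumably meant to be a different override name (a group, perhaps); drop or correct it. The hotfix task still reaches outside the role with `src=$files/hotfix/python-fedora/proxyclient.py`, while nsswitch.conf, the cron file and the template were moved into the role's own files/ and templates/; moving that file under roles/fas_client/files/ (or commenting why it stays shared) would make the role self-contained. The header comment still says "This task sets up fasClient"; `# This role sets up fasClient on a machine.` keeps it accurate now that it is a role.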
diff --git a/roles/fas_client/templates/fas.conf.j2 b/roles/fas_client/templates/fas.conf.j2
new file mode 100644
index 0000000..d3af01d
--- /dev/null
+++ b/roles/fas_client/templates/fas.conf.j2
@@ -0,0 +1,92 @@
+[global]
+; url - Location to fas server
+url = https://admin.fedoraproject.org/accounts/
+
+; temp - Location to generate files while user creation process is happening
+temp = /var/db
+
+; login - username to contact fas
+login = {{ fedorathirdpartyUser }}
+
+; password - password for login name
+password = {{ fedorathirdpartyPassword }}
+
+; prefix - install to a location other than /
+prefix = /
+
+; modefile - Location of a file containing saved home directory modes
+modefile = /var/lib/fas/client_dir_perms
+
+; cla_group - Group for CLA requirements
+cla_group = cla_done
+
+[host]
+; Group hierarchy is 1) groups, 2) restricted_groups 3) ssh_restricted_groups
+; so if someone is in all 3, the client behaves the same as if they were just
+; in 'groups'
+
+; groups that should have a shell account on this system.
+{% if fas_client_groups %}
+groups = sysadmin-main,{{ fas_client_groups }}
+{% else %}
+groups = sysadmin-main
+{% endif %}
+
+; groups that should have a restricted account on this system.
+; restricted accounts use the restricted_shell value in [users]
+restricted_groups =
+
+; ssh_restricted_groups: groups that should be restricted by ssh key.  You will
+; need to disable password based logins in order for this value to have any
+; security meaning.  Group types can be placed here as well, for example
+; @hg, at git, at svn
+{% if fas_client_ssh_groups %}
+ssh_restricted_groups = {{ fas_client_ssh_groups }}
+{% else %}
+ssh_restricted_groups = 
+{% endif %}
+
+; aliases_template: Gets prepended to the aliases file when it is generated by
+; fasClient
+aliases_template = /etc/aliases.template
+
+[users]
+; default shell given to people in [host] groups
+shell = /bin/bash
+
+; home - the location for fas user home dirs
+home = /home/fedora
+
+; home_backup_dir - Location home dirs should get moved to when a user is
+; deleted this location should be tmpwatched
+home_backup_dir = /home/fedora.bak
+
+; ssh_restricted_app - This is the path to the restricted shell script.  It
+; will not work automatically for most people though through alterations it
+; is a powerfull way to restrict access to a machine.  An alternative example
+; could be given to people who should only have cvs access on the machine.
+; setting this value to "/usr/bin/cvs server" would do this.
+{% if fas_client_restricted_app %}
+ssh_restricted_app = {{ fas_client_restricted_app }}
+{% else %}
+ssh_restricted_app = 
+{% endif %}
+
+; ssh_admin_app - This is the path to an app that an admin is allowed to use.
+{% if fas_client_admin_app %}
+ssh_admin_app = {{ fas_client_admin_app }}
+{% else %}
+ssh_admin_app = 
+{% endif %}
+
+; restricted_shell - The shell given to users in the ssh_restricted_groups
+restricted_shell = /sbin/nologin
+
+; ssh_restricted_shell - The shell given to users in the ssh_restricted_groups
+ssh_restricted_shell = /bin/bash
+
+; ssh_key_options - Options to be appended to people ssh keys.  Users in the
+; ssh_restricted_groups will have the keys they uploaded altered when they are
+; installed on this machine, appended with the options below.
+ssh_key_options = no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
+
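Review bot: The comment on `restricted_shell` says it applies to users in `ssh_restricted_groups`, which contradicts the [host] section above ("restricted accounts use the restricted_shell value in [users]") and makes it indistinguishable from the `ssh_restricted_shell` comment below; change it to `; restricted_shell - The shell given to users in the restricted_groups`. The `{% else %}` branches for ssh_restricted_groups, ssh_restricted_app and ssh_admin_app leave trailing whitespace after `=`, harmless to the parser but worth stripping. The FAS login password is rendered into this file in clear text, which the role relies on `mode=600` in the template task to protect — keep that coupling in mind if the template is reused elsewhere.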
diff --git a/tasks/fas_client.yml b/tasks/fas_client.yml
deleted file mode 100644
index fedeb5b..0000000
--- a/tasks/fas_client.yml
+++ /dev/null
@@ -1,80 +0,0 @@
----
-#
-# This task sets up fasClient on a machine. 
-# It installs the fas-clients package, then the /etc/fas.conf and finally a cron job update.
-#
-
-#
-# fas-clients is in the infrastructure repo. 
-# nss_db is needed to store user/group info.
-#
-- name: install package needed for fas-client
-  action: yum state=installed name=$item
-  with_items:
-  - fas-clients
-  - cronie
-  tags:
-  - packages
-
-- name: hotfix - python-fedora proxyclient.py 
-  copy: >
-    src=$files/hotfix/python-fedora/proxyclient.py
-    dest=/usr/lib/python2.6/site-packages/fedora/client/proxyclient.py
-    owner=root mode=644
-  only_if: "'${ansible_distribution}' == 'RedHat'"
-  tags:
-  - hotfix
-  - packages
-
-- name: install nss_db on rhel hosts only
-  action: yum state=installed name=nss_db
-  only_if: "'${ansible_distribution}' == 'RedHat'"
-  tags:
-  - packages
-
-#
-# setup /etc/nsswitch.conf to use nssdb
-#
-- name: setup /etc/nsswitch.conf for client use
-  action: copy src=$files/fas-client/nsswitch.conf  dest=/etc/nsswitch.conf owner=root mode=644
-  tags:
-  - config
-
-#
-# fasClients needs a valid /etc/fas.conf. 
-# There's vars used in this template: 
-#
-# fas_client_groups = "sysadmin-main"
-# fas_client_restricted_app = ""
-# fas_client_admin_app = ""
-# fas_client_ssh_groups = ""
-#
-# if desired, set them on a per host/group basis. 
-#
-# Currently the default template is used, but could be modified on a host basis. 
-#
-- name: setup /etc/fas.conf for client use
-  action: template src=$item dest=/etc/fas.conf owner=root mode=600
-  with_first_found:
-  - $files/fas-client/${ansible_fqdn}.fas.conf.j2 
-  - $files/fas-client/${ansible_hostname}.fas.conf.j2 
-  - $files/fas-client/${ansible_hostname}.fas.conf.j2 
-  - $files/fas-client/fas.conf.j2
-  tags:
-  - config
-  notify:
-  - run fasclient
-
-#
-# setup /etc/cron.d/ file to run sync every 10min
-# TODO: use cron module when it's fixed
-#
-#- name: fas_client cron job
-#  cron: name="fas client" user=root cron_file=fas-client minute="*/10" job="/usr/bin/fasClient -i"
-#  tags:
-#  - config
-
-- name: fas_client cron job
-  action: copy src=$files/fas-client/fas-client.cron dest=/etc/cron.d/fas-client owner=root mode=644
-  tags:
-  - config
-- 
1.8.3.1


