Merge tasks/enable.yml into main.yml

Signed-off-by: Radovan Sroka <[email protected]>
linux-system-roles · Nov 14, 2023 · 2d79485 · 2d79485
1 parent f1e3db3
commit 2d79485
Show file tree

Hide file tree

Showing 2 changed files with 117 additions and 113 deletions.
diff --git a/tasks/enable.yml b/tasks/enable.yml
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -7,7 +7,121 @@
       - distribution_major_version
   when: ansible_facts.distribution_major_version is not defined
 
-- name: Enable fapolicyd
-  include_tasks: enable.yml
+- name: System check
+  fail:
+    msg: >-
+      Only Red Hat Enterprise Linux >= 8.1 is supported;
+      System: {{ ansible_facts.os_family }}
+      Version: {{ ansible_facts.distribution_version }}
+  when: (ansible_facts.os_family != "RedHat") or
+    (ansible_facts.distribution_version is version("8.1", "<"))
+
+- name: Check trust compatibility
+  fail:
+    msg: >-
+      Fapolicyd does not support trust setting fapolicyd_setup_trust
+      on EL version < 8.3
+  ignore_errors: true
+  when:
+    - fapolicyd_setup_trust | length > 0
+    - ansible_facts.distribution_version is version("8.2", "<=")
+  register: __failed_check_trust
+
+- name: Check integrity compatibility
+  fail:
+    msg: >-
+      Fapolicyd does not support integrity setting fapolicyd_setup_integrity
+      on EL version < 8.4
+  ignore_errors: true
+  when:
+    - fapolicyd_setup_integrity | length > 0
+    - ansible_facts.distribution_version is version("8.3", "<=")
+  register: __failed_check_integrity
+
+- name: Check trust files compatibility
+  fail:
+    msg: >-
+      Fapolicyd does not support trust files setting fapolicyd_add_trusted_file
+      on EL version < 8.4
+  ignore_errors: true
+  when:
+    - fapolicyd_add_trusted_file | length > 0
+    - ansible_facts.distribution_version is version("8.3", "<=")
+  register: __failed_check_trusted_file
+
+- name: Check failed conditions
+  fail:
+    msg: Multiple failed conditions
+  when: __failed_check_trust is failed or __failed_check_integrity is failed  or
+    __failed_check_trusted_file is failed
+
+- name: Install fapolicyd packages
+  package:
+    name:
+      - "{{ __fapolicyd_packages }}"
+    state: present
+
+- name: Install fapolicyd-selinux packages
+  package:
+    name:
+      - "{{ __fapolicyd_selinux_packages }}"
+    state: present
+  when: ansible_facts.distribution_version is version("8.3", ">=")
+
+- name: Copy fapolicyd configuration file
+  template:
+    src: "{{ __fapolicyd_conf }}.j2"
+    dest: "{{ __fapolicyd_dir }}/{{ __fapolicyd_conf }}"
+    owner: root
+    group: fapolicyd
+    mode: '0644'
+
+- name: Run fapolicyd configuration check
+  command: fapolicyd-cli --check-config
+  check_mode: false
+  changed_when: false
+  when: ansible_facts.distribution_version is version("8.6", ">=")
+
+- name: Trustdb cleanup
+  command: fapolicyd-cli --file delete /
+  when: ansible_facts.distribution_version is version("8.3", ">=")
+  changed_when: true
+  failed_when: false
+
+- name: Add file to trustdb
+  command: fapolicyd-cli --file add {{ item | quote }}
+  loop: "{{ (fapolicyd_add_trusted_file is string) |
+    ternary([fapolicyd_add_trusted_file], fapolicyd_add_trusted_file) }}"
+  when:
+    - fapolicyd_add_trusted_file | length > 0
+    - ansible_facts.distribution_version is version("8.3", ">=")
+  changed_when: true
+
+- name: Start fapolicyd service
+  service:
+    name: "{{ __fapolicyd_services }}"
+    state: restarted
+    enabled: true
+  ignore_errors: true
+  register: __fapolicyd_restart
+
+- name: Check fapolicyd logs
+  command: journalctl -n5 -u "{{ __fapolicyd_services }}"
+  register: __fapolicyd_results
+  changed_when: false
+  when: __fapolicyd_restart is failed
+
+- name: Making sure fapolicyd does not run if it was set so
+  service:
+    name: "{{ __fapolicyd_services }}"
+    state: stopped
+    enabled: false
+  when: not fapolicyd_setup_enable_service
+
+- name: Print fapolicyd logs
+  debug:
+    msg: "{{ __fapolicyd_results.stdout_lines }}"
+  failed_when: true
   when:
-    - ansible_facts.distribution_version is version("8.1", ">=")
+    - __fapolicyd_restart is failed
+    - __fapolicyd_results.stdout_lines is defined