diff --git a/development/playbooks/deploy-dev/deploy-dev.yaml b/development/playbooks/deploy-dev/deploy-dev.yaml
index caf89c1d9..07d8de1b6 100644
--- a/development/playbooks/deploy-dev/deploy-dev.yaml
+++ b/development/playbooks/deploy-dev/deploy-dev.yaml
@@ -55,6 +55,7 @@
 foreman_development_enabled_plugins: "{{ foreman_development_enabled_plugins + ['foreman_ansible'] }}"
 roles:
 - role: pre_install
+ - role: crypto_policy
 - role: certificates
 - role: postgresql
 - role: redis
diff --git a/development/playbooks/remote-database/remote-database.yaml b/development/playbooks/remote-database/remote-database.yaml
index 0ea469c1d..3b1885302 100644
--- a/development/playbooks/remote-database/remote-database.yaml
+++ b/development/playbooks/remote-database/remote-database.yaml
@@ -13,6 +13,7 @@
 postgresql_ssl_key: "{{ certificates_ca_directory }}/private/{{ ansible_facts['fqdn'] }}.key"
 roles:
 - role: pre_install
+ - role: crypto_policy
 - role: certificates
 - role: postgresql
diff --git a/src/playbooks/deploy/deploy.yaml b/src/playbooks/deploy/deploy.yaml
index 837d36c98..d70a02584 100644
--- a/src/playbooks/deploy/deploy.yaml
+++ b/src/playbooks/deploy/deploy.yaml
@@ -29,6 +29,7 @@
 roles:
 - role: pre_install
 - role: checks
+ - role: crypto_policy
 - role: certificates
 when: "certificates_source in ['default', 'custom_server']"
 - role: certificate_checks
diff --git a/src/roles/candlepin/tasks/main.yml b/src/roles/candlepin/tasks/main.yml
index 4b2628138..e6d44851a 100644
--- a/src/roles/candlepin/tasks/main.yml
+++ b/src/roles/candlepin/tasks/main.yml
@@ -90,6 +90,7 @@
 volumes:
 - /var/log/candlepin:/var/log/candlepin:Z
 - /var/log/tomcat:/var/log/tomcat:Z
+ - /var/lib/foremanctl/etc_crypto_policies:/etc/crypto-policies:ro,z
 quadlet_options:
 - |
 [Install]
diff --git a/src/roles/crypto_policy/defaults/main.yml b/src/roles/crypto_policy/defaults/main.yml
new file mode 100644
index 000000000..5891b83a4
--- /dev/null
+++ b/src/roles/crypto_policy/defaults/main.yml
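Review bot: `crypto_policy` now runs before `certificates` with the role's default of FUTURE, but nothing in the deploy playbook checks that the key sizes and signature algorithms the certificate roles generate or import (`certificates_source: custom_server`) are acceptable under that policy; FUTURE is documented to reject RSA keys shorter than 3072 bits and SHA-1 signatures, so a shorter user-supplied certificate passes deployment here and then fails TLS inside every container that mounts the extracted policy. The `certificate_checks` role that follows is the natural place to assert key length and signature digest against `crypto_policy_policy`, or at minimum the new role line should carry a comment such as `# certificates must satisfy crypto_policy_policy (FUTURE: >=3072-bit RSA, no SHA-1)`. The same ordering is added in the deploy-dev and remote-database playbooks earlier in this diff; the role list continues outside the hunk.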
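Review bot: Mounting the extracted tree over `/etc/crypto-policies` only reaches the Tomcat JVM in the candlepin container if the image's `java.security` enables the system policy file (`security.useSystemPropertiesFile=true`, as on Red Hat OpenJDK builds) so that `back-ends/java.config` is consulted; the hunk neither verifies that nor records the expectation, so this one service can silently stay on its built-in policy while the OpenSSL-based services pick the new one up. I would add a comment on the new volume line, e.g. `# JVM honours this only when java.security sets security.useSystemPropertiesFile=true`, and consider checking the image for it. The new entry uses `z` where the neighbouring log mounts use `Z`, which is correct for a directory shared by several containers but deserves the same comment so nobody "fixes" it later. The container task continues outside the hunk.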
@@ -0,0 +1,3 @@
+---
+crypto_policy_container: "centos:stream9"
+crypto_policy_policy: FUTURE
diff --git a/src/roles/crypto_policy/tasks/main.yml b/src/roles/crypto_policy/tasks/main.yml
new file mode 100644
index 000000000..05d6fe2b6
--- /dev/null
+++ b/src/roles/crypto_policy/tasks/main.yml
@@ -0,0 +1,32 @@
+---
+- name: Create /var/lib/foremanctl/
+ ansible.builtin.file:
+ path: /var/lib/foremanctl/
+ state: directory
+ owner: root
+ group: root
+ mode: '0750'
+
+- name: Create temporary container for data extraction
+ containers.podman.podman_container:
+ name: crypto-policy-tmp
+ image: "{{ crypto_policy_container }}"
+ state: started
+ command: sleep 600
+
+- name: Set the policy
+ containers.podman.podman_container_exec:
+ name: crypto-policy-tmp
+ command: "update-crypto-policies --set {{ crypto_policy_policy }}"
+
+- name: Extract data from container
+ containers.podman.podman_container_copy:
+ container: crypto-policy-tmp
+ src: "/etc/crypto-policies"
+ dest: "/var/lib/foremanctl/etc_crypto_policies"
+ from_container: true
+
+- name: Remove temporary container
+ containers.podman.podman_container:
+ name: crypto-policy-tmp
+ state: absent
diff --git a/src/roles/foreman/tasks/main.yaml b/src/roles/foreman/tasks/main.yaml
index f08ac17f9..1a518c037 100644
--- a/src/roles/foreman/tasks/main.yaml
+++ b/src/roles/foreman/tasks/main.yaml
@@ -105,6 +105,7 @@
 hostname: "{{ ansible_facts['hostname'] }}.local"
 volume:
 - 'foreman-data-run:/var/run/foreman:z'
+ - /var/lib/foremanctl/etc_crypto_policies:/etc/crypto-policies:ro,z
 secrets:
 - 'foreman-database-url,type=env,target=DATABASE_URL'
 - 'foreman-seed-admin-user,type=env,target=SEED_ADMIN_USER'
@@ -143,6 +144,7 @@
 hostname: "{{ ansible_facts['hostname'] }}.local"
 volume:
 - 'foreman-data-run:/var/run/foreman:z'
+ - /var/lib/foremanctl/etc_crypto_policies:/etc/crypto-policies:ro,z
 secrets:
 - 'foreman-database-url,type=env,target=DATABASE_URL'
 - 'foreman-settings-yaml,type=mount,target=/etc/foreman/settings.yaml'
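Review bot: `crypto_policy_container: "centos:stream9"` is a short name resolved through the host's unqualified-search registries and pinned only by a mutable tag, so the policy files that every service container subsequently trusts are copied out of whatever image that lookup happens to return on the day the role runs. Use a fully qualified reference, e.g. `crypto_policy_container: "quay.io/centos/centos:stream9"`, and consider a digest pin, and add a comment stating that the image must match the OS major of the service images because the extracted back-end configs are specific to that release's crypto-policies version. `crypto_policy_policy` would also benefit from a comment naming the accepted values (`DEFAULT`, `LEGACY`, `FUTURE`, `FIPS`) and warning that anything stricter than DEFAULT constrains the certificates the deployment can use.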
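Review bot: `Remove temporary container` is an ordinary task placed after the exec and copy steps, so when `update-crypto-policies` or the copy fails the play stops with `crypto-policy-tmp` left running (`sleep 600`) and a re-run's `state: started` reuses that container rather than a fresh image; move the three container tasks into a `block:` with the removal under `always:`, as sketched below. Two further points deserve a comment in this file: on CentOS Stream 9 the files under `/etc/crypto-policies/back-ends/` are, as far as I can tell, symlinks into `/usr/share/crypto-policies/<POLICY>/`, so unless the copy dereferences them the extracted tree only works inside a service image that ships the same policy directory, and a task asserting that e.g. `back-ends/openssl.config` resolves there would catch a mismatch early. Also `dest` sits under the `0750` root-owned `/var/lib/foremanctl`, so readability for the non-root UIDs the service containers run as rests entirely on the permissions carried over by the copy, which the role never pins; an explicit `ansible.builtin.file` mode pass on the extracted directory, or at least a comment stating the expectation, would make that intent visible.
```yaml
- name: Extract crypto policy files from a throwaway container
  block:
    - name: Create temporary container for data extraction
      # … unchanged: podman_container with state: started …
    - name: Set the policy
      # … unchanged: podman_container_exec …
    - name: Extract data from container
      # … unchanged: podman_container_copy …
  always:
    - name: Remove temporary container
      containers.podman.podman_container:
        name: crypto-policy-tmp
        state: absent
```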
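Review bot: The host path `/var/lib/foremanctl/etc_crypto_policies` and the `:/etc/crypto-policies:ro,z` mount spec are spelled out verbatim on the new volume line here, again in the second and third foreman hunks, and in the candlepin, postgresql, pulp and redis roles, while the same path is hard-coded independently as `dest` in the crypto_policy role; a drift in any one copy leaves that service silently on its image's default policy, with nothing to flag it. Define the mount once in the crypto_policy defaults, e.g. `crypto_policy_volume: "/var/lib/foremanctl/etc_crypto_policies:/etc/crypto-policies:ro,z"`, derive the copy `dest` from it, and reference `"{{ crypto_policy_volume }}"` in each volume list. The enclosing container task starts and ends outside the hunk.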
@@ -198,6 +200,7 @@
 command: "foreman-rake {{ item.rake }}"
 volume:
 - 'foreman-data-run:/var/run/foreman:z'
+ - /var/lib/foremanctl/etc_crypto_policies:/etc/crypto-policies:ro,z
 secrets:
 - 'foreman-database-url,type=env,target=DATABASE_URL'
 - 'foreman-seed-admin-user,type=env,target=SEED_ADMIN_USER'
diff --git a/src/roles/postgresql/tasks/main.yml b/src/roles/postgresql/tasks/main.yml
index fe13649ed..0f36562f0 100644
--- a/src/roles/postgresql/tasks/main.yml
+++ b/src/roles/postgresql/tasks/main.yml
@@ -31,6 +31,7 @@
 network: host
 volumes:
 - "{{ postgresql_data_dir }}:/var/lib/pgsql/data:Z"
+ - /var/lib/foremanctl/etc_crypto_policies:/etc/crypto-policies:ro,z
 secrets:
 - 'postgresql-admin-password,target=POSTGRESQL_ADMIN_PASSWORD,type=env'
 env:
diff --git a/src/roles/pulp/defaults/main.yaml b/src/roles/pulp/defaults/main.yaml
index a4b9fa44a..513af3b37 100644
--- a/src/roles/pulp/defaults/main.yaml
+++ b/src/roles/pulp/defaults/main.yaml
@@ -12,6 +12,7 @@ pulp_api_service_worker_count: "{{ ([4, ansible_facts['processor_nproc']] | min)
 pulp_volumes:
 - /var/lib/pulp:/var/lib/pulp
+ - /var/lib/foremanctl/etc_crypto_policies:/etc/crypto-policies:ro,z
 pulp_api_container_name: pulp-api
 pulp_content_container_name: pulp-content
diff --git a/src/roles/redis/tasks/main.yaml b/src/roles/redis/tasks/main.yaml
index 93837c90c..a49fce5f7 100644
--- a/src/roles/redis/tasks/main.yaml
+++ b/src/roles/redis/tasks/main.yaml
@@ -24,6 +24,7 @@
 command: ["run-redis", "--supervised", "systemd"]
 volumes:
 - /var/lib/redis:/data:Z
+ - /var/lib/foremanctl/etc_crypto_policies:/etc/crypto-policies:ro,z
 quadlet_options:
 - |
 [Install]
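Review bot: Adding the crypto-policies mount to `pulp_volumes` places it in a user-overridable role default, so an operator who sets `pulp_volumes` to add a mount of their own (the evident purpose of exposing it) silently drops the policy mount and pulp falls back to the image's built-in policy with no error or warning. Keep the policy mount out of the overridable list and append it where the pulp containers are created, e.g. `volumes: "{{ pulp_volumes + ['/var/lib/foremanctl/etc_crypto_policies:/etc/crypto-policies:ro,z'] }}"` (that task is outside this hunk), or at least add a comment on the new line stating that overrides must retain it. The new entry also carries `ro,z` while the existing `/var/lib/pulp` entry has no SELinux label, which is probably deliberate but worth a word.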