main.yml #1

  • //
  • guest/
  • russell_jackson/
  • ansible-sdp/
  • inventories/
  • group_vars/
  • main/
  • main.yml
  • View
  • Commits
  • Open Download .zip Download (2 KB)
---
#  NOTE: This cannot be overriden in the inventory file unless used as host_vars
perforce_domain: "example.com"
perforce_mailfrom_email: "perforce-admin@{{ perforce_domain }}"
perforce_mailto_email: "rustyjackson@{{ perforce_domain }}"
perforce_smtp_server: "smtp.{{ perforce_domain }}"
update_dependencies: true

new_sdp: true
new_p4d: false
p4d_enabled: true
install_broker: true

perforce_id: "1"
perforce_case_sensitive: "0"
perforce_service: "p4d_{{ perforce_id }}"
perforce_ssl_prefix: ""
perforce_p4_port: "1666"
perforce_p4broker_port: "ssl:1667"
perforce_p4broker_target_port: "1666"

perforce_user: "perforce"
perforce_uid: "10666"
perforce_group: "perforce"
perforce_gid: "10666"
commit_dns: "perforce-commit.p4.example.com"
perforce_version: "25.2"
perforce_broker_version: "25.2"

perforce_admin_user: "p4admin"
# Override with ansible-vault in production
perforce_admin_user_pass: "F@stSCM!"

# Password hash created with: openssl passwd -6 -salt saltsecret
# Override with ansible-vault in production
perforce_user_password: "$6$PerforceRules$DahgNsXI/V89vqPAXzwflxe7wU09fotIVI5waJACxVd01.EQpQqd5zdnbtgaV.ylstYfQq30xGEBC7yznkE6X1"

# Additional admin users to create sudoers files for
admin_users:
  - russelljackson

# --- Group resource guardrails: fleet-wide naming convention ---------------
# The role templates the SDP keep_group_unset.py trigger and update_limits.py
# from these, so no group/user name is hardcoded. Override per commit server in
# host_vars if an environment uses different names. The per-environment limit
# VALUES and the enable flag live in each commit server's host_vars.
guardrails_enabled: false                 # fleet default; flip per commit server
# Every group name is its own variable -- referenced by the templated trigger,
# the membership updater, and the per-environment p4_group_limits in host_vars.
p4_baseline_group: limits                 # populated with all users by update_limits.py
p4_integrators_group: integrators         # standing elevated access
p4_unlimited_group: p4-unlimited          # approval-gated, unlimited everything
p4_admins_group: p4-admins                # admin group (trigger-exempt)
p4_replicas_group: p4-replicas            # replication service group (trigger-exempt)
p4_trigger_exempt_users:                  # users the trigger never rewrites
  - "{{ perforce_admin_user }}"
p4_trigger_exempt_groups:                 # groups allowed to keep elevated/unlimited Max*
  - "{{ p4_admins_group }}"
  - "{{ p4_replicas_group }}"
  - "{{ p4_unlimited_group }}"
# Change User Description Committed
#1 32894 Russell C. Jackson (Rusty) Add group resource guardrails to perforce-sdp-install; inventory cleanup

Guardrails (gated on guardrails_enabled, commit server):
- New group_limits phase (thin orchestrator + group_limits/ subdir:
  deploy_scripts, set_limits, populate) included from main.yml. Templates the
  SDP keep_group_unset.py trigger and update_limits.py from inventory so no
  group/user name is hardcoded; sets Max* on each managed group via the new
  idempotent files/manage_p4group.py helper; populates the limits group once
  (marker-guarded). No new cron -- the SDP's hourly master cron maintains
  membership.
- Every group name is its own variable (p4_baseline_group, p4_integrators_group,
  p4_unlimited_group, p4_admins_group, p4_replicas_group); p4_group_limits is a
  list of {name, limits}. Naming convention in group_vars/main; per-environment
  values + enable flag in each commit server's host_vars; safe fallbacks in
  defaults.
- Molecule: install scenario now runs the guardrails phase after
  configure_new_server and verifies the scripts are deployed and the
  limits/p4-unlimited groups carry the expected values. README + docs updated.

Inventory cleanup:
- Removed the 2kgla1tst2 and la1v-rjackson commit hosts (host_vars + inventory).
- Renamed the top-level inventory group central -> main (group_vars dir moved,
  references updated across inventory, molecule, README, CLAUDE.md).

ansible-lint production-clean; playbooks syntax-check; helper/templates compile.
//guest/russell_jackson/ansible-sdp/inventories/group_vars/central/main.yml
#3 32493 Russell C. Jackson (Rusty) Created some dummy files to allow the install to run.
#2 32492 Russell C. Jackson (Rusty) Fix bugs, remove orphaned files, and apply best practices to ansible-sdp

- Fix broken Jinja2 filter syntax (|bool|) in main-playbook.yml
- Fix target_server logic comparing string literals instead of variables
- Fix package install failing on RedHat due to missing OS family guard
- Split packages into OS-agnostic and Debian-specific lists, remove duplicates
- Switch all binary downloads from HTTP to HTTPS
- Remove 7 orphaned files (unused templates, scripts, configs)
- Replace hardcoded emails in cron with template variables
- Fix inconsistent journal rotations (06:00/08:00) to use rotate_journal.sh
- Parameterize admin sudoers and perforce user password
- Fix ansible.cfg malformed vars block
- Fix ansibleuser sudo group for RedHat (wheel) vs Debian (sudo)
- Remove redundant triple broker start/restart in install.yml
- Replace shell sed with ansible.builtin.replace in monitoring role
- Fix duplicate handler and undefined variable in monitoring handlers
- Use notify handlers instead of inline commands for sysctl/THP
- Add idempotency (creates:) to pyenv install
#1 32488 Russell C. Jackson (Rusty) Ansible scaffolding for the sdp - Needs work.