---
# NOTE: This cannot be overriden in the inventory file unless used as host_vars
perforce_domain: "example.com"
perforce_mailfrom_email: "perforce-admin@{{ perforce_domain }}"
perforce_mailto_email: "rustyjackson@{{ perforce_domain }}"
perforce_smtp_server: "smtp.{{ perforce_domain }}"
update_dependencies: true
new_sdp: true
new_p4d: false
p4d_enabled: true
install_broker: true
perforce_id: "1"
perforce_case_sensitive: "0"
perforce_service: "p4d_{{ perforce_id }}"
perforce_ssl_prefix: ""
perforce_p4_port: "1666"
perforce_p4broker_port: "ssl:1667"
perforce_p4broker_target_port: "1666"
perforce_user: "perforce"
perforce_uid: "10666"
perforce_group: "perforce"
perforce_gid: "10666"
commit_dns: "perforce-commit.p4.example.com"
perforce_version: "25.2"
perforce_broker_version: "25.2"
perforce_admin_user: "p4admin"
# Override with ansible-vault in production
perforce_admin_user_pass: "F@stSCM!"
# Password hash created with: openssl passwd -6 -salt saltsecret
# Override with ansible-vault in production
perforce_user_password: "$6$PerforceRules$DahgNsXI/V89vqPAXzwflxe7wU09fotIVI5waJACxVd01.EQpQqd5zdnbtgaV.ylstYfQq30xGEBC7yznkE6X1"
# Additional admin users to create sudoers files for
admin_users:
- russelljackson
# --- Group resource guardrails: fleet-wide naming convention ---------------
# The role templates the SDP keep_group_unset.py trigger and update_limits.py
# from these, so no group/user name is hardcoded. Override per commit server in
# host_vars if an environment uses different names. The per-environment limit
# VALUES and the enable flag live in each commit server's host_vars.
guardrails_enabled: false # fleet default; flip per commit server
# Every group name is its own variable -- referenced by the templated trigger,
# the membership updater, and the per-environment p4_group_limits in host_vars.
p4_baseline_group: limits # populated with all users by update_limits.py
p4_integrators_group: integrators # standing elevated access
p4_unlimited_group: p4-unlimited # approval-gated, unlimited everything
p4_admins_group: p4-admins # admin group (trigger-exempt)
p4_replicas_group: p4-replicas # replication service group (trigger-exempt)
p4_trigger_exempt_users: # users the trigger never rewrites
- "{{ perforce_admin_user }}"
p4_trigger_exempt_groups: # groups allowed to keep elevated/unlimited Max*
- "{{ p4_admins_group }}"
- "{{ p4_replicas_group }}"
- "{{ p4_unlimited_group }}"
| # | Change | User | Description | Committed | |
|---|---|---|---|---|---|
| #1 | 32894 | Russell C. Jackson (Rusty) |
Add group resource guardrails to perforce-sdp-install; inventory cleanup Guardrails (gated on guardrails_enabled, commit server): - New group_limits phase (thin orchestrator + group_limits/ subdir: deploy_scripts, set_limits, populate) included from main.yml. Templates the SDP keep_group_unset.py trigger and update_limits.py from inventory so no group/user name is hardcoded; sets Max* on each managed group via the new idempotent files/manage_p4group.py helper; populates the limits group once (marker-guarded). No new cron -- the SDP's hourly master cron maintains membership. - Every group name is its own variable (p4_baseline_group, p4_integrators_group, p4_unlimited_group, p4_admins_group, p4_replicas_group); p4_group_limits is a list of {name, limits}. Naming convention in group_vars/main; per-environment values + enable flag in each commit server's host_vars; safe fallbacks in defaults. - Molecule: install scenario now runs the guardrails phase after configure_new_server and verifies the scripts are deployed and the limits/p4-unlimited groups carry the expected values. README + docs updated. Inventory cleanup: - Removed the 2kgla1tst2 and la1v-rjackson commit hosts (host_vars + inventory). - Renamed the top-level inventory group central -> main (group_vars dir moved, references updated across inventory, molecule, README, CLAUDE.md). ansible-lint production-clean; playbooks syntax-check; helper/templates compile. |
||
| //guest/russell_jackson/ansible-sdp/inventories/group_vars/central/main.yml | |||||
| #3 | 32493 | Russell C. Jackson (Rusty) | Created some dummy files to allow the install to run. | ||
| #2 | 32492 | Russell C. Jackson (Rusty) |
Fix bugs, remove orphaned files, and apply best practices to ansible-sdp - Fix broken Jinja2 filter syntax (|bool|) in main-playbook.yml - Fix target_server logic comparing string literals instead of variables - Fix package install failing on RedHat due to missing OS family guard - Split packages into OS-agnostic and Debian-specific lists, remove duplicates - Switch all binary downloads from HTTP to HTTPS - Remove 7 orphaned files (unused templates, scripts, configs) - Replace hardcoded emails in cron with template variables - Fix inconsistent journal rotations (06:00/08:00) to use rotate_journal.sh - Parameterize admin sudoers and perforce user password - Fix ansible.cfg malformed vars block - Fix ansibleuser sudo group for RedHat (wheel) vs Debian (sudo) - Remove redundant triple broker start/restart in install.yml - Replace shell sed with ansible.builtin.replace in monitoring role - Fix duplicate handler and undefined variable in monitoring handlers - Use notify handlers instead of inline commands for sysctl/THP - Add idempotency (creates:) to pyenv install |
||
| #1 | 32488 | Russell C. Jackson (Rusty) | Ansible scaffolding for the sdp - Needs work. | ||