r/useproxy: Configure system-wide proxy

The *useproxy* role configures the `http_proxy` et al. environmet
variables for systemd services and interactive shells.  Additionally, it
configures Yum repositories to use a single mirror via the `baseurl`
setting, rather than a list of mirrors via `metalink`, since the proxy
a) the proxy only allows access to _dl.fedoraproject.org_ and b) the
proxy caches RPM files, but this is only effective if all clients use
the same mirror all the time.

The `useproxy.yml` playbook applies this role to servers in the
*needproxy* group.

group_vars/Fedora.yml

@@ -0,0 +1,10 @@
+useproxy_yum_repos:
+  - file: fedora
+    name: fedora
+    baseurl: http://dl.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
+  - file: fedora-cisco-openh264
+    name: fedora-cisco-openh264
+    baseurl: https://codecs.fedoraproject.org/openh264/$releasever/$basearch/os/
+  - file: fedora-updates
+    name: updates
+    baseurl: http://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/Everything/$basearch/

group_vars/needproxy.yml

@@ -0,0 +1,4 @@
+http_proxy: http://proxy.pyrocufflink.blue:3128
+https_proxy: '{{ http_proxy }}'
+all_proxy: '{{ http_proxy }}'
+no_proxy: localhost,pyrocufflink.blue,*.pyrocufflink.blue,127.0.0.1,172.30.0.*,172.30.0.0/24

hosts

@@ -81,6 +81,8 @@ burp-server
 [nfs-client:children]
 k8s-node
 
+[needproxy]
+
 [nextcloud]
 cloud0.pyrocufflink.blue
 

roles/useproxy/defaults/main.yml

@@ -0,0 +1 @@
+useproxy_yum_repos: []

roles/useproxy/handlers/main.yml

@@ -0,0 +1,6 @@
+- name: reload systemd
+  systemd:
+    daemon_reload: true
+
+- name: reset connection
+  meta: reset_connection

roles/useproxy/tasks/main.yml

@@ -0,0 +1,73 @@
+- name: ensure environment.d directory exists
+  file:
+    path: /etc/environment.d
+    owner: root
+    group: root
+    mode: u=rwx,go=rx
+    state: directory
+  tags:
+  - config
+- name: ensure proxy environment variables are set
+  template:
+    src: proxy.env.j2
+    dest: /etc/environment.d/40-proxy.env
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  tags:
+  - config
+
+- name: ensure /etc/environment is assembled
+  assemble:
+    src: /etc/environment.d
+    dest: /etc/environment
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reset connection
+  tags:
+  - config
+
+- name: ensure systemd default service drop-in directory exists
+  file:
+    path: /etc/systemd/system/service.d
+    owner: root
+    group: root
+    mode: u=rwx,go=rx
+    state: directory
+  tags:
+  - systemd
+- name: ensure proxy is configured for systemd services
+  copy:
+    dest: /etc/systemd/system/service.d/40-proxy.conf
+    content: |
+      [Service]
+      EnvironmentFile=-/etc/environment.d/40-proxy.env
+  notify:
+  - reload systemd
+  tags:
+  - systemd
+
+- name: ensure yum repos are configured to use baseurl
+  ini_file:
+    path: /etc/yum.repos.d/{{ item.file }}.repo
+    section: '{{ item.name }}'
+    option: baseurl
+    value: '{{ item.baseurl }}'
+    state: present
+  loop: '{{ useproxy_yum_repos }}'
+  tags:
+  - yum
+- name: ensure yum repos are configured to not use metalink
+  ini_file:
+    path: /etc/yum.repos.d/{{ item.file }}.repo
+    section: '{{ item.name }}'
+    option: metalink
+    state: absent
+  loop: '{{ useproxy_yum_repos }}'
+  tags:
+  - yum
+
+- name: flush handlers
+  meta: flush_handlers

roles/useproxy/templates/proxy.env.j2

@@ -0,0 +1,16 @@
+{% if http_proxy|d %}
+http_proxy={{ http_proxy }}
+HTTP_PROXY={{ http_proxy }}
+{% endif %}
+{% if https_proxy|d %}
+https_proxy={{ https_proxy }}
+HTTPS_PROXY={{ https_proxy }}
+{% endif %}
+{% if all_proxy|d %}
+all_proxy={{ all_proxy }}
+ALL_PROXY={{ all_proxy }}
+{% endif %}
+{% if no_proxy %}
+no_proxy={{ no_proxy }}
+NO_PROXY={{ no_proxy }}
+{% endif %}

useproxy.yml

@@ -0,0 +1,5 @@
+- import_playbook: dyngroups.yml
+
+- hosts: needproxy
+  roles:
+  - useproxy