I just got permission to use Copilot in my IDE.
To test it I asked it how to update fapolicyd trusts.
It came back with this:
- name: Template Copy | Update fapolicyd trusts for {{ item }}
  community.general.fapolicyd:
    path: "/usr/local/bin/{{ item }}"
    trust_file: "{{ ansible_role_name }}"
    state: present
  when:
    - template_copy.changed
    - '"fapolicyd" in ansible_facts.packages'
  notify: Restart fapolicyd
Wonderful, it can replace my two stanzas:
- name: Template Copy | Remove old trust file entry
  ansible.builtin.lineinfile:
    path: "/etc/fapolicyd/trust.d/{{ ansible_role_name }}"
    state: absent
    regexp: "^/usr/local/bin/{{ item }}"
  when:
    - template_copy.changed
    - '"fapolicyd" in ansible_facts.packages'

- name: Template Copy | Update fapolicyd trusts for {{ item }}
  ansible.builtin.command: /usr/sbin/fapolicyd-cli --file add "/usr/local/bin/{{ item }}" --trust-file "{{ ansible_role_name }}"
  when:
    - template_copy.changed
    - '"fapolicyd" in ansible_facts.packages'
  notify: Restart fapolicyd  # handlers are from fapolicyd role
Except it can’t.
The linux-system-roles aren’t Swiss Army knives (one task and do it well). They are hammers.
I mention this in case the general.fapolicyd was abandoned because of those roles.
The example code sets up fapolicyd and adds some files to a trust (unnamed).
- name: Example fapolicyd role invocation
  hosts: all
  vars:
    fapolicyd_setup_enable_service: true
    fapolicyd_setup_integrity: sha256
    fapolicyd_setup_trust: rpmdb,file
    fapolicyd_add_trusted_file:
      - /etc/passwd
      - /etc/fapolicyd/fapolicyd.conf
      - /etc/krb5.conf
  roles:
    - fapolicyd
I don’t need fapolicyd to be set up; it’s already done.
If it went away, the code should be somewhere.
thanks
Peter
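
An added example, not part of the original post: a shell check that reports which entries in a trust.d file have gone stale after a template re-render, which is the condition the remove-then-add stanzas above repair. It assumes each trust line has the form `path size sha256` and that paths contain no spaces; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find fapolicyd trust entries that no longer match the file
# on disk. Assumption: each trust line is "path size sha256".

# trust_entry PATH -> prints the line a fresh trust entry would contain.
trust_entry() {
    printf '%s %s %s\n' "$1" \
        "$(wc -c < "$1" | tr -d ' ')" \
        "$(sha256sum "$1" | cut -d' ' -f1)"
}

# check_trust_file TRUST_FILE -> prints "STALE path" or "MISSING path" for
# each bad entry; returns 0 when every entry matches, 1 otherwise.
check_trust_file() {
    rc=0
    while read -r path size hash; do
        case $path in ''|'#'*) continue ;; esac   # skip blanks and comments
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        cur_size=$(wc -c < "$path" | tr -d ' ')
        cur_hash=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$cur_size" != "$size" ] || [ "$cur_hash" != "$hash" ]; then
            echo "STALE $path"; rc=1
        fi
    done < "$1"
    return $rc
}

# Constructed sample: trust a file, then rewrite it as a template task would.
demo() {
    dir=$(mktemp -d)
    printf 'echo v1\n' > "$dir/tool"
    trust_entry "$dir/tool" > "$dir/trust"      # entry recorded for v1
    printf 'echo v2 changed\n' > "$dir/tool"    # file re-rendered
    check_trust_file "$dir/trust" || true       # reports the stale entry
    rm -rf "$dir"
}

demo
```

Pointing `check_trust_file` at a file under `/etc/fapolicyd/trust.d/` needs read access to both the trust file and the listed paths.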