From e98e7d3287244c4aaee8e761653ccd3b29a9d0b1 Mon Sep 17 00:00:00 2001
From: Kieran Devany
Date: Mon, 24 Feb 2025 13:11:59 -0500
Subject: [PATCH 1/2] add tasks for installing ondemand-selinux rpm and configuring sebooleans
---
 defaults/main/install.yml | 18 ++++++++++++++++++
 meta/main.yml | 3 +++
 molecule/requirements.txt | 2 ++
 tasks/configure.yml | 9 +++++++++
 tasks/install-package.yml | 6 ++++++
 5 files changed, 38 insertions(+)
diff --git a/defaults/main/install.yml b/defaults/main/install.yml
index 5ff698b..1ffdb90 100644
--- a/defaults/main/install.yml
+++ b/defaults/main/install.yml
@@ -40,6 +40,24 @@ ood_use_existing_repo_file: false
 install_ondemand_dex: false
 ondemand_dex_package: ondemand-dex # behaviour as for ondemand_package
+# flip this flag if you want to install the ondemand-selinux RPM
+install_ondemand_selinux: false
+ondemand_selinux_package: ondemand-selinux # behaviour as for ondemand_package
+
+# Defaults values to configure SELinux booleans
+#seboolean_configuration:
+# - { boolean: "ondemand_manage_user_home_dir", boolean_value: false }
+# - { boolean: "ondemand_manage_vmblock", boolean_value: false }
+# - { boolean: "ondemand_use_nfs", boolean_value: false }
+# - { boolean: "ondemand_use_ssh", boolean_value: false }
+# - { boolean: "ondemand_use_sssd", boolean_value: false }
+# - { boolean: "ondemand_use_slurm", boolean_value: false }
+# - { boolean: "ondemand_use_torque", boolean_value: false }
+# - { boolean: "ondemand_use_kubernetes", boolean_value: false }
+# - { boolean: "ondemand_use_ldap", boolean_value: false }
+# - { boolean: "ondemand_use_kerberos", boolean_value: false }
+# - { boolean: "ondemand_use_smtp", boolean_value: false }
+
 # needed for testing. no reason to change these in production.
 disable_htcacheclean: false
 nodejs_version: 20
diff --git a/meta/main.yml b/meta/main.yml
index 62c26be..c307465 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,3 +1,6 @@
+dependencies:
+ - ansible.posix
+
 galaxy_info:
 role_name: open_ondemand
 namespace: osc
diff --git a/molecule/requirements.txt b/molecule/requirements.txt
index c03b410..0ee07cd 100644
--- a/molecule/requirements.txt
+++ b/molecule/requirements.txt
@@ -1,6 +1,8 @@
 # lock ansible-core because 2.18 has issues with EL8.
 # specifically https://github.com/ansible/ansible/issues/82068
 ansible-core<2.17
+# molecule-plugins requires python >= 3.10
+python>=3.10
 ansible
 ansible-lint
 ansible_compat
diff --git a/tasks/configure.yml b/tasks/configure.yml
index 83f2839..de3647c 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -98,3 +98,12 @@
 name: "{{ apache_service_name }}"
 state: "{{ apache_service_state }}"
 enabled: "{{ apache_service_enabled }}"
+
+
+- name: Set httpd_can_network_connect flag on and keep it persistent across reboots
+ ansible.posix.seboolean:
+ name: "{{item.boolean}}"
+ state: "{{item.boolean_value}}"
+ persistent: true
+ with_items: seboolean_configuration
+ when: install_ondemand_selinux and seboolean_configuration is defined
\ No newline at end of file
diff --git a/tasks/install-package.yml b/tasks/install-package.yml
index 9732093..d0a0de5 100644
--- a/tasks/install-package.yml
+++ b/tasks/install-package.yml
@@ -97,3 +97,9 @@
 name: "{{ 'ondemand-dex' if ondemand_dex_package == 'latest' else ondemand_dex_package }}"
 state: "{{ 'latest' if ondemand_dex_package == 'latest' else 'present' }}"
 when: install_ondemand_dex
+
+- name: Install ondemand-selinux
+ ansible.builtin.package:
+ name: "{{ 'ondemand-selinux' if ondemand_selinux_package == 'latest' else ondemand_selinux_package }}"
+ state: "{{ 'latest' if ondemand_selinux_package == 'latest' else 'present' }}"
+ when: install_ondemand_selinux
From 903b860ef27ac6e09b1ad3b2e1782413eb1ff3f6 Mon Sep 17 00:00:00 2001
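Review bot: In meta/main.yml, `dependencies:` lists roles, so the added `- ansible.posix` is resolved as a role of that name and not as the collection that provides `ansible.posix.seboolean`. Declare the collection where collections are installed from, for example a requirements.yml entry `collections:` followed by `- name: ansible.posix` (the page does not show whether the project already has such a file). Pinning a version there means the module that changes SELinux state comes from a known release.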
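Review bot: In molecule/requirements.txt the added `python>=3.10` is read by pip as a distribution to resolve from the package index, not as a constraint on the interpreter, so the line either breaks the install or pulls in whatever is published under that name. Keep the comment and drop the requirement line, then enforce the interpreter version in the CI or molecule environment. If only one package needs it, attach an environment marker to that package instead, in the form `<package>; python_version >= "3.10"`.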
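Review bot: In tasks/configure.yml the task name says it sets httpd_can_network_connect, but the task applies whatever `seboolean_configuration` lists, which makes run logs and audits of SELinux changes misleading. `with_items: seboolean_configuration` is also an untemplated bare name, which current ansible-core treats as a literal string rather than the list, so `item.boolean` would presumably fail. Nothing checks that SELinux is enabled on the host before `ansible.posix.seboolean` runs. The rewrite below renames the task, templates the loop with an empty default, and gates on the SELinux fact (this assumes facts are gathered); the file should also end with a newline.

```yaml
- name: Set Open OnDemand SELinux booleans and keep them persistent across reboots
  ansible.posix.seboolean:
    # … unchanged: name, state, persistent …
  loop: "{{ seboolean_configuration | default([]) }}"
  when:
    - install_ondemand_selinux | bool
    - ansible_facts.selinux.status == 'enabled'
```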
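Review bot: In tasks/install-package.yml the new task installs the policy package, but once PATCH 2/2 reverts the seboolean task nothing in this series sets the `ondemand_*` booleans, so they stay at whatever the package ships. A comment above the task would make that explicit, for example `# Installs the SELinux policy only; ondemand_* booleans (ondemand_use_nfs, ...) are left at package defaults and must be set by the site.` The condition is also safer written as `when: install_ondemand_selinux | bool`, because on ansible-core versions where a non-empty string is truthy in a bare conditional, a value passed as the string "false" would still install the package.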
From: Kieran Devany
Date: Tue, 25 Feb 2025 11:27:27 -0500
Subject: [PATCH 2/2] reverting seboolean changes
---
 defaults/main/install.yml | 14 --------------
 meta/main.yml | 3 ---
 molecule/requirements.txt | 2 --
 tasks/configure.yml | 9 ---------
 4 files changed, 28 deletions(-)
diff --git a/defaults/main/install.yml b/defaults/main/install.yml
index 1ffdb90..63b95bf 100644
--- a/defaults/main/install.yml
+++ b/defaults/main/install.yml
@@ -44,20 +44,6 @@ ondemand_dex_package: ondemand-dex # behaviour as for ondemand_package
 install_ondemand_selinux: false
 ondemand_selinux_package: ondemand-selinux # behaviour as for ondemand_package
-# Defaults values to configure SELinux booleans
-#seboolean_configuration:
-# - { boolean: "ondemand_manage_user_home_dir", boolean_value: false }
-# - { boolean: "ondemand_manage_vmblock", boolean_value: false }
-# - { boolean: "ondemand_use_nfs", boolean_value: false }
-# - { boolean: "ondemand_use_ssh", boolean_value: false }
-# - { boolean: "ondemand_use_sssd", boolean_value: false }
-# - { boolean: "ondemand_use_slurm", boolean_value: false }
-# - { boolean: "ondemand_use_torque", boolean_value: false }
-# - { boolean: "ondemand_use_kubernetes", boolean_value: false }
-# - { boolean: "ondemand_use_ldap", boolean_value: false }
-# - { boolean: "ondemand_use_kerberos", boolean_value: false }
-# - { boolean: "ondemand_use_smtp", boolean_value: false }
-
 # needed for testing. no reason to change these in production.
 disable_htcacheclean: false
 nodejs_version: 20
diff --git a/meta/main.yml b/meta/main.yml
index c307465..62c26be 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,6 +1,3 @@
-dependencies:
- - ansible.posix
-
 galaxy_info:
 role_name: open_ondemand
 namespace: osc
diff --git a/molecule/requirements.txt b/molecule/requirements.txt
index 0ee07cd..c03b410 100644
--- a/molecule/requirements.txt
+++ b/molecule/requirements.txt
@@ -1,8 +1,6 @@
 # lock ansible-core because 2.18 has issues with EL8.
 # specifically https://github.com/ansible/ansible/issues/82068
 ansible-core<2.17
-# molecule-plugins requires python >= 3.10
-python>=3.10
 ansible
 ansible-lint
 ansible_compat
diff --git a/tasks/configure.yml b/tasks/configure.yml
index de3647c..83f2839 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -98,12 +98,3 @@
 name: "{{ apache_service_name }}"
 state: "{{ apache_service_state }}"
 enabled: "{{ apache_service_enabled }}"
-
-
-- name: Set httpd_can_network_connect flag on and keep it persistent across reboots
- ansible.posix.seboolean:
- name: "{{item.boolean}}"
- state: "{{item.boolean_value}}"
- persistent: true
- with_items: seboolean_configuration
- when: install_ondemand_selinux and seboolean_configuration is defined
\ No newline at end of file