Add a new main tasks file for pre-service setup

There are a number of tasks and use of the ssh keypair setup role
which must happen on all of the keystone hosts before the service
itself is deployed.

Previously, the keystone role ran with serial (1,100%), and the
pre-service setup tasks iterated over ansible_play_hosts
during the deployment of the first keystone host using delegate_to.
This makes the control flow of the role hard to understand and
causes issues when the pre-service tasks need to include further
roles which also use delegate_to, such as the ssh-keypairs role.

This change introduces a new 'main' tasks file for the pre-service
setup  which can be called independantly with no restriction on
serial:. This means that the pre-service setup can be completed
on all keystone hosts using normal ansible tasks without iteration
or delegate_to, and the role can be called a second time with the usual
main.yml and serial: settings to deploy the service itself and
maintain operation in a H/A deployment. In addition, the behaviour
of --limit will now be more obvious.

Change-Id: Ifcd2afe217205684b0ea3917a3776666d10ffae7

tasks/main_pre.yml

@@ -0,0 +1,83 @@
+---
+# Copyright 2022, BBC R&D
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: create the system group
+  group:
+    name: "{{ keystone_system_group_name }}"
+    state: "present"
+    system: "yes"
+
+- name: create additional groups
+  group:
+    name: "{{ item }}"
+    state: "present"
+    system: "yes"
+  with_items:
+    - "{{ keystone_system_additional_groups }}"
+
+- name: Create the keystone system user
+  user:
+    name: "{{ keystone_system_user_name }}"
+    group: "{{ keystone_system_group_name }}"
+    groups: "{{ keystone_system_additional_groups | join(',') }}"
+    comment: "{{ keystone_system_comment }}"
+    shell: "{{ keystone_system_shell }}"
+    system: "yes"
+    createhome: "yes"
+    home: "{{ keystone_system_user_home }}"
+
+- name: Create keystone dir
+  file:
+    path: "{{ item.path | default(omit) }}"
+    src: "{{ item.src | default(omit) }}"
+    dest: "{{ item.dest | default(omit) }}"
+    state: "{{ item.state | default('directory') }}"
+    owner: "{{ item.owner|default(keystone_system_user_name) }}"
+    group: "{{ item.group|default(keystone_system_group_name) }}"
+    mode: "{{ item.mode | default(omit) }}"
+    force: "{{ item.force | default(omit) }}"
+  with_items:
+    - path: "/openstack"
+      mode: "0755"
+      owner: "root"
+      group: "root"
+    - dest: "/etc/keystone"
+      mode: "0755"
+    - path: "{{ keystone_credential_key_repository }}"
+      mode: "0750"
+    - path: "{{ keystone_ldap_domain_config_dir }}"
+      mode: "0750"
+    - path: "/etc/keystone/ssl"
+    - path: "{{ keystone_fernet_tokens_key_repository }}"
+      mode: "2750"
+    - path: "{{ keystone_system_user_home }}"
+    - path: "/var/www/cgi-bin"
+      owner: root
+      group: root
+    - path: "/var/www/cgi-bin/keystone"
+    - path: "{{ keystone_security_txt_dir }}"
+    - path: "/etc/ansible/facts.d"
+      owner: root
+      group: root
+
+- name: Create security.txt file
+  copy:
+    content: "{{ keystone_security_txt_content }}"
+    dest: "{{ keystone_security_txt_dir }}/security.txt"
+  when: keystone_security_txt_content is defined
+
+- import_tasks: keystone_key_setup.yml
+  tags:
+    - keystone-install