init gerrit management

2023-07-25 01:49:15 -07:00 · 2023-07-25 01:49:15 -07:00 · c2c4a82b85
commit c2c4a82b85
24 changed files with 448 additions and 0 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@ -0,0 +1,6 @@
+# .ansible-lint
+warn_list:
+  - '204' # Lines should be less than 160 characters
+  - '701' # meta/main.yml should contain relevant info
+skip_list:
+  - '106' # Role name must match ^[a-z][a-z0-9_]+$ pattern
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,7 @@
+inventory
+roles/*
+collections/*
+!roles/README.md
+!roles/requirements.yml
+!collections/README.md
+!collections/requirements.yml
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -0,0 +1,35 @@
+---
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.4.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-added-large-files
+      - id: check-case-conflict
+      - id: check-executables-have-shebangs
+      - id: check-json
+      - id: pretty-format-json
+      - id: detect-private-key
+
+  - repo: local
+    hooks:
+      - id: ansible-lint
+        name: Ansible-lint
+        description: This hook runs ansible-lint.
+        entry: ansible-lint -v --force-color
+        language: python
+        # do not pass files to ansible-lint, see:
+        # https://github.com/ansible/ansible-lint/issues/611
+        pass_filenames: false
+        always_run: true
+        additional_dependencies:
+          - ansible-core>=2.13.3
+
+  - repo: https://github.com/adrienverge/yamllint.git
+    rev: v1.29.0
+    hooks:
+      - id: yamllint
+        files: \.(yaml|yml)$
+        types: [file, yaml]
+        entry: yamllint
--- a/.yamllint
+++ b/.yamllint
@ -0,0 +1,7 @@
+---
+extends: default
+
+rules:
+  line-length:
+    max: 140
+    level: warning
--- a/README.md
+++ b/README.md
@ -0,0 +1,7 @@
+# Ansible AWX Template: Gerrit
+
+Ansible AWX is the method used for the Rocky Linux infrastructure, as a replacement for using the CLI. This is for installing and maintaining Gerrit.
+
+## Provides / Information
+
+This provides the configuration and installation of gerrit.
--- a/collections/README.md
+++ b/collections/README.md
@ -0,0 +1,14 @@
+# Collections
+
+If you are wanting to use a collection specifically for this, you will need to define it in a `requirements.yml`, otherwise AWX will not install what you need to run your tasks.
+
+Example:
+
+```
+---
+# Roles
+collections:
+  - netbox.netbox
+  - community.aws
+  - containers.podman
+```
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -0,0 +1,57 @@
+---
+# Defaults
+gerrit_user: "git"
+gerrit_group: "git"
+gerrit_version: "3.8.1"
+#gerrit_home_dir: "/opt/gerrit-{{ gerrit_version }}"
+gerrit_home_dir: "/opt/gerrit"
+gerrit_site: "rlgitsvc"
+gerrit_container_user: "{{ gerrit_user }}"
+gerrit_container_heap_limit: "1g"
+gerrit_container_java_options: "-server -XX:+PrintGCDetails -XX:MaxPermSize=256M"
+
+gerrit_database_type: "postgresql"
+gerrit_database_user: "gerrit"
+gerrit_database_name: "gerrit"
+gerrit_database_password: "gerrit"
+gerrit_database_host: "localhost"
+
+gerrit_allow_insecure_passwords: false
+
+# Gerrit vars
+gerrit_config_base_path: "git"
+gerrit_config_canonical_weburl: "https://git.rockylinux.org"
+
+# Gerrit index. Default LUCENE
+gerrit_index_type: "LUCENE"
+
+# Gerrit auth type
+gerrit_auth_type: "LDAP"
+
+# Gerrit sshd
+gerrit_sshd_listen_address: "*:22220"
+gerrit_sshd_threads: "32"
+
+# Gerrit httpd
+gerrit_httpd_listen_url: "proxy-https://127.0.0.1:8080/"
+gerrit_referenced_objects_reachable: false
+
+# Gerrit setup
+gerrit_directories:
+  - "{{ gerrit_home_dir }}/{{ gerrit_site }}/etc"
+  - "{{ gerrit_home_dir }}/{{ gerrit_site }}/lib"
+  - "{{ gerrit_home_dir }}/{{ gerrit_site }}/static"
+  - "{{ gerrit_home_dir }}/{{ gerrit_site }}/hooks"
+  - "{{ gerrit_home_dir }}/{{ gerrit_site }}/plugins"
+  - "{{ gerrit_home_dir }}/{{ gerrit_site }}/cache"
+
+# oauth if enabled
+oauth_base_url: "https://accounts.rockylinux.org/auth"
+oauth_realm: "rocky"
+oauth_client_id: "gerrit"
+oauth_client_secret: "NONE"
+
+# ldap if enabled
+ldap_url_list:
+  - ldap://ipa-us-east-2.rockylinux.org
+...
--- a/files/README.md
+++ b/files/README.md
@ -0,0 +1 @@
+Files come here
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -0,0 +1,11 @@
+---
+- name: restart_gerrit
+  ansible.builtin.systemd:
+    name: gerrit.service
+    state: restarted
+    daemon_reload: true
+
+- name: reload_systemd
+  ansible.builtin.systemd:
+    daemon_reload: true
+...
--- a/install-gerrit.yml
+++ b/install-gerrit.yml
@ -0,0 +1,52 @@
+---
+# Deploys gerrit
+- name: Deploy gerrit
+  hosts: '{{ host }}'
+  become: true
+  vars_files:
+    - vars/gerrit.yml
+  handlers:
+    - import_tasks: handlers/main.yml
+
+  pre_tasks:
+    - name: Check if ansible cannot be run here
+      stat:
+        path: /etc/no-ansible
+      register: no_ansible
+
+    - name: Verify if we can run ansible
+      ansible.builtin.assert:
+        that:
+          - "not no_ansible.stat.exists"
+        success_msg: "We are able to run on this node"
+        fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+    - name: Verify if we are Rocky Linux 9 or higher
+      ansible.builtin.assert:
+        that:
+          - ansible_distribution_major_version|int >= 9
+          - ansible_distribution | lower == "rocky"
+        success_msg: "We are on a supported system"
+        fail_msg: "Only Rocky Linux versions 9 or higher are supported."
+
+    - name: Check that variables are set properly
+      ansible.builtin.assert:
+        that:
+          - gerrit_database_password != "gerrit"
+        success_msg: "Proper password is set."
+        fail_msg: "Please set a proper database password."
+      when: not gerrit_allow_insecure_passwords|bool
+
+  tasks:
+    - name: Deploy gerrit as needed
+      ansible.builtin.import_tasks: tasks/install.yml
+
+  post_tasks:
+    - name: Touching run file that ansible has ran here
+      ansible.builtin.file:
+        path: /var/log/ansible.run
+        state: touch
+        mode: '0644'
+        owner: root
+        group: root
+...
--- a/roles/README.md
+++ b/roles/README.md
@ -0,0 +1,14 @@
+# Roles
+
+If you are wanting to use role specifically for this, you will need to define it in a `requirements.yml`, otherwise AWX will not install what you need to run your tasks.
+
+Example:
+
+```
+---
+# Roles
+roles:
+  - rockylinux.ipagetcert
+    src: https://github.com/rocky-linux/ansible-role-ipa-getcert
+    version: main
+```
--- a/tasks/deploy.yml
+++ b/tasks/deploy.yml
@ -0,0 +1,70 @@
+---
+- name: Download gerrit
+  ansible.builtin.get_url:
+    url: "{{ gerrit_download_url }}"
+    dest: "{{ gerrit_home_dir }}"
+    owner: "{{ gerrit_user }}"
+    group: "{{ gerrit_group }}"
+    mode: "0644"
+
+- name: Drop gerrit config
+  ansible.builtin.template:
+    src: gerrit.config.j2
+    dest: "{{ gerrit_home_dir }}/{{ gerrit_site }}/etc/gerrit.config"
+    owner: "{{ gerrit_user }}"
+    group: "{{ gerrit_group }}"
+    mode: "0644"
+  notify: restart_gerrit
+  register: gerrit_config
+
+- name: Drop secure gerrit config
+  ansible.builtin.template:
+    src: secure.config.j2
+    dest: "{{ gerrit_home_dir }}/{{ gerrit_site }}/etc/secure.config"
+    owner: "{{ gerrit_user }}"
+    group: "{{ gerrit_group }}"
+    mode: "0600"
+  notify: restart_gerrit
+  register: gerrit_secure_config
+
+- name: Drop systemd unit
+  ansible.builtin.template:
+    src: gerrit.service.j2
+    dest: /etc/systemd/system/gerrit.service
+    owner: root
+    group: root
+    mode: "0644"
+  notify: reload_systemd
+  register: gerrit_systemd
+
+- name: Perform gerrit tasks if configuration has changed
+  when:
+    - gerrit_secure_config.changed
+    - gerrit_config.changed
+  block:
+    - name: Stop gerrit
+      ansible.builtin.systemd:
+        name: gerrit.service
+        state: stopped
+
+    - name: Re-init gerrit
+      ansible.builtin.shell: "{{ gerrit_java_path }} -jar gerrit-{{ gerrit_version }}.war init --batch --no-auto-start -d {{ gerrit_home_dir }}/{{ gerrit_site }}"
+      args:
+        chdir: "{{ gerrit_home_dir }}"
+      become: true
+      become_user: "{{ gerrit_user }}"
+      changed_when: "1 != 1"
+
+    - name: Re-index gerrit
+      ansible.builtin.shell: "{{ gerrit_java_path }} -jar gerrit-{{ gerrit_version }}.war reindex -d {{ gerrit_home_dir }}/{{ gerrit_site }}"
+      args:
+        chdir: "{{ gerrit_home_dir }}"
+      become: true
+      become_user: "{{ gerrit_user }}"
+      changed_when: "1 != 1"
+
+- name: Ensure gerrit is enabled
+  ansible.builtin.systemd:
+    name: gerrit.service
+    enabled: true
+...
--- a/tasks/install.yml
+++ b/tasks/install.yml
@ -0,0 +1,7 @@
+---
+- name: Setup gerrit basics
+  ansible.builtin.include_tasks: setup.yml
+
+- name: Install gerrit
+  ansible.builtin.include_tasks: deploy.yml
+...
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,4 @@
+---
+# No tasks
+- debug: msg="No tasks are provided here. Please import the task as needed in your playbook."
+...
--- a/tasks/setup.yml
+++ b/tasks/setup.yml
@ -0,0 +1,22 @@
+---
+- name: Create gerrit group
+  ansible.builtin.group:
+    name: "{{ gerrit_group }}"
+    state: present
+
+- name: Create gerrit user
+  ansible.builtin.user:
+    name: "{{ gerrit_user }}"
+    group: "{{ gerrit_group }}"
+    state: present
+
+- name: Create gerrit directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    owner: "{{ gerrit_user }}"
+    group: "{{ gerrit_group }}"
+    mode: "0755"
+    state: directory
+    recurse: true
+  loop: "{{ gerrit_directories }}"
+...
--- a/templates/README.md
+++ b/templates/README.md
@ -0,0 +1 @@
+Templates go here
--- a/templates/gerrit.config.j2
+++ b/templates/gerrit.config.j2
@ -0,0 +1,59 @@
+[gerrit]
+        basePath = git
+        canonicalWebUrl = {{ gerrit_config_canonical_weburl }}
+
+[container]
+        javaOptions = {{ gerrit_container_java_options }}
+        user = {{ gerrit_user }}
+        heapLimit = {{ gerrit_container_heap_limit }}
+        javaHome = /usr/lib/jvm/jre/
+
+[index]
+        type = {{ gerrit_index_type }}
+
+[auth]
+        type = {{ gerrit_auth_type }}
+        userNameCaseInsensitive = true
+{% if gerrit_auth_type == 'OAUTH' %}
+        gitBasicAuthPolicy = HTTP
+[plugin "oauth-keycloak-oauth"]
+        root-url = {{ oauth_base_url }}
+        realm = {{ oauth_realm }}
+        client-id = {{ oauth_client_id }}
+        client-secret = {{ oauth_client_secret }}
+{% endif %}
+
+[receive]
+        enableSignedPush = true
+        checkReferencedObjectsAreReachable = {{ gerrit_referenced_objects_reachable }}
+
+[sendemail]
+        smtpServer = localhost
+
+[sshd]
+        listenAddress = {{ gerrit_sshd_listen_address }}
+        threads = {{ gerrit_sshd_threads }}
+
+[httpd]
+        listenUrl = {{ gerrit_httpd_listen_url }}
+
+[cache]
+        directory = cache
+
+{% if gerrit_auth_type == "LDAP" %}
+[ldap]
+        server = {{ ldap_url_list|join(' ') }}
+        accountBase = cn=users,cn=accounts,dc=rockylinux,dc=org
+        accountPattern = (&(objectClass=posixAccount)(memberOf=cn=signed_rgca,cn=groups,cn=accounts,dc=rockylinux,dc=org)(uid=${username}))
+        accountFullName = displayName
+        accountEmailAddress = mail
+        accountMemberField = memberOf
+        groupBase = cn=groups,cn=accounts,dc=rockylinux,dc=org
+        groupPattern = (cn=${groupname})
+        localUsernameToLowerCase = true
+        startTls = true
+        sslVerify = true
+{% endif %}
+
+[plugin "avatars-gravatar"]
+        url = https://seccdn.libravatar.org/avatar/
--- a/templates/gerrit.service.j2
+++ b/templates/gerrit.service.j2
@ -0,0 +1,17 @@
+[Unit]
+Description=Gerrit
+After=network.target
+
+[Service]
+Type=simple
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=gerrit
+WorkingDirectory={{ gerrit_home_dir }}
+User={{ gerrit_user|default('git') }}
+ExecStart={{ gerrit_java_path|default('/usr/bin/java') }} -DGerritCodeReview=1 -jar {{ gerrit_home_dir }}/gerrit-{{ gerrit_version }}.war daemon -d {{ gerrit_site|default('rlgitsvc') }}
+ExecStop=/bin/kill -s SIGINT $MAINPID
+PIDFile=/run/gerrit.pid
+
+[Install]
+WantedBy=multi-user.target
--- a/templates/motd.config.j2
+++ b/templates/motd.config.j2
@ -0,0 +1,14 @@
+[gerrit]
+  motd =           .:^~~~~^:.
+  motd =       .^!?JJJJJJJJJJ?!^.
+  motd =       ~?JJJJJJJJJJJJJJJJ?~
+  motd =    :?JJJJJJJJJJJJJJJJJJJJ?:
+  motd =   .?JJJJJJJJJJJJJJ7?JJJJJJ?.
+  motd =   !JJJJJJJJJJJJJ7:  ^?JJJJJ!
+  motd =   7JJJJJJJJJJJ!:      ^7JJJ7
+  motd =   !JJJJJJJJJ!.    :.    :7J!
+  motd =   .?JJJJJ?~.    :7JJ!.    :.
+  motd =    :?JJ?~.    ^7JJJJJJ!:
+  motd =     .~~     ^?JJJJJJJJY?:
+  motd =           ^?YYJJJJJJ?!^.
+  motd =           .:^~~~~^:.
--- a/templates/secure.config.j2
+++ b/templates/secure.config.j2
@ -0,0 +1,6 @@
+[database]
+  type = {{ gerrit_database_type }}
+  username = {{ gerrit_database_user }}
+  database = {{ gerrit_database_name }}
+  password = {{ gerrit_database_password }}
+  hostname = {{ gerrit_database_host }}
--- a/tests/README.md
+++ b/tests/README.md
@ -0,0 +1,3 @@
+# Tests
+
+Basic tests for the playbooks and tasks come here. Generally you need a `test.yml` and `inventory` file with at least `localhost`
--- a/tests/test.yml
+++ b/tests/test.yml
@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  tasks:
+    - import_tasks: example.yml
--- a/vars/gerrit.yml
+++ b/vars/gerrit.yml
@ -0,0 +1,26 @@
+---
+# Vars that should not be overridden
+gerrit_download_url: "https://gerrit-releases.storage.googleapis.com/gerrit-{{ gerrit_version }}.war"
+gerrit_java_path: "/usr/bin/java"
+gerrit_plugin_urls:
+  - https://gerrit-ci.gerritforge.com/job/plugin-reviewers-bazel-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/reviewers/reviewers.jar
+  - https://gerrit-ci.gerritforge.com/job/plugin-serviceuser-bazel-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/serviceuser/serviceuser.jar
+  - https://gerrit-ci.gerritforge.com/job/plugin-zuul-bazel-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/zuul/zuul.jar
+  - https://gerrit-ci.gerritforge.com/job/plugin-zuul-status-bazel-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/zuul-status/zuul-status.jar
+  - https://gerrit-ci.gerritforge.com/job/plugin-zuul-results-summary-bazel-main-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/zuul-results-summary/zuul-results-summary.jar
+  - https://gerrit-ci.gerritforge.com/job/plugin-motd-bazel-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/motd/motd.jar
+  - https://gerrit-ci.gerritforge.com/job/plugin-events-rabbitmq-bazel-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/events-rabbitmq/events-rabbitmq.jar
+  - https://gerrit-ci.gerritforge.com/job/plugin-avatars-gravatar-bazel-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/avatars-gravatar/avatars-gravatar.jar
+  - https://gerrit-ci.gerritforge.com/job/plugin-oauth-bazel-master-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/oauth/oauth.jar
+gerrit_plugins_on_standby:
+  - https://gerrit-ci.gerritforge.com/job/plugin-reviewers-by-blame-bazel-master-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/reviewers-by-blame/reviewers-by-blame.jar
+  - https://gerrit-ci.gerritforge.com/job/plugin-avatars-external-bazel-master-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/avatars-external/avatars-external.jar
+
+installed_packages:
+  - java-11-openjdk
+  - java-11-openjdk-headless
+  - tzdata-java
+  - postfix
+  - httpd
+  - mod_ssl
+...
--- a/vars/main.yml
+++ b/vars/main.yml
@ -0,0 +1,3 @@
+---
+# Vars that should not be overridden
+...