commit c2c4a82b8518ae0d6359144dafe953a8fb3565e0 Author: Louis Abel Date: Tue Jul 25 01:49:15 2023 -0700 init gerrit management
diff --git a/.ansible-lint b/.ansible-lint
new file mode 100644
index 0000000..2394b2a
--- /dev/null
+++ b/.ansible-lint
@@ -0,0 +1,6 @@
+# .ansible-lint
+warn_list:
+ - '204' # Lines should be less than 160 characters
+ - '701' # meta/main.yml should contain relevant info
+skip_list:
+ - '106' # Role name must match ^[a-z][a-z0-9_]+$ pattern
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..cdc6381
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,7 @@
+inventory
+roles/*
+collections/*
+!roles/README.md
+!roles/requirements.yml
+!collections/README.md
+!collections/requirements.yml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..f64d238
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,35 @@
+---
+repos:
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.4.0
+ hooks:
+ - id: trailing-whitespace
+ - id: end-of-file-fixer
+ - id: check-added-large-files
+ - id: check-case-conflict
+ - id: check-executables-have-shebangs
+ - id: check-json
+ - id: pretty-format-json
+ - id: detect-private-key
+
+ - repo: local
+ hooks:
+ - id: ansible-lint
+ name: Ansible-lint
+ description: This hook runs ansible-lint.
+ entry: ansible-lint -v --force-color
+ language: python
+ # do not pass files to ansible-lint, see:
+ # https://github.com/ansible/ansible-lint/issues/611
+ pass_filenames: false
+ always_run: true
+ additional_dependencies:
+ - ansible-core>=2.13.3
+
+ - repo: https://github.com/adrienverge/yamllint.git
+ rev: v1.29.0
+ hooks:
+ - id: yamllint
+ files: \.(yaml|yml)$
+ types: [file, yaml]
+ entry: yamllint
diff --git a/.yamllint b/.yamllint
new file mode 100644
index 0000000..04c5633
--- /dev/null
+++ b/.yamllint
@@ -0,0 +1,7 @@
+---
+extends: default
+
+rules:
+ line-length:
+ max: 140
+ level: warning
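Review bot: In .pre-commit-config.yaml the two remote hooks are pinned by tag (`rev: v4.4.0`, `rev: v1.29.0`), which the upstream owner can move; pre-commit accepts a full commit SHA in `rev`, and pinning that way is what makes the lint step reproducible and keeps a re-pointed tag from changing what runs on every commit here. The `detect-private-key` hook is a good fit for a repo that will carry templates with secrets in them, so it is worth keeping first in the list as it is.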
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..2a60e2c
--- /dev/null
+++ b/README.md
@@ -0,0 +1,7 @@
+# Ansible AWX Template: Gerrit
+
+Ansible AWX is the method used for the Rocky Linux infrastructure, as a replacement for using the CLI. This is for installing and maintaining Gerrit.
+
+## Provides / Information
+
+This provides the configuration and installation of gerrit.
diff --git a/collections/README.md b/collections/README.md
new file mode 100644
index 0000000..a70c7ef
--- /dev/null
+++ b/collections/README.md
@@ -0,0 +1,14 @@
+# Collections
+
+If you are wanting to use a collection specifically for this, you will need to define it in a `requirements.yml`, otherwise AWX will not install what you need to run your tasks.
+
+Example:
+
+```
+---
+# Roles
+collections:
+ - netbox.netbox
+ - community.aws
+ - containers.podman
+```
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..0e31899
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,57 @@
+---
+# Defaults
+gerrit_user: "git"
+gerrit_group: "git"
+gerrit_version: "3.8.1"
+#gerrit_home_dir: "/opt/gerrit-{{ gerrit_version }}"
+gerrit_home_dir: "/opt/gerrit"
+gerrit_site: "rlgitsvc"
+gerrit_container_user: "{{ gerrit_user }}"
+gerrit_container_heap_limit: "1g"
+gerrit_container_java_options: "-server -XX:+PrintGCDetails -XX:MaxPermSize=256M"
+
+gerrit_database_type: "postgresql"
+gerrit_database_user: "gerrit"
+gerrit_database_name: "gerrit"
+gerrit_database_password: "gerrit"
+gerrit_database_host: "localhost"
+
+gerrit_allow_insecure_passwords: false
+
+# Gerrit vars
+gerrit_config_base_path: "git"
+gerrit_config_canonical_weburl: "https://git.rockylinux.org"
+
+# Gerrit index. Default LUCENE
+gerrit_index_type: "LUCENE"
+
+# Gerrit auth type
+gerrit_auth_type: "LDAP"
+
+# Gerrit sshd
+gerrit_sshd_listen_address: "*:22220"
+gerrit_sshd_threads: "32"
+
+# Gerrit httpd
+gerrit_httpd_listen_url: "proxy-https://127.0.0.1:8080/"
+gerrit_referenced_objects_reachable: false
+
+# Gerrit setup
+gerrit_directories:
+ - "{{ gerrit_home_dir }}/{{ gerrit_site }}/etc"
+ - "{{ gerrit_home_dir }}/{{ gerrit_site }}/lib"
+ - "{{ gerrit_home_dir }}/{{ gerrit_site }}/static"
+ - "{{ gerrit_home_dir }}/{{ gerrit_site }}/hooks"
+ - "{{ gerrit_home_dir }}/{{ gerrit_site }}/plugins"
+ - "{{ gerrit_home_dir }}/{{ gerrit_site }}/cache"
+
+# oauth if enabled
+oauth_base_url: "https://accounts.rockylinux.org/auth"
+oauth_realm: "rocky"
+oauth_client_id: "gerrit"
+oauth_client_secret: "NONE"
+
+# ldap if enabled
+ldap_url_list:
+ - ldap://ipa-us-east-2.rockylinux.org
+...
diff --git a/files/README.md b/files/README.md
new file mode 100644
index 0000000..f154f20
--- /dev/null
+++ b/files/README.md
@@ -0,0 +1 @@
+Files come here
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..7411166
--- /dev/null
+++ b/handlers/main.yml
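Review bot: `-XX:MaxPermSize=256M` in `gerrit_container_java_options` is a PermGen flag that stopped existing in Java 8; with the `java-11-openjdk` packages this repo lists in vars/gerrit.yml the JVM only prints an "Ignoring option MaxPermSize" warning and the setting does nothing, so trim it to `gerrit_container_java_options: "-server -XX:+PrintGCDetails"`. `gerrit_config_base_path` and `gerrit_container_user` are declared here but templates/gerrit.config.j2 hard-codes `basePath = git` and renders `gerrit_user` directly, so either wire them into the template or drop them to avoid a setting that looks tunable but is not. `oauth_client_secret: "NONE"` is a placeholder that, unlike `gerrit_database_password`, nothing in install-gerrit.yml rejects; a comment such as `# placeholder - must be overridden when gerrit_auth_type is "OAUTH"` next to it would make the expectation visible until an assert covers it.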
@@ -0,0 +1,11 @@
+---
+- name: restart_gerrit
+ ansible.builtin.systemd:
+ name: gerrit.service
+ state: restarted
+ daemon_reload: true
+
+- name: reload_systemd
+ ansible.builtin.systemd:
+ daemon_reload: true
+...
diff --git a/install-gerrit.yml b/install-gerrit.yml
new file mode 100644
index 0000000..91899c9
--- /dev/null
+++ b/install-gerrit.yml
@@ -0,0 +1,52 @@
+---
+# Deploys gerrit
+- name: Deploy gerrit
+ hosts: '{{ host }}'
+ become: true
+ vars_files:
+ - vars/gerrit.yml
+ handlers:
+ - import_tasks: handlers/main.yml
+
+ pre_tasks:
+ - name: Check if ansible cannot be run here
+ stat:
+ path: /etc/no-ansible
+ register: no_ansible
+
+ - name: Verify if we can run ansible
+ ansible.builtin.assert:
+ that:
+ - "not no_ansible.stat.exists"
+ success_msg: "We are able to run on this node"
+ fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+ - name: Verify if we are Rocky Linux 9 or higher
+ ansible.builtin.assert:
+ that:
+ - ansible_distribution_major_version|int >= 9
+ - ansible_distribution | lower == "rocky"
+ success_msg: "We are on a supported system"
+ fail_msg: "Only Rocky Linux versions 9 or higher are supported."
+
+ - name: Check that variables are set properly
+ ansible.builtin.assert:
+ that:
+ - gerrit_database_password != "gerrit"
+ success_msg: "Proper password is set."
+ fail_msg: "Please set a proper database password."
+ when: not gerrit_allow_insecure_passwords|bool
+
+ tasks:
+ - name: Deploy gerrit as needed
+ ansible.builtin.import_tasks: tasks/install.yml
+
+ post_tasks:
+ - name: Touching run file that ansible has ran here
+ ansible.builtin.file:
+ path: /var/log/ansible.run
+ state: touch
+ mode: '0644'
+ owner: root
+ group: root
+...
diff --git a/roles/README.md b/roles/README.md
new file mode 100644
index 0000000..169dbf3
--- /dev/null
+++ b/roles/README.md
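Review bot: The `Check that variables are set properly` assert in install-gerrit.yml only rejects the default database password, while `oauth_client_secret` keeps its placeholder default `NONE` and, when `gerrit_auth_type` is OAUTH, is rendered by templates/gerrit.config.j2 into a 0644 file; the same pre_task should carry a second condition, `- gerrit_auth_type != "OAUTH" or oauth_client_secret != "NONE"`, with a matching `fail_msg`. The play loads only `vars/gerrit.yml` through `vars_files`, and `defaults/main.yml` is picked up automatically only when this directory is consumed as a role, so unless AWX injects `gerrit_database_password` and the other defaults as extra vars this assert fails on an undefined variable instead of with its `fail_msg` — presumably intentional for the AWX workflow, but a one-line comment next to `vars_files` saying where the defaults are expected to come from would save the next reader the same question. Minor: `stat:` is the only module in this play not written with its FQCN, `ansible.builtin.stat`.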
@@ -0,0 +1,14 @@
+# Roles
+
+If you are wanting to use role specifically for this, you will need to define it in a `requirements.yml`, otherwise AWX will not install what you need to run your tasks.
+
+Example:
+
+```
+---
+# Roles
+roles:
+ - rockylinux.ipagetcert
+ src: https://github.com/rocky-linux/ansible-role-ipa-getcert
+ version: main
+```
diff --git a/tasks/deploy.yml b/tasks/deploy.yml
new file mode 100644
index 0000000..6be0bc8
--- /dev/null
+++ b/tasks/deploy.yml
@@ -0,0 +1,70 @@
+---
+- name: Download gerrit
+ ansible.builtin.get_url:
+ url: "{{ gerrit_download_url }}"
+ dest: "{{ gerrit_home_dir }}"
+ owner: "{{ gerrit_user }}"
+ group: "{{ gerrit_group }}"
+ mode: "0644"
+
+- name: Drop gerrit config
+ ansible.builtin.template:
+ src: gerrit.config.j2
+ dest: "{{ gerrit_home_dir }}/{{ gerrit_site }}/etc/gerrit.config"
+ owner: "{{ gerrit_user }}"
+ group: "{{ gerrit_group }}"
+ mode: "0644"
+ notify: restart_gerrit
+ register: gerrit_config
+
+- name: Drop secure gerrit config
+ ansible.builtin.template:
+ src: secure.config.j2
+ dest: "{{ gerrit_home_dir }}/{{ gerrit_site }}/etc/secure.config"
+ owner: "{{ gerrit_user }}"
+ group: "{{ gerrit_group }}"
+ mode: "0600"
+ notify: restart_gerrit
+ register: gerrit_secure_config
+
+- name: Drop systemd unit
+ ansible.builtin.template:
+ src: gerrit.service.j2
+ dest: /etc/systemd/system/gerrit.service
+ owner: root
+ group: root
+ mode: "0644"
+ notify: reload_systemd
+ register: gerrit_systemd
+
+- name: Perform gerrit tasks if configuration has changed
+ when:
+ - gerrit_secure_config.changed
+ - gerrit_config.changed
+ block:
+ - name: Stop gerrit
+ ansible.builtin.systemd:
+ name: gerrit.service
+ state: stopped
+
+ - name: Re-init gerrit
+ ansible.builtin.shell: "{{ gerrit_java_path }} -jar gerrit-{{ gerrit_version }}.war init --batch --no-auto-start -d {{ gerrit_home_dir }}/{{ gerrit_site }}"
+ args:
+ chdir: "{{ gerrit_home_dir }}"
+ become: true
+ become_user: "{{ gerrit_user }}"
+ changed_when: "1 != 1"
+
+ - name: Re-index gerrit
+ ansible.builtin.shell: "{{ gerrit_java_path }} -jar gerrit-{{ gerrit_version }}.war reindex -d {{ gerrit_home_dir }}/{{ gerrit_site }}"
+ args:
+ chdir: "{{ gerrit_home_dir }}"
+ become: true
+ become_user: "{{ gerrit_user }}"
+ changed_when: "1 != 1"
+
+- name: Ensure gerrit is enabled
+ ansible.builtin.systemd:
+ name: gerrit.service
+ enabled: true
+...
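Review bot: `Download gerrit` fetches the release WAR with `ansible.builtin.get_url` and no `checksum:`, so whatever bytes arrive are installed and later executed as the gerrit daemon with no integrity check at all; add `checksum: "sha256:<expected-sha256-of-gerrit-war>"` (placeholder — take the digest from the release) next to `url`, ideally keyed by `gerrit_version` so a bump cannot forget it. The `when:` list on `Perform gerrit tasks if configuration has changed` ANDs its two items, so a change to only gerrit.config or only secure.config never re-inits or reindexes; if either should trigger the block, write `when: gerrit_secure_config.changed or gerrit_config.changed`. `changed_when: "1 != 1"` is the roundabout form of `changed_when: false`, and both `Re-init gerrit` and `Re-index gerrit` use no shell features, so `ansible.builtin.command` would do the same job without a shell in between.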
diff --git a/tasks/install.yml b/tasks/install.yml
new file mode 100644
index 0000000..47eec4c
--- /dev/null
+++ b/tasks/install.yml
@@ -0,0 +1,7 @@
+---
+- name: Setup gerrit basics
+ ansible.builtin.include_tasks: setup.yml
+
+- name: Install gerrit
+ ansible.builtin.include_tasks: deploy.yml
+...
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..68a6567
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+# No tasks
+- debug: msg="No tasks are provided here. Please import the task as needed in your playbook."
+...
diff --git a/tasks/setup.yml b/tasks/setup.yml
new file mode 100644
index 0000000..56e2e91
--- /dev/null
+++ b/tasks/setup.yml
@@ -0,0 +1,22 @@
+---
+- name: Create gerrit group
+ ansible.builtin.group:
+ name: "{{ gerrit_group }}"
+ state: present
+
+- name: Create gerrit user
+ ansible.builtin.user:
+ name: "{{ gerrit_user }}"
+ group: "{{ gerrit_group }}"
+ state: present
+
+- name: Create gerrit directories
+ ansible.builtin.file:
+ path: "{{ item }}"
+ owner: "{{ gerrit_user }}"
+ group: "{{ gerrit_group }}"
+ mode: "0755"
+ state: directory
+ recurse: true
+ loop: "{{ gerrit_directories }}"
+...
diff --git a/templates/README.md b/templates/README.md
new file mode 100644
index 0000000..25a2632
--- /dev/null
+++ b/templates/README.md
@@ -0,0 +1 @@
+Templates go here
diff --git a/templates/gerrit.config.j2 b/templates/gerrit.config.j2
new file mode 100644
index 0000000..53cf7b5
--- /dev/null
+++ b/templates/gerrit.config.j2
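Review bot: `Create gerrit directories` in tasks/setup.yml combines `recurse: true` with `mode: "0755"`, which on every run re-applies 0755 to everything already inside those trees — including `etc/secure.config`, which tasks/deploy.yml writes with mode 0600 only afterwards — so between the two tasks the database password in that file is world-readable on the host, and each run reports a change it then undoes. Drop `recurse: true`; the task's job is to create the directories, and the templates already set the modes of the files they drop. `Create gerrit user` also creates a regular login account with a home under /home; a daemon account is usually `system: true` with `create_home: false` unless the JVM needs a home directory here — worth confirming against how the service is run.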
@@ -0,0 +1,59 @@
+[gerrit]
+ basePath = git
+ canonicalWebUrl = {{ gerrit_config_canonical_weburl }}
+
+[container]
+ javaOptions = {{ gerrit_container_java_options }}
+ user = {{ gerrit_user }}
+ heapLimit = {{ gerrit_container_heap_limit }}
+ javaHome = /usr/lib/jvm/jre/
+
+[index]
+ type = {{ gerrit_index_type }}
+
+[auth]
+ type = {{ gerrit_auth_type }}
+ userNameCaseInsensitive = true
+{% if gerrit_auth_type == 'OAUTH' %}
+ gitBasicAuthPolicy = HTTP
+[plugin "oauth-keycloak-oauth"]
+ root-url = {{ oauth_base_url }}
+ realm = {{ oauth_realm }}
+ client-id = {{ oauth_client_id }}
+ client-secret = {{ oauth_client_secret }}
+{% endif %}
+
+[receive]
+ enableSignedPush = true
+ checkReferencedObjectsAreReachable = {{ gerrit_referenced_objects_reachable }}
+
+[sendemail]
+ smtpServer = localhost
+
+[sshd]
+ listenAddress = {{ gerrit_sshd_listen_address }}
+ threads = {{ gerrit_sshd_threads }}
+
+[httpd]
+ listenUrl = {{ gerrit_httpd_listen_url }}
+
+[cache]
+ directory = cache
+
+{% if gerrit_auth_type == "LDAP" %}
+[ldap]
+ server = {{ ldap_url_list|join(' ') }}
+ accountBase = cn=users,cn=accounts,dc=rockylinux,dc=org
+ accountPattern = (&(objectClass=posixAccount)(memberOf=cn=signed_rgca,cn=groups,cn=accounts,dc=rockylinux,dc=org)(uid=${username}))
+ accountFullName = displayName
+ accountEmailAddress = mail
+ accountMemberField = memberOf
+ groupBase = cn=groups,cn=accounts,dc=rockylinux,dc=org
+ groupPattern = (cn=${groupname})
+ localUsernameToLowerCase = true
+ startTls = true
+ sslVerify = true
+{% endif %}
+
+[plugin "avatars-gravatar"]
+ url = https://seccdn.libravatar.org/avatar/
diff --git a/templates/gerrit.service.j2 b/templates/gerrit.service.j2
new file mode 100644
index 0000000..99fb6d9
--- /dev/null
+++ b/templates/gerrit.service.j2
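Review bot: `client-secret = {{ oauth_client_secret }}` is rendered into gerrit.config, which tasks/deploy.yml installs with mode 0644, while the database password goes to the 0600 secure.config; Gerrit reads secure.config with the same section syntax and lets it carry `[plugin "..."]` keys, so move that one line into templates/secure.config.j2 under its own `[plugin "oauth-keycloak-oauth"]` header (inside the same `{% if gerrit_auth_type == 'OAUTH' %}` guard) and keep only the non-secret keys here. `basePath = git` is hard-coded although defaults/main.yml defines `gerrit_config_base_path` for exactly this value; `basePath = {{ gerrit_config_base_path }}` keeps the two in step. `javaHome = /usr/lib/jvm/jre/` and `gerrit_java_path: "/usr/bin/java"` in vars/gerrit.yml describe the JVM twice and can drift apart, which is worth a comment on whichever one is meant to be authoritative.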
@@ -0,0 +1,17 @@
+[Unit]
+Description=Gerrit
+After=network.target
+
+[Service]
+Type=simple
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=gerrit
+WorkingDirectory={{ gerrit_home_dir }}
+User={{ gerrit_user|default('git') }}
+ExecStart={{ gerrit_java_path|default('/usr/bin/java') }} -DGerritCodeReview=1 -jar {{ gerrit_home_dir }}/gerrit-{{ gerrit_version }}.war daemon -d {{ gerrit_site|default('rlgitsvc') }}
+ExecStop=/bin/kill -s SIGINT $MAINPID
+PIDFile=/run/gerrit.pid
+
+[Install]
+WantedBy=multi-user.target
diff --git a/templates/motd.config.j2 b/templates/motd.config.j2
new file mode 100644
index 0000000..58d3117
--- /dev/null
+++ b/templates/motd.config.j2
@@ -0,0 +1,14 @@
+[gerrit]
+ motd = .:^~~~~^:.
+ motd = .^!?JJJJJJJJJJ?!^.
+ motd = ~?JJJJJJJJJJJJJJJJ?~
+ motd = :?JJJJJJJJJJJJJJJJJJJJ?:
+ motd = .?JJJJJJJJJJJJJJ7?JJJJJJ?.
+ motd = !JJJJJJJJJJJJJ7: ^?JJJJJ!
+ motd = 7JJJJJJJJJJJ!: ^7JJJ7
+ motd = !JJJJJJJJJ!. :. :7J!
+ motd = .?JJJJJ?~. :7JJ!. :.
+ motd = :?JJ?~. ^7JJJJJJ!:
+ motd = .~~ ^?JJJJJJJJY?:
+ motd = ^?YYJJJJJJ?!^.
+ motd = .:^~~~~^:.
diff --git a/templates/secure.config.j2 b/templates/secure.config.j2
new file mode 100644
index 0000000..983fc6b
--- /dev/null
+++ b/templates/secure.config.j2
@@ -0,0 +1,6 @@
+[database]
+ type = {{ gerrit_database_type }}
+ username = {{ gerrit_database_user }}
+ database = {{ gerrit_database_name }}
+ password = {{ gerrit_database_password }}
+ hostname = {{ gerrit_database_host }}
diff --git a/tests/README.md b/tests/README.md
new file mode 100644
index 0000000..9876b7a
--- /dev/null
+++ b/tests/README.md
@@ -0,0 +1,3 @@
+# Tests
+
+Basic tests for the playbooks and tasks come here. Generally you need a `test.yml` and `inventory` file with at least `localhost`
diff --git a/tests/test.yml b/tests/test.yml
new file mode 100644
index 0000000..27fe873
--- /dev/null
+++ b/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ tasks:
+ - import_tasks: example.yml
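Review bot: `StandardOutput=syslog` and `StandardError=syslog` in templates/gerrit.service.j2 are obsolete on the systemd that ships with Rocky Linux 9, the only platform install-gerrit.yml admits; systemd rewrites them to the journal and logs a warning on every daemon-reload, so write `StandardOutput=journal` and `StandardError=journal` outright (`SyslogIdentifier` still applies). `PIDFile=/run/gerrit.pid` has no effect with `Type=simple`, where systemd tracks the process it forked itself, and nothing in this commit shows the daemon writing that path, so drop it or confirm the WAR does. Since the unit already runs unprivileged as `{{ gerrit_user }}`, `NoNewPrivileges=true` and `PrivateTmp=true` are cheap additions, and `ProtectSystem=full` leaves /opt — where `WorkingDirectory` points — writable while locking down /usr and /etc.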
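Review bot: `import_tasks: example.yml` in tests/test.yml refers to tests/example.yml, which this commit does not add, so the test play fails at parse time before running anything; point it at the tasks that exist (for example `import_tasks: ../tasks/install.yml`, with the play's variables supplied) or add the file. `- hosts: localhost` together with `remote_user: root` still goes through SSH; `connection: local` is the usual choice for a localhost smoke test.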
diff --git a/vars/gerrit.yml b/vars/gerrit.yml
new file mode 100644
index 0000000..e1d21cf
--- /dev/null
+++ b/vars/gerrit.yml
@@ -0,0 +1,26 @@
+---
+# Vars that should not be overridden
+gerrit_download_url: "https://gerrit-releases.storage.googleapis.com/gerrit-{{ gerrit_version }}.war"
+gerrit_java_path: "/usr/bin/java"
+gerrit_plugin_urls:
+ - https://gerrit-ci.gerritforge.com/job/plugin-reviewers-bazel-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/reviewers/reviewers.jar
+ - https://gerrit-ci.gerritforge.com/job/plugin-serviceuser-bazel-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/serviceuser/serviceuser.jar
+ - https://gerrit-ci.gerritforge.com/job/plugin-zuul-bazel-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/zuul/zuul.jar
+ - https://gerrit-ci.gerritforge.com/job/plugin-zuul-status-bazel-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/zuul-status/zuul-status.jar
+ - https://gerrit-ci.gerritforge.com/job/plugin-zuul-results-summary-bazel-main-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/zuul-results-summary/zuul-results-summary.jar
+ - https://gerrit-ci.gerritforge.com/job/plugin-motd-bazel-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/motd/motd.jar
+ - https://gerrit-ci.gerritforge.com/job/plugin-events-rabbitmq-bazel-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/events-rabbitmq/events-rabbitmq.jar
+ - https://gerrit-ci.gerritforge.com/job/plugin-avatars-gravatar-bazel-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/avatars-gravatar/avatars-gravatar.jar
+ - https://gerrit-ci.gerritforge.com/job/plugin-oauth-bazel-master-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/oauth/oauth.jar
+gerrit_plugins_on_standby:
+ - https://gerrit-ci.gerritforge.com/job/plugin-reviewers-by-blame-bazel-master-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/reviewers-by-blame/reviewers-by-blame.jar
+ - https://gerrit-ci.gerritforge.com/job/plugin-avatars-external-bazel-master-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/avatars-external/avatars-external.jar
+
+installed_packages:
+ - java-11-openjdk
+ - java-11-openjdk-headless
+ - tzdata-java
+ - postfix
+ - httpd
+ - mod_ssl
+...
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100644
index 0000000..9ba7251
--- /dev/null
+++ b/vars/main.yml
@@ -0,0 +1,3 @@
+---
+# Vars that should not be overridden
+...
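Review bot: Every entry in `gerrit_plugin_urls` and `gerrit_plugins_on_standby` points at a `lastSuccessfulBuild` artifact on gerrit-ci.gerritforge.com, a moving target with neither a version nor a digest, so whatever task eventually consumes these lists will load into the Gerrit JVM whichever jar happened to be built last; pin each to a numbered build or a release jar and keep an expected checksum beside it, the same way the gerrit WAR download should be pinned. Neither list nor `installed_packages` is used by any task in this commit — tasks/deploy.yml only fetches the WAR and no package task exists — so the `oauth-keycloak-oauth` and `avatars-gravatar` sections in templates/gerrit.config.j2 configure plugins that are never installed; presumably follow-up work, but a `# not consumed by any task yet` comment above these lists would make that explicit.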