init gerrit management

Louis Abel 2023-07-25 01:49:15 -07:00
commit c2c4a82b85
Signed by: label
GPG Key ID: 2A6975660E424560
24 changed files with 448 additions and 0 deletions

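--- a/.ansible-lint
+++ b/.ansible-lint
@@ -0,0 +1,6 @@
+# .ansible-lint
+warn_list:
+- '204' # Lines should be less than 160 characters
+- '701' # meta/main.yml should contain relevant info
+skip_list:
+- '106' # Role name must match ^[a-z][a-z0-9_]+$ pattern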

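--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,7 @@
+inventory
+roles/*
+collections/*
+!roles/README.md
+!roles/requirements.yml
+!collections/README.md
+!collections/requirements.yml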

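--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,35 @@
+---
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+rev: v4.4.0
+hooks:
+- id: trailing-whitespace
+- id: end-of-file-fixer
+- id: check-added-large-files
+- id: check-case-conflict
+- id: check-executables-have-shebangs
+- id: check-json
+- id: pretty-format-json
+- id: detect-private-key
+- repo: local
+hooks:
+- id: ansible-lint
+name: Ansible-lint
+description: This hook runs ansible-lint.
+entry: ansible-lint -v --force-color
+language: python
+# do not pass files to ansible-lint, see:
+# https://github.com/ansible/ansible-lint/issues/611
+pass_filenames: false
+always_run: true
+additional_dependencies:
+- ansible-core>=2.13.3
+- repo: https://github.com/adrienverge/yamllint.git
+rev: v1.29.0
+hooks:
+- id: yamllint
+files: \.(yaml|yml)$
+types: [file, yaml]
+entry: yamllint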
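Review bot: The third-party hooks at `rev: v4.4.0` and `rev: v1.29.0` are pinned to git tags, which the upstream repositories can move, so the code pre-commit runs on every contributor's machine is not actually fixed by this file; `pre-commit autoupdate --freeze` rewrites each `rev:` to the tag's commit SHA and keeps the tag in a trailing `# frozen:` comment. The same applies to `additional_dependencies: ansible-core>=2.13.3`, which resolves to whatever release is newest at install time; pinning it to the version the team standardises on keeps lint results reproducible across machines. `files: \.(yaml|yml)$` together with `types: [file, yaml]` is redundant; either selector alone is enough.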

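--- a/.yamllint
+++ b/.yamllint
@@ -0,0 +1,7 @@
+---
+extends: default
+rules:
+line-length:
+max: 140
+level: warning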

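--- a/README.md
+++ b/README.md
@@ -0,0 +1,7 @@
+# Ansible AWX Template: Gerrit
+Ansible AWX is the method used for the Rocky Linux infrastructure, as a replacement for using the CLI. This is for installing and maintaining Gerrit.
+## Provides / Information
+This provides the configuration and installation of gerrit.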

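--- a/collections/README.md
+++ b/collections/README.md
@@ -0,0 +1,14 @@
+# Collections
+If you are wanting to use a collection specifically for this, you will need to define it in a `requirements.yml`, otherwise AWX will not install what you need to run your tasks.
+Example:
+```
+---
+# Roles
+collections:
+- netbox.netbox
+- community.aws
+- containers.podman
+```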

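--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -0,0 +1,57 @@
+---
+# Defaults
+gerrit_user: "git"
+gerrit_group: "git"
+gerrit_version: "3.8.1"
+#gerrit_home_dir: "/opt/gerrit-{{ gerrit_version }}"
+gerrit_home_dir: "/opt/gerrit"
+gerrit_site: "rlgitsvc"
+gerrit_container_user: "{{ gerrit_user }}"
+gerrit_container_heap_limit: "1g"
+gerrit_container_java_options: "-server -XX:+PrintGCDetails -XX:MaxPermSize=256M"
+gerrit_database_type: "postgresql"
+gerrit_database_user: "gerrit"
+gerrit_database_name: "gerrit"
+gerrit_database_password: "gerrit"
+gerrit_database_host: "localhost"
+gerrit_allow_insecure_passwords: false
+# Gerrit vars
+gerrit_config_base_path: "git"
+gerrit_config_canonical_weburl: "https://git.rockylinux.org"
+# Gerrit index. Default LUCENE
+gerrit_index_type: "LUCENE"
+# Gerrit auth type
+gerrit_auth_type: "LDAP"
+# Gerrit sshd
+gerrit_sshd_listen_address: "*:22220"
+gerrit_sshd_threads: "32"
+# Gerrit httpd
+gerrit_httpd_listen_url: "proxy-https://127.0.0.1:8080/"
+gerrit_referenced_objects_reachable: false
+# Gerrit setup
+gerrit_directories:
+- "{{ gerrit_home_dir }}/{{ gerrit_site }}/etc"
+- "{{ gerrit_home_dir }}/{{ gerrit_site }}/lib"
+- "{{ gerrit_home_dir }}/{{ gerrit_site }}/static"
+- "{{ gerrit_home_dir }}/{{ gerrit_site }}/hooks"
+- "{{ gerrit_home_dir }}/{{ gerrit_site }}/plugins"
+- "{{ gerrit_home_dir }}/{{ gerrit_site }}/cache"
+# oauth if enabled
+oauth_base_url: "https://accounts.rockylinux.org/auth"
+oauth_realm: "rocky"
+oauth_client_id: "gerrit"
+oauth_client_secret: "NONE"
+# ldap if enabled
+ldap_url_list:
+- ldap://ipa-us-east-2.rockylinux.org
+...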
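Review bot: `gerrit_database_password: "gerrit"` and `oauth_client_secret: "NONE"` are placeholder credentials that get rendered onto the host unless overridden; the assert in `install-gerrit.yml` only covers the first, so an OAUTH deployment with the default client secret goes through unnoticed, and `gerrit_allow_insecure_passwords: true` silences even that check. A comment above each, `# placeholder - must be overridden from a vaulted/AWX credential`, would make the contract explicit, and the OAuth secret deserves the same assert as the database password. `gerrit_container_user` and `gerrit_config_base_path` are defined here but `gerrit.config.j2` hardcodes `user = {{ gerrit_user }}` and `basePath = git`, so overriding them has no effect. `-XX:MaxPermSize=256M` was removed from the JVM in Java 8, so with the `java-11-openjdk` listed in `vars/gerrit.yml` it will, as far as I know, only produce a "support was removed" warning at start-up and can be dropped.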

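--- a/files/README.md
+++ b/files/README.md
@@ -0,0 +1 @@
+Files come here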

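--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+- name: restart_gerrit
+ansible.builtin.systemd:
+name: gerrit.service
+state: restarted
+daemon_reload: true
+- name: reload_systemd
+ansible.builtin.systemd:
+daemon_reload: true
+...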

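--- a/install-gerrit.yml
+++ b/install-gerrit.yml
@@ -0,0 +1,52 @@
+---
+# Deploys gerrit
+- name: Deploy gerrit
+hosts: '{{ host }}'
+become: true
+vars_files:
+- vars/gerrit.yml
+handlers:
+- import_tasks: handlers/main.yml
+pre_tasks:
+- name: Check if ansible cannot be run here
+stat:
+path: /etc/no-ansible
+register: no_ansible
+- name: Verify if we can run ansible
+ansible.builtin.assert:
+that:
+- "not no_ansible.stat.exists"
+success_msg: "We are able to run on this node"
+fail_msg: "/etc/no-ansible exists - skipping run on this node"
+- name: Verify if we are Rocky Linux 9 or higher
+ansible.builtin.assert:
+that:
+- ansible_distribution_major_version|int >= 9
+- ansible_distribution | lower == "rocky"
+success_msg: "We are on a supported system"
+fail_msg: "Only Rocky Linux versions 9 or higher are supported."
+- name: Check that variables are set properly
+ansible.builtin.assert:
+that:
+- gerrit_database_password != "gerrit"
+success_msg: "Proper password is set."
+fail_msg: "Please set a proper database password."
+when: not gerrit_allow_insecure_passwords|bool
+tasks:
+- name: Deploy gerrit as needed
+ansible.builtin.import_tasks: tasks/install.yml
+post_tasks:
+- name: Touching run file that ansible has ran here
+ansible.builtin.file:
+path: /var/log/ansible.run
+state: touch
+mode: '0644'
+owner: root
+group: root
+...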
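Review bot: The credential assert only checks the database password, so an OAUTH deployment still ships with the placeholder `oauth_client_secret: "NONE"` from `defaults/main.yml`; adding `- gerrit_auth_type != "OAUTH" or oauth_client_secret != "NONE"` to the same `that:` list closes that gap, and the `fail_msg` should then name both. `gerrit_allow_insecure_passwords: true` skips the whole task rather than one check, which is worth stating in a comment so nobody sets it to get past a single host and quietly disables every future credential check. `stat:` is the only unqualified module on the page; `ansible.builtin.stat:` keeps it consistent with the other tasks and with ansible-lint's fqcn rule if that is enabled.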

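--- a/roles/README.md
+++ b/roles/README.md
@@ -0,0 +1,14 @@
+# Roles
+If you are wanting to use role specifically for this, you will need to define it in a `requirements.yml`, otherwise AWX will not install what you need to run your tasks.
+Example:
+```
+---
+# Roles
+roles:
+- rockylinux.ipagetcert
+src: https://github.com/rocky-linux/ansible-role-ipa-getcert
+version: main
+```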

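--- a/tasks/deploy.yml
+++ b/tasks/deploy.yml
@@ -0,0 +1,70 @@
+---
+- name: Download gerrit
+ansible.builtin.get_url:
+url: "{{ gerrit_download_url }}"
+dest: "{{ gerrit_home_dir }}"
+owner: "{{ gerrit_user }}"
+group: "{{ gerrit_group }}"
+mode: "0644"
+- name: Drop gerrit config
+ansible.builtin.template:
+src: gerrit.config.j2
+dest: "{{ gerrit_home_dir }}/{{ gerrit_site }}/etc/gerrit.config"
+owner: "{{ gerrit_user }}"
+group: "{{ gerrit_group }}"
+mode: "0644"
+notify: restart_gerrit
+register: gerrit_config
+- name: Drop secure gerrit config
+ansible.builtin.template:
+src: secure.config.j2
+dest: "{{ gerrit_home_dir }}/{{ gerrit_site }}/etc/secure.config"
+owner: "{{ gerrit_user }}"
+group: "{{ gerrit_group }}"
+mode: "0600"
+notify: restart_gerrit
+register: gerrit_secure_config
+- name: Drop systemd unit
+ansible.builtin.template:
+src: gerrit.service.j2
+dest: /etc/systemd/system/gerrit.service
+owner: root
+group: root
+mode: "0644"
+notify: reload_systemd
+register: gerrit_systemd
+- name: Perform gerrit tasks if configuration has changed
+when:
+- gerrit_secure_config.changed
+- gerrit_config.changed
+block:
+- name: Stop gerrit
+ansible.builtin.systemd:
+name: gerrit.service
+state: stopped
+- name: Re-init gerrit
+ansible.builtin.shell: "{{ gerrit_java_path }} -jar gerrit-{{ gerrit_version }}.war init --batch --no-auto-start -d {{ gerrit_home_dir }}/{{ gerrit_site }}"
+args:
+chdir: "{{ gerrit_home_dir }}"
+become: true
+become_user: "{{ gerrit_user }}"
+changed_when: "1 != 1"
+- name: Re-index gerrit
+ansible.builtin.shell: "{{ gerrit_java_path }} -jar gerrit-{{ gerrit_version }}.war reindex -d {{ gerrit_home_dir }}/{{ gerrit_site }}"
+args:
+chdir: "{{ gerrit_home_dir }}"
+become: true
+become_user: "{{ gerrit_user }}"
+changed_when: "1 != 1"
+- name: Ensure gerrit is enabled
+ansible.builtin.systemd:
+name: gerrit.service
+enabled: true
+...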
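Review bot: The `get_url` task fetches the Gerrit WAR over HTTPS but with no `checksum:`, so a swapped or tampered artifact in the release bucket is installed and started as the `git` user with no verification at all; record the expected digest next to `gerrit_download_url` in `vars/gerrit.yml` and pass it as `checksum: "sha256:{{ gerrit_war_sha256 }}"`. The two re-init steps use `ansible.builtin.shell` with interpolated paths although no shell feature is needed; `ansible.builtin.command` with an `argv:` list avoids word-splitting of `gerrit_home_dir`/`gerrit_site` and drops the shell from the path entirely. The block only runs when both `gerrit_secure_config.changed` and `gerrit_config.changed` are true, which looks deliberate but means a change to `secure.config` alone never triggers a re-init, and `changed_when: "1 != 1"` hides whether the re-init ran at all — a one-line comment on the `when:` stating the intent would save the next reader from guessing. Nothing in this commit downloads the jars in `gerrit_plugin_urls`, yet `gerrit.config.j2` configures `oauth-keycloak-oauth` and `avatars-gravatar`, so a fresh install presumably starts without those plugins unless a follow-up adds the task.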

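--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -0,0 +1,7 @@
+---
+- name: Setup gerrit basics
+ansible.builtin.include_tasks: setup.yml
+- name: Install gerrit
+ansible.builtin.include_tasks: deploy.yml
+...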

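--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+# No tasks
+- debug: msg="No tasks are provided here. Please import the task as needed in your playbook."
+...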

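--- a/tasks/setup.yml
+++ b/tasks/setup.yml
@@ -0,0 +1,22 @@
+---
+- name: Create gerrit group
+ansible.builtin.group:
+name: "{{ gerrit_group }}"
+state: present
+- name: Create gerrit user
+ansible.builtin.user:
+name: "{{ gerrit_user }}"
+group: "{{ gerrit_group }}"
+state: present
+- name: Create gerrit directories
+ansible.builtin.file:
+path: "{{ item }}"
+owner: "{{ gerrit_user }}"
+group: "{{ gerrit_group }}"
+mode: "0755"
+state: directory
+recurse: true
+loop: "{{ gerrit_directories }}"
+...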
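Review bot: `recurse: true` combined with `mode: "0755"` applies that mode to everything already inside the listed directories on every run, and `{{ gerrit_site }}/etc` is where `tasks/deploy.yml` writes `secure.config` as `0600`; on the second run that file becomes world-readable until the template task resets it, the reset makes both template tasks report changed, and that in turn fires the stop/re-init/reindex block in `deploy.yml` on every subsequent run. Removing `recurse: true` fixes both problems (the directory itself still gets the requested owner and mode); if recursive ownership is genuinely wanted, do it in a separate task without `mode`. The service account is also created with stock defaults — `system: true` and `shell: /sbin/nologin` are worth considering if nothing needs to log in as `git` interactively, since Gerrit's own sshd is in-process Java and does not use the system shell.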

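--- a/templates/README.md
+++ b/templates/README.md
@@ -0,0 +1 @@
+Templates go here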


@ -0,0 +1,59 @@
[gerrit]
basePath = git
canonicalWebUrl = {{ gerrit_config_canonical_weburl }}
[container]
javaOptions = {{ gerrit_container_java_options }}
user = {{ gerrit_user }}
heapLimit = {{ gerrit_container_heap_limit }}
javaHome = /usr/lib/jvm/jre/
[index]
type = {{ gerrit_index_type }}
[auth]
type = {{ gerrit_auth_type }}
userNameCaseInsensitive = true
{% if gerrit_auth_type == 'OAUTH' %}
gitBasicAuthPolicy = HTTP
[plugin "oauth-keycloak-oauth"]
root-url = {{ oauth_base_url }}
realm = {{ oauth_realm }}
client-id = {{ oauth_client_id }}
client-secret = {{ oauth_client_secret }}
{% endif %}
[receive]
enableSignedPush = true
checkReferencedObjectsAreReachable = {{ gerrit_referenced_objects_reachable }}
[sendemail]
smtpServer = localhost
[sshd]
listenAddress = {{ gerrit_sshd_listen_address }}
threads = {{ gerrit_sshd_threads }}
[httpd]
listenUrl = {{ gerrit_httpd_listen_url }}
[cache]
directory = cache
{% if gerrit_auth_type == "LDAP" %}
[ldap]
server = {{ ldap_url_list|join(' ') }}
accountBase = cn=users,cn=accounts,dc=rockylinux,dc=org
accountPattern = (&(objectClass=posixAccount)(memberOf=cn=signed_rgca,cn=groups,cn=accounts,dc=rockylinux,dc=org)(uid=${username}))
accountFullName = displayName
accountEmailAddress = mail
accountMemberField = memberOf
groupBase = cn=groups,cn=accounts,dc=rockylinux,dc=org
groupPattern = (cn=${groupname})
localUsernameToLowerCase = true
startTls = true
sslVerify = true
{% endif %}
[plugin "avatars-gravatar"]
url = https://seccdn.libravatar.org/avatar/
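Review bot: `client-secret = {{ oauth_client_secret }}` is rendered into `gerrit.config`, which `tasks/deploy.yml` writes with mode `0644`, so whenever `gerrit_auth_type` is `OAUTH` the Keycloak client secret is readable by every local account on the host; Gerrit reads `secure.config` as an overlay of `gerrit.config`, so the `[plugin "oauth-keycloak-oauth"]` stanza carrying `client-secret = {{ oauth_client_secret }}` belongs in `secure.config.j2` (mode `0600`) with only `root-url`, `realm` and `client-id` left here. `basePath = git` and `user = {{ gerrit_user }}` ignore the `gerrit_config_base_path` and `gerrit_container_user` knobs that `defaults/main.yml` advertises; either template them or remove the unused defaults. `listenUrl = proxy-https://...` assumes a TLS-terminating reverse proxy in front, but nothing in this commit configures the `httpd`/`mod_ssl` named in `vars/gerrit.yml`, so presumably that lands separately — a comment here saying where would help anyone reading the template on its own.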


@ -0,0 +1,17 @@
[Unit]
Description=Gerrit
After=network.target
[Service]
Type=simple
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=gerrit
WorkingDirectory={{ gerrit_home_dir }}
User={{ gerrit_user|default('git') }}
ExecStart={{ gerrit_java_path|default('/usr/bin/java') }} -DGerritCodeReview=1 -jar {{ gerrit_home_dir }}/gerrit-{{ gerrit_version }}.war daemon -d {{ gerrit_site|default('rlgitsvc') }}
ExecStop=/bin/kill -s SIGINT $MAINPID
PIDFile=/run/gerrit.pid
[Install]
WantedBy=multi-user.target
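Review bot: The unit runs a network-facing JVM (sshd on `*:22220`, HTTP on `127.0.0.1:8080`) with no sandboxing at all, although it only needs to write under `{{ gerrit_home_dir }}`; `NoNewPrivileges=`, `PrivateTmp=`, `ProtectSystem=`, `ProtectHome=` and an explicit `Group=` are a cheap baseline that costs Gerrit nothing, since none of its listeners need extra capabilities. `StandardOutput=syslog`/`StandardError=syslog` is deprecated in current systemd (it warns and behaves as `journal`), so `journal` is the accurate spelling, and `PIDFile=` is not consulted for `Type=simple`, so that line can go — Gerrit writes its own pid file inside the site's `logs/` directory as far as I recall.

```ini
[Service]
# … unchanged: Type, WorkingDirectory, User, ExecStart, ExecStop …
Group={{ gerrit_group|default('git') }}
StandardOutput=journal
StandardError=journal
SyslogIdentifier=gerrit
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true
```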

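--- a/templates/motd.config.j2
+++ b/templates/motd.config.j2
@@ -0,0 +1,14 @@
+[gerrit]
+motd = .:^~~~~^:.
+motd = .^!?JJJJJJJJJJ?!^.
+motd = ~?JJJJJJJJJJJJJJJJ?~
+motd = :?JJJJJJJJJJJJJJJJJJJJ?:
+motd = .?JJJJJJJJJJJJJJ7?JJJJJJ?.
+motd = !JJJJJJJJJJJJJ7: ^?JJJJJ!
+motd = 7JJJJJJJJJJJ!: ^7JJJ7
+motd = !JJJJJJJJJ!. :. :7J!
+motd = .?JJJJJ?~. :7JJ!. :.
+motd = :?JJ?~. ^7JJJJJJ!:
+motd = .~~ ^?JJJJJJJJY?:
+motd = ^?YYJJJJJJ?!^.
+motd = .:^~~~~^:.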


@ -0,0 +1,6 @@
[database]
type = {{ gerrit_database_type }}
username = {{ gerrit_database_user }}
database = {{ gerrit_database_name }}
password = {{ gerrit_database_password }}
hostname = {{ gerrit_database_host }}
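Review bot: As far as I know Gerrit 3.x keeps all metadata in NoteDb and no longer reads a `[database]` section (ReviewDb was removed in 3.0), so for `gerrit_version: "3.8.1"` these six lines — and with them the only credential the playbook asserts on — are probably dead configuration; worth confirming against the 3.8 config reference before treating that assert as a safeguard. The secret that does need this file is the OAuth `client-secret`, which `gerrit.config.j2` currently writes into the world-readable `gerrit.config`; a `[plugin "oauth-keycloak-oauth"]` stanza here would keep it in the `0600` file. A header comment, `# values here override gerrit.config and are kept 0600 — put secrets only in this file`, would make that rule visible to the next person adding a plugin.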

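--- a/tests/README.md
+++ b/tests/README.md
@@ -0,0 +1,3 @@
+# Tests
+Basic tests for the playbooks and tasks come here. Generally you need a `test.yml` and `inventory` file with at least `localhost`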

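--- a/tests/test.yml
+++ b/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+remote_user: root
+tasks:
+- import_tasks: example.yml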
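Review bot: `import_tasks: example.yml` points at a file that is not among the 24 files in this commit, so the test play fails at parse time rather than exercising anything; point it at the task file it is meant to cover or add the example file. `remote_user: root` on `localhost` is not needed for a local connection and is the sort of default that gets copied into real inventories; `connection: local` plus `become: true` on the tasks that need it is the usual shape. The `tests/README.md` also mentions an `inventory` file that this commit does not add and `.gitignore` excludes, which is fine but worth a sentence saying it is expected to be created locally.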

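--- a/vars/gerrit.yml
+++ b/vars/gerrit.yml
@@ -0,0 +1,26 @@
+---
+# Vars that should not be overridden
+gerrit_download_url: "https://gerrit-releases.storage.googleapis.com/gerrit-{{ gerrit_version }}.war"
+gerrit_java_path: "/usr/bin/java"
+gerrit_plugin_urls:
+- https://gerrit-ci.gerritforge.com/job/plugin-reviewers-bazel-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/reviewers/reviewers.jar
+- https://gerrit-ci.gerritforge.com/job/plugin-serviceuser-bazel-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/serviceuser/serviceuser.jar
+- https://gerrit-ci.gerritforge.com/job/plugin-zuul-bazel-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/zuul/zuul.jar
+- https://gerrit-ci.gerritforge.com/job/plugin-zuul-status-bazel-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/zuul-status/zuul-status.jar
+- https://gerrit-ci.gerritforge.com/job/plugin-zuul-results-summary-bazel-main-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/zuul-results-summary/zuul-results-summary.jar
+- https://gerrit-ci.gerritforge.com/job/plugin-motd-bazel-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/motd/motd.jar
+- https://gerrit-ci.gerritforge.com/job/plugin-events-rabbitmq-bazel-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/events-rabbitmq/events-rabbitmq.jar
+- https://gerrit-ci.gerritforge.com/job/plugin-avatars-gravatar-bazel-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/avatars-gravatar/avatars-gravatar.jar
+- https://gerrit-ci.gerritforge.com/job/plugin-oauth-bazel-master-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/oauth/oauth.jar
+gerrit_plugins_on_standby:
+- https://gerrit-ci.gerritforge.com/job/plugin-reviewers-by-blame-bazel-master-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/reviewers-by-blame/reviewers-by-blame.jar
+- https://gerrit-ci.gerritforge.com/job/plugin-avatars-external-bazel-master-master/lastSuccessfulBuild/artifact/bazel-bin/plugins/avatars-external/avatars-external.jar
+installed_packages:
+- java-11-openjdk
+- java-11-openjdk-headless
+- tzdata-java
+- postfix
+- httpd
+- mod_ssl
+...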
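Review bot: Every entry in `gerrit_plugin_urls` and `gerrit_plugins_on_standby` points at `lastSuccessfulBuild` of a `master` job on a third-party CI, i.e. an unpinned, mutable artifact with no digest, so whatever that job produced most recently is what ends up loaded into Gerrit's JVM with full access to the repositories; pin each URL to a specific build number (`/job/<job>/<build>/artifact/...`) and pair it with a checksum, or mirror vetted jars into `files/`. Nothing in this commit consumes `gerrit_plugin_urls` or `installed_packages` — there is no package task and no plugin download task — so either those tasks are coming in a follow-up or the lists are dead; a comment saying which would help. The header says these vars should not be overridden, yet `gerrit_java_path` duplicates the `default('/usr/bin/java')` fallback in `gerrit.service.j2`; one source of truth is enough.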

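--- a/vars/main.yml
+++ b/vars/main.yml
@@ -0,0 +1,3 @@
+---
+# Vars that should not be overridden
+...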