From 15abc8add121d623f30b2fcd6acf342091aabcf9 Mon Sep 17 00:00:00 2001
From: Louis Abel
Date: Thu, 13 Apr 2023 15:19:30 -0700
Subject: [PATCH] add koji playbooks to ops repo
---
init-rocky-koji-ecosystem.yml | 35 +++++++++
role-rocky-kojid-staging.yml | 91 +++++++++++++++++++++++
role-rocky-kojid.yml | 91 +++++++++++++++++++++++
role-rocky-kojihub-staging.yml | 124 ++++++++++++++++++++++++++++++++
role-rocky-kojihub.yml | 124 ++++++++++++++++++++++++++++++++
tasks/init-koji.yml | 75 +++++++++++++++++++
tasks/koji_efs.yml | 36 ++++++++++
vars/production/koji-common.yml | 14 ++++
vars/production/kojid.yml | 16 +++++
vars/production/kojihub.yml | 120 +++++++++++++++++++++++++++++++
vars/staging/koji-common.yml | 14 ++++
vars/staging/kojid.yml | 16 +++++
vars/staging/kojihub.yml | 120 +++++++++++++++++++++++++++++++
13 files changed, 876 insertions(+)
create mode 100644 init-rocky-koji-ecosystem.yml
create mode 100644 role-rocky-kojid-staging.yml
create mode 100644 role-rocky-kojid.yml
create mode 100644 role-rocky-kojihub-staging.yml
create mode 100644 role-rocky-kojihub.yml
create mode 100644 tasks/init-koji.yml
create mode 100644 tasks/koji_efs.yml
create mode 100644 vars/production/koji-common.yml
create mode 100644 vars/production/kojid.yml
create mode 100644 vars/production/kojihub.yml
create mode 100644 vars/staging/koji-common.yml
create mode 100644 vars/staging/kojid.yml
create mode 100644 vars/staging/kojihub.yml
diff --git a/init-rocky-koji-ecosystem.yml b/init-rocky-koji-ecosystem.yml
new file mode 100644
index 0000000..2668701
--- /dev/null
+++ b/init-rocky-koji-ecosystem.yml
@@ -0,0 +1,35 @@
+---
+# Configures the koji ecosystem
+- name: Configure Koji
+ hosts: "kojihub"
+ become: true
+
+ handlers:
+ - import_tasks: handlers/main.yml
+
+ pre_tasks:
+ - name: Check if ansible cannot be run here
+ stat:
+ path: /etc/no-ansible
+ register: no_ansible
+
+ - name: Verify if we can run ansible
+ assert:
+ that:
+ - "not no_ansible.stat.exists"
+ success_msg: "We are not able to run on this node"
+ fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+ tasks:
+ - name: Build out relevant accounts and components
+ import_tasks: tasks/init-koji.yml
+
+ post_tasks:
+ - name: Touching run file that ansible has ran here
+ file:
+ path: /var/log/ansible.run
+ state: touch
+ mode: '0644'
+ owner: root
+ group: root
+...
diff --git a/role-rocky-kojid-staging.yml b/role-rocky-kojid-staging.yml
new file mode 100644
index 0000000..6b33570
--- /dev/null
+++ b/role-rocky-kojid-staging.yml
@@ -0,0 +1,91 @@
+---
+# Stands up an ipsilon instance for simple SSO
+- name: Configure koji hub and web server
+ hosts: kojihub
+ become: true
+ vars_files:
+ - vars/vaults/encpass.yml
+ - vars/common.yml
+ - vars/staging/kojid.yml
+ - vars/staging/koji-common.yml
+
+ # This is to try to avoid the handler issue in pre/post tasks
+ handlers:
+ - import_tasks: handlers/main.yml
+
+ pre_tasks:
+ - name: Check if ansible cannot be run here
+ stat:
+ path: /etc/no-ansible
+ register: no_ansible
+
+ - name: Verify if we can run ansible
+ assert:
+ that:
+ - "not no_ansible.stat.exists"
+ success_msg: "We are able to run on this node"
+ fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+ - name: Check for keytabs - kojid
+ stat:
+ path: /etc/kojid.keytab
+ register: kojid_keytab_check
+ changed_when: "1 != 1"
+
+ - name: Verify keytab
+ assert:
+ that:
+ - "kojid_keytab_check.stat.exists"
+ success_msg: "It is likely we have all keytabs"
+ fail_msg: "There are no keytabs. Please build the keytabs."
+
+ # EPEL and PowerTools are required for ipsilon to function
+ # I also couldn't find an ansible built-in to do this
+ - name: Enable the PowerTools repository
+ ini_file:
+ dest: /etc/yum.repos.d/CentOS-Linux-PowerTools.repo
+ section: powertools
+ option: enabled
+ value: 1
+ owner: root
+ group: root
+ mode: '0644'
+
+ # The CentOS extras repos has epel-release provided
+ - name: Enable the EPEL repository
+ yum:
+ name: epel-release
+ state: present
+ tags:
+ - packages
+
+ - name: Install rocky-tools copr
+ yum_repository:
+ name: copr:copr.fedorainfracloud.org:nalika:rockylinux-tool
+ description: Copr repo for rockylinux-tools owned by nalika
+ file: copr_repos
+ baseurl: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/epel-8-$basearch/
+ gpgcheck: true
+ gpgkey: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/pubkey.gpg
+ enabled: true
+
+ # Right now, we are not sure how or where we'll get our certificates. So we
+ # are presenting a choice by setting a variable, koji_internal_ca. There is a
+ # change that we will have to do internal certs for mqtt anyway.
+ # TODO: We need an MQTT role and pre_tasks for the keytabs for this role
+ roles:
+ - role: rockylinux.kojid
+ state: present
+
+ post_tasks:
+ - name: "Setup shared filesystem mount"
+ import_tasks: tasks/koji_efs.yml
+
+ - name: Touching run file that ansible has ran here
+ file:
+ path: /var/log/ansible.run
+ state: touch
+ mode: '0644'
+ owner: root
+ group: root
+...
diff --git a/role-rocky-kojid.yml b/role-rocky-kojid.yml
new file mode 100644
index 0000000..a8fe405
--- /dev/null
+++ b/role-rocky-kojid.yml
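Review bot: `hosts: kojihub`, the play name "Configure koji hub and web server" and the header comment about an ipsilon instance all appear carried over from the hub playbook, so this play would install and configure kojid on the hub group rather than on the builders; the same lines appear in role-rocky-kojid.yml below. If the inventory has a builder group, point `hosts:` at it and rename the play, e.g. `- name: Configure koji builders` / `hosts: kojid` (group name constructed — use whatever the inventory defines). The comment "EPEL and PowerTools are required for ipsilon to function" likewise no longer describes this play and should say why kojid needs those repositories.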
@@ -0,0 +1,91 @@
+---
+# Stands up an ipsilon instance for simple SSO
+- name: Configure koji hub and web server
+ hosts: kojihub
+ become: true
+ vars_files:
+ - vars/vaults/encpass.yml
+ - vars/common.yml
+ - vars/production/kojid.yml
+ - vars/production/koji-common.yml
+
+ # This is to try to avoid the handler issue in pre/post tasks
+ handlers:
+ - import_tasks: handlers/main.yml
+
+ pre_tasks:
+ - name: Check if ansible cannot be run here
+ stat:
+ path: /etc/no-ansible
+ register: no_ansible
+
+ - name: Verify if we can run ansible
+ assert:
+ that:
+ - "not no_ansible.stat.exists"
+ success_msg: "We are able to run on this node"
+ fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+ - name: Check for keytabs - kojid
+ stat:
+ path: /etc/kojid.keytab
+ register: kojid_keytab_check
+ changed_when: "1 != 1"
+
+ - name: Verify keytab
+ assert:
+ that:
+ - "kojid_keytab_check.stat.exists"
+ success_msg: "It is likely we have all keytabs"
+ fail_msg: "There are no keytabs. Please build the keytabs."
+
+ # EPEL and PowerTools are required for ipsilon to function
+ # I also couldn't find an ansible built-in to do this
+ - name: Enable the PowerTools repository
+ ini_file:
+ dest: /etc/yum.repos.d/CentOS-Linux-PowerTools.repo
+ section: powertools
+ option: enabled
+ value: 1
+ owner: root
+ group: root
+ mode: '0644'
+
+ # The CentOS extras repos has epel-release provided
+ - name: Enable the EPEL repository
+ yum:
+ name: epel-release
+ state: present
+ tags:
+ - packages
+
+ - name: Install rocky-tools copr
+ yum_repository:
+ name: copr:copr.fedorainfracloud.org:nalika:rockylinux-tool
+ description: Copr repo for rockylinux-tools owned by nalika
+ file: copr_repos
+ baseurl: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/epel-8-$basearch/
+ gpgcheck: true
+ gpgkey: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/pubkey.gpg
+ enabled: true
+
+ # Right now, we are not sure how or where we'll get our certificates. So we
+ # are presenting a choice by setting a variable, koji_internal_ca. There is a
+ # change that we will have to do internal certs for mqtt anyway.
+ # TODO: We need an MQTT role and pre_tasks for the keytabs for this role
+ roles:
+ - role: rockylinux.kojid
+ state: present
+
+ post_tasks:
+ - name: "Setup shared filesystem mount"
+ import_tasks: tasks/koji_efs.yml
+
+ - name: Touching run file that ansible has ran here
+ file:
+ path: /var/log/ansible.run
+ state: touch
+ mode: '0644'
+ owner: root
+ group: root
+...
diff --git a/role-rocky-kojihub-staging.yml b/role-rocky-kojihub-staging.yml
new file mode 100644
index 0000000..e0a1be8
--- /dev/null
+++ b/role-rocky-kojihub-staging.yml
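Review bot: This playbook is byte-identical to role-rocky-kojid-staging.yml apart from the two `vars/production/...` entries under `vars_files`, and the kojihub pair below repeats the pattern, so every fix to the pre_tasks or repository setup has to be applied four times. Consider one playbook per component with the environment chosen by a variable, e.g. `- "vars/{{ koji_env }}/kojid.yml"` and `- "vars/{{ koji_env }}/koji-common.yml"` (`koji_env` is a constructed name), supplied with `-e` or from inventory. If the repo convention is one playbook per environment, the shared pre_tasks (no-ansible check, keytab checks, repo enablement) could at least move into one imported task file.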
@@ -0,0 +1,124 @@
+---
+# Stands up an ipsilon instance for simple SSO
+- name: Configure koji hub and web server
+ hosts: kojihub
+ become: true
+ vars_files:
+ - vars/vaults/encpass.yml
+ - vars/common.yml
+ - vars/staging/kojihub.yml
+ - vars/staging/koji-common.yml
+
+ # This is to try to avoid the handler issue in pre/post tasks
+ handlers:
+ - import_tasks: handlers/main.yml
+
+ pre_tasks:
+ - name: Check if ansible cannot be run here
+ stat:
+ path: /etc/no-ansible
+ register: no_ansible
+
+ - name: Verify if we can run ansible
+ assert:
+ that:
+ - "not no_ansible.stat.exists"
+ success_msg: "We are able to run on this node"
+ fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+ - name: Check for keytabs - web
+ stat:
+ path: /etc/keytabs/koji-web.keytab
+ register: koji_keytab
+ changed_when: "1 != 1"
+
+ - name: Check for keytabs - kojira
+ stat:
+ path: /etc/keytabs/kojira.keytab
+ register: kojira_keytab
+ changed_when: "1 != 1"
+
+ - name: Check for keytabs - gc
+ stat:
+ path: /etc/keytabs/koji-gc.keytab
+ register: gc_keytab
+ changed_when: "1 != 1"
+
+ - name: Check for keytabs - host
+ stat:
+ path: /etc/keytabs/host.keytab
+ register: host_keytab
+ changed_when: "1 != 1"
+
+ - name: Verify keytab
+ assert:
+ that:
+ - "koji_keytab.stat.exists"
+ - "kojira_keytab.stat.exists"
+ - "gc_keytab.stat.exists"
+ - "host_keytab.stat.exists"
+ success_msg: "It is likely we have all keytabs"
+ fail_msg: "There are no keytabs. Please build the keytabs."
+
+ # EPEL and PowerTools are required for ipsilon to function
+ # I also couldn't find an ansible built-in to do this
+ - name: Enable the PowerTools repository
+ ini_file:
+ dest: /etc/yum.repos.d/CentOS-Linux-PowerTools.repo
+ section: powertools
+ option: enabled
+ value: 1
+ owner: root
+ group: root
+ mode: '0644'
+
+ # The CentOS extras repos has epel-release provided
+ - name: Enable the EPEL repository
+ yum:
+ name: epel-release
+ state: present
+ tags:
+ - packages
+
+ - name: Install rocky-tools copr
+ yum_repository:
+ name: copr:copr.fedorainfracloud.org:nalika:rockylinux-tool
+ description: Copr repo for rockylinux-tools owned by nalika
+ file: copr_repos
+ baseurl: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/epel-8-$basearch/
+ gpgcheck: true
+ gpgkey: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/pubkey.gpg
+ enabled: true
+
+ # Right now, we are not sure how or where we'll get our certificates. So we
+ # are presenting a choice by setting a variable, koji_internal_ca. There is a
+ # change that we will have to do internal certs for mqtt anyway.
+ # TODO: We need an MQTT role and pre_tasks for the keytabs for this role
+ roles:
+ - role: geerlingguy.certbot
+ state: present
+ when: not koji_internal_ca
+
+ - role: rockylinux.ipagetcert
+ state: present
+ when: koji_internal_ca
+
+ - role: geerlingguy.postgresql
+ state: present
+ when: koji_postgresql_vm
+
+ - role: rockylinux.kojihub
+ state: present
+
+ post_tasks:
+ - name: "Setup shared filesystem mount"
+ import_tasks: tasks/koji_efs.yml
+
+ - name: Touching run file that ansible has ran here
+ file:
+ path: /var/log/ansible.run
+ state: touch
+ mode: '0644'
+ owner: root
+ group: root
+...
diff --git a/role-rocky-kojihub.yml b/role-rocky-kojihub.yml
new file mode 100644
index 0000000..7790731
--- /dev/null
+++ b/role-rocky-kojihub.yml
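Review bot: The four keytab `stat` tasks use `changed_when: "1 != 1"` to force an unchanged result; `changed_when: false` is the idiomatic form, reads as intent rather than a trick, and `stat` does not report changes anyway. The `ini_file` task writes to `/etc/yum.repos.d/CentOS-Linux-PowerTools.repo`, but on a Rocky host the PowerTools repo file is, as far as I recall, named `Rocky-PowerTools.repo`; confirm the path against the target image, because `ini_file` will otherwise create a new file that enables nothing while the task reports success. Both points apply equally to role-rocky-kojihub.yml below.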
@@ -0,0 +1,124 @@
+---
+# Stands up an ipsilon instance for simple SSO
+- name: Configure koji hub and web server
+ hosts: kojihub
+ become: true
+ vars_files:
+ - vars/vaults/encpass.yml
+ - vars/common.yml
+ - vars/production/kojihub.yml
+ - vars/production/koji-common.yml
+
+ # This is to try to avoid the handler issue in pre/post tasks
+ handlers:
+ - import_tasks: handlers/main.yml
+
+ pre_tasks:
+ - name: Check if ansible cannot be run here
+ stat:
+ path: /etc/no-ansible
+ register: no_ansible
+
+ - name: Verify if we can run ansible
+ assert:
+ that:
+ - "not no_ansible.stat.exists"
+ success_msg: "We are able to run on this node"
+ fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+ - name: Check for keytabs - web
+ stat:
+ path: /etc/keytabs/koji-web.keytab
+ register: koji_keytab
+ changed_when: "1 != 1"
+
+ - name: Check for keytabs - kojira
+ stat:
+ path: /etc/keytabs/kojira.keytab
+ register: kojira_keytab
+ changed_when: "1 != 1"
+
+ - name: Check for keytabs - gc
+ stat:
+ path: /etc/keytabs/koji-gc.keytab
+ register: gc_keytab
+ changed_when: "1 != 1"
+
+ - name: Check for keytabs - host
+ stat:
+ path: /etc/keytabs/host.keytab
+ register: host_keytab
+ changed_when: "1 != 1"
+
+ - name: Verify keytab
+ assert:
+ that:
+ - "koji_keytab.stat.exists"
+ - "kojira_keytab.stat.exists"
+ - "gc_keytab.stat.exists"
+ - "host_keytab.stat.exists"
+ success_msg: "It is likely we have all keytabs"
+ fail_msg: "There are no keytabs. Please build the keytabs."
+
+ # EPEL and PowerTools are required for ipsilon to function
+ # I also couldn't find an ansible built-in to do this
+ - name: Enable the PowerTools repository
+ ini_file:
+ dest: /etc/yum.repos.d/CentOS-Linux-PowerTools.repo
+ section: powertools
+ option: enabled
+ value: 1
+ owner: root
+ group: root
+ mode: '0644'
+
+ # The CentOS extras repos has epel-release provided
+ - name: Enable the EPEL repository
+ yum:
+ name: epel-release
+ state: present
+ tags:
+ - packages
+
+ - name: Install rocky-tools copr
+ yum_repository:
+ name: copr:copr.fedorainfracloud.org:nalika:rockylinux-tool
+ description: Copr repo for rockylinux-tools owned by nalika
+ file: copr_repos
+ baseurl: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/epel-8-$basearch/
+ gpgcheck: true
+ gpgkey: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/pubkey.gpg
+ enabled: true
+
+ # Right now, we are not sure how or where we'll get our certificates. So we
+ # are presenting a choice by setting a variable, koji_internal_ca. There is a
+ # change that we will have to do internal certs for mqtt anyway.
+ # TODO: We need an MQTT role and pre_tasks for the keytabs for this role
+ roles:
+ - role: geerlingguy.certbot
+ state: present
+ when: not koji_internal_ca
+
+ - role: rockylinux.ipagetcert
+ state: present
+ when: koji_internal_ca
+
+ - role: geerlingguy.postgresql
+ state: present
+ when: koji_postgresql_vm
+
+ - role: rockylinux.kojihub
+ state: present
+
+ post_tasks:
+ - name: "Setup shared filesystem mount"
+ import_tasks: tasks/koji_efs.yml
+
+ - name: Touching run file that ansible has ran here
+ file:
+ path: /var/log/ansible.run
+ state: touch
+ mode: '0644'
+ owner: root
+ group: root
+...
diff --git a/tasks/init-koji.yml b/tasks/init-koji.yml
new file mode 100644
index 0000000..694c01d
--- /dev/null
+++ b/tasks/init-koji.yml
@@ -0,0 +1,75 @@
+---
+# Init koji
+- name: kinit as koji admin using password
+ shell: "set -o pipefail && echo \"{{ rockykoji_password }}\" | kinit rockykoji@ROCKYLINUX.ORG"
+ check_mode: false
+ changed_when: "1 != 1"
+ become: true
+ become_user: koji
+ when: rockykoji_has_password | bool
+
+- name: kinit as koji admin using keytab
+ shell: "set -o pipefail && kinit -kt /home/koji/.koji/keytab koji/rockykoji@ROCKYLINUX.ORG"
+ check_mode: false
+ changed_when: "1 != 1"
+ become: true
+ become_user: koji
+ when: not rockykoji_has_password | bool
+
+- name: Import current necessary tags
+ shell: "set -o pipefail && koji add-tag {{ item }}"
+ changed_when: "1 != 1"
+ become: true
+ become_user: koji
+ loop:
+ - build-modules
+ - dist-rocky8
+ - dist-rocky8-build
+ - dist-rocky8-compose
+ - dist-rocky8-extras
+ - dist-rocky8-gcc-toolset-9-build
+ - dist-rocky8-modular-buildrequires
+ - dist-rocky8-module-compose
+ - dist-rocky8-plus
+ - dist-rocky8-rust-bootstrap
+ - dist-rocky8-rust-bootstrap-build
+ - dist-rocky8-updates
+ - dist-rocky8-updates-build
+ - dist-rocky8_0-updates-build
+ - dist-rocky8_1-gcc-toolset-9-build
+ - dist-rocky8_1-updates-build
+ - dist-rocky8_2-updates-build
+ - dist-rocky8_3-updates-build
+ - dist-rocky8_4-updates-build
+ - dist-rocky8_5-updates-build
+ - dist-rocky8_6-updates-build
+ - dist-rocky8_7-updates-build
+ - dist-rocky8_8-updates-build
+ - dist-rocky9
+ - el8
+ - el8_0
+ - el8_1
+ - el8_2
+ - el8_3
+ - el8_4
+ - el8_5
+ - el8_6
+ - el8_7
+ - el8_8
+ - el8_infra
+ - el9
+ - el9_infra
+ - eln
+ - modular-updates-candidate
+ - module-rocky-8.0.0-build
+ - module-rocky-8.1.0-build
+ - module-rocky-8.2.0-build
+ - module-rocky-8.3.0-build
+ - module-rocky-8.5.0-build
+ - module-rocky-8.6.0-build
+ - module-rocky-8.7.0-build
+ - module-rocky-8.8.0-build
+ - module-rocky-8.9.0-build
+ - trash
+ - trashcan
+...
diff --git a/tasks/koji_efs.yml b/tasks/koji_efs.yml
new file mode 100644
index 0000000..e35867c
--- /dev/null
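Review bot: The "kinit as koji admin using password" task interpolates `rockykoji_password` into the shell command line, and Ansible records the full `cmd` in the task result, so the cleartext password ends up in verbose output, callback plugins and any configured log file; add `no_log: true` to that task (the keytab kinit can carry it too, since nothing useful is printed on success). The tag loop will, as far as I can tell, fail on every re-run because `koji add-tag` errors when the tag already exists; either register the result and set `failed_when` to tolerate that error, or check with `koji taginfo` first and skip existing tags. `set -o pipefail` only matters for the piped first command; on the other two it is harmless but suggests a pipe that is not there.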
+++ b/tasks/koji_efs.yml
@@ -0,0 +1,36 @@
+---
+# Sets up the EFS mount for /mnt/koji {{ koji_efs_mount_path }}
+# Requires amazon-efs-utils; included
+#
+- name: Installing amazon-efs-utils
+ yum:
+ name: amazon-efs-utils
+ state: present
+ tags:
+ - amazon_efs_utils
+ - packages
+
+- name: "Gathering ec2 facts"
+ amazon.aws.ec2_metadata_facts:
+ tags:
+ - mounts
+
+# "you can use /etc/hosts" https://github.com/aws/efs-utils/issues/1
+- name: "Install custom hosts file because ~~fml~~ amazon said so."
+ ansible.builtin.lineinfile:
+ path: /etc/hosts
+ line: "{{ koji_efs_fs_ip_map[ansible_ec2_placement_availability_zone] }} {{ koji_efs_fsid }}"
+ create: true
+ tags:
+ - mounts
+
+- name: "Creating and mounting {{ koji_efs_fsid }} at {{ koji_efs_mount_path }}"
+ ansible.posix.mount:
+ path: "{{ koji_efs_mount_path }}"
+ src: "{{ koji_efs_fsid }}:/"
+ fstype: "{{ koji_efs_fs_type }}"
+ opts: "{{ koji_efs_fs_opts | join(',') }}"
+ state: "{{ koji_efs_fs_state | default('mounted') }}"
+ tags:
+ - mounts
+...
diff --git a/vars/production/koji-common.yml b/vars/production/koji-common.yml
new file mode 100644
index 0000000..feab453
--- /dev/null
+++ b/vars/production/koji-common.yml
@@ -0,0 +1,14 @@
+---
+# Koji common
+koji_efs_mount_path: /mnt/koji
+koji_efs_fsid: whatever.amazonaws.com
+koji_efs_fs_ip_map:
+ us-east-2a: 10.x.x.x
+ us-east-2b: 10.x.x.x
+ us-east-2c: 10.x.x.x
+koji_efs_fs_type: efs
+koji_efs_fs_opts:
+ - _netdev
+ - tls
+ - iam
+...
diff --git a/vars/production/kojid.yml b/vars/production/kojid.yml
new file mode 100644
index 0000000..813ad90
--- /dev/null
+++ b/vars/production/kojid.yml
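Review bot: The `lineinfile` task that maps the EFS endpoint in `/etc/hosts` has a `line:` but no `regexp:`, so when the address in `koji_efs_fs_ip_map` changes a second line is appended instead of the old one being replaced, and the resolver will keep using whichever comes first; add `regexp: '\s{{ koji_efs_fsid }}$'` so the entry is updated in place. The map lookup on `ansible_ec2_placement_availability_zone` fails with an undefined-variable error for any zone not in the map, which is the right outcome for a host in an unexpected zone but deserves a one-line comment saying so. The `tls` and `iam` options passed from `koji_efs_fs_opts` are what keep the mount authenticated and encrypted in transit; a comment next to the `opts:` line noting that they are load-bearing would discourage trimming them later.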
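Review bot: `koji_efs_fsid: whatever.amazonaws.com` and the three `10.x.x.x` entries are placeholders, and tasks/koji_efs.yml writes them verbatim into `/etc/hosts` and the mount source, so a run against production with this file fails at the mount step at best; fill them in before use or mark the file as a template in its header comment. vars/staging/koji-common.yml below is byte-identical (same blob `feab453`), so when real values go in, confirm whether staging and production are meant to share one filesystem: builders in both environments mounting the same `/mnt/koji` would let staging builds write into the production volume.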
@@ -0,0 +1,16 @@
+---
+# vars for kojid
+
+kojid_vendor: Rocky
+kojid_packager: infrastructure@rockylinux.org
+kojid_distribution: Rocky
+# These three should probably be specified by special vars
+# kojid_web_url: https://koji.rockylinux.org/koji
+# kojid_hub_url: https://koji.rockylinux.org/kojihub
+# kojid_files_url: https://koji.rockylinux.org/kojifiles
+
+kojid_ca_bundle: /etc/pki/tls/certs/ca-bundle.crt
+kojid_keytab: /etc/kojid.keytab
+kojid_smtp_host: smtp.rockylinux.org
+kojid_allowed_scm: "git.rockylinux.org:/staging/rpms/*:off:/var/srpmproc/srpmproc_wrapper git.rockylinux.org:/rocky/*:off:/var/srpmproc/srpmproc_wrapper git.rockylinux.org:/original/rpms/*:off:/var/srpmproc/srpmproc_wrapper"
+...
diff --git a/vars/production/kojihub.yml b/vars/production/kojihub.yml
new file mode 100644
index 0000000..0c0d7de
--- /dev/null
+++ b/vars/production/kojihub.yml
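Review bot: `kojid_allowed_scm` for production permits `git.rockylinux.org:/staging/rpms/*` alongside the `/rocky/*` and `/original/rpms/*` namespaces, so a production builder will accept build sources from the staging namespace; if `/staging/rpms` is a pre-release workflow namespace rather than the staging environment that may be intended, but a comment should say so, and if not, drop that entry here (vars/staging/kojid.yml below carries the same list). The three commented-out `kojid_*_url` lines and the note that they "should probably be specified by special vars" leave it unclear where the hub, web and files URLs actually come from; naming the variable or role default that supplies them would save the next reader a search.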
@@ -0,0 +1,120 @@
+---
+# koji hub settings
+# This should be the front-facing URL of koji
+# koji_url_name: koji.rockylinux.org
+
+# Use an internal CA (IPA)
+koji_internal_ca: true
+
+# Use postgresql on this machine rather than managed service
+koji_postgresql_vm: true
+
+# Database settings
+koji_db_name: koji
+koji_db_user: koji
+# This will need to change when koji_postgresql_vm is false
+koji_db_host: "{{ ansible_fqdn }}"
+
+koji_web_url: "https://{{ koji_url_name }}/koji"
+koji_hub_url: "https://{{ koji_url_name }}/kojihub"
+koji_files_url: "https://{{ koji_url_name }}/kojifiles"
+
+# The IPA internal CA is combined with the others
+# Change before deployment or store in vault
+koji_hub_secret: cK5XCuzMSXJfgA7yFvXkGwFu
+koji_web_cacert: /etc/pki/tls/certs/ca-bundle.crt
+koji_web_tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
+koji_web_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
+
+# Kojira
+koji_kojira: true
+koji_kojira_user: kojira
+koji_kojira_user_kerb: kojira/koji.rockylinux.org
+koji_kojira_principal: kojira/koji.rockylinux.org@ROCKYLINUX.ORG
+koji_kojira_keytab: /etc/keytabs/kojira.keytab
+
+# MBS
+koji_mbs: true
+koji_mbs_user: mbs
+koji_mbs_user_kerb: mbs/mbs.rockylinux.org
+koji_mbs_principal: mbs/mbs.rockylinux.org@ROCKYLINUX.ORG
+koji_mbs_keytab: /etc/keytabs/mbs.keytab
+
+# GC
+koji_gc_keytab: /etc/keytabs/koji-gc.keytab
+koji_gc_principal: koji-gc/koji.rockylinux.org@ROCKYLINUX.ORG
+
+# Sigul
+koji_sigul: true
+koji_sigul_user: sigul
+koji_sigul_user_kerb: sigul/sigul.rockylinux.org
+koji_sigul_principal: sigul/sigul.rockylinux.org@ROCKYLINUX.ORG
+
+# NFS? We need a place.
+koji_nfs: false
+koji_mount: /mnt/koji
+koji_nfs_path: nfs.rockylinux.org:/export/koji
+
+# Koji Admin Settings
+koji_admin_client: true
+koji_admin_user: rockykoji
+koji_admin_principal: rockykoji@ROCKYLINUX.ORG
+koji_admin_localuser: true
+koji_admin_localuser_name: koji
+
+# Hub Settings
+koji_hub_principal: "host/kojihub@ROCKYLINUX.ORG"
+koji_hub_proxy_principals: "HTTP/{{ inventory_hostname }}@ROCKYLINUX.ORG"
+koji_hub_keytab: /etc/keytabs/host.keytab
+koji_hub_principal_format: compile/%s@ROCKYLINUX.ORG
+# This should be sufficient even for LE
+koji_hub_ca: "{{ koji_web_cacert }}"
+
+# Koji FAS Syncing
+# This isn't implemented yet in the role
+koji_fas_sync: false
+koji_fas_url: https://accounts.rockylinux.org
+
+# IPA Certs if Required
+ipa_getcert_requested_hostnames:
+ - name: "{{ ansible_fqdn }}"
+ owner: apache
+ key_location: "{{ koji_web_tls_key }}"
+ cert_location: "{{ koji_web_tls_cert }}"
+ postcmd: "/bin/systemctl reload httpd"
+
+# postgresql vars
+postgresql_restarted_state: "restarted"
+postgresql_python_library: python3-psycopg2
+postgresql_user: postgres
+postgresql_group: postgres
+postgresql_hba_entries:
+ - type: local
+ database: koji
+ user: koji
+ auth_method: trust
+ - type: local
+ database: all
+ user: postgres
+ auth_method: peer
+ - type: host
+ database: koji
+ user: koji
+ address: '10.100.1.0/24'
+ auth_method: md5
+
+postgresql_databases:
+ - name: "{{ koji_db_name }}"
+ owner: "{{ koji_db_user }}"
+
+postgresql_users:
+ - name: "{{ koji_db_user }}"
+ password: "{{ koji_db_pass }}"
+ role_attr_flags: "NOCREATEDB,NOSUPERUSER,NOCREATEROLE"
+ db: "{{ koji_db_name }}"
+ state: present
+
+postgresql_global_config_options:
+ - option: listen_addresses
+ value: '*'
+...
diff --git a/vars/staging/koji-common.yml b/vars/staging/koji-common.yml
new file mode 100644
index 0000000..feab453
--- /dev/null
+++ b/vars/staging/koji-common.yml
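Review bot: `koji_hub_secret: cK5XCuzMSXJfgA7yFvXkGwFu` is a live-looking secret committed in cleartext, and the identical value appears in vars/staging/kojihub.yml; since this commit already puts it in history it should be treated as exposed and rotated, with the new value referenced from the vault file the playbooks already load, e.g. `koji_hub_secret: "{{ vault_koji_hub_secret }}"` (variable name constructed), the same way `koji_db_pass` is expected from elsewhere. The `postgresql_hba_entries` line `local koji koji trust` lets any local OS user open the koji database as the `koji` role with no password; since a password is provisioned via `koji_db_pass` and the network entry already authenticates, the local entry can use the same method (or `peer` with an identity map if the hub runs as a dedicated system user), and `scram-sha-256` is preferable to `md5` where the installed PostgreSQL supports it. `listen_addresses: '*'` plus the `10.100.1.0/24` host entry is reasonable only if that subnet is the intended client range; a comment naming what lives there would help reviewers judge it.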
@@ -0,0 +1,14 @@
+---
+# Koji common
+koji_efs_mount_path: /mnt/koji
+koji_efs_fsid: whatever.amazonaws.com
+koji_efs_fs_ip_map:
+ us-east-2a: 10.x.x.x
+ us-east-2b: 10.x.x.x
+ us-east-2c: 10.x.x.x
+koji_efs_fs_type: efs
+koji_efs_fs_opts:
+ - _netdev
+ - tls
+ - iam
+...
diff --git a/vars/staging/kojid.yml b/vars/staging/kojid.yml
new file mode 100644
index 0000000..b547cad
--- /dev/null
+++ b/vars/staging/kojid.yml
@@ -0,0 +1,16 @@
+---
+# vars for kojid
+
+kojid_vendor: Rocky
+kojid_packager: infrastructure@rockylinux.org
+kojid_distribution: Rocky
+# These three should probably be specified by special vars
+# kojid_web_url: https://kojistg.rockylinux.org/koji
+# kojid_hub_url: https://kojistg.rockylinux.org/kojihub
+# kojid_files_url: https://kojistg.rockylinux.org/kojifiles
+
+kojid_ca_bundle: /etc/pki/tls/certs/ca-bundle.crt
+kojid_keytab: /etc/kojid.keytab
+kojid_smtp_host: smtp.rockylinux.org
+kojid_allowed_scm: "git.rockylinux.org:/staging/rpms/*:off:/var/srpmproc/srpmproc_wrapper git.rockylinux.org:/rocky/*:off:/var/srpmproc/srpmproc_wrapper git.rockylinux.org:/original/rpms/*:off:/var/srpmproc/srpmproc_wrapper"
+...
diff --git a/vars/staging/kojihub.yml b/vars/staging/kojihub.yml
new file mode 100644
index 0000000..1d6d705
--- /dev/null
+++ b/vars/staging/kojihub.yml
@@ -0,0 +1,120 @@
+---
+# koji hub settings
+# This should be the front-facing URL of koji
+# koji_url_name: kojistg.rockylinux.org
+
+# Use an internal CA (IPA)
+koji_internal_ca: true
+
+# Use postgresql on this machine rather than managed service
+koji_postgresql_vm: true
+
+# Database settings
+koji_db_name: koji
+koji_db_user: koji
+# This will need to change when koji_postgresql_vm is false
+koji_db_host: "{{ ansible_fqdn }}"
+
+koji_web_url: "https://{{ koji_url_name }}/koji"
+koji_hub_url: "https://{{ koji_url_name }}/kojihub"
+koji_files_url: "https://{{ koji_url_name }}/kojifiles"
+
+# The IPA internal CA is combined with the others
+# Change before deployment or store in vault
+koji_hub_secret: cK5XCuzMSXJfgA7yFvXkGwFu
+koji_web_cacert: /etc/pki/tls/certs/ca-bundle.crt
+koji_web_tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
+koji_web_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
+
+# Kojira
+koji_kojira: true
+koji_kojira_user: kojira
+koji_kojira_user_kerb: kojira/kojistg.rockylinux.org
+koji_kojira_principal: kojira/kojistg.rockylinux.org@ROCKYLINUX.ORG
+koji_kojira_keytab: /etc/keytabs/kojira.keytab
+
+# MBS
+koji_mbs: true
+koji_mbs_user: mbs
+koji_mbs_user_kerb: mbs/mbs.rockylinux.org
+koji_mbs_principal: mbs/mbs.rockylinux.org@ROCKYLINUX.ORG
+koji_mbs_keytab: /etc/keytabs/mbs.keytab
+
+# GC
+koji_gc_keytab: /etc/keytabs/koji-gc.keytab
+koji_gc_principal: koji-gc/kojistg.rockylinux.org@ROCKYLINUX.ORG
+
+# Sigul
+koji_sigul: true
+koji_sigul_user: sigul
+koji_sigul_user_kerb: sigul/sigul.rockylinux.org
+koji_sigul_principal: sigul/sigul.rockylinux.org@ROCKYLINUX.ORG
+
+# NFS? We need a place.
+koji_nfs: false
+koji_mount: /mnt/koji
+koji_nfs_path: nfs.rockylinux.org:/export/koji
+
+# Koji Admin Settings
+koji_admin_client: true
+koji_admin_user: rockykoji
+koji_admin_principal: rockykoji@ROCKYLINUX.ORG
+koji_admin_localuser: true
+koji_admin_localuser_name: koji
+
+# Hub Settings
+koji_hub_principal: "host/kojihub@ROCKYLINUX.ORG"
+koji_hub_proxy_principals: "HTTP/{{ inventory_hostname }}@ROCKYLINUX.ORG"
+koji_hub_keytab: /etc/keytabs/host.keytab
+koji_hub_principal_format: compile/%s@ROCKYLINUX.ORG
+# This should be sufficient even for LE
+koji_hub_ca: "{{ koji_web_cacert }}"
+
+# Koji FAS Syncing
+# This isn't implemented yet in the role
+koji_fas_sync: false
+koji_fas_url: https://accounts.rockylinux.org
+
+# IPA Certs if Required
+ipa_getcert_requested_hostnames:
+ - name: "{{ ansible_fqdn }}"
+ owner: apache
+ key_location: "{{ koji_web_tls_key }}"
+ cert_location: "{{ koji_web_tls_cert }}"
+ postcmd: "/bin/systemctl reload httpd"
+
+# postgresql vars
+postgresql_restarted_state: "restarted"
+postgresql_python_library: python3-psycopg2
+postgresql_user: postgres
+postgresql_group: postgres
+postgresql_hba_entries:
+ - type: local
+ database: koji
+ user: koji
+ auth_method: trust
+ - type: local
+ database: all
+ user: postgres
+ auth_method: peer
+ - type: host
+ database: koji
+ user: koji
+ address: '10.100.1.0/24'
+ auth_method: md5
+
+postgresql_databases:
+ - name: "{{ koji_db_name }}"
+ owner: "{{ koji_db_user }}"
+
+postgresql_users:
+ - name: "{{ koji_db_user }}"
+ password: "{{ koji_db_pass }}"
+ role_attr_flags: "NOCREATEDB,NOSUPERUSER,NOCREATEROLE"
+ db: "{{ koji_db_name }}"
+ state: present
+
+postgresql_global_config_options:
+ - option: listen_addresses
+ value: '*'
+...
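Review bot: The staging hub keeps the production service identities for MBS and Sigul — `koji_mbs_user_kerb: mbs/mbs.rockylinux.org` and `koji_sigul_user_kerb: sigul/sigul.rockylinux.org` (and their `_principal` lines) match vars/production/kojihub.yml — while kojira and gc were moved to `kojistg.rockylinux.org`. If one MBS and one Sigul are meant to serve both hubs, a comment above those blocks should say so; otherwise staging-specific principals keep a compromised staging hub from trusting, or being trusted by, production service accounts. `koji_hub_principal: "host/kojihub@ROCKYLINUX.ORG"` is a literal host name while `koji_hub_proxy_principals` uses `{{ inventory_hostname }}`; confirm the keytab at `/etc/keytabs/host.keytab` really carries `host/kojihub` rather than the machine's FQDN, since the pre_tasks only check that the file exists.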