diff --git a/handlers/main.yml b/handlers/main.yml index 7473183..03493b0 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -57,6 +57,11 @@ name: rsyncd state: restarted +- name: restart_rabbitmq + ansible.builtin.service: + name: rabbitmq-server + state: restarted + - name: enable_crb ansible.builtin.shell: "set -o pipefail && /usr/bin/crb enable" changed_when: "1 != 1" diff --git a/init-rocky-mantisbt.yml b/init-rocky-mantisbt.yml index b2bc80d..d501d4a 100644 --- a/init-rocky-mantisbt.yml +++ b/init-rocky-mantisbt.yml @@ -30,7 +30,7 @@ tasks: - name: Deploy Mantis - import_tasks: tasks/mantis.yml + import_tasks: tasks/mantis/mantis.yml post_tasks: - name: Open firewalld ports diff --git a/role-rocky-rabbitmq.yml b/role-rocky-rabbitmq.yml index 05247a1..a0075a4 100644 --- a/role-rocky-rabbitmq.yml +++ b/role-rocky-rabbitmq.yml @@ -7,6 +7,8 @@ # vars/vaults/encpass.yml - vars/common.yml - vars/rabbitmq.yml + - vars/rabbitmq_vhost.yml + - vars/rabbitmq_users.yml # This is to try to avoid the handler issue in pre/post tasks handlers: 
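Review bot: The new `- vars/rabbitmq_users.yml` entry under `vars_files` points at a file that, elsewhere in this same commit, contains a list of three tasks (`Remove users from rabbitmq`, `Add and configure single vhost users`, `Add and configure multi-vhost users`), while `tasks/rabbitmq/users.yml`, which the play later pulls in with `ansible.builtin.import_tasks`, holds the `rabbitmq_users:` variable; the two files' bodies appear to be swapped. Ansible requires a vars file to be a mapping and an imported task file to be a list, so the play will fail to load before any task runs. Swap the contents of `tasks/rabbitmq/users.yml` and `vars/rabbitmq_users.yml` (or the two paths) before merging. The `vars_files` stanza this hunk edits begins above the hunk.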
@@ -43,22 +45,33 @@ - name: Flush handlers ansible.builtin.meta: flush_handlers - # This will change eventually to a rocky-release-messaging repo or to a - # rocky-release-rabbitmq repo - #- name: Install centos rabbitmq - # yum: - # name: centos-release-rabbitmq-38 - # state: present - # tags: - # - packages + - name: Install centos rabbitmq + yum: + name: centos-release-rabbitmq-39 + state: present + tags: + - packages roles: - role: rockylinux.ipagetcert state: present when: rabbitmq_private - - role: rockylinux.rabbitmq - state: present + tasks: + - name: Run rabbitmq installation + ansible.builtin.import_tasks: "tasks/rabbitmq/rabbitmq.yml" + tags: + - rabbitmq_cluster + + - name: Run rabbitmq vhosts + ansible.builtin.import_tasks: "tasks/rabbitmq/vhost.yml" + tags: + - vhosts + + - name: Run rabbitmq users + ansible.builtin.import_tasks: "tasks/rabbitmq/users.yml" + tags: + - vhosts post_tasks: - name: Touching run file that ansible has ran here diff --git a/tasks/mantis.yml b/tasks/mantis/mantis.yml similarity index 91% rename from tasks/mantis.yml rename to tasks/mantis/mantis.yml index 64a9ca7..2156c57 100644 --- a/tasks/mantis.yml +++ b/tasks/mantis/mantis.yml @@ -18,13 +18,13 @@ - packages - name: Download the bugtracker - get_url: + ansible.builtin.get_url: url: "http://downloads.sourceforge.net/mantisbt/mantisbt-{{ mantis_version }}.tar.gz" dest: "/tmp/mantisbt-{{ mantis_version }}.tar.gz" checksum: "{{ mantis_checksum }}" - name: Extract mantis - unarchive: + ansible.builtin.unarchive: src: "/tmp/mantisbt-{{ mantis_version }}.tar.gz" dest: "/var/www" owner: apache @@ -33,7 +33,7 @@ remote_src: true - name: Generate crypto salt - shell: "set -o pipefail && cat /dev/urandom | head -c 64 | base64 --wrap=0" + ansible.builtin.shell: "set -o pipefail && cat /dev/urandom | head -c 64 | base64 --wrap=0" changed_when: "1 != 1" register: cryptosalt_string 
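Review bot: The `Run rabbitmq users` import is tagged `- vhosts`, the same tag as the vhost import directly above it, so `--tags vhosts` silently runs user management as well and there is no tag that selects the users step alone; the value looks copy-pasted and should presumably be `- users`. The un-commented `Install centos rabbitmq` task also uses the bare `yum:` module name while every other task added in this commit uses a fully qualified name, so `ansible.builtin.yum:` (or `ansible.builtin.dnf:`, as the new task files use) keeps the play consistent. The pre_tasks list that `Flush handlers` belongs to starts above this hunk.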
@@ -57,7 +57,7 @@ - "custom_strings_inc.php" - name: Deploy plugins from Mantis GitHub - git: + ansible.builtin.git: repo: "https://github.com/mantisbt-plugins/{{ item }}.git" dest: "/var/www/mantisbt-{{ mantis_version }}/plugins/{{ item }}" update: true @@ -66,14 +66,14 @@ - Snippets - name: Deploy custom libravatar plugin - git: + ansible.builtin.git: repo: "https://github.com/nazunalika/mantisbt-libravatar.git" dest: "/var/www/mantisbt-{{ mantis_version }}/plugins/Libravatar" update: true version: main - name: Deploy custom mattermost plugin - git: + ansible.builtin.git: repo: "https://github.com/nazunalika/mantisbt-mattermost.git" dest: "/var/www/mantisbt-{{ mantis_version }}/plugins/Mattermost" update: true @@ -107,5 +107,5 @@ # login_password: "{{ mantis_db_pass }}" - name: Patch up some pages - import_tasks: mantispatch.yml + ansible.builtin.import_tasks: mantispatch.yml ... diff --git a/tasks/mantispatch.yml b/tasks/mantis/mantispatch.yml similarity index 100% rename from tasks/mantispatch.yml rename to tasks/mantis/mantispatch.yml diff --git a/tasks/rabbitmq/rabbitmq.yml b/tasks/rabbitmq/rabbitmq.yml new file mode 100644 index 0000000..cc4e572 --- /dev/null +++ b/tasks/rabbitmq/rabbitmq.yml 
@@ -0,0 +1,111 @@ +--- +- name: Install RabbitMQ + ansible.builtin.dnf: + name: rabbitmq-server + state: present + +- name: Enable SELinux boolean + ansible.posix.seboolean: + name: nis_enabled + persistent: true + state: true + +- name: Deploy RabbitMQ configuration + ansible.builtin.template: + src: "etc/rabbitmq/{{ item }}.j2" + dest: "/etc/rabbitmq/{{ item }}" + owner: rabbitmq + group: rabbitmq + mode: '0644' + loop: + - rabbitmq.conf + - rabbitmq-env.conf + notify: + - restart_rabbitmq + +- name: Deploy erlang cookie + ansible.builtin.copy: + owner: rabbitmq + group: rabbitmq + mode: '0600' + content: "{{ rabbitmq_cookie }}" + dest: "/var/lib/rabbitmq/.erlang.cookie" + notify: + - restart_rabbitmq + +- name: Create systemd override for RabbitMQ + ansible.builtin.file: + path: /etc/systemd/system/rabbitmq-server.service.d + state: directory + owner: root + group: root + mode: '0755' + +- name: Override nofile limit for RabbitMQ + ansible.builtin.copy: + dest: /etc/systemd/system/rabbitmq-server.service.d/99-override.conf + owner: root + group: root + mode: '0644' + content: | + [Service] + LimitNOFILE={{ rabbitmq_file_limit }} + +# We are doing it the command line way +- name: Enable RabbitMQ Plugins + ansible.builtin.command: "rabbitmq-plugins enable {{ rabbitmq_plugins | join(' ') }}" + changed_when: "1 != 1" + +- name: Ensure file ownership for plugins + ansible.builtin.file: + path: /etc/rabbitmq/enabled_plugins + owner: rabbitmq + group: rabbitmq + mode: '0644' + state: file + +- name: Ensure file ownership for certificate + ansible.builtin.file: + path: "{{ item }}" + owner: rabbitmq + group: rabbitmq + mode: '0600' + state: file + loop: + - "{{ rabbitmq_tls_cert }}" + - "{{ rabbitmq_tls_key }}" + +- name: Open applicable firewall rules + ansible.posix.firewalld: + port: "{{ item }}" + permanent: true + state: enabled + immediate: true + loop: "{{ rabbitmq_ports }}" + +- name: Non-master nodes should wait for 001 to be up first + 
ansible.builtin.wait_for: + host: "{{ rabbitmq_cluster_list[0] }}" + port: '5672' + delay: '15' + connect_timeout: '10' + state: started + when: "'rabbitmq001' not in inventory_hostname" + +- name: Ensure RabbitMQ is running + ansible.builtin.service: + name: rabbitmq-server + state: started + enabled: true + +- name: Drop the admin password in a file if available + ansible.builtin.copy: + dest: /root/.rabbitmqpass + content: "{{ rabbitmq_admin_password }}" + mode: '0600' + owner: root + group: root + when: rabbitmq_admin_password is defined + tags: + - rabbitmq_cluster +... diff --git a/tasks/rabbitmq/users.yml b/tasks/rabbitmq/users.yml new file mode 100644 index 0000000..da1a2bf --- /dev/null +++ b/tasks/rabbitmq/users.yml @@ -0,0 +1,61 @@ +--- +rabbitmq_users: + - user: guest + state: absent + - user: rockyadmin + state: present + tags: "administrator" + permissions: + - vhost: / + configure_priv: ".*" + read_priv: ".*" + write_priv: ".*" + - vhost: pubsub + configure_priv: ".*" + read_priv: ".*" + write_priv: ".*" + - vhost: public_pubsub + configure_priv: ".*" + read_priv: ".*" + write_priv: ".*" + - vhost: mbs + configure_priv: ".*" + read_priv: ".*" + write_priv: ".*" + - vhost: distrobuild + configure_priv: ".*" + read_priv: ".*" + write_priv: ".*" + - vhost: odcs + configure_priv: ".*" + read_priv: ".*" + write_priv: ".*" + - user: mbs + state: present + configure_priv: ".*" + read_priv: ".*" + write_priv: ".*" + vhost: mbs + - user: distrobuild + state: present + configure_priv: ".*" + read_priv: ".*" + write_priv: ".*" + vhost: distrobuild + - user: rockymonitor + state: present + permissions: + - vhost: / + configure_priv: "^$" + read_priv: "^$" + write_priv: "^$" + - vhost: pubsub + configure_priv: "^$" + read_priv: "^$" + write_priv: "^$" + - vhost: public_pubsub + configure_priv: "^$" + read_priv: "^$" + write_priv: "^$" + tags: "monitoring" +... 
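Review bot: `Deploy erlang cookie` and `Drop the admin password in a file if available` both write a secret through `content:` (`rabbitmq_cookie`, `rabbitmq_admin_password`) and neither sets `no_log: true`, so the cookie and the admin password are printed verbatim in `--diff` and verbose output and end up in any log collector or callback plugin. Add `no_log: true` to both tasks, and to `Deploy RabbitMQ configuration` as well, since `rabbitmq.conf.j2` renders `rabbitmq_ldap_bind_pw` into the file that task diffs. The `rabbitmq_cluster` tag on the last task is the only tag in this file; because the play's `import_tasks` of this file already carries that tag, the per-task copy is redundant and may mislead a reader into thinking the other tasks are untagged.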
diff --git a/tasks/rabbitmq/vhost.yml b/tasks/rabbitmq/vhost.yml new file mode 100644 index 0000000..7ad1b69 --- /dev/null +++ b/tasks/rabbitmq/vhost.yml @@ -0,0 +1,22 @@ +--- +- name: Create virtual hosts + community.rabbitmq.rabbitmq_vhost: + name: "{{ item.vhost }}" + state: "{{ item.state }}" + loop: "{{ rabbitmq_vhosts }}" + tags: + - rabbitmq_cluster + +- name: Manage virtual host policies + community.rabbitmq.rabbitmq_policy: + name: "{{ item.1.name }}" + apply_to: "{{ item.1.apply_to }}" + pattern: "{{ item.1.pattern }}" + tags: "{{ item.1.tags }}" + vhost: "{{ item.0.vhost }}" + state: present + loop: "{{ rabbitmq_vhosts | subelements('policy', 'skip_missing=True') }}" + when: item.0.state == 'present' + tags: + - rabbitmq_cluster +... diff --git a/templates/etc/rabbitmq/rabbitmq-env.conf.j2 b/templates/etc/rabbitmq/rabbitmq-env.conf.j2 new file mode 100644 index 0000000..7e97dc7 --- /dev/null +++ b/templates/etc/rabbitmq/rabbitmq-env.conf.j2 @@ -0,0 +1,2 @@ +NODENAME="{{ rabbitmq_cluster_name }}" +USE_LONGNAME="true" diff --git a/templates/etc/rabbitmq/rabbitmq.conf.j2 b/templates/etc/rabbitmq/rabbitmq.conf.j2 new file mode 100644 index 0000000..fbb2493 --- /dev/null +++ b/templates/etc/rabbitmq/rabbitmq.conf.j2 
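Review bot: `NODENAME="{{ rabbitmq_cluster_name }}"` renders the same value on every member, since `rabbitmq.conf.j2` uses that same variable for `cluster_name`, yet `cluster_formation.classic_config.nodes.N` expects each peer to be reachable as `rabbit@{{ mqsrv }}`; unless `rabbitmq_cluster_name` is defined per host (its definition is not in this diff), the node names cannot match the classic-config list and peers will not join. If a per-node name is intended, something like `NODENAME="rabbit@{{ inventory_hostname }}"` (or the hostname form that `rabbitmq_cluster_list` is built from) is the usual value, with `USE_LONGNAME` matching whether that is a short name or an FQDN. Please confirm against the variable's definition before merging.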
@@ -0,0 +1,53 @@ +listeners.ssl.default = 5671 +listeners.tcp.default = 5672 + +num_acceptors.tcp = 10 +num_acceptors.ssl = 10 + +reverse_dns_lookups = true + +ssl_options.verify = verify_peer +ssl_options.fail_if_no_peer_cert = false +ssl_options.cacertfile = {{ rabbitmq_tls_ca_cert }} +ssl_options.certfile = {{ rabbitmq_tls_cert }} +ssl_options.keyfile = {{ rabbitmq_tls_key }} + +# Authentication Backends +auth_backends.1.authn = ldap +auth_backends.1.authz = internal +auth_backends.2 = internal +auth_mechanisms.1 = PLAIN +auth_mechanisms.1 = EXTERNAL +auth_mechanisms.2 = PLAIN +auth_mechanisms.2 = EXTERNAL + +ssl_cert_login_from = common_name +auth_ldap.dn_lookup_bind.user_dn = {{ rabbitmq_ldap_bind_dn }} +auth_ldap.dn_lookup_bind.password = {{ rabbitmq_ldap_bind_pw }} +auth_ldap.dn_lookup_attribute = uid +auth_ldap.dn_lookup_base = {{ rabbitmq_ldap_basedn }} +auth_ldap.port = 389 +auth_ldap.connection_pool_size = 256 +auth_ldap.idle_timeout = 120000 +auth_ldap.use_starttls = true +{% for ldapsrv in rabbitmq_ldap_servers %} +auth_ldap.servers.{{ loop.index }} = {{ ldapsrv }} +{% endfor %} + +cluster_name = {{ rabbitmq_cluster_name }} +password_hashing_module = rabbit_password_hashing_sha256 + +cluster_partition_handling = autoheal +cluster_formation.node_type = disc +cluster_formation.peer_discovery_backend = classic_config + +product.name = RockyMQ! +product.version = 0.0.1 + +#disk_free_limit.relative = 2.0 +disk_free_limit.absolute = 2GB + +# Cluster Nodes +{% for mqsrv in rabbitmq_cluster_list %} +cluster_formation.classic_config.nodes.{{ loop.index }} = rabbit@{{ mqsrv }} +{% endfor %} diff --git a/vars/rabbitmq.yml b/vars/rabbitmq.yml index edec714..1ffd61b 100644 --- a/vars/rabbitmq.yml +++ b/vars/rabbitmq.yml 
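Review bot: `auth_ldap.dn_lookup_bind.password = {{ rabbitmq_ldap_bind_pw }}` puts the LDAP bind credential into `/etc/rabbitmq/rabbitmq.conf`, which the template task in `tasks/rabbitmq/rabbitmq.yml` installs with `mode: '0644'`, so any local account on the broker can read a directory-service password; tighten that task to `mode: '0640'` (owner and group are already `rabbitmq`) and give it `no_log: true` so the rendered password does not appear in diff output. The `auth_mechanisms` block assigns `.1` and `.2` twice each (PLAIN then EXTERNAL for both indices); duplicate keys in rabbitmq.conf do not accumulate into a list, so at most one value per index can take effect and the intended pair should read `auth_mechanisms.1 = PLAIN` and `auth_mechanisms.2 = EXTERNAL`. `auth_ldap.use_starttls = true` on port 389 is also set without any CA or peer-verification option for the LDAP connection, so it is worth confirming that the plugin verifies the directory's certificate rather than accepting any STARTTLS peer.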
@@ -42,4 +42,15 @@ ipa_getcert_requested_hostnames: postcmd: "/bin/systemctl restart rabbitmq-server" cnames: - "rabbitmq-{{ rabbitmq_env }}.rockylinux.org" + +# Rabbitmq settings +rabbitmq_ports: + - 1883/tcp + - 4369/tcp + - 5671/tcp + - 5672/tcp + - 8883/tcp + - 15672/tcp + - 25672/tcp + - 35672-35682/tcp ... diff --git a/vars/rabbitmq_users.yml b/vars/rabbitmq_users.yml new file mode 100644 index 0000000..3067675 --- /dev/null +++ b/vars/rabbitmq_users.yml @@ -0,0 +1,35 @@ +--- +- name: Remove users from rabbitmq + community.rabbitmq.rabbitmq_user: + user: "{{ item.user }}" + state: absent + when: item.state == 'absent' + +- name: Add and configure single vhost users + community.rabbitmq.rabbitmq_user: + user: "{{ item.user }}" + password: "{{ item.password|default(omit) }}" + update_password: "{{ item.update_password|default(omit) }}" + topic_permissions: "{{ item.topic_permissions|default(omit) }}" + configure_priv: "{{ item.configure_priv|default(omit) }}" + write_priv: "{{ item.write_priv|default(omit) }}" + read_priv: "{{ item.read_priv|default(omit) }}" + vhost: "{{ item.vhost }}" + tags: "{{ item.tags|default(omit) }}" + loop: "{{ rabbitmq_users }}" + when: item.vhost is defined + +- name: Add and configure multi-vhost users + community.rabbitmq.rabbitmq_user: + user: "{{ item.user }}" + password: "{{ item.password|default(omit) }}" + update_password: "{{ item.update_password|default(omit) }}" + permissions: "{{ item.permissions }}" + topic_permissions: "{{ item.topic_permissions|default(omit) }}" + vhost: "{{ item.vhost }}" + tags: "{{ item.tags|default(omit) }}" + loop: "{{ rabbitmq_users }}" + when: + - item.vhost is not defined + - item.permissions is defined +... diff --git a/vars/rabbitmq_vhost.yml b/vars/rabbitmq_vhost.yml new file mode 100644 index 0000000..e87bb63 --- /dev/null +++ b/vars/rabbitmq_vhost.yml 
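Review bot: `rabbitmq_ports` lists 4369/tcp (epmd), 25672/tcp (inter-node and CLI) and 35672-35682/tcp (CLI tool range) next to 15672/tcp (management HTTP), and the `ansible.posix.firewalld` task that consumes this list opens each port in the default zone with no `source` restriction; the Erlang distribution ports are guarded only by the shared cookie, and nothing in `rabbitmq.conf.j2` configures `management.ssl.*`, so the management UI on 15672 would take credentials over plain HTTP. Restrict the cluster-internal ports to the peer addresses (a dedicated firewalld zone, or `rich_rule` entries with a `source`), and either put the management listener behind TLS or keep 15672 out of the publicly opened list. Whether the default zone is already limited elsewhere is not visible in this diff.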
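Review bot: `Remove users from rabbitmq` references `item.user` and `item.state` but has no `loop:`, so the `when:` conditional fails with `item` undefined on the first run; it needs `loop: "{{ rabbitmq_users }}"` like the two tasks that follow it. In `Add and configure multi-vhost users`, `vhost: "{{ item.vhost }}"` is templated for exactly the items whose `when` requires `item.vhost is not defined`, which raises an undefined-variable error for every entry that task is meant to handle; drop that line (the `permissions` entries already name their vhost) or write `vhost: "{{ item.vhost|default(omit) }}"`.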
@@ -0,0 +1,71 @@ +--- +rabbitmq_vhosts: + - vhost: pubsub + state: present + policy: + - name: HA + apply_to: queues + state: present + pattern: ".*" + tags: + ha-mode: 'all' + ha-sync-mode: 'automatic' + ha-sync-batch-size: '10000' + - name: pubsub_sweeper + apply_to: queues + state: present + pattern: ".*" + tags: + expires: '111600000' + max-length-bytes: '1073741824' + - vhost: public_pubsub + state: present + policy: + - name: sweeper + apply_to: queues + state: present + pattern: ".*" + tags: + expires: '3600000' + max-length-bytes: '52428800' + - vhost: mbs + state: present + policy: + - name: HA + apply_to: queues + state: present + pattern: ".*" + tags: + ha-mode: 'all' + ha-sync-mode: 'automatic' + ha-sync-batch-size: '10000' + - vhost: distrobuild + state: present + policy: + - name: HA + apply_to: queues + state: present + pattern: ".*" + tags: + ha-mode: 'all' + ha-sync-mode: 'automatic' + ha-sync-batch-size: '10000' + - vhost: odcs + state: present + policy: + - name: HA + apply_to: queues + state: present + pattern: ".*" + tags: + ha-mode: 'all' + ha-sync-mode: 'automatic' + ha-sync-batch-size: '10000' + - name: pubsub_sweeper + apply_to: queues + state: present + pattern: ".*" + tags: + expires: '111600000' + max-length-bytes: '1073741824' +...
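Review bot: The numeric policy arguments (`expires`, `max-length-bytes`, `ha-sync-batch-size`) are written as quoted strings such as `expires: '111600000'`, and `community.rabbitmq.rabbitmq_policy` forwards `tags` as a JSON object, so the broker may receive strings where it validates integers and reject the policy; if the first run fails with a type error, unquote them (`expires: 111600000`). I cannot tell from this diff how the installed module version serializes the mapping, so verify on the first apply rather than taking this as certain.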