start to decommission rabbitmq role

This commit is contained in:
Louis Abel 2023-07-15 00:10:52 -07:00
parent efda833629
commit cc42eb6dad
Signed by: label
GPG Key ID: 3331F061D1D9990E
13 changed files with 402 additions and 18 deletions


@ -57,6 +57,11 @@
name: rsyncd name: rsyncd
state: restarted state: restarted
- name: restart_rabbitmq
ansible.builtin.service:
name: rabbitmq-server
state: restarted
- name: enable_crb - name: enable_crb
ansible.builtin.shell: "set -o pipefail && /usr/bin/crb enable" ansible.builtin.shell: "set -o pipefail && /usr/bin/crb enable"
changed_when: "1 != 1" changed_when: "1 != 1"


@ -30,7 +30,7 @@
tasks: tasks:
- name: Deploy Mantis - name: Deploy Mantis
import_tasks: tasks/mantis.yml import_tasks: tasks/mantis/mantis.yml
post_tasks: post_tasks:
- name: Open firewalld ports - name: Open firewalld ports


@ -7,6 +7,8 @@
# vars/vaults/encpass.yml # vars/vaults/encpass.yml
- vars/common.yml - vars/common.yml
- vars/rabbitmq.yml - vars/rabbitmq.yml
- vars/rabbitmq_vhost.yml
- vars/rabbitmq_users.yml
# This is to try to avoid the handler issue in pre/post tasks # This is to try to avoid the handler issue in pre/post tasks
handlers: handlers:
@ -43,22 +45,33 @@
- name: Flush handlers - name: Flush handlers
ansible.builtin.meta: flush_handlers ansible.builtin.meta: flush_handlers
# This will change eventually to a rocky-release-messaging repo or to a - name: Install centos rabbitmq
# rocky-release-rabbitmq repo yum:
#- name: Install centos rabbitmq name: centos-release-rabbitmq-39
# yum: state: present
# name: centos-release-rabbitmq-38 tags:
# state: present - packages
# tags:
# - packages
roles: roles:
- role: rockylinux.ipagetcert - role: rockylinux.ipagetcert
state: present state: present
when: rabbitmq_private when: rabbitmq_private
- role: rockylinux.rabbitmq tasks:
state: present - name: Run rabbitmq installation
ansible.builtin.import_tasks: "tasks/rabbitmq/rabbitmq.yml"
tags:
- rabbitmq_cluster
- name: Run rabbitmq vhosts
ansible.builtin.import_tasks: "tasks/rabbitmq/vhost.yml"
tags:
- vhosts
- name: Run rabbitmq users
ansible.builtin.import_tasks: "tasks/rabbitmq/users.yml"
tags:
- vhosts
post_tasks: post_tasks:
- name: Touching run file that ansible has ran here - name: Touching run file that ansible has ran here
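Review bot: The two new user files referenced by this play appear to be swapped: `vars_files` loads `vars/rabbitmq_users.yml` (line 40), but in this commit that path holds a task list, while `tasks/rabbitmq/users.yml`, imported by the "Run rabbitmq users" task, holds the `rabbitmq_users:` variable mapping; as written the play fails at `vars_files` (a list is not a variable mapping) and the import would fail on a mapping where a task list is expected. Swapping the two files' contents, or their paths here, fixes both. Separately, the users task is tagged `vhosts`, which looks copied from the vhost task; `- users` is presumably intended so `--tags users` can target it. The `Install centos rabbitmq` task uses the short `yum:` name while every other task in the play uses an FQCN; `ansible.builtin.yum:` keeps it consistent.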


@ -18,13 +18,13 @@
- packages - packages
- name: Download the bugtracker - name: Download the bugtracker
get_url: ansible.builtin.get_url:
url: "http://downloads.sourceforge.net/mantisbt/mantisbt-{{ mantis_version }}.tar.gz" url: "http://downloads.sourceforge.net/mantisbt/mantisbt-{{ mantis_version }}.tar.gz"
dest: "/tmp/mantisbt-{{ mantis_version }}.tar.gz" dest: "/tmp/mantisbt-{{ mantis_version }}.tar.gz"
checksum: "{{ mantis_checksum }}" checksum: "{{ mantis_checksum }}"
- name: Extract mantis - name: Extract mantis
unarchive: ansible.builtin.unarchive:
src: "/tmp/mantisbt-{{ mantis_version }}.tar.gz" src: "/tmp/mantisbt-{{ mantis_version }}.tar.gz"
dest: "/var/www" dest: "/var/www"
owner: apache owner: apache
@ -33,7 +33,7 @@
remote_src: true remote_src: true
- name: Generate crypto salt - name: Generate crypto salt
shell: "set -o pipefail && cat /dev/urandom | head -c 64 | base64 --wrap=0" ansible.builtin.shell: "set -o pipefail && cat /dev/urandom | head -c 64 | base64 --wrap=0"
changed_when: "1 != 1" changed_when: "1 != 1"
register: cryptosalt_string register: cryptosalt_string
@ -57,7 +57,7 @@
- "custom_strings_inc.php" - "custom_strings_inc.php"
- name: Deploy plugins from Mantis GitHub - name: Deploy plugins from Mantis GitHub
git: ansible.builtin.git:
repo: "https://github.com/mantisbt-plugins/{{ item }}.git" repo: "https://github.com/mantisbt-plugins/{{ item }}.git"
dest: "/var/www/mantisbt-{{ mantis_version }}/plugins/{{ item }}" dest: "/var/www/mantisbt-{{ mantis_version }}/plugins/{{ item }}"
update: true update: true
@ -66,14 +66,14 @@
- Snippets - Snippets
- name: Deploy custom libravatar plugin - name: Deploy custom libravatar plugin
git: ansible.builtin.git:
repo: "https://github.com/nazunalika/mantisbt-libravatar.git" repo: "https://github.com/nazunalika/mantisbt-libravatar.git"
dest: "/var/www/mantisbt-{{ mantis_version }}/plugins/Libravatar" dest: "/var/www/mantisbt-{{ mantis_version }}/plugins/Libravatar"
update: true update: true
version: main version: main
- name: Deploy custom mattermost plugin - name: Deploy custom mattermost plugin
git: ansible.builtin.git:
repo: "https://github.com/nazunalika/mantisbt-mattermost.git" repo: "https://github.com/nazunalika/mantisbt-mattermost.git"
dest: "/var/www/mantisbt-{{ mantis_version }}/plugins/Mattermost" dest: "/var/www/mantisbt-{{ mantis_version }}/plugins/Mattermost"
update: true update: true
@ -107,5 +107,5 @@
# login_password: "{{ mantis_db_pass }}" # login_password: "{{ mantis_db_pass }}"
- name: Patch up some pages - name: Patch up some pages
import_tasks: mantispatch.yml ansible.builtin.import_tasks: mantispatch.yml
... ...

tasks/rabbitmq/rabbitmq.yml Normal file

@ -0,0 +1,111 @@
---
- name: Install RabbitMQ
ansible.builtin.dnf:
name: rabbitmq-server
state: present
- name: Enable SELinux boolean
ansible.posix.seboolean:
name: nis_enabled
persistent: true
state: true
- name: Deploy RabbitMQ configuration
ansible.builtin.template:
src: "etc/rabbitmq/{{ item }}.j2"
dest: "/etc/rabbitmq/{{ item }}"
owner: rabbitmq
group: rabbitmq
mode: '0644'
loop:
- rabbitmq.conf
- rabbitmq-env.conf
notify:
- restart_rabbitmq
- name: Deploy erlang cookie
ansible.builtin.copy:
owner: rabbitmq
group: rabbitmq
mode: '0600'
content: "{{ rabbitmq_cookie }}"
dest: "/var/lib/rabbitmq/.erlang.cookie"
notify:
- restart_rabbitmq
- name: Create systemd override for RabbitMQ
ansible.builtin.file:
path: /etc/systemd/system/rabbitmq-server.service.d
state: directory
owner: root
group: root
mode: '0755'
- name: Override nofile limit for RabbitMQ
ansible.builtin.copy:
dest: /etc/systemd/system/rabbitmq-server.service.d/99-override.conf
owner: root
group: root
mode: '0644'
content: |
[Service]
LimitNOFILE={{ rabbitmq_file_limit }}
# We are doing it the command line way
- name: Enable RabbitMQ Plugins
ansible.builtin.command: "rabbitmq-plugins enable {{ rabbitmq_plugins | join(' ') }}"
changed_when: "1 != 1"
- name: Ensure file ownership for plugins
ansible.builtin.file:
path: /etc/rabbitmq/enabled_plugins
owner: rabbitmq
group: rabbitmq
mode: '0644'
state: file
- name: Ensure file ownership for certificate
ansible.builtin.file:
path: "{{ item }}"
owner: rabbitmq
group: rabbitmq
mode: '0600'
state: file
loop:
- "{{ rabbitmq_tls_cert }}"
- "{{ rabbitmq_tls_key }}"
- name: Open applicable firewall rules
ansible.posix.firewalld:
port: "{{ item }}"
permanent: true
state: enabled
immediate: true
loop: "{{ rabbitmq_ports }}"
- name: Non-master nodes should wait for 001 to be up first
ansible.builtin.wait_for:
host: "{{ rabbitmq_cluster_list[0] }}"
port: '5672'
delay: '15'
connect_timeout: '10'
state: started
when: "'rabbitmq001' not in inventory_hostname"
- name: Ensure RabbitMQ is running
ansible.builtin.service:
name: rabbitmq-server
state: started
enabled: true
- name: Drop the admin password in a file if available
ansible.builtin.copy:
dest: /root/.rabbitmqpass
content: "{{ rabbitmq_admin_password }}"
mode: '0600'
owner: root
group: root
when: rabbitmq_admin_password is defined
tags:
- rabbitmq_cluster
...
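Review bot: The erlang cookie (`Deploy erlang cookie`) and the admin password (`Drop the admin password in a file if available`) are handed to `ansible.builtin.copy` as `content:` without `no_log: true`, so the secret is printed whenever the play runs with `--diff` and can surface in verbose task results; add `no_log: true` to both tasks. `Deploy RabbitMQ configuration` installs `rabbitmq.conf` with `mode: '0644'`, yet the rendered template contains the LDAP bind password (`auth_ldap.dn_lookup_bind.password`), leaving it readable by every local account; `mode: '0640'` with the existing `rabbitmq` owner and group is sufficient for the service. `Enable RabbitMQ Plugins` is pinned to `changed_when: "1 != 1"`, which hides whether a plugin was actually enabled and therefore whether the handler-driven restart is needed; registering the command output and deriving `changed_when` from it, or using the `community.rabbitmq.rabbitmq_plugin` module from the collection that `vhost.yml` already depends on, would report honestly.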

tasks/rabbitmq/users.yml Normal file

@ -0,0 +1,61 @@
---
rabbitmq_users:
- user: guest
state: absent
- user: rockyadmin
state: present
tags: "administrator"
permissions:
- vhost: /
configure_priv: ".*"
read_priv: ".*"
write_priv: ".*"
- vhost: pubsub
configure_priv: ".*"
read_priv: ".*"
write_priv: ".*"
- vhost: public_pubsub
configure_priv: ".*"
read_priv: ".*"
write_priv: ".*"
- vhost: mbs
configure_priv: ".*"
read_priv: ".*"
write_priv: ".*"
- vhost: distrobuild
configure_priv: ".*"
read_priv: ".*"
write_priv: ".*"
- vhost: odcs
configure_priv: ".*"
read_priv: ".*"
write_priv: ".*"
- user: mbs
state: present
configure_priv: ".*"
read_priv: ".*"
write_priv: ".*"
vhost: mbs
- user: distrobuild
state: present
configure_priv: ".*"
read_priv: ".*"
write_priv: ".*"
vhost: distrobuild
- user: rockymonitor
state: present
permissions:
- vhost: /
configure_priv: "^$"
read_priv: "^$"
write_priv: "^$"
- vhost: pubsub
configure_priv: "^$"
read_priv: "^$"
write_priv: "^$"
- vhost: public_pubsub
configure_priv: "^$"
read_priv: "^$"
write_priv: "^$"
tags: "monitoring"
...

tasks/rabbitmq/vhost.yml Normal file

@ -0,0 +1,22 @@
---
- name: Create virtual hosts
community.rabbitmq.rabbitmq_vhost:
name: "{{ item.vhost }}"
state: "{{ item.state }}"
loop: "{{ rabbitmq_vhosts }}"
tags:
- rabbitmq_cluster
- name: Manage virtual host policies
community.rabbitmq.rabbitmq_policy:
name: "{{ item.1.name }}"
apply_to: "{{ item.1.apply_to }}"
pattern: "{{ item.1.pattern }}"
tags: "{{ item.1.tags }}"
vhost: "{{ item.0.vhost }}"
state: present
loop: "{{ rabbitmq_vhosts | subelements('policy', 'skip_missing=True') }}"
when: item.0.state == 'present'
tags:
- rabbitmq_cluster
...
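Review bot: `subelements('policy', 'skip_missing=True')` passes the literal string `'skip_missing=True'` as the filter's third positional argument; it appears to work only because a non-empty string is truthy, so the keyword form `subelements('policy', skip_missing=True)` is what is meant and survives a change in the filter's positional arguments. The policy task also hardcodes `state: present` although every policy entry in `vars/rabbitmq_vhost.yml` carries its own `state`; `state: "{{ item.1.state | default('present') }}"` would honour the data and allow a single policy to be retired without removing the vhost.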


@ -0,0 +1,2 @@
NODENAME="{{ rabbitmq_cluster_name }}"
USE_LONGNAME="true"
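Review bot: `NODENAME="{{ rabbitmq_cluster_name }}"` sets the Erlang node name rather than the cluster name; if `rabbitmq_cluster_name` is one play-level value, every member would start with the same node name, which also cannot match the `rabbit@{{ mqsrv }}` entries that `rabbitmq.conf.j2` lists under `cluster_formation.classic_config.nodes`. Unless the variable is defined per host, `NODENAME="rabbit@{{ inventory_hostname }}"` is what the classic_config peer list expects (or omit the line and let the server derive it from the hostname, since `USE_LONGNAME="true"` is set); the cluster name itself is already carried by `cluster_name` in `rabbitmq.conf.j2`.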


@ -0,0 +1,53 @@
listeners.ssl.default = 5671
listeners.tcp.default = 5672
num_acceptors.tcp = 10
num_acceptors.ssl = 10
reverse_dns_lookups = true
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false
ssl_options.cacertfile = {{ rabbitmq_tls_ca_cert }}
ssl_options.certfile = {{ rabbitmq_tls_cert }}
ssl_options.keyfile = {{ rabbitmq_tls_key }}
# Authentication Backends
auth_backends.1.authn = ldap
auth_backends.1.authz = internal
auth_backends.2 = internal
auth_mechanisms.1 = PLAIN
auth_mechanisms.1 = EXTERNAL
auth_mechanisms.2 = PLAIN
auth_mechanisms.2 = EXTERNAL
ssl_cert_login_from = common_name
auth_ldap.dn_lookup_bind.user_dn = {{ rabbitmq_ldap_bind_dn }}
auth_ldap.dn_lookup_bind.password = {{ rabbitmq_ldap_bind_pw }}
auth_ldap.dn_lookup_attribute = uid
auth_ldap.dn_lookup_base = {{ rabbitmq_ldap_basedn }}
auth_ldap.port = 389
auth_ldap.connection_pool_size = 256
auth_ldap.idle_timeout = 120000
auth_ldap.use_starttls = true
{% for ldapsrv in rabbitmq_ldap_servers %}
auth_ldap.servers.{{ loop.index }} = {{ ldapsrv }}
{% endfor %}
cluster_name = {{ rabbitmq_cluster_name }}
password_hashing_module = rabbit_password_hashing_sha256
cluster_partition_handling = autoheal
cluster_formation.node_type = disc
cluster_formation.peer_discovery_backend = classic_config
product.name = RockyMQ!
product.version = 0.0.1
#disk_free_limit.relative = 2.0
disk_free_limit.absolute = 2GB
# Cluster Nodes
{% for mqsrv in rabbitmq_cluster_list %}
cluster_formation.classic_config.nodes.{{ loop.index }} = rabbit@{{ mqsrv }}
{% endfor %}
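Review bot: `auth_mechanisms.1` and `auth_mechanisms.2` are each assigned twice (`PLAIN` and then `EXTERNAL` for both indices); whichever assignment the config parser keeps, only one mechanism per index survives, so the intent of offering both is lost. Replace the four lines with `auth_mechanisms.1 = PLAIN` and `auth_mechanisms.2 = EXTERNAL`. The LDAP bind password is rendered in clear text (`auth_ldap.dn_lookup_bind.password`), so the mode the template task in `tasks/rabbitmq/rabbitmq.yml` applies to this file should not be world-readable. `auth_ldap.use_starttls = true` over port 389 is appropriate, but nothing here makes the StartTLS session verify the directory server's certificate; the LDAP plugin's `auth_ldap.ssl_options.*` keys (e.g. `verify = verify_peer` plus a CA file) cover that — confirm the option names against the installed release's documentation.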


@ -42,4 +42,15 @@ ipa_getcert_requested_hostnames:
postcmd: "/bin/systemctl restart rabbitmq-server" postcmd: "/bin/systemctl restart rabbitmq-server"
cnames: cnames:
- "rabbitmq-{{ rabbitmq_env }}.rockylinux.org" - "rabbitmq-{{ rabbitmq_env }}.rockylinux.org"
# Rabbitmq settings
rabbitmq_ports:
- 1883/tcp
- 4369/tcp
- 5671/tcp
- 5672/tcp
- 8883/tcp
- 15672/tcp
- 25672/tcp
- 35672-35682/tcp
... ...
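Review bot: `rabbitmq_ports` is applied as a flat loop by `ansible.posix.firewalld` in `tasks/rabbitmq/rabbitmq.yml` with no `source` or zone, so epmd (4369), inter-node (25672), CLI (35672-35682) and the management UI (15672) are opened to every source on the default zone alongside the client ports. Only 5671/5672 (and 1883/8883 if MQTT clients are external) normally need to be reachable by clients; the cluster-internal ports should be limited to the peers in `rabbitmq_cluster_list`, for example by splitting this into a client list and a cluster list and applying the latter as rich rules with a `source`. 15672 is also the plain-HTTP management listener; if the management plugin is part of `rabbitmq_plugins`, exposing only its TLS listener (typically 15671) would avoid credentials crossing the wire unencrypted.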

vars/rabbitmq_users.yml Normal file

@ -0,0 +1,35 @@
---
- name: Remove users from rabbitmq
community.rabbitmq.rabbitmq_user:
user: "{{ item.user }}"
state: absent
when: item.state == 'absent'
- name: Add and configure single vhost users
community.rabbitmq.rabbitmq_user:
user: "{{ item.user }}"
password: "{{ item.password|default(omit) }}"
update_password: "{{ item.update_password|default(omit) }}"
topic_permissions: "{{ item.topic_permissions|default(omit) }}"
configure_priv: "{{ item.configure_priv|default(omit) }}"
write_priv: "{{ item.write_priv|default(omit) }}"
read_priv: "{{ item.read_priv|default(omit) }}"
vhost: "{{ item.vhost }}"
tags: "{{ item.tags|default(omit) }}"
loop: "{{ rabbitmq_users }}"
when: item.vhost is defined
- name: Add and configure multi-vhost users
community.rabbitmq.rabbitmq_user:
user: "{{ item.user }}"
password: "{{ item.password|default(omit) }}"
update_password: "{{ item.update_password|default(omit) }}"
permissions: "{{ item.permissions }}"
topic_permissions: "{{ item.topic_permissions|default(omit) }}"
vhost: "{{ item.vhost }}"
tags: "{{ item.tags|default(omit) }}"
loop: "{{ rabbitmq_users }}"
when:
- item.vhost is not defined
- item.permissions is defined
...
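Review bot: `Remove users from rabbitmq` has `when: item.state == 'absent'` but no `loop:`, so `item` is undefined and the task errors on the first run; add `loop: "{{ rabbitmq_users }}"` as the other two tasks do. `Add and configure multi-vhost users` sets `vhost: "{{ item.vhost }}"` while its own `when` requires `item.vhost` to be undefined, so argument templating fails for exactly the items that reach the task; drop that line, since each `permissions` entry already carries its vhost. All three tasks iterate over entries that may contain `password`, and Ansible prints each loop item in the task result, so add `no_log: true` (or at minimum `loop_control: label: "{{ item.user }}"`) to keep credentials out of logs. This file is a task list yet it sits under `vars/` and is loaded via `vars_files` in the playbook; it belongs at `tasks/rabbitmq/users.yml`, whose current content is the variable data.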

vars/rabbitmq_vhost.yml Normal file

@ -0,0 +1,71 @@
---
rabbitmq_vhosts:
- vhost: pubsub
state: present
policy:
- name: HA
apply_to: queues
state: present
pattern: ".*"
tags:
ha-mode: 'all'
ha-sync-mode: 'automatic'
ha-sync-batch-size: '10000'
- name: pubsub_sweeper
apply_to: queues
state: present
pattern: ".*"
tags:
expires: '111600000'
max-length-bytes: '1073741824'
- vhost: public_pubsub
state: present
policy:
- name: sweeper
apply_to: queues
state: present
pattern: ".*"
tags:
expires: '3600000'
max-length-bytes: '52428800'
- vhost: mbs
state: present
policy:
- name: HA
apply_to: queues
state: present
pattern: ".*"
tags:
ha-mode: 'all'
ha-sync-mode: 'automatic'
ha-sync-batch-size: '10000'
- vhost: distrobuild
state: present
policy:
- name: HA
apply_to: queues
state: present
pattern: ".*"
tags:
ha-mode: 'all'
ha-sync-mode: 'automatic'
ha-sync-batch-size: '10000'
- vhost: odcs
state: present
policy:
- name: HA
apply_to: queues
state: present
pattern: ".*"
tags:
ha-mode: 'all'
ha-sync-mode: 'automatic'
ha-sync-batch-size: '10000'
- name: pubsub_sweeper
apply_to: queues
state: present
pattern: ".*"
tags:
expires: '111600000'
max-length-bytes: '1073741824'
...
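Review bot: The numeric policy arguments are quoted (`expires: '111600000'`, `max-length-bytes: '1073741824'`, `ha-sync-batch-size: '10000'`), and `community.rabbitmq.rabbitmq_policy` serialises the `tags` mapping to JSON, so they reach the broker as strings; RabbitMQ validates `expires` and `max-length-bytes` as integers and is likely to reject the policy — confirm by running the task and unquote them if so. The `HA` policies rely on classic mirrored queues (`ha-mode: 'all'`), which upstream deprecated in favour of quorum queues around the 3.8/3.9 series; with the commit installing the 3.9 release package, a comment recording the intended migration would help the next maintainer. Each policy's `state` key is ignored by the task in `tasks/rabbitmq/vhost.yml`, which hardcodes `state: present`.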