RabbitMQ Almost Finished

defaults/main.yml

@@ -27,3 +27,10 @@ rabbitmq_plugins:
   - rabbitmq_mqtt
   - rabbitmq_federation
   - rabbitmq_federation_management
+
+# If you want monitoring, set these in your playbooks
+#rabbitmq_monitoring_username: mq-monitoring
+#rabbitmq_monitoring_password: NotASafePassword
+
+# Enable the public pubsub or not
+rabbitmq_enable_public: false

tasks/federation.yml

@@ -1 +1,59 @@
 ---
+# Create necessary federation pieces
+# This public user can write UUID objects and read anything else
+- name: Create a public access user
+  run_once: true
+  delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+  community.rabbitmq.rabbitmq_user:
+    user: "rockypublic"
+    permissions:
+      - vhost:
+        configure_priv: "^(\\w{8}(-\\w{4}){3}-\\w{12})$"
+        write_priv: "^(\\w{8}(-\\w{4}){3}-\\w{12})$"
+        read_priv: ".*"
+    state: present
+  tags:
+    - rabbitmq_cluster
+
+# You will need to address the certificates yourself. Right now we are trying
+# to figure out how to deal with SNI using FreeIPA.
+# /etc/rabbitmq/pubsub_federation.pem
+# /etc/rabbitmq/pubsub_federation.key
+
+- name: Create a federation user
+  run_once: true
+  delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+  community.rabbitmq.rabbitmq_user:
+    user: pubsub_federation
+    permissions:
+      - vhost: /pubsub
+        configure_priv: "^federation.*"
+        write_priv: "^federation.*"
+        read_priv: ".*"
+    state: present
+  tags:
+    - rabbitmq_cluster
+
+- name: Configure Federation Upstream from pubsub to public
+  run_once: true
+  delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+  community.rabbitmq.rabbitmq_parameter:
+    component: "federation-upstream"
+    name: "pubsub-to-public_pubsub"
+    value: '{"uri": "amqps://pubsub_federation:@{{ rabbitmq_cluster_list[0]  }}/%2Fpubsub?cacertfile=%2Fetc%2Fipa%2Fca.crt&certfile=%2Fetc%2Frabbitmq%2Fpubsub_federation.pem&keyfile=%2Fetc%2Frabbitmq%2Fpubsub_federation.key&verify=verify_peer&fail_if_no_peer_cert=true&server_name_indication=disabled&auth_mechanism=external", "ack-mode": "on-confirm"}'
+    state: present
+    vhost: /public_pubsub
+  when: rabbitmq_enable_public
+
+- name: Configure a policy to federate the topic exchange to public
+  run_once: true
+  delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+  community.rabbitmq.rabbitmq_policy:
+    apply_to: exchanges
+    name: pubsub-to-public_pubsub
+    state: present
+    pattern: "^(amq|zmq)\\.topic$"
+    tags:
+      federation-upstream: "pubsub-to-public_pubsub"
+    vhost: /public_pubsub
+  when: rabbitmq_enable_public

tasks/main.yml

@@ -36,12 +36,18 @@
     names: "{{ rabbitmq_plugins | join(',') }}"
     state: enabled
 
-- name: Users Tasks
+- name: Ensure RabbitMQ is running
-  include_tasks: users.yml
+  service:
+    name: rabbitmq-server
+    state: started
+    enabled: true
 
 - name: Vhost tasks
   include_tasks: vhosts.yml
 
+- name: Users Tasks
+  include_tasks: users.yml
+
 - name: Topic Tasks
   include_tasks: topics.yml
 

tasks/topics.yml

@@ -1 +1,39 @@
 ---
+# Create our topics
+- name: Create the zmq.topic exchange in the pubsub vhost
+  run_once: true
+  delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+  community.rabbitmq.rabbitmq_exchange:
+    name: "zmq.topic"
+    exchange_type: "topic"
+    vhost: "/pubsub"
+    login_user: admin
+    login_password: "{{ rabbitmq_admin_password }}"
+  tags:
+    - rabbitmq_cluster
+
+- name: Create the zmq.topic exchange in the public pubsub vhost
+  run_once: true
+  delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+  community.rabbitmq.rabbitmq_exchange:
+    name: "zmq.topic"
+    exchange_type: "topic"
+    vhost: "/public_pubsub"
+    login_user: admin
+    login_password: "{{ rabbitmq_admin_password }}"
+  tags:
+    - rabbitmq_cluster
+
+- name: Forward all zmq.topic and amq.topic in public_pubsub
+  run_once: true
+  delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+  community.rabbitmq.rabbitmq_binding:
+    destination_type: exchange
+    name: zmq.topic
+    dest: amq.topic
+    routing_key: "#"
+    vhost: "/public_pubsub"
+    login_user: admin
+    login_password: "{{ rabbitmq_admin_password }}"
+  tags:
+    - rabbitmq_cluster

tasks/users.yml

@@ -1 +1,61 @@
 ---
+# No guest users
+- name: Remove guest user
+  community.rabbitmq.rabbitmq_user:
+    user: guest
+    state: absent
+  tags:
+    - rabbitmq_cluster
+
+# Add the admin user
+- name: Create the admin user for our vhosts
+  community.rabbitmq.rabbitmq_user:
+    user: rockyadmin
+    password: "{{ rabbitmq_admin_password }}"
+    vhost: "{{ item }}"
+    configure_priv: .*
+    read_priv: .*
+    write_priv: .*
+    tags: administrator
+  when: inventory_hostname.startswith('rabbitmq01')
+  with_items:
+    - /
+    - /pubsub
+    - /public_pubsub
+  tags:
+    - rabbitmq_cluster
+
+- name: Drop the admin password in a file for admin operations
+  copy:
+    dest: /root/.rabbitmqpass
+    content: "{{ rabbitmq_admin_password }}"
+    mode: '0600'
+    owner: root
+    group: root
+  tags:
+    - rabbitmq_cluster
+
+# Create a monitoring user as long as the vars are set
+- name: Create monitoring user
+  community.rabbitmq.rabbitmq_user:
+    user: "{{ rabbitmq_monitoring_username }}"
+    password: "{{ rabbitmq_monitoring_password }}"
+    update_password: always
+    permissions:
+      - vhost: /
+        configure_priv: "^$"
+        read_priv: "^$"
+        write_priv: "^$"
+      - vhost: /pubsub
+        configure_priv: "^$"
+        read_priv: "^$"
+        write_priv: "^$"
+      - vhost: /public_pubsub
+        configure_priv: "^$"
+        read_priv: "^$"
+        write_priv: "^$"
+    tags: monitoring
+  when:
+    - inventory_hostname.startswith('rabbitmq01')
+    - rabbitmq_monitoring_username
+    - rabbitmq_monitoring_password

tasks/vhosts.yml

@@ -1 +1,60 @@
 ---
+# Create vhosts
+- name: Configure pubsub virtual host
+  community.rabbitmq.rabbitmq_vhost:
+    name: /pubsub
+    state: present
+  tags:
+    - rabbitmq_cluster
+
+- name: Configure publicly accessible vhost
+  run_once: true
+  delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+  community.rabbitmq.rabbitmq_vhost:
+    name: /public_pubsub
+    state: present
+  tags:
+    - rabbitmq_cluster
+
+- name: Configure the HA policy for pubsub
+  community.rabbitmq.rabbitmq_policy:
+    name: HA
+    apply_to: queues
+    pattern: ".*"
+    tags:
+      ha-mode: all
+      ha-sync-mode: automatic
+      ha-sync-batch-size: 10000
+    vhost: /pubsub
+  tags:
+    - rabbitmq_cluster
+
+- name: Add a policy to limit queues to 1GB and sweep after a month
+  run_once: true
+  delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+  community.rabbitmq.rabbitmq_policy:
+    apply_to: queues
+    name: pubsub_sweeper
+    state: present
+    pattern: ".*"
+    tags:
+      expires: 111600000
+      max-length-bytes: 1073741824
+    vhost: /pubsub
+  tags:
+    - rabbitmq_cluster
+
+- name: Add a policy to keep the public vhost swept
+  run_once: true
+  delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+  community.rabbitmq.rabbitmq_policy:
+    apply_to: queues
+    name: sweeper
+    state: present
+    pattern: ".*"
+    tags:
+      expires: 3600000
+      max-length-bytes: 52428800
+    vhost: /public_pubsub
+  tags:
+    - rabbitmq_cluster