RabbitMQ near completion

2024-12-04 18:36:26 +00:00 · 2020-12-29 19:40:15 -07:00 · 2020-12-29 19:40:15 -07:00 · f1052e2e03
commit f1052e2e03
parent 596a19aca9
5 changed files with 80 additions and 5 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -17,6 +17,9 @@ rabbitmq_cluster_list:
  - rabbitmq02.rockylinux.org
  - rabbitmq03.rockylinux.org
 rabbitmq_env: "default"
+rabbitmq_ldap_servers:
+  - ipa001.rockylinux.org
+  - ipa002.rockylinux.org

 # You can override this in your playbooks as well
 rabbitmq_plugins:
--- a/tasks/federation.yml
+++ b/tasks/federation.yml
@ -5,7 +5,7 @@
  run_once: true
  delegate_to: "{{ rabbitmq_cluster_list[0] }}"
  community.rabbitmq.rabbitmq_user:
-    user: "rockypublic"
+    user: rockypubsub
    permissions:
      - vhost:
        configure_priv: "^(\\w{8}(-\\w{4}){3}-\\w{12})$"
@ -40,7 +40,7 @@
  community.rabbitmq.rabbitmq_parameter:
    component: "federation-upstream"
    name: "pubsub-to-public_pubsub"
-    value: '{"uri": "amqps://pubsub_federation:@{{ rabbitmq_cluster_list[0]  }}/%2Fpubsub?cacertfile=%2Fetc%2Fipa%2Fca.crt&certfile=%2Fetc%2Frabbitmq%2Fpubsub_federation.pem&keyfile=%2Fetc%2Frabbitmq%2Fpubsub_federation.key&verify=verify_peer&fail_if_no_peer_cert=true&server_name_indication=disabled&auth_mechanism=external", "ack-mode": "on-confirm"}'
+    value: 'novalue'
    state: present
    vhost: /public_pubsub
  when: rabbitmq_enable_public
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -8,6 +8,10 @@
 - name: Deploy RabbitMQ configuration
  template:
    src: "etc/rabbitmq/{{ item }}.j2"
+    dest: "etc/rabbitmq/{{ item }}"
+    owner: rabbitmq
+    group: rabbitmq
+    mode: '0644'

 - name: Deploy erlang cookie
  copy:
@ -23,10 +27,16 @@
  file:
    path: /etc/systemd/system/rabbitmq-server.service.d
    state: directory
+    owner: root
+    group: root
+    mode: '0755'

 - name: Override nofile limit for RabbitMQ
  copy:
    dest: /etc/systemd/system/rabbitmq-server.service.d/99-override.conf
+    owner: root
+    group: root
+    mode: '0644'
    content: |
      [Service]
      LimitNOFILE={{ rabbitmq_cluster_file_limit }}
@ -36,6 +46,22 @@
    names: "{{ rabbitmq_plugins | join(',') }}"
    state: enabled

+- name: Open applicable firewall rules
+  ansible.posix.firewalld:
+    port: "{{ item }}"
+    permanent: true
+    state: enabled
+    immediate: true
+  loop:
+    - 1883/tcp
+    - 4369/tcp
+    - 5671/tcp
+    - 5672/tcp
+    - 8883/tcp
+    - 15672/tcp
+    - 25672/tcp
+    - 35672-35682/tcp
+
 - name: Ensure RabbitMQ is running
  service:
    name: rabbitmq-server
--- a/tasks/users.yml
+++ b/tasks/users.yml
@ -13,9 +13,9 @@
    user: rockyadmin
    password: "{{ rabbitmq_admin_password }}"
    vhost: "{{ item }}"
-    configure_priv: .*
-    read_priv: .*
-    write_priv: .*
+    configure_priv: ".*"
+    read_priv: ".*"
+    write_priv: ".*"
    tags: administrator
  when: inventory_hostname.startswith('rabbitmq01')
  with_items:
--- a/templates/etc/rabbitmq/rabbitmq.conf.j2
+++ b/templates/etc/rabbitmq/rabbitmq.conf.j2
@ -0,0 +1,46 @@
+listeners.ssl.default = 5671
+listeners.tcp.default = 5672
+
+num_acceptors.tcp = 10
+num_acceptors.ssl = 10
+
+reverse_dns_lookups = true
+
+rabbitmq_tls_ca_cert: "/etc/pki/tls/certs/ca-bundle.crt"
+rabbitmq_tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn  }}.crt"
+rabbitmq_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn  }}.key"
+
+ssl_options.verify               = verify_peer
+ssl_options.fail_if_no_peer_cert = false
+ssl_options.cacertfile           = {{ rabbitmq_tls_ca_cert }}
+ssl_options.certfile             = {{ rabbitmq_tls_cert }}
+ssl_options.keyfile              = {{ rabbitmq_tls_key }}
+
+# Authentication Backends
+auth_backends.1.authn = ldap
+auth_backends.1.authz = internal
+auth_backends.2       = internal
+auth_mechanisms.1     = PLAIN
+auth_mechanisms.2     = EXTERNAL
+auth_mechanisms.3     = AMQPLAIN
+
+ssl_cert_login_from   = common_name
+auth_ldap.dn_lookup_bind.user_dn  = {{ rocky_ldap_bind_dn }}
+auth_ldap.dn_lookup_bind.password = {{ rocky_ldap_bind_pw }}
+auth_ldap.dn_lookup_attribute     = uid
+auth_ldap.dn_lookup_base          = {{ rocky_ldap_account_basedn }}
+auth_ldap.port                    = 389
+{% for ldapsrv in rabbitmq_ldap_servers %}
+auth_ldap.servers.{{ loop.index }} = {{ ldapsrv }}
+{% endfor %}
+
+cluster_name = {{ rabbitmq_cluster_name }}
+password_hashing_module = rabbit_password_hashing_sha256
+
+uster_partition_handling    = autoheal
+cluster_formation.node_type = disc
+
+product.name    = RockyMQ!
+product.version = 0.0.1
+
+disk_free_limit.relative = 2.0