mirror of
https://github.com/rocky-linux/ansible-role-rabbitmq.git
synced 2024-12-04 18:36:26 +00:00
RabbitMQ near completion
parent
596a19aca9
commit
f1052e2e03
@ -17,6 +17,9 @@ rabbitmq_cluster_list:
|
||||
- rabbitmq02.rockylinux.org
|
||||
- rabbitmq03.rockylinux.org
|
||||
rabbitmq_env: "default"
|
||||
rabbitmq_ldap_servers:
|
||||
- ipa001.rockylinux.org
|
||||
- ipa002.rockylinux.org
|
||||
|
||||
# You can override this in your playbooks as well
|
||||
rabbitmq_plugins:
|
||||
|
@ -5,7 +5,7 @@
|
||||
run_once: true
|
||||
delegate_to: "{{ rabbitmq_cluster_list[0] }}"
|
||||
community.rabbitmq.rabbitmq_user:
|
||||
user: "rockypublic"
|
||||
user: rockypubsub
|
||||
permissions:
|
||||
- vhost:
|
||||
configure_priv: "^(\\w{8}(-\\w{4}){3}-\\w{12})$"
|
||||
@ -40,7 +40,7 @@
|
||||
community.rabbitmq.rabbitmq_parameter:
|
||||
component: "federation-upstream"
|
||||
name: "pubsub-to-public_pubsub"
|
||||
value: '{"uri": "amqps://pubsub_federation:@{{ rabbitmq_cluster_list[0] }}/%2Fpubsub?cacertfile=%2Fetc%2Fipa%2Fca.crt&certfile=%2Fetc%2Frabbitmq%2Fpubsub_federation.pem&keyfile=%2Fetc%2Frabbitmq%2Fpubsub_federation.key&verify=verify_peer&fail_if_no_peer_cert=true&server_name_indication=disabled&auth_mechanism=external", "ack-mode": "on-confirm"}'
|
||||
value: 'novalue'
|
||||
state: present
|
||||
vhost: /public_pubsub
|
||||
when: rabbitmq_enable_public
|
||||
|
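Review bot: `value: 'novalue'` is not a JSON upstream definition, so if it is the new side of this change (the rendered page has lost its +/- markers, so this is inferred) the `pubsub-to-public_pubsub` federation-upstream parameter would be rejected or left unusable whenever `rabbitmq_enable_public` is true. A placeholder is safer expressed by disabling the task than by a dummy value. If the `amqps://` URI is instead the line being kept, note that `server_name_indication=disabled` means, as I understand the Erlang TLS client, that the upstream certificate is validated against the CA but not against the host name. Dropping that parameter, or setting it to the upstream's certificate name, would restore the host name check next to `verify=verify_peer`.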
@ -8,6 +8,10 @@
|
||||
- name: Deploy RabbitMQ configuration
|
||||
template:
|
||||
src: "etc/rabbitmq/{{ item }}.j2"
|
||||
dest: "etc/rabbitmq/{{ item }}"
|
||||
owner: rabbitmq
|
||||
group: rabbitmq
|
||||
mode: '0644'
|
||||
|
||||
- name: Deploy erlang cookie
|
||||
copy:
|
||||
@ -23,10 +27,16 @@
|
||||
file:
|
||||
path: /etc/systemd/system/rabbitmq-server.service.d
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0755'
|
||||
|
||||
- name: Override nofile limit for RabbitMQ
|
||||
copy:
|
||||
dest: /etc/systemd/system/rabbitmq-server.service.d/99-override.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
content: |
|
||||
[Service]
|
||||
LimitNOFILE={{ rabbitmq_cluster_file_limit }}
|
||||
@ -36,6 +46,22 @@
|
||||
names: "{{ rabbitmq_plugins | join(',') }}"
|
||||
state: enabled
|
||||
|
||||
- name: Open applicable firewall rules
|
||||
ansible.posix.firewalld:
|
||||
port: "{{ item }}"
|
||||
permanent: true
|
||||
state: enabled
|
||||
immediate: true
|
||||
loop:
|
||||
- 1883/tcp
|
||||
- 4369/tcp
|
||||
- 5671/tcp
|
||||
- 5672/tcp
|
||||
- 8883/tcp
|
||||
- 15672/tcp
|
||||
- 25672/tcp
|
||||
- 35672-35682/tcp
|
||||
|
||||
- name: Ensure RabbitMQ is running
|
||||
service:
|
||||
name: rabbitmq-server
|
||||
|
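Review bot: `mode: '0644'` on the "Deploy RabbitMQ configuration" template leaves the rendered files world-readable, and the `rabbitmq.conf.j2` added in this commit writes `auth_ldap.dn_lookup_bind.password` into one of them (assuming it is among the looped items, which are outside the hunk). With `owner: rabbitmq` already set, `mode: '0600'` would keep the bind password readable only by the service account. `dest: "etc/rabbitmq/{{ item }}"` also has no leading slash, so it would be resolved relative to the remote working directory rather than `/etc/rabbitmq`; it should read `dest: "/etc/rabbitmq/{{ item }}"`. The task's loop and the rest of the play are not visible in this hunk.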
@ -13,9 +13,9 @@
|
||||
user: rockyadmin
|
||||
password: "{{ rabbitmq_admin_password }}"
|
||||
vhost: "{{ item }}"
|
||||
configure_priv: .*
|
||||
read_priv: .*
|
||||
write_priv: .*
|
||||
configure_priv: ".*"
|
||||
read_priv: ".*"
|
||||
write_priv: ".*"
|
||||
tags: administrator
|
||||
when: inventory_hostname.startswith('rabbitmq01')
|
||||
with_items:
|
||||
|
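--- a/templates/etc/rabbitmq/rabbitmq.conf.j2
+++ b/templates/etc/rabbitmq/rabbitmq.conf.j2
@@ -0,0 +1,46 @@
+listeners.ssl.default = 5671
+listeners.tcp.default = 5672
+
+num_acceptors.tcp = 10
+num_acceptors.ssl = 10
+
+reverse_dns_lookups = true
+
+rabbitmq_tls_ca_cert: "/etc/pki/tls/certs/ca-bundle.crt"
+rabbitmq_tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
+rabbitmq_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
+
+ssl_options.verify = verify_peer
+ssl_options.fail_if_no_peer_cert = false
+ssl_options.cacertfile = {{ rabbitmq_tls_ca_cert }}
+ssl_options.certfile = {{ rabbitmq_tls_cert }}
+ssl_options.keyfile = {{ rabbitmq_tls_key }}
+
+# Authentication Backends
+auth_backends.1.authn = ldap
+auth_backends.1.authz = internal
+auth_backends.2 = internal
+auth_mechanisms.1 = PLAIN
+auth_mechanisms.2 = EXTERNAL
+auth_mechanisms.3 = AMQPLAIN
+
+ssl_cert_login_from = common_name
+auth_ldap.dn_lookup_bind.user_dn = {{ rocky_ldap_bind_dn }}
+auth_ldap.dn_lookup_bind.password = {{ rocky_ldap_bind_pw }}
+auth_ldap.dn_lookup_attribute = uid
+auth_ldap.dn_lookup_base = {{ rocky_ldap_account_basedn }}
+auth_ldap.port = 389
+{% for ldapsrv in rabbitmq_ldap_servers %}
+auth_ldap.servers.{{ loop.index }} = {{ ldapsrv }}
+{% endfor %}
+
+cluster_name = {{ rabbitmq_cluster_name }}
+password_hashing_module = rabbit_password_hashing_sha256
+
+uster_partition_handling = autoheal
+cluster_formation.node_type = disc
+
+product.name = RockyMQ!
+product.version = 0.0.1
+
+disk_free_limit.relative = 2.0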
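Review bot: `auth_ldap.port = 389` is set with no `auth_ldap.use_ssl` or `auth_ldap.use_starttls` line, so as written the lookup-bind password and the PLAIN/AMQPLAIN passwords that RabbitMQ passes to LDAP for authentication would cross the network unencrypted. I would use `auth_ldap.port = 636` with `auth_ldap.use_ssl = true`, or keep 389 and add `auth_ldap.use_starttls = true`. Two other lines look likely to make the broker reject the file: the key `uster_partition_handling` appears to have lost its leading `cl`, and the three `rabbitmq_tls_*: "..."` lines are YAML variable definitions rather than `key = value` settings, so they probably belong in the role defaults. It is also worth confirming that `ssl_options.fail_if_no_peer_cert = false` is intended alongside `auth_mechanisms.2 = EXTERNAL`, since clients without a certificate are still admitted on 5671 and `listeners.tcp.default = 5672` accepts password logins without TLS.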