diff --git a/ansible/inventories/production/hosts.ini b/ansible/inventories/production/hosts.ini index 9fde623..0d3fe9a 100644 --- a/ansible/inventories/production/hosts.ini +++ b/ansible/inventories/production/hosts.ini 
@@ -19,61 +19,88 @@ ipa002.rockylinux.org ansible_host=10.100.1.111 ipa003.rockylinux.org ansible_host=10.100.1.112 [ipaclients] -build-a-box.rockylinux.org ansible_host=10.100.1.112 -idp001.rockylinux.org ansible_host=10.100.x.x -chrony001.rockylinux.org ansiblehost=10.100.3.110 -chrony002.rockylinux.org ansiblehost=10.200.3.111 -git.rockylinux.org ansible_host=10.100.1.113 +#chrony001.rockylinux.org ansiblehost=10.100.3.110 +#chrony002.rockylinux.org ansiblehost=10.200.3.111 +#git.rockylinux.org ansible_host=10.100.1.113 + +[ipaclients:children] +idp +sigul +mbs +koji +rabbitmq +bugtracker +monitoringservers +gitlabservers +matomo [idp] idp001.rockylinux.org ansible_host=10.100.x.x idp002.rockylinux.org ansible_host=10.100.x.x +[grafana] +grafana.rockylinux.org ansible_host=10.100.xx.xx + +[graylogservers] +graylog001.rockylinux.org ansible_host=10.100.xx.xx + +[monitoringservers:children] +grafana + [chronyservers] chrony001.rockylinux.org ansiblehost=10.100.3.110 chrony002.rockylinux.org ansiblehost=10.200.3.111 [gitlabservers] -git.rockylinux.org ansible_host=10.100.1.113 +git.rockylinux.org ansible_host=10.xx.xx.xx # Koji System - These names and IP's are not permanent as some machines can be # in a different location. 
This is the case with ppc64le +[buildsys:children] +koji +gitlabservers +bugtracker + [koji:children] kojihub kojid -mqtt +rabbitmq [kojihub] -koji.boxbuild.rockylinux.org ansible_host=10.100.1.200 +koji.rockylinux.org ansible_host=10.xx.xx.xx [kojid] -x86-01.boxbuild.rockylinux.org ansible_host=10.100.1.201 -x86-02.boxbuild.rockylinux.org ansible_host=10.100.1.202 -x86-repo.boxbuild.rockylinux.org ansible_host=10.100.1.203 -aarch64-01.boxbuild.rockylinux.org ansible_host=10.100.1.204 -aarch64-02.boxbuild.rockylinux.org ansible_host=10.100.1.205 -aarch64-03.boxbuild.rockylinux.org ansible_host=10.100.1.206 -aarch64-04.boxbuild.rockylinux.org ansible_host=10.100.1.207 -aarch64-05.boxbuild.rockylinux.org ansible_host=10.100.1.208 -aarch64-06.boxbuild.rockylinux.org ansible_host=10.100.1.209 -ppc64le-01.boxbuild.rockylinux.org ansible_host=10.100.1.210 -ppc64le-02.boxbuild.rockylinux.org ansible_host=10.100.1.211 -ppc64le-03.boxbuild.rockylinux.org ansible_host=10.100.1.212 - -[mqtt] -mqtt.boxbuild.rockylinux.org ansible_host=10.100.1.213 +x86build001.rockylinux.org ansible_host=10.100.xx.xx +x86build002.rockylinux.org ansible_host=10.100.xx.xx +x86build003.rockylinux.org ansible_host=10.100.xx.xx +aarch64build001.rockylinux.org ansible_host=10.100.xx.xx +aarch64build002.rockylinux.org ansible_host=10.100.xx.xx +aarch64build003.rockylinux.org ansible_host=10.100.xx.xx [rabbitmq] -rabbitmq01.rockylinux.org ansible_host=10.100.1.214 -rabbitmq02.rockylinux.org ansible_host=10.100.1.215 -rabbitmq03.rockylinux.org ansible_host=10.100.1.216 +rabbitmq001.rockylinux.org ansible_host=10.100.xx.xx +rabbitmq002.rockylinux.org ansible_host=10.100.xx.xx +rabbitmq003.rockylinux.org ansible_host=10.100.xx.xx [sigul:children] sigulbridge sigulserver [sigulbridge] -sigul-bridge.rockylinux.org ansible_host=10.100.1.217 +sigul001.rockylinux.org ansible_host=10.100.xx.xx [sigulserver] -sigul-server.rockylinux.org ansible_host=10.100.1.218 +sigul002.rockylinux.org 
ansible_host=10.100.xx.xx + +[mbs] +mbs001.rockylinux.org ansible_host=10.100.xx.xx +mbs002.rockylinux.org ansible_host=10.100.xx.xx + +[bugtracker] +bugs.rockylinux.org ansible_host=10.100.xx.xx + +[matterbridge] +matterbridge.rockylinux.org ansible_host=10.100.xx.xx + +[matomo] +matomo.rockylinux.org ansible_host=10.100.xx.xx diff --git a/ansible/playbooks/adhoc-rabbitmqqueue.yml b/ansible/playbooks/adhoc-rabbitmqqueue.yml index edd207a..5be4723 100644 --- a/ansible/playbooks/adhoc-rabbitmqqueue.yml +++ b/ansible/playbooks/adhoc-rabbitmqqueue.yml @@ -75,10 +75,13 @@ name: "amq.topic" destination: "{{ queue_name }}" destination_type: queue - routing_key: "{{ item }}" + routing_key: "{{ routing_item }}" vhost: "{{ vhost|default('/pubsub') }}" state: present login_user: admin login_password: "{{ rabbitmq_admin_password }}" + loop: "{{ routing_keys }}" + loop_control: + loop_var: routing_item tags: - rabbitmq diff --git a/ansible/playbooks/role-rocky-graylog.yml b/ansible/playbooks/role-rocky-graylog.yml new file mode 100644 index 0000000..e6e7cbe --- /dev/null +++ b/ansible/playbooks/role-rocky-graylog.yml 
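Review bot: `[ipaclients:children]` does not include `graylogservers` (and `[monitoringservers:children]` lists only `grafana`), yet role-rocky-graylog.yml in this same commit runs `rockylinux.ipagetcert` and creates an IPA DNS record against `graylogservers`, so whatever enrols `ipaclients` will skip the new host; add `graylogservers` under `[monitoringservers:children]` (or directly under `[ipaclients:children]`) if that is the intent. The `[chronyservers]` context lines still read `ansiblehost=` (missing underscore), so Ansible ignores the address, resolves the inventory name over DNS and silently sets an unused host variable; they should be `chrony001.rockylinux.org ansible_host=10.100.3.110` and `chrony002.rockylinux.org ansible_host=10.200.3.111`. The "Koji System" comment about ppc64le machines now sits above a `[kojid]` group from which every ppc64le builder was removed — trim it, or say the ppc64le hosts are pending.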
@@ -0,0 +1,65 @@ +--- +# Configure and setup graylog +# Reccommended specs +# CPU: 2 cores +# Memory: 4GB +# Storage: Yes +- name: Install Graylog + hosts: graylogservers + become: true + vars_files: + - vars/vaults/encpass.yml + - vars/graylog.yml + - vars/vaults/hostman.yml + + # This is to try to avoid the handler issue in pre/post tasks + handlers: + - import_tasks: handlers/main.yml + + pre_tasks: + - name: Check if ansible cannot be run here + stat: + path: /etc/no-ansible + register: no_ansible + + - name: Verify if we can run ansible + assert: + that: + - "not no_ansible.stat.exists" + success_msg: "We are able to run on this node" + fail_msg: "/etc/no-ansible exists - skipping run on this node" + + - name: Install SELinux packages + package: + name: python3-policycoreutils.noarch + state: present + + - name: "Creating DNS Record for ord-prod-graylog.rockylinux.org" + freeipa.ansible_freeipa.ipadnsrecord: + ipaadmin_principal: "{{ ipa_admin|default('admin') }}" + ipaadmin_password: "{{ ipaadmin_password }}" + zone_name: "{{ graylog_ipa_dnsrecord_zone_name }}" + name: "{{ graylog_ipa_dnsrecord_name }}" + record_type: "{{ graylog_ipa_dnsrecord_record_type }}" + record_value: "{{ graylog_ipa_dnsrecord_record_value }}" + state: "{{ graylog_ipa_dnsrecord_state }}" + + roles: + - role: rockylinux.ipagetcert + state: present + + post_tasks: + - name: Open firewalld ports + ansible.posix.firewalld: + port: "{{ item.port }}" + permanent: "{{ item.permanent }}" + state: "{{ item.state }}" + loop: "{{ graylog_server_firewall_rules }}" + + - name: Touching run file that ansible has ran here + file: + path: /var/log/ansible.run + state: touch + mode: '0644' + owner: root + group: root diff --git a/ansible/playbooks/role-rocky-node_exporter.yml b/ansible/playbooks/role-rocky-node_exporter.yml new file mode 100644 index 0000000..6e95cf1 --- /dev/null +++ b/ansible/playbooks/role-rocky-node_exporter.yml 
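Review bot: The `Open firewalld ports` task in `post_tasks` sets `permanent` from each rule item but never `immediate`, so on a host where firewalld is already running 9000/tcp and 1514/tcp+udp are written only to the permanent configuration and stay closed until a reload; add `immediate: true` next to `permanent: "{{ item.permanent }}"`. The DNS task is named for `ord-prod-graylog.rockylinux.org` while its values come from `graylog_ipa_dnsrecord_*`, so the log line will not describe what is created — use `name: "Creating DNS record {{ graylog_ipa_dnsrecord_name }}.{{ graylog_ipa_dnsrecord_zone_name }}"`. Opening 1514/udp means syslog arriving on it is plaintext and unauthenticated on the wire (UDP syslog cannot carry TLS); if the intent is TLS inputs, which the `graylog_tls_*` paths in vars/graylog.yml suggest, consider opening only 1514/tcp, or add a comment stating that the udp input is for trusted-segment sources only.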
@@ -0,0 +1,21 @@ +--- +- name: Install Prometheus Node Exporter + hosts: all + become: true + + pre_tasks: + - name: Install SELinux packages + package: + name: python3-policycoreutils.noarch + state: present + + roles: + - role: cloudalchemy.node-exporter + state: present + + post_tasks: + - name: Open firewall for node-exporter + ansible.posix.firewalld: + port: 9100/tcp + permanent: true + state: enabled diff --git a/ansible/playbooks/role-rocky-sigul-bridge.yml b/ansible/playbooks/role-rocky-sigul-bridge.yml index b22cd48..de26d7e 100644 --- a/ansible/playbooks/role-rocky-sigul-bridge.yml +++ b/ansible/playbooks/role-rocky-sigul-bridge.yml @@ -28,13 +28,13 @@ - name: Check for keytabs - sigul stat: path: /etc/sigul.keytab - register: sigul_keytab + register: sigul_keytab_register changed_when: "1 != 1" - name: Verify keytab assert: that: - - "sigul_keytab.stat.exists" + - "sigul_keytab_register.stat.exists" success_msg: "It is likely we have all keytabs" fail_msg: "There are no keytabs. Please build the keytabs." @@ -79,7 +79,7 @@ - name: Enable the sigul bridge systemd: name: sigul_bridge - state: running + state: restarted enabled: true - name: Touching run file that ansible has ran here diff --git a/ansible/playbooks/role-rocky-sigul-server.yml b/ansible/playbooks/role-rocky-sigul-server.yml index 00b064e..12a7e7b 100644 --- a/ansible/playbooks/role-rocky-sigul-server.yml +++ b/ansible/playbooks/role-rocky-sigul-server.yml @@ -66,7 +66,7 @@ - name: Enable the sigul server systemd: name: sigul_server - state: running + state: restarted enabled: true - name: Touching run file that ansible has ran here diff --git a/ansible/playbooks/tasks/koji_efs.yml b/ansible/playbooks/tasks/koji_efs.yml index 007d44a..de57bb7 100644 --- a/ansible/playbooks/tasks/koji_efs.yml +++ b/ansible/playbooks/tasks/koji_efs.yml 
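Review bot: The `post_tasks` firewalld rule opens 9100/tcp to every source on every host (`hosts: all`) and omits `immediate: true`, so the port is either closed until a firewalld reload or, after one, reachable by anything that can route to the host; node_exporter metrics reveal kernel version, mounted filesystems, interfaces and process counts, which is useful reconnaissance. Restrict the port to the Prometheus scraper's address(es) with a rich rule and apply it immediately, as sketched below (the allowed-source list is not defined anywhere in this commit and would need to live in group_vars). This playbook also lacks the `/etc/no-ansible` guard that role-rocky-graylog.yml carries in `pre_tasks`; with `hosts: all` that guard matters more, not less.
```yaml
  post_tasks:
    - name: Open firewall for node-exporter (scraper sources only)
      ansible.posix.firewalld:
        rich_rule: "rule family=ipv4 source address={{ item }} port port=9100 protocol=tcp accept"
        permanent: true
        immediate: true
        state: enabled
      loop: "{{ node_exporter_allowed_sources }}"
```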
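Review bot: `state: restarted` on the `Enable the sigul bridge` task makes the play non-idempotent — every run restarts sigul_bridge, dropping any signing sessions the bridge is brokering between clients and the server at that moment. `state: running` was not a valid value for the systemd module, so a change was needed, but the idempotent replacement is `state: started`; restarts on configuration or certificate changes belong in a handler (`notify: restart sigul_bridge`). The enclosing play continues outside this hunk.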
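Review bot: `state: restarted` for sigul_server restarts the key-holding signing server on every playbook run, which is disruptive for a service other hosts depend on and hides whether the unit was already healthy; use `state: started` here and move the restart into a handler triggered by config or certificate changes, as suggested for the bridge. The surrounding play is outside this hunk.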
@@ -10,6 +10,20 @@ - amazon_efs_utils - packages +- name: "Gathering ec2 facts" + amazon.aws.ec2_metadata_facts: + tags: + - mounts + +# "you can use /etc/hosts" https://github.com/aws/efs-utils/issues/1 +- name: "Install custom hosts file because ~~fml~~ amazon said so." + ansible.builtin.lineinfile: + path: /etc/hosts + line: "{{ koji_efs_fs_ip_map[ansible_ec2_placement_availability_zone] }} {{ koji_efs_fsid }}" + create: yes + tags: + - mounts + - name: "Creating and mounting {{ koji_efs_fsid }} at {{ koji_efs_mount_path }}" ansible.posix.mount: path: "{{ koji_efs_mount_path }}" diff --git a/ansible/playbooks/vars/buildsys.yml b/ansible/playbooks/vars/buildsys.yml new file mode 100644 index 0000000..ccb2f5f --- /dev/null +++ b/ansible/playbooks/vars/buildsys.yml @@ -0,0 +1,5 @@ +--- +# Build sys +smtp_user_name: "username" +smtp_user_pass: "password" +smtp_relayhost: "smtp.rockylinux.org" diff --git a/ansible/playbooks/vars/graylog.yml b/ansible/playbooks/vars/graylog.yml new file mode 100644 index 0000000..f8c3298 --- /dev/null +++ b/ansible/playbooks/vars/graylog.yml @@ -0,0 +1,31 @@ +--- +# graylog +graylog_server_firewall_rules: + - port: 9000/tcp + permanent: true + state: enabled + - port: 1514/tcp + permanent: true + state: enabled + - port: 1514/udp + permanent: true + state: enabled + +graylog_tls_ca_cert: "/etc/pki/tls/certs/ca-bundle.crt" +graylog_tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt" +graylog_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key" + +ipa_getcert_requested_hostnames: + - name: "{{ ansible_fqdn }}" + owner: graylog + key_location: "{{ monitoring_tls_key }}" + cert_location: "{{ monitoring_tls_cert }}" + postcmd: "/bin/systemctl restart graylog-server" + cnames: + - "graylog.rockylinux.org" + +graylog_ipa_dnsrecord_zone_name: rockylinux.org +graylog_ipa_dnsrecord_name: graylog +graylog_ipa_dnsrecord_record_type: CNAME +graylog_ipa_dnsrecord_record_value: graylog002.rockylinux.org. +graylog_ipa_dnsrecord_state: present 
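Review bot: The `lineinfile` task adds the EFS /etc/hosts entry with `line:` only and no `regexp:`, so if the availability zone or `koji_efs_fs_ip_map` ever changes a second line for the same `koji_efs_fsid` is appended while the old one stays first and keeps winning resolution; add `regexp: '\s{{ koji_efs_fsid | regex_escape }}$'` so the entry is replaced in place. Because this override bypasses DNS, the `tls` mount option kept in koji-common.yml is what still ties the mount to the intended file system (efs-utils, as I understand it, verifies the stunnel server certificate against the fsid name — worth confirming), so a comment above this task saying "do not drop `tls`; /etc/hosts override makes cert verification the only binding to the right mount target" would protect against a later simplification. Indexing the map with `ansible_ec2_placement_availability_zone` fails loudly for an unknown AZ, which is the right behaviour; `create: yes` should be `create: true`.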
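Review bot: `smtp_user_pass: "password"` places an SMTP credential slot in an unencrypted vars file: if the real value is meant to land here it will be committed in clear, and if it is meant to be overridden nothing says so. Follow the pattern the playbooks already use (`vars/vaults/encpass.yml`): keep `smtp_user_pass: "{{ vault_smtp_user_pass }}"` here with the secret in the vault, and put `no_log: true` on whichever task renders it. Whether the relay `smtp.rockylinux.org` is contacted over TLS is decided by the template that consumes these variables, which is not in this commit — confirm it enforces STARTTLS before a password is sent.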
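Review bot: `ipa_getcert_requested_hostnames` points `key_location`/`cert_location` at `monitoring_tls_key` and `monitoring_tls_cert`, which this file does not define (it defines `graylog_tls_key`/`graylog_tls_cert`), so the ipagetcert role will fail on an undefined variable or, if those names exist elsewhere, write Graylog's key into some other service's paths; use `key_location: "{{ graylog_tls_key }}"` and `cert_location: "{{ graylog_tls_cert }}"`. The CNAME target `graylog002.rockylinux.org.` also disagrees with the only host in `[graylogservers]` in hosts.ini (graylog001); verify which is intended. Nothing in this commit wires `graylog_tls_*` into Graylog's own listener configuration, so until that is done the 9000/tcp port opened by the playbook serves the web interface without TLS — worth a comment above these variables stating what consumes them.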
diff --git a/ansible/playbooks/vars/koji-common.yml b/ansible/playbooks/vars/koji-common.yml index 67f942d..a08c2df 100644 --- a/ansible/playbooks/vars/koji-common.yml +++ b/ansible/playbooks/vars/koji-common.yml @@ -2,7 +2,12 @@ # Koji common koji_efs_mount_path: /mnt/koji koji_efs_fsid: whatever.amazonaws.com +koji_efs_fs_ip_map: + us-east-2a: 10.x.x.x + us-east-2b: 10.x.x.x + us-east-2c: 10.x.x.x koji_efs_fs_type: efs koji_efs_fs_opts: + - _netdev - tls - iam diff --git a/ansible/playbooks/vars/matterbridge.yml b/ansible/playbooks/vars/matterbridge.yml new file mode 100644 index 0000000..d9c820b --- /dev/null +++ b/ansible/playbooks/vars/matterbridge.yml @@ -0,0 +1,16 @@ +--- +matterbridge_config: + binary_checksum: "0a321cbc90ba467d05c1bd5ec7a1c3b10fb2ba142710311b015f5e8235d39fe6" + version: 1.21.0 + +mbridge_bot_nick: rlf +mbridge_bridge_name: rlf +mbridge_irc_channel: '#irc' +mbridge_irc_ignore_nicks: +mbridge_irc_label: IRC +mbridge_irc_network_server: irc.freenode.net:6697 +mbridge_mattermost_channel: testing +mbridge_mattermost_ignore_nicks: +mbridge_mattermost_label: MM +mbridge_mattermost_server: ws.chat.rockylinux.org +mbridge_mattermost_team: rocky-linux diff --git a/ansible/playbooks/vars/sigul_bridge.yml b/ansible/playbooks/vars/sigul_bridge.yml index 1a17cc0..e483f5e 100644 --- a/ansible/playbooks/vars/sigul_bridge.yml +++ b/ansible/playbooks/vars/sigul_bridge.yml 
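Review bot: `mbridge_irc_ignore_nicks:` and `mbridge_mattermost_ignore_nicks:` are bare keys, which YAML loads as null rather than an empty string; if the role templates them straight into matterbridge's TOML, Jinja renders null as the literal text `None`, so write `mbridge_irc_ignore_nicks: ""` and `mbridge_mattermost_ignore_nicks: ""` for the empty value evidently intended. The IRC server is given as `irc.freenode.net:6697`, the TLS port, so make sure the role also sets matterbridge's `UseTLS=true` and leaves `SkipTLSVerify` unset — the port alone buys nothing; the template is not visible from this hunk. Pinning `binary_checksum` together with `version` is the right way to fetch the binary.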
@@ -3,13 +3,14 @@ sigul_type: bridge sigul_ipa_realm: "ROCKYLINUX.ORG" sigul_bridge_cert_nickname: "sigul-bridge" -sigul_principal: "sigul/{{ inventory_hostname }}@{{ sigul_ipa_realm }}" +sigul_principal: "sigul/sigul.rockylinux.org@{{ sigul_ipa_realm }}" sigul_keytab: /etc/sigul.keytab sigul_nss_dir: /etc/pki/tls/sigul # ipa-getcert variables -getcert_name: "{{ ansible_fqdn }}" -getcert_owner: sigul -getcert_nss_db_dir: "{{ sigul_nss_dir }}" -getcert_nss_nickname: "{{ sigul_bridge_cert_nickname }}" -getcert_nss: true +ipa_getcert_nss: true +ipa_getcert_requested_hostnames: + - name: "{{ ansible_fqdn }}" + owner: sigul + nss_db_dir: "{{ sigul_nss_dir }}" + nss_nickname: "{{ sigul_bridge_cert_nickname }}" diff --git a/ansible/playbooks/vars/sigul_server.yml b/ansible/playbooks/vars/sigul_server.yml index 5ecd243..5b2ef00 100644 --- a/ansible/playbooks/vars/sigul_server.yml +++ b/ansible/playbooks/vars/sigul_server.yml @@ -3,11 +3,12 @@ sigul_type: server sigul_server_cert_nickname: "sigul-server" sigul_nss_dir: /etc/pki/tls/sigul -sigul_bridge_name: "sigul-bridge.rockylinux.org" +sigul_bridge_name: "" # ipa-getcert variables -getcert_name: "{{ ansible_fqdn }}" -getcert_owner: sigul -getcert_nss_db_dir: "{{ sigul_nss_dir }}" -getcert_nss_nickname: "{{ sigul_bridge_cert_nickname }}" -getcert_nss: true +ipa_getcert_nss: true +ipa_getcert_requested_hostnames: + - name: "{{ ansible_fqdn }}" + owner: sigul + nss_db_dir: "{{ sigul_nss_dir }}" + nss_nickname: "{{ sigul_server_cert_nickname }}"
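Review bot: `sigul_principal` now uses the fixed name `sigul.rockylinux.org`, but the certificate requested under `ipa_getcert_requested_hostnames` is for `{{ ansible_fqdn }}` only (sigul001 per hosts.ini), so a client configured to reach the bridge as sigul.rockylinux.org would, as far as I can tell from sigul's NSS hostname checking, see a certificate whose subject does not match; if that is the bridge's public name, request it as a SAN too, with `cnames:` / `  - "sigul.rockylinux.org"` as vars/graylog.yml does with the same role. Moving from a per-host to a shared principal also means the keytab check in role-rocky-sigul-bridge.yml must be fed a keytab for that shared principal rather than the host one — add a comment above `sigul_principal` saying where that keytab is provisioned.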
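Review bot: `sigul_bridge_name: ""` leaves the server without a bridge hostname; if the role templates this into `bridge-hostname` in server.conf the server cannot connect, and no host_vars override appears in this commit. Either set it to the name the bridge now uses for its principal in sigul_bridge.yml, `sigul_bridge_name: "sigul.rockylinux.org"`, or keep it empty and add `# set per host in host_vars; must match the subject of the bridge's certificate` above it, since the server validates the bridge certificate against this name (inferred from sigul's behaviour — confirm in the role). Correcting `nss_nickname` to `sigul_server_cert_nickname` is the right fix and is covered by the commit.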