commit
1a1aedf1b8
|
@ -1,3 +1,5 @@
|
|||
warn_list:
|
||||
- internal-error
|
||||
- syntax-check
|
||||
skip_list:
|
||||
- '204'
|
||||
|
|
|
@ -188,11 +188,19 @@ role-rocky-ipa-client.yml
|
|||
init-rocky-system-config.yml
|
||||
```
|
||||
|
||||
### Initializing a base system
|
||||
|
||||
```
|
||||
# All clients should be listed under [ipaclients]
|
||||
role-rocky-ipa-client.yml
|
||||
# All systems should be hardened
|
||||
init-rocky-system-config.yml
|
||||
```
|
||||
|
||||
## Current Set
|
||||
|
||||
```
|
||||
.
|
||||
├── README.md
|
||||
├── ansible.cfg
|
||||
├── collections
|
||||
│ └── Readme.md
|
||||
|
@ -231,6 +239,10 @@ init-rocky-system-config.yml
|
|||
│ └── hosts.ini
|
||||
├── playbooks
|
||||
│ ├── adhoc-facts-refresh.yml
|
||||
│ ├── adhoc-gitlab-creategroup.yml
|
||||
│ ├── adhoc-gitlab-createproject.yml
|
||||
│ ├── adhoc-gitlab-deletegroup.yml
|
||||
│ ├── adhoc-gitlab-deleteproject.yml
|
||||
│ ├── adhoc-ipabinder.yml
|
||||
│ ├── adhoc-ipadnsrecord.yml
|
||||
│ ├── adhoc-ipadnszone.yml
|
||||
|
@ -238,6 +250,7 @@ init-rocky-system-config.yml
|
|||
│ ├── adhoc-ipagetkeytab.yml
|
||||
│ ├── adhoc-ipagroup.yml
|
||||
│ ├── adhoc-ipaservice.yml
|
||||
│ ├── adhoc-ipauser-disable-pdr.yml
|
||||
│ ├── adhoc-ipauser-disable.yml
|
||||
│ ├── adhoc-ipauser-enable.yml
|
||||
│ ├── adhoc-ipauser.yml
|
||||
|
@ -255,8 +268,11 @@ init-rocky-system-config.yml
|
|||
│ │ │ │ ├── CentOS-7-system-auth-ac -> RedHat-7-system-auth-ac
|
||||
│ │ │ │ └── RedHat-7-system-auth-ac
|
||||
│ │ │ ├── rockybanner
|
||||
│ │ │ └── sudoers.d
|
||||
│ │ │ └── cis
|
||||
│ │ │ ├── sudoers.d
|
||||
│ │ │ │ └── cis
|
||||
│ │ │ └── systemd
|
||||
│ │ │ └── system
|
||||
│ │ │ └── noggin.service
|
||||
│ │ ├── tmp
|
||||
│ │ └── usr
|
||||
│ │ └── local
|
||||
|
@ -277,15 +293,22 @@ init-rocky-system-config.yml
|
|||
│ ├── init-rocky-install-kvm-hosts.yml
|
||||
│ ├── init-rocky-ipa-internal-dns.yml
|
||||
│ ├── init-rocky-ipa-team.yml
|
||||
│ ├── init-rocky-koji-ecosystem.yml
|
||||
│ ├── init-rocky-mantisbt.yml
|
||||
│ ├── init-rocky-noggin-theme.yml
|
||||
│ ├── init-rocky-noggin.yml
|
||||
│ ├── init-rocky-repo-servers.yml
|
||||
│ ├── init-rocky-system-config.yml
|
||||
│ ├── rocky-rocky-gitlab-ee.yml
|
||||
│ ├── role-rocky-gitlab-runner.yml
|
||||
│ ├── role-rocky-graylog.yml
|
||||
│ ├── role-rocky-ipa-client.yml
|
||||
│ ├── role-rocky-ipa-replica.yml
|
||||
│ ├── role-rocky-ipa.yml
|
||||
│ ├── role-rocky-ipsilon.yml
|
||||
│ ├── role-rocky-kojid-staging.yml
|
||||
│ ├── role-rocky-kojid.yml
|
||||
│ ├── role-rocky-kojihub-staging.yml
|
||||
│ ├── role-rocky-kojihub.yml
|
||||
│ ├── role-rocky-monitoring.yml
|
||||
│ ├── role-rocky-mqtt.yml
|
||||
|
@ -293,19 +316,27 @@ init-rocky-system-config.yml
|
|||
│ ├── role-rocky-rabbitmq.yml
|
||||
│ ├── role-rocky-sigul-bridge.yml
|
||||
│ ├── role-rocky-sigul-server.yml
|
||||
│ ├── role-rocky-wikijs.yml
|
||||
│ ├── tasks
|
||||
│ │ ├── account_services.yml
|
||||
│ │ ├── auditd.yml
|
||||
│ │ ├── authentication.yml
|
||||
│ │ ├── bugzilla_install.yml
|
||||
│ │ ├── bugzilla.yml
|
||||
│ │ ├── chrony.yml
|
||||
│ │ ├── gitlab-reconfigure.yml
|
||||
│ │ ├── gitlab-runner.yml
|
||||
│ │ ├── grub.yml
|
||||
│ │ ├── harden.yml
|
||||
│ │ ├── init-koji.yml
|
||||
│ │ ├── koji_efs.yml
|
||||
│ │ ├── main.yml
|
||||
│ │ ├── mantispatch.yml
|
||||
│ │ ├── mantis.yml
|
||||
│ │ ├── noggin.yml
|
||||
│ │ ├── postfix_relay.yml
|
||||
│ │ ├── rabbitmq-reconfigure.yml
|
||||
│ │ ├── repository.yml
|
||||
│ │ ├── scripts.yml
|
||||
│ │ ├── ssh_config.yml
|
||||
│ │ └── variable_loader_common.yml
|
||||
|
@ -319,6 +350,7 @@ init-rocky-system-config.yml
|
|||
│ │ │ │ └── rocky_gitlab.rb
|
||||
│ │ │ ├── httpd
|
||||
│ │ │ │ └── conf.d
|
||||
│ │ │ │ ├── bugzilla.conf.j2
|
||||
│ │ │ │ ├── id.conf.j2
|
||||
│ │ │ │ └── mantis.conf.j2
|
||||
│ │ │ ├── modprobe.d
|
||||
|
@ -338,25 +370,34 @@ init-rocky-system-config.yml
|
|||
│ │ │ │ └── RedHat-8-sshd_config.j2
|
||||
│ │ │ └── sssd
|
||||
│ │ ├── hidden
|
||||
│ │ │ ├── README.md
|
||||
│ │ │ └── home
|
||||
│ │ │ └── noggin
|
||||
│ │ │ └── noggin.cfg
|
||||
│ │ │ ├── home
|
||||
│ │ │ │ └── noggin
|
||||
│ │ │ │ └── noggin.cfg
|
||||
│ │ │ └── README.md
|
||||
│ │ ├── opt
|
||||
│ │ │ └── noggin
|
||||
│ │ │ ├── noggin.cfg
|
||||
│ │ │ └── start_noggin.sh.j2
|
||||
│ │ ├── tmp
|
||||
│ │ │ ├── binder_template.update
|
||||
│ │ │ ├── binder.update
|
||||
│ │ │ └── binder_template.update
|
||||
│ │ │ └── mantis_import.sql.j2
|
||||
│ │ └── var
|
||||
│ │ └── www
|
||||
│ │ ├── bugzilla
|
||||
│ │ │ ├── answer
|
||||
│ │ │ └── localconfig.j2
|
||||
│ │ └── mantis
|
||||
│ │ └── config
|
||||
│ │ └── config_inc.php.j2
|
||||
│ └── vars
|
||||
│ ├── CentOS.yml -> RedHat.yml
|
||||
│ ├── RedHat.yml
|
||||
│ ├── bugzilla.yml
|
||||
│ ├── buildsys.yml
|
||||
│ ├── chrony.yml
|
||||
│ ├── CentOS.yml -> RedHat.yml
|
||||
│ ├── chronyserver.yml
|
||||
│ ├── chrony.yml
|
||||
│ ├── common.yml
|
||||
│ ├── gitlab_runner.yml
|
||||
│ ├── gitlab.yml
|
||||
│ ├── graylog.yml
|
||||
│ ├── ipa
|
||||
|
@ -374,20 +415,28 @@ init-rocky-system-config.yml
|
|||
│ │ └── users.yml
|
||||
│ ├── ipaserver.yml
|
||||
│ ├── ipsilon.yml
|
||||
│ ├── koji-common.yml
|
||||
│ ├── kojid.yml
|
||||
│ ├── kojihub.yml
|
||||
│ ├── mantis.yml
|
||||
│ ├── matterbridge.yml
|
||||
│ ├── monitoring
|
||||
│ │ └── README.md
|
||||
│ ├── monitoring.yml
|
||||
│ ├── mqtt.yml
|
||||
│ ├── production
|
||||
│ │ ├── koji-common.yml
|
||||
│ │ ├── kojid.yml
|
||||
│ │ └── kojihub.yml
|
||||
│ ├── rabbitmq.yml
|
||||
│ ├── RedHat.yml
|
||||
│ ├── sigul_bridge.yml
|
||||
│ ├── sigul_server.yml
|
||||
│ └── vaults
|
||||
│ └── README.md
|
||||
│ ├── staging
|
||||
│ │ ├── koji-common.yml
|
||||
│ │ ├── kojid.yml
|
||||
│ │ └── kojihub.yml
|
||||
│ ├── vaults
|
||||
│ │ └── README.md
|
||||
│ └── wikijs.yml
|
||||
├── README.md
|
||||
├── roles
|
||||
│ ├── local
|
||||
│ │ └── Readme.md
|
||||
|
@ -398,7 +447,7 @@ init-rocky-system-config.yml
|
|||
├── tasks -> playbooks/tasks
|
||||
├── templates -> playbooks/templates
|
||||
├── tmp
|
||||
│ ├── Readme.md
|
||||
│ └── ansible.log
|
||||
│ ├── ansible.log
|
||||
│ └── Readme.md
|
||||
└── vars -> playbooks/vars
|
||||
```
|
||||
|
|
|
@ -34,7 +34,7 @@
|
|||
- users
|
||||
|
||||
- name: "Remove personal information attributes"
|
||||
community.general.ldap_attr:
|
||||
community.general.ldap_attrs:
|
||||
dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
|
||||
name: "{{ item }}"
|
||||
values: []
|
||||
|
@ -64,7 +64,7 @@
|
|||
- homePhone
|
||||
|
||||
- name: "Set FAS Status Note"
|
||||
community.general.ldap_attr:
|
||||
community.general.ldap_attrs:
|
||||
dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
|
||||
name: "fasStatusNote"
|
||||
values: "Account Disabled: {{ ticket_id }}"
|
||||
|
@ -74,7 +74,7 @@
|
|||
bind_pw: "{{ ipaadmin_password }}"
|
||||
|
||||
- name: "Set FAS Account Information to Private"
|
||||
community.general.ldap_attr:
|
||||
community.general.ldap_attrs:
|
||||
dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
|
||||
name: "fasisprivate"
|
||||
values: "TRUE"
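Review bot: `community.general.ldap_attrs` does not accept the `name`/`values` arguments carried over from `ldap_attr`, so the three renamed tasks (`Remove personal information attributes`, `Set FAS Status Note`, `Set FAS Account Information to Private`) will fail argument validation as written; `ldap_attrs` takes an `attributes` mapping plus `state`. For the removal task the equivalent is `attributes:` / `  "{{ item }}": []` / `state: exact`, and for the two set tasks `attributes:` / `  fasStatusNote: "Account Disabled: {{ ticket_id }}"` / `state: exact` (likewise `fasisprivate: "TRUE"`). The loop and `bind_dn` lines of these tasks lie outside the hunks, so the `{{ item }}` loop variable is assumed from what is visible.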
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
RedHat-8-system-auth
|
|
@ -5,7 +5,7 @@
|
|||
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||
name: "{{ item.group }}"
|
||||
minlife: "{{ item.minlife | default(0) }}"
|
||||
maxlife: "{{ item.maxlife | default(84) }}"
|
||||
maxlife: "{{ item.maxlife | default(0) }}"
|
||||
history: "{{ item.history | default(5) }}"
|
||||
priority: "{{ item.priority | default(1) }}"
|
||||
lockouttime: "{{ item.lockout | default(300) }}"
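Review bot: If `maxlife: "{{ item.maxlife | default(0) }}"` is the new side (the rendered diff loses the +/- markers, so I am going on print order), the fallback for groups that do not set `item.maxlife` becomes a maximum password lifetime of 0, which in the IPA password policy means passwords never expire — a weaker default than the previous 84 days. If that is intended it deserves a comment such as `# maxlife 0 = no expiry; groups that must rotate passwords set item.maxlife explicitly`; otherwise keep a finite default. The pwpolicy task header and its loop are outside the hunk.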
|
||||
|
|
|
@ -0,0 +1,40 @@
|
|||
---
|
||||
# Manage bootstrap hosts
|
||||
#
|
||||
- name: Manage and configure bootstrap hosts
|
||||
hosts: bootstrap_staging
|
||||
become: true
|
||||
vars_files:
|
||||
- vars/mounts/bootstrap_staging.yml
|
||||
|
||||
# This is to try to avoid the handler issue in pre/post tasks
|
||||
handlers:
|
||||
- import_tasks: handlers/main.yml
|
||||
|
||||
pre_tasks:
|
||||
- name: Check if ansible cannot be run here
|
||||
stat:
|
||||
path: /etc/no-ansible
|
||||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are able to run on this node"
|
||||
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||
|
||||
tasks:
|
||||
- include_tasks: tasks/efs_mount.yml
|
||||
loop: "{{ mounts }}"
|
||||
|
||||
- include_tasks: tasks/srpmproc.yml
|
||||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
owner: root
|
||||
group: root
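Review bot: `state: touch` in the `Touching run file that ansible has ran here` post task reports changed on every run, so this play never shows as idempotent; adding `modification_time: preserve` and `access_time: preserve` under the `file:` arguments makes the touch a no-op when the file already exists. The same post task is repeated verbatim in the pinnwand, repopool and srpmproc playbooks added by this commit. This play and the srpmproc play are otherwise identical apart from `hosts` and the mounts vars file, which is worth a line in the `# Manage bootstrap hosts` header so the two are kept in step.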
|
|
@ -30,9 +30,17 @@
|
|||
state: present
|
||||
|
||||
roles:
|
||||
- role: rockylinux.ipagetcert
|
||||
state: present
|
||||
when:
|
||||
- "not gitlab_create_self_signed_cert|bool"
|
||||
- "gitlab_ipa_cert|bool"
|
||||
|
||||
- role: geerlingguy.certbot
|
||||
state: present
|
||||
when: not gitlab_create_self_signed_cert
|
||||
when:
|
||||
- "not gitlab_create_self_signed_cert|bool"
|
||||
- "gitlab_certbot|bool"
|
||||
|
||||
- role: geerlingguy.gitlab
|
||||
state: present
|
|
@ -37,8 +37,8 @@
|
|||
state: present
|
||||
|
||||
roles:
|
||||
- role: rockylinux.ipagetcert
|
||||
state: present
|
||||
#- role: rockylinux.ipagetcert
|
||||
# state: present
|
||||
- role: cloudalchemy.prometheus
|
||||
state: present
|
||||
- role: cloudalchemy.alertmanager
|
||||
|
@ -61,24 +61,3 @@
|
|||
mode: '0644'
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Install Prometheus Node Exporter
|
||||
hosts: all
|
||||
become: true
|
||||
|
||||
pre_tasks:
|
||||
- name: Install SELinux packages
|
||||
package:
|
||||
name: python3-policycoreutils.noarch
|
||||
state: present
|
||||
|
||||
roles:
|
||||
- role: cloudalchemy.node-exporter
|
||||
state: present
|
||||
|
||||
post_tasks:
|
||||
- name: Open firewall for node-exporter
|
||||
ansible.posix.firewalld:
|
||||
port: 9100/tcp
|
||||
permanent: true
|
||||
state: enabled
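Review bot: `#- role: rockylinux.ipagetcert` / `# state: present` leaves dead configuration in the `roles:` list instead of deleting it; git history keeps the old entry, so either drop the two lines or replace them with a one-line comment saying why the cert request is disabled on the monitoring host (`# ipagetcert disabled: <reason>`). The removed `Install Prometheus Node Exporter` play also opened `9100/tcp`; if node-exporter now comes from another play, confirm the firewall rule moved with it, since only the pinnwand vars in this commit visibly open that port.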
|
||||
|
|
|
@ -0,0 +1,66 @@
|
|||
---
|
||||
# pinnwand
|
||||
- name: Install pinnwand
|
||||
hosts: pinnwand
|
||||
become: true
|
||||
vars_files:
|
||||
- vars/vaults/hostman.yml
|
||||
- vars/vaults/pinnwand.yml
|
||||
- vars/pinnwand.yml
|
||||
|
||||
# This is to try to avoid the handler issue in pre/post tasks
|
||||
handlers:
|
||||
- import_tasks: handlers/main.yml
|
||||
|
||||
pre_tasks:
|
||||
- name: Check if ansible cannot be run here
|
||||
stat:
|
||||
path: /etc/no-ansible
|
||||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are able to run on this node"
|
||||
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||
|
||||
- name: Install SELinux packages
|
||||
package:
|
||||
name: python3-policycoreutils.noarch
|
||||
state: present
|
||||
|
||||
tasks:
|
||||
#- include_tasks: tasks/pinnwand.yml
|
||||
# tags: ['includetasks']
|
||||
|
||||
roles:
|
||||
- role: rockylinux.ipagetcert
|
||||
state: present
|
||||
tags: ['certs']
|
||||
|
||||
- role: rockylinux.pinnwand
|
||||
state: present
|
||||
tags: ['role_pinnwand']
|
||||
|
||||
# Define variables in vars/matomo/nginx.yml
|
||||
- role: nginxinc.nginx_core.nginx
|
||||
tags: ['nginx']
|
||||
#- role: nginxinc.nginx_core.nginx_config
|
||||
# tags: ['nginx']
|
||||
|
||||
post_tasks:
|
||||
- name: Open firewalld ports
|
||||
ansible.posix.firewalld:
|
||||
port: "{{ item.port }}"
|
||||
permanent: "{{ item.permanent | default(yes) }}"
|
||||
state: "{{ item.state | default(present) }}"
|
||||
loop: "{{ firewall_rules }}"
|
||||
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
owner: root
|
||||
group: root
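Review bot: `default(yes)` and `default(present)` in the `Open firewalld ports` post task pass bare Jinja names, not literals: inside `{{ }}` `yes` and `present` are undefined variables, so any `firewall_rules` entry that omits `permanent` or `state` gets an undefined value rather than a fallback. Use `permanent: "{{ item.permanent | default(true) }}"` and `state: "{{ item.state | default('enabled') }}"` (`enabled` is the firewalld state for port rules; `present`/`absent` apply only to zone operations). The comment `# Define variables in vars/matomo/nginx.yml` above the nginx role looks copied from another playbook — this play loads `vars/pinnwand.yml`, so the comment should point there or be dropped.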
|
|
@ -0,0 +1,41 @@
|
|||
---
|
||||
# Configures an instance to function as a HTTP serving member of repopool
|
||||
- name: Configure Repo Pool hosts
|
||||
hosts: repopool
|
||||
become: true
|
||||
vars_files:
|
||||
- vars/vaults/encpass.yml
|
||||
- vars/common.yml
|
||||
- vars/mounts/repopool.yml
|
||||
|
||||
# This is to try to avoid the handler issue in pre/post tasks
|
||||
handlers:
|
||||
- import_tasks: handlers/main.yml
|
||||
|
||||
pre_tasks:
|
||||
- name: Check if ansible cannot be run here
|
||||
stat:
|
||||
path: /etc/no-ansible
|
||||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are able to run on this node"
|
||||
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||
|
||||
tasks:
|
||||
- name: "Setup shared filesystem mount"
|
||||
include_tasks: tasks/efs_mount.yml
|
||||
with_items: "{{ mounts }}"
|
||||
tags: ["koji_efs_mount"]
|
||||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
owner: root
|
||||
group: root
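Review bot: The `Setup shared filesystem mount` task uses `with_items: "{{ mounts }}"` while the bootstrap and srpmproc playbooks in this commit loop the same `tasks/efs_mount.yml` with `loop: "{{ mounts }}"`; pick one form (`loop:` is the current idiom) so the three plays stay diffable. The tag `koji_efs_mount` on a repopool play reads like a copy-paste from the koji playbook; `repopool_efs_mount` or a plain `efs_mount` would describe what it tags.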
|
|
@ -0,0 +1,40 @@
|
|||
---
|
||||
# Manage srpmproc
|
||||
#
|
||||
- name: Manage and configure srpmproc
|
||||
hosts: srpmproc
|
||||
become: true
|
||||
vars_files:
|
||||
- vars/mounts/srpmproc.yml
|
||||
|
||||
# This is to try to avoid the handler issue in pre/post tasks
|
||||
handlers:
|
||||
- import_tasks: handlers/main.yml
|
||||
|
||||
pre_tasks:
|
||||
- name: Check if ansible cannot be run here
|
||||
stat:
|
||||
path: /etc/no-ansible
|
||||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are able to run on this node"
|
||||
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||
|
||||
tasks:
|
||||
- include_tasks: tasks/efs_mount.yml
|
||||
loop: "{{ mounts }}"
|
||||
|
||||
- include_tasks: tasks/srpmproc.yml
|
||||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
owner: root
|
||||
group: root
|
|
@ -0,0 +1,46 @@
|
|||
---
|
||||
# Requires amazon-efs-utils; included, but should probably be split out?
|
||||
#
|
||||
|
||||
- name: "Installing amazon-efs-utils"
|
||||
become: yes
|
||||
become_user: root
|
||||
yum:
|
||||
name: 'https://git.rockylinux.org/neil/efs-utils/-/jobs/5/artifacts/raw/build/amazon-efs-utils-1.30.1-1.el8.noarch.rpm?inline=false'
|
||||
disable_gpg_check: yes
|
||||
validate_certs: yes
|
||||
state: present
|
||||
tags:
|
||||
- amazon_efs_utils
|
||||
- packages
|
||||
- mounts
|
||||
|
||||
|
||||
- name: "Gathering ec2 facts"
|
||||
amazon.aws.ec2_metadata_facts:
|
||||
tags:
|
||||
- mounts
|
||||
|
||||
# "you can use /etc/hosts" https://github.com/aws/efs-utils/issues/1
|
||||
- name: "Install custom hosts file because fmlC-w amazon said so."
|
||||
become: yes
|
||||
become_user: root
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/hosts
|
||||
line: "{{ item.ip_map[ansible_ec2_placement_availability_zone] }} {{ item.fsid }}.efs.{{ ansible_ec2_placement_region }}.amazonaws.com"
|
||||
create: yes
|
||||
tags:
|
||||
- mounts
|
||||
|
||||
|
||||
- name: "Creating and mounting {{ item.fsid }} at {{ item.mount_point }}"
|
||||
become: yes
|
||||
become_user: root
|
||||
ansible.posix.mount:
|
||||
path: "{{ item.mount_point }}"
|
||||
src: "{{ item.fsid }}:/"
|
||||
fstype: "{{ item.fstype }}"
|
||||
opts: "{{ item.fsopts | join(',') }}"
|
||||
state: "{{ item.state | default('mounted') }}"
|
||||
tags:
|
||||
- mounts
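Review bot: `Installing amazon-efs-utils` installs an RPM straight from a CI job artifact URL with `disable_gpg_check: yes`, so nothing verifies the package beyond the TLS connection to git.rockylinux.org, and the artifact for that job can be replaced or expire without this task noticing. Fetch it with `get_url` and a pinned `checksum: sha256:<digest of the built rpm>` before the `yum` step, or publish it to a signed internal repo. `Install custom hosts file` has no `regexp`, so when an `ip_map` entry changes the old `/etc/hosts` line stays and the new one is appended; add `regexp: '\s{{ item.fsid }}\.efs\.{{ ansible_ec2_placement_region }}\.amazonaws\.com$'` so the line is replaced instead. The `become: yes` / `create: yes` / `validate_certs: yes` / `disable_gpg_check: yes` values should be `true` per yamllint's truthy rule.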
|
|
@ -1,46 +1,23 @@
|
|||
---
|
||||
- name: Install nginx normally
|
||||
yum:
|
||||
name: nginx
|
||||
state: present
|
||||
|
||||
- name: Reconfigure Main nginx configuration
|
||||
template:
|
||||
src: "etc/nginx/nginx.conf.j2"
|
||||
dest: "/etc/nginx/nginx.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
backup: true
|
||||
|
||||
- name: Add omnibus nginx configuration
|
||||
template:
|
||||
src: "etc/nginx/conf.d/omnibus.conf.j2"
|
||||
dest: "/etc/nginx/conf.d/omnibus.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
backup: true
|
||||
|
||||
- name: Copy self-signed certificates from GitLab
|
||||
- name: Copy certificates from ipa-getcert directory
|
||||
copy:
|
||||
src: "/etc/gitlab/ssl/{{ gitlab_domain }}.crt"
|
||||
dest: "/etc/nginx/ssl/{{ gitlab_domain }}.crt"
|
||||
owner: root
|
||||
src: "/etc/pki/tls/certs/{{ gitlab_domain }}.crt"
|
||||
dest: "/etc/gitlab/ssl/{{ gitlab_domain }}.crt"
|
||||
owner: gitlab-www
|
||||
group: root
|
||||
mode: '0644'
|
||||
remote_src: true
|
||||
when: gitlab_create_self_signed_cert
|
||||
when: "not gitlab_create_self_signed_cert|bool"
|
||||
|
||||
- name: Copy self-signed certificate key
|
||||
- name: Copy keys from ipa-getcert directory
|
||||
copy:
|
||||
src: "/etc/gitlab/ssl/{{ gitlab_domain }}.key"
|
||||
dest: "/etc/nginx/ssl/{{ gitlab_domain }}.key"
|
||||
owner: root
|
||||
src: "/etc/pki/tls/private/{{ gitlab_domain }}.key"
|
||||
dest: "/etc/gitlab/ssl/{{ gitlab_domain }}.key"
|
||||
owner: gitlab-www
|
||||
group: root
|
||||
mode: '0644'
|
||||
mode: '0600'
|
||||
remote_src: true
|
||||
when: gitlab_create_self_signed_cert
|
||||
when: "not gitlab_create_self_signed_cert|bool"
|
||||
|
||||
- name: Symlink the IPA CA
|
||||
file:
|
||||
|
@ -50,10 +27,6 @@
|
|||
group: root
|
||||
state: link
|
||||
|
||||
- name: Symlink the hash
|
||||
command: "openssl rehash /etc/gitlab/trusted-certs"
|
||||
changed_when: "1 != 1"
|
||||
|
||||
- name: Turn on necessary SELinux booleans
|
||||
ansible.posix.seboolean:
|
||||
name: "{{ item }}"
|
||||
|
@ -65,16 +38,12 @@
|
|||
- httpd_can_connect_ldap
|
||||
- httpd_read_user_content
|
||||
|
||||
- name: Change fcontext to GitLab unix socket for nginx
|
||||
community.general.sefcontext:
|
||||
target: "/var/opt/gitlab/gitlab-workhorse/sockets/socket"
|
||||
setype: httpd_var_run_t
|
||||
state: present
|
||||
|
||||
- name: Apply fcontext to GitLab unix socket for nginx
|
||||
command: restorecon -v /var/opt/gitlab/gitlab-workhorse/sockets/socket
|
||||
register: restorecon_result
|
||||
changed_when: "restorecon_result.rc == 0"
|
||||
- name: Reconfigure gitlab is we're asked to
|
||||
command: /usr/bin/gitlab-ctl reconfigure
|
||||
register: gitlab_ctl_result
|
||||
changed_when: "gitlab_ctl_result.rc == 0"
|
||||
when:
|
||||
- "gitlab_reconfigure_only is defined and (gitlab_reconfigure_only|bool)"
|
||||
|
||||
- name: Add firewall rules - http/s
|
||||
ansible.posix.firewalld:
|
||||
|
@ -86,15 +55,10 @@
|
|||
- http
|
||||
- https
|
||||
|
||||
- name: Add nginx user to git groups
|
||||
user:
|
||||
name: nginx
|
||||
shell: /sbin/nologin
|
||||
groups: gitlab-www,git
|
||||
append: yes
|
||||
|
||||
- name: Enable and Start nginx
|
||||
service:
|
||||
name: nginx
|
||||
enabled: true
|
||||
state: started
|
||||
- name: Deploy correct script
|
||||
template:
|
||||
src: "usr/local/bin/fix_gitlab_certs.sh"
|
||||
dest: "/usr/local/bin/fix_gitlab_certs.sh"
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0750'
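Review bot: The `Copy certificates from ipa-getcert directory` and `Copy keys from ipa-getcert directory` tasks in the first hunk copy the cert and key into `/etc/gitlab/ssl/` but nothing in this file reloads omnibus nginx afterwards — `Reconfigure gitlab is we're asked to` only runs when `gitlab_reconfigure_only` is set — so a renewed certificate copied by this playbook is not served until something else restarts it; if no handler outside this file covers that, add `notify: gitlab-ctl hup nginx` (and a handler of that name) to both copy tasks. That task name should read `Reconfigure gitlab if we're asked to`, and its `changed_when: "gitlab_ctl_result.rc == 0"` is always true whenever the task does not fail, so it can be dropped or written as `changed_when: true` to make the intent explicit. The key copy now carries `mode: '0600'`, which matches the `chmod 600` in the deploy script.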
|
||||
|
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
- name: Configure SELinux booleans
|
||||
ansible.posix.seboolean:
|
||||
name: "{{ item }}"
|
||||
persistent: true
|
||||
state: true
|
||||
with_items:
|
||||
- httpd_can_network_connect_db
|
||||
- httpd_can_network_connect
|
|
@ -18,6 +18,7 @@ gitlab_rails['gitlab_default_theme'] = "{{ gitlab_default_theme }}"
|
|||
nginx['redirect_http_to_https'] = {{ gitlab_redirect_http_to_https }}
|
||||
nginx['ssl_certificate'] = "{{ gitlab_ssl_certificate }}"
|
||||
nginx['ssl_certificate_key'] = "{{ gitlab_ssl_certificate_key }}"
|
||||
letsencrypt['enable'] = false
|
||||
|
||||
# The directory where Git repositories will be stored.
|
||||
git_data_dirs({"default" => {"path" => "{{ gitlab_git_data_dir }}"} })
|
||||
|
@ -95,8 +96,8 @@ nginx['ssl_client_certificate'] = "{{ gitlab_nginx_ssl_client_certificate }}"
|
|||
{% endif %}
|
||||
|
||||
# GitLab registry.
|
||||
registry['enable'] = {{ gitlab_registry_enable }}
|
||||
{% if gitlab_registry_enable == "true" %}
|
||||
registry['enable'] = {{ gitlab_registry_enable | string | lower }}
|
||||
{% if gitlab_registry_enable %}
|
||||
registry_external_url "{{ gitlab_registry_external_url }}"
|
||||
registry_nginx['ssl_certificate'] = "{{ gitlab_registry_nginx_ssl_certificate }}"
|
||||
registry_nginx['ssl_certificate_key'] = "{{ gitlab_registry_nginx_ssl_certificate_key }}"
|
||||
|
@ -120,8 +121,8 @@ registry_nginx['ssl_certificate_key'] = "{{ gitlab_registry_nginx_ssl_certificat
|
|||
|
||||
# To change other settings, see:
|
||||
# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md#changing-gitlab-yml-settings
|
||||
nginx['enable'] = false
|
||||
nginx['external_users'] = ['nginx']
|
||||
#nginx['enable'] = false
|
||||
#nginx['external_users'] = ['nginx']
|
||||
|
||||
{% if gitlab_external_db %}
|
||||
postgresql['enable'] = false
|
||||
|
@ -134,8 +135,9 @@ gitlab_rails['db_password'] = '{{ gitlab_external_db_password }}'
|
|||
{% endif %}
|
||||
|
||||
{% if gitlab_trusted_proxies %}
|
||||
gitlab_rails['trusted_proxies'] = '{{ gitlab_trusted_proxies | map("to_json") | join(", ") }}'
|
||||
gitlab_rails['trusted_proxies'] = [{{ gitlab_trusted_proxies | map("to_json") | join("', '") }}]
|
||||
{% endif %}
|
||||
|
||||
gitlab_rails['gitlab_shell_ssh_port'] = "22220"
|
||||
gitlab_rails['gravatar_enabled'] = true
|
||||
gitlab_rails['gravatar_ssl_url'] = "https://seccdn.libravatar.org/avatar/%{hash}?s=%{size}&d=retro"
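Review bot: `gitlab_rails['trusted_proxies'] = [{{ gitlab_trusted_proxies | map("to_json") | join("', '") }}]` (taking the bracketed line as the new side) produces invalid Ruby as soon as the list has two entries: `to_json` already wraps each value in double quotes, so with the `', '` separator two constructed entries render as `["10.0.0.1/32"', '"10.0.0.2/32"]`; use `join(", ")`. With the single-entry `gitlab_trusted_proxies` in the vars file the bug is latent, which is why it will not show up in a test run. `{% if gitlab_registry_enable %}` is true for any non-empty string, and the vars file sets `gitlab_registry_enable: "true"` as a string, so `"false"` would still render the registry block; use `{% if gitlab_registry_enable | bool %}` to match the `| string | lower` on the line above it.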
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
RedHat-8-sshd_config.j2
|
|
@ -0,0 +1,7 @@
|
|||
#!/bin/bash
|
||||
|
||||
/bin/cp "{{ gitlab_ssl_key }}" /etc/gitlab/ssl/
|
||||
/bin/cp "{{ gitlab_ssl_cert }}" /etc/gitlab/ssl/
|
||||
/bin/chown gitlab-www /etc/gitlab/ssl/*.{crt,key}
|
||||
/bin/chmod 600 /etc/gitlab/ssl/*.key
|
||||
/usr/bin/gitlab-ctl hup nginx
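Review bot: The script has no `set -e`, so if the first `cp` fails (key not yet issued, templated path wrong) the `chown`, `chmod` and `gitlab-ctl hup nginx` still run and ipa-getcert's postcmd exits 0 as if the certificate had been deployed. Between `cp` and `chmod 600` the copied key may also carry whatever mode the existing destination or the umask yields; `install` sets owner and mode in one step. The `*.{crt,key}` brace glob relies on bash, which the shebang provides, but with `install` it is no longer needed.
```shell
#!/bin/bash
set -euo pipefail

install -o gitlab-www -g root -m 0600 "{{ gitlab_ssl_key }}" /etc/gitlab/ssl/
install -o gitlab-www -g root -m 0644 "{{ gitlab_ssl_cert }}" /etc/gitlab/ssl/
/usr/bin/gitlab-ctl hup nginx
```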
|
|
@ -0,0 +1 @@
|
|||
RedHat.yml
|
|
@ -16,8 +16,10 @@ gitlab_create_self_signed_cert: "true"
|
|||
gitlab_self_signed_cert_subj: "/C=US/ST=Missouri/L=Saint Louis/O=IT/CN={{ gitlab_domain }}"
|
||||
gitlab_ssl_certificate: "/etc/gitlab/ssl/{{ gitlab_domain }}.crt"
|
||||
gitlab_ssl_certificate_key: "/etc/gitlab/ssl/{{ gitlab_domain }}.key"
|
||||
gitlab_ssl_cert: "/etc/nginx/ssl/{{ gitlab_domain }}.crt"
|
||||
gitlab_ssl_key: "/etc/nginx/ssl/{{ gitlab_domain }}.key"
|
||||
gitlab_ssl_cert: "/etc/pki/tls/certs/{{ gitlab_domain }}.crt"
|
||||
gitlab_ssl_key: "/etc/pki/tls/private/{{ gitlab_domain }}.key"
|
||||
gitlab_ipa_cert: "true"
|
||||
gitlab_certbot: "false"
|
||||
|
||||
# LDAP Configuration
|
||||
gitlab_ldap_enabled: "true"
|
||||
|
@ -39,10 +41,10 @@ gitlab_download_validate_certs: true
|
|||
|
||||
# Email and SMTP configuration (For the future)
|
||||
# Email configuration.
|
||||
gitlab_email_enabled: "false"
|
||||
gitlab_email_from: "gitlab@rockylinux.org"
|
||||
gitlab_email_enabled: "true"
|
||||
gitlab_email_from: "git@rockylinux.org"
|
||||
gitlab_email_display_name: "Gitlab"
|
||||
gitlab_email_reply_to: "gitlab@rockylinux.org"
|
||||
gitlab_email_reply_to: "noreply@rockylinux.org"
|
||||
# SMTP configuration
|
||||
gitlab_smtp_enable: "false"
|
||||
gitlab_smtp_address: "smtp.gmail.com"
|
||||
|
@ -58,8 +60,7 @@ gitlab_smtp_ca_path: "/etc/pki/tls/certs"
|
|||
gitlab_smtp_ca_file: "/etc/pki/tls/certs/ca-bundle.crt"
|
||||
|
||||
# In case of reverse proxy
|
||||
gitlab_nginx_listen_port: 8080
|
||||
gitlab_nginx_listen_https: "false"
|
||||
gitlab_nginx_listen_https: "true"
|
||||
|
||||
gitlab_default_theme: 2
|
||||
|
||||
|
@ -68,5 +69,18 @@ gitlab_external_db_host: db.rockylinux.org
|
|||
gitlab_external_db_user: gitlab
|
||||
gitlab_external_db_password: "{{ gitlab_db_pass }}"
|
||||
|
||||
gitlab_registry_enable: "true"
|
||||
gitlab_registry_external_url: "https://git.rockylinux.org:5050"
|
||||
gitlab_registry_nginx_ssl_certificate: "{{ gitlab_ssl_certificate }}"
|
||||
gitlab_registry_nginx_ssl_certificate_key: "{{ gitlab_ssl_certificate_key }}"
|
||||
gitlab_trusted_proxies:
|
||||
- 10.100.20.20/32
|
||||
|
||||
ipa_getcert_requested_hostnames:
|
||||
- name: "{{ ansible_fqdn }}"
|
||||
owner: nginx
|
||||
key_location: "{{ gitlab_ssl_key }}"
|
||||
cert_location: "{{ gitlab_ssl_cert }}"
|
||||
postcmd: "/usr/local/bin/fix_gitlab_certs.sh"
|
||||
cnames:
|
||||
- "git.rockylinux.org"
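Review bot: `ipa_getcert_requested_hostnames` asks ipa-getcert to write the key as `owner: nginx`, but this commit removes the `Add nginx user to git groups` task from gitlab-reconfigure.yml and no longer installs the nginx package, so unless that user exists for another reason the cert request will fail to chown; omnibus nginx runs as `gitlab-www`, which is also what the postcmd script chowns to, so `owner: gitlab-www` looks like the intended value (confirm the user exists before the role runs). The new flags `gitlab_ipa_cert: "true"` and `gitlab_certbot: "false"` continue the file's string-boolean convention, which is why every `when:` in the gitlab playbook needs `|bool`; a comment on the block (`# booleans are strings here: always compare with |bool`) would save the next reader a trip.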
|
||||
|
|
|
@ -0,0 +1,18 @@
|
|||
---
|
||||
x-efs_fs_opts_common: &common_fs_opts
|
||||
fstype: efs
|
||||
fsopts:
|
||||
- _netdev
|
||||
- tls
|
||||
- iam
|
||||
- rw
|
||||
|
||||
mounts:
|
||||
- name: prod-build-compose
|
||||
<<: *common_fs_opts
|
||||
fsid: fs-XXXXXXXX
|
||||
mount_point: /mnt/compose
|
||||
ip_map:
|
||||
us-east-2a: 10.100.100.250
|
||||
us-east-2b: 10.100.101.250
|
||||
us-east-2c: 10.100.102.250
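Review bot: `fsid: fs-XXXXXXXX` is a placeholder, and `tasks/efs_mount.yml` writes it straight into `/etc/hosts` and uses it as the mount `src`, so running the bootstrap play with this file as committed would try to mount `fs-XXXXXXXX:/`; if the real IDs are substituted at deploy time, say so in a comment (`# fsid is filled in from <vault/secret source> before use`) and consider an `assert` in the play that each `item.fsid` matches `^fs-[0-9a-f]+$`. The same placeholders appear in the repopool and srpmproc mounts files (`fs-XXXXXXXX`, `fs-YYYYYYYY`, `fs-XXXXXXX1` … `fs-XXXXXXX5`). `<<: *common_fs_opts` is a YAML 1.1 merge key; Ansible's loader handles it, but other YAML 1.2 tooling may not, which is worth a one-line comment at the `&common_fs_opts` anchor.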
|
|
@ -0,0 +1,26 @@
|
|||
---
|
||||
x-efs_fs_opts_common: &common_fs_opts
|
||||
fstype: efs
|
||||
fsopts:
|
||||
- _netdev
|
||||
- tls
|
||||
- iam
|
||||
- rw
|
||||
|
||||
mounts:
|
||||
- name: prod-build-repos-staging
|
||||
<<: *common_fs_opts
|
||||
fsid: fs-XXXXXXXX
|
||||
mount_point: /mnt/repos-staging
|
||||
ip_map:
|
||||
us-east-2a: 10.101.100.249
|
||||
us-east-2b: 10.101.101.249
|
||||
us-east-2c: 10.101.102.249
|
||||
- name: prod-build-repos-production
|
||||
<<: *common_fs_opts
|
||||
fsid: fs-YYYYYYYY
|
||||
mount_point: /mnt/repos-production
|
||||
ip_map:
|
||||
us-east-2a: 10.101.100.246
|
||||
us-east-2b: 10.101.101.246
|
||||
us-east-2c: 10.101.102.246
|
|
@ -0,0 +1,50 @@
|
|||
---
|
||||
x-efs_fs_opts_common: &common_fs_opts
|
||||
fstype: efs
|
||||
fsopts:
|
||||
- _netdev
|
||||
- tls
|
||||
- iam
|
||||
- rw
|
||||
|
||||
mounts:
|
||||
- name: prod-build-repos-internal
|
||||
<<: *common_fs_opts
|
||||
fsid: fs-XXXXXXX1
|
||||
mount_point: /mnt/repos-internal
|
||||
ip_map:
|
||||
us-east-2a: 10.101.100.248
|
||||
us-east-2b: 10.101.101.248
|
||||
us-east-2c: 10.101.102.248
|
||||
- name: prod-koji
|
||||
<<: *common_fs_opts
|
||||
fsid: fs-XXXXXXX2
|
||||
mount_point: /mnt/koji
|
||||
ip_map:
|
||||
us-east-2a: 10.101.100.247
|
||||
us-east-2b: 10.101.101.247
|
||||
us-east-2c: 10.101.102.247
|
||||
- name: prod-build-compose
|
||||
<<: *common_fs_opts
|
||||
fsid: fs-XXXXXXX3
|
||||
mount_point: /mnt/compose
|
||||
ip_map:
|
||||
us-east-2a: 10.101.100.250
|
||||
us-east-2b: 10.101.101.250
|
||||
us-east-2c: 10.101.102.250
|
||||
- name: prod-build-repos-staging
|
||||
<<: *common_fs_opts
|
||||
fsid: fs-XXXXXXX4
|
||||
mount_point: /mnt/repos-staging
|
||||
ip_map:
|
||||
us-east-2a: 10.101.100.249
|
||||
us-east-2b: 10.101.101.249
|
||||
us-east-2c: 10.101.102.249
|
||||
- name: prod-build-repos-production
|
||||
<<: *common_fs_opts
|
||||
fsid: fs-XXXXXXX5
|
||||
mount_point: /mnt/repos-production
|
||||
ip_map:
|
||||
us-east-2a: 10.101.100.246
|
||||
us-east-2b: 10.101.101.246
|
||||
us-east-2c: 10.101.102.246
|
|
@ -0,0 +1,64 @@
|
|||
---
|
||||
# pinnwand
|
||||
|
||||
firewall_rules:
|
||||
- port: 443/tcp
|
||||
permanent: true
|
||||
state: enabled
|
||||
- port: 9100/tcp
|
||||
permanent: true
|
||||
state: enabled
|
||||
|
||||
tls_ca_cert: "/etc/pki/tls/certs/ca-bundle.crt"
|
||||
tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
|
||||
tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
|
||||
|
||||
ipa_getcert_requested_hostnames:
|
||||
- name: "{{ ansible_fqdn }}"
|
||||
owner: nginx
|
||||
key_location: "{{ tls_key }}"
|
||||
cert_location: "{{ tls_cert }}"
|
||||
postcmd: "/bin/systemctl reload nginx"
|
||||
|
||||
pinnwand_config:
|
||||
database:
|
||||
scheme: postgresql
|
||||
username: pinnwand
|
||||
password: "{{ _pinnwand_db_rw_pass }}"
|
||||
hostname: "db.rockylinux.org"
|
||||
port: 5432
|
||||
database: pinnwand_db
|
||||
paste_size: 10485760
|
||||
preferred_lexers: []
|
||||
logo_path: /opt/pinnwand/logo.png
|
||||
page_path: /tmp
|
||||
page_list:
|
||||
- about
|
||||
- removal
|
||||
- expiry
|
||||
footer: ''
|
||||
paste_help: ''
|
||||
report_email: 'abuse@rockylinux.org'
|
||||
expiries:
|
||||
- name: 1hour
|
||||
time: 3600
|
||||
- name: 1day
|
||||
time: 86400
|
||||
- name: 1week
|
||||
time: 604800
|
||||
- name: forever
|
||||
time: 4294967294
|
||||
ratelimits:
|
||||
- name: read
|
||||
capacity: 100
|
||||
consume: 1
|
||||
refill: 2
|
||||
- name: create
|
||||
capacity: 2
|
||||
consume: 2
|
||||
refill: 1
|
||||
- name: delete
|
||||
capacity: 2
|
||||
consume: 2
|
||||
refill: 1
|
||||
spamscore: 50
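Review bot: `page_path: /tmp` makes pinnwand load its `about`/`removal`/`expiry` pages from a world-writable directory: any local user can replace the served pages, and if the service runs under systemd with `PrivateTmp=yes` it sees an empty private `/tmp` rather than the files the role deploys. Point it at a directory the pinnwand role owns, e.g. `page_path: /opt/pinnwand/pages`, alongside the existing `logo_path: /opt/pinnwand/logo.png`. `time: 4294967294` for `forever` and the rate-limit numbers are correctly unquoted, but a one-line comment that `time` is in seconds (`# expiry time in seconds`) would help.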
|
|
@ -12,4 +12,4 @@ kojid_distribution: Rocky
|
|||
kojid_ca_bundle: /etc/pki/tls/certs/ca-bundle.crt
|
||||
kojid_keytab: /etc/kojid.keytab
|
||||
kojid_smtp_host: smtp.rockylinux.org
|
||||
kojid_allowed_scm: "git.centos.org:/* git.rockylinux.org:/*"
|
||||
kojid_allowed_scm: "git.rockylinux.org:/staging/rpms/*:off:/var/srpmproc/srpmproc_wrapper git.rockylinux.org:/rocky/*:off:/var/srpmproc/srpmproc_wrapper git.rockylinux.org:/original/rpms/*:off:/var/srpmproc/srpmproc_wrapper"
|
||||
|
|
|
@ -12,4 +12,4 @@ kojid_distribution: Rocky
|
|||
kojid_ca_bundle: /etc/pki/tls/certs/ca-bundle.crt
|
||||
kojid_keytab: /etc/kojid.keytab
|
||||
kojid_smtp_host: smtp.rockylinux.org
|
||||
kojid_allowed_scm: "git.centos.org:/* git.rockylinux.org:/*"
|
||||
kojid_allowed_scm: "git.rockylinux.org:/staging/rpms/*:off:/var/srpmproc/srpmproc_wrapper git.rockylinux.org:/rocky/*:off:/var/srpmproc/srpmproc_wrapper git.rockylinux.org:/original/rpms/*:off:/var/srpmproc/srpmproc_wrapper"
|
||||
|
|
|
@ -9,6 +9,12 @@ roles:
|
|||
- name: cloudalchemy.grafana
|
||||
- name: geerlingguy.gitlab
|
||||
- name: geerlingguy.postgresql
|
||||
- name: geerlingguy.php
|
||||
- name: geerlingguy.nodejs
|
||||
- name: geerlingguy.certbot
|
||||
- name: riemers.gitlab-runner
|
||||
|
||||
|
||||
- name: rockylinux.ipagetcert
|
||||
src: https://github.com/rocky-linux/ansible-role-ipa-getcert
|
||||
version: main
|
||||
|
@ -30,16 +36,18 @@ roles:
|
|||
- name: rockylinux.matterbridge
|
||||
src: https://github.com/NeilHanlon/ansible-role-matterbridge
|
||||
version: master
|
||||
- name: rockylinux.pinnwand
|
||||
src: https://github.com/rocky-linux/ansible-role-pinnwand
|
||||
version: main
|
||||
- name: rockylinux.wikijs
|
||||
src: https://git.rockylinux.org/infrastructure/public/ansible/ansible-role-wikijs.git
|
||||
scm: git
|
||||
version: develop
|
||||
- name: riemers.gitlab-runner
|
||||
|
||||
collections:
|
||||
# freeipa
|
||||
- name: freeipa.ansible_freeipa
|
||||
version: 0.3.1
|
||||
version: 0.3.6
|
||||
- name: community.general
|
||||
- name: community.mysql
|
||||
- name: community.rabbitmq
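Review bot: The GitHub-sourced roles are pinned to moving branches (`rockylinux.ipagetcert` → `main`, `rockylinux.pinnwand` → `main`, `rockylinux.wikijs` → `develop`), and the Galaxy roles added here (`geerlingguy.certbot`, `riemers.gitlab-runner`, `geerlingguy.postgresql`, …) carry no `version:` at all, so `ansible-galaxy install` pulls whatever is current on each run and a changed or compromised upstream lands in production unreviewed; pin each to a release tag or commit (`version: <tag-or-sha>`), as is already done for `freeipa.ansible_freeipa` at `0.3.6`. `riemers.gitlab-runner` appears both in the first hunk and just above the `collections:` key in the second — presumably moved, but the rendered diff loses the markers, so confirm it is not listed twice.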
|
||||
|
|