Merge pull request #14992 from rocky-linux/develop

Develop
Louis Abel 2021-08-20 09:43:10 -07:00 committed by GitHub
commit 1a1aedf1b8
26 changed files with 558 additions and 122 deletions


@ -1,3 +1,5 @@
warn_list:
- internal-error
- syntax-check
skip_list:
- '204'


@ -188,11 +188,19 @@ role-rocky-ipa-client.yml
init-rocky-system-config.yml
```
### Initializing a base system
```
# All clients should be listed under [ipaclients]
role-rocky-ipa-client.yml
# All systems should be hardened
init-rocky-system-config.yml
```
## Current Set
```
.
├── README.md
├── ansible.cfg
├── collections
│   └── Readme.md
@ -231,6 +239,10 @@ init-rocky-system-config.yml
│   └── hosts.ini
├── playbooks
│   ├── adhoc-facts-refresh.yml
│   ├── adhoc-gitlab-creategroup.yml
│   ├── adhoc-gitlab-createproject.yml
│   ├── adhoc-gitlab-deletegroup.yml
│   ├── adhoc-gitlab-deleteproject.yml
│   ├── adhoc-ipabinder.yml
│   ├── adhoc-ipadnsrecord.yml
│   ├── adhoc-ipadnszone.yml
@ -238,6 +250,7 @@ init-rocky-system-config.yml
│   ├── adhoc-ipagetkeytab.yml
│   ├── adhoc-ipagroup.yml
│   ├── adhoc-ipaservice.yml
│   ├── adhoc-ipauser-disable-pdr.yml
│   ├── adhoc-ipauser-disable.yml
│   ├── adhoc-ipauser-enable.yml
│   ├── adhoc-ipauser.yml
@ -255,8 +268,11 @@ init-rocky-system-config.yml
│   │   │   │   ├── CentOS-7-system-auth-ac -> RedHat-7-system-auth-ac
│   │   │   │   └── RedHat-7-system-auth-ac
│   │   │   ├── rockybanner
│   │   │   └── sudoers.d
│   │   │   └── cis
│   │   │   ├── sudoers.d
│   │   │   │   └── cis
│   │   │   └── systemd
│   │   │   └── system
│   │   │   └── noggin.service
│   │   ├── tmp
│   │   └── usr
│   │   └── local
@ -277,15 +293,22 @@ init-rocky-system-config.yml
│   ├── init-rocky-install-kvm-hosts.yml
│   ├── init-rocky-ipa-internal-dns.yml
│   ├── init-rocky-ipa-team.yml
│   ├── init-rocky-koji-ecosystem.yml
│   ├── init-rocky-mantisbt.yml
│   ├── init-rocky-noggin-theme.yml
│   ├── init-rocky-noggin.yml
│   ├── init-rocky-repo-servers.yml
│   ├── init-rocky-system-config.yml
│   ├── rocky-rocky-gitlab-ee.yml
│   ├── role-rocky-gitlab-runner.yml
│   ├── role-rocky-graylog.yml
│   ├── role-rocky-ipa-client.yml
│   ├── role-rocky-ipa-replica.yml
│   ├── role-rocky-ipa.yml
│   ├── role-rocky-ipsilon.yml
│   ├── role-rocky-kojid-staging.yml
│   ├── role-rocky-kojid.yml
│   ├── role-rocky-kojihub-staging.yml
│   ├── role-rocky-kojihub.yml
│   ├── role-rocky-monitoring.yml
│   ├── role-rocky-mqtt.yml
@ -293,19 +316,27 @@ init-rocky-system-config.yml
│   ├── role-rocky-rabbitmq.yml
│   ├── role-rocky-sigul-bridge.yml
│   ├── role-rocky-sigul-server.yml
│   ├── role-rocky-wikijs.yml
│   ├── tasks
│   │   ├── account_services.yml
│   │   ├── auditd.yml
│   │   ├── authentication.yml
│   │   ├── bugzilla_install.yml
│   │   ├── bugzilla.yml
│   │   ├── chrony.yml
│   │   ├── gitlab-reconfigure.yml
│   │   ├── gitlab-runner.yml
│   │   ├── grub.yml
│   │   ├── harden.yml
│   │   ├── init-koji.yml
│   │   ├── koji_efs.yml
│   │   ├── main.yml
│   │   ├── mantispatch.yml
│   │   ├── mantis.yml
│   │   ├── noggin.yml
│   │   ├── postfix_relay.yml
│   │   ├── rabbitmq-reconfigure.yml
│   │   ├── repository.yml
│   │   ├── scripts.yml
│   │   ├── ssh_config.yml
│   │   └── variable_loader_common.yml
@ -319,6 +350,7 @@ init-rocky-system-config.yml
│   │   │   │   └── rocky_gitlab.rb
│   │   │   ├── httpd
│   │   │   │   └── conf.d
│   │   │   │   ├── bugzilla.conf.j2
│   │   │   │   ├── id.conf.j2
│   │   │   │   └── mantis.conf.j2
│   │   │   ├── modprobe.d
@ -338,25 +370,34 @@ init-rocky-system-config.yml
│   │   │   │   └── RedHat-8-sshd_config.j2
│   │   │   └── sssd
│   │   ├── hidden
│   │   │   ├── README.md
│   │   │   └── home
│   │   │   └── noggin
│   │   │   └── noggin.cfg
│   │   │   ├── home
│   │   │   │   └── noggin
│   │   │   │   └── noggin.cfg
│   │   │   └── README.md
│   │   ├── opt
│   │   │   └── noggin
│   │   │   ├── noggin.cfg
│   │   │   └── start_noggin.sh.j2
│   │   ├── tmp
│   │   │   ├── binder_template.update
│   │   │   ├── binder.update
│   │   │   └── binder_template.update
│   │   │   └── mantis_import.sql.j2
│   │   └── var
│   │   └── www
│   │   ├── bugzilla
│   │   │   ├── answer
│   │   │   └── localconfig.j2
│   │   └── mantis
│   │   └── config
│   │   └── config_inc.php.j2
│   └── vars
│   ├── CentOS.yml -> RedHat.yml
│   ├── RedHat.yml
│   ├── bugzilla.yml
│   ├── buildsys.yml
│   ├── chrony.yml
│   ├── CentOS.yml -> RedHat.yml
│   ├── chronyserver.yml
│   ├── chrony.yml
│   ├── common.yml
│   ├── gitlab_runner.yml
│   ├── gitlab.yml
│   ├── graylog.yml
│   ├── ipa
@ -374,20 +415,28 @@ init-rocky-system-config.yml
│   │   └── users.yml
│   ├── ipaserver.yml
│   ├── ipsilon.yml
│   ├── koji-common.yml
│   ├── kojid.yml
│   ├── kojihub.yml
│   ├── mantis.yml
│   ├── matterbridge.yml
│   ├── monitoring
│   │   └── README.md
│   ├── monitoring.yml
│   ├── mqtt.yml
│   ├── production
│   │   ├── koji-common.yml
│   │   ├── kojid.yml
│   │   └── kojihub.yml
│   ├── rabbitmq.yml
│   ├── RedHat.yml
│   ├── sigul_bridge.yml
│   ├── sigul_server.yml
│   └── vaults
│   └── README.md
│   ├── staging
│   │   ├── koji-common.yml
│   │   ├── kojid.yml
│   │   └── kojihub.yml
│   ├── vaults
│   │   └── README.md
│   └── wikijs.yml
├── README.md
├── roles
│   ├── local
│   │   └── Readme.md
@ -398,7 +447,7 @@ init-rocky-system-config.yml
├── tasks -> playbooks/tasks
├── templates -> playbooks/templates
├── tmp
│   ├── Readme.md
│   └── ansible.log
│   ├── ansible.log
│   └── Readme.md
└── vars -> playbooks/vars
```


@ -34,7 +34,7 @@
- users
- name: "Remove personal information attributes"
community.general.ldap_attr:
community.general.ldap_attrs:
dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
name: "{{ item }}"
values: []
@ -64,7 +64,7 @@
- homePhone
- name: "Set FAS Status Note"
community.general.ldap_attr:
community.general.ldap_attrs:
dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
name: "fasStatusNote"
values: "Account Disabled: {{ ticket_id }}"
@ -74,7 +74,7 @@
bind_pw: "{{ ipaadmin_password }}"
- name: "Set FAS Account Information to Private"
community.general.ldap_attr:
community.general.ldap_attrs:
dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
name: "fasisprivate"
values: "TRUE"
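Review bot: Renaming the module to `community.general.ldap_attrs` in the three tasks ("Remove personal information attributes", "Set FAS Status Note", "Set FAS Account Information to Private") appears to leave the old module's `name:`/`values:` parameters in place, and ldap_attrs does not accept them — it takes an `attributes:` mapping plus `state:` instead. Unless the task bodies were reworked outside these hunks, each task would stop with an unsupported-parameter error at runtime, so the disable flow would never reach the attribute changes. For the first task that would look like `attributes: { "{{ item }}": [] }` with `state: exact`, and for the status note `attributes: { fasStatusNote: "Account Disabled: {{ ticket_id }}" }` with `state: exact`. The tasks start and end outside the hunks, so please confirm against the full file.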


@ -0,0 +1 @@
RedHat-8-system-auth


@ -5,7 +5,7 @@
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.group }}"
minlife: "{{ item.minlife | default(0) }}"
maxlife: "{{ item.maxlife | default(84) }}"
maxlife: "{{ item.maxlife | default(0) }}"
history: "{{ item.history | default(5) }}"
priority: "{{ item.priority | default(1) }}"
lockouttime: "{{ item.lockout | default(300) }}"
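Review bot: Changing the fallback for `maxlife` from 84 to 0 makes passwords never expire for every group entry that does not set `item.maxlife`, since a maxlife of 0 in a FreeIPA password policy means no expiry. That weakens the default policy silently; if it is deliberate (for example to stop lockouts of service accounts), write the reason next to the line, e.g. `# maxlife 0 = no expiry; groups that must rotate passwords set item.maxlife explicitly`. Otherwise keeping a non-zero fallback and overriding per group is the safer default. The enclosing task begins outside the hunk.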


@ -0,0 +1,40 @@
---
# Manage bootstrap hosts
#
- name: Manage and configure bootstrap hosts
hosts: bootstrap_staging
become: true
vars_files:
- vars/mounts/bootstrap_staging.yml
# This is to try to avoid the handler issue in pre/post tasks
handlers:
- import_tasks: handlers/main.yml
pre_tasks:
- name: Check if ansible cannot be run here
stat:
path: /etc/no-ansible
register: no_ansible
- name: Verify if we can run ansible
assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
tasks:
- include_tasks: tasks/efs_mount.yml
loop: "{{ mounts }}"
- include_tasks: tasks/srpmproc.yml
post_tasks:
- name: Touching run file that ansible has ran here
file:
path: /var/log/ansible.run
state: touch
mode: '0644'
owner: root
group: root
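Review bot: This play is identical to the new srpmproc play apart from `hosts:` and `vars_files:`, including the `- include_tasks: tasks/srpmproc.yml` step, so it is worth confirming that srpmproc is really meant to be set up on `bootstrap_staging` hosts rather than being a copy-paste leftover. If both plays must stay in step, the shared pre/post tasks and includes could move into a role or an imported task file. The two `include_tasks` entries also lack a `name:`, which makes run output hard to follow; e.g. `- name: Mount shared filesystems` on the first and `- name: Set up srpmproc` on the second.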


@ -30,9 +30,17 @@
state: present
roles:
- role: rockylinux.ipagetcert
state: present
when:
- "not gitlab_create_self_signed_cert|bool"
- "gitlab_ipa_cert|bool"
- role: geerlingguy.certbot
state: present
when: not gitlab_create_self_signed_cert
when:
- "not gitlab_create_self_signed_cert|bool"
- "gitlab_certbot|bool"
- role: geerlingguy.gitlab
state: present
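Review bot: Nothing prevents `gitlab_ipa_cert` and `gitlab_certbot` from both evaluating to true, in which case both certificate roles run against the same certificate paths in sequence and the second one silently wins. An `assert` in pre_tasks such as `that: "not (gitlab_ipa_cert|bool and gitlab_certbot|bool)"` would make that misconfiguration fail fast. The play's body begins outside the hunk.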


@ -37,8 +37,8 @@
state: present
roles:
- role: rockylinux.ipagetcert
state: present
#- role: rockylinux.ipagetcert
# state: present
- role: cloudalchemy.prometheus
state: present
- role: cloudalchemy.alertmanager
@ -61,24 +61,3 @@
mode: '0644'
owner: root
group: root
- name: Install Prometheus Node Exporter
hosts: all
become: true
pre_tasks:
- name: Install SELinux packages
package:
name: python3-policycoreutils.noarch
state: present
roles:
- role: cloudalchemy.node-exporter
state: present
post_tasks:
- name: Open firewall for node-exporter
ansible.posix.firewalld:
port: 9100/tcp
permanent: true
state: enabled
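Review bot: The ipagetcert role is commented out rather than removed, which leaves dead configuration that linters and readers have to skip over; git history already preserves the old lines. If the role is expected to come back, a `when:` guard on a variable, as the gitlab playbook now does with `gitlab_ipa_cert`, keeps it live and switchable instead. The node-exporter play was deleted from this file, presumably because hosts are covered elsewhere (the new pinnwand firewall rules still open 9100/tcp), but that is inferred and worth confirming.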


@ -0,0 +1,66 @@
---
# pinnwand
- name: Install pinnwand
hosts: pinnwand
become: true
vars_files:
- vars/vaults/hostman.yml
- vars/vaults/pinnwand.yml
- vars/pinnwand.yml
# This is to try to avoid the handler issue in pre/post tasks
handlers:
- import_tasks: handlers/main.yml
pre_tasks:
- name: Check if ansible cannot be run here
stat:
path: /etc/no-ansible
register: no_ansible
- name: Verify if we can run ansible
assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
- name: Install SELinux packages
package:
name: python3-policycoreutils.noarch
state: present
tasks:
#- include_tasks: tasks/pinnwand.yml
# tags: ['includetasks']
roles:
- role: rockylinux.ipagetcert
state: present
tags: ['certs']
- role: rockylinux.pinnwand
state: present
tags: ['role_pinnwand']
# Define variables in vars/matomo/nginx.yml
- role: nginxinc.nginx_core.nginx
tags: ['nginx']
#- role: nginxinc.nginx_core.nginx_config
# tags: ['nginx']
post_tasks:
- name: Open firewalld ports
ansible.posix.firewalld:
port: "{{ item.port }}"
permanent: "{{ item.permanent | default(yes) }}"
state: "{{ item.state | default(present) }}"
loop: "{{ firewall_rules }}"
- name: Touching run file that ansible has ran here
file:
path: /var/log/ansible.run
state: touch
mode: '0644'
owner: root
group: root
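Review bot: `default(yes)` and `default(present)` in the "Open firewalld ports" task are bare Jinja names, not literals, so they resolve to undefined variables and the task errors as soon as an item omits `permanent` or `state`; the defaults should be `default(true)` and `default('enabled')` (firewalld's `state` values are enabled/disabled/present/absent, and every rule in the pinnwand vars file uses `enabled`). The comment `# Define variables in vars/matomo/nginx.yml` looks copied from another playbook and should point at the pinnwand vars file. `tasks:` with only commented children is a null value; either drop the key or give it a real task list.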


@ -0,0 +1,41 @@
---
# Configures an instance to function as a HTTP serving member of repopool
- name: Configure Repo Pool hosts
hosts: repopool
become: true
vars_files:
- vars/vaults/encpass.yml
- vars/common.yml
- vars/mounts/repopool.yml
# This is to try to avoid the handler issue in pre/post tasks
handlers:
- import_tasks: handlers/main.yml
pre_tasks:
- name: Check if ansible cannot be run here
stat:
path: /etc/no-ansible
register: no_ansible
- name: Verify if we can run ansible
assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
tasks:
- name: "Setup shared filesystem mount"
include_tasks: tasks/efs_mount.yml
with_items: "{{ mounts }}"
tags: ["koji_efs_mount"]
post_tasks:
- name: Touching run file that ansible has ran here
file:
path: /var/log/ansible.run
state: touch
mode: '0644'
owner: root
group: root
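Review bot: The mount loop here uses `with_items` while the bootstrap and srpmproc plays added in the same commit use `loop` for the same include; pick one form across the three playbooks. The tag `koji_efs_mount` also reads as inherited from the koji playbook and would be clearer as `repopool_efs_mount` or simply `efs_mount`.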


@ -0,0 +1,40 @@
---
# Manage srpmproc
#
- name: Manage and configure srpmproc
hosts: srpmproc
become: true
vars_files:
- vars/mounts/srpmproc.yml
# This is to try to avoid the handler issue in pre/post tasks
handlers:
- import_tasks: handlers/main.yml
pre_tasks:
- name: Check if ansible cannot be run here
stat:
path: /etc/no-ansible
register: no_ansible
- name: Verify if we can run ansible
assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
tasks:
- include_tasks: tasks/efs_mount.yml
loop: "{{ mounts }}"
- include_tasks: tasks/srpmproc.yml
post_tasks:
- name: Touching run file that ansible has ran here
file:
path: /var/log/ansible.run
state: touch
mode: '0644'
owner: root
group: root


@ -0,0 +1,46 @@
---
# Requires amazon-efs-utils; included, but should probably be split out?
#
- name: "Installing amazon-efs-utils"
become: yes
become_user: root
yum:
name: 'https://git.rockylinux.org/neil/efs-utils/-/jobs/5/artifacts/raw/build/amazon-efs-utils-1.30.1-1.el8.noarch.rpm?inline=false'
disable_gpg_check: yes
validate_certs: yes
state: present
tags:
- amazon_efs_utils
- packages
- mounts
- name: "Gathering ec2 facts"
amazon.aws.ec2_metadata_facts:
tags:
- mounts
# "you can use /etc/hosts" https://github.com/aws/efs-utils/issues/1
- name: "Install custom hosts file because fmlC-w amazon said so."
become: yes
become_user: root
ansible.builtin.lineinfile:
path: /etc/hosts
line: "{{ item.ip_map[ansible_ec2_placement_availability_zone] }} {{ item.fsid }}.efs.{{ ansible_ec2_placement_region }}.amazonaws.com"
create: yes
tags:
- mounts
- name: "Creating and mounting {{ item.fsid }} at {{ item.mount_point }}"
become: yes
become_user: root
ansible.posix.mount:
path: "{{ item.mount_point }}"
src: "{{ item.fsid }}:/"
fstype: "{{ item.fstype }}"
opts: "{{ item.fsopts | join(',') }}"
state: "{{ item.state | default('mounted') }}"
tags:
- mounts
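Review bot: The "Installing amazon-efs-utils" task installs an RPM straight from a personal CI job artifact URL with `disable_gpg_check: yes`, so nothing verifies what lands on the host beyond the TLS connection, and a job artifact URL can be replaced or expire. Download it with `get_url` and a pinned `checksum:` first, or sign it and serve it from an internal repository, then install the local file. The `/etc/hosts` entry is added with `lineinfile` and no `regexp:`, so a changed IP mapping appends a second line instead of replacing the old one; `regexp: '.*{{ item.fsid }}\.efs\..*'` keeps it idempotent. The `yes` values for `become`, `disable_gpg_check`, `validate_certs` and `create` should be `true`.
```yaml
- name: "Downloading amazon-efs-utils"
  become: true
  become_user: root
  ansible.builtin.get_url:
    url: 'https://git.rockylinux.org/neil/efs-utils/-/jobs/5/artifacts/raw/build/amazon-efs-utils-1.30.1-1.el8.noarch.rpm?inline=false'
    dest: /tmp/amazon-efs-utils-1.30.1-1.el8.noarch.rpm
    checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"
    validate_certs: true
  tags:
    - amazon_efs_utils
    - packages
    - mounts
- name: "Installing amazon-efs-utils"
  become: true
  become_user: root
  yum:
    name: /tmp/amazon-efs-utils-1.30.1-1.el8.noarch.rpm
    disable_gpg_check: true
    state: present
  tags:
    - amazon_efs_utils
    - packages
    - mounts
# … unchanged: ec2 facts, /etc/hosts entry and mount tasks …
```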


@ -1,46 +1,23 @@
---
- name: Install nginx normally
yum:
name: nginx
state: present
- name: Reconfigure Main nginx configuration
template:
src: "etc/nginx/nginx.conf.j2"
dest: "/etc/nginx/nginx.conf"
owner: root
group: root
mode: '0644'
backup: true
- name: Add omnibus nginx configuration
template:
src: "etc/nginx/conf.d/omnibus.conf.j2"
dest: "/etc/nginx/conf.d/omnibus.conf"
owner: root
group: root
mode: '0644'
backup: true
- name: Copy self-signed certificates from GitLab
- name: Copy certificates from ipa-getcert directory
copy:
src: "/etc/gitlab/ssl/{{ gitlab_domain }}.crt"
dest: "/etc/nginx/ssl/{{ gitlab_domain }}.crt"
owner: root
src: "/etc/pki/tls/certs/{{ gitlab_domain }}.crt"
dest: "/etc/gitlab/ssl/{{ gitlab_domain }}.crt"
owner: gitlab-www
group: root
mode: '0644'
remote_src: true
when: gitlab_create_self_signed_cert
when: "not gitlab_create_self_signed_cert|bool"
- name: Copy self-signed certificate key
- name: Copy keys from ipa-getcert directory
copy:
src: "/etc/gitlab/ssl/{{ gitlab_domain }}.key"
dest: "/etc/nginx/ssl/{{ gitlab_domain }}.key"
owner: root
src: "/etc/pki/tls/private/{{ gitlab_domain }}.key"
dest: "/etc/gitlab/ssl/{{ gitlab_domain }}.key"
owner: gitlab-www
group: root
mode: '0644'
mode: '0600'
remote_src: true
when: gitlab_create_self_signed_cert
when: "not gitlab_create_self_signed_cert|bool"
- name: Symlink the IPA CA
file:
@ -50,10 +27,6 @@
group: root
state: link
- name: Symlink the hash
command: "openssl rehash /etc/gitlab/trusted-certs"
changed_when: "1 != 1"
- name: Turn on necessary SELinux booleans
ansible.posix.seboolean:
name: "{{ item }}"
@ -65,16 +38,12 @@
- httpd_can_connect_ldap
- httpd_read_user_content
- name: Change fcontext to GitLab unix socket for nginx
community.general.sefcontext:
target: "/var/opt/gitlab/gitlab-workhorse/sockets/socket"
setype: httpd_var_run_t
state: present
- name: Apply fcontext to GitLab unix socket for nginx
command: restorecon -v /var/opt/gitlab/gitlab-workhorse/sockets/socket
register: restorecon_result
changed_when: "restorecon_result.rc == 0"
- name: Reconfigure gitlab is we're asked to
command: /usr/bin/gitlab-ctl reconfigure
register: gitlab_ctl_result
changed_when: "gitlab_ctl_result.rc == 0"
when:
- "gitlab_reconfigure_only is defined and (gitlab_reconfigure_only|bool)"
- name: Add firewall rules - http/s
ansible.posix.firewalld:
@ -86,15 +55,10 @@
- http
- https
- name: Add nginx user to git groups
user:
name: nginx
shell: /sbin/nologin
groups: gitlab-www,git
append: yes
- name: Enable and Start nginx
service:
name: nginx
enabled: true
state: started
- name: Deploy correct script
template:
src: "usr/local/bin/fix_gitlab_certs.sh"
dest: "/usr/local/bin/fix_gitlab_certs.sh"
owner: root
group: root
mode: '0750'
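Review bot: The two new copy tasks ("Copy certificates from ipa-getcert directory", "Copy keys from ipa-getcert directory") reproduce what `fix_gitlab_certs.sh`, deployed at the bottom of this file as the certmonger postcmd, already does, so the certificate-handling logic now lives in two places that can drift — the script chowns both files to gitlab-www without touching group, while the tasks set `group: root` explicitly. Consider having the tasks just run the deployed script, or keep them and document the split with `# initial placement only; renewals are handled by fix_gitlab_certs.sh via the certmonger postcmd`. Because roles run before tasks, on a fresh host the ipagetcert role registers a postcmd that this file only deploys at the very end; the copy tasks cover first placement, but that ordering deserves a comment. The task list continues across several hunks.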


@ -0,0 +1,9 @@
---
- name: Configure SELinux booleans
ansible.posix.seboolean:
name: "{{ item }}"
persistent: true
state: true
with_items:
- httpd_can_network_connect_db
- httpd_can_network_connect


@ -18,6 +18,7 @@ gitlab_rails['gitlab_default_theme'] = "{{ gitlab_default_theme }}"
nginx['redirect_http_to_https'] = {{ gitlab_redirect_http_to_https }}
nginx['ssl_certificate'] = "{{ gitlab_ssl_certificate }}"
nginx['ssl_certificate_key'] = "{{ gitlab_ssl_certificate_key }}"
letsencrypt['enable'] = false
# The directory where Git repositories will be stored.
git_data_dirs({"default" => {"path" => "{{ gitlab_git_data_dir }}"} })
@ -95,8 +96,8 @@ nginx['ssl_client_certificate'] = "{{ gitlab_nginx_ssl_client_certificate }}"
{% endif %}
# GitLab registry.
registry['enable'] = {{ gitlab_registry_enable }}
{% if gitlab_registry_enable == "true" %}
registry['enable'] = {{ gitlab_registry_enable | string | lower }}
{% if gitlab_registry_enable %}
registry_external_url "{{ gitlab_registry_external_url }}"
registry_nginx['ssl_certificate'] = "{{ gitlab_registry_nginx_ssl_certificate }}"
registry_nginx['ssl_certificate_key'] = "{{ gitlab_registry_nginx_ssl_certificate_key }}"
@ -120,8 +121,8 @@ registry_nginx['ssl_certificate_key'] = "{{ gitlab_registry_nginx_ssl_certificat
# To change other settings, see:
# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md#changing-gitlab-yml-settings
nginx['enable'] = false
nginx['external_users'] = ['nginx']
#nginx['enable'] = false
#nginx['external_users'] = ['nginx']
{% if gitlab_external_db %}
postgresql['enable'] = false
@ -134,8 +135,9 @@ gitlab_rails['db_password'] = '{{ gitlab_external_db_password }}'
{% endif %}
{% if gitlab_trusted_proxies %}
gitlab_rails['trusted_proxies'] = '{{ gitlab_trusted_proxies | map("to_json") | join(", ") }}'
gitlab_rails['trusted_proxies'] = [{{ gitlab_trusted_proxies | map("to_json") | join("', '") }}]
{% endif %}
gitlab_rails['gitlab_shell_ssh_port'] = "22220"
gitlab_rails['gravatar_enabled'] = true
gitlab_rails['gravatar_ssl_url'] = "https://seccdn.libravatar.org/avatar/%{hash}?s=%{size}&d=retro"
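Review bot: The new `trusted_proxies` line renders a broken Ruby literal for more than one proxy: `map("to_json")` already wraps each entry in double quotes, and joining with `', '` yields `["a"', '"b"]`, which Ruby reads as adjacent string literals and concatenates into a single element. Use `join(", ")` so the result is `["a", "b"]`. The guard `{% if gitlab_registry_enable %}` is also true for the string "false", because the vars file defines these flags as quoted strings; `{% if gitlab_registry_enable | bool %}` matches the `| string | lower` rendering on the line above it. The commented-out `nginx[...]` lines are dead configuration better removed.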


@ -0,0 +1 @@
RedHat-8-sshd_config.j2


@ -0,0 +1,7 @@
#!/bin/bash
/bin/cp "{{ gitlab_ssl_key }}" /etc/gitlab/ssl/
/bin/cp "{{ gitlab_ssl_cert }}" /etc/gitlab/ssl/
/bin/chown gitlab-www /etc/gitlab/ssl/*.{crt,key}
/bin/chmod 600 /etc/gitlab/ssl/*.key
/usr/bin/gitlab-ctl hup nginx
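Review bot: The script has no `set -e`, so a failed copy of the certificate or key still falls through to `gitlab-ctl hup nginx`, reloading nginx against stale or partially written files; add `set -euo pipefail` directly after the shebang. The key is copied before its mode is fixed, so depending on the source file's mode there is a brief window in which it sits in /etc/gitlab/ssl more readable than intended — copying to a temporary name, `chmod 600`, then `mv` into place avoids that. A one-line header comment stating that this is the certmonger postcmd for the GitLab certificate would help the next reader, since the file name alone does not say so.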


@ -0,0 +1 @@
RedHat.yml


@ -16,8 +16,10 @@ gitlab_create_self_signed_cert: "true"
gitlab_self_signed_cert_subj: "/C=US/ST=Missouri/L=Saint Louis/O=IT/CN={{ gitlab_domain }}"
gitlab_ssl_certificate: "/etc/gitlab/ssl/{{ gitlab_domain }}.crt"
gitlab_ssl_certificate_key: "/etc/gitlab/ssl/{{ gitlab_domain }}.key"
gitlab_ssl_cert: "/etc/nginx/ssl/{{ gitlab_domain }}.crt"
gitlab_ssl_key: "/etc/nginx/ssl/{{ gitlab_domain }}.key"
gitlab_ssl_cert: "/etc/pki/tls/certs/{{ gitlab_domain }}.crt"
gitlab_ssl_key: "/etc/pki/tls/private/{{ gitlab_domain }}.key"
gitlab_ipa_cert: "true"
gitlab_certbot: "false"
# LDAP Configuration
gitlab_ldap_enabled: "true"
@ -39,10 +41,10 @@ gitlab_download_validate_certs: true
# Email and SMTP configuration (For the future)
# Email configuration.
gitlab_email_enabled: "false"
gitlab_email_from: "gitlab@rockylinux.org"
gitlab_email_enabled: "true"
gitlab_email_from: "git@rockylinux.org"
gitlab_email_display_name: "Gitlab"
gitlab_email_reply_to: "gitlab@rockylinux.org"
gitlab_email_reply_to: "noreply@rockylinux.org"
# SMTP configuration
gitlab_smtp_enable: "false"
gitlab_smtp_address: "smtp.gmail.com"
@ -58,8 +60,7 @@ gitlab_smtp_ca_path: "/etc/pki/tls/certs"
gitlab_smtp_ca_file: "/etc/pki/tls/certs/ca-bundle.crt"
# In case of reverse proxy
gitlab_nginx_listen_port: 8080
gitlab_nginx_listen_https: "false"
gitlab_nginx_listen_https: "true"
gitlab_default_theme: 2
@ -68,5 +69,18 @@ gitlab_external_db_host: db.rockylinux.org
gitlab_external_db_user: gitlab
gitlab_external_db_password: "{{ gitlab_db_pass }}"
gitlab_registry_enable: "true"
gitlab_registry_external_url: "https://git.rockylinux.org:5050"
gitlab_registry_nginx_ssl_certificate: "{{ gitlab_ssl_certificate }}"
gitlab_registry_nginx_ssl_certificate_key: "{{ gitlab_ssl_certificate_key }}"
gitlab_trusted_proxies:
- 10.100.20.20/32
ipa_getcert_requested_hostnames:
- name: "{{ ansible_fqdn }}"
owner: nginx
key_location: "{{ gitlab_ssl_key }}"
cert_location: "{{ gitlab_ssl_cert }}"
postcmd: "/usr/local/bin/fix_gitlab_certs.sh"
cnames:
- "git.rockylinux.org"
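Review bot: `owner: nginx` in `ipa_getcert_requested_hostnames` names a user this commit stops creating — the "Add nginx user to git groups" task and the nginx install were removed from the gitlab task file — so the certmonger request may fail or leave the key owned by a non-existent account unless the ipagetcert role creates the user itself. Since the postcmd chowns the copies to gitlab-www anyway, `owner: root` (or `gitlab-www`) would match the rest of the change. `gitlab_email_enabled` flips to `"true"` while `gitlab_smtp_enable` stays `"false"`; if delivery through local sendmail is intended that is fine, but a comment would make it explicit. The variable block continues outside the hunk.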


@ -0,0 +1,18 @@
---
x-efs_fs_opts_common: &common_fs_opts
fstype: efs
fsopts:
- _netdev
- tls
- iam
- rw
mounts:
- name: prod-build-compose
<<: *common_fs_opts
fsid: fs-XXXXXXXX
mount_point: /mnt/compose
ip_map:
us-east-2a: 10.100.100.250
us-east-2b: 10.100.101.250
us-east-2c: 10.100.102.250
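Review bot: `fsid: fs-XXXXXXXX` is a placeholder rather than a real EFS filesystem id, so as committed the mount task would try to resolve `fs-XXXXXXXX.efs.<region>.amazonaws.com`; the same placeholders appear in the repopool and srpmproc mount files added in this commit. If the ids were scrubbed on purpose, a comment such as `# fsid redacted; real value supplied via vault/host_vars` plus a vaulted override would make that intent clear. The `x-efs_fs_opts_common` key is also loaded as an Ansible variable and its hyphen is not a valid identifier character, which newer variable-name validation may reject; a snake_case key like `x_efs_fs_opts_common` is safer. The identical `&common_fs_opts` block is repeated in all three files because anchors cannot cross files — a shared vars file would remove the duplication.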


@ -0,0 +1,26 @@
---
x-efs_fs_opts_common: &common_fs_opts
fstype: efs
fsopts:
- _netdev
- tls
- iam
- rw
mounts:
- name: prod-build-repos-staging
<<: *common_fs_opts
fsid: fs-XXXXXXXX
mount_point: /mnt/repos-staging
ip_map:
us-east-2a: 10.101.100.249
us-east-2b: 10.101.101.249
us-east-2c: 10.101.102.249
- name: prod-build-repos-production
<<: *common_fs_opts
fsid: fs-YYYYYYYY
mount_point: /mnt/repos-production
ip_map:
us-east-2a: 10.101.100.246
us-east-2b: 10.101.101.246
us-east-2c: 10.101.102.246


@ -0,0 +1,50 @@
---
x-efs_fs_opts_common: &common_fs_opts
fstype: efs
fsopts:
- _netdev
- tls
- iam
- rw
mounts:
- name: prod-build-repos-internal
<<: *common_fs_opts
fsid: fs-XXXXXXX1
mount_point: /mnt/repos-internal
ip_map:
us-east-2a: 10.101.100.248
us-east-2b: 10.101.101.248
us-east-2c: 10.101.102.248
- name: prod-koji
<<: *common_fs_opts
fsid: fs-XXXXXXX2
mount_point: /mnt/koji
ip_map:
us-east-2a: 10.101.100.247
us-east-2b: 10.101.101.247
us-east-2c: 10.101.102.247
- name: prod-build-compose
<<: *common_fs_opts
fsid: fs-XXXXXXX3
mount_point: /mnt/compose
ip_map:
us-east-2a: 10.101.100.250
us-east-2b: 10.101.101.250
us-east-2c: 10.101.102.250
- name: prod-build-repos-staging
<<: *common_fs_opts
fsid: fs-XXXXXXX4
mount_point: /mnt/repos-staging
ip_map:
us-east-2a: 10.101.100.249
us-east-2b: 10.101.101.249
us-east-2c: 10.101.102.249
- name: prod-build-repos-production
<<: *common_fs_opts
fsid: fs-XXXXXXX5
mount_point: /mnt/repos-production
ip_map:
us-east-2a: 10.101.100.246
us-east-2b: 10.101.101.246
us-east-2c: 10.101.102.246


@ -0,0 +1,64 @@
---
# pinnwand
firewall_rules:
- port: 443/tcp
permanent: true
state: enabled
- port: 9100/tcp
permanent: true
state: enabled
tls_ca_cert: "/etc/pki/tls/certs/ca-bundle.crt"
tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
ipa_getcert_requested_hostnames:
- name: "{{ ansible_fqdn }}"
owner: nginx
key_location: "{{ tls_key }}"
cert_location: "{{ tls_cert }}"
postcmd: "/bin/systemctl reload nginx"
pinnwand_config:
database:
scheme: postgresql
username: pinnwand
password: "{{ _pinnwand_db_rw_pass }}"
hostname: "db.rockylinux.org"
port: 5432
database: pinnwand_db
paste_size: 10485760
preferred_lexers: []
logo_path: /opt/pinnwand/logo.png
page_path: /tmp
page_list:
- about
- removal
- expiry
footer: ''
paste_help: ''
report_email: 'abuse@rockylinux.org'
expiries:
- name: 1hour
time: 3600
- name: 1day
time: 86400
- name: 1week
time: 604800
- name: forever
time: 4294967294
ratelimits:
- name: read
capacity: 100
consume: 1
refill: 2
- name: create
capacity: 2
consume: 2
refill: 1
- name: delete
capacity: 2
consume: 2
refill: 1
spamscore: 50


@ -12,4 +12,4 @@ kojid_distribution: Rocky
kojid_ca_bundle: /etc/pki/tls/certs/ca-bundle.crt
kojid_keytab: /etc/kojid.keytab
kojid_smtp_host: smtp.rockylinux.org
kojid_allowed_scm: "git.centos.org:/* git.rockylinux.org:/*"
kojid_allowed_scm: "git.rockylinux.org:/staging/rpms/*:off:/var/srpmproc/srpmproc_wrapper git.rockylinux.org:/rocky/*:off:/var/srpmproc/srpmproc_wrapper git.rockylinux.org:/original/rpms/*:off:/var/srpmproc/srpmproc_wrapper"
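Review bot: The new `kojid_allowed_scm` value is a 200-plus-character single line that is duplicated verbatim in the staging variant below; a folded scalar (`kojid_allowed_scm: >-` with one `host:path:use_common:source_cmd` entry per line) keeps it reviewable. Each entry hands `/var/srpmproc/srpmproc_wrapper` to kojid as the source command for every build from these paths, so that wrapper becomes part of the build trust chain; the task that installs it should ensure it is root-owned and not group- or world-writable, and a comment here pointing at where the wrapper comes from would help. Dropping `git.centos.org:/*` from the allow list is a welcome tightening.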


@ -12,4 +12,4 @@ kojid_distribution: Rocky
kojid_ca_bundle: /etc/pki/tls/certs/ca-bundle.crt
kojid_keytab: /etc/kojid.keytab
kojid_smtp_host: smtp.rockylinux.org
kojid_allowed_scm: "git.centos.org:/* git.rockylinux.org:/*"
kojid_allowed_scm: "git.rockylinux.org:/staging/rpms/*:off:/var/srpmproc/srpmproc_wrapper git.rockylinux.org:/rocky/*:off:/var/srpmproc/srpmproc_wrapper git.rockylinux.org:/original/rpms/*:off:/var/srpmproc/srpmproc_wrapper"


@ -9,6 +9,12 @@ roles:
- name: cloudalchemy.grafana
- name: geerlingguy.gitlab
- name: geerlingguy.postgresql
- name: geerlingguy.php
- name: geerlingguy.nodejs
- name: geerlingguy.certbot
- name: riemers.gitlab-runner
- name: rockylinux.ipagetcert
src: https://github.com/rocky-linux/ansible-role-ipa-getcert
version: main
@ -30,16 +36,18 @@ roles:
- name: rockylinux.matterbridge
src: https://github.com/NeilHanlon/ansible-role-matterbridge
version: master
- name: rockylinux.pinnwand
src: https://github.com/rocky-linux/ansible-role-pinnwand
version: main
- name: rockylinux.wikijs
src: https://git.rockylinux.org/infrastructure/public/ansible/ansible-role-wikijs.git
scm: git
version: develop
- name: riemers.gitlab-runner
collections:
# freeipa
- name: freeipa.ansible_freeipa
version: 0.3.1
version: 0.3.6
- name: community.general
- name: community.mysql
- name: community.rabbitmq
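Review bot: The new `rockylinux.pinnwand` entry pins `version: main`, and the newly listed Galaxy roles `geerlingguy.php`, `geerlingguy.nodejs` and `geerlingguy.certbot` carry no version at all, so `ansible-galaxy install` pulls whatever those upstreams currently publish. Pinning each to a release tag or commit (e.g. `version: "1.0.0"` — constructed example) makes installs reproducible and keeps an upstream change from landing unreviewed on infrastructure hosts; the same applies to the existing `main`/`master`/`develop` pins in this file. The `freeipa.ansible_freeipa` bump to 0.3.6 is the right pattern to follow.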