From 7871a075a08b96877d9184e395acae8291d0ff2a Mon Sep 17 00:00:00 2001 From: nazunalika Date: Wed, 3 Feb 2021 21:26:46 -0700 Subject: [PATCH 1/6] fix requirements --- ansible/roles/requirements.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ansible/roles/requirements.yml b/ansible/roles/requirements.yml index 1400d44..a217efe 100644 --- a/ansible/roles/requirements.yml +++ b/ansible/roles/requirements.yml @@ -27,6 +27,9 @@ roles: - name: rockylinux.sigul src: https://github.com/rocky-linux/ansible-role-sigul version: main + - name: rockylinux.matterbridge + src: https://github.com/NeilHanlon/ansible-role-matterbridge + version: master collections: # freeipa @@ -39,3 +42,7 @@ collections: - name: ktdreyer.koji_ansible - name: netbox.netbox - name: community.aws + - name: rockylinux.taiga + source: https://github.com/rocky-linux/taiga-ansible.git + type: git + version: master From b96d75fc93e2a6b72dac161225c260dffad7e77c Mon Sep 17 00:00:00 2001 From: nazunalika Date: Wed, 3 Feb 2021 21:34:09 -0700 Subject: [PATCH 2/6] collection broken --- ansible/roles/requirements.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ansible/roles/requirements.yml b/ansible/roles/requirements.yml index a217efe..b7c9fd6 100644 --- a/ansible/roles/requirements.yml +++ b/ansible/roles/requirements.yml @@ -42,7 +42,7 @@ collections: - name: ktdreyer.koji_ansible - name: netbox.netbox - name: community.aws - - name: rockylinux.taiga - source: https://github.com/rocky-linux/taiga-ansible.git - type: git - version: master +# - name: rockylinux.taiga +# source: https://github.com/rocky-linux/taiga-ansible.git +# type: git +# version: master From 77becd2e9b7ffcc687597e9785103ca23b97f0c2 Mon Sep 17 00:00:00 2001 From: nazunalika Date: Thu, 4 Feb 2021 19:50:47 -0700 Subject: [PATCH 3/6] hopefully the firewall rules don't break anything --- ansible/playbooks/role-rocky-ipa-replica.yml | 11 ----------- 1 file changed, 11 deletions(-) 
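Review bot: The new `rockylinux.matterbridge` role is fetched from a personal GitHub account (`NeilHanlon/ansible-role-matterbridge`) at the floating ref `version: master`, so every `ansible-galaxy install` pulls whatever that branch holds at that moment and a force-push or account compromise lands straight on the infrastructure hosts. Pin it to a tag or a full commit SHA (`version: <commit sha>`) and, as the neighbouring entries do, host the role under the `rocky-linux` organisation rather than a user account. The existing `rockylinux.sigul` entry at `main` has the same exposure, though it is outside this change.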
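Review bot: The `rockylinux.taiga` collection entry puts the git URL under `source:`, but for `type: git` ansible-galaxy expects the repository URL in `name:` (`source:` names a Galaxy server for `type: galaxy`), which is presumably why the very next commit comments the block out as broken. The working shape is `- name: https://github.com/rocky-linux/taiga-ansible.git` / `type: git` / `version: master`, and a tag or commit SHA instead of `master` would make the install reproducible for the same reason as the roles above.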
diff --git a/ansible/playbooks/role-rocky-ipa-replica.yml b/ansible/playbooks/role-rocky-ipa-replica.yml index c8c208b..64a3b42 100644 --- a/ansible/playbooks/role-rocky-ipa-replica.yml +++ b/ansible/playbooks/role-rocky-ipa-replica.yml @@ -39,17 +39,6 @@ notify: - reload_networkmanager - - name: Ensure resolv.conf is pointing to main master - template: - src: etc/resolv.conf.j2 - dest: /etc/resolv.conf - owner: root - group: root - mode: '0644' - backup: true - notify: - - reload_networkmanager - roles: - role: freeipa.ansible_freeipa.ipareplica state: present From 4666b3207328a3c3112720fa7399bade3523b6d3 Mon Sep 17 00:00:00 2001 From: nazunalika Date: Mon, 8 Feb 2021 02:38:10 -0700 Subject: [PATCH 4/6] required some stuff --- ansible/roles/requirements.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/requirements.yml b/ansible/roles/requirements.yml index b7c9fd6..712eab1 100644 --- a/ansible/roles/requirements.yml +++ b/ansible/roles/requirements.yml @@ -42,6 +42,7 @@ collections: - name: ktdreyer.koji_ansible - name: netbox.netbox - name: community.aws + - name: containers.podman # - name: rockylinux.taiga # source: https://github.com/rocky-linux/taiga-ansible.git # type: git From 4dcb6d1e54db2b4746e0d6b70f07262cbf32e32f Mon Sep 17 00:00:00 2001 
From: nazunalika Date: Tue, 9 Feb 2021 12:12:22 -0700 Subject: [PATCH 5/6] staging --- .../playbooks/role-rocky-kojid-staging.yml | 90 +++++++++++++ ansible/playbooks/role-rocky-kojid.yml | 4 +- .../playbooks/role-rocky-kojihub-staging.yml | 123 ++++++++++++++++++ ansible/playbooks/role-rocky-kojihub.yml | 4 +- ansible/playbooks/tasks/mantis.yml | 1 + .../vars/{ => production}/koji-common.yml | 0 .../playbooks/vars/{ => production}/kojid.yml | 0 .../vars/{ => production}/kojihub.yml | 0 .../playbooks/vars/staging/koji-common.yml | 13 ++ ansible/playbooks/vars/staging/kojid.yml | 15 +++ ansible/playbooks/vars/staging/kojihub.yml | 119 +++++++++++++++++ 11 files changed, 365 insertions(+), 4 deletions(-) create mode 100644 ansible/playbooks/role-rocky-kojid-staging.yml create mode 100644 ansible/playbooks/role-rocky-kojihub-staging.yml rename ansible/playbooks/vars/{ => production}/koji-common.yml (100%) rename ansible/playbooks/vars/{ => production}/kojid.yml (100%) rename ansible/playbooks/vars/{ => production}/kojihub.yml (100%) create mode 100644 ansible/playbooks/vars/staging/koji-common.yml create mode 100644 ansible/playbooks/vars/staging/kojid.yml create mode 100644 ansible/playbooks/vars/staging/kojihub.yml diff --git a/ansible/playbooks/role-rocky-kojid-staging.yml b/ansible/playbooks/role-rocky-kojid-staging.yml new file mode 100644 index 0000000..a6a29f9 --- /dev/null +++ b/ansible/playbooks/role-rocky-kojid-staging.yml 
@@ -0,0 +1,90 @@ +--- +# Stands up an ipsilon instance for simple SSO +- name: Configure koji hub and web server + hosts: kojihub + become: true + vars_files: + - vars/vaults/encpass.yml + - vars/common.yml + - vars/staging/kojid.yml + - vars/staging/koji-common.yml + + # This is to try to avoid the handler issue in pre/post tasks + handlers: + - import_tasks: handlers/main.yml + + pre_tasks: + - name: Check if ansible cannot be run here + stat: + path: /etc/no-ansible + register: no_ansible + + - name: Verify if we can run ansible + assert: + that: + - "not no_ansible.stat.exists" + success_msg: "We are able to run on this node" + fail_msg: "/etc/no-ansible exists - skipping run on this node" + + - name: Check for keytabs - kojid + stat: + path: /etc/kojid.keytab + register: kojid_keytab_check + changed_when: "1 != 1" + + - name: Verify keytab + assert: + that: + - "kojid_keytab_check.stat.exists" + success_msg: "It is likely we have all keytabs" + fail_msg: "There are no keytabs. Please build the keytabs." 
+ + # EPEL and PowerTools are required for ipsilon to function + # I also couldn't find an ansible built-in to do this + - name: Enable the PowerTools repository + ini_file: + dest: /etc/yum.repos.d/CentOS-Linux-PowerTools.repo + section: powertools + option: enabled + value: 1 + owner: root + group: root + mode: '0644' + + # The CentOS extras repos has epel-release provided + - name: Enable the EPEL repository + yum: + name: epel-release + state: present + tags: + - packages + + - name: Install rocky-tools copr + yum_repository: + name: copr:copr.fedorainfracloud.org:nalika:rockylinux-tool + description: Copr repo for rockylinux-tools owned by nalika + file: copr_repos + baseurl: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/epel-8-$basearch/ + gpgcheck: true + gpgkey: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/pubkey.gpg + enabled: true + + # Right now, we are not sure how or where we'll get our certificates. So we + # are presenting a choice by setting a variable, koji_internal_ca. There is a + # change that we will have to do internal certs for mqtt anyway. + # TODO: We need an MQTT role and pre_tasks for the keytabs for this role + roles: + - role: rockylinux.kojid + state: present + + post_tasks: + - name: "Setup shared filesystem mount" + import_tasks: tasks/koji_efs.yml + + - name: Touching run file that ansible has ran here + file: + path: /var/log/ansible.run + state: touch + mode: '0644' + owner: root + group: root diff --git a/ansible/playbooks/role-rocky-kojid.yml b/ansible/playbooks/role-rocky-kojid.yml index d69ea2f..e365219 100644 --- a/ansible/playbooks/role-rocky-kojid.yml +++ b/ansible/playbooks/role-rocky-kojid.yml @@ -6,8 +6,8 @@ vars_files: - vars/vaults/encpass.yml - vars/common.yml - - vars/kojid.yml - - vars/koji-common.yml + - vars/production/kojid.yml + - vars/production/koji-common.yml # This is to try to avoid the handler issue in pre/post tasks handlers: 
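Review bot: This staging kojid play is addressed to `hosts: kojihub`, so it would install the builder role `rockylinux.kojid` on the hub host(s) rather than on a builder group; together with the play name `Configure koji hub and web server` and the header `# Stands up an ipsilon instance for simple SSO` this looks copied from another playbook. The production `role-rocky-kojid.yml` hosts line is not part of this patch, but this play should target the same builder group it does (presumably a `kojid` group), not `kojihub`. Replace the header with `# Stands up a staging koji builder (kojid)`, the play name with `Configure koji builder (staging)`, and drop the `ipsilon` wording from the repository comment, since nothing in this play installs ipsilon.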
diff --git a/ansible/playbooks/role-rocky-kojihub-staging.yml b/ansible/playbooks/role-rocky-kojihub-staging.yml new file mode 100644 index 0000000..0ac3884 --- /dev/null +++ b/ansible/playbooks/role-rocky-kojihub-staging.yml 
@@ -0,0 +1,123 @@ +--- +# Stands up an ipsilon instance for simple SSO +- name: Configure koji hub and web server + hosts: kojihub + become: true + vars_files: + - vars/vaults/encpass.yml + - vars/common.yml + - vars/staging/kojihub.yml + - vars/staging/koji-common.yml + + # This is to try to avoid the handler issue in pre/post tasks + handlers: + - import_tasks: handlers/main.yml + + pre_tasks: + - name: Check if ansible cannot be run here + stat: + path: /etc/no-ansible + register: no_ansible + + - name: Verify if we can run ansible + assert: + that: + - "not no_ansible.stat.exists" + success_msg: "We are able to run on this node" + fail_msg: "/etc/no-ansible exists - skipping run on this node" + + - name: Check for keytabs - web + stat: + path: /etc/keytabs/koji-web.keytab + register: koji_keytab + changed_when: "1 != 1" + + - name: Check for keytabs - kojira + stat: + path: /etc/keytabs/kojira.keytab + register: kojira_keytab + changed_when: "1 != 1" + + - name: Check for keytabs - gc + stat: + path: /etc/keytabs/koji-gc.keytab + register: gc_keytab + changed_when: "1 != 1" + + - name: Check for keytabs - host + stat: + path: /etc/keytabs/host.keytab + register: host_keytab + changed_when: "1 != 1" + + - name: Verify keytab + assert: + that: + - "koji_keytab.stat.exists" + - "kojira_keytab.stat.exists" + - "gc_keytab.stat.exists" + - "host_keytab.stat.exists" + success_msg: "It is likely we have all keytabs" + fail_msg: "There are no keytabs. Please build the keytabs." 
+ + # EPEL and PowerTools are required for ipsilon to function + # I also couldn't find an ansible built-in to do this + - name: Enable the PowerTools repository + ini_file: + dest: /etc/yum.repos.d/CentOS-Linux-PowerTools.repo + section: powertools + option: enabled + value: 1 + owner: root + group: root + mode: '0644' + + # The CentOS extras repos has epel-release provided + - name: Enable the EPEL repository + yum: + name: epel-release + state: present + tags: + - packages + + - name: Install rocky-tools copr + yum_repository: + name: copr:copr.fedorainfracloud.org:nalika:rockylinux-tool + description: Copr repo for rockylinux-tools owned by nalika + file: copr_repos + baseurl: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/epel-8-$basearch/ + gpgcheck: true + gpgkey: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/pubkey.gpg + enabled: true + + # Right now, we are not sure how or where we'll get our certificates. So we + # are presenting a choice by setting a variable, koji_internal_ca. There is a + # change that we will have to do internal certs for mqtt anyway. + # TODO: We need an MQTT role and pre_tasks for the keytabs for this role + roles: + - role: geerlingguy.certbot + state: present + when: not koji_internal_ca + + - role: rockylinux.ipagetcert + state: present + when: koji_internal_ca + + - role: geerlingguy.postgresql + state: present + when: koji_postgresql_vm + + - role: rockylinux.kojihub + state: present + + post_tasks: + - name: "Setup shared filesystem mount" + import_tasks: tasks/koji_efs.yml + + - name: Touching run file that ansible has ran here + file: + path: /var/log/ansible.run + state: touch + mode: '0644' + owner: root + group: root diff --git a/ansible/playbooks/role-rocky-kojihub.yml b/ansible/playbooks/role-rocky-kojihub.yml index dd3d8a3..d28afe6 100644 --- a/ansible/playbooks/role-rocky-kojihub.yml +++ b/ansible/playbooks/role-rocky-kojihub.yml 
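Review bot: The header comment `# Stands up an ipsilon instance for simple SSO` and the note `# EPEL and PowerTools are required for ipsilon to function` describe a different play; this one checks hub keytabs, obtains certificates, optionally installs PostgreSQL and applies `rockylinux.kojihub`, so a reader asking why PowerTools is enabled gets the wrong answer. Suggest `# Stands up a staging koji hub and web frontend, with optional local PostgreSQL` at the top and `# EPEL and PowerTools are enabled for the hub's dependencies (TODO: confirm which packages need them)` on the repo task. The `changed_when: "1 != 1"` on the four `stat` tasks is an obscure way of writing `changed_when: false` (and `stat` never reports a change anyway).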
@@ -6,8 +6,8 @@ vars_files: - vars/vaults/encpass.yml - vars/common.yml - - vars/kojihub.yml - - vars/koji-common.yml + - vars/production/kojihub.yml + - vars/production/koji-common.yml # This is to try to avoid the handler issue in pre/post tasks handlers: diff --git a/ansible/playbooks/tasks/mantis.yml b/ansible/playbooks/tasks/mantis.yml index 845e17d..4aaa4cf 100644 --- a/ansible/playbooks/tasks/mantis.yml +++ b/ansible/playbooks/tasks/mantis.yml @@ -29,6 +29,7 @@ dest: "/var/www" owner: apache group: apache + mode: '0644' remote_src: true - name: Configure mantis diff --git a/ansible/playbooks/vars/koji-common.yml b/ansible/playbooks/vars/production/koji-common.yml similarity index 100% rename from ansible/playbooks/vars/koji-common.yml rename to ansible/playbooks/vars/production/koji-common.yml diff --git a/ansible/playbooks/vars/kojid.yml b/ansible/playbooks/vars/production/kojid.yml similarity index 100% rename from ansible/playbooks/vars/kojid.yml rename to ansible/playbooks/vars/production/kojid.yml diff --git a/ansible/playbooks/vars/kojihub.yml b/ansible/playbooks/vars/production/kojihub.yml similarity index 100% rename from ansible/playbooks/vars/kojihub.yml rename to ansible/playbooks/vars/production/kojihub.yml diff --git a/ansible/playbooks/vars/staging/koji-common.yml b/ansible/playbooks/vars/staging/koji-common.yml new file mode 100644 index 0000000..a08c2df --- /dev/null +++ b/ansible/playbooks/vars/staging/koji-common.yml @@ -0,0 +1,13 @@ +--- +# Koji common +koji_efs_mount_path: /mnt/koji +koji_efs_fsid: whatever.amazonaws.com +koji_efs_fs_ip_map: + us-east-2a: 10.x.x.x + us-east-2b: 10.x.x.x + us-east-2c: 10.x.x.x +koji_efs_fs_type: efs +koji_efs_fs_opts: + - _netdev + - tls + - iam diff --git a/ansible/playbooks/vars/staging/kojid.yml b/ansible/playbooks/vars/staging/kojid.yml new file mode 100644 index 0000000..bb524f8 --- /dev/null +++ b/ansible/playbooks/vars/staging/kojid.yml 
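Review bot: The added `mode: '0644'` is applied to `dest: "/var/www"` with `remote_src: true`, and if this task unpacks or copies a directory tree (the module line is above the hunk, so I cannot tell) the numeric mode is also set on the directories, stripping their execute bit so apache can no longer traverse them. Use a symbolic mode that keeps execute only where it already exists, `mode: 'u=rwX,g=rX,o=rX'`, or leave `mode` unset here and normalise permissions afterwards with a `file` task using `recurse: true`. If the module copies a single file this is harmless and only worth a comment saying so.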
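Review bot: `vars/staging/koji-common.yml` commits placeholder values — `koji_efs_fsid: whatever.amazonaws.com` and three `10.x.x.x` entries in `koji_efs_fs_ip_map` — and the staging plays import `tasks/koji_efs.yml` (not in this patch) in `post_tasks`, which presumably templates them into a live mount, so a run against staging writes an entry that can neither resolve nor mount. If the real values are not yet known, guard the mount with an `assert` in `pre_tasks` that `koji_efs_fsid` and every address in the map match the expected format, so the play fails loudly instead of leaving a broken fstab behind; if they are considered sensitive, keep them in `vars/vaults/encpass.yml` alongside the other secrets. The `tls` and `iam` mount options are the right call and worth keeping when the values are filled in.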
@@ -0,0 +1,15 @@ +--- +# vars for kojid + +kojid_vendor: Rocky +kojid_packager: infrastructure@rockylinux.org +kojid_distribution: Rocky +# These three should probably be specified by special vars +# kojid_web_url: https://kojistg.rockylinux.org/koji +# kojid_hub_url: https://kojistg.rockylinux.org/kojihub +# kojid_files_url: https://kojistg.rockylinux.org/kojifiles + +kojid_ca_bundle: /etc/pki/tls/certs/ca-bundle.crt +kojid_keytab: /etc/kojid.keytab +kojid_smtp_host: smtp.rockylinux.org +kojid_allowed_scm: "git.centos.org:/* git.rockylinux.org:/*" diff --git a/ansible/playbooks/vars/staging/kojihub.yml b/ansible/playbooks/vars/staging/kojihub.yml new file mode 100644 index 0000000..7d6cf0b --- /dev/null +++ b/ansible/playbooks/vars/staging/kojihub.yml 
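Review bot: `kojid_allowed_scm: "git.centos.org:/* git.rockylinux.org:/*"` allows every repository path on both hosts as a build source, so anything a user can push to those servers (forks or personal namespaces, if the hosts permit them) becomes buildable on the staging builders. koji's allowed_scms entries are `host:path-glob[:use_common[:source_cmd]]`, so narrow the glob to the namespaces that actually hold dist-git sources, e.g. `"git.centos.org:/rpms/* git.rockylinux.org:/rpms/*"` — adjust to the real namespace layout on each host. A one-line comment above the variable stating why the paths are restricted would stop a later maintainer from widening it back to `/*`.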
@@ -0,0 +1,119 @@ +--- +# koji hub settings +# This should be the front-facing URL of koji +#koji_url_name: kojistg.rockylinux.org + +# Use an internal CA (IPA) +koji_internal_ca: true + +# Use postgresql on this machine rather than managed service +koji_postgresql_vm: true + +# Database settings +koji_db_name: koji +koji_db_user: koji +# This will need to change when koji_postgresql_vm is false +koji_db_host: "{{ ansible_fqdn }}" + +koji_web_url: "https://{{ koji_url_name }}/koji" +koji_hub_url: "https://{{ koji_url_name }}/kojihub" +koji_files_url: "https://{{ koji_url_name }}/kojifiles" + +# The IPA internal CA is combined with the others +# Change before deployment or store in vault +koji_hub_secret: cK5XCuzMSXJfgA7yFvXkGwFu +koji_web_cacert: /etc/pki/tls/certs/ca-bundle.crt +koji_web_tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt" +koji_web_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key" + +# Kojira +koji_kojira: true +koji_kojira_user: kojira +koji_kojira_user_kerb: kojira/kojistg.rockylinux.org +koji_kojira_principal: kojira/kojistg.rockylinux.org@ROCKYLINUX.ORG +koji_kojira_keytab: /etc/keytabs/kojira.keytab + +# MBS +koji_mbs: true +koji_mbs_user: mbs +koji_mbs_user_kerb: mbs/mbs.rockylinux.org +koji_mbs_principal: mbs/mbs.rockylinux.org@ROCKYLINUX.ORG +koji_mbs_keytab: /etc/keytabs/mbs.keytab + +# GC +koji_gc_keytab: /etc/keytabs/koji-gc.keytab +koji_gc_principal: koji-gc/kojistg.rockylinux.org@ROCKYLINUX.ORG + +# Sigul +koji_sigul: true +koji_sigul_user: sigul +koji_sigul_user_kerb: sigul/sigul.rockylinux.org +koji_sigul_principal: sigul/sigul.rockylinux.org@ROCKYLINUX.ORG + +# NFS? We need a place. 
+koji_nfs: false +koji_mount: /mnt/koji +koji_nfs_path: nfs.rockylinux.org:/export/koji + +# Koji Admin Settings +koji_admin_client: true +koji_admin_user: rockykoji +koji_admin_principal: rockykoji@ROCKYLINUX.ORG +koji_admin_localuser: true +koji_admin_localuser_name: koji + +# Hub Settings +koji_hub_principal: "host/kojihub@ROCKYLINUX.ORG" +koji_hub_proxy_principals: "HTTP/{{ inventory_hostname }}@ROCKYLINUX.ORG" +koji_hub_keytab: /etc/keytabs/host.keytab +koji_hub_principal_format: compile/%s@ROCKYLINUX.ORG +# This should be sufficient even for LE +koji_hub_ca: "{{ koji_web_cacert }}" + +# Koji FAS Syncing +# This isn't implemented yet in the role +koji_fas_sync: false +koji_fas_url: https://accounts.rockylinux.org + +# IPA Certs if Required +ipa_getcert_requested_hostnames: + - name: "{{ ansible_fqdn }}" + owner: apache + key_location: "{{ koji_web_tls_key }}" + cert_location: "{{ koji_web_tls_cert }}" + postcmd: "/bin/systemctl reload httpd" + +# postgresql vars +postgresql_restarted_state: "restarted" +postgresql_python_library: python3-psycopg2 +postgresql_user: postgres +postgresql_group: postgres +postgresql_hba_entries: + - type: local + database: koji + user: koji + auth_method: trust + - type: local + database: all + user: postgres + auth_method: peer + - type: host + database: koji + user: koji + address: '10.100.1.0/24' + auth_method: md5 + +postgresql_databases: + - name: "{{ koji_db_name }}" + owner: "{{ koji_db_user }}" + +postgresql_users: + - name: "{{ koji_db_user }}" + password: "{{ koji_db_pass }}" + role_attr_flags: "NOCREATEDB,NOSUPERUSER,NOCREATEROLE" + db: "{{ koji_db_name }}" + state: present + +postgresql_global_config_options: + - option: listen_addresses + value: '*' From 3458aef0d950c998e702928189f315f630c04cbf Mon Sep 17 00:00:00 2001 
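Review bot: `koji_hub_secret: cK5XCuzMSXJfgA7yFvXkGwFu` is a credential committed in clear text, and the adjacent comment `# Change before deployment or store in vault` does not undo that — once it is in git history it must be treated as compromised and rotated, whatever ends up deployed. The play already loads `vars/vaults/encpass.yml`, so reference a vaulted value instead, e.g. `koji_hub_secret: "{{ vault_koji_hub_secret }}"`. Separately, `postgresql_hba_entries` grants `auth_method: trust` to `local` connections as user `koji`, which lets any local account (apache, kojid, or anyone with a shell) open the koji database with no password even though `koji_db_pass` is configured; use `auth_method: md5` (or `scram-sha-256` where the server supports it) for that entry. With `listen_addresses: '*'` the host firewall should also limit port 5432 to the `10.100.1.0/24` range the `host` entry already expects.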
From: nazunalika Date: Mon, 15 Feb 2021 22:32:07 -0700 Subject: [PATCH 6/6] init koji hub --- .../playbooks/init-rocky-koji-ecosystem.yml | 34 ++++++++++ ansible/playbooks/tasks/init-koji.yml | 62 +++++++++++++++++++ 2 files changed, 96 insertions(+) create mode 100644 ansible/playbooks/init-rocky-koji-ecosystem.yml create mode 100644 ansible/playbooks/tasks/init-koji.yml diff --git a/ansible/playbooks/init-rocky-koji-ecosystem.yml b/ansible/playbooks/init-rocky-koji-ecosystem.yml new file mode 100644 index 0000000..f2f7a37 --- /dev/null +++ b/ansible/playbooks/init-rocky-koji-ecosystem.yml @@ -0,0 +1,34 @@ +--- +# Configures the koji ecosystem +- name: Configure Koji + hosts: "kojihub" + become: true + + handlers: + - import_tasks: handlers/main.yml + + pre_tasks: + - name: Check if ansible cannot be run here + stat: + path: /etc/no-ansible + register: no_ansible + + - name: Verify if we can run ansible + assert: + that: + - "not no_ansible.stat.exists" + success_msg: "We are not able to run on this node" + fail_msg: "/etc/no-ansible exists - skipping run on this node" + + tasks: + - name: Build out relevant accounts and components + import_tasks: tasks/init-koji.yml + + post_tasks: + - name: Touching run file that ansible has ran here + file: + path: /var/log/ansible.run + state: touch + mode: '0644' + owner: root + group: root diff --git a/ansible/playbooks/tasks/init-koji.yml b/ansible/playbooks/tasks/init-koji.yml new file mode 100644 index 0000000..a040b60 --- /dev/null +++ b/ansible/playbooks/tasks/init-koji.yml 
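Review bot: The `success_msg` on the `Verify if we can run ansible` assert reads `"We are not able to run on this node"`, which says the opposite of what a passing assert means and differs from every sibling playbook; change it to `success_msg: "We are able to run on this node"`. This play also declares no `vars_files`, yet the imported `tasks/init-koji.yml` reads `rockykoji_password` and `rockykoji_has_password`, so unless both are set in inventory or group_vars the first task fails on an undefined variable. The other plays load `vars/vaults/encpass.yml`, which is presumably where the admin password belongs, so add `vars_files: [vars/vaults/encpass.yml]` here as well.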
@@ -0,0 +1,62 @@ +--- +# Init koji +- name: kinit as koji admin using password + shell: "set -o pipefail && echo \"{{ rockykoji_password }}\" | kinit rockykoji@ROCKYLINUX.ORG" + check_mode: false + changed_when: "1 != 1" + become: yes + become_user: koji + when: rockykoji_has_password | bool + +- name: kinit as koji admin using keytab + shell: "set -o pipefail && kinit -kt /home/koji/.koji/keytab koji/rockykoji@ROCKYLINUX.ORG" + check_mode: false + changed_when: "1 != 1" + become: yes + become_user: koji + when: not rockykoji_has_password | bool + +- name: Import current necessary tags + shell: "set -o pipefail && koji add-tag {{ item }}" + changed_when: "1 != 1" + become: yes + become_user: koji + loop: + - build-modules + - dist-rocky8 + - dist-rocky8-build + - dist-rocky8-compose + - dist-rocky8-extras + - dist-rocky8-gcc-toolset-9-build + - dist-rocky8-modular-buildrequires + - dist-rocky8-module-compose + - dist-rocky8-plus + - dist-rocky8-rust-bootstrap + - dist-rocky8-rust-bootstrap-build + - dist-rocky8-updates + - dist-rocky8-updates-build + - dist-rocky8_0-updates-build + - dist-rocky8_1-gcc-toolset-9-build + - dist-rocky8_1-updates-build + - dist-rocky8_2-updates-build + - dist-rocky8_3-updates-build + - dist-rocky8_4-updates-build + - dist-rocky9 + - el8 + - el8_0 + - el8_1 + - el8_2 + - el8_3 + - el8_4 + - el8_infra + - el9 + - el9_infra + - eln + - modular-updates-candidate + - module-rocky-8.0.0-build + - module-rocky-8.1.0-build + - module-rocky-8.2.0-build + - module-rocky-8.3.0-build + - module-rocky-8.4.0-build + - trash + - trashcan
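Review bot: The first task pipes `{{ rockykoji_password }}` through `echo` inside a `shell:` command, which puts the clear-text password in the argv of the `/bin/sh -c` process (readable by any local user via `ps` or `/proc/*/cmdline` while it runs) and, since the task has no `no_log: true`, into Ansible's task output and any log shipping. Feed it on stdin through the `command` module and mark the task `no_log`, as below. The `koji add-tag` loop is also not re-runnable: koji's `add-tag` errors when the tag already exists, so a second run of this playbook fails on `build-modules` unless the error is tolerated with a `failed_when` (check the exact message against the hub first) or the list is filtered against `koji list-tags`. `become: yes` should be `become: true` to match the project's other playbooks.
```yaml
- name: kinit as koji admin using password
  command: kinit rockykoji@ROCKYLINUX.ORG
  args:
    stdin: "{{ rockykoji_password }}"
  no_log: true
  check_mode: false
  changed_when: false
  become: true
  become_user: koji
  when: rockykoji_has_password | bool

# … unchanged: keytab kinit task, add-tag loop …
```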