From 1747f1f76e4f4a56c7d3dd2eed36668d33a41a66 Mon Sep 17 00:00:00 2001 From: nazunalika Date: Sun, 17 Jan 2021 23:34:42 -0700 Subject: [PATCH 1/3] noggin theme --- ansible/playbooks/handlers/main.yml | 5 +++ ansible/playbooks/init-rocky-noggin-theme.yml | 40 +++++++++++++++++++ ...itlab-ee.yml => rocky-rocky-gitlab-ee.yml} | 0 3 files changed, 45 insertions(+) create mode 100644 ansible/playbooks/init-rocky-noggin-theme.yml rename ansible/playbooks/{role-gitlab-ee.yml => rocky-rocky-gitlab-ee.yml} (100%) diff --git a/ansible/playbooks/handlers/main.yml b/ansible/playbooks/handlers/main.yml index a9f7821..ba255cb 100644 --- a/ansible/playbooks/handlers/main.yml +++ b/ansible/playbooks/handlers/main.yml @@ -32,3 +32,8 @@ command: gitlab-ctl reconfigure register: gitlab_restart failed_when: gitlab_restart_handler_failed_when | bool + +- name: restart_noggin + service: + name: noggin + state: restarted diff --git a/ansible/playbooks/init-rocky-noggin-theme.yml b/ansible/playbooks/init-rocky-noggin-theme.yml new file mode 100644 index 0000000..2ae8d34 --- /dev/null +++ b/ansible/playbooks/init-rocky-noggin-theme.yml 
@@ -0,0 +1,40 @@ +--- +# (Re)deploys the noggin theme +- name: Deploy Noggin Theme + hosts: "idp" + become: true + + handers: + - import_tasks: handlers/main.yml + + pre_tasks: + - name: Check if ansible cannot be run here + stat: + path: /etc/no-ansible + register: no_ansible + + - name: Verify if we can run ansible + assert: + that: + - "not no_ansible.stat.exists" + success_msg: "We are not able to run on this node" + fail_msg: "/etc/no-ansible exists - skipping run on this node" + + tasks: + - name: Deploy Rocky Noggin Theme + git: + repo: https://github.com/rocky-linux/noggin-theme.git + dest: /opt/noggin/noggin/noggin/themes/rocky + update: true + version: main + become_user: noggin + notify: restart_noggin + + post_tasks: + - name: Touching run file that ansible has ran here + file: + path: /var/log/ansible.run + state: touch + mode: '0644' + owner: root + group: root diff --git a/ansible/playbooks/role-gitlab-ee.yml b/ansible/playbooks/rocky-rocky-gitlab-ee.yml similarity index 100% rename from ansible/playbooks/role-gitlab-ee.yml rename to ansible/playbooks/rocky-rocky-gitlab-ee.yml From 87bd02945a663efa3b7ca9262ee3023fd4e057e4 Mon Sep 17 00:00:00 2001 
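Review bot: `handers:` is a typo for `handlers:`; Ansible rejects unknown play keywords, so this play fails to load, and even if it loaded, `notify: restart_noggin` would have no handler to reach — change it to `handlers:`. The assert's `success_msg: "We are not able to run on this node"` states the opposite of what success means here; the sibling playbooks in this series use `success_msg: "We are able to run on this node"`. The git task tracks `version: main` of a public repository straight into the live noggin tree, so each run deploys whatever that branch currently holds; pinning `version:` to a tag or commit would make the deployed theme reproducible, with moves to a newer revision landing as a reviewed change in this file.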
From: nazunalika Date: Tue, 19 Jan 2021 22:05:28 -0700 Subject: [PATCH 2/3] sigul and koji --- ansible/inventories/production/hosts.ini | 10 +++ ansible/playbooks/adhoc-ipagetcert.yml | 3 + ansible/playbooks/role-rocky-kojid.yml | 1 + ansible/playbooks/role-rocky-kojihub.yml | 1 + ansible/playbooks/role-rocky-sigul-bridge.yml | 85 +++++++++++++++++++ ansible/playbooks/role-rocky-sigul-server.yml | 72 ++++++++++++++++ ansible/playbooks/vars/common.yml | 1 + ansible/playbooks/vars/kojihub.yml | 26 ++++++ ansible/playbooks/vars/sigul_bridge.yml | 15 ++++ ansible/playbooks/vars/sigul_server.yml | 13 +++ ansible/roles/requirements.yml | 3 + 11 files changed, 230 insertions(+) create mode 100644 ansible/playbooks/role-rocky-sigul-bridge.yml create mode 100644 ansible/playbooks/role-rocky-sigul-server.yml create mode 100644 ansible/playbooks/vars/sigul_bridge.yml create mode 100644 ansible/playbooks/vars/sigul_server.yml diff --git a/ansible/inventories/production/hosts.ini b/ansible/inventories/production/hosts.ini index 44184b8..9fde623 100644 --- a/ansible/inventories/production/hosts.ini +++ b/ansible/inventories/production/hosts.ini @@ -67,3 +67,13 @@ mqtt.boxbuild.rockylinux.org ansible_host=10.100.1.213 rabbitmq01.rockylinux.org ansible_host=10.100.1.214 rabbitmq02.rockylinux.org ansible_host=10.100.1.215 rabbitmq03.rockylinux.org ansible_host=10.100.1.216 + +[sigul:children] +sigulbridge +sigulserver + +[sigulbridge] +sigul-bridge.rockylinux.org ansible_host=10.100.1.217 + +[sigulserver] +sigul-server.rockylinux.org ansible_host=10.100.1.218 diff --git a/ansible/playbooks/adhoc-ipagetcert.yml b/ansible/playbooks/adhoc-ipagetcert.yml index 075b3d0..af4f63d 100644 --- a/ansible/playbooks/adhoc-ipagetcert.yml +++ b/ansible/playbooks/adhoc-ipagetcert.yml 
@@ -20,9 +20,12 @@ owner: "{{ getcert_owner|default(omit) }}" key_location: "{{ getcert_key|default(omit) }}" cert_location: "{{ getcert_cert|default(omit) }}" + nss_db_dir: "{{ getcert_nss_db_dir|default(omit) }}" + nss_nickname: "{{ getcert_nss_nickname|default(ansible_fqdn) }}" postcmd: "{{ getcert_postcmd|default(omit) }}" ipa_getcert_chain: "{{ getcert_chain|default(omit) }}" ipa_getcert_chain_location: "{{ getcert_chain_location|default(omit) }}" + ipa_getcert_nss: "{{ getcert_nss|default(false) }}" roles: - role: rockylinux.ipagetcert diff --git a/ansible/playbooks/role-rocky-kojid.yml b/ansible/playbooks/role-rocky-kojid.yml index 75bd9ef..fc03071 100644 --- a/ansible/playbooks/role-rocky-kojid.yml +++ b/ansible/playbooks/role-rocky-kojid.yml @@ -5,6 +5,7 @@ become: true vars_files: - vars/vaults/encpass.yml + - vars/common.yml - vars/kojid.yml # This is to try to avoid the handler issue in pre/post tasks diff --git a/ansible/playbooks/role-rocky-kojihub.yml b/ansible/playbooks/role-rocky-kojihub.yml index 81ddd7e..e1c0b88 100644 --- a/ansible/playbooks/role-rocky-kojihub.yml +++ b/ansible/playbooks/role-rocky-kojihub.yml @@ -5,6 +5,7 @@ become: true vars_files: - vars/vaults/encpass.yml + - vars/common.yml - vars/kojihub.yml # This is to try to avoid the handler issue in pre/post tasks diff --git a/ansible/playbooks/role-rocky-sigul-bridge.yml b/ansible/playbooks/role-rocky-sigul-bridge.yml new file mode 100644 index 0000000..79ffbd4 --- /dev/null +++ b/ansible/playbooks/role-rocky-sigul-bridge.yml 
@@ -0,0 +1,85 @@ +--- +# Stands up an ipsilon instance for simple SSO +- name: Configure Sigul Bridge + hosts: sigulbridge + become: true + vars_files: + - vars/vaults/encpass.yml + - vars/common.yml + - vars/sigul_bridge.yml + + # This is to try to avoid the handler issue in pre/post tasks + handlers: + - import_tasks: handlers/main.yml + + pre_tasks: + - name: Check if ansible cannot be run here + stat: + path: /etc/no-ansible + register: no_ansible + + - name: Verify if we can run ansible + assert: + that: + - "not no_ansible.stat.exists" + success_msg: "We are able to run on this node" + fail_msg: "/etc/no-ansible exists - skipping run on this node" + + - name: Check for keytabs - sigul + stat: + path: /etc/sigul.keytab + register: sigul_keytab + changed_when: "1 != 1" + + - name: Verify keytab + assert: + that: + - "sigul_keytab.stat.exists" + success_msg: "It is likely we have all keytabs" + fail_msg: "There are no keytabs. Please build the keytabs." + + # EPEL and PowerTools are required for ipsilon to function + # I also couldn't find an ansible built-in to do this + - name: Enable the PowerTools repository + ini_file: + dest: /etc/yum.repos.d/CentOS-Linux-PowerTools.repo + section: powertools + option: enabled + value: 1 + owner: root + group: root + mode: '0644' + + # The CentOS extras repos has epel-release provided + - name: Enable the EPEL repository + yum: + name: epel-release + state: present + tags: + - packages + + - name: Install rocky-tools copr + yum_repository: + name: copr:copr.fedorainfracloud.org:nalika:rockylinux-tool + description: Copr repo for rockylinux-tools owned by nalika + file: copr_repos + baseurl: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/epel-8-$basearch/ + gpgcheck: true + gpgkey: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/pubkey.gpg + enabled: true + + roles: + - role: rockylinux.sigul + state: present + + - role: rockylinux.ipagetcert + state: present + + 
post_tasks: + - name: Touching run file that ansible has ran here + file: + path: /var/log/ansible.run + state: touch + mode: '0644' + owner: root + group: root diff --git a/ansible/playbooks/role-rocky-sigul-server.yml b/ansible/playbooks/role-rocky-sigul-server.yml new file mode 100644 index 0000000..8a759dd --- /dev/null +++ b/ansible/playbooks/role-rocky-sigul-server.yml 
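Review bot: The header comment `# Stands up an ipsilon instance for simple SSO` and the later `# EPEL and PowerTools are required for ipsilon to function` were carried over from another playbook and do not describe this play; the same two comments appear in the role-rocky-sigul-server.yml hunk. A header such as `# Configures the sigul bridge: keytab check, repositories, rockylinux.sigul role` and a repo comment naming what sigul actually needs from PowerTools/EPEL would fix both files. `changed_when: "1 != 1"` on the keytab stat is clearer as `changed_when: false`. The Copr repository id `copr:copr.fedorainfracloud.org:nalika:rockylinux-tool` differs from the `rockylinux-tools` used in its description and baseurl, which looks like a dropped letter in the id. Both signing hosts now install from a personal Copr; `gpgcheck: true` with the Copr key is the right control, but a short comment on which package that repository supplies would make the added trust dependency on a signing host reviewable.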
@@ -0,0 +1,72 @@ +--- +# Stands up an ipsilon instance for simple SSO +- name: Configure Sigul Server + hosts: sigulserver + become: true + vars_files: + - vars/vaults/encpass.yml + - vars/common.yml + - vars/sigul_server.yml + + # This is to try to avoid the handler issue in pre/post tasks + handlers: + - import_tasks: handlers/main.yml + + pre_tasks: + - name: Check if ansible cannot be run here + stat: + path: /etc/no-ansible + register: no_ansible + + - name: Verify if we can run ansible + assert: + that: + - "not no_ansible.stat.exists" + success_msg: "We are able to run on this node" + fail_msg: "/etc/no-ansible exists - skipping run on this node" + + # EPEL and PowerTools are required for ipsilon to function + # I also couldn't find an ansible built-in to do this + - name: Enable the PowerTools repository + ini_file: + dest: /etc/yum.repos.d/CentOS-Linux-PowerTools.repo + section: powertools + option: enabled + value: 1 + owner: root + group: root + mode: '0644' + + # The CentOS extras repos has epel-release provided + - name: Enable the EPEL repository + yum: + name: epel-release + state: present + tags: + - packages + + - name: Install rocky-tools copr + yum_repository: + name: copr:copr.fedorainfracloud.org:nalika:rockylinux-tool + description: Copr repo for rockylinux-tools owned by nalika + file: copr_repos + baseurl: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/epel-8-$basearch/ + gpgcheck: true + gpgkey: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/pubkey.gpg + enabled: true + + roles: + - role: rockylinux.sigul + state: present + + - role: rockylinux.ipagetcert + state: present + + post_tasks: + - name: Touching run file that ansible has ran here + file: + path: /var/log/ansible.run + state: touch + mode: '0644' + owner: root + group: root diff --git a/ansible/playbooks/vars/common.yml b/ansible/playbooks/vars/common.yml index f51631c..dc01ede 100644 --- a/ansible/playbooks/vars/common.yml 
+++ b/ansible/playbooks/vars/common.yml @@ -1,4 +1,5 @@ --- +rocky_ipa_realm: "ROCKYLINUX.ORG" rocky_ldap_bind_dn: "uid=binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org" rocky_ldap_user_basedn: "cn=users,cn=accounts,dc=rockylinux,dc=org" rocky_ldap_group_basedn: "cn=groups,cn=accounts,dc=rockylinux,dc=org" diff --git a/ansible/playbooks/vars/kojihub.yml b/ansible/playbooks/vars/kojihub.yml index b835192..28f4677 100644 --- a/ansible/playbooks/vars/kojihub.yml +++ b/ansible/playbooks/vars/kojihub.yml @@ -20,10 +20,36 @@ koji_hub_url: "https://{{ koji_url_name }}/kojihub" koji_files_url: "https://{{ koji_url_name }}/kojifiles" # The IPA internal CA is combined with the others +# Change before deployment or store in vault +koji_hub_secret: cK5XCuzMSXJfgA7yFvXkGwFu koji_web_cacert: /etc/pki/tls/certs/ca-bundle.crt koji_web_tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt" koji_web_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key" +# Kojira +koji_kojira: true +koji_kojira_user: kojira +koji_kojira_user_kerb: kojira/koji.rockylinux.org +koji_kojira_principal: kojira/koji.rockylinux.org@ROCKYLINUX.ORG +koji_kojira_keytab: /etc/keytabs/kojira.keytab + +# MBS +koji_mbs: true +koji_mbs_user: mbs +koji_mbs_user_kerb: mbs/mbs.rockylinux.org +koji_mbs_principal: mbs/mbs.rockylinux.org@ROCKYLINUX.ORG +koji_mbs_keytab: /etc/keytabs/mbs.keytab + +# GC +koji_gc_keytab: /etc/keytabs/koji-gc.keytab +koji_gc_principal: koji-gc/koji.rockylinux.org@ROCKYLINUX.ORG + +# Sigul +koji_sigul: true +koji_sigul_user: sigul +koji_sigul_user_kerb: sigul/sigul.rockylinux.org +koji_sigul_principal: sigul/sigul.rockylinux.org@ROCKYLINUX.ORG + # NFS? We need a place. koji_nfs: false koji_mount: /mnt/koji diff --git a/ansible/playbooks/vars/sigul_bridge.yml b/ansible/playbooks/vars/sigul_bridge.yml new file mode 100644 index 0000000..1a17cc0 --- /dev/null +++ b/ansible/playbooks/vars/sigul_bridge.yml 
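Review bot: `koji_hub_secret: cK5XCuzMSXJfgA7yFvXkGwFu` commits a credential-shaped value in plaintext; even if it is replaced before deployment as the comment asks, it stays in git history, and a manual "change before deployment" step is easy to miss. role-rocky-kojihub.yml already loads vars/vaults/encpass.yml, so the value can live there and be referenced from this file, e.g. `koji_hub_secret: "{{ vault_koji_hub_secret }}"` (placeholder variable name). If the committed value was ever used on a hub, it should be treated as exposed and rotated.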
@@ -0,0 +1,15 @@ +--- +# Sigul Bridge Variables +sigul_type: bridge +sigul_ipa_realm: "ROCKYLINUX.ORG" +sigul_bridge_cert_nickname: "sigul-bridge" +sigul_principal: "sigul/{{ inventory_hostname }}@{{ sigul_ipa_realm }}" +sigul_keytab: /etc/sigul.keytab +sigul_nss_dir: /etc/pki/tls/sigul + +# ipa-getcert variables +getcert_name: "{{ ansible_fqdn }}" +getcert_owner: sigul +getcert_nss_db_dir: "{{ sigul_nss_dir }}" +getcert_nss_nickname: "{{ sigul_bridge_cert_nickname }}" +getcert_nss: true diff --git a/ansible/playbooks/vars/sigul_server.yml b/ansible/playbooks/vars/sigul_server.yml new file mode 100644 index 0000000..5ecd243 --- /dev/null +++ b/ansible/playbooks/vars/sigul_server.yml @@ -0,0 +1,13 @@ +--- +# Sigul Server Variables +sigul_type: server +sigul_server_cert_nickname: "sigul-server" +sigul_nss_dir: /etc/pki/tls/sigul +sigul_bridge_name: "sigul-bridge.rockylinux.org" + +# ipa-getcert variables +getcert_name: "{{ ansible_fqdn }}" +getcert_owner: sigul +getcert_nss_db_dir: "{{ sigul_nss_dir }}" +getcert_nss_nickname: "{{ sigul_bridge_cert_nickname }}" +getcert_nss: true diff --git a/ansible/roles/requirements.yml b/ansible/roles/requirements.yml index 9471285..46b4cdf 100644 --- a/ansible/roles/requirements.yml +++ b/ansible/roles/requirements.yml @@ -24,6 +24,9 @@ roles: - name: rockylinux.rabbitmq src: https://github.com/rocky-linux/ansible-role-rabbitmq version: main + - name: rockylinux.sigul + src: https://github.com/rocky-linux/ansible-role-sigul + version: main collections: # freeipa From ccebf54810ec085ceff1f0d17eff28dd4c565512 Mon Sep 17 00:00:00 2001 From: nazunalika Date: Tue, 19 Jan 2021 22:17:01 -0700 Subject: [PATCH 3/3] forgot sigul service --- ansible/playbooks/role-rocky-sigul-bridge.yml | 6 ++++++ ansible/playbooks/role-rocky-sigul-server.yml | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/ansible/playbooks/role-rocky-sigul-bridge.yml b/ansible/playbooks/role-rocky-sigul-bridge.yml index 79ffbd4..b22cd48 100644 
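Review bot: `sigul_ipa_realm: "ROCKYLINUX.ORG"` duplicates the `rocky_ipa_realm` that this series adds to vars/common.yml, and role-rocky-sigul-bridge.yml loads common.yml before this file; `sigul_ipa_realm: "{{ rocky_ipa_realm }}"` keeps the realm defined once. This file also sets `sigul_principal` and `sigul_keytab` while vars/sigul_server.yml does not; if the server side needs no Kerberos identity that is fine, but a one-line comment saying so would save the next reader from checking.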
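Review bot: `getcert_nss_nickname: "{{ sigul_bridge_cert_nickname }}"` in vars/sigul_server.yml references a variable this file never defines — it defines `sigul_server_cert_nickname` — so templating fails on the sigul server play unless the bridge nickname is defined somewhere this series does not show. It looks like a copy from vars/sigul_bridge.yml; `getcert_nss_nickname: "{{ sigul_server_cert_nickname }}"` is the likely intent. If the server certificate really should carry the bridge nickname, the variable needs to be defined here and the reason commented.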
--- a/ansible/playbooks/role-rocky-sigul-bridge.yml +++ b/ansible/playbooks/role-rocky-sigul-bridge.yml @@ -76,6 +76,12 @@ state: present post_tasks: + - name: Enable the sigul bridge + systemd: + name: sigul_bridge + state: running + enabled: true + - name: Touching run file that ansible has ran here file: path: /var/log/ansible.run diff --git a/ansible/playbooks/role-rocky-sigul-server.yml b/ansible/playbooks/role-rocky-sigul-server.yml index 8a759dd..00b064e 100644 --- a/ansible/playbooks/role-rocky-sigul-server.yml +++ b/ansible/playbooks/role-rocky-sigul-server.yml @@ -63,6 +63,12 @@ state: present post_tasks: + - name: Enable the sigul server + systemd: + name: sigul_server + state: running + enabled: true + - name: Touching run file that ansible has ran here file: path: /var/log/ansible.run
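Review bot: `state: running` is not a value the systemd module accepts (its `state` choices are started, stopped, restarted and reloaded), so the new `Enable the sigul bridge` task fails argument validation at runtime; the same line appears in the role-rocky-sigul-server.yml hunk of this commit. Use `state: started` in both tasks.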