From 7a010775c9784f6ed67995980c8905a15618f63d Mon Sep 17 00:00:00 2001
From: nazunalika
Date: Wed, 23 Dec 2020 03:52:34 -0700
Subject: [PATCH] adding kojihub
---
 ansible/inventories/production/hosts.ini | 6 +-
 ansible/playbooks/adhoc-ipagetkeytab.yml | 26 +++--
 ansible/playbooks/adhoc-ipaservice.yml | 6 +-
 .../playbooks/init-rocky-ipa-internal-dns.yml | 7 ++
 ansible/playbooks/role-rocky-kojihub.yml | 82 ++++++++++++++++
 ansible/playbooks/vars/fdns.yml | 3 +
 ansible/playbooks/vars/kojihub.yml | 97 +++++++++++++++++++
 ansible/playbooks/vars/svcusers.yml | 11 ++-
 ansible/roles/requirements.yml | 9 +-
 9 files changed, 234 insertions(+), 13 deletions(-)
 create mode 100644 ansible/playbooks/role-rocky-kojihub.yml
 create mode 100644 ansible/playbooks/vars/fdns.yml
 create mode 100644 ansible/playbooks/vars/kojihub.yml
diff --git a/ansible/inventories/production/hosts.ini b/ansible/inventories/production/hosts.ini
index 12abbd5..c3ca97a 100644
--- a/ansible/inventories/production/hosts.ini
+++ b/ansible/inventories/production/hosts.ini
@@ -39,9 +39,10 @@ git.rockylinux.org ansible_host=10.100.1.113
 [koji:children]
 kojihub
 kojid
+mqtt
 
 [kojihub]
-hub.boxbuild.rockylinux.org ansible_host=10.100.1.200
+koji.boxbuild.rockylinux.org ansible_host=10.100.1.200
 
 [kojid]
 x86-01.boxbuild.rockylinux.org ansible_host=10.100.1.201
@@ -56,3 +57,6 @@ aarch64-06.boxbuild.rockylinux.org ansible_host=10.100.1.209
 ppc64le-01.boxbuild.rockylinux.org ansible_host=10.100.1.210
 ppc64le-02.boxbuild.rockylinux.org ansible_host=10.100.1.211
 ppc64le-03.boxbuild.rockylinux.org ansible_host=10.100.1.212
+
+[mqtt]
+mqtt.boxbuild.rockylinux.org ansible_host=10.100.1.213
diff --git a/ansible/playbooks/adhoc-ipagetkeytab.yml b/ansible/playbooks/adhoc-ipagetkeytab.yml
index 3863661..30fbe03 100644
--- a/ansible/playbooks/adhoc-ipagetkeytab.yml
+++ b/ansible/playbooks/adhoc-ipagetkeytab.yml
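Review bot: Adding `mqtt` to `[koji:children]` makes mqtt.boxbuild.rockylinux.org a member of the `koji` group, so every play, group_vars file or `hosts: koji` target that today covers only the hub and the builders now also runs on the broker; if the broker is not meant to receive koji group settings, list it only under the new `[mqtt]` group. Whether any play targets `koji` directly is not visible in this patch. The rename from `hub.boxbuild.rockylinux.org` to `koji.boxbuild.rockylinux.org` also changes that host's inventory_hostname, so any host_vars entry or per-host reference keyed on the old name silently stops applying.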
@@ -2,9 +2,10 @@
 # This playbook is meant to be used with callable variables, like adhoc or AWX.
 # What: Pulls keytabs for a kerberos service
 # What is expected:
-# -> ipaService, using this format: SVC/hostname.rockylinux.org@ROCKYLINUX.ORG
-# -> ipaKeytabFullPath: The full path to the keytab. Example: /etc/gitlab/gitlab.keytab
-# -> ipaServer: This needs to be one of the IPA servers
+# -> ipa_service, using this format: SVC/hostname.rockylinux.org@ROCKYLINUX.ORG
+# -> ipa_keytab_fullpath: The full path to the keytab. Example: /etc/gitlab/gitlab.keytab
+# -> ipa_server: This needs to be one of the IPA servers
+# -> ipa_owner: If applicable, the local account that will own this keytab (eg for Apache)
 
 - name: Pull keytab from IPA
 hosts: "{{ host }}"
@@ -18,16 +19,27 @@
 assert:
 that:
 - ipaadmin_password | mandatory
- - ipaService | mandatory
- - ipaKeytabFullPath | mandatory
- - ipaServer | mandatory
+ - ipa_service | mandatory
+ - ipa_keytab_fullpath | mandatory
+ - ipa_server | mandatory
 success_msg: "Required variables provided"
 fail_msg: "We are missing required information"
 
 - name: "Pulling keytab"
- command: "ipa-getkeytab -s {{ ipaServer }} -p {{ ipaService }} -k {{ ipaKeytabFullPath }}"
+ command: "ipa-getkeytab -s {{ ipa_server }} -p {{ ipa_service }} -k {{ ipa_keytab_fullpath }}"
 register: ipakeytab_result
 changed_when:
 - ipakeytab_result.rc == 0
 tags:
 - keytab
+
+ - name: "Set ownership if applicable"
+ file:
+ path: "{{ ipa_keytab_fullpath }}"
+ owner: "{{ ipa_owner }}"
+ group: "{{ ipa_owner }}"
+ mode: '0600'
+ state: file
+ when: ipa_owner
+ tags:
+ - keytab
diff --git a/ansible/playbooks/adhoc-ipaservice.yml b/ansible/playbooks/adhoc-ipaservice.yml
index 45af9a1..13ba128 100644
--- a/ansible/playbooks/adhoc-ipaservice.yml
+++ b/ansible/playbooks/adhoc-ipaservice.yml
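Review bot: `when: ipa_owner` on the new "Set ownership if applicable" task aborts the play with an undefined-variable error whenever the caller omits ipa_owner, although the header comment added in the first hunk describes it as optional; write it as `when: ipa_owner is defined and ipa_owner` (or give it a default alongside the assert). The `command:` string in the same hunk splices ipa_server, ipa_service and ipa_keytab_fullpath into one string that the command module splits on whitespace, so a value containing spaces becomes extra arguments; the list form `argv: ["ipa-getkeytab", "-s", "{{ ipa_server }}", "-p", "{{ ipa_service }}", "-k", "{{ ipa_keytab_fullpath }}"]` passes each value as exactly one argument. ipa-getkeytab without `-r` generates a fresh key for the principal, so every rerun invalidates any keytab previously retrieved for it, and `changed_when: ipakeytab_result.rc == 0` reports changed on every run; worth stating in the header with `# NOTE: each run rotates the service key; existing keytabs for this principal stop working`.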
@@ -14,13 +14,15 @@
 assert:
 that:
 - ipaadmin_password | mandatory
- - ipaService | mandatory
+ - ipa_service | mandatory
 success_msg: "Required variables provided"
 fail_msg: "We are missing required information"
 
 - name: "Creating Kerberos Service"
 freeipa.ansible_freeipa.ipaservice:
 ipaadmin_password: "{{ ipaadmin_password }}"
- name: "{{ ipaService }}"
+ name: "{{ ipa_service }}"
+ skip_host_check: "{{ ipa_skip_host_check | default(false) }}"
+ force: "{{ ipa_force | default(false) }}"
 tags:
 - services
diff --git a/ansible/playbooks/init-rocky-ipa-internal-dns.yml b/ansible/playbooks/init-rocky-ipa-internal-dns.yml
index ee77153..dba3d5d 100644
--- a/ansible/playbooks/init-rocky-ipa-internal-dns.yml
+++ b/ansible/playbooks/init-rocky-ipa-internal-dns.yml
@@ -7,6 +7,7 @@
 vars_files:
 - vars/encpass.yml
 - vars/rdns.yml
+ - vars/fdns.yml
 
 tasks:
 - name: "Checking for user variables"
@@ -21,3 +22,9 @@
 ipaadmin_password: '{{ ipaadmin_password }}'
 name: '{{ item }}'
 with_items: '{{ rdns }}'
+
+ - name: "Create Forward Domains"
+ freeipa.ansible_freeipa.ipadnszone:
+ ipaadmin_password: '{{ ipaadmin_password }}'
+ name: '{{ item }}'
+ with_items: '{{ fdns }}'
diff --git a/ansible/playbooks/role-rocky-kojihub.yml b/ansible/playbooks/role-rocky-kojihub.yml
new file mode 100644
index 0000000..2255900
--- /dev/null
+++ b/ansible/playbooks/role-rocky-kojihub.yml
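Review bot: The two new ipaservice parameters `skip_host_check` and `force` are not documented in this playbook's "What is expected" header, unlike the renamed ipa_service variable, even though both relax validation (per the module's documentation they skip the check that the host object exists and force the principal name even when the host is not in DNS). Add `# -> ipa_skip_host_check / ipa_force: optional, default false; bypass the host-object and DNS checks on the principal name` next to the other expected variables so an AWX caller knows what setting them to true disables. The header comment lies outside this hunk.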
@@ -0,0 +1,82 @@
+---
+# Stands up an ipsilon instance for simple SSO
+- name: Configure ipsilon server
+ hosts: kojihub
+ become: true
+ vars_files:
+ - vars/encpass.yml
+ - vars/kojihub.yml
+
+ # This is to try to avoid the handler issue in pre/post tasks
+ handlers:
+ - import_tasks: handlers/main.yml
+
+ pre_tasks:
+ - name: Check if ansible cannot be run here
+ stat:
+ path: /etc/no-ansible
+ register: no_ansible
+
+ - name: Verify if we can run ansible
+ assert:
+ that:
+ - "not no_ansible.stat.exists"
+ msg: "/etc/no-ansible exists - skipping run on this node"
+
+ # EPEL and PowerTools are required for ipsilon to function
+ # I also couldn't find an ansible built-in to do this
+ - name: Enable the PowerTools repository
+ ini_file:
+ dest: /etc/yum.repos.d/CentOS-Linux-PowerTools.repo
+ section: powertools
+ option: enabled
+ value: 1
+ owner: root
+ group: root
+ mode: '0644'
+
+ # The CentOS extras repos has epel-release provided
+ - name: Enable the EPEL repository
+ yum:
+ name: epel-release
+ state: present
+ tags:
+ - packages
+
+ - name: Install rocky-tools copr
+ yum_repository:
+ name: copr:copr.fedorainfracloud.org:nalika:rockylinux-tool
+ description: Copr repo for rockylinux-tools owned by nalika
+ file: copr_repos
+ baseurl: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/epel-8-$basearch/
+ gpgcheck: true
+ gpgkey: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/pubkey.gpg
+ enabled: true
+
+ # Right now, we are not sure how or where we'll get our certificates. So we
+ # are presenting a choice by setting a variable, koji_internal_ca. There is a
+ # change that we will have to do internal certs for mqtt anyway.
+ roles:
+ - role: geerlingguy.certbot
+ state: present
+ when: not koji_internal_ca
+
+ - role: rockylinux.ipagetcert
+ state: present
+ when: koji_internal_ca
+
+ - role: geerlingguy.postgresql
+ state: present
+ when: koji_postgresql_vm
+
+ - role: rockylinux.kojihub
+ state: present
+
+ post_tasks:
+ - name: Touching run file that ansible has ran here
+ file:
+ path: /var/log/ansible.run
+ state: touch
+ mode: '0644'
+ owner: root
+ group: root
diff --git a/ansible/playbooks/vars/fdns.yml b/ansible/playbooks/vars/fdns.yml
new file mode 100644
index 0000000..88cb46c
--- /dev/null
+++ b/ansible/playbooks/vars/fdns.yml
@@ -0,0 +1,3 @@
+---
+fdns:
+ - boxbuild.rockylinux.org.
diff --git a/ansible/playbooks/vars/kojihub.yml b/ansible/playbooks/vars/kojihub.yml
new file mode 100644
index 0000000..9dca7b7
--- /dev/null
+++ b/ansible/playbooks/vars/kojihub.yml
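Review bot: The header comment `# Stands up an ipsilon instance for simple SSO`, the play name `Configure ipsilon server` and the comment `# EPEL and PowerTools are required for ipsilon to function` describe a different playbook; this play targets `hosts: kojihub` and applies rockylinux.kojihub, so they should read `# Stands up a koji hub (optional local postgresql, certbot or IPA-issued certificates)`, `- name: Configure koji hub server` and `# EPEL and PowerTools are required for koji to function`. The koji_internal_ca and koji_postgresql_vm switches that gate the certbot, ipagetcert and postgresql roles are only explained in vars/kojihub.yml; a one-line comment above `roles:` naming the two variables and what each selects would save a reader the lookup. In the certificate comment, "There is a change that" presumably means "chance".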
@@ -0,0 +1,97 @@
+---
+# koji hub settings
+
+# Use an internal CA (IPA)
+koji_internal_ca: true
+
+# Use postgresql on this machine rather than managed service
+koji_postgresql_vm: true
+
+# Database settings
+koji_db_name: koji
+koji_db_user: koji
+koji_db_pass: ThisIsNotThePassword!
+koji_db_host: localhost
+
+koji_web_url: "https://{{ ansible_fqdn }}/koji"
+koji_hub_url: "https://{{ ansible_fqdn }}/kojihub"
+koji_files_url: "https://{{ ansible_fqdn }}/kojifiles"
+
+# The IPA internal CA is combined with the others
+koji_web_cacert: /etc/pki/tls/certs/ca-bundle.crt
+koji_web_tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
+koji_web_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
+
+# NFS? We need a place.
+koji_nfs: false
+koji_mount: /mnt/koji
+koji_nfs_path: nfs.rockylinux.org:/export/koji
+
+# Koji Admin Settings
+koji_admin_client: true
+koji_admin_user: rockykoji
+koji_admin_principal: rockykoji@ROCKYLINUX.ORG
+koji_admin_localuser: true
+koji_admin_localuser_name: koji
+
+# Hub Settings
+koji_hub_principal: "HTTP/{{ ansible_fqdn }}@ROCKYLINUX.ORG"
+koji_hub_proxy_principals: koji/kojiweb@ROCKYLINUX.ORG
+koji_hub_keytab: /etc/koji.keytab
+koji_hub_principal_format: compile/%s@ROCKYLINUX.ORG
+# This should be sufficient even for LE
+koji_hub_ca: /etc/pki/tls/certs/ca-bundle.crt
+
+# Koji FAS Syncing
+# This isn't implemented yet in the role
+koji_fas_sync: false
+koji_fas_url: https://accounts.rockylinux.org
+
+# Not implemented yet
+koji_hub_plugin_mqtt_host: mqtt.rockylinux.org
+koji_hub_plugin_mqtt_topic: koji
+koji_hub_plugin_mqtt_ca: "{{ koji_hub_ca }}"
+koji_hub_plugin_mqtt_tls_cert: /etc/pki/tls/certs/mqtt.pem
+koji_hub_plugin_mqtt_tls_key: /etc/pki/tls/certs/mqtt.pem
+koji_hub_plugin_mqtt_excluded_tags:
+ - testing-tag
+
+# IPA Certs if Required
+ipa_getcert_requested_hostnames:
+ - name: "{{ ansible_fqdn }}"
+ owner: apache
+
+# postgresql vars
+postgresql_restarted_state: "restarted"
+postgresql_python_library: python3-psycopg2
+postgresql_user: postgres
+postgresql_group: postgres
+postgresql_hba_entries:
+ - type: local
+ database: koji
+ user: koji
+ auth_method: trust
+ - type: local
+ database: all
+ user: postgres
+ auth_method: peer
+ - type: host
+ database: koji
+ user: koji
+ address: '10.100.1.0/24'
+ auth_method: md5
+
+postgresql_databases:
+ - name: "{{ koji_db_name }}"
+ owner: "{{ koji_db_user }}"
+
+postgresql_users:
+ - name: "{{ koji_db_user }}"
+ password: "{{ koji_db_pass }}"
+ role_attr_flags: "NOCREATEDB,NOSUPERUSER,NOCREATEROLE"
+ db: "{{ koji_db_name }}"
+ state: present
+
+postgresql_global_config_options:
+ - option: listen_addresses
+ value: '*'
diff --git a/ansible/playbooks/vars/svcusers.yml b/ansible/playbooks/vars/svcusers.yml
index 8dfce8b..ccef80d 100644
--- a/ansible/playbooks/vars/svcusers.yml
+++ b/ansible/playbooks/vars/svcusers.yml
@@ -3,14 +3,21 @@ svcusers:
 - name: hostman
 first: Host
 last: Manager
- email: hostman@rockylinux.org
+ email: infrastructure@rockylinux.org
 password: ThisIsNotMyPassword1!
 title: System Account - Host Manager
 loginshell: /sbin/nologin
 - name: kerbman
 first: Kerberos
 last: Manager
- email: kerbman@rockylinux.org
+ email: infrastructure@rockylinux.org
 password: ThisIsNotMyPassword1!
 title: System Account - Kerberos Key Manager
 loginshell: /sbin/nologin
+ - name: rockykoji
+ first: Koji
+ last: Manager
+ email: infrastructure@rockylinux.org
+ password: ThisIsNotMyPassword1!
+ title: System Account - Koji Manager
+ loginshell: /sbin/nologin
diff --git a/ansible/roles/requirements.yml b/ansible/roles/requirements.yml
index 6745378..4223cfd 100644
--- a/ansible/roles/requirements.yml
+++ b/ansible/roles/requirements.yml
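Review bot: `koji_db_pass: ThisIsNotThePassword!` keeps a database credential in plaintext in vars/kojihub.yml even though the play already loads vars/encpass.yml for secrets, and `postgresql_users` feeds it straight into the role; define the real value in the encrypted file and reference it here as `koji_db_pass: "{{ vault_koji_db_pass }}"` (constructed name) so it cannot be committed by accident. The pg_hba entries then make the password largely moot: `auth_method: trust` for the local koji entry lets any OS account on the hub connect as koji without a password, and `listen_addresses: '*'` binds every interface although `koji_db_host: localhost`; prefer `auth_method: scram-sha-256` (or at least md5) for the local entry and `value: localhost` unless builders on 10.100.1.0/24 genuinely need the database. `koji_hub_plugin_mqtt_tls_key` points at the same `/etc/pki/tls/certs/mqtt.pem` as the certificate, in a directory that is conventionally world-readable, and `koji_hub_plugin_mqtt_host: mqtt.rockylinux.org` does not match the `mqtt.boxbuild.rockylinux.org` host this commit adds to the inventory; both sit under "Not implemented yet", so a `# TODO: move key to /etc/pki/tls/private and align host with inventory before enabling` would stop them being deployed as-is.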
@@ -5,10 +5,17 @@ roles:
 # monitoring
 - name: cloudalchemy.node-exporter
 - name: cloudalchemy.prometheus
+ - name: geerlingguy.gitlab
+ - name: geerlingguy.postgresql
+ - name: rockylinux.ipagetcert
+ src: https://github.com/rocky-linux/ansible-role-ipa-getcert
+ version: main
 - name: rockylinux.ipsilon
 src: https://github.com/rocky-linux/ansible-role-ipsilon
 version: main
- - name: geerlingguy.gitlab
+ - name: rockylinux.kojihub
+ src: https://github.com/rocky-linux/ansible-role-kojihub
+ version: main
 
 collections:
 # freeipa
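Review bot: None of the newly added roles is pinned: `rockylinux.ipagetcert` and `rockylinux.kojihub` track `version: main` (as rockylinux.ipsilon already does) and `geerlingguy.postgresql` has no version at all, so `ansible-galaxy install` pulls whatever is current and a later push to any of those repositories changes what the kojihub play deploys with no change to this file. Pin each to a release tag or commit, `version: <tag-or-commit>` (placeholder), and bump deliberately; the `geerlingguy.gitlab` line is only moved and is outside this point.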