slurry of changes and fixes
This commit is contained in:
parent
7d8ed3bbe5
commit
99e163b220
84
ansible/playbooks/adhoc-rabbitmqqueue.yml
Normal file
84
ansible/playbooks/adhoc-rabbitmqqueue.yml
Normal file
@ -0,0 +1,84 @@
|
||||
---
|
||||
# This playbook is meant to be used with callable variables, like adhoc or AWX.
|
||||
# What: Creates RabbitMQ Users
|
||||
# Required parameters:
|
||||
# -> username: The username to create in RabbitMQ, which should match an LDAP
|
||||
# name or the CN of a certificate. Note that if it's a hostname
|
||||
# it must be the FQDN.
|
||||
# -> queue_name: Name of the queue to create. This should be setup with a
|
||||
# prefix_suffix name, where prefix is the username, and
|
||||
# the suffix is a service name.
|
||||
# -> routing_keys: A list to be used as routing keys.
|
||||
# Optional:
|
||||
# -> write_queues: A list of queues name prefixes that which the user will
|
||||
# be allowed to publish.
|
||||
# -> thresholds: A dictionary with two keys "warning" and "critical" - The
|
||||
# values are numbers. In the event we have a monitoring system
|
||||
# this can be a number of messages that could cause an alert.
|
||||
# -> vhost: The vhost this queue will be part of. The default is /pubsub.
|
||||
|
||||
- name: Create a User
|
||||
hosts: rabbitmq
|
||||
become: false
|
||||
gather_facts: false
|
||||
vars_files:
|
||||
- vars/encpass.yml
|
||||
- vars/rabbitmq.yml
|
||||
|
||||
tasks:
|
||||
- name: "Checking for user variables"
|
||||
assert:
|
||||
that:
|
||||
- username != "admin"
|
||||
- username != "guest"
|
||||
- username != "mq-monitoring"
|
||||
success_msg: "Required variables provided"
|
||||
fail_msg: "Username is reserved"
|
||||
tags:
|
||||
- rabbitmq
|
||||
|
||||
- name: "Validate username queue name"
|
||||
assert:
|
||||
that:
|
||||
- "queue_name.startswith(username)"
|
||||
tags:
|
||||
- rabbitmq
|
||||
|
||||
- name: "Creating User Account"
|
||||
community.rabbitmq.rabbitmq_user:
|
||||
user: "{{ username }}"
|
||||
vhost: "{{ vhost|default('/pubsub') }}"
|
||||
read_priv: "^(zmq\\.topic)|^(amq\\.topic)|({{ username }}.*)$"
|
||||
write_priv: "^(amq\\.topic)|({{ username }}.*){% for queue in write_queues|default([]) %}|({{ queue }}.*){% endfor %}$"
|
||||
configure_priv: "^$"
|
||||
state: present
|
||||
tags:
|
||||
- rabbitmq
|
||||
|
||||
- name: "Create {{ queue_name }}"
|
||||
delegate_to: "{{ rabbitmq_cluster_list[0] }}"
|
||||
community.rabbitmq.rabbitmq_queue:
|
||||
name: "{{ queue_name }}"
|
||||
vhost: "{{ vhost|default('/pubsub') }}"
|
||||
auto_delete: false
|
||||
durable: true
|
||||
message_ttl: "{{ message_ttl|default('null') }}"
|
||||
state: present
|
||||
login_user: admin
|
||||
login_password: "{{ rabbitmq_admin_password }}"
|
||||
tags:
|
||||
- rabbitmq
|
||||
|
||||
- name: "Bind {{ queue_name }} to amq.topic exchange"
|
||||
delegate_to: "{{ rabbitmq_cluster_list[0] }}"
|
||||
community.rabbitmq.rabbitmq_binding:
|
||||
name: "amq.topic"
|
||||
destination: "{{ queue_name }}"
|
||||
destination_type: queue
|
||||
routing_key: "{{ item }}"
|
||||
vhost: "{{ vhost|default('/pubsub') }}"
|
||||
state: present
|
||||
login_user: admin
|
||||
login_password: "{{ rabbitmq_admin_password }}"
|
||||
tags:
|
||||
- rabbitmq
|
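Review bot: The binding task at the end of this section uses `routing_key: "{{ item }}"` but no `loop:` appears anywhere in the 84 added lines, so `item` is undefined and the task errors before any binding is created; add `loop: "{{ routing_keys }}"` to it (the header comment already names `routing_keys` as a required list). The username is interpolated unescaped into `read_priv` and `write_priv` even though the comment requires FQDNs, and `.` is a regex metacharacter, so a grant for `host.example.org` also matches names like `hostXexampleYorg`; use `{{ username | regex_escape }}` there, and `{{ queue | regex_escape }}` inside the `write_queues` loop. The `({{ username }}.*)$` alternative has no leading `^`, so any resource whose name merely contains the username somewhere matches; anchoring it as `^({{ username | regex_escape }}.*)$` limits the grant to the prefix the "Validate username queue name" assert enforces. `message_ttl: "{{ message_ttl|default('null') }}"` sends the literal string `null` instead of leaving the parameter unset; `"{{ message_ttl | default(omit) }}"` is the Ansible idiom for that. Leading indentation is lost in this rendering, so the nesting described above is inferred from the `- name:` markers.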
@ -1,6 +1,7 @@
|
||||
---
|
||||
# This playbook is meant to be used with callable variables, like adhoc or AWX.
|
||||
# What: Creates RabbitMQ Users
|
||||
# The username is the required parameter
|
||||
|
||||
- name: Create a User
|
||||
hosts: rabbitmq
|
||||
|
@ -4,6 +4,7 @@
|
||||
hosts: gitlabservers
|
||||
become: true
|
||||
vars_files:
|
||||
- vars/common.yml
|
||||
- vars/gitlab.yml
|
||||
|
||||
# This is to try to avoid the handler issue in pre/post tasks
|
||||
|
@ -4,6 +4,7 @@
|
||||
hosts: rabbitmq
|
||||
become: true
|
||||
vars_files:
|
||||
- vars/common.yml
|
||||
- vars/encpass.yml
|
||||
- vars/rabbitmq.yml
|
||||
|
||||
|
@ -40,7 +40,7 @@ gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
|
||||
password: '{{ gitlab_ldap_password }}'
|
||||
allow_username_or_email_login: true
|
||||
base: '{{ gitlab_ldap_base }}'
|
||||
user_filter: ''
|
||||
user_filter: '{{ gitlab_ldap_user_filter }}'
|
||||
group_base: '{{ gitlab_ldap_group_dn }}'
|
||||
admin_group: '{{ gitlab_ldap_admin_group }}'
|
||||
sync_ssh_keys: true
|
||||
|
8
ansible/playbooks/vars/common.yml
Normal file
8
ansible/playbooks/vars/common.yml
Normal file
@ -0,0 +1,8 @@
|
||||
---
|
||||
rocky_ldap_bind_dn: "uid=binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org"
|
||||
rocky_ldap_bind_pw: "ThisIsNotThePassword!"
|
||||
rocky_ldap_user_basedn: "cn=users,cn=accounts,dc=rockylinux,dc=org"
|
||||
rocky_ldap_group_basedn: "cn=groups,cn=accounts,dc=rockylinux,dc=org"
|
||||
rocky_ldap_account_basedn: "cn=accounts,dc=rockylinux,dc=org"
|
||||
# Requires jinja 2.9+
|
||||
rocky_ipaserver_list: "{{ groups['ipaserver'] + groups['ipareplicas'] }}"
|
@ -16,3 +16,6 @@ ipsilon_db_password: !vault |
|
||||
koji_db_pass: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
REDACTED
|
||||
pubsub_federation_pass: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
REDACTED
|
||||
|
@ -21,15 +21,16 @@ gitlab_ssl_key: "/etc/nginx/ssl/{{ gitlab_domain }}.key"
|
||||
|
||||
# LDAP Configuration
|
||||
gitlab_ldap_enabled: "true"
|
||||
gitlab_ldap_host: "ipa001.rockylinux.org"
|
||||
gitlab_ldap_host: "{{ rocky_ipaserver_list[0] }}"
|
||||
gitlab_ldap_port: "389"
|
||||
gitlab_ldap_uid: "uid"
|
||||
gitlab_ldap_method: "start_tls"
|
||||
gitlab_ldap_bind_dn: "uid=binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org"
|
||||
gitlab_ldap_password: "ThisIsNotThePassword!"
|
||||
gitlab_ldap_base: "cn=users,cn=accounts,dc=rockylinux,dc=org"
|
||||
gitlab_ldap_group_dn: "cn=groups,cn=accounts,dc=rockylinux,dc=org"
|
||||
gitlab_ldap_bind_dn: "{{ rocky_ldap_bind_dn }}"
|
||||
gitlab_ldap_password: "{{ rocky_ldap_bind_pw }}"
|
||||
gitlab_ldap_base: "{{ rocky_ldap_user_basedn }}"
|
||||
gitlab_ldap_group_dn: "{{ rocky_ldap_group_basedn }}"
|
||||
gitlab_ldap_admin_group: "cn=gitadm,cn=groups,cn=accounts,dc=rockylinux,dc=org"
|
||||
gitlab_ldap_user_filter: "(&(objectClass=posixAccount)(memberOf=cn=gitusers,cn=groups,cn=accounts,dc=rockylinux,dc=org))"
|
||||
|
||||
gitlab_time_zone: "UTC"
|
||||
|
||||
|
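Review bot: `gitlab_ldap_admin_group` and `gitlab_ldap_user_filter` still hard-code `cn=groups,cn=accounts,dc=rockylinux,dc=org` although this section moves the same base DN into `rocky_ldap_group_basedn` for `gitlab_ldap_group_dn`; for consistency write `gitlab_ldap_admin_group: "cn=gitadm,{{ rocky_ldap_group_basedn }}"` and build the `memberOf=` clause of the filter from the same variable, so a base-DN change is made in one place. `gitlab_ldap_host: "{{ rocky_ipaserver_list[0] }}"` pins GitLab to whichever server happens to be first in the concatenated inventory groups; a comment stating that index 0 is intentionally the primary IPA server would make that choice explicit, since nothing in the hunk guarantees the ordering. Which file this hunk belongs to is inferred from its keys, as the rendering shows no file header for it.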
@ -42,12 +42,25 @@ ipagroups:
|
||||
- rfelsburg
|
||||
- tg
|
||||
- hbjy
|
||||
- group: gitusers
|
||||
description: Rocky Linux GitLab Users
|
||||
user:
|
||||
- label
|
||||
- neil
|
||||
- rlh
|
||||
- rfelsburg
|
||||
- tg
|
||||
- hbjy
|
||||
- rockyautomation
|
||||
- group: services
|
||||
description: Rocky Linux Service Accounts
|
||||
user:
|
||||
- hostman
|
||||
- kerbman
|
||||
- rockykoji
|
||||
- pubsub_federation
|
||||
- rockypubsub
|
||||
- rockyautomation
|
||||
- group: iam
|
||||
description: Rocky Linux Identity Management
|
||||
user:
|
||||
@ -56,3 +69,5 @@ ipagroups:
|
||||
description: Rocky Linux Release Engineering
|
||||
user:
|
||||
- label
|
||||
- group: mq_pub_readonly
|
||||
description: RabbitMQ ReadOnly
|
||||
|
@ -16,6 +16,10 @@ rabbitmq_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
|
||||
#rabbitmq_cluster_name:
|
||||
#rabbitmq_env:
|
||||
|
||||
# Federation / Public Queues
|
||||
rabbitmq_enable_public: false
|
||||
#pubsub_federation_pass:
|
||||
|
||||
# THIS IS DYNAMIC. IT'S ADVISED IT NOT BE STATIC.
|
||||
# This should be changed depending on how inventory is managed. For example, if
|
||||
# it's not possible to have "staging inventory" as opposed to a "production"
|
||||
@ -23,6 +27,7 @@ rabbitmq_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
|
||||
# also possible there will be more than one cluster, so these must be taken
|
||||
# into account when setting this variable.
|
||||
rabbitmq_cluster_list: "{{ groups['rabbitmq'] }}"
|
||||
rabbitmq_ldap_servers: "{{ rocky_ipaserver_list }}"
|
||||
|
||||
# Messaging queues are generally private
|
||||
rabbitmq_private: true
|
||||
|
@ -21,3 +21,24 @@ svcusers:
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: System Account - Koji Manager
|
||||
loginshell: /sbin/nologin
|
||||
- name: pubsub_federation
|
||||
first: pubsub
|
||||
last: federation
|
||||
email: infrastructure@rockylinux.org
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: System Account - pubsub federator
|
||||
loginshell: /sbin/nologin
|
||||
- name: rockypubsub
|
||||
first: rocky
|
||||
last: pubsub
|
||||
email: infrastructure@rockylinux.org
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: System Account - pubsub
|
||||
loginshell: /sbin/nologin
|
||||
- name: rockyautomation
|
||||
first: Rocky
|
||||
last: Automation
|
||||
email: infrastructure@rockylinux.org
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: System Account - Automation
|
||||
loginshell: /sbin/nologin
|
||||
|
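Review bot: The three new service accounts all carry `password: ThisIsNotMyPassword1!` as a plaintext value in a vars file, while this same commit adds `pubsub_federation_pass: !vault |` to vars/encpass.yml; the `pubsub_federation` entry should reference it, `password: "{{ pubsub_federation_pass }}"`, and `rockypubsub` and `rockyautomation` deserve vaulted variables of their own rather than a shared placeholder that is easy to overwrite with a real value. If the placeholder is deliberate because these accounts are rotated out of band, a comment above the list saying so would stop the next reader from treating it as the live credential. Independently, a password written as a plain scalar is retyped or rejected by YAML when it begins with characters such as `*`, `&`, `{`, `[`, `!` or `%`, so keep it quoted. The `svcusers` list begins above this hunk.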