slurry of changes and fixes

ansible/playbooks/adhoc-rabbitmqqueue.yml

@@ -0,0 +1,84 @@
+---
+# This playbook is meant to be used with callable variables, like adhoc or AWX.
+# What: Creates RabbitMQ Users
+# Required parameters:
+#   -> username: The username to create in RabbitMQ, which should match an LDAP
+#                name or the CN of a certificate. Note that if it's a hostname
+#                it must be the FQDN.
+#   -> queue_name: Name of the queue to create. This should be setup with a
+#                  prefix_suffix name, where prefix is the username, and
+#                  the suffix is a service name.
+#   -> routing_keys: A list to be used as routing keys.
+# Optional:
+#   -> write_queues: A list of queues name prefixes that which the user will
+#                    be allowed to publish.
+#   -> thresholds: A dictionary with two keys "warning" and "critical" - The
+#                  values are numbers. In the event we have a monitoring system
+#                  this can be a number of messages that could cause an alert.
+#   -> vhost: The vhost this queue will be part of. The default is /pubsub.
+
+- name: Create a User
+  hosts: rabbitmq
+  become: false
+  gather_facts: false
+  vars_files:
+  - vars/encpass.yml
+  - vars/rabbitmq.yml
+
+  tasks:
+    - name: "Checking for user variables"
+      assert:
+        that:
+          - username != "admin"
+          - username != "guest"
+          - username != "mq-monitoring"
+        success_msg: "Required variables provided"
+        fail_msg: "Username is reserved"
+      tags:
+        - rabbitmq
+
+    - name: "Validate username queue name"
+      assert:
+        that:
+          - "queue_name.startswith(username)"
+      tags:
+        - rabbitmq
+
+    - name: "Creating User Account"
+      community.rabbitmq.rabbitmq_user:
+        user: "{{ username }}"
+        vhost: "{{ vhost|default('/pubsub') }}"
+        read_priv: "^(zmq\\.topic)|^(amq\\.topic)|({{ username  }}.*)$"
+        write_priv: "^(amq\\.topic)|({{ username  }}.*){% for queue in write_queues|default([]) %}|({{ queue  }}.*){% endfor %}$"
+        configure_priv: "^$"
+        state: present
+      tags:
+        - rabbitmq
+
+    - name: "Create {{ queue_name }}"
+      delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+      community.rabbitmq.rabbitmq_queue:
+        name: "{{ queue_name }}"
+        vhost: "{{ vhost|default('/pubsub') }}"
+        auto_delete: false
+        durable: true
+        message_ttl: "{{ message_ttl|default('null') }}"
+        state: present
+        login_user: admin
+        login_password: "{{ rabbitmq_admin_password }}"
+      tags:
+        - rabbitmq
+
+    - name: "Bind {{ queue_name }} to amq.topic exchange"
+      delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+      community.rabbitmq.rabbitmq_binding:
+        name: "amq.topic"
+        destination: "{{ queue_name }}"
+        destination_type: queue
+        routing_key: "{{ item }}"
+        vhost: "{{ vhost|default('/pubsub') }}"
+        state: present
+        login_user: admin
+        login_password: "{{ rabbitmq_admin_password }}"
+      tags:
+        - rabbitmq

ansible/playbooks/adhoc-rabbitmquser.yml

@@ -1,6 +1,7 @@
 ---
 # This playbook is meant to be used with callable variables, like adhoc or AWX.
 # What: Creates RabbitMQ Users
+# The username is the required parameter
 
 - name: Create a User
   hosts: rabbitmq

ansible/playbooks/role-gitlab-ee.yml

@@ -4,6 +4,7 @@
   hosts: gitlabservers
   become: true
   vars_files:
+  - vars/common.yml
   - vars/gitlab.yml
 
   # This is to try to avoid the handler issue in pre/post tasks

ansible/playbooks/role-rocky-rabbitmq.yml

@@ -4,6 +4,7 @@
   hosts: rabbitmq
   become: true
   vars_files:
+  - vars/common.yml
   - vars/encpass.yml
   - vars/rabbitmq.yml
 

ansible/playbooks/templates/etc/gitlab/rocky_gitlab.rb

@@ -40,7 +40,7 @@ gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
     password: '{{ gitlab_ldap_password }}'
     allow_username_or_email_login: true
     base: '{{ gitlab_ldap_base }}'
-    user_filter: ''
+    user_filter: '{{ gitlab_ldap_user_filter }}'
     group_base: '{{ gitlab_ldap_group_dn }}'
     admin_group: '{{ gitlab_ldap_admin_group }}'
     sync_ssh_keys: true

ansible/playbooks/vars/common.yml

@@ -0,0 +1,8 @@
+---
+rocky_ldap_bind_dn: "uid=binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org"
+rocky_ldap_bind_pw: "ThisIsNotThePassword!"
+rocky_ldap_user_basedn: "cn=users,cn=accounts,dc=rockylinux,dc=org"
+rocky_ldap_group_basedn: "cn=groups,cn=accounts,dc=rockylinux,dc=org"
+rocky_ldap_account_basedn: "cn=accounts,dc=rockylinux,dc=org"
+# Requires jinja 2.9+
+rocky_ipaserver_list: "{{ groups['ipaserver'] + groups['ipareplicas'] }}"

ansible/playbooks/vars/encpass.yml

@@ -16,3 +16,6 @@ ipsilon_db_password: !vault |
 koji_db_pass: !vault |
           $ANSIBLE_VAULT;1.1;AES256
           REDACTED
+pubsub_federation_pass: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          REDACTED

ansible/playbooks/vars/gitlab.yml

@@ -21,15 +21,16 @@ gitlab_ssl_key: "/etc/nginx/ssl/{{ gitlab_domain }}.key"
 
 # LDAP Configuration
 gitlab_ldap_enabled: "true"
-gitlab_ldap_host: "ipa001.rockylinux.org"
+gitlab_ldap_host: "{{ rocky_ipaserver_list[0] }}"
 gitlab_ldap_port: "389"
 gitlab_ldap_uid: "uid"
 gitlab_ldap_method: "start_tls"
-gitlab_ldap_bind_dn: "uid=binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org"
+gitlab_ldap_bind_dn: "{{ rocky_ldap_bind_dn }}"
-gitlab_ldap_password: "ThisIsNotThePassword!"
+gitlab_ldap_password: "{{ rocky_ldap_bind_pw }}"
-gitlab_ldap_base: "cn=users,cn=accounts,dc=rockylinux,dc=org"
+gitlab_ldap_base: "{{ rocky_ldap_user_basedn }}"
-gitlab_ldap_group_dn: "cn=groups,cn=accounts,dc=rockylinux,dc=org"
+gitlab_ldap_group_dn: "{{ rocky_ldap_group_basedn }}"
 gitlab_ldap_admin_group: "cn=gitadm,cn=groups,cn=accounts,dc=rockylinux,dc=org"
+gitlab_ldap_user_filter: "(&(objectClass=posixAccount)(memberOf=cn=gitusers,cn=groups,cn=accounts,dc=rockylinux,dc=org))"
 
 gitlab_time_zone: "UTC"
 

ansible/playbooks/vars/groups.yml

@@ -42,12 +42,25 @@ ipagroups:
       - rfelsburg
       - tg
       - hbjy
+  - group: gitusers
+    description: Rocky Linux GitLab Users
+    user:
+      - label
+      - neil
+      - rlh
+      - rfelsburg
+      - tg
+      - hbjy
+      - rockyautomation
   - group: services
     description: Rocky Linux Service Accounts
     user:
       - hostman
       - kerbman
       - rockykoji
+      - pubsub_federation
+      - rockypubsub
+      - rockyautomation
   - group: iam
     description: Rocky Linux Identity Management
     user:
@@ -56,3 +69,5 @@ ipagroups:
     description: Rocky Linux Release Engineering
     user:
       - label
+  - group: mq_pub_readonly
+    description: RabbitMQ ReadOnly

ansible/playbooks/vars/rabbitmq.yml

@@ -16,6 +16,10 @@ rabbitmq_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
 #rabbitmq_cluster_name:
 #rabbitmq_env:
 
+# Federation / Public Queues
+rabbitmq_enable_public: false
+#pubsub_federation_pass:
+
 # THIS IS DYNAMIC. IT'S ADVISED IT NOT BE STATIC.
 # This should be changed depending on how inventory is managed. For example, if
 # it's not possible to have "staging inventory" as opposed to a "production"
@@ -23,6 +27,7 @@ rabbitmq_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
 # also possible there will be more than one cluster, so these must be taken
 # into account when setting this variable.
 rabbitmq_cluster_list: "{{ groups['rabbitmq'] }}"
+rabbitmq_ldap_servers: "{{ rocky_ipaserver_list }}"
 
 # Messaging queues are generally private
 rabbitmq_private: true

ansible/playbooks/vars/svcusers.yml

@@ -21,3 +21,24 @@ svcusers:
     password: ThisIsNotMyPassword1!
     title: System Account - Koji Manager
     loginshell: /sbin/nologin
+  - name: pubsub_federation
+    first: pubsub
+    last: federation
+    email: infrastructure@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: System Account - pubsub federator
+    loginshell: /sbin/nologin
+  - name: rockypubsub
+    first: rocky
+    last: pubsub
+    email: infrastructure@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: System Account - pubsub
+    loginshell: /sbin/nologin
+  - name: rockyautomation
+    first: Rocky
+    last: Automation
+    email: infrastructure@rockylinux.org
+    password: ThisIsNotMyPassword1!
+    title: System Account - Automation
+    loginshell: /sbin/nologin