slurry of changes and fixes
This commit is contained in:
parent
7d8ed3bbe5
commit
99e163b220
84
ansible/playbooks/adhoc-rabbitmqqueue.yml
Normal file
84
ansible/playbooks/adhoc-rabbitmqqueue.yml
Normal file
@ -0,0 +1,84 @@
|
|||||||
|
---
|
||||||
|
# This playbook is meant to be used with callable variables, like adhoc or AWX.
|
||||||
|
# What: Creates RabbitMQ Users
|
||||||
|
# Required parameters:
|
||||||
|
# -> username: The username to create in RabbitMQ, which should match an LDAP
|
||||||
|
# name or the CN of a certificate. Note that if it's a hostname
|
||||||
|
# it must be the FQDN.
|
||||||
|
# -> queue_name: Name of the queue to create. This should be setup with a
|
||||||
|
# prefix_suffix name, where prefix is the username, and
|
||||||
|
# the suffix is a service name.
|
||||||
|
# -> routing_keys: A list to be used as routing keys.
|
||||||
|
# Optional:
|
||||||
|
# -> write_queues: A list of queues name prefixes that which the user will
|
||||||
|
# be allowed to publish.
|
||||||
|
# -> thresholds: A dictionary with two keys "warning" and "critical" - The
|
||||||
|
# values are numbers. In the event we have a monitoring system
|
||||||
|
# this can be a number of messages that could cause an alert.
|
||||||
|
# -> vhost: The vhost this queue will be part of. The default is /pubsub.
|
||||||
|
|
||||||
|
- name: Create a User
|
||||||
|
hosts: rabbitmq
|
||||||
|
become: false
|
||||||
|
gather_facts: false
|
||||||
|
vars_files:
|
||||||
|
- vars/encpass.yml
|
||||||
|
- vars/rabbitmq.yml
|
||||||
|
|
||||||
|
tasks:
|
||||||
|
- name: "Checking for user variables"
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- username != "admin"
|
||||||
|
- username != "guest"
|
||||||
|
- username != "mq-monitoring"
|
||||||
|
success_msg: "Required variables provided"
|
||||||
|
fail_msg: "Username is reserved"
|
||||||
|
tags:
|
||||||
|
- rabbitmq
|
||||||
|
|
||||||
|
- name: "Validate username queue name"
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- "queue_name.startswith(username)"
|
||||||
|
tags:
|
||||||
|
- rabbitmq
|
||||||
|
|
||||||
|
- name: "Creating User Account"
|
||||||
|
community.rabbitmq.rabbitmq_user:
|
||||||
|
user: "{{ username }}"
|
||||||
|
vhost: "{{ vhost|default('/pubsub') }}"
|
||||||
|
read_priv: "^(zmq\\.topic)|^(amq\\.topic)|({{ username }}.*)$"
|
||||||
|
write_priv: "^(amq\\.topic)|({{ username }}.*){% for queue in write_queues|default([]) %}|({{ queue }}.*){% endfor %}$"
|
||||||
|
configure_priv: "^$"
|
||||||
|
state: present
|
||||||
|
tags:
|
||||||
|
- rabbitmq
|
||||||
|
|
||||||
|
- name: "Create {{ queue_name }}"
|
||||||
|
delegate_to: "{{ rabbitmq_cluster_list[0] }}"
|
||||||
|
community.rabbitmq.rabbitmq_queue:
|
||||||
|
name: "{{ queue_name }}"
|
||||||
|
vhost: "{{ vhost|default('/pubsub') }}"
|
||||||
|
auto_delete: false
|
||||||
|
durable: true
|
||||||
|
message_ttl: "{{ message_ttl|default('null') }}"
|
||||||
|
state: present
|
||||||
|
login_user: admin
|
||||||
|
login_password: "{{ rabbitmq_admin_password }}"
|
||||||
|
tags:
|
||||||
|
- rabbitmq
|
||||||
|
|
||||||
|
- name: "Bind {{ queue_name }} to amq.topic exchange"
|
||||||
|
delegate_to: "{{ rabbitmq_cluster_list[0] }}"
|
||||||
|
community.rabbitmq.rabbitmq_binding:
|
||||||
|
name: "amq.topic"
|
||||||
|
destination: "{{ queue_name }}"
|
||||||
|
destination_type: queue
|
||||||
|
routing_key: "{{ item }}"
|
||||||
|
vhost: "{{ vhost|default('/pubsub') }}"
|
||||||
|
state: present
|
||||||
|
login_user: admin
|
||||||
|
login_password: "{{ rabbitmq_admin_password }}"
|
||||||
|
tags:
|
||||||
|
- rabbitmq
|
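Review bot: The permission patterns in the `Creating User Account` task are only partially anchored and interpolate `username` into a regex unescaped, so the grant can be wider than the username prefix the playbook header describes. In `read_priv` the `^` binds only to the first two alternatives and the `$` only to the last, and a dotted FQDN username turns every `.` into a wildcard; `write_priv` builds its `write_queues` alternatives the same way, and whether an unanchored alternative also matches a name that merely contains the username depends on how the broker applies the pattern, which I cannot confirm from here. A tighter form is `read_priv: "^(zmq\\.topic|amq\\.topic|{{ username | regex_escape }}.*)$"`, with the same `regex_escape` applied to `queue` inside the `write_priv` loop. Separately, `message_ttl: "{{ message_ttl|default('null') }}"` hands the module the literal string `null` when the variable is unset; `default(omit)` leaves the argument out instead.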
@ -1,6 +1,7 @@
|
|||||||
---
|
---
|
||||||
# This playbook is meant to be used with callable variables, like adhoc or AWX.
|
# This playbook is meant to be used with callable variables, like adhoc or AWX.
|
||||||
# What: Creates RabbitMQ Users
|
# What: Creates RabbitMQ Users
|
||||||
|
# The username is the required parameter
|
||||||
|
|
||||||
- name: Create a User
|
- name: Create a User
|
||||||
hosts: rabbitmq
|
hosts: rabbitmq
|
||||||
|
@ -4,6 +4,7 @@
|
|||||||
hosts: gitlabservers
|
hosts: gitlabservers
|
||||||
become: true
|
become: true
|
||||||
vars_files:
|
vars_files:
|
||||||
|
- vars/common.yml
|
||||||
- vars/gitlab.yml
|
- vars/gitlab.yml
|
||||||
|
|
||||||
# This is to try to avoid the handler issue in pre/post tasks
|
# This is to try to avoid the handler issue in pre/post tasks
|
||||||
|
@ -4,6 +4,7 @@
|
|||||||
hosts: rabbitmq
|
hosts: rabbitmq
|
||||||
become: true
|
become: true
|
||||||
vars_files:
|
vars_files:
|
||||||
|
- vars/common.yml
|
||||||
- vars/encpass.yml
|
- vars/encpass.yml
|
||||||
- vars/rabbitmq.yml
|
- vars/rabbitmq.yml
|
||||||
|
|
||||||
|
@ -40,7 +40,7 @@ gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
|
|||||||
password: '{{ gitlab_ldap_password }}'
|
password: '{{ gitlab_ldap_password }}'
|
||||||
allow_username_or_email_login: true
|
allow_username_or_email_login: true
|
||||||
base: '{{ gitlab_ldap_base }}'
|
base: '{{ gitlab_ldap_base }}'
|
||||||
user_filter: ''
|
user_filter: '{{ gitlab_ldap_user_filter }}'
|
||||||
group_base: '{{ gitlab_ldap_group_dn }}'
|
group_base: '{{ gitlab_ldap_group_dn }}'
|
||||||
admin_group: '{{ gitlab_ldap_admin_group }}'
|
admin_group: '{{ gitlab_ldap_admin_group }}'
|
||||||
sync_ssh_keys: true
|
sync_ssh_keys: true
|
||||||
|
8
ansible/playbooks/vars/common.yml
Normal file
8
ansible/playbooks/vars/common.yml
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
---
|
||||||
|
rocky_ldap_bind_dn: "uid=binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org"
|
||||||
|
rocky_ldap_bind_pw: "ThisIsNotThePassword!"
|
||||||
|
rocky_ldap_user_basedn: "cn=users,cn=accounts,dc=rockylinux,dc=org"
|
||||||
|
rocky_ldap_group_basedn: "cn=groups,cn=accounts,dc=rockylinux,dc=org"
|
||||||
|
rocky_ldap_account_basedn: "cn=accounts,dc=rockylinux,dc=org"
|
||||||
|
# Requires jinja 2.9+
|
||||||
|
rocky_ipaserver_list: "{{ groups['ipaserver'] + groups['ipareplicas'] }}"
|
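Review bot: `rocky_ipaserver_list` fails with an undefined-variable error on any inventory that has no `ipareplicas` group, because `groups['ipareplicas']` is indexed without a default while a replica group is optional; `rocky_ipaserver_list: "{{ groups['ipaserver'] + (groups['ipareplicas'] | default([])) }}"` keeps the list usable either way. `rocky_ldap_bind_pw` also sits in this plain vars file while the other secrets this commit touches are `!vault` scalars in `vars/encpass.yml`; the value is visibly a placeholder, but now that every consumer reads the bind password from here, this is where a real credential would land, so a vaulted value (or a reference into the encrypted file) is the safer shape.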
@ -16,3 +16,6 @@ ipsilon_db_password: !vault |
|
|||||||
koji_db_pass: !vault |
|
koji_db_pass: !vault |
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
REDACTED
|
REDACTED
|
||||||
|
pubsub_federation_pass: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
REDACTED
|
||||||
|
@ -21,15 +21,16 @@ gitlab_ssl_key: "/etc/nginx/ssl/{{ gitlab_domain }}.key"
|
|||||||
|
|
||||||
# LDAP Configuration
|
# LDAP Configuration
|
||||||
gitlab_ldap_enabled: "true"
|
gitlab_ldap_enabled: "true"
|
||||||
gitlab_ldap_host: "ipa001.rockylinux.org"
|
gitlab_ldap_host: "{{ rocky_ipaserver_list[0] }}"
|
||||||
gitlab_ldap_port: "389"
|
gitlab_ldap_port: "389"
|
||||||
gitlab_ldap_uid: "uid"
|
gitlab_ldap_uid: "uid"
|
||||||
gitlab_ldap_method: "start_tls"
|
gitlab_ldap_method: "start_tls"
|
||||||
gitlab_ldap_bind_dn: "uid=binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org"
|
gitlab_ldap_bind_dn: "{{ rocky_ldap_bind_dn }}"
|
||||||
gitlab_ldap_password: "ThisIsNotThePassword!"
|
gitlab_ldap_password: "{{ rocky_ldap_bind_pw }}"
|
||||||
gitlab_ldap_base: "cn=users,cn=accounts,dc=rockylinux,dc=org"
|
gitlab_ldap_base: "{{ rocky_ldap_user_basedn }}"
|
||||||
gitlab_ldap_group_dn: "cn=groups,cn=accounts,dc=rockylinux,dc=org"
|
gitlab_ldap_group_dn: "{{ rocky_ldap_group_basedn }}"
|
||||||
gitlab_ldap_admin_group: "cn=gitadm,cn=groups,cn=accounts,dc=rockylinux,dc=org"
|
gitlab_ldap_admin_group: "cn=gitadm,cn=groups,cn=accounts,dc=rockylinux,dc=org"
|
||||||
|
gitlab_ldap_user_filter: "(&(objectClass=posixAccount)(memberOf=cn=gitusers,cn=groups,cn=accounts,dc=rockylinux,dc=org))"
|
||||||
|
|
||||||
gitlab_time_zone: "UTC"
|
gitlab_time_zone: "UTC"
|
||||||
|
|
||||||
|
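Review bot: `gitlab_ldap_host` now resolves to the first inventory name in `rocky_ipaserver_list`, and with `gitlab_ldap_method: "start_tls"` that name is what the LDAP server certificate is validated against, so the change only works if the inventory names of the `ipaserver`/`ipareplicas` hosts are the FQDNs the certificate carries (the previous literal, `ipa001.rockylinux.org`, was one). That constraint is not visible from this file, so a comment above the line would help, e.g. `# inventory names in rocky_ipaserver_list must be FQDNs matching the IPA TLS certificate (start_tls)`. Picking `[0]` also pins GitLab to a single server with no fallback, which may be fine but is worth stating in the same comment.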
@ -42,12 +42,25 @@ ipagroups:
|
|||||||
- rfelsburg
|
- rfelsburg
|
||||||
- tg
|
- tg
|
||||||
- hbjy
|
- hbjy
|
||||||
|
- group: gitusers
|
||||||
|
description: Rocky Linux GitLab Users
|
||||||
|
user:
|
||||||
|
- label
|
||||||
|
- neil
|
||||||
|
- rlh
|
||||||
|
- rfelsburg
|
||||||
|
- tg
|
||||||
|
- hbjy
|
||||||
|
- rockyautomation
|
||||||
- group: services
|
- group: services
|
||||||
description: Rocky Linux Service Accounts
|
description: Rocky Linux Service Accounts
|
||||||
user:
|
user:
|
||||||
- hostman
|
- hostman
|
||||||
- kerbman
|
- kerbman
|
||||||
- rockykoji
|
- rockykoji
|
||||||
|
- pubsub_federation
|
||||||
|
- rockypubsub
|
||||||
|
- rockyautomation
|
||||||
- group: iam
|
- group: iam
|
||||||
description: Rocky Linux Identity Management
|
description: Rocky Linux Identity Management
|
||||||
user:
|
user:
|
||||||
@ -56,3 +69,5 @@ ipagroups:
|
|||||||
description: Rocky Linux Release Engineering
|
description: Rocky Linux Release Engineering
|
||||||
user:
|
user:
|
||||||
- label
|
- label
|
||||||
|
- group: mq_pub_readonly
|
||||||
|
description: RabbitMQ ReadOnly
|
||||||
|
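Review bot: The new `mq_pub_readonly` group ends at `description` with no `user:` key, unlike every other entry in this list; if the task that consumes `ipagroups` reads `item.user` without a default (it is not visible here), this entry fails the run, so `user: []` would make the intent explicit. `rockyautomation` is also added to both `gitusers` and `services`, and since the new `gitlab_ldap_user_filter` admits anyone in `gitusers`, the automation service account gains GitLab login; that looks deliberate but deserves a one-line comment next to the `gitusers` entry saying why the account needs it. The `ipagroups` list starts above the first hunk.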
@ -16,6 +16,10 @@ rabbitmq_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
|
|||||||
#rabbitmq_cluster_name:
|
#rabbitmq_cluster_name:
|
||||||
#rabbitmq_env:
|
#rabbitmq_env:
|
||||||
|
|
||||||
|
# Federation / Public Queues
|
||||||
|
rabbitmq_enable_public: false
|
||||||
|
#pubsub_federation_pass:
|
||||||
|
|
||||||
# THIS IS DYNAMIC. IT'S ADVISED IT NOT BE STATIC.
|
# THIS IS DYNAMIC. IT'S ADVISED IT NOT BE STATIC.
|
||||||
# This should be changed depending on how inventory is managed. For example, if
|
# This should be changed depending on how inventory is managed. For example, if
|
||||||
# it's not possible to have "staging inventory" as opposed to a "production"
|
# it's not possible to have "staging inventory" as opposed to a "production"
|
||||||
@ -23,6 +27,7 @@ rabbitmq_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
|
|||||||
# also possible there will be more than one cluster, so these must be taken
|
# also possible there will be more than one cluster, so these must be taken
|
||||||
# into account when setting this variable.
|
# into account when setting this variable.
|
||||||
rabbitmq_cluster_list: "{{ groups['rabbitmq'] }}"
|
rabbitmq_cluster_list: "{{ groups['rabbitmq'] }}"
|
||||||
|
rabbitmq_ldap_servers: "{{ rocky_ipaserver_list }}"
|
||||||
|
|
||||||
# Messaging queues are generally private
|
# Messaging queues are generally private
|
||||||
rabbitmq_private: true
|
rabbitmq_private: true
|
||||||
|
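Review bot: `#pubsub_federation_pass:` in the first hunk is a commented-out key for a value this commit stores as a `!vault` scalar in `vars/encpass.yml`; as a bare commented key in an unencrypted file it invites someone to uncomment it with a plaintext value. A comment that points at the real location, e.g. `# pubsub_federation_pass is defined in vars/encpass.yml (vault encrypted)`, keeps the secret where it is. `rabbitmq_ldap_servers` in the second hunk inherits `rocky_ipaserver_list` from `vars/common.yml`, which as written is undefined on inventories without an `ipareplicas` group.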
@ -21,3 +21,24 @@ svcusers:
|
|||||||
password: ThisIsNotMyPassword1!
|
password: ThisIsNotMyPassword1!
|
||||||
title: System Account - Koji Manager
|
title: System Account - Koji Manager
|
||||||
loginshell: /sbin/nologin
|
loginshell: /sbin/nologin
|
||||||
|
- name: pubsub_federation
|
||||||
|
first: pubsub
|
||||||
|
last: federation
|
||||||
|
email: infrastructure@rockylinux.org
|
||||||
|
password: ThisIsNotMyPassword1!
|
||||||
|
title: System Account - pubsub federator
|
||||||
|
loginshell: /sbin/nologin
|
||||||
|
- name: rockypubsub
|
||||||
|
first: rocky
|
||||||
|
last: pubsub
|
||||||
|
email: infrastructure@rockylinux.org
|
||||||
|
password: ThisIsNotMyPassword1!
|
||||||
|
title: System Account - pubsub
|
||||||
|
loginshell: /sbin/nologin
|
||||||
|
- name: rockyautomation
|
||||||
|
first: Rocky
|
||||||
|
last: Automation
|
||||||
|
email: infrastructure@rockylinux.org
|
||||||
|
password: ThisIsNotMyPassword1!
|
||||||
|
title: System Account - Automation
|
||||||
|
loginshell: /sbin/nologin
|
||||||
|
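Review bot: The three new `svcusers` entries all carry the same plaintext `password: ThisIsNotMyPassword1!`, following the existing Koji entry above; if the consuming task sets this as the initial password, the accounts share a guessable credential until someone rotates them, and `pubsub_federation` already has a distinct vaulted value in `vars/encpass.yml`. Referencing that variable here (`password: "{{ pubsub_federation_pass }}"`) or marking the placeholder as such in a comment would stop the two from drifting apart. The `svcusers` list starts above the hunk.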