slurry of changes and fixes

nazunalika 2020-12-30 02:22:58 -07:00
parent 7d8ed3bbe5
commit 99e163b220
11 changed files with 146 additions and 6 deletions


@ -0,0 +1,84 @@
---
# This playbook is meant to be used with callable variables, like adhoc or AWX.
# What: Creates RabbitMQ Users
# Required parameters:
# -> username: The username to create in RabbitMQ, which should match an LDAP
# name or the CN of a certificate. Note that if it's a hostname
# it must be the FQDN.
# -> queue_name: Name of the queue to create. This should be setup with a
# prefix_suffix name, where prefix is the username, and
# the suffix is a service name.
# -> routing_keys: A list to be used as routing keys.
# Optional:
# -> write_queues: A list of queues name prefixes that which the user will
# be allowed to publish.
# -> thresholds: A dictionary with two keys "warning" and "critical" - The
# values are numbers. In the event we have a monitoring system
# this can be a number of messages that could cause an alert.
# -> vhost: The vhost this queue will be part of. The default is /pubsub.
- name: Create a User
hosts: rabbitmq
become: false
gather_facts: false
vars_files:
- vars/encpass.yml
- vars/rabbitmq.yml
tasks:
- name: "Checking for user variables"
assert:
that:
- username != "admin"
- username != "guest"
- username != "mq-monitoring"
success_msg: "Required variables provided"
fail_msg: "Username is reserved"
tags:
- rabbitmq
- name: "Validate username queue name"
assert:
that:
- "queue_name.startswith(username)"
tags:
- rabbitmq
- name: "Creating User Account"
community.rabbitmq.rabbitmq_user:
user: "{{ username }}"
vhost: "{{ vhost|default('/pubsub') }}"
read_priv: "^(zmq\\.topic)|^(amq\\.topic)|({{ username }}.*)$"
write_priv: "^(amq\\.topic)|({{ username }}.*){% for queue in write_queues|default([]) %}|({{ queue }}.*){% endfor %}$"
configure_priv: "^$"
state: present
tags:
- rabbitmq
- name: "Create {{ queue_name }}"
delegate_to: "{{ rabbitmq_cluster_list[0] }}"
community.rabbitmq.rabbitmq_queue:
name: "{{ queue_name }}"
vhost: "{{ vhost|default('/pubsub') }}"
auto_delete: false
durable: true
message_ttl: "{{ message_ttl|default('null') }}"
state: present
login_user: admin
login_password: "{{ rabbitmq_admin_password }}"
tags:
- rabbitmq
- name: "Bind {{ queue_name }} to amq.topic exchange"
delegate_to: "{{ rabbitmq_cluster_list[0] }}"
community.rabbitmq.rabbitmq_binding:
name: "amq.topic"
destination: "{{ queue_name }}"
destination_type: queue
routing_key: "{{ item }}"
vhost: "{{ vhost|default('/pubsub') }}"
state: present
login_user: admin
login_password: "{{ rabbitmq_admin_password }}"
tags:
- rabbitmq
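Review bot: The permission patterns in the "Creating User Account" task are not anchored the way they read: in `^(zmq\\.topic)|^(amq\\.topic)|({{ username }}.*)$` the `^` binds only to the first two alternatives and the `$` only to the last, so the username branch matches any resource whose name merely contains the username, and the exchange branches match any name that starts with `amq.topic`. The username and `write_queues` entries are also interpolated unescaped, and the header comment says usernames may be FQDNs, where each `.` matches any character. I would group the alternation and escape the inputs, e.g. `read_priv: "^(zmq\\.topic|amq\\.topic|{{ username | regex_escape }}.*)$"`, with the same treatment for `write_priv`. Separately, the final binding task uses `{{ item }}` but no `loop:` is visible in this section; if it is really absent, `loop: "{{ routing_keys }}"` is needed.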


@ -1,6 +1,7 @@
---
# This playbook is meant to be used with callable variables, like adhoc or AWX.
# What: Creates RabbitMQ Users
# The username is the required parameter
- name: Create a User
hosts: rabbitmq


@ -4,6 +4,7 @@
hosts: gitlabservers
become: true
vars_files:
- vars/common.yml
- vars/gitlab.yml
# This is to try to avoid the handler issue in pre/post tasks


@ -4,6 +4,7 @@
hosts: rabbitmq
become: true
vars_files:
- vars/common.yml
- vars/encpass.yml
- vars/rabbitmq.yml


@ -40,7 +40,7 @@ gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
password: '{{ gitlab_ldap_password }}'
allow_username_or_email_login: true
base: '{{ gitlab_ldap_base }}'
user_filter: ''
user_filter: '{{ gitlab_ldap_user_filter }}'
group_base: '{{ gitlab_ldap_group_dn }}'
admin_group: '{{ gitlab_ldap_admin_group }}'
sync_ssh_keys: true


@ -0,0 +1,8 @@
---
rocky_ldap_bind_dn: "uid=binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org"
rocky_ldap_bind_pw: "ThisIsNotThePassword!"
rocky_ldap_user_basedn: "cn=users,cn=accounts,dc=rockylinux,dc=org"
rocky_ldap_group_basedn: "cn=groups,cn=accounts,dc=rockylinux,dc=org"
rocky_ldap_account_basedn: "cn=accounts,dc=rockylinux,dc=org"
# Requires jinja 2.9+
rocky_ipaserver_list: "{{ groups['ipaserver'] + groups['ipareplicas'] }}"


@ -16,3 +16,6 @@ ipsilon_db_password: !vault |
koji_db_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
REDACTED
pubsub_federation_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
REDACTED


@ -21,15 +21,16 @@ gitlab_ssl_key: "/etc/nginx/ssl/{{ gitlab_domain }}.key"
# LDAP Configuration
gitlab_ldap_enabled: "true"
gitlab_ldap_host: "ipa001.rockylinux.org"
gitlab_ldap_host: "{{ rocky_ipaserver_list[0] }}"
gitlab_ldap_port: "389"
gitlab_ldap_uid: "uid"
gitlab_ldap_method: "start_tls"
gitlab_ldap_bind_dn: "uid=binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org"
gitlab_ldap_password: "ThisIsNotThePassword!"
gitlab_ldap_base: "cn=users,cn=accounts,dc=rockylinux,dc=org"
gitlab_ldap_group_dn: "cn=groups,cn=accounts,dc=rockylinux,dc=org"
gitlab_ldap_bind_dn: "{{ rocky_ldap_bind_dn }}"
gitlab_ldap_password: "{{ rocky_ldap_bind_pw }}"
gitlab_ldap_base: "{{ rocky_ldap_user_basedn }}"
gitlab_ldap_group_dn: "{{ rocky_ldap_group_basedn }}"
gitlab_ldap_admin_group: "cn=gitadm,cn=groups,cn=accounts,dc=rockylinux,dc=org"
gitlab_ldap_user_filter: "(&(objectClass=posixAccount)(memberOf=cn=gitusers,cn=groups,cn=accounts,dc=rockylinux,dc=org))"
gitlab_time_zone: "UTC"
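Review bot: `gitlab_ldap_user_filter` spells out the full group DN by hand even though the neighbouring settings now derive from `rocky_ldap_group_basedn`. This filter is what limits which directory accounts can sign in to GitLab, so it is worth deriving it from the same variable to stop it drifting from the base DNs: `gitlab_ldap_user_filter: "(&(objectClass=posixAccount)(memberOf=cn=gitusers,{{ rocky_ldap_group_basedn }}))"`. The `gitlab_ldap_admin_group` line has the same hard-coded suffix. A one-line comment above the filter, such as `# Only members of gitusers may log in to GitLab`, would also make the intent explicit.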


@ -42,12 +42,25 @@ ipagroups:
- rfelsburg
- tg
- hbjy
- group: gitusers
description: Rocky Linux GitLab Users
user:
- label
- neil
- rlh
- rfelsburg
- tg
- hbjy
- rockyautomation
- group: services
description: Rocky Linux Service Accounts
user:
- hostman
- kerbman
- rockykoji
- pubsub_federation
- rockypubsub
- rockyautomation
- group: iam
description: Rocky Linux Identity Management
user:
@ -56,3 +69,5 @@ ipagroups:
description: Rocky Linux Release Engineering
user:
- label
- group: mq_pub_readonly
description: RabbitMQ ReadOnly
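Review bot: The new `mq_pub_readonly` entry at the end of the list has a `description` but no `user` key, unlike every other group visible in this section. The task that consumes `ipagroups` is not shown here; if it reads `item.user` without a default it will fail on this entry, so I would add `user: []` or confirm that the consumer tolerates the missing key.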


@ -16,6 +16,10 @@ rabbitmq_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
#rabbitmq_cluster_name:
#rabbitmq_env:
# Federation / Public Queues
rabbitmq_enable_public: false
#pubsub_federation_pass:
# THIS IS DYNAMIC. IT'S ADVISED IT NOT BE STATIC.
# This should be changed depending on how inventory is managed. For example, if
# it's not possible to have "staging inventory" as opposed to a "production"
@ -23,6 +27,7 @@ rabbitmq_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
# also possible there will be more than one cluster, so these must be taken
# into account when setting this variable.
rabbitmq_cluster_list: "{{ groups['rabbitmq'] }}"
rabbitmq_ldap_servers: "{{ rocky_ipaserver_list }}"
# Messaging queues are generally private
rabbitmq_private: true


@ -21,3 +21,24 @@ svcusers:
password: ThisIsNotMyPassword1!
title: System Account - Koji Manager
loginshell: /sbin/nologin
- name: pubsub_federation
first: pubsub
last: federation
email: infrastructure@rockylinux.org
password: ThisIsNotMyPassword1!
title: System Account - pubsub federator
loginshell: /sbin/nologin
- name: rockypubsub
first: rocky
last: pubsub
email: infrastructure@rockylinux.org
password: ThisIsNotMyPassword1!
title: System Account - pubsub
loginshell: /sbin/nologin
- name: rockyautomation
first: Rocky
last: Automation
email: infrastructure@rockylinux.org
password: ThisIsNotMyPassword1!
title: System Account - Automation
loginshell: /sbin/nologin