Merge pull request #14985 from rocky-linux/develop

Merge Downward Changes
This commit is contained in:
Louis Abel 2021-04-02 18:02:13 -07:00 committed by GitHub
commit be269f8608
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
21 changed files with 536 additions and 66 deletions

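--- a/.ansible-lint
+++ b/.ansible-lint
@@ -0,0 +1,3 @@
+warn_list:
+- internal-error
+- syntax-check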


@ -104,3 +104,6 @@ matterbridge.rockylinux.org ansible_host=10.100.xx.xx
[matomo]
matomo.rockylinux.org ansible_host=10.100.xx.xx
[bugtracker]
bugs.rockylinux.org ansible_host=10.100.xx.xx


@ -0,0 +1,16 @@
[Unit]
Description=noggin
After=network-online.target
Wants=network-online.target
[Service]
Environment=FLASK_APP=/opt/noggin/noggin/noggin/app.py
Environment=NOGGIN_CONFIG_PATH=/opt/noggin/noggin.cfg
Environment=FLASK_DEBUG=1
User=noggin
WorkingDirectory=/opt/noggin/noggin
ExecStart=/bin/bash /opt/noggin/start_noggin.sh
PrivateTmp=true
[Install]
WantedBy=multi-user.target
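Review bot: `Environment=FLASK_DEBUG=1` switches Flask debug mode on for a production identity-management service; debug mode enables the Werkzeug interactive debugger when the app is served via `flask run` and verbose tracebacks otherwise, so the line should be dropped from the unit (the start script in this commit exports it again, so both places need it removed). The unit runs as an unprivileged user but has no sandboxing beyond `PrivateTmp=true`; adding `NoNewPrivileges=true` and `ProtectSystem=full` under `[Service]` is cheap, assuming gunicorn only needs to read `/opt/noggin` and `/home/noggin`. There is also no `Restart=on-failure`, so a crashed gunicorn stays down until someone notices.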


@ -1,8 +1,13 @@
---
# Installs the mantis bug tracker
- name: Configure MantisBT
hosts: "{{ host }}"
hosts: "bugtracker"
become: true
vars_files:
- vars/common.yml
- vars/vaults/encpass.yml
- vars/vaults/mantis.yml
- vars/mantis.yml
handlers:
- import_tasks: handlers/main.yml
@ -20,11 +25,31 @@
success_msg: "We are not able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
roles:
- role: rockylinux.ipagetcert
state: present
tasks:
- name: Deploy Mantis
import_tasks: tasks/mantis.yml
post_tasks:
- name: Open firewalld ports
ansible.posix.firewalld:
service: "{{ item }}"
permanent: true
immediate: true
state: enabled
with_items:
- http
- https
- name: Ensure httpd is enabled and running
service:
name: httpd
enabled: true
state: started
- name: Touching run file that ansible has ran here
file:
path: /var/log/ansible.run


@ -0,0 +1,34 @@
---
# (Re)deploys the noggin theme
- name: Deploy Noggin
hosts: "idp"
become: true
handlers:
- import_tasks: handlers/main.yml
pre_tasks:
- name: Check if ansible cannot be run here
stat:
path: /etc/no-ansible
register: no_ansible
- name: Verify if we can run ansible
assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are not able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
tasks:
- name: Deploy Noggin
import_tasks: "tasks/noggin.yml"
post_tasks:
- name: Touching run file that ansible has ran here
file:
path: /var/log/ansible.run
state: touch
mode: '0644'
owner: root
group: root
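Review bot: The play declares no `vars_files`, yet the imported `tasks/noggin.yml` renders `noggin.cfg.j2`, which references `rocky_ldap_userman_pw` (added to `vars/common.yml` in this commit as `{{ ipa_userman_password }}`); unless both variables arrive through group_vars for `idp`, the template task fails on an undefined variable. The mantis playbook in the same commit loads `vars/common.yml` and `vars/vaults/encpass.yml`, so this play presumably needs an equivalent `vars_files:` block. Please verify where `ipa_userman_password` is expected to come from.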


@ -0,0 +1,34 @@
---
# Preps a system to be a repository
- name: Configure repository system
hosts: "{{ host }}"
become: true
handlers:
- import_tasks: handers/main.yml
pre_tasks:
- name: Check if ansible cannot be run here
stat:
path: /etc/no-ansible
register: no_ansible
- name: Verify if we can run ansible
assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are not able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
tasks:
- name: Configure repository system
import_tasks: tasks/repository.yml
post_tasks:
- name: Touching run file that ansible has ran here
file:
path: /var/log/ansible.run
state: touch
mode: '0644'
owner: root
group: root
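Review bot: `import_tasks: handers/main.yml` is misspelled (`handlers/main.yml`), so the play aborts with a missing-file error before any task runs; every other playbook in this commit uses the correct path. `hosts: "{{ host }}"` with no default means the play also aborts when `-e host=` is omitted, which is probably the safe behaviour here, but a one-line comment such as `# Requires -e host=<inventory group>` would make that intent explicit.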


@ -0,0 +1,69 @@
---
# WikiJS
- name: Install and manage Wikijs
hosts: wiki
become: false
vars_files:
- vars/vaults/hostman.yml
- vars/vaults/wikijs.yml
- vars/wikijs.yml
# This is to try to avoid the handler issue in pre/post tasks
handlers:
- import_tasks: handlers/main.yml
pre_tasks:
- name: Check if ansible cannot be run here
stat:
path: /etc/no-ansible
register: no_ansible
- name: Verify if we can run ansible
assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
- name: Install SELinux packages
become: true
package:
name: python3-policycoreutils.noarch
state: present
roles:
- role: rockylinux.ipagetcert
become: true
state: present
tags: ['certs']
- role: rockylinux.wikijs
tags: ['wikijs']
become: true
# Define variables in vars/wikijs.yml
- role: nginxinc.nginx_core.nginx
tags: ['nginx']
become: true
- role: nginxinc.nginx_core.nginx_config
tags: ['nginx']
become: true
post_tasks:
- name: Open firewalld ports
become: true
ansible.posix.firewalld:
port: "{{ item.port }}"
permanent: "{{ item.permanent }}"
state: "{{ item.state }}"
immediate: yes
loop: "{{ firewall_rules }}"
- name: Touching run file that ansible has ran here
become: true
file:
path: /var/log/ansible.run
state: touch
mode: '0644'
owner: root
group: root


@ -1,54 +1,4 @@
---
- name: Reset grub link if we are EFI
set_fact:
grub_config_path_link: "{{ grub_config_path_efi }}"
when:
- efi_installed.stat.isdir is defined
- efi_installed.stat.isdir
- grub_config_path_efi is defined
tags:
- efi
- name: Create grub.d directory
file:
name: /etc/default/grub.d
owner: root
group: root
mode: '0755'
state: directory
recurse: true
tags:
- grub
- kernel
- harden
- name: Append /etc/default/grub file
lineinfile:
path: /etc/default/grub
line: for x in $(ls /etc/default/grub.d) ; do source /etc/default/grub.d/$x ; done
state: present
tags:
- grub
- kernel
- harden
- name: Command line defaults
copy:
dest: "/etc/default/grub.d/99-rocky.cfg"
owner: root
group: root
mode: '0644'
content: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT {{ grub_boot_options }}"'
tags:
- grub
- kernel
- harden
- name: Rebuild grub
command: "/usr/sbin/grub2-mkconfig -o {{ grub_config_path_link }}"
register: grub_command_result
changed_when: "grub_command_result.rc == 0"
tags:
- grub
- kernel
- harden
- name: Add kernel boot options to all kernels and default config
command: /usr/sbin/grubby --update-kernel=ALL --args "{{ grub_boot_options }}"
changed_when: "1 != 1"
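Review bot: `changed_when: "1 != 1"` on the `grubby --update-kernel=ALL --args` task makes a command that rewrites every boot entry always report *ok*, so a run that actually changes kernel parameters leaves no trace in the play recap and can never notify a handler. If grubby skips arguments that are already present (to be confirmed for the grubby version on EL8), the task is idempotent and `changed_when` can simply be dropped; otherwise register `grubby --info=ALL` before and after and compare. The removed grub.d approach had the same blind spot, so this is not a regression, but this task is now the only content of the file.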


@ -32,6 +32,11 @@
mode: '0644'
remote_src: true
- name: Generate crypto salt
shell: "set -o pipefail && cat /dev/urandom | head -c 64 | base64 --wrap=0"
changed_when: "1 != 1"
register: cryptosalt_string
- name: Configure mantis
template:
src: "var/www/mantis/config/config_inc.php.j2"
@ -40,6 +45,22 @@
group: apache
mode: '0640'
- name: Deploy plugins from Mantis GitHub
git:
repo: "https://github.com/mantisbt-plugins/{{ item }}.git"
dest: "/var/www/mantisbt-{{ mantis_version }}/plugins/{{ item }}"
update: true
version: master
with_items:
- Snippets
- name: Deploy custom libravatar plugin
git:
repo: "https://github.com/nazunalika/mantisbt-libravatar.git"
dest: "/var/www/mantisbt-{{ mantis_version }}/plugins/Libravatar"
update: true
version: main
- name: Configure httpd
template:
src: "etc/httpd/conf.d/mantis.conf.j2"
@ -47,3 +68,25 @@
owner: root
group: root
mode: '0644'
- name: Database import template
template:
src: "tmp/mantis_import.sql.j2"
dest: "/tmp/mantis_import.sql.j2"
owner: root
group: root
mode: '0600'
# We will need to generate this
# name: Import database if required
# community.general.postgresql_db:
# name: "{{ mantis_db_name }}"
# target: /tmp/mantis_import.sql
# owner: "{{ mantis_db_user }}"
# state: restore
# login_host: "{{ mantis_db_host }}"
# login_user: "{{ mantis_db_user }}"
# login_password: "{{ mantis_db_pass }}"
- name: Patch up some pages
import_tasks: mantispatch.yml
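Review bot: The `Generate crypto salt` task draws 64 fresh random bytes on every run and `config_inc.php.j2` writes them as `$g_crypto_master_salt = '{{ cryptosalt_string.stdout }}'`, so each playbook run rotates MantisBT's master salt and invalidates everything derived from it (login cookies, CSRF and API tokens). Generate the value once and persist it — e.g. `copy` it to a root-only file with `force: false` and `slurp` it back, or keep it as a vaulted variable next to `mantis_db_pass`. Separately, the two `git` tasks track `master`/`main` of third-party plugin repositories on a public bug tracker; pinning `version:` to a tag or commit keeps the deployment reproducible and reviewable.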


@ -0,0 +1,25 @@
---
# Patch up various pieces of mantis to customize it. We do not rely on local
# bug tracker accounts. We are doing regex instead of just replacing the
# file as a whole. Should make it easier to deal with upgrades in theory.
- name: Change signup_page.php to Account Services
replace:
path: "/var/www/mantisbt-{{ mantis_version }}/{{ item }}"
regexp: 'signup_page.php'
replace: 'https://accounts.rockylinux.org'
with_items:
- core/print_api.php
- lost_pwd_page.php
- login_page.php
- name: Change special signup_page.php reference
replace:
path: "/var/www/mantisbt-{{ mantis_version }}/core/layout_api.php"
regexp: "' . helper_mantis_url( 'signup_page.php' ) . '"
replace: 'https://accounts.rockylinux.org'
- name: Remove LDAP from checks for signup button
lineinfile:
path: "/var/www/mantisbt-{{ mantis_version }}/login_page.php"
state: absent
regex: 'LDAP != config_get_global'
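Review bot: The `regexp` in `Change special signup_page.php reference` is a regular expression, not a literal, so the parentheses in `helper_mantis_url( 'signup_page.php' )` form a capture group and the pattern cannot match the literal text in `core/layout_api.php`; the task is a silent no-op. Escape the metacharacters, e.g. `regexp: "' \\. helper_mantis_url\\( 'signup_page\\.php' \\) \\. '"` (doubled backslashes because the value is double-quoted YAML). The first task's `signup_page.php` also leaves the `.` unescaped; it happens to match the literal dot, but `signup_page\.php` states the intent. Because these edit vendor files, registering each result and asserting `.changed` on a fresh checkout would catch the next MantisBT upgrade breaking them silently.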


@ -0,0 +1,88 @@
---
- name: Ensure python is installed
yum:
name:
- python3
- python3-pip
state: present
- name: Ensure noggin user exists
user:
name: noggin
comment: "Noggin FAS"
- name: Create noggin directory
file:
path: /opt/noggin
state: directory
mode: '0700'
owner: noggin
group: noggin
- name: Deploy noggin
git:
repo: https://github.com/fedora-infra/noggin.git
dest: /opt/noggin/noggin
update: true
version: main
become: true
become_user: noggin
- name: Noggin user must install poetry
pip:
name: poetry
executable: pip3
become: true
become_user: noggin
- name: Remove any pycache
file:
path: "/home/noggin/.cache/pypoetry"
state: absent
- name: Noggin installation
command: "/home/noggin/.local/bin/poetry install --no-dev --extras deploy"
become: true
become_user: noggin
changed_when: "1 != 1"
args:
chdir: "/opt/noggin/noggin"
- name: Get the noggin poetry virtualenv
shell:
cmd: "poetry env list | awk '{print $1}'"
chdir: "/opt/noggin/noggin"
become: true
become_user: noggin
changed_when: "1 != 1"
register: virtualenv_location
- name: Deploy start up script
template:
src: "opt/noggin/start_noggin.sh.j2"
dest: "/opt/noggin/start_noggin.sh"
mode: '0750'
user: noggin
group: noggin
- name: Deploy systemd unit
copy:
src: "etc/systemd/system/noggin.service"
dest: "/etc/systemd/system/noggin.service"
owner: root
group: root
mode: '0644'
- name: Deploy noggin configuration
template:
src: "opt/noggin/noggin.cfg.j2"
dest: "/opt/noggin/noggin.cfg"
owner: noggin
group: noggin
mode: '0600'
# The only way to run it properly, at least on EL8, is we need this line
- name: Add missing create_app call
lineinfile:
path: "/opt/noggin/noggin/noggin/app.py"
line: "app = create_app()"
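Review bot: The `Deploy start up script` task passes `user: noggin` to the `template` module, which has no such parameter (the attribute is `owner`); Ansible rejects unsupported module arguments, so the play should fail at that task — `owner: noggin` is the fix. The `pip: name: poetry` and `git ... version: main` tasks install whatever PyPI and upstream `main` hold at run time, unpinned and unverified, for the service that fronts account creation; pinning `version:` to a tagged release and `name: poetry==<x.y.z>` makes deployments reproducible. Also, `lineinfile` appending `app = create_app()` to the checked-out `app.py` leaves the working tree dirty and the `git` task sets no `force: true`, so I would expect the next run's update to refuse the local modification — please verify.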


@ -0,0 +1,2 @@
---
# no tasks yet


@ -136,3 +136,6 @@ gitlab_rails['db_password'] = '{{ gitlab_external_db_password }}'
{% if gitlab_trusted_proxies %}
gitlab_rails['trusted_proxies'] = '{{ gitlab_trusted_proxies | map("to_json") | join(", ") }}'
{% endif %}
gitlab_rails['gravatar_enabled'] = true
gitlab_rails['gravatar_ssl_url'] = "https://seccdn.libravatar.org/avatar/%{hash}?s=%{size}&d=retro"


@ -0,0 +1,23 @@
TEMPLATES_AUTO_RELOAD = False
FREEIPA_SERVERS = []
FREEIPA_CACERT = '/etc/ipa/ca.crt'
FREEIPA_ADMIN_USER = 'userman'
FREEIPA_ADMIN_PASSWORD = '{{ rocky_ldap_userman_pw }}'
THEME = "rocky"
FERNET_SECRET = b'NOTASECRET='
SECRET_KEY = b'NOTASECRET='
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_SECURE = True
USER_DEFAULTS = {
"locale": "en-US",
"timezone": "UTC",
"status_note": "active",
}
REGISTRATION_OPEN = True
ACTIVATION_TOKEN_EXPIRATION = 30
PASSWORD_RESET_EXPIRATION = 10
MAIL_DEFAULT_SENDER = "Account Services <identitymanagement@rockylinux.org>"
MAIL_SUPPRESS_SEND = False
AVATAR_SERVICE_URL = "https://seccdn.libravatar.org/"
AVATAR_DEFAULT_TYPE = "retro"
FEDORA_MESSAGING_ENABLED = False
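Review bot: `FERNET_SECRET = b'NOTASECRET='` and `SECRET_KEY = b'NOTASECRET='` are committed placeholder secrets in the template that is deployed as `/opt/noggin/noggin.cfg`, so every instance would sign Flask sessions and encrypt tokens with a public, guessable key; the `FREEIPA_ADMIN_PASSWORD` line shows the pattern to follow, e.g. `SECRET_KEY = b'{{ noggin_secret_key }}'` and `FERNET_SECRET = b'{{ noggin_fernet_secret }}'` from a vaulted vars file. A Fernet key must be 32 url-safe base64-encoded bytes, so the placeholder would presumably fail at first use rather than silently work, but that is not a safeguard to rely on. If the empty `FREEIPA_SERVERS = []` means "discover via DNS", a comment saying so would help; otherwise it needs `{{ rocky_ipaserver_list }}` or the load balancer.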


@ -0,0 +1,14 @@
#!/bin/bash
export PATH=/home/noggin/.local/bin:/home/noggin/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
export NOGGIN_CONFIG_PATH=/opt/noggin/noggin.cfg
export FLASK_DEBUG=1
export FLASK_APP=/opt/noggin/noggin/noggin/app.py
source /home/noggin/.cache/pypoetry/virtualenvs/{{ virtualenv_location.stdout }}/bin/activate
cd /opt/noggin/noggin
#/home/noggin/.local/bin/poetry run flask run -h 0.0.0.0
# --certfile=/etc/pki/tls/certs/noggin.crt \
# --keyfile=/etc/pki/tls/private/noggin.key \
gunicorn -w 3 \
--env NOGGIN_CONFIG_PATH=/opt/noggin/noggin.cfg \
--bind tcp://0.0.0.0:5000 \
noggin.app:app
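Review bot: `source /home/noggin/.cache/pypoetry/virtualenvs/{{ virtualenv_location.stdout }}/bin/activate` assumes `poetry env list | awk '{print $1}'` produced exactly one line; with more than one virtualenv registered (or none) the rendered path contains a newline or is empty and the script fails at start. `poetry env info --path`, if the installed poetry supports it, returns the single absolute path and removes the awk step. The script also exports `FLASK_DEBUG=1` for a gunicorn-served production app and binds plaintext `tcp://0.0.0.0:5000` with the TLS options commented out; that is acceptable only if a reverse proxy is the sole thing able to reach port 5000, which nothing in this commit shows.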


@ -0,0 +1 @@
# Empty


@ -1,5 +1,5 @@
<?php
$g_hostname = 'build-a-box.labs.angelsofclockwork.net';
$g_hostname = '{{ mantis_db_host }}';
$g_db_type = 'pgsql';
$g_database_name = '{{ mantis_db_name }}';
$g_db_username = '{{ mantis_db_user }}';
@ -7,13 +7,14 @@ $g_db_password = '{{ mantis_db_pass }}';
$g_default_timezone = 'UTC';
$g_crypto_master_salt = 'DDQF2sdgdPycpzfWNSOt4KelQlz7h0kb9HHxaUFpYXk=';
$g_crypto_master_salt = '{{ cryptosalt_string.stdout }}';
# Added
$g_login_method = 'LDAP';
$g_ldap_server = '{{ rocky_ipaserver_lb }}';
$g_ldap_port = '389';
$g_ldap_root_dn = '{{ rocky_ldap_user_basedn }}';
$g_ldap_organization = '(objectClass=posixAccount)';
#$g_ldap_organization = '(objectClass=posixAccount)';
$g_ldap_protocol_version = 3;
$g_ldap_network_timeout = 30;
$g_ldap_follow_referrals = ON;
@ -32,9 +33,14 @@ $g_allow_file_upload = ON;
$g_file_upload_method = DATABASE; # or DISK
$g_dropzone_enabled = ON;
$g_show_realname = ON;
$g_show_avatar = ON;
$g_allowed_files = 'log,patch,txt';
$g_disallowed_files = 'exe,tar,tgz,tar.gz,pl,sh';
$g_disallowed_files = 'exe,pl,sh,py,c,cpp,rar,zip,rpm';
$g_window_title = 'Rocky Bugzilla';
$g_allow_signup = OFF;
$g_allow_signup = ON;
$g_allow_anonymous_login = ON;
$g_anonymous_account = 'anonymous';
$g_enable_email_notification = ON;
# Cookie problems
$g_allow_permanent_cookie = OFF;
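Review bot: `$g_ldap_server = '{{ rocky_ipaserver_lb }}'` with `$g_ldap_port = '389'` sends the binder password and every user's login password to the IPA load balancer in cleartext LDAP; MantisBT accepts an LDAP URI in this setting, so `$g_ldap_server = 'ldaps://{{ rocky_ipaserver_lb }}'` with `$g_ldap_port = '636'` (or `$g_ldap_use_starttls = ON`, if this 2.25 build supports it — please check) keeps credentials off the wire. `$g_crypto_master_salt` is also re-rendered from a fresh random value on every run (see `tasks/mantis.yml`), which logs out every user at each deploy. If I read the MantisBT config docs correctly, a non-empty `$g_allowed_files` is treated as the whitelist and `$g_disallowed_files` is ignored, so a one-line comment to that effect would stop someone later relying on the blacklist.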


@ -9,3 +9,5 @@ rocky_ipaserver_list: "{{ groups['ipaserver'] + groups['ipareplicas'] }}"
rocky_ipaserver_lb: "ipa-lb.rockylinux.org"
# This will need to be vaulted
rocky_ldap_bind_pw: "{{ ipa_binder_password }}"
rocky_ldap_userman_dn: "uid=userman,cn=users,cn=accounts,dc=rockylinux,dc=org"
rocky_ldap_userman_pw: "{{ ipa_userman_password }}"


@ -1,7 +1,7 @@
---
# mantis vars
mantis_version: 2.24.2
mantis_checksum: "sha256:c1b483c8395a0fb1249bcc50ada203db584d819f4f6f606b1d1eec42c5205cb8"
mantis_version: 2.25.0
mantis_checksum: "sha256:d8973d3677ecb2ccbfee95e2267b3128049fbdcc59aa1f007686a342d93a4c0a"
mantis_pkg:
- php
- php-ldap
@ -11,8 +11,21 @@ mantis_pkg:
- php-mbstring
- php-curl
- openldap
mantis_db_name: mantis
- php-json
mantis_db_host: db.rockylinux.org
mantis_db_name: mantisdb
mantis_db_user: mantis
#mantis_db_pass: ThisIsNotThePassword!
mantis_binder_user: "uid=mantis_binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org"
#mantis_binder_pass: ThisIsNotThePassword!
mantis_binder_user: "{{ rocky_ldap_bind_dn }}"
mantis_binder_pass: "{{ rocky_ldap_bind_pw }}"
# Vault
# mantis_db_pass: ThisIsNotThePassword!
ipa_getcert_requested_hostnames:
- name: "{{ ansible_fqdn }}"
owner: apache
key_location: "/etc/pki/tls/private/bugs.rockylinux.org.key"
cert_location: "/etc/pki/tls/certs/bugs.rockylinux.org.crt"
postcmd: "/bin/systemctl reload httpd"
cnames:
- "bugs.rockylinux.org"
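Review bot: `mantis_binder_user: "{{ rocky_ldap_bind_dn }}"` references a variable that the `vars/common.yml` hunk in this commit does not define (it adds `rocky_ldap_bind_pw`, `rocky_ldap_userman_dn` and `rocky_ldap_userman_pw`); unless `rocky_ldap_bind_dn` already exists elsewhere, whichever template consumes it fails on an undefined variable. The old literal `uid=mantis_binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org` is the value that needs to survive somewhere visible. The new `mantis_checksum` cannot be verified from here; a comment noting where the sha256 was taken from (the upstream release page) would help the next bump.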


@ -0,0 +1,109 @@
---
# wikijs vars
firewall_rules:
- port: 443/tcp
permanent: true
state: enabled
- port: 9100/tcp
permanent: true
state: enabled
tls_ca_cert: "/etc/pki/tls/certs/ca-bundle.crt"
tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
ipa_getcert_requested_hostnames:
- name: "{{ ansible_fqdn }}"
owner: nginx
key_location: "{{ tls_key }}"
cert_location: "{{ tls_cert }}"
postcmd: "/bin/systemctl reload nginx"
wikijs_dbtype: postgres
wikijs_db:
host: "db.rockylinux.org"
port: 5432
user: wikijs
password: " {{ _wikijs_db_rw_pass }} "
dbname: wikijs_db
ssl: true
####################
### NGINX CONFIG ###
####################
# no demo config/template
nginx_config_html_demo_template_enable: false
nginx_config_selinux: true
nginx_config_selinux_enforcing: true
nginx_config_start: true
nginx_config_debug_output: true
nginx_config_debug_tasks: true
# nginx_config_cleanup: true
nginx_config_http_template_enable: true
nginx_config_main_template_enable: true
nginx_config_http_template:
default:
template_file: http/default.conf.j2
conf_file_name: default.conf
conf_file_location: /etc/nginx/conf.d/
servers:
redirect_https:
listen:
v6:
ip: '[::]' # Wrap in square brackets for IPv6 addresses
port: 80
opts: ['default_server']
v4:
ip: '' # Wrap in square brackets for IPv6 addresses
port: 80
opts: ['default_server']
server_name: "{{ ansible_fqdn }}"
error_page: /usr/share/nginx/html
access_log:
- name: main
location: /var/log/nginx/access.log
error_log:
location: /var/log/nginx/error.log
level: warn
root: "{{ wikijs_dir }}"
https_redirect: $host
wikijs_server:
listen:
v6:
ip: '[::]' # Wrap in square brackets for IPv6 addresses
port: 443
ssl: true
opts: ['http2', 'default_server']
v4:
ip: '' # Wrap in square brackets for IPv6 addresses
port: 443
ssl: true
opts: ['http2', 'default_server']
ssl:
cert: "{{ tls_cert }}"
key: "{{ tls_key }}"
server_name: "{{ ansible_fqdn }}"
error_page: /usr/share/nginx/html
access_log:
- name: main
location: /var/log/nginx/access.log
error_log:
location: /var/log/nginx/error.log
level: warn
root: "{{ wikijs_dir }}"
web_server:
locations:
default:
location: /
custom_options:
- "proxy_pass http://localhost:3000/;"
http_demo_conf: false
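Review bot: `password: " {{ _wikijs_db_rw_pass }} "` has a space on each side of the Jinja expression inside the quotes, so the rendered PostgreSQL password is the vault value padded with spaces and the login will fail (or the padded value ends up persisted as the "real" password); it should read `password: "{{ _wikijs_db_rw_pass }}"`. `nginx_config_debug_output: true` and `nginx_config_debug_tasks: true` make the nginx role print its rendered configuration into the play log — not secret here, but worth turning off before this runs under CI. Opening `9100/tcp` unconditionally exposes node-exporter to anything that can reach the host; a firewalld rich rule limited to the Prometheus source address would be tighter.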


@ -3,7 +3,7 @@
roles:
- name: geerlingguy.mysql
# monitoring
- name: cloudalchemy.node-exporter
- name: cloudalchemy.node_exporter
- name: cloudalchemy.prometheus
- name: cloudalchemy.alertmanager
- name: cloudalchemy.grafana
@ -30,6 +30,11 @@ roles:
- name: rockylinux.matterbridge
src: https://github.com/NeilHanlon/ansible-role-matterbridge
version: master
- name: rockylinux.wikijs
src: https://git.rockylinux.org/infrastructure/public/ansible/ansible-role-wikijs.git
scm: git
version: develop
- name: riemers.gitlab-runner
collections:
# freeipa
@ -43,6 +48,8 @@ collections:
- name: netbox.netbox
- name: community.aws
- name: containers.podman
- name: nginxinc.nginx_core
version: 0.3.0
# - name: rockylinux.taiga
# source: https://github.com/rocky-linux/taiga-ansible.git
# type: git
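Review bot: `rockylinux.wikijs` is pulled from git at `version: develop`, so every `ansible-galaxy install` fetches whatever that branch holds at the moment and a broken or compromised push lands straight on the wiki host; pin `version:` to a tag or full commit hash, as `nginxinc.nginx_core` is pinned to `0.3.0` a few lines below. The same applies to the pre-existing `rockylinux.matterbridge` at `master`, though that line is not part of this change.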