Merge branch 'main' of github.com:rocky-linux/infrastructure

This commit is contained in:
Chris Cowley 2021-04-19 10:03:53 +02:00
commit e23f7cc69d
86 changed files with 2233 additions and 148 deletions

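--- /dev/null
+++ b/.ansible-lint
@@ -0,0 +1,3 @@
+warn_list:
+- internal-error
+- syntax-check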
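Review bot: Putting `syntax-check` in `warn_list` demotes a failed `ansible-playbook --syntax-check` from an error to a warning, so a playbook that cannot even be parsed still passes the lint stage. If the intent is only to tolerate plays with `hosts: "{{ host }}"` (which syntax-check cannot resolve without the extra-var), say so in the file, e.g. `# syntax-check is downgraded because several plays use hosts: "{{ host }}"`, so the exemption is not widened by accident later.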


@ -1,7 +1,7 @@
---
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v3.3.0
rev: v3.4.0
hooks:
- id: trailing-whitespace
- id: end-of-file-fixer
@ -25,7 +25,7 @@ repos:
always_run: true
- repo: https://github.com/adrienverge/yamllint.git
rev: v1.24.2
rev: v1.26.0
hooks:
- id: yamllint
files: \.(yaml|yml)$


@ -167,3 +167,238 @@ When initializing the ansible host, you should be in `./infrastructure/ansible`
% cd infrastructure/ansible
% ansible-playbook playbooks/init-rocky-ansible-host.yml
```
## Initializing the environment
To get a base environment, you will need to run the playbooks in this order.
```
# Ansible host
init-rocky-ansible-host.yml
# First IPA server
role-rocky-ipa.yml
# Replicas
role-rocky-ipa-replica.yml
# Base users, groups, and DNS
init-rocky-ipa-team.yml
init-rocky-ipa-internal-dns.yml
# All clients should be listed under [ipaclients]
role-rocky-ipa-client.yml
# All systems should be hardened
init-rocky-system-config.yml
```
## Current Set
```
.
├── README.md
├── ansible.cfg
├── collections
│   └── Readme.md
├── files -> playbooks/files
├── handlers -> playbooks/handlers
├── inventories
│   ├── production
│   │   ├── group_vars
│   │   │   ├── chronyservers
│   │   │   │   └── main.yml
│   │   │   ├── ipa
│   │   │   │   └── main.yml
│   │   │   ├── ipaclients
│   │   │   │   └── main.yml
│   │   │   ├── ipareplicas
│   │   │   │   └── main.yml
│   │   │   ├── ipaserver
│   │   │   │   └── main.yml
│   │   │   └── rabbitmq
│   │   │   └── main.yml
│   │   └── hosts.ini
│   └── staging
│   ├── group_vars
│   │   ├── chronyservers
│   │   │   └── main.yml
│   │   ├── ipa
│   │   │   └── main.yml
│   │   ├── ipaclients
│   │   │   └── main.yml
│   │   ├── ipareplicas
│   │   │   └── main.yml
│   │   ├── ipaserver
│   │   │   └── main.yml
│   │   └── rabbitmq
│   │   └── main.yml
│   └── hosts.ini
├── playbooks
│   ├── adhoc-facts-refresh.yml
│   ├── adhoc-ipabinder.yml
│   ├── adhoc-ipadnsrecord.yml
│   ├── adhoc-ipadnszone.yml
│   ├── adhoc-ipagetcert.yml
│   ├── adhoc-ipagetkeytab.yml
│   ├── adhoc-ipagroup.yml
│   ├── adhoc-ipaservice.yml
│   ├── adhoc-ipauser-disable.yml
│   ├── adhoc-ipauser-enable.yml
│   ├── adhoc-ipauser.yml
│   ├── adhoc-rabbitmqqueue.yml
│   ├── adhoc-rabbitmquser.yml
│   ├── files
│   │   ├── etc
│   │   │   ├── authselect
│   │   │   │   └── custom
│   │   │   │   └── sssd-rocky
│   │   │   │   ├── CentOS-8-system-auth -> RedHat-8-system-auth
│   │   │   │   └── RedHat-8-system-auth
│   │   │   ├── gitlab
│   │   │   ├── pam.d
│   │   │   │   ├── CentOS-7-system-auth-ac -> RedHat-7-system-auth-ac
│   │   │   │   └── RedHat-7-system-auth-ac
│   │   │   ├── rockybanner
│   │   │   └── sudoers.d
│   │   │   └── cis
│   │   ├── tmp
│   │   └── usr
│   │   └── local
│   │   └── bin
│   │   └── lock-wrapper
│   ├── handlers
│   │   └── main.yml
│   ├── import-rockygroups.yml
│   ├── import-rockyipaprivs.yml
│   ├── import-rockypwpolicy.yml
│   ├── import-rockysudo.yml
│   ├── import-rockyusers.yml
│   ├── init-rocky-account-services.yml
│   ├── init-rocky-ansible-host.yml
│   ├── init-rocky-bugzilla.yml
│   ├── init-rocky-builder-postfix.yml
│   ├── init-rocky-chrony.yml
│   ├── init-rocky-install-kvm-hosts.yml
│   ├── init-rocky-ipa-internal-dns.yml
│   ├── init-rocky-ipa-team.yml
│   ├── init-rocky-noggin-theme.yml
│   ├── init-rocky-system-config.yml
│   ├── rocky-rocky-gitlab-ee.yml
│   ├── role-rocky-graylog.yml
│   ├── role-rocky-ipa-client.yml
│   ├── role-rocky-ipa-replica.yml
│   ├── role-rocky-ipa.yml
│   ├── role-rocky-ipsilon.yml
│   ├── role-rocky-kojid.yml
│   ├── role-rocky-kojihub.yml
│   ├── role-rocky-monitoring.yml
│   ├── role-rocky-mqtt.yml
│   ├── role-rocky-node_exporter.yml
│   ├── role-rocky-rabbitmq.yml
│   ├── role-rocky-sigul-bridge.yml
│   ├── role-rocky-sigul-server.yml
│   ├── tasks
│   │   ├── account_services.yml
│   │   ├── auditd.yml
│   │   ├── authentication.yml
│   │   ├── chrony.yml
│   │   ├── gitlab-reconfigure.yml
│   │   ├── grub.yml
│   │   ├── harden.yml
│   │   ├── koji_efs.yml
│   │   ├── main.yml
│   │   ├── mantis.yml
│   │   ├── postfix_relay.yml
│   │   ├── rabbitmq-reconfigure.yml
│   │   ├── scripts.yml
│   │   ├── ssh_config.yml
│   │   └── variable_loader_common.yml
│   ├── templates
│   │   ├── etc
│   │   │   ├── audit
│   │   │   │   └── rules.d
│   │   │   │   └── collection.rules.j2
│   │   │   ├── chrony.conf.j2
│   │   │   ├── gitlab
│   │   │   │   └── rocky_gitlab.rb
│   │   │   ├── httpd
│   │   │   │   └── conf.d
│   │   │   │   ├── id.conf.j2
│   │   │   │   └── mantis.conf.j2
│   │   │   ├── modprobe.d
│   │   │   │   └── cis.conf.j2
│   │   │   ├── nginx
│   │   │   │   ├── conf.d
│   │   │   │   │   └── omnibus.conf.j2
│   │   │   │   └── nginx.conf.j2
│   │   │   ├── postfix
│   │   │   │   └── sasl_passwd.j2
│   │   │   ├── resolv.conf.j2
│   │   │   ├── rsyslog.d
│   │   │   ├── ssh
│   │   │   │   ├── CentOS-7-sshd_config.j2 -> RedHat-7-sshd_config.j2
│   │   │   │   ├── CentOS-8-sshd_config.j2 -> RedHat-8-sshd_config.j2
│   │   │   │   ├── RedHat-7-sshd_config.j2
│   │   │   │   └── RedHat-8-sshd_config.j2
│   │   │   └── sssd
│   │   ├── hidden
│   │   │   ├── README.md
│   │   │   └── home
│   │   │   └── noggin
│   │   │   └── noggin.cfg
│   │   ├── tmp
│   │   │   ├── binder.update
│   │   │   └── binder_template.update
│   │   └── var
│   │   └── www
│   │   └── mantis
│   │   └── config
│   │   └── config_inc.php.j2
│   └── vars
│   ├── CentOS.yml -> RedHat.yml
│   ├── RedHat.yml
│   ├── buildsys.yml
│   ├── chrony.yml
│   ├── chronyserver.yml
│   ├── common.yml
│   ├── gitlab.yml
│   ├── graylog.yml
│   ├── ipa
│   │   ├── adminusers.yml
│   │   ├── agreements.yml
│   │   ├── fdns.yml
│   │   ├── groups.yml
│   │   ├── ipaclient.yml
│   │   ├── ipaprivs.yml
│   │   ├── ipareplica.yml
│   │   ├── ipaserver.yml
│   │   ├── rdns.yml
│   │   ├── sudorules.yml
│   │   ├── svcusers.yml
│   │   └── users.yml
│   ├── ipaserver.yml
│   ├── ipsilon.yml
│   ├── koji-common.yml
│   ├── kojid.yml
│   ├── kojihub.yml
│   ├── mantis.yml
│   ├── matterbridge.yml
│   ├── monitoring
│   │   └── README.md
│   ├── monitoring.yml
│   ├── mqtt.yml
│   ├── rabbitmq.yml
│   ├── sigul_bridge.yml
│   ├── sigul_server.yml
│   └── vaults
│   └── README.md
├── roles
│   ├── local
│   │   └── Readme.md
│   ├── public
│   │   └── Readme.md
│   └── requirements.yml
├── ssh_config
├── tasks -> playbooks/tasks
├── templates -> playbooks/templates
├── tmp
│   ├── Readme.md
│   └── ansible.log
└── vars -> playbooks/vars
```


@ -67,3 +67,10 @@ log_path = tmp/ansible.log
known_hosts = tmp/known_hosts
roles_path = roles/local:roles/public
collections_paths = collections
########################################
# SSH Configuration
########################################
[ssh_connection]
# Disable GSSAPI, which slows down SSH connections for ansible
ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -o GSSAPIAuthentication=no


@ -1,5 +1,5 @@
---
# RabbitMQ Staging Vars
rabbitmq_cluster_name: "rabbitprod"
rabbitmq_cluster_name: "rabbit"
rabbitmq_cluster_list: "{{ groups['rabbitmq'] }}"
rabbitmq_env: "production"
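Review bot: The header comment `# RabbitMQ Staging Vars` sits in the production group_vars file, which the context line `rabbitmq_env: "production"` confirms; it should read `# RabbitMQ Production Vars`. With this change both environments use `rabbitmq_cluster_name: "rabbit"` (the staging file at the later hunk makes the same edit), so the cluster name no longer distinguishes production from staging; if that is intentional, a one-line comment on why the environment-specific names were dropped would stop someone from "fixing" it back.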


@ -19,51 +19,91 @@ ipa002.rockylinux.org ansible_host=10.100.1.111
ipa003.rockylinux.org ansible_host=10.100.1.112
[ipaclients]
build-a-box.rockylinux.org ansible_host=10.100.1.112
idp001.rockylinux.org ansible_host=10.100.x.x
chrony001.rockylinux.org ansiblehost=10.100.3.110
chrony002.rockylinux.org ansiblehost=10.200.3.111
git.rockylinux.org ansible_host=10.100.1.113
#chrony001.rockylinux.org ansiblehost=10.100.3.110
#chrony002.rockylinux.org ansiblehost=10.200.3.111
#git.rockylinux.org ansible_host=10.100.1.113
[ipaclients:children]
idp
sigul
mbs
koji
rabbitmq
bugtracker
monitoringservers
gitlabservers
matomo
[idp]
idp001.rockylinux.org ansible_host=10.100.x.x
idp002.rockylinux.org ansible_host=10.100.x.x
[grafana]
grafana.rockylinux.org ansible_host=10.100.xx.xx
[graylogservers]
graylog001.rockylinux.org ansible_host=10.100.xx.xx
[monitoringservers:children]
grafana
[chronyservers]
chrony001.rockylinux.org ansiblehost=10.100.3.110
chrony002.rockylinux.org ansiblehost=10.200.3.111
[gitlabservers]
git.rockylinux.org ansible_host=10.100.1.113
git.rockylinux.org ansible_host=10.xx.xx.xx
# Koji System - These names and IP's are not permanent as some machines can be
# in a different location. This is the case with ppc64le
[buildsys:children]
koji
gitlabservers
bugtracker
[koji:children]
kojihub
kojid
mqtt
rabbitmq
[kojihub]
koji.boxbuild.rockylinux.org ansible_host=10.100.1.200
koji.rockylinux.org ansible_host=10.xx.xx.xx
[kojid]
x86-01.boxbuild.rockylinux.org ansible_host=10.100.1.201
x86-02.boxbuild.rockylinux.org ansible_host=10.100.1.202
x86-repo.boxbuild.rockylinux.org ansible_host=10.100.1.203
aarch64-01.boxbuild.rockylinux.org ansible_host=10.100.1.204
aarch64-02.boxbuild.rockylinux.org ansible_host=10.100.1.205
aarch64-03.boxbuild.rockylinux.org ansible_host=10.100.1.206
aarch64-04.boxbuild.rockylinux.org ansible_host=10.100.1.207
aarch64-05.boxbuild.rockylinux.org ansible_host=10.100.1.208
aarch64-06.boxbuild.rockylinux.org ansible_host=10.100.1.209
ppc64le-01.boxbuild.rockylinux.org ansible_host=10.100.1.210
ppc64le-02.boxbuild.rockylinux.org ansible_host=10.100.1.211
ppc64le-03.boxbuild.rockylinux.org ansible_host=10.100.1.212
[mqtt]
mqtt.boxbuild.rockylinux.org ansible_host=10.100.1.213
x86build001.rockylinux.org ansible_host=10.100.xx.xx
x86build002.rockylinux.org ansible_host=10.100.xx.xx
x86build003.rockylinux.org ansible_host=10.100.xx.xx
aarch64build001.rockylinux.org ansible_host=10.100.xx.xx
aarch64build002.rockylinux.org ansible_host=10.100.xx.xx
aarch64build003.rockylinux.org ansible_host=10.100.xx.xx
[rabbitmq]
rabbitmq01.rockylinux.org ansible_host=10.100.1.214
rabbitmq02.rockylinux.org ansible_host=10.100.1.215
rabbitmq03.rockylinux.org ansible_host=10.100.1.216
rabbitmq001.rockylinux.org ansible_host=10.100.xx.xx
rabbitmq002.rockylinux.org ansible_host=10.100.xx.xx
rabbitmq003.rockylinux.org ansible_host=10.100.xx.xx
[sigul:children]
sigulbridge
sigulserver
[sigulbridge]
sigul001.rockylinux.org ansible_host=10.100.xx.xx
[sigulserver]
sigul002.rockylinux.org ansible_host=10.100.xx.xx
[mbs]
mbs001.rockylinux.org ansible_host=10.100.xx.xx
mbs002.rockylinux.org ansible_host=10.100.xx.xx
[bugtracker]
bugs.rockylinux.org ansible_host=10.100.xx.xx
[matterbridge]
matterbridge.rockylinux.org ansible_host=10.100.xx.xx
[matomo]
matomo.rockylinux.org ansible_host=10.100.xx.xx
[bugtracker]
bugs.rockylinux.org ansible_host=10.100.xx.xx
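Review bot: The `[chronyservers]` entries use `ansiblehost=` (no underscore), so Ansible stores a harmless host variable named `ansiblehost` and tries to connect to the FQDN instead of the given address; assuming these lines are on the new side, they should read `chrony001.rockylinux.org ansible_host=10.100.3.110` and `chrony002.rockylinux.org ansible_host=10.200.3.111`. The commented-out copies earlier in the hunk carry the same typo. `[bugtracker]` is declared twice in the printed section (once before `[matterbridge]` and once at the end); if both survive on the new side, ansible-lint will flag the duplicate group header even though the inventory parser merges them. The many `10.100.xx.xx` placeholders mean those hosts are unreachable until filled in, which is presumably known.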


@ -0,0 +1,4 @@
---
chrony_server: true
chrony_allow_cidr: "10.0.0.0/16"


@ -0,0 +1,9 @@
---
ipaclient_domain: rockylinux.org
ipaclient_realm: ROCKYLINUX.ORG
ipaadmin_principal: admin
ipaclient_no_ntp: true
ipaclient_mkhomedir: true
ipaclient_ssh_trust_dns: true
ipasssd_enable_dns_updates: true


@ -0,0 +1,12 @@
---
ipaadmin_principal: admin
ipaclient_mkhomedir: true
ipaserver_realm: ROCKYLINUX.ORG
ipareplica_domain: rockylinux.org
ipareplica_auto_forwarders: true
ipareplica_setup_firewalld: true
ipareplica_setup_ca: true
ipareplica_setup_kra: true
ipareplica_setup_dns: true
ipa_dns_master: 10.100.1.110


@ -0,0 +1,15 @@
---
ipaserver_domain: rockylinux.org
ipaserver_realm: ROCKYLINUX.ORG
ipaserver_setup_dns: true
ipaserver_setup_kra: true
ipaserver_auto_forwarders: true
ipaserver_no_host_dns: true
ipaserver_hostname: ipa001.rockylinux.org
ipaserver_allow_zone_overlap: true
ipaserver_setup_firewalld: true
ipaclient_no_ntp: true
ipaclient_mkhomedir: true
ipaserver_no_hbac_allow: true
ipaserver_reverse_zones: ["1.100.10.in-addr.arpa."]


@ -1,5 +1,5 @@
---
# RabbitMQ Staging Vars
rabbitmq_cluster_name: "rabbitstage"
rabbitmq_cluster_name: "rabbit"
rabbitmq_cluster_list: "{{ groups['rabbitmq'] }}"
rabbitmq_env: "staging"


@ -16,7 +16,7 @@
become: false
gather_facts: false
vars_files:
- vars/vaults/encpass.yml
- vars/vaults/hostman.yml
tasks:
- name: "Checking for user variables"
@ -42,3 +42,16 @@
state: "{{ ipa_presence }}"
tags:
- dns
# We try to do this just in case because if a certificate is being issued
# that wants a CNAME, the host has to "manage" said host. However, if the
# host doesn't exist, we'll ignore it.
- name: "Creating host object for CNAME"
freeipa.ansible_freeipa.ipahost:
ipaadmin_principal: "{{ ipa_admin|default('admin') }}"
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ ipa_name }}.{{ ipa_zone }}"
force: true
managedby:
- "{{ ipa_name_value[:-1] }}"
ignore_errors: true
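Review bot: `ignore_errors: true` on the "Creating host object for CNAME" task swallows every failure, including a bad `ipaadmin_password` or an unreachable server, not just the "target host does not exist" case the comment describes. Nothing restricts the task to CNAME records either, so it runs with `force: true` for every record type this playbook handles; a `when:` on the record-type variable (its name is outside this hunk) would match the task name. `ipa_name_value[:-1]` assumes a trailing dot and silently drops the last character when there is none; `"{{ ipa_name_value | regex_replace('\\.$', '') }}"` strips only a trailing dot. The play's earlier tasks are outside the hunk.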


@ -8,7 +8,7 @@
become: false
gather_facts: false
vars_files:
- vars/vaults/encpass.yml
- vars/vaults/hostman.yml
tasks:
- name: "Checking for user variables"


@ -17,12 +17,15 @@
vars:
ipa_getcert_requested_hostnames:
- name: "{{ getcert_name|default(ansible_fqdn) }}"
owner: "{{ getcert_owner|default(omit) }}"
key_location: "{{ getcert_key|default(omit) }}"
cert_location: "{{ getcert_cert|default(omit) }}"
postcmd: "{{ getcert_postcmd|default(omit) }}"
ipa_getcert_chain: "{{ getcert_chain|default(omit) }}"
ipa_getcert_chain_location: "{{ getcert_chain_location|default(omit) }}"
owner: "{{ getcert_owner|default('root') }}"
key_location: "{{ getcert_key|default('/etc/pki/tls/private/newcert.key') }}"
cert_location: "{{ getcert_cert|default('/etc/pki/tls/certs/newcert.crt') }}"
nss_db_dir: "{{ getcert_nss_db_dir|default('/etc/pki/tls/db') }}"
nss_nickname: "{{ getcert_nss_nickname|default(ansible_fqdn) }}"
postcmd: "{{ getcert_postcmd|default(false) }}"
ipa_getcert_chain: "{{ getcert_chain|default(false) }}"
ipa_getcert_chain_location: "{{ getcert_chain_location|default('/etc/pki/tls/chain') }}"
ipa_getcert_nss: "{{ getcert_nss|default(false) }}"
roles:
- role: rockylinux.ipagetcert
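Review bot: Replacing `default(omit)` with fixed paths means every adhoc run that does not pass `getcert_key`/`getcert_cert` now writes to `/etc/pki/tls/private/newcert.key` and `/etc/pki/tls/certs/newcert.crt`, so two requests on the same host for different names overwrite each other's key material; if that is acceptable, a comment saying the defaults are single-use would help. `postcmd`, `ipa_getcert_chain` and `ipa_getcert_nss` now default to boolean `false` instead of being omitted; whether the role treats `false` the same as "key absent" depends on the role's own checks, which are not visible here, so confirm before relying on it. Keeping `postcmd: "{{ getcert_postcmd|default(omit) }}"` avoids the question for that key. The play header is outside the hunk.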


@ -18,12 +18,13 @@
become: true
gather_facts: false
vars_files:
- vars/vaults/encpass.yml
- vars/vaults/kerbman.yml
tasks:
- name: "Checking for user variables"
assert:
that:
- ipa_admin | mandatory
- ipaadmin_password | mandatory
- ipa_service | mandatory
- ipa_keytab_fullpath | mandatory


@ -10,7 +10,7 @@
become: false
gather_facts: false
vars_files:
- vars/vaults/encpass.yml
- vars/vaults/userman.yml
tasks:
- name: "Checking for user variables"


@ -7,7 +7,7 @@
become: false
gather_facts: false
vars_files:
- vars/vaults/encpass.yml
- vars/vaults/kerbman.yml
tasks:
- name: "Checking for user variables"


@ -0,0 +1,29 @@
---
# This playbook is meant to be used with callable variables, like adhoc or AWX.
# What: Creates users in the idm infrastructure based on the variables provided.
- name: Create a User
hosts: ipaserver
become: false
gather_facts: false
vars_files:
- vars/vaults/userman.yml
tasks:
- name: "Checking for user variables"
assert:
that:
- ipa_admin | mandatory
- ipaadmin_password | mandatory
- ipa_name | mandatory
success_msg: "Required variables provided"
fail_msg: "We are missing user information or ipa admin password"
- name: "Disabling User Account"
freeipa.ansible_freeipa.ipauser:
ipaadmin_principal: "{{ ipa_admin }}"
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ ipa_name }}"
state: disabled
tags:
- users
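Review bot: The header comment `# What: Creates users in the idm infrastructure ...` and the play name `Create a User` are copied from the user-creation playbook, but the only task here sets `state: disabled`; an operator reading the play list in AWX will pick the wrong one. Change them to `# What: Disables a user account in the idm infrastructure based on the variables provided.` and `- name: Disable a User`. The enable playbook in the next file section has the same copied header and should say Enable.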


@ -0,0 +1,29 @@
---
# This playbook is meant to be used with callable variables, like adhoc or AWX.
# What: Creates users in the idm infrastructure based on the variables provided.
- name: Create a User
hosts: ipaserver
become: false
gather_facts: false
vars_files:
- vars/vaults/userman.yml
tasks:
- name: "Checking for user variables"
assert:
that:
- ipa_admin | mandatory
- ipaadmin_password | mandatory
- ipa_name | mandatory
success_msg: "Required variables provided"
fail_msg: "We are missing user information or ipa admin password"
- name: "Enabling User Account"
freeipa.ansible_freeipa.ipauser:
ipaadmin_principal: "{{ ipa_admin }}"
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ ipa_name }}"
state: enabled
tags:
- users


@ -7,7 +7,7 @@
become: false
gather_facts: false
vars_files:
- vars/vaults/encpass.yml
- vars/vaults/userman.yml
tasks:
- name: "Checking for user variables"


@ -75,10 +75,13 @@
name: "amq.topic"
destination: "{{ queue_name }}"
destination_type: queue
routing_key: "{{ item }}"
routing_key: "{{ routing_item }}"
vhost: "{{ vhost|default('/pubsub') }}"
state: present
login_user: admin
login_password: "{{ rabbitmq_admin_password }}"
loop: "{{ routing_keys }}"
loop_control:
loop_var: routing_item
tags:
- rabbitmq


@ -7,12 +7,12 @@ auth [success=done ignore=ignore default=die] pam_sss.so require_cert
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue nouserok {include if "with-pam-u2f-2fa"}
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail audit deny=5 unlock_time=900 fail_interval=900 {include if "with-faillock"}
auth required pam_deny.so
@ -20,8 +20,8 @@ auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so


@ -1,11 +1,3 @@
******* **
/**////** /** ** **
/** /** ****** ***** /** ** //** **
/******* **////** **///**/** ** //***
/**///** /** /**/** // /**** /**
/** //** /** /**/** **/**/** **
/** //**//****** //***** /**//** **
// // ////// ///// // // //
This is a Rocky Linux system
All access is logged and monitored. Unauthorized access is prohibited.


@ -0,0 +1,16 @@
[Unit]
Description=noggin
After=network-online.target
Wants=network-online.target
[Service]
Environment=FLASK_APP=/opt/noggin/noggin/noggin/app.py
Environment=NOGGIN_CONFIG_PATH=/opt/noggin/noggin.cfg
Environment=FLASK_DEBUG=1
User=noggin
WorkingDirectory=/opt/noggin/noggin
ExecStart=/bin/bash /opt/noggin/start_noggin.sh
PrivateTmp=true
[Install]
WantedBy=multi-user.target
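Review bot: `Environment=FLASK_DEBUG=1` turns on Flask debug mode for a persistent, network-facing service: unhandled exceptions return full tracebacks with source to the client, and the Werkzeug interactive debugger, if the app is served by the development server, lets anyone who reaches it execute code as the `noggin` user. Drop the line or set `Environment=FLASK_DEBUG=0`, and leave debugging to a local override. Since the unit already has `PrivateTmp=true`, `NoNewPrivileges=true` and `ProtectSystem=full` are cheap additions. What `/opt/noggin/start_noggin.sh` actually launches is not in this commit, so the debugger exposure is an assumption to verify against that script.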


@ -32,3 +32,16 @@
command: gitlab-ctl reconfigure
register: gitlab_restart
failed_when: gitlab_restart_handler_failed_when | bool
- name: restart_noggin
service:
name: noggin
state: restarted
- name: rehash_postfix_sasl
command: "postmap /etc/postfix/sasl_passwd"
- name: restart_postfix
service:
name: postfix
state: restarted


@ -4,7 +4,7 @@
hosts: "{{ host }}"
become: true
handers:
handlers:
- import_tasks: handlers/main.yml
pre_tasks:


@ -1,10 +1,15 @@
---
# Installs the mantis bug tracker
- name: Configure MantisBT
hosts: "{{ host }}"
hosts: "bugtracker"
become: true
vars_files:
- vars/common.yml
- vars/vaults/encpass.yml
- vars/vaults/mantis.yml
- vars/mantis.yml
handers:
handlers:
- import_tasks: handlers/main.yml
pre_tasks:
@ -20,11 +25,31 @@
success_msg: "We are not able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
roles:
- role: rockylinux.ipagetcert
state: present
tasks:
- name: Deploy Mantis
import_tasks: tasks/mantis.yml
post_tasks:
- name: Open firewalld ports
ansible.posix.firewalld:
service: "{{ item }}"
permanent: true
immediate: true
state: enabled
with_items:
- http
- https
- name: Ensure httpd is enabled and running
service:
name: httpd
enabled: true
state: started
- name: Touching run file that ansible has ran here
file:
path: /var/log/ansible.run


@ -0,0 +1,36 @@
---
# Configures postfix on buildsystems
- name: Configure Buildsys Relay
hosts: "buildsys"
become: true
vars_files:
- vars/buildsys.yml
handlers:
- import_tasks: handlers/main.yml
pre_tasks:
- name: Check if ansible cannot be run here
stat:
path: /etc/no-ansible
register: no_ansible
- name: Verify if we can run ansible
assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are not able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
tasks:
- name: Deploy Postfix Relay
import_tasks: tasks/postfix_relay.yml
post_tasks:
- name: Touching run file that ansible has ran here
file:
path: /var/log/ansible.run
state: touch
mode: '0644'
owner: root
group: root
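Review bot: `success_msg: "We are not able to run on this node"` is printed when the assert passes, i.e. when `/etc/no-ansible` is absent and the run proceeds, so the message says the opposite of what happened; the graylog play later in this commit has the correct `success_msg: "We are able to run on this node"`. The same inverted message is in the new init-koji, noggin-theme, noggin and repository playbooks that follow (and as unchanged context in the mantis play). This play loads only `vars/buildsys.yml` while the relay is configured from `sasl_passwd.j2`; if the relay credential is defined in that plain vars file rather than a `vars/vaults/` file, it is committed unencrypted, which cannot be verified from this hunk.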


@ -0,0 +1,34 @@
---
# Configures the koji ecosystem
- name: Configure Koji
hosts: "kojihub"
become: true
handlers:
- import_tasks: handlers/main.yml
pre_tasks:
- name: Check if ansible cannot be run here
stat:
path: /etc/no-ansible
register: no_ansible
- name: Verify if we can run ansible
assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are not able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
tasks:
- name: Build out relevant accounts and components
import_tasks: tasks/init-koji.yml
post_tasks:
- name: Touching run file that ansible has ran here
file:
path: /var/log/ansible.run
state: touch
mode: '0644'
owner: root
group: root
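Review bot: `import_tasks: tasks/init-koji.yml` refers to a file that does not appear in the README tree this same commit rewrites (its `tasks/` listing), and `import_tasks` is resolved at parse time, so the play will fail before any task runs if the file is not among the unshown changes. `tasks/noggin.yml` in the noggin playbook and `tasks/repository.yml` in the repository playbook are in the same position. If they exist, adding them to the README listing would keep that tree trustworthy; if they are placeholders, a comment saying so on the import line would stop the play from being run by mistake.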


@ -0,0 +1,40 @@
---
# (Re)deploys the noggin theme
- name: Deploy Noggin Theme
hosts: "idp"
become: true
handlers:
- import_tasks: handlers/main.yml
pre_tasks:
- name: Check if ansible cannot be run here
stat:
path: /etc/no-ansible
register: no_ansible
- name: Verify if we can run ansible
assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are not able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
tasks:
- name: Deploy Rocky Noggin Theme
git:
repo: https://github.com/rocky-linux/noggin-theme.git
dest: /opt/noggin/noggin/noggin/themes/rocky
update: true
version: main
become_user: noggin
notify: restart_noggin
post_tasks:
- name: Touching run file that ansible has ran here
file:
path: /var/log/ansible.run
state: touch
mode: '0644'
owner: root
group: root
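Review bot: The `git:` task tracks `version: main` with `update: true`, so every run deploys whatever is currently at the head of an external GitHub repository into the IdP's theme directory under the `noggin` user; there is no pin and no way to tell afterwards which revision was deployed. Pin to a tag or a full commit SHA, `version: "<tag-or-commit, to be chosen>"`, and bump it deliberately, or at least record the checked-out revision via `register:` so a run log shows what changed. The `notify: restart_noggin` then fires only on a real update, which is the behaviour you want.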


@ -0,0 +1,34 @@
---
# (Re)deploys the noggin theme
- name: Deploy Noggin
hosts: "idp"
become: true
handlers:
- import_tasks: handlers/main.yml
pre_tasks:
- name: Check if ansible cannot be run here
stat:
path: /etc/no-ansible
register: no_ansible
- name: Verify if we can run ansible
assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are not able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
tasks:
- name: Deploy Noggin
import_tasks: "tasks/noggin.yml"
post_tasks:
- name: Touching run file that ansible has ran here
file:
path: /var/log/ansible.run
state: touch
mode: '0644'
owner: root
group: root
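Review bot: The header comment `# (Re)deploys the noggin theme` is copied from the theme playbook, but this play imports `tasks/noggin.yml` and is named "Deploy Noggin"; replace it with `# Deploys noggin onto the idp hosts (the theme has its own playbook)`. With two plays both titled "Deploy Noggin" (the play and its task), the log output does not distinguish them; naming the task after what `tasks/noggin.yml` does would help, though that file is not in this commit view.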


@ -0,0 +1,34 @@
---
# Preps a system to be a repository
- name: Configure repository system
hosts: "{{ host }}"
become: true
handlers:
- import_tasks: handers/main.yml
pre_tasks:
- name: Check if ansible cannot be run here
stat:
path: /etc/no-ansible
register: no_ansible
- name: Verify if we can run ansible
assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are not able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
tasks:
- name: Configure repository system
import_tasks: tasks/repository.yml
post_tasks:
- name: Touching run file that ansible has ran here
file:
path: /var/log/ansible.run
state: touch
mode: '0644'
owner: root
group: root
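Review bot: `- import_tasks: handers/main.yml` points at a directory that does not exist; the README tree lists `handlers/` and `handlers -> playbooks/handlers`, and this same commit fixes the identical `handers:` typo in another playbook. Because handler imports are resolved at parse time, the whole play fails to load. Change it to `- import_tasks: handlers/main.yml`.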


@ -1,7 +1,10 @@
---
# Basic system configuration. All hardening should also be imported here.
# Use --extra-vars="host=..." and specify a hostname in the inventory or
# provide an ansible host group name. You can also just use "all" if you
# want to ensure all systems are up to date on the configuration.
- name: Configure system
hosts: all
hosts: "{{ host }}"
become: true
# This is to try to avoid the handler issue in pre/post tasks


@ -0,0 +1,65 @@
---
# Configure and setup graylog
# Reccommended specs
# CPU: 2 cores
# Memory: 4GB
# Storage: Yes
- name: Install Graylog
hosts: graylogservers
become: true
vars_files:
- vars/vaults/encpass.yml
- vars/graylog.yml
- vars/vaults/hostman.yml
# This is to try to avoid the handler issue in pre/post tasks
handlers:
- import_tasks: handlers/main.yml
pre_tasks:
- name: Check if ansible cannot be run here
stat:
path: /etc/no-ansible
register: no_ansible
- name: Verify if we can run ansible
assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
- name: Install SELinux packages
package:
name: python3-policycoreutils.noarch
state: present
- name: "Creating DNS Record for ord-prod-graylog.rockylinux.org"
freeipa.ansible_freeipa.ipadnsrecord:
ipaadmin_principal: "{{ ipa_admin|default('admin') }}"
ipaadmin_password: "{{ ipaadmin_password }}"
zone_name: "{{ graylog_ipa_dnsrecord_zone_name }}"
name: "{{ graylog_ipa_dnsrecord_name }}"
record_type: "{{ graylog_ipa_dnsrecord_record_type }}"
record_value: "{{ graylog_ipa_dnsrecord_record_value }}"
state: "{{ graylog_ipa_dnsrecord_state }}"
roles:
- role: rockylinux.ipagetcert
state: present
post_tasks:
- name: Open firewalld ports
ansible.posix.firewalld:
port: "{{ item.port }}"
permanent: "{{ item.permanent }}"
state: "{{ item.state }}"
loop: "{{ graylog_server_firewall_rules }}"
- name: Touching run file that ansible has ran here
file:
path: /var/log/ansible.run
state: touch
mode: '0644'
owner: root
group: root
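Review bot: The "Open firewalld ports" loop sets `port`, `permanent` and `state` from each item but never `immediate`, so with `permanent: true` the rule is only written to the saved config and does not take effect until firewalld reloads; the mantis play in this commit passes `immediate: true` alongside `permanent: true`, and this task should too. The task name hard-codes "ord-prod-graylog.rockylinux.org" while every value is templated from `graylog_ipa_dnsrecord_*`, so the name will lie as soon as the vars change; `"Creating DNS record {{ graylog_ipa_dnsrecord_name }}"` keeps them in step. The header comment has `Reccommended` for `Recommended`.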


@ -39,17 +39,6 @@
notify:
- reload_networkmanager
- name: Ensure resolv.conf is pointing to main master
template:
src: etc/resolv.conf.j2
dest: /etc/resolv.conf
owner: root
group: root
mode: '0644'
backup: true
notify:
- reload_networkmanager
roles:
- role: freeipa.ansible_freeipa.ipareplica
state: present


@ -0,0 +1,90 @@
---
# Stands up an ipsilon instance for simple SSO
- name: Configure koji hub and web server
hosts: kojihub
become: true
vars_files:
- vars/vaults/encpass.yml
- vars/common.yml
- vars/staging/kojid.yml
- vars/staging/koji-common.yml
# This is to try to avoid the handler issue in pre/post tasks
handlers:
- import_tasks: handlers/main.yml
pre_tasks:
- name: Check if ansible cannot be run here
stat:
path: /etc/no-ansible
register: no_ansible
- name: Verify if we can run ansible
assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
- name: Check for keytabs - kojid
stat:
path: /etc/kojid.keytab
register: kojid_keytab_check
changed_when: "1 != 1"
- name: Verify keytab
assert:
that:
- "kojid_keytab_check.stat.exists"
success_msg: "It is likely we have all keytabs"
fail_msg: "There are no keytabs. Please build the keytabs."
# EPEL and PowerTools are required for ipsilon to function
# I also couldn't find an ansible built-in to do this
- name: Enable the PowerTools repository
ini_file:
dest: /etc/yum.repos.d/CentOS-Linux-PowerTools.repo
section: powertools
option: enabled
value: 1
owner: root
group: root
mode: '0644'
# The CentOS extras repos has epel-release provided
- name: Enable the EPEL repository
yum:
name: epel-release
state: present
tags:
- packages
- name: Install rocky-tools copr
yum_repository:
name: copr:copr.fedorainfracloud.org:nalika:rockylinux-tool
description: Copr repo for rockylinux-tools owned by nalika
file: copr_repos
baseurl: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/epel-8-$basearch/
gpgcheck: true
gpgkey: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/pubkey.gpg
enabled: true
# Right now, we are not sure how or where we'll get our certificates. So we
# are presenting a choice by setting a variable, koji_internal_ca. There is a
# change that we will have to do internal certs for mqtt anyway.
# TODO: We need an MQTT role and pre_tasks for the keytabs for this role
roles:
- role: rockylinux.kojid
state: present
post_tasks:
- name: "Setup shared filesystem mount"
import_tasks: tasks/koji_efs.yml
- name: Touching run file that ansible has ran here
file:
path: /var/log/ansible.run
state: touch
mode: '0644'
owner: root
group: root
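Review bot: The header `# Stands up an ipsilon instance for simple SSO` and the play name "Configure koji hub and web server" are copied from other playbooks, yet the role applied is `rockylinux.kojid` while `hosts: kojihub`; given the inventory has a separate `[kojid]` group for the builders, this looks like it would run the builder role on the hub, so confirm and, if so, use `hosts: kojid` with `# Configures the staging kojid builders`. The PowerTools/EPEL comment also still says "required for ipsilon". The copr `name: copr:copr.fedorainfracloud.org:nalika:rockylinux-tool` drops the trailing `s` that the `baseurl` and `description` use, which is harmless to yum but confusing when the repo id is grepped for. The staging kojihub playbook in the following section repeats the ipsilon header and the copr id mismatch.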


@ -5,7 +5,9 @@
become: true
vars_files:
- vars/vaults/encpass.yml
- vars/kojid.yml
- vars/common.yml
- vars/production/kojid.yml
- vars/production/koji-common.yml
# This is to try to avoid the handler issue in pre/post tasks
handlers:
@ -27,13 +29,13 @@
- name: Check for keytabs - kojid
stat:
path: /etc/kojid.keytab
register: kojid_keytab
register: kojid_keytab_check
changed_when: "1 != 1"
- name: Verify keytab
assert:
that:
- "kojid_keytab.stat.exists"
- "kojid_keytab_check.stat.exists"
success_msg: "It is likely we have all keytabs"
fail_msg: "There are no keytabs. Please build the keytabs."
@ -76,6 +78,9 @@
state: present
post_tasks:
- name: "Setup shared filesystem mount"
import_tasks: tasks/koji_efs.yml
- name: Touching run file that ansible has ran here
file:
path: /var/log/ansible.run


@ -0,0 +1,123 @@
---
# Stands up an ipsilon instance for simple SSO
- name: Configure koji hub and web server
hosts: kojihub
become: true
vars_files:
- vars/vaults/encpass.yml
- vars/common.yml
- vars/staging/kojihub.yml
- vars/staging/koji-common.yml
# This is to try to avoid the handler issue in pre/post tasks
handlers:
- import_tasks: handlers/main.yml
pre_tasks:
- name: Check if ansible cannot be run here
stat:
path: /etc/no-ansible
register: no_ansible
- name: Verify if we can run ansible
assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
- name: Check for keytabs - web
stat:
path: /etc/keytabs/koji-web.keytab
register: koji_keytab
changed_when: "1 != 1"
- name: Check for keytabs - kojira
stat:
path: /etc/keytabs/kojira.keytab
register: kojira_keytab
changed_when: "1 != 1"
- name: Check for keytabs - gc
stat:
path: /etc/keytabs/koji-gc.keytab
register: gc_keytab
changed_when: "1 != 1"
- name: Check for keytabs - host
stat:
path: /etc/keytabs/host.keytab
register: host_keytab
changed_when: "1 != 1"
- name: Verify keytab
assert:
that:
- "koji_keytab.stat.exists"
- "kojira_keytab.stat.exists"
- "gc_keytab.stat.exists"
- "host_keytab.stat.exists"
success_msg: "It is likely we have all keytabs"
fail_msg: "There are no keytabs. Please build the keytabs."
# EPEL and PowerTools are required for ipsilon to function
# I also couldn't find an ansible built-in to do this
- name: Enable the PowerTools repository
ini_file:
dest: /etc/yum.repos.d/CentOS-Linux-PowerTools.repo
section: powertools
option: enabled
value: 1
owner: root
group: root
mode: '0644'
# The CentOS extras repos has epel-release provided
- name: Enable the EPEL repository
yum:
name: epel-release
state: present
tags:
- packages
- name: Install rocky-tools copr
yum_repository:
name: copr:copr.fedorainfracloud.org:nalika:rockylinux-tool
description: Copr repo for rockylinux-tools owned by nalika
file: copr_repos
baseurl: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/epel-8-$basearch/
gpgcheck: true
gpgkey: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/pubkey.gpg
enabled: true
# Right now, we are not sure how or where we'll get our certificates. So we
# are presenting a choice by setting a variable, koji_internal_ca. There is a
# change that we will have to do internal certs for mqtt anyway.
# TODO: We need an MQTT role and pre_tasks for the keytabs for this role
roles:
- role: geerlingguy.certbot
state: present
when: not koji_internal_ca
- role: rockylinux.ipagetcert
state: present
when: koji_internal_ca
- role: geerlingguy.postgresql
state: present
when: koji_postgresql_vm
- role: rockylinux.kojihub
state: present
post_tasks:
- name: "Setup shared filesystem mount"
import_tasks: tasks/koji_efs.yml
- name: Touching run file that ansible has ran here
file:
path: /var/log/ansible.run
state: touch
mode: '0644'
owner: root
group: root


@ -5,7 +5,9 @@
become: true
vars_files:
- vars/vaults/encpass.yml
- vars/kojihub.yml
- vars/common.yml
- vars/production/kojihub.yml
- vars/production/koji-common.yml
# This is to try to avoid the handler issue in pre/post tasks
handlers:
@ -109,6 +111,9 @@
state: present
post_tasks:
- name: "Setup shared filesystem mount"
import_tasks: tasks/koji_efs.yml
- name: Touching run file that ansible has ran here
file:
path: /var/log/ansible.run


@ -0,0 +1,21 @@
---
- name: Install Prometheus Node Exporter
hosts: all
become: true
pre_tasks:
- name: Install SELinux packages
package:
name: python3-policycoreutils.noarch
state: present
roles:
- role: cloudalchemy.node-exporter
state: present
post_tasks:
- name: Open firewall for node-exporter
ansible.posix.firewalld:
port: 9100/tcp
permanent: true
state: enabled
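Review bot: The firewalld post_task opens 9100/tcp with `permanent: true` but no `immediate: true`, so on an already-running host the rule is not active until firewalld is reloaded; the wikijs playbook in this same commit does pass `immediate`. Because the play targets `hosts: all`, every managed host will then expose unauthenticated node-exporter metrics to anything that can reach port 9100, so consider restricting the rule to the scraper's address with a `source:`/rich rule or binding it to an internal zone rather than the default one. Adding `immediate: true` under `state: enabled` fixes the first point on its own.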


@ -54,7 +54,7 @@
# rocky-release-rabbitmq repo
- name: Install centos rabbitmq
yum:
name: centos-release-rabbitmq
name: centos-release-rabbitmq-38
state: present
tags:
- packages


@ -0,0 +1,91 @@
---
# Stands up an ipsilon instance for simple SSO
- name: Configure Sigul Bridge
hosts: sigulbridge
become: true
vars_files:
- vars/vaults/encpass.yml
- vars/common.yml
- vars/sigul_bridge.yml
# This is to try to avoid the handler issue in pre/post tasks
handlers:
- import_tasks: handlers/main.yml
pre_tasks:
- name: Check if ansible cannot be run here
stat:
path: /etc/no-ansible
register: no_ansible
- name: Verify if we can run ansible
assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
- name: Check for keytabs - sigul
stat:
path: /etc/sigul.keytab
register: sigul_keytab_register
changed_when: "1 != 1"
- name: Verify keytab
assert:
that:
- "sigul_keytab_register.stat.exists"
success_msg: "It is likely we have all keytabs"
fail_msg: "There are no keytabs. Please build the keytabs."
# EPEL and PowerTools are required for ipsilon to function
# I also couldn't find an ansible built-in to do this
- name: Enable the PowerTools repository
ini_file:
dest: /etc/yum.repos.d/CentOS-Linux-PowerTools.repo
section: powertools
option: enabled
value: 1
owner: root
group: root
mode: '0644'
# The CentOS extras repos has epel-release provided
- name: Enable the EPEL repository
yum:
name: epel-release
state: present
tags:
- packages
- name: Install rocky-tools copr
yum_repository:
name: copr:copr.fedorainfracloud.org:nalika:rockylinux-tool
description: Copr repo for rockylinux-tools owned by nalika
file: copr_repos
baseurl: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/epel-8-$basearch/
gpgcheck: true
gpgkey: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/pubkey.gpg
enabled: true
roles:
- role: rockylinux.sigul
state: present
- role: rockylinux.ipagetcert
state: present
post_tasks:
- name: Enable the sigul bridge
systemd:
name: sigul_bridge
state: restarted
enabled: true
- name: Touching run file that ansible has ran here
file:
path: /var/log/ansible.run
state: touch
mode: '0644'
owner: root
group: root
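Review bot: The header comment `# Stands up an ipsilon instance for simple SSO` and the pre_tasks comment `# EPEL and PowerTools are required for ipsilon to function` were carried over from the ipsilon playbook and describe the wrong service; the sigul server playbook that follows has the same two stale comments. Suggest `# Configures the sigul bridge` here (and `# Configures the sigul server` there) and `# EPEL, PowerTools and the rocky-tools copr supply the packages the sigul role installs` for the repository block. Separately, the post_task restarts `sigul_bridge` with `state: restarted` on every run even when nothing changed, which may interrupt in-flight signing requests; `state: started` plus a handler-triggered restart from the role is the usual pattern, and the same applies to `sigul_server` in the next playbook.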


@ -0,0 +1,78 @@
---
# Stands up an ipsilon instance for simple SSO
- name: Configure Sigul Server
hosts: sigulserver
become: true
vars_files:
- vars/vaults/encpass.yml
- vars/common.yml
- vars/sigul_server.yml
# This is to try to avoid the handler issue in pre/post tasks
handlers:
- import_tasks: handlers/main.yml
pre_tasks:
- name: Check if ansible cannot be run here
stat:
path: /etc/no-ansible
register: no_ansible
- name: Verify if we can run ansible
assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
# EPEL and PowerTools are required for ipsilon to function
# I also couldn't find an ansible built-in to do this
- name: Enable the PowerTools repository
ini_file:
dest: /etc/yum.repos.d/CentOS-Linux-PowerTools.repo
section: powertools
option: enabled
value: 1
owner: root
group: root
mode: '0644'
# The CentOS extras repos has epel-release provided
- name: Enable the EPEL repository
yum:
name: epel-release
state: present
tags:
- packages
- name: Install rocky-tools copr
yum_repository:
name: copr:copr.fedorainfracloud.org:nalika:rockylinux-tool
description: Copr repo for rockylinux-tools owned by nalika
file: copr_repos
baseurl: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/epel-8-$basearch/
gpgcheck: true
gpgkey: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/pubkey.gpg
enabled: true
roles:
- role: rockylinux.sigul
state: present
- role: rockylinux.ipagetcert
state: present
post_tasks:
- name: Enable the sigul server
systemd:
name: sigul_server
state: restarted
enabled: true
- name: Touching run file that ansible has ran here
file:
path: /var/log/ansible.run
state: touch
mode: '0644'
owner: root
group: root


@ -0,0 +1,69 @@
---
# WikiJS
- name: Install and manage Wikijs
hosts: wiki
become: false
vars_files:
- vars/vaults/hostman.yml
- vars/vaults/wikijs.yml
- vars/wikijs.yml
# This is to try to avoid the handler issue in pre/post tasks
handlers:
- import_tasks: handlers/main.yml
pre_tasks:
- name: Check if ansible cannot be run here
stat:
path: /etc/no-ansible
register: no_ansible
- name: Verify if we can run ansible
assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
- name: Install SELinux packages
become: true
package:
name: python3-policycoreutils.noarch
state: present
roles:
- role: rockylinux.ipagetcert
become: true
state: present
tags: ['certs']
- role: rockylinux.wikijs
tags: ['wikijs']
become: true
# Define variables in vars/wikijs.yml
- role: nginxinc.nginx_core.nginx
tags: ['nginx']
become: true
- role: nginxinc.nginx_core.nginx_config
tags: ['nginx']
become: true
post_tasks:
- name: Open firewalld ports
become: true
ansible.posix.firewalld:
port: "{{ item.port }}"
permanent: "{{ item.permanent }}"
state: "{{ item.state }}"
immediate: yes
loop: "{{ firewall_rules }}"
- name: Touching run file that ansible has ran here
become: true
file:
path: /var/log/ansible.run
state: touch
mode: '0644'
owner: root
group: root
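Review bot: `immediate: yes` in the firewalld post_task is the YAML 1.1 boolean spelling, while the rest of this play writes `permanent: true` / `become: true`, and yamllint's truthy rule flags it; change it to `immediate: true`. The same spelling appears as `become: yes` in the koji init tasks and `create: yes` in the EFS tasks added by this commit, and should be normalised there too.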


@ -1,2 +1,26 @@
---
# Account Services
- name: Install packages
package:
name:
- httpd
- mod_ssl
- python3
- python3-setuptools
- python3-kdcproxy
state: present
- name: Deploy relevant httpd configuration
template:
src: "etc/httpd/conf.d/id.conf.j2"
dest: "/etc/httpd/conf.d/id.conf"
owner: root
group: root
mode: '0644'
notify: restart_httpd
- name: Enable and start
systemd:
name: httpd
state: running
enabled: true
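Review bot: `state: running` in the `Enable and start` task is not a value the `systemd` module accepts (its states are `started`, `stopped`, `restarted` and `reloaded`), so the task will fail with an invalid-choice error the first time the role runs; change it to `state: started`. That also keeps httpd from being bounced on every run, with restarts left to the `restart_httpd` handler the template task already notifies.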


@ -35,18 +35,18 @@
- name: Override system-auth and password-auth
copy:
src: "etc/authselect/custom/sssd-aoc/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth"
src: "etc/authselect/custom/sssd-rocky/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth"
dest: "{{ item }}"
owner: root
group: root
mode: '0644'
loop:
- /etc/authselect/custom/sssd-aoc/system-auth
- /etc/authselect/custom/sssd-aoc/password-auth
- /etc/authselect/custom/sssd-rocky/system-auth
- /etc/authselect/custom/sssd-rocky/password-auth
- name: Select New Profile
command: >
/usr/bin/authselect select custom/sssd-aoc
/usr/bin/authselect select custom/sssd-rocky
without-nullok
with-faillock
with-mkhomedir


@ -50,6 +50,10 @@
group: root
state: link
- name: Symlink the hash
command: "openssl rehash /etc/gitlab/trusted-certs"
changed_when: "1 != 1"
- name: Turn on necessary SELinux booleans
ansible.posix.seboolean:
name: "{{ item }}"


@ -1,54 +1,4 @@
---
- name: Reset grub link if we are EFI
set_fact:
grub_config_path_link: "{{ grub_config_path_efi }}"
when:
- efi_installed.stat.isdir is defined
- efi_installed.stat.isdir
- grub_config_path_efi is defined
tags:
- efi
- name: Create grub.d directory
file:
name: /etc/default/grub.d
owner: root
group: root
mode: '0755'
state: directory
recurse: true
tags:
- grub
- kernel
- harden
- name: Append /etc/default/grub file
lineinfile:
path: /etc/default/grub
line: for x in $(ls /etc/default/grub.d) ; do source /etc/default/grub.d/$x ; done
state: present
tags:
- grub
- kernel
- harden
- name: Command line defaults
copy:
dest: "/etc/default/grub.d/99-rocky.cfg"
owner: root
group: root
mode: '0644'
content: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT {{ grub_boot_options }}"'
tags:
- grub
- kernel
- harden
- name: Rebuild grub
command: "/usr/sbin/grub2-mkconfig -o {{ grub_config_path_link }}"
register: grub_command_result
changed_when: "grub_command_result.rc == 0"
tags:
- grub
- kernel
- harden
- name: Add kernel boot options to all kernels and default config
command: /usr/sbin/grubby --update-kernel=ALL --args "{{ grub_boot_options }}"
changed_when: "1 != 1"
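Review bot: Hosts provisioned with the earlier version of this file keep the grub.d sourcing line in `/etc/default/grub` and the `99-rocky.cfg` drop-in, because the new file only adds the grubby task and nothing removes the previous configuration; a `lineinfile` with `state: absent` for that line and a `file: state: absent` for the drop-in would converge existing hosts. The grubby task reports `changed_when: "1 != 1"`, so repeated runs silently re-apply `--args`; if `grub_boot_options` is ever changed, the superseded options remain on the kernel command line unless a matching `--remove-args` is run, which is worth a comment above the task.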


@ -0,0 +1,62 @@
---
# Init koji
- name: kinit as koji admin using password
shell: "set -o pipefail && echo \"{{ rockykoji_password }}\" | kinit rockykoji@ROCKYLINUX.ORG"
check_mode: false
changed_when: "1 != 1"
become: yes
become_user: koji
when: rockykoji_has_password | bool
- name: kinit as koji admin using keytab
shell: "set -o pipefail && kinit -kt /home/koji/.koji/keytab koji/rockykoji@ROCKYLINUX.ORG"
check_mode: false
changed_when: "1 != 1"
become: yes
become_user: koji
when: not rockykoji_has_password | bool
- name: Import current necessary tags
shell: "set -o pipefail && koji add-tag {{ item }}"
changed_when: "1 != 1"
become: yes
become_user: koji
loop:
- build-modules
- dist-rocky8
- dist-rocky8-build
- dist-rocky8-compose
- dist-rocky8-extras
- dist-rocky8-gcc-toolset-9-build
- dist-rocky8-modular-buildrequires
- dist-rocky8-module-compose
- dist-rocky8-plus
- dist-rocky8-rust-bootstrap
- dist-rocky8-rust-bootstrap-build
- dist-rocky8-updates
- dist-rocky8-updates-build
- dist-rocky8_0-updates-build
- dist-rocky8_1-gcc-toolset-9-build
- dist-rocky8_1-updates-build
- dist-rocky8_2-updates-build
- dist-rocky8_3-updates-build
- dist-rocky8_4-updates-build
- dist-rocky9
- el8
- el8_0
- el8_1
- el8_2
- el8_3
- el8_4
- el8_infra
- el9
- el9_infra
- eln
- modular-updates-candidate
- module-rocky-8.0.0-build
- module-rocky-8.1.0-build
- module-rocky-8.2.0-build
- module-rocky-8.3.0-build
- module-rocky-8.4.0-build
- trash
- trashcan
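Review bot: The `kinit as koji admin using password` task pipes `{{ rockykoji_password }}` through `shell`, and the rendered command line, password included, is written to the ansible log and shown under `-v` because the task has no `no_log: true`; add `no_log: true` to that task. `set -o pipefail` is a bash option while `shell` runs `/bin/sh` unless told otherwise (bash on EL8, but ansible-lint expects it to be explicit), so add `args: executable: /bin/bash` to the three shell tasks. The `become: yes` spellings in this file should be `become: true` to match the rest of the repository.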


@ -0,0 +1,35 @@
---
# Sets up the EFS mount for /mnt/koji {{ koji_efs_mount_path }}
# Requires amazon-efs-utils; included
#
- name: Installing amazon-efs-utils
yum:
name: amazon-efs-utils
state: present
tags:
- amazon_efs_utils
- packages
- name: "Gathering ec2 facts"
amazon.aws.ec2_metadata_facts:
tags:
- mounts
# "you can use /etc/hosts" https://github.com/aws/efs-utils/issues/1
- name: "Install custom hosts file because ~~fml~~ amazon said so."
ansible.builtin.lineinfile:
path: /etc/hosts
line: "{{ koji_efs_fs_ip_map[ansible_ec2_placement_availability_zone] }} {{ koji_efs_fsid }}"
create: yes
tags:
- mounts
- name: "Creating and mounting {{ koji_efs_fsid }} at {{ koji_efs_mount_path }}"
ansible.posix.mount:
path: "{{ koji_efs_mount_path }}"
src: "{{ koji_efs_fsid }}:/"
fstype: "{{ koji_efs_fs_type }}"
opts: "{{ koji_efs_fs_opts | join(',') }}"
state: "{{ koji_efs_fs_state | default('mounted') }}"
tags:
- mounts
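Review bot: The `/etc/hosts` `lineinfile` task has no `regexp`, so when the mount-target IP for an availability zone changes, a second line for `{{ koji_efs_fsid }}` is appended instead of the old one being replaced, and the resolver keeps returning the first, stale entry. Add `regexp: '^\S+\s+{{ koji_efs_fsid | regex_escape }}$'` so the existing line is rewritten in place. `create: yes` should be `create: true`, and the header comment `# Requires amazon-efs-utils; included` would read better as `# Requires amazon-efs-utils, which the first task installs`.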


@ -1,7 +1,7 @@
---
# Configure mantis
- name: Configure SELinux booleans
seboolean:
ansible.posix.seboolean:
name: "{{ item }}"
persistent: true
state: true
@ -14,15 +14,79 @@
yum:
name: "{{ mantis_pkg }}"
state: present
vars:
mantis_pkg:
- php
- php-ldap
- httpd
- mod_ssl
- php-pgsql
- php-mbstring
- php-curl
- openldap
tags:
- packages
- name: Download the bugtracker
get_url:
url: "http://downloads.sourceforge.net/mantisbt/mantisbt-{{ mantis_version }}.tar.gz"
dest: "/tmp/mantisbt-{{ mantis_version }}.tar.gz"
checksum: "{{ mantis_checksum }}"
- name: Extract mantis
unarchive:
src: "/tmp/mantisbt-{{ mantis_version }}.tar.gz"
dest: "/var/www"
owner: apache
group: apache
mode: '0644'
remote_src: true
- name: Generate crypto salt
shell: "set -o pipefail && cat /dev/urandom | head -c 64 | base64 --wrap=0"
changed_when: "1 != 1"
register: cryptosalt_string
- name: Configure mantis
template:
src: "var/www/mantis/config/config_inc.php.j2"
dest: "/var/www/mantisbt-{{ mantis_version }}/config/config_inc.php"
owner: apache
group: apache
mode: '0640'
- name: Deploy plugins from Mantis GitHub
git:
repo: "https://github.com/mantisbt-plugins/{{ item }}.git"
dest: "/var/www/mantisbt-{{ mantis_version }}/plugins/{{ item }}"
update: true
version: master
with_items:
- Snippets
- name: Deploy custom libravatar plugin
git:
repo: "https://github.com/nazunalika/mantisbt-libravatar.git"
dest: "/var/www/mantisbt-{{ mantis_version }}/plugins/Libravatar"
update: true
version: main
- name: Configure httpd
template:
src: "etc/httpd/conf.d/mantis.conf.j2"
dest: "/etc/httpd/conf.d/mantis.conf"
owner: root
group: root
mode: '0644'
- name: Database import template
template:
src: "tmp/mantis_import.sql.j2"
dest: "/tmp/mantis_import.sql.j2"
owner: root
group: root
mode: '0600'
# We will need to generate this
# name: Import database if required
# community.general.postgresql_db:
# name: "{{ mantis_db_name }}"
# target: /tmp/mantis_import.sql
# owner: "{{ mantis_db_user }}"
# state: restore
# login_host: "{{ mantis_db_host }}"
# login_user: "{{ mantis_db_user }}"
# login_password: "{{ mantis_db_pass }}"
- name: Patch up some pages
import_tasks: mantispatch.yml
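Review bot: `Generate crypto salt` reads 64 fresh bytes from `/dev/urandom` on every run and `Configure mantis` writes that value into `$g_crypto_master_salt`, so each playbook run rotates the master salt and invalidates every existing MantisBT session and token derived from it, while `changed_when: "1 != 1"` hides the churn from the play recap. Generate the salt once and persist it: either a vaulted variable alongside `mantis_db_pass`, or a `shell` task with `args: creates:` that writes it to a root-only file which a later `slurp`/`set_fact` feeds into the template. The `Database import template` task also renders to `/tmp/mantis_import.sql.j2` while the commented-out import expects `/tmp/mantis_import.sql`; drop the `.j2` suffix from `dest`.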


@ -0,0 +1,25 @@
---
# Patch up various pieces of mantis to customize it. We do not rely on local
# bug tracker accounts. We are doing regex instead of just replacing the
# file as a whole. Should make it easier to deal with upgrades in theory.
- name: Change signup_page.php to Account Services
replace:
path: "/var/www/mantisbt-{{ mantis_version }}/{{ item }}"
regexp: 'signup_page.php'
replace: 'https://accounts.rockylinux.org'
with_items:
- core/print_api.php
- lost_pwd_page.php
- login_page.php
- name: Change special signup_page.php reference
replace:
path: "/var/www/mantisbt-{{ mantis_version }}/core/layout_api.php"
regexp: "' . helper_mantis_url( 'signup_page.php' ) . '"
replace: 'https://accounts.rockylinux.org'
- name: Remove LDAP from checks for signup button
lineinfile:
path: "/var/www/mantisbt-{{ mantis_version }}/login_page.php"
state: absent
regex: 'LDAP != config_get_global'
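Review bot: In `Change special signup_page.php reference` the `regexp` is a Python regular expression, so the parentheses in `helper_mantis_url( 'signup_page.php' )` form a capture group instead of matching the literal `(` and `)` in layout_api.php, and the replacement never fires. Escape them and the dots, e.g. `regexp: "' \\. helper_mantis_url\\( 'signup_page\\.php' \\) \\. '"` (YAML double quotes need the doubled backslash). The first task's `regexp: 'signup_page.php'` does match, but `signup_page\.php` is the precise form.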


@ -0,0 +1,88 @@
---
- name: Ensure python is installed
yum:
name:
- python3
- python3-pip
state: present
- name: Ensure noggin user exists
user:
name: noggin
comment: "Noggin FAS"
- name: Create noggin directory
file:
path: /opt/noggin
state: directory
mode: '0700'
owner: noggin
group: noggin
- name: Deploy noggin
git:
repo: https://github.com/fedora-infra/noggin.git
dest: /opt/noggin/noggin
update: true
version: main
become: true
become_user: noggin
- name: Noggin user must install poetry
pip:
name: poetry
executable: pip3
become: true
become_user: noggin
- name: Remove any pycache
file:
path: "/home/noggin/.cache/pypoetry"
state: absent
- name: Noggin installation
command: "/home/noggin/.local/bin/poetry install --no-dev --extras deploy"
become: true
become_user: noggin
changed_when: "1 != 1"
args:
chdir: "/opt/noggin/noggin"
- name: Get the noggin poetry virtualenv
shell:
cmd: "poetry env list | awk '{print $1}'"
chdir: "/opt/noggin/noggin"
become: true
become_user: noggin
changed_when: "1 != 1"
register: virtualenv_location
- name: Deploy start up script
template:
src: "opt/noggin/start_noggin.sh.j2"
dest: "/opt/noggin/start_noggin.sh"
mode: '0750'
user: noggin
group: noggin
- name: Deploy systemd unit
copy:
src: "etc/systemd/system/noggin.service"
dest: "/etc/systemd/system/noggin.service"
owner: root
group: root
mode: '0644'
- name: Deploy noggin configuration
template:
src: "opt/noggin/noggin.cfg.j2"
dest: "/opt/noggin/noggin.cfg"
owner: noggin
group: noggin
mode: '0600'
# The only way to run it properly, at least on EL8, is we need this line
- name: Add missing create_app call
lineinfile:
path: "/opt/noggin/noggin/noggin/app.py"
line: "app = create_app()"
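Review bot: The `Deploy start up script` template task passes `user: noggin`, which is not a parameter of the `template` module (the ownership parameter is `owner`), so the task fails with an unsupported-parameter error; change it to `owner: noggin`. The git checkout of noggin tracks `version: main` with `update: true`, so every run deploys whatever is on the upstream branch at that moment into the account service; pinning to a release tag or commit gives a reproducible, reviewable deployment. `Remove any pycache` deletes `/home/noggin/.cache/pypoetry`, which is also where the virtualenv that `start_noggin.sh` sources lives, so each run rebuilds the environment before the service can come back; if that is intended, a comment such as `# Wipe the poetry cache so the virtualenv is rebuilt from the current checkout` would make it clear.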


@ -0,0 +1,37 @@
---
# Configure relay
- name: Ensure postfix is installed
yum:
name:
- postfix
- cyrus-sasl-plain
state: present
- name: Add password map
template:
src: etc/postfix/sasl_passwd.j2
dest: /etc/postfix/sasl_passwd
owner: root
group: root
mode: '0600'
notify: rehash_postfix_sasl
- name: Add relay information to postfix
blockinfile:
path: /etc/postfix/main.cf
marker: "## ANSIBLE MANAGED ##"
block: |
smtp_tls_note_starttls_offer = yes
relayhost = [{{ smtp_relayhost }}]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
notify: restart_postfix
- name: Ensure postfix is running and enabled
service:
name: postfix
state: restarted
enabled: true
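Review bot: The relay block enables SASL authentication to `{{ smtp_relayhost }}` but only opportunistic TLS (`smtp_use_tls = yes`), so if STARTTLS is unavailable or stripped the credentials from `sasl_passwd` go over the wire in clear text; replace `smtp_use_tls = yes` with `smtp_tls_security_level = encrypt` so delivery fails closed without encryption, and set `smtp_sasl_security_options = noanonymous` rather than the empty value. The `blockinfile` marker `## ANSIBLE MANAGED ##` has no `{mark}` placeholder, so the begin and end markers are identical and the module may not locate the block bounds on later runs; keep the default `# {mark} ANSIBLE MANAGED BLOCK` form. The last task restarts postfix on every run; `state: started` with the `restart_postfix` handler already notified above is enough.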


@ -0,0 +1,2 @@
---
# no tasks yet


@ -132,3 +132,10 @@ gitlab_rails['db_port'] = '{{ gitlab_external_db_port }}'
gitlab_rails['db_username'] = '{{ gitlab_external_db_user }}'
gitlab_rails['db_password'] = '{{ gitlab_external_db_password }}'
{% endif %}
{% if gitlab_trusted_proxies %}
gitlab_rails['trusted_proxies'] = '{{ gitlab_trusted_proxies | map("to_json") | join(", ") }}'
{% endif %}
gitlab_rails['gravatar_enabled'] = true
gitlab_rails['gravatar_ssl_url'] = "https://seccdn.libravatar.org/avatar/%{hash}?s=%{size}&d=retro"
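Review bot: `gitlab_rails['trusted_proxies']` expects a Ruby array, but the template wraps the Jinja output in single quotes, so with the `gitlab_trusted_proxies` list from the gitlab vars in this commit it renders as the string `'"10.100.20.20/32"'`, which GitLab will either reject or ignore, leaving the proxy address logged as the client IP. Render it as `gitlab_rails['trusted_proxies'] = [{{ gitlab_trusted_proxies | map("to_json") | join(", ") }}]`. The `{% if gitlab_trusted_proxies %}` guard also fails with an undefined variable on any host whose group vars do not set it; `{% if gitlab_trusted_proxies | default([]) %}` is the safe form.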


@ -0,0 +1,48 @@
WSGIDaemonProcess kdcproxy processes=2 threads=15 maximum-requests=1000 \
display-name=%{GROUP}
WSGIImportScript /usr/lib/python3.6/site-packages/kdcproxy/__init__.py \
process-group=kdcproxy application-group=kdcproxy
WSGIScriptAlias /KdcProxy /usr/lib/python3.6/site-packages/kdcproxy/__init__.py
WSGIScriptReloading Off
<VirtualHost *:80>
ServerName accounts.rockylinux.org
ServerAlias accounts.rockylinux.org {{ ansible_fqdn }}
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
<VirtualHost *:443>
ServerName accounts.rockylinux.org
ServerAlias accounts.rockylinux.org {{ ansible_fqdn }}
RequestHeader set X-Forwarded-Proto https
SSLCertificateFile /etc/pki/tls/certs/noggin.crt
SSLCertificateKeyFile /etc/pki/tls/private/noggin.key
</VirtualHost>
<Location "/">
ProxyPreserveHost On
ProxyPass http://127.0.0.1:5000/
ProxyPassReverse http://127.0.0.1:5000/
<RequireAll>
Require all granted
Include /etc/httpd/conf/blacklist.conf
</RequireAll>
</Location>
<Location "/KdcProxy">
Satisfy Any
WSGIProcessGroup kdcproxy
WSGIApplicationGroup kdcproxy
ProxyPass "!"
ProxyPassReverse "!"
<RequireAll>
Require all granted
Include /etc/httpd/conf/blacklist.conf
</RequireAll>
</Location>
ServerSignature Off
ServerTokens Prod
ErrorDocument 403 "<h3>Your IP is on the blacklist.</h3><p>Please contact <a href="mailto:infrastructure@rockylinux.org">Rocky Linux Staff</a> to see if this can be corrected.</p>"
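Review bot: The `*:443` VirtualHost sets `SSLCertificateFile`/`SSLCertificateKeyFile` but never `SSLEngine on`, so unless the stock ssl.conf vhost happens to be selected, httpd answers plaintext HTTP on 443 for `accounts.rockylinux.org`; the mantis.conf template in this commit has `SSLEngine on`, `SSLHonorCipherOrder on` and `SSLCipherSuite PROFILE=SYSTEM`, and this vhost should carry the same three lines. The `ErrorDocument 403` message is a double-quoted string whose embedded `href="mailto:..."` quotes are not escaped, which is likely to truncate the message or fail `httpd -t`; escape them as `\"` or use single quotes inside the HTML. The two `<Location>` blocks and `Satisfy Any` sit outside both VirtualHosts and so apply to the port-80 vhost as well; the rewrite to HTTPS should win there, but it is worth confirming on a rendered config.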


@ -0,0 +1,33 @@
<VirtualHost *:80>
ServerAdmin infrastructure@rockylinux.org
DocumentRoot "/var/www/mantisbt-{{ mantis_version }}"
ServerName bugs.rockylinux.org
TransferLog /var/log/httpd/mantis_access.log
ErrorLog /var/log/httpd/mantis_error.log
<Directory "/var/www/mantisbt-{{ mantis_version }}/">
Options MultiViews FollowSymlinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
SSLCertificateFile /etc/pki/tls/certs/bugs.rockylinux.org.crt
SSLCertificateKeyFile /etc/pki/tls/private/bugs.rockylinux.org.key
ServerAdmin infrastructure@rockylinux.org
DocumentRoot "/var/www/mantisbt-{{ mantis_version }}"
ServerName bugs.rockylinux.org
TransferLog /var/log/httpd/mantis_access.log
ErrorLog /var/log/httpd/mantis_error.log
<Directory "/var/www/mantisbt-{{ mantis_version }}/">
Options MultiViews FollowSymlinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
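Review bot: The port-80 VirtualHost serves the full MantisBT DocumentRoot instead of redirecting to HTTPS, so a user who arrives over plain HTTP submits LDAP credentials on the login page in clear text; replace its DocumentRoot/Directory block with the `RewriteEngine On` / `RewriteCond %{HTTPS} !=on` / `RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]` redirect that id.conf in this commit uses, and consider an HSTS header on the 443 vhost. `Order allow,deny` / `Allow from all` are httpd 2.2 directives that only work through mod_access_compat; `Require all granted` is the 2.4 form and is what id.conf already uses.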


@ -0,0 +1 @@
[{{ smtp_relayhost }}]:587 {{ smtp_user_name }}:{{ smtp_user_pass }}


@ -62,7 +62,6 @@ AuthorizedKeysFile .ssh/authorized_keys
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
@ -154,3 +153,8 @@ Ciphers aes256-ctr,aes192-ctr,aes128-ctr
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
ChallengeResponseAuthentication yes
PasswordAuthentication no
{% if 'gitlabservers' in group_names %}
AllowUsers git@* *@10.*
{% endif %}
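Review bot: `PasswordAuthentication no` is added while `ChallengeResponseAuthentication yes` stays two lines above it, and with PAM enabled (the EL default, though `UsePAM` is not visible in this hunk) sshd still offers keyboard-interactive password prompts through PAM/sssd, so password logins are not actually disabled by this change. If key-only access via `AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys` is the intent, also set `ChallengeResponseAuthentication no`; if it is kept deliberately for IPA OTP, a comment such as `# kept on for IPA OTP over keyboard-interactive` should say so. The identical hunk in the second sshd_config template below needs the same treatment.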


@ -70,7 +70,6 @@ AuthorizedKeysFile .ssh/authorized_keys
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
@ -166,3 +165,8 @@ Ciphers aes256-ctr,aes192-ctr,aes128-ctr
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
ChallengeResponseAuthentication yes
PasswordAuthentication no
{% if 'gitlabservers' in group_names %}
AllowUsers git@* *@10.*
{% endif %}


@ -0,0 +1,23 @@
TEMPLATES_AUTO_RELOAD = False
FREEIPA_SERVERS = []
FREEIPA_CACERT = '/etc/ipa/ca.crt'
FREEIPA_ADMIN_USER = 'userman'
FREEIPA_ADMIN_PASSWORD = '{{ rocky_ldap_userman_pw }}'
THEME = "rocky"
FERNET_SECRET = b'NOTASECRET='
SECRET_KEY = b'NOTASECRET='
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_SECURE = True
USER_DEFAULTS = {
"locale": "en-US",
"timezone": "UTC",
"status_note": "active",
}
REGISTRATION_OPEN = True
ACTIVATION_TOKEN_EXPIRATION = 30
PASSWORD_RESET_EXPIRATION = 10
MAIL_DEFAULT_SENDER = "Account Services <identitymanagement@rockylinux.org>"
MAIL_SUPPRESS_SEND = False
AVATAR_SERVICE_URL = "https://seccdn.libravatar.org/"
AVATAR_DEFAULT_TYPE = "retro"
FEDORA_MESSAGING_ENABLED = False
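Review bot: `FERNET_SECRET` and `SECRET_KEY` are the fixed literal `b'NOTASECRET='` in a template that otherwise pulls secrets from vault (`{{ rocky_ldap_userman_pw }}`), so every deployment of the account service signs its session cookies and its activation/password-reset tokens with a key that is committed to the repository, and anyone who reads it can mint valid sessions and tokens. Template both from vaulted variables generated once per environment, e.g. `SECRET_KEY = b'{{ noggin_secret_key }}'` and `FERNET_SECRET = b'{{ noggin_fernet_secret }}'` (names illustrative; Fernet requires a 32-byte urlsafe-base64 key). `FREEIPA_SERVERS = []` and `REGISTRATION_OPEN = True` each deserve a one-line comment stating whether server discovery is meant to come from DNS and that open self-registration is the intended posture for `accounts.rockylinux.org`.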


@ -0,0 +1,14 @@
#!/bin/bash
export PATH=/home/noggin/.local/bin:/home/noggin/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
export NOGGIN_CONFIG_PATH=/opt/noggin/noggin.cfg
export FLASK_DEBUG=1
export FLASK_APP=/opt/noggin/noggin/noggin/app.py
source /home/noggin/.cache/pypoetry/virtualenvs/{{ virtualenv_location.stdout }}/bin/activate
cd /opt/noggin/noggin
#/home/noggin/.local/bin/poetry run flask run -h 0.0.0.0
# --certfile=/etc/pki/tls/certs/noggin.crt \
# --keyfile=/etc/pki/tls/private/noggin.key \
gunicorn -w 3 \
--env NOGGIN_CONFIG_PATH=/opt/noggin/noggin.cfg \
--bind tcp://0.0.0.0:5000 \
noggin.app:app
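Review bot: `export FLASK_DEBUG=1` is inherited by the production gunicorn workers; Flask reads that variable to set `app.debug`, which turns on template auto-reload and debug-mode exception handling in the service fronting `accounts.rockylinux.org`, so drop the line (or gate it on a variable that defaults off). The worker binds `tcp://0.0.0.0:5000` while the httpd template in this commit proxies to `http://127.0.0.1:5000/`, so `--bind tcp://127.0.0.1:5000` keeps the unauthenticated plain-HTTP backend off the network interfaces. The commented-out `poetry run flask run` and `--certfile`/`--keyfile` lines are dead now that gunicorn behind httpd is the chosen setup and can be removed.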


@ -0,0 +1 @@
# Empty


@ -0,0 +1,46 @@
<?php
$g_hostname = '{{ mantis_db_host }}';
$g_db_type = 'pgsql';
$g_database_name = '{{ mantis_db_name }}';
$g_db_username = '{{ mantis_db_user }}';
$g_db_password = '{{ mantis_db_pass }}';
$g_default_timezone = 'UTC';
$g_crypto_master_salt = '{{ cryptosalt_string.stdout }}';
# Added
$g_login_method = 'LDAP';
$g_ldap_server = '{{ rocky_ipaserver_lb }}';
$g_ldap_port = '389';
$g_ldap_root_dn = '{{ rocky_ldap_user_basedn }}';
#$g_ldap_organization = '(objectClass=posixAccount)';
$g_ldap_protocol_version = 3;
$g_ldap_network_timeout = 30;
$g_ldap_follow_referrals = ON;
$g_ldap_bind_dn = '{{ mantis_binder_user }}';
$g_ldap_bind_passwd = '{{ mantis_binder_pass }}';
$g_ldap_uid_field = 'uid';
$g_ldap_realname_field = 'cn';
$g_use_ldap_realname = ON;
$g_use_ldap_email = ON;
$g_webmaster_email = 'infrastructure@rockylinux.org';
$g_from_email = 'noreply@rockylinux.org';
$g_return_path_email = 'noreply@rockylinux.org';
$g_from_name = 'Rocky Linux Bugzilla';
$g_allow_file_upload = ON;
$g_file_upload_method = DATABASE; # or DISK
$g_dropzone_enabled = ON;
$g_show_realname = ON;
$g_show_avatar = ON;
$g_allowed_files = 'log,patch,txt';
$g_disallowed_files = 'exe,pl,sh,py,c,cpp,rar,zip,rpm';
$g_window_title = 'Rocky Bugzilla';
$g_allow_signup = ON;
$g_allow_anonymous_login = ON;
$g_anonymous_account = 'anonymous';
$g_enable_email_notification = ON;
# Cookie problems
$g_allow_permanent_cookie = OFF;
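Review bot: `$g_ldap_server` is a bare hostname (`{{ rocky_ipaserver_lb }}`) with `$g_ldap_port = '389'`, so MantisBT binds as `{{ mantis_binder_user }}` and verifies user passwords over unencrypted LDAP; use an `ldaps://` URI, `$g_ldap_server = 'ldaps://{{ rocky_ipaserver_lb }}';` with `$g_ldap_port = '636';`, or confirm that the PHP LDAP client is configured for StartTLS elsewhere, since nothing in this file enables it. `$g_allow_signup = ON` is set even though mantispatch.yml rewrites the signup links to Account Services; if signup is meant to go entirely through IPA, `OFF` avoids leaving the local signup endpoint reachable where those patches do not cover it. The `# Added` and `# Cookie problems` comments do not explain much; `# LDAP authentication against IPA; local accounts are not used` and `# Permanent cookies disabled so sessions end with the browser` would.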


@ -0,0 +1,5 @@
---
# Build sys
smtp_user_name: "username"
smtp_user_pass: "password"
smtp_relayhost: "smtp.rockylinux.org"
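Review bot: `smtp_user_name: "username"` and `smtp_user_pass: "password"` are placeholder literals that the postfix tasks render straight into `/etc/postfix/sasl_passwd`; a host provisioned before they are overridden ends up with a relay configured against dummy credentials and mail that silently fails to authenticate. Follow the pattern the other vars files in this commit use and reference a vaulted variable, e.g. `smtp_user_pass: "{{ smtp_relay_password }}"` (name illustrative), so a missing vault entry fails the run instead of deploying a bogus password. The `# Build sys` comment should say what these values are for, e.g. `# Outbound mail relay credentials (override from vault)`.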


@ -1,4 +1,5 @@
---
rocky_ipa_realm: "ROCKYLINUX.ORG"
rocky_ldap_bind_dn: "uid=binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org"
rocky_ldap_user_basedn: "cn=users,cn=accounts,dc=rockylinux,dc=org"
rocky_ldap_group_basedn: "cn=groups,cn=accounts,dc=rockylinux,dc=org"
@ -8,3 +9,5 @@ rocky_ipaserver_list: "{{ groups['ipaserver'] + groups['ipareplicas'] }}"
rocky_ipaserver_lb: "ipa-lb.rockylinux.org"
# This will need to be vaulted
rocky_ldap_bind_pw: "{{ ipa_binder_password }}"
rocky_ldap_userman_dn: "uid=userman,cn=users,cn=accounts,dc=rockylinux,dc=org"
rocky_ldap_userman_pw: "{{ ipa_userman_password }}"


@ -29,7 +29,7 @@ gitlab_ldap_bind_dn: "{{ rocky_ldap_bind_dn }}"
gitlab_ldap_password: "{{ rocky_ldap_bind_pw }}"
gitlab_ldap_base: "{{ rocky_ldap_user_basedn }}"
gitlab_ldap_group_dn: "{{ rocky_ldap_group_basedn }}"
gitlab_ldap_admin_group: "cn=gitadm,cn=groups,cn=accounts,dc=rockylinux,dc=org"
gitlab_ldap_admin_group: "gitadm"
gitlab_ldap_user_filter: "(&(objectClass=posixAccount)(memberOf=cn=gitusers,cn=groups,cn=accounts,dc=rockylinux,dc=org))"
gitlab_time_zone: "UTC"
@ -67,3 +67,6 @@ gitlab_external_db: true
gitlab_external_db_host: db.rockylinux.org
gitlab_external_db_user: gitlab
gitlab_external_db_password: "{{ gitlab_db_pass }}"
gitlab_trusted_proxies:
- 10.100.20.20/32


@ -0,0 +1,31 @@
---
# graylog
graylog_server_firewall_rules:
- port: 9000/tcp
permanent: true
state: enabled
- port: 1514/tcp
permanent: true
state: enabled
- port: 1514/udp
permanent: true
state: enabled
graylog_tls_ca_cert: "/etc/pki/tls/certs/ca-bundle.crt"
graylog_tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
graylog_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
ipa_getcert_requested_hostnames:
- name: "{{ ansible_fqdn }}"
owner: graylog
key_location: "{{ monitoring_tls_key }}"
cert_location: "{{ monitoring_tls_cert }}"
postcmd: "/bin/systemctl restart graylog-server"
cnames:
- "graylog.rockylinux.org"
graylog_ipa_dnsrecord_zone_name: rockylinux.org
graylog_ipa_dnsrecord_name: graylog
graylog_ipa_dnsrecord_record_type: CNAME
graylog_ipa_dnsrecord_record_value: graylog002.rockylinux.org.
graylog_ipa_dnsrecord_state: present
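Review bot: `ipa_getcert_requested_hostnames` refers to `{{ monitoring_tls_key }}` and `{{ monitoring_tls_cert }}`, but this file defines `graylog_tls_key` and `graylog_tls_cert`; unless `monitoring_tls_*` is set in another vars file, the ipagetcert role fails with an undefined variable, or writes the certificate somewhere other than the paths graylog is told to load. The two entries should be `key_location: "{{ graylog_tls_key }}"` and `cert_location: "{{ graylog_tls_cert }}"`. `graylog_ipa_dnsrecord_record_value: graylog002.rockylinux.org.` pins the CNAME to one backend host, which is fine if deliberate but deserves a comment saying why that host.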


@ -26,6 +26,13 @@ iparoles:
- "Netgroups Administrators"
user:
- hostman
- role: Kerberos Managers
description: Kerberos Key Managers
privileges:
- "Privileges - Kerberos Managers"
- "Service Administrators"
user:
- kerbman
- role: IPA User Managers
description: Rocky IPA User Managers responsible for idm flow
privileges:


@ -0,0 +1,2 @@
---
ipatype: server


@ -0,0 +1,31 @@
---
# mantis vars
mantis_version: 2.25.0
mantis_checksum: "sha256:d8973d3677ecb2ccbfee95e2267b3128049fbdcc59aa1f007686a342d93a4c0a"
mantis_pkg:
- php
- php-ldap
- httpd
- mod_ssl
- php-pgsql
- php-mbstring
- php-curl
- openldap
- php-json
mantis_db_host: db.rockylinux.org
mantis_db_name: mantisdb
mantis_db_user: mantis
mantis_binder_user: "{{ rocky_ldap_bind_dn }}"
mantis_binder_pass: "{{ rocky_ldap_bind_pw }}"
# Vault
# mantis_db_pass: ThisIsNotThePassword!
ipa_getcert_requested_hostnames:
- name: "{{ ansible_fqdn }}"
owner: apache
key_location: "/etc/pki/tls/private/bugs.rockylinux.org.key"
cert_location: "/etc/pki/tls/certs/bugs.rockylinux.org.crt"
postcmd: "/bin/systemctl reload httpd"
cnames:
- "bugs.rockylinux.org"


@ -0,0 +1,16 @@
---
matterbridge_config:
binary_checksum: "0a321cbc90ba467d05c1bd5ec7a1c3b10fb2ba142710311b015f5e8235d39fe6"
version: 1.21.0
mbridge_bot_nick: rlf
mbridge_bridge_name: rlf
mbridge_irc_channel: '#irc'
mbridge_irc_ignore_nicks:
mbridge_irc_label: IRC
mbridge_irc_network_server: irc.freenode.net:6697
mbridge_mattermost_channel: testing
mbridge_mattermost_ignore_nicks:
mbridge_mattermost_label: MM
mbridge_mattermost_server: ws.chat.rockylinux.org
mbridge_mattermost_team: rocky-linux
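Review bot: `mbridge_irc_ignore_nicks:` and `mbridge_mattermost_ignore_nicks:` have no value, which YAML parses as `null` rather than an empty string or list, so the matterbridge template will render `None` or fail on a `| join`, depending on how it uses them. Write the intended empty value explicitly, `mbridge_irc_ignore_nicks: ""` if the template expects a string or `[]` if it iterates, and the same for the mattermost key. `binary_checksum` is good to see, but the file does not say which algorithm the role verifies it with; a comment such as `# sha256 of the matterbridge release binary (update with version)` would help whoever next bumps `version`, if that is indeed the algorithm.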


@ -0,0 +1,13 @@
---
# Koji common
koji_efs_mount_path: /mnt/koji
koji_efs_fsid: whatever.amazonaws.com
koji_efs_fs_ip_map:
us-east-2a: 10.x.x.x
us-east-2b: 10.x.x.x
us-east-2c: 10.x.x.x
koji_efs_fs_type: efs
koji_efs_fs_opts:
- _netdev
- tls
- iam


@ -20,10 +20,36 @@ koji_hub_url: "https://{{ koji_url_name }}/kojihub"
koji_files_url: "https://{{ koji_url_name }}/kojifiles"
# The IPA internal CA is combined with the others
# Change before deployment or store in vault
koji_hub_secret: cK5XCuzMSXJfgA7yFvXkGwFu
koji_web_cacert: /etc/pki/tls/certs/ca-bundle.crt
koji_web_tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
koji_web_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
# Kojira
koji_kojira: true
koji_kojira_user: kojira
koji_kojira_user_kerb: kojira/koji.rockylinux.org
koji_kojira_principal: kojira/koji.rockylinux.org@ROCKYLINUX.ORG
koji_kojira_keytab: /etc/keytabs/kojira.keytab
# MBS
koji_mbs: true
koji_mbs_user: mbs
koji_mbs_user_kerb: mbs/mbs.rockylinux.org
koji_mbs_principal: mbs/mbs.rockylinux.org@ROCKYLINUX.ORG
koji_mbs_keytab: /etc/keytabs/mbs.keytab
# GC
koji_gc_keytab: /etc/keytabs/koji-gc.keytab
koji_gc_principal: koji-gc/koji.rockylinux.org@ROCKYLINUX.ORG
# Sigul
koji_sigul: true
koji_sigul_user: sigul
koji_sigul_user_kerb: sigul/sigul.rockylinux.org
koji_sigul_principal: sigul/sigul.rockylinux.org@ROCKYLINUX.ORG
# NFS? We need a place.
koji_nfs: false
koji_mount: /mnt/koji
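Review bot: `koji_hub_secret: cK5XCuzMSXJfgA7yFvXkGwFu` is a literal in a committed vars file, and the new staging kojihub vars added by this commit carry the exact same string, so the hub secret is both exposed in the repository and shared across environments; the comment above it already says to vault it, and that should happen before these playbooks run, e.g. `koji_hub_secret: "{{ koji_hub_secret_vault }}"` (name illustrative) with the value in `vars/vaults/`. Since this value has been pushed, treat it as burned and generate a new one per environment rather than moving it into the vault as-is. The new `koji_kojira_*`, `koji_mbs_*` and `koji_gc_*` blocks each define a keytab, but `koji_sigul_*` does not; if the kojihub role expects `koji_sigul_keytab` that will surface as an undefined variable, and if not, a comment saying sigul authenticates differently would save the next reader the question.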


@ -28,6 +28,9 @@ rabbitmq_enable_public: false
# into account when setting this variable.
rabbitmq_cluster_list: "{{ groups['rabbitmq'] }}"
rabbitmq_ldap_servers: "{{ rocky_ipaserver_list }}"
rabbitmq_ldap_bind_dn: "uid=rabbitmq_binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org"
rabbitmq_ldap_bind_pw: "{{ rabbitmq_binder_password }}"
rabbitmq_ldap_basedn: "{{ rocky_ldap_account_basedn }}"
# Messaging queues are generally private
rabbitmq_private: true
@ -37,3 +40,5 @@ ipa_getcert_requested_hostnames:
key_location: "{{ rabbitmq_tls_key }}"
cert_location: "{{ rabbitmq_tls_cert }}"
postcmd: "/bin/systemctl restart rabbitmq-server"
cnames:
- "rabbitmq-{{ rabbitmq_env }}.rockylinux.org"


@ -0,0 +1,16 @@
---
# Sigul Bridge Variables
sigul_type: bridge
sigul_ipa_realm: "ROCKYLINUX.ORG"
sigul_bridge_cert_nickname: "sigul-bridge"
sigul_principal: "sigul/sigul.rockylinux.org@{{ sigul_ipa_realm }}"
sigul_keytab: /etc/sigul.keytab
sigul_nss_dir: /etc/pki/tls/sigul
# ipa-getcert variables
ipa_getcert_nss: true
ipa_getcert_requested_hostnames:
- name: "{{ ansible_fqdn }}"
owner: sigul
nss_db_dir: "{{ sigul_nss_dir }}"
nss_nickname: "{{ sigul_bridge_cert_nickname }}"


@ -0,0 +1,14 @@
---
# Sigul Server Variables
sigul_type: server
sigul_server_cert_nickname: "sigul-server"
sigul_nss_dir: /etc/pki/tls/sigul
sigul_bridge_name: ""
# ipa-getcert variables
ipa_getcert_nss: true
ipa_getcert_requested_hostnames:
- name: "{{ ansible_fqdn }}"
owner: sigul
nss_db_dir: "{{ sigul_nss_dir }}"
nss_nickname: "{{ sigul_server_cert_nickname }}"


@ -0,0 +1,13 @@
---
# Koji common
koji_efs_mount_path: /mnt/koji
koji_efs_fsid: whatever.amazonaws.com
koji_efs_fs_ip_map:
us-east-2a: 10.x.x.x
us-east-2b: 10.x.x.x
us-east-2c: 10.x.x.x
koji_efs_fs_type: efs
koji_efs_fs_opts:
- _netdev
- tls
- iam


@ -0,0 +1,15 @@
---
# vars for kojid
kojid_vendor: Rocky
kojid_packager: infrastructure@rockylinux.org
kojid_distribution: Rocky
# These three should probably be specified by special vars
# kojid_web_url: https://kojistg.rockylinux.org/koji
# kojid_hub_url: https://kojistg.rockylinux.org/kojihub
# kojid_files_url: https://kojistg.rockylinux.org/kojifiles
kojid_ca_bundle: /etc/pki/tls/certs/ca-bundle.crt
kojid_keytab: /etc/kojid.keytab
kojid_smtp_host: smtp.rockylinux.org
kojid_allowed_scm: "git.centos.org:/* git.rockylinux.org:/*"


@ -0,0 +1,119 @@
---
# koji hub settings
# This should be the front-facing URL of koji
#koji_url_name: kojistg.rockylinux.org
# Use an internal CA (IPA)
koji_internal_ca: true
# Use postgresql on this machine rather than managed service
koji_postgresql_vm: true
# Database settings
koji_db_name: koji
koji_db_user: koji
# This will need to change when koji_postgresql_vm is false
koji_db_host: "{{ ansible_fqdn }}"
koji_web_url: "https://{{ koji_url_name }}/koji"
koji_hub_url: "https://{{ koji_url_name }}/kojihub"
koji_files_url: "https://{{ koji_url_name }}/kojifiles"
# The IPA internal CA is combined with the others
# Change before deployment or store in vault
koji_hub_secret: cK5XCuzMSXJfgA7yFvXkGwFu
koji_web_cacert: /etc/pki/tls/certs/ca-bundle.crt
koji_web_tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
koji_web_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
# Kojira
koji_kojira: true
koji_kojira_user: kojira
koji_kojira_user_kerb: kojira/kojistg.rockylinux.org
koji_kojira_principal: kojira/kojistg.rockylinux.org@ROCKYLINUX.ORG
koji_kojira_keytab: /etc/keytabs/kojira.keytab
# MBS
koji_mbs: true
koji_mbs_user: mbs
koji_mbs_user_kerb: mbs/mbs.rockylinux.org
koji_mbs_principal: mbs/mbs.rockylinux.org@ROCKYLINUX.ORG
koji_mbs_keytab: /etc/keytabs/mbs.keytab
# GC
koji_gc_keytab: /etc/keytabs/koji-gc.keytab
koji_gc_principal: koji-gc/kojistg.rockylinux.org@ROCKYLINUX.ORG
# Sigul
koji_sigul: true
koji_sigul_user: sigul
koji_sigul_user_kerb: sigul/sigul.rockylinux.org
koji_sigul_principal: sigul/sigul.rockylinux.org@ROCKYLINUX.ORG
# NFS? We need a place.
koji_nfs: false
koji_mount: /mnt/koji
koji_nfs_path: nfs.rockylinux.org:/export/koji
# Koji Admin Settings
koji_admin_client: true
koji_admin_user: rockykoji
koji_admin_principal: rockykoji@ROCKYLINUX.ORG
koji_admin_localuser: true
koji_admin_localuser_name: koji
# Hub Settings
koji_hub_principal: "host/kojihub@ROCKYLINUX.ORG"
koji_hub_proxy_principals: "HTTP/{{ inventory_hostname }}@ROCKYLINUX.ORG"
koji_hub_keytab: /etc/keytabs/host.keytab
koji_hub_principal_format: compile/%s@ROCKYLINUX.ORG
# This should be sufficient even for LE
koji_hub_ca: "{{ koji_web_cacert }}"
# Koji FAS Syncing
# This isn't implemented yet in the role
koji_fas_sync: false
koji_fas_url: https://accounts.rockylinux.org
# IPA Certs if Required
ipa_getcert_requested_hostnames:
- name: "{{ ansible_fqdn }}"
owner: apache
key_location: "{{ koji_web_tls_key }}"
cert_location: "{{ koji_web_tls_cert }}"
postcmd: "/bin/systemctl reload httpd"
# postgresql vars
postgresql_restarted_state: "restarted"
postgresql_python_library: python3-psycopg2
postgresql_user: postgres
postgresql_group: postgres
postgresql_hba_entries:
- type: local
database: koji
user: koji
auth_method: trust
- type: local
database: all
user: postgres
auth_method: peer
- type: host
database: koji
user: koji
address: '10.100.1.0/24'
auth_method: md5
postgresql_databases:
- name: "{{ koji_db_name }}"
owner: "{{ koji_db_user }}"
postgresql_users:
- name: "{{ koji_db_user }}"
password: "{{ koji_db_pass }}"
role_attr_flags: "NOCREATEDB,NOSUPERUSER,NOCREATEROLE"
db: "{{ koji_db_name }}"
state: present
postgresql_global_config_options:
- option: listen_addresses
value: '*'
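Review bot: `koji_hub_secret` on L2554 is a literal credential committed to the repository; the comment on L2553 acknowledges it, but a value that has been pushed has to be treated as compromised and rotated, not merely changed before deployment. Replace the literal with a vaulted reference, `koji_hub_secret: "{{ vault_koji_hub_secret }}"`, the same way `koji_db_pass` on L2630 is already taken from a variable not defined in this file. The `auth_method: trust` entry on L2612–L2615 separately lets any local OS account on the hub connect to the koji database as the `koji` user with no password; since a password is set for that user on L2630, `md5` (or `scram-sha-256`) would make the hub actually authenticate with it, and `listen_addresses: '*'` on L2636 makes it worth confirming the host firewall only admits 10.100.1.0/24 on 5432.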


@ -0,0 +1,109 @@
---
# wikijs vars
firewall_rules:
- port: 443/tcp
permanent: true
state: enabled
- port: 9100/tcp
permanent: true
state: enabled
tls_ca_cert: "/etc/pki/tls/certs/ca-bundle.crt"
tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
ipa_getcert_requested_hostnames:
- name: "{{ ansible_fqdn }}"
owner: nginx
key_location: "{{ tls_key }}"
cert_location: "{{ tls_cert }}"
postcmd: "/bin/systemctl reload nginx"
wikijs_dbtype: postgres
wikijs_db:
host: "db.rockylinux.org"
port: 5432
user: wikijs
password: " {{ _wikijs_db_rw_pass }} "
dbname: wikijs_db
ssl: true
####################
### NGINX CONFIG ###
####################
# no demo config/template
nginx_config_html_demo_template_enable: false
nginx_config_selinux: true
nginx_config_selinux_enforcing: true
nginx_config_start: true
nginx_config_debug_output: true
nginx_config_debug_tasks: true
# nginx_config_cleanup: true
nginx_config_http_template_enable: true
nginx_config_main_template_enable: true
nginx_config_http_template:
default:
template_file: http/default.conf.j2
conf_file_name: default.conf
conf_file_location: /etc/nginx/conf.d/
servers:
redirect_https:
listen:
v6:
ip: '[::]' # Wrap in square brackets for IPv6 addresses
port: 80
opts: ['default_server']
v4:
ip: '' # Wrap in square brackets for IPv6 addresses
port: 80
opts: ['default_server']
server_name: "{{ ansible_fqdn }}"
error_page: /usr/share/nginx/html
access_log:
- name: main
location: /var/log/nginx/access.log
error_log:
location: /var/log/nginx/error.log
level: warn
root: "{{ wikijs_dir }}"
https_redirect: $host
wikijs_server:
listen:
v6:
ip: '[::]' # Wrap in square brackets for IPv6 addresses
port: 443
ssl: true
opts: ['http2', 'default_server']
v4:
ip: '' # Wrap in square brackets for IPv6 addresses
port: 443
ssl: true
opts: ['http2', 'default_server']
ssl:
cert: "{{ tls_cert }}"
key: "{{ tls_key }}"
server_name: "{{ ansible_fqdn }}"
error_page: /usr/share/nginx/html
access_log:
- name: main
location: /var/log/nginx/access.log
error_log:
location: /var/log/nginx/error.log
level: warn
root: "{{ wikijs_dir }}"
web_server:
locations:
default:
location: /
custom_options:
- "proxy_pass http://localhost:3000/;"
http_demo_conf: false
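Review bot: the database password on L2664 is written as `" {{ _wikijs_db_rw_pass }} "`, with a space on each side inside the quotes, so the rendered value is the secret padded with whitespace and the login to db.rockylinux.org will be rejected unless the stored password happens to carry the same padding; it should read `password: "{{ _wikijs_db_rw_pass }}"`. `nginx_config_debug_output: true` and `nginx_config_debug_tasks: true` on L2675–L2676 print the rendered nginx configuration into the Ansible run output, which is harmless for this config but is the kind of flag that should be off before anything sensitive reaches an nginx template. The proxy location on L2735 forwards to Wiki.js with no visible `proxy_set_header` lines; if the nginx_core template does not add them, Wiki.js will not see the original `Host` or `X-Forwarded-Proto: https` and may generate http:// links.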


@ -3,7 +3,7 @@
roles:
- name: geerlingguy.mysql
# monitoring
- name: cloudalchemy.node-exporter
- name: cloudalchemy.node_exporter
- name: cloudalchemy.prometheus
- name: cloudalchemy.alertmanager
- name: cloudalchemy.grafana
@ -24,6 +24,17 @@ roles:
- name: rockylinux.rabbitmq
src: https://github.com/rocky-linux/ansible-role-rabbitmq
version: main
- name: rockylinux.sigul
src: https://github.com/rocky-linux/ansible-role-sigul
version: main
- name: rockylinux.matterbridge
src: https://github.com/NeilHanlon/ansible-role-matterbridge
version: master
- name: rockylinux.wikijs
src: https://git.rockylinux.org/infrastructure/public/ansible/ansible-role-wikijs.git
scm: git
version: develop
- name: riemers.gitlab-runner
collections:
# freeipa
@ -35,3 +46,11 @@ collections:
- name: ansible.posix
- name: ktdreyer.koji_ansible
- name: netbox.netbox
- name: community.aws
- name: containers.podman
- name: nginxinc.nginx_core
version: 0.3.0
# - name: rockylinux.taiga
# source: https://github.com/rocky-linux/taiga-ansible.git
# type: git
# version: master
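Review bot: the new role entries on L2753–L2762 track moving branches (`main`, `master`, `develop`) rather than a tag or commit, and one of them (L2757) is fetched from a personal GitHub account, so every `ansible-galaxy install` on the control host runs whatever those branches contain at that moment. Pin each to a release tag or full commit SHA, as `nginxinc.nginx_core` already is on L2773 (`version: 0.3.0`), and if a branch must be tracked for a role under active development, host it under the rocky-linux organisation so a third party cannot change what the control host pulls. The `node-exporter` → `node_exporter` rename on L2744–L2745 is fine as is.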