Merge branch 'main' of github.com:rocky-linux/infrastructure
This commit is contained in:
commit
e23f7cc69d
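--- a/.ansible-lint
+++ b/.ansible-lint
@@ -0,0 +1,3 @@
+warn_list:
+- internal-error
+- syntax-check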
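Review bot: Listing `syntax-check` under `warn_list` demotes a playbook that does not parse from a lint failure to a warning, so if ansible-lint runs in pre-commit or CI it no longer blocks a broken playbook from being merged. `internal-error` is a reasonable entry for flaky runs, but `syntax-check` is the one rule worth keeping fatal. If it was demoted because the adhoc plays use extra-vars such as `{{ host }}` that are undefined at lint time, a comment saying so would stop the next person from tightening it blindly, e.g. `# syntax-check warns only: adhoc plays reference extra-vars undefined at lint time`.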
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
repos:
|
||||
- repo: https://github.com/pre-commit/pre-commit-hooks
|
||||
rev: v3.3.0
|
||||
rev: v3.4.0
|
||||
hooks:
|
||||
- id: trailing-whitespace
|
||||
- id: end-of-file-fixer
|
||||
|
@ -25,7 +25,7 @@ repos:
|
|||
always_run: true
|
||||
|
||||
- repo: https://github.com/adrienverge/yamllint.git
|
||||
rev: v1.24.2
|
||||
rev: v1.26.0
|
||||
hooks:
|
||||
- id: yamllint
|
||||
files: \.(yaml|yml)$
|
||||
|
|
|
@ -167,3 +167,238 @@ When initializing the ansible host, you should be in `./infrastructure/ansible`
|
|||
% cd infrastructure/ansible
|
||||
% ansible-playbook playbooks/init-rocky-ansible-host.yml
|
||||
```
|
||||
|
||||
## Initializing the environment
|
||||
|
||||
To get a base environment, you will need to run the playbooks in this order.
|
||||
|
||||
```
|
||||
# Ansible host
|
||||
init-rocky-ansible-host.yml
|
||||
# First IPA server
|
||||
role-rocky-ipa.yml
|
||||
# Replicas
|
||||
role-rocky-ipa-replica.yml
|
||||
# Base users, groups, and DNS
|
||||
init-rocky-ipa-team.yml
|
||||
init-rocky-ipa-internal-dns.yml
|
||||
# All clients should be listed under [ipaclients]
|
||||
role-rocky-ipa-client.yml
|
||||
# All systems should be hardened
|
||||
init-rocky-system-config.yml
|
||||
```
|
||||
|
||||
## Current Set
|
||||
|
||||
```
|
||||
.
|
||||
├── README.md
|
||||
├── ansible.cfg
|
||||
├── collections
|
||||
│ └── Readme.md
|
||||
├── files -> playbooks/files
|
||||
├── handlers -> playbooks/handlers
|
||||
├── inventories
|
||||
│ ├── production
|
||||
│ │ ├── group_vars
|
||||
│ │ │ ├── chronyservers
|
||||
│ │ │ │ └── main.yml
|
||||
│ │ │ ├── ipa
|
||||
│ │ │ │ └── main.yml
|
||||
│ │ │ ├── ipaclients
|
||||
│ │ │ │ └── main.yml
|
||||
│ │ │ ├── ipareplicas
|
||||
│ │ │ │ └── main.yml
|
||||
│ │ │ ├── ipaserver
|
||||
│ │ │ │ └── main.yml
|
||||
│ │ │ └── rabbitmq
|
||||
│ │ │ └── main.yml
|
||||
│ │ └── hosts.ini
|
||||
│ └── staging
|
||||
│ ├── group_vars
|
||||
│ │ ├── chronyservers
|
||||
│ │ │ └── main.yml
|
||||
│ │ ├── ipa
|
||||
│ │ │ └── main.yml
|
||||
│ │ ├── ipaclients
|
||||
│ │ │ └── main.yml
|
||||
│ │ ├── ipareplicas
|
||||
│ │ │ └── main.yml
|
||||
│ │ ├── ipaserver
|
||||
│ │ │ └── main.yml
|
||||
│ │ └── rabbitmq
|
||||
│ │ └── main.yml
|
||||
│ └── hosts.ini
|
||||
├── playbooks
|
||||
│ ├── adhoc-facts-refresh.yml
|
||||
│ ├── adhoc-ipabinder.yml
|
||||
│ ├── adhoc-ipadnsrecord.yml
|
||||
│ ├── adhoc-ipadnszone.yml
|
||||
│ ├── adhoc-ipagetcert.yml
|
||||
│ ├── adhoc-ipagetkeytab.yml
|
||||
│ ├── adhoc-ipagroup.yml
|
||||
│ ├── adhoc-ipaservice.yml
|
||||
│ ├── adhoc-ipauser-disable.yml
|
||||
│ ├── adhoc-ipauser-enable.yml
|
||||
│ ├── adhoc-ipauser.yml
|
||||
│ ├── adhoc-rabbitmqqueue.yml
|
||||
│ ├── adhoc-rabbitmquser.yml
|
||||
│ ├── files
|
||||
│ │ ├── etc
|
||||
│ │ │ ├── authselect
|
||||
│ │ │ │ └── custom
|
||||
│ │ │ │ └── sssd-rocky
|
||||
│ │ │ │ ├── CentOS-8-system-auth -> RedHat-8-system-auth
|
||||
│ │ │ │ └── RedHat-8-system-auth
|
||||
│ │ │ ├── gitlab
|
||||
│ │ │ ├── pam.d
|
||||
│ │ │ │ ├── CentOS-7-system-auth-ac -> RedHat-7-system-auth-ac
|
||||
│ │ │ │ └── RedHat-7-system-auth-ac
|
||||
│ │ │ ├── rockybanner
|
||||
│ │ │ └── sudoers.d
|
||||
│ │ │ └── cis
|
||||
│ │ ├── tmp
|
||||
│ │ └── usr
|
||||
│ │ └── local
|
||||
│ │ └── bin
|
||||
│ │ └── lock-wrapper
|
||||
│ ├── handlers
|
||||
│ │ └── main.yml
|
||||
│ ├── import-rockygroups.yml
|
||||
│ ├── import-rockyipaprivs.yml
|
||||
│ ├── import-rockypwpolicy.yml
|
||||
│ ├── import-rockysudo.yml
|
||||
│ ├── import-rockyusers.yml
|
||||
│ ├── init-rocky-account-services.yml
|
||||
│ ├── init-rocky-ansible-host.yml
|
||||
│ ├── init-rocky-bugzilla.yml
|
||||
│ ├── init-rocky-builder-postfix.yml
|
||||
│ ├── init-rocky-chrony.yml
|
||||
│ ├── init-rocky-install-kvm-hosts.yml
|
||||
│ ├── init-rocky-ipa-internal-dns.yml
|
||||
│ ├── init-rocky-ipa-team.yml
|
||||
│ ├── init-rocky-noggin-theme.yml
|
||||
│ ├── init-rocky-system-config.yml
|
||||
│ ├── rocky-rocky-gitlab-ee.yml
|
||||
│ ├── role-rocky-graylog.yml
|
||||
│ ├── role-rocky-ipa-client.yml
|
||||
│ ├── role-rocky-ipa-replica.yml
|
||||
│ ├── role-rocky-ipa.yml
|
||||
│ ├── role-rocky-ipsilon.yml
|
||||
│ ├── role-rocky-kojid.yml
|
||||
│ ├── role-rocky-kojihub.yml
|
||||
│ ├── role-rocky-monitoring.yml
|
||||
│ ├── role-rocky-mqtt.yml
|
||||
│ ├── role-rocky-node_exporter.yml
|
||||
│ ├── role-rocky-rabbitmq.yml
|
||||
│ ├── role-rocky-sigul-bridge.yml
|
||||
│ ├── role-rocky-sigul-server.yml
|
||||
│ ├── tasks
|
||||
│ │ ├── account_services.yml
|
||||
│ │ ├── auditd.yml
|
||||
│ │ ├── authentication.yml
|
||||
│ │ ├── chrony.yml
|
||||
│ │ ├── gitlab-reconfigure.yml
|
||||
│ │ ├── grub.yml
|
||||
│ │ ├── harden.yml
|
||||
│ │ ├── koji_efs.yml
|
||||
│ │ ├── main.yml
|
||||
│ │ ├── mantis.yml
|
||||
│ │ ├── postfix_relay.yml
|
||||
│ │ ├── rabbitmq-reconfigure.yml
|
||||
│ │ ├── scripts.yml
|
||||
│ │ ├── ssh_config.yml
|
||||
│ │ └── variable_loader_common.yml
|
||||
│ ├── templates
|
||||
│ │ ├── etc
|
||||
│ │ │ ├── audit
|
||||
│ │ │ │ └── rules.d
|
||||
│ │ │ │ └── collection.rules.j2
|
||||
│ │ │ ├── chrony.conf.j2
|
||||
│ │ │ ├── gitlab
|
||||
│ │ │ │ └── rocky_gitlab.rb
|
||||
│ │ │ ├── httpd
|
||||
│ │ │ │ └── conf.d
|
||||
│ │ │ │ ├── id.conf.j2
|
||||
│ │ │ │ └── mantis.conf.j2
|
||||
│ │ │ ├── modprobe.d
|
||||
│ │ │ │ └── cis.conf.j2
|
||||
│ │ │ ├── nginx
|
||||
│ │ │ │ ├── conf.d
|
||||
│ │ │ │ │ └── omnibus.conf.j2
|
||||
│ │ │ │ └── nginx.conf.j2
|
||||
│ │ │ ├── postfix
|
||||
│ │ │ │ └── sasl_passwd.j2
|
||||
│ │ │ ├── resolv.conf.j2
|
||||
│ │ │ ├── rsyslog.d
|
||||
│ │ │ ├── ssh
|
||||
│ │ │ │ ├── CentOS-7-sshd_config.j2 -> RedHat-7-sshd_config.j2
|
||||
│ │ │ │ ├── CentOS-8-sshd_config.j2 -> RedHat-8-sshd_config.j2
|
||||
│ │ │ │ ├── RedHat-7-sshd_config.j2
|
||||
│ │ │ │ └── RedHat-8-sshd_config.j2
|
||||
│ │ │ └── sssd
|
||||
│ │ ├── hidden
|
||||
│ │ │ ├── README.md
|
||||
│ │ │ └── home
|
||||
│ │ │ └── noggin
|
||||
│ │ │ └── noggin.cfg
|
||||
│ │ ├── tmp
|
||||
│ │ │ ├── binder.update
|
||||
│ │ │ └── binder_template.update
|
||||
│ │ └── var
|
||||
│ │ └── www
|
||||
│ │ └── mantis
|
||||
│ │ └── config
|
||||
│ │ └── config_inc.php.j2
|
||||
│ └── vars
|
||||
│ ├── CentOS.yml -> RedHat.yml
|
||||
│ ├── RedHat.yml
|
||||
│ ├── buildsys.yml
|
||||
│ ├── chrony.yml
|
||||
│ ├── chronyserver.yml
|
||||
│ ├── common.yml
|
||||
│ ├── gitlab.yml
|
||||
│ ├── graylog.yml
|
||||
│ ├── ipa
|
||||
│ │ ├── adminusers.yml
|
||||
│ │ ├── agreements.yml
|
||||
│ │ ├── fdns.yml
|
||||
│ │ ├── groups.yml
|
||||
│ │ ├── ipaclient.yml
|
||||
│ │ ├── ipaprivs.yml
|
||||
│ │ ├── ipareplica.yml
|
||||
│ │ ├── ipaserver.yml
|
||||
│ │ ├── rdns.yml
|
||||
│ │ ├── sudorules.yml
|
||||
│ │ ├── svcusers.yml
|
||||
│ │ └── users.yml
|
||||
│ ├── ipaserver.yml
|
||||
│ ├── ipsilon.yml
|
||||
│ ├── koji-common.yml
|
||||
│ ├── kojid.yml
|
||||
│ ├── kojihub.yml
|
||||
│ ├── mantis.yml
|
||||
│ ├── matterbridge.yml
|
||||
│ ├── monitoring
|
||||
│ │ └── README.md
|
||||
│ ├── monitoring.yml
|
||||
│ ├── mqtt.yml
|
||||
│ ├── rabbitmq.yml
|
||||
│ ├── sigul_bridge.yml
|
||||
│ ├── sigul_server.yml
|
||||
│ └── vaults
|
||||
│ └── README.md
|
||||
├── roles
|
||||
│ ├── local
|
||||
│ │ └── Readme.md
|
||||
│ ├── public
|
||||
│ │ └── Readme.md
|
||||
│ └── requirements.yml
|
||||
├── ssh_config
|
||||
├── tasks -> playbooks/tasks
|
||||
├── templates -> playbooks/templates
|
||||
├── tmp
|
||||
│ ├── Readme.md
|
||||
│ └── ansible.log
|
||||
└── vars -> playbooks/vars
|
||||
```
|
||||
|
|
|
@ -67,3 +67,10 @@ log_path = tmp/ansible.log
|
|||
known_hosts = tmp/known_hosts
|
||||
roles_path = roles/local:roles/public
|
||||
collections_paths = collections
|
||||
|
||||
########################################
|
||||
# SSH Configuration
|
||||
########################################
|
||||
[ssh_connection]
|
||||
# Disable GSSAPI, which slows down SSH connections for ansible
|
||||
ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -o GSSAPIAuthentication=no
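Review bot: `ssh_args` replaces Ansible's built-in default rather than appending to it, which is why the ControlMaster/ControlPersist options have to be repeated on this line and why any future change to the built-in default is silently lost here. The narrower form is to leave `ssh_args` unset and put only the new option in `ssh_extra_args = -o GSSAPIAuthentication=no`, which is appended to the defaults. The comment could also state the consequence for IPA-enrolled hosts: with GSSAPI off, the controller authenticates with SSH keys only and Kerberos tickets obtained with kinit are never used for the SSH hop, so key distribution to every managed host becomes a hard requirement.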
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
# RabbitMQ Staging Vars
|
||||
rabbitmq_cluster_name: "rabbitprod"
|
||||
rabbitmq_cluster_name: "rabbit"
|
||||
rabbitmq_cluster_list: "{{ groups['rabbitmq'] }}"
|
||||
rabbitmq_env: "production"
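Review bot: The header `# RabbitMQ Staging Vars` is kept in the file whose `rabbitmq_env` is `"production"`, so the comment now contradicts the content; `# RabbitMQ Production Vars` fixes it. Renaming both clusters to `"rabbit"` (the staging hunk further down makes the identical change) drops the only name-level distinction between the environments; if the two sets of rabbitmq nodes can reach each other and share an Erlang cookie, identical cluster names make an accidental cross-environment join harder to notice, so a comment stating that the shared name is intentional would help. Whether `rabbitmq_cluster_name` is used for anything beyond the displayed name depends on the role, which is outside this hunk.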
|
||||
|
|
|
@ -19,51 +19,91 @@ ipa002.rockylinux.org ansible_host=10.100.1.111
|
|||
ipa003.rockylinux.org ansible_host=10.100.1.112
|
||||
|
||||
[ipaclients]
|
||||
build-a-box.rockylinux.org ansible_host=10.100.1.112
|
||||
idp001.rockylinux.org ansible_host=10.100.x.x
|
||||
chrony001.rockylinux.org ansiblehost=10.100.3.110
|
||||
chrony002.rockylinux.org ansiblehost=10.200.3.111
|
||||
git.rockylinux.org ansible_host=10.100.1.113
|
||||
#chrony001.rockylinux.org ansiblehost=10.100.3.110
|
||||
#chrony002.rockylinux.org ansiblehost=10.200.3.111
|
||||
#git.rockylinux.org ansible_host=10.100.1.113
|
||||
|
||||
[ipaclients:children]
|
||||
idp
|
||||
sigul
|
||||
mbs
|
||||
koji
|
||||
rabbitmq
|
||||
bugtracker
|
||||
monitoringservers
|
||||
gitlabservers
|
||||
matomo
|
||||
|
||||
[idp]
|
||||
idp001.rockylinux.org ansible_host=10.100.x.x
|
||||
idp002.rockylinux.org ansible_host=10.100.x.x
|
||||
|
||||
[grafana]
|
||||
grafana.rockylinux.org ansible_host=10.100.xx.xx
|
||||
|
||||
[graylogservers]
|
||||
graylog001.rockylinux.org ansible_host=10.100.xx.xx
|
||||
|
||||
[monitoringservers:children]
|
||||
grafana
|
||||
|
||||
[chronyservers]
|
||||
chrony001.rockylinux.org ansiblehost=10.100.3.110
|
||||
chrony002.rockylinux.org ansiblehost=10.200.3.111
|
||||
|
||||
[gitlabservers]
|
||||
git.rockylinux.org ansible_host=10.100.1.113
|
||||
git.rockylinux.org ansible_host=10.xx.xx.xx
|
||||
|
||||
# Koji System - These names and IP's are not permanent as some machines can be
|
||||
# in a different location. This is the case with ppc64le
|
||||
[buildsys:children]
|
||||
koji
|
||||
gitlabservers
|
||||
bugtracker
|
||||
|
||||
[koji:children]
|
||||
kojihub
|
||||
kojid
|
||||
mqtt
|
||||
rabbitmq
|
||||
|
||||
[kojihub]
|
||||
koji.boxbuild.rockylinux.org ansible_host=10.100.1.200
|
||||
koji.rockylinux.org ansible_host=10.xx.xx.xx
|
||||
|
||||
[kojid]
|
||||
x86-01.boxbuild.rockylinux.org ansible_host=10.100.1.201
|
||||
x86-02.boxbuild.rockylinux.org ansible_host=10.100.1.202
|
||||
x86-repo.boxbuild.rockylinux.org ansible_host=10.100.1.203
|
||||
aarch64-01.boxbuild.rockylinux.org ansible_host=10.100.1.204
|
||||
aarch64-02.boxbuild.rockylinux.org ansible_host=10.100.1.205
|
||||
aarch64-03.boxbuild.rockylinux.org ansible_host=10.100.1.206
|
||||
aarch64-04.boxbuild.rockylinux.org ansible_host=10.100.1.207
|
||||
aarch64-05.boxbuild.rockylinux.org ansible_host=10.100.1.208
|
||||
aarch64-06.boxbuild.rockylinux.org ansible_host=10.100.1.209
|
||||
ppc64le-01.boxbuild.rockylinux.org ansible_host=10.100.1.210
|
||||
ppc64le-02.boxbuild.rockylinux.org ansible_host=10.100.1.211
|
||||
ppc64le-03.boxbuild.rockylinux.org ansible_host=10.100.1.212
|
||||
|
||||
[mqtt]
|
||||
mqtt.boxbuild.rockylinux.org ansible_host=10.100.1.213
|
||||
x86build001.rockylinux.org ansible_host=10.100.xx.xx
|
||||
x86build002.rockylinux.org ansible_host=10.100.xx.xx
|
||||
x86build003.rockylinux.org ansible_host=10.100.xx.xx
|
||||
aarch64build001.rockylinux.org ansible_host=10.100.xx.xx
|
||||
aarch64build002.rockylinux.org ansible_host=10.100.xx.xx
|
||||
aarch64build003.rockylinux.org ansible_host=10.100.xx.xx
|
||||
|
||||
[rabbitmq]
|
||||
rabbitmq01.rockylinux.org ansible_host=10.100.1.214
|
||||
rabbitmq02.rockylinux.org ansible_host=10.100.1.215
|
||||
rabbitmq03.rockylinux.org ansible_host=10.100.1.216
|
||||
rabbitmq001.rockylinux.org ansible_host=10.100.xx.xx
|
||||
rabbitmq002.rockylinux.org ansible_host=10.100.xx.xx
|
||||
rabbitmq003.rockylinux.org ansible_host=10.100.xx.xx
|
||||
|
||||
[sigul:children]
|
||||
sigulbridge
|
||||
sigulserver
|
||||
|
||||
[sigulbridge]
|
||||
sigul001.rockylinux.org ansible_host=10.100.xx.xx
|
||||
|
||||
[sigulserver]
|
||||
sigul002.rockylinux.org ansible_host=10.100.xx.xx
|
||||
|
||||
[mbs]
|
||||
mbs001.rockylinux.org ansible_host=10.100.xx.xx
|
||||
mbs002.rockylinux.org ansible_host=10.100.xx.xx
|
||||
|
||||
[bugtracker]
|
||||
bugs.rockylinux.org ansible_host=10.100.xx.xx
|
||||
|
||||
[matterbridge]
|
||||
matterbridge.rockylinux.org ansible_host=10.100.xx.xx
|
||||
|
||||
[matomo]
|
||||
matomo.rockylinux.org ansible_host=10.100.xx.xx
|
||||
|
||||
[bugtracker]
|
||||
bugs.rockylinux.org ansible_host=10.100.xx.xx
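Review bot: The `[chronyservers]` entries use `ansiblehost=` rather than `ansible_host=`, so Ansible stores an unused `ansiblehost` host var and tries to reach `chrony001.rockylinux.org`/`chrony002.rockylinux.org` by DNS name instead of the listed addresses (the commented-out `[ipaclients]` lines carry the same typo). `[bugtracker]` is also declared twice in the new file with the same host; the INI inventory plugin appears to merge repeated sections rather than reject them, but one of the two should go. The `10.100.x.x` / `10.xx.xx.xx` placeholders are presumably intentional, but a comment marking them as unassigned would distinguish them from typos like the one above.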
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
|
||||
chrony_server: true
|
||||
chrony_allow_cidr: "10.0.0.0/16"
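Review bot: `chrony_allow_cidr: "10.0.0.0/16"` covers only 10.0.0.0–10.0.255.255, while every client in the staging inventory added in this commit sits in 10.100.x.x or 10.200.x.x, so none of them would be allowed to sync from these servers unless the chrony role widens the range elsewhere. If the intent was the whole private range the value is `"10.0.0.0/8"`; the tighter choice is to list the actual subnets, e.g. `"10.100.0.0/16"`, so the NTP service is not offered to every 10/8 address that can route to it. Whether the variable accepts a list depends on the chrony role, which is outside this hunk.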
|
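--- a/ansible/inventories/staging/group_vars/ipa/main.yml
+++ b/ansible/inventories/staging/group_vars/ipa/main.yml
@@ -0,0 +1,9 @@
+---
+
+ipaclient_domain: rockylinux.org
+ipaclient_realm: ROCKYLINUX.ORG
+ipaadmin_principal: admin
+ipaclient_no_ntp: true
+ipaclient_mkhomedir: true
+ipaclient_ssh_trust_dns: true
+ipasssd_enable_dns_updates: true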
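Review bot: `ipaclient_ssh_trust_dns: true` makes the OpenSSH client on these hosts accept SSHFP records from DNS for host-key verification, and that is only as strong as the resolver path: unless the hosts validate DNSSEC or only ever query the IPA DNS servers, a spoofed SSHFP record can satisfy host-key verification. It is a reasonable setting for an IPA-managed DNS, but it deserves a comment stating the assumption, e.g. `# SSHFP trust assumes hosts resolve only via the IPA DNS servers`. This is the `ipa` group, presumably the parent of `ipaserver`/`ipareplicas`, so `ipaclient_no_ntp: true` and `ipaclient_mkhomedir: true` are repeated in the `ipaserver` vars further down; one copy is redundant.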
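--- a/ansible/inventories/staging/group_vars/ipareplicas/main.yml
+++ b/ansible/inventories/staging/group_vars/ipareplicas/main.yml
@@ -0,0 +1,12 @@
+---
+
+ipaadmin_principal: admin
+ipaclient_mkhomedir: true
+ipaserver_realm: ROCKYLINUX.ORG
+ipareplica_domain: rockylinux.org
+ipareplica_auto_forwarders: true
+ipareplica_setup_firewalld: true
+ipareplica_setup_ca: true
+ipareplica_setup_kra: true
+ipareplica_setup_dns: true
+ipa_dns_master: 10.100.1.110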
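Review bot: The realm is given as `ipaserver_realm` while the domain uses the `ipareplica_` prefix; if the ipareplica role reads only `ipareplica_realm`, the realm set here is never consumed and the role derives it from the domain, which happens to match `ROCKYLINUX.ORG` but should be explicit as `ipareplica_realm: ROCKYLINUX.ORG`. `ipa_dns_master: 10.100.1.110` parses as a plain string, which is fine, but a comment naming the host it points at (presumably the first IPA server in the staging inventory) would make it checkable when addresses move.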
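--- a/ansible/inventories/staging/group_vars/ipaserver/main.yml
+++ b/ansible/inventories/staging/group_vars/ipaserver/main.yml
@@ -0,0 +1,15 @@
+---
+
+ipaserver_domain: rockylinux.org
+ipaserver_realm: ROCKYLINUX.ORG
+ipaserver_setup_dns: true
+ipaserver_setup_kra: true
+ipaserver_auto_forwarders: true
+ipaserver_no_host_dns: true
+ipaserver_hostname: ipa001.rockylinux.org
+ipaserver_allow_zone_overlap: true
+ipaserver_setup_firewalld: true
+ipaclient_no_ntp: true
+ipaclient_mkhomedir: true
+ipaserver_no_hbac_allow: true
+ipaserver_reverse_zones: ["1.100.10.in-addr.arpa."]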
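Review bot: `ipaserver_no_hbac_allow: true` removes the default `allow_all` HBAC rule, so until explicit rules exist no user can log in to any enrolled client; that is the right default for a hardened deployment, but nothing here documents it, and the README's playbook order runs `init-rocky-ipa-team.yml` before the client role, which is presumably where the rules come from. A comment such as `# allow_all HBAC is removed; rules are created by init-rocky-ipa-team.yml` above the key would make the dependency explicit. `ipaserver_allow_zone_overlap: true` likewise deserves a one-line reason, since it lets the IPA zone shadow a zone already served elsewhere.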
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
# RabbitMQ Staging Vars
|
||||
rabbitmq_cluster_name: "rabbitstage"
|
||||
rabbitmq_cluster_name: "rabbit"
|
||||
rabbitmq_cluster_list: "{{ groups['rabbitmq'] }}"
|
||||
rabbitmq_env: "staging"
|
||||
|
|
|
@ -16,7 +16,7 @@
|
|||
become: false
|
||||
gather_facts: false
|
||||
vars_files:
|
||||
- vars/vaults/encpass.yml
|
||||
- vars/vaults/hostman.yml
|
||||
|
||||
tasks:
|
||||
- name: "Checking for user variables"
|
||||
|
@ -42,3 +42,16 @@
|
|||
state: "{{ ipa_presence }}"
|
||||
tags:
|
||||
- dns
|
||||
|
||||
# We try to do this just in case because if a certificate is being issued
|
||||
# that wants a CNAME, the host has to "manage" said host. However, if the
|
||||
# host doesn't exist, we'll ignore it.
|
||||
- name: "Creating host object for CNAME"
|
||||
freeipa.ansible_freeipa.ipahost:
|
||||
ipaadmin_principal: "{{ ipa_admin|default('admin') }}"
|
||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||
name: "{{ ipa_name }}.{{ ipa_zone }}"
|
||||
force: true
|
||||
managedby:
|
||||
- "{{ ipa_name_value[:-1] }}"
|
||||
ignore_errors: true
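Review bot: `ignore_errors: true` on the new "Creating host object for CNAME" task hides every failure, not just the "host doesn't exist" case the comment describes — a wrong admin password, a typo in `ipa_zone`, or an undefined `ipa_name_value` all pass silently and the play reports success. Since `force: true` already skips the DNS check, the task will create a host principal for whatever `ipa_name` is supplied, so the intent is better expressed as `register: cname_host` plus `failed_when: cname_host.failed and 'not found' not in (cname_host.msg | default(''))` (constructed; check the exact message the module returns), tolerating only the expected error. `ipa_name_value[:-1]` presumably strips a trailing dot from an FQDN and is worth a comment; the play header and the task that sets `ipa_name_value` are outside this hunk.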
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
become: false
|
||||
gather_facts: false
|
||||
vars_files:
|
||||
- vars/vaults/encpass.yml
|
||||
- vars/vaults/hostman.yml
|
||||
|
||||
tasks:
|
||||
- name: "Checking for user variables"
|
|
@ -17,12 +17,15 @@
|
|||
vars:
|
||||
ipa_getcert_requested_hostnames:
|
||||
- name: "{{ getcert_name|default(ansible_fqdn) }}"
|
||||
owner: "{{ getcert_owner|default(omit) }}"
|
||||
key_location: "{{ getcert_key|default(omit) }}"
|
||||
cert_location: "{{ getcert_cert|default(omit) }}"
|
||||
postcmd: "{{ getcert_postcmd|default(omit) }}"
|
||||
ipa_getcert_chain: "{{ getcert_chain|default(omit) }}"
|
||||
ipa_getcert_chain_location: "{{ getcert_chain_location|default(omit) }}"
|
||||
owner: "{{ getcert_owner|default('root') }}"
|
||||
key_location: "{{ getcert_key|default('/etc/pki/tls/private/newcert.key') }}"
|
||||
cert_location: "{{ getcert_cert|default('/etc/pki/tls/certs/newcert.crt') }}"
|
||||
nss_db_dir: "{{ getcert_nss_db_dir|default('/etc/pki/tls/db') }}"
|
||||
nss_nickname: "{{ getcert_nss_nickname|default(ansible_fqdn) }}"
|
||||
postcmd: "{{ getcert_postcmd|default(false) }}"
|
||||
ipa_getcert_chain: "{{ getcert_chain|default(false) }}"
|
||||
ipa_getcert_chain_location: "{{ getcert_chain_location|default('/etc/pki/tls/chain') }}"
|
||||
ipa_getcert_nss: "{{ getcert_nss|default(false) }}"
|
||||
|
||||
roles:
|
||||
- role: rockylinux.ipagetcert
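Review bot: The new defaults for `key_location` and `cert_location` are fixed paths (`/etc/pki/tls/private/newcert.key`, `/etc/pki/tls/certs/newcert.crt`), so two requests on the same host that omit `getcert_key`/`getcert_cert` hand certmonger the same files and the second request overwrites the first one's private key. Deriving the default from the requested name avoids that, e.g. `key_location: "{{ getcert_key|default('/etc/pki/tls/private/' ~ getcert_name|default(ansible_fqdn) ~ '.key') }}"` with the matching `.crt`. Moving `owner` from `omit` to `'root'` is a behavior change for callers that relied on the role's own default; if deliberate, a comment saying so would help. The play containing this `vars:` block starts before the hunk.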
|
||||
|
|
|
@ -18,12 +18,13 @@
|
|||
become: true
|
||||
gather_facts: false
|
||||
vars_files:
|
||||
- vars/vaults/encpass.yml
|
||||
- vars/vaults/kerbman.yml
|
||||
|
||||
tasks:
|
||||
- name: "Checking for user variables"
|
||||
assert:
|
||||
that:
|
||||
- ipa_admin | mandatory
|
||||
- ipaadmin_password | mandatory
|
||||
- ipa_service | mandatory
|
||||
- ipa_keytab_fullpath | mandatory
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
become: false
|
||||
gather_facts: false
|
||||
vars_files:
|
||||
- vars/vaults/encpass.yml
|
||||
- vars/vaults/userman.yml
|
||||
|
||||
tasks:
|
||||
- name: "Checking for user variables"
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
become: false
|
||||
gather_facts: false
|
||||
vars_files:
|
||||
- vars/vaults/encpass.yml
|
||||
- vars/vaults/kerbman.yml
|
||||
|
||||
tasks:
|
||||
- name: "Checking for user variables"
|
||||
|
|
29
ansible/playbooks/adhoc-ipauser-disable.yml
Normal file
29
ansible/playbooks/adhoc-ipauser-disable.yml
Normal file
|
@ -0,0 +1,29 @@
|
|||
---
|
||||
# This playbook is meant to be used with callable variables, like adhoc or AWX.
|
||||
# What: Creates users in the idm infrastructure based on the variables provided.
|
||||
|
||||
- name: Create a User
|
||||
hosts: ipaserver
|
||||
become: false
|
||||
gather_facts: false
|
||||
vars_files:
|
||||
- vars/vaults/userman.yml
|
||||
|
||||
tasks:
|
||||
- name: "Checking for user variables"
|
||||
assert:
|
||||
that:
|
||||
- ipa_admin | mandatory
|
||||
- ipaadmin_password | mandatory
|
||||
- ipa_name | mandatory
|
||||
success_msg: "Required variables provided"
|
||||
fail_msg: "We are missing user information or ipa admin password"
|
||||
|
||||
- name: "Disabling User Account"
|
||||
freeipa.ansible_freeipa.ipauser:
|
||||
ipaadmin_principal: "{{ ipa_admin }}"
|
||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||
name: "{{ ipa_name }}"
|
||||
state: disabled
|
||||
tags:
|
||||
- users
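Review bot: The header comment and play name are copied from the user-creation playbook: `# What: Creates users in the idm infrastructure ...` and `- name: Create a User` describe the opposite of what the single task does (`state: disabled`), and `adhoc-ipauser-enable.yml` below has the same copy-paste with `state: enabled`. Suggested text for this file: `# What: Disables a user in the idm infrastructure based on the variables provided.` and `- name: Disable a User`, with the enable counterpart in the other file. The `assert` and `fail_msg` are accurate as written.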
|
29
ansible/playbooks/adhoc-ipauser-enable.yml
Normal file
29
ansible/playbooks/adhoc-ipauser-enable.yml
Normal file
|
@ -0,0 +1,29 @@
|
|||
---
|
||||
# This playbook is meant to be used with callable variables, like adhoc or AWX.
|
||||
# What: Creates users in the idm infrastructure based on the variables provided.
|
||||
|
||||
- name: Create a User
|
||||
hosts: ipaserver
|
||||
become: false
|
||||
gather_facts: false
|
||||
vars_files:
|
||||
- vars/vaults/userman.yml
|
||||
|
||||
tasks:
|
||||
- name: "Checking for user variables"
|
||||
assert:
|
||||
that:
|
||||
- ipa_admin | mandatory
|
||||
- ipaadmin_password | mandatory
|
||||
- ipa_name | mandatory
|
||||
success_msg: "Required variables provided"
|
||||
fail_msg: "We are missing user information or ipa admin password"
|
||||
|
||||
- name: "Enabling User Account"
|
||||
freeipa.ansible_freeipa.ipauser:
|
||||
ipaadmin_principal: "{{ ipa_admin }}"
|
||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||
name: "{{ ipa_name }}"
|
||||
state: enabled
|
||||
tags:
|
||||
- users
|
|
@ -7,7 +7,7 @@
|
|||
become: false
|
||||
gather_facts: false
|
||||
vars_files:
|
||||
- vars/vaults/encpass.yml
|
||||
- vars/vaults/userman.yml
|
||||
|
||||
tasks:
|
||||
- name: "Checking for user variables"
|
||||
|
|
|
@ -75,10 +75,13 @@
|
|||
name: "amq.topic"
|
||||
destination: "{{ queue_name }}"
|
||||
destination_type: queue
|
||||
routing_key: "{{ item }}"
|
||||
routing_key: "{{ routing_item }}"
|
||||
vhost: "{{ vhost|default('/pubsub') }}"
|
||||
state: present
|
||||
login_user: admin
|
||||
login_password: "{{ rabbitmq_admin_password }}"
|
||||
loop: "{{ routing_keys }}"
|
||||
loop_control:
|
||||
loop_var: routing_item
|
||||
tags:
|
||||
- rabbitmq
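Review bot: The task passes `login_password: "{{ rabbitmq_admin_password }}"` inside a `loop`, and loop results echo the per-item module arguments when the play runs with `-v` or when a later task registers and prints the result; unless the binding module declares `login_password` as `no_log` in its argument spec, `no_log: true` on the task is the safe default. The `loop_var: routing_item` rename itself is the right fix for the nested-`item` clash and needs no change. The task's `name:` and the start of the play are outside this hunk.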
|
||||
|
|
|
@ -7,12 +7,12 @@ auth [success=done ignore=ignore default=die] pam_sss.so require_cert
|
|||
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
|
||||
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
|
||||
auth required pam_u2f.so cue nouserok {include if "with-pam-u2f-2fa"}
|
||||
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
|
||||
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
||||
auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
|
||||
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
|
||||
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
|
||||
auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
|
||||
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
|
||||
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
||||
auth sufficient pam_sss.so forward_pass
|
||||
auth required pam_faillock.so authfail audit deny=5 unlock_time=900 fail_interval=900 {include if "with-faillock"}
|
||||
auth required pam_deny.so
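Review bot: Replacing the `pam_succeed_if.so uid >= 1000` lines with `pam_usertype.so isregular` (here and in the account hunk below) moves the regular/system split from a hard-coded 1000 to the UID ranges in `/etc/login.defs`, so any hardening task that edits login.defs now changes which users reach `pam_sss` and `pam_faillock`; that matches upstream authselect, but a header comment naming the authselect sssd profile version these lines were copied from would make future diffs against upstream reviewable. The `{if not "without-nullok":nullok}` on `pam_unix.so` is unchanged, so empty local passwords stay accepted unless the profile is selected with `without-nullok`; for a custom hardening profile it is worth dropping the conditional and writing `auth sufficient pam_unix.so try_first_pass`. The top of the auth stack, including any `pam_faillock.so preauth` line, is above this hunk.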
|
||||
|
@ -20,8 +20,8 @@ auth required pam_deny.so
|
|||
account required pam_access.so {include if "with-pamaccess"}
|
||||
account required pam_faillock.so {include if "with-faillock"}
|
||||
account required pam_unix.so
|
||||
account sufficient pam_localuser.so
|
||||
account sufficient pam_succeed_if.so uid < 1000 quiet
|
||||
account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
|
||||
account sufficient pam_usertype.so issystem
|
||||
account [default=bad success=ok user_unknown=ignore] pam_sss.so
|
||||
account required pam_permit.so
|
||||
|
||||
|
|
|
@ -1,11 +1,3 @@
|
|||
******* **
|
||||
/**////** /** ** **
|
||||
/** /** ****** ***** /** ** //** **
|
||||
/******* **////** **///**/** ** //***
|
||||
/**///** /** /**/** // /**** /**
|
||||
/** //** /** /**/** **/**/** **
|
||||
/** //**//****** //***** /**//** **
|
||||
// // ////// ///// // // //
|
||||
This is a Rocky Linux system
|
||||
|
||||
All access is logged and monitored. Unauthorized access is prohibited.
|
||||
|
||||
|
|
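--- a/ansible/playbooks/files/etc/systemd/system/noggin.service
+++ b/ansible/playbooks/files/etc/systemd/system/noggin.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=noggin
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Environment=FLASK_APP=/opt/noggin/noggin/noggin/app.py
+Environment=NOGGIN_CONFIG_PATH=/opt/noggin/noggin.cfg
+Environment=FLASK_DEBUG=1
+User=noggin
+WorkingDirectory=/opt/noggin/noggin
+ExecStart=/bin/bash /opt/noggin/start_noggin.sh
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target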
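Review bot: `Environment=FLASK_DEBUG=1` in a unit that runs the identity-provider frontend as a long-lived service is a production risk: if `start_noggin.sh` launches the app through `flask run`, or the app honors the variable, debug mode enables the Werkzeug interactive debugger and auto-reloader, and the debugger exposes a code-execution console to anyone who can reach an error page. Unless it is needed, drop the line or set `Environment=FLASK_DEBUG=0`. The unit also has only `PrivateTmp=true` for sandboxing; `NoNewPrivileges=true` and `ProtectSystem=full` are cheap additions for a service whose code lives under `/opt/noggin`. What `start_noggin.sh` actually executes is not on this page.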
|
@ -32,3 +32,16 @@
|
|||
command: gitlab-ctl reconfigure
|
||||
register: gitlab_restart
|
||||
failed_when: gitlab_restart_handler_failed_when | bool
|
||||
|
||||
- name: restart_noggin
|
||||
service:
|
||||
name: noggin
|
||||
state: restarted
|
||||
|
||||
- name: rehash_postfix_sasl
|
||||
command: "postmap /etc/postfix/sasl_passwd"
|
||||
|
||||
- name: restart_postfix
|
||||
service:
|
||||
name: postfix
|
||||
state: restarted
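Review bot: `rehash_postfix_sasl` runs `postmap /etc/postfix/sasl_passwd`, which writes `/etc/postfix/sasl_passwd.db` with the relay credentials in a readable hash table, and the handler does nothing to constrain that file's mode; whether it ends up `0600` depends on postmap propagating the source file's permissions and on the task that templates `sasl_passwd` setting them, neither of which is visible here. A second handler that listens on the same topic and enforces the mode is a cheap guarantee, shown below. `changed_when` is not needed on a handler, so the `command` task is fine otherwise.
```yaml
# … unchanged: restart_noggin, rehash_postfix_sasl, restart_postfix …
- name: protect_postfix_sasl_db
  file:
    path: /etc/postfix/sasl_passwd.db
    mode: '0600'
    owner: root
    group: root
  listen: rehash_postfix_sasl
```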
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
hosts: "{{ host }}"
|
||||
become: true
|
||||
|
||||
handers:
|
||||
handlers:
|
||||
- import_tasks: handlers/main.yml
|
||||
|
||||
pre_tasks:
|
||||
|
|
|
@ -1,10 +1,15 @@
|
|||
---
|
||||
# Installs the mantis bug tracker
|
||||
- name: Configure MantisBT
|
||||
hosts: "{{ host }}"
|
||||
hosts: "bugtracker"
|
||||
become: true
|
||||
vars_files:
|
||||
- vars/common.yml
|
||||
- vars/vaults/encpass.yml
|
||||
- vars/vaults/mantis.yml
|
||||
- vars/mantis.yml
|
||||
|
||||
handers:
|
||||
handlers:
|
||||
- import_tasks: handlers/main.yml
|
||||
|
||||
pre_tasks:
|
||||
|
@ -20,11 +25,31 @@
|
|||
success_msg: "We are not able to run on this node"
|
||||
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||
|
||||
roles:
|
||||
- role: rockylinux.ipagetcert
|
||||
state: present
|
||||
|
||||
tasks:
|
||||
- name: Deploy Mantis
|
||||
import_tasks: tasks/mantis.yml
|
||||
|
||||
post_tasks:
|
||||
- name: Open firewalld ports
|
||||
ansible.posix.firewalld:
|
||||
service: "{{ item }}"
|
||||
permanent: true
|
||||
immediate: true
|
||||
state: enabled
|
||||
with_items:
|
||||
- http
|
||||
- https
|
||||
|
||||
- name: Ensure httpd is enabled and running
|
||||
service:
|
||||
name: httpd
|
||||
enabled: true
|
||||
state: started
|
||||
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
path: /var/log/ansible.run
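Review bot: The new firewalld task opens `http` as well as `https` permanently on the bug tracker; nothing on this page shows `mantis.conf.j2` redirecting port 80 to 443, so either add that redirect or a comment stating why plain HTTP stays reachable for a login-bearing application. The task also uses `with_items:` whereas the graylog play added in this commit uses `loop:`; `loop:` over the same two-item list keeps the repository consistent. The context line `success_msg: "We are not able to run on this node"` is the failure wording (graylog has the intended `"We are able to run on this node"`) and is worth fixing while here. The `pre_tasks` block starts above this hunk.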
|
||||
|
|
36
ansible/playbooks/init-rocky-builder-postfix.yml
Normal file
36
ansible/playbooks/init-rocky-builder-postfix.yml
Normal file
|
@ -0,0 +1,36 @@
|
|||
---
|
||||
# Configures postfix on buildsystems
|
||||
- name: Configure Buildsys Relay
|
||||
hosts: "buildsys"
|
||||
become: true
|
||||
vars_files:
|
||||
- vars/buildsys.yml
|
||||
|
||||
handlers:
|
||||
- import_tasks: handlers/main.yml
|
||||
|
||||
pre_tasks:
|
||||
- name: Check if ansible cannot be run here
|
||||
stat:
|
||||
path: /etc/no-ansible
|
||||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are not able to run on this node"
|
||||
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||
|
||||
tasks:
|
||||
- name: Deploy Postfix Relay
|
||||
import_tasks: tasks/postfix_relay.yml
|
||||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
owner: root
|
||||
group: root
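Review bot: The play loads only `vars/buildsys.yml` and no vault, yet `tasks/postfix_relay.yml` presumably renders `templates/etc/postfix/sasl_passwd.j2`, which needs the relay username and password; either those sit in plaintext in `vars/buildsys.yml` or the task file loads a vault on its own — neither is visible here, and the play should say which, e.g. add the relevant `- vars/vaults/<relay-vault>.yml` (placeholder) under `vars_files:` with a comment. The `assert` in `pre_tasks` has `success_msg: "We are not able to run on this node"`, which is the failure wording; `"We are able to run on this node"` (as in `role-rocky-graylog.yml`) is the intended text, and the same inverted message is copied into `init-rocky-koji-ecosystem.yml`, `init-rocky-noggin-theme.yml`, `init-rocky-noggin.yml`, `init-rocky-repo-servers.yml` and the mantis hunk above.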
|
34
ansible/playbooks/init-rocky-koji-ecosystem.yml
Normal file
34
ansible/playbooks/init-rocky-koji-ecosystem.yml
Normal file
|
@ -0,0 +1,34 @@
|
|||
---
|
||||
# Configures the koji ecosystem
|
||||
- name: Configure Koji
|
||||
hosts: "kojihub"
|
||||
become: true
|
||||
|
||||
handlers:
|
||||
- import_tasks: handlers/main.yml
|
||||
|
||||
pre_tasks:
|
||||
- name: Check if ansible cannot be run here
|
||||
stat:
|
||||
path: /etc/no-ansible
|
||||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are not able to run on this node"
|
||||
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||
|
||||
tasks:
|
||||
- name: Build out relevant accounts and components
|
||||
import_tasks: tasks/init-koji.yml
|
||||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
owner: root
|
||||
group: root
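Review bot: `import_tasks: tasks/init-koji.yml` refers to a file that does not appear in the `playbooks/tasks` listing the README gains in this same commit (only `koji_efs.yml` is koji-related there), so unless it was added outside this merge the play fails at parse time. The play also declares no `vars_files`, while the README tree shows `vars/kojihub.yml` and `vars/koji-common.yml`; if `init-koji.yml` creates koji accounts, a comment should say where their credentials come from. Everything else mirrors the other `init-rocky-*` plays added here.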
|
40
ansible/playbooks/init-rocky-noggin-theme.yml
Normal file
40
ansible/playbooks/init-rocky-noggin-theme.yml
Normal file
|
@ -0,0 +1,40 @@
|
|||
---
|
||||
# (Re)deploys the noggin theme
|
||||
- name: Deploy Noggin Theme
|
||||
hosts: "idp"
|
||||
become: true
|
||||
|
||||
handlers:
|
||||
- import_tasks: handlers/main.yml
|
||||
|
||||
pre_tasks:
|
||||
- name: Check if ansible cannot be run here
|
||||
stat:
|
||||
path: /etc/no-ansible
|
||||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are not able to run on this node"
|
||||
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||
|
||||
tasks:
|
||||
- name: Deploy Rocky Noggin Theme
|
||||
git:
|
||||
repo: https://github.com/rocky-linux/noggin-theme.git
|
||||
dest: /opt/noggin/noggin/noggin/themes/rocky
|
||||
update: true
|
||||
version: main
|
||||
become_user: noggin
|
||||
notify: restart_noggin
|
||||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
owner: root
|
||||
group: root
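Review bot: The theme is checked out with `version: main` and `update: true`, so every run pulls whatever is currently on the GitHub branch straight into the identity provider's template directory, and a force-push or a compromised upstream account lands on `idp` at the next run with no review step. Pin to a reviewed tag or commit, `version: "<tag-or-commit>"` (placeholder), and bump it deliberately; if tracking `main` is intended for staging, a comment saying so and an explicit pin for production would keep the two apart. Running the checkout as `become_user: noggin` is right; the `restart_noggin` handler it notifies lives in `handlers/main.yml`.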
|
34
ansible/playbooks/init-rocky-noggin.yml
Normal file
34
ansible/playbooks/init-rocky-noggin.yml
Normal file
|
@ -0,0 +1,34 @@
|
|||
---
|
||||
# (Re)deploys the noggin theme
|
||||
- name: Deploy Noggin
|
||||
hosts: "idp"
|
||||
become: true
|
||||
|
||||
handlers:
|
||||
- import_tasks: handlers/main.yml
|
||||
|
||||
pre_tasks:
|
||||
- name: Check if ansible cannot be run here
|
||||
stat:
|
||||
path: /etc/no-ansible
|
||||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are not able to run on this node"
|
||||
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||
|
||||
tasks:
|
||||
- name: Deploy Noggin
|
||||
import_tasks: "tasks/noggin.yml"
|
||||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
owner: root
|
||||
group: root
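Review bot: The header comment `# (Re)deploys the noggin theme` is copied from `init-rocky-noggin-theme.yml`; this play imports `tasks/noggin.yml` and deploys noggin itself, so `# Deploys (or redeploys) noggin` is the accurate line. `tasks/noggin.yml` is not in the `playbooks/tasks` tree the README adds in this commit, so either it lands separately or the import fails at parse time. The play declares no `vars_files`, so whatever `tasks/noggin.yml` needs to render `noggin.cfg` (the README shows `templates/hidden/home/noggin/noggin.cfg`) must come from inventory or from the task file; a comment naming the source would help.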
|
34
ansible/playbooks/init-rocky-repo-servers.yml
Normal file
34
ansible/playbooks/init-rocky-repo-servers.yml
Normal file
|
@ -0,0 +1,34 @@
|
|||
---
|
||||
# Preps a system to be a repository
|
||||
- name: Configure repository system
|
||||
hosts: "{{ host }}"
|
||||
become: true
|
||||
|
||||
handlers:
|
||||
- import_tasks: handers/main.yml
|
||||
|
||||
pre_tasks:
|
||||
- name: Check if ansible cannot be run here
|
||||
stat:
|
||||
path: /etc/no-ansible
|
||||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are not able to run on this node"
|
||||
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||
|
||||
tasks:
|
||||
- name: Configure repository system
|
||||
import_tasks: tasks/repository.yml
|
||||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
owner: root
|
||||
group: root
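Review bot: `- import_tasks: handers/main.yml` carries the same `handers` typo that this commit fixes in `init-rocky-bugzilla.yml` and `init-rocky-mantis.yml` (there it was the `handlers:` key, here it is the path), so the play fails when Ansible tries to import the handlers file; the line should be `- import_tasks: handlers/main.yml`. `tasks/repository.yml` is also absent from the `playbooks/tasks` listing the README gains in this commit, so that import presumably fails too until the file is added. `hosts: "{{ host }}"` is the right scoping for a repo-server play, but the header comment should say the play needs `--extra-vars="host=..."`, as `init-rocky-system-config.yml` does.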
|
|
@ -1,7 +1,10 @@
|
|||
---
|
||||
# Basic system configuration. All hardening should also be imported here.
|
||||
# Use --extra-vars="host=..." and specify a hostname in the inventory or
|
||||
# provide an ansible host group name. You can also just use "all" if you
|
||||
# want to ensure all systems are up to date on the configuration.
|
||||
- name: Configure system
|
||||
hosts: all
|
||||
hosts: "{{ host }}"
|
||||
become: true
|
||||
|
||||
# This is to try to avoid the handler issue in pre/post tasks
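Review bot: Switching `hosts: all` to `hosts: "{{ host }}"` means a run with no `host` extra-var now stops with an undefined-variable error instead of touching every system, which is the safer failure, but the README's "Initializing the environment" list added in this commit still shows `init-rocky-system-config.yml` with no mention of the required `host=` argument. Either add `--extra-vars="host=all"` to that README line or reference this header comment from the README. The play's `handlers` and `pre_tasks` continue below the hunk.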
|
||||
|
|
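--- a/ansible/playbooks/role-rocky-graylog.yml
+++ b/ansible/playbooks/role-rocky-graylog.yml
@@ -0,0 +1,65 @@
+---
+# Configure and setup graylog
+# Reccommended specs
+# CPU: 2 cores
+# Memory: 4GB
+# Storage: Yes
+- name: Install Graylog
+  hosts: graylogservers
+  become: true
+  vars_files:
+    - vars/vaults/encpass.yml
+    - vars/graylog.yml
+    - vars/vaults/hostman.yml
+
+  # This is to try to avoid the handler issue in pre/post tasks
+  handlers:
+    - import_tasks: handlers/main.yml
+
+  pre_tasks:
+    - name: Check if ansible cannot be run here
+      stat:
+        path: /etc/no-ansible
+      register: no_ansible
+
+    - name: Verify if we can run ansible
+      assert:
+        that:
+          - "not no_ansible.stat.exists"
+        success_msg: "We are able to run on this node"
+        fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+    - name: Install SELinux packages
+      package:
+        name: python3-policycoreutils.noarch
+        state: present
+
+    - name: "Creating DNS Record for ord-prod-graylog.rockylinux.org"
+      freeipa.ansible_freeipa.ipadnsrecord:
+        ipaadmin_principal: "{{ ipa_admin|default('admin') }}"
+        ipaadmin_password: "{{ ipaadmin_password }}"
+        zone_name: "{{ graylog_ipa_dnsrecord_zone_name }}"
+        name: "{{ graylog_ipa_dnsrecord_name }}"
+        record_type: "{{ graylog_ipa_dnsrecord_record_type }}"
+        record_value: "{{ graylog_ipa_dnsrecord_record_value }}"
+        state: "{{ graylog_ipa_dnsrecord_state }}"
+
+  roles:
+    - role: rockylinux.ipagetcert
+      state: present
+
+  post_tasks:
+    - name: Open firewalld ports
+      ansible.posix.firewalld:
+        port: "{{ item.port }}"
+        permanent: "{{ item.permanent }}"
+        state: "{{ item.state }}"
+      loop: "{{ graylog_server_firewall_rules }}"
+
+    - name: Touching run file that ansible has ran here
+      file:
+        path: /var/log/ansible.run
+        state: touch
+        mode: '0644'
+        owner: root
+        group: root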
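Review bot: The `Open firewalld ports` task sets `permanent` from the loop item but never passes `immediate`, so a permanent rule is written without being applied to the running firewall until the next reload; the wikijs playbook in this commit passes `immediate: yes`, and this task should carry `immediate: true` as well. The DNS task name hardcodes `ord-prod-graylog.rockylinux.org` while every value comes from `graylog_ipa_dnsrecord_*` variables, so the name stops being true as soon as the variables change; `name: "Creating DNS Record for {{ graylog_ipa_dnsrecord_name }}.{{ graylog_ipa_dnsrecord_zone_name }}"` keeps them in step. `# Reccommended specs` is misspelled.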
@ -39,17 +39,6 @@
notify:
- reload_networkmanager
- name: Ensure resolv.conf is pointing to main master
template:
src: etc/resolv.conf.j2
dest: /etc/resolv.conf
owner: root
group: root
mode: '0644'
backup: true
notify:
- reload_networkmanager
roles:
- role: freeipa.ansible_freeipa.ipareplica
state: present
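--- a/ansible/playbooks/role-rocky-kojid-staging.yml
+++ b/ansible/playbooks/role-rocky-kojid-staging.yml
@@ -0,0 +1,90 @@
+---
+# Stands up an ipsilon instance for simple SSO
+- name: Configure koji hub and web server
+  hosts: kojihub
+  become: true
+  vars_files:
+    - vars/vaults/encpass.yml
+    - vars/common.yml
+    - vars/staging/kojid.yml
+    - vars/staging/koji-common.yml
+
+  # This is to try to avoid the handler issue in pre/post tasks
+  handlers:
+    - import_tasks: handlers/main.yml
+
+  pre_tasks:
+    - name: Check if ansible cannot be run here
+      stat:
+        path: /etc/no-ansible
+      register: no_ansible
+
+    - name: Verify if we can run ansible
+      assert:
+        that:
+          - "not no_ansible.stat.exists"
+        success_msg: "We are able to run on this node"
+        fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+    - name: Check for keytabs - kojid
+      stat:
+        path: /etc/kojid.keytab
+      register: kojid_keytab_check
+      changed_when: "1 != 1"
+
+    - name: Verify keytab
+      assert:
+        that:
+          - "kojid_keytab_check.stat.exists"
+        success_msg: "It is likely we have all keytabs"
+        fail_msg: "There are no keytabs. Please build the keytabs."
+
+    # EPEL and PowerTools are required for ipsilon to function
+    # I also couldn't find an ansible built-in to do this
+    - name: Enable the PowerTools repository
+      ini_file:
+        dest: /etc/yum.repos.d/CentOS-Linux-PowerTools.repo
+        section: powertools
+        option: enabled
+        value: 1
+        owner: root
+        group: root
+        mode: '0644'
+
+    # The CentOS extras repos has epel-release provided
+    - name: Enable the EPEL repository
+      yum:
+        name: epel-release
+        state: present
+      tags:
+        - packages
+
+    - name: Install rocky-tools copr
+      yum_repository:
+        name: copr:copr.fedorainfracloud.org:nalika:rockylinux-tool
+        description: Copr repo for rockylinux-tools owned by nalika
+        file: copr_repos
+        baseurl: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/epel-8-$basearch/
+        gpgcheck: true
+        gpgkey: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/pubkey.gpg
+        enabled: true
+
+  # Right now, we are not sure how or where we'll get our certificates. So we
+  # are presenting a choice by setting a variable, koji_internal_ca. There is a
+  # change that we will have to do internal certs for mqtt anyway.
+  # TODO: We need an MQTT role and pre_tasks for the keytabs for this role
+  roles:
+    - role: rockylinux.kojid
+      state: present
+
+  post_tasks:
+    - name: "Setup shared filesystem mount"
+      import_tasks: tasks/koji_efs.yml
+
+    - name: Touching run file that ansible has ran here
+      file:
+        path: /var/log/ansible.run
+        state: touch
+        mode: '0644'
+        owner: root
+        group: root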
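Review bot: The header comment `# Stands up an ipsilon instance for simple SSO` and the `# EPEL and PowerTools are required for ipsilon to function` comment describe a different playbook; this one applies `rockylinux.kojid`, and the same copied comments appear in role-rocky-kojihub-staging.yml, role-rocky-sigul-bridge.yml and role-rocky-sigul-server.yml. The play name `Configure koji hub and web server` on `hosts: kojihub` also reads as copied from the kojihub playbook; if this file is meant for builders it should target the builder group, which I cannot confirm from here. The copr repo id `name: copr:copr.fedorainfracloud.org:nalika:rockylinux-tool` drops the trailing `s` of the `rockylinux-tools` project used in `baseurl` and `gpgkey` (same in the other three files); correcting it later will leave a second, differently named entry in copr_repos, so it is worth aligning before first deployment. Keeping `gpgcheck: true` on a third-party copr feeding build infrastructure is the right call and should stay.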
@ -5,7 +5,9 @@
become: true
vars_files:
- vars/vaults/encpass.yml
- vars/kojid.yml
- vars/common.yml
- vars/production/kojid.yml
- vars/production/koji-common.yml
# This is to try to avoid the handler issue in pre/post tasks
handlers:
@ -27,13 +29,13 @@
- name: Check for keytabs - kojid
stat:
path: /etc/kojid.keytab
register: kojid_keytab
register: kojid_keytab_check
changed_when: "1 != 1"
- name: Verify keytab
assert:
that:
- "kojid_keytab.stat.exists"
- "kojid_keytab_check.stat.exists"
success_msg: "It is likely we have all keytabs"
fail_msg: "There are no keytabs. Please build the keytabs."
@ -76,6 +78,9 @@
state: present
post_tasks:
- name: "Setup shared filesystem mount"
import_tasks: tasks/koji_efs.yml
- name: Touching run file that ansible has ran here
file:
path: /var/log/ansible.run
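--- a/ansible/playbooks/role-rocky-kojihub-staging.yml
+++ b/ansible/playbooks/role-rocky-kojihub-staging.yml
@@ -0,0 +1,123 @@
+---
+# Stands up an ipsilon instance for simple SSO
+- name: Configure koji hub and web server
+  hosts: kojihub
+  become: true
+  vars_files:
+    - vars/vaults/encpass.yml
+    - vars/common.yml
+    - vars/staging/kojihub.yml
+    - vars/staging/koji-common.yml
+
+  # This is to try to avoid the handler issue in pre/post tasks
+  handlers:
+    - import_tasks: handlers/main.yml
+
+  pre_tasks:
+    - name: Check if ansible cannot be run here
+      stat:
+        path: /etc/no-ansible
+      register: no_ansible
+
+    - name: Verify if we can run ansible
+      assert:
+        that:
+          - "not no_ansible.stat.exists"
+        success_msg: "We are able to run on this node"
+        fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+    - name: Check for keytabs - web
+      stat:
+        path: /etc/keytabs/koji-web.keytab
+      register: koji_keytab
+      changed_when: "1 != 1"
+
+    - name: Check for keytabs - kojira
+      stat:
+        path: /etc/keytabs/kojira.keytab
+      register: kojira_keytab
+      changed_when: "1 != 1"
+
+    - name: Check for keytabs - gc
+      stat:
+        path: /etc/keytabs/koji-gc.keytab
+      register: gc_keytab
+      changed_when: "1 != 1"
+
+    - name: Check for keytabs - host
+      stat:
+        path: /etc/keytabs/host.keytab
+      register: host_keytab
+      changed_when: "1 != 1"
+
+    - name: Verify keytab
+      assert:
+        that:
+          - "koji_keytab.stat.exists"
+          - "kojira_keytab.stat.exists"
+          - "gc_keytab.stat.exists"
+          - "host_keytab.stat.exists"
+        success_msg: "It is likely we have all keytabs"
+        fail_msg: "There are no keytabs. Please build the keytabs."
+
+    # EPEL and PowerTools are required for ipsilon to function
+    # I also couldn't find an ansible built-in to do this
+    - name: Enable the PowerTools repository
+      ini_file:
+        dest: /etc/yum.repos.d/CentOS-Linux-PowerTools.repo
+        section: powertools
+        option: enabled
+        value: 1
+        owner: root
+        group: root
+        mode: '0644'
+
+    # The CentOS extras repos has epel-release provided
+    - name: Enable the EPEL repository
+      yum:
+        name: epel-release
+        state: present
+      tags:
+        - packages
+
+    - name: Install rocky-tools copr
+      yum_repository:
+        name: copr:copr.fedorainfracloud.org:nalika:rockylinux-tool
+        description: Copr repo for rockylinux-tools owned by nalika
+        file: copr_repos
+        baseurl: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/epel-8-$basearch/
+        gpgcheck: true
+        gpgkey: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/pubkey.gpg
+        enabled: true
+
+  # Right now, we are not sure how or where we'll get our certificates. So we
+  # are presenting a choice by setting a variable, koji_internal_ca. There is a
+  # change that we will have to do internal certs for mqtt anyway.
+  # TODO: We need an MQTT role and pre_tasks for the keytabs for this role
+  roles:
+    - role: geerlingguy.certbot
+      state: present
+      when: not koji_internal_ca
+
+    - role: rockylinux.ipagetcert
+      state: present
+      when: koji_internal_ca
+
+    - role: geerlingguy.postgresql
+      state: present
+      when: koji_postgresql_vm
+
+    - role: rockylinux.kojihub
+      state: present
+
+  post_tasks:
+    - name: "Setup shared filesystem mount"
+      import_tasks: tasks/koji_efs.yml
+
+    - name: Touching run file that ansible has ran here
+      file:
+        path: /var/log/ansible.run
+        state: touch
+        mode: '0644'
+        owner: root
+        group: root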
@ -5,7 +5,9 @@
become: true
vars_files:
- vars/vaults/encpass.yml
- vars/kojihub.yml
- vars/common.yml
- vars/production/kojihub.yml
- vars/production/koji-common.yml
# This is to try to avoid the handler issue in pre/post tasks
handlers:
@ -109,6 +111,9 @@
state: present
post_tasks:
- name: "Setup shared filesystem mount"
import_tasks: tasks/koji_efs.yml
- name: Touching run file that ansible has ran here
file:
path: /var/log/ansible.run
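--- a/ansible/playbooks/role-rocky-node_exporter.yml
+++ b/ansible/playbooks/role-rocky-node_exporter.yml
@@ -0,0 +1,21 @@
+---
+- name: Install Prometheus Node Exporter
+  hosts: all
+  become: true
+
+  pre_tasks:
+    - name: Install SELinux packages
+      package:
+        name: python3-policycoreutils.noarch
+        state: present
+
+  roles:
+    - role: cloudalchemy.node-exporter
+      state: present
+
+  post_tasks:
+    - name: Open firewall for node-exporter
+      ansible.posix.firewalld:
+        port: 9100/tcp
+        permanent: true
+        state: enabled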
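Review bot: The post task opens `port: 9100/tcp` permanently on every host (`hosts: all`) with no source restriction and without `immediate: true`, so the metrics endpoint becomes reachable from any network the host accepts connections from once the firewall is reloaded, and is not reachable at all before that. If the Prometheus scraper has a known address, a firewalld rich rule or a dedicated zone limited to that source is the safer shape; at minimum add `immediate: true` so the runtime and permanent configurations agree, as the wikijs playbook in this commit does. This playbook also lacks the `/etc/no-ansible` guard and the `/var/log/ansible.run` touch that every other playbook in the commit carries, so a host that has opted out will still be modified.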
@ -54,7 +54,7 @@
# rocky-release-rabbitmq repo
- name: Install centos rabbitmq
yum:
name: centos-release-rabbitmq
name: centos-release-rabbitmq-38
state: present
tags:
- packages
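--- a/ansible/playbooks/role-rocky-sigul-bridge.yml
+++ b/ansible/playbooks/role-rocky-sigul-bridge.yml
@@ -0,0 +1,91 @@
+---
+# Stands up an ipsilon instance for simple SSO
+- name: Configure Sigul Bridge
+  hosts: sigulbridge
+  become: true
+  vars_files:
+    - vars/vaults/encpass.yml
+    - vars/common.yml
+    - vars/sigul_bridge.yml
+
+  # This is to try to avoid the handler issue in pre/post tasks
+  handlers:
+    - import_tasks: handlers/main.yml
+
+  pre_tasks:
+    - name: Check if ansible cannot be run here
+      stat:
+        path: /etc/no-ansible
+      register: no_ansible
+
+    - name: Verify if we can run ansible
+      assert:
+        that:
+          - "not no_ansible.stat.exists"
+        success_msg: "We are able to run on this node"
+        fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+    - name: Check for keytabs - sigul
+      stat:
+        path: /etc/sigul.keytab
+      register: sigul_keytab_register
+      changed_when: "1 != 1"
+
+    - name: Verify keytab
+      assert:
+        that:
+          - "sigul_keytab_register.stat.exists"
+        success_msg: "It is likely we have all keytabs"
+        fail_msg: "There are no keytabs. Please build the keytabs."
+
+    # EPEL and PowerTools are required for ipsilon to function
+    # I also couldn't find an ansible built-in to do this
+    - name: Enable the PowerTools repository
+      ini_file:
+        dest: /etc/yum.repos.d/CentOS-Linux-PowerTools.repo
+        section: powertools
+        option: enabled
+        value: 1
+        owner: root
+        group: root
+        mode: '0644'
+
+    # The CentOS extras repos has epel-release provided
+    - name: Enable the EPEL repository
+      yum:
+        name: epel-release
+        state: present
+      tags:
+        - packages
+
+    - name: Install rocky-tools copr
+      yum_repository:
+        name: copr:copr.fedorainfracloud.org:nalika:rockylinux-tool
+        description: Copr repo for rockylinux-tools owned by nalika
+        file: copr_repos
+        baseurl: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/epel-8-$basearch/
+        gpgcheck: true
+        gpgkey: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/pubkey.gpg
+        enabled: true
+
+  roles:
+    - role: rockylinux.sigul
+      state: present
+
+    - role: rockylinux.ipagetcert
+      state: present
+
+  post_tasks:
+    - name: Enable the sigul bridge
+      systemd:
+        name: sigul_bridge
+        state: restarted
+        enabled: true
+
+    - name: Touching run file that ansible has ran here
+      file:
+        path: /var/log/ansible.run
+        state: touch
+        mode: '0644'
+        owner: root
+        group: root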
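Review bot: The post task `Enable the sigul bridge` uses `state: restarted`, which bounces the signing bridge on every playbook run whether or not anything changed; `state: started` here, with a restart handler notified by the role's configuration tasks, keeps the run idempotent and avoids interrupting in-flight signing requests. role-rocky-sigul-server.yml has the same `state: restarted` on `sigul_server` and the same fix applies. `rockylinux.ipagetcert` runs after `rockylinux.sigul` in the roles list; if the bridge's TLS certificate is expected to exist when the sigul role writes its configuration (not visible here), the two roles should be swapped.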
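--- a/ansible/playbooks/role-rocky-sigul-server.yml
+++ b/ansible/playbooks/role-rocky-sigul-server.yml
@@ -0,0 +1,78 @@
+---
+# Stands up an ipsilon instance for simple SSO
+- name: Configure Sigul Server
+  hosts: sigulserver
+  become: true
+  vars_files:
+    - vars/vaults/encpass.yml
+    - vars/common.yml
+    - vars/sigul_server.yml
+
+  # This is to try to avoid the handler issue in pre/post tasks
+  handlers:
+    - import_tasks: handlers/main.yml
+
+  pre_tasks:
+    - name: Check if ansible cannot be run here
+      stat:
+        path: /etc/no-ansible
+      register: no_ansible
+
+    - name: Verify if we can run ansible
+      assert:
+        that:
+          - "not no_ansible.stat.exists"
+        success_msg: "We are able to run on this node"
+        fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+    # EPEL and PowerTools are required for ipsilon to function
+    # I also couldn't find an ansible built-in to do this
+    - name: Enable the PowerTools repository
+      ini_file:
+        dest: /etc/yum.repos.d/CentOS-Linux-PowerTools.repo
+        section: powertools
+        option: enabled
+        value: 1
+        owner: root
+        group: root
+        mode: '0644'
+
+    # The CentOS extras repos has epel-release provided
+    - name: Enable the EPEL repository
+      yum:
+        name: epel-release
+        state: present
+      tags:
+        - packages
+
+    - name: Install rocky-tools copr
+      yum_repository:
+        name: copr:copr.fedorainfracloud.org:nalika:rockylinux-tool
+        description: Copr repo for rockylinux-tools owned by nalika
+        file: copr_repos
+        baseurl: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/epel-8-$basearch/
+        gpgcheck: true
+        gpgkey: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/pubkey.gpg
+        enabled: true
+
+  roles:
+    - role: rockylinux.sigul
+      state: present
+
+    - role: rockylinux.ipagetcert
+      state: present
+
+  post_tasks:
+    - name: Enable the sigul server
+      systemd:
+        name: sigul_server
+        state: restarted
+        enabled: true
+
+    - name: Touching run file that ansible has ran here
+      file:
+        path: /var/log/ansible.run
+        state: touch
+        mode: '0644'
+        owner: root
+        group: root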
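--- a/ansible/playbooks/role-rocky-wikijs.yml
+++ b/ansible/playbooks/role-rocky-wikijs.yml
@@ -0,0 +1,69 @@
+---
+# WikiJS
+- name: Install and manage Wikijs
+  hosts: wiki
+  become: false
+  vars_files:
+    - vars/vaults/hostman.yml
+    - vars/vaults/wikijs.yml
+    - vars/wikijs.yml
+
+  # This is to try to avoid the handler issue in pre/post tasks
+  handlers:
+    - import_tasks: handlers/main.yml
+
+  pre_tasks:
+    - name: Check if ansible cannot be run here
+      stat:
+        path: /etc/no-ansible
+      register: no_ansible
+
+    - name: Verify if we can run ansible
+      assert:
+        that:
+          - "not no_ansible.stat.exists"
+        success_msg: "We are able to run on this node"
+        fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+    - name: Install SELinux packages
+      become: true
+      package:
+        name: python3-policycoreutils.noarch
+        state: present
+
+  roles:
+    - role: rockylinux.ipagetcert
+      become: true
+      state: present
+      tags: ['certs']
+
+    - role: rockylinux.wikijs
+      tags: ['wikijs']
+      become: true
+
+    # Define variables in vars/wikijs.yml
+    - role: nginxinc.nginx_core.nginx
+      tags: ['nginx']
+      become: true
+    - role: nginxinc.nginx_core.nginx_config
+      tags: ['nginx']
+      become: true
+
+  post_tasks:
+    - name: Open firewalld ports
+      become: true
+      ansible.posix.firewalld:
+        port: "{{ item.port }}"
+        permanent: "{{ item.permanent }}"
+        state: "{{ item.state }}"
+        immediate: yes
+      loop: "{{ firewall_rules }}"
+
+    - name: Touching run file that ansible has ran here
+      become: true
+      file:
+        path: /var/log/ansible.run
+        state: touch
+        mode: '0644'
+        owner: root
+        group: root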
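Review bot: `immediate: yes` in the `Open firewalld ports` task is a YAML 1.1 truthy spelling while the rest of this file uses `true`/`false`; write `immediate: true` so yamllint and YAML 1.2 parsers agree with the author's intent. The loop variable `firewall_rules` is generic where the graylog playbook in this commit uses `graylog_server_firewall_rules`; if a wiki host ever lands in another group that defines `firewall_rules`, that group's ports get opened here, so a `wikijs_firewall_rules` name would be safer (I cannot see vars/wikijs.yml to confirm where it is defined). Running the play with `become: false` and escalating per task is a good least-privilege shape and worth keeping.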
@ -1,2 +1,26 @@
---
# Account Services
- name: Install packages
package:
name:
- httpd
- mod_ssl
- python3
- python3-setuptools
- python3-kdcproxy
state: present
- name: Deploy relevant httpd configuration
template:
src: "etc/httpd/conf.d/id.conf.j2"
dest: "/etc/httpd/conf.d/id.conf"
owner: root
group: root
mode: '0644'
notify: restart_httpd
- name: Enable and start
systemd:
name: httpd
state: running
enabled: true
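Review bot: `state: running` in the `Enable and start` systemd task is not an accepted value for the systemd module's `state` (started, stopped, restarted, reloaded), so the task fails on the first run; use `state: started`. A restart on configuration change is already covered by the `notify: restart_httpd` on the `Deploy relevant httpd configuration` task, so nothing stronger than `started` is needed here. The file header for this hunk is not shown in the rendered page, so I cannot name the task file.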
@ -35,18 +35,18 @@
- name: Override system-auth and password-auth
copy:
src: "etc/authselect/custom/sssd-aoc/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth"
src: "etc/authselect/custom/sssd-rocky/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth"
dest: "{{ item }}"
owner: root
group: root
mode: '0644'
loop:
- /etc/authselect/custom/sssd-aoc/system-auth
- /etc/authselect/custom/sssd-aoc/password-auth
- /etc/authselect/custom/sssd-rocky/system-auth
- /etc/authselect/custom/sssd-rocky/password-auth
- name: Select New Profile
command: >
/usr/bin/authselect select custom/sssd-aoc
/usr/bin/authselect select custom/sssd-rocky
without-nullok
with-faillock
with-mkhomedir
@ -50,6 +50,10 @@
group: root
state: link
- name: Symlink the hash
command: "openssl rehash /etc/gitlab/trusted-certs"
changed_when: "1 != 1"
- name: Turn on necessary SELinux booleans
ansible.posix.seboolean:
name: "{{ item }}"
@ -1,54 +1,4 @@
---
- name: Reset grub link if we are EFI
set_fact:
grub_config_path_link: "{{ grub_config_path_efi }}"
when:
- efi_installed.stat.isdir is defined
- efi_installed.stat.isdir
- grub_config_path_efi is defined
tags:
- efi
- name: Create grub.d directory
file:
name: /etc/default/grub.d
owner: root
group: root
mode: '0755'
state: directory
recurse: true
tags:
- grub
- kernel
- harden
- name: Append /etc/default/grub file
lineinfile:
path: /etc/default/grub
line: for x in $(ls /etc/default/grub.d) ; do source /etc/default/grub.d/$x ; done
state: present
tags:
- grub
- kernel
- harden
- name: Command line defaults
copy:
dest: "/etc/default/grub.d/99-rocky.cfg"
owner: root
group: root
mode: '0644'
content: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT {{ grub_boot_options }}"'
tags:
- grub
- kernel
- harden
- name: Rebuild grub
command: "/usr/sbin/grub2-mkconfig -o {{ grub_config_path_link }}"
register: grub_command_result
changed_when: "grub_command_result.rc == 0"
tags:
- grub
- kernel
- harden
- name: Add kernel boot options to all kernels and default config
command: /usr/sbin/grubby --update-kernel=ALL --args "{{ grub_boot_options }}"
changed_when: "1 != 1"
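Review bot: The replacement task `Add kernel boot options to all kernels and default config` carries no `tags`, while the tasks it replaces were tagged `grub`, `kernel` and `harden`; a run limited with `--tags harden` will now skip applying `grub_boot_options` entirely, so restore `tags: [grub, kernel, harden]` on the new task. `changed_when: "1 != 1"` also reports the grubby call as unchanged on every run even though it rewrites boot configuration; `changed_when: false` is the idiomatic spelling if that is intended, and registering the result and comparing the kernel arguments before and after would report honestly. The file header for this hunk is not shown in the rendered page.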
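--- a/ansible/playbooks/tasks/init-koji.yml
+++ b/ansible/playbooks/tasks/init-koji.yml
@@ -0,0 +1,62 @@
+---
+# Init koji
+- name: kinit as koji admin using password
+  shell: "set -o pipefail && echo \"{{ rockykoji_password }}\" | kinit rockykoji@ROCKYLINUX.ORG"
+  check_mode: false
+  changed_when: "1 != 1"
+  become: yes
+  become_user: koji
+  when: rockykoji_has_password | bool
+
+- name: kinit as koji admin using keytab
+  shell: "set -o pipefail && kinit -kt /home/koji/.koji/keytab koji/rockykoji@ROCKYLINUX.ORG"
+  check_mode: false
+  changed_when: "1 != 1"
+  become: yes
+  become_user: koji
+  when: not rockykoji_has_password | bool
+
+- name: Import current necessary tags
+  shell: "set -o pipefail && koji add-tag {{ item }}"
+  changed_when: "1 != 1"
+  become: yes
+  become_user: koji
+  loop:
+    - build-modules
+    - dist-rocky8
+    - dist-rocky8-build
+    - dist-rocky8-compose
+    - dist-rocky8-extras
+    - dist-rocky8-gcc-toolset-9-build
+    - dist-rocky8-modular-buildrequires
+    - dist-rocky8-module-compose
+    - dist-rocky8-plus
+    - dist-rocky8-rust-bootstrap
+    - dist-rocky8-rust-bootstrap-build
+    - dist-rocky8-updates
+    - dist-rocky8-updates-build
+    - dist-rocky8_0-updates-build
+    - dist-rocky8_1-gcc-toolset-9-build
+    - dist-rocky8_1-updates-build
+    - dist-rocky8_2-updates-build
+    - dist-rocky8_3-updates-build
+    - dist-rocky8_4-updates-build
+    - dist-rocky9
+    - el8
+    - el8_0
+    - el8_1
+    - el8_2
+    - el8_3
+    - el8_4
+    - el8_infra
+    - el9
+    - el9_infra
+    - eln
+    - modular-updates-candidate
+    - module-rocky-8.0.0-build
+    - module-rocky-8.1.0-build
+    - module-rocky-8.2.0-build
+    - module-rocky-8.3.0-build
+    - module-rocky-8.4.0-build
+    - trash
+    - trashcan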
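--- a/ansible/playbooks/tasks/koji_efs.yml
+++ b/ansible/playbooks/tasks/koji_efs.yml
@@ -0,0 +1,35 @@
+---
+# Sets up the EFS mount for /mnt/koji {{ koji_efs_mount_path }}
+# Requires amazon-efs-utils; included
+#
+- name: Installing amazon-efs-utils
+  yum:
+    name: amazon-efs-utils
+    state: present
+  tags:
+    - amazon_efs_utils
+    - packages
+
+- name: "Gathering ec2 facts"
+  amazon.aws.ec2_metadata_facts:
+  tags:
+    - mounts
+
+# "you can use /etc/hosts" https://github.com/aws/efs-utils/issues/1
+- name: "Install custom hosts file because ~~fml~~ amazon said so."
+  ansible.builtin.lineinfile:
+    path: /etc/hosts
+    line: "{{ koji_efs_fs_ip_map[ansible_ec2_placement_availability_zone] }} {{ koji_efs_fsid }}"
+    create: yes
+  tags:
+    - mounts
+
+- name: "Creating and mounting {{ koji_efs_fsid }} at {{ koji_efs_mount_path }}"
+  ansible.posix.mount:
+    path: "{{ koji_efs_mount_path }}"
+    src: "{{ koji_efs_fsid }}:/"
+    fstype: "{{ koji_efs_fs_type }}"
+    opts: "{{ koji_efs_fs_opts | join(',') }}"
+    state: "{{ koji_efs_fs_state | default('mounted') }}"
+  tags:
+    - mounts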
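Review bot: The `/etc/hosts` task gives lineinfile a `line:` but no `regexp:`, so when the EFS address for an availability zone changes the old mapping stays in the file next to the new one and whichever entry the resolver reads first wins; anchor the edit with `regexp: '\s{{ koji_efs_fsid }}$'` so the existing entry is replaced in place. `create: yes` should be `create: true`. `koji_efs_fs_ip_map[ansible_ec2_placement_availability_zone]` raises an undefined-variable error for a zone missing from the map, which is arguably the right failure but deserves a one-line comment above the task so the error is understood when it fires.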
@ -1,7 +1,7 @@
---
# Configure mantis
- name: Configure SELinux booleans
seboolean:
ansible.posix.seboolean:
name: "{{ item }}"
persistent: true
state: true
@ -14,15 +14,79 @@
yum:
name: "{{ mantis_pkg }}"
state: present
vars:
mantis_pkg:
- php
- php-ldap
- httpd
- mod_ssl
- php-pgsql
- php-mbstring
- php-curl
- openldap
tags:
- packages
- name: Download the bugtracker
get_url:
url: "http://downloads.sourceforge.net/mantisbt/mantisbt-{{ mantis_version }}.tar.gz"
dest: "/tmp/mantisbt-{{ mantis_version }}.tar.gz"
checksum: "{{ mantis_checksum }}"
- name: Extract mantis
unarchive:
src: "/tmp/mantisbt-{{ mantis_version }}.tar.gz"
dest: "/var/www"
owner: apache
group: apache
mode: '0644'
remote_src: true
- name: Generate crypto salt
shell: "set -o pipefail && cat /dev/urandom | head -c 64 | base64 --wrap=0"
changed_when: "1 != 1"
register: cryptosalt_string
- name: Configure mantis
template:
src: "var/www/mantis/config/config_inc.php.j2"
dest: "/var/www/mantisbt-{{ mantis_version }}/config/config_inc.php"
owner: apache
group: apache
mode: '0640'
- name: Deploy plugins from Mantis GitHub
git:
repo: "https://github.com/mantisbt-plugins/{{ item }}.git"
dest: "/var/www/mantisbt-{{ mantis_version }}/plugins/{{ item }}"
update: true
version: master
with_items:
- Snippets
- name: Deploy custom libravatar plugin
git:
repo: "https://github.com/nazunalika/mantisbt-libravatar.git"
dest: "/var/www/mantisbt-{{ mantis_version }}/plugins/Libravatar"
update: true
version: main
- name: Configure httpd
template:
src: "etc/httpd/conf.d/mantis.conf.j2"
dest: "/etc/httpd/conf.d/mantis.conf"
owner: root
group: root
mode: '0644'
- name: Database import template
template:
src: "tmp/mantis_import.sql.j2"
dest: "/tmp/mantis_import.sql.j2"
owner: root
group: root
mode: '0600'
# We will need to generate this
# name: Import database if required
# community.general.postgresql_db:
# name: "{{ mantis_db_name }}"
# target: /tmp/mantis_import.sql
# owner: "{{ mantis_db_user }}"
# state: restore
# login_host: "{{ mantis_db_host }}"
# login_user: "{{ mantis_db_user }}"
# login_password: "{{ mantis_db_pass }}"
- name: Patch up some pages
import_tasks: mantispatch.yml
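Review bot: `Generate crypto salt` draws a fresh 64-byte value from /dev/urandom on every run and `Configure mantis` templates `cryptosalt_string` into config_inc.php, so the application's crypto salt rotates each time the playbook runs and anything derived from it (sessions, tokens) is invalidated; generate it once and persist it, either by reading it back from the existing config when present or by keeping it in the vault next to the database credentials. The plugin checkouts pull `version: master` / `version: main` with `update: true`, so each run deploys whatever the upstream branch currently holds into the web root; pin `version` to a tag or commit for both the Snippets and Libravatar plugins. The tarball is fetched from `http://downloads.sourceforge.net/...` — `checksum` protects integrity, but an https URL also removes the plaintext redirect hop. `Database import template` writes to `/tmp/mantis_import.sql.j2` while the commented import reads `/tmp/mantis_import.sql`, so the `.j2` suffix on the destination looks like a leftover; the file header for this hunk is not shown in the rendered page.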
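--- a/ansible/playbooks/tasks/mantispatch.yml
+++ b/ansible/playbooks/tasks/mantispatch.yml
@@ -0,0 +1,25 @@
+---
+# Patch up various pieces of mantis to customize it. We do not rely on local
+# bug tracker accounts. We are doing regex instead of just replacing the
+# file as a whole. Should make it easier to deal with upgrades in theory.
+- name: Change signup_page.php to Account Services
+  replace:
+    path: "/var/www/mantisbt-{{ mantis_version }}/{{ item }}"
+    regexp: 'signup_page.php'
+    replace: 'https://accounts.rockylinux.org'
+  with_items:
+    - core/print_api.php
+    - lost_pwd_page.php
+    - login_page.php
+
+- name: Change special signup_page.php reference
+  replace:
+    path: "/var/www/mantisbt-{{ mantis_version }}/core/layout_api.php"
+    regexp: "' . helper_mantis_url( 'signup_page.php' ) . '"
+    replace: 'https://accounts.rockylinux.org'
+
+- name: Remove LDAP from checks for signup button
+  lineinfile:
+    path: "/var/www/mantisbt-{{ mantis_version }}/login_page.php"
+    state: absent
+    regex: 'LDAP != config_get_global'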
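Review bot: The `regexp` in `Change special signup_page.php reference` contains unescaped parentheses, so `( 'signup_page.php' )` is parsed as a capture group and the pattern can only match text that lacks the literal parentheses present in `helper_mantis_url( 'signup_page.php' )`; the task then reports no change and the signup link in layout_api.php is left pointing at the local page. Escape the metacharacters: `regexp: "' \\. helper_mantis_url\\( 'signup_page\\.php' \\) \\. '"`. The first task's `regexp: 'signup_page.php'` works only because `.` happens to match the literal dot; `'signup_page\.php'` says what is meant. `regex:` on the lineinfile task is the alias of `regexp`, and using `regexp` in all three tasks keeps them uniform.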
88
ansible/playbooks/tasks/noggin.yml
Normal file
88
ansible/playbooks/tasks/noggin.yml
Normal file
|
@ -0,0 +1,88 @@
|
|||
---
|
||||
- name: Ensure python is installed
|
||||
yum:
|
||||
name:
|
||||
- python3
|
||||
- python3-pip
|
||||
state: present
|
||||
|
||||
- name: Ensure noggin user exists
|
||||
user:
|
||||
name: noggin
|
||||
comment: "Noggin FAS"
|
||||
|
||||
- name: Create noggin directory
|
||||
file:
|
||||
path: /opt/noggin
|
||||
state: directory
|
||||
mode: '0700'
|
||||
owner: noggin
|
||||
group: noggin
|
||||
|
||||
- name: Deploy noggin
|
||||
git:
|
||||
repo: https://github.com/fedora-infra/noggin.git
|
||||
dest: /opt/noggin/noggin
|
||||
update: true
|
||||
version: main
|
||||
become: true
|
||||
become_user: noggin
|
||||
|
||||
- name: Noggin user must install poetry
|
||||
pip:
|
||||
name: poetry
|
||||
executable: pip3
|
||||
become: true
|
||||
become_user: noggin
|
||||
|
||||
- name: Remove any pycache
|
||||
file:
|
||||
path: "/home/noggin/.cache/pypoetry"
|
||||
state: absent
|
||||
|
||||
- name: Noggin installation
|
||||
command: "/home/noggin/.local/bin/poetry install --no-dev --extras deploy"
|
||||
become: true
|
||||
become_user: noggin
|
||||
changed_when: "1 != 1"
|
||||
args:
|
||||
chdir: "/opt/noggin/noggin"
|
||||
|
||||
- name: Get the noggin poetry virtualenv
|
||||
shell:
|
||||
cmd: "poetry env list | awk '{print $1}'"
|
||||
chdir: "/opt/noggin/noggin"
|
||||
become: true
|
||||
become_user: noggin
|
||||
changed_when: "1 != 1"
|
||||
register: virtualenv_location
|
||||
|
||||
- name: Deploy start up script
|
||||
template:
|
||||
src: "opt/noggin/start_noggin.sh.j2"
|
||||
dest: "/opt/noggin/start_noggin.sh"
|
||||
mode: '0750'
|
||||
user: noggin
|
||||
group: noggin
|
||||
|
||||
- name: Deploy systemd unit
|
||||
copy:
|
||||
src: "etc/systemd/system/noggin.service"
|
||||
dest: "/etc/systemd/system/noggin.service"
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
|
||||
- name: Deploy noggin configuration
|
||||
template:
|
||||
src: "opt/noggin/noggin.cfg.j2"
|
||||
dest: "/opt/noggin/noggin.cfg"
|
||||
owner: noggin
|
||||
group: noggin
|
||||
mode: '0600'
|
||||
|
||||
# The only way to run it properly, at least on EL8, is we need this line
|
||||
- name: Add missing create_app call
|
||||
lineinfile:
|
||||
path: "/opt/noggin/noggin/noggin/app.py"
|
||||
line: "app = create_app()"
|
37
ansible/playbooks/tasks/postfix_relay.yml
Normal file
37
ansible/playbooks/tasks/postfix_relay.yml
Normal file
|
@ -0,0 +1,37 @@
|
|||
---
|
||||
# Configure relay
|
||||
- name: Ensure postfix is installed
|
||||
yum:
|
||||
name:
|
||||
- postfix
|
||||
- cyrus-sasl-plain
|
||||
state: present
|
||||
|
||||
- name: Add password map
|
||||
template:
|
||||
src: etc/postfix/sasl_passwd.j2
|
||||
dest: /etc/postfix/sasl_passwd
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0600'
|
||||
notify: rehash_postfix_sasl
|
||||
|
||||
- name: Add relay information to postfix
|
||||
blockinfile:
|
||||
path: /etc/postfix/main.cf
|
||||
marker: "## ANSIBLE MANAGED ##"
|
||||
block: |
|
||||
smtp_tls_note_starttls_offer = yes
|
||||
relayhost = [{{ smtp_relayhost }}]:587
|
||||
smtp_use_tls = yes
|
||||
smtp_sasl_auth_enable = yes
|
||||
smtp_sasl_security_options =
|
||||
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
|
||||
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
|
||||
notify: restart_postfix
|
||||
|
||||
- name: Ensure postfix is running and enabled
|
||||
service:
|
||||
name: postfix
|
||||
state: restarted
|
||||
enabled: true
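Review bot: The relay block only enables opportunistic TLS (`smtp_use_tls = yes`, an obsolete parameter, with no `smtp_tls_security_level`) while `smtp_sasl_security_options =` is emptied to permit PLAIN/LOGIN, so a man-in-the-middle that strips STARTTLS on port 587 receives the relay password in the clear. Use `smtp_tls_security_level = encrypt` (or `secure`, since `smtp_tls_CAfile` is already set), `smtp_sasl_security_options = noanonymous, noplaintext` and `smtp_sasl_tls_security_options = noanonymous` so plaintext mechanisms are only offered once TLS is up. Two idempotency problems as well: the `blockinfile` marker has no `{mark}`, so the begin and end markers are identical and the block can be inserted again on later runs (`marker: "## {mark} ANSIBLE MANAGED ##"`), and the final task uses `state: restarted`, which bounces postfix on every play — `state: started` plus the existing `restart_postfix` handler is enough. The `rehash_postfix_sasl` handler is outside this page; it should also set `sasl_passwd.db`, which postmap creates under the current umask, to 0600.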
|
2
ansible/playbooks/tasks/repository.yml
Normal file
2
ansible/playbooks/tasks/repository.yml
Normal file
|
@ -0,0 +1,2 @@
|
|||
---
|
||||
# no tasks yet
|
|
@ -132,3 +132,10 @@ gitlab_rails['db_port'] = '{{ gitlab_external_db_port }}'
|
|||
gitlab_rails['db_username'] = '{{ gitlab_external_db_user }}'
|
||||
gitlab_rails['db_password'] = '{{ gitlab_external_db_password }}'
|
||||
{% endif %}
|
||||
|
||||
{% if gitlab_trusted_proxies %}
|
||||
gitlab_rails['trusted_proxies'] = '{{ gitlab_trusted_proxies | map("to_json") | join(", ") }}'
|
||||
{% endif %}
|
||||
|
||||
gitlab_rails['gravatar_enabled'] = true
|
||||
gitlab_rails['gravatar_ssl_url'] = "https://seccdn.libravatar.org/avatar/%{hash}?s=%{size}&d=retro"
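Review bot: The `trusted_proxies` line renders a Ruby string rather than an array: with the single /32 from vars/gitlab.yml it becomes `gitlab_rails['trusted_proxies'] = '"10.100.20.20/32"'`, which GitLab does not accept as a proxy list, so depending on how omnibus handles the wrong type the reconfigure either fails or no proxy is trusted and rate limiting, audit events and access logs record the load balancer's address for every client. Replace the single quotes with brackets: `gitlab_rails['trusted_proxies'] = [{{ gitlab_trusted_proxies | map("to_json") | join(", ") }}]`.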
|
||||
|
|
48
ansible/playbooks/templates/etc/httpd/conf.d/id.conf.j2
Normal file
48
ansible/playbooks/templates/etc/httpd/conf.d/id.conf.j2
Normal file
|
@ -0,0 +1,48 @@
|
|||
WSGIDaemonProcess kdcproxy processes=2 threads=15 maximum-requests=1000 \
|
||||
display-name=%{GROUP}
|
||||
WSGIImportScript /usr/lib/python3.6/site-packages/kdcproxy/__init__.py \
|
||||
process-group=kdcproxy application-group=kdcproxy
|
||||
WSGIScriptAlias /KdcProxy /usr/lib/python3.6/site-packages/kdcproxy/__init__.py
|
||||
WSGIScriptReloading Off
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerName accounts.rockylinux.org
|
||||
ServerAlias accounts.rockylinux.org {{ ansible_fqdn }}
|
||||
RewriteEngine On
|
||||
RewriteCond %{HTTPS} !=on
|
||||
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
|
||||
</VirtualHost>
|
||||
|
||||
<VirtualHost *:443>
|
||||
ServerName accounts.rockylinux.org
|
||||
ServerAlias accounts.rockylinux.org {{ ansible_fqdn }}
|
||||
RequestHeader set X-Forwarded-Proto https
|
||||
SSLCertificateFile /etc/pki/tls/certs/noggin.crt
|
||||
SSLCertificateKeyFile /etc/pki/tls/private/noggin.key
|
||||
</VirtualHost>
|
||||
|
||||
<Location "/">
|
||||
ProxyPreserveHost On
|
||||
ProxyPass http://127.0.0.1:5000/
|
||||
ProxyPassReverse http://127.0.0.1:5000/
|
||||
<RequireAll>
|
||||
Require all granted
|
||||
Include /etc/httpd/conf/blacklist.conf
|
||||
</RequireAll>
|
||||
</Location>
|
||||
|
||||
<Location "/KdcProxy">
|
||||
Satisfy Any
|
||||
WSGIProcessGroup kdcproxy
|
||||
WSGIApplicationGroup kdcproxy
|
||||
ProxyPass "!"
|
||||
ProxyPassReverse "!"
|
||||
<RequireAll>
|
||||
Require all granted
|
||||
Include /etc/httpd/conf/blacklist.conf
|
||||
</RequireAll>
|
||||
</Location>
|
||||
|
||||
ServerSignature Off
|
||||
ServerTokens Prod
|
||||
ErrorDocument 403 "<h3>Your IP is on the blacklist.</h3><p>Please contact <a href="mailto:infrastructure@rockylinux.org">Rocky Linux Staff</a> to see if this can be corrected.</p>"
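Review bot: The `*:443` VirtualHost configures a certificate and key but never enables TLS — there is no `SSLEngine on` — so whether this host actually negotiates TLS depends on mod_ssl's default vhost in ssl.conf and vhost ordering, and a plaintext-on-443 outcome would silently defeat the redirect in the `*:80` host. Add `SSLEngine on` beside `SSLCertificateFile`, and for an accounts portal consider `Header always set Strict-Transport-Security "max-age=31536000"`. Also, the `ErrorDocument 403` message embeds unescaped double quotes (`href="mailto:..."`) inside a double-quoted argument; httpd's config parser will most likely split it into extra arguments and reject the file — escape them as `\"` or use single quotes around the attribute value.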
|
33
ansible/playbooks/templates/etc/httpd/conf.d/mantis.conf.j2
Normal file
33
ansible/playbooks/templates/etc/httpd/conf.d/mantis.conf.j2
Normal file
|
@ -0,0 +1,33 @@
|
|||
<VirtualHost *:80>
|
||||
ServerAdmin infrastructure@rockylinux.org
|
||||
DocumentRoot "/var/www/mantisbt-{{ mantis_version }}"
|
||||
ServerName bugs.rockylinux.org
|
||||
TransferLog /var/log/httpd/mantis_access.log
|
||||
ErrorLog /var/log/httpd/mantis_error.log
|
||||
<Directory "/var/www/mantisbt-{{ mantis_version }}/">
|
||||
Options MultiViews FollowSymlinks
|
||||
AllowOverride All
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
</Directory>
|
||||
</VirtualHost>
|
||||
|
||||
<VirtualHost *:443>
|
||||
SSLEngine on
|
||||
SSLHonorCipherOrder on
|
||||
SSLCipherSuite PROFILE=SYSTEM
|
||||
SSLProxyCipherSuite PROFILE=SYSTEM
|
||||
SSLCertificateFile /etc/pki/tls/certs/bugs.rockylinux.org.crt
|
||||
SSLCertificateKeyFile /etc/pki/tls/private/bugs.rockylinux.org.key
|
||||
ServerAdmin infrastructure@rockylinux.org
|
||||
DocumentRoot "/var/www/mantisbt-{{ mantis_version }}"
|
||||
ServerName bugs.rockylinux.org
|
||||
TransferLog /var/log/httpd/mantis_access.log
|
||||
ErrorLog /var/log/httpd/mantis_error.log
|
||||
<Directory "/var/www/mantisbt-{{ mantis_version }}/">
|
||||
Options MultiViews FollowSymlinks
|
||||
AllowOverride All
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
</Directory>
|
||||
</VirtualHost>
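Review bot: The `*:80` VirtualHost serves the full Mantis document root in plaintext with no redirect, so the LDAP-backed login form and the session cookie are usable over HTTP on bugs.rockylinux.org. Replace its `DocumentRoot`/`<Directory>` stanza with `Redirect permanent "/" "https://bugs.rockylinux.org/"` and keep the application only on 443. In both hosts `Order allow,deny` / `Allow from all` is 2.2 syntax that only works with mod_access_compat loaded; on a 2.4 httpd the native form is `Require all granted`, and `AllowOverride All` with `FollowSymlinks` on a PHP tree that accepts uploads is broader than Mantis needs — `AllowOverride None` unless its shipped .htaccess files are required.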
|
1
ansible/playbooks/templates/etc/postfix/sasl_passwd.j2
Normal file
1
ansible/playbooks/templates/etc/postfix/sasl_passwd.j2
Normal file
|
@ -0,0 +1 @@
|
|||
[{{ smtp_relayhost }}]:587 {{ smtp_user_name }}:{{ smtp_user_pass }}
|
|
@ -62,7 +62,6 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|||
# To disable tunneled clear text passwords, change to no here!
|
||||
#PasswordAuthentication yes
|
||||
#PermitEmptyPasswords no
|
||||
PasswordAuthentication yes
|
||||
|
||||
# Change to no to disable s/key passwords
|
||||
#ChallengeResponseAuthentication yes
|
||||
|
@ -154,3 +153,8 @@ Ciphers aes256-ctr,aes192-ctr,aes128-ctr
|
|||
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
|
||||
AuthorizedKeysCommandUser nobody
|
||||
ChallengeResponseAuthentication yes
|
||||
PasswordAuthentication no
|
||||
|
||||
{% if 'gitlabservers' in group_names %}
|
||||
AllowUsers git@* *@10.*
|
||||
{% endif %}
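Review bot: `PasswordAuthentication no` does not by itself stop password logins here, because the `ChallengeResponseAuthentication yes` two lines above it still lets sshd collect a password via keyboard-interactive and hand it to PAM/SSSD (UsePAM is outside this hunk but is the EL default). If the intent is key-only access through `sss_ssh_authorizedkeys`, add `ChallengeResponseAuthentication no`; if keyboard-interactive is kept deliberately for IPA OTP, record that, e.g. `# keyboard-interactive stays on for IPA OTP: passwords are still accepted via PAM`. Note also that `AllowUsers git@* *@10.*` is matched against source address and resolved hostname, so `*@10.*` admits every user from any 10.x.x.x origin and `git@*` admits git from anywhere — narrow both if that is wider than the GitLab deployment needs.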
|
||||
|
|
|
@ -70,7 +70,6 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|||
# To disable tunneled clear text passwords, change to no here!
|
||||
#PasswordAuthentication yes
|
||||
#PermitEmptyPasswords no
|
||||
PasswordAuthentication yes
|
||||
|
||||
# Change to no to disable s/key passwords
|
||||
#ChallengeResponseAuthentication yes
|
||||
|
@ -166,3 +165,8 @@ Ciphers aes256-ctr,aes192-ctr,aes128-ctr
|
|||
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
|
||||
AuthorizedKeysCommandUser nobody
|
||||
ChallengeResponseAuthentication yes
|
||||
PasswordAuthentication no
|
||||
|
||||
{% if 'gitlabservers' in group_names %}
|
||||
AllowUsers git@* *@10.*
|
||||
{% endif %}
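Review bot: The added `PasswordAuthentication no` is undercut by `ChallengeResponseAuthentication yes` immediately above it: with PAM enabled, sshd's keyboard-interactive path still prompts for and accepts the user's password, so the hardening intent is not met unless keyboard-interactive is wanted for IPA OTP. Either add `ChallengeResponseAuthentication no` for a key-only policy or document the OTP intent in a comment next to the directive. The `gitlabservers`-only `AllowUsers git@* *@10.*` line is address/hostname-pattern based; `*@10.*` covers the whole 10/8 space, which may be broader than the management network this template is meant to admit.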
|
||||
|
|
23
ansible/playbooks/templates/opt/noggin/noggin.cfg
Normal file
23
ansible/playbooks/templates/opt/noggin/noggin.cfg
Normal file
|
@ -0,0 +1,23 @@
|
|||
TEMPLATES_AUTO_RELOAD = False
|
||||
FREEIPA_SERVERS = []
|
||||
FREEIPA_CACERT = '/etc/ipa/ca.crt'
|
||||
FREEIPA_ADMIN_USER = 'userman'
|
||||
FREEIPA_ADMIN_PASSWORD = '{{ rocky_ldap_userman_pw }}'
|
||||
THEME = "rocky"
|
||||
FERNET_SECRET = b'NOTASECRET='
|
||||
SECRET_KEY = b'NOTASECRET='
|
||||
SESSION_COOKIE_HTTPONLY = True
|
||||
SESSION_COOKIE_SECURE = True
|
||||
USER_DEFAULTS = {
|
||||
"locale": "en-US",
|
||||
"timezone": "UTC",
|
||||
"status_note": "active",
|
||||
}
|
||||
REGISTRATION_OPEN = True
|
||||
ACTIVATION_TOKEN_EXPIRATION = 30
|
||||
PASSWORD_RESET_EXPIRATION = 10
|
||||
MAIL_DEFAULT_SENDER = "Account Services <identitymanagement@rockylinux.org>"
|
||||
MAIL_SUPPRESS_SEND = False
|
||||
AVATAR_SERVICE_URL = "https://seccdn.libravatar.org/"
|
||||
AVATAR_DEFAULT_TYPE = "retro"
|
||||
FEDORA_MESSAGING_ENABLED = False
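Review bot: `SECRET_KEY` and `FERNET_SECRET` are committed as the literal `b'NOTASECRET='`: SECRET_KEY signs the Flask session cookie, so anyone who reads this public repository can mint a session for any account, and FERNET_SECRET, going by its name, protects tokens such as activation and password-reset links. Both must be unique, random and vaulted, e.g. `SECRET_KEY = b'{{ noggin_secret_key }}'` and `FERNET_SECRET = b'{{ noggin_fernet_secret }}'`, and anything deployed with the placeholder should be rotated. `FREEIPA_SERVERS = []` is presumably meant to be filled as well (`{{ rocky_ipaserver_list | to_json }}` would make the trusted server set explicit). Finally, this file lacks the `.j2` suffix that the noggin task's `src: opt/noggin/noggin.cfg.j2` references, so unless a `.j2` copy exists outside this page the template step cannot find it.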
|
14
ansible/playbooks/templates/opt/noggin/start_noggin.sh.j2
Normal file
14
ansible/playbooks/templates/opt/noggin/start_noggin.sh.j2
Normal file
|
@ -0,0 +1,14 @@
|
|||
#!/bin/bash
|
||||
export PATH=/home/noggin/.local/bin:/home/noggin/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
|
||||
export NOGGIN_CONFIG_PATH=/opt/noggin/noggin.cfg
|
||||
export FLASK_DEBUG=1
|
||||
export FLASK_APP=/opt/noggin/noggin/noggin/app.py
|
||||
source /home/noggin/.cache/pypoetry/virtualenvs/{{ virtualenv_location.stdout }}/bin/activate
|
||||
cd /opt/noggin/noggin
|
||||
#/home/noggin/.local/bin/poetry run flask run -h 0.0.0.0
|
||||
# --certfile=/etc/pki/tls/certs/noggin.crt \
|
||||
# --keyfile=/etc/pki/tls/private/noggin.key \
|
||||
gunicorn -w 3 \
|
||||
--env NOGGIN_CONFIG_PATH=/opt/noggin/noggin.cfg \
|
||||
--bind tcp://0.0.0.0:5000 \
|
||||
noggin.app:app
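Review bot: gunicorn is bound to `tcp://0.0.0.0:5000`, but the httpd template proxies to `http://127.0.0.1:5000/`, so the only thing listening on every interface is a plaintext backend that bypasses Apache's TLS termination and the `blacklist.conf` access control; bind to loopback with `--bind 127.0.0.1:5000`. `export FLASK_DEBUG=1` should also be removed: Flask reads that variable to set `app.debug`, which turns on exception propagation and verbose error pages on a production identity service. Whether firewalld shields port 5000 on this host is not visible in this commit, so I would not rely on it.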
|
1
ansible/playbooks/templates/tmp/mantis_import.sql.j2
Normal file
1
ansible/playbooks/templates/tmp/mantis_import.sql.j2
Normal file
|
@ -0,0 +1 @@
|
|||
# Empty
|
|
@ -0,0 +1,46 @@
|
|||
<?php
|
||||
$g_hostname = '{{ mantis_db_host }}';
|
||||
$g_db_type = 'pgsql';
|
||||
$g_database_name = '{{ mantis_db_name }}';
|
||||
$g_db_username = '{{ mantis_db_user }}';
|
||||
$g_db_password = '{{ mantis_db_pass }}';
|
||||
|
||||
$g_default_timezone = 'UTC';
|
||||
|
||||
$g_crypto_master_salt = '{{ cryptosalt_string.stdout }}';
|
||||
|
||||
# Added
|
||||
$g_login_method = 'LDAP';
|
||||
$g_ldap_server = '{{ rocky_ipaserver_lb }}';
|
||||
$g_ldap_port = '389';
|
||||
$g_ldap_root_dn = '{{ rocky_ldap_user_basedn }}';
|
||||
#$g_ldap_organization = '(objectClass=posixAccount)';
|
||||
$g_ldap_protocol_version = 3;
|
||||
$g_ldap_network_timeout = 30;
|
||||
$g_ldap_follow_referrals = ON;
|
||||
$g_ldap_bind_dn = '{{ mantis_binder_user }}';
|
||||
$g_ldap_bind_passwd = '{{ mantis_binder_pass }}';
|
||||
$g_ldap_uid_field = 'uid';
|
||||
$g_ldap_realname_field = 'cn';
|
||||
$g_use_ldap_realname = ON;
|
||||
$g_use_ldap_email = ON;
|
||||
|
||||
$g_webmaster_email = 'infrastructure@rockylinux.org';
|
||||
$g_from_email = 'noreply@rockylinux.org';
|
||||
$g_return_path_email = 'noreply@rockylinux.org';
|
||||
$g_from_name = 'Rocky Linux Bugzilla';
|
||||
$g_allow_file_upload = ON;
|
||||
$g_file_upload_method = DATABASE; # or DISK
|
||||
$g_dropzone_enabled = ON;
|
||||
$g_show_realname = ON;
|
||||
$g_show_avatar = ON;
|
||||
$g_allowed_files = 'log,patch,txt';
|
||||
$g_disallowed_files = 'exe,pl,sh,py,c,cpp,rar,zip,rpm';
|
||||
$g_window_title = 'Rocky Bugzilla';
|
||||
$g_allow_signup = ON;
|
||||
$g_allow_anonymous_login = ON;
|
||||
$g_anonymous_account = 'anonymous';
|
||||
$g_enable_email_notification = ON;
|
||||
|
||||
# Cookie problems
|
||||
$g_allow_permanent_cookie = OFF;
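Review bot: The LDAP block binds to `{{ rocky_ipaserver_lb }}` on port 389 with the shared binder DN and password and says nothing about transport security; Mantis 2.x exposes `$g_ldap_use_starttls` (ON by default in recent releases, but a config this sensitive should pin it), so add `$g_ldap_use_starttls = ON;` or use `ldaps://` on 636 so that neither the binder secret nor the users' passwords cross the network in the clear if the default changes or the load balancer lacks STARTTLS. `$g_ldap_follow_referrals = ON` is unnecessary against a single IPA tree and lets a hostile referral redirect the bind elsewhere — set it OFF. `$g_crypto_master_salt` is taken from `cryptosalt_string.stdout`, which suggests a command run during the play (not on this page); unless that task is guarded so it runs once, every playbook run rotates the salt and invalidates existing sessions and tokens.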
|
5
ansible/playbooks/vars/buildsys.yml
Normal file
5
ansible/playbooks/vars/buildsys.yml
Normal file
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
# Build sys
|
||||
smtp_user_name: "username"
|
||||
smtp_user_pass: "password"
|
||||
smtp_relayhost: "smtp.rockylinux.org"
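Review bot: `smtp_user_name: "username"` / `smtp_user_pass: "password"` are literal placeholders for the relay credentials that `postfix_relay.yml` writes into /etc/postfix/sasl_passwd, so as committed the build hosts fail SASL auth, and the natural "fix" of editing this file in place would land a real password in a public repository. Point both at vaulted values, e.g. `smtp_user_pass: "{{ vault_smtp_user_pass }}"`, and keep plaintext secrets out of vars/ entirely.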
|
|
@ -1,4 +1,5 @@
|
|||
---
|
||||
rocky_ipa_realm: "ROCKYLINUX.ORG"
|
||||
rocky_ldap_bind_dn: "uid=binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org"
|
||||
rocky_ldap_user_basedn: "cn=users,cn=accounts,dc=rockylinux,dc=org"
|
||||
rocky_ldap_group_basedn: "cn=groups,cn=accounts,dc=rockylinux,dc=org"
|
||||
|
@ -8,3 +9,5 @@ rocky_ipaserver_list: "{{ groups['ipaserver'] + groups['ipareplicas'] }}"
|
|||
rocky_ipaserver_lb: "ipa-lb.rockylinux.org"
|
||||
# This will need to be vaulted
|
||||
rocky_ldap_bind_pw: "{{ ipa_binder_password }}"
|
||||
rocky_ldap_userman_dn: "uid=userman,cn=users,cn=accounts,dc=rockylinux,dc=org"
|
||||
rocky_ldap_userman_pw: "{{ ipa_userman_password }}"
|
||||
|
|
|
@ -29,7 +29,7 @@ gitlab_ldap_bind_dn: "{{ rocky_ldap_bind_dn }}"
|
|||
gitlab_ldap_password: "{{ rocky_ldap_bind_pw }}"
|
||||
gitlab_ldap_base: "{{ rocky_ldap_user_basedn }}"
|
||||
gitlab_ldap_group_dn: "{{ rocky_ldap_group_basedn }}"
|
||||
gitlab_ldap_admin_group: "cn=gitadm,cn=groups,cn=accounts,dc=rockylinux,dc=org"
|
||||
gitlab_ldap_admin_group: "gitadm"
|
||||
gitlab_ldap_user_filter: "(&(objectClass=posixAccount)(memberOf=cn=gitusers,cn=groups,cn=accounts,dc=rockylinux,dc=org))"
|
||||
|
||||
gitlab_time_zone: "UTC"
|
||||
|
@ -67,3 +67,6 @@ gitlab_external_db: true
|
|||
gitlab_external_db_host: db.rockylinux.org
|
||||
gitlab_external_db_user: gitlab
|
||||
gitlab_external_db_password: "{{ gitlab_db_pass }}"
|
||||
|
||||
gitlab_trusted_proxies:
|
||||
- 10.100.20.20/32
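Review bot: `gitlab_external_db_*` points GitLab at db.rockylinux.org with a vaulted password but no TLS mode variable; unless the role defaults `db_sslmode`, libpq's `prefer` applies and the Rails connection will fall back to plaintext if TLS is ever unavailable. If the role exposes it, add something like `gitlab_external_db_sslmode: verify-full`. The single-/32 `gitlab_trusted_proxies` entry is appropriate, provided the gitlab.rb template renders it as a Ruby array.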
|
||||
|
|
31
ansible/playbooks/vars/graylog.yml
Normal file
31
ansible/playbooks/vars/graylog.yml
Normal file
|
@ -0,0 +1,31 @@
|
|||
---
|
||||
# graylog
|
||||
graylog_server_firewall_rules:
|
||||
- port: 9000/tcp
|
||||
permanent: true
|
||||
state: enabled
|
||||
- port: 1514/tcp
|
||||
permanent: true
|
||||
state: enabled
|
||||
- port: 1514/udp
|
||||
permanent: true
|
||||
state: enabled
|
||||
|
||||
graylog_tls_ca_cert: "/etc/pki/tls/certs/ca-bundle.crt"
|
||||
graylog_tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
|
||||
graylog_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
|
||||
|
||||
ipa_getcert_requested_hostnames:
|
||||
- name: "{{ ansible_fqdn }}"
|
||||
owner: graylog
|
||||
key_location: "{{ monitoring_tls_key }}"
|
||||
cert_location: "{{ monitoring_tls_cert }}"
|
||||
postcmd: "/bin/systemctl restart graylog-server"
|
||||
cnames:
|
||||
- "graylog.rockylinux.org"
|
||||
|
||||
graylog_ipa_dnsrecord_zone_name: rockylinux.org
|
||||
graylog_ipa_dnsrecord_name: graylog
|
||||
graylog_ipa_dnsrecord_record_type: CNAME
|
||||
graylog_ipa_dnsrecord_record_value: graylog002.rockylinux.org.
|
||||
graylog_ipa_dnsrecord_state: present
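Review bot: `ipa_getcert_requested_hostnames` requests the key and certificate into `{{ monitoring_tls_key }}` / `{{ monitoring_tls_cert }}`, but this file defines `graylog_tls_key` / `graylog_tls_cert`; unless the monitoring variables are defined elsewhere the play fails on an undefined variable, and if they are, the certificate is written to the monitoring paths while Graylog is pointed at the graylog ones. Use `key_location: "{{ graylog_tls_key }}"` and `cert_location: "{{ graylog_tls_cert }}"`.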
|
|
@ -26,6 +26,13 @@ iparoles:
|
|||
- "Netgroups Administrators"
|
||||
user:
|
||||
- hostman
|
||||
- role: Kerberos Managers
|
||||
description: Kerberos Key Managers
|
||||
privileges:
|
||||
- "Privileges - Kerberos Managers"
|
||||
- "Service Administrators"
|
||||
user:
|
||||
- kerbman
|
||||
- role: IPA User Managers
|
||||
description: Rocky IPA User Managers responsible for idm flow
|
||||
privileges:
|
||||
|
|
2
ansible/playbooks/vars/ipaserver.yml
Normal file
2
ansible/playbooks/vars/ipaserver.yml
Normal file
|
@ -0,0 +1,2 @@
|
|||
---
|
||||
ipatype: server
|
31
ansible/playbooks/vars/mantis.yml
Normal file
31
ansible/playbooks/vars/mantis.yml
Normal file
|
@ -0,0 +1,31 @@
|
|||
---
|
||||
# mantis vars
|
||||
mantis_version: 2.25.0
|
||||
mantis_checksum: "sha256:d8973d3677ecb2ccbfee95e2267b3128049fbdcc59aa1f007686a342d93a4c0a"
|
||||
mantis_pkg:
|
||||
- php
|
||||
- php-ldap
|
||||
- httpd
|
||||
- mod_ssl
|
||||
- php-pgsql
|
||||
- php-mbstring
|
||||
- php-curl
|
||||
- openldap
|
||||
- php-json
|
||||
mantis_db_host: db.rockylinux.org
|
||||
mantis_db_name: mantisdb
|
||||
mantis_db_user: mantis
|
||||
mantis_binder_user: "{{ rocky_ldap_bind_dn }}"
|
||||
mantis_binder_pass: "{{ rocky_ldap_bind_pw }}"
|
||||
|
||||
# Vault
|
||||
# mantis_db_pass: ThisIsNotThePassword!
|
||||
|
||||
ipa_getcert_requested_hostnames:
|
||||
- name: "{{ ansible_fqdn }}"
|
||||
owner: apache
|
||||
key_location: "/etc/pki/tls/private/bugs.rockylinux.org.key"
|
||||
cert_location: "/etc/pki/tls/certs/bugs.rockylinux.org.crt"
|
||||
postcmd: "/bin/systemctl reload httpd"
|
||||
cnames:
|
||||
- "bugs.rockylinux.org"
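Review bot: `mantis_binder_user` / `mantis_binder_pass` reuse the global `binder` sysaccount and password that GitLab also uses (vars/gitlab.yml), whereas rabbitmq gets its own `rabbitmq_binder`; Mantis — a PHP app with anonymous login, self-signup and file upload switched on in its config_inc.php — is the host most likely to be compromised, so a dedicated read-only account, e.g. `mantis_binder_user: "uid=mantis_binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org"` with a vaulted `mantis_binder_password`, limits the blast radius and allows per-application rotation.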
|
16
ansible/playbooks/vars/matterbridge.yml
Normal file
16
ansible/playbooks/vars/matterbridge.yml
Normal file
|
@ -0,0 +1,16 @@
|
|||
---
|
||||
matterbridge_config:
|
||||
binary_checksum: "0a321cbc90ba467d05c1bd5ec7a1c3b10fb2ba142710311b015f5e8235d39fe6"
|
||||
version: 1.21.0
|
||||
|
||||
mbridge_bot_nick: rlf
|
||||
mbridge_bridge_name: rlf
|
||||
mbridge_irc_channel: '#irc'
|
||||
mbridge_irc_ignore_nicks:
|
||||
mbridge_irc_label: IRC
|
||||
mbridge_irc_network_server: irc.freenode.net:6697
|
||||
mbridge_mattermost_channel: testing
|
||||
mbridge_mattermost_ignore_nicks:
|
||||
mbridge_mattermost_label: MM
|
||||
mbridge_mattermost_server: ws.chat.rockylinux.org
|
||||
mbridge_mattermost_team: rocky-linux
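Review bot: `mbridge_irc_ignore_nicks:` and `mbridge_mattermost_ignore_nicks:` are bare keys, which YAML reads as `null` rather than an empty string or list; if the role interpolates them straight into the matterbridge TOML that yields a `None`-like value or a template error. Write `""` or `[]` explicitly, whichever the role expects. The pinned `binary_checksum` is good; since `irc.freenode.net:6697` is the TLS port, make sure the role also sets the IRC `UseTLS` option rather than inferring it from the port.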
|
13
ansible/playbooks/vars/production/koji-common.yml
Normal file
13
ansible/playbooks/vars/production/koji-common.yml
Normal file
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
# Koji common
|
||||
koji_efs_mount_path: /mnt/koji
|
||||
koji_efs_fsid: whatever.amazonaws.com
|
||||
koji_efs_fs_ip_map:
|
||||
us-east-2a: 10.x.x.x
|
||||
us-east-2b: 10.x.x.x
|
||||
us-east-2c: 10.x.x.x
|
||||
koji_efs_fs_type: efs
|
||||
koji_efs_fs_opts:
|
||||
- _netdev
|
||||
- tls
|
||||
- iam
|
|
@ -20,10 +20,36 @@ koji_hub_url: "https://{{ koji_url_name }}/kojihub"
|
|||
koji_files_url: "https://{{ koji_url_name }}/kojifiles"
|
||||
|
||||
# The IPA internal CA is combined with the others
|
||||
# Change before deployment or store in vault
|
||||
koji_hub_secret: cK5XCuzMSXJfgA7yFvXkGwFu
|
||||
koji_web_cacert: /etc/pki/tls/certs/ca-bundle.crt
|
||||
koji_web_tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
|
||||
koji_web_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
|
||||
|
||||
# Kojira
|
||||
koji_kojira: true
|
||||
koji_kojira_user: kojira
|
||||
koji_kojira_user_kerb: kojira/koji.rockylinux.org
|
||||
koji_kojira_principal: kojira/koji.rockylinux.org@ROCKYLINUX.ORG
|
||||
koji_kojira_keytab: /etc/keytabs/kojira.keytab
|
||||
|
||||
# MBS
|
||||
koji_mbs: true
|
||||
koji_mbs_user: mbs
|
||||
koji_mbs_user_kerb: mbs/mbs.rockylinux.org
|
||||
koji_mbs_principal: mbs/mbs.rockylinux.org@ROCKYLINUX.ORG
|
||||
koji_mbs_keytab: /etc/keytabs/mbs.keytab
|
||||
|
||||
# GC
|
||||
koji_gc_keytab: /etc/keytabs/koji-gc.keytab
|
||||
koji_gc_principal: koji-gc/koji.rockylinux.org@ROCKYLINUX.ORG
|
||||
|
||||
# Sigul
|
||||
koji_sigul: true
|
||||
koji_sigul_user: sigul
|
||||
koji_sigul_user_kerb: sigul/sigul.rockylinux.org
|
||||
koji_sigul_principal: sigul/sigul.rockylinux.org@ROCKYLINUX.ORG
|
||||
|
||||
# NFS? We need a place.
|
||||
koji_nfs: false
|
||||
koji_mount: /mnt/koji
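Review bot: The new `koji_hub_secret: cK5XCuzMSXJfgA7yFvXkGwFu` places a literal secret in the production vars despite the comment above it saying to change or vault it; once it sits in a public mirror the only safe course is to rotate it and replace the line with a vaulted reference such as `koji_hub_secret: "{{ vault_koji_hub_secret }}"`. Whatever the role feeds this value into, a committed placeholder that looks real is exactly the kind of thing that ends up deployed unchanged.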
|
|
@ -28,6 +28,9 @@ rabbitmq_enable_public: false
|
|||
# into account when setting this variable.
|
||||
rabbitmq_cluster_list: "{{ groups['rabbitmq'] }}"
|
||||
rabbitmq_ldap_servers: "{{ rocky_ipaserver_list }}"
|
||||
rabbitmq_ldap_bind_dn: "uid=rabbitmq_binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org"
|
||||
rabbitmq_ldap_bind_pw: "{{ rabbitmq_binder_password }}"
|
||||
rabbitmq_ldap_basedn: "{{ rocky_ldap_account_basedn }}"
|
||||
|
||||
# Messaging queues are generally private
|
||||
rabbitmq_private: true
|
||||
|
@ -37,3 +40,5 @@ ipa_getcert_requested_hostnames:
|
|||
key_location: "{{ rabbitmq_tls_key }}"
|
||||
cert_location: "{{ rabbitmq_tls_cert }}"
|
||||
postcmd: "/bin/systemctl restart rabbitmq-server"
|
||||
cnames:
|
||||
- "rabbitmq-{{ rabbitmq_env }}.rockylinux.org"
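Review bot: `rabbitmq_ldap_basedn: "{{ rocky_ldap_account_basedn }}"` references a variable this commit does not define — vars/ipa.yml only adds `rocky_ldap_user_basedn` and `rocky_ldap_group_basedn` — so unless it exists elsewhere the play fails with an undefined variable; if the `cn=accounts` parent of both is intended, add `rocky_ldap_account_basedn: "cn=accounts,dc=rockylinux,dc=org"` to ipa.yml. The dedicated `rabbitmq_binder` sysaccount is the right pattern and worth copying for the other applications in this commit, which still share `binder`.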
|
||||
|
|
16
ansible/playbooks/vars/sigul_bridge.yml
Normal file
16
ansible/playbooks/vars/sigul_bridge.yml
Normal file
|
@ -0,0 +1,16 @@
|
|||
---
|
||||
# Sigul Bridge Variables
|
||||
sigul_type: bridge
|
||||
sigul_ipa_realm: "ROCKYLINUX.ORG"
|
||||
sigul_bridge_cert_nickname: "sigul-bridge"
|
||||
sigul_principal: "sigul/sigul.rockylinux.org@{{ sigul_ipa_realm }}"
|
||||
sigul_keytab: /etc/sigul.keytab
|
||||
sigul_nss_dir: /etc/pki/tls/sigul
|
||||
|
||||
# ipa-getcert variables
|
||||
ipa_getcert_nss: true
|
||||
ipa_getcert_requested_hostnames:
|
||||
- name: "{{ ansible_fqdn }}"
|
||||
owner: sigul
|
||||
nss_db_dir: "{{ sigul_nss_dir }}"
|
||||
nss_nickname: "{{ sigul_bridge_cert_nickname }}"
|
14
ansible/playbooks/vars/sigul_server.yml
Normal file
14
ansible/playbooks/vars/sigul_server.yml
Normal file
|
@ -0,0 +1,14 @@
|
|||
---
|
||||
# Sigul Server Variables
|
||||
sigul_type: server
|
||||
sigul_server_cert_nickname: "sigul-server"
|
||||
sigul_nss_dir: /etc/pki/tls/sigul
|
||||
sigul_bridge_name: ""
|
||||
|
||||
# ipa-getcert variables
|
||||
ipa_getcert_nss: true
|
||||
ipa_getcert_requested_hostnames:
|
||||
- name: "{{ ansible_fqdn }}"
|
||||
owner: sigul
|
||||
nss_db_dir: "{{ sigul_nss_dir }}"
|
||||
nss_nickname: "{{ sigul_server_cert_nickname }}"
|
13
ansible/playbooks/vars/staging/koji-common.yml
Normal file
13
ansible/playbooks/vars/staging/koji-common.yml
Normal file
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
# Koji common
|
||||
koji_efs_mount_path: /mnt/koji
|
||||
koji_efs_fsid: whatever.amazonaws.com
|
||||
koji_efs_fs_ip_map:
|
||||
us-east-2a: 10.x.x.x
|
||||
us-east-2b: 10.x.x.x
|
||||
us-east-2c: 10.x.x.x
|
||||
koji_efs_fs_type: efs
|
||||
koji_efs_fs_opts:
|
||||
- _netdev
|
||||
- tls
|
||||
- iam
|
15
ansible/playbooks/vars/staging/kojid.yml
Normal file
15
ansible/playbooks/vars/staging/kojid.yml
Normal file
|
@ -0,0 +1,15 @@
|
|||
---
|
||||
# vars for kojid
|
||||
|
||||
kojid_vendor: Rocky
|
||||
kojid_packager: infrastructure@rockylinux.org
|
||||
kojid_distribution: Rocky
|
||||
# These three should probably be specified by special vars
|
||||
# kojid_web_url: https://kojistg.rockylinux.org/koji
|
||||
# kojid_hub_url: https://kojistg.rockylinux.org/kojihub
|
||||
# kojid_files_url: https://kojistg.rockylinux.org/kojifiles
|
||||
|
||||
kojid_ca_bundle: /etc/pki/tls/certs/ca-bundle.crt
|
||||
kojid_keytab: /etc/kojid.keytab
|
||||
kojid_smtp_host: smtp.rockylinux.org
|
||||
kojid_allowed_scm: "git.centos.org:/* git.rockylinux.org:/*"
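Review bot: `kojid_allowed_scm: "git.centos.org:/* git.rockylinux.org:/*"` allows any repository under either host — including arbitrary user forks on git.centos.org — to be used as a build source, and koji's `host:repo[:use_common[:source_cmd]]` entry format defaults use_common to yes. Narrow the path component to the namespaces builds are actually taken from, e.g. `git.rockylinux.org:/rpms/*` (the exact prefix depends on your layout), and append `:no` if the build flow does not use a common/ checkout.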
|
119
ansible/playbooks/vars/staging/kojihub.yml
Normal file
119
ansible/playbooks/vars/staging/kojihub.yml
Normal file
|
@ -0,0 +1,119 @@
|
|||
---
|
||||
# koji hub settings
|
||||
# This should be the front-facing URL of koji
|
||||
#koji_url_name: kojistg.rockylinux.org
|
||||
|
||||
# Use an internal CA (IPA)
|
||||
koji_internal_ca: true
|
||||
|
||||
# Use postgresql on this machine rather than managed service
|
||||
koji_postgresql_vm: true
|
||||
|
||||
# Database settings
|
||||
koji_db_name: koji
|
||||
koji_db_user: koji
|
||||
# This will need to change when koji_postgresql_vm is false
|
||||
koji_db_host: "{{ ansible_fqdn }}"
|
||||
|
||||
koji_web_url: "https://{{ koji_url_name }}/koji"
|
||||
koji_hub_url: "https://{{ koji_url_name }}/kojihub"
|
||||
koji_files_url: "https://{{ koji_url_name }}/kojifiles"
|
||||
|
||||
# The IPA internal CA is combined with the others
|
||||
# Change before deployment or store in vault
|
||||
koji_hub_secret: cK5XCuzMSXJfgA7yFvXkGwFu
|
||||
koji_web_cacert: /etc/pki/tls/certs/ca-bundle.crt
|
||||
koji_web_tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
|
||||
koji_web_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
|
||||
|
||||
# Kojira
|
||||
koji_kojira: true
|
||||
koji_kojira_user: kojira
|
||||
koji_kojira_user_kerb: kojira/kojistg.rockylinux.org
|
||||
koji_kojira_principal: kojira/kojistg.rockylinux.org@ROCKYLINUX.ORG
|
||||
koji_kojira_keytab: /etc/keytabs/kojira.keytab
|
||||
|
||||
# MBS
|
||||
koji_mbs: true
|
||||
koji_mbs_user: mbs
|
||||
koji_mbs_user_kerb: mbs/mbs.rockylinux.org
|
||||
koji_mbs_principal: mbs/mbs.rockylinux.org@ROCKYLINUX.ORG
|
||||
koji_mbs_keytab: /etc/keytabs/mbs.keytab
|
||||
|
||||
# GC
|
||||
koji_gc_keytab: /etc/keytabs/koji-gc.keytab
|
||||
koji_gc_principal: koji-gc/kojistg.rockylinux.org@ROCKYLINUX.ORG
|
||||
|
||||
# Sigul
|
||||
koji_sigul: true
|
||||
koji_sigul_user: sigul
|
||||
koji_sigul_user_kerb: sigul/sigul.rockylinux.org
|
||||
koji_sigul_principal: sigul/sigul.rockylinux.org@ROCKYLINUX.ORG
|
||||
|
||||
# NFS? We need a place.
|
||||
koji_nfs: false
|
||||
koji_mount: /mnt/koji
|
||||
koji_nfs_path: nfs.rockylinux.org:/export/koji
|
||||
|
||||
# Koji Admin Settings
|
||||
koji_admin_client: true
|
||||
koji_admin_user: rockykoji
|
||||
koji_admin_principal: rockykoji@ROCKYLINUX.ORG
|
||||
koji_admin_localuser: true
|
||||
koji_admin_localuser_name: koji
|
||||
|
||||
# Hub Settings
|
||||
koji_hub_principal: "host/kojihub@ROCKYLINUX.ORG"
|
||||
koji_hub_proxy_principals: "HTTP/{{ inventory_hostname }}@ROCKYLINUX.ORG"
|
||||
koji_hub_keytab: /etc/keytabs/host.keytab
|
||||
koji_hub_principal_format: compile/%s@ROCKYLINUX.ORG
|
||||
# This should be sufficient even for LE
|
||||
koji_hub_ca: "{{ koji_web_cacert }}"
|
||||
|
||||
# Koji FAS Syncing
|
||||
# This isn't implemented yet in the role
|
||||
koji_fas_sync: false
|
||||
koji_fas_url: https://accounts.rockylinux.org
|
||||
|
||||
# IPA Certs if Required
|
||||
ipa_getcert_requested_hostnames:
|
||||
- name: "{{ ansible_fqdn }}"
|
||||
owner: apache
|
||||
key_location: "{{ koji_web_tls_key }}"
|
||||
cert_location: "{{ koji_web_tls_cert }}"
|
||||
postcmd: "/bin/systemctl reload httpd"
|
||||
|
||||
# postgresql vars
|
||||
postgresql_restarted_state: "restarted"
|
||||
postgresql_python_library: python3-psycopg2
|
||||
postgresql_user: postgres
|
||||
postgresql_group: postgres
|
||||
postgresql_hba_entries:
|
||||
- type: local
|
||||
database: koji
|
||||
user: koji
|
||||
auth_method: trust
|
||||
- type: local
|
||||
database: all
|
||||
user: postgres
|
||||
auth_method: peer
|
||||
- type: host
|
||||
database: koji
|
||||
user: koji
|
||||
address: '10.100.1.0/24'
|
||||
auth_method: md5
|
||||
|
||||
postgresql_databases:
|
||||
- name: "{{ koji_db_name }}"
|
||||
owner: "{{ koji_db_user }}"
|
||||
|
||||
postgresql_users:
|
||||
- name: "{{ koji_db_user }}"
|
||||
password: "{{ koji_db_pass }}"
|
||||
role_attr_flags: "NOCREATEDB,NOSUPERUSER,NOCREATEROLE"
|
||||
db: "{{ koji_db_name }}"
|
||||
state: present
|
||||
|
||||
postgresql_global_config_options:
|
||||
- option: listen_addresses
|
||||
value: '*'
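Review bot: `koji_hub_secret: cK5XCuzMSXJfgA7yFvXkGwFu` is a real-looking 24-character secret committed to a public repository; treat it as burned and replace it with a vaulted reference such as `koji_hub_secret: "{{ vault_koji_hub_secret }}"` instead of the "change before deployment" comment. In `postgresql_hba_entries` the local entry for `koji`/`koji` uses `auth_method: trust`, so any OS account on the hub (apache, kojira, anything that lands in a build helper) can open the build database as koji with no password even though `koji_db_pass` is provisioned for that user; use `auth_method: scram-sha-256` (or `md5` if the role's PostgreSQL predates it) for both the local and the `10.100.1.0/24` entries, and consider whether `listen_addresses: '*'` is needed when only that /24 is meant to connect.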
|
109
ansible/playbooks/vars/wikijs.yml
Normal file
109
ansible/playbooks/vars/wikijs.yml
Normal file
|
@ -0,0 +1,109 @@
|
|||
---
|
||||
# wikijs vars
|
||||
firewall_rules:
|
||||
- port: 443/tcp
|
||||
permanent: true
|
||||
state: enabled
|
||||
- port: 9100/tcp
|
||||
permanent: true
|
||||
state: enabled
|
||||
|
||||
tls_ca_cert: "/etc/pki/tls/certs/ca-bundle.crt"
|
||||
tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
|
||||
tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
|
||||
|
||||
ipa_getcert_requested_hostnames:
|
||||
- name: "{{ ansible_fqdn }}"
|
||||
owner: nginx
|
||||
key_location: "{{ tls_key }}"
|
||||
cert_location: "{{ tls_cert }}"
|
||||
postcmd: "/bin/systemctl reload nginx"
|
||||
|
||||
wikijs_dbtype: postgres
|
||||
wikijs_db:
|
||||
host: "db.rockylinux.org"
|
||||
port: 5432
|
||||
user: wikijs
|
||||
password: " {{ _wikijs_db_rw_pass }} "
|
||||
dbname: wikijs_db
|
||||
ssl: true
|
||||
|
||||
|
||||
####################
|
||||
### NGINX CONFIG ###
|
||||
####################
|
||||
|
||||
|
||||
# no demo config/template
|
||||
nginx_config_html_demo_template_enable: false
|
||||
|
||||
nginx_config_selinux: true
|
||||
nginx_config_selinux_enforcing: true
|
||||
|
||||
nginx_config_start: true
|
||||
|
||||
nginx_config_debug_output: true
|
||||
nginx_config_debug_tasks: true
|
||||
|
||||
# nginx_config_cleanup: true
|
||||
|
||||
nginx_config_http_template_enable: true
|
||||
nginx_config_main_template_enable: true
|
||||
|
||||
nginx_config_http_template:
|
||||
default:
|
||||
template_file: http/default.conf.j2
|
||||
conf_file_name: default.conf
|
||||
conf_file_location: /etc/nginx/conf.d/
|
||||
servers:
|
||||
redirect_https:
|
||||
listen:
|
||||
v6:
|
||||
ip: '[::]' # Wrap in square brackets for IPv6 addresses
|
||||
port: 80
|
||||
opts: ['default_server']
|
||||
v4:
|
||||
ip: '' # Wrap in square brackets for IPv6 addresses
|
||||
port: 80
|
||||
opts: ['default_server']
|
||||
server_name: "{{ ansible_fqdn }}"
|
||||
error_page: /usr/share/nginx/html
|
||||
access_log:
|
||||
- name: main
|
||||
location: /var/log/nginx/access.log
|
||||
error_log:
|
||||
location: /var/log/nginx/error.log
|
||||
level: warn
|
||||
root: "{{ wikijs_dir }}"
|
||||
https_redirect: $host
|
||||
wikijs_server:
|
||||
listen:
|
||||
v6:
|
||||
ip: '[::]' # Wrap in square brackets for IPv6 addresses
|
||||
port: 443
|
||||
ssl: true
|
||||
opts: ['http2', 'default_server']
|
||||
v4:
|
||||
ip: '' # Wrap in square brackets for IPv6 addresses
|
||||
port: 443
|
||||
ssl: true
|
||||
opts: ['http2', 'default_server']
|
||||
ssl:
|
||||
cert: "{{ tls_cert }}"
|
||||
key: "{{ tls_key }}"
|
||||
server_name: "{{ ansible_fqdn }}"
|
||||
error_page: /usr/share/nginx/html
|
||||
access_log:
|
||||
- name: main
|
||||
location: /var/log/nginx/access.log
|
||||
error_log:
|
||||
location: /var/log/nginx/error.log
|
||||
level: warn
|
||||
root: "{{ wikijs_dir }}"
|
||||
web_server:
|
||||
locations:
|
||||
default:
|
||||
location: /
|
||||
custom_options:
|
||||
- "proxy_pass http://localhost:3000/;"
|
||||
http_demo_conf: false
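Review bot: `password: " {{ _wikijs_db_rw_pass }} "` pads the database password with a leading and a trailing space, which become part of the credential sent to PostgreSQL and will fail authentication (or, if the role were ever used to create the user too, bake whitespace into the secret); write `password: "{{ _wikijs_db_rw_pass }}"`. `nginx_config_debug_output: true` / `nginx_config_debug_tasks: true` will, depending on the nginxinc role, echo the rendered config and task arguments into the Ansible log — keep them off in production vars. `firewall_rules` also opens 9100/tcp (presumably node_exporter) to every source; restrict it to the Prometheus host with a `source` entry if the firewall role supports one.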
|
|
@ -3,7 +3,7 @@
|
|||
roles:
|
||||
- name: geerlingguy.mysql
|
||||
# monitoring
|
||||
- name: cloudalchemy.node-exporter
|
||||
- name: cloudalchemy.node_exporter
|
||||
- name: cloudalchemy.prometheus
|
||||
- name: cloudalchemy.alertmanager
|
||||
- name: cloudalchemy.grafana
|
||||
|
@ -24,6 +24,17 @@ roles:
|
|||
- name: rockylinux.rabbitmq
|
||||
src: https://github.com/rocky-linux/ansible-role-rabbitmq
|
||||
version: main
|
||||
- name: rockylinux.sigul
|
||||
src: https://github.com/rocky-linux/ansible-role-sigul
|
||||
version: main
|
||||
- name: rockylinux.matterbridge
|
||||
src: https://github.com/NeilHanlon/ansible-role-matterbridge
|
||||
version: master
|
||||
- name: rockylinux.wikijs
|
||||
src: https://git.rockylinux.org/infrastructure/public/ansible/ansible-role-wikijs.git
|
||||
scm: git
|
||||
version: develop
|
||||
- name: riemers.gitlab-runner
|
||||
|
||||
collections:
|
||||
# freeipa
|
||||
|
@ -35,3 +46,11 @@ collections:
|
|||
- name: ansible.posix
|
||||
- name: ktdreyer.koji_ansible
|
||||
- name: netbox.netbox
|
||||
- name: community.aws
|
||||
- name: containers.podman
|
||||
- name: nginxinc.nginx_core
|
||||
version: 0.3.0
|
||||
# - name: rockylinux.taiga
|
||||
# source: https://github.com/rocky-linux/taiga-ansible.git
|
||||
# type: git
|
||||
# version: master
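Review bot: The roles added here are installed from moving branches — `rockylinux.sigul` at `main`, `rockylinux.matterbridge` from a personal fork at `master`, `rockylinux.wikijs` at `develop` — so a push to any of those repositories (for sigul, the role that configures the package-signing bridge and server) runs as root on the next `ansible-galaxy install`. Pin each to a tag or commit SHA, e.g. `version: "<commit-sha>"`, and review bumps like any other dependency; the same applies to `riemers.gitlab-runner` and the unversioned collections, where only `nginxinc.nginx_core` is pinned.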
|
||||
|
|