Merge pull request #14987 from rocky-linux/develop

Bugzilla

ansible/playbooks/adhoc-gitlab-creategroup.yml

@@ -0,0 +1,40 @@
+---
+# This playbook is meant to be used with callable variables, like adhoc or AWX.
+# What: Creates a group in gitlab. Use this to create a group that may not
+#       exist and wish to have projects in.
+# What is expected:
+#   -> gitlab_api_token: You must provide an API token to perform this.
+#   -> gitlab_group_name: Name of the group you wish to create.
+#   -> gitlab_parent_group: Id or full path of parent group if required.
+#                           For example: "infrastructure/Public"
+#   -> gitlab_description: Description of your group
+#   -> gitlab_visibility: public, internal, private. Default is private.
+
+- name: Create a gitlab group
+  hosts: localhost
+  become: false
+  gather_facts: false
+  vars:
+    gitlab_endpoint: "https://git.rockylinux.org/"
+
+  tasks:
+    - name: "Checking for user variables"
+      assert:
+        that:
+          - gitlab_api_token | mandatory
+          - gitlab_group_name | mandatory
+        success_msg: "Required variables provided"
+        fail_msg: "We are missing our required variables"
+
+    - name: "Creating GitLab Group"
+      community.general.gitlab_group:
+        api_token: "{{ gitlab_api_token }}"
+        api_url: "{{ gitlab_endpoint }}"
+        name: "{{ gitlab_group_name }}"
+        description: "{{ gitlab_description|default(omit) }}"
+        parent: "{{ gitlab_parent_group|default(omit) }}"
+        state: present
+        validate_certs: true
+        visibility: "{{ gitlab_visibility|default('private') }}"
+      delegate_to: localhost
+      register: gitlab_group_return

ansible/playbooks/adhoc-gitlab-createproject.yml

@@ -0,0 +1,43 @@
+---
+# This playbook is meant to be used with callable variables, like adhoc or AWX.
+# What: Creates a project in gitlab. Use this to create a project that may not
+#       exist. YOU MUST HAVE A GROUP THAT IT CAN BE PLACED IN.
+# What is expected:
+#   -> gitlab_api_token: You must provide an API token to perform this.
+#   -> gitlab_project_name: Name of the project
+#   -> gitlab_group_name: Id or Path to the group in which the project is
+#                         is placed. This is not optional.
+#   -> gitlab_description: Description of your project
+#   -> gitlab_import_url: If you are importing from github or another git repo,
+#                         put the URL here.
+#   -> gitlab_visibility: public, internal, private. Default is private.
+
+- name: Create a gitlab project
+  hosts: localhost
+  become: false
+  gather_facts: false
+  vars:
+    gitlab_endpoint: "https://git.rockylinux.org/"
+
+  tasks:
+    - name: "Checking for user variables"
+      assert:
+        that:
+          - gitlab_api_token | mandatory
+          - gitlab_project_name | mandatory
+          - gitlab_group_name | mandatory
+        success_msg: "Required variables provided"
+        fail_msg: "We are missing our required variables"
+
+    - name: "Creating GitLab Project"
+      community.general.gitlab_project:
+        api_url: "{{ gitlab_endpoint }}"
+        api_token: "{{ gitlab_api_token }}"
+        name: "{{ gitlab_project_name }}"
+        description: "{{ gitlab_description|default(omit) }}"
+        group: "{{ gitlab_group_name }}"
+        import_url: "{{ gitlab_import_url|default(omit) }}"
+        state: present
+        validate_certs: true
+        visibility: "{{ gitlab_visibility|default('private') }}"
+      delegate_to: localhost

ansible/playbooks/adhoc-gitlab-deletegroup.yml

@@ -0,0 +1,37 @@
+---
+# This playbook is meant to be used with callable variables, like adhoc or AWX.
+# What: Deletes a group in gitlab. THERE MUST BE A REASON FOR YOU TO PERFORM
+#       THIS OPERATION.
+# What is expected:
+#   -> gitlab_api_token: You must provide an API token to perform this.
+#   -> gitlab_group_name: Name of the group you wish to create.
+#   -> gitlab_parent_group: Id or full path of parent group if required.
+#                           For example: "infrastructure/Public"
+#   -> gitlab_description: Description of your group
+#   -> gitlab_visibility: public, internal, private. Default is private.
+
+- name: Delete a gitlab group
+  hosts: localhost
+  become: false
+  gather_facts: false
+  vars:
+    gitlab_endpoint: "https://git.rockylinux.org/"
+
+  tasks:
+    - name: "Checking for user variables"
+      assert:
+        that:
+          - gitlab_api_token | mandatory
+          - gitlab_group_name | mandatory
+        success_msg: "Required variables provided"
+        fail_msg: "We are missing our required variables"
+
+    - name: "Deleting GitLab Group"
+      community.general.gitlab_group:
+        api_token: "{{ gitlab_api_token }}"
+        api_url: "{{ gitlab_endpoint }}"
+        name: "{{ gitlab_group_name }}"
+        parent: "{{ gitlab_parent_group|default(omit) }}"
+        state: absent
+        validate_certs: true
+      delegate_to: localhost

ansible/playbooks/adhoc-gitlab-deleteproject.yml

@@ -0,0 +1,37 @@
+---
+# This playbook is meant to be used with callable variables, like adhoc or AWX.
+# What: Deletes a project in gitlab. THERE MUST BE A GOOD REASON FOR YOU TO
+#       RUN THIS. THIS IS NOT REVERSIBLE.
+# What is expected:
+#   -> gitlab_api_token: You must provide an API token to perform this.
+#   -> gitlab_project_name: Name of the project
+#   -> gitlab_group_name: Id or Path to the group in which the project is
+#                         is placed. This is not optional.
+#   -> gitlab_description: Description of your project
+#   -> gitlab_visibility: public, internal, private. Default is private.
+
+- name: Delete a gitlab project
+  hosts: localhost
+  become: false
+  gather_facts: false
+  vars:
+    gitlab_endpoint: "https://git.rockylinux.org/"
+
+  tasks:
+    - name: "Checking for user variables"
+      assert:
+        that:
+          - gitlab_api_token | mandatory
+          - gitlab_project_name | mandatory
+          - gitlab_group_name | mandatory
+        success_msg: "Required variables provided"
+        fail_msg: "We are missing our required variables"
+
+    - name: "Deleting GitLab Project"
+      community.general.gitlab_project:
+        api_url: "{{ gitlab_endpoint }}"
+        api_token: "{{ gitlab_api_token }}"
+        name: "{{ gitlab_project_name }}"
+        state: absent
+        validate_certs: true
+      delegate_to: localhost

ansible/playbooks/adhoc-ipauser-disable-pdr.yml

@@ -0,0 +1,84 @@
+---
+# This playbook is meant to be used with callable variables, like adhoc or AWX.
+# What: Disables users in the idm infrastructure based on the variables provided.
+#       This is primarily used in the event a user wishes to have their personal
+#       information removed from the project. However, signing of the agreements
+#       in Account Services cannot be removed and should still be available
+#       for the RESF to query.
+
+- name: Disable a User - PDR
+  hosts: ipaserver
+  become: false
+  gather_facts: false
+  vars_files:
+  - vars/vaults/userman.yml
+
+  tasks:
+    - name: "Checking for user variables"
+      assert:
+        that:
+          - ipa_admin | mandatory
+          - ipaadmin_password | mandatory
+          - ipa_name | mandatory
+          - ticket_id | mandatory
+        success_msg: "Required variables provided"
+        fail_msg: "We are missing user information or ipa admin password"
+
+    - name: "Disabling User Account"
+      freeipa.ansible_freeipa.ipauser:
+        ipaadmin_principal: "{{ ipa_admin }}"
+        ipaadmin_password: "{{ ipaadmin_password }}"
+        name: "{{ ipa_name }}"
+        state: disabled
+      tags:
+        - users
+
+    - name: "Remove personal information attributes"
+      community.general.ldap_attr:
+        dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
+        name: "{{ item }}"
+        values: []
+        state: exact
+        server_uri: ldap://localhost/
+        bind_dn: "uid={{ ipa_admin }},cn=users,cn=accounts,dc=rockylinux,dc=org"
+        bind_pw: "{{ ipaadmin_password }}"
+      with_items:
+        - fasGPGKeyId
+        - fasGitHubUsername
+        - fasGitLabUsername
+        - fasIRCNick
+        - fasRHBZEmail
+        - fasWebsiteURL
+        - fasgpgkeyid
+        - fasLocale
+        - fasTimezone
+        - homePhone
+        - homePostalAddress
+        - postalAddress
+        - postalCode
+        - postOfficeBox
+        - st
+        - street
+        - ipaSshPubKey
+        - telephoneNumber
+        - homePhone
+
+    - name: "Set FAS Status Note"
+      community.general.ldap_attr:
+        dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
+        name: "fasStatusNote"
+        values: "Account Disabled: {{ ticket_id }}"
+        state: exact
+        server_uri: ldap://localhost/
+        bind_dn: "uid={{ ipa_admin }},cn=users,cn=accounts,dc=rockylinux,dc=org"
+        bind_pw: "{{ ipaadmin_password }}"
+
+    - name: "Set FAS Account Information to Private"
+      community.general.ldap_attr:
+        dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
+        name: "fasisprivate"
+        values: "TRUE"
+        state: exact
+        server_uri: ldap://localhost/
+        bind_dn: "uid={{ ipa_admin }},cn=users,cn=accounts,dc=rockylinux,dc=org"
+        bind_pw: "{{ ipaadmin_password }}"

ansible/playbooks/init-rocky-bugzilla.yml

@@ -1,13 +1,13 @@
 ---
-# Installs the mantis bug tracker
-- name: Configure MantisBT
+# Installs Bugzilla
+- name: Configure Bugzilla
   hosts: "bugtracker"
   become: true
   vars_files:
   - vars/common.yml
   - vars/vaults/encpass.yml
   - vars/vaults/mantis.yml
-  - vars/mantis.yml
+  - vars/bugzilla.yml
 
   handlers:
     - import_tasks: handlers/main.yml
@@ -31,7 +31,7 @@
 
   tasks:
     - name: Deploy Mantis
-      import_tasks: tasks/mantis.yml
+      import_tasks: tasks/bugzilla.yml
 
   post_tasks:
     - name: Open firewalld ports

ansible/playbooks/init-rocky-mantisbt.yml

@@ -0,0 +1,59 @@
+---
+# Installs the mantis bug tracker
+- name: Configure MantisBT
+  hosts: "bugtracker"
+  become: true
+  vars_files:
+  - vars/common.yml
+  - vars/vaults/encpass.yml
+  - vars/vaults/mantis.yml
+  - vars/mantis.yml
+
+  handlers:
+    - import_tasks: handlers/main.yml
+
+  pre_tasks:
+    - name: Check if ansible cannot be run here
+      stat:
+        path: /etc/no-ansible
+      register: no_ansible
+
+    - name: Verify if we can run ansible
+      assert:
+        that:
+          - "not no_ansible.stat.exists"
+        success_msg: "We are not able to run on this node"
+        fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+  roles:
+    - role: rockylinux.ipagetcert
+      state: present
+
+  tasks:
+    - name: Deploy Mantis
+      import_tasks: tasks/mantis.yml
+
+  post_tasks:
+    - name: Open firewalld ports
+      ansible.posix.firewalld:
+        service: "{{ item }}"
+        permanent: true
+        immediate: true
+        state: enabled
+      with_items:
+        - http
+        - https
+
+    - name: Ensure httpd is enabled and running
+      service:
+        name: httpd
+        enabled: true
+        state: started
+
+    - name: Touching run file that ansible has ran here
+      file:
+        path: /var/log/ansible.run
+        state: touch
+        mode: '0644'
+        owner: root
+        group: root

ansible/playbooks/role-rocky-gitlab-runner.yml

@@ -0,0 +1,48 @@
+---
+# Creates a Gitlab runner and registers it w/ tags
+- name: Install and Provision Gitlab Runner
+  hosts: gitlab_runners
+  become: true
+  vars_files:
+  - vars/common.yml
+  - vars/gitlab_runner.yml
+  - vars/vaults/encpass.yml
+
+  # This is to try to avoid the handler issue in pre/post tasks
+  handlers:
+    - import_tasks: handlers/main.yml
+
+  pre_tasks:
+    - name: Check if ansible cannot be run here
+      stat:
+        path: /etc/no-ansible
+      register: no_ansible
+
+    - name: Verify if we can run ansible
+      assert:
+        that:
+          - "not no_ansible.stat.exists"
+        success_msg: "We are able to run on this node"
+        fail_msg: "/etc/no-ansible exists - skipping un on this node"
+
+    - name: Install SELinux packages
+      package:
+        name: python3-policycoreutils.noarch
+        state: present
+
+  tasks:
+    - name: Install and configure runner
+      import_tasks: tasks/gitlab-runner.yml
+
+  roles:
+    - role: riemers.gitlab-runner
+      state: present
+
+  post_tasks:
+    - name: Touching run file that ansible has ran here
+      file:
+        path: /var/log/ansible.run
+        state: touch
+        mode: '0644'
+        owner: root
+        group: root

ansible/playbooks/tasks/bugzilla.yml

@@ -0,0 +1,54 @@
+---
+# Configure Bugzilla
+- name: Configure SELinux booleans
+  ansible.posix.seboolean:
+    name: "{{ item }}"
+    persistent: true
+    state: true
+  with_items:
+    - httpd_can_network_connect_db
+    - httpd_can_network_connect
+    - httpd_can_sendmail
+
+- name: Install necessary packages
+  yum:
+    name: "{{ bugzilla_pkg }}"
+    state: present
+  tags:
+    - packages
+
+- name: Download the bugtracker
+  get_url:
+    url: "https://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-{{ bugzilla_version }}.tar.gz"
+    dest: "/tmp/bugzilla-{{ bugzilla_version }}.tar.gz"
+    checksum: "{{ bugzilla_checksum }}"
+
+- name: Create initial directory
+  file:
+    path: "{{ bugzilla_dir }}"
+    state: directory
+    mode: '0750'
+    owner: root
+    group: apache
+
+- name: Extract bugzilla
+  unarchive:
+    src: "/tmp/bugzilla-{{ bugzilla_version }}.tar.gz"
+    dest: "{{ bugzilla_dir }}"
+    owner: root
+    group: apache
+    mode: '0640'
+    remote_src: true
+    extra_opts:
+      - '--strip-components=1'
+
+- name: Configure httpd
+  template:
+    src: "etc/httpd/conf.d/bugzilla.conf.j2"
+    dest: "/etc/httpd/conf.d/bugzilla.conf"
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Install necessary pieces
+  import_tasks: bugzilla_install.yml

ansible/playbooks/tasks/bugzilla_install.yml

@@ -0,0 +1,54 @@
+---
+# Install bugzilla properly, including modules and stuff
+
+- name: Check for a localconfig file
+  stat:
+    path: "{{ bugzilla_dir }}/localconfig"
+  register: conf_result
+
+- name: Deploy answer file
+  template:
+    src: "var/www/bugzilla/answer"
+    dest: "{{ bugzilla_dir }}/answer"
+    owner: root
+    group: apache
+    mode: "0640"
+  when: not conf_result.stat.exists
+
+- name: Run checksetup.pl
+  shell: "set -o pipefail && /usr/bin/perl checksetup.pl /var/www/bugzilla/answer"
+  chdir: "{{ bugzilla_dir }}"
+  changed_when: "1 != 1"
+  when: not conf_result.stat.exists
+
+- name: Deploy proper configuration
+  template:
+    src: "var/www/bugzilla/localconfig.j2"
+    dest: "{{ bugzilla_dir }}/localconfig"
+    owner: root
+    group: apache
+    mode: '0640'
+
+- name: Install the proper modules
+  shell: "set -o pipefail && /usr/bin/perl install-module.pl {{ item }}"
+  chdir: "{{ bugzilla_dir }}"
+  changed_when: "1 != 1"
+  with_items:
+    - 'Net::SAML2'
+    - 'HTML::FormatText::WithLinks'
+    - 'PatchReader'
+    - 'Crypt::OpenSSL::Verify'
+    - 'Crypt::OpenSSL::RSA'
+    - 'JSON::RPC'
+    - 'XML::Twig'
+    - 'Template::Plugin::GD::Image'
+
+- name: Re-run checksetup.pl
+  shell: "set -o pipefail && /usr/bin/perl checksetup.pl"
+  chdir: "{{ bugzilla_dir }}"
+  changed_when: "1 != 1"
+
+- name: Remove answer file
+  file:
+    path: "{{ bugzilla_dir }}/answer"
+    state: absent

ansible/playbooks/tasks/gitlab-runner.yml

@@ -0,0 +1,30 @@
+# included tasks from role-rocky-gitlab-runner
+---
+- name: Download and install gitlab runner rpm
+  block:
+    - name: Install gitlab gpg key
+      ansible.builtin.rpm_key:
+        state: present
+        key: https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-366915F31B487241.pub.gpg
+        fingerprint: "3018 3AC2 C4E2 3A40 9EFB  E705 9CE4 5ABC 8807 21D4"
+
+    - name: Download gitlab runner RPM
+      get_url:
+        url: "https://packages.gitlab.com/runner/gitlab-runner/packages/el/8/gitlab-runner-13.10.0-1.x86_64.rpm/download.rpm"
+        checksum: "sha256:3baa809dced03e9fbec615b378c85d0224306ca270ef5cb9ed64de982857ea5d"
+        dest: /tmp/gitlab-runner.rpm
+      register: download_rpm
+
+    - name: Install downloaded RPM
+      dnf:
+        name: /tmp/gitlab-runner.rpm
+      when: download_rpm.changed != 0
+  when: do_install == 'true'
+  become: true
+
+- name: Create gitlab-runner user
+  become: yes
+  user:
+    name: gitlab-runner
+    shell: /bin/bash
+    system: yes

ansible/playbooks/templates/etc/httpd/conf.d/bugzilla.conf.j2

@@ -0,0 +1,37 @@
+<VirtualHost *:80>
+  ServerAdmin infrastructure@rockylinux.org
+  DocumentRoot "{{ bugzilla_dir }}"
+  ServerName bugs.rockylinux.org
+  TransferLog /var/log/httpd/bugzilla_access.log
+  ErrorLog /var/log/httpd/bugzilla_error.log
+  <Directory "{{ bugzilla_dir }}/">
+    AddHandler cgi-script .cgi
+    DirectoryIndex index.cgi
+    Options MultiViews FollowSymlinks ExecCGI FollowSymLinks
+    AllowOverride All
+    Order allow,deny
+    Allow from all
+  </Directory>
+</VirtualHost>
+
+<VirtualHost *:443>
+  SSLEngine on
+  SSLHonorCipherOrder on
+  SSLCipherSuite PROFILE=SYSTEM
+  SSLProxyCipherSuite PROFILE=SYSTEM
+  SSLCertificateFile /etc/pki/tls/certs/bugs.rockylinux.org.crt
+  SSLCertificateKeyFile /etc/pki/tls/private/bugs.rockylinux.org.key
+  ServerAdmin infrastructure@rockylinux.org
+  DocumentRoot "{{ bugzilla_dir }}"
+  ServerName bugs.rockylinux.org
+  TransferLog /var/log/httpd/bugzilla_access.log
+  ErrorLog /var/log/httpd/bugzilla_error.log
+  <Directory "{{ bugzilla_dir }}/">
+    AddHandler cgi-script .cgi
+    DirectoryIndex index.cgi
+    Options MultiViews FollowSymlinks ExecCGI FollowSymLinks
+    AllowOverride All
+    Order allow,deny
+    Allow from all
+  </Directory>
+</VirtualHost>

ansible/playbooks/templates/var/www/bugzilla/answer

@@ -0,0 +1,11 @@
+$answer{'db_host'}   = '{{ bugzilla_db_host }}';
+$answer{'db_driver'} = 'pg';
+$answer{'db_port'}   = 0;
+$answer{'db_name'}   = '{{ bugzilla_db_name }}';
+$answer{'db_user'}   = '{{ bugzilla_db_user }}';
+$answer{'db_pass'}   = '{{ bugzilla_db_pass }}';
+$answer{'urlbase'} = 'https://bugs.rockylinux.org/';
+$answer{'ADMIN_EMAIL'} = 'infrastructure@rockylinux.org';
+$answer{'ADMIN_PASSWORD'} = '{{ bugzilla_admin_password }}';
+$answer{'ADMIN_REALNAME'} = 'Infrastructure';
+$answer{'NO_PAUSE'} = 1

ansible/playbooks/templates/var/www/bugzilla/localconfig.j2

@@ -0,0 +1,19 @@
+$create_htaccess = 1;
+$webservergroup = 'apache';
+$use_suexec = 0;
+$db_driver = 'pg';
+$db_host = '{{ bugzilla_db_host }}';
+$db_name = '{{ bugzilla_db_name }}';
+$db_user = '{{ bugzilla_db_user }}';
+$db_pass = '{{ bugzilla_db_pass }}';
+$db_port = 0;
+$db_sock = '';
+$db_check = 1;
+$db_mysql_ssl_ca_file = '';
+$db_mysql_ssl_ca_path = '';
+$db_mysql_ssl_client_cert = '';
+$db_mysql_ssl_client_key = '';
+$index_html = 0;
+$interdiffbin = '/usr/bin/interdiff';
+$diffpath = '/usr/bin';
+$site_wide_secret = '{{ lookup('password', '/dev/null length=54 chars=ascii_letters') }}';

ansible/playbooks/vars/bugzilla.yml

@@ -0,0 +1,52 @@
+---
+# bugzilla vars
+bugzilla_version: 5.0.6
+bugzilla_checksum: "sha256:dd41a4b0a3a1df0d193bc056f2e3711d7b5605718a00bf6e5d4177bf1be86f77"
+bugzilla_dir: "/var/www/bugzilla"
+bugzilla_pkg:
+  - perl
+  - perl-CPAN
+  - perl-DBD-Pg
+  - perl-LDAP
+  - perl-JSON-RPC-CGI
+  - perl-JSON-RPC-Daemon
+  - perl-JSON-RPC-Apache2
+  - perl-JSON-XS
+  - perl-XMLRPC-Lite
+  - perl-CGI
+  - perl-DateTime
+  - perl-DateTime-TimeZone
+  - perl-Template-Toolkit
+  - perl-Email-Sender
+  - perl-Email-MIME
+  - perl-List-MoreUtils
+  - perl-Math-Random-ISAAC
+  - perl-GD
+  - patchutils
+  - httpd
+  - mod_ssl
+  - mod_perl
+  - mod_perl-devel
+  - httpd-devel
+  - gd-devel
+  - graphviz
+  - patchutils
+  - gcc
+  - openssl-devel
+  - wget
+  - curl
+bugzilla_db_host: db.rockylinux.org
+bugzilla_db_name: bugzilla_db
+bugzilla_db_user: bugzilla
+
+# Vault
+# bugzilla_db_pass: ThisIsNotThePassword!
+
+ipa_getcert_requested_hostnames:
+  - name: "{{ ansible_fqdn }}"
+    owner: apache
+    key_location: "/etc/pki/tls/private/bugs.rockylinux.org.key"
+    cert_location: "/etc/pki/tls/certs/bugs.rockylinux.org.crt"
+    postcmd: "/bin/systemctl reload httpd"
+    cnames:
+      - "bugs.rockylinux.org"

ansible/playbooks/vars/gitlab_runner.yml

@@ -0,0 +1,9 @@
+---
+gitlab_runner_coordinator_url: https://git.rockylinux.org
+gitlab_runner_registration_token: "{{ _reg_token }}"
+gitlab_runner_runners:
+  - name: "{{ ansible_fqdn }}"
+    executor: shell
+    tags: []
+
+gitlab_runner_timeout_stop_seconds: 60