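# SCL Python environment (role contents are not in this file); later tasks
# assume the rh-python36 tree under /opt/rh.
- name: Prepare Python env
  include_role:
    name: el7_centos_python_env
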
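# PostgreSQL reporter from Zuul
# One package transaction instead of a per-item loop: the package module takes a
# list, and looping a package module is the pattern Ansible warns about.
- name: PostgreSQL 10 packages and Python bindings
  package:
    name:
      - rh-python36-python-psycopg2
      - rh-postgresql10-postgresql-syspaths
      - python-psycopg2
    state: present
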
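- name: PostgreSQL 10 server package
  package:
    name: rh-postgresql10-postgresql-server
    state: present

# 'creates' keeps initdb idempotent: PG_VERSION only exists once the cluster
# has been initialised, so reruns skip the command.
- name: postgresql 10 initdb
  command: '/opt/rh/rh-postgresql10/root/usr/bin/postgresql-setup --initdb'
  args:
    creates: /var/opt/rh/rh-postgresql10/lib/pgsql/data/PG_VERSION
  become: true
  become_user: postgres

- name: PostgreSQL 10 server service
  systemd:
    name: rh-postgresql10-postgresql
    state: started
    enabled: true  # canonical boolean; 'yes' is a YAML 1.1-only spelling
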
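# Database and role for Zuul's SQL reporter. No password is set for the role, so
# it can only authenticate in whatever way pg_hba.conf allows (presumably local
# peer auth) — confirm against pg_hba.conf and files/zuul/zuul.conf.
- name: PostgreSQL Zuul DB
  become: true
  become_user: postgres
  postgresql_db:
    name: zuul
    state: present

- name: PostgreSQL Zuul role
  become: true
  become_user: postgres
  postgresql_user:
    db: zuul
    name: zuul
    priv: "ALL"  # ALL on the 'zuul' database only; no role_attr_flags, so not SUPERUSER
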
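# Root-owned helper; quoting the mode avoids the YAML octal/int ambiguity that
# Ansible handles inconsistently for bare 0755.
- name: script for retrieving Zuul tenant configuration from Gerrit
  copy:
    dest: /usr/local/bin/zuul-fetch-tenants-from-gerrit.sh
    src: files/zuul/zuul-fetch-tenants-from-gerrit.sh
    owner: root
    group: root
    mode: "0755"
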
# TODO: this is always marked as 'changed' for some reason...
# FIXME: cannot install from git directly (that needs some extra deps for the web build), so just:
# FIXME: wget https://opendev.org/zuul/zuul/commit/758ba823f22366fe9da834612586b5f7c1829984.patch
# FIXME: cd /opt/rh/rh-python36/root/usr/lib/python3.6/site-packages/zuul
# FIXME: patch -p2 < ~/758ba823f22366fe9da834612586b5f7c1829984.patch
# FIXME: ...and also sed s/isAlive/is_alive/ over ansible/*/library/command.py
#
# Zuul comes from the openstack.zuul role: pip install with the SCL pip, scripts
# placed in /usr/local/bin, our own zuul.conf, and main.yaml left unmanaged by
# the role. zuul_git_version presumably also pins the pip release — role
# semantics are not visible here.
- name: Install Zuul
  include_role:
    name: openstack.zuul
  vars:
    zuul_install_method: pip
    zuul_pip_executable: /opt/rh/rh-python36/root/bin/pip
    zuul_pip_extra_args: "--install-option='--install-scripts=/usr/local/bin'"
    zuul_git_version: "3.18.0"
    zuul_file_zuul_conf_src: files/zuul/zuul.conf
    zuul_file_main_yaml_manage: false

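- name: Provision Zuul SSH directory
  file:
    path: /var/lib/zuul/.ssh
    state: directory
    owner: zuul
    group: zuul
    mode: "0700"

# The key comes from the separate secrets checkout. no_log keeps the task result
# (including --diff output of the key material) out of the play log and
# callback plugins.
- name: Provision Zuul SSH private key
  copy:
    src: ../ansible-cesnet-secrets/zuul/id_rsa
    dest: /var/lib/zuul/.ssh/id_rsa
    owner: zuul
    group: zuul
    mode: "0600"
  no_log: true
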
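# Pin Gerrit's host key for both the hostname and its IPv6 literal, so Zuul's
# first connection is verified rather than trust-on-first-use.
- name: Gerrit's SSH server pubkey
  file:
    path: /var/lib/zuul/.ssh/known_hosts
    state: touch
    modification_time: preserve
    access_time: preserve
    owner: zuul
    group: zuul
    mode: "0600"

# NOTE(review): the pinned blob decodes as an RSA key with a 1024-bit modulus
# (length field 'AAAAgQ' = 0x81 after the exponent). That is below current
# recommendations; it is the Gerrit server's key, so nothing here can change
# it — worth raising with whoever operates gerrit.cesnet.cz.
- name: Gerrit's SSH server pubkey content
  known_hosts:
    path: /var/lib/zuul/.ssh/known_hosts
    name: '[gerrit.cesnet.cz]:29418'
    key: '[gerrit.cesnet.cz]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCbNpJXucXZHmjFeAVQwc87AeUtyYDULfW/AVfkXbJ86JSzoMfV19GSfPf2v+lVVaEJKrHN4I4X2p2vuTiibFHHXRFuquxltQeAY1wMUthL+x67EfcvptPEslwR134HtNX+fJOrrBx2K2Qvj2/BT9JXQm62NbBBIpIrIyBiMUaCnw=='

- name: Gerrit's SSH server pubkey content (IPv6 address)
  known_hosts:
    path: /var/lib/zuul/.ssh/known_hosts
    name: '[2001:718:1:1f:50:56ff:feee:163]:29418'
    key: '[2001:718:1:1f:50:56ff:feee:163]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCbNpJXucXZHmjFeAVQwc87AeUtyYDULfW/AVfkXbJ86JSzoMfV19GSfPf2v+lVVaEJKrHN4I4X2p2vuTiibFHHXRFuquxltQeAY1wMUthL+x67EfcvptPEslwR134HtNX+fJOrrBx2K2Qvj2/BT9JXQm62NbBBIpIrIyBiMUaCnw=='
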
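# Opens 79/tcp in the public zone, i.e. to every source the host is reachable
# from — presumably for Zuul's fingergw log streaming. Confirm that a narrower
# source (the web frontend only) is not sufficient.
- name: fingergw firewall
  firewalld:
    zone: public
    permanent: true
    immediate: true
    state: enabled
    port: 79/tcp
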
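# mod_md drives the ACME/LetsEncrypt directives set further down; mod_ssl serves
# the resulting certificates. A list, not a loop: one package transaction and a
# single handler notification.
- name: Apache modules from SCL
  package:
    name:
      - httpd24-mod_md
      - httpd24-mod_ssl
    state: present
  notify:
    - restart apache

- name: Apache firewall
  firewalld:
    zone: public
    permanent: true
    immediate: true
    state: enabled
    service: '{{ item }}'
  loop:
    - http
    - https
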
# httpd24 MPM selection: drop prefork, load event. Both edits touch the SCL
# httpd's 00-mpm.conf and queue the 'restart apache' handler.
- name: mpm_prefork disabled
  lineinfile:
    state: absent
    path: /opt/rh/httpd24/root/etc/httpd/conf.modules.d/00-mpm.conf
    regexp: "^LoadModule mpm_prefork_module.*"
  notify: restart apache

- name: mpm_event enabled
  lineinfile:
    state: present
    path: /opt/rh/httpd24/root/etc/httpd/conf.modules.d/00-mpm.conf
    line: "LoadModule mpm_event_module modules/mod_mpm_event.so"
  notify: restart apache

# ServerAdmin: remove the stock 'root@...' entry, then add a mailto: address.
- name: remove default Apache server admin
  lineinfile:
    state: absent
    path: /opt/rh/httpd24/root/etc/httpd/conf/httpd.conf
    regexp: "^ServerAdmin root.*"
  notify: restart apache

- name: Apache server admin jan.kundrat@cesnet.cz
  lineinfile:
    state: present
    path: /opt/rh/httpd24/root/etc/httpd/conf/httpd.conf
    line: "ServerAdmin mailto:jan.kundrat@cesnet.cz"
  notify: restart apache

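# FIXME: apparently, this still requires a manual fix-up of /opt/rh/httpd24/root/etc/httpd/conf.d/ssl.conf
# Remove the cert and key files in there. I'm too lazy to automate that right now. Without that, there's this
# error message in apache's log:
# [ssl:warn] [pid 3676:tid 139633325263040] AH10084: Init: (zuul.gerrit.cesnet.cz:443) You configured certificate/key files on this host, but is is covered by a Managed Domain. You need to remove these directives for the Managed Domain to take over.
#
# mod_md configuration: accept the LetsEncrypt subscriber agreement and point
# at the ACME v2 directory. The file is created on first run.
- name: Apache LetsEncrypt agreement
  lineinfile:
    path: /opt/rh/httpd24/root/etc/httpd/conf.d/00-letsencrypt.conf
    create: true
    line: '{{ item }}'
    state: present
  loop:
    - 'MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
    - 'MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory'
  notify:
    - restart apache
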
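# Zuul vhost; owner/group are left to copy's defaults (the connecting/become
# user), only the mode is pinned — quoted to avoid YAML octal parsing.
- name: Apache zuul vhost
  copy:
    dest: /opt/rh/httpd24/root/etc/httpd/conf.d/20-zuul.gerrit.cesnet.cz.conf
    src: files/zuul/vhost.conf
    mode: "0644"
  notify:
    - restart apache

- name: Apache service
  systemd:
    name: httpd24-httpd
    state: started
    enabled: true
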
# Helpers for Zuul jobs: bubblewrap for the executor, jq for JSON parsing
# inside jobs.
- name: bubblewrap for Zuul executor
  package:
    state: present
    name: bubblewrap

- name: JQ for JSON parsing within Zuul jobs
  package:
    state: present
    name: jq