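# Python environment is delegated to a separate role (not shown in this file).
- name: Prepeare Python env
  include_role:
    name: el7_centos_python_env

# PostgreSQL reporter from Zuul
- name: PostgreSQL 10 packages and Python bindings
  package:
    name: '{{ item }}'
    state: present
  with_items:
    - rh-python36-python-psycopg2
    - rh-postgresql10-postgresql-syspaths
    - python-psycopg2

- name: PostgreSQL 10 server package
  package:
    name: rh-postgresql10-postgresql-server
    state: present

# `creates` skips initdb once the data directory already holds PG_VERSION,
# so an existing cluster is never re-initialised.
- name: postgresql 10 initdb
  command: '/opt/rh/rh-postgresql10/root/usr/bin/postgresql-setup --initdb'
  args:
    creates: /var/opt/rh/rh-postgresql10/lib/pgsql/data/PG_VERSION
  become: true
  become_user: postgres

- name: PostgreSQL 10 server service
  systemd:
    name: rh-postgresql10-postgresql
    state: started
    enabled: true

# Database administration runs as the `postgres` OS user.
- name: PostgreSQL Zuul DB
  become: true
  become_user: postgres
  postgresql_db:
    name: zuul
    state: present

# NOTE(review): the role is created without a `password`, so how Zuul
# authenticates is decided by pg_hba.conf, which this file does not manage.
# Confirm that pg_hba.conf does not permit passwordless (`trust`) access
# beyond what is intended.
# NOTE(review): `priv: "ALL"` grants every privilege on the `zuul` database;
# narrow it if the reporter needs less.
- name: PostgreSQL Zuul role
  become: true
  become_user: postgres
  postgresql_user:
    db: zuul
    name: zuul
    priv: "ALL"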
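# Helper script is installed root-owned and not writable by other users, so
# only root can alter what it executes.
- name: script for retrieving Zuul tenant configuration from Gerrit
  copy:
    dest: /usr/local/bin/zuul-fetch-tenants-from-gerrit.sh
    src: files/zuul/zuul-fetch-tenants-from-gerrit.sh
    owner: root
    group: root
    # Quoted so the mode is passed as a string and never re-read as a
    # decimal integer by a YAML parser.
    mode: '0755'

# TODO: this is always marked as 'changed' for some reason...
# NOTE(review): the Zuul release is pinned by version number only. Whether
# the openstack.zuul role can also verify package hashes is not visible
# here; confirm how the integrity of the pip download is checked.
- name: Install Zuul
  include_role:
    name: openstack.zuul
  vars:
    zuul_install_method: pip
    zuul_git_version: '3.5.0'
    zuul_pip_executable: /opt/rh/rh-python36/root/bin/pip
    zuul_pip_extra_args: "--install-option='--install-scripts=/usr/local/bin'"
    zuul_file_zuul_conf_src: files/zuul/zuul.conf
    zuul_file_main_yaml_manage: false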
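# ~zuul/.ssh is readable by the zuul user only.
- name: Provision Zuul SSH directory
  file:
    path: /var/lib/zuul/.ssh
    state: directory
    owner: zuul
    group: zuul
    mode: '0700'

# NOTE(review): the key is read from a sibling checkout
# (../ansible-cesnet-secrets). If it is stored there unencrypted, consider
# keeping it under Ansible Vault -- confirm how that repository is protected.
- name: Provision Zuul SSH private key
  copy:
    src: ../ansible-cesnet-secrets/zuul/id_rsa
    dest: /var/lib/zuul/.ssh/id_rsa
    owner: zuul
    group: zuul
    mode: '0600'
  # Keep the key material out of task results and logs, e.g. when the play
  # is run with --diff.
  no_log: true

# TODO: this is buggy, `touch` always updates...
# The file module's `modification_time: preserve` and
# `access_time: preserve` options (Ansible 2.7+) avoid the spurious change,
# if the Ansible version in use supports them.
- name: Gerrit's SSH server pubkey
  file:
    path: /var/lib/zuul/.ssh/known_hosts
    state: touch
    owner: zuul
    group: zuul
    mode: '0600'

# The Gerrit host key is pinned here, so Zuul does not rely on
# trust-on-first-use when it connects. The hostname and IPv6 entries below
# carry the same key.
# NOTE(review): the encoded modulus length indicates a 1024-bit RSA host
# key, which is below current recommendations. Rotating the key is a change
# on the Gerrit server; these two entries must be updated together with it.
- name: Gerrit's SSH server pubkey content
  known_hosts:
    path: /var/lib/zuul/.ssh/known_hosts
    name: '[gerrit.cesnet.cz]:29418'
    key: '[gerrit.cesnet.cz]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCbNpJXucXZHmjFeAVQwc87AeUtyYDULfW/AVfkXbJ86JSzoMfV19GSfPf2v+lVVaEJKrHN4I4X2p2vuTiibFHHXRFuquxltQeAY1wMUthL+x67EfcvptPEslwR134HtNX+fJOrrBx2K2Qvj2/BT9JXQm62NbBBIpIrIyBiMUaCnw=='

- name: Gerrit's SSH server pubkey content (IPv6 address)
  known_hosts:
    path: /var/lib/zuul/.ssh/known_hosts
    name: '[2001:718:1:1f:50:56ff:feee:163]:29418'
    key: '[2001:718:1:1f:50:56ff:feee:163]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCbNpJXucXZHmjFeAVQwc87AeUtyYDULfW/AVfkXbJ86JSzoMfV19GSfPf2v+lVVaEJKrHN4I4X2p2vuTiibFHHXRFuquxltQeAY1wMUthL+x67EfcvptPEslwR134HtNX+fJOrrBx2K2Qvj2/BT9JXQm62NbBBIpIrIyBiMUaCnw=='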
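# Opens 79/tcp in the `public` zone, both in the permanent configuration and
# in the running firewall.
# NOTE(review): this exposes the finger gateway to every source the public
# zone covers. If that is wider than the intended audience, restrict it by
# source address -- confirm intent.
- name: fingergw firewall
  firewalld:
    zone: public
    permanent: true
    state: enabled
    port: 79/tcp
    immediate: true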
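# mod_md and mod_ssl come from the httpd24 software collection.
- name: Apache modules from SCL
  package:
    name: 'httpd24-{{ item }}'
    state: present
  with_items:
    - mod_md
    - mod_ssl
  notify:
    - restart apache

# Opens the http and https services in the `public` zone, permanently and in
# the running firewall.
- name: Apache firewall
  firewalld:
    zone: public
    permanent: true
    immediate: true
    state: enabled
    service: '{{ item }}'
  with_items:
    - http
    - https

# Switch the MPM from prefork to event: drop one LoadModule line, ensure the
# other is present.
- name: mpm_prefork disabled
  lineinfile:
    path: /opt/rh/httpd24/root/etc/httpd/conf.modules.d/00-mpm.conf
    regexp: '^LoadModule mpm_prefork_module.*'
    state: absent
  notify:
    - restart apache

- name: mpm_event enabled
  lineinfile:
    path: /opt/rh/httpd24/root/etc/httpd/conf.modules.d/00-mpm.conf
    line: 'LoadModule mpm_event_module modules/mod_mpm_event.so'
    state: present
  notify:
    - restart apache

# Replace the default `ServerAdmin root...` line with a real contact address.
- name: remove default Apache server admin
  lineinfile:
    path: /opt/rh/httpd24/root/etc/httpd/conf/httpd.conf
    regexp: '^ServerAdmin root.*'
    state: absent
  notify:
    - restart apache

- name: Apache server admin jan.kundrat@cesnet.cz
  lineinfile:
    path: /opt/rh/httpd24/root/etc/httpd/conf/httpd.conf
    line: 'ServerAdmin mailto:jan.kundrat@cesnet.cz'
    state: present
  notify:
    - restart apache

# Records acceptance of the Let's Encrypt subscriber agreement for mod_md.
# The URL names one specific revision of the agreement. The file is created
# if it does not exist yet.
- name: Apache LetsEncrypt agreement
  lineinfile:
    path: /opt/rh/httpd24/root/etc/httpd/conf.d/00-letsencrypt.conf
    create: true
    line: 'MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
    state: present
  notify:
    - restart apache

# No owner/group is given, so the file belongs to whichever user the task
# runs as. The mode is quoted so it is passed as a string.
- name: Apache zuul vhost
  copy:
    dest: /opt/rh/httpd24/root/etc/httpd/conf.d/20-zuul.gerrit.cesnet.cz.conf
    src: files/zuul/vhost.conf
    mode: '0644'
  notify:
    - restart apache

- name: Apache service
  systemd:
    name: httpd24-httpd
    state: started
    enabled: true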
# Installs the bubblewrap package for the Zuul executor.
# NOTE(review): presumably the executor uses it to sandbox job execution, in
# which case the package should be kept patched -- confirm.
- name: bubblewrap for Zuul executor
  package:
    state: present
    name: bubblewrap