# Shared Python environment for EL7 hosts; the rh-python36 SCL paths used
# further down presumably come from this role (confirm in el7_centos_python_env).
- name: Prepeare Python env
  include_role:
    name: el7_centos_python_env

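# PostgreSQL reporter from Zuul
- name: PostgreSQL 10 packages and Python bindings
  package:
    # A list installs everything in one package-manager transaction instead of
    # a per-item loop; the set of packages is unchanged.
    name:
      - rh-python36-python-psycopg2
      - rh-postgresql10-postgresql-syspaths
      - python-psycopg2
    state: present
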
# The server itself comes from the rh-postgresql10 software collection.
- name: PostgreSQL 10 server package
  package:
    state: present
    name: rh-postgresql10-postgresql-server

# Initialise the cluster as the postgres user; `creates` turns this into a
# one-shot that is skipped once PG_VERSION exists in the data directory.
- name: postgresql 10 initdb
  become: true
  become_user: postgres
  command: "/opt/rh/rh-postgresql10/root/usr/bin/postgresql-setup --initdb"
  args:
    creates: /var/opt/rh/rh-postgresql10/lib/pgsql/data/PG_VERSION

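# Start the SCL PostgreSQL unit now and enable it for boot.
- name: PostgreSQL 10 server service
  systemd:
    name: rh-postgresql10-postgresql
    state: started
    # `true` rather than `yes`: YAML 1.1/1.2 loaders agree on it.
    enabled: true
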
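# Database used by Zuul's SQL reporter.
- name: PostgreSQL Zuul DB
  # Canonical boolean instead of the YAML 1.1-only `yes`.
  become: true
  become_user: postgres
  postgresql_db:
    name: zuul
    state: present
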
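# Database role for Zuul. `priv: ALL` is scoped to the zuul database via `db`;
# no role_attr_flags are set, so this is not a superuser role. No password is
# managed here, so authentication presumably relies on the local pg_hba rules
# (peer/ident) — confirm against zuul.conf.
- name: PostgreSQL Zuul role
  # Canonical boolean instead of the YAML 1.1-only `yes`.
  become: true
  become_user: postgres
  postgresql_user:
    db: zuul
    name: zuul
    priv: "ALL"
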
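# Helper that pulls the tenant configuration from Gerrit; owned by root and
# not group/world-writable so an unprivileged account cannot replace it.
- name: script for retrieving Zuul tenant configuration from Gerrit
  copy:
    dest: /usr/local/bin/zuul-fetch-tenants-from-gerrit.sh
    src: files/zuul/zuul-fetch-tenants-from-gerrit.sh
    owner: root
    group: root
    # Quoted so the leading zero is never re-interpreted as an octal/decimal int by the YAML loader.
    mode: "0755"
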
# TODO: this is always marked as 'changed' for some reason...
# FIXME: cannot install from git directly (that needs some extra deps for the web build), so just:
# FIXME: wget https://opendev.org/zuul/zuul/commit/758ba823f22366fe9da834612586b5f7c1829984.patch
# FIXME: cd /opt/rh/rh-python36/root/usr/lib/python3.6/site-packages/zuul
# FIXME: patch -p2 < ~/758ba823f22366fe9da834612586b5f7c1829984.patch
- name: Install Zuul
  include_role:
    name: openstack.zuul
  vars:
    # pip-based install from the SCL Python; with this method the version below
    # presumably pins the pip release (verify in the openstack.zuul role).
    zuul_install_method: pip
    zuul_git_version: '3.18.0'
    zuul_pip_executable: /opt/rh/rh-python36/root/bin/pip
    # NOTE(review): --install-option has been deprecated/removed in recent pip
    # releases; the SCL pip used here may still accept it — confirm on upgrade.
    zuul_pip_extra_args: "--install-option='--install-scripts=/usr/local/bin'"
    zuul_file_zuul_conf_src: files/zuul/zuul.conf
    # main.yaml is not managed by the role; the tenant config is presumably
    # produced by the fetch-from-Gerrit script installed above.
    zuul_file_main_yaml_manage: false

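# ~/.ssh for the zuul service account; 0700 keeps the key material private.
- name: Provision Zuul SSH directory
  file:
    path: /var/lib/zuul/.ssh
    state: directory
    owner: zuul
    group: zuul
    # Quoted so the leading zero is never re-interpreted by the YAML loader.
    mode: "0700"
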
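# Private key comes from the separate secrets checkout and is readable by the
# zuul user only. NOTE(review): consider `no_log: true` on this task so the
# key body cannot end up in verbose/--diff output.
- name: Provision Zuul SSH private key
  copy:
    src: ../ansible-cesnet-secrets/zuul/id_rsa
    dest: /var/lib/zuul/.ssh/id_rsa
    owner: zuul
    group: zuul
    # Quoted so the leading zero is never re-interpreted by the YAML loader.
    mode: "0600"
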
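# Make sure known_hosts exists with the right ownership before the entries
# below are added; `preserve` keeps touch from bumping timestamps on every run.
- name: Gerrit's SSH server pubkey
  file:
    path: /var/lib/zuul/.ssh/known_hosts
    state: touch
    modification_time: preserve
    access_time: preserve
    owner: zuul
    group: zuul
    # Quoted so the leading zero is never re-interpreted by the YAML loader.
    mode: "0600"
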
# Pin Gerrit's host key so the executor never falls back to trust-on-first-use.
# The IPv6 entry in the next task must carry the same key.
- name: Gerrit's SSH server pubkey content
  known_hosts:
    name: "[gerrit.cesnet.cz]:29418"
    path: /var/lib/zuul/.ssh/known_hosts
    key: "[gerrit.cesnet.cz]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCbNpJXucXZHmjFeAVQwc87AeUtyYDULfW/AVfkXbJ86JSzoMfV19GSfPf2v+lVVaEJKrHN4I4X2p2vuTiibFHHXRFuquxltQeAY1wMUthL+x67EfcvptPEslwR134HtNX+fJOrrBx2K2Qvj2/BT9JXQm62NbBBIpIrIyBiMUaCnw=="

# Same host key as the hostname entry above, keyed by the IPv6 literal so a
# connection that resolves to the address directly is also pre-trusted.
- name: Gerrit's SSH server pubkey content (IPv6 address)
  known_hosts:
    name: "[2001:718:1:1f:50:56ff:feee:163]:29418"
    path: /var/lib/zuul/.ssh/known_hosts
    key: "[2001:718:1:1f:50:56ff:feee:163]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCbNpJXucXZHmjFeAVQwc87AeUtyYDULfW/AVfkXbJ86JSzoMfV19GSfPf2v+lVVaEJKrHN4I4X2p2vuTiibFHHXRFuquxltQeAY1wMUthL+x67EfcvptPEslwR134HtNX+fJOrrBx2K2Qvj2/BT9JXQm62NbBBIpIrIyBiMUaCnw=="

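# Zuul's finger gateway streams live build logs over the plain finger protocol
# (no TLS, no authentication); this exposes it in the public zone, so it
# should only stay open while build logs are meant to be publicly readable.
- name: fingergw firewall
  firewalld:
    zone: public
    # Canonical booleans instead of the YAML 1.1-only `yes`.
    permanent: true
    immediate: true
    state: enabled
    port: 79/tcp
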
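# mod_md handles the ACME certificate flow, mod_ssl terminates TLS.
- name: Apache modules from SCL
  package:
    # Explicit package list instead of templating each name in a loop: one
    # transaction, same packages.
    name:
      - httpd24-mod_md
      - httpd24-mod_ssl
    state: present
  notify:
    - restart apache
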
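# Open HTTP and HTTPS; HTTP is also needed for the ACME http-01 challenge.
- name: Apache firewall
  firewalld:
    zone: public
    # Canonical booleans instead of the YAML 1.1-only `yes`.
    permanent: true
    immediate: true
    state: enabled
    service: '{{ item }}'
  with_items:
    - http
    - https
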
# Only one MPM may be loaded; drop any prefork LoadModule line so the event
# MPM enabled in the next task is the one in effect.
- name: mpm_prefork disabled
  lineinfile:
    state: absent
    path: /opt/rh/httpd24/root/etc/httpd/conf.modules.d/00-mpm.conf
    regexp: "^LoadModule mpm_prefork_module.*"
  notify:
    - restart apache

# No regexp here, so the line is matched verbatim and appended when missing.
- name: mpm_event enabled
  lineinfile:
    state: present
    path: /opt/rh/httpd24/root/etc/httpd/conf.modules.d/00-mpm.conf
    line: "LoadModule mpm_event_module modules/mod_mpm_event.so"
  notify:
    - restart apache

# Strip the stock ServerAdmin so the real contact below is the only one.
- name: remove default Apache server admin
  lineinfile:
    state: absent
    path: /opt/rh/httpd24/root/etc/httpd/conf/httpd.conf
    regexp: "^ServerAdmin root.*"
  notify:
    - restart apache

# Contact shown on error pages; matched verbatim, appended when missing.
- name: Apache server admin jan.kundrat@cesnet.cz
  lineinfile:
    state: present
    path: /opt/rh/httpd24/root/etc/httpd/conf/httpd.conf
    line: "ServerAdmin mailto:jan.kundrat@cesnet.cz"
  notify:
    - restart apache

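# FIXME: apparently, this still requires a manual fix-up of /opt/rh/httpd24/root/etc/httpd/conf.d/ssl.conf
# Remove the cert and key files in there. I'm too lazy to automate that right now. Without that, there's this
# error message in apache's log:
# [ssl:warn] [pid 3676:tid 139633325263040] AH10084: Init: (zuul.gerrit.cesnet.cz:443) You configured certificate/key files on this host, but is is covered by a Managed Domain. You need to remove these directives for the Managed Domain to take over.
# mod_md global settings: accept the Let's Encrypt subscriber agreement and pin
# the CA to the production ACME v2 directory.
- name: Apache LetsEncrypt agreement
  lineinfile:
    path: /opt/rh/httpd24/root/etc/httpd/conf.d/00-letsencrypt.conf
    # The file does not exist on a fresh host; canonical `true` instead of `yes`.
    create: true
    line: '{{ item }}'
    state: present
  with_items:
    - 'MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
    - 'MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory'
  notify:
    - restart apache
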
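# Virtual host for zuul.gerrit.cesnet.cz; the TLS material itself is managed
# by mod_md, not by this file.
- name: Apache zuul vhost
  copy:
    dest: /opt/rh/httpd24/root/etc/httpd/conf.d/20-zuul.gerrit.cesnet.cz.conf
    src: files/zuul/vhost.conf
    # Quoted so the leading zero is never re-interpreted by the YAML loader.
    mode: "0644"
  notify:
    - restart apache
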
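# Start the SCL Apache unit now and enable it for boot.
- name: Apache service
  systemd:
    name: httpd24-httpd
    state: started
    # Canonical boolean instead of the YAML 1.1-only `yes`.
    enabled: true
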
# Sandboxing tool the Zuul executor relies on to isolate job playbook runs.
- name: bubblewrap for Zuul executor
  package:
    state: present
    name: bubblewrap

# Command-line JSON processor used by job content, not by Zuul itself.
- name: JQ for JSON parsing within Zuul jobs
  package:
    state: present
    name: jq