Gitiles
Code Review Sign In
gerrit.cesnet.cz / ci / ansible-cesnet / 136e237ea522d22110a97e452f8e9b9d5c048ed3 / . / roles / zuul_server / tasks / main.yaml
blob: e70b48284de3e728d3f19f06dab77df05dbbb9ef [file] [log] [blame]
Jan Kundrát1c2bb582019-01-10 19:30:43 +0100[diff] [blame]1- name: Prepeare Python env
2 include_role:
3 name: el7_centos_python_env
4
Jan Kundrát031422b2019-01-14 17:11:03 +0100[diff] [blame]5
6# PostgreSQL reporter from Zuul
7- name: PostgreSQL 10 packages and Python bindings
8 package:
9 name: '{{ item }}'
10 state: present
11 with_items:
12 - rh-python36-python-psycopg2
13 - rh-postgresql10-postgresql-syspaths
14 - python-psycopg2
15
16- name: PostgreSQL 10 server package
17 package:
18 name: rh-postgresql10-postgresql-server
19 state: present
20
21- name: postgresql 10 initdb
22 command: '/opt/rh/rh-postgresql10/root/usr/bin/postgresql-setup --initdb'
23 args:
24 creates: /var/opt/rh/rh-postgresql10/lib/pgsql/data/PG_VERSION
25 become: true
26 become_user: postgres
27
28- name: PostgreSQL 10 server service
29 systemd:
30 name: rh-postgresql10-postgresql
31 state: started
32 enabled: yes
33
34- name: PostgreSQL Zuul DB
35 become: yes
36 become_user: postgres
37 postgresql_db:
38 name: zuul
39 state: present
40
41- name: PostgreSQL Zuul role
42 become: yes
43 become_user: postgres
44 postgresql_user:
45 db: zuul
46 name: zuul
47 priv: "ALL"
48
Jan Kundrát59b00842019-01-22 20:06:15 +0100[diff] [blame]49- name: script for retrieving Zuul tenant configuration from Gerrit
50 copy:
51 dest: /usr/local/bin/zuul-fetch-tenants-from-gerrit.sh
52 src: files/zuul/zuul-fetch-tenants-from-gerrit.sh
53 owner: root
54 group: root
55 mode: 0755
56
Jan Kundrátecaf7a32019-01-11 13:00:14 +0100[diff] [blame]57# TODO: this is always marked as 'changed' for some reason...
Jan Kundrátc935f7c2020-11-13 18:32:55 +0100[diff] [blame]58# FIXME: cannot install from git directly (that needs some extra deps for the web build), so just:
59# FIXME: wget https://opendev.org/zuul/zuul/commit/758ba823f22366fe9da834612586b5f7c1829984.patch
60# FIXME: cd /opt/rh/rh-python36/root/usr/lib/python3.6/site-packages/zuul
61# FIXME: patch -p2 < ~/758ba823f22366fe9da834612586b5f7c1829984.patch
Jan Kundrát136e2372020-11-13 20:34:24 +0100[diff] [blame^]62# FIXME: ...and also sed s/isAlive/is_alive/ over ansible/*/library/command.py
Jan Kundrát1c2bb582019-01-10 19:30:43 +0100[diff] [blame]63- name: Install Zuul
64 include_role:
65 name: openstack.zuul
66 vars:
Jan Kundrát9ada9b52019-01-11 12:20:28 +0100[diff] [blame]67 zuul_install_method: pip
Jan Kundrát4cecfdd2020-04-08 13:46:32 +0200[diff] [blame]68 zuul_git_version: '3.18.0'
Jan Kundrát1c2bb582019-01-10 19:30:43 +0100[diff] [blame]69 zuul_pip_executable: /opt/rh/rh-python36/root/bin/pip
70 zuul_pip_extra_args: "--install-option='--install-scripts=/usr/local/bin'"
71 zuul_file_zuul_conf_src: files/zuul/zuul.conf
Jan Kundrát59b00842019-01-22 20:06:15 +0100[diff] [blame]72 zuul_file_main_yaml_manage: false
Jan Kundrát1c2bb582019-01-10 19:30:43 +0100[diff] [blame]73
74- name: Provision Zuul SSH directory
75 file:
76 path: /var/lib/zuul/.ssh
77 state: directory
78 owner: zuul
79 group: zuul
80 mode: 0700
81
82- name: Provision Zuul SSH private key
83 copy:
84 src: ../ansible-cesnet-secrets/zuul/id_rsa
85 dest: /var/lib/zuul/.ssh/id_rsa
86 owner: zuul
87 group: zuul
88 mode: 0600
89
90- name: Gerrit's SSH server pubkey
91 file:
92 path: /var/lib/zuul/.ssh/known_hosts
93 state: touch
Jan Kundrát327e8ae2019-01-28 13:30:59 +0100[diff] [blame]94 modification_time: preserve
95 access_time: preserve
Jan Kundrát1c2bb582019-01-10 19:30:43 +0100[diff] [blame]96 owner: zuul
97 group: zuul
98 mode: 0600
99
100- name: Gerrit's SSH server pubkey content
101 known_hosts:
102 path: /var/lib/zuul/.ssh/known_hosts
103 name: '[gerrit.cesnet.cz]:29418'
104 key: '[gerrit.cesnet.cz]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCbNpJXucXZHmjFeAVQwc87AeUtyYDULfW/AVfkXbJ86JSzoMfV19GSfPf2v+lVVaEJKrHN4I4X2p2vuTiibFHHXRFuquxltQeAY1wMUthL+x67EfcvptPEslwR134HtNX+fJOrrBx2K2Qvj2/BT9JXQm62NbBBIpIrIyBiMUaCnw=='
105
106- name: Gerrit's SSH server pubkey content (IPv6 address)
107 known_hosts:
108 path: /var/lib/zuul/.ssh/known_hosts
109 name: '[2001:718:1:1f:50:56ff:feee:163]:29418'
110 key: '[2001:718:1:1f:50:56ff:feee:163]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCbNpJXucXZHmjFeAVQwc87AeUtyYDULfW/AVfkXbJ86JSzoMfV19GSfPf2v+lVVaEJKrHN4I4X2p2vuTiibFHHXRFuquxltQeAY1wMUthL+x67EfcvptPEslwR134HtNX+fJOrrBx2K2Qvj2/BT9JXQm62NbBBIpIrIyBiMUaCnw=='
111
112- name: fingergw firewall
113 firewalld:
114 zone: public
115 permanent: yes
116 state: enabled
117 port: 79/tcp
118 immediate: yes
Jan Kundrát84eff462019-01-11 11:19:06 +0100[diff] [blame]119
120- name: Apache modules from SCL
121 package:
122 name: 'httpd24-{{ item }}'
123 state: present
124 with_items:
125 - mod_md
126 - mod_ssl
127 notify:
128 - restart apache
129
130- name: Apache firewall
131 firewalld:
132 zone: public
133 permanent: yes
134 immediate: yes
135 state: enabled
136 service: '{{ item }}'
137 with_items:
138 - http
139 - https
140
141- name: mpm_prefork disabled
142 lineinfile:
143 path: /opt/rh/httpd24/root/etc/httpd/conf.modules.d/00-mpm.conf
144 regexp: '^LoadModule mpm_prefork_module.*'
145 state: absent
146 notify:
147 - restart apache
148
149- name: mpm_event enabled
150 lineinfile:
151 path: /opt/rh/httpd24/root/etc/httpd/conf.modules.d/00-mpm.conf
152 line: 'LoadModule mpm_event_module modules/mod_mpm_event.so'
153 state: present
154 notify:
155 - restart apache
156
157- name: remove default Apache server admin
158 lineinfile:
159 path: /opt/rh/httpd24/root/etc/httpd/conf/httpd.conf
160 regexp: '^ServerAdmin root.*'
161 state: absent
162 notify:
163 - restart apache
164
165- name: Apache server admin jan.kundrat@cesnet.cz
166 lineinfile:
167 path: /opt/rh/httpd24/root/etc/httpd/conf/httpd.conf
168 line: 'ServerAdmin mailto:jan.kundrat@cesnet.cz'
169 state: present
170 notify:
171 - restart apache
172
Jan Kundrátecd797f2020-05-21 11:27:05 +0200[diff] [blame]173# FIXME: apparently, this still requires a manual fix-up of /opt/rh/httpd24/root/etc/httpd/conf.d/ssl.conf
174# Remove the cert and key files in there. I'm too lazy to automate that right now. Without that, there's this
175# error message in apache's log:
176# [ssl:warn] [pid 3676:tid 139633325263040] AH10084: Init: (zuul.gerrit.cesnet.cz:443) You configured certificate/key files on this host, but is is covered by a Managed Domain. You need to remove these directives for the Managed Domain to take over.
Jan Kundrát84eff462019-01-11 11:19:06 +0100[diff] [blame]177- name: Apache LetsEncrypt agreement
178 lineinfile:
179 path: /opt/rh/httpd24/root/etc/httpd/conf.d/00-letsencrypt.conf
180 create: yes
Jan Kundrátecd797f2020-05-21 11:27:05 +0200[diff] [blame]181 line: '{{ item }}'
Jan Kundrát84eff462019-01-11 11:19:06 +0100[diff] [blame]182 state: present
Jan Kundrátecd797f2020-05-21 11:27:05 +0200[diff] [blame]183 with_items:
184 - 'MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
185 - 'MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory'
Jan Kundrát84eff462019-01-11 11:19:06 +0100[diff] [blame]186 notify:
187 - restart apache
188
189- name: Apache zuul vhost
190 copy:
191 dest: /opt/rh/httpd24/root/etc/httpd/conf.d/20-zuul.gerrit.cesnet.cz.conf
192 src: files/zuul/vhost.conf
193 mode: 0644
194 notify:
195 - restart apache
196
197- name: Apache service
198 systemd:
199 name: httpd24-httpd
200 state: started
201 enabled: yes
Jan Kundrátd920d8c2019-01-22 22:35:19 +0100[diff] [blame]202
203- name: bubblewrap for Zuul executor
204 package:
205 name: bubblewrap
206 state: present
Jan Kundrátd717ad32019-06-05 23:06:55 +0200[diff] [blame]207
208- name: JQ for JSON parsing within Zuul jobs
209 package:
210 name: jq
211 state: present