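# Bring in the CentOS 7 Python environment role. The Zuul install below uses
# a pip living under /opt/rh/rh-python36, so this has to run first.
- name: Prepare Python env
  include_role:
    name: el7_centos_python_env
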
# TODO: this task reports 'changed' on every run for an unknown reason.
#
# Zuul itself comes from the openstack.zuul role, installed with pip from the
# SCL Python 3.6 interpreter. zuul_git_version pins the release that gets
# installed; bump it to upgrade. The --install-scripts option puts the zuul
# executables into /usr/local/bin.
- name: Install Zuul
  include_role:
    name: openstack.zuul
  vars:
    zuul_install_method: 'pip'
    zuul_git_version: '3.3.1'
    zuul_pip_executable: '/opt/rh/rh-python36/root/bin/pip'
    zuul_pip_extra_args: "--install-option='--install-scripts=/usr/local/bin'"
    # configuration shipped from this repository's files/ directory
    zuul_file_zuul_conf_src: 'files/zuul/zuul.conf'
    zuul_file_main_yaml_src: 'files/zuul/main.yaml'

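# Private SSH directory for the zuul user; 0700 keeps the key material below
# readable by zuul only. The mode is quoted so YAML does not turn the octal
# literal into a decimal integer.
- name: Provision Zuul SSH directory
  file:
    path: /var/lib/zuul/.ssh
    state: directory
    owner: zuul
    group: zuul
    mode: '0700'
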
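# The key is read from the separate ansible-cesnet-secrets checkout, so no
# private key material lives in this repository. 0600 restricts it to the
# zuul user; the mode is quoted to avoid YAML octal/decimal confusion.
# NOTE(review): with --diff the copy module prints file contents; consider
# `no_log: true` here if that output can reach shared logs.
- name: Provision Zuul SSH private key
  copy:
    src: ../ansible-cesnet-secrets/zuul/id_rsa
    dest: /var/lib/zuul/.ssh/id_rsa
    owner: zuul
    group: zuul
    mode: '0600'
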
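# Make sure known_hosts exists with the right ownership before the known_hosts
# tasks below edit it. Preserving both timestamps stops `state: touch` from
# reporting 'changed' on every run (file module option, Ansible >= 2.7).
- name: Gerrit's SSH server pubkey
  file:
    path: /var/lib/zuul/.ssh/known_hosts
    state: touch
    modification_time: preserve
    access_time: preserve
    owner: zuul
    group: zuul
    mode: '0600'
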
# Pin Gerrit's SSH host key for the zuul user so the first connection to
# port 29418 does not have to trust whatever key the server presents.
# The value below is the expected public key; verify it against the
# fingerprint Gerrit publishes before changing it.
- name: Gerrit's SSH server pubkey content
  known_hosts:
    path: /var/lib/zuul/.ssh/known_hosts
    name: "[gerrit.cesnet.cz]:29418"
    key: "[gerrit.cesnet.cz]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCbNpJXucXZHmjFeAVQwc87AeUtyYDULfW/AVfkXbJ86JSzoMfV19GSfPf2v+lVVaEJKrHN4I4X2p2vuTiibFHHXRFuquxltQeAY1wMUthL+x67EfcvptPEslwR134HtNX+fJOrrBx2K2Qvj2/BT9JXQm62NbBBIpIrIyBiMUaCnw=="

# Same host key as above, but registered under Gerrit's IPv6 address so a
# connection made by address rather than by name is also pinned.
- name: Gerrit's SSH server pubkey content (IPv6 address)
  known_hosts:
    path: /var/lib/zuul/.ssh/known_hosts
    name: "[2001:718:1:1f:50:56ff:feee:163]:29418"
    key: "[2001:718:1:1f:50:56ff:feee:163]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCbNpJXucXZHmjFeAVQwc87AeUtyYDULfW/AVfkXbJ86JSzoMfV19GSfPf2v+lVVaEJKrHN4I4X2p2vuTiibFHHXRFuquxltQeAY1wMUthL+x67EfcvptPEslwR134HtNX+fJOrrBx2K2Qvj2/BT9JXQm62NbBBIpIrIyBiMUaCnw=="

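# Open 79/tcp in the public zone for the finger gateway, both in the running
# firewall (immediate) and in the persistent configuration (permanent).
# Booleans are written as true/false rather than yes/no.
- name: fingergw firewall
  firewalld:
    zone: public
    permanent: true
    immediate: true
    state: enabled
    port: 79/tcp
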
# Extra Apache modules from the httpd24 Software Collection. mod_ssl provides
# TLS; mod_md is the module behind the MDCertificateAgreement directive
# written further down.
- name: Apache modules from SCL
  package:
    state: present
    name: "httpd24-{{ item }}"
  notify: restart apache
  with_items:
    - mod_md
    - mod_ssl

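# Allow the http and https firewalld services in the public zone, applied
# immediately and saved permanently. Booleans written canonically.
- name: Apache firewall
  firewalld:
    zone: public
    permanent: true
    immediate: true
    state: enabled
    service: '{{ item }}'
  with_items:
    - http
    - https
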
# httpd loads exactly one MPM; drop the prefork LoadModule line so the event
# MPM enabled in the next task is the one in use.
- name: mpm_prefork disabled
  lineinfile:
    state: absent
    path: /opt/rh/httpd24/root/etc/httpd/conf.modules.d/00-mpm.conf
    regexp: "^LoadModule mpm_prefork_module.*"
  notify: restart apache

# Ensure the event MPM LoadModule line is present in the SCL httpd module
# configuration; the line is appended if it is missing.
- name: mpm_event enabled
  lineinfile:
    state: present
    path: /opt/rh/httpd24/root/etc/httpd/conf.modules.d/00-mpm.conf
    line: "LoadModule mpm_event_module modules/mod_mpm_event.so"
  notify: restart apache

# Strip the stock "ServerAdmin root..." line from the SCL httpd.conf; the
# next task installs the real contact address.
- name: remove default Apache server admin
  lineinfile:
    state: absent
    path: /opt/rh/httpd24/root/etc/httpd/conf/httpd.conf
    regexp: "^ServerAdmin root.*"
  notify: restart apache

# Set the contact shown on Apache error pages (mailto: form of ServerAdmin).
- name: Apache server admin jan.kundrat@cesnet.cz
  lineinfile:
    state: present
    path: /opt/rh/httpd24/root/etc/httpd/conf/httpd.conf
    line: "ServerAdmin mailto:jan.kundrat@cesnet.cz"
  notify: restart apache

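# Record acceptance of the Let's Encrypt subscriber agreement for mod_md.
# The conf.d file is created if absent (create: true, written canonically).
- name: Apache LetsEncrypt agreement
  lineinfile:
    path: /opt/rh/httpd24/root/etc/httpd/conf.d/00-letsencrypt.conf
    create: true
    line: 'MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
    state: present
  notify:
    - restart apache
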
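# Install the Zuul virtual host definition from this repository into the
# SCL httpd conf.d. The mode is quoted so the octal literal is not parsed
# as a decimal integer.
- name: Apache zuul vhost
  copy:
    dest: /opt/rh/httpd24/root/etc/httpd/conf.d/20-zuul.gerrit.cesnet.cz.conf
    src: files/zuul/vhost.conf
    mode: '0644'
  notify:
    - restart apache
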
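# Start the SCL httpd unit now and enable it at boot (boolean written
# canonically as true).
- name: Apache service
  systemd:
    name: httpd24-httpd
    state: started
    enabled: true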