roles/zuul_server/tasks/main.yaml

- name: Prepeare Python env
  include_role:
    name: el7_centos_python_env


# PostgreSQL reporter from Zuul
- name: PostgreSQL 10 packages and Python bindings
  package:
    name: '{{ item }}'
    state: present
  with_items:
    - rh-python36-python-psycopg2
    - rh-postgresql10-postgresql-syspaths
    - python-psycopg2

- name: PostgreSQL 10 server package
  package:
    name: rh-postgresql10-postgresql-server
    state: present

- name: postgresql 10 initdb
  command: '/opt/rh/rh-postgresql10/root/usr/bin/postgresql-setup --initdb'
  args:
    creates: /var/opt/rh/rh-postgresql10/lib/pgsql/data/PG_VERSION
  become: true
  become_user: postgres

- name: PostgreSQL 10 server service
  systemd:
    name: rh-postgresql10-postgresql
    state: started
    enabled: yes

- name: PostgreSQL Zuul DB
  become: yes
  become_user: postgres
  postgresql_db:
    name: zuul
    state: present

- name: PostgreSQL Zuul role
  become: yes
  become_user: postgres
  postgresql_user:
    db: zuul
    name: zuul
    priv: "ALL"

- name: script for retrieving Zuul tenant configuration from Gerrit
  copy:
    dest: /usr/local/bin/zuul-fetch-tenants-from-gerrit.sh
    src: files/zuul/zuul-fetch-tenants-from-gerrit.sh
    owner: root
    group: root
    mode: 0755

# TODO: this is always marked as 'changed' for some reason...
- name: Install Zuul
  include_role:
    name: openstack.zuul
  vars:
    zuul_install_method: pip
    zuul_git_version: '3.18.0'
    zuul_pip_executable: /opt/rh/rh-python36/root/bin/pip
    zuul_pip_extra_args: "--install-option='--install-scripts=/usr/local/bin'"
    zuul_file_zuul_conf_src: files/zuul/zuul.conf
    zuul_file_main_yaml_manage: false

- name: Provision Zuul SSH directory
  file:
    path: /var/lib/zuul/.ssh
    state: directory
    owner: zuul
    group: zuul
    mode: 0700

- name: Provision Zuul SSH private key
  copy:
    src: ../ansible-cesnet-secrets/zuul/id_rsa
    dest: /var/lib/zuul/.ssh/id_rsa
    owner: zuul
    group: zuul
    mode: 0600

- name: Gerrit's SSH server pubkey
  file:
    path: /var/lib/zuul/.ssh/known_hosts
    state: touch
    modification_time: preserve
    access_time: preserve
    owner: zuul
    group: zuul
    mode: 0600

- name: Gerrit's SSH server pubkey content
  known_hosts:
    path: /var/lib/zuul/.ssh/known_hosts
    name: '[gerrit.cesnet.cz]:29418'
    key: '[gerrit.cesnet.cz]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCbNpJXucXZHmjFeAVQwc87AeUtyYDULfW/AVfkXbJ86JSzoMfV19GSfPf2v+lVVaEJKrHN4I4X2p2vuTiibFHHXRFuquxltQeAY1wMUthL+x67EfcvptPEslwR134HtNX+fJOrrBx2K2Qvj2/BT9JXQm62NbBBIpIrIyBiMUaCnw=='

- name: Gerrit's SSH server pubkey content (IPv6 address)
  known_hosts:
    path: /var/lib/zuul/.ssh/known_hosts
    name: '[2001:718:1:1f:50:56ff:feee:163]:29418'
    key: '[2001:718:1:1f:50:56ff:feee:163]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCbNpJXucXZHmjFeAVQwc87AeUtyYDULfW/AVfkXbJ86JSzoMfV19GSfPf2v+lVVaEJKrHN4I4X2p2vuTiibFHHXRFuquxltQeAY1wMUthL+x67EfcvptPEslwR134HtNX+fJOrrBx2K2Qvj2/BT9JXQm62NbBBIpIrIyBiMUaCnw=='

- name: fingergw firewall
  firewalld:
    zone: public
    permanent: yes
    state: enabled
    port: 79/tcp
    immediate: yes

- name: Apache modules from SCL
  package:
    name: 'httpd24-{{ item }}'
    state: present
  with_items:
    - mod_md
    - mod_ssl
  notify:
    - restart apache

- name: Apache firewall
  firewalld:
    zone: public
    permanent: yes
    immediate: yes
    state: enabled
    service: '{{ item }}'
  with_items:
    - http
    - https

- name: mpm_prefork disabled
  lineinfile:
    path: /opt/rh/httpd24/root/etc/httpd/conf.modules.d/00-mpm.conf
    regexp: '^LoadModule mpm_prefork_module.*'
    state: absent
  notify:
    - restart apache

- name: mpm_event enabled
  lineinfile:
    path: /opt/rh/httpd24/root/etc/httpd/conf.modules.d/00-mpm.conf
    line: 'LoadModule mpm_event_module modules/mod_mpm_event.so'
    state: present
  notify:
    - restart apache

- name: remove default Apache server admin
  lineinfile:
    path: /opt/rh/httpd24/root/etc/httpd/conf/httpd.conf
    regexp: '^ServerAdmin root.*'
    state: absent
  notify:
    - restart apache

- name: Apache server admin jan.kundrat@cesnet.cz
  lineinfile:
    path: /opt/rh/httpd24/root/etc/httpd/conf/httpd.conf
    line: 'ServerAdmin mailto:jan.kundrat@cesnet.cz'
    state: present
  notify:
    - restart apache

# FIXME: apparently, this still requires a manual fix-up of /opt/rh/httpd24/root/etc/httpd/conf.d/ssl.conf
# Remove the cert and key files in there. I'm too lazy to automate that right now. Without that, there's this
# error message in apache's log:
# [ssl:warn] [pid 3676:tid 139633325263040] AH10084: Init: (zuul.gerrit.cesnet.cz:443) You configured certificate/key files on this host, but is is covered by a Managed Domain. You need to remove these directives for the Managed Domain to take over.
- name: Apache LetsEncrypt agreement
  lineinfile:
    path: /opt/rh/httpd24/root/etc/httpd/conf.d/00-letsencrypt.conf
    create: yes
    line: '{{ item }}'
    state: present
  with_items:
    - 'MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
    - 'MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory'
  notify:
    - restart apache

- name: Apache zuul vhost
  copy:
    dest: /opt/rh/httpd24/root/etc/httpd/conf.d/20-zuul.gerrit.cesnet.cz.conf
    src: files/zuul/vhost.conf
    mode: 0644
  notify:
    - restart apache

- name: Apache service
  systemd:
    name: httpd24-httpd
    state: started
    enabled: yes

- name: bubblewrap for Zuul executor
  package:
    name: bubblewrap
    state: present

- name: JQ for JSON parsing within Zuul jobs
  package:
    name: jq
    state: present