mirror of
https://pagure.io/fedora-infra/ansible.git
synced 2026-05-04 14:31:42 +08:00
ebd01fab62
Fix the fedora-41 key, had too many characters there. Also, the add-key script needs to be readable by the robosignatory user, so it can't be mode 711. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
243 lines
4.8 KiB
YAML
243 lines
4.8 KiB
YAML
- name: Install packages
|
|
package: state=present name={{ item }}
|
|
with_items:
|
|
- python3-robosignatory
|
|
- fedora-messaging
|
|
- trousers
|
|
- tpm-tools
|
|
- sigul
|
|
tags:
|
|
- packages
|
|
- robosignatory
|
|
|
|
- name: Create robosignatory group
|
|
group:
|
|
name: robosignatory
|
|
state: present
|
|
system: yes
|
|
gid: 263
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Create robosignatory user
|
|
user:
|
|
name: robosignatory
|
|
state: present
|
|
group: robosignatory
|
|
system: yes
|
|
home: /etc/robosignatory
|
|
comment: Robosignatory
|
|
shell: /sbin/nologin
|
|
uid: 263
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Create config directory
|
|
file:
|
|
path: /etc/robosignatory
|
|
state: directory
|
|
owner: robosignatory
|
|
group: robosignatory
|
|
mode: 0750
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Create robosignatory sigul directory
|
|
file:
|
|
path: /etc/robosignatory/sigul
|
|
state: directory
|
|
owner: robosignatory
|
|
group: robosignatory
|
|
mode: 0750
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Install sigul configuration
|
|
copy:
|
|
src: sigul.{{env}}.conf
|
|
dest: /etc/sigul/client.conf
|
|
owner: robosignatory
|
|
group: robosignatory
|
|
mode: 0640
|
|
notify:
|
|
- restart robosignatory
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Make sure every file in the sigul conf dir has proper ownership
|
|
file:
|
|
path: /etc/sigul
|
|
state: directory
|
|
group: robosignatory
|
|
owner: robosignatory
|
|
recurse: yes
|
|
|
|
- name: Install koji config
|
|
template:
|
|
src: koji.conf
|
|
dest: /etc/robosignatory/koji.config
|
|
owner: robosignatory
|
|
group: robosignatory
|
|
mode: 0640
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Install koji CA certificate
|
|
copy:
|
|
src: "{{ private }}/files/fedora-ca.cert"
|
|
dest: /etc/robosignatory/serverca.cert
|
|
owner: robosignatory
|
|
group: robosignatory
|
|
mode: 0640
|
|
notify:
|
|
- restart robosignatory
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
# Fedora Messaging
|
|
|
|
- name: Create /etc/pki/fedora-messaging
|
|
file:
|
|
dest: /etc/pki/fedora-messaging
|
|
mode: 0775
|
|
owner: root
|
|
group: root
|
|
state: directory
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Deploy the fedora-messaging CA
|
|
copy:
|
|
src: "{{ private }}/files/rabbitmq/{{env}}/pki/ca.crt"
|
|
dest: /etc/pki/fedora-messaging/cacert.pem
|
|
mode: 0644
|
|
owner: root
|
|
group: root
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Deploy the fedora-messaging cert
|
|
copy:
|
|
src: "{{ private }}/files/rabbitmq/{{env}}/pki/issued/robosignatory{{env_suffix}}.crt"
|
|
dest: /etc/pki/fedora-messaging/robosignatory-cert.pem
|
|
mode: 0644
|
|
owner: robosignatory
|
|
group: robosignatory
|
|
notify:
|
|
- restart robosignatory
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Deploy the fedora-messaging key
|
|
copy:
|
|
src: "{{ private }}/files/rabbitmq/{{env}}/pki/private/robosignatory{{env_suffix}}.key"
|
|
dest: /etc/pki/fedora-messaging/robosignatory-key.pem
|
|
mode: 0600
|
|
owner: robosignatory
|
|
group: robosignatory
|
|
notify:
|
|
- restart robosignatory
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Setup robosignatory config
|
|
template:
|
|
src: robosignatory.toml.j2
|
|
dest: /etc/fedora-messaging/robosignatory.toml
|
|
owner: robosignatory
|
|
group: robosignatory
|
|
mode: 0640
|
|
notify:
|
|
- restart robosignatory
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
- robosignatory-config
|
|
|
|
- name: Create /etc/systemd/system/fm-consumer@.service.d (staging)
|
|
file:
|
|
state: directory
|
|
path: /etc/systemd/system/fm-consumer@.service.d
|
|
owner: root
|
|
group: root
|
|
mode: 0755
|
|
when: env == 'staging'
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Configure fm-consumer@.service to run as robosignatory (staging)
|
|
copy:
|
|
src: fm-consumer@.service
|
|
dest: /etc/systemd/system/fm-consumer@.service.d/local.conf
|
|
owner: root
|
|
group: root
|
|
mode: 0644
|
|
when: env == 'staging'
|
|
notify:
|
|
- reload systemd
|
|
- restart robosignatory
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Ensure fedora-messaging is enabled and started on the backend (staging)
|
|
service:
|
|
name: fm-consumer@robosignatory.service
|
|
enabled: yes
|
|
state: started
|
|
when: env == 'staging'
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Configure key add script
|
|
copy:
|
|
src: sigul-add-key
|
|
dest: /usr/local/bin/sigul-add-key
|
|
owner: root
|
|
group: root
|
|
mode: 0755
|
|
when: env != 'staging'
|
|
notify:
|
|
- reload systemd
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Configure robosignatory.service
|
|
copy:
|
|
src: robosignatory.service
|
|
dest: /etc/systemd/system/robosignatory.service
|
|
owner: root
|
|
group: root
|
|
mode: 0644
|
|
when: env != 'staging'
|
|
notify:
|
|
- reload systemd
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Allow robosignatory to use systemd-ask-password
|
|
copy:
|
|
src: ask-password-robosignatory.conf
|
|
dest: /etc/tmpfiles.d/ask-password-robosignatory.conf
|
|
owner: root
|
|
group: root
|
|
mode: 0644
|
|
tags:
|
|
- config
|
|
- robosignatory
|