mirror of
https://pagure.io/fedora-infra/ansible.git
synced 2026-03-30 08:50:55 +08:00
244 lines
5.1 KiB
YAML
244 lines
5.1 KiB
YAML
---
|
|
- name: Install packages
|
|
ansible.builtin.package: state=present name={{ item }}
|
|
with_items:
|
|
- python3-robosignatory
|
|
- fedora-messaging
|
|
- trousers
|
|
- tpm-tools
|
|
- sigul
|
|
tags:
|
|
- packages
|
|
- robosignatory
|
|
|
|
- name: Create robosignatory group
|
|
group:
|
|
name: robosignatory
|
|
state: present
|
|
system: yes
|
|
gid: 263
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Create robosignatory user
|
|
user:
|
|
name: robosignatory
|
|
state: present
|
|
group: robosignatory
|
|
system: yes
|
|
home: /etc/robosignatory
|
|
comment: Robosignatory
|
|
shell: /sbin/nologin
|
|
uid: 263
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Create config directory
|
|
ansible.builtin.file:
|
|
path: /etc/robosignatory
|
|
state: directory
|
|
owner: robosignatory
|
|
group: robosignatory
|
|
mode: "0750"
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Create robosignatory sigul directory
|
|
ansible.builtin.file:
|
|
path: /etc/robosignatory/sigul
|
|
state: directory
|
|
owner: robosignatory
|
|
group: robosignatory
|
|
mode: "0750"
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Install sigul configuration
|
|
ansible.builtin.copy:
|
|
src: sigul.{{env}}.conf
|
|
dest: /etc/sigul/client.conf
|
|
owner: robosignatory
|
|
group: robosignatory
|
|
mode: "0640"
|
|
notify:
|
|
- Restart robosignatory
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Make sure every file in the sigul conf dir has proper ownership
|
|
ansible.builtin.file:
|
|
path: /etc/sigul
|
|
state: directory
|
|
group: robosignatory
|
|
owner: robosignatory
|
|
recurse: yes
|
|
|
|
- name: Install koji config
|
|
ansible.builtin.template:
|
|
src: koji.conf
|
|
dest: /etc/robosignatory/koji.config
|
|
owner: robosignatory
|
|
group: robosignatory
|
|
mode: "0640"
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Install koji CA certificate
|
|
ansible.builtin.copy:
|
|
src: "{{ private }}/files/fedora-ca.cert"
|
|
dest: /etc/robosignatory/serverca.cert
|
|
owner: robosignatory
|
|
group: robosignatory
|
|
mode: "0640"
|
|
notify:
|
|
- Restart robosignatory
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
# Fedora Messaging
|
|
|
|
- name: Create /etc/pki/fedora-messaging
|
|
ansible.builtin.file:
|
|
dest: /etc/pki/fedora-messaging
|
|
mode: "0775"
|
|
owner: root
|
|
group: root
|
|
state: directory
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Deploy the fedora-messaging CA
|
|
ansible.builtin.copy:
|
|
src: "{{ private }}/files/rabbitmq/{{env}}/ca-combined.crt"
|
|
dest: /etc/pki/fedora-messaging/cacert.pem
|
|
mode: "0644"
|
|
owner: root
|
|
group: root
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Deploy the fedora-messaging cert
|
|
ansible.builtin.copy:
|
|
src: "{{ private }}/files/rabbitmq/{{env}}/pki/issued/robosignatory{{env_suffix}}.crt"
|
|
dest: /etc/pki/fedora-messaging/robosignatory-cert.pem
|
|
mode: "0644"
|
|
owner: robosignatory
|
|
group: robosignatory
|
|
notify:
|
|
- Restart robosignatory
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Deploy the fedora-messaging key
|
|
ansible.builtin.copy:
|
|
src: "{{ private }}/files/rabbitmq/{{env}}/pki/private/robosignatory{{env_suffix}}.key"
|
|
dest: /etc/pki/fedora-messaging/robosignatory-key.pem
|
|
mode: "0600"
|
|
owner: robosignatory
|
|
group: robosignatory
|
|
notify:
|
|
- Restart robosignatory
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Setup robosignatory config
|
|
ansible.builtin.template:
|
|
src: robosignatory.toml.j2
|
|
dest: /etc/fedora-messaging/robosignatory.toml
|
|
owner: robosignatory
|
|
group: robosignatory
|
|
mode: "0640"
|
|
notify:
|
|
- Restart robosignatory
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
- robosignatory-config
|
|
|
|
- name: Create /etc/systemd/system/fm-consumer@.service.d (staging)
|
|
ansible.builtin.file:
|
|
state: directory
|
|
path: /etc/systemd/system/fm-consumer@.service.d
|
|
owner: root
|
|
group: root
|
|
mode: "0755"
|
|
when: env == 'staging'
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Configure fm-consumer@.service to run as robosignatory (staging)
|
|
ansible.builtin.copy:
|
|
src: fm-consumer@.service
|
|
dest: /etc/systemd/system/fm-consumer@.service.d/local.conf
|
|
owner: root
|
|
group: root
|
|
mode: "0644"
|
|
when: env == 'staging'
|
|
notify:
|
|
- Reload systemd
|
|
- Restart robosignatory
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Ensure fedora-messaging is enabled and started on the backend (staging)
|
|
service:
|
|
name: fm-consumer@robosignatory.service
|
|
enabled: yes
|
|
state: started
|
|
when: env == 'staging'
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Configure key add script
|
|
ansible.builtin.copy:
|
|
src: sigul-add-key
|
|
dest: /usr/local/bin/sigul-add-key
|
|
owner: root
|
|
group: root
|
|
mode: "0755"
|
|
when: env != 'staging'
|
|
notify:
|
|
- Reload systemd
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Configure robosignatory.service
|
|
ansible.builtin.copy:
|
|
src: robosignatory.service
|
|
dest: /etc/systemd/system/robosignatory.service
|
|
owner: root
|
|
group: root
|
|
mode: "0644"
|
|
when: env != 'staging'
|
|
notify:
|
|
- Reload systemd
|
|
tags:
|
|
- config
|
|
- robosignatory
|
|
|
|
- name: Allow robosignatory to use systemd-ask-password
|
|
ansible.builtin.copy:
|
|
src: ask-password-robosignatory.conf
|
|
dest: /etc/tmpfiles.d/ask-password-robosignatory.conf
|
|
owner: root
|
|
group: root
|
|
mode: "0644"
|
|
tags:
|
|
- config
|
|
- robosignatory
|