rabbitmq tasks

defaults/main.yml

@@ -6,17 +6,22 @@ mbs_import_default_modules: true
 mbs_upgrade_db: true
 mbs_num_workers: 3
 mbs_celery_max_worker_tasks: 10
-mbs_mq_cert: 'cert.pem'
-mbs_mq_key: 'key.pem'
-mbs_mq_ca: 'ca.pem'
+mbs_mq_cert: ''
+mbs_mq_key: ''
+mbs_mq_ca: ''
 mbs_default_modules_dir: default-modules
+# rabbitmq
+rabbitmq_local: true
+rabbitmq_vhost: mbs
+rabbitmq_username: mbs
+rabbitmq_password: mbs
 # kojihub
 kojihub_top_url: https://cbs.centos.org
 kojihub_use_fast_upload: true
 kojihub_auth_type: kerberos
 kojihub_kerberos_rdns: false
 #mbs config.py
-mbs_config_broker_url: ''
+mbs_config_broker_url: 'amqp://{{ rabbitmq_username }}@{{ rabbitmq_password }}:localhost:5627/{{ rabbitmq_vhost }}'
 mbs_config_debug: false
 mbs_config_env: "{{ mbs_config_type }}"
 mbs_config_secret_key: a1b2c3d4

handlers/main.yml

@@ -2,34 +2,29 @@
 - name: Reload systemd
   systemd:
     daemon_reload: yes
-  become: true
 
 - name: Restart apache
   service:
     name: httpd
     state: restarted
     enabled: true
-  become: true
 
 - name: Reload apache
   service:
     name: httpd
     state: reloaded
-  become: true
 
 - name: Restart fedmsg-hub
   service:
     name: fedmsg-hub
     state: restarted
     enabled: true
-  become: true
 
 - name: Restart mbs poller
   service:
     name: mbs-poller
     state: restarted
     enabled: true
-  become: true
 
 - name: Restart mbs workers
   service:
@@ -37,4 +32,9 @@
     state: restarted
     enabled: true
   with_sequence: start=0 end={{ mbs_num_workers - 1 }}
-  become: true
+
+- name: Restart RabbitMQ
+  service:
+    name: rabbitmq-server
+    state: restarted
+    enabled: true

tasks/main.yml

@@ -1,6 +1,9 @@
 --- 
 # base system setup
 - include_tasks: system.yml
+# rabbitmq
+- include_tasks: rabbitmq.yml
+  when: rabbitmq_local
 # msb-backend setup
 - include_tasks: mbs-backend.yml
 # msb-frontend setup

tasks/mbs-backend.yml

@@ -79,6 +79,7 @@
     owner: root
     group: fedmsg
     mode: 0640
+  when: mbs_mq_cert
   
 - name: copy the MBS rabbitmq private queue key
   copy:
@@ -87,6 +88,7 @@
     owner: root
     group: fedmsg
     mode: 0640
+  when: mbs_mq_key
   
 - name: copy the MBS rabbitmq CA cert
   copy:
@@ -95,6 +97,7 @@
     owner: root
     group: fedmsg
     mode: 0640
+  when: mbs_mq_ca
   
 - name: Add the systemd service files
   template:

tasks/rabbitmq.yml

@@ -0,0 +1,33 @@
+- name: Install RabbitMQ SIG release package
+  yum:
+    name:
+      - centos-release-rabbitmq-38
+
+- name: Install RabbitMQ server packages
+  yum:
+    name:
+      - SDL2
+      - erlang
+      - rabbitmq-server
+
+- name: Apply rabbitmq config
+  template:
+    src: rabbitmq/rabbitmq.conf.j2
+    dest: /etc/rabbitmq/rabbitmq.conf
+  notify:
+    - Restart RabbitMQ
+
+- name: Ensure vhost exists
+  community.rabbitmq.rabbitmq_vhost:
+    name: "{{ rabbitmq_vhost }}"
+    state: present
+
+- name: Ensure user exists and has access to vhost
+  community.rabbitmq.rabbitmq_user:
+    user: "{{ rabbitmq_username }}"
+    password: "{{ rabbitmq_password }}"
+    vhost: "{{ rabbitmq_vhost }}"
+    configure_priv: .*
+    read_priv: .*
+    write_priv: .*
+    state: present

templates/rabbitmq/rabbitmq.conf.j2

@@ -0,0 +1,183 @@
+
+# =======================================
+# AMQP 1.0 section
+# =======================================
+
+## Connections that are not authenticated with SASL will connect as this
+## account. See the README for more information.
+##
+## Please note that setting this will allow clients to connect without
+## authenticating!
+##
+# amqp1_0.default_user = guest
+
+## Enable protocol strict mode. See the README for more information.
+##
+# amqp1_0.protocol_strict_mode = false
+
+## Logging settings.
+##
+## See https://rabbitmq.com/logging.html and https://github.com/erlang-lager/lager for details.
+##
+
+## Log directory, taken from the RABBITMQ_LOG_BASE env variable by default.
+##
+log.dir = /var/log/rabbitmq
+
+## Logging to file. Can be false or a filename.
+## Default:
+log.file = rabbit.log
+
+## To disable logging to a file
+# log.file = false
+
+## Log level for file logging
+##
+log.file.level = info
+
+## File rotation config. No rotation by default.
+## DO NOT SET rotation date to ''. Leave the value unset if "" is the desired value
+# log.file.rotation.date = $D0
+# log.file.rotation.size = 0
+
+## Logging to console (can be true or false)
+##
+# log.console = false
+
+## Log level for console logging
+##
+# log.console.level = info
+
+## Logging to the amq.rabbitmq.log exchange (can be true or false)
+##
+# log.exchange = false
+
+## Log level to use when logging to the amq.rabbitmq.log exchange
+##
+# log.exchange.level = info
+
+
+
+## ----------------------------------------------------------------------------
+## RabbitMQ LDAP Plugin
+##
+## Related doc guide: https://rabbitmq.com/ldap.html.
+##
+## ----------------------------------------------------------------------------
+
+# =======================================
+# LDAP section
+# =======================================
+
+##
+## Connecting to the LDAP server(s)
+## ================================
+##
+
+## Specify servers to bind to. You *must* set this in order for the plugin
+## to work properly.
+##
+# auth_ldap.servers.1 = your-server-name-goes-here
+
+## You can define multiple servers
+# auth_ldap.servers.2 = your-other-server
+
+## Connect to the LDAP server using TLS
+##
+# auth_ldap.use_ssl = false
+
+## Specify the LDAP port to connect to
+##
+# auth_ldap.port = 389
+
+## LDAP connection timeout, in milliseconds or 'infinity'
+##
+# auth_ldap.timeout = infinity
+
+## Or number
+# auth_ldap.timeout = 500
+
+## Enable logging of LDAP queries.
+## One of
+##   - false (no logging is performed)
+##   - true (verbose logging of the logic used by the plugin)
+##   - network (as true, but additionally logs LDAP network traffic)
+##
+## Defaults to false.
+##
+# auth_ldap.log = false
+
+## Also can be true or network
+# auth_ldap.log = true
+# auth_ldap.log = network
+
+##
+## Authentication
+## ==============
+##
+
+## Pattern to convert the username given through AMQP to a DN before
+## binding
+##
+# auth_ldap.user_dn_pattern = cn=${username},ou=People,dc=example,dc=com
+
+## Alternatively, you can convert a username to a Distinguished
+## Name via an LDAP lookup after binding. See the documentation for
+## full details.
+
+## When converting a username to a dn via a lookup, set these to
+## the name of the attribute that represents the user name, and the
+## base DN for the lookup query.
+##
+# auth_ldap.dn_lookup_attribute = userPrincipalName
+# auth_ldap.dn_lookup_base      = DC=gopivotal,DC=com
+
+## Controls how to bind for authorisation queries and also to
+## retrieve the details of users logging in without presenting a
+## password (e.g., SASL EXTERNAL).
+## One of
+##  - as_user (to bind as the authenticated user - requires a password)
+##  - anon    (to bind anonymously)
+##  - {UserDN, Password} (to bind with a specified user name and password)
+##
+## Defaults to 'as_user'.
+##
+# auth_ldap.other_bind = as_user
+
+## Or can be more complex:
+# auth_ldap.other_bind.user_dn  = User
+# auth_ldap.other_bind.password = Password
+
+## If user_dn and password defined - other options is ignored.
+
+# -----------------------------
+# Too complex section of LDAP
+# -----------------------------
+
+##
+## Authorisation
+## =============
+##
+
+## The LDAP plugin can perform a variety of queries against your
+## LDAP server to determine questions of authorisation.
+##
+## Related doc guide: https://rabbitmq.com/ldap.html#authorisation.
+
+## Following configuration should be defined in advanced.config file
+## DO NOT UNCOMMENT THESE LINES!
+
+## Set the query to use when determining vhost access
+##
+## {vhost_access_query, {in_group,
+##                       "ou=${vhost}-users,ou=vhosts,dc=example,dc=com"}},
+
+## Set the query to use when determining resource (e.g., queue) access
+##
+## {resource_access_query, {constant, true}},
+
+## Set queries to determine which tags a user has
+##
+## {tag_queries, []}
+#   ]},
+# -----------------------------