[ansible] Update bodhi-backend
by Nicolas Chauvet
commit ace1d1967358a3c85e4bc80f336924c4b9306afe
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Oct 10 12:11:34 2016 +0200
Update bodhi-backend
group_vars/bodhi-backend | 42 ++++++++++++++++++++++++++++++++++++++++
group_vars/bodhi2 | 10 +++++++-
group_vars/releng-compose | 47 +++++++++++++++++++++++++++++++++++++++++++++
inventory/inventory | 11 +++++++++-
4 files changed, 107 insertions(+), 3 deletions(-)
---
diff --git a/group_vars/bodhi-backend b/group_vars/bodhi-backend
new file mode 100644
index 0000000..529d28d
--- /dev/null
+++ b/group_vars/bodhi-backend
@@ -0,0 +1,42 @@
+---
+# common items for the releng-* boxes
+lvm_size: 10000
+mem_size: 1024
+num_cpus: 1
+
+# Do not use testing repositories on production
+testing: False
+
+# These are for fedmsg publication from the bodhi backend.
+# If you change these iptables rules, you also need to changes the endpoints
+# list in roles/fedmsg/base/templates/endpoints-bodhi.py
+tcp_ports: [
+ 3000, 3001, 3002, 3003, 3004,
+ 3005, 3006, 3007, 3008, 3009,
+ 3010, 3011, 3012, 3013, 3014,
+ 3015, 3016, 3017, 3018, 3019,
+]
+# Make connections from signing bridges stateless, they break sigul connections
+# https://bugzilla.redhat.com/show_bug.cgi?id=1283364
+#custom_rules: ['-A INPUT --proto tcp --sport 44334 --source 10.5.125.71 -j ACCEPT']
+
+# With 16 cpus, theres a bunch more kernel threads
+nrpe_procs_warn: 900
+nrpe_procs_crit: 1000
+
+host_group: releng
+
+# These people get told when something goes wrong.
+fedmsg_error_recipients:
+- root(a)rpmfusion.org
+
+## XXX -- note that the fedmsg_certs declaration does not happen here, but
+# happens instead at the inventory/host_vars/ level since bodhi-backend03 and
+# bodhi-backend02 have different roles and responsibilities.
+
+nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4"
+
+fas_client_groups: sysadmin-releng,sysadmin-bodhi
+sudoers: "{{ private }}/files/sudo/00releng-sudoers"
+
+## XXX - note that the csi_ stuff is kept at the host_vars/ level.
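Review bot: The comments `# common items for the releng-* boxes` and `# With 16 cpus, theres a bunch more kernel threads` disagree with the values in this same file, which set `num_cpus: 1` for the bodhi-backend group; the 900/1000 nrpe thresholds read as carried over from another group rather than sized for this one. Either size the thresholds for the box or replace the comment with something like `# nrpe process thresholds; revisit if num_cpus grows`. The commented-out `custom_rules` entry keeps a source address of 10.5.125.71, which does not match the 192.168.181.0/24 addressing used elsewhere in this series, so it should be removed or re-pointed at the actual sign-bridge host when the sigul rule is needed rather than left as archaeology. The same copied comment appears in group_vars/releng-compose in this commit.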
diff --git a/group_vars/bodhi2 b/group_vars/bodhi2
index 7cec042..18d32dd 100644
--- a/group_vars/bodhi2
+++ b/group_vars/bodhi2
@@ -7,10 +7,13 @@ lvm_size: 40000
mem_size: 16384
num_cpus: 4
+# Do not use testing repositories on production
+testing: False
+
# for systems that do not match the above - specify the same parameter in
# the host_vars/$hostname file
-host_group: bodhi2
+host_group: releng
# Definining these vars has a number of effects
# 1) mod_wsgi is configured to use the vars for its own setup
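Review bot: `host_group: releng` moves the bodhi2 frontend group under the releng profile, which is a wider change than the commit title "Update bodhi-backend" announces; if host_group is what the firewall, nagios or sudo roles key on (not visible in this hunk), the frontend now inherits whatever releng gets. A one-line comment above the key stating why the frontend is grouped with releng would make the intent reviewable, e.g. `# grouped under releng so frontend and backend share the releng profile`.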
@@ -25,7 +28,8 @@ tcp_ports: [ 80 ]
# Neeed for rsync from log01 for logs.
#custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
-fas_client_groups: sysadmin-main
+fas_client_groups: sysadmin-noc,sysadmin-bodhi
+sudoers: "{{ private }}/files/sudo/00releng-sudoers"
# These set a config value in /etc/fedmsg.d/, see roles/bodhi2/base/
# frontend nodes won't run either of these
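Review bot: Dropping `sysadmin-main` from `fas_client_groups` removes that group's accounts from the bodhi2 hosts in the same step that installs the releng sudoers file, so anyone whose access depended on sysadmin-main membership loses it unless they are also in sysadmin-noc or sysadmin-bodhi. If that is intended, say so in a comment; otherwise keep it in the list: `fas_client_groups: sysadmin-main,sysadmin-noc,sysadmin-bodhi`. The same `00releng-sudoers` file is now shared by three groups with different fas_client_groups values in this commit, so its rules should be checked against each group's membership.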
@@ -73,6 +77,8 @@ fedmsg_certs:
# For the MOTD
csi_security_category: Moderate
+csi_primary_contact: Bodhi Admins root(a)rpmfusion.org
+csi_purpose: Run the Bodhi mod_wsgi app for admin.rpmfusion.org
csi_relationship: |
The apache/mod_wsgi app is the only thing really running here.
The mashing of repos is handled by the bodhi-backend node(s).
diff --git a/group_vars/releng-compose b/group_vars/releng-compose
new file mode 100644
index 0000000..cfe2376
--- /dev/null
+++ b/group_vars/releng-compose
@@ -0,0 +1,47 @@
+---
+# common items for the releng-* boxes
+lvm_size: 10000
+mem_size: 1024
+num_cpus: 1
+ks_url: http://192.168.181.254/install/ks/compose01.ks
+ks_repo: http://dl.fedoraproject.org/pub/fedora/linux/releases/24/Server/x86_64/os/
+virt_install_command: "{{ virt_install_command_one_nic }}"
+
+# With 16 cpus, theres a bunch more kernel threads
+nrpe_procs_warn: 900
+nrpe_procs_crit: 1000
+
+host_group: releng
+fas_client_groups: sysadmin-releng
+freezes: true
+sudoers: "{{ private }}/files/sudo/00releng-sudoers"
+
+nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4"
+
+# For the mock config
+kojipkgs_url: koji.rpmfusion.org/kojifiles
+kojihub_url: koji.rpmfusion.org/kojihub
+kojihub_scheme: http
+
+# for kojid config
+koji_server_url: "http://koji.rpmfusion.org/kojihub"
+koji_weburl: "http://koji.rpmfusion.org/koji"
+koji_topurl: "http://koji.rpmfusion.org/kojifiles"
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+ owner: root
+ group: root
+ can_send:
+ - logger.log
+- service: releng
+ owner: root
+ group: masher
+ can_send:
+ - pungi.compose.phase.start
+ - pungi.compose.phase.stop
+ - pungi.compose.status.change
+ # Then there are *all these* make-updates things from releng+cloudsig
+ - compose.23.make-updates.start
+ - compose.23.make-updates.done
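Review bot: `kojihub_scheme: http` and the three `koji_*url` values talk to koji.rpmfusion.org over plain http, so kojid's session with the hub, including whatever credential it presents, is neither encrypted nor server-authenticated; the robosignatory config elsewhere in this series uses `https://koji.rpmfusion.org/kojihub` for the same hub, and the scheme here should match it. `ks_url` and `ks_repo` are likewise fetched over http, leaving RPM signature checks as the only integrity control on the install tree. The `# With 16 cpus` comment above `nrpe_procs_warn` contradicts `num_cpus: 1` in this file. The `compose.23.make-updates.*` topics under the releng cert appear to be a fixed list for one release while the rest of this series signs up to f25; confirm the topic list is current, and consider a comment saying which producer emits them.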
diff --git a/inventory/inventory b/inventory/inventory
index 2eab70a..e64130c 100644
--- a/inventory/inventory
+++ b/inventory/inventory
@@ -1,9 +1,12 @@
[bastion]
hv01.online.rpmfusion.net
-[bodhi-backend]
+[bodhi2]
bodhi01.online.rpmfusion.net
+[bodhi-backend]
+bodhi-backend01.online.rpmfusion.net
+
[bugzilla]
bugzilla02.online.rpmfusion.net
@@ -28,6 +31,12 @@ pkgs01.online.rpmfusion.net
[proxies]
pkgs01.online.rpmfusion.net
+[releng-compose]
+bodhi01-backend.online.rpmfusion.net
+
+[sign-bridge]
+koji01.online.rpmfusion.net
+
[bvirthost]
[buildvmhost]
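Review bot: The host added to `[releng-compose]`, `bodhi01-backend.online.rpmfusion.net`, differs from the `bodhi-backend01.online.rpmfusion.net` added to `[bodhi-backend]` in the first hunk only in where the `01` sits; if both are meant to be one machine, one of them is a typo and that group's vars will quietly apply to a host that does not exist. Confirm which name resolves and use it in both groups. The new `[sign-bridge]` group places the sigul bridge on koji01, which by its name looks like the koji hub host; co-locating the signing bridge with the hub is a design decision that deserves a comment in the inventory or the sigul role.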
[ansible] Disable openvpn on fas
by Nicolas Chauvet
commit d15e018e178ec780daf2ab50b1a1e2fe4d718918
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Fri Oct 7 22:51:17 2016 +0200
Disable openvpn on fas
playbooks/groups/fas.yml | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)
---
diff --git a/playbooks/groups/fas.yml b/playbooks/groups/fas.yml
index 790b53f..a434c4a 100644
--- a/playbooks/groups/fas.yml
+++ b/playbooks/groups/fas.yml
@@ -27,7 +27,6 @@
- sudo
# - yubikey
# - totpcgi
- - { role: openvpn/client, when: env != "staging" }
tasks:
- include: "{{ tasks }}/yumrepos.yml"
[ansible] Add memcached
by Nicolas Chauvet
commit 46564f859386b03a096f53d9dfa4d5eb0764cba0
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Fri Oct 7 18:58:17 2016 +0200
Add memcached
.../memcached/files/memcached-systemdoverride.conf | 3 ++
roles/memcached/tasks/main.yml | 35 ++++++++++++++++++++
roles/memcached/templates/memcached | 5 +++
3 files changed, 43 insertions(+), 0 deletions(-)
---
diff --git a/roles/memcached/files/memcached-systemdoverride.conf b/roles/memcached/files/memcached-systemdoverride.conf
new file mode 100644
index 0000000..98d34df
--- /dev/null
+++ b/roles/memcached/files/memcached-systemdoverride.conf
@@ -0,0 +1,3 @@
+[Service]
+Restart=always
+
diff --git a/roles/memcached/tasks/main.yml b/roles/memcached/tasks/main.yml
new file mode 100644
index 0000000..e8f6c9c
--- /dev/null
+++ b/roles/memcached/tasks/main.yml
@@ -0,0 +1,35 @@
+---
+- name: install memcached server package
+ yum: state=present name=memcached
+ tags:
+ - packages
+ - memcached
+
+- name: setup memcached sysconfig
+ template: src=memcached dest=/etc/sysconfig/memcached mode=644
+ notify:
+ - restart memcached
+ tags:
+ - config
+ - memcached
+
+- name: enable memcached service
+ service: state=running enabled=true name=memcached
+ tags:
+ - service
+ - config
+ - memcached
+
+- name: make systemd override dir
+ file: state=directory path=/etc/systemd/system/memcached.service.d mode=0755 owner=root group=root
+ tags:
+ - memcached
+ when: not ansible_distribution_major_version|int == 6
+
+- name: make systemd override config
+ copy: src=memcached-systemdoverride.conf dest=/etc/systemd/system/memcached.service.d/
+ tags:
+ - memcached
+ notify:
+ - reload systemd
+ when: not ansible_distribution_major_version|int == 6
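Review bot: The handlers notified here, `restart memcached` and `reload systemd`, are not defined by this commit (the diffstat lists only files/, tasks/ and templates/), so unless they come from a shared handlers include the play fails on the first config change with an undefined-handler error; add `roles/memcached/handlers/main.yml` with a `restart memcached` service task, and a daemon-reload handler if `reload systemd` is not provided elsewhere. The `enable memcached service` task also runs before the systemd override is copied, so on a fresh host the service starts without `Restart=always` until a daemon-reload and restart happen; moving the two override tasks above it, or notifying `restart memcached` from the override copy, avoids that. `mode=644` on the template task is inconsistent with `mode=0755` on the file task; write it `mode=0644`.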
diff --git a/roles/memcached/templates/memcached b/roles/memcached/templates/memcached
new file mode 100644
index 0000000..e350ae6
--- /dev/null
+++ b/roles/memcached/templates/memcached
@@ -0,0 +1,5 @@
+PORT="11211"
+USER="memcached"
+MAXCONN="1024"
+CACHESIZE="1024"
+OPTIONS=""
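Review bot: `OPTIONS=""` leaves memcached on its defaults, which bind TCP and UDP port 11211 on all interfaces with no authentication, so unless the host's iptables rules limit 11211 to the application nodes the cache is reachable by anything that can route to the box. The listen address should be chosen explicitly, for example `OPTIONS="-l 127.0.0.1"` for a cache used only from the same host, or `-l <app-facing address> -U 0` to bind the application interface and disable UDP. The file has no Jinja expressions, so it could live under files/ and be deployed with copy unless variables are planned for it.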
[ansible] Update ks_repo for fas
by Nicolas Chauvet
commit a38d451840220796eef4da67229af1bb41413447
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Fri Oct 7 18:53:15 2016 +0200
Update ks_repo for fas
group_vars/fas | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
---
diff --git a/group_vars/fas b/group_vars/fas
index cb3a348..74bb607 100644
--- a/group_vars/fas
+++ b/group_vars/fas
@@ -5,6 +5,7 @@ mem_size: 1024
num_cpus: 1
virt_install_command: "{{ virt_install_command_rhel6 }}"
+ks_repo: http://mirror.centos.org/centos/6/os/x86_64/
# for systems that do not match the above - specify the same parameter in
# the host_vars/$hostname file
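Review bot: `ks_repo` points at the CentOS 6 tree over plain http, so the install source is fetched without transport integrity or server authentication; the `ks_url` for fas01 elsewhere in this series is http as well. If the mirror offers https prefer it, otherwise record the trade-off above the key: `# http only: RPM GPG signatures are the sole integrity check for the install tree`.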
[ansible] Bridged inverted with fedora
by Nicolas Chauvet
commit 6166427197d97028d03e933d149fc2183633a1b7
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Fri Oct 7 18:30:22 2016 +0200
Bridged inverted with fedora
group_vars/all | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
---
diff --git a/group_vars/all b/group_vars/all
index b4e24a4..609d659 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -79,7 +79,7 @@ virt_install_command_rhel6: virt-install -n {{ inventory_hostname }}
"ksdevice=eth0 ks={{ ks_url }} ip={{ eth0_ip }} netmask={{ nm }}
gateway={{ gw }} dns={{ dns }} console=tty0 console=ttyS0
hostname={{ inventory_hostname }}"
- --network=bridge=br0 --autostart --noautoconsole --watchdog default
+ --network=bridge=br1 --autostart --noautoconsole --watchdog default
max_mem_size: "{{ mem_size * 1 }}"
max_cpu: "{{ num_cpus * 1 }}"
[ansible] Add fas01.online host
by Nicolas Chauvet
commit 50bd3a3549a56b75275283ad922086a79b368040
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Fri Oct 7 18:15:29 2016 +0200
Add fas01.online host
group_vars/fas | 47 ++++++++++++++++++++++++++++++++++
host_vars/fas01.online.rpmfusion.net | 12 ++++++++
inventory/inventory | 3 ++
playbooks/groups/fas.yml | 4 +-
4 files changed, 64 insertions(+), 2 deletions(-)
---
diff --git a/group_vars/fas b/group_vars/fas
new file mode 100644
index 0000000..cb3a348
--- /dev/null
+++ b/group_vars/fas
@@ -0,0 +1,47 @@
+---
+# Define resources for this group of hosts here.
+lvm_size: 30000
+mem_size: 1024
+num_cpus: 1
+
+virt_install_command: "{{ virt_install_command_rhel6 }}"
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+wsgi_fedmsg_service: fas
+wsgi_procs: 40
+wsgi_threads: 1
+
+tcp_ports: [ 80, 873, 8443, 8444 ]
+
+fas_client_groups: sysadmin-main,sysadmin-accounts
+
+master_fas_node: True
+gen_cert: False
+
+# A host group for rsync config
+rsync_group: fas
+
+nrpe_procs_warn: 300
+nrpe_procs_crit: 500
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+ owner: root
+ group: sysadmin
+ can_send:
+ - logger.log
+- service: fas
+ owner: root
+ group: fas
+ can_send:
+ - fas.group.create
+ - fas.group.member.apply
+ - fas.group.member.remove
+ - fas.group.member.sponsor
+ - fas.group.update
+ - fas.role.update
+ - fas.user.create
+ - fas.user.update
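Review bot: `tcp_ports: [ 80, 873, 8443, 8444 ]` opens rsync (873) to every source, while the bodhi2 group in this series limits the same port to a specific source address via a `custom_rules` entry; for a host that holds account data the rsync port should be restricted to the host that pulls from it rather than opened globally, and a comment should name that puller. Booleans are written `True`/`False` here but `true` in group_vars/releng-compose (`freezes: true`); pick one form. `master_fas_node: True` and `gen_cert: False` carry no comment, so a one-liner naming the role that consumes each would help the next editor.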
diff --git a/host_vars/fas01.online.rpmfusion.net b/host_vars/fas01.online.rpmfusion.net
new file mode 100644
index 0000000..6956353
--- /dev/null
+++ b/host_vars/fas01.online.rpmfusion.net
@@ -0,0 +1,12 @@
+nm: 255.255.255.0
+gw: 192.168.181.254
+dns: 62.210.16.6
+ks_url: http://192.168.181.254/install/ks/fas01.ks
+volgroup: /dev/vg_hv03_virt
+eth0_ip: 192.168.181.172
+vmhost: hv01.online.rpmfusion.net
+datacenter: online
+
+nrpe_procs_warn: 900
+nrpe_procs_crit: 1000
+
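Review bot: `nrpe_procs_warn`/`nrpe_procs_crit` here (900/1000) override the 300/500 added to group_vars/fas in this same commit, and fas01 is the only member of the `[fas]` group the commit creates, so the group-level values are never effective. Keep one of the two, or add a comment on the host-level override saying why this host differs from its group, e.g. `# override: this VM runs on a larger hypervisor than the group default assumes`. The file also ends with a stray blank line.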
diff --git a/inventory/inventory b/inventory/inventory
index 8e94d21..2eab70a 100644
--- a/inventory/inventory
+++ b/inventory/inventory
@@ -10,6 +10,9 @@ bugzilla02.online.rpmfusion.net
[dbserver]
db02.online.rpmfusion.net
+[fas]
+fas01.online.rpmfusion.net
+
[ipsilon]
ipsilon01.online.rpmfusion.net
diff --git a/playbooks/groups/fas.yml b/playbooks/groups/fas.yml
index bff9deb..790b53f 100644
--- a/playbooks/groups/fas.yml
+++ b/playbooks/groups/fas.yml
@@ -25,8 +25,8 @@
- fas_server
- fedmsg/base
- sudo
- - yubikey
- - totpcgi
+# - yubikey
+# - totpcgi
- { role: openvpn/client, when: env != "staging" }
tasks:
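Review bot: Commenting out the `yubikey` and `totpcgi` roles removes the second-factor services from the FAS play with no stated reason, and the openvpn/client change elsewhere in this series (commit d15e018) deletes its line outright instead, so the play now mixes both styles. Each disabled role should carry the reason and what would re-enable it, e.g. `# - yubikey   # disabled: <reason>`; if the roles are simply not planned for this deployment, deleting the lines is cleaner than leaving them commented. The enclosing roles list starts before this hunk.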
[ansible] Add empty directory
by Nicolas Chauvet
commit 427c1c727a94565644e79e8da4eae78adf6883c2
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Tue Oct 4 16:48:09 2016 +0200
Add empty directory
roles/bugzilla/handlers/main.yml | 2 ++
roles/bugzilla/tests/inventory | 1 +
roles/bugzilla/tests/test.yml | 5 +++++
roles/bugzilla/vars/main.yml | 2 ++
4 files changed, 10 insertions(+), 0 deletions(-)
---
diff --git a/roles/bugzilla/handlers/main.yml b/roles/bugzilla/handlers/main.yml
new file mode 100644
index 0000000..2c6e757
--- /dev/null
+++ b/roles/bugzilla/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for bugzilla
diff --git a/roles/bugzilla/tests/inventory b/roles/bugzilla/tests/inventory
new file mode 100644
index 0000000..d18580b
--- /dev/null
+++ b/roles/bugzilla/tests/inventory
@@ -0,0 +1 @@
+localhost
\ No newline at end of file
diff --git a/roles/bugzilla/tests/test.yml b/roles/bugzilla/tests/test.yml
new file mode 100644
index 0000000..af91cf4
--- /dev/null
+++ b/roles/bugzilla/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - bugzilla
\ No newline at end of file
diff --git a/roles/bugzilla/vars/main.yml b/roles/bugzilla/vars/main.yml
new file mode 100644
index 0000000..730e5b0
--- /dev/null
+++ b/roles/bugzilla/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for bugzilla
[ansible] Add robosignatory
by Nicolas Chauvet
commit 9fa457a38c646f52230f4d972e9cd49c45619527
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Tue Oct 4 16:46:08 2016 +0200
Add robosignatory
roles/robosignatory/files/koji.conf | 7 ++
.../files/robosignatory.production.py | 68 ++++++++++++++++++++
roles/robosignatory/tasks/main.yml | 49 ++++++++++++++
3 files changed, 124 insertions(+), 0 deletions(-)
---
diff --git a/roles/robosignatory/files/koji.conf b/roles/robosignatory/files/koji.conf
new file mode 100644
index 0000000..1713a77
--- /dev/null
+++ b/roles/robosignatory/files/koji.conf
@@ -0,0 +1,7 @@
+[koji]
+server = http://koji.rpmfusion.org/kojihub
+weburl = http://koji.rpmfusion.org/koji
+topurl = https://kojipkgs.rpmfusion.org/
+anon_retry = false
+cert = /etc/robosignatory/koji.cert
+serverca = /etc/robosignatory/serverca.cert
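Review bot: `server = http://koji.rpmfusion.org/kojihub` is paired with `cert =` and `serverca =`, but client-certificate authentication only happens over TLS; over http the certificate is never presented, the hub sees an anonymous session and `serverca` has nothing to verify. The robosignatory.production.py in this commit already uses `https://koji.rpmfusion.org/kojihub` for the same hub, so use the https URL here too (`server = https://koji.rpmfusion.org/kojihub`, and most likely `weburl` as well). The tasks file installs this file as `/etc/robosignatory/koji.config` although the source is `koji.conf`; use one name so the installed path is predictable.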
diff --git a/roles/robosignatory/files/robosignatory.production.py b/roles/robosignatory/files/robosignatory.production.py
new file mode 100644
index 0000000..2ba3fad
--- /dev/null
+++ b/roles/robosignatory/files/robosignatory.production.py
@@ -0,0 +1,68 @@
+config = {
+ 'logging': {
+ 'loggers': {
+ 'robosignatory': {
+ 'handlers': ['console', 'mailer'],
+ 'level': 'DEBUG',
+ 'propagate': False
+ },
+ },
+ },
+
+ 'robosignatory.enabled.tagsigner': True,
+ 'robosignatory.signing.user': 'autopen',
+ 'robosignatory.signing.passphrase_file': '/etc/sigul/autosign.pass',
+ 'robosignatory.signing.config_file': '/etc/sigul/client.conf',
+
+ # The keys here need to be the same in the sigul bridge
+ 'robosignatory.koji_instances': {
+ 'primary': {
+ 'url': 'https://koji.rpmfusion.org/kojihub',
+ 'options': {
+ # Only ssl is supported at the moment
+ 'authmethod': 'ssl',
+ 'cert': '/etc/sigul/autopen.pem',
+ 'serverca': '/etc/sigul/fedoraca.pem',
+ },
+ 'tags': [
+ {
+ "from": "f23-free-candidate",
+ "key": "f23-free",
+ "keyid": "e051b67e",
+ "to": "f23-free-updates-testing"
+ },
+ {
+ "from": "f24-free-candidate",
+ "key": "f24-free",
+ "keyid": "b7546f06",
+ "to": "f24-free-updates-testing"
+ },
+ {
+ "from": "f25-free-candidate",
+ "key": "f25-free",
+ "keyid": "6806a9cb",
+ "to": "f25-free-updates-testing"
+ },
+ {
+ "from": "f23-nonfree-candidate",
+ "key": "f23-nonfree",
+ "keyid": "e051b67e",
+ "to": "f23-nonfree-updates-testing"
+ },
+ {
+ "from": "f24-nonfree-candidate",
+ "key": "f24-nonfree",
+ "keyid": "b7546f06",
+ "to": "f24-nonfree-updates-testing"
+ },
+ {
+ "from": "f25-nonfree-candidate",
+ "key": "f25-nonfree",
+ "keyid": "6806a9cb",
+ "to": "f25-nonfree-updates-testing"
+ }
+
+ ]
+ },
+ },
+}
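Review bot: The koji_instances options reference `/etc/sigul/autopen.pem` and `/etc/sigul/fedoraca.pem`, but the tasks hunk in this commit installs the client certificate to `/etc/robosignatory/koji.cert` and the CA to `/etc/robosignatory/serverca.cert` and creates nothing under /etc/sigul; the same applies to `/etc/sigul/autosign.pass` and `/etc/sigul/client.conf`, which no task deploys. Either change these paths to the installed ones or add tasks that deploy the sigul client files, because as written a fresh host cannot authenticate to koji or to sigul. The `Create sigul directory` task makes `/etc/robosignatory/sigul`, which nothing in the commit uses. The robosignatory logger is set to `'DEBUG'` with a `mailer` handler, so every debug line goes to mail; `'INFO'` is the usual production level unless that volume is wanted.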
diff --git a/roles/robosignatory/tasks/main.yml b/roles/robosignatory/tasks/main.yml
new file mode 100644
index 0000000..851d3ef
--- /dev/null
+++ b/roles/robosignatory/tasks/main.yml
@@ -0,0 +1,49 @@
+- name: Install packages
+ yum: state=present name={{ item }}
+ with_items:
+ - python-robosignatory
+ - trousers
+ - tpm-tools
+ tags:
+ - packages
+ - robosignatory
+
+- name: Create config directory
+ file: path=/etc/robosignatory state=directory owner=fedmsg group=fedmsg mode=0750
+ tags:
+ - config
+ - robosignatory
+
+- name: Create sigul directory
+ file: path=/etc/robosignatory/sigul state=directory owner=fedmsg group=fedmsg mode=0750
+ tags:
+ - config
+ - robosignatory
+
+- name: Install koji certificate and key
+ copy: src="{{ private }}/files/koji/autopen.pem" dest=/etc/robosignatory/koji.cert
+ owner=fedmsg group=fedmsg mode=0640
+ tags:
+ - config
+ - robosignatory
+
+- name: Install koji config
+ copy: src=koji.conf dest=/etc/robosignatory/koji.config
+ owner=fedmsg group=fedmsg mode=0640
+ tags:
+ - config
+ - robosignatory
+
+- name: Install koji CA certificate
+ copy: src="{{ private }}/files/fedora-ca.cert" dest=/etc/robosignatory/serverca.cert
+ owner=fedmsg group=fedmsg mode=0640
+ tags:
+ - config
+ - robosignatory
+
+- name: Setup robosignatory config
+ copy: src=robosignatory.{{env}}.py dest=/etc/fedmsg.d/robosignatory.py
+ owner=fedmsg group=fedmsg mode=0640
+ tags:
+ - config
+ - robosignatory
[ansible] Add sigul
by Nicolas Chauvet
commit 420bb462530ac485cfb22ec15f78714f76417938
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Tue Oct 4 13:08:35 2016 +0200
Add sigul
roles/sigul/bridge/files/koji-primary.conf | 24 +++++++++++
roles/sigul/bridge/tasks/main.yml | 14 ++++++
roles/sigul/bridge/templates/bridge.conf.j2 | 38 +++++++++++++++++
roles/sigul/server/files/00-sigul.rules | 12 +++++
roles/sigul/server/tasks/main.yml | 57 +++++++++++++++++++++++++
roles/sigul/server/templates/server.conf.j2 | 60 +++++++++++++++++++++++++++
6 files changed, 205 insertions(+), 0 deletions(-)
---
diff --git a/roles/sigul/bridge/files/koji-primary.conf b/roles/sigul/bridge/files/koji-primary.conf
new file mode 100644
index 0000000..5ff3981
--- /dev/null
+++ b/roles/sigul/bridge/files/koji-primary.conf
@@ -0,0 +1,24 @@
+[koji]
+
+;configuration for koji cli tool
+
+;url of XMLRPC server
+server = http://koji.rpmfusion.org/kojihub
+
+;url of web interface
+weburl = http://koji.rpmfusion.org/koji
+
+;url of package download site
+topurl = https://kojipkgs.rpmfusion.org/
+
+;path to the koji top directory
+;topdir = /mnt/koji
+
+anon_retry = true
+
+;client certificate
+cert = /etc/sigul/rpmfusion.cert
+
+;certificate of the CA that issued the HTTP server certificate
+serverca = /etc/sigul/rpmfusion-server-ca.cert
+
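Review bot: As with the robosignatory koji.conf in this series, `server = http://koji.rpmfusion.org/kojihub` with `cert =`/`serverca =` cannot authenticate the bridge: the client certificate is only presented over TLS, so the hub sees an anonymous session. `anon_retry = true` compounds this, since as I read that option a failed certificate login is retried anonymously and the misconfiguration stays invisible; for a signing bridge `anon_retry = false` (the value the robosignatory koji.conf uses) makes the failure show up. Use `server = https://koji.rpmfusion.org/kojihub` here, and `weburl` should follow. The file also ends with an extra blank line.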
diff --git a/roles/sigul/bridge/tasks/main.yml b/roles/sigul/bridge/tasks/main.yml
new file mode 100644
index 0000000..4ebadb7
--- /dev/null
+++ b/roles/sigul/bridge/tasks/main.yml
@@ -0,0 +1,14 @@
+- name: Install sigul bridge
+ yum: state=present name=sigul-bridge
+ tags:
+ - packages
+
+- name: Setup sigul bridge.conf
+ template: src=bridge.conf.j2 dest=/etc/sigul/bridge.conf
+ owner=sigul group=sigul mode=0640
+ tags:
+ - config
+
+- name: Setup primary koji config file
+ copy: src=koji-primary.conf dest=/etc/koji-primary.conf owner=root group=root mode=644
+
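Review bot: No task starts or enables the sigul bridge service and the template task notifies no handler, so a changed bridge.conf is only picked up after a manual restart and a fresh host never has the daemon running. Add a `service: name=<sigul bridge unit> state=started enabled=yes` task and a restart handler notified from the `Setup sigul bridge.conf` task. The last task carries no tags, unlike the two above it, and the file ends with a stray blank line.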
diff --git a/roles/sigul/bridge/templates/bridge.conf.j2 b/roles/sigul/bridge/templates/bridge.conf.j2
new file mode 100644
index 0000000..3c13e2e
--- /dev/null
+++ b/roles/sigul/bridge/templates/bridge.conf.j2
@@ -0,0 +1,38 @@
+# This is a configuration for the sigul bridge.
+#
+[bridge]
+# Nickname of the bridge's certificate in the NSS database specified below
+bridge-cert-nickname: sign-bridge1 - RPM Fusion Project
+
+# Port on which the bridge expects client connections
+client-listen-port: 44334
+# Port on which the bridge expects server connections
+server-listen-port: 44333
+# A RPM Fusion account system group required for access to the signing server. If
+# empty, no RPM Fusion account check is done.
+required-fas-group: signers
+# User name and password for an account on the RPM Fusion account system that can
+# be used to verify group memberships
+fas-user-name: {{ fedoraDummyUser }}
+fas-password: {{ fedoraDummyUserPassword }}
+
+[koji]
+koji-instances: primary
+koji-config-primary: /etc/koji-primary.conf
+
+[daemon]
+# The user to run as
+unix-user: sigul
+# The group to run as
+unix-group: sigul
+
+[nss]
+# Path to a directory containing a NSS database
+nss-dir: /var/lib/sigul
+# Password for accessing the NSS database. If not specified, the bridge will
+# ask on startup
+# Currently no password is used
+nss-password:
+# Minimum and maximum versions of TLS used
+nss-min-tls: tls1.2
+nss-max-tls: tls1.2
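Review bot: `nss-password:` is left empty with `# Currently no password is used`, which means the bridge certificate's private key in `/var/lib/sigul` is not protected by an NSS password at rest; that is a deliberate trade-off (unattended start versus key protection) and the comment should say so and name what compensates for it, e.g. `# intentionally empty so the bridge starts unattended; the NSS db is protected only by filesystem ownership and mode`. `fas-password: {{ fedoraDummyUserPassword }}` is rendered in clear into the file, so the `owner=sigul group=sigul mode=0640` on the template task is the only thing keeping it from other local users and must be kept if that task is touched.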
diff --git a/roles/sigul/server/files/00-sigul.rules b/roles/sigul/server/files/00-sigul.rules
new file mode 100644
index 0000000..d3234c2
--- /dev/null
+++ b/roles/sigul/server/files/00-sigul.rules
@@ -0,0 +1,12 @@
+polkit.addRule(function(action, subject) {
+ if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
+ subject.user == "sigul") {
+ return polkit.Result.YES;
+ }
+});
+
+polkit.addRule(function(action, subject) {
+ if (action.id == "org.debian.pcsc-lite.access_card" &&
+ subject.user == "sigul") {
+ return polkit.Result.YES; }
+});
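Review bot: The second rule closes its if-block on the same line as the return (`return polkit.Result.YES; }`) while the first puts the brace on its own line; both grant the same user access to pcsc-lite actions, so a single rule testing both action ids is shorter and easier to audit. The rewrite below replaces both rules.
```javascript
polkit.addRule(function(action, subject) {
    if ((action.id == "org.debian.pcsc-lite.access_pcsc" ||
         action.id == "org.debian.pcsc-lite.access_card") &&
        subject.user == "sigul") {
        return polkit.Result.YES;
    }
});
```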
diff --git a/roles/sigul/server/tasks/main.yml b/roles/sigul/server/tasks/main.yml
new file mode 100644
index 0000000..d368ea6
--- /dev/null
+++ b/roles/sigul/server/tasks/main.yml
@@ -0,0 +1,57 @@
+- name: put rhel AH repos on rhel systems
+ copy: src="{{ files }}/common/rhel7ah.repo" dest="/etc/yum.repos.d/rhel7ah.repo"
+ when: ansible_distribution == 'RedHat' or ansible_distribution == 'CentOS'
+ tags:
+ - config
+ - packages
+ - yumrepos
+
+- name: Install sigul server
+ package: state=present name={{ item }}
+ with_items:
+ - sigul-server
+ - rpm-sign
+ - bzip2
+ - p11-kit
+ - engine_pkcs11
+ - gnutls-utils
+ - ykpers
+ - yubico-piv-tool
+ - pcsc-lite
+ - opensc
+ tags:
+ - packages
+
+- name: Enable pcscd
+ service: name=pcscd state=started enabled=yes
+
+- name: install rhel7 only packages
+ package: state=present name={{ item }}
+ with_items:
+ - gnupg1
+ when: ansible_distribution_major_version|int == 7
+ tags:
+ - packages
+
+- name: install fedora only packages
+ package: state=present name={{ item }}
+ with_items:
+ - gnupg
+ when: ansible_distribution_major_version|int > 23
+ tags:
+ - packages
+
+- name: Setup sigul server.conf
+ template: src=server.conf.j2 dest=/etc/sigul/server.conf
+ owner=sigul group=sigul mode=0640
+ tags:
+ - config
+
+- name: Setup gpg link on rhel7
+ file: state=link src=/usr/bin/gpg1 dest=/usr/bin/gpg
+ when: ansible_distribution_major_version|int == 7
+
+- name: add polkit rules to allow sigul user to access the smartcard/yubikey
+ file: src=00-sigul.rules dest=/etc/polkit-1/rules.d/00-sigul.rules
+ tags:
+ - config
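Review bot: The last task uses the `file` module with `src=00-sigul.rules dest=/etc/polkit-1/rules.d/00-sigul.rules` but no `state=link`; `file` does not copy content, so the polkit rule added in this commit never reaches the host (the task either fails on the missing dest or no-ops, depending on the Ansible version). It should be `copy: src=00-sigul.rules dest=/etc/polkit-1/rules.d/00-sigul.rules owner=root group=root mode=0644`. `Setup gpg link on rhel7` replaces `/usr/bin/gpg` with a symlink to gpg1, which a package update of whatever owns that path will undo, so a comment on why sigul needs gpg1 at that location would help. The `Setup sigul server.conf` task notifies no handler, so config changes are not applied until a manual restart.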
diff --git a/roles/sigul/server/templates/server.conf.j2 b/roles/sigul/server/templates/server.conf.j2
new file mode 100644
index 0000000..d712a87
--- /dev/null
+++ b/roles/sigul/server/templates/server.conf.j2
@@ -0,0 +1,60 @@
+# This is a configuration for the sigul server.
+
+[server]
+# Host name of the publically acessible bridge to clients
+
+bridge-hostname: koji01.online.rpmfusion.net
+server-cert-nickname: sign-vault1 - RPM Fusion Project
+
+# Port on which the bridge expects server connections
+bridge-port: 44333
+# Maximum accepted size of payload stored on disk
+max-file-payload-size: 2073741824
+# Maximum accepted size of payload stored in server's memory
+max-memory-payload-size: 1048576
+
+# Whether to relax the CN vs username check
+lenient-username-check: yes
+# Which CN's are allowed to use different usernames, comma seperated
+proxy-usernames:
+
+
+[database]
+# Path to a directory containing a SQLite database
+;database-path: /var/lib/sigul
+
+[gnupg]
+# Path to a directory containing GPG configuration and keyrings
+gnupg-home: /var/lib/sigul/gnupg
+# Default primary key type for newly created keys
+gnupg-key-type: RSA
+# Default primary key length for newly created keys
+gnupg-key-length: 4096
+# Default subkey type for newly created keys, empty for no subkey
+gnupg-subkey-type:
+# Default subkey length for newly created keys if gnupg-subkey-type is not empty
+; gnupg-subkey-length: 2048
+# Default key usage flags for newly created keys
+gnupg-key-usage: encrypt, sign
+# Length of key passphrases used for newsly created keys
+passphrase-length: 128
+
+[daemon]
+# The user to run as
+unix-user: sigul
+# The group to run as
+unix-group: sigul
+
+[nss]
+# Path to a directory containing a NSS database
+nss-dir: /var/lib/sigul
+# Password for accessing the NSS database. If not specified, the server will
+# ask on startup
+; nss-password is not specified by default
+# Minimum and maximum versions of TLS used
+nss-min-tls: tls1.2
+nss-max-tls: tls1.2
+
+[binding]
+# List of binding modules enabled
+enabled:
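Review bot: `lenient-username-check: yes` relaxes the requirement that a client's certificate CN equal its sigul user name, and `proxy-usernames:` is empty, so as far as these two lines go the CN-to-user binding is not enforced for anyone; that is a deliberate weakening of client identity on a signing server and should carry a comment stating why it is needed and which clients rely on it (confirm the exact semantics against sigul's documentation). `bridge-hostname: koji01.online.rpmfusion.net` with the `[sign-bridge]` inventory group elsewhere in this series means the vault talks to a bridge on the koji host, which is worth a sentence in the file header. The comments contain typos (`publically acessible`, `seperated`, `newsly`) to fix when the file is next touched.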