October 2016 - sysadmin-notify

by Nicolas Chauvet

commit ace1d1967358a3c85e4bc80f336924c4b9306afe Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Mon Oct 10 12:11:34 2016 +0200 Update bodhi-backend group_vars/bodhi-backend | 42 ++++++++++++++++++++++++++++++++++++++++ group_vars/bodhi2 | 10 +++++++- group_vars/releng-compose | 47 +++++++++++++++++++++++++++++++++++++++++++++ inventory/inventory | 11 +++++++++- 4 files changed, 107 insertions(+), 3 deletions(-) --- diff --git a/group_vars/bodhi-backend b/group_vars/bodhi-backend new file mode 100644 index 0000000..529d28d --- /dev/null +++ b/group_vars/bodhi-backend @@ -0,0 +1,42 @@ +--- +# common items for the releng-* boxes +lvm_size: 10000 +mem_size: 1024 +num_cpus: 1 + +# Do not use testing repositories on production +testing: False + +# These are for fedmsg publication from the bodhi backend. +# If you change these iptables rules, you also need to changes the endpoints +# list in roles/fedmsg/base/templates/endpoints-bodhi.py +tcp_ports: [ + 3000, 3001, 3002, 3003, 3004, + 3005, 3006, 3007, 3008, 3009, + 3010, 3011, 3012, 3013, 3014, + 3015, 3016, 3017, 3018, 3019, +] +# Make connections from signing bridges stateless, they break sigul connections +# https://bugzilla.redhat.com/show_bug.cgi?id=1283364 +#custom_rules: ['-A INPUT --proto tcp --sport 44334 --source 10.5.125.71 -j ACCEPT'] + +# With 16 cpus, theres a bunch more kernel threads +nrpe_procs_warn: 900 +nrpe_procs_crit: 1000 + +host_group: releng + +# These people get told when something goes wrong. +fedmsg_error_recipients: +- root(a)rpmfusion.org + +## XXX -- note that the fedmsg_certs declaration does not happen here, but +# happens instead at the inventory/host_vars/ level since bodhi-backend03 and +# bodhi-backend02 have different roles and responsibilities. + +nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4" + +fas_client_groups: sysadmin-releng,sysadmin-bodhi +sudoers: "{{ private }}/files/sudo/00releng-sudoers" + +## XXX - note that the csi_ stuff is kept at the host_vars/ level. diff --git a/group_vars/bodhi2 b/group_vars/bodhi2 index 7cec042..18d32dd 100644 --- a/group_vars/bodhi2 +++ b/group_vars/bodhi2 @@ -7,10 +7,13 @@ lvm_size: 40000 mem_size: 16384 num_cpus: 4 +# Do not use testing repositories on production +testing: False + # for systems that do not match the above - specify the same parameter in # the host_vars/$hostname file -host_group: bodhi2 +host_group: releng # Definining these vars has a number of effects # 1) mod_wsgi is configured to use the vars for its own setup @@ -25,7 +28,8 @@ tcp_ports: [ 80 ] # Neeed for rsync from log01 for logs. #custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] -fas_client_groups: sysadmin-main +fas_client_groups: sysadmin-noc,sysadmin-bodhi +sudoers: "{{ private }}/files/sudo/00releng-sudoers" # These set a config value in /etc/fedmsg.d/, see roles/bodhi2/base/ # frontend nodes won't run either of these @@ -73,6 +77,8 @@ fedmsg_certs: # For the MOTD csi_security_category: Moderate +csi_primary_contact: Bodhi Admins root(a)rpmfusion.org +csi_purpose: Run the Bodhi mod_wsgi app for admin.rpmfusion.org csi_relationship: | The apache/mod_wsgi app is the only thing really running here. The mashing of repos is handled by the bodhi-backend node(s). diff --git a/group_vars/releng-compose b/group_vars/releng-compose new file mode 100644 index 0000000..cfe2376 --- /dev/null +++ b/group_vars/releng-compose @@ -0,0 +1,47 @@ +--- +# common items for the releng-* boxes +lvm_size: 10000 +mem_size: 1024 +num_cpus: 1 +ks_url: http://192.168.181.254/install/ks/compose01.ks +ks_repo: http://dl.fedoraproject.org/pub/fedora/linux/releases/24/Server/x86_64/os/ +virt_install_command: "{{ virt_install_command_one_nic }}" + +# With 16 cpus, theres a bunch more kernel threads +nrpe_procs_warn: 900 +nrpe_procs_crit: 1000 + +host_group: releng +fas_client_groups: sysadmin-releng +freezes: true +sudoers: "{{ private }}/files/sudo/00releng-sudoers" + +nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4" + +# For the mock config +kojipkgs_url: koji.rpmfusion.org/kojifiles +kojihub_url: koji.rpmfusion.org/kojihub +kojihub_scheme: http + +# for kojid config +koji_server_url: "http://koji.rpmfusion.org/kojihub" +koji_weburl: "http://koji.rpmfusion.org/koji" +koji_topurl: "http://koji.rpmfusion.org/kojifiles" + +# These are consumed by a task in roles/fedmsg/base/main.yml +fedmsg_certs: +- service: shell + owner: root + group: root + can_send: + - logger.log +- service: releng + owner: root + group: masher + can_send: + - pungi.compose.phase.start + - pungi.compose.phase.stop + - pungi.compose.status.change + # Then there are *all these* make-updates things from releng+cloudsig + - compose.23.make-updates.start + - compose.23.make-updates.done diff --git a/inventory/inventory b/inventory/inventory index 2eab70a..e64130c 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -1,9 +1,12 @@ [bastion] hv01.online.rpmfusion.net -[bodhi-backend] +[bodhi2] bodhi01.online.rpmfusion.net +[bodhi-backend] +bodhi-backend01.online.rpmfusion.net + [bugzilla] bugzilla02.online.rpmfusion.net @@ -28,6 +31,12 @@ pkgs01.online.rpmfusion.net [proxies] pkgs01.online.rpmfusion.net +[releng-compose] +bodhi01-backend.online.rpmfusion.net + +[sign-bridge] +koji01.online.rpmfusion.net + [bvirthost] [buildvmhost]

7 years, 6 months

1
0
0 / 0

[ansible] Add fas01 to hostsé

by Nicolas Chauvet

commit b9cce34459971087f71c1f2ac215d7437482075f Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Fri Oct 7 22:53:45 2016 +0200 Add fas01 to hostsé roles/hosts/files/online-hosts | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) --- diff --git a/roles/hosts/files/online-hosts b/roles/hosts/files/online-hosts index 09c9ea8..86e1510 100644 --- a/roles/hosts/files/online-hosts +++ b/roles/hosts/files/online-hosts @@ -20,6 +20,7 @@ 192.168.181.141 bodhi01.online.rpmfusion.net bodhi01 192.168.181.157 bugzilla02.online.rpmfusion.net bugzilla02 192.168.181.160 ipsilon01.online.rpmfusion.net ipsilon01 +192.168.181.172 fas01.online.rpmfusion.net fas01 # hv01 online - vpn 192.168.182.1 hv01.vpn.rpmfusion.net proxy.vpn.rpmfusion.net nfs-server.vpn.rpmfusion.net

7 years, 6 months

1
0
0 / 0

[ansible] Disable openvpn on fas

by Nicolas Chauvet

commit d15e018e178ec780daf2ab50b1a1e2fe4d718918 Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Fri Oct 7 22:51:17 2016 +0200 Disable openvpn on fas playbooks/groups/fas.yml | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) --- diff --git a/playbooks/groups/fas.yml b/playbooks/groups/fas.yml index 790b53f..a434c4a 100644 --- a/playbooks/groups/fas.yml +++ b/playbooks/groups/fas.yml @@ -27,7 +27,6 @@ - sudo # - yubikey # - totpcgi - - { role: openvpn/client, when: env != "staging" } tasks: - include: "{{ tasks }}/yumrepos.yml"

7 years, 6 months

1
0
0 / 0

[ansible] Add memcached

by Nicolas Chauvet

commit 46564f859386b03a096f53d9dfa4d5eb0764cba0 Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Fri Oct 7 18:58:17 2016 +0200 Add memcached .../memcached/files/memcached-systemdoverride.conf | 3 ++ roles/memcached/tasks/main.yml | 35 ++++++++++++++++++++ roles/memcached/templates/memcached | 5 +++ 3 files changed, 43 insertions(+), 0 deletions(-) --- diff --git a/roles/memcached/files/memcached-systemdoverride.conf b/roles/memcached/files/memcached-systemdoverride.conf new file mode 100644 index 0000000..98d34df --- /dev/null +++ b/roles/memcached/files/memcached-systemdoverride.conf @@ -0,0 +1,3 @@ +[Service] +Restart=always + diff --git a/roles/memcached/tasks/main.yml b/roles/memcached/tasks/main.yml new file mode 100644 index 0000000..e8f6c9c --- /dev/null +++ b/roles/memcached/tasks/main.yml @@ -0,0 +1,35 @@ +--- +- name: install memcached server package + yum: state=present name=memcached + tags: + - packages + - memcached + +- name: setup memcached sysconfig + template: src=memcached dest=/etc/sysconfig/memcached mode=644 + notify: + - restart memcached + tags: + - config + - memcached + +- name: enable memcached service + service: state=running enabled=true name=memcached + tags: + - service + - config + - memcached + +- name: make systemd override dir + file: state=directory path=/etc/systemd/system/memcached.service.d mode=0755 owner=root group=root + tags: + - memcached + when: not ansible_distribution_major_version|int == 6 + +- name: make systemd override config + copy: src=memcached-systemdoverride.conf dest=/etc/systemd/system/memcached.service.d/ + tags: + - memcached + notify: + - reload systemd + when: not ansible_distribution_major_version|int == 6 diff --git a/roles/memcached/templates/memcached b/roles/memcached/templates/memcached new file mode 100644 index 0000000..e350ae6 --- /dev/null +++ b/roles/memcached/templates/memcached @@ -0,0 +1,5 @@ +PORT="11211" +USER="memcached" +MAXCONN="1024" +CACHESIZE="1024" +OPTIONS=""

7 years, 6 months

1
0
0 / 0

[ansible] Update ks_repo for fas

by Nicolas Chauvet

commit a38d451840220796eef4da67229af1bb41413447 Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Fri Oct 7 18:53:15 2016 +0200 Update ks_repo for fas group_vars/fas | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) --- diff --git a/group_vars/fas b/group_vars/fas index cb3a348..74bb607 100644 --- a/group_vars/fas +++ b/group_vars/fas @@ -5,6 +5,7 @@ mem_size: 1024 num_cpus: 1 virt_install_command: "{{ virt_install_command_rhel6 }}" +ks_repo: http://mirror.centos.org/centos/6/os/x86_64/ # for systems that do not match the above - specify the same parameter in # the host_vars/$hostname file

7 years, 6 months

1
0
0 / 0

[ansible] Bridged inverted with fedora

by Nicolas Chauvet

commit 6166427197d97028d03e933d149fc2183633a1b7 Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Fri Oct 7 18:30:22 2016 +0200 Bridged inverted with fedora group_vars/all | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) --- diff --git a/group_vars/all b/group_vars/all index b4e24a4..609d659 100644 --- a/group_vars/all +++ b/group_vars/all @@ -79,7 +79,7 @@ virt_install_command_rhel6: virt-install -n {{ inventory_hostname }} "ksdevice=eth0 ks={{ ks_url }} ip={{ eth0_ip }} netmask={{ nm }} gateway={{ gw }} dns={{ dns }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }}" - --network=bridge=br0 --autostart --noautoconsole --watchdog default + --network=bridge=br1 --autostart --noautoconsole --watchdog default max_mem_size: "{{ mem_size * 1 }}" max_cpu: "{{ num_cpus * 1 }}"

7 years, 6 months

1
0
0 / 0

[ansible] Add fas01.online host

by Nicolas Chauvet

commit 50bd3a3549a56b75275283ad922086a79b368040 Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Fri Oct 7 18:15:29 2016 +0200 Add fas01.online host group_vars/fas | 47 ++++++++++++++++++++++++++++++++++ host_vars/fas01.online.rpmfusion.net | 12 ++++++++ inventory/inventory | 3 ++ playbooks/groups/fas.yml | 4 +- 4 files changed, 64 insertions(+), 2 deletions(-) --- diff --git a/group_vars/fas b/group_vars/fas new file mode 100644 index 0000000..cb3a348 --- /dev/null +++ b/group_vars/fas @@ -0,0 +1,47 @@ +--- +# Define resources for this group of hosts here. +lvm_size: 30000 +mem_size: 1024 +num_cpus: 1 + +virt_install_command: "{{ virt_install_command_rhel6 }}" + +# for systems that do not match the above - specify the same parameter in +# the host_vars/$hostname file + +wsgi_fedmsg_service: fas +wsgi_procs: 40 +wsgi_threads: 1 + +tcp_ports: [ 80, 873, 8443, 8444 ] + +fas_client_groups: sysadmin-main,sysadmin-accounts + +master_fas_node: True +gen_cert: False + +# A host group for rsync config +rsync_group: fas + +nrpe_procs_warn: 300 +nrpe_procs_crit: 500 + +# These are consumed by a task in roles/fedmsg/base/main.yml +fedmsg_certs: +- service: shell + owner: root + group: sysadmin + can_send: + - logger.log +- service: fas + owner: root + group: fas + can_send: + - fas.group.create + - fas.group.member.apply + - fas.group.member.remove + - fas.group.member.sponsor + - fas.group.update + - fas.role.update + - fas.user.create + - fas.user.update diff --git a/host_vars/fas01.online.rpmfusion.net b/host_vars/fas01.online.rpmfusion.net new file mode 100644 index 0000000..6956353 --- /dev/null +++ b/host_vars/fas01.online.rpmfusion.net @@ -0,0 +1,12 @@ +nm: 255.255.255.0 +gw: 192.168.181.254 +dns: 62.210.16.6 +ks_url: http://192.168.181.254/install/ks/fas01.ks +volgroup: /dev/vg_hv03_virt +eth0_ip: 192.168.181.172 +vmhost: hv01.online.rpmfusion.net +datacenter: online + +nrpe_procs_warn: 900 +nrpe_procs_crit: 1000 + diff --git a/inventory/inventory b/inventory/inventory index 8e94d21..2eab70a 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -10,6 +10,9 @@ bugzilla02.online.rpmfusion.net [dbserver] db02.online.rpmfusion.net +[fas] +fas01.online.rpmfusion.net + [ipsilon] ipsilon01.online.rpmfusion.net diff --git a/playbooks/groups/fas.yml b/playbooks/groups/fas.yml index bff9deb..790b53f 100644 --- a/playbooks/groups/fas.yml +++ b/playbooks/groups/fas.yml @@ -25,8 +25,8 @@ - fas_server - fedmsg/base - sudo - - yubikey - - totpcgi +# - yubikey +# - totpcgi - { role: openvpn/client, when: env != "staging" } tasks:

7 years, 6 months

1
0
0 / 0

[ansible] Add empty directory

by Nicolas Chauvet

commit 427c1c727a94565644e79e8da4eae78adf6883c2 Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Tue Oct 4 16:48:09 2016 +0200 Add empty directory roles/bugzilla/handlers/main.yml | 2 ++ roles/bugzilla/tests/inventory | 1 + roles/bugzilla/tests/test.yml | 5 +++++ roles/bugzilla/vars/main.yml | 2 ++ 4 files changed, 10 insertions(+), 0 deletions(-) --- diff --git a/roles/bugzilla/handlers/main.yml b/roles/bugzilla/handlers/main.yml new file mode 100644 index 0000000..2c6e757 --- /dev/null +++ b/roles/bugzilla/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for bugzilla diff --git a/roles/bugzilla/tests/inventory b/roles/bugzilla/tests/inventory new file mode 100644 index 0000000..d18580b --- /dev/null +++ b/roles/bugzilla/tests/inventory @@ -0,0 +1 @@ +localhost \ No newline at end of file diff --git a/roles/bugzilla/tests/test.yml b/roles/bugzilla/tests/test.yml new file mode 100644 index 0000000..af91cf4 --- /dev/null +++ b/roles/bugzilla/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - bugzilla \ No newline at end of file diff --git a/roles/bugzilla/vars/main.yml b/roles/bugzilla/vars/main.yml new file mode 100644 index 0000000..730e5b0 --- /dev/null +++ b/roles/bugzilla/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for bugzilla

7 years, 6 months

1
0
0 / 0

[ansible] Add robosignatory

by Nicolas Chauvet

commit 9fa457a38c646f52230f4d972e9cd49c45619527 Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Tue Oct 4 16:46:08 2016 +0200 Add robosignatory roles/robosignatory/files/koji.conf | 7 ++ .../files/robosignatory.production.py | 68 ++++++++++++++++++++ roles/robosignatory/tasks/main.yml | 49 ++++++++++++++ 3 files changed, 124 insertions(+), 0 deletions(-) --- diff --git a/roles/robosignatory/files/koji.conf b/roles/robosignatory/files/koji.conf new file mode 100644 index 0000000..1713a77 --- /dev/null +++ b/roles/robosignatory/files/koji.conf @@ -0,0 +1,7 @@ +[koji] +server = http://koji.rpmfusion.org/kojihub +weburl = http://koji.rpmfusion.org/koji +topurl = https://kojipkgs.rpmfusion.org/ +anon_retry = false +cert = /etc/robosignatory/koji.cert +serverca = /etc/robosignatory/serverca.cert diff --git a/roles/robosignatory/files/robosignatory.production.py b/roles/robosignatory/files/robosignatory.production.py new file mode 100644 index 0000000..2ba3fad --- /dev/null +++ b/roles/robosignatory/files/robosignatory.production.py @@ -0,0 +1,68 @@ +config = { + 'logging': { + 'loggers': { + 'robosignatory': { + 'handlers': ['console', 'mailer'], + 'level': 'DEBUG', + 'propagate': False + }, + }, + }, + + 'robosignatory.enabled.tagsigner': True, + 'robosignatory.signing.user': 'autopen', + 'robosignatory.signing.passphrase_file': '/etc/sigul/autosign.pass', + 'robosignatory.signing.config_file': '/etc/sigul/client.conf', + + # The keys here need to be the same in the sigul bridge + 'robosignatory.koji_instances': { + 'primary': { + 'url': 'https://koji.rpmfusion.org/kojihub', + 'options': { + # Only ssl is supported at the moment + 'authmethod': 'ssl', + 'cert': '/etc/sigul/autopen.pem', + 'serverca': '/etc/sigul/fedoraca.pem', + }, + 'tags': [ + { + "from": "f23-free-candidate", + "key": "f23-free", + "keyid": "e051b67e", + "to": "f23-free-updates-testing" + }, + { + "from": "f24-free-candidate", + "key": "f24-free", + "keyid": "b7546f06", + "to": "f24-free-updates-testing" + }, + { + "from": "f25-free-candidate", + "key": "f25-free", + "keyid": "6806a9cb", + "to": "f25-free-updates-testing" + }, + { + "from": "f23-nonfree-candidate", + "key": "f23-nonfree", + "keyid": "e051b67e", + "to": "f23-nonfree-updates-testing" + }, + { + "from": "f24-nonfree-candidate", + "key": "f24-nonfree", + "keyid": "b7546f06", + "to": "f24-nonfree-updates-testing" + }, + { + "from": "f25-nonfree-candidate", + "key": "f25-nonfree", + "keyid": "6806a9cb", + "to": "f25-nonfree-updates-testing" + } + + ] + }, + }, +} diff --git a/roles/robosignatory/tasks/main.yml b/roles/robosignatory/tasks/main.yml new file mode 100644 index 0000000..851d3ef --- /dev/null +++ b/roles/robosignatory/tasks/main.yml @@ -0,0 +1,49 @@ +- name: Install packages + yum: state=present name={{ item }} + with_items: + - python-robosignatory + - trousers + - tpm-tools + tags: + - packages + - robosignatory + +- name: Create config directory + file: path=/etc/robosignatory state=directory owner=fedmsg group=fedmsg mode=0750 + tags: + - config + - robosignatory + +- name: Create sigul directory + file: path=/etc/robosignatory/sigul state=directory owner=fedmsg group=fedmsg mode=0750 + tags: + - config + - robosignatory + +- name: Install koji certificate and key + copy: src="{{ private }}/files/koji/autopen.pem" dest=/etc/robosignatory/koji.cert + owner=fedmsg group=fedmsg mode=0640 + tags: + - config + - robosignatory + +- name: Install koji config + copy: src=koji.conf dest=/etc/robosignatory/koji.config + owner=fedmsg group=fedmsg mode=0640 + tags: + - config + - robosignatory + +- name: Install koji CA certificate + copy: src="{{ private }}/files/fedora-ca.cert" dest=/etc/robosignatory/serverca.cert + owner=fedmsg group=fedmsg mode=0640 + tags: + - config + - robosignatory + +- name: Setup robosignatory config + copy: src=robosignatory.{{env}}.py dest=/etc/fedmsg.d/robosignatory.py + owner=fedmsg group=fedmsg mode=0640 + tags: + - config + - robosignatory

7 years, 6 months

1
0
0 / 0

[ansible] Add sigul

by Nicolas Chauvet

commit 420bb462530ac485cfb22ec15f78714f76417938 Author: Nicolas Chauvet <kwizart(a)gmail.com> Date: Tue Oct 4 13:08:35 2016 +0200 Add sigul roles/sigul/bridge/files/koji-primary.conf | 24 +++++++++++ roles/sigul/bridge/tasks/main.yml | 14 ++++++ roles/sigul/bridge/templates/bridge.conf.j2 | 38 +++++++++++++++++ roles/sigul/server/files/00-sigul.rules | 12 +++++ roles/sigul/server/tasks/main.yml | 57 +++++++++++++++++++++++++ roles/sigul/server/templates/server.conf.j2 | 60 +++++++++++++++++++++++++++ 6 files changed, 205 insertions(+), 0 deletions(-) --- diff --git a/roles/sigul/bridge/files/koji-primary.conf b/roles/sigul/bridge/files/koji-primary.conf new file mode 100644 index 0000000..5ff3981 --- /dev/null +++ b/roles/sigul/bridge/files/koji-primary.conf @@ -0,0 +1,24 @@ +[koji] + +;configuration for koji cli tool + +;url of XMLRPC server +server = http://koji.rpmfusion.org/kojihub + +;url of web interface +weburl = http://koji.rpmfusion.org/koji + +;url of package download site +topurl = https://kojipkgs.rpmfusion.org/ + +;path to the koji top directory +;topdir = /mnt/koji + +anon_retry = true + +;client certificate +cert = /etc/sigul/rpmfusion.cert + +;certificate of the CA that issued the HTTP server certificate +serverca = /etc/sigul/rpmfusion-server-ca.cert + diff --git a/roles/sigul/bridge/tasks/main.yml b/roles/sigul/bridge/tasks/main.yml new file mode 100644 index 0000000..4ebadb7 --- /dev/null +++ b/roles/sigul/bridge/tasks/main.yml @@ -0,0 +1,14 @@ +- name: Install sigul bridge + yum: state=present name=sigul-bridge + tags: + - packages + +- name: Setup sigul bridge.conf + template: src=bridge.conf.j2 dest=/etc/sigul/bridge.conf + owner=sigul group=sigul mode=0640 + tags: + - config + +- name: Setup primary koji config file + copy: src=koji-primary.conf dest=/etc/koji-primary.conf owner=root group=root mode=644 + diff --git a/roles/sigul/bridge/templates/bridge.conf.j2 b/roles/sigul/bridge/templates/bridge.conf.j2 new file mode 100644 index 0000000..3c13e2e --- /dev/null +++ b/roles/sigul/bridge/templates/bridge.conf.j2 @@ -0,0 +1,38 @@ +# This is a configuration for the sigul bridge. +# +[bridge] +# Nickname of the bridge's certificate in the NSS database specified below +bridge-cert-nickname: sign-bridge1 - RPM Fusion Project + +# Port on which the bridge expects client connections +client-listen-port: 44334 +# Port on which the bridge expects server connections +server-listen-port: 44333 +# A RPM Fusion account system group required for access to the signing server. If +# empty, no RPM Fusion account check is done. +required-fas-group: signers +# User name and password for an account on the RPM Fusion account system that can +# be used to verify group memberships +fas-user-name: {{ fedoraDummyUser }} +fas-password: {{ fedoraDummyUserPassword }} + +[koji] +koji-instances: primary +koji-config-primary: /etc/koji-primary.conf + +[daemon] +# The user to run as +unix-user: sigul +# The group to run as +unix-group: sigul + +[nss] +# Path to a directory containing a NSS database +nss-dir: /var/lib/sigul +# Password for accessing the NSS database. If not specified, the bridge will +# ask on startup +# Currently no password is used +nss-password: +# Minimum and maximum versions of TLS used +nss-min-tls: tls1.2 +nss-max-tls: tls1.2 diff --git a/roles/sigul/server/files/00-sigul.rules b/roles/sigul/server/files/00-sigul.rules new file mode 100644 index 0000000..d3234c2 --- /dev/null +++ b/roles/sigul/server/files/00-sigul.rules @@ -0,0 +1,12 @@ +polkit.addRule(function(action, subject) { + if (action.id == "org.debian.pcsc-lite.access_pcsc" && + subject.user == "sigul") { + return polkit.Result.YES; + } +}); + +polkit.addRule(function(action, subject) { + if (action.id == "org.debian.pcsc-lite.access_card" && + subject.user == "sigul") { + return polkit.Result.YES; } +}); diff --git a/roles/sigul/server/tasks/main.yml b/roles/sigul/server/tasks/main.yml new file mode 100644 index 0000000..d368ea6 --- /dev/null +++ b/roles/sigul/server/tasks/main.yml @@ -0,0 +1,57 @@ +- name: put rhel AH repos on rhel systems + copy: src="{{ files }}/common/rhel7ah.repo" dest="/etc/yum.repos.d/rhel7ah.repo" + when: ansible_distribution == 'RedHat' or ansible_distribution == 'CentOS' + tags: + - config + - packages + - yumrepos + +- name: Install sigul server + package: state=present name={{ item }} + with_items: + - sigul-server + - rpm-sign + - bzip2 + - p11-kit + - engine_pkcs11 + - gnutls-utils + - ykpers + - yubico-piv-tool + - pcsc-lite + - opensc + tags: + - packages + +- name: Enable pcscd + service: name=pcscd state=started enabled=yes + +- name: install rhel7 only packages + package: state=present name={{ item }} + with_items: + - gnupg1 + when: ansible_distribution_major_version|int == 7 + tags: + - packages + +- name: install fedora only packages + package: state=present name={{ item }} + with_items: + - gnupg + when: ansible_distribution_major_version|int > 23 + tags: + - packages + +- name: Setup sigul server.conf + template: src=server.conf.j2 dest=/etc/sigul/server.conf + owner=sigul group=sigul mode=0640 + tags: + - config + +- name: Setup gpg link on rhel7 + file: state=link src=/usr/bin/gpg1 dest=/usr/bin/gpg + when: ansible_distribution_major_version|int == 7 + +- name: add polkit rules to allow sigul user to access the smartcard/yubikey + file: src=00-sigul.rules dest=/etc/polkit-1/rules.d/00-sigul.rules + tags: + - config diff --git a/roles/sigul/server/templates/server.conf.j2 b/roles/sigul/server/templates/server.conf.j2 new file mode 100644 index 0000000..d712a87 --- /dev/null +++ b/roles/sigul/server/templates/server.conf.j2 @@ -0,0 +1,60 @@ +# This is a configuration for the sigul server. + +[server] +# Host name of the publically acessible bridge to clients + +bridge-hostname: koji01.online.rpmfusion.net +server-cert-nickname: sign-vault1 - RPM Fusion Project + +# Port on which the bridge expects server connections +bridge-port: 44333 +# Maximum accepted size of payload stored on disk +max-file-payload-size: 2073741824 +# Maximum accepted size of payload stored in server's memory +max-memory-payload-size: 1048576 + +# Whether to relax the CN vs username check +lenient-username-check: yes +# Which CN's are allowed to use different usernames, comma seperated +proxy-usernames: + + +[database] +# Path to a directory containing a SQLite database +;database-path: /var/lib/sigul + +[gnupg] +# Path to a directory containing GPG configuration and keyrings +gnupg-home: /var/lib/sigul/gnupg +# Default primary key type for newly created keys +gnupg-key-type: RSA +# Default primary key length for newly created keys +gnupg-key-length: 4096 +# Default subkey type for newly created keys, empty for no subkey +gnupg-subkey-type: +# Default subkey length for newly created keys if gnupg-subkey-type is not empty +; gnupg-subkey-length: 2048 +# Default key usage flags for newly created keys +gnupg-key-usage: encrypt, sign +# Length of key passphrases used for newsly created keys +passphrase-length: 128 + +[daemon] +# The user to run as +unix-user: sigul +# The group to run as +unix-group: sigul + +[nss] +# Path to a directory containing a NSS database +nss-dir: /var/lib/sigul +# Password for accessing the NSS database. If not specified, the server will +# ask on startup +; nss-password is not specified by default +# Minimum and maximum versions of TLS used +nss-min-tls: tls1.2 +nss-max-tls: tls1.2 + +[binding] +# List of binding modules enabled +enabled:

7 years, 6 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

sysadmin-notify October 2016