set fedora-messaging certs for ursabot

Just doing this for staging right now, to check it works as expected Signed-off-by: Ryan Lerch <rlerch@redhat.com>
2021-08-23 19:35:38 +10:00 · 2021-08-23 19:35:38 +10:00 · 6b43caff64
commit 6b43caff64
parent 35bb0977fb
3 changed files with 92 additions and 1 deletions
--- a/roles/supybot/files/ursabot.service
+++ b/roles/supybot/files/ursabot.service
@ -3,7 +3,7 @@ Description=ursabot irc bot
 After=network.target

 [Service]
-Environment=FEDORA_MESSAGING_CONF=/etc/fedora-messaging/fedora.stg.toml
+Environment=FEDORA_MESSAGING_CONF=/etc/fedora-messaging/ursabot.toml
 Environment=KRB5_CLIENT_KTNAME=/etc/krb5.ursabot_value02.stg.iad2.fedoraproject.org.keytab
 Type=simple
 User=daemon
--- a/roles/supybot/tasks/main.yml
+++ b/roles/supybot/tasks/main.yml
@ -86,6 +86,60 @@
  - meetbot
  - supybot

+- name: Deploy the fedora-messaging CA (stg)
+  copy:
+    src: "{{ private }}/files/rabbitmq/{{env}}/pki/ca.crt"
+    dest: /etc/pki/fedora-messaging/rabbitmq-ca.crt
+    mode: 0644
+    owner: daemon
+    group: daemon
+  when:
+  - env == "staging"
+  - inventory_hostname.startswith('value02')
+  tags:
+  - config
+
+- name: Deploy the fedora-messaging cert (stg)
+  copy:
+    src: "{{ private }}/files/rabbitmq/{{env}}/pki/issued/{{ botname }}.crt"
+    dest:  /etc/pki/fedora-messaging/{{ botname }}.crt
+    mode: 0644
+    owner: daemon
+    group: daemon
+  when:
+  - env == "staging"
+  - inventory_hostname.startswith('value02')
+  tags:
+  - config
+
+- name: Deploy the fedora-messaging key (stg)
+  copy:
+    src: "{{ private }}/files/rabbitmq/{{env}}/pki/private/{{ botname }}.key"
+    dest: /etc/pki/fedora-messaging/{{ botname }}.key
+    mode: 0600
+    owner: daemon
+    group: daemon
+  when:
+  - env == "staging"
+  - inventory_hostname.startswith('value02')
+  tags:
+  - config
+
+- name: Install fedora-messaging config (stg)
+  template:
+    src: fedora-messaging.toml.j2
+    dest: /etc/fedora-messaging/{{ botname }}.toml
+    owner: daemon
+    group: daemon
+    mode: 0600
+  when:
+  - env == "staging"
+  - inventory_hostname.startswith('value02')
+  tags:
+  - config
+
+
+
 - name: setup zodbot systemd service file (prod)
  copy: src=zodbot.service dest=/etc/systemd/system/zodbot.service
  when: env == "production"
--- a/roles/supybot/templates/fedora-messaging.toml.j2
+++ b/roles/supybot/templates/fedora-messaging.toml.j2
@ -0,0 +1,37 @@
+amqp_url = "amqps://{{ botname }}:@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fpubsub"
+
+# Just check if the queue exist, don't try to create it (the server does not allow it).
+passive_declares = true
+
+# The topic_prefix configuration value will add a prefix to the topics of every sent message.
+# This is used for migrating from fedmsg, and should not be used afterwards.
+{% if env == "staging" %}
+topic_prefix = "org.fedoraproject.stg"
+{% else %}
+topic_prefix = "org.fedoraproject.prod"
+{% endif %}
+
+[tls]
+ca_cert = "/etc/pki/fedora-messaging/rabbitmq-ca.crt"
+keyfile = "/etc/pki/fedora-messaging/{{ botname }}.key"
+certfile = "/etc/pki/fedora-messaging/{{ botname }}.crt"
+
+[client_properties]
+app = "{{ botname }}"
+
+[log_config]
+version = 1
+disable_existing_loggers = true
+[log_config.formatters.simple]
+format = "[%(levelname)s %(name)s] %(message)s"
+[log_config.handlers.console]
+class = "logging.StreamHandler"
+formatter = "simple"
+stream = "ext://sys.stdout"
+[log_config.loggers.fedora_messaging]
+level = "INFO"
+propagate = false
+handlers = ["console"]
+[log_config.root]
+level = "WARNING"
+handlers = ["console"]