From 6b43caff644826dc91aea9f1b5820b70b03ef5da Mon Sep 17 00:00:00 2001 From: Ryan Lerch Date: Mon, 23 Aug 2021 19:35:38 +1000 Subject: [PATCH] set fedora-messaging certs for ursabot Just doing this for staging right now, to check it works as expected Signed-off-by: Ryan Lerch --- roles/supybot/files/ursabot.service | 2 +- roles/supybot/tasks/main.yml | 54 +++++++++++++++++++ .../templates/fedora-messaging.toml.j2 | 37 +++++++++++++ 3 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 roles/supybot/templates/fedora-messaging.toml.j2 diff --git a/roles/supybot/files/ursabot.service b/roles/supybot/files/ursabot.service index 6cb982985c..4b58168094 100644 --- a/roles/supybot/files/ursabot.service +++ b/roles/supybot/files/ursabot.service @@ -3,7 +3,7 @@ Description=ursabot irc bot After=network.target [Service] -Environment=FEDORA_MESSAGING_CONF=/etc/fedora-messaging/fedora.stg.toml +Environment=FEDORA_MESSAGING_CONF=/etc/fedora-messaging/ursabot.toml Environment=KRB5_CLIENT_KTNAME=/etc/krb5.ursabot_value02.stg.iad2.fedoraproject.org.keytab Type=simple User=daemon diff --git a/roles/supybot/tasks/main.yml b/roles/supybot/tasks/main.yml index 7c1e97031a..535780fefd 100644 --- a/roles/supybot/tasks/main.yml +++ b/roles/supybot/tasks/main.yml 
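Review bot: The unit still runs as `User=daemon` (context line of the ursabot.service hunk) while its config now points at a client TLS private key, which the tasks in roles/supybot/tasks/main.yml install as `owner: daemon`, `mode: 0600`. Any other process running under the shared `daemon` account on this host can therefore read that key, and the keytab named in `KRB5_CLIENT_KTNAME` if it is owned the same way. A dedicated service account for the bot, with the file owners in the tasks changed to match, would confine both credentials to this one service. The path `/etc/fedora-messaging/ursabot.toml` is also hard-coded here while the task writes `/etc/fedora-messaging/{{ botname }}.toml`, so the two agree only if `botname` is `ursabot` on this host; a comment in the unit should say so. The `[Service]` section continues outside the hunk.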
@@ -86,6 +86,60 @@ - meetbot - supybot +- name: Deploy the fedora-messaging CA (stg) + copy: + src: "{{ private }}/files/rabbitmq/{{env}}/pki/ca.crt" + dest: /etc/pki/fedora-messaging/rabbitmq-ca.crt + mode: 0644 + owner: daemon + group: daemon + when: + - env == "staging" + - inventory_hostname.startswith('value02') + tags: + - config + +- name: Deploy the fedora-messaging cert (stg) + copy: + src: "{{ private }}/files/rabbitmq/{{env}}/pki/issued/{{ botname }}.crt" + dest: /etc/pki/fedora-messaging/{{ botname }}.crt + mode: 0644 + owner: daemon + group: daemon + when: + - env == "staging" + - inventory_hostname.startswith('value02') + tags: + - config + +- name: Deploy the fedora-messaging key (stg) + copy: + src: "{{ private }}/files/rabbitmq/{{env}}/pki/private/{{ botname }}.key" + dest: /etc/pki/fedora-messaging/{{ botname }}.key + mode: 0600 + owner: daemon + group: daemon + when: + - env == "staging" + - inventory_hostname.startswith('value02') + tags: + - config + +- name: Install fedora-messaging config (stg) + template: + src: fedora-messaging.toml.j2 + dest: /etc/fedora-messaging/{{ botname }}.toml + owner: daemon + group: daemon + mode: 0600 + when: + - env == "staging" + - inventory_hostname.startswith('value02') + tags: + - config + + + - name: setup zodbot systemd service file (prod) copy: src=zodbot.service dest=/etc/systemd/system/zodbot.service when: env == "production" diff --git a/roles/supybot/templates/fedora-messaging.toml.j2 b/roles/supybot/templates/fedora-messaging.toml.j2 new file mode 100644 index 0000000000..7f2fdf90fc --- /dev/null +++ b/roles/supybot/templates/fedora-messaging.toml.j2 
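Review bot: The `Deploy the fedora-messaging key (stg)` task copies a private key without `diff: false` (or `no_log: true`), so a run with `--diff` can print the key material into the playbook output and any log that captures it. Adding `diff: false` to that task closes this. None of the four new tasks has a `notify:`, so as far as this hunk shows a rotated certificate or changed config does not reach the running bot until someone restarts it. If the role has a restart handler for the bot, each task should carry `notify: <restart-handler-name>` (placeholder, since the handler is not visible here). The tasks also assume `/etc/pki/fedora-messaging/` and `/etc/fedora-messaging/` already exist; if no package or earlier task creates them, a `file:` task with `state: directory` is needed first.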
@@ -0,0 +1,37 @@
+amqp_url = "amqps://{{ botname }}:@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fpubsub"
+
+# Just check if the queue exist, don't try to create it (the server does not allow it).
+passive_declares = true
+
+# The topic_prefix configuration value will add a prefix to the topics of every sent message.
+# This is used for migrating from fedmsg, and should not be used afterwards.
+{% if env == "staging" %}
+topic_prefix = "org.fedoraproject.stg"
+{% else %}
+topic_prefix = "org.fedoraproject.prod"
+{% endif %}
+
+[tls]
+ca_cert = "/etc/pki/fedora-messaging/rabbitmq-ca.crt"
+keyfile = "/etc/pki/fedora-messaging/{{ botname }}.key"
+certfile = "/etc/pki/fedora-messaging/{{ botname }}.crt"
+
+[client_properties]
+app = "{{ botname }}"
+
+[log_config]
+version = 1
+disable_existing_loggers = true
+[log_config.formatters.simple]
+format = "[%(levelname)s %(name)s] %(message)s"
+[log_config.handlers.console]
+class = "logging.StreamHandler"
+formatter = "simple"
+stream = "ext://sys.stdout"
+[log_config.loggers.fedora_messaging]
+level = "INFO"
+propagate = false
+handlers = ["console"]
+[log_config.root]
+level = "WARNING"
+handlers = ["console"]
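Review bot: The empty password in `amqp_url` (`{{ botname }}:@`) carries no comment and reads like a missing secret. Presumably the broker authenticates the client on the certificate configured under `[tls]`; if so, a line above the key such as `# No password: the broker authenticates the client certificate from [tls].` would keep a later edit from embedding a credential in this template. The `passive_declares` comment refers to a queue, but the file defines no queue or bindings, so either the comment should say the bot only publishes or a queue definition is missing; this should be confirmed against how the bot uses fedora-messaging. A leading `# {{ ansible_managed }}` line would also tell admins not to hand-edit the rendered file on the host.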