From 6d95f3fd758bc08a10e8dc45d086074161fea743 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Thu, 22 Jan 2015 17:16:21 +0000
Subject: [PATCH] First stab at blockerbugs ansible playbooks and blockerbugs01.stg config
---
inventory/group_vars/blockerbugs | 17 ++++++
inventory/group_vars/blockerbugs-stg | 17 ++++++
.../blockerbugs01.stg.phx2.fedoraproject.org | 13 +++++
playbooks/groups/blockerbugs.yml | 44 ++++++++++++++++
roles/blockerbugs/files/blockerbugs.conf | 16 ++++++
roles/blockerbugs/files/blockerbugs.cron | 1 +
roles/blockerbugs/tasks/main.yml | 52 +++++++++++++++++++
.../templates/blockerbugs-settings.py.j2 | 21 ++++++++
8 files changed, 181 insertions(+)
create mode 100644 inventory/group_vars/blockerbugs
create mode 100644 inventory/group_vars/blockerbugs-stg
create mode 100644 inventory/host_vars/blockerbugs01.stg.phx2.fedoraproject.org
create mode 100644 playbooks/groups/blockerbugs.yml
create mode 100644 roles/blockerbugs/files/blockerbugs.conf
create mode 100644 roles/blockerbugs/files/blockerbugs.cron
create mode 100644 roles/blockerbugs/tasks/main.yml
create mode 100644 roles/blockerbugs/templates/blockerbugs-settings.py.j2
diff --git a/inventory/group_vars/blockerbugs b/inventory/group_vars/blockerbugs
new file mode 100644
index 0000000000..a5f2fae40e
--- /dev/null
+++ b/inventory/group_vars/blockerbugs
@@ -0,0 +1,17 @@
+---
+lvm_size: 30000
+mem_size: 4096
+num_cpus: 2
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+tcp_ports: [ 80, 443, 8888 ]
+
+# Neeed for rsync from log01 for logs.
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
+
+fas_client_groups: sysadmin-noc,fi-apprentice,sysadmin-qa
+
+# This gets overridden by whichever node we want to run special cronjobs.
+master_blockerbugs_node: False
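Review bot: `tcp_ports: [ 80, 443, 8888 ]` lists port 8888, but nothing in this commit listens there: roles/blockerbugs/files/blockerbugs.conf only adds a WSGI alias under the default httpd listeners. If `tcp_ports` feeds the host firewall, as the neighbouring `custom_rules` iptables lines suggest, the extra port is unneeded exposure; suggest `tcp_ports: [ 80, 443 ]`, or a comment naming the service that binds 8888. The same line is in inventory/group_vars/blockerbugs-stg, which is byte-identical to this file (same blob a5f2fae40e). The comment above `custom_rules` has a typo and should read `# Needed for rsync from log01 for logs.`.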
diff --git a/inventory/group_vars/blockerbugs-stg b/inventory/group_vars/blockerbugs-stg
new file mode 100644
index 0000000000..a5f2fae40e
--- /dev/null
+++ b/inventory/group_vars/blockerbugs-stg
@@ -0,0 +1,17 @@
+---
+lvm_size: 30000
+mem_size: 4096
+num_cpus: 2
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+tcp_ports: [ 80, 443, 8888 ]
+
+# Neeed for rsync from log01 for logs.
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ]
+
+fas_client_groups: sysadmin-noc,fi-apprentice,sysadmin-qa
+
+# This gets overridden by whichever node we want to run special cronjobs.
+master_blockerbugs_node: False
diff --git a/inventory/host_vars/blockerbugs01.stg.phx2.fedoraproject.org b/inventory/host_vars/blockerbugs01.stg.phx2.fedoraproject.org
new file mode 100644
index 0000000000..45b605b65e
--- /dev/null
+++ b/inventory/host_vars/blockerbugs01.stg.phx2.fedoraproject.org
@@ -0,0 +1,13 @@
+---
+nm: 255.255.255.0
+gw: 10.5.126.254
+dns: 10.5.126.21
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
+ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
+volgroup: /dev/vg_guests
+eth0_ip: 10.5.126.65
+vmhost: virthost12.phx2.fedoraproject.org
+datacenter: phx2
+
+# This is the master node in stg, so it runs the cron job
+master_blockerbugs_node: True
diff --git a/playbooks/groups/blockerbugs.yml b/playbooks/groups/blockerbugs.yml
new file mode 100644
index 0000000000..bcdc0a3c0a
--- /dev/null
+++ b/playbooks/groups/blockerbugs.yml
@@ -0,0 +1,44 @@
+- name: make blockerbugs servers
+ hosts: blockerbugs-stg
+ user: root
+ gather_facts: False
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ tasks:
+ - include: "{{ tasks }}/virt_instance_create.yml"
+
+ handlers:
+ - include: "{{ handlers }}/restart_services.yml"
+
+- name: make the box be real
+ hosts: blockerbugs-stg
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ roles:
+ - base
+ - rkhunter
+ - nagios_client
+ - hosts
+ - fas_client
+ - collectd/base
+ - sudo
+ - blockerbugs
+
+ tasks:
+ - include: "{{ tasks }}/yumrepos.yml"
+ - include: "{{ tasks }}/2fa_client.yml"
+ - include: "{{ tasks }}/motd.yml"
+
+ handlers:
+ - include: "{{ handlers }}/restart_services.yml"
+ - include: "{{ handlers }}/semanage.yml"
diff --git a/roles/blockerbugs/files/blockerbugs.conf b/roles/blockerbugs/files/blockerbugs.conf
new file mode 100644
index 0000000000..5d914a7342
--- /dev/null
+++ b/roles/blockerbugs/files/blockerbugs.conf
@@ -0,0 +1,16 @@
+WSGIDaemonProcess blockerbugs user=apache group=apache threads=5
+WSGIScriptAlias /blockerbugs /usr/share/blockerbugs/blockerbugs.wsgi
+WSGISocketPrefix run/wsgi
+
+# this isn't the best way to force SSL but it works for now
+#RewriteEngine On
+#RewriteCond %{HTTPS} !=on
+#RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
+
+
+ WSGIProcessGroup blockerbugs
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIScriptReloading On
+ Order deny,allow
+ Allow from all
+
diff --git a/roles/blockerbugs/files/blockerbugs.cron b/roles/blockerbugs/files/blockerbugs.cron
new file mode 100644
index 0000000000..f1379e5c7d
--- /dev/null
+++ b/roles/blockerbugs/files/blockerbugs.cron
@@ -0,0 +1 @@
+*/30 * * * * blockerbugs blockerbugs sync
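Review bot: The HTTP-to-HTTPS redirect in roles/blockerbugs/files/blockerbugs.conf is commented out, so `/blockerbugs` is answered over plain HTTP as well as HTTPS unless something in front of this host enforces TLS (nothing in this patch shows that). The application logs users in through FAS and the settings template sets `PREFERRED_URL_SCHEME='https'`, so the login and session cookie should not be reachable in cleartext: either enable the three `Rewrite*` lines or replace the stale "works for now" comment with one saying where TLS is terminated and enforced. `Order deny,allow` / `Allow from all` is Apache 2.2 syntax; the host is kickstarted from `kvm-rhel-7`, which presumably means httpd 2.4, where `Require all granted` is the native form and the old directives only work through mod_access_compat.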
diff --git a/roles/blockerbugs/tasks/main.yml b/roles/blockerbugs/tasks/main.yml
new file mode 100644
index 0000000000..b2416b6bc2
--- /dev/null
+++ b/roles/blockerbugs/tasks/main.yml
@@ -0,0 +1,52 @@
+---
+- name: install needed packages for blockerbugs
+ yum: state=present name={{ item }} enablerepo=epel-testing
+ with_items:
+ - python-psycopg2
+ - python-kitchen
+ - python-alembic
+ - python-flask-wtf
+ - python-flask
+ - python-sqlalchemy
+ - python-fedora-flask
+ - python-wtforms
+ - python-fedora
+ - pytest
+ - python-lxml
+ - python-flask-sqlalchemy
+ - python-bugzilla
+ - blockerbugs
+ tags:
+ - packages
+ - blockerbugs
+
+- name: setup blockerbugs apache conf
+ copy: src=blockerbugs.conf dest=/etc/httpd/conf.d/blockerbugs.conf mode=644
+ notify:
+ - restart httpd
+ tags:
+ - config
+ - httpd
+ - blockerbugs
+
+- name: setup blockerbugs app settings file
+ template: src=blockerbugs-settings.py.j2 dest=/etc/blockerbugs/settings.py mode=644
+ notify:
+ - restart httpd
+ tags:
+ - config
+ - httpd
+ - blockerbugs
+
+- name: set sebooleans so blockerbugs can talk to the db
+ seboolean: name=httpd_can_network_connect_db state=true persistent=true
+ tags:
+ - config
+ - blockerbugs
+
+- name: setup blockerbugs cron (master node only)
+ copy: src=blockerbugs.cron dest=/etc/cron.d/blockerbugs
+ when: master_blockerbugs_node
+ tags:
+ - config
+ - blockerbugs
diff --git a/roles/blockerbugs/templates/blockerbugs-settings.py.j2 b/roles/blockerbugs/templates/blockerbugs-settings.py.j2
new file mode 100644
index 0000000000..755f2fe60f
--- /dev/null
+++ b/roles/blockerbugs/templates/blockerbugs-settings.py.j2
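Review bot: The task `setup blockerbugs app settings file` in roles/blockerbugs/tasks/main.yml writes /etc/blockerbugs/settings.py with `mode=644`, yet the template renders `SECRET_KEY`, the database password and `FAS_PASSWORD` into that file, so every local account on the host can read them. Restrict it to the account the WSGI daemon runs as (apache, per blockerbugs.conf): `template: src=blockerbugs-settings.py.j2 dest=/etc/blockerbugs/settings.py owner=root group=apache mode=0640`. The cron entry runs `blockerbugs sync` as user blockerbugs, which presumably reads the same file, so that account needs to be covered by whichever group is chosen. Separately, `enablerepo=epel-testing` applies to every package in the list and `pytest` is a test-only dependency; if both are intentional on this server a comment saying why would help.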
@@ -0,0 +1,21 @@
+SECRET_KEY = '{{ blockerbugs_secret_key }}'
+SQLALCHEMY_DATABASE_URI = 'postgresql+psycopg2://{{ blockerbugs_app }}:{{ blockerbugs_appPassword }}@db-blockerbugs/blockerbugs'
+FAS_ADMIN_GROUP = "qa-admin"
+FAS_USER = "{{ blockerbugs_fas_user }}@fedoraproject.org"
+FAS_PASSWORD = "{{ blockerbugs_fas_password }}"
+{% if env == "staging" %}
+FAS_FLASK_COOKIE_REQUIRES_HTTPS = False
+FAS_CHECK_CERT = False
+PRODUCTION = False
+BUGZILLA_URL = 'https://partner-bugzilla.redhat.com/'
+{% else %}
+BUGZILLA_URL = 'https://bugzilla.redhat.com/'
+{% endif %}
+BUGZILLA_XMLRPC = BUGZILLA_URL + 'xmlrpc.cgi'
+KOJI_URL = "http://koji.fedoraproject.org/"
+FILE_LOGGING = False
+SYSLOG_LOGGING = True
+STREAM_LOGGING = False
+
+# to fix login issue for folks who are part of many FAS groups
+PREFERRED_URL_SCHEME='https'
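Review bot: In the staging branch, `FAS_CHECK_CERT = False` appears to turn off certificate verification on the FAS connection that carries `FAS_PASSWORD`, and `FAS_FLASK_COOKIE_REQUIRES_HTTPS = False` lets the auth cookie travel over HTTP, so staging credentials depend entirely on the network being trusted. Prefer trusting the staging CA over disabling verification, or add a comment such as `# stg FAS uses a self-signed cert; revisit once the CA is installed` if that is the reason. The secrets are interpolated unescaped into quoted Python literals and into `SQLALCHEMY_DATABASE_URI`, so a quote or backslash in a value yields a broken settings file and an `@`, `:` or `/` in `blockerbugs_appPassword` changes how the URI is parsed; the password should be URL-quoted before it is templated in. The `{% else %}` branch never sets `PRODUCTION`, so production relies on the application's default for that flag, and `KOJI_URL` is plain `http://`.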