Add robosignatory plays

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
2016-09-14 16:38:01 +00:00 · 2016-09-14 16:38:01 +00:00 · 75d3a06353
commit 75d3a06353
parent 6ec8a7ea2e
3 changed files with 69 additions and 0 deletions
--- a/playbooks/groups/robosignatory.yml
+++ b/playbooks/groups/robosignatory.yml
@ -0,0 +1,37 @@
+# provision an autosign server
+# NOTE: this assumes the boxes are already up and are accessible
+# NOTE: most of these vars_path come from group_vars/sign or from hostvars
+#
+# FURTHER NOTE: some of These machines run day to day with sshd disabled/off.
+# Access is via management interface only. This playbook does initial setup.
+# Please check with rel-eng before doing anything here.
+
+- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=sign-bridge"
+
+- name: configure robosignatory server
+  hosts: autosign
+  user: root
+  gather_facts: true
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "/srv/private/ansible/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  roles:
+  - base
+  - rkhunter
+  - hosts
+  - fas_client
+  - sudo
+  - fedmsg/base
+  - fedmsg/hub
+  - robosignatory
+
+  tasks:
+  - include: "{{ tasks }}/motd.yml"
+  - include: "{{ tasks }}/yumrepos.yml"
+  - include: "{{ tasks }}/2fa_client.yml"
+
+  handlers:
+  - include: "{{ handlers }}/restart_services.yml"
--- a/roles/robosignatory/files/robosignatory.production.conf
+++ b/roles/robosignatory/files/robosignatory.production.conf
@ -0,0 +1,22 @@
+config = {
+    'robosignatory.enabled.tagsigner': True,
+    'robosignatory.signing.user': 'autosign',
+    'robosignatory.signing.passphrase_file': '/etc/robosignatory/autosign.pass',
+    'robosignatory.signing.config_file': '/etc/robosignatory/sigul/client.conf',
+
+    # The keys here need to be the same in the sigul bridge
+    'robosignatory.koji_instances': {
+        'primary': {
+            'url': 'https://koji.fedoraproject.org/kojihub',
+            'options': {
+                # Only ssl is supported at the moment
+                'authmethod': 'ssl',
+                'cert': '/etc/robosignatory/koji.cert',
+                'serverca': '/etc/robosignatory/serverca.cert',
+            },
+            'tags': [
+            ]
+        },
+    },
+}
+
--- a/roles/robosignatory/tasks/main.yml
+++ b/roles/robosignatory/tasks/main.yml
@ -0,0 +1,10 @@
+- name: Install robosignatory
+  yum: state=present name=python-robosignatory
+  tags:
+  - packages
+
+- name: Setup robosignatory config
+  copy: src=robosignatory.{{env}}.conf dest=/etc/fedmsg.d/robosignatory.conf
+        owner=fedmsg group=fedmsg mode=0640
+  tags:
+  - config