Add prelim, unfinished yet cut at koji hub role for aarch64 hub.

2013-09-12 17:01:07 +00:00 · 2013-09-12 17:01:07 +00:00 · 92b4a3ff7c
commit 92b4a3ff7c
parent 0fba97c3b0
6 changed files with 176 additions and 24 deletions
--- a/roles/koji_hub/files/openssl.cnf.aarch64
+++ b/roles/koji_hub/files/openssl.cnf.aarch64
@ -0,0 +1,74 @@
+HOME                    = .
+RANDFILE                = .rand
+
+[ca] 
+default_ca              = ca_default
+
+[ca_default] 
+dir                     = .
+certs                   = $dir/certs
+crl_dir                 = $dir/crl
+database                = $dir/index.txt
+new_certs_dir           = $dir/newcerts
+certificate             = $dir/%s_ca_cert.pem
+private_key             = $dir/private/%s_ca_key.pem
+serial                  = $dir/serial
+crl                     = $dir/crl.pem
+x509_extensions         = usr_cert
+name_opt                = ca_default
+cert_opt                = ca_default
+default_days            = 3650
+default_crl_days        = 30
+default_md              = md5
+preserve                = no
+policy                  = policy_match
+
+[policy_match] 
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[req] 
+default_bits            = 1024
+default_keyfile         = privkey.pem
+distinguished_name      = req_distinguished_name
+attributes              = req_attributes
+x509_extensions         = v3_ca # The extentions to add to the self signed cert
+string_mask             = MASK:0x2002
+
+[req_distinguished_name] 
+countryName                     = Country Name (2 letter code)
+countryName_default             = US
+countryName_min                 = 2
+countryName_max                 = 2
+stateOrProvinceName             = State or Province Name (full name)
+stateOrProvinceName_default     = Vienna
+localityName                    = Locality Name (eg, city)
+localityName_default            = Vienna
+0.organizationName              = Organization Name (eg, company)
+0.organizationName_default      = My company
+organizationalUnitName          = Organizational Unit Name (eg, section)
+commonName                      = Common Name (eg, your name or your server\'s hostname)
+commonName_max                  = 64
+emailAddress                    = Email Address
+emailAddress_max                = 64
+
+[req_attributes] 
+challengePassword               = A challenge password
+challengePassword_min           = 4
+challengePassword_max           = 20
+unstructuredName                = An optional company name
+
+[usr_cert] 
+basicConstraints                = CA:FALSE
+nsComment                       = "OpenSSL Generated Certificate"
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid,issuer:always
+
+[v3_ca] 
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid:always,issuer:always
+basicConstraints                = CA:true
--- a/roles/koji_hub/tasks/main.yml
+++ b/roles/koji_hub/tasks/main.yml
@ -0,0 +1,99 @@
+---
+#
+# Setup koji hub server. 
+#
+- name: install koji hub server packages
+  yum: name=$item state=installed
+  with_items:
+  - koji-hub
+  - koji-web
+  - koji-utils
+  - mod_ssl
+  - mod_wsgi
+  - git
+  - gnupg2
+  tags:
+  - packages
+
+- name: make koji pki directory
+  file: state=directory path=/etc/pki/koji/ owner=root group=root
+
+- name: make koji pki subdirectories
+  file: state=directory path=/etc/pki/koji/{{ item }} owner=root group=root
+  with_items:
+  - certs
+  - private
+  - confs
+
+- name: setup ssl config for koji
+  copy: src={{ item }} dest=/etc/pki/koji/openssl.cnf mode=600
+  first_available_file:
+    - openssl.cnf.{{ ansible_fqdn }}
+    - openssl.cnf.{{ host_group }}
+    - openssl.cnf.{{ dist_tag }}
+  tags:
+  - config
+
+- name: create index.txt
+  file: name=/etc/pki/koji/index.txt
+  tags:
+  - config
+
+- name: init serial file
+  shell: "echo 01 > /etc/pki/koji/serial.txt" creates=/etc/pki/koji/serial.txt
+  tags:
+  - config
+
+- name: init koji ca key file
+  shell: "openssl genrsa -out /etc/pki/koji/private/koji_ca_cert.key 2048" creates=/etc/pki/koji/private/koji_ca_cert.key
+  tags:
+  - config
+
+- name: init koji ca cert file
+  shell: "openssl req -config /etc/pki/koji/ssl.cnf -new -x509 -subj "/C=US/ST=Arizona/L=Phoenix/O=IT/CN=aarch64.koji.fedoraproject.org" -days 3650 -key /etc/pki/koji/private/koji_ca_cert.key -out /etc/pki/koji/koji_ca_cert.crt -extensions v3_ca" creates=/etc/pki/koji/koji_ca_cert.crt
+  tags:
+  - config
+
+# setup certs needed here for kojiweb/hub
+
+# Database setup
+- name: setup the database
+  hosts: db-aarch64.qa.fedoraproject.org
+  gather_facts: no
+  sudo: yes
+  sudo_user: postgres
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - ${private}/vars.yml
+   - ${vars}/${ansible_distribution}.yml
+
+  tasks:
+
+   - name: databases creation
+     postgresql_db: name=koji owner=koji encoding=UTF-8
+
+   - name: koji db user
+     postgresql_user: name=koji password=$kojidatabasepassword
+     tags:
+     - db
+
+   - name: load initial schema 
+     shell: "psql koji koji < /usr/share/doc/koji*/docs/schema.sql" creates=/var/lib/pgql/koji-schema
+     tags:
+     - db
+
+# Todo here
+# httpd ssl.conf changes
+# koji hub.conf template
+# create skeleton /mnt/koji dirs
+# selinux config: 
+#   httpd_can_network_connect_db=1 allow_httpd_anon_write=1
+#   chcon -R -t public_content_rw_t /mnt/koji/*
+
+- name: Set httpd to run on boot
+  service: name=httpd enabled=yes
+  ignore_errors: true
+  notify:
+  - restart httpd
+  tags:
+  - service