rabbitmq_cluster: setup private mbs vhost/user

Signed-off-by: Kevin Fenzi <kevin@scrye.com>

roles/rabbitmq_cluster/tasks/apps.yml

@@ -252,22 +252,110 @@
 # CENTOS ODCS END
 
 # MBS BEGIN
-- name: MBS User
+#
+- name: Configure the mbs-private-queue virtual host
   run_once: true
-  include_role:
+  delegate_to: "rabbitmq01.iad2.fedoraproject.org"
-    name: rabbit/user
+  rabbitmq_vhost:
-  vars:
+    name: /msb-private-queue
-     username: mbs{{ env_suffix }}
+    state: present
+  tags:
+  - msb-private-queue
 
-- name: MBS Queue
+- name: Configure the HA policy for the msb-private-queue queues
   run_once: true
-  include_role:
+  delegate_to: "rabbitmq01.iad2.fedoraproject.org"
-    name: rabbit/queue
+  rabbitmq_policy:
-  vars:
+    name: HA
-    username: mbs{{ env_suffix }}
+    apply_to: queues
-    queue_name: mbs{{ env_suffix }}
+    pattern: .*
-    # TTL: 10 days (in miliseconds)
+    tags:
-    message_ttl: 864000000
+      ha-mode: all
-    routing_keys:
+      ha-sync-mode: automatic  # Auto sync queues to new cluster members
-      - "mbs.{{ env_short }}.gitlab.#"
+      ha-sync-batch-size: 10000  # Larger is faster, but must finish in 1 net_ticktime
+    vhost: /mbs-private-queue
+  tags:
+  - mbs-private-queue
+
+- name: Add a policy to limit queues to 1GB and remove after a month of no use
+  run_once: true
+  delegate_to: "rabbitmq01.iad2.fedoraproject.org"
+  rabbitmq_policy:
+    apply_to: queues
+    name: pubsub_sweeper
+    state: present
+    pattern: ".*"
+    tags:
+      # Unused queues are killed after 1000 * 60 * 60 * 31 milliseconds (~a month)
+      expires: 111600000
+      # Queues can use at most 1GB of storage
+      max-length-bytes: 1073741824
+    vhost: /mbs-private-queue
+  tags:
+  - mbs-private-queue
+
+- name: Create the mbs-private-queue user for the mbs-private-queue vhost (prod)
+  run_once: true
+  delegate_to: "rabbitmq01.iad2.fedoraproject.org"
+  rabbitmq_user:
+    user: mbs-private-queue
+    password: "{{ (env == 'production')|ternary(rabbitmq_mbs_private_queue_admin_password_production, rabbitmq_mbs_private_queue_admin_password_staging) }}"
+    vhost: /mbs-private-queue
+    configure_priv: .*
+    read_priv: .*
+    write_priv: .*
+  tags:
+  - mbs-private-queue
+
+- name: Dump the admin password in a file for administrative operations
+  run_once: true
+  delegate_to: "rabbitmq01.iad2.fedoraproject.org"
+  copy:
+    dest: /root/.mbs-private-queue-rabbitmqpass
+    content: "{{ (env == 'production')|ternary(rabbitmq_mbs_private_queue_admin_password_production, rabbitmq_mbs_private_queue_admin_password_staging) }}"
+    mode: 0600
+    owner: root
+    group: root
+  tags:
+  - mbs-private-queue
+
+- name: Grant the admin user access to the mbs-private-queue vhost
+  run_once: true
+  delegate_to: "rabbitmq01.iad2.fedoraproject.org"
+  rabbitmq_user:
+    user: admin
+    vhost: /mbs-private-queue
+    configure_priv: .*
+    read_priv: .*
+    write_priv: .*
+    tags: administrator
+  tags:
+  - mbs-private-queue
+
+- name: Grant the nagios-monitoring user access to the mbs-private-queue vhost
+  run_once: true
+  delegate_to: "rabbitmq01.iad2.fedoraproject.org"
+  rabbitmq_user:
+    user: nagios-monitoring
+    vhost: /mbs-private-queue
+    configure_priv: "^$"
+    read_priv: "^$"
+    write_priv: "^$"
+    tags: monitoring
+  tags:
+  - mbs-private-queue
+
+- name: Create a user for mbs-private-queue access
+  run_once: true
+  delegate_to: "rabbitmq01.iad2.fedoraproject.org"
+  rabbitmq_user:
+    user: "mbs-private-queue{{ env_suffix }}"
+    vhost: /mbs-private-queue
+    configure_priv: .*
+    write_priv: .*
+    read_priv: .*
+    state: present
+  tags:
+  - mbs-private-queue
+
 # MBS END