ansible/roles/robosignatory/tasks/main.yml

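# Packages for the signing consumer: the robosignatory consumer itself, the
# fedora-messaging runtime it plugs into, the TPM userspace stack
# (trousers/tpm-tools) and the sigul signing client.
- name: Install packages
  package:
    state: present
    # The package module takes a list natively; one transaction instead of
    # the deprecated with_items loop with key=value module args.
    name:
      - python3-robosignatory
      - fedora-messaging
      - trousers
      - tpm-tools
      - sigul
  tags:
    - packages
    - robosignatory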
# Dedicated system group for the signing service; the gid is pinned so it
# matches the uid of the service account created right after it.
- name: Create robosignatory group
  group:
    name: robosignatory
    gid: 263
    system: true
    state: present
  tags:
    - config
    - robosignatory
# Unprivileged service account. No interactive shell (nologin), fixed uid
# matching the group's gid, and its home is the config directory under
# /etc/robosignatory rather than /home.
- name: Create robosignatory user
  user:
    name: robosignatory
    uid: 263
    group: robosignatory
    system: true
    comment: Robosignatory
    home: /etc/robosignatory
    shell: /sbin/nologin
    state: present
  tags:
    - config
    - robosignatory
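# Config directory (also the service account's home). 0750: readable only by
# the service user and its group, nothing for other local users.
- name: Create config directory
  file:
    path: /etc/robosignatory
    state: directory
    owner: robosignatory
    group: robosignatory
    # Quoted so the mode is passed as the octal string, not a YAML 1.1
    # octal-int whose meaning depends on the parser.
    mode: "0750"
  tags:
    - config
    - robosignatory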
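# Per-service sigul directory under the config dir. Note that the sigul
# client config itself is installed to /etc/sigul, not here; what the
# service keeps in this directory is not visible from this role file.
- name: Create robosignatory sigul directory
  file:
    path: /etc/robosignatory/sigul
    state: directory
    owner: robosignatory
    group: robosignatory
    # Quoted octal string, same convention as the parent directory.
    mode: "0750"
  tags:
    - config
    - robosignatory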
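# Per-environment sigul client configuration (selected by {{ env }}).
# Installed into sigul's own /etc/sigul, readable only by the service
# user/group.
- name: Install sigul configuration
  copy:
    src: "sigul.{{ env }}.conf"
    dest: /etc/sigul/client.conf
    owner: robosignatory
    group: robosignatory
    # Quoted octal string so the mode is unambiguous to the YAML parser.
    mode: "0640"
  tags:
    - config
    - robosignatory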
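# Hand the whole /etc/sigul tree to the service account. No mode is given,
# so existing permissions are left untouched; only ownership is changed.
# NOTE(review): with the directory and client.conf owned by the service
# user, a compromised robosignatory process can rewrite its own sigul
# client config. If the client does not need write access here, root as
# owner with group robosignatory and 0640 would be the tighter choice;
# confirm against what sigul writes into this directory before changing it.
- name: Make sure every file in the sigul conf dir has proper ownership
  file:
    path: /etc/sigul
    state: directory
    owner: robosignatory
    group: robosignatory
    recurse: true
  # Tagged like the sibling config tasks so a --tags config run does not
  # leave the directory with mixed ownership.
  tags:
    - config
    - robosignatory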
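# Rendered koji client configuration for the service user (template, so it
# can pick up per-environment variables).
- name: Install koji config
  template:
    src: koji.conf
    dest: /etc/robosignatory/koji.config
    owner: robosignatory
    group: robosignatory
    # Quoted octal string so the mode is unambiguous to the YAML parser.
    mode: "0640"
  tags:
    - config
    - robosignatory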
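# CA certificate used to verify the koji server, taken from the private
# repository. A CA certificate is not secret; 0640 simply matches the other
# files in the config directory.
- name: Install koji CA certificate
  copy:
    src: "{{ private }}/files/fedora-ca.cert"
    dest: /etc/robosignatory/serverca.cert
    owner: robosignatory
    group: robosignatory
    mode: "0640"
  tags:
    - config
    - robosignatory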
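# Fedora Messaging
# Directory holding the broker CA plus the service's client cert/key. It is
# root-owned; 0755 (not 0775) so it is not group-writable, matching the
# other root-owned directories this role creates. File-level modes below
# control who can read the key.
- name: Create /etc/pki/fedora-messaging
  file:
    dest: /etc/pki/fedora-messaging
    state: directory
    owner: root
    group: root
    mode: "0755"
  tags:
    - config
    - robosignatory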
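# Broker CA for the current environment. Public material, world-readable.
- name: Deploy the fedora-messaging CA
  copy:
    src: "{{ private }}/files/rabbitmq/{{ env }}/pki/ca.crt"
    dest: /etc/pki/fedora-messaging/cacert.pem
    owner: root
    group: root
    mode: "0644"
  tags:
    - config
    - robosignatory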
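# Client certificate presented to the broker. Not secret (0644); owned by
# the service user like its matching private key.
- name: Deploy the fedora-messaging cert
  copy:
    src: "{{ private }}/files/rabbitmq/{{ env }}/pki/issued/robosignatory{{ env_suffix }}.crt"
    dest: /etc/pki/fedora-messaging/robosignatory-cert.pem
    owner: robosignatory
    group: robosignatory
    mode: "0644"
  tags:
    - config
    - robosignatory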
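# Client private key for the broker connection. Readable by the service
# user only (0600).
- name: Deploy the fedora-messaging key
  copy:
    src: "{{ private }}/files/rabbitmq/{{ env }}/pki/private/robosignatory{{ env_suffix }}.key"
    dest: /etc/pki/fedora-messaging/robosignatory-key.pem
    owner: robosignatory
    group: robosignatory
    mode: "0600"
  # Key material: keep the task result (including any --diff output of the
  # file contents) out of the play log.
  no_log: true
  tags:
    - config
    - robosignatory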
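# Consumer configuration for fedora-messaging, rendered from the role
# template. Readable by the service user/group only.
- name: Setup robosignatory config
  template:
    src: robosignatory.toml.j2
    dest: /etc/fedora-messaging/robosignatory.toml
    owner: robosignatory
    group: robosignatory
    mode: "0640"
  tags:
    - config
    - robosignatory
    - robosignatory-config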
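# systemd drop-in directory for the fm-consumer@ template unit. Only set up
# in staging in this version of the role.
- name: Create /etc/systemd/system/fm-consumer@.service.d
  file:
    path: /etc/systemd/system/fm-consumer@.service.d
    state: directory
    owner: root
    group: root
    mode: "0755"
  when: env == 'staging'
  tags:
    - config
    - robosignatory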
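# Drop-in that makes the consumer run as the robosignatory user instead of
# the unit's default. The notified reload is a handler, so it runs at the
# end of the play rather than immediately after this task.
- name: Configure fm-consumer@.service to run as robosignatory
  copy:
    src: fm-consumer@.service
    dest: /etc/systemd/system/fm-consumer@.service.d/local.conf
    owner: root
    group: root
    mode: "0644"
  when: env == 'staging'
  notify:
    - reload systemd
  tags:
    - config
    - robosignatory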
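# Enable and start the consumer instance. The run-as-robosignatory drop-in
# installed just above only notifies a "reload systemd" handler, which fires
# at the end of the play; without a daemon-reload here the first start on a
# fresh host would use the unit definition from before the drop-in existed.
- name: Ensure fedora-messaging is enabled and started on the backend
  systemd:
    name: fm-consumer@robosignatory.service
    enabled: true
    state: started
    daemon_reload: true
  when: env == 'staging'
  tags:
    - config
    - robosignatory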
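# tmpfiles.d entry granting the service user access to systemd-ask-password
# (presumably how the signing passphrase is supplied at start; the role does
# not show what the entry grants, see the source file).
- name: Allow robosignatory to use systemd-ask-password
  copy:
    src: ask-password-robosignatory.conf
    dest: /etc/tmpfiles.d/ask-password-robosignatory.conf
    owner: root
    group: root
    mode: "0644"
  tags:
    - config
    - robosignatory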