ansible/roles/odcs/backend/tasks/main.yml

---
- name: Install the httpd package, just to get the apache group on the system.
  package:
    pkg: httpd
    state: present
  tags:
  - packages
  - odcs
  - odcs/backend
- name: Install support files for ISO creation
  package:
    name:
    - libisoburn
    - xorriso
- name: Make sure httpd isn't running.
  service:
    name: httpd
    state: stopped
  tags:
  - odcs
  - odcs/backend
- name: Make sure odcs-celery-backend isn't running.
  service:
    name: odcs-celery-backend
    state: stopped
  tags:
  - odcs
  - odcs/backend
- name: ensure Pungi cache files have right ownership
  file:
    path: "{{ item }}"
    owner: odcs-server
    group: odcs-server
    state: touch
  with_items:
  - /var/tmp/pungi_cache_file.dbm.rw.lock
  - /var/tmp/pungi_cache_file.dbm
  tags:
    - odcs
    - odcs/backend
- name: generate the ODCS koji config
  template:
    src: etc/koji.conf.d/odcs.conf.j2
    dest: /etc/koji.conf.d/odcs.conf
    owner: odcs-server
    group: odcs-server
    mode: 0440
  notify:
  - restart odcs-celery-backend
  tags:
  - odcs
  - odcs/backend
- name: add the odcs-server user to the apache group
  user:
    name: odcs-server
    group: apache
    groups: apache
    append: true
  notify:
  - restart odcs-celery-backend
  tags:
  - odcs
  - odcs/backend
- name: migrate the database
  command: "{{ item }}"
  with_items:
  - odcs-manager upgradedb
  become: yes
  become_user: odcs-server
  when: odcs_migrate_db
  notify:
  - restart odcs-celery-backend
  tags:
  - odcs
  - odcs/backend

- name: Configure the odcs virtual host
  run_once: true
  delegate_to: "rabbitmq01{{ env_suffix }}.{{ datacenter }}.fedoraproject.org"
  rabbitmq_vhost:
    name: /odcs
    state: present
  tags:
  - rabbitmq_cluster
  - config
  - odcs
  - odcs/backend

- name: Configure the HA policy for the odcs queues
  run_once: true
  delegate_to: "rabbitmq01{{ env_suffix }}.{{ datacenter }}.fedoraproject.org"
  rabbitmq_policy:
    name: HA
    apply_to: queues
    pattern: .*
    tags:
      ha-mode: all
      ha-sync-mode: automatic  # Auto sync queues to new cluster members
      ha-sync-batch-size: 10000  # Larger is faster, but must finish in 1 net_ticktime
    vhost: /odcs
  tags:
  - rabbitmq_cluster
  - config
  - odcs
  - odcs/backend

- name: Add a policy to limit queues to 1GB and remove after a month of no use
  run_once: true
  delegate_to: "rabbitmq01{{ env_suffix }}.{{ datacenter }}.fedoraproject.org"
  rabbitmq_policy:
    apply_to: queues
    name: pubsub_sweeper
    state: present
    pattern: ".*"
    tags:
      # Unused queues are killed after 1000 * 60 * 60 * 31 milliseconds (~a month)
      expires: 111600000
      # Queues can use at most 1GB of storage
      max-length-bytes: 1073741824
    vhost: /odcs
  tags:
  - rabbitmq_cluster
  - config
  - odcs
  - odcs/backend

- name: Create the odcs-admin user for the odcs vhost (prod)
  run_once: true
  delegate_to: "rabbitmq01{{ env_suffix }}.{{ datacenter }}.fedoraproject.org"
  rabbitmq_user:
    user: odcs-admin
    password: "{{ (env == 'production')|ternary(rabbitmq_odcs_admin_password_production, rabbitmq_odcs_admin_password_staging) }}"
    vhost: /odcs
    configure_priv: .*
    read_priv: .*
    write_priv: .*
  tags:
  - rabbitmq_cluster
  - config
  - odcs
  - odcs/backend

- name: Dump the admin password in a file for administrative operations
  run_once: true
  delegate_to: "rabbitmq01{{ env_suffix }}.{{ datacenter }}.fedoraproject.org"
  copy:
    dest: /root/.odcs-rabbitmqpass
    content: "{{ (env == 'production')|ternary(rabbitmq_odcs_admin_password_production, rabbitmq_odcs_admin_password_staging) }}"
    mode: 0600
    owner: root
    group: root
  tags:
  - rabbitmq_cluster
  - config
  - odcs
  - odcs/backend

- name: Grant the admin user access to the odcs vhost
  run_once: true
  delegate_to: "rabbitmq01{{ env_suffix }}.{{ datacenter }}.fedoraproject.org"
  rabbitmq_user:
    user: admin
    vhost: /odcs
    configure_priv: .*
    read_priv: .*
    write_priv: .*
    tags: administrator
  tags:
  - rabbitmq_cluster
  - config
  - odcs
  - odcs/backend

- name: Grant the nagios-monitoring user access to the odcs vhost
  run_once: true
  delegate_to: "rabbitmq01{{ env_suffix }}.{{ datacenter }}.fedoraproject.org"
  rabbitmq_user:
    user: nagios-monitoring
    vhost: /odcs
    configure_priv: "^$"
    read_priv: "^$"
    write_priv: "^$"
    tags: monitoring
  tags:
  - rabbitmq_cluster
  - config
  - odcs
  - odcs/backend

# Create a user with:
- name: Create a user for odcs access
  run_once: true
  delegate_to: "rabbitmq01{{ env_suffix }}.{{ datacenter }}.fedoraproject.org"
  rabbitmq_user:
    user: "odcs-private-queue{{ env_suffix }}"
    vhost: /odcs
    configure_priv: .*
    write_priv: .*
    read_priv: .*
    state: present
  tags:
  - rabbitmq_cluster
  - config
  - odcs
  - odcs/backend

- name: set releng user keytab
  copy:
    src: "{{private}}/files/keytabs/{{env}}/releng"
    dest: /etc/krb5.releng.keytab
    owner: odcs-server
    group: odcs-server
    mode: 0640
  when: inventory_hostname.startswith('odcs-backend-releng')

- name: set releng odcs oidc token
  copy:
    src: "{{private}}/files/releng/{{env}}/releng-odcs-oidc-token"
    dest: /etc/releng-odcs-oidc-token
  when: inventory_hostname.startswith('odcs-backend-releng')

- name: Set MAILTO cronvar
  cronvar:
    name: MAILTO
    value: releng-cron@lists.fedoraproject.org
  when: inventory_hostname.startswith('odcs-backend-releng')


- name: Set cronjob to execute ELN periodic compose
  cron:
    name: "ELN periodic compose"
    minute: "0"
    hour: "*/4"
    job: 'odcs --token=/etc/releng-odcs-oidc-token create-raw-config --compose-type=production --label=Alpha-0.`date "+\%s"` eln eln'
  when: inventory_hostname.startswith('odcs-backend-releng')