ansible-msvsphere.ci/roles/koji_server/tasks/koji_hub.yml

---
- name: Install koji-hub and dependencies
  ansible.builtin.dnf:
    name:
      - koji-hub
      - koji-hub-plugins
      - mod_ssl
      # NOTE: python3-libsemanage is the ansible.posix.seboolean dependency
      - python3-libsemanage
    state: installed

# TODO: add FreeIPA support
- name: Generate koji-hub HTTP principal keytab
  ansible.builtin.include_role:
    name: msvsphere.ci.kerberos_principal
  vars:
    kerberos_principal_name: "{{ koji_hub_principal }}"
    kerberos_principal_keytab_path: "{{ koji_hub_keytab }}"

- name: Grant httpd read access to koji-hub keytab
  ansible.builtin.file:
    path: "{{ koji_hub_keytab }}"
    owner: root
    group: apache
    mode: 0o640
    setype: httpd_config_t
  notify:
    - restart httpd

- name: Configure koji-hub
  ansible.builtin.template:
    src: etc/koji-hub/hub.conf.j2
    dest: /etc/koji-hub/hub.conf
    owner: root
    group: apache
    mode: 0o640
  notify:
    - restart httpd

- name: Configure koji-hub httpd
  ansible.builtin.template:
    src: etc/httpd/conf.d/kojihub.conf.j2
    dest: /etc/httpd/conf.d/kojihub.conf
    owner: root
    group: root
    mode: 0o644
  notify:
    - restart httpd

- name: Configure SSL in httpd
  ansible.builtin.template:
    src: etc/httpd/conf.d/ssl.conf.j2
    dest: /etc/httpd/conf.d/ssl.conf
    owner: root
    group: root
    mode: 0o644
  notify:
    - restart httpd

- name: Enable httpd database connections in SELinux
  ansible.posix.seboolean:
    name: httpd_can_network_connect_db
    state: true
    persistent: true

- name: Allow httpd writing files in SELinux
  ansible.posix.seboolean:
    name: allow_httpd_anon_write
    state: true
    persistent: true

- name: Create /mnt/koji directory
  ansible.builtin.file:
    path: /mnt/koji
    state: directory
    owner: root
    group: root
    mode: 0o755
    setype: public_content_rw_t

- name: Create Koji working directories
  ansible.builtin.file:
    path: "/mnt/koji/{{ item }}"
    state: directory
    owner: apache
    group: apache
    mode: 0o755
    setype: public_content_rw_t
  with_items:
    - packages
    - repos
    - work
    - scratch
    - repos-dist

- name: Copy Koji CA certificate to /mnt/koji
  ansible.builtin.copy:
    src: /etc/pki/koji/koji-ca.crt
    dest: /mnt/koji/koji-ca.crt
    remote_src: yes

- name: Enable and start httpd service
  ansible.builtin.service:
    name: httpd
    enabled: true
    state: started

- name: Get firewalld service status
  ansible.builtin.systemd:
    name: firewalld
  register: firewalld_service_status

- name: Open HTTPs port on firewall
  ansible.posix.firewalld:
    zone: public
    service: https
    immediate: true
    permanent: true
    state: enabled
  when: firewalld_service_status.status.ActiveState == 'active'
Adds kerberos_principal and koji_server roles 11 months ago			`---`
			`- name: Install koji-hub and dependencies`
			`ansible.builtin.dnf:`
			`name:`
			`- koji-hub`
			`- koji-hub-plugins`
			`- mod_ssl`
			`# NOTE: python3-libsemanage is the ansible.posix.seboolean dependency`
			`- python3-libsemanage`
			`state: installed`

			`# TODO: add FreeIPA support`
			`- name: Generate koji-hub HTTP principal keytab`
			`ansible.builtin.include_role:`
			`name: msvsphere.ci.kerberos_principal`
			`vars:`
			`kerberos_principal_name: "{{ koji_hub_principal }}"`
			`kerberos_principal_keytab_path: "{{ koji_hub_keytab }}"`

			`- name: Grant httpd read access to koji-hub keytab`
			`ansible.builtin.file:`
			`path: "{{ koji_hub_keytab }}"`
			`owner: root`
			`group: apache`
			`mode: 0o640`
			`setype: httpd_config_t`
			`notify:`
			`- restart httpd`

			`- name: Configure koji-hub`
			`ansible.builtin.template:`
			`src: etc/koji-hub/hub.conf.j2`
			`dest: /etc/koji-hub/hub.conf`
			`owner: root`
			`group: apache`
			`mode: 0o640`
			`notify:`
			`- restart httpd`

			`- name: Configure koji-hub httpd`
			`ansible.builtin.template:`
			`src: etc/httpd/conf.d/kojihub.conf.j2`
			`dest: /etc/httpd/conf.d/kojihub.conf`
			`owner: root`
			`group: root`
			`mode: 0o644`
			`notify:`
			`- restart httpd`

			`- name: Configure SSL in httpd`
			`ansible.builtin.template:`
			`src: etc/httpd/conf.d/ssl.conf.j2`
			`dest: /etc/httpd/conf.d/ssl.conf`
			`owner: root`
			`group: root`
			`mode: 0o644`
			`notify:`
			`- restart httpd`

			`- name: Enable httpd database connections in SELinux`
			`ansible.posix.seboolean:`
			`name: httpd_can_network_connect_db`
			`state: true`
			`persistent: true`

			`- name: Allow httpd writing files in SELinux`
			`ansible.posix.seboolean:`
			`name: allow_httpd_anon_write`
			`state: true`
			`persistent: true`

			`- name: Create /mnt/koji directory`
			`ansible.builtin.file:`
			`path: /mnt/koji`
			`state: directory`
			`owner: root`
			`group: root`
			`mode: 0o755`
			`setype: public_content_rw_t`

			`- name: Create Koji working directories`
			`ansible.builtin.file:`
			`path: "/mnt/koji/{{ item }}"`
			`state: directory`
			`owner: apache`
			`group: apache`
			`mode: 0o755`
			`setype: public_content_rw_t`
			`with_items:`
			`- packages`
			`- repos`
			`- work`
			`- scratch`
			`- repos-dist`

			`- name: Copy Koji CA certificate to /mnt/koji`
			`ansible.builtin.copy:`
			`src: /etc/pki/koji/koji-ca.crt`
			`dest: /mnt/koji/koji-ca.crt`
			`remote_src: yes`

			`- name: Enable and start httpd service`
			`ansible.builtin.service:`
			`name: httpd`
			`enabled: true`
			`state: started`

			`- name: Get firewalld service status`
			`ansible.builtin.systemd:`
			`name: firewalld`
			`register: firewalld_service_status`

			`- name: Open HTTPs port on firewall`
			`ansible.posix.firewalld:`
			`zone: public`
			`service: https`
			`immediate: true`
			`permanent: true`
			`state: enabled`
			`when: firewalld_service_status.status.ActiveState == 'active'`