From 2af76fe3f47f3cd612c8dca6f4d19bb01a9cf45c Mon Sep 17 00:00:00 2001 
From: Eugene Zamriy Date: Fri, 22 Dec 2023 11:18:48 +0300 Subject: [PATCH] Adds Gitea installation and Koji builders support --- CHANGELOG.rst | 15 ++ README.md | 3 + changelogs/.plugin-cache.yaml | 14 +- changelogs/changelog.yaml | 17 ++ .../2-add-builders-and-git-support.yml | 2 + galaxy.yml | 4 +- roles/gitea_binary/README.md | 49 +++++ roles/gitea_binary/defaults/main.yml | 20 +++ roles/gitea_binary/handlers/main.yml | 10 ++ roles/gitea_binary/meta/argument_specs.yml | 101 +++++++++++ roles/gitea_binary/meta/main.yml | 17 ++ roles/gitea_binary/tasks/main.yml | 167 ++++++++++++++++++ roles/gitea_binary/templates/gitea.service.j2 | 17 ++ .../templates/httpd-vhost.conf.j2 | 19 ++ roles/gitea_db_server/README.md | 32 ++++ roles/gitea_db_server/defaults/main.yml | 6 + roles/gitea_db_server/handlers/main.yml | 5 + roles/gitea_db_server/meta/argument_specs.yml | 34 ++++ roles/gitea_db_server/meta/main.yml | 16 ++ roles/gitea_db_server/tasks/main.yml | 75 ++++++++ roles/koji_builder/README.md | 41 +++++ roles/koji_builder/defaults/main.yml | 13 ++ roles/koji_builder/handlers/main.yml | 5 + roles/koji_builder/meta/argument_specs.yml | 76 ++++++++ roles/koji_builder/meta/main.yml | 15 ++ roles/koji_builder/tasks/main.yml | 97 ++++++++++ roles/koji_server/README.md | 1 + roles/koji_server/defaults/main.yml | 1 + roles/koji_server/meta/argument_specs.yml | 7 + roles/koji_server/tasks/koji_add_host.yml | 20 +++ roles/koji_server/tasks/main.yml | 18 ++ roles/koji_server_ca/defaults/main.yml | 2 + 32 files changed, 917 insertions(+), 2 deletions(-) create mode 100644 changelogs/fragments-archive/2-add-builders-and-git-support.yml create mode 100644 roles/gitea_binary/README.md create mode 100644 roles/gitea_binary/defaults/main.yml create mode 100644 roles/gitea_binary/handlers/main.yml create mode 100644 roles/gitea_binary/meta/argument_specs.yml create mode 100644 roles/gitea_binary/meta/main.yml create mode 100644 roles/gitea_binary/tasks/main.yml create mode 100644 
roles/gitea_binary/templates/gitea.service.j2 create mode 100644 roles/gitea_binary/templates/httpd-vhost.conf.j2 create mode 100644 roles/gitea_db_server/README.md create mode 100644 roles/gitea_db_server/defaults/main.yml create mode 100644 roles/gitea_db_server/handlers/main.yml create mode 100644 roles/gitea_db_server/meta/argument_specs.yml create mode 100644 roles/gitea_db_server/meta/main.yml create mode 100644 roles/gitea_db_server/tasks/main.yml create mode 100644 roles/koji_builder/README.md create mode 100644 roles/koji_builder/defaults/main.yml create mode 100644 roles/koji_builder/handlers/main.yml create mode 100644 roles/koji_builder/meta/argument_specs.yml create mode 100644 roles/koji_builder/meta/main.yml create mode 100644 roles/koji_builder/tasks/main.yml create mode 100644 roles/koji_server/tasks/koji_add_host.yml create mode 100644 roles/koji_server_ca/defaults/main.yml diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 737ffff..13582bb 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -5,6 +5,21 @@ msvsphere.ci Release Notes .. contents:: Topics +v0.1.6 +====== + +Release Summary +--------------- + +Implemented Gitea installation and Koji builders support. + +New Roles +--------- + +- msvsphere.ci.gitea_binary - A role that installs Gitea from an official binary. +- msvsphere.ci.gitea_db_server - A role that configures a PostgreSQL server for Gitea. +- msvsphere.ci.koji_builder - A role that configures a Koji builder. + v0.1.5 ====== diff --git a/README.md b/README.md index 196c1b2..8d7d7cd 100644 --- a/README.md +++ b/README.md 
@@ -4,8 +4,11 @@ The MSVSphere OS CI/CD collection. ## Roles +* [gitea_binary](roles/gitea_binary/README.md) +* [gitea_db_server](roles/gitea_db_server/README.md) * [kerberos_kdc](roles/kerberos_kdc/README.md) * [kerberos_principal](roles/kerberos_principal/README.md) +* [koji_builder](roles/koji_builder/README.md) * [koji_cli](roles/koji_cli/README.md) * [koji_db_server](roles/koji_db_server/README.md) * [koji_server](roles/koji_server/README.md) diff --git a/changelogs/.plugin-cache.yaml b/changelogs/.plugin-cache.yaml index ff0d353..4eab716 100644 --- a/changelogs/.plugin-cache.yaml +++ b/changelogs/.plugin-cache.yaml @@ -1,5 +1,13 @@ objects: role: + gitea_binary: + description: A role that installs Gitea from an official binary. + name: gitea_binary + version_added: 0.1.6 + gitea_db_server: + description: A role that configures a PostgreSQL server for Gitea. + name: gitea_db_server + version_added: 0.1.6 kerberos_kdc: description: A role that installs and configures a Kerberos KDC. name: kerberos_kdc @@ -8,6 +16,10 @@ objects: description: A role that creates a kerberos principal. name: kerberos_principal version_added: 0.1.4 + koji_builder: + description: A role that configures a Koji builder. + name: koji_builder + version_added: 0.1.6 koji_cli: description: A role that installs and configures Koji CLI tools. name: koji_cli @@ -48,4 +60,4 @@ plugins: strategy: {} test: {} vars: {} -version: 0.1.5 +version: 0.1.6 diff --git a/changelogs/changelog.yaml b/changelogs/changelog.yaml index e492c22..c068e0f 100644 --- a/changelogs/changelog.yaml +++ b/changelogs/changelog.yaml 
@@ -58,3 +58,20 @@ releases: name: kerberos_kdc namespace: null release_date: '2023-12-18' + 0.1.6: + changes: + release_summary: Implemented Gitea installation and Koji builders support. + fragments: + - 2-add-builders-and-git-support.yml + objects: + role: + - description: A role that installs Gitea from an official binary. + name: gitea_binary + namespace: null + - description: A role that configures a PostgreSQL server for Gitea. + name: gitea_db_server + namespace: null + - description: A role that configures a Koji builder. + name: koji_builder + namespace: null + release_date: '2023-12-22' diff --git a/changelogs/fragments-archive/2-add-builders-and-git-support.yml b/changelogs/fragments-archive/2-add-builders-and-git-support.yml new file mode 100644 index 0000000..4829f16 --- /dev/null +++ b/changelogs/fragments-archive/2-add-builders-and-git-support.yml @@ -0,0 +1,2 @@ +--- +release_summary: Implemented Gitea installation and Koji builders support. diff --git a/galaxy.yml b/galaxy.yml index 30f1cc9..364c7d3 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -1,6 +1,6 @@ namespace: msvsphere name: ci -version: 0.1.5 +version: 0.1.6 readme: README.md authors: - Eugene Zamriy @@ -10,6 +10,8 @@ tags: - linux - msvsphere dependencies: + 'ansible.posix': '*' + 'community.general': '*' 'community.postgresql': '*' repository: https://git.inferitos.ru/msvsphere/ansible-msvsphere.ci homepage: https://git.inferitos.ru/msvsphere/ansible-msvsphere.ci diff --git a/roles/gitea_binary/README.md b/roles/gitea_binary/README.md new file mode 100644 index 0000000..8c763d6 --- /dev/null +++ b/roles/gitea_binary/README.md 
@@ -0,0 +1,49 @@ +# msvsphere.ci.gitea_binary + +An Ansible role that installs Gitea from an official binary. + +## Variables + +| Variable | Default value | Type | Description | Required | +| -------- | ------------- | ---- | ----------- | -------- | +| gitea_binary_version | "1.21.2" | str | Gitea version. | no | +| gitea_binary_url | "https://dl.gitea.com/gitea/{{ gitea_binary_version }}/gitea-{{ gitea_binary_version }}-linux-amd64" | str | Gitea binary download URL. | no | +| gitea_binary_checksum | "https://dl.gitea.com/gitea/{{ gitea_binary_version }}/gitea-{{ gitea_binary_version }}-linux-amd64.sha256" | str | Gitea binary SHA256 checksum file URL. | no | +| gitea_binary_system_user | "git" | str | Gitea system user name. | no | +| gitea_binary_system_group | "git" | str | Gitea system group name. | no | +| gitea_db_name | "gitea" | str | Gitea PostgreSQL database name. | no | +| gitea_db_user | "gitea" | str | Gitea PostgreSQL database user. | no | +| gitea_db_password | | str | Gitea PostgreSQL database user password. | yes | +| gitea_domain_name | | str | Gitea server domain name. | yes | +| gitea_admin_user | "gitadmin" | str | Gitea administrator user name. | no | +| gitea_admin_password | | str | Gitea administrator user password. | yes | +| gitea_admin_email | "{{ gitea_admin_user }}@{{ gitea_domain_name }}" | str | Gitea administrator user e-mail. | no | +| gitea_app_name | "MSVSphere Git Server" | str | Gitea application name (page title). | no | +| gitea_binary_ca_cert_path | | str | Gitea certificate authority certificate path. | yes | +| gitea_binary_cert_path | | str | Gitea certificate path. | yes | +| gitea_binary_cert_key_path | | str | Gitea certificate key path. | yes | +| gitea_binary_cert_chain_path | | str | Gitea certificate chain path. 
| yes | + +## Example playbook + +```yaml +--- +- hosts: all + roles: + - role: msvsphere.ci.gitea_binary + gitea_domain_name: 'git.msvsphere.test' + gitea_db_password: 'P@s$w0Rd' + gitea_admin_password: 'p@S$W0rD' + gitea_binary_ca_cert_path: /etc/pki/koji/koji-ca.crt + gitea_binary_cert_path: "/etc/pki/koji/{{ gitea_domain_name }}.crt" + gitea_binary_cert_key_path: "/etc/pki/koji/{{ gitea_domain_name }}.key" + gitea_binary_cert_chain_path: "/etc/pki/koji/{{ gitea_domain_name }}.crt" +``` + +## License + +MIT. + +## Authors + +* [Eugene Zamriy](mailto:ezamriy@msvsphere-os.ru) diff --git a/roles/gitea_binary/defaults/main.yml b/roles/gitea_binary/defaults/main.yml new file mode 100644 index 0000000..b548f4f --- /dev/null +++ b/roles/gitea_binary/defaults/main.yml @@ -0,0 +1,20 @@ +--- +gitea_binary_version: '1.21.2' +gitea_binary_url: "https://dl.gitea.com/gitea/{{ gitea_binary_version }}/gitea-{{ gitea_binary_version }}-linux-amd64" +gitea_binary_checksum: "https://dl.gitea.com/gitea/{{ gitea_binary_version }}/gitea-{{ gitea_binary_version }}-linux-amd64.sha256" +gitea_binary_system_user: git +gitea_binary_system_group: git +gitea_db_name: gitea +gitea_db_user: gitea +gitea_db_password: +gitea_domain_name: +gitea_admin_user: 'gitadmin' +gitea_admin_password: +gitea_admin_email: "{{ gitea_admin_user }}@{{ gitea_domain_name }}" +# Gitea application name (page title) +gitea_app_name: 'MSVSphere Git Server' +# Apache httpd configuration +gitea_binary_ca_cert_path: +gitea_binary_cert_path: +gitea_binary_cert_key_path: +gitea_binary_cert_chain_path: diff --git a/roles/gitea_binary/handlers/main.yml b/roles/gitea_binary/handlers/main.yml new file mode 100644 index 0000000..db2b225 --- /dev/null +++ b/roles/gitea_binary/handlers/main.yml @@ -0,0 +1,10 @@ +--- +- name: restart gitea + ansible.builtin.service: + name: gitea + state: restarted + +- name: restart httpd + ansible.builtin.service: + name: httpd + state: restarted 
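Review bot: `gitea_binary_checksum` defaults to a `.sha256` URL on the same host and path as `gitea_binary_url`, so the `checksum: "sha256:{{ gitea_binary_checksum }}"` in `tasks/main.yml` only proves the download matches what that server currently publishes, not that it is the release you pinned; since `gitea_binary_version` is already fixed at `'1.21.2'`, a literal digest in place of the URL (`gitea_binary_checksum: '<SHA256-OF-PINNED-RELEASE>'`, placeholder) would pin the artefact as well as the version. The download URL is also hard-wired to `linux-amd64`, so on any other architecture the role silently installs a binary that will not run; deriving the suffix from `ansible_architecture`, or at least stating the amd64 assumption in the role README, would help. The bare `gitea_db_password:` / `gitea_domain_name:` entries parse as `null`, which the precondition check in `tasks/main.yml` relies on (`vars[item] is none`), so that part is consistent with the rest of the collection.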
diff --git a/roles/gitea_binary/meta/argument_specs.yml b/roles/gitea_binary/meta/argument_specs.yml new file mode 100644 index 0000000..93866b4 --- /dev/null +++ b/roles/gitea_binary/meta/argument_specs.yml 
@@ -0,0 +1,101 @@ +--- +argument_specs: + main: + short_description: A role that installs Gitea from an official binary. + author: Eugene Zamriy + version_added: '0.1.6' + options: + gitea_binary_version: + description: Gitea version. + default: '1.21.2' + type: 'str' + required: false + + gitea_binary_url: + description: Gitea binary download URL. + default: 'https://dl.gitea.com/gitea/{{ gitea_binary_version }}/gitea-{{ gitea_binary_version }}-linux-amd64' + type: 'str' + required: false + + gitea_binary_checksum: + description: Gitea binary SHA256 checksum file URL. + default: 'https://dl.gitea.com/gitea/{{ gitea_binary_version }}/gitea-{{ gitea_binary_version }}-linux-amd64.sha256' + type: 'str' + required: false + + gitea_binary_system_user: + description: Gitea system user name. + default: git + type: 'str' + required: false + + gitea_binary_system_group: + description: Gitea system group name. + default: git + type: 'str' + required: false + + gitea_db_name: + description: Gitea PostgreSQL database name. + default: gitea + type: 'str' + required: false + + gitea_db_user: + description: Gitea PostgreSQL database user. + default: gitea + type: 'str' + required: false + + gitea_db_password: + description: Gitea PostgreSQL database user password. + type: 'str' + required: true + + gitea_domain_name: + description: Gitea server domain name. + type: 'str' + required: true + + gitea_admin_user: + description: Gitea administrator user name. + default: 'gitadmin' + type: 'str' + required: false + + gitea_admin_password: + description: Gitea administrator user password. + type: 'str' + required: true + + gitea_admin_email: + description: Gitea administrator user e-mail. + default: '{{ gitea_admin_user }}@{{ gitea_domain_name }}' + type: 'str' + required: false + + gitea_app_name: + description: Gitea application name (page title). 
+ default: 'MSVSphere Git Server' + type: 'str' + required: false + + gitea_binary_ca_cert_path: + description: Gitea certificate authority certificate path. + type: 'str' + required: true + + gitea_binary_cert_path: + description: Gitea certificate path. + type: 'str' + required: true + + gitea_binary_cert_key_path: + description: Gitea certificate key path. + type: 'str' + required: true + + gitea_binary_cert_chain_path: + description: Gitea certificate chain path. + type: 'str' + required: true diff --git a/roles/gitea_binary/meta/main.yml b/roles/gitea_binary/meta/main.yml new file mode 100644 index 0000000..08e9027 --- /dev/null +++ b/roles/gitea_binary/meta/main.yml @@ -0,0 +1,17 @@ +--- +galaxy_info: + author: Eugene Zamriy + description: A role that installs Gitea from an official binary. + company: Softline PJSC + license: MIT + min_ansible_version: 2.13 + platforms: + - name: EL + versions: + - "9" + galaxy_tags: + - gitea + - httpd + - postgresql + +dependencies: [] diff --git a/roles/gitea_binary/tasks/main.yml b/roles/gitea_binary/tasks/main.yml new file mode 100644 index 0000000..5800f43 --- /dev/null +++ b/roles/gitea_binary/tasks/main.yml 
@@ -0,0 +1,167 @@ +--- +- name: Check if required variables are defined + ansible.builtin.fail: + msg: "{{ item }} is not defined or empty" + when: | + (vars[item] is undefined) + or (vars[item] is none) + or (vars[item] | trim | length == 0) + with_items: + - gitea_admin_user + - gitea_admin_password + - gitea_admin_email + - gitea_binary_version + - gitea_binary_url + - gitea_binary_checksum + - gitea_domain_name + - gitea_binary_ca_cert_path + - gitea_binary_cert_path + - gitea_binary_cert_key_path + - gitea_binary_cert_chain_path + +- name: Add Gitea domain name to /etc/hosts + ansible.builtin.lineinfile: + dest: /etc/hosts + regexp: ".*?\\s{{ gitea_domain_name }}" + line: "127.0.0.1 {{ gitea_domain_name }}" + state: present + +- name: Install git + ansible.builtin.dnf: + name: git-core + state: installed + +- name: Download Gitea binary + ansible.builtin.get_url: + url: "{{ gitea_binary_url }}" + dest: /usr/local/bin/gitea + checksum: "sha256:{{ gitea_binary_checksum }}" + owner: root + group: root + mode: '0755' + +- name: Create Gitea system group + ansible.builtin.group: + name: "{{ gitea_binary_system_group }}" + system: true + state: present + +- name: Create Gitea system user + ansible.builtin.user: + name: "{{ gitea_binary_system_user }}" + group: "{{ gitea_binary_system_group }}" + shell: /bin/bash + home: "/home/{{ gitea_binary_system_user }}" + system: true + comment: 'Git Version Control' + +- name: Create Gitea working directories + ansible.builtin.file: + path: "{{ item }}" + state: directory + owner: "{{ gitea_binary_system_user }}" + group: "{{ gitea_binary_system_group }}" + mode: '0750' + with_items: + - /var/lib/gitea + - /var/lib/gitea/custom + - /var/lib/gitea/data + - /var/lib/gitea/log + +- name: Create Gitea configuration directory + ansible.builtin.file: + path: /etc/gitea + state: directory + owner: root + group: "{{ gitea_binary_system_group }}" + mode: '0770' + +- name: Generate Gitea configuration file + community.general.ini_file: 
+ path: /etc/gitea/app.ini + option: "{{ item.key }}" + section: "{{ item.section | default(none) }}" + value: "{{ item.value }}" + owner: "{{ gitea_binary_system_user }}" + group: "{{ gitea_binary_system_group }}" + mode: '0600' + with_items: + # default section + - { key: 'APP_NAME', value: "{{ gitea_app_name }}" } + - { key: 'RUN_USER', value: "{{ gitea_binary_system_user }}" } + - { key: 'WORK_PATH', value: '/var/lib/gitea' } + - { key: 'RUN_MODE', value: 'prod' } + # database section + - { key: 'DB_TYPE', value: 'postgres', section: 'database' } + - { key: 'HOST', value: '127.0.0.1:5432', section: 'database' } + - { key: 'NAME', value: "{{ gitea_db_name }}", section: 'database' } + - { key: 'USER', value: "{{ gitea_db_user }}", section: 'database' } + - { key: 'PASSWD', value: "{{ gitea_db_password }}", section: 'database' } + - { key: 'SCHEMA', value: '', section: 'database' } + - { key: 'SSL_MODE', value: 'disable', section: 'database' } + #- { key: 'PATH', value: '/var/lib/gitea/data/gitea.db', section: 'database'} + - { key: 'LOG_SQL', value: 'false', section: 'database' } + # repository section + - { key: 'ROOT', value: '/var/lib/gitea/data/gitea-repositories', section: 'repository' } + # server section + - { key: 'SSH_DOMAIN', value: "{{ gitea_domain_name }}", section: 'server' } + - { key: 'DOMAIN', value: "{{ gitea_domain_name }}", section: 'server' } + - { key: 'HTTP_PORT', value: '3000', section: 'server' } + - { key: 'ROOT_URL', value: "http://{{ gitea_domain_name }}/", section: 'server' } + - { key: 'APP_DATA_PATH', value: '/var/lib/gitea/data', section: 'server' } + - { key: 'DISABLE_SSH', value: 'false', section: 'server' } + - { key: 'SSH_PORT', value: '22', section: 'server' } + - { key: 'LFS_START_SERVER', value: 'true', section: 'server' } + - { key: 'OFFLINE_MODE', value: 'false', section: 'server' } + # security section + - { key: 'INSTALL_LOCK', value: 'true', section: 'security' } + notify: + - restart gitea + +- name: Generate Gitea 
systemd service + ansible.builtin.template: + src: gitea.service.j2 + dest: /etc/systemd/system/gitea.service + owner: root + group: root + mode: '0644' + +- name: Generate Gitea httpd virtual host config + ansible.builtin.template: + src: httpd-vhost.conf.j2 + dest: /etc/httpd/conf.d/{{ gitea_domain_name }}.conf + owner: root + group: root + mode: '0644' + notify: restart httpd + +- name: Enable and start Gitea systemd service + ansible.builtin.systemd_service: + name: gitea + daemon_reload: true + enabled: true + state: started + +- name: Wait for Gitea service up + ansible.builtin.uri: + url: "http://127.0.0.1:3000/" + method: GET + register: result + until: result.status == 200 + retries: 30 + delay: 2 + +- name: Check if Gitea administrator user exists + ansible.builtin.shell: + cmd: "/usr/local/bin/gitea -c /etc/gitea/app.ini admin user list --admin | tail -n +2 | grep '{{ gitea_admin_user }}'" + become: true + become_user: "{{ gitea_binary_system_user }}" + register: gitea_admin_list + changed_when: gitea_admin_list.rc != 0 + failed_when: gitea_admin_list.rc not in [0, 1] + +- name: Create Gitea administrator user + ansible.builtin.command: "/usr/local/bin/gitea -c /etc/gitea/app.ini admin user create --admin --username '{{ gitea_admin_user }}' --password '{{ gitea_admin_password }}' --email '{{ gitea_admin_email }}' --must-change-password=false" + become: true + become_user: "{{ gitea_binary_system_user }}" + when: gitea_admin_list.rc != 0 diff --git a/roles/gitea_binary/templates/gitea.service.j2 b/roles/gitea_binary/templates/gitea.service.j2 new file mode 100644 index 0000000..949310a --- /dev/null +++ b/roles/gitea_binary/templates/gitea.service.j2 
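Review bot: The `Generate Gitea configuration file` loop and the `Create Gitea administrator user` command both carry secrets (`gitea_db_password` as an item value, `gitea_admin_password` on the command line) and neither has `no_log: true`, so both passwords are printed in play output and reach any configured log or callback plugin. Passing the admin password as an argv element additionally exposes it in the process list while the command runs; that is inherent to the Gitea CLI, but `no_log` at least keeps it out of Ansible's records. The `[server]` items set `HTTP_PORT` to `3000` without an `HTTP_ADDR`, so Gitea listens on all interfaces and the TLS-terminating httpd vhost can be bypassed by connecting to port 3000 directly, while `ROOT_URL` is `http://{{ gitea_domain_name }}/` even though the only vhost is SSL, so generated links and redirects point at plain HTTP. `gitea_db_password` is `required: true` in `meta/argument_specs.yml` but missing from the precondition list at the top of this file, so an unset value reaches `app.ini` as an empty `PASSWD`. The admin-existence check greps for the user name as a substring, so an existing user such as `gitadmin2` would suppress creation of `gitadmin`; `grep -w` narrows that.
```yaml
- name: Check if required variables are defined
  # … unchanged: fail / when …
  with_items:
    - gitea_db_password
    # … unchanged: remaining variables …

# … unchanged: /etc/hosts, git, download, group, user, directories …

- name: Generate Gitea configuration file
  community.general.ini_file:
    # … unchanged: path / option / section / value / owner / group / mode …
  no_log: true  # item values include gitea_db_password
  with_items:
    # … unchanged: default, database and repository sections …
    - { key: 'HTTP_ADDR', value: '127.0.0.1', section: 'server' }
    - { key: 'ROOT_URL', value: "https://{{ gitea_domain_name }}/", section: 'server' }
    # … unchanged: remaining server and security keys …
  notify:
    - restart gitea

# … unchanged: systemd unit, vhost, service start, wait …

- name: Check if Gitea administrator user exists
  ansible.builtin.shell:
    cmd: "/usr/local/bin/gitea -c /etc/gitea/app.ini admin user list --admin | tail -n +2 | grep -w '{{ gitea_admin_user }}'"
  # … unchanged: become, become_user, register, changed_when, failed_when …

- name: Create Gitea administrator user
  # … unchanged: command, become, become_user, when …
  no_log: true  # command line carries gitea_admin_password
```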
@@ -0,0 +1,17 @@ +[Unit] +Description=Gitea (Git with a cup of tea) +After=syslog.target +After=network.target + +[Service] +RestartSec=2s +User={{ gitea_binary_system_user }} +Group={{ gitea_binary_system_group }} +WorkingDirectory=/var/lib/gitea/ +ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini +Restart=always +Environment=USER={{ gitea_binary_system_user }} HOME=/home/{{ gitea_binary_system_user }} GITEA_WORK_DIR=/var/lib/gitea +WatchdogSec=30s + +[Install] +WantedBy=multi-user.target diff --git a/roles/gitea_binary/templates/httpd-vhost.conf.j2 b/roles/gitea_binary/templates/httpd-vhost.conf.j2 new file mode 100644 index 0000000..ab74449 --- /dev/null +++ b/roles/gitea_binary/templates/httpd-vhost.conf.j2 @@ -0,0 +1,19 @@ + + ServerName {{ gitea_domain_name }} + + SSLEngine on + SSLHonorCipherOrder on + SSLCipherSuite PROFILE=SYSTEM + SSLProxyCipherSuite PROFILE=SYSTEM + SSLCertificateFile {{ gitea_binary_cert_path }} + SSLCertificateKeyFile {{ gitea_binary_cert_key_path }} + SSLCertificateChainFile {{ gitea_binary_cert_chain_path }} + SSLCACertificateFile {{ gitea_binary_ca_cert_path }} + + ProxyPreserveHost On + ProxyRequests off + AllowEncodedSlashes NoDecode + ProxyPass / http://localhost:3000/ nocanon + ErrorLog /var/log/httpd/{{ gitea_domain_name }}-error.log + CustomLog /var/log/httpd/{{ gitea_domain_name }}-access.log combined + diff --git a/roles/gitea_db_server/README.md b/roles/gitea_db_server/README.md new file mode 100644 index 0000000..8ead774 --- /dev/null +++ b/roles/gitea_db_server/README.md 
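Review bot: `WatchdogSec=30s` in the `[Service]` section only works if the Gitea binary answers the systemd watchdog; if the pinned version does not send `WATCHDOG=1` notifications, systemd will kill and restart the service every 30 s, so confirm this before relying on it. `After=syslog.target` is an obsolete target that systemd ignores; `After=network.target` alone is enough, and `Wants=network-online.target` expresses the intent better. The unit drops to `{{ gitea_binary_system_user }}` but applies no sandboxing; `ProtectSystem=full`, `PrivateTmp=yes`, `PrivateDevices=yes` and `NoNewPrivileges=true` limit what a compromised Gitea process can touch, with `ReadWritePaths=/etc/gitea` added if Gitea needs to write generated secrets back into `app.ini` on first start (not verifiable from this patch).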
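Review bot: `SSLCertificateChainFile` has been deprecated since httpd 2.4.8, where the chain is expected appended to the file named in `SSLCertificateFile`; on EL9 it logs a deprecation warning, and the role README's example already passes the same file for both, which suggests `gitea_binary_cert_chain_path` could be dropped or documented as optional. The `<VirtualHost>` open and close tags appear to have been lost when this diff was rendered, so the section itself could not be checked; if the file only defines a `*:443` host, nothing answers or redirects plain HTTP on port 80, which is worth stating in the README. `SSLProxyCipherSuite PROFILE=SYSTEM` has no effect here because the backend is proxied over plain `http://localhost:3000/`.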
@@ -0,0 +1,32 @@ +# msvsphere.ci.gitea_db_server + +An Ansible role that configures a PostgreSQL server for Gitea. + +## Variables + +| Variable | Default value | Type | Description | Required | +| -------- | ------------- | ---- | ----------- | -------- | +| gitea_db_name | "gitea" | str | Gitea database name. | no | +| gitea_db_user | "gitea" | str | Gitea database user. | no | +| gitea_db_password | | str | Gitea database user password. | yes | +| gitea_server_ip | | str | Gitea server IP address. | yes | +| gitea_db_server_password_encryption | "scram-sha-256" | str | Password encryption algorithm. | no | + +## Example playbook + +```yaml +--- +- hosts: all + roles: + - role: msvsphere.ci.gitea_db_server + gitea_server_ip: '127.0.0.1' + gitea_db_password: 'p@$Sw0Rd' +``` + +## License + +MIT. + +## Authors + +* [Eugene Zamriy](mailto:ezamriy@msvsphere-os.ru) diff --git a/roles/gitea_db_server/defaults/main.yml b/roles/gitea_db_server/defaults/main.yml new file mode 100644 index 0000000..b645985 --- /dev/null +++ b/roles/gitea_db_server/defaults/main.yml @@ -0,0 +1,6 @@ +--- +gitea_db_name: gitea +gitea_db_user: gitea +gitea_db_password: +gitea_server_ip: +gitea_db_server_password_encryption: 'scram-sha-256' diff --git a/roles/gitea_db_server/handlers/main.yml b/roles/gitea_db_server/handlers/main.yml new file mode 100644 index 0000000..29d7b69 --- /dev/null +++ b/roles/gitea_db_server/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart postgresql + ansible.builtin.service: + name: postgresql + state: restarted diff --git a/roles/gitea_db_server/meta/argument_specs.yml b/roles/gitea_db_server/meta/argument_specs.yml new file mode 100644 index 0000000..ceeb32e --- /dev/null +++ b/roles/gitea_db_server/meta/argument_specs.yml 
@@ -0,0 +1,34 @@ +--- +argument_specs: + main: + short_description: A role that configures a PostgreSQL server for Gitea. + author: Eugene Zamriy + version_added: '0.1.6' + options: + gitea_db_name: + description: Gitea database name. + default: 'gitea' + type: 'str' + required: false + + gitea_db_user: + description: Gitea database user name. + default: 'gitea' + type: 'str' + required: false + + gitea_db_password: + description: Gitea database user password. + type: 'str' + required: true + + gitea_server_ip: + description: Gitea server IP address. + type: 'str' + required: true + + gitea_db_server_password_encryption: + description: Password encryption algorithm. + default: 'scram-sha-256' + type: 'str' + required: false diff --git a/roles/gitea_db_server/meta/main.yml b/roles/gitea_db_server/meta/main.yml new file mode 100644 index 0000000..d4fdd12 --- /dev/null +++ b/roles/gitea_db_server/meta/main.yml @@ -0,0 +1,16 @@ +--- +galaxy_info: + author: Eugene Zamriy + description: A role that configures a PostgreSQL server for Gitea. + company: Softline PJSC + license: MIT + min_ansible_version: 2.13 + platforms: + - name: EL + versions: + - "9" + galaxy_tags: + - gitea + - postgresql + +dependencies: [] diff --git a/roles/gitea_db_server/tasks/main.yml b/roles/gitea_db_server/tasks/main.yml new file mode 100644 index 0000000..3883495 --- /dev/null +++ b/roles/gitea_db_server/tasks/main.yml 
@@ -0,0 +1,75 @@ +--- +- name: Check if required variables are defined + ansible.builtin.fail: + msg: "{{ item }} is not defined or empty" + when: | + (vars[item] is undefined) + or (vars[item] is none) + or (vars[item] | trim | length == 0) + with_items: + - gitea_db_name + - gitea_db_user + - gitea_db_password + - gitea_server_ip + - gitea_db_server_password_encryption + +- name: Install dependencies + dnf: + name: + - glibc-langpack-en + - python3-psycopg2 + state: present + +- name: Create Gitea database + community.postgresql.postgresql_db: + name: "{{ gitea_db_name }}" + template: template0 + encoding: UTF8 + lc_collate: en_US.UTF-8 + lc_ctype: en_US.UTF-8 + become: true + become_user: postgres + +- name: Create Gitea database user + community.postgresql.postgresql_user: + db: "{{ gitea_db_name }}" + name: "{{ gitea_db_user }}" + password: "{{ gitea_db_password }}" + environment: + PGOPTIONS: "-c password_encryption=scram-sha-256" + become: true + become_user: postgres + +- name: Get PostgreSQL server version + community.postgresql.postgresql_info: + filter: ver* + become: true + become_user: postgres + register: postgres_version + +- name: GRANT USAGE, CREATE PRIVILEGES ON SCHEMA public TO gitea_db_user + community.postgresql.postgresql_privs: + db: "{{ gitea_db_name }}" + privs: USAGE,CREATE + type: schema + objs: public + role: "{{ gitea_db_user }}" + become: true + become_user: postgres + when: postgres_version.version.major >= 15 + +- name: Allow requests from Gitea server + community.postgresql.postgresql_pg_hba: + dest: /var/lib/pgsql/data/pg_hba.conf + contype: host + databases: "{{ gitea_db_name }}" + users: "{{ gitea_db_user }}" + address: "{{ gitea_server_ip }}/32" + method: "{{ gitea_db_server_password_encryption }}" + register: pg_hba_status + +- name: Restart PostgreSQL + ansible.builtin.service: + name: postgresql + state: restarted + when: pg_hba_status.changed 
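Review bot: `PGOPTIONS: "-c password_encryption=scram-sha-256"` on `Create Gitea database user` hard-codes the hashing algorithm while `gitea_db_server_password_encryption` drives the `pg_hba` `method`, so setting the variable to anything else stores a hash of one type and authenticates with another; use the variable in both places, `PGOPTIONS: "-c password_encryption={{ gitea_db_server_password_encryption }}"`. The final `Restart PostgreSQL` task duplicates the `restart postgresql` handler this commit adds in `handlers/main.yml`; `notify: restart postgresql` on the `pg_hba` task keeps a single definition, and a reload would suffice since `pg_hba.conf` is re-read on SIGHUP. `Install dependencies` uses a bare `dnf:` where every other task in the file is fully qualified (`ansible.builtin.dnf`). The `/var/lib/pgsql/data/pg_hba.conf` path is hard-wired; a one-line comment stating that the role assumes the EL9 default data directory would save the next reader a guess.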
diff --git a/roles/koji_builder/README.md b/roles/koji_builder/README.md new file mode 100644 index 0000000..eac97e2 --- /dev/null +++ b/roles/koji_builder/README.md @@ -0,0 +1,41 @@ +# msvsphere.ci.koji_builder + +An Ansible role that configures a Koji builder. + +## Variables + +| Variable | Default value | Type | Description | Required | +| -------- | ------------- | ---- | ----------- | -------- | +| koji_domain_name | | str | Koji server domain name. | yes | +| koji_kerberos_realm | | str | Koji Kerberos realm. | yes | +| koji_builder_git_server_url | "git.inferitos.ru" | str | Sources git server domain name. | no | +| koji_builder_storage_url | "sources.inferitos.ru" | str | Sources storage domain name. | no | +| koji_builder_storage_proto | "http" | str | Sources storage protocol. | no | +| koji_builder_ca_cert_path | "/mnt/koji/koji-ca.crt" | str | Koji CA certificate path. | no | +| koji_builder_principal | "compile/{{ koji_domain_name }}@{{ koji_kerberos_realm }}" | str | Koji builder Kerberos principal. | no | +| koji_builder_keytab | "/etc/kojid/kojid.keytab" | str | Koji builder Kerberos keytab file path. | no | +| koji_builder_nfs_mount | true | bool | Mount /mnt/koji via NFS if true, use local directory otherwise. | no | +| koji_builder_distribution | MSVSphere | str | RPM distribution macros. | no | +| koji_builder_packager | MSVSphere | str | RPM packager macros. | no | +| koji_builder_vendor | MSVSphere | str | RPM vendor macros. | no | + +## Example playbook + +```yaml +--- +- hosts: all + roles: + - role: msvsphere.ci.koji_builder + koji_domain_name: 'koji.msvsphere.test' + koji_builder_nfs_mount: false + koji_kerberos_realm: 'MSVSPHERE.TEST' + koji_builder_ca_cert_path: '/etc/pki/koji/koji-ca.crt' +``` + +## License + +MIT. + +## Authors + +* [Eugene Zamriy](mailto:ezamriy@msvsphere-os.ru) diff --git a/roles/koji_builder/defaults/main.yml b/roles/koji_builder/defaults/main.yml new file mode 100644 index 0000000..4be9cb9 --- /dev/null 
+++ b/roles/koji_builder/defaults/main.yml @@ -0,0 +1,13 @@ +--- +koji_domain_name: +koji_kerberos_realm: +koji_builder_git_server_url: git.inferitos.ru +koji_builder_storage_url: sources.inferitos.ru +koji_builder_storage_proto: http +koji_builder_ca_cert_path: /mnt/koji/koji-ca.crt +koji_builder_principal: "compile/{{ koji_domain_name }}@{{ koji_kerberos_realm }}" +koji_builder_keytab: /etc/kojid/kojid.keytab +koji_builder_nfs_mount: true +koji_builder_distribution: MSVSphere +koji_builder_packager: MSVSphere +koji_builder_vendor: MSVSphere diff --git a/roles/koji_builder/handlers/main.yml b/roles/koji_builder/handlers/main.yml new file mode 100644 index 0000000..c8533b9 --- /dev/null +++ b/roles/koji_builder/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart kojid + ansible.builtin.service: + name: kojid + state: restarted diff --git a/roles/koji_builder/meta/argument_specs.yml b/roles/koji_builder/meta/argument_specs.yml new file mode 100644 index 0000000..51842d5 --- /dev/null +++ b/roles/koji_builder/meta/argument_specs.yml 
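Review bot: `koji_builder_storage_proto` defaults to `http`, and `tasks/main.yml` passes it into kojid's `allowed_scms` source command, so by default build sources are fetched from `koji_builder_storage_url` over plaintext with no transport integrity; unless `inferitpkg-get-sources` verifies checksums itself (not visible here), `https` is the safer default and the README table should say why. `koji_builder_ca_cert_path` defaults to `/mnt/koji/koji-ca.crt`, a file on the share that `koji_builder_nfs_mount` mounts, so the builder's trust anchor is read from the network by default; if that is intended, a comment above the line (`# read from the Koji NFS export; override for builders without the mount`) would make the choice explicit.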
@@ -0,0 +1,76 @@ +--- +argument_specs: + main: + short_description: A role that configures a Koji builder. + author: Eugene Zamriy + version_added: '0.1.6' + options: + koji_domain_name: + description: Koji server domain name. + type: 'str' + required: true + + koji_kerberos_realm: + description: Koji Kerberos realm. + type: 'str' + required: true + + koji_builder_git_server_url: + description: Sources git server domain name. + default: git.inferitos.ru + type: 'str' + required: false + + koji_builder_storage_url: + description: Sources storage domain name. + default: sources.inferitos.ru + type: 'str' + required: false + + koji_builder_storage_proto: + description: Sources storage protocol. + default: http + type: 'str' + required: false + + koji_builder_nfs_mount: + description: Mount /mnt/koji via NFS if true, use local directory otherwise. + default: true + type: 'bool' + required: false + + koji_builder_ca_cert_path: + description: Koji CA certificate path. + default: /mnt/koji/koji-ca.crt + type: 'str' + required: false + + koji_builder_principal: + description: Koji builder Kerberos principal. + default: 'compile/{{ koji_domain_name }}@{{ koji_kerberos_realm }}' + type: 'str' + required: false + + koji_builder_keytab: + description: Koji builder Kerberos keytab file path. + default: '/etc/kojid/kojid.keytab' + type: 'str' + required: false + + koji_builder_distribution: + description: RPM distribution macros. + default: 'MSVSphere' + type: 'str' + required: false + + koji_builder_packager: + description: RPM packager macros. + default: 'MSVSphere' + type: 'str' + required: false + + koji_builder_vendor: + description: RPM vendor macros. + default: 'MSVSphere' + type: 'str' + required: false diff --git a/roles/koji_builder/meta/main.yml b/roles/koji_builder/meta/main.yml new file mode 100644 index 0000000..586069d --- /dev/null +++ b/roles/koji_builder/meta/main.yml 
@@ -0,0 +1,15 @@ +--- +galaxy_info: + author: Eugene Zamriy + description: A role that configures a Koji builder. + company: Softline PJSC + license: MIT + min_ansible_version: 2.13 + platforms: + - name: EL + versions: + - "9" + galaxy_tags: + - koji + +dependencies: [] diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml new file mode 100644 index 0000000..9f69c99 --- /dev/null +++ b/roles/koji_builder/tasks/main.yml 
@@ -0,0 +1,97 @@
+---
+- name: Check if required variables are defined
+ ansible.builtin.fail:
+ msg: "{{ item }} is not defined or empty"
+ when: |
+ (vars[item] is undefined)
+ or (vars[item] is none)
+ or (vars[item] | trim | length == 0)
+ with_items:
+ - koji_domain_name
+ - koji_kerberos_realm
+ - koji_builder_git_server_url
+ - koji_builder_storage_url
+ - koji_builder_storage_proto
+ - koji_builder_principal
+ - koji_builder_keytab
+ - koji_builder_distribution
+ - koji_builder_packager
+ - koji_builder_vendor
+
+- name: Create /mnt/koji directory
+ ansible.builtin.file:
+ path: /mnt/koji
+ state: directory
+ owner: root
+ group: root
+ mode: '0755'
+
+- block:
+ - name: Install nfs-utils
+ ansible.builtin.dnf:
+ name: nfs-utils
+ state: installed
+
+ - name: Mount /mnt/koji NFS directory
+ ansible.posix.mount:
+ src: "{{ koji_domain_name }}:/mnt/koji"
+ path: /mnt/koji
+ fstype: nfs4
+ opts: ro
+ state: mounted
+ when: koji_builder_nfs_mount
+
+- name: Add Koji CA certificate to system
+ ansible.builtin.file:
+ src: "{{ koji_builder_ca_cert_path }}"
+ dest: /etc/pki/ca-trust/source/anchors/koji-ca.crt
+ state: link
+ register: koji_builder_ca_anchor
+
+- name: Trust Koji CA certificate
+ command: update-ca-trust extract
+ when: koji_builder_ca_anchor.changed
+ notify:
+ - restart kojid
+
+- name: Install koji-builder
+ ansible.builtin.dnf:
+ name: koji-builder
+ state: present
+
+# TODO: add FreeIPA support
+- name: Generate koji-builder principal keytab
+ ansible.builtin.include_role:
+ name: msvsphere.ci.kerberos_principal
+ vars:
+ kerberos_principal_name: "{{ koji_builder_principal }}"
+ kerberos_principal_keytab_path: "{{ koji_builder_keytab }}"
+
+- name: Configure kojid
+ community.general.ini_file:
+ path: /etc/kojid/kojid.conf
+ section: kojid
+ option: "{{ item.key }}"
+ value: "{{ item.value }}"
+ with_items:
+ - { key: 'server', value: "https://{{ koji_domain_name }}/kojihub" }
+ - { key: 'topurl', value: "https://{{ koji_domain_name
}}/kojifiles" }
+ - { key: 'topdir', value: '/mnt/koji' }
+ - { key: 'workdir', value: '/tmp/koji' }
+ - { key: 'allowed_scms', value: "{{ koji_builder_git_server_url }}:/*:false:inferitpkg-get-sources,--storage-proto,{{ koji_builder_storage_proto }},--storage-url,{{ koji_builder_storage_url }}" }
+ - { key: 'krb_principal', value: "{{ koji_builder_principal }}" }
+ - { key: 'keytab', value: "{{ koji_builder_keytab }}" }
+ - { key: 'vendor', value: "{{ koji_builder_vendor }}" }
+ - { key: 'packager', value: "{{ koji_builder_packager }}" }
+ - { key: 'distribution', value: "{{ koji_builder_distribution }}" }
+ - { key: 'use_createrepo_c', value: 'True' }
+ # NOTE: this setting allows building i686 and x86_64 architectures in parallel
+ - { key: 'build_arch_can_fail', value: 'True' }
+ notify:
+ - restart kojid
+
+- name: Enable and start kojid service
+ ansible.builtin.service:
+ name: kojid
+ enabled: true
+ state: started
diff --git a/roles/koji_server/README.md b/roles/koji_server/README.md
index cd93f21..e6a1361 100644
--- a/roles/koji_server/README.md
+++ b/roles/koji_server/README.md
@@ -7,6 +7,7 @@ An Ansible role that configures a Koji server.
 | Variable | Default value | Type | Description | Required |
 | -------- | ------------- | ---- | ----------- | -------- |
 | koji_domain_name | | str | Koji server domain name. | yes |
+| koji_builders | [] | list | Koji builders list. | no |
 | koji_db_name | "koji" | str | Koji PostgreSQL database name. | no |
 | koji_db_user | "koji" | str | Koji PostgreSQL database user. | no |
 | koji_db_password | | str | Koji PostgreSQL database user password. | yes |
diff --git a/roles/koji_server/defaults/main.yml b/roles/koji_server/defaults/main.yml
index 0fe0d1c..c059649 100644
--- a/roles/koji_server/defaults/main.yml
+++ b/roles/koji_server/defaults/main.yml
@@ -1,5 +1,6 @@
 ---
 koji_domain_name:
+koji_builders: []
 koji_db_name: koji
 koji_db_user: koji
 koji_db_password:
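Review bot: The system-wide trust anchor `/etc/pki/ca-trust/source/anchors/koji-ca.crt` is a symlink to `koji_builder_ca_cert_path`, which by default lives on the `/mnt/koji` NFS export mounted with `opts: ro` and no `sec=` option, so a CA trusted by the whole builder is only as authentic as the unauthenticated NFS transport it is read from; if the hub's NFS server supports it, `opts: ro,sec=krb5i` (or `krb5p`) gives the mount integrity, and failing that copying the certificate with `ansible.builtin.copy` and a pinned `checksum:` would make the anchor independent of the mount. The "Trust Koji CA certificate" task uses the short `command:` name while every other task in the file uses the FQCN; `ansible.builtin.command: update-ca-trust extract` keeps it consistent and lint-clean. The unnamed `- block:` around the NFS mount would read better with a `name: Mount /mnt/koji via NFS` line, and the mount itself should presumably be verified before the symlink task runs, since a missing NFS file makes `state: link` fail on the first run. This hunk begins on the previous line.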
diff --git a/roles/koji_server/meta/argument_specs.yml b/roles/koji_server/meta/argument_specs.yml
index 22da4e9..b4116ed 100644
--- a/roles/koji_server/meta/argument_specs.yml
+++ b/roles/koji_server/meta/argument_specs.yml
@@ -11,6 +11,13 @@ argument_specs: type: str required: false + koji_builders: + description: Koji builders list. + default: [] + type: list + elements: str + version_added: '0.1.6' + koji_db_user: + description: Koji database user. + default: koji
diff --git a/roles/koji_server/tasks/koji_add_host.yml b/roles/koji_server/tasks/koji_add_host.yml
new file mode 100644
index 0000000..c601660
--- /dev/null
+++ b/roles/koji_server/tasks/koji_add_host.yml
@@ -0,0 +1,20 @@
+---
+- name: Check if Koji build host is already exist
+ ansible.builtin.shell: "koji list-hosts | grep {{ koji_build_host }}"
+ ignore_errors: true
+ register: koji_list_hosts
+ changed_when: koji_list_hosts.rc != 0
+
+- name: Add Koji build host
+ ansible.builtin.command: "koji add-host {{ koji_build_host }} i386 x86_64"
+ register: koji_add_host
+ when: koji_list_hosts.rc != 0
+
+- name: Add Koji build host to createrepo channel
+ ansible.builtin.command: "koji add-host-to-channel {{ koji_build_host }} createrepo"
+ when: koji_list_hosts.rc != 0 and koji_build_host_createrepo is true
+
+# TODO: make capacity configurable
+- name: Set Koji build host capacity to 10
+ ansible.builtin.command: "koji edit-host {{ koji_build_host }} --capacity=10"
+ when: koji_list_hosts.rc != 0
diff --git a/roles/koji_server/tasks/main.yml b/roles/koji_server/tasks/main.yml
index 2f98d97..99087bb 100644
--- a/roles/koji_server/tasks/main.yml
+++ b/roles/koji_server/tasks/main.yml
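Review bot: The existence check in koji_add_host.yml, `koji list-hosts | grep {{ koji_build_host }}`, is a substring match, so once `builder10` is registered a new `builder1` matches it and is silently never added; match the whole name and shell-quote the interpolated value, `ansible.builtin.shell: "koji list-hosts | grep -Fw {{ koji_build_host | quote }}"`. Because the pipeline's exit status is grep's, a failing `koji list-hosts` (no ticket, hub unreachable) is indistinguishable from "host absent" and is further hidden by `ignore_errors: true`, so the three add/edit tasks then run and fail one after another; `changed_when: false` plus `failed_when: false` on the check, and a `koji_list_hosts.stderr` test before concluding the host is missing, would keep the play report honest and avoid the cascade. The hard-coded `i386 x86_64` architectures on `koji add-host` deserve the same TODO the capacity already carries, or a `koji_build_host_arches` variable.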
@@ -114,3 +114,21 @@
 - name: Install and configure kojira
 import_tasks: kojira.yml
+
+- name: Add Koji builders
+ block:
+ - name: Obtain Koji admin kerberos ticket
+ ansible.builtin.shell: "echo '{{ koji_admin_password }}' | kinit {{ koji_admin_principal }}"
+ changed_when: False
+
+ - include: koji_add_host.yml
+ vars:
+ koji_build_host: "{{ item }}"
+ koji_build_host_createrepo: true
+ with_items: "{{ koji_builders }}"
+ always:
+ - name: Destroy Koji admin kerberos ticket
+ ansible.builtin.command: "kdestroy -p {{ koji_admin_principal }}"
+ ignore_errors: true
+ changed_when: False
+ when: koji_builders
diff --git a/roles/koji_server_ca/defaults/main.yml b/roles/koji_server_ca/defaults/main.yml
new file mode 100644
index 0000000..b3e19d9
--- /dev/null
+++ b/roles/koji_server_ca/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+koji_server_ca_fqdn:
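Review bot: The admin password is spliced into the shell command line in "Obtain Koji admin kerberos ticket", `echo '{{ koji_admin_password }}' | kinit {{ koji_admin_principal }}`, so it is printed in the task result and any Ansible log (the task has no `no_log`), it sits in the `sh -c` argv visible to every local user while kinit runs, and a password containing `'` breaks the quoting; feed it on stdin instead, `ansible.builtin.command: "kinit {{ koji_admin_principal }}"`, `stdin: "{{ koji_admin_password }}"`, `no_log: true`. `- include: koji_add_host.yml` is the generic include that has been deprecated for years and is removed in current ansible-core; `ansible.builtin.include_tasks: koji_add_host.yml` accepts the same `vars:` and `with_items:` and matches the FQCN style used in the rest of the block. `changed_when: False` on both tasks should be the canonical lowercase `false`.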