Adds Gitea installation and Koji builders support

CHANGELOG.rst

@@ -5,6 +5,21 @@ msvsphere.ci Release Notes
 .. contents:: Topics
 
 
+v0.1.6
+======
+
+Release Summary
+---------------
+
+Implemented Gitea installation and Koji builders support.
+
+New Roles
+---------
+
+- msvsphere.ci.gitea_binary - A role that installs Gitea from an official binary.
+- msvsphere.ci.gitea_db_server - A role that configures a PostgreSQL server for Gitea.
+- msvsphere.ci.koji_builder - A role that configures a Koji builder.
+
 v0.1.5
 ======
 

README.md

@@ -4,8 +4,11 @@ The MSVSphere OS CI/CD collection.
 
 ## Roles
 
+* [gitea_binary](roles/gitea_binary/README.md)
+* [gitea_db_server](roles/gitea_db_server/README.md)
 * [kerberos_kdc](roles/kerberos_kdc/README.md)
 * [kerberos_principal](roles/kerberos_principal/README.md)
+* [koji_builder](roles/koji_builder/README.md)
 * [koji_cli](roles/koji_cli/README.md)
 * [koji_db_server](roles/koji_db_server/README.md)
 * [koji_server](roles/koji_server/README.md)

changelogs/.plugin-cache.yaml

@@ -1,5 +1,13 @@
 objects:
   role:
+    gitea_binary:
+      description: A role that installs Gitea from an official binary.
+      name: gitea_binary
+      version_added: 0.1.6
+    gitea_db_server:
+      description: A role that configures a PostgreSQL server for Gitea.
+      name: gitea_db_server
+      version_added: 0.1.6
     kerberos_kdc:
       description: A role that installs and configures a Kerberos KDC.
       name: kerberos_kdc
@@ -8,6 +16,10 @@ objects:
       description: A role that creates a kerberos principal.
       name: kerberos_principal
       version_added: 0.1.4
+    koji_builder:
+      description: A role that configures a Koji builder.
+      name: koji_builder
+      version_added: 0.1.6
     koji_cli:
       description: A role that installs and configures Koji CLI tools.
       name: koji_cli
@@ -48,4 +60,4 @@ plugins:
   strategy: {}
   test: {}
   vars: {}
-version: 0.1.5
+version: 0.1.6

changelogs/changelog.yaml

@@ -58,3 +58,20 @@ releases:
         name: kerberos_kdc
         namespace: null
     release_date: '2023-12-18'
+  0.1.6:
+    changes:
+      release_summary: Implemented Gitea installation and Koji builders support.
+    fragments:
+    - 2-add-builders-and-git-support.yml
+    objects:
+      role:
+      - description: A role that installs Gitea from an official binary.
+        name: gitea_binary
+        namespace: null
+      - description: A role that configures a PostgreSQL server for Gitea.
+        name: gitea_db_server
+        namespace: null
+      - description: A role that configures a Koji builder.
+        name: koji_builder
+        namespace: null
+    release_date: '2023-12-22'

changelogs/fragments-archive/2-add-builders-and-git-support.yml

@@ -0,0 +1,2 @@
+---
+release_summary: Implemented Gitea installation and Koji builders support.

galaxy.yml

@@ -1,6 +1,6 @@
 namespace: msvsphere
 name: ci
-version: 0.1.5
+version: 0.1.6
 readme: README.md
 authors:
   - Eugene Zamriy <ezamriy@msvsphere-os.ru>
@@ -10,6 +10,8 @@ tags:
   - linux
   - msvsphere
 dependencies:
+  'ansible.posix': '*'
+  'community.general': '*'
   'community.postgresql': '*'
 repository: https://git.inferitos.ru/msvsphere/ansible-msvsphere.ci
 homepage: https://git.inferitos.ru/msvsphere/ansible-msvsphere.ci

roles/gitea_binary/README.md

@@ -0,0 +1,49 @@
+# msvsphere.ci.gitea_binary
+
+An Ansible role that installs Gitea from an official binary.
+
+## Variables
+
+| Variable | Default value | Type | Description | Required |
+| -------- | ------------- | ---- | ----------- | -------- |
+| gitea_binary_version | "1.21.2" | str | Gitea version. | no |
+| gitea_binary_url | "https://dl.gitea.com/gitea/{{ gitea_binary_version }}/gitea-{{ gitea_binary_version }}-linux-amd64" | str | Gitea binary download URL. | no |
+| gitea_binary_checksum | "https://dl.gitea.com/gitea/{{ gitea_binary_version }}/gitea-{{ gitea_binary_version }}-linux-amd64.sha256" | str | Gitea binary SHA256 checksum file URL. | no |
+| gitea_binary_system_user | "git" | str | Gitea system user name. | no |
+| gitea_binary_system_group | "git" | str | Gitea system group name. | no |
+| gitea_db_name | "gitea" | str | Gitea PostgreSQL database name. | no |
+| gitea_db_user | "gitea" | str | Gitea PostgreSQL database user. | no |
+| gitea_db_password | | str | Gitea PostgreSQL database user password. | yes |
+| gitea_domain_name | | str | Gitea server domain name. | yes |
+| gitea_admin_user | "gitadmin" | str | Gitea administrator user name. | no |
+| gitea_admin_password | | str | Gitea administrator user password. | yes |
+| gitea_admin_email | "{{ gitea_admin_user }}@{{ gitea_domain_name }}" | str | Gitea administrator user e-mail. | no |
+| gitea_app_name | "MSVSphere Git Server" | str | Gitea application name (page title). | no |
+| gitea_binary_ca_cert_path | | str | Gitea certificate authority certificate path. | yes |
+| gitea_binary_cert_path | | str | Gitea certificate path. | yes |
+| gitea_binary_cert_key_path | | str | Gitea certificate key path. | yes |
+| gitea_binary_cert_chain_path | | str | Gitea certificate chain path. | yes |
+
+## Example playbook
+
+```yaml
+---
+- hosts: all
+  roles:
+    - role: msvsphere.ci.gitea_binary
+      gitea_domain_name: 'git.msvsphere.test'
+      gitea_db_password: 'P@s$w0Rd'
+      gitea_admin_password: 'p@S$W0rD'
+      gitea_binary_ca_cert_path: /etc/pki/koji/koji-ca.crt
+      gitea_binary_cert_path: "/etc/pki/koji/{{ gitea_domain_name }}.crt"
+      gitea_binary_cert_key_path: "/etc/pki/koji/{{ gitea_domain_name }}.key"
+      gitea_binary_cert_chain_path: "/etc/pki/koji/{{ gitea_domain_name }}.crt"
+```
+
+## License
+
+MIT.
+
+## Authors
+
+* [Eugene Zamriy](mailto:ezamriy@msvsphere-os.ru)

roles/gitea_binary/defaults/main.yml

@@ -0,0 +1,20 @@
+---
+gitea_binary_version: '1.21.2'
+gitea_binary_url: "https://dl.gitea.com/gitea/{{ gitea_binary_version }}/gitea-{{ gitea_binary_version }}-linux-amd64"
+gitea_binary_checksum: "https://dl.gitea.com/gitea/{{ gitea_binary_version }}/gitea-{{ gitea_binary_version }}-linux-amd64.sha256"
+gitea_binary_system_user: git
+gitea_binary_system_group: git
+gitea_db_name: gitea
+gitea_db_user: gitea
+gitea_db_password:
+gitea_domain_name:
+gitea_admin_user: 'gitadmin'
+gitea_admin_password:
+gitea_admin_email: "{{ gitea_admin_user }}@{{ gitea_domain_name }}"
+# Gitea application name (page title)
+gitea_app_name: 'MSVSphere Git Server'
+# Apache httpd configuration
+gitea_binary_ca_cert_path:
+gitea_binary_cert_path:
+gitea_binary_cert_key_path:
+gitea_binary_cert_chain_path:

roles/gitea_binary/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+- name: restart gitea
+  ansible.builtin.service:
+    name: gitea
+    state: restarted
+
+- name: restart httpd
+  ansible.builtin.service:
+    name: httpd
+    state: restarted

roles/gitea_binary/meta/argument_specs.yml

@@ -0,0 +1,101 @@
+---
+argument_specs:
+  main:
+    short_description: A role that installs Gitea from an official binary.
+    author: Eugene Zamriy
+    version_added: '0.1.6'
+    options:
+      gitea_binary_version:
+        description: Gitea version.
+        default: '1.21.2'
+        type: 'str'
+        required: false
+
+      gitea_binary_url:
+        description: Gitea binary download URL.
+        default: 'https://dl.gitea.com/gitea/{{ gitea_binary_version }}/gitea-{{ gitea_binary_version }}-linux-amd64'
+        type: 'str'
+        required: false
+
+      gitea_binary_checksum:
+        description: Gitea binary SHA256 checksum file URL.
+        default: 'https://dl.gitea.com/gitea/{{ gitea_binary_version }}/gitea-{{ gitea_binary_version }}-linux-amd64.sha256'
+        type: 'str'
+        required: false
+
+      gitea_binary_system_user:
+        description: Gitea system user name.
+        default: git
+        type: 'str'
+        required: false
+
+      gitea_binary_system_group:
+        description: Gitea system group name.
+        default: git
+        type: 'str'
+        required: false
+
+      gitea_db_name:
+        description: Gitea PostgreSQL database name.
+        default: gitea
+        type: 'str'
+        required: false
+
+      gitea_db_user:
+        description: Gitea PostgreSQL database user.
+        default: gitea
+        type: 'str'
+        required: false
+
+      gitea_db_password:
+        description: Gitea PostgreSQL database user password.
+        type: 'str'
+        required: true
+
+      gitea_domain_name:
+        description: Gitea server domain name.
+        type: 'str'
+        required: true
+
+      gitea_admin_user:
+        description: Gitea administrator user name.
+        default: 'gitadmin'
+        type: 'str'
+        required: false
+
+      gitea_admin_password:
+        description: Gitea administrator user password.
+        type: 'str'
+        required: true
+
+      gitea_admin_email:
+        description: Gitea administrator user e-mail.
+        default: '{{ gitea_admin_user }}@{{ gitea_domain_name }}'
+        type: 'str'
+        required: false
+
+      gitea_app_name:
+        description: Gitea application name (page title).
+        default: 'MSVSphere Git Server'
+        type: 'str'
+        required: false
+
+      gitea_binary_ca_cert_path:
+        description: Gitea certificate authority certificate path.
+        type: 'str'
+        required: true
+
+      gitea_binary_cert_path:
+        description: Gitea certificate path.
+        type: 'str'
+        required: true
+
+      gitea_binary_cert_key_path:
+        description: Gitea certificate key path.
+        type: 'str'
+        required: true
+
+      gitea_binary_cert_chain_path:
+        description: Gitea certificate chain path.
+        type: 'str'
+        required: true

roles/gitea_binary/meta/main.yml

@@ -0,0 +1,17 @@
+---
+galaxy_info:
+  author: Eugene Zamriy
+  description: A role that installs Gitea from an official binary.
+  company: Softline PJSC
+  license: MIT
+  min_ansible_version: 2.13
+  platforms:
+    - name: EL
+      versions:
+        - "9"
+  galaxy_tags:
+    - gitea
+    - httpd
+    - postgresql
+
+dependencies: []

roles/gitea_binary/tasks/main.yml

@@ -0,0 +1,167 @@
+---
+- name: Check if required variables are defined
+  ansible.builtin.fail:
+    msg: "{{ item }} is not defined or empty"
+  when: |
+    (vars[item] is undefined)
+    or (vars[item] is none)
+    or (vars[item] | trim | length == 0)    
+  with_items:
+    - gitea_admin_user
+    - gitea_admin_password
+    - gitea_admin_email
+    - gitea_binary_version
+    - gitea_binary_url
+    - gitea_binary_checksum
+    - gitea_domain_name
+    - gitea_binary_ca_cert_path
+    - gitea_binary_cert_path
+    - gitea_binary_cert_key_path
+    - gitea_binary_cert_chain_path
+
+- name: Add Gitea domain name to /etc/hosts
+  ansible.builtin.lineinfile:
+    dest: /etc/hosts
+    regexp: ".*?\\s{{ gitea_domain_name }}"
+    line: "127.0.0.1   {{ gitea_domain_name }}"
+    state: present
+
+- name: Install git
+  ansible.builtin.dnf:
+    name: git-core
+    state: installed
+
+- name: Download Gitea binary
+  ansible.builtin.get_url:
+    url: "{{ gitea_binary_url }}"
+    dest: /usr/local/bin/gitea
+    checksum: "sha256:{{ gitea_binary_checksum }}"
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: Create Gitea system group
+  ansible.builtin.group:
+    name: "{{ gitea_binary_system_group }}"
+    system: true
+    state: present
+
+- name: Create Gitea system user
+  ansible.builtin.user:
+    name: "{{ gitea_binary_system_user }}"
+    group: "{{ gitea_binary_system_group }}"
+    shell: /bin/bash
+    home: "/home/{{ gitea_binary_system_user }}"
+    system: true
+    comment: 'Git Version Control'
+
+- name: Create Gitea working directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ gitea_binary_system_user }}"
+    group: "{{ gitea_binary_system_group }}"
+    mode: '0750'
+  with_items:
+    - /var/lib/gitea
+    - /var/lib/gitea/custom
+    - /var/lib/gitea/data
+    - /var/lib/gitea/log
+
+- name: Create Gitea configuration directory
+  ansible.builtin.file:
+    path: /etc/gitea
+    state: directory
+    owner: root
+    group: "{{ gitea_binary_system_group }}"
+    mode: '0770'
+
+- name: Generate Gitea configuration file
+  community.general.ini_file:
+    path: /etc/gitea/app.ini
+    option: "{{ item.key }}"
+    section: "{{ item.section | default(none) }}"
+    value: "{{ item.value }}"
+    owner: "{{ gitea_binary_system_user }}"
+    group: "{{ gitea_binary_system_group }}"
+    mode: '0600'
+  with_items:
+    # default section
+    - { key: 'APP_NAME', value: "{{ gitea_app_name }}" }
+    - { key: 'RUN_USER', value: "{{ gitea_binary_system_user }}" }
+    - { key: 'WORK_PATH', value: '/var/lib/gitea' }
+    - { key: 'RUN_MODE', value: 'prod' }
+    # database section
+    - { key: 'DB_TYPE', value: 'postgres', section: 'database' }
+    - { key: 'HOST', value: '127.0.0.1:5432', section: 'database' }
+    - { key: 'NAME', value: "{{ gitea_db_name }}", section: 'database' }
+    - { key: 'USER', value: "{{ gitea_db_user }}", section: 'database' }
+    - { key: 'PASSWD', value: "{{ gitea_db_password }}", section: 'database' }
+    - { key: 'SCHEMA', value: '', section: 'database' }
+    - { key: 'SSL_MODE', value: 'disable', section: 'database' }
+    #- { key: 'PATH', value: '/var/lib/gitea/data/gitea.db', section: 'database'}
+    - { key: 'LOG_SQL', value: 'false', section: 'database' }
+    # repository section
+    - { key: 'ROOT', value: '/var/lib/gitea/data/gitea-repositories', section: 'repository' }
+    # server section
+    - { key: 'SSH_DOMAIN', value: "{{ gitea_domain_name }}", section: 'server' }
+    - { key: 'DOMAIN', value: "{{ gitea_domain_name }}", section: 'server' }
+    - { key: 'HTTP_PORT', value: '3000', section: 'server' }
+    - { key: 'ROOT_URL', value: "http://{{ gitea_domain_name }}/", section: 'server' }
+    - { key: 'APP_DATA_PATH', value: '/var/lib/gitea/data', section: 'server' }
+    - { key: 'DISABLE_SSH', value: 'false', section: 'server' }
+    - { key: 'SSH_PORT', value: '22', section: 'server' }
+    - { key: 'LFS_START_SERVER', value: 'true', section: 'server' }
+    - { key: 'OFFLINE_MODE', value: 'false', section: 'server' }
+    # security section
+    - { key: 'INSTALL_LOCK', value: 'true', section: 'security' }
+  notify:
+    - restart gitea
+
+- name: Generate Gitea systemd service
+  ansible.builtin.template:
+    src: gitea.service.j2
+    dest: /etc/systemd/system/gitea.service
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Generate Gitea httpd virtual host config
+  ansible.builtin.template:
+    src: httpd-vhost.conf.j2
+    dest: /etc/httpd/conf.d/{{ gitea_domain_name }}.conf
+    owner: root
+    group: root
+    mode: '0644'
+  notify: restart httpd
+
+- name: Enable and start Gitea systemd service
+  ansible.builtin.systemd_service:
+    name: gitea
+    daemon_reload: true
+    enabled: true
+    state: started
+
+- name: Wait for Gitea service up
+  ansible.builtin.uri:
+    url: "http://127.0.0.1:3000/"
+    method: GET
+  register: result
+  until: result.status == 200
+  retries: 30
+  delay: 2
+
+- name: Check if Gitea administrator user exists
+  ansible.builtin.shell:
+    cmd: "/usr/local/bin/gitea -c /etc/gitea/app.ini admin user list --admin | tail -n +2 | grep '{{ gitea_admin_user }}'"
+  become: true
+  become_user: "{{ gitea_binary_system_user }}"
+  register: gitea_admin_list
+  changed_when: gitea_admin_list.rc != 0
+  failed_when: gitea_admin_list.rc not in [0, 1]
+
+- name: Create Gitea administrator user
+  ansible.builtin.command: "/usr/local/bin/gitea -c /etc/gitea/app.ini admin user create --admin --username '{{ gitea_admin_user }}' --password '{{ gitea_admin_password }}' --email '{{ gitea_admin_email }}' --must-change-password=false"
+  become: true
+  become_user: "{{ gitea_binary_system_user }}"
+  when: gitea_admin_list.rc != 0

roles/gitea_binary/templates/gitea.service.j2

@@ -0,0 +1,17 @@
+[Unit]
+Description=Gitea (Git with a cup of tea)
+After=syslog.target
+After=network.target
+
+[Service]
+RestartSec=2s
+User={{ gitea_binary_system_user }}
+Group={{ gitea_binary_system_group }}
+WorkingDirectory=/var/lib/gitea/
+ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
+Restart=always
+Environment=USER={{ gitea_binary_system_user }} HOME=/home/{{ gitea_binary_system_user }} GITEA_WORK_DIR=/var/lib/gitea
+WatchdogSec=30s
+
+[Install]
+WantedBy=multi-user.target

roles/gitea_binary/templates/httpd-vhost.conf.j2

@@ -0,0 +1,19 @@
+<virtualhost *:443>
+  ServerName {{ gitea_domain_name }}
+  
+  SSLEngine on
+  SSLHonorCipherOrder on
+  SSLCipherSuite PROFILE=SYSTEM
+  SSLProxyCipherSuite PROFILE=SYSTEM
+  SSLCertificateFile {{ gitea_binary_cert_path }}
+  SSLCertificateKeyFile {{ gitea_binary_cert_key_path }}
+  SSLCertificateChainFile {{ gitea_binary_cert_chain_path }}
+  SSLCACertificateFile {{ gitea_binary_ca_cert_path }}
+  
+  ProxyPreserveHost On
+  ProxyRequests off
+  AllowEncodedSlashes NoDecode
+  ProxyPass / http://localhost:3000/ nocanon
+  ErrorLog /var/log/httpd/{{ gitea_domain_name }}-error.log
+  CustomLog /var/log/httpd/{{ gitea_domain_name }}-access.log combined
+</virtualhost>

roles/gitea_db_server/README.md

@@ -0,0 +1,32 @@
+# msvsphere.ci.gitea_db_server
+
+An Ansible role that configures a PostgreSQL server for Gitea.
+
+## Variables
+
+| Variable | Default value | Type | Description | Required |
+| -------- | ------------- | ---- | ----------- | -------- |
+| gitea_db_name | "gitea" | str | Gitea database name. | no |
+| gitea_db_user | "gitea" | str | Gitea database user. | no |
+| gitea_db_password | | str | Gitea database user password. | yes |
+| gitea_server_ip | | str | Gitea server IP address. | yes |
+| gitea_db_server_password_encryption | "scram-sha-256" | str | Password encryption algorithm. | no |
+
+## Example playbook
+
+```yaml
+---
+- hosts: all
+  roles:
+    - role: msvsphere.ci.gitea_db_server
+      gitea_server_ip: '127.0.0.1'
+      gitea_db_password: 'p@$Sw0Rd'
+```
+
+## License
+
+MIT.
+
+## Authors
+
+* [Eugene Zamriy](mailto:ezamriy@msvsphere-os.ru)

roles/gitea_db_server/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+gitea_db_name: gitea
+gitea_db_user: gitea
+gitea_db_password:
+gitea_server_ip:
+gitea_db_server_password_encryption: 'scram-sha-256'

roles/gitea_db_server/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart postgresql
+  ansible.builtin.service:
+    name: postgresql
+    state: restarted

roles/gitea_db_server/meta/argument_specs.yml

@@ -0,0 +1,34 @@
+---
+argument_specs:
+  main:
+    short_description: A role that configures a PostgreSQL server for Gitea.
+    author: Eugene Zamriy
+    version_added: '0.1.6'
+    options:
+      gitea_db_name:
+        description: Gitea database name.
+        default: 'gitea'
+        type: 'str'
+        required: false
+
+      gitea_db_user:
+        description: Gitea database user name.
+        default: 'gitea'
+        type: 'str'
+        required: false
+
+      gitea_db_password:
+        description: Gitea database user password.
+        type: 'str'
+        required: true
+
+      gitea_server_ip:
+        description: Gitea server IP address.
+        type: 'str'
+        required: true
+
+      gitea_db_server_password_encryption:
+        description: Password encryption algorithm.
+        default: 'scram-sha-256'
+        type: 'str'
+        required: false

roles/gitea_db_server/meta/main.yml

@@ -0,0 +1,16 @@
+---
+galaxy_info:
+  author: Eugene Zamriy
+  description: A role that configures a PostgreSQL server for Gitea.
+  company: Softline PJSC
+  license: MIT
+  min_ansible_version: 2.13
+  platforms:
+    - name: EL
+      versions:
+        - "9"
+  galaxy_tags:
+    - gitea
+    - postgresql
+
+dependencies: []

roles/gitea_db_server/tasks/main.yml

@@ -0,0 +1,75 @@
+---
+- name: Check if required variables are defined
+  ansible.builtin.fail:
+    msg: "{{ item }} is not defined or empty"
+  when: |
+    (vars[item] is undefined)
+    or (vars[item] is none)
+    or (vars[item] | trim | length == 0)    
+  with_items:
+    - gitea_db_name
+    - gitea_db_user
+    - gitea_db_password
+    - gitea_server_ip
+    - gitea_db_server_password_encryption
+
+- name: Install dependencies
+  dnf:
+    name:
+      - glibc-langpack-en
+      - python3-psycopg2
+    state: present
+
+- name: Create Gitea database
+  community.postgresql.postgresql_db:
+    name: "{{ gitea_db_name }}"
+    template: template0
+    encoding: UTF8
+    lc_collate: en_US.UTF-8
+    lc_ctype: en_US.UTF-8
+  become: true
+  become_user: postgres
+
+- name: Create Gitea database user
+  community.postgresql.postgresql_user:
+    db: "{{ gitea_db_name }}"
+    name: "{{ gitea_db_user }}"
+    password: "{{ gitea_db_password }}"
+  environment:
+    PGOPTIONS: "-c password_encryption=scram-sha-256"
+  become: true
+  become_user: postgres
+
+- name: Get PostgreSQL server version
+  community.postgresql.postgresql_info:
+    filter: ver*
+  become: true
+  become_user: postgres
+  register: postgres_version
+
+- name: GRANT USAGE, CREATE PRIVILEGES ON SCHEMA public TO gitea_db_user
+  community.postgresql.postgresql_privs:
+    db: "{{ gitea_db_name }}"
+    privs: USAGE,CREATE
+    type: schema
+    objs: public
+    role: "{{ gitea_db_user }}"
+  become: true
+  become_user: postgres
+  when: postgres_version.version.major >= 15
+
+- name: Allow requests from Gitea server
+  community.postgresql.postgresql_pg_hba:
+    dest: /var/lib/pgsql/data/pg_hba.conf
+    contype: host
+    databases: "{{ gitea_db_name }}"
+    users: "{{ gitea_db_user }}"
+    address: "{{ gitea_server_ip }}/32"
+    method: "{{ gitea_db_server_password_encryption }}"
+  register: pg_hba_status
+
+- name: Restart PostgreSQL
+  ansible.builtin.service:
+    name: postgresql
+    state: restarted
+  when: pg_hba_status.changed

roles/koji_builder/README.md

@@ -0,0 +1,41 @@
+# msvsphere.ci.koji_builder
+
+An Ansible role that configures a Koji builder.
+
+## Variables
+
+| Variable | Default value | Type | Description | Required |
+| -------- | ------------- | ---- | ----------- | -------- |
+| koji_domain_name | | str | Koji server domain name. | yes |
+| koji_kerberos_realm | | str | Koji Kerberos realm.     | yes |
+| koji_builder_git_server_url | "git.inferitos.ru" | str | Sources git server domain name. | no |
+| koji_builder_storage_url | "sources.inferitos.ru" | str | Sources storage domain name. | no |
+| koji_builder_storage_proto | "http" | str | Sources storage protocol. | no |
+| koji_builder_ca_cert_path | "/mnt/koji/koji-ca.crt" | str | Koji CA certificate path. | no |
+| koji_builder_principal | "compile/{{ koji_domain_name }}@{{ koji_kerberos_realm }}" | str | Koji builder Kerberos principal. | no |
+| koji_builder_keytab | "/etc/kojid/kojid.keytab" | str | Koji builder Kerberos keytab file path. | no |
+| koji_builder_nfs_mount | true | bool | Mount /mnt/koji via NFS if true, use local directory otherwise. | no |
+| koji_builder_distribution | MSVSphere | str | RPM distribution macros. | no |
+| koji_builder_packager | MSVSphere | str | RPM packager macros. | no |
+| koji_builder_vendor | MSVSphere | str | RPM vendor macros. | no |
+
+## Example playbook
+
+```yaml
+---
+- hosts: all
+  roles:
+    - role: msvsphere.ci.koji_builder
+      koji_domain_name: 'koji.msvsphere.test'
+      koji_builder_nfs_mount: false
+      koji_kerberos_realm: 'MSVSPHERE.TEST'
+      koji_builder_ca_cert_path: '/etc/pki/koji/koji-ca.crt'
+```
+
+## License
+
+MIT.
+
+## Authors
+
+* [Eugene Zamriy](mailto:ezamriy@msvsphere-os.ru)

roles/koji_builder/defaults/main.yml

@@ -0,0 +1,13 @@
+---
+koji_domain_name:
+koji_kerberos_realm:
+koji_builder_git_server_url: git.inferitos.ru
+koji_builder_storage_url: sources.inferitos.ru
+koji_builder_storage_proto: http
+koji_builder_ca_cert_path: /mnt/koji/koji-ca.crt
+koji_builder_principal: "compile/{{ koji_domain_name }}@{{ koji_kerberos_realm }}"
+koji_builder_keytab: /etc/kojid/kojid.keytab
+koji_builder_nfs_mount: true
+koji_builder_distribution: MSVSphere
+koji_builder_packager: MSVSphere
+koji_builder_vendor: MSVSphere

roles/koji_builder/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart kojid
+  ansible.builtin.service:
+    name: kojid
+    state: restarted

roles/koji_builder/meta/argument_specs.yml

@@ -0,0 +1,76 @@
+---
+argument_specs:
+  main:
+    short_description: A role that configures a Koji builder.
+    author: Eugene Zamriy
+    version_added: '0.1.6'
+    options:
+      koji_domain_name:
+        description: Koji server domain name.
+        type: 'str'
+        required: true
+
+      koji_kerberos_realm:
+        description: Koji Kerberos realm.
+        type: 'str'
+        required: true
+
+      koji_builder_git_server_url:
+        description: Sources git server domain name.
+        default: git.inferitos.ru
+        type: 'str'
+        required: false
+
+      koji_builder_storage_url:
+        description: Sources storage domain name.
+        default: sources.inferitos.ru
+        type: 'str'
+        required: false
+
+      koji_builder_storage_proto:
+        description: Sources storage protocol.
+        default: http
+        type: 'str'
+        required: false
+
+      koji_builder_nfs_mount:
+        description: Mount /mnt/koji via NFS if true, use local directory otherwise.
+        default: true
+        type: 'bool'
+        required: false
+
+      koji_builder_ca_cert_path:
+        description: Koji CA certificate path.
+        default: /mnt/koji/koji-ca.crt
+        type: 'str'
+        required: false
+
+      koji_builder_principal:
+        description: Koji builder Kerberos principal.
+        default: 'compile/{{ koji_domain_name }}@{{ koji_kerberos_realm }}'
+        type: 'str'
+        required: false
+
+      koji_builder_keytab:
+        description: Koji builder Kerberos keytab file path.
+        default: '/etc/kojid/kojid.keytab'
+        type: 'str'
+        required: false
+
+      koji_builder_distribution:
+        description: RPM distribution macros.
+        default: 'MSVSphere'
+        type: 'str'
+        required: false
+
+      koji_builder_packager:
+        description: RPM packager macros.
+        default: 'MSVSphere'
+        type: 'str'
+        required: false
+
+      koji_builder_vendor:
+        description: RPM vendor macros.
+        default: 'MSVSphere'
+        type: 'str'
+        required: false

roles/koji_builder/meta/main.yml

@@ -0,0 +1,15 @@
+---
+galaxy_info:
+  author: Eugene Zamriy
+  description: A role that configures a Koji builder.
+  company: Softline PJSC
+  license: MIT
+  min_ansible_version: 2.13
+  platforms:
+    - name: EL
+      versions:
+        - "9"
+  galaxy_tags:
+    - koji
+
+dependencies: []

roles/koji_builder/tasks/main.yml

@@ -0,0 +1,97 @@
+---
+- name: Check if required variables are defined
+  ansible.builtin.fail:
+    msg: "{{ item }} is not defined or empty"
+  when: |
+    (vars[item] is undefined)
+    or (vars[item] is none)
+    or (vars[item] | trim | length == 0)    
+  with_items:
+    - koji_domain_name
+    - koji_kerberos_realm
+    - koji_builder_git_server_url
+    - koji_builder_storage_url
+    - koji_builder_storage_proto
+    - koji_builder_principal
+    - koji_builder_keytab
+    - koji_builder_distribution
+    - koji_builder_packager
+    - koji_builder_vendor
+
+- name: Create /mnt/koji directory
+  ansible.builtin.file:
+    path: /mnt/koji
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+
+- block:
+    - name: Install nfs-utils
+      ansible.builtin.dnf:
+        name: nfs-utils
+        state: installed
+
+    - name: Mount /mnt/koji NFS directory
+      ansible.posix.mount:
+        src: "{{ koji_domain_name }}:/mnt/koji"
+        path: /mnt/koji
+        fstype: nfs4
+        opts: ro
+        state: mounted
+  when: koji_builder_nfs_mount
+
+- name: Add Koji CA certificate to system
+  ansible.builtin.file:
+    src: "{{ koji_builder_ca_cert_path }}"
+    dest: /etc/pki/ca-trust/source/anchors/koji-ca.crt
+    state: link
+  register: koji_builder_ca_anchor
+
+- name: Trust Koji CA certificate
+  command: update-ca-trust extract
+  when: koji_builder_ca_anchor.changed
+  notify:
+    - restart kojid
+
+- name: Install koji-builder
+  ansible.builtin.dnf:
+    name: koji-builder
+    state: present
+
+# TODO: add FreeIPA support
+- name: Generate koji-builder principal keytab
+  ansible.builtin.include_role:
+    name: msvsphere.ci.kerberos_principal
+  vars:
+    kerberos_principal_name: "{{ koji_builder_principal }}"
+    kerberos_principal_keytab_path: "{{ koji_builder_keytab }}"
+
+- name: Configure kojid
+  community.general.ini_file:
+    path: /etc/kojid/kojid.conf
+    section: kojid
+    option: "{{ item.key }}"
+    value: "{{ item.value }}"
+  with_items:
+    - { key: 'server', value: "https://{{ koji_domain_name }}/kojihub" }
+    - { key: 'topurl', value: "https://{{ koji_domain_name }}/kojifiles" }
+    - { key: 'topdir', value: '/mnt/koji' }
+    - { key: 'workdir', value: '/tmp/koji' }
+    - { key: 'allowed_scms', value: "{{ koji_builder_git_server_url }}:/*:false:inferitpkg-get-sources,--storage-proto,{{ koji_builder_storage_proto }},--storage-url,{{ koji_builder_storage_url }}" }
+    - { key: 'krb_principal', value: "{{ koji_builder_principal }}" }
+    - { key: 'keytab', value: "{{ koji_builder_keytab }}" }
+    - { key: 'vendor', value: "{{ koji_builder_vendor }}" }
+    - { key: 'packager', value: "{{ koji_builder_packager }}" }
+    - { key: 'distribution', value: "{{ koji_builder_distribution }}" }
+    - { key: 'use_createrepo_c', value: 'True' }
+    # NOTE: this setting allows building i686 and x86_64 architectures in parallel
+    - { key: 'build_arch_can_fail', value: 'True' }
+  notify:
+    - restart kojid
+
+- name: Enable and start kojid service
+  ansible.builtin.service:
+    name: kojid
+    enabled: true
+    state: started

roles/koji_server/README.md

@@ -7,6 +7,7 @@ An Ansible role that configures a Koji server.
 | Variable | Default value | Type | Description | Required |
 | -------- | ------------- | ---- | ----------- | -------- |
 | koji_domain_name      |        | str | Koji server domain name.                 | yes |
+| koji_builders         | []     | list | Koji builders list.                     | no  |
 | koji_db_name          | "koji" | str | Koji PostgreSQL database name.           | no  |
 | koji_db_user          | "koji" | str | Koji PostgreSQL database user.           | no  |
 | koji_db_password      |        | str | Koji PostgreSQL database user password.  | yes |

roles/koji_server/defaults/main.yml

@@ -1,5 +1,6 @@
 ---
 koji_domain_name:
+koji_builders: []
 koji_db_name: koji
 koji_db_user: koji
 koji_db_password:

roles/koji_server/meta/argument_specs.yml

@@ -11,6 +11,13 @@ argument_specs:
         type: str
         required: false
 
+      koji_builders:
+        description: Koji builders list.
+        default: []
+        type: list
+        elements: str
+        version_added: '0.1.6'
+
       koji_db_user:
         description: Koji database user.
         default: koji

roles/koji_server/tasks/koji_add_host.yml

@@ -0,0 +1,20 @@
+---
+- name: Check if Koji build host is already exist
+  ansible.builtin.shell: "koji list-hosts | grep {{ koji_build_host }}"
+  ignore_errors: true
+  register: koji_list_hosts
+  changed_when: koji_list_hosts.rc != 0
+
+- name: Add Koji build host
+  ansible.builtin.command: "koji add-host {{ koji_build_host }} i386 x86_64"
+  register: koji_add_host
+  when: koji_list_hosts.rc != 0
+
+- name: Add Koji build host to createrepo channel
+  ansible.builtin.command: "koji add-host-to-channel {{ koji_build_host }} createrepo"
+  when: koji_list_hosts.rc != 0 and koji_build_host_createrepo is true
+
+# TODO: make capacity configurable
+- name: Set Koji build host capacity to 10
+  ansible.builtin.command: "koji edit-host {{ koji_build_host }} --capacity=10"
+  when: koji_list_hosts.rc != 0

roles/koji_server/tasks/main.yml

@@ -114,3 +114,21 @@
 
 - name: Install and configure kojira
   import_tasks: kojira.yml
+
+- name: Add Koji builders
+  block:
+    - name: Obtain Koji admin kerberos ticket
+      ansible.builtin.shell: "echo '{{ koji_admin_password }}' | kinit {{ koji_admin_principal }}"
+      changed_when: False
+    
+    - include: koji_add_host.yml
+      vars:
+        koji_build_host: "{{ item }}"
+        koji_build_host_createrepo: true
+      with_items: "{{ koji_builders }}"
+  always:
+    - name: Destroy Koji admin kerberos ticket
+      ansible.builtin.command: "kdestroy -p {{ koji_admin_principal }}"
+      ignore_errors: true
+      changed_when: False
+  when: koji_builders

roles/koji_server_ca/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+koji_server_ca_fqdn: