roles/koji-gc: Deploy the Koji garbage collector

The *koji-gc* role sets up the Koji garbage collector utility to run
periodically. It uses cron for scheduling. A client certificate is
required for authentication, and must be supplied by placing it in the
`certs/koji/{{ inventory_hostname }}` directory.

roles/koji-gc/defaults/main.yml

@@ -0,0 +1,6 @@
+koji_gc_delay: 1 day
+koji_gc_grace_period: 1 week
+kojihub_host: '{{ ansible_fqdn }}'
+kojihub_url: https://{{ kojihub_host }}/kojihub
+kojiweb_hostname: '{{ kojihub_host }}'
+kojiweb_url: https://{{ kojiweb_hostname }}/koji

roles/koji-gc/files/koji-gc-cron.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+printf 'koji-gc run: %s\n' "$(date)" >> /var/log/koji-gc.log
+
+/usr/sbin/koji-gc --no-mail 2>&1 | tee -a /var/log/koji-gc.log | grep -Ei 'err|fail|warn'
+exit 0

roles/koji-gc/tasks/main.yml

@@ -0,0 +1,47 @@
+- name: ensure packages are installed
+  package:
+    name=koji-utils
+    state=present
+  tags:
+  - install
+
+- name: ensure koji-gc certificate is installed
+  copy:
+    src={{ item }}
+    dest=/etc/koji-gc/koji-gc.pem
+    mode=0400
+    owner=root
+    group=root
+  with_fileglob:
+  - certs/koji/{{ inventory_hostname }}/koji-gc.pem
+- name: ensure koji-gc ca certificates are installed
+  copy:
+    src={{ item }}
+    dest=/etc/koji-gc/{{ item|basename }}
+    mode=0644
+  with_fileglob:
+  - certs/koji/{{ inventory_hostname }}/*.crt
+- name: ensure koji hub server ca certificate is trusted
+  copy:
+    src={{ item }}
+    dest=/etc/pki/ca-trust/source/anchors/koji-hub.crt
+    mode=0644
+  with_fileglob:
+  - certs/koji/{{ inventory_hostname }}/serverca.crt
+  notify: update ca trust
+- name: ensure koji-gc is configured
+  template:
+    src=koji-gc.conf.j2
+    dest=/etc/koji-gc/koji-gc.conf
+    mode=0644
+
+- name: ensure koji-gc cron script is installed
+  copy:
+    src=koji-gc-cron.sh
+    dest=/usr/local/libexec/koji-gc-cron
+    mode=0755
+- name: ensure koji-gc is scheduled
+  template:
+    src=koji-gc.crond.j2
+    dest=/etc/cron.d/koji-gc
+    mode=0644

roles/koji-gc/templates/koji-gc.conf.j2

@@ -0,0 +1,60 @@
+#test policy file
+#earlier = higher precedence!
+
+[main]
+key_aliases =
+    30C9ECF8    fedora-test
+    4F2A6FD2    fedora-gold
+    897DA07A    redhat-beta
+    1AC70CE6    fedora-extras
+    527E5D3A    fmos-release
+
+unprotected_keys =
+    fedora-test
+    fedora-extras
+    redhat-beta
+
+delay = {{ koji_gc_delay }}
+grace_period = {{ koji_gc_grace_period }}
+
+server = {{ kojihub_url }}
+weburl = {{ kojiweb_url }}
+
+# The service name of the principal being used by the hub
+#krbservice = host
+
+cert = /etc/koji-gc/client.pem
+ca = /etc/koji-gc/clientca.crt
+serverca = /etc/koji-gc/serverca.crt
+
+# The domain name that will be appended to Koji usernames
+# when creating email notifications
+{% if koji_gc_email_domain is defined %}
+email_domain = {{ koji_gc_email_domain }}
+{% else %}
+#email_domain = fedoraproject.org
+{% endif %}
+{% if koji_gc_email_from is defined %}
+email_from = {{ koji_gc_email_from }}
+{% endif %}
+
+{# TODO: This should be configurable... #}
+[prune]
+policy =
+    #stuff to protect
+    #note that tags with master lock engaged are already protected
+    tag *-updates :: keep
+    age < 1 day :: skip
+    sig fedora-gold :: skip
+    sig fmos-release :: skip
+    sig fedora-test && age < 12 weeks :: keep
+
+    #stuff to chuck semi-rapidly
+    tag *-testing *-candidate :: {  # nested rules
+        order >= 2 :: untag
+        order > 0 && age > 6 weeks :: untag
+    }  #closing braces must be on a line by themselves (modulo comments/whitespace)
+    tag *-candidate && age > 60 weeks :: untag
+
+    #default: keep the last 3
+    order > 2 :: untag

roles/koji-gc/templates/koji-gc.crond.j2

@@ -0,0 +1,7 @@
+{% if koji_gc_notify is defined %}
+MAILTO={{ koji_gc_notify }}
+
+{% endif %}
+40 3 * * * root /usr/local/libexec/koji-gc-cron
+50 3 * * 0 root find {{ koji_home }}/scratch -mindepth 1 -not -newermt '-60 days' -delete
+55 3 * * 0 root find {{ koji_home }}/work -mindepth 1 -not -newermt '-30 days' -delete