From 1a8d7ce29a181fd74c3a66e7ded06fc64a7792a6 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 12 Aug 2018 09:58:56 -0500
Subject: [PATCH] roles/koji-gc: Deploy the Koji garbage collector
The *koji-gc* role sets up the Koji garbage collector utility to run periodically. It uses cron for scheduling. A client certificate is required for authentication, and must be supplied by placing it in the `certs/koji/{{ inventory_hostname }}` directory.
---
 roles/koji-gc/defaults/main.yml | 6 +++
 roles/koji-gc/files/koji-gc-cron.sh | 6 +++
 roles/koji-gc/tasks/main.yml | 47 +++++++++++++++++++
 roles/koji-gc/templates/koji-gc.conf.j2 | 60 ++++++++++++++++++++++++
 roles/koji-gc/templates/koji-gc.crond.j2 | 7 +++
 5 files changed, 126 insertions(+)
 create mode 100644 roles/koji-gc/defaults/main.yml
 create mode 100644 roles/koji-gc/files/koji-gc-cron.sh
 create mode 100644 roles/koji-gc/tasks/main.yml
 create mode 100644 roles/koji-gc/templates/koji-gc.conf.j2
 create mode 100644 roles/koji-gc/templates/koji-gc.crond.j2
diff --git a/roles/koji-gc/defaults/main.yml b/roles/koji-gc/defaults/main.yml
new file mode 100644
index 0000000..51a1dfe
--- /dev/null
+++ b/roles/koji-gc/defaults/main.yml
@@ -0,0 +1,6 @@
+koji_gc_delay: 1 day
+koji_gc_grace_period: 1 week
+kojihub_host: '{{ ansible_fqdn }}'
+kojihub_url: https://{{ kojihub_host }}/kojihub
+kojiweb_hostname: '{{ kojihub_host }}'
+kojiweb_url: https://{{ kojiweb_hostname }}/koji
diff --git a/roles/koji-gc/files/koji-gc-cron.sh b/roles/koji-gc/files/koji-gc-cron.sh
new file mode 100644
index 0000000..513e483
--- /dev/null
+++ b/roles/koji-gc/files/koji-gc-cron.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+printf 'koji-gc run: %s\n' "$(date)" >> /var/log/koji-gc.log
+
+/usr/sbin/koji-gc --no-mail 2>&1 | tee -a /var/log/koji-gc.log | grep -Ei 'err|fail|warn'
+exit 0
diff --git a/roles/koji-gc/tasks/main.yml b/roles/koji-gc/tasks/main.yml
new file mode 100644
index 0000000..1563253
--- /dev/null
+++ b/roles/koji-gc/tasks/main.yml
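Review bot: The script's last line `exit 0` discards the outcome of the run, and the status of the pipeline before it is grep's (1 whenever nothing matched, the normal case), so a failed koji-gc invocation (unreadable certificate, hub unreachable) never reaches cron as a non-zero exit and is noticed only if its output happens to match `err|fail|warn`. `/bin/sh` offers no `pipefail`, so capture the output and the real exit status first, then append to the log and filter, and return that status. The full output still lands in /var/log/koji-gc.log and only the filtered lines go to stdout for cron's MAILTO, as before.
```shell
printf 'koji-gc run: %s\n' "$(date)" >> /var/log/koji-gc.log

out=$(/usr/sbin/koji-gc --no-mail 2>&1)
rc=$?
printf '%s\n' "$out" >> /var/log/koji-gc.log
printf '%s\n' "$out" | grep -Ei 'err|fail|warn'
exit "$rc"
```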
@@ -0,0 +1,47 @@
+- name: ensure packages are installed
+ package:
+ name=koji-utils
+ state=present
+ tags:
+ - install
+
+- name: ensure koji-gc certificate is installed
+ copy:
+ src={{ item }}
+ dest=/etc/koji-gc/koji-gc.pem
+ mode=0400
+ owner=root
+ group=root
+ with_fileglob:
+ - certs/koji/{{ inventory_hostname }}/koji-gc.pem
+- name: ensure koji-gc ca certificates are installed
+ copy:
+ src={{ item }}
+ dest=/etc/koji-gc/{{ item|basename }}
+ mode=0644
+ with_fileglob:
+ - certs/koji/{{ inventory_hostname }}/*.crt
+- name: ensure koji hub server ca certificate is trusted
+ copy:
+ src={{ item }}
+ dest=/etc/pki/ca-trust/source/anchors/koji-hub.crt
+ mode=0644
+ with_fileglob:
+ - certs/koji/{{ inventory_hostname }}/serverca.crt
+ notify: update ca trust
+- name: ensure koji-gc is configured
+ template:
+ src=koji-gc.conf.j2
+ dest=/etc/koji-gc/koji-gc.conf
+ mode=0644
+
+- name: ensure koji-gc cron script is installed
+ copy:
+ src=koji-gc-cron.sh
+ dest=/usr/local/libexec/koji-gc-cron
+ mode=0755
+- name: ensure koji-gc is scheduled
+ template:
+ src=koji-gc.crond.j2
+ dest=/etc/cron.d/koji-gc
+ mode=0644
diff --git a/roles/koji-gc/templates/koji-gc.conf.j2 b/roles/koji-gc/templates/koji-gc.conf.j2
new file mode 100644
index 0000000..928fda5
--- /dev/null
+++ b/roles/koji-gc/templates/koji-gc.conf.j2
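Review bot: The client certificate is installed as `/etc/koji-gc/koji-gc.pem` (the `dest=` of "ensure koji-gc certificate is installed"), but the rendered config in roles/koji-gc/templates/koji-gc.conf.j2 sets `cert = /etc/koji-gc/client.pem`, so koji-gc will never find the key this task just deployed and every scheduled run will fail to authenticate; one of the two paths has to change, e.g. `dest=/etc/koji-gc/client.pem`. The third task notifies `update ca trust`, and this commit adds no handlers file, so the play errors out unless that handler is defined by another role in the same play. With `with_fileglob`, a missing or misnamed `koji-gc.pem` or `serverca.crt` under `certs/koji/{{ inventory_hostname }}` makes the copy a silent no-op rather than a failure, so a preceding `stat`/`assert` on the controller, or a `failed_when` on zero matches, would surface a bad certificate layout at deploy time instead of at the first cron run.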
@@ -0,0 +1,60 @@
+#test policy file
+#earlier = higher precedence!
+
+[main]
+key_aliases =
+ 30C9ECF8 fedora-test
+ 4F2A6FD2 fedora-gold
+ 897DA07A redhat-beta
+ 1AC70CE6 fedora-extras
+ 527E5D3A fmos-release
+
+unprotected_keys =
+ fedora-test
+ fedora-extras
+ redhat-beta
+
+delay = {{ koji_gc_delay }}
+grace_period = {{ koji_gc_grace_period }}
+
+server = {{ kojihub_url }}
+weburl = {{ kojiweb_url }}
+
+# The service name of the principal being used by the hub
+#krbservice = host
+
+cert = /etc/koji-gc/client.pem
+ca = /etc/koji-gc/clientca.crt
+serverca = /etc/koji-gc/serverca.crt
+
+# The domain name that will be appended to Koji usernames
+# when creating email notifications
+{% if koji_gc_email_domain is defined %}
+email_domain = {{ koji_gc_email_domain }}
+{% else %}
+#email_domain = fedoraproject.org
+{% endif %}
+{% if koji_gc_email_from is defined %}
+email_from = {{ koji_gc_email_from }}
+{% endif %}
+
+{# TODO: This should be configurable... #}
+[prune]
+policy =
+ #stuff to protect
+ #note that tags with master lock engaged are already protected
+ tag *-updates :: keep
+ age < 1 day :: skip
+ sig fedora-gold :: skip
+ sig fmos-release :: skip
+ sig fedora-test && age < 12 weeks :: keep
+
+ #stuff to chuck semi-rapidly
+ tag *-testing *-candidate :: { # nested rules
+ order >= 2 :: untag
+ order > 0 && age > 6 weeks :: untag
+ } #closing braces must be on a line by themselves (modulo comments/whitespace)
+ tag *-candidate && age > 60 weeks :: untag
+
+ #default: keep the last 3
+ order > 2 :: untag
diff --git a/roles/koji-gc/templates/koji-gc.crond.j2 b/roles/koji-gc/templates/koji-gc.crond.j2
new file mode 100644
index 0000000..0374d7d
--- /dev/null
+++ b/roles/koji-gc/templates/koji-gc.crond.j2
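Review bot: The header `#test policy file` and the `key_aliases`/`unprotected_keys` blocks are the upstream sample values (Fedora key IDs such as `30C9ECF8 fedora-test`), and because `unprotected_keys` together with the `sig … :: skip` rules in `[prune]` decide which signed builds koji-gc may untag and eventually delete, keeping them hard-coded in a production template means a hub that signs with a different key either never collects anything or loses builds it meant to protect; the `{# TODO #}` before `[prune]` acknowledges this for the policy only. Drive at least the key lists from role variables (for example a suggested `koji_gc_key_aliases` and `koji_gc_unprotected_keys`, defaulting to today's values) and replace the first two lines with `# koji-gc configuration, managed by Ansible (roles/koji-gc)` and `# rule order matters: earlier rules take precedence`. Also, `ca` and `serverca` require `clientca.crt` and `serverca.crt` from the same `certs/koji/{{ inventory_hostname }}` directory, which the commit message mentions only for the client certificate; naming those files in the header comment would spare the next operator a failed first run.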
@@ -0,0 +1,7 @@
+{% if koji_gc_notify is defined %}
+MAILTO={{ koji_gc_notify }}
+
+{% endif %}
+40 3 * * * root /usr/local/libexec/koji-gc-cron
+50 3 * * 0 root find {{ koji_home }}/scratch -mindepth 1 -not -newermt '-60 days' -delete
+55 3 * * 0 root find {{ koji_home }}/work -mindepth 1 -not -newermt '-30 days' -delete
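Review bot: `{{ koji_home }}` on the two `find` lines is not among the variables roles/koji-gc/defaults/main.yml defines, so the template task fails with an undefined-variable error unless the value arrives from another role or inventory; either add `koji_home` to this role's defaults or document it as a required input. Since `-delete` implies `-depth`, an old directory under `{{ koji_home }}/scratch` that still holds a newer file cannot be removed and find reports it on stderr every Sunday, which with MAILTO set becomes recurring cron mail; restricting to `-type f` (with a separate `-type d -empty -delete` pass if empty directories should go too) avoids that. Both entries run as root with `-delete` on a templated path, so a guard such as `{% if koji_home %}` around them, or an `assert` in the tasks, is worth having so that an empty value can never expand to `find /scratch … -delete`.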