roles/kojira: Deploy the Koji repository agent

The *kojira* role sets up the Koji repository agent to manage
repository metadata for build tags. It runs as a daemon, usually on the
same machine as the Koji hub. A client certificate is required for
authentication, and must be supplied by placing it in the
`certs/koji/{{ inventory_hostname }}` directory.

roles/kojira/defaults/main.yml

@@ -0,0 +1,3 @@
+koji_home: /var/lib/koji
+kojihub_host: "{{ ansible_fqdn }}"
+kojihub_url: https://{{ kojihub_host }}/kojihub

roles/kojira/handlers/main.yml

@@ -0,0 +1,6 @@
+- name: update ca trust
+  command: update-ca-trust
+- name: restart kojira
+  service:
+    name=kojira
+    state=restarted

roles/kojira/tasks/main.yml

@@ -0,0 +1,49 @@
+- name: ensure packages are installed
+  package:
+    name=koji-utils
+    state=present
+  tags:
+  - install
+
+- name: ensure kojira certificate is installed
+  copy:
+    src={{ item }}
+    dest=/etc/kojira/kojira.pem
+    mode=0400
+    owner=root
+    group=root
+  with_fileglob:
+  - certs/koji/{{ inventory_hostname }}/kojira.pem
+  notify: restart kojira
+- name: ensure kojira ca certificates are installed
+  copy:
+    src={{ item }}
+    dest=/etc/kojira/{{ item|basename }}
+    mode=0644
+  with_fileglob:
+  - certs/koji/{{ inventory_hostname }}/*.crt
+- name: ensure koji hub server ca certificate is trusted
+  copy:
+    src={{ item }}
+    dest=/etc/pki/ca-trust/source/anchors/koji-hub.crt
+    mode=0644
+  with_fileglob:
+  - certs/koji/{{ inventory_hostname }}/serverca.crt
+  notify: update ca trust
+- name: ensure kojira is configured
+  template:
+    src=kojira.conf.j2
+    dest=/etc/kojira/kojira.conf
+  notify: restart kojira
+
+# TODO: It would be better if kojira did not run as root
+
+- name: ensure kojira starts at boot
+  service:
+    name=kojira
+    enabled=yes
+- meta: flush_handlers
+- name: ensure kojira is running
+  service:
+    name=kojira
+    state=started

roles/kojira/templates/kojira.conf.j2

@@ -0,0 +1,54 @@
+{#- vim: set ft=jinja : -#}
+[kojira]
+; For user/pass authentication
+; user=kojira
+; password=kojira
+
+; For Kerberos authentication
+; the principal to connect with
+;principal=koji/repo@EXAMPLE.COM
+; The location of the keytab for the principal above
+;keytab=/etc/kojira.keytab
+
+; The URL for the koji hub server
+server={{ kojihub_url }}
+
+; The directory containing the repos/ directory
+topdir={{ koji_home }}
+
+; Logfile
+logfile=/var/log/kojira.log
+
+; Include srpms in repos? (not needed for normal operation)
+with_src=no
+
+;configuration for Kerberos authentication
+
+;the kerberos principal to use
+;principal = kojira@EXAMPLE.COM
+
+;location of the keytab
+;keytab = /etc/kojira/kojira.keytab
+
+;the service name of the principal being used by the hub
+;krbservice = host
+
+;configuration for SSL authentication
+
+;client certificate
+cert = /etc/kojira/kojira.pem
+
+;certificate of the CA that issued the client certificate
+ca = /etc/kojira/clientca.crt
+
+;certificate of the CA that issued the HTTP server certificate
+serverca = /etc/kojira/serverca.crt
+
+;how soon (in seconds) to clean up expired repositories. 1 week default
+;deleted_repo_lifetime = 604800
+
+;how soon (in seconds) to clean up dist repositories. 1 week default here too
+;dist_repo_lifetime = 604800
+
+;turn on debugging statements in the log
+;debug = false