diff --git a/roles/kojira/defaults/main.yml b/roles/kojira/defaults/main.yml
new file mode 100644
index 0000000..4eb03dc
--- /dev/null
+++ b/roles/kojira/defaults/main.yml
@@ -0,0 +1,3 @@
+koji_home: /var/lib/koji
+kojihub_host: "{{ ansible_fqdn }}"
+kojihub_url: https://{{ kojihub_host }}/kojihub
diff --git a/roles/kojira/handlers/main.yml b/roles/kojira/handlers/main.yml
new file mode 100644
index 0000000..c702e00
--- /dev/null
+++ b/roles/kojira/handlers/main.yml
@@ -0,0 +1,6 @@
+- name: update ca trust
+ command: update-ca-trust
+- name: restart kojira
+ service:
+ name=kojira
+ state=restarted
diff --git a/roles/kojira/tasks/main.yml b/roles/kojira/tasks/main.yml
new file mode 100644
index 0000000..32cdd3a
--- /dev/null
+++ b/roles/kojira/tasks/main.yml
@@ -0,0 +1,49 @@
+- name: ensure packages are installed
+ package:
+ name=koji-utils
+ state=present
+ tags:
+ - install
+
+- name: ensure kojira certificate is installed
+ copy:
+ src={{ item }}
+ dest=/etc/kojira/kojira.pem
+ mode=0400
+ owner=root
+ group=root
+ with_fileglob:
+ - certs/koji/{{ inventory_hostname }}/kojira.pem
+ notify: restart kojira
+- name: ensure kojira ca certificates are installed
+ copy:
+ src={{ item }}
+ dest=/etc/kojira/{{ item|basename }}
+ mode=0644
+ with_fileglob:
+ - certs/koji/{{ inventory_hostname }}/*.crt
+- name: ensure koji hub server ca certificate is trusted
+ copy:
+ src={{ item }}
+ dest=/etc/pki/ca-trust/source/anchors/koji-hub.crt
+ mode=0644
+ with_fileglob:
+ - certs/koji/{{ inventory_hostname }}/serverca.crt
+ notify: update ca trust
+- name: ensure kojira is configured
+ template:
+ src=kojira.conf.j2
+ dest=/etc/kojira/kojira.conf
+ notify: restart kojira
+
+# TODO: It would be better if kojira did not run as root
+
+- name: ensure kojira starts at boot
+ service:
+ name=kojira
+ enabled=yes
+- meta: flush_handlers
+- name: ensure kojira is running
+ service:
+ name=kojira
+ state=started
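Review bot: The `service:` arguments of the `restart kojira` handler are written as a folded `name=kojira state=restarted` string instead of a YAML mapping, so they are parsed by Ansible's key=value splitter and are opaque to YAML linters and schema checks. The same form is used for every `package`, `copy`, `template` and `service` call in roles/kojira/tasks/main.yml. I would write them as child keys, e.g. `name: kojira` and `state: restarted` under `service:`, and when converting the tasks file quote the file modes (`mode: "0400"`) and use `enabled: true` rather than `yes`.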
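Review bot: The `ensure koji hub server ca certificate is trusted` task copies serverca.crt into /etc/pki/ca-trust/source/anchors/, which makes that CA a trust root for every TLS client on the host rather than for kojira alone. The preceding task already installs the `*.crt` files under /etc/kojira/, and kojira.conf.j2 points `serverca` at /etc/kojira/serverca.crt, so kojira itself may not need the system-wide anchor. If nothing else on the host depends on it, I would drop this task and the `update ca trust` handler; otherwise state the reason in a comment such as `# system-wide trust needed for <consumer>; kojira itself reads serverca from kojira.conf`. Separately, `with_fileglob` runs zero iterations when nothing matches, so a missing kojira.pem passes silently and would presumably only surface when kojira fails to authenticate.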
diff --git a/roles/kojira/templates/kojira.conf.j2 b/roles/kojira/templates/kojira.conf.j2
new file mode 100644
index 0000000..31f179f
--- /dev/null
+++ b/roles/kojira/templates/kojira.conf.j2
@@ -0,0 +1,54 @@
+{#- vim: set ft=jinja : -#}
+[kojira]
+; For user/pass authentication
+; user=kojira
+; password=kojira
+
+; For Kerberos authentication
+; the principal to connect with
+;principal=koji/repo@EXAMPLE.COM
+; The location of the keytab for the principal above
+;keytab=/etc/kojira.keytab
+
+; The URL for the koji hub server
+server={{ kojihub_url }}
+
+; The directory containing the repos/ directory
+topdir={{ koji_home }}
+
+; Logfile
+logfile=/var/log/kojira.log
+
+; Include srpms in repos? (not needed for normal operation)
+with_src=no
+
+;configuration for Kerberos authentication
+
+;the kerberos principal to use
+;principal = kojira@EXAMPLE.COM
+
+;location of the keytab
+;keytab = /etc/kojira/kojira.keytab
+
+;the service name of the principal being used by the hub
+;krbservice = host
+
+;configuration for SSL authentication
+
+;client certificate
+cert = /etc/kojira/kojira.pem
+
+;certificate of the CA that issued the client certificate
+ca = /etc/kojira/clientca.crt
+
+;certificate of the CA that issued the HTTP server certificate
+serverca = /etc/kojira/serverca.crt
+
+;how soon (in seconds) to clean up expired repositories. 1 week default
+;deleted_repo_lifetime = 604800
+
+;how soon (in seconds) to clean up dist repositories. 1 week default here too
+;dist_repo_lifetime = 604800
+
+;turn on debugging statements in the log
+;debug = false
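Review bot: `ca` and `serverca` are hard-coded to /etc/kojira/clientca.crt and /etc/kojira/serverca.crt, but roles/kojira/tasks/main.yml installs CA files under whatever basenames the `certs/koji/{{ inventory_hostname }}/*.crt` glob matches, so nothing in the role guarantees that these two files exist. A Jinja comment above the SSL section would document the contract, e.g. `{# clientca.crt and serverca.crt must be present in certs/koji/<inventory_hostname>/ #}`. The commented Kerberos `principal`/`keytab` examples also appear twice with different values (/etc/kojira.keytab and /etc/kojira/kojira.keytab); keeping a single stanza would avoid doubt about which keytab path is intended.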