roles/koji-web: Deploy the Koji Web UI

The *koji-web* role installs and configures the Koji Web GUI front-end
for Koji. It requires Apache and mod_wsgi. A client certificate is
required for authentication to the hub, and must be placed in the
host-specific subdirectory of `certs/koji`.

roles/koji-web/tasks/main.yml

@@ -0,0 +1,64 @@
+- name: ensure packages are installed
+  package:
+    name={{ koji_web_packages|join(',') }}
+    state=present
+  tags:
+  - install
+  notify: restart httpd
+- meta: flush_handlers
+
+- name: ensure koji group exists
+  group:
+    name=koji
+    gid={{ koji_gid }}
+    state=present
+- name: ensure koji user exists
+  user:
+    name=koji
+    home={{ koji_home }}
+    createhome=no
+    group=koji
+    uid={{ koji_uid }}
+    state=present
+
+- name: ensure koji web certificate is installed
+  copy:
+    src={{ item }}
+    dest=/etc/kojiweb/{{ item|basename }}
+    mode=0440
+    owner=root
+    group=koji
+  with_fileglob:
+  - certs/koji/{{ inventory_hostname }}/kojiweb.pem
+- name: ensure koji web ca certificates are installed
+  copy:
+    src={{ item }}
+    dest=/etc/kojiweb/{{ item|basename }}
+    mode=0644
+  with_fileglob:
+  - certs/koji/{{ inventory_hostname }}/*.crt
+- name: ensure koji hub server ca certificate is trusted
+  copy:
+    src={{ item }}
+    dest=/etc/pki/ca-trust/source/anchors/koji-hub.crt
+    mode=0644
+  with_fileglob:
+  - certs/koji/{{ inventory_hostname }}/kojihubca.crt
+  notify: update ca trust
+- name: ensure koji web is configured
+  template:
+    src=web.conf.j2
+    dest=/etc/kojiweb/web.conf
+    mode=0644
+  notify: reload httpd
+
+- name: ensure apache is configured to serve koji web
+  template:
+    src=kojiweb.httpd.conf.j2
+    dest=/etc/httpd/conf.d/kojiweb.conf
+  notify: reload httpd
+- name: ensure apache is allowed to make network connections
+  seboolean:
+    name=httpd_can_network_connect
+    persistent=yes
+    state=yes