#20 move hardcoded domain to variable

README.rst

@@ -27,26 +27,52 @@ SSL configuration
     * ``/etc/pki/koji/koji-ca.key``
 
   The Apache web server HTTPS keypair (signed by koji-ca above):
-    * ``/etc/pki/koji/kojidev.example.com.chain.crt``
-    * ``/etc/pki/koji/kojidev.example.com.key``
+    * ``/etc/pki/koji/kojidev.<domain>.chain.crt``
+    * ``/etc/pki/koji/kojidev.<domain>.key``
 
   For GSSAPI (Kerberos) authentication, these are the only SSL certs you will
   need.
 
   The koji-hub role publishes the Koji CA at the following URL:
-  https://kojidev.example.com/kojifiles/koji-ca.crt . External Koji clients
+  https://kojidev.<domain>/kojifiles/koji-ca.crt . External Koji clients
   can download this file to verify the HTTPS connections.
 
-Hard-coded things
------------------
+Configure deploy
+----------------
+
+Prepare
+
+- Disable selinux
+- Disable firewalld
+- Install python3 package on the destination system.
+- Copy SSH public key
+
+KOJI Domain
+
+Domain can be configured in `setup-koji.yml` with variable `KOJI_DOMAIN`.domain
+For example,
+
+.. code-block:: yaml
+  vars:
+    KOJI_DOMAIN: stackwebservices.com
+
+The main username
+
+The main username is specified in `setup-koji.yml` file:
+
+For example,
 
-This is a santized code drop from a set of internal playbooks, so several
-things are currently hard-coded:
+.. code-block:: yaml
+  vars:
+    KOJI_USER: ktdreyer
+    KRB_PASSWORD: test
 
-* The hostname is hardcoded in several places as "kojidev.example.com".
 
-* The main username is hardcoded in several places as "kdreyer".
+Inventory
 
+```
+cp inventory.ini.tpl inventory.ini
+```
 
 Roles
 -----

inventory.ini.tpl

@@ -0,0 +1 @@
+koji.example.com ansible_host=192.168.1.111 ansible_user=root ansible_port=22 ansible_python_interpreter=python3

roles/activemq/tasks/main.yml

@@ -43,8 +43,8 @@
     - restart activemq
 
 - name: install activemq systemd config file
-  copy:
-    src: files/activemq.sysconfig
+  template:
+    src: templates/activemq.sysconfig
     dest: /etc/sysconfig/activemq
     owner: root
     group: root
@@ -64,10 +64,10 @@
 
 - name: combine activemq server cert into a pkcs12 file
   openssl_pkcs12:
-    path: /opt/activemq/kojidev.example.com.pkcs12
+    path: "/opt/activemq/kojidev.{{ KOJI_DOMAIN }}.pkcs12"
     friendly_name: koji
-    privatekey_path: /etc/pki/koji/kojidev.example.com.key
-    certificate_path: /etc/pki/koji/kojidev.example.com.crt
+    privatekey_path: "/etc/pki/koji/kojidev.{{ KOJI_DOMAIN }}.key"
+    certificate_path: "/etc/pki/koji/kojidev.{{ KOJI_DOMAIN }}.crt"
     other_certificates: /etc/pki/koji/koji-ca.crt
     passphrase: kojipass
     owner: activemq

roles/activemq/templates/activemq.sysconfig

@@ -0,0 +1 @@
+ACTIVEMQ_SSL_OPTS="-Djavax.net.debug=ssl,keymanager -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStore=/opt/activemq/kojidev.{{ KOJI_DOMAIN }}.pkcs12 -Djavax.net.ssl.keyStorePassword=kojipass -Djavax.net.ssl.trustStore=/opt/activemq/koji-ca.ks -Djavax.net.ssl.trustStorePassword=kojipass"

roles/kdc/library/krb_principal.py

@@ -59,7 +59,7 @@
 
 def kadmin(query):
     """ Call "kadmin.local -q" with this query. """
-    cmd = ('/usr/sbin/kadmin.local', '-q', query)
+    cmd = tuple(['/usr/sbin/kadmin.local']) + tuple(query.split())
     output = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
     if PY2:
         return output

roles/kdc/tasks/kdcproxy.yml

@@ -1,19 +1,19 @@
-- name: set python values for el7
-  set_fact:
-    # No "python3" package name prefix.
-    python_kdcproxy: python-kdcproxy
-    # See /usr/lib/rpm/macros.d/macros.python2 for %python2_sitelib
-    python_sitelib: /usr/lib/python2.7/site-packages
-    mod_wsgi: mod_wsgi
-  when: ansible_os_family == "RedHat" and ansible_distribution_major_version|int == 7
+# - name: set python values for el7
+#   set_fact:
+#     # No "python3" package name prefix.
+#     python_kdcproxy: python-kdcproxy
+#     # See /usr/lib/rpm/macros.d/macros.python2 for %python2_sitelib
+#     python_sitelib: /usr/lib/python2.7/site-packages
+#     mod_wsgi: mod_wsgi
+#   when: ansible_os_family == "RedHat" and ansible_distribution_major_version|int == 7
 
-- name: Add yum repository to work around rhbz1827758 for el8
-  yum_repository:
-    name: bz1827758
-    description: work around rhbz1827758
-    baseurl: https://fedorapeople.org/~ktdreyer/bz1827758/
-    gpgcheck: false
-  when: ansible_os_family == "RedHat" and ansible_distribution_major_version|int == 8
+# - name: Add yum repository to work around rhbz1827758 for el8
+#   yum_repository:
+#     name: bz1827758
+#     description: work around rhbz1827758
+#     baseurl: https://fedorapeople.org/~ktdreyer/bz1827758/
+#     gpgcheck: false
+#   when: ansible_os_family == "RedHat" and ansible_distribution_major_version|int == 8
 
 - name: Install kdcproxy packages
   package:

roles/kdc/tasks/main.yml

@@ -4,7 +4,7 @@
     content: |
       127.0.0.1   localhost
       ::1         localhost
-      127.0.0.1   kojidev.example.com
+      127.0.0.1   kojidev.{{ KOJI_DOMAIN }}
     mode: "0644"
   when:
     - ansible_virtualization_type | default('') not in ['docker', 'podman', 'container', 'containerd']
@@ -19,8 +19,8 @@
     state: present
 
 - name: copy /etc/krb5.conf
-  copy:
-    src: files/krb5.conf
+  template:
+    src: krb5.conf
     dest: /etc/krb5.conf
     owner: root
     group: root
@@ -29,8 +29,8 @@
     - restart krb5kdc
 
 - name: copy /var/kerberos/krb5kdc/kdc.conf
-  copy:
-    src: files/kdc.conf
+  template:
+    src: kdc.conf
     dest: /var/kerberos/krb5kdc/kdc.conf
     owner: root
     group: root
@@ -45,12 +45,12 @@
     group: root
     mode: "0600"
     content: |
-      */admin@KOJIDEV.EXAMPLE.COM *
+      */admin@KOJIDEV.{{ KOJI_DOMAIN | upper }} *
   notify:
     - restart krb5kdc
 
 - name: initialize KDC DB
-  command: /usr/sbin/kdb5_util create -s -P test
+  command: /usr/sbin/kdb5_util create -s -P {{ KRB_PASSWORD }}
   args:
     creates: /var/kerberos/krb5kdc/principal.ok
   notify:
@@ -73,10 +73,11 @@
     name: "{{ item }}"
     keytab: "/var/local/{{ item | replace ('/', '.') }}.keytab"
   with_items:
-    - kdreyer
+    - "{{ KOJI_USER }}"
+    - builder
     - rcm/debbuild
-    - HTTP/kojidev.example.com
-    - compile/kojidev.example.com
+    - "HTTP/kojidev.{{ KOJI_DOMAIN }}"
+    - "compile/kojidev.{{ KOJI_DOMAIN }}"
     - koji/kojiweb
     - koji/kojira
     - koji/garbagecollector

roles/kdc/files/kdc.conf → roles/kdc/templates/kdc.conf

@@ -3,7 +3,7 @@
  kdc_tcp_ports = 88
 
 [realms]
- KOJIDEV.EXAMPLE.COM = {
+ KOJIDEV.{{ KOJI_DOMAIN | upper }} = {
   #master_key_type = aes256-cts
   acl_file = /var/kerberos/krb5kdc/kadm5.acl
   dict_file = /usr/share/dict/words

roles/kdc/files/krb5.conf → roles/kdc/templates/krb5.conf

@@ -13,12 +13,12 @@ includedir /etc/krb5.conf.d/
  forwardable = true
  rdns = false
  pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
- default_realm = KOJIDEV.EXAMPLE.COM
+ default_realm = KOJIDEV.{{ KOJI_DOMAIN | upper }}
 
 [realms]
- KOJIDEV.EXAMPLE.COM = {
-  kdc = kojidev.example.com
-  admin_server = kojidev.example.com
+ KOJIDEV.{{ KOJI_DOMAIN | upper }} = {
+  kdc = kojidev.{{ KOJI_DOMAIN | lower }}
+  admin_server = kojidev.{{ KOJI_DOMAIN | lower }}
  }
 
 [domain_realm]

roles/kdc/vars/main.yml

@@ -1,3 +1,3 @@
 python_kdcproxy: python3-kdcproxy
-python_sitelib: /usr/lib/python3.6/site-packages
+python_sitelib: /usr/lib/python3.9/site-packages
 mod_wsgi: python3-mod_wsgi

roles/koji-builder/tasks/main.yml

@@ -22,8 +22,8 @@
     state: present
 
 - name: copy /etc/kojid/kojid.conf
-  copy:
-    src: files/kojid.conf
+  template:
+    src: kojid.conf
     dest: /etc/kojid/kojid.conf
     owner: root
     group: root

roles/koji-builder/files/kojid.conf → roles/koji-builder/templates/kojid.conf

@@ -44,12 +44,12 @@
 ; oz_install_timeout=7200
 
 ; The URL for the xmlrpc server
-server=https://kojidev.example.com/kojihub
+server=https://kojidev.{{ KOJI_DOMAIN }}/kojihub
 
 ; The URL for the file access
 ; Cannot use https with our custom CA here yet, see
 ; https://github.com/rpm-software-management/mock/issues/588
-topurl=http://kojidev.example.com/kojifiles
+topurl=http://kojidev.{{ KOJI_DOMAIN }}/kojifiles
 
 ; use createrepo_c rather than createrepo
 ; use_createrepo_c=False
@@ -73,6 +73,10 @@ allowed_scms=
   !src.fedoraproject.org:/pagure/fork/*
   !src.fedoraproject.org:/pagure/forks/*
   src.fedoraproject.org:/*:false:fedpkg,sources
+  src.fedoraproject.org:/rpms/*:no
+  git.rockylinux.org:/*:no
+
+;  !git.rockylinux.org:/staging/rpms/*:false:make,sources
 
 ; The mail host to use for sending email notifications
 ;smtphost=example.com
@@ -92,11 +96,11 @@ allowed_scms=
 ; control.
 ; You can override the (imho broken) auto-discovery by setting krb_principal
 ; directly here:
-krb_principal = compile/kojidev.example.com@KOJIDEV.EXAMPLE.COM
+krb_principal = compile/kojidev.{{ KOJI_DOMAIN }}@KOJIDEV.{{ KOJI_DOMAIN | upper }}
 
 ;location of the keytab
 ;keytab = /etc/kojid/kojid.keytab
-keytab = /var/local/compile.kojidev.example.com.keytab
+keytab = /var/local/compile.kojidev.{{ KOJI_DOMAIN }}.keytab
 
 ;the service name of the principal being used by the hub
 ;krbservice = host

roles/koji-client/tasks/main.yml

@@ -1,5 +1,11 @@
 # Set up the client for authentication
 
+- name: Install epel repository required by koji
+  package:
+    name:
+      - epel-release
+    state: present
+
 - name: Install Koji client packages
   package:
     name:
@@ -8,8 +14,8 @@
     state: present
 
 - name: copy koji client profile configuration
-  copy:
-    src: files/kojidev.conf
+  template:
+    src: templates/kojidev.conf
     dest: /etc/koji.conf.d/kojidev.conf
     owner: root
     group: root
@@ -42,13 +48,13 @@
     mode: "0700"
     owner: "{{ unprivileged_user }}"
 
-- name: symlink kdreyer.keytab for unprivileged user
+- name: symlink {{ KOJI_USER }}.keytab for unprivileged user
   file:
-    src: /var/local/kdreyer.keytab
+    src: "/var/local/{{ KOJI_USER }}.keytab"
     dest: "/var/kerberos/krb5/user/{{ unprivileged_uid }}/client.keytab"
     state: link
 
 - name: make keytab readable by unprivileged user
   file:
-    path: /var/local/kdreyer.keytab
+    path: "/var/local/{{ KOJI_USER }}.keytab"
     owner: "{{ unprivileged_user }}"

roles/koji-client/files/kojidev.conf → roles/koji-client/templates/kojidev.conf

@@ -1,9 +1,9 @@
 [kojidev]
-server = https://kojidev.example.com/kojihub
+server = https://kojidev.{{ KOJI_DOMAIN }}/kojihub
 authtype = kerberos
 topdir = /mnt/koji
-weburl = https://kojidev.example.com/koji
-topurl = https://kojidev.example.com/kojifiles
+weburl = https://kojidev.{{ KOJI_DOMAIN }}/koji
+topurl = https://kojidev.{{ KOJI_DOMAIN }}/kojifiles
 
 # soon to be optional? see https://pagure.io/koji/pull-request/1194
 serverca = /etc/pki/koji/koji-ca.crt

roles/koji-gc/tasks/main.yml

@@ -4,8 +4,8 @@
     state: present
 
 - name: copy /etc/koji-gc/koji-gc.conf
-  copy:
-    src: files/koji-gc.conf
+  template:
+    src: templates/koji-gc.conf
     dest: /etc/koji-gc/koji-gc.conf
     owner: root
     group: root

roles/koji-gc/files/koji-gc.conf → roles/koji-gc/templates/koji-gc.conf

@@ -13,8 +13,8 @@ unprotected_keys =
     fedora-extras
     redhat-beta
 
-server = https://kojidev.example.com/kojihub
-weburl = https://kojidev.example.com/koji
+server = https://kojidev.{{ KOJI_DOMAIN }}/kojihub
+weburl = https://kojidev.{{ KOJI_DOMAIN }}/koji
 
 keytab = /var/local/koji.garbagecollector.keytab