-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathmain.yml
257 lines (218 loc) · 10.3 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
# Default variables for kojihub role
# Which koji version (RPM / ENVR style) we want to deploy (cherry-picking version from repository and not `latest`)
koji_version: 1.34.0-3
# Do we need to use specific repo to deploy newer/specific koji pkgs
kojid_kojihub_repo: False
kojid_kojihub_repo_url: http://internal.repo.org/builder/$basearch/
kojid_kojihub_repo_gpgcheck: False
kojid_kojihub_repo_gpgkey: RPM-GPG-KEY-CentOS-Infra
# Database settings
# Remote postgresql host - used for delegated task for db creation and internal config
koji_db_remote: False
koji_db_host: psql.dev.centos.org
# DB settings
koji_db_name: koji
koji_db_user: koji
koji_db_pass: MySQLSuckS
# kojihub/web settings
koji_sitename: CentOS Community Build Service
koji_custom_theme: True
koji_theme: centos
koji_theme_file: koji-theme-centos.tar.gz
koji_web_greeting: 'Welcome to Koji Web'
koji_hub_url: https://koji.centos.org/kojihub
koji_web_url: https://koji.centos.org/koji
koji_files_url: https://koji.centos.org/kojifiles
koji_hub_secret: aoYvNQPWTb7BieCco1iljBqym # Don't forget to change this before deployment
# Do we want to automatically create users in koji db on succesfull auth (tls or kerberos)
# If not, you have to use a sync tool and group memberships, like fas or fasjson - see below)
koji_create_users: False
# TLS settings for crl
# Where to retrieve the updated CRL file
koji_hub_tls_crl_url: https://accounts.centos.org/ca/crl.pem
# For https frontend so needed despite using kerberos (or not) auth, see below
koji_web_cacert: koji.centos.org-CAChain.crt
koji_web_tls_key: koji.centos.org.key
koji_web_tls_cert: koji.centos.org.crt
# some httpd snipped to eventually inject into httpd vhost
# Nothing defined by default but can be defined like this:
# koji_web_httpd_snippet: |
# <If "-n %{HTTP:X-Forwarded-For}" >
# AddOutputFilterByType INFLATE;SUBSTITUTE;DEFLATE text/html
# Substitute "s|replace_internal_name|public_hostname|in"
# </If>
# Authentication TLS vs Kerberos
# Set *one* of the koji_auth_tls *or* koji_auth_kerberos boolean to True and so declare needed variables
# TLS auth
koji_auth_tls: True
koji_tls_proxydn: C=NA, ST=NA, O=The CentOS Project, CN=kojihub.cbs.centos.org/[email protected]
# Our CA for tls auth
koji_hub_cacert: fas_ca_cert-prod.crt
koji_hub_tls_key: kojihub.centos.org.key
koji_hub_tls_cert: kojihub.centos.org.crt
# Kerberos Auth
koji_auth_kerberos: False
koji_auth_principal: HTTP/[email protected]
koji_auth_keytab: HTTP-stream-hub.dev.centos.org.keytab
koji_auth_proxyprincipals: HTTP/[email protected]
# This is the default REALM used between koji components. For other allowed REALMS, see next one
koji_auth_realm: DEV.CENTOS.ORG
# By default we'll only use the same REALM but you can have multiple ones, separated by comma but then read info below
koji_auth_allowed_realms: DEV.CENTOS.ORG
# for koji web
koji_auth_webprincipal: HTTP/[email protected]
koji_auth_webkeytab: HTTP-stream-hub.dev.centos.org.keytab
# Important settings WRT multiple allowed REALMS (koji_auth_realm var, separated by ',')
# If we allow multiple REALMs we need local krb5.conf to map realms
# And also enable https://github.com/gssapi/mod_auth_gssapi#gssapilocalname
# Let's so default to false
# IT enabled that will import krb5-client role so don't forget to also setup your variables for that role !
koji_auth_gssapi_localname: False
# File that will be distributed and in {{ filestore }}/koji repo
# Do we want to push a config file (probably reviewed elsewhere than ansible inventory)
# Important: it will run under koji_admin_client (see below) account so should be configured/enabled too
kojihub_policy_file: True
kojihub_policy_filename: policy.conf
# Do we want to run koji-gc (Garbage Collector - see https://docs.pagure.org/koji/utils/#garbage-collector )
# If true, which static (non .j2 template) file to distribute from {{ filestore }}/koji
# Easier to have a single static file to review online (gitlab/github)
kojihub_gc_enabled: False
kojihub_gc_file: koji-gc.conf
# We can define which koji_gc actions to trigger (see koji doc above)
# example for all
# kojihub_gc_actions:
# - prune
# - delete
# - trash
# - salvage
kojihub_gc_actions: [ ]
# Other cli options we want to use like `--test` to just dry-run koji-gc eventuall
kojihub_gc_options: ''
# Do we want to also run kojira
# In case of TLS auth it needs a .pem file and in case of kerberos auth, a keytab
koji_kojira: True
koji_kojira_user: kojira
koji_kojira_tls_pem: kojira.pem # CN has to match with koji_kojira_user defined
# if kerberos
koji_kojira_principal: koji/[email protected]
koji_kojira_keytab: kojira.keytab # Needed only if koji_auth_kerberos above
# do we want to ignore some specific tags in kojira ?
koji_kojira_ignore_tags: False
# just one string, glob separated by space
koji_kojira_ignored_tags: '*el6* *el5*'
# Kojira can delete deleted and dist repo automatically
# default values:
kojira_delete_repo_lifetime: '172800'
kojira_dist_repo_lifetime: '172800'
# Do we want to have kojira checking for external repositories ?
# If True it will automatically kick regen-repo when upstream repos are updated
koji_kojira_check_external_repos: False
# Do we want also to clean-up side-tags ?
koji_kojira_sidetag_cleanup: False
# how many days to keep sidetags before removing/deleting ?
koji_kojira_sidetag_cleanup_delay: '90' # in days
# Do we want to regen-repo on regular basis/cron
koji_regen_repo_cron: False
koji_regen_repo_hour: '*'
koji_regen_repo_min: '*/2'
# Do we want to also run mash
koji_mash: False
# Storage settings
# We'll start with just one main volume but we'll add other options below for multi-volumes koji
koji_nfs_mount: True
koji_mountpoint: /mnt/kojishare
koji_nfs_path: nfs-host.domain.com:/exports/kojishare
koji_mnt_symlink_workaround: True
# Koji multiple volumes setup (see https://docs.pagure.org/koji/volumes/)
# Do we need other NFS volumes to be mounted ? and if so nfs path and dest (should be mounted *everywhere*)
koji_nfs_mount_multi: False
# If True, where do we mount these
koji_nfs_additional_mountpoints:
- src: nfs-host.domain.com:/exports/koji-vol-1
dest: /mnt/kojishare/koji/vol/vol1
- src: nfs-host2.domain.com:/exports/koji-vol-2
dest: /mnt/kojishare/koji/vol/vol2
# Storage clean-up tasks
# Do we want to prune old scratch/work jobs and what's the retention in days
koji_prune_scratch_jobs: False
koji_prune_scratch_jobs_retention: '7'
koji_prune_work_jobs_retention: '7'
# Do we want to grant permissions based on group membership from FAS/ACO
koji_fas_sync: True
# Where to gather users/group membership from
koji_fas_url: https://accounts.centos.org
koji_fas_user:
koji_fas_pass:
# Instead of using legacy FAS, do we want to use IPA/FASJSON to sync group memberships ?
# It will require also a service keytab to auth against fasjson url endpoint
koji_fasjson_sync: False
koji_fasjson_url: https://fasjson.stg.fedoraproject.org
koji_fasjson_keytab: # keytab file distributed by this role
# Do we need some SIGs default configs for CBS ?
# This will also import all cbs scripts/snippet specific for some cbs.c.o operations
koji_cbs_sigs_config: False
# IF cbs content, do we want to also sync external repo
# like centos 9 stream buildroot or epel
koji_cbs_reposync: False
# If we sync from fas/ipa, which sig-<name> do we want to eventually exclude for koji perms
koji_fas_excluded_groups:
- hpv
- webdev
# For the sync, which are our local koji system users (for koji and kojira)
# They'll not be checked for the fas_perms_to_koji perms script (not coming from IPA/FAS)
koji_system_users:
- koji
- kojira
# Do we need a local admin user on the hub itself ?
# In case of TLS auth it needs a .pem file and in case of kerberos auth, a keytab
koji_admin_client: True
koji_admin_user: admin
koji_admin_pem: admin.pem
# If using kerberos
koji_admin_principal: [email protected]
koji_admin_keytab: koji-admin.keytab # Needed only if koji_auth_kerberos above and vice/versa with TLS
# Kojihub plugins
# Worth knowing that this role supports following plugins:
# - centmsg # sending to MQTT message broker, already in use in centos infra
# - fedmsg-koji-plugin # sending to fedora-messaging/rabbitmq, only for specific builders
# - sidetag_hub # from koji plugins, so nothing to copy/import
# - runroot_hub # from koji plugins, so nothing to copy/import
# - save_failed_tree # from koji plugins, so nothing to copy/import
# Each plugin can have its own config, see below
# As we'll copy a conf for each, at least ensure there is (even empty) one under templates/koji-hub/plugins/{{ item }}.conf.j2 - see for example runroot_hub.conf.j2
# Do we want to enable plugins on Hub ?
koji_hub_plugins: True
# Custom plugins we'll copy from ansible roles, like centmsg, fedmsg-koji-plugin, not koji built-in plugins
koji_hub_install_plugins: []
# Plugins to enable, so can be a mix of built-in plugins and from koji_hub_install_plugins
# For each plugin, there is a .conf.j2 template (empty if no config required) that will be deployed by ansible
# Supported plugins : centmsg, fedmsg-koji-plugin, fedora-messaging, runroot_hub, sidetag_hub, kiwi
koji_hub_plugins_list: []
# Now the plugins settings, if needed/defined
# centmsg / mqtt
koji_hub_plugin_mqtt_host: mqtt.dev.centos.org
koji_hub_plugin_mqtt_topic: koji
koji_hub_plugin_mqtt_excluded_tags:
- sclo-testing-tag
# fedmsg-koji-plugin
koji_hub_plugin_fedmsg_tls_ca:
koji_hub_plugin_fedmsg_tls_cert:
koji_hub_plugin_fedmsg_tls_key:
koji_hub_plugin_fedmsg_topic:
koji_hub_plugin_fedmsg_amqp_url: "amqps://koji.prod:@rabbitmq.prod.fedoraproject.org/%2Fpubsub"
# protonmsg plugin
koji_hub_plugin_protonmsg_url: amqps://broker1.domaine.com:5671
koji_hub_plugin_protonmsg_cert: my-amqp-cert.crt
koji_hub_plugin_protonmsg_ca: my-amqp-ca.crt
koji_hub_plugin_protonmsg_topic_prefix: VirtualTopic.topic
koji_hub_plugin_protonmsg_queue_enabled: true
# Zabbix/monitoring part
kojihub_zabbix_templates:
- Template CentOS Koji Hub
- Template CentOS http server
- Template CentOS - https SSL Cert Check External
kojihub_zabbix_groups:
- CentOS CBS koji hosts
# Making koji offline for maintainance purposes
koji_hub_offline: False
koji_hub_outage_message: "Maintenance: Koji is currently going through maintainance, please check #centos-devel for more info"