ansible/lava: Add role for lava server
authorKienan Stewart <kstewart@efficios.com>
Wed, 24 May 2023 17:51:47 +0000 (13:51 -0400)
committerKienan Stewart <kstewart@efficios.com>
Wed, 24 May 2023 18:46:28 +0000 (14:46 -0400)
Change-Id: I11cbf0ab6e78f9b344c4860d24458e264c7e79c3

17 files changed:
automation/ansible/README.md [new file with mode: 0644]
automation/ansible/group_vars/all.yml [new file with mode: 0644]
automation/ansible/group_vars/node.yml [new file with mode: 0644]
automation/ansible/hosts
automation/ansible/infra_lava.yml [new file with mode: 0644]
automation/ansible/roles/common/files/internal.efficios.com.pem [new file with mode: 0644]
automation/ansible/roles/common/tasks/certs.yml [new file with mode: 0644]
automation/ansible/roles/common/tasks/main.yml
automation/ansible/roles/lava-server/files/vhost-tls.conf [new file with mode: 0644]
automation/ansible/roles/lava-server/handlers/main.yml [new file with mode: 0644]
automation/ansible/roles/lava-server/tasks/enable_device.yml [new file with mode: 0644]
automation/ansible/roles/lava-server/tasks/main.yml [new file with mode: 0644]
automation/ansible/roles/lava-server/tasks/pdudaemon.yml [new file with mode: 0644]
automation/ansible/roles/lava-server/templates/allowed_hosts.yaml.j2 [new file with mode: 0644]
automation/ansible/roles/lava-server/templates/ldap.yaml.j2 [new file with mode: 0644]
automation/ansible/roles/lava-server/vars/main.yml [new file with mode: 0644]
automation/ansible/site.yml

diff --git a/automation/ansible/README.md b/automation/ansible/README.md
new file mode 100644 (file)
index 0000000..e511650
--- /dev/null
@@ -0,0 +1,26 @@
+# Required collections
+
+```
+ansible-galaxy collection install community.general
+```
+
+# Privileged data
+
+Privileged data is stored in Bitwarden. To use roles that fetch privileged data,
+the following utilities must be available:
+
+* [bw](https://bitwarden.com/help/cli/)
+
+Once installed, login and unlock the vault:
+
+```
+bw login # or, `bw unlock`
+export BW_SESSION=xxxx
+bw sync -f
+```
+
+# Running playbooks
+
+```
+ansible-playbook -i hosts [-l SUBSET] site.yaml
+```
diff --git a/automation/ansible/group_vars/all.yml b/automation/ansible/group_vars/all.yml
new file mode 100644 (file)
index 0000000..2a78929
--- /dev/null
@@ -0,0 +1,2 @@
+---
+jenkins_user: false
diff --git a/automation/ansible/group_vars/node.yml b/automation/ansible/group_vars/node.yml
new file mode 100644 (file)
index 0000000..02a0ca6
--- /dev/null
@@ -0,0 +1,2 @@
+---
+jenkins_user: true
index 14dcada98f6d3a888b4f0704367b1be6bf8129e8..3b4b654596a437bd3086eb0dcf7cb36f771d9226 100644 (file)
@@ -10,6 +10,9 @@ cloud05.internal.efficios.com
 #cloud07.internal.efficios.com
 #cloud08.internal.efficios.com
 
+[infra_lava]
+lava-master-03.internal.efficios.com
+
 [node_armhf]
 ci-node-deb11-armhf-01
 ci-node-deb11-armhf-02
diff --git a/automation/ansible/infra_lava.yml b/automation/ansible/infra_lava.yml
new file mode 100644 (file)
index 0000000..8305bb1
--- /dev/null
@@ -0,0 +1,4 @@
+- hosts: infra_lava
+  roles:
+    - common
+    - lava-server
diff --git a/automation/ansible/roles/common/files/internal.efficios.com.pem b/automation/ansible/roles/common/files/internal.efficios.com.pem
new file mode 100644 (file)
index 0000000..59146bd
--- /dev/null
@@ -0,0 +1,85 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEijCCA3KgAwIBAgIQfU1CqStDHX5kU+fBmo1YdzANBgkqhkiG9w0BAQsFADBX
+MQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEQMA4GA1UE
+CxMHUm9vdCBDQTEbMBkGA1UEAxMSR2xvYmFsU2lnbiBSb290IENBMB4XDTIyMTAx
+MjAzNDk0M1oXDTI3MTAxMjAwMDAwMFowTDELMAkGA1UEBhMCQkUxGTAXBgNVBAoT
+EEdsb2JhbFNpZ24gbnYtc2ExIjAgBgNVBAMTGUFscGhhU1NMIENBIC0gU0hBMjU2
+IC0gRzQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtJCmVZhWIPzOH
+A3jP1QwkuDFT8/+DImyZlSt85UpZwq7G0Sqd+n8gLlHIZypQkad5VkT7OLU+MI78
+lC7LVwxpU19ExlaWL67ANyWG8XHx3AJFQoZhuDbvUeNzRQyQs6XS5wN6uDlF0Bf1
+AtCUQWrGGLGYwyC1xTrzgrFKpESsIXMqklUGTsh8i7DKZhRUVfgrPLJUkbbLUrLY
+42+KRCiwfSvBloC5PgDYnj3oMZ1aTe3Wfk3l1I4D3RKaJ4PU1qHXhHJOge2bjGIG
+l6MsaBN+BB2sr6EnxX0xnMIbew2oIfOFoLqs47vh/GH4JN0qql2WBHfDPVDm3b+G
+QxY6N/LXAgMBAAGjggFbMIIBVzAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYI
+KwYBBQUHAwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYE
+FE/LrKjC76vdg29rv86YPVxYJXYVMB8GA1UdIwQYMBaAFGB7ZhpFDZfKiVAvfQTN
+NKj//P1LMHoGCCsGAQUFBwEBBG4wbDAtBggrBgEFBQcwAYYhaHR0cDovL29jc3Au
+Z2xvYmFsc2lnbi5jb20vcm9vdHIxMDsGCCsGAQUFBzAChi9odHRwOi8vc2VjdXJl
+Lmdsb2JhbHNpZ24uY29tL2NhY2VydC9yb290LXIxLmNydDAzBgNVHR8ELDAqMCig
+JqAkhiJodHRwOi8vY3JsLmdsb2JhbHNpZ24uY29tL3Jvb3QuY3JsMCEGA1UdIAQa
+MBgwCAYGZ4EMAQIBMAwGCisGAQQBoDIKAQMwDQYJKoZIhvcNAQELBQADggEBABol
+9nNkiECpWQenQ7oVP1FhvRX/LWTdzXpdMmp/SELnEJhoOe+366E0dt8tWGg+ezAc
+DPeGYPmp83nAVLeDpji7Nqu8ldB8+G/B6U9GB8i2DDIAqSsFEvcMbWb5gZ2/DmRN
+cifGi9FKAuFu2wyft4s4DHwzL2CJ2zjMlUOM3RaE1cxuOs+Om6MCD9G7vnkAtSiC
+/OOfHO902f4yI2a48K+gKaAf3lISFXjd32pwQ21LpM3ueIGydaJ+1/z8nv+C7SUT
+5bHoz7cYU27LUvh1n2WSNnC6/QwFSoP6gNKa4POO/oO13xjhrLRHJ/04cKMbRALt
+JWQkPacJ8SJVhB2R7BI=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/automation/ansible/roles/common/tasks/certs.yml b/automation/ansible/roles/common/tasks/certs.yml
new file mode 100644 (file)
index 0000000..462e764
--- /dev/null
@@ -0,0 +1,15 @@
+---
+- name: Deploy internal certificate
+  ansible.builtin.copy:
+    dest: /etc/ssl/certs/internal.efficios.com.pem
+    mode: '0644'
+    owner: 'root'
+    group: 'root'
+    src: 'internal.efficios.com.pem'
+- name: Deploy internal certificate key
+  ansible.builtin.copy:
+    dest: /etc/ssl/private/internal.efficios.com.key
+    mode: '0640'
+    owner: 'root'
+    group: 'root'
+    content: "{{lookup('community.general.bitwarden', 'TLS Certificate internal.efficios.com', collection_id='35c5d8b1-2520-4450-a479-aef50131b930')[0]['notes'] }}"
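Review bot: The `Deploy internal certificate key` task writes the private key through `content:` without `no_log: true`, so the key material can appear in `--diff` output and in verbose or callback logs on the controller. Adding `no_log: true` to that task keeps the Bitwarden lookup result out of run output. The `[0]['notes']` indexing also fails with an opaque error when the lookup returns nothing; an `ansible.builtin.assert` on the lookup result before the copy would make a missing vault entry obvious.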
index 1a4895f12fc62df9e4f653366ae57c9173c4add5..5cb4e16ea8dbac2cd6b8470fd93ae96433628528 100644 (file)
     remove: yes
 
 - name: Create jenkins user
+  when: jenkins_user | bool
   user:
     name: 'jenkins'
 
 - name: Set up authorized_keys for the jenkins user
+  when: jenkins_user | bool
   authorized_key:
     user: 'jenkins'
     key: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDA3fwpioVLDoCQsQkYK5bOwPb8N0EXeYm2MleBQTfqxtKaqWWbmUtFXAiyclKHRspjcAiIKwwqLyhPopHBqJzmXnB0GsfGmxXJ6wSBgKJ4kdBVRM+nKlK0wCl1oQkFeV/Xl3jzt1Ey96XiNWlesfkvgcMCpsJzQ7/xRb9IcghskzlQbLOwDNir/156JgAYUYvOLqNCcE+xcgPxJGanfZDXTLkfBYxaeaB8isBPeEU6fhPvu/W055M1uB7E0qhcbFtuKCBu1Fg4jzsW4yDU8+ZB1b5mAXwEAuMbVGMrOf4rjtTpGpQd6XFsXpFT28NU1u5j2cUbtANJalkNDX/UY6XJ jenkins@ci-master-02'
diff --git a/automation/ansible/roles/lava-server/files/vhost-tls.conf b/automation/ansible/roles/lava-server/files/vhost-tls.conf
new file mode 100644 (file)
index 0000000..ca9e95a
--- /dev/null
@@ -0,0 +1,34 @@
+<VirtualHost *:443>
+    ServerAdmin webmaster@localhost
+
+    SSLEngine On
+    SSLCertificateKeyFile /etc/ssl/private/internal.efficios.com.key
+    SSLCertificateFile /etc/ssl/certs/internal.efficios.com.pem
+
+    Alias /tmp/ /var/lib/lava/dispatcher/tmp/
+
+    # Let apache2 handle these URIs
+    ProxyPass /tmp !
+    # Send web socket requests to lava-publisher
+    ProxyPass /ws/ ws://127.0.0.1:8001/ws/
+    ProxyPassReverse /ws/ ws://127.0.0.1:8001/ws/
+    # Send request to Gunicorn
+    ProxyPass / http://127.0.0.1:8000/
+    ProxyPassReverse / http://127.0.0.1:8000/
+    ProxyPreserveHost On
+
+    DocumentRoot /usr/share/lava-server/static/lava_server/
+
+    <Directory /var/lib/lava/dispatcher/tmp>
+        Options -Indexes
+        Require all granted
+        AllowOverride None
+        <IfModule mod_php7.c>
+            php_admin_flag engine Off
+        </IfModule>
+    </Directory>
+
+    LogLevel info
+    ErrorLog ${APACHE_LOG_DIR}/lava-server.log
+    CustomLog ${APACHE_LOG_DIR}/lava-server.log combined
+</VirtualHost>
\ No newline at end of file
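Review bot: The `<IfModule mod_php7.c>` guard around `php_admin_flag engine Off` only matches the PHP 7 module, so on a host where Apache loads PHP 8 (module file `mod_php.c`) the hardening for `/var/lib/lava/dispatcher/tmp` is silently skipped. That directory is served with `Require all granted` and appears to hold dispatcher job files, so add a second guard, `<IfModule mod_php.c>` with the same `php_admin_flag engine Off`, or add a comment stating that PHP is never installed on this host. The vhost also sets no `SSLProtocol` or `SSLCipherSuite`, so it inherits whatever the distribution's defaults allow; if that is intended, a comment saying so would help.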
diff --git a/automation/ansible/roles/lava-server/handlers/main.yml b/automation/ansible/roles/lava-server/handlers/main.yml
new file mode 100644 (file)
index 0000000..5b050b9
--- /dev/null
@@ -0,0 +1,12 @@
+---
+- name: Reload apache
+  shell:
+    cmd: apache2ctl graceful
+- name: Restart apache
+  ansible.builtin.service:
+    name: apache2
+    state: restarted
+- name: Restart lava-server-gunicorn
+  ansible.builtin.service:
+    name: lava-server-gunicorn
+    state: restarted
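Review bot: `Reload apache` shells out to `apache2ctl graceful` while the two handlers beside it use `ansible.builtin.service`. For consistency, and to avoid spawning a shell for a fixed command, it could be `ansible.builtin.service:` with `name: apache2` and `state: reloaded`.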
diff --git a/automation/ansible/roles/lava-server/tasks/enable_device.yml b/automation/ansible/roles/lava-server/tasks/enable_device.yml
new file mode 100644 (file)
index 0000000..23e9303
--- /dev/null
@@ -0,0 +1,14 @@
+---
+- name: Check device type details
+  become: yes
+  become_user: lavaserver
+  register: device_details
+  ignore_errors: true
+  shell:
+    cmd: "lava-server manage device-types details {{item}}"
+- name: Enable device type
+  become: yes
+  become_user: lavaserver
+  when: device_details.rc == 1
+  shell:
+    cmd: "lava-server manage device-types add {{item}}"
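Review bot: `ignore_errors: true` on `Check device type details` hides every failure of `lava-server manage device-types details`, not just the unknown-device-type case, and the follow-up only runs when `rc == 1`, so any other exit code is silently dropped. Replace it with `failed_when: device_details.rc not in [0, 1]` and add `changed_when: false` so the probe does not report a change on every run. Both tasks also interpolate `{{item}}` into a `shell` command line; the values are hard-coded in the caller today, but `ansible.builtin.command` with `argv:` would keep a future variable-driven list from being parsed by a shell.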
diff --git a/automation/ansible/roles/lava-server/tasks/main.yml b/automation/ansible/roles/lava-server/tasks/main.yml
new file mode 100644 (file)
index 0000000..782b5ca
--- /dev/null
@@ -0,0 +1,93 @@
+---
+- name: Install lava-server
+  apt:
+    name:
+      - lava-server
+      - libvirt-clients
+- name: Enable apache modules
+  shell:
+    cmd: a2enmod "{{ item }}"
+    creates: "/etc/apache2/mods-enabled/{{item}}.load"
+  loop:
+    - proxy
+    - proxy_http
+    - ssl
+  notify:
+    - Restart apache
+- name: Disable default apache2 site
+  ansible.builtin.file:
+    path: /etc/apache2/sites-enable/000-default.conf
+    state: absent
+  notify:
+    - Reload apache
+- name: Enable lava-server site
+  shell:
+    cmd: a2ensite lava-server.conf
+    creates: /etc/apache2/sites-enabled/lava-server.conf
+  notify:
+    - Reload apache
+- name: Deploy internal certificate
+  import_role:
+    name: common
+    tasks_from: certs
+  notify:
+    - Reload apache
+- name: Create TLS vhost
+  copy:
+    src: vhost-tls.conf
+    dest: /etc/apache2/sites-enabled/lava-server-tls.conf
+  notify:
+    - Reload apache
+- name: Configure lava-server allowed hosts
+  ansible.builtin.template:
+    src: allowed_hosts.yaml.j2
+    dest: /etc/lava-server/settings.d/00-hosts.yaml
+    owner: lavaserver
+    group: lavaserver
+    mode: '0640'
+  notify:
+    - Restart lava-server-gunicorn
+- name: Configure lava-server LDAP integration
+  ansible.builtin.template:
+    src: ldap.yaml.j2
+    dest: /etc/lava-server/settings.d/01-ldap.yaml
+    owner: lavaserver
+    group: lavaserver
+    mode: '0640'
+  notify:
+    - Restart lava-server-gunicorn
+- name: Add lava devices
+  include_tasks: enable_device.yml
+  loop:
+    - qemu
+    - x86
+    - imx6q-wandboard
+    - cubietruck
+- name: Clone lttng-ci repo
+  become: yes
+  become_user: lavaserver
+  git:
+    dest: /var/lib/lava-server/home/lttng-ci
+    repo: https://github.com/lttng/lttng-ci
+  register: clone_result
+- name: List devices in lttng-ci repo
+  when: clone_result.before != clone_result.after
+  find:
+    paths:
+      - /var/lib/lava-server/home/lttng-ci/lava/devices/
+  register: found_lava_devices
+- name: Create device links
+  when: clone_result.before != clone_result.after
+  ansible.builtin.file:
+    src: "{{item}}"
+    path: "/etc/lava-server/dispatcher-config/devices/{{item | basename }}"
+    state: link
+  loop: "{{found_lava_devices['files'] | map(attribute='path')}}"
+- name: Configure PDU Daemon
+  import_tasks: pdudaemon.yml
+- name: Generate root SSH keypair
+  # The public key can be installed on qemu hosts
+  # lava-worker runs as root, not as lavaserver.
+  community.crypto.openssh_keypair:
+    path: /root/.ssh/id_ed25519
+    type: ed25519
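Review bot: `Disable default apache2 site` points at `/etc/apache2/sites-enable/000-default.conf`, which is missing the trailing `d`, so the task always finds the file absent and the default site stays enabled; the path should be `/etc/apache2/sites-enabled/000-default.conf`. `Create device links` will also fail on any run where the clone did not change, because the loop expression is templated before `when` is evaluated and a skipped `found_lava_devices` has no `files` key; `loop: "{{ found_lava_devices.files | default([]) | map(attribute='path') }}"` avoids that. `Clone lttng-ci repo` has no `version:`, so whatever is at the default branch head gets linked into the dispatcher configuration; pinning a reviewed commit would make that reproducible. `Create TLS vhost` sets no `owner`, `group` or `mode`, unlike the template tasks below it.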
diff --git a/automation/ansible/roles/lava-server/tasks/pdudaemon.yml b/automation/ansible/roles/lava-server/tasks/pdudaemon.yml
new file mode 100644 (file)
index 0000000..e62f04c
--- /dev/null
@@ -0,0 +1,44 @@
+---
+- name: Install dependencies
+  apt:
+    name:
+      - python3-venv
+      - python3-pip
+      - python3-pexpect
+      - python3-requests
+      - python3-systemd
+      - python3-paramiko
+      - python3-serial
+- name: Clone pdudaemon
+  become: yes
+  become_user: lavaserver
+  git:
+    dest: /var/lib/lava-server/home/pdudaemon
+    repo: https://git.internal.efficios.com/efficios/pdudaemon.git
+    version: console_server_update
+  register: pdudaemon_clone
+- name: Build pdudaemon
+  become: yes
+  become_user: lavaserver
+  when: pdudaemon_clone.before != pdudaemon_clone.after
+  shell:
+    chdir: /var/lib/lava-server/home/pdudaemon
+    cmd: "python3 ./setup.py build"
+- name: Install pdudaemon
+  when: pdudaemon_clone.before != pdudaemon_clone.after
+  shell:
+    chdir: /var/lib/lava-server/home/pdudaemon
+    cmd: "python3 setup.py install --prefix=/usr/local/"
+- name: Copy pdudaemon service file
+  when: pdudaemon_clone.before != pdudaemon_clone.after
+  copy:
+    remote_src: true
+    src: /var/lib/lava-server/home/lttng-ci/lava/pdudaemon/pdudaemon.service
+    dest: /etc/systemd/system/pdudaemon.service
+    mode: '0644'
+- name: Enable pdudaemon service
+  ansible.builtin.systemd:
+    daemon_reload: true
+    name: pdudaemon.service
+    enabled: true
+    state: started
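Review bot: `Install pdudaemon` runs `python3 setup.py install` without `become_user: lavaserver`, so, assuming the play connects as root as the `/usr/local/` prefix suggests, code from a checkout that tracks the mutable branch `console_server_update` and was cloned as `lavaserver` is executed with root privileges. Pin `version:` to a reviewed commit (`version: '<reviewed-commit-sha>'`) so a push to that branch cannot change what root runs. `Copy pdudaemon service file` has a similar exposure: it installs a unit into `/etc/systemd/system` from the unpinned lttng-ci clone, and it is gated on `pdudaemon_clone` changing, not on the lttng-ci checkout, so an updated unit file would not be picked up. None of the `shell` tasks here use shell features, so `ansible.builtin.command` would be sufficient.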
diff --git a/automation/ansible/roles/lava-server/templates/allowed_hosts.yaml.j2 b/automation/ansible/roles/lava-server/templates/allowed_hosts.yaml.j2
new file mode 100644 (file)
index 0000000..5fd0baf
--- /dev/null
@@ -0,0 +1,6 @@
+ALLOWED_HOSTS:
+  # This allows the local dispatcher to run without issues
+  - localhost
+{% for host in lava_allowed_hosts %}
+  - {{host}}
+{% endfor%}
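Review bot: `- {{host}}` renders each entry as a plain YAML scalar, so a value that is empty or looks like a boolean or number would be read by the settings loader as something other than a hostname string; `- "{{ host }}"` keeps every entry a string. `{% endfor%}` is valid Jinja but inconsistent with the spaced `{% for host in lava_allowed_hosts %}` above it.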
diff --git a/automation/ansible/roles/lava-server/templates/ldap.yaml.j2 b/automation/ansible/roles/lava-server/templates/ldap.yaml.j2
new file mode 100644 (file)
index 0000000..9c8cbd3
--- /dev/null
@@ -0,0 +1,8 @@
+AUTH_LDAP_SERVER_URI: "ldap://smb-adc02.internal.efficios.com:389"
+AUTH_LDAP_START_TLS: true
+AUTH_LDAP_BIND_DN: "{{ lookup('community.general.bitwarden', 'Jenkins Domain Account', field='binddn', collection_id='35c5d8b1-2520-4450-a479-aef50131b930')[0] }}"
+AUTH_LDAP_BIND_PASSWORD: "{{ lookup('community.general.bitwarden', 'Jenkins Domain Account', field='password', collection_id='35c5d8b1-2520-4450-a479-aef50131b930')[0] }}"
+AUTH_LDAP_USER_SEARCH: 'LDAPSearch("CN=Users,DC=internal,DC=efficios,DC=com", ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)")'
+AUTH_LDAP_USER_ATTR_MAP:
+  first_name: "givenName"
+  email: "mail"
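Review bot: The bind DN and password are substituted inside double-quoted YAML scalars, so a password containing `"` or `\` renders a file that fails to parse or decodes to a different value. Emitting the value through a serializing filter without the surrounding quotes, e.g. `AUTH_LDAP_BIND_PASSWORD: {{ lookup(...)[0] | to_json }}`, avoids that. The task in `tasks/main.yml` that renders this template has no `no_log: true`, so a run with `--diff` prints the bind password. No CA or certificate-requirement option accompanies `AUTH_LDAP_START_TLS: true`, so whether the server certificate is verified depends on defaults not visible in this change.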
diff --git a/automation/ansible/roles/lava-server/vars/main.yml b/automation/ansible/roles/lava-server/vars/main.yml
new file mode 100644 (file)
index 0000000..eaa760a
--- /dev/null
@@ -0,0 +1,2 @@
+lava_allowed_hosts:
+  - "{{ ansible_facts['fqdn'] }}"
index c1f983a15561f84c74ee15790aadbe5819ee8ad6..3a193f72271db1185b609a5472ec343ca1eb05e3 100644 (file)
@@ -1,5 +1,6 @@
 ---
 - import_playbook: hosts.yml
+- import_playbook: infra_lava.yml
 - import_playbook: node_armhf.yml
 - import_playbook: node_arm64.yml
 - import_playbook: node_ppc64el.yml