Update to 2021-12-01 19:13

roles/rabbitmq_server/defaults/main.yml

@@ -0,0 +1,34 @@
+---
+
+# Plain TCP port
+rabbitmq_port: 5672
+rabbitmq_ssl_port: 5671
+
+# Access to the plain port
+rabbitmq_src_ip: []
+# Access to the ssl port
+rabbitmq_ssl_src_ip: []
+
+# Can be either true, in which case a cert will be automatically obtained using letsencrypt
+# or can be a name, in which case you have to configure letsencrypt to obtain the cert yourself
+# rabbitmq_letsencrypt_cert: True
+# or
+# rabbitmq_letsencrypt_cert: rabbit.example.org
+# You have to deploy the letsencrypt role on the host for this to work
+
+# Or you can specify cert and key path. They must be readable by rabbitmq
+# Note that intermediate should be provided in the cacert file !
+# rabbitmq_ssl_cacert_path: /etc/rabbitmq/ssl/chain.pem
+# rabbitmq_ssl_cert_path: /etc/rabbitmq/ssl/cert.pem
+# rabbitmq_ssl_key_path: /etc/rabbitmq/ssl/key.pem
+
+# HTTP API / Web management interface
+rabbitmq_web_port: 15672
+rabbitmq_web_src_ip: []
+
+# Should the guest user available from anywhere ? If False, it'll only be accepted from loopback
+rabbitmq_guest_from_anywhere: False
+
+# List of plugins to enable
+rabbitmq_plugins:
+  - rabbitmq_management

roles/rabbitmq_server/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+
+- name: restart rabbitmq-server
+  service: name=rabbitmq-server state=restarted

roles/rabbitmq_server/meta/main.yml

@@ -0,0 +1,8 @@
+---
+
+dependencies:
+  - role: mkdir
+  - role: repo_rabbitmq
+    when:
+      - ansible_os_family == 'RedHat'
+      - ansible_distribution_major_version is version('8','>=')

roles/rabbitmq_server/tasks/conf.yml

@@ -0,0 +1,26 @@
+---
+
+- name: Remove unused config
+  file: path=/etc/rabbitmq/rabbitmq.config state=absent
+  when: rabbitmq_conf == 'rabbit.conf'
+  notify: restart rabbitmq-server
+  tags: rabbit
+
+  # Create a self signed cert. This is needed even if a cert is later obtained with dehydrated as
+  # turnserver must be started before that
+- import_tasks: ../includes/create_selfsigned_cert.yml
+  vars:
+    - cert_path: /etc/rabbitmq/ssl/cert.pem
+    - cert_key_path: /etc/rabbitmq/ssl/key.pem
+    - cert_user: rabbitmq
+  tags: rabbitmq
+
+- name: Deploy configuration
+  template: src={{ rabbitmq_conf }}.j2 dest=/etc/rabbitmq/{{ rabbitmq_conf }}
+  notify: restart rabbitmq-server
+  tags: rabbitmq
+
+- name: Deploy plugins to enable
+  template: src=enabled_plugins.j2 dest=/etc/rabbitmq/enabled_plugins
+  notify: restart rabbitmq-server
+  tags: rabbitmq

roles/rabbitmq_server/tasks/facts.yml

@@ -0,0 +1,12 @@
+---
+
+  # On EL8 and newer, rabbitmq config uses the new format
+- set_fact: rabbitmq_conf={{ ansible_distribution_major_version is version('8','>=') | ternary('rabbitmq.conf','rabbitmq.config') }}
+  tags: rabbitmq
+
+- when: rabbitmq_letsencrypt_cert is defined or rabbitmq_ssl_cert_path is not defined or rabbitmq_ssl_key_path is not defined
+  block:
+    - set_fact: rabbitmq_ssl_cacert_path='/etc/rabbitmq/ssl/chain.pem'
+    - set_fact: rabbitmq_ssl_cert_path='/etc/rabbitmq/ssl/cert.pem'
+    - set_fact: rabbitmq_ssl_key_path='/etc/rabbitmq/ssl/key.pem'
+  tags: rabbitmq

roles/rabbitmq_server/tasks/install.yml

@@ -0,0 +1,22 @@
+---
+
+- name: Install RabbitMQ
+  yum:
+    name:
+      - rabbitmq-server
+  tags: rabbitmq
+
+- name: Install pre/post backup hooks
+  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/rabbitmq mode=755
+  loop:
+    - pre
+    - post
+  tags: rabbitmq
+
+- name: Create directories
+  file: path=/etc/rabbitmq/ssl state=directory owner=rabbitmq group=rabbitmq mode=700
+  tags: rabbitmq
+
+- name: Install dehydrated hook
+  template: src=dehydrated_hook.sh.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/rabbitmq.sh mode=755
+  tags: rabbitmq

roles/rabbitmq_server/tasks/iptables.yml

@@ -0,0 +1,18 @@
+---
+
+- name: Handle RabbitMQ Server port in the firewall
+  iptables_raw:
+    name: "{{ item.name }}"
+    state: "{{ (item.src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ item.port }} -s {{ item.src_ip | join(',') }} -j ACCEPT"
+  loop:
+    - name: rabbitmq_port
+      port: "{{ rabbitmq_port }}"
+      src_ip: "{{ rabbitmq_src_ip }}"
+    - name: rabbitmq_ssl_port
+      port: "{{ rabbitmq_ssl_port }}"
+      src_ip: "{{ rabbitmq_ssl_src_ip }}"
+    - name: rabbitmq_web_port
+      port: "{{ rabbitmq_web_port }}"
+      src_ip: "{{ rabbitmq_web_src_ip }}"
+  tags: firewall,rabbitmq

roles/rabbitmq_server/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+
+- include: facts.yml
+- include: install.yml
+- include: conf.yml
+- include: iptables.yml
+  when: iptables_manage | default(True)
+- include: services.yml

roles/rabbitmq_server/tasks/services.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Start and enable the service
+  service: name=rabbitmq-server state=started enabled=True
+  tags: rabbitmq

roles/rabbitmq_server/templates/dehydrated_hook.sh.j2

@@ -0,0 +1,21 @@
+#!/bin/bash -e
+
+{% if rabbitmq_letsencrypt_cert is defined %}
+
+{% if rabbitmq_letsencrypt_cert == True %}
+{% set cert = inventory_hostname %}
+{% elif rabbitmq_letsencrypt_cert is string %}
+{% set cert = rabbitmq_letsencrypt_cert %}
+{% endif %}
+
+if [ $1 == "{{ cert }}" ]; then
+  cp /var/lib/dehydrated/certificates/certs/{{ cert }}/chain.pem /etc/rabbitmq/ssl/chain.pem
+  cp /var/lib/dehydrated/certificates/certs/{{ cert }}/cert.pem /etc/rabbitmq/ssl/cert.pem
+  cp /var/lib/dehydrated/certificates/certs/{{ cert }}/privkey.pem /etc/rabbitmq/ssl/key.pem
+  chown :rabbitmq /etc/rabbitmq/ssl/key.pem
+  chmod 644 /etc/rabbitmq/ssl/{cert,chain}.pem
+  chmod 640 /etc/rabbitmq/ssl/key.pem
+  systemctl restart rabbitmq-server
+fi
+{% endif %}
+

roles/rabbitmq_server/templates/enabled_plugins.j2

@@ -0,0 +1 @@
+[{{ rabbitmq_plugins | join(',') }}].

roles/rabbitmq_server/templates/post-backup.j2

@@ -0,0 +1,8 @@
+#!/bin/bash -e
+
+{% if rabbitmq_conf == 'rabbitmq.conf' %}
+rm -f /home/lbkp/rabbitmq/definitions.json
+{% else %}
+# RabbitMQ version too old to support export_definitions
+{% endif %}
+

roles/rabbitmq_server/templates/pre-backup.j2

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -eo pipefail
+
+{% if rabbitmq_conf == 'rabbitmq.conf' %}
+mkdir -p /home/lbkp/rabbitmq/
+/usr/sbin/rabbitmqctl export_definitions --format json definitions.json
+mv /var/lib/rabbitmq/definitions.json /home/lbkp/rabbitmq/
+{% else %}
+# RabbitMQ version too old to support export_definitions
+{% endif %}

roles/rabbitmq_server/templates/rabbitmq.conf.j2

@@ -0,0 +1,10 @@
+listeners.tcp.default = {{ rabbitmq_port }}
+listeners.ssl.default = {{ rabbitmq_ssl_port }}
+{% if rabbitmq_ssl_cacert_path is defined %}
+ssl_options.cacertfile = {{ rabbitmq_ssl_cacert_path }}
+{% endif %}
+ssl_options.certfile = {{ rabbitmq_ssl_cert_path }}
+ssl_options.keyfile = {{ rabbitmq_ssl_key_path }}
+loopback_users.guest = {{ rabbitmq_guest_from_anywhere | ternary('false','true') }}
+management.tcp.port = {{ rabbitmq_web_port }}
+management.tcp.ip = 0.0.0.0

roles/rabbitmq_server/templates/rabbitmq.config.j2

@@ -0,0 +1,12 @@
+%% {{ ansible_managed }}
+
+[
+  {rabbit, [
+      {tcp_listeners, [{{ rabbitmq_port }}]}
+     ,{reverse_dns_lookups, false}
+{% if rabbitmq_guest_from_anywhere %}
+     ,{loopback_users, []}
+{% endif %}
+    ]
+  }
+].