---
# base tooling for the repo host: scm clients, rsync for the mirrors and the
# perl modules used by the helper scripts further down (gen_rsyncd.conf.pl)
- name: install svn, git, rsync and some perl stuff
  pacman:
    name: git,subversion,rsync,perl-dbd-pg,perl-timedate,diffstat
    state: present
# one system account per svn repository; the ssh forced commands configured
# below run svnserve as these users
- name: create dbscripts users
  user:
    name: "{{ item }}"
    shell: /bin/bash
  with_items:
    - svn-packages
    - svn-community
# service account for the cleanup timer; no interactive login.  Without
# append: the supplementary groups are set to exactly this list.
- name: add cleanup user
  user:
    name: cleanup
    groups: tu,dev,multilib
    shell: /sbin/nologin
# service account for the sourceballs timer; no interactive login
- name: add sourceballs user
  user:
    name: sourceballs
    shell: /sbin/nologin
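# sudo rules for the special users (cleanup, sourceballs, ...).
# sudo expects fragments in sudoers.d to be root-owned and mode 0440 and
# refuses files with extra mode bits, so 0440 is used rather than 0600.
# A fragment with a syntax error breaks sudo host-wide, so the file is only
# installed once visudo accepts it.
- name: set up sudoers.d for special users
  copy:
    src: sudoers.d
    dest: /etc/sudoers.d/dbscripts
    owner: root
    group: root
    mode: "0440"
    validate: /usr/bin/visudo -cf %s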
# record whether a Let's Encrypt certificate for repos_domain exists yet;
# presumably the nginx template branches on certfile.stat.exists
- name: check for the letsencrypt certificate of repos_domain
  stat:
    path: "/etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem"
  register: certfile
  tags:
    - nginx
# vhost fragment for the dbscripts endpoints; nginx is restarted through the
# "restart nginx" handler when it changes
- name: set up nginx
  template:
    src: nginx.d.conf.j2
    dest: /etc/nginx/nginx.d/dbscripts.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - restart nginx
  tags:
    - nginx
# basic-auth credentials for nginx: readable by root and the http group only,
# so the password hashes are not exposed to other local accounts
- name: put dbscripts.htpasswd in place
  copy:
    src: dbscripts.htpasswd
    dest: /etc/nginx/auth/dbscripts.htpasswd
    owner: root
    group: http
    mode: "0640"
  tags:
    - nginx
# One login account per arch_users entry.  The supplementary groups (dev, tu,
# multilib, ...) come from the inventory and decide which svn repository a
# user's ssh keys are installed for further down.
# NOTE(review): state: present never removes or locks an account that was
# dropped from arch_users — offboarding needs a separate absent/locked task.
- name: create Arch Linux-specific users
  user:
    name: "{{ item.key }}"
    group: users
    groups: "{{ item.value.groups | join(',') }}"
    comment: "{{ item.value.name }}"
    state: present
  with_dict: "{{ arch_users }}"
# Read each user's public key file from ../pubkeys/<ssh_key> and split it
# into one entry per line.  Registering a set_fact loop yields
# pubkeys.results[], one element per arch_users entry, each carrying
# ansible_facts.pubkeys_per_user plus the originating item (item.key /
# item.value), which the two gather tasks below rely on.
# NOTE(review): blank lines inside a key file become empty entries here and
# are not filtered by the consumers — confirm such files do not occur.
- name : gather all pubkeys of all users
  set_fact : pubkeys_per_user="{{ lookup('file', '../pubkeys/' + item.value.ssh_key).split('\n') }}"
  register : pubkeys
  with_dict : "{{ arch_users }}"
# For every user in the dev group, prefix each of their keys with a forced
# command so the key can only start svnserve in tunnel mode as that user
# (no shell, no port/agent forwarding, no pty).  Keys that already carry a
# "command" option are skipped.  One string per user is registered in
# dev_pubkeys_svn_reg.results[].ansible_facts.dev_pubkeys_svn.
# NOTE(review): 'command' not in key is a substring test on the whole line,
# so a key whose comment merely contains that word is silently dropped.
# Consider also adding no-X11-forwarding (or OpenSSH's restrict option) to
# the forced-command options.
- name : gather pubkeys for all devs
  set_fact : dev_pubkeys_svn="{% for key in item.ansible_facts.pubkeys_per_user if 'dev' in item.item.value.groups and 'command' not in key %}{{ 'command=\"/usr/bin/svnserve --tunnel-user=' + item.item.key + ' -t\",no-port-forwarding,no-agent-forwarding,no-pty ' + key + '\n' }}{% endfor %}"
  register : dev_pubkeys_svn_reg
  with_items : "{{ pubkeys.results }}"
# Concatenate the per-user dev key strings (each already newline-terminated)
# into the single authorized_keys body used for svn-packages below.
- name : join all dev pubkeys into a big string
  set_fact : dev_pubkeys_string="{% for result in dev_pubkeys_svn_reg.results %}{{ result.ansible_facts.dev_pubkeys_svn }}{% endfor %}"
# Same as the dev task above, for users in the tu group: every key is bound
# to a forced svnserve --tunnel-user command with forwarding and pty
# disabled, and keys that already contain "command" are skipped.  Results
# land in tu_pubkeys_svn_reg.results[].ansible_facts.tu_pubkeys_svn.
# NOTE(review): the substring test on 'command' and the option list are
# shared with the dev task; any change should be applied to both.
- name : gather pubkeys for all TUs
  set_fact : tu_pubkeys_svn="{% for key in item.ansible_facts.pubkeys_per_user if 'tu' in item.item.value.groups and 'command' not in key %}{{ 'command=\"/usr/bin/svnserve --tunnel-user=' + item.item.key + ' -t\",no-port-forwarding,no-agent-forwarding,no-pty ' + key + '\n' }}{% endfor %}"
  register : tu_pubkeys_svn_reg
  with_items : "{{ pubkeys.results }}"
# Concatenate the per-user TU key strings into the authorized_keys body
# used for svn-community below.
- name : join all tu pubkeys into a big string
  set_fact : tu_pubkeys_string="{% for result in tu_pubkeys_svn_reg.results %}{{ result.ansible_facts.tu_pubkeys_svn }}{% endfor %}"
# Install the forced-command keys of all devs for the svn-packages account.
# exclusive: true replaces the whole authorized_keys file, so a key removed
# from pubkeys/ (or a user removed from the dev group) loses access on the
# next run instead of lingering.
- name: configure ssh keys for devs
  authorized_key:
    user: svn-packages
    key: "{{ dev_pubkeys_string }}"
    manage_dir: true
    state: present
    exclusive: true
# Install the forced-command keys of all TUs for the svn-community account;
# exclusive: true keeps the file in sync with pubkeys/ on every run.
- name: configure ssh keys for TUs
  authorized_key:
    user: svn-community
    key: "{{ tu_pubkeys_string }}"
    manage_dir: true
    state: present
    exclusive: true
# top-level tree per repository; ownership of the subdirectories is set
# individually below
- name: create dbscripts paths
  file:
    path: "{{ item }}"
    state: directory
  with_items:
    - /srv/repos/svn-community
    - /srv/repos/svn-packages
# package-cleanup directories: group-writable for the repository's packager
# group (tu / dev) and additionally writable by the cleanup service user.
# The default:* ACL entries make newly created files inherit that access.
- name: create svn-community package-cleanup directory
  file:
    path: /srv/repos/svn-community/package-cleanup
    state: directory
    owner: svn-community
    group: tu
    mode: "0775"
- name: set ACLs on svn-community package-cleanup
  acl:
    name: /srv/repos/svn-community/package-cleanup
    entry: "{{ item }}"
    state: present
  with_items:
    - "user:cleanup:rwx"
    - "default:user::rwx"
    - "default:user:cleanup:rwx"
    - "default:group::rwx"
    - "default:other::r-x"
- name: create svn-packages package-cleanup directory
  file:
    path: /srv/repos/svn-packages/package-cleanup
    state: directory
    owner: svn-packages
    group: dev
    mode: "0775"
- name: set ACLs on svn-packages package-cleanup
  acl:
    name: /srv/repos/svn-packages/package-cleanup
    entry: "{{ item }}"
    state: present
  with_items:
    - "user:cleanup:rwx"
    - "default:user::rwx"
    - "default:user:cleanup:rwx"
    - "default:group::rwx"
    - "default:other::r-x"
# source-cleanup: owned by the sourceballs service user, group of the repo
- name: create source-cleanup directories
  file:
    path: "/srv/repos/{{ item }}/source-cleanup"
    state: directory
    owner: sourceballs
    group: "{{ item }}"
    mode: "0755"
  with_items:
    - svn-community
    - svn-packages
# svn: the actual repository, owned by the repo user; default ACLs keep new
# files owner-writable and read-only for group/other
- name: create svn repository directories
  file:
    path: "/srv/repos/{{ item }}/svn"
    state: directory
    owner: "{{ item }}"
    group: "{{ item }}"
    mode: "0755"
  with_items:
    - svn-community
    - svn-packages
- name: set default ACLs on svn repository directories
  acl:
    name: "/srv/repos/{{ item.0 }}/svn"
    entry: "{{ item.1 }}"
    state: present
  with_nested:
    - [svn-community, svn-packages]
    - ["default:user::rwx", "default:group::r-x", "default:other::r-x"]
# tmp: staging area writable by the packager group; the sticky bit (1775)
# stops users from removing each other's files.  sourceballs needs write
# access too.
- name: create tmp directories
  file:
    path: "/srv/repos/{{ item.repo }}/tmp"
    state: directory
    owner: "{{ item.repo }}"
    group: "{{ item.group }}"
    mode: "1775"
  with_items:
    - { repo: svn-community, group: tu }
    - { repo: svn-packages, group: dev }
- name: grant sourceballs access to tmp directories
  acl:
    name: "/srv/repos/{{ item }}/tmp"
    entry: "user:sourceballs:rwx"
    state: present
  with_items:
    - svn-community
    - svn-packages
# mirror marker files under /srv/ftp.
# NOTE(review): state: touch is not idempotent — every run updates the mtime
# and reports "changed".  If the mtime of these files is meaningful to the
# mirror tooling, guard the task with a stat or use state: file.
- name: touch /srv/ftp/lastsync
  file:
    path: /srv/ftp/lastsync
    state: touch
    owner: ftp
    group: ftp
    mode: "0644"
- name: touch /srv/ftp/lastupdate
  file:
    path: /srv/ftp/lastupdate
    state: touch
    owner: ftp
    group: ftp
    mode: "0644"
# both packager groups may update lastupdate
- name: allow tu and dev to write /srv/ftp/lastupdate
  acl:
    name: /srv/ftp/lastupdate
    entry: "{{ item }}"
    state: present
  with_items:
    - "group:tu:rw-"
    - "group:dev:rw-"
# one dbscripts checkout per repository (symlinked to /community and
# /packages further down).
# NOTE(review): no version: is given, so by default every run moves each
# checkout to the remote's current HEAD — consider pinning a tag or commit
# so the production scripts only change when intended.
- name: clone dbscripts git repo
  git:
    repo: https://git.archlinux.org/dbscripts.git
    dest: "/srv/repos/{{ item }}/dbscripts"
  with_items:
    - svn-community
    - svn-packages
# /srv/svn is the root svnserve serves from; the well-known paths
# /community and /packages point at the dbscripts checkouts
- name: make /srv/svn
  file:
    path: /srv/svn
    state: directory
- name: symlink svn repositories and dbscripts checkouts to their well-known paths
  file:
    path: "{{ item.path }}"
    src: "{{ item.src }}"
    state: link
  with_items:
    - { path: /srv/svn/community, src: /srv/repos/svn-community/svn }
    - { path: /srv/svn/packages, src: /srv/repos/svn-packages/svn }
    - { path: /community, src: /srv/repos/svn-community/dbscripts }
    - { path: /packages, src: /srv/repos/svn-packages/dbscripts }
- name: put rsyncd.conf into tmpfiles
  copy:
    src: rsyncd-tmpfiles.d
    dest: /etc/tmpfiles.d/rsyncd.conf
    owner: root
    group: root
    mode: "0644"
  register: rsyncdtmpfiles
# apply the new tmpfiles rule right away instead of waiting for the next boot
- name: use tmpfiles.d/rsyncd.conf
  command: systemd-tmpfiles --create
  when: rsyncdtmpfiles.changed
# generator scripts for the mirror rsyncd.conf; root-only directory
- name: create rsyncd-conf-genscripts
  file:
    path: /etc/rsyncd-conf-genscripts
    state: directory
    owner: root
    group: root
    mode: "0700"
- name: install rsync.conf.proto
  copy:
    src: rsyncd.conf.proto
    dest: /etc/rsyncd-conf-genscripts/rsyncd.conf.proto
    owner: root
    group: root
    mode: "0644"
# rsyncd refuses a secrets file readable by others ("strict modes"), so the
# file must stay root-only
- name: install rsyncd.secrets
  copy:
    src: rsyncd.secrets
    dest: /etc/rsyncd.secrets
    owner: root
    group: root
    mode: "0600"
- name: configure gen_rsyncd.conf.pl
  template:
    src: gen_rsyncd.conf.pl
    dest: /etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl
    owner: root
    group: root
    mode: "0700"
# NOTE(review): runs and reports "changed" on every play; if the generator
# is idempotent, add changed_when: false or run it only when the template
# above changed.
- name: generate mirror config
  command: /etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl
- name: install svnlog
  copy:
    src: svnlog
    dest: /usr/local/bin/svnlog
    owner: root
    group: root
    mode: "0755"
# dedicated account for the svn-to-git mirror, no interactive login; the
# generated key pair is presumably what the ssh:// public remote below
# authenticates with
- name: add arch-svntogit user
  user:
    name: svntogit
    shell: /sbin/nologin
    home: /srv/svntogit
    generate_ssh_key: true
    ssh_key_bits: 4096
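# Give the svntogit account a git identity so the mirror commits it pushes
# to the public remote carry a stable author.  --global writes the account's
# own ~/.gitconfig (home is /srv/svntogit).  Setting a config value is
# idempotent, so neither task reports a change.
- name: configure svntogit git user name
  # `git config <key> <value>` takes no '='; with the stray '=' git received
  # "=" as the value and "svntogit" as a value-pattern argument
  command: git config --global user.name svntogit
  become: true
  become_user: svntogit
  changed_when: false
- name: configure svntogit git user email
  # this task previously set user.name a second time instead of user.email
  command: git config --global user.email svntogit@repos.archlinux.org
  become: true
  become_user: svntogit
  changed_when: false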
# the mirror script is root-owned so the svntogit account that runs it
# cannot modify it; the repos subdir is where its checkouts live
- name: template arch-svntogit
  copy:
    src: update-repos.sh
    dest: /srv/svntogit/update-repos.sh
    owner: root
    group: root
    mode: "0755"
- name: create svntogit repos subdir
  file:
    path: /srv/svntogit/repos
    state: directory
    owner: svntogit
    group: svntogit
    mode: "0775"
# initial git-svn import straight from the local svn repository; skipped
# once the target checkout exists
- name: clone git-svn repos
  command: git svn clone file:///srv/repos/svn-{{ item }}/svn /srv/svntogit/repos/{{ item }}
  args:
    creates: /srv/svntogit/repos/{{ item }}
  with_items:
    - community
    - packages
  become: true
  become_user: svntogit
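# Register the public push target of each mirror checkout.  The remote
# already existing is the expected state on re-runs; any other failure
# (missing checkout, wrong path, git error) must still fail the play instead
# of being hidden behind a blanket ignore_errors.
- name: add svntogit public remotes
  command: git remote add public ssh://git.archlinux.org/srv/git/svntogit/{{ item }}.git
  args:
    chdir: /srv/svntogit/repos/{{ item }}
  with_items:
    - community
    - packages
  become: true
  become_user: svntogit
  register: svntogit_remote_add
  failed_when: svntogit_remote_add.rc != 0 and 'already exists' not in svntogit_remote_add.stderr
  changed_when: svntogit_remote_add.rc == 0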
# The following command also serves as a way to get the data the first time the repo is set up
# NOTE(review): this is the first task that connects to git.archlinux.org
# over ssh as svntogit; nothing in this file seeds known_hosts for that
# host — confirm it is provided elsewhere rather than relying on a prompt.
- name: configure svntogit pull upstream branch
  command: git pull public master
  args:
    chdir: /srv/svntogit/repos/{{ item }}
  with_items:
    - community
    - packages
  become: true
  become_user: svntogit
# set public/master as the upstream of master so the mirror script can push
# without naming the remote
- name: configure svntogit push upstream branch
  command: git push -u public master
  args:
    chdir: /srv/svntogit/repos/{{ item }}
  with_items:
    - community
    - packages
  become: true
  become_user: svntogit
# the home directory is created by the user module; make sure it ends up
# owned by svntogit after the root-owned files above were dropped into it
- name: fix svntogit home permissions
  file:
    path: /srv/svntogit
    state: directory
    owner: svntogit
    group: svntogit
    mode: "0775"
# socket-activated rsyncd for the mirrors
- name: start and enable rsync
  service:
    name: rsyncd.socket
    enabled: true
    state: started
# The svnserve daemon is read-only (-R) and rooted at /srv/svn; write access
# goes through the per-user forced svnserve --tunnel-user commands over ssh
# configured above.
# NOTE(review): the \n in the k=v content= string is kept exactly as the
# original wrote it — verify the installed file ends with a real newline.
- name : configure svnserve
  copy : dest=/etc/conf.d/svnserve content="SVNSERVE_ARGS=-R -r /srv/svn\n"
- name : start and enable svnserve
  service : name=svnserve enabled=yes state=started
# script run by the update-abs timer installed below
- name: set up update-abs
  template:
    src: update-abs.sh.j2
    dest: /usr/local/bin/update-abs.sh
    owner: root
    group: root
    mode: "0755"
# timer/service unit pairs for the periodic repo jobs; systemd is reloaded
# through the "daemon reload" handler when any unit changes
- name: install systemd timers
  copy:
    src: "{{ item }}"
    dest: "/etc/systemd/system/{{ item }}"
    owner: root
    group: root
    mode: "0644"
  with_items:
    - update-abs.timer
    - update-abs.service
    - cleanup.timer
    - cleanup.service
    - sourceballs.timer
    - sourceballs.service
    - integrity-check.timer
    - integrity-check.service
    - lastsync.timer
    - lastsync.service
    - gen_rsyncd.timer
    - gen_rsyncd.service
    - arch-svntogit.timer
    - arch-svntogit.service
  notify:
    - daemon reload
# only the timers are enabled; the matching services are triggered by them
- name: activate systemd timers
  service:
    name: "{{ item }}"
    enabled: true
    state: started
  with_items:
    - update-abs.timer
    - cleanup.timer
    - sourceballs.timer
    - integrity-check.timer
    - lastsync.timer
    - gen_rsyncd.timer
    - arch-svntogit.timer