
Capitalize the first letter of all task names

ansible-lint 6.5.0 complains about:

  name: All names should start with an
        uppercase letter. (name[casing])
Evangelos Foutras 2022-08-23 05:49:23 +03:00
parent 19ee76d74c
commit 26f289b72b
No known key found for this signature in database
GPG Key ID: 51E8B148A9999C34
168 changed files with 1131 additions and 1131 deletions


@ -1,4 +1,4 @@
- name: setup Keycloak server
- name: Setup Keycloak server
hosts: accounts.archlinux.org
remote_user: root
roles:


@ -1,4 +1,4 @@
- name: basic setup for all hosts
- name: Basic setup for all hosts
hosts: all
remote_user: root
roles:


@ -1,4 +1,4 @@
- name: common playbook for archive-mirrors
- name: Common playbook for archive-mirrors
hosts: archive_mirrors
remote_user: root
roles:


@ -1,14 +1,14 @@
- name: "prepare postgres ssl hosts list"
hosts: archlinux.org
tasks:
- name: assign ipv4 addresses to fact postgres_hosts4
- name: Assign ipv4 addresses to fact postgres_hosts4
set_fact: postgres_hosts4="{{ [gemini4] + detected_ips }}"
vars:
gemini4: "{{ hostvars['gemini.archlinux.org']['wireguard_address'] }}/32"
detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['wireguard_address']) | select() | map('regex_replace', '^(.+)$', '\\1/32') | list }}"
tags: ["postgres", "firewall"]
- name: setup archlinux.org
- name: Setup archlinux.org
hosts: archlinux.org
remote_user: root
roles:


@ -1,4 +1,4 @@
- name: setup aur.archlinux.org
- name: Setup aur.archlinux.org
hosts: aur.archlinux.org
remote_user: root
roles:


@ -1,4 +1,4 @@
- name: setup bbs.archlinux.org
- name: Setup bbs.archlinux.org
hosts: bbs.archlinux.org
remote_user: root
roles:


@ -1,4 +1,4 @@
- name: setup bugs.archlinux.org
- name: Setup bugs.archlinux.org
hosts: bugs.archlinux.org
remote_user: root
roles:


@ -1,4 +1,4 @@
- name: setup build.archlinux.org
- name: Setup build.archlinux.org
hosts: build.archlinux.org
remote_user: root
roles:


@ -1,4 +1,4 @@
- name: setup public dashboards server
- name: Setup public dashboards server
hosts: dashboards.archlinux.org
remote_user: root
roles:


@ -1,4 +1,4 @@
- name: setup debuginfod.archlinux.org
- name: Setup debuginfod.archlinux.org
hosts: debuginfod.archlinux.org
remote_user: root
roles:


@ -1,4 +1,4 @@
- name: setup gemini.archlinux.org
- name: Setup gemini.archlinux.org
hosts: gemini.archlinux.org
remote_user: root
vars:


@ -1,4 +1,4 @@
- name: setup gitlab-runners
- name: Setup gitlab-runners
hosts: gitlab_runners
remote_user: root
roles:


@ -1,4 +1,4 @@
- name: setup gitlab server
- name: Setup gitlab server
hosts: gitlab.archlinux.org
remote_user: root
roles:


@ -1,4 +1,4 @@
- name: setup gluebuddy.archlinux.org
- name: Setup gluebuddy.archlinux.org
hosts: gluebuddy.archlinux.org
remote_user: root
roles:


@ -1,4 +1,4 @@
- name: setup Hetzner storagebox account
- name: Setup Hetzner storagebox account
hosts: localhost
gather_facts: false
vars_files:


@ -1,4 +1,4 @@
- name: setup homedir.archlinux.org
- name: Setup homedir.archlinux.org
hosts: homedir.archlinux.org
remote_user: root
roles:


@ -1,4 +1,4 @@
- name: setup mailman server
- name: Setup mailman server
hosts: lists.archlinux.org
remote_user: root
roles:


@ -1,4 +1,4 @@
- name: setup mail.archlinux.org
- name: Setup mail.archlinux.org
hosts: mail.archlinux.org
remote_user: root
roles:


@ -1,4 +1,4 @@
- name: setup mailman3 server
- name: Setup mailman3 server
hosts: mailman3.archlinux.org
remote_user: root
roles:


@ -1,4 +1,4 @@
- name: setup man.archlinux.org
- name: Setup man.archlinux.org
hosts: man.archlinux.org
remote_user: root
roles:


@ -1,4 +1,4 @@
- name: setup matrix
- name: Setup matrix
hosts: matrix.archlinux.org
remote_user: root
vars_files:


@ -1,4 +1,4 @@
- name: setup hedgedoc server
- name: Setup hedgedoc server
hosts: md.archlinux.org
remote_user: root
roles:


@ -1,4 +1,4 @@
- name: common playbook for mirrors
- name: Common playbook for mirrors
hosts: mirrors
remote_user: root
roles:


@ -1,4 +1,4 @@
- name: setup prometheus server
- name: Setup prometheus server
hosts: monitoring.archlinux.org
remote_user: root
roles:


@ -1,4 +1,4 @@
- name: setup patchwork.archlinux.org
- name: Setup patchwork.archlinux.org
hosts: patchwork.archlinux.org
remote_user: root
roles:


@ -1,4 +1,4 @@
- name: setup phrik bot server
- name: Setup phrik bot server
hosts: phrik.archlinux.org
remote_user: root
roles:


@ -1,4 +1,4 @@
- name: setup quassel server
- name: Setup quassel server
hosts: quassel.archlinux.org
remote_user: root
roles:


@ -1,4 +1,4 @@
- name: common playbook for rebuilderd_workers
- name: Common playbook for rebuilderd_workers
hosts: rebuilderd_workers
remote_user: root
roles:


@ -1,4 +1,4 @@
- name: setup redirect.archlinux.org
- name: Setup redirect.archlinux.org
hosts: redirect.archlinux.org
remote_user: root
roles:


@ -1,4 +1,4 @@
- name: setup reproducible builds rebuilder
- name: Setup reproducible builds rebuilder
hosts: reproducible.archlinux.org
remote_user: root
roles:


@ -1,4 +1,4 @@
- name: setup rsync.net account
- name: Setup rsync.net account
hosts: localhost
gather_facts: false
vars_files:


@ -1,4 +1,4 @@
- name: setup security.archlinux.org
- name: Setup security.archlinux.org
hosts: security.archlinux.org
remote_user: root
roles:


@ -1,4 +1,4 @@
- name: setup state.archlinux.org (terraform state store)
- name: Setup state.archlinux.org (terraform state store)
hosts: state.archlinux.org
remote_user: root
roles:


@ -1,23 +1,23 @@
- name: prepare local storage directory
- name: Prepare local storage directory
hosts: localhost
tasks:
- name: create borg-keys directory
- name: Create borg-keys directory
file: path="{{ playbook_dir }}/../../borg-keys/" state=directory # noqa 208
- name: fetch borg keys
- name: Fetch borg keys
hosts: borg_clients
tasks:
- name: fetch borg key
- name: Fetch borg key
command: "/usr/local/bin/borg key export :: /dev/stdout"
register: borg_key
changed_when: "borg_key.rc == 0"
- name: fetch borg offsite key
- name: Fetch borg offsite key
command: "/usr/local/bin/borg-offsite key export :: /dev/stdout"
register: borg_offsite_key
changed_when: "borg_offsite_key.rc == 0"
- name: save borg key
- name: Save borg key
shell: gpg --batch --armor --encrypt --output - >"{{ playbook_dir }}/../../borg-keys/{{ inventory_hostname }}.gpg" {% for userid in vault_super_pgpkeys | flatten %}--recipient {{ userid }} {% endfor %}
args:
stdin: "{{ borg_key.stdout }}"
@ -26,7 +26,7 @@
register: gpg_key
changed_when: "gpg_key.rc == 0"
- name: save borg offsite key
- name: Save borg offsite key
shell: gpg --batch --armor --encrypt --output - >"{{ playbook_dir }}/../../borg-keys/{{ inventory_hostname }}-offsite.gpg" {% for userid in vault_super_pgpkeys | flatten %}--recipient {{ userid }} {% endfor %}
args:
stdin: "{{ borg_offsite_key.stdout }}"


@ -1,7 +1,7 @@
- name: check if moreutils is installed
- name: Check if moreutils is installed
pacman: name=moreutils state=present
- name: reencrypt vault {{ vault_id }} key
- name: Reencrypt vault {{ vault_id }} key
shell: |
set -eo pipefail
gpg --decrypt --batch --quiet "{{ playbook_dir }}/../../misc/vault-{{ vault_id }}-password.gpg" \


@ -1,62 +1,62 @@
- name: ensure latest keyring
- name: Ensure latest keyring
pacman:
name: archlinux-keyring
state: latest
update_cache: yes
- name: upgrade all packages
- name: Upgrade all packages
pacman:
upgrade: yes
register: pacman_upgrade
- name: stop if no packages were upgraded
- name: Stop if no packages were upgraded
meta: end_host
when: pacman_upgrade is not changed
- name: check for running builds
- name: Check for running builds
block:
- name: list build-related processes
- name: List build-related processes
command: pgrep -x 'mkarchroot|makechrootpkg|systemd-nspawn'
register: pgrep
ignore_errors: true
- name: abort reboot with running builds
- name: Abort reboot with running builds
meta: end_host
when: pgrep is succeeded
when: "'buildservers' in group_names"
- name: check for active borg backup jobs
- name: Check for active borg backup jobs
block:
- name: check if /backup exists
- name: Check if /backup exists
stat: path=/backup
register: backup_mountdir
- name: abort reboot when borg backup is running
- name: Abort reboot when borg backup is running
meta: end_host
when: backup_mountdir.stat.exists
when: "'borg_clients' in group_names"
- name: gemini pre-reboot checks
- name: Gemini pre-reboot checks
block:
- name: list logged on users
- name: List logged on users
command: who
register: who
- name: abort reboot with logged on users
- name: Abort reboot with logged on users
meta: end_host
when:
- who is changed
- who.stdout_lines|length > 1
- name: stop arch-svntogit.timer
- name: Stop arch-svntogit.timer
service: name=arch-svntogit.timer state=stopped
- name: wait for svntogit to finish
- name: Wait for svntogit to finish
wait_for:
path: /srv/svntogit/update-repos.sh.lock
state: absent
when: inventory_hostname == "gemini.archlinux.org"
- name: reboot
- name: Reboot
reboot:


@ -1,7 +1,7 @@
# This script is for provisioning a server for first boot.
# Care: It is not idempotent by design.
- name: install_arch
- name: Install arch
hosts: all
remote_user: root
roles:


@ -8,13 +8,13 @@
tempfile: state=directory suffix=pacman
register: tempdir
- name: fetch pacman tarball
- name: Fetch pacman tarball
get_url: url=https://sources.archlinux.org/other/pacman/pacman-{{ pacman_version }}.tar.xz dest={{ tempdir.path }}/pacman.tar.xz
- name: unpack tarball
- name: Unpack tarball
unarchive: src={{ tempdir.path }}/pacman.tar.xz dest={{ tempdir.path }}
- name: build website
- name: Build website
command: "{{ item }}"
args:
chdir: "{{ tempdir.path }}/pacman-{{ pacman_version }}"
@ -23,10 +23,10 @@
- ninja -C build doc/website.tar.gz
- block:
- name: create website directory
- name: Create website directory
file: state=directory owner=root group=root mode=0755 path={{ pacman_dir }}
- name: upload website
- name: Upload website
unarchive:
src: "{{ tempdir.path }}/pacman-{{ pacman_version }}/build/doc/website.tar.gz"
dest: "{{ pacman_dir }}"


@ -1,7 +1,7 @@
- name: reencrypt vault default key
- name: Reencrypt vault default key
hosts: localhost
tasks:
- name: reencrypt vault default key
- name: Reencrypt vault default key
include_tasks: include/reencrypt-vault-key.yml
vars:
vault_id: default


@ -1,7 +1,7 @@
- name: reencrypt vault super key
- name: Reencrypt vault super key
hosts: localhost
tasks:
- name: reencrypt vault super key
- name: Reencrypt vault super key
include_tasks: include/reencrypt-vault-key.yml
vars:
vault_id: super


@ -1,8 +1,8 @@
- name: fetch ssh hostkeys
- name: Fetch ssh hostkeys
hosts: all
gather_facts: false
tasks:
- name: fetch hostkey checksums
- name: Fetch hostkey checksums
shell: |
for type in sha256 md5; do
for file in /etc/ssh/ssh_host_*.pub; do
@ -13,7 +13,7 @@
register: ssh_hostkeys
changed_when: ssh_hostkeys | length > 0
- name: fetch known_hosts
- name: Fetch known_hosts
shell: |
set -eo pipefail
ssh-keyscan 127.0.0.1 2>/dev/null \
@ -26,10 +26,10 @@
register: known_hosts
changed_when: known_hosts | length > 0
- name: store hostkeys
- name: Store hostkeys
hosts: localhost
tasks:
- name: store hostkeys
- name: Store hostkeys
copy:
dest: "{{ playbook_dir }}/../../docs/ssh-hostkeys.txt"
content: |
@ -40,7 +40,7 @@
{% endfor %}
mode: preserve
- name: store known_hosts
- name: Store known_hosts
blockinfile:
path: "{{ playbook_dir }}/../../docs/ssh-known_hosts.txt"
block: |
@ -51,9 +51,9 @@
{% endfor %}
- name: upload known_hosts to all nodes
- name: Upload known_hosts to all nodes
hosts: all
tasks:
- name: upload known_hosts
- name: Upload known_hosts
copy: dest=/etc/ssh/ssh_known_hosts src="{{ playbook_dir }}/../../docs/ssh-known_hosts.txt" owner=root group=root mode=0644
tags: ['upload-known-hosts']


@ -1,19 +1,19 @@
- name: upgrade and reboot all hetzner servers
- name: Upgrade and reboot all hetzner servers
hosts: all,!kape_servers,!equinix_metal
max_fail_percentage: 0
serial: 20%
gather_facts: false
tasks:
- name: upgrade each host in this batch
- name: Upgrade each host in this batch
include_tasks: include/upgrade-server.yml
- name: upgrade and reboot all Kape and Equinix Metal servers
- name: Upgrade and reboot all Kape and Equinix Metal servers
hosts: kape_servers,equinix_metal
max_fail_percentage: 0
serial: 1
gather_facts: false
tasks:
- name: upgrade each host in this batch
- name: Upgrade each host in this batch
include_tasks: include/upgrade-server.yml


@ -1,4 +1,4 @@
- name: setup wiki.archlinux.org
- name: Setup wiki.archlinux.org
hosts: wiki.archlinux.org
remote_user: root
roles:


@ -1,2 +1,2 @@
- name: restart powerdns
- name: Restart powerdns
service: name=pdns state=restarted
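Review bot: The handler rename on the line above is not matched by the `notify: restart powerdns` reference in the powerdns tasks hunk, which this commit leaves as an unchanged context line, and as far as I know Ansible resolves notifications by an exact, case-sensitive name match, so after this change a template update to pdns.conf or dnsupdate-policy.lua would fail with an unknown-handler error rather than restarting pdns. The same mismatch appears for `reload alertmanager` (handler capitalized in the alertmanager handlers hunk, `notify: reload alertmanager` left lowercase in the alertmanager tasks hunk) and for the `daemon reload` handlers in the archbuild and archweb handler files, whose `- daemon reload` notify entries in the corresponding tasks hunks are unchanged context. Either update every reference to the new spelling, e.g. `notify: Restart powerdns`, or keep the old name reachable by adding `listen: restart powerdns` under the renamed handler so existing notify lines keep firing. Notify references in the parts of this 168-file commit not shown here need the same check.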


@ -1,24 +1,24 @@
- name: install powerdns
- name: Install powerdns
pacman: name=powerdns state=present
- name: install PowerDNS configuration
- name: Install PowerDNS configuration
template: src={{ item.src }} dest=/etc/powerdns/{{ item.dest }} owner=root group=root mode=0644
loop:
- {src: pdns.conf.j2, dest: pdns.conf}
- {src: dnsupdate-policy.lua.j2, dest: dnsupdate-policy.lua}
notify: restart powerdns
- name: create directory for sqlite3 dbs
- name: Create directory for sqlite3 dbs
file: path=/var/lib/powerdns state=directory owner=powerdns group=powerdns mode=0755
- name: initialize sqlite3 database for _acme-challenge zones
- name: Initialize sqlite3 database for _acme-challenge zones
command: sqlite3 -init /usr/share/doc/powerdns/schema.sqlite3.sql /var/lib/powerdns/pdns.sqlite3 ""
become: true
become_user: powerdns
args:
creates: /var/lib/powerdns/pdns.sqlite3
- name: create _acme-challenge zones
- name: Create _acme-challenge zones
shell: |
pdnsutil create-zone _acme-challenge.{{ item }} {{ inventory_hostname }}
pdnsutil replace-rrset _acme-challenge.{{ item }} @ SOA "{{ inventory_hostname }}. root.archlinux.org. 0 10800 3600 604800 3600"
@ -27,18 +27,18 @@
become_user: powerdns
changed_when: false
- name: import TSIG key (for certbot)
- name: Import TSIG key (for certbot)
command: pdnsutil import-tsig-key {{ certbot_rfc2136_key }} {{ certbot_rfc2136_algorithm }} {{ certbot_rfc2136_secret }}
changed_when: false
- name: open powerdns ipv4 port for monitoring.archlinux.org
- name: Open powerdns ipv4 port for monitoring.archlinux.org
ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port=8081 accept"
tags:
- firewall
- name: open firewall hole
- name: Open firewall hole
ansible.posix.firewalld: service=dns permanent=true state=enabled immediate=yes
- name: start and enable powerdns
- name: Start and enable powerdns
systemd: name=pdns.service enabled=yes daemon_reload=yes state=started


@ -1,2 +1,2 @@
- name: reload alertmanager
- name: Reload alertmanager
service: name=alertmanager state=reloaded


@ -1,9 +1,9 @@
- name: install alertmanager server
- name: Install alertmanager server
pacman: name=alertmanager state=present
- name: install alertmanager configuration
- name: Install alertmanager configuration
template: src=alertmanager.yml.j2 dest=/etc/alertmanager/alertmanager.yml owner=root group=alertmanager mode=640
notify: reload alertmanager
- name: enable alertmanager server service
- name: Enable alertmanager server service
systemd: name=alertmanager enabled=yes daemon_reload=yes state=started


@ -1,10 +1,10 @@
- name: install arch-boxes-sync.sh script dependencies
- name: Install arch-boxes-sync.sh script dependencies
pacman: name=curl,jq,unzip state=present
- name: install arch-boxes-sync.sh script
- name: Install arch-boxes-sync.sh script
copy: src=arch-boxes-sync.sh dest=/usr/local/bin/ owner=root group=root mode=0755
- name: install arch-boxes-sync.{service,timer}
- name: Install arch-boxes-sync.{service,timer}
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
loop:
- arch-boxes-sync.service
@ -12,5 +12,5 @@
notify:
- daemon reload
- name: start and enable arch-boxes-sync.timer
- name: Start and enable arch-boxes-sync.timer
systemd: name=arch-boxes-sync.timer enabled=yes daemon_reload=yes state=started


@ -1,3 +1,3 @@
- name: daemon reload
- name: Daemon reload
systemd:
daemon-reload: true


@ -1,4 +1,4 @@
- name: install archbuild
- name: Install archbuild
pacman:
name:
- base-devel
@ -16,7 +16,7 @@
- appstream-generator
state: present
- name: install archbuild scripts
- name: Install archbuild scripts
copy: src={{ item }} dest=/usr/local/bin/{{ item }} owner=root group=root mode=0755
with_items:
- mkpkg
@ -28,12 +28,12 @@
- clean-offload-build
- gitpkg
- name: install archbuild config files
- name: Install archbuild config files
copy: src={{ item }} dest=/usr/local/share/{{ item }} owner=root group=root mode=0644
with_items:
- elinks-pkgdiffrepo.conf
- name: install archbuild units
- name: Install archbuild units
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items:
- clean-chroots.timer
@ -47,33 +47,33 @@
notify:
- daemon reload
- name: install archbuild unit
- name: Install archbuild unit
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items:
- var-lib-archbuild.mount
notify:
- daemon reload
- name: install archbuild user units
- name: Install archbuild user units
copy: src={{ item }} dest=/etc/systemd/user/{{ item }} owner=root group=root mode=0644
with_items:
- mkpkg@.timer
- mkpkg@.service
- name: install user-.slice snippet
- name: Install user-.slice snippet
copy: src=user-.slice.d dest=/etc/systemd/system owner=root group=root mode=0644
- name: start and enable archbuild mounts
- name: Start and enable archbuild mounts
service: name={{ item }} enabled={{ "yes" if archbuild_fs == 'tmpfs' else "no" }} state={{ "started" if archbuild_fs == 'tmpfs' else "stopped" }}
with_items:
- var-lib-archbuild.mount
- name: start and enable archbuilddest mount
- name: Start and enable archbuilddest mount
service: name={{ item }} enabled=yes state=started
with_items:
- var-lib-archbuilddest.mount
- name: create archbuilddest
- name: Create archbuilddest
file:
state: directory
path: '/var/lib/{{ "/".join(item) }}'
@ -84,7 +84,7 @@
- [archbuilddest]
- [srcdest]
- name: set acl on archbuilddest
- name: Set acl on archbuilddest
acl:
name: '/var/lib/archbuilddest/{{ item[0] }}'
state: present
@ -104,18 +104,18 @@
'default:other::r-x',
'default:mask::rwx']
- name: start and enable archbuild units
- name: Start and enable archbuild units
service: name={{ item }} enabled=yes state=started
with_items:
- clean-chroots.timer
- clean-dests.timer
- clean-offload-build.timer
- name: install makepkg.conf
- name: Install makepkg.conf
template: src=makepkg.conf.j2 dest=/etc/makepkg.conf owner=root group=root mode=0644
- name: install archbuild sudoers config
- name: Install archbuild sudoers config
copy: src=sudoers dest=/etc/sudoers.d/archbuild owner=root group=root mode=0440
- name: install gitconfig
- name: Install gitconfig
copy: src=gitconfig dest=/etc/gitconfig owner=root group=root mode=0644


@ -1,7 +1,7 @@
- name: install archivetools package
- name: Install archivetools package
pacman: name=archivetools state=present
- name: make archive dir
- name: Make archive dir
file:
path: "{{ archive_dir }}"
state: directory
@ -9,7 +9,7 @@
group: archive
mode: 0755
- name: setup archive configuration
- name: Setup archive configuration
template:
src: archive.conf.j2
dest: /etc/archive.conf
@ -17,34 +17,34 @@
group: root
mode: 0644
- name: setup archive timer
- name: Setup archive timer
systemd: name=archive.timer enabled=yes state=started
- name: setup archive-hardlink timer
- name: Setup archive-hardlink timer
systemd: name=archive-hardlink.timer enabled=yes state=started
- name: install internet archive packages
- name: Install internet archive packages
pacman: name=python-internetarchive,python-xtarfile state=present
- name: create archive user
- name: Create archive user
user: name={{ archive_user_name }} shell=/bin/false home="{{ archive_user_home }}" createhome=yes
- name: configure archive.org client
- name: Configure archive.org client
command: ia configure --username={{ vault_archive_username }} --password={{ vault_archive_password }} creates={{ archive_user_home }}/.config/ia.ini
become: true
become_user: "{{ archive_user_name }}"
- name: clone archive uploader code
- name: Clone archive uploader code
git: repo=https://github.com/archlinux/arch-historical-archive.git dest="{{ archive_repo }}" version="{{ archive_uploader_version }}"
become: true
become_user: "{{ archive_user_name }}"
- name: install system service
- name: Install system service
template: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
loop:
- archive-uploader.service
- archive-uploader.timer
- name: start uploader timer
- name: Start uploader timer
systemd:
name: archive-uploader.timer
enabled: true


@ -1,10 +1,10 @@
- name: create ssl cert
- name: Create ssl cert
include_role:
name: certificate
vars:
domains: ["{{ archive_domain }}"]
- name: set up nginx
- name: Set up nginx
template:
src: nginx.d.conf.j2
dest: /etc/nginx/nginx.d/archive.conf
@ -15,7 +15,7 @@
- reload nginx
tags: ['nginx']
- name: make nginx log dir
- name: Make nginx log dir
file:
path: /var/log/nginx/{{ archive_domain }}
state: directory


@ -1,11 +1,11 @@
- name: create ssl cert
- name: Create ssl cert
include_role:
name: certificate
vars:
domains: ["{{ archmanweb_domain }}"]
when: 'archmanweb_domain is defined'
- name: install required packages
- name: Install required packages
pacman:
state: present
name:
@ -22,24 +22,24 @@
- make
- sassc
- name: make archmanweb user
- name: Make archmanweb user
user: name=archmanweb shell=/bin/false home="{{ archmanweb_dir }}"
- name: fix home permissions
- name: Fix home permissions
file: state=directory owner=archmanweb group=archmanweb mode=0755 path="{{ archmanweb_dir }}"
- name: set archmanweb groups
- name: Set archmanweb groups
user: name=archmanweb groups=uwsgi
- name: set up nginx
- name: Set up nginx
template: src=nginx.d.conf.j2 dest="{{ archmanweb_nginx_conf }}" owner=root group=root mode=644
notify: reload nginx
tags: ['nginx']
- name: make nginx log dir
- name: Make nginx log dir
file: path=/var/log/nginx/{{ archmanweb_domain }} state=directory owner=root group=root mode=0755
- name: clone archmanweb repo
- name: Clone archmanweb repo
git: >
repo={{ archmanweb_repository }}
dest="{{ archmanweb_dir }}/repo"
@ -51,7 +51,7 @@
become_user: archmanweb
register: release
- name: build archlinux-common-style
- name: Build archlinux-common-style
command:
cmd: make SASS=sassc
chdir: "{{ archmanweb_dir }}/repo/archlinux-common-style"
@ -59,27 +59,27 @@
become_user: archmanweb
when: release.changed or archmanweb_forced_deploy
- name: configure archmanweb
- name: Configure archmanweb
template: src=local_settings.py.j2 dest={{ archmanweb_dir }}/repo/local_settings.py owner=archmanweb group=archmanweb mode=0660
register: config
no_log: true
- name: copy robots.txt
- name: Copy robots.txt
copy: src=robots.txt dest="{{ archmanweb_dir }}/repo/robots.txt" owner=root group=root mode=0644
- name: create archmanweb db user
- name: Create archmanweb db user
postgresql_user: name={{ archmanweb_db_user }} password={{ vault_archmanweb_db_password }} login_host="{{ archmanweb_db_host }}" login_password="{{ vault_postgres_users.postgres }}" encrypted=yes
no_log: true
- name: create archmanweb db
- name: Create archmanweb db
postgresql_db: name="{{ archmanweb_db }}" login_host="{{ archmanweb_db_host }}" login_password="{{ vault_postgres_users.postgres }}" owner="{{ archmanweb_db_user }}"
register: db_created
- name: add pg_trgm extension to the archmanweb db
- name: Add pg_trgm extension to the archmanweb db
postgresql_ext: name="pg_trgm" db="{{ archmanweb_db }}" login_host="{{ archmanweb_db_host }}" login_password="{{ vault_postgres_users.postgres }}"
when: db_created.changed or archmanweb_forced_deploy
- name: run Django management tasks
- name: Run Django management tasks
django_manage: app_path="{{ archmanweb_dir }}/repo" command="{{ item }}"
with_items:
- migrate
@ -89,18 +89,18 @@
become_user: archmanweb
when: db_created.changed or release.changed or config.changed or archmanweb_forced_deploy
- name: configure UWSGI for archmanweb
- name: Configure UWSGI for archmanweb
template: src=archmanweb.ini.j2 dest=/etc/uwsgi/vassals/archmanweb.ini owner=archmanweb group=http mode=0640
- name: deploy new release
- name: Deploy new release
file: path=/etc/uwsgi/vassals/archmanweb.ini state=touch owner=archmanweb group=http mode=0640
when: release.changed or config.changed or archmanweb_forced_deploy
- name: install systemd units
- name: Install systemd units
template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
with_items:
- archmanweb_update.service
- archmanweb_update.timer
- name: start and enable archmanweb update timer
- name: Start and enable archmanweb update timer
systemd: name="archmanweb_update.timer" enabled=yes state=started daemon_reload=yes


@ -1,13 +1,13 @@
- name: create Arch Linux-specific groups
- name: Create Arch Linux-specific groups
group: name="{{ item }}" state=present system=no
with_items: "{{ arch_groups }}"
- name: filter arch_users for users with non-matching hosts
- name: Filter arch_users for users with non-matching hosts
set_fact: arch_users_filtered="{{ (arch_users_filtered | default([])) + [ item ] }}"
when: item.value.hosts is not defined or inventory_hostname in item.value.hosts
with_dict: "{{ arch_users }}"
- name: create Arch Linux-specific users
- name: Create Arch Linux-specific users
user:
name: "{{ item.key }}"
group: users
@ -19,25 +19,25 @@
state: present
loop: "{{ arch_users_filtered }}"
- name: create .ssh directory
- name: Create .ssh directory
file: path=/home/{{ item.key }}/.ssh state=directory owner={{ item.key }} group=users mode=0700
loop: "{{ arch_users_filtered }}"
- name: configure ssh keys
- name: Configure ssh keys
template: src=authorized_keys.j2 dest=/home/{{ item.key }}/.ssh/authorized_keys owner={{ item.key }} group=users mode=0600
when: item.value.ssh_key is defined
loop: "{{ arch_users_filtered }}"
- name: remove ssh keys if undefined
- name: Remove ssh keys if undefined
file: path=/home/{{ item.key }}/.ssh/authorized_keys state=absent
when: item.value.ssh_key is not defined
loop: "{{ arch_users_filtered }}"
- name: get list of remote users
- name: Get list of remote users
find: paths="/home" file_type="directory"
register: all_users
- name: disable ssh keys of disabled users
- name: Disable ssh keys of disabled users
file: path="/home/{{ item }}/.ssh/authorized_keys" state=absent
when:
- item not in (arch_users_filtered | map(attribute='key'))


@ -1,6 +1,6 @@
- name: daemon reload
- name: Daemon reload
systemd:
daemon-reload: true
- name: restart archweb memcached
- name: Restart archweb memcached
service: name=archweb-memcached state=restarted


@ -1,4 +1,4 @@
- name: run maintenance mode
- name: Run maintenance mode
include_role:
name: maintenance
vars:
@ -9,41 +9,41 @@
service_nginx_template: "maintenance-nginx.d.conf.j2"
when: maintenance is defined and archweb_site
- name: install required packages
- name: Install required packages
pacman: name=git,python-setuptools,python-psycopg2,llvm-libs,uwsgi-plugin-python state=present
- name: make archweb user
- name: Make archweb user
user: name=archweb shell=/bin/false home="{{ archweb_dir }}" createhome=no
- name: fix home permissions
- name: Fix home permissions
file: state=directory owner=archweb group=archweb mode=0755 path="{{ archweb_dir }}"
- name: set archweb groups
- name: Set archweb groups
user: name=archweb groups=uwsgi
when: archweb_site|bool
- name: create ssl cert
- name: Create ssl cert
include_role:
name: certificate
vars:
domains: "{{ [archweb_domain] + archweb_alternate_domains }}"
when: archweb_site|bool and maintenance is not defined
- name: set up nginx
- name: Set up nginx
template: src=nginx.d.conf.j2 dest="{{ archweb_nginx_conf }}" owner=root group=root mode=644
notify: reload nginx
when: archweb_site|bool and maintenance is not defined
tags: ['nginx']
- name: make nginx log dir
- name: Make nginx log dir
file: path=/var/log/nginx/{{ archweb_domain }} state=directory owner=root group=root mode=0755
when: archweb_site|bool
- name: make rsync iso dir
- name: Make rsync iso dir
file: path={{ archweb_rsync_iso_dir }} state=directory owner=archweb group=archweb mode=0755
when: archweb_site|bool
- name: clone archweb repo
- name: Clone archweb repo
git: >
repo={{ archweb_repository }}
dest="{{ archweb_dir }}"
@ -54,36 +54,36 @@
become_user: archweb
register: release
- name: make virtualenv
- name: Make virtualenv
command: python -m venv --system-site-packages "{{ archweb_dir }}"/env creates="{{ archweb_dir }}/env/bin/python"
become: true
become_user: archweb
- name: install stuff into virtualenv
- name: Install stuff into virtualenv
pip: requirements="{{ archweb_dir }}/requirements_prod.txt" virtualenv="{{ archweb_dir }}/env"
become: true
become_user: archweb
register: virtualenv
- name: create media dir
- name: Create media dir
file: state=directory owner=archweb group=archweb mode=0755 path="{{ archweb_dir }}/media"
when: archweb_site|bool
- name: fix home permissions
- name: Fix home permissions
file: state=directory owner=archweb group=archweb mode=0755 path="{{ archweb_dir }}"
- name: make archlinux.org dir
- name: Make archlinux.org dir
file: path="{{ archweb_dir }}/archlinux.org" state=directory owner=archweb group=archweb mode=0755
- name: configure robots.txt
- name: Configure robots.txt
copy: src=robots.txt dest="{{ archweb_dir }}/archlinux.org/robots.txt" owner=root group=root mode=0644
- name: configure archweb
- name: Configure archweb
template: src=local_settings.py.j2 dest={{ archweb_dir }}/local_settings.py owner=archweb group=archweb mode=0660
register: config
no_log: true
- name: create archweb db users
- name: Create archweb db users
postgresql_user: name={{ item.user }} password={{ item.password }} login_host="{{ archweb_db_host }}" login_password="{{ vault_postgres_users.postgres }}" encrypted=yes
no_log: true
when: archweb_site or archweb_services
@ -93,18 +93,18 @@
- { user: "{{ archweb_db_dbscripts_user }}", password: "{{ vault_archweb_db_dbscripts_password }}" }
- { user: "{{ archweb_db_backup_user }}", password: "{{ vault_archweb_db_backup_password }}" }
- name: create archweb db
- name: Create archweb db
postgresql_db: name="{{ archweb_db }}" login_host="{{ archweb_db_host }}" login_password="{{ vault_postgres_users.postgres }}" owner="{{ archweb_db_site_user }}"
when: archweb_site or archweb_services
register: db_created
- name: django migrate
- name: Django migrate
django_manage: app_path="{{ archweb_dir }}" command=migrate virtualenv="{{ archweb_dir }}/env"
become: true
become_user: archweb
when: archweb_site and (db_created.changed or release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)
- name: db privileges for archweb users
- name: DB privileges for archweb users
postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" password="{{ vault_archweb_db_site_password }}"
privs=CONNECT roles="{{ item }}" type=database
when: archweb_site or archweb_services
@ -113,7 +113,7 @@
- "{{ archweb_db_dbscripts_user }}"
- "{{ archweb_db_backup_user }}"
- name: table privileges for archweb users
- name: Table privileges for archweb users
postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" password="{{ vault_archweb_db_site_password }}"
privs=SELECT roles="{{ item.user }}" type=table objs="{{ item.objs }}"
when: archweb_site or archweb_services
@ -122,7 +122,7 @@
- { user: "{{ archweb_db_dbscripts_user }}", objs: "{{ archweb_db_dbscripts_table_objs }}" }
- { user: "{{ archweb_db_backup_user }}", objs: "{{ archweb_db_backup_table_objs }}" }
- name: sequence privileges for archweb users
- name: Sequence privileges for archweb users
postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" password="{{ vault_archweb_db_site_password }}"
privs=SELECT roles="{{ item.user }}" type=sequence objs="{{ item.objs }}"
when: archweb_site or archweb_services
@ -130,25 +130,25 @@
- { user: "{{ archweb_db_services_user }}", objs: "{{ archweb_db_services_sequence_objs }}" }
- { user: "{{ archweb_db_backup_user }}", objs: "{{ archweb_db_backup_sequence_objs }}" }
- name: django collectstatic
- name: Django collectstatic
django_manage: app_path="{{ archweb_dir }}" command=collectstatic virtualenv="{{ archweb_dir }}/env"
become: true
become_user: archweb
when: archweb_site and (db_created.changed or release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)
- name: install reporead service
- name: Install reporead service
template: src="archweb-reporead.service.j2" dest="/etc/systemd/system/archweb-reporead.service" owner=root group=root mode=0644
notify:
- daemon reload
when: archweb_services or archweb_reporead
- name: install readlinks service
- name: Install readlinks service
template: src="archweb-readlinks.service.j2" dest="/etc/systemd/system/archweb-readlinks.service" owner=root group=root mode=0644
notify:
- daemon reload
when: archweb_services or archweb_reporead
- name: install mirrorcheck service and timer
- name: Install mirrorcheck service and timer
template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
with_items:
- archweb-mirrorcheck.service
@ -157,7 +157,7 @@
- daemon reload
when: archweb_services or archweb_mirrorcheck
- name: install mirrorresolv service and timer
- name: Install mirrorresolv service and timer
template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
with_items:
- archweb-mirrorresolv.service
@ -166,7 +166,7 @@
- daemon reload
when: archweb_services or archweb_mirrorresolv
- name: install populate_signoffs service and timer
- name: Install populate_signoffs service and timer
template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
with_items:
- archweb-populate_signoffs.service
@ -175,7 +175,7 @@
- daemon reload
when: archweb_services or archweb_populate_signoffs
- name: install planet service and timer
- name: Install planet service and timer
template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
with_items:
- archweb-planet.service
@ -184,7 +184,7 @@
- daemon reload
when: archweb_planet
- name: install rebuilderd status service and timer
- name: Install rebuilderd status service and timer
template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
with_items:
- archweb-rebuilderd.service
@ -193,27 +193,27 @@
- daemon reload
when: archweb_site
- name: install pgp_import service
- name: Install pgp_import service
template: src="archweb-pgp_import.service.j2" dest="/etc/systemd/system/archweb-pgp_import.service" owner=root group=root mode=0644
notify:
- daemon reload
when: archweb_services or archweb_pgp_import
- name: create pacman.d hooks dir
- name: Create pacman.d hooks dir
file: state=directory owner=root group=root mode=0750 path="/etc/pacman.d/hooks"
when: archweb_services or archweb_pgp_import
- name: install pgp_import hook
- name: Install pgp_import hook
template: src="archweb-pgp_import-pacman-hook.j2" dest="/etc/pacman.d/hooks/archweb-pgp_import.hook" owner=root group=root mode=0644
when: archweb_services or archweb_pgp_import
- name: install archweb memcached service
- name: Install archweb memcached service
template: src="archweb-memcached.service.j2" dest="/etc/systemd/system/archweb-memcached.service" owner=root group=root mode=0644
notify:
- daemon reload
when: archweb_site|bool
- name: install archweb rsync iso service and timer
- name: Install archweb rsync iso service and timer
template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
with_items:
- archweb-rsync_iso.service
@ -222,16 +222,16 @@
- daemon reload
when: archweb_site|bool
- name: deploy archweb
- name: Deploy archweb
template: src=archweb.ini.j2 dest=/etc/uwsgi/vassals/archweb.ini owner=archweb group=http mode=0640
when: archweb_site|bool
- name: deploy new release
- name: Deploy new release
file: path=/etc/uwsgi/vassals/archweb.ini state=touch owner=archweb group=http mode=0640
when: archweb_site and (release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)
notify: restart archweb memcached
- name: start and enable archweb memcached service and archweb-rsync_iso timer
- name: Start and enable archweb memcached service and archweb-rsync_iso timer
systemd:
name: "{{ item }}"
enabled: true
@ -242,55 +242,55 @@
- archweb-rsync_iso.timer
when: archweb_site|bool
- name: start and enable archweb reporead service
- name: Start and enable archweb reporead service
service: name="archweb-reporead.service" enabled=yes state=started
when: archweb_services or archweb_reporead
- name: restart archweb reporead service
- name: Restart archweb reporead service
service: name="archweb-reporead.service" state=restarted
when: archweb_services or archweb_reporead and (release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)
- name: start and enable archweb readlinks service
- name: Start and enable archweb readlinks service
service: name="archweb-readlinks.service" enabled=yes state=started
when: archweb_services or archweb_reporead
- name: restart archweb readlinks service
- name: Restart archweb readlinks service
service: name="archweb-readlinks.service" state=restarted
when: archweb_services or archweb_reporead and (release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)
- name: start and enable archweb mirrorcheck timer
- name: Start and enable archweb mirrorcheck timer
service: name="archweb-mirrorcheck.timer" enabled=yes state=started
when: archweb_services or archweb_mirrorcheck
- name: start and enable archweb mirrorresolv timer
- name: Start and enable archweb mirrorresolv timer
service: name="archweb-mirrorresolv.timer" enabled=yes state=started
when: archweb_services or archweb_mirrorresolv
- name: start and enable archweb populate_signoffs timer
- name: Start and enable archweb populate_signoffs timer
service: name="archweb-populate_signoffs.timer" enabled=yes state=started
when: archweb_services or archweb_populate_signoffs
- name: start and enable archweb planet timer
- name: Start and enable archweb planet timer
service: name="archweb-planet.timer" enabled=yes state=started
when: archweb_planet
- name: start and enable archweb rebulderd update timer
- name: Start and enable archweb rebulderd update timer
service: name="archweb-rebuilderd.timer" enabled=yes state=started
when: archweb_site
- name: install donation import wrapper script
- name: Install donation import wrapper script
template: src=donor_import_wrapper.sh.j2 dest=/usr/local/bin/donor_import_wrapper.sh owner=root group=root mode=0755
when: archweb_site
- name: install sudoer rights for fetchmail to call archweb django scripts
- name: Install sudoer rights for fetchmail to call archweb django scripts
template: src=sudoers-fetchmail-archweb.j2 dest=/etc/sudoers.d/fetchmail-archweb owner=root group=root mode=0440
when: archweb_site
- name: create retro dir
- name: Create retro dir
file: state=directory owner=archweb group=archweb mode=0755 path="{{ archweb_retro_dir }}"
when: archweb_site|bool
- name: clone archweb-retro repo
- name: Clone archweb-retro repo
git:
repo: "{{ archweb_retro_repository }}"
dest: "{{ archweb_retro_dir }}"


@ -1,7 +1,7 @@
- name: restart php-fpm@archwiki
- name: Restart php-fpm@archwiki
service: name=php-fpm@{{ archwiki_user }} state=restarted
- name: run wiki updatescript
- name: Run wiki updatescript
command: php {{ archwiki_dir }}/public/maintenance/update.php --quick
become: true
become_user: "{{ archwiki_user }}"
@ -11,7 +11,7 @@
# otherwise nginx will spit errors into the log until it is restarted (even
# reload is not enough).
# reference: https://stackoverflow.com/a/6896903
- name: purge nginx cache
- name: Purge nginx cache
command: find /var/lib/nginx/cache -type f -delete
# The MediaWiki file cache can be invalidated by deleting the files in the
@ -20,5 +20,5 @@
# being set to true). References:
# - https://www.mediawiki.org/wiki/Manual:File_cache
# - https://www.mediawiki.org/wiki/Manual:$wgInvalidateCacheOnLocalSettingsChange
- name: invalidate MediaWiki file cache
- name: Invalidate MediaWiki file cache
file: path="{{ archwiki_dir }}/public/LocalSettings.php" state=touch owner=archwiki group=archwiki mode=0640
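Review bot: The renamed handlers in this file (`Restart php-fpm@archwiki`, `Run wiki updatescript`, `Purge nginx cache`, `Invalidate MediaWiki file cache`) will no longer be found by their notifiers, because Ansible resolves `notify` against handler names by exact, case-sensitive string comparison and the `notify:` entries elsewhere in this commit are unchanged context lines — `- purge nginx cache` and `- invalidate MediaWiki file cache` in the archwiki tasks, and `- restart sshd` in the aurweb tasks against the `Restart sshd` handler in the aurweb handlers file. The same applies to `Daemon reload` and `Restart php-fpm@{{ aurweb_user }}` in the aurweb handlers and to the common handlers (`Restart journald`, `Systemd daemon-reload`, `Restart systemd-zram-setup@zram0`), whose notifiers are outside this view, unless those handlers also carry a `listen:` topic that is not shown. The first notifying task that reports changed should abort the play with Ansible's handler-not-found error, so this is a hard break rather than a cosmetic one. Either update every `notify:` entry to the new casing in the same commit, or add `listen:` topics (for example `listen: purge nginx cache`) so handler display names can change without touching callers.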


@ -1,4 +1,4 @@
- name: run maintenance mode
- name: Run maintenance mode
include_role:
name: maintenance
vars:
@ -8,49 +8,49 @@
service_nginx_conf: "{{ archwiki_nginx_conf }}"
when: maintenance is defined
- name: create ssl cert
- name: Create ssl cert
include_role:
name: certificate
vars:
domains: ["{{ archwiki_domain }}"]
when: 'archwiki_domain is defined'
- name: install packages
- name: Install packages
pacman: name=git,php-intl state=present
- name: make archwiki user
- name: Make archwiki user
user: name="{{ archwiki_user }}" shell=/bin/false home="{{ archwiki_dir }}" createhome=no
register: user_created
- name: fix home permissions
- name: Fix home permissions
file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0751 path="{{ archwiki_dir }}"
- name: fix cache permissions
- name: Fix cache permissions
file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0750 path="{{ archwiki_dir }}/cache"
- name: fix sessions permissions
- name: Fix sessions permissions
file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0750 path="{{ archwiki_dir }}/sessions"
- name: fix uploads permissions
- name: Fix uploads permissions
file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0755 path="{{ archwiki_dir }}/uploads"
- name: set up nginx
- name: Set up nginx
template: src=nginx.d.conf.j2 dest="{{ archwiki_nginx_conf }}" owner=root group=root mode=644
notify:
- reload nginx
when: maintenance is not defined
tags: ['nginx']
- name: configure robots.txt
- name: Configure robots.txt
copy: src=robots.txt dest="{{ archwiki_dir }}/robots.txt" owner=root group=root mode=0644
- name: make nginx log dir
- name: Make nginx log dir
file: path=/var/log/nginx/{{ archwiki_domain }} state=directory owner=root group=root mode=0755
- name: make debug log dir
- name: Make debug log dir
file: path=/var/log/archwiki state=directory owner={{ archwiki_user }} group=root mode=0700
- name: clone archwiki repo
- name: Clone archwiki repo
git: repo={{ archwiki_repository }} dest="{{ archwiki_dir }}/public" version={{ archwiki_version }}
become: true
become_user: "{{ archwiki_user }}"
@ -61,41 +61,41 @@
- purge nginx cache
- invalidate MediaWiki file cache
- name: configure archwiki
- name: Configure archwiki
template: src=LocalSettings.php.j2 dest="{{ archwiki_dir }}/public/LocalSettings.php" owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0640
register: config
no_log: true
- name: create archwiki db
- name: Create archwiki db
mysql_db: name="{{ archwiki_db }}" login_host="{{ archwiki_db_host }}" login_password="{{ vault_mariadb_users.root }}"
register: db_created
- name: create archwiki db user
- name: Create archwiki db user
mysql_user: name={{ archwiki_db_user }} password={{ vault_archwiki_db_password }}
login_host="{{ archwiki_db_host }}" login_password="{{ vault_mariadb_users.root }}"
priv="{{ archwiki_db }}.*:ALL"
no_log: true
- name: configure php-fpm
- name: Configure php-fpm
template:
src=php-fpm.conf.j2 dest="/etc/php/php-fpm.d/{{ archwiki_user }}.conf"
owner=root group=root mode=0644
notify:
- restart php-fpm@{{ archwiki_user }}
- name: start and enable systemd socket
- name: Start and enable systemd socket
service: name=php-fpm@{{ archwiki_user }}.socket state=started enabled=true
- name: create memcached.service.d drop-in directory
- name: Create memcached.service.d drop-in directory
file: path=/etc/systemd/system/memcached@archwiki.service.d state=directory owner=root group=root mode=0755
- name: install memcached.service drop-in
- name: Install memcached.service drop-in
template: src="memcached.service.d-archwiki.conf.j2" dest="/etc/systemd/system/memcached@archwiki.service.d/archwiki.conf" owner=root group=root mode=0644
- name: start and enable memcached service
- name: Start and enable memcached service
service: name=memcached@archwiki.service state=started enabled=true daemon_reload=true
- name: install systemd services/timers
- name: Install systemd services/timers
template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
loop:
- archwiki-runjobs.service
@ -105,7 +105,7 @@
- archwiki-prune-cache.timer
- archwiki-question-updater.service
- name: start and enable archwiki timers and services
- name: Start and enable archwiki timers and services
systemd:
name: "{{ item }}"
enabled: true
@ -116,17 +116,17 @@
- archwiki-prune-cache.timer
- archwiki-runjobs-wait.service
- name: create question answer file
- name: Create question answer file
systemd:
name: archwiki-question-updater.service
state: started
daemon_reload: true
- name: ensure question answer file exists and set permissions
- name: Ensure question answer file exists and set permissions
file: state=file path="{{ archwiki_question_answer_file }}" owner=root group=root mode=0644
- name: create pacman.d hooks dir
- name: Create pacman.d hooks dir
file: state=directory owner=root group=root mode=0755 path=/etc/pacman.d/hooks
- name: install archwiki question updater hook
- name: Install archwiki question updater hook
template: src=archwiki-question-updater.hook.j2 dest=/etc/pacman.d/hooks/archwiki-question-updater.hook owner=root group=root mode=0644


@ -1,9 +1,9 @@
- name: daemon reload
- name: Daemon reload
systemd:
daemon-reload: true
- name: restart php-fpm@{{ aurweb_user }}
- name: Restart php-fpm@{{ aurweb_user }}
service: name=php-fpm@{{ aurweb_user }} state=restarted
- name: restart sshd
- name: Restart sshd
service: name=sshd state=restarted


@ -1,4 +1,4 @@
- name: install required packages
- name: Install required packages
pacman:
state: present
name:
@ -11,37 +11,37 @@
- gcc
- pkg-config
- name: install the cgit package
- name: Install the cgit package
pacman:
state: present
name:
- cgit-aurweb
register: cgit
- name: install the git package
- name: Install the git package
pacman:
state: present
name:
- git
register: git
- name: make aur user
- name: Make aur user
user: name="{{ aurweb_user }}" shell=/bin/bash createhome=yes
register: aur_user
- name: create .ssh for the aur user
- name: Create .ssh for the aur user
file: path={{ aur_user.home }}/.ssh state=directory owner={{ aur_user.name }} group={{ aur_user.name }} mode=0700
- name: install SSH key for mirroring to GitHub
- name: Install SSH key for mirroring to GitHub
copy: src=id_ed25519 dest={{ aur_user.home }}/.ssh/ owner={{ aur_user.name }} group={{ aur_user.name }} mode=0600
- name: fetch host keys for github.com
- name: Fetch host keys for github.com
command: ssh-keyscan github.com
args:
creates: "{{ aur_user.home }}/.ssh/known_hosts"
register: github_host_keys
- name: write github.com host keys to the aur user's known_hosts
- name: Write github.com host keys to the aur user's known_hosts
lineinfile: name={{ aur_user.home }}/.ssh/known_hosts create=yes line={{ item }} owner={{ aur_user.name }} group={{ aur_user.name }} mode=0644
loop: "{{ github_host_keys.stdout_lines }}"
when: github_host_keys.changed
@ -49,7 +49,7 @@
- name: Create directory
file: path={{ aurweb_dir }} state=directory owner={{ aurweb_user }} group=http mode=0775
- name: receive valid signing keys
- name: Receive valid signing keys
command: /usr/bin/gpg --keyserver keys.openpgp.org --recv {{ item }}
loop: '{{ aurweb_pgp_keys }}'
become: true
@ -57,7 +57,7 @@
register: gpg
changed_when: "gpg.rc == 0"
- name: aurweb git repo check
- name: Aurweb git repo check
git: >
repo={{ aurweb_repository }}
dest="{{ aurweb_dir }}"
@ -69,7 +69,7 @@
register: release
check_mode: true
- name: install AUR systemd service and timers
- name: Install AUR systemd service and timers
template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items:
- aurweb-git.service
@ -91,7 +91,7 @@
- aurweb-github-mirror.timer
when: release.changed
- name: stop AUR systemd services and timers
- name: Stop AUR systemd services and timers
service: name={{ item }} enabled=yes state=stopped
with_items:
- aurweb-git.timer
@ -105,7 +105,7 @@
- aurweb-github-mirror.timer
when: release.changed
- name: clone aurweb repo
- name: Clone aurweb repo
git: >
repo={{ aurweb_repository }}
dest="{{ aurweb_dir }}"
@ -116,35 +116,35 @@
become_user: "{{ aurweb_user }}"
when: release.changed
- name: create necessary directories
- name: Create necessary directories
file: path={{ aurweb_dir }}/{{ item }} state=directory owner={{ aurweb_user }} group={{ aurweb_user }} mode=0755
with_items:
- 'aurblup'
- 'sessions'
- 'uploads'
- name: create aurweb conf dir
- name: Create aurweb conf dir
file: path={{ aurweb_conf_dir }} state=directory owner=root group=root mode=0755
- name: copy aurweb configuration file
- name: Copy aurweb configuration file
copy: src={{ aurweb_dir }}/conf/config.defaults dest={{ aurweb_conf_dir }}/config.defaults remote_src=yes owner=root group=root mode=0644
# Note: initdb needs the config
- name: install custom aurweb configuration
- name: Install custom aurweb configuration
template: src=config.j2 dest={{ aurweb_conf_dir }}/config owner=root group=root mode=0644
- name: create aur db
- name: Create aur db
mysql_db: name="{{ aurweb_db }}" login_host="{{ aurweb_db_host }}" login_password="{{ vault_mariadb_users.root }}" encoding=utf8
register: db_created
no_log: true
- name: create aur db user
- name: Create aur db user
mysql_user: name={{ aurweb_db_user }} password={{ vault_aurweb_db_password }}
login_host="{{ aurweb_db_host }}" login_password="{{ vault_mariadb_users.root }}"
priv="{{ aurweb_db }}.*:ALL"
no_log: true
- name: initialize the database
- name: Initialize the database
command: poetry run python -m aurweb.initdb
args:
chdir: "{{ aurweb_dir }}"
@ -152,7 +152,7 @@
become_user: "{{ aurweb_user }}"
when: db_created.changed
- name: run migrations
- name: Run migrations
command: poetry run alembic upgrade head
args:
chdir: "{{ aurweb_dir }}"
@ -183,19 +183,19 @@
become_user: "{{ aurweb_user }}"
when: release.changed or aurweb_installed.rc != 0
- name: install custom aurweb-git-auth wrapper script
- name: Install custom aurweb-git-auth wrapper script
template: src=aurweb-git-auth.sh.j2 dest=/usr/local/bin/aurweb-git-auth.sh owner=root group=root mode=0755
when: release.changed
- name: install custom aurweb-git-serve wrapper script
- name: Install custom aurweb-git-serve wrapper script
template: src=aurweb-git-serve.sh.j2 dest=/usr/local/bin/aurweb-git-serve.sh owner=root group=root mode=0755
when: release.changed
- name: install custom aurweb-git-update wrapper script
- name: Install custom aurweb-git-update wrapper script
template: src=aurweb-git-update.sh.j2 dest=/usr/local/bin/aurweb-git-update.sh owner=root group=root mode=0755
when: release.changed
- name: link custom aurweb-git-update wrapper to hooks/update
- name: Link custom aurweb-git-update wrapper to hooks/update
file:
src: /usr/local/bin/aurweb-git-update.sh
dest: "{{ aurweb_dir }}/aur.git/hooks/update"
@ -215,36 +215,36 @@
become: true
become_user: "{{ aurweb_user }}"
- name: create ssl cert
- name: Create ssl cert
include_role:
name: certificate
vars:
domains: ["{{ aurweb_domain }}"]
- name: set up nginx
- name: Set up nginx
template: src=nginx.d.conf.j2 dest={{ aurweb_nginx_conf }} owner=root group=root mode=644
notify: reload nginx
tags: ['nginx']
- name: make nginx log dir
- name: Make nginx log dir
file: path=/var/log/nginx/{{ aurweb_domain }} state=directory owner=root group=root mode=0755
- name: install cgit configuration
- name: Install cgit configuration
template: src=cgitrc.j2 dest="{{ aurweb_conf_dir }}/cgitrc" owner=root group=root mode=0644
- name: configure cgit uwsgi service
- name: Configure cgit uwsgi service
template: src=cgit.ini.j2 dest=/etc/uwsgi/vassals/cgit.ini owner={{ aurweb_user }} group=http mode=0644
- name: deploy new cgit release
- name: Deploy new cgit release
become: true
become_user: "{{ aurweb_user }}"
file: path=/etc/uwsgi/vassals/cgit.ini state=touch owner=root group=root mode=0644
when: cgit.changed
- name: configure smartgit uwsgi service
- name: Configure smartgit uwsgi service
template: src=smartgit.ini.j2 dest=/etc/uwsgi/vassals/smartgit.ini owner={{ aurweb_user }} group=http mode=0644
- name: deploy new smartgit release
- name: Deploy new smartgit release
become: true
become_user: "{{ aurweb_user }}"
file:
@ -255,10 +255,10 @@
mode: 0644
when: git.changed
- name: create git repo dir
- name: Create git repo dir
file: path={{ aurweb_git_dir }} state=directory owner={{ aurweb_user }} group=http mode=0775
- name: init git directory
- name: Init git directory
command: git init --bare {{ aurweb_git_dir }}
args:
creates: "{{ aurweb_git_dir }}/HEAD"
@ -267,7 +267,7 @@
tags:
- skip_ansible_lint
- name: save hideRefs setting on var
- name: Save hideRefs setting on var
command: git config --local --get-all transfer.hideRefs
register: git_config
args:
@ -276,7 +276,7 @@
tags:
- skip_ansible_lint
- name: configure git tranfser.hideRefs
- name: Configure git tranfser.hideRefs
command: git config --local transfer.hideRefs '^refs/'
args:
chdir: "{{ aurweb_git_dir }}"
@ -286,7 +286,7 @@
tags:
- skip_ansible_lint
- name: configure git transfer.hideRefs second
- name: Configure git transfer.hideRefs second
command: git config --local --add transfer.hideRefs '!refs/'
args:
chdir: "{{ aurweb_git_dir }}"
@ -296,7 +296,7 @@
tags:
- skip_ansible_lint
- name: configure git transfer.hideRefs third
- name: Configure git transfer.hideRefs third
command: git config --local --add transfer.hideRefs '!HEAD'
args:
chdir: "{{ aurweb_git_dir }}"
@ -306,12 +306,12 @@
tags:
- skip_ansible_lint
- name: configure sshd
- name: Configure sshd
template: src=aurweb_config.j2 dest={{ sshd_includes_dir }}/aurweb_config owner=root group=root mode=0600 validate='/usr/sbin/sshd -t -f %s'
notify:
- restart sshd
- name: start and enable AUR systemd services and timers
- name: Start and enable AUR systemd services and timers
service: name={{ item }} enabled=yes state=started daemon_reload=yes
with_items:
- aurweb-git.timer
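Review bot: The new line `- name: Configure git tranfser.hideRefs` carries over the pre-existing typo; since this commit rewrites every name line anyway, it should read `- name: Configure git transfer.hideRefs`, matching the two tasks that follow it (`… transfer.hideRefs second`, `… transfer.hideRefs third`) and the `transfer.hideRefs` key the command actually sets. As a point of style, `- name: Aurweb git repo check` capitalizes a project name that is written lowercase everywhere else in this role (`Clone aurweb repo`, `aurweb_dir`); rewording to `- name: Check aurweb git repo` satisfies name[casing] without changing the project's spelling, and reads as an action like the surrounding names.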


@ -1,7 +1,7 @@
- name: install borg and tools
- name: Install borg and tools
pacman: name=borg state=present
- name: check if borg repository already exists
- name: Check if borg repository already exists
command: "{{ item['borg_cmd'] }} list {{ item['host'] }}/{{ item['dir'] }}"
environment:
BORG_RELOCATED_REPO_ACCESS_IS_OK: "yes"
@ -10,7 +10,7 @@
loop: "{{ backup_hosts }}"
changed_when: borg_list.stdout | length > 0
- name: init borg repository
- name: Init borg repository
command: "{{ item['borg_cmd'] }} init -e keyfile {{ item['host'] }}/{{ item['dir'] }}"
when: borg_list is failed
environment:
@ -21,48 +21,48 @@
- skip_ansible_lint
- name: install convenience scripts
- name: Install convenience scripts
template: src=borg.j2 dest=/usr/local/bin/borg{{ item['suffix'] }} owner=root group=root mode=0755
loop: "{{ backup_hosts }}"
- name: install borg backup scripts
- name: Install borg backup scripts
template: src=borg-backup.sh.j2 dest=/usr/local/bin/borg-backup{{ item['suffix'] }}.sh owner=root group=root mode=0755
loop: "{{ backup_hosts }}"
- name: install postgres backup script
- name: Install postgres backup script
template: src=backup-postgres.sh.j2 dest=/usr/local/bin/backup-postgres.sh owner=root group=root mode=0755
when: postgres_backup_dir is defined
- name: check whether postgres user exists
- name: Check whether postgres user exists
command: getent passwd postgres
register: check_postgres_user
ignore_errors: true
changed_when: check_postgres_user.stdout | length > 0
- name: make postgres backup directory
- name: Make postgres backup directory
file: path={{ postgres_backup_dir }} owner=root group=root mode=0755 state=directory
when: check_postgres_user is succeeded and postgres_backup_dir is defined
- name: install mysql backup script
- name: Install mysql backup script
template: src=backup-mysql.sh.j2 dest=/usr/local/bin/backup-mysql.sh owner=root group=root mode=0755
when: mysql_backup_dir is defined
- name: install mysql backup config
- name: Install mysql backup config
template: src=backup-my.cnf.j2 dest={{ mysql_backup_defaults }} owner=root group=root mode=0644
when: mysql_backup_defaults is defined
- name: create mysql backup directory
- name: Create mysql backup directory
file: path={{ mysql_backup_dir }} state=directory owner=root group=root mode=0755
when: mysql_backup_dir is defined
- name: install systemd services for backup
- name: Install systemd services for backup
template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items:
- borg-backup.service
- borg-backup-offsite.service
- name: install systemd timer for backup
- name: Install systemd timer for backup
copy: src=borg-backup.timer dest=/etc/systemd/system/borg-backup.timer owner=root group=root mode=0644
- name: activate systemd timer for backup
- name: Activate systemd timer for backup
systemd: name=borg-backup.timer enabled=yes state=started daemon-reload=yes


@ -1,12 +1,12 @@
- name: install borg
- name: Install borg
pacman: name=borg state=present
- name: create borg user
- name: Create borg user
user:
name: borg
home: "{{ backup_dir }}"
- name: create borg user home
- name: Create borg user home
file:
path: "{{ backup_dir }}"
state: directory
@ -14,7 +14,7 @@
group: borg
mode: 0700
- name: create the root backup directory at {{ backup_dir }}
- name: Create the root backup directory at {{ backup_dir }}
file:
path: "{{ backup_dir }}/{{ item }}"
state: directory
@ -23,14 +23,14 @@
mode: 0700
with_items: "{{ backup_clients }}"
- name: fetch ssh keys from each borg client machine
- name: Fetch ssh keys from each borg client machine
command: cat /root/.ssh/id_rsa.pub
register: ssh_keys
delegate_to: "{{ item }}"
with_items: "{{ backup_clients }}"
changed_when: ssh_keys.stdout | length > 0
- name: allow certain clients to connect
- name: Allow certain clients to connect
authorized_key:
user: borg
key: "{{ item.stdout }}"


@ -1,13 +1,13 @@
- name: install bugbot utilities
- name: Install bugbot utilities
pacman: name=python-irc,python-beautifulsoup4,python-lxml state=present
- name: receive valid signing keys
- name: Receive valid signing keys
command: /usr/bin/gpg --keyserver keys.openpgp.org --auto-key-locate wkd,keyserver --locate-keys {{ item }}
with_items: '{{ bugbot_pgp_emails }}'
register: gpg
changed_when: "gpg.rc == 0"
- name: clone bugbot source
- name: Clone bugbot source
git:
repo: https://gitlab.archlinux.org/archlinux/bugbot.git
dest: /srv/bugbot
@ -16,11 +16,11 @@
gpg_whitelist: '{{ bugbot_pgp_keys }}'
version: '{{ bugbot_version }}'
- name: install env file
- name: Install env file
template: src=bugbot.j2 dest=/srv/bugbot/env owner=root group=root mode=0600
- name: install bugbot systemd service
- name: Install bugbot systemd service
copy: src=bugbot.service dest=/etc/systemd/system/bugbot.service owner=root group=root mode=0644
- name: start and enable bugbot service
- name: Start and enable bugbot service
systemd: name=bugbot.service enabled=yes state=started daemon_reload=yes


@ -1,30 +1,30 @@
- name: install certbot
- name: Install certbot
pacman: name=certbot{{ ",certbot-dns-rfc2136" if certbot_dns_support }} state=present
- name: install rfc2136.ini
- name: Install rfc2136.ini
template: src=rfc2136.ini.j2 dest=/etc/letsencrypt/rfc2136.ini owner=root group=root mode=0600
when: certbot_dns_support
- name: install letsencrypt hook
- name: Install letsencrypt hook
copy: src=hook.sh dest=/etc/letsencrypt/hook.sh owner=root group=root mode=0755
- name: create letsencrypt hook dir
- name: Create letsencrypt hook dir
file: state=directory path=/etc/letsencrypt/hook.d owner=root group=root mode=0755
- name: install letsencrypt renewal service
- name: Install letsencrypt renewal service
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items:
- certbot-renewal.service
- certbot-renewal.timer
- name: activate letsencrypt renewal service
- name: Activate letsencrypt renewal service
systemd:
name: certbot-renewal.timer
enabled: true
state: started
daemon_reload: true
- name: open firewall holes for certbot standalone authenticator
- name: Open firewall holes for certbot standalone authenticator
ansible.posix.firewalld: service={{ item }} permanent=true state=enabled immediate=yes
with_items:
- http


@ -1,4 +1,4 @@
- name: create ssl cert (HTTP-01)
- name: Create ssl cert (HTTP-01)
shell: |
set -o pipefail
# We can't start nginx without the certificate and we can't issue a certificate without nginx running.
@ -10,7 +10,7 @@
creates: '/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem'
when: challenge | default(certificate_challenge) == "HTTP-01"
- name: create ssl cert (DNS-01)
- name: Create ssl cert (DNS-01)
command: certbot certonly --email {{ certificate_contact_email }} --agree-tos --rsa-key-size {{ certificate_rsa_key_size }} --renew-by-default --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d {{ domains | join(' -d ') }}
args:
creates: '/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem'


@ -1,12 +1,12 @@
- name: restart journald
- name: Restart journald
systemd:
name: systemd-journald
state: restarted
daemon_reload: true
- name: systemd daemon-reload
- name: Systemd daemon-reload
systemd:
daemon_reload: true
- name: restart systemd-zram-setup@zram0
- name: Restart systemd-zram-setup@zram0
service: name=systemd-zram-setup@zram0 state=restarted daemon_reload=yes


@ -1,66 +1,66 @@
- name: install essential tools
- name: Install essential tools
pacman: name=vim,nano,tmux,htop,ncdu,bash-completion,rsync,vnstat state=present
- name: start and enable vnstatd
- name: Start and enable vnstatd
service: name=vnstat enabled=yes state=started
- name: install inetutils for hostname
- name: Install inetutils for hostname
pacman: name=inetutils state=present
- name: set hostname
- name: Set hostname
hostname: name="{{ inventory_hostname }}"
- name: install pacman config
- name: Install pacman config
template: src=pacman.conf.j2 dest=/etc/pacman.conf mode=0644 owner=root group=root
- name: configure pacman mirror
- name: Configure pacman mirror
template: src=mirrorlist.j2 dest=/etc/pacman.d/mirrorlist owner=root group=root mode=0644
- name: update package cache
- name: Update package cache
pacman: update_cache=yes
- name: start and enable auditd
- name: Start and enable auditd
service: name=auditd enabled=yes state=started
- name: start and enable systemd-timesyncd
- name: Start and enable systemd-timesyncd
service: name=systemd-timesyncd enabled=yes state=started
- name: install smart
- name: Install smart
pacman: name=smartmontools state=present
when: "'hcloud' not in group_names"
- name: configure smartd to do periodic health checks
- name: Configure smartd to do periodic health checks
copy: src=smartd.conf dest=/etc/smartd.conf owner=root group=root mode=0644
when: "'hcloud' not in group_names"
- name: start and enable smart
- name: Start and enable smart
service: name=smartd enabled=yes state=started
when: "'hcloud' not in group_names"
- name: start and enable btrfs scrub timer
- name: Start and enable btrfs scrub timer
service: name=btrfs-scrub@{{ '-' if (item.mount | length == 1) else (item.mount.split("/", 1)[1] | replace("/", "-")) }}.timer enabled=yes state=started
loop: "{{ ansible_mounts | sort(attribute='mount') | groupby('uuid') | map(attribute=1) | map('first') }}"
when:
- item.fstype == 'btrfs'
- not 'backup' in item.mount
- name: generate locales
- name: Generate locales
locale_gen: name={{ item }} state=present
with_items:
- en_US.UTF-8
- name: configure locales
- name: Configure locales
template: src=locale.conf.j2 dest=/etc/locale.conf owner=root group=root mode=0644
- name: generate ssh key for root
- name: Generate ssh key for root
command: ssh-keygen -b 4096 -N "" -f /root/.ssh/id_rsa creates="/root/.ssh/id_rsa"
- name: configure networking
- name: Configure networking
include_role:
name: networking
when: configure_network
- name: configure tcp receive window limits
- name: Configure tcp receive window limits
sysctl:
name: net.ipv4.tcp_rmem
value: "{{ tcp_rmem }}"
@ -68,7 +68,7 @@
sysctl_file: /etc/sysctl.d/net.conf
when: tcp_rmem is defined
- name: configure tcp send window limits
- name: Configure tcp send window limits
sysctl:
name: net.ipv4.tcp_wmem
value: "{{ tcp_wmem }}"
@ -76,48 +76,48 @@
sysctl_file: /etc/sysctl.d/net.conf
when: tcp_wmem is defined
- name: create drop-in directories for systemd configuration
- name: Create drop-in directories for systemd configuration
file: path=/etc/systemd/{{ item }}.d state=directory owner=root group=root mode=0755
loop:
- system.conf
- journald.conf
- name: install journald.conf overrides
- name: Install journald.conf overrides
template: src=journald.conf.j2 dest=/etc/systemd/journald.conf.d/override.conf owner=root group=root mode=644
notify:
- restart journald
- name: install system.conf overrides
- name: Install system.conf overrides
template: src=system.conf.j2 dest=/etc/systemd/system.conf.d/override.conf owner=root group=root mode=0644
notify:
- systemd daemon-reload
- name: install zram-generator
- name: Install zram-generator
pacman: name=zram-generator state=present
when: enable_zram_swap
- name: install zram-generator config for zram
- name: Install zram-generator config for zram
template: src=zram-generator.conf dest=/etc/systemd/zram-generator.conf owner=root group=root mode=0644
notify:
- restart systemd-zram-setup@zram0
when: enable_zram_swap
- name: disable zswap to prevent conflict with zram
- name: Disable zswap to prevent conflict with zram
copy: content="w- /sys/module/zswap/parameters/enabled - - - - N" dest=/etc/tmpfiles.d/zram.conf owner=root group=root mode=0644
register: zramtmpfiles
when: enable_zram_swap
- name: use tmpfiles.d/zram.conf
- name: Use tmpfiles.d/zram.conf
command: systemd-tmpfiles --create
when: zramtmpfiles.changed
- name: create drop-in directories for oomd
- name: Create drop-in directories for oomd
file: path=/etc/systemd/system/{{ item }}.d state=directory owner=root group=root mode=0755
with_items:
- "-.slice"
- user@.service
- name: install drop-in snippets for oomd
- name: Install drop-in snippets for oomd
copy: src=oomd-override_{{ item }}.conf dest=/etc/systemd/system/{{ item }}.d/override.conf owner=root group=root mode=0644
with_items:
- "-.slice"
@ -125,32 +125,32 @@
notify:
- systemd daemon-reload
- name: start systemd-oomd
- name: Start systemd-oomd
service: name=systemd-oomd state=started enabled=yes
- name: install logrotate
- name: Install logrotate
pacman: name=logrotate state=present
- name: configure logrotate
- name: Configure logrotate
template: src=logrotate.conf.j2 dest=/etc/logrotate.conf owner=root group=root mode=0644
- name: enable logrotate timer
- name: Enable logrotate timer
service: name=logrotate.timer state=started enabled=yes
- name: create zsh directory
- name: Create zsh directory
file: path=/root/.zsh state=directory owner=root group=root mode=0700
- name: install root shell config
- name: Install root shell config
copy: src={{ item }} dest=/root/.{{ item }} owner=root group=root mode=0644
with_items:
- zshrc
- dircolors
- name: install pacman-contrib,archlinux-contrib
- name: Install pacman-contrib,archlinux-contrib
pacman: name=pacman-contrib,archlinux-contrib state=installed
- name: install custom paccache.service
- name: Install custom paccache.service
copy: src=paccache.service dest=/etc/systemd/system/paccache.service owner=root group=root mode=0644
- name: enable paccache timer
- name: Enable paccache timer
systemd: name=paccache.timer enabled=yes state=started daemon_reload=yes


@ -1,44 +1,44 @@
- name: install svn, git, rsync and some perl stuff
- name: Install svn, git, rsync and some perl stuff
pacman: name=git,subversion,rsync,perl-dbd-pg,perl-timedate,diffstat state=present
- name: install sourceballs requirements (makepkg download dependencies)
- name: Install sourceballs requirements (makepkg download dependencies)
pacman: name=git,subversion,mercurial,breezy state=present
- name: install binutils for createlinks script
- name: Install binutils for createlinks script
pacman: name=binutils state=present
- name: create dbscripts users
- name: Create dbscripts users
user: name="{{ item }}" shell=/bin/bash
with_items:
- svn-packages
- svn-community
- name: add cleanup user
- name: Add cleanup user
user: name=cleanup groups=tu,dev,multilib shell=/sbin/nologin
- name: add sourceballs user
- name: Add sourceballs user
user: name=sourceballs shell=/sbin/nologin
- name: set up sudoers.d for special users
- name: Set up sudoers.d for special users
copy: src=sudoers.d dest=/etc/sudoers.d/dbscripts owner=root group=root mode=0600
- name: create ssl cert
- name: Create ssl cert
include_role:
name: certificate
vars:
domains: ["{{ repos_domain }}", "{{ repos_rsync_domain }}"]
- name: make nginx log dir
- name: Make nginx log dir
file: path=/var/log/nginx/{{ repos_domain }} state=directory owner=root group=root mode=0755
- name: set up nginx
- name: Set up nginx
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/dbscripts.conf owner=root group=root mode=0644
notify:
- reload nginx
tags:
- nginx
- name: create Arch Linux-specific users
- name: Create Arch Linux-specific users
user:
name: "{{ item.key }}"
group: users
@ -47,25 +47,25 @@
state: present
with_dict: "{{ arch_users }}"
- name: create .ssh directory
- name: Create .ssh directory
file: path=/home/svn-packages/.ssh state=directory owner=svn-packages group=svn-packages mode=0700
- name: configure ssh keys for devs
- name: Configure ssh keys for devs
template: src=authorized_keys-group.j2 dest=/home/svn-packages/.ssh/authorized_keys owner=svn-packages group=svn-packages mode=600
vars:
pubkey_groups: ['dev']
tags: ['archusers']
- name: create .ssh directory
- name: Create .ssh directory
file: path=/home/svn-community/.ssh state=directory owner=svn-community group=svn-community mode=0700
- name: configure ssh keys for TUs
- name: Configure ssh keys for TUs
template: src=authorized_keys-group.j2 dest=/home/svn-community/.ssh/authorized_keys owner=svn-community group=svn-community mode=600
vars:
pubkey_groups: ['tu']
tags: ['archusers']
- name: create staging directories in user homes
- name: Create staging directories in user homes
dbscripts_mkdirs:
pathtmpl: '/home/{user}/staging/{dirname}'
permissions: '755'
@ -74,88 +74,88 @@
group: users
tags: ["archusers"]
- name: create dbscripts paths
- name: Create dbscripts paths
file: path="{{ item }}" state=directory owner=root group=root mode=0755
with_items:
- /srv/repos/svn-community
- /srv/repos/svn-packages
- name: create svn-community/package-cleanup directory
- name: Create svn-community/package-cleanup directory
file: path="/srv/repos/svn-community/package-cleanup" state=directory owner=svn-community group=tu mode=0775
- name: add acl user:cleanup:rwx to /srv/repos/svn-community/package-cleanup
- name: Add acl user:cleanup:rwx to /srv/repos/svn-community/package-cleanup
acl: name=/srv/repos/svn-community/package-cleanup entry="user:cleanup:rwx" state=present
- name: add acl default:user::rwx to /srv/repos/svn-community/package-cleanup
- name: Add acl default:user::rwx to /srv/repos/svn-community/package-cleanup
acl: name=/srv/repos/svn-community/package-cleanup entry="default:user::rwx" state=present
- name: add acl default:user:cleanup:rwx to /srv/repos/svn-community/package-cleanup
- name: Add acl default:user:cleanup:rwx to /srv/repos/svn-community/package-cleanup
acl: name=/srv/repos/svn-community/package-cleanup entry="default:user:cleanup:rwx" state=present
- name: add acl default:group::rwx to /srv/repos/svn-community/package-cleanup
- name: Add acl default:group::rwx to /srv/repos/svn-community/package-cleanup
acl: name=/srv/repos/svn-community/package-cleanup entry="default:group::rwx" state=present
- name: add acl default:other::r-x to /srv/repos/svn-community/package-cleanup
- name: Add acl default:other::r-x to /srv/repos/svn-community/package-cleanup
acl: name=/srv/repos/svn-community/package-cleanup entry="default:other::r-x" state=present
- name: create svn-packages/package-cleanup directory
- name: Create svn-packages/package-cleanup directory
file: path="/srv/repos/svn-packages/package-cleanup" state=directory owner=svn-packages group=dev mode=0775
- name: add acl user:cleanup:rwx to /srv/repos/svn-packages/package-cleanup
- name: Add acl user:cleanup:rwx to /srv/repos/svn-packages/package-cleanup
acl: name=/srv/repos/svn-packages/package-cleanup entry="user:cleanup:rwx" state=present
- name: add acl default:user::rwx to /srv/repos/svn-packages/package-cleanup
- name: Add acl default:user::rwx to /srv/repos/svn-packages/package-cleanup
acl: name=/srv/repos/svn-packages/package-cleanup entry="default:user::rwx" state=present
- name: add acl default:user:cleanup:rwx to /srv/repos/svn-packages/package-cleanup
- name: Add acl default:user:cleanup:rwx to /srv/repos/svn-packages/package-cleanup
acl: name=/srv/repos/svn-packages/package-cleanup entry="default:user:cleanup:rwx" state=present
- name: add acl default:group::rwx to /srv/repos/svn-packages/package-cleanup
- name: Add acl default:group::rwx to /srv/repos/svn-packages/package-cleanup
acl: name=/srv/repos/svn-packages/package-cleanup entry="default:group::rwx" state=present
- name: add acl default:other::r-x to /srv/repos/svn-packages/package-cleanup
- name: Add acl default:other::r-x to /srv/repos/svn-packages/package-cleanup
acl: name=/srv/repos/svn-packages/package-cleanup entry="default:other::r-x" state=present
- name: create svn-community/source-cleanup directory
- name: Create svn-community/source-cleanup directory
file: path="/srv/repos/svn-community/source-cleanup" state=directory owner=sourceballs group=svn-community mode=0755
- name: create svn-packages/source-cleanup directory
- name: Create svn-packages/source-cleanup directory
file: path="/srv/repos/svn-packages/source-cleanup" state=directory owner=sourceballs group=svn-packages mode=0755
- name: create svn-community/svn directory
- name: Create svn-community/svn directory
file: path="/srv/repos/svn-community/svn" state=directory owner=svn-community group=svn-community mode=0755
- name: add acl default:user::rwx to /srv/repos/svn-community/svn
- name: Add acl default:user::rwx to /srv/repos/svn-community/svn
acl: name=/srv/repos/svn-community/svn entry="default:user::rwx" state=present
- name: add acl default:group::r-x to /srv/repos/svn-community/svn
- name: Add acl default:group::r-x to /srv/repos/svn-community/svn
acl: name=/srv/repos/svn-community/svn entry="default:group::r-x" state=present
- name: add acl default:other::r-x to /srv/repos/svn-community/svn
- name: Add acl default:other::r-x to /srv/repos/svn-community/svn
acl: name=/srv/repos/svn-community/svn entry="default:other::r-x" state=present
- name: create svn-packages/svn directory
- name: Create svn-packages/svn directory
file: path="/srv/repos/svn-packages/svn" state=directory owner=svn-packages group=svn-packages mode=0755
- name: add acl default:user::rwx to /srv/repos/svn-packages/svn
- name: Add acl default:user::rwx to /srv/repos/svn-packages/svn
acl: name=/srv/repos/svn-packages/svn entry="default:user::rwx" state=present
- name: add acl default:group::r-x to /srv/repos/svn-packages/svn
- name: Add acl default:group::r-x to /srv/repos/svn-packages/svn
acl: name=/srv/repos/svn-packages/svn entry="default:group::r-x" state=present
- name: add acl default:other::r-x to /srv/repos/svn-packages/svn
- name: Add acl default:other::r-x to /srv/repos/svn-packages/svn
acl: name=/srv/repos/svn-packages/svn entry="default:other::r-x" state=present
- name: create svn-community/tmp directory
- name: Create svn-community/tmp directory
file: path="/srv/repos/svn-community/tmp" state=directory owner=svn-community group=tu mode=1775
- name: add acl user:sourceballs:rwx to /srv/repos/svn-community/tmp
- name: Add acl user:sourceballs:rwx to /srv/repos/svn-community/tmp
acl: name=/srv/repos/svn-community/tmp entry="user:sourceballs:rwx" state=present
- name: create svn-packages/tmp directory
- name: Create svn-packages/tmp directory
file: path="/srv/repos/svn-packages/tmp" state=directory owner=svn-packages group=dev mode=1775
- name: add acl user:sourceballs:rwx to /srv/repos/svn-packages/tmp
- name: Add acl user:sourceballs:rwx to /srv/repos/svn-packages/tmp
acl: name=/srv/repos/svn-packages/tmp entry="user:sourceballs:rwx" state=present
- name: touch /srv/ftp/lastsync file
- name: Touch /srv/ftp/lastsync file
file: path="/srv/ftp/lastsync" state=touch owner=ftp group=ftp mode=0644
- name: touch /srv/ftp/lastupdate file
- name: Touch /srv/ftp/lastupdate file
file: path="/srv/ftp/lastupdate" state=touch owner=ftp group=ftp mode=0644
- name: add acl group:tu:rw- to /srv/ftp/lastupdate
- name: Add acl group:tu:rw- to /srv/ftp/lastupdate
acl: name=/srv/ftp/lastupdate entry="group:tu:rw-" state=present
- name: add acl group:dev:rw- to /srv/ftp/lastupdate
- name: Add acl group:dev:rw- to /srv/ftp/lastupdate
acl: name=/srv/ftp/lastupdate entry="group:dev:rw-" state=present
- name: fetch dbscripts PGP key
- name: Fetch dbscripts PGP key
command: /usr/bin/gpg --keyserver keys.openpgp.org --auto-key-locate wkd,keyserver --locate-keys {{ item }}
with_items: '{{ dbscripts_pgp_emails }}'
register: gpg
changed_when: "gpg.rc == 0"
- name: clone dbscripts git repo
- name: Clone dbscripts git repo
git: >
dest=/srv/repos/{{ item }}/dbscripts
repo=https://gitlab.archlinux.org/archlinux/dbscripts.git
@ -165,73 +165,73 @@
- svn-community
- svn-packages
- name: make /srv/svn
- name: Make /srv/svn
file: path=/srv/svn state=directory owner=root group=root mode=0755
- name: symlink /srv/svn/community to /srv/repos/svn-community/svn
- name: Symlink /srv/svn/community to /srv/repos/svn-community/svn
file: path=/srv/svn/community src=/srv/repos/svn-community/svn state=link owner=root group=root mode=0755
- name: symlink /srv/svn/packages to /srv/repos/svn-packages/svn
- name: Symlink /srv/svn/packages to /srv/repos/svn-packages/svn
file: path=/srv/svn/packages src=/srv/repos/svn-packages/svn state=link owner=root group=root mode=0755
- name: symlink /community to /srv/repos/svn-community/dbscripts
- name: Symlink /community to /srv/repos/svn-community/dbscripts
file: path=/community src=/srv/repos/svn-community/dbscripts state=link owner=root group=root mode=0755
- name: symlink /packages to /srv/repos/svn-packages/dbscripts
- name: Symlink /packages to /srv/repos/svn-packages/dbscripts
file: path=/packages src=/srv/repos/svn-packages/dbscripts state=link owner=root group=root mode=0755
- name: make debug packages-debug pool
- name: Make debug packages-debug pool
file: path=/srv/ftp/pool/packages-debug state=directory owner=root group=dev mode=0775
- name: make debug community-debug pool
- name: Make debug community-debug pool
file: path=/srv/ftp/pool/community-debug state=directory owner=root group=tu mode=2775
- name: make package root debug repos
- name: Make package root debug repos
file: path=/srv/ftp/{{ item }}/os state=directory owner=root group=root mode=0755
with_items: '{{ package_repos }}'
- name: make community root debug repos
- name: Make community root debug repos
file: path=/srv/ftp/{{ item }}/os state=directory owner=root group=root mode=00755
with_items: '{{ community_repos }}'
- name: make package debug repos
- name: Make package debug repos
file: path=/srv/ftp/{{ item }}/os/x86_64 state=directory owner=root group=dev mode=0775
with_items: '{{ package_repos }}'
- name: make community debug repos
- name: Make community debug repos
file: path=/srv/ftp/{{ item }}/os/x86_64 state=directory owner=root group=tu mode=0775
with_items: '{{ community_repos }}'
- name: put rsyncd.conf into tmpfiles
- name: Put rsyncd.conf into tmpfiles
copy: src=rsyncd-tmpfiles.d dest=/etc/tmpfiles.d/rsyncd.conf owner=root group=root mode=0644
register: rsyncdtmpfiles
- name: use tmpfiles.d/rsyncd.conf
- name: Use tmpfiles.d/rsyncd.conf
command: systemd-tmpfiles --create
when: rsyncdtmpfiles.changed
- name: create rsyncd-conf-genscripts
- name: Create rsyncd-conf-genscripts
file: path=/etc/rsyncd-conf-genscripts state=directory owner=root group=root mode=0700
- name: install rsync.conf.proto
- name: Install rsync.conf.proto
template: src=rsyncd.conf.proto.j2 dest=/etc/rsyncd-conf-genscripts/rsyncd.conf.proto owner=root group=root mode=0644
- name: configure gen_rsyncd.conf.pl
- name: Configure gen_rsyncd.conf.pl
template: src=gen_rsyncd.conf.pl dest=/etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl owner=root group=root mode=0700
no_log: true
- name: generate mirror config
- name: Generate mirror config
command: /etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl
register: gen_rsyncd
changed_when: "gen_rsyncd.rc == 0"
- name: install svnlog
- name: Install svnlog
copy: src=svnlog dest=/usr/local/bin/svnlog owner=root group=root mode=0755
- name: add arch-svntogit user
- name: Add arch-svntogit user
user: name=svntogit shell=/sbin/nologin home=/srv/svntogit generate_ssh_key=yes ssh_key_bits=4096
- name: configure svntogit git user name
- name: Configure svntogit git user name
command: git config --global user.name svntogit
become: true
become_user: svntogit
@ -240,7 +240,7 @@
tags:
- skip_ansible_lint
- name: configure svntogit git user email
- name: Configure svntogit git user email
command: git config --global user.email svntogit@repos.archlinux.org
become: true
become_user: svntogit
@ -249,13 +249,13 @@
tags:
- skip_ansible_lint
- name: template arch-svntogit
- name: Template arch-svntogit
copy: src=update-repos.sh dest=/srv/svntogit/update-repos.sh owner=root group=root mode=0755
- name: create svntogit repos subdir
- name: Create svntogit repos subdir
file: path="/srv/svntogit/repos" state=directory owner=svntogit group=svntogit mode=0775
- name: clone git-svn repos
- name: Clone git-svn repos
command: git svn clone file:///srv/repos/svn-{{ item }}/svn /srv/svntogit/repos/{{ item }} creates=/srv/svntogit/repos/{{ item }}
with_items:
- community
@ -265,7 +265,7 @@
tags:
- skip_ansible_lint
- name: add svntogit public remotes
- name: Add svntogit public remotes
command: git remote add public git@github.com:archlinux/svntogit-{{ item }}.git chdir=/srv/svntogit/repos/{{ item }}
with_items:
- community
@ -279,7 +279,7 @@
- skip_ansible_lint
# The following command also serves as a way to get the data the first time the repo is set up
- name: configure svntogit pull upstream branch
- name: Configure svntogit pull upstream branch
command: git pull --set-upstream public master chdir=/srv/svntogit/repos/{{ item }}
environment:
SHELL: /bin/bash
@ -293,40 +293,40 @@
tags:
- skip_ansible_lint
- name: fix svntogit home permissions
- name: Fix svntogit home permissions
file: path="/srv/svntogit" state=directory owner=svntogit group=svntogit mode=0775
- name: install repo helpers
- name: Install repo helpers
copy: src={{ item }} dest=/usr/local/bin/{{ item }} owner=root group=root mode=0755
with_items:
- lsrepo
- checklib32
- name: install createlinks script
- name: Install createlinks script
copy: src=createlinks dest=/usr/local/bin/createlinks owner=root group=root mode=0755
- name: start and enable rsync
- name: Start and enable rsync
service: name=rsyncd.socket enabled=yes state=started
- name: open firewall holes for rsync
- name: Open firewall holes for rsync
ansible.posix.firewalld: service=rsyncd permanent=true state=enabled immediate=yes
when: configure_firewall
tags:
- firewall
- name: configure svnserve
- name: Configure svnserve
copy: dest=/etc/conf.d/svnserve owner=root group=root mode=0644 content="SVNSERVE_ARGS=-R -r /srv/svn\n"
- name: start and enable svnserve
- name: Start and enable svnserve
service: name=svnserve enabled=yes state=started
- name: open firewall holes for svnserve
- name: Open firewall holes for svnserve
ansible.posix.firewalld: port=3690/tcp permanent=true state=enabled immediate=yes
when: configure_firewall
tags:
- firewall
- name: install systemd timers
- name: Install systemd timers
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items:
- cleanup.timer
@ -344,7 +344,7 @@
notify:
- daemon reload
- name: activate systemd timers
- name: Activate systemd timers
service: name={{ item }} enabled=yes state=started
with_items:
- cleanup.timer
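Review bot: The `notify:` targets in this file are untouched by the commit and still use lowercase names (`- reload nginx` under the nginx template task, `- daemon reload` under the systemd timer task), while every handler name is being capitalised; if the nginx and common handlers were renamed the same way (they are not visible here), these notifications stop matching, since Ansible compares notify strings to handler names case-sensitively. Please grep for `notify:` entries across the roles and either capitalise them to match or add `listen:` aliases on the handlers. Separately, `changed_when: "gpg.rc == 0"` on the PGP key fetch reports a change on every successful run, which makes the play's change summary useless for spotting real key rotations; `changed_when: false` would be more honest for a lookup.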


@ -1,2 +1,2 @@
- name: reload debuginfod
- name: Reload debuginfod
service: name=debuginfod state=reloaded
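Review bot: This handler is renamed to `Reload debuginfod`, but the debuginfod task file that follows still has `notify: - reload debuginfod` on the service-unit template task; Ansible matches notify strings to handler names case-sensitively, so after this commit a changed debuginfod.service is written and the service is never reloaded, with no error reported. Update the notify to `- reload debuginfod` → `- Reload debuginfod`, or add `listen: reload debuginfod` to this handler so both spellings resolve. The notify line is outside this hunk.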


@ -1,53 +1,53 @@
- name: install debuginfod
- name: Install debuginfod
pacman: name=debuginfod state=present
- name: create ssl cert
- name: Create ssl cert
include_role:
name: certificate
vars:
domains: ["{{ debuginfod_domain }}"]
when: debuginfod_domain
- name: configure debuginfod systemd service
- name: Configure debuginfod systemd service
template: src=debuginfod.service.j2 dest=/etc/systemd/system/debuginfod.service owner=root group=root mode=0644
vars:
debuginfod_package_path: "{{ debuginfod_package_paths | join(' ') }}"
notify:
- reload debuginfod
- name: create http directory for debuginfod website files
- name: Create http directory for debuginfod website files
file: path=/srv/http/debuginfod state=directory owner=root group=root mode=0755
- name: install website files
- name: Install website files
copy: src={{ item }} dest=/srv/http/debuginfod/{{ item }} owner=root group=root mode=0644
loop:
- archlinux.png
- index.html
- name: install packagelist units
- name: Install packagelist units
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
loop:
- packagelist.timer
- packagelist.service
- name: start and enable packagelist.timer
- name: Start and enable packagelist.timer
service: name=packagelist.timer enabled=yes state=started
- name: make nginx log dir
- name: Make nginx log dir
file: path=/var/log/nginx/{{ debuginfod_domain }} state=directory owner=root group=root mode=0755
- name: set up nginx
- name: Set up nginx
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/debuginfod.conf owner=root group=root mode=0644
notify:
- reload nginx
when: debuginfod_domain
tags: ['nginx']
- name: open debuginfod ipv4 port for monitoring.archlinux.org
- name: Open debuginfod ipv4 port for monitoring.archlinux.org
ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port=8002 accept"
tags:
- firewall
- name: start and enable debuginfod
- name: Start and enable debuginfod
service: name=debuginfod enabled=yes state=started


@ -1,7 +1,7 @@
- name: reload dovecot
- name: Reload dovecot
service: name=dovecot state=restarted
- name: run sievec
- name: Run sievec
command: /usr/bin/sievec /etc/dovecot/sieve/{{ item }}
loop:
- spam-to-folder.sieve
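Review bot: Both handlers here are capitalised (`Reload dovecot`, `Run sievec`), but the dovecot task file that follows still notifies `- reload dovecot` and `- run sievec`; handler lookup is an exact case-sensitive match, so a changed dovecot.conf or sieve script would no longer trigger a restart or recompilation. Fix the notify entries in the same commit or add `listen:` lines with the old lowercase names. Unrelated to the casing change but worth a comment: the handler named `Reload dovecot` actually does `state=restarted`, which drops every open IMAP session; either rename it to `Restart dovecot` or switch to `state=reloaded` if the config changes in question support it.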


@ -1,48 +1,48 @@
- name: install dovecot
- name: Install dovecot
pacman: name=dovecot,pigeonhole state=present
# FIXME: check directory permissions
- name: create dovecot configuration directory
- name: Create dovecot configuration directory
file: path=/etc/dovecot state=directory owner=root group=root mode=0755
- name: create dhparam
- name: Create dhparam
command: openssl dhparam -out /etc/dovecot/dh.pem 4096 creates=/etc/dovecot/dh.pem
- name: install dovecot.conf
- name: Install dovecot.conf
template: src=dovecot.conf.j2 dest=/etc/dovecot/dovecot.conf owner=root group=root mode=0644
notify:
- reload dovecot
- name: add vmail group
- name: Add vmail group
group: name=vmail gid=5000
- name: add vmail user
- name: Add vmail user
user: name=vmail uid=5000 shell=/usr/bin/nologin group=vmail
- name: install PAM config
- name: Install PAM config
copy: src=pam.d.dovecot dest=/etc/pam.d/dovecot mode=0644 owner=root group=root
- name: create dovecot sieve dir
- name: Create dovecot sieve dir
file: path=/etc/dovecot/sieve state=directory owner=root group=root mode=0755
- name: install spam-to-folder.sieve
- name: Install spam-to-folder.sieve
copy: src=spam-to-folder.sieve dest=/etc/dovecot/sieve/ mode=0644 owner=root group=root
notify:
- run sievec
- name: create ssl cert
- name: Create ssl cert
include_role:
name: certificate
vars:
domains: ["{{ mail_domain }}"]
- name: install dovecot cert renewal hook
- name: Install dovecot cert renewal hook
template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/hook.d/dovecot owner=root group=root mode=0755
- name: start and enable dovecot
- name: Start and enable dovecot
service: name=dovecot enabled=yes state=started
- name: open firewall holes
- name: Open firewall holes
ansible.posix.firewalld: service={{ item }} permanent=true state=enabled immediate=yes
with_items:
- imaps
@ -51,13 +51,13 @@
tags:
- firewall
- name: install systemd timers
- name: Install systemd timers
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items:
- dovecot-cleanup.timer
- dovecot-cleanup.service
- name: activate systemd timers
- name: Activate systemd timers
systemd:
name: "{{ item }}"
state: started


@ -1,7 +1,7 @@
- name: restart fail2ban
- name: Restart fail2ban
systemd:
name: fail2ban
state: restarted
- name: reload fail2ban jails
- name: Reload fail2ban jails
shell: type fail2ban-server > /dev/null && (fail2ban-client ping > /dev/null && fail2ban-client reload > /dev/null || true) || true
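Review bot: Capitalising `Restart fail2ban` and `Reload fail2ban jails` breaks every `notify:` in the fail2ban task file that follows, which still says `- restart fail2ban` and `- reload fail2ban jails`; Ansible matches these case-sensitively, so a new or edited jail would be written to disk and never loaded, meaning the brute-force protection silently stops tracking the new rule. Update those notify entries, or add `listen: restart fail2ban` / `listen: reload fail2ban jails` to the handlers. The reload handler also ends in `|| true` twice, so a jail that fails to parse is never surfaced to the operator; consider at least dropping the outer `|| true` so a present-but-broken fail2ban-server fails the play.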


@ -1,11 +1,11 @@
- name: install fail2ban
- name: Install fail2ban
package:
name: "fail2ban"
state: "present"
notify:
- restart fail2ban
- name: create systemd unit override path
- name: Create systemd unit override path
file:
path: "/etc/systemd/system/fail2ban.service.d"
state: "directory"
@ -13,7 +13,7 @@
group: "root"
mode: 0755
- name: install systemd unit override file
- name: Install systemd unit override file
template:
src: "fail2ban.service.j2"
dest: "/etc/systemd/system/fail2ban.service.d/override.conf"
@ -21,7 +21,7 @@
group: "root"
mode: 0644
- name: install local config files
- name: Install local config files
template:
src: "{{ item }}.j2"
dest: "/etc/fail2ban/{{ item }}"
@ -34,7 +34,7 @@
notify:
- restart fail2ban
- name: install firewallcmd-allports.local
- name: Install firewallcmd-allports.local
template:
src: "firewallcmd-allports.local.j2"
dest: "/etc/fail2ban/action.d/firewallcmd-allports.local"
@ -44,7 +44,7 @@
notify:
- restart fail2ban
- name: install sshd jail
- name: Install sshd jail
when: fail2ban_jails.sshd
template:
src: "sshd.jail.j2"
@ -55,7 +55,7 @@
notify:
- reload fail2ban jails
- name: install postfix jail
- name: Install postfix jail
when: fail2ban_jails.postfix
template:
src: "postfix.jail.j2"
@ -66,7 +66,7 @@
notify:
- reload fail2ban jails
- name: install dovecot jail
- name: Install dovecot jail
when: fail2ban_jails.dovecot
template:
src: "dovecot.jail.j2"
@ -77,7 +77,7 @@
notify:
- reload fail2ban jails
- name: install nginx-limit-req jail
- name: Install nginx-limit-req jail
when: fail2ban_jails.nginx_limit_req
template:
src: "nginx-limit-req.jail.j2"
@ -88,7 +88,7 @@
notify:
- reload fail2ban jails
- name: start and enable service
- name: Start and enable service
systemd:
name: "fail2ban.service"
enabled: true


@ -1,2 +1,2 @@
- name: restart fetchmail
- name: Restart fetchmail
service: name=fetchmail state=restarted
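Review bot: The handler becomes `Restart fetchmail`, but the fetchmail task file in this same commit still has `notify: - restart fetchmail` on the fetchmailrc template; the case-sensitive name match means a changed fetchmailrc (which carries credentials) is written but the running daemon keeps the old one. Change the notify to `- Restart fetchmail` or add `listen: restart fetchmail` here.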


@ -1,10 +1,10 @@
- name: install fetchmail
- name: Install fetchmail
pacman: name=fetchmail state=present
- name: template fetchmail config
- name: Template fetchmail config
template: src=fetchmailrc.j2 dest=/etc/fetchmailrc owner=fetchmail group=nobody mode=600
notify:
- restart fetchmail
- name: start and enable fetchmail
- name: Start and enable fetchmail
service: name=fetchmail enabled=yes state=started


@ -1,11 +1,11 @@
# NOTE: hack for a systemd bug (restarting firewalld.service fails due to fail2ban.service)
# https://github.com/systemd/systemd/issues/2830
# https://bugzilla.opensuse.org/show_bug.cgi?id=1146856
# - name: restart firewalld
# - name: Restart firewalld
# service: name=firewalld state=restarted
- name: stop firewalld
- name: Stop firewalld
service: name=firewalld state=stopped
listen: restart firewalld
- name: start firewalld
- name: Start firewalld
service: name=firewalld state=started
listen: restart firewalld


@ -1,20 +1,20 @@
- name: install firewalld
- name: Install firewalld
pacman:
name: firewalld
state: present
- name: install firewalld config
- name: Install firewalld config
template: src=firewalld.conf.j2 dest=/etc/firewalld/firewalld.conf owner=root group=root mode=0644
notify:
- restart firewalld
- name: start and enable firewalld
- name: Start and enable firewalld
service:
name: firewalld
enabled: "{{ configure_firewall }}"
state: "{{ configure_firewall | ternary('started', 'stopped') }}"
- name: disable default dhcpv6-client rule
- name: Disable default dhcpv6-client rule
ansible.posix.firewalld:
service: dhcpv6-client
state: disabled


@ -1,2 +1,2 @@
- name: restart php-fpm@fluxbb
- name: Restart php-fpm@fluxbb
systemd: name=php-fpm@fluxbb.service state=restarted
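Review bot: After renaming this handler to `Restart php-fpm@fluxbb`, the fluxbb task file that follows still uses `notify: restart php-fpm@fluxbb` on the php-fpm pool config; Ansible's handler lookup is case-sensitive, so the pool would not be restarted after a config change. Either update that notify to `Restart php-fpm@fluxbb` or add `listen: restart php-fpm@fluxbb` to this handler.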


@ -1,67 +1,67 @@
- name: create user
- name: Create user
user: >
name=fluxbb home="{{ fluxbb_dir }}"
shell=/bin/false system=yes createhome=no
- name: clone fluxbb
- name: Clone fluxbb
git:
repo: https://gitlab.archlinux.org/archlinux/archbbs.git
dest: "{{ fluxbb_dir }}"
version: "{{ fluxbb_version }}"
- name: fix home permissions
- name: Fix home permissions
file: state=directory owner=fluxbb group=fluxbb mode=0755 path="{{ fluxbb_dir }}"
changed_when: false
- name: create uploads directory
- name: Create uploads directory
file: state=directory owner=fluxbb group=fluxbb mode=0755 path="{{ fluxbb_dir }}/uploads"
- name: create mariadb database
- name: Create mariadb database
mysql_db: name=fluxbb state=present
- name: create mariadb user
- name: Create mariadb user
mysql_user: >
user=fluxbb host=localhost password={{ fluxbb_db_password }}
priv='fluxbb.*:ALL'
- name: create ssl cert
- name: Create ssl cert
include_role:
name: certificate
vars:
domains: ["{{ fluxbb_domain }}"]
- name: create nginx log directory
- name: Create nginx log directory
file: path=/var/log/nginx/{{ fluxbb_domain }} state=directory owner=root group=root mode=0755
- name: configure nginx
- name: Configure nginx
template: >
src=nginx.conf.j2 dest=/etc/nginx/nginx.d/fluxbb.conf
owner=root group=root mode=0644
notify: reload nginx
- name: install python-passlib
- name: Install python-passlib
pacman: name=python-passlib
- name: create auth file
- name: Create auth file
htpasswd: >
path=/etc/nginx/auth/fluxx
name={{ fluxbb_htpasswd.username }}
password={{ fluxbb_htpasswd.password }}
owner=root group=http mode=0640
- name: install forum config
- name: Install forum config
template: >
src=config.php.j2 dest={{ fluxbb_dir }}/config.php
owner=fluxbb group=fluxbb mode=400
- name: install php-apcu
- name: Install php-apcu
pacman: name=php-apcu,php-intl
- name: configure php-fpm
- name: Configure php-fpm
template: >
src=php-fpm.conf.j2 dest=/etc/php/php-fpm.d/fluxbb.conf
owner=root group=root mode=0644
notify: restart php-fpm@fluxbb
- name: start and enable systemd socket
- name: Start and enable systemd socket
service: name=php-fpm@fluxbb.socket state=started enabled=true


@ -1,2 +1,2 @@
- name: restart php-fpm7@flyspray
- name: Restart php-fpm7@flyspray
service: name=php-fpm7@flyspray state=restarted


@ -1,4 +1,4 @@
- name: run maintenance mode
- name: Run maintenance mode
include_role:
name: maintenance
vars:
@ -8,40 +8,40 @@
service_nginx_conf: "{{ flyspray_nginx_conf }}"
when: maintenance is defined
- name: install git
- name: Install git
pacman: name=git state=present
- name: make flyspray user
- name: Make flyspray user
user: name="{{ flyspray_user }}" shell=/bin/false home="{{ flyspray_dir }}" createhome=no
register: user_created
- name: fix home permissions
- name: Fix home permissions
file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}" mode=0755
- name: create ssl cert
- name: Create ssl cert
include_role:
name: certificate
vars:
domains: ["{{ flyspray_domain }}"]
- name: set up nginx
- name: Set up nginx
template: src=nginx.d.conf.j2 dest="{{ flyspray_nginx_conf }}" owner=root group=root mode=644
notify:
- reload nginx
when: maintenance is not defined
tags: ['nginx']
- name: install nginx migrated-tasks.map
- name: Install nginx migrated-tasks.map
copy: src=migrated-tasks.map dest=/etc/nginx/maps/ owner=root group=root mode=0644
- name: make nginx log dir
- name: Make nginx log dir
file: path=/var/log/nginx/{{ flyspray_domain }} state=directory owner=root group=root mode=0755
- name: create setup dir with write permissions
- name: Create setup dir with write permissions
file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}/setup" mode=755
when: not user_created.changed
- name: clone flyspray repo
- name: Clone flyspray repo
git:
repo: https://gitlab.archlinux.org/archlinux/flyspray.git
version: "{{ flyspray_commit }}"
@ -50,44 +50,44 @@
become_user: "{{ flyspray_user }}"
register: release
- name: take away setup dir write permissions
- name: Take away setup dir write permissions
file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}/setup" mode=000
- name: configure flyspray
- name: Configure flyspray
template: src=flyspray.conf.php.j2 dest=/srv/http/flyspray/flyspray.conf.php owner="{{ flyspray_user }}" group="{{ flyspray_user }}" mode=0660
register: config
no_log: true
- name: create flyspray db
- name: Create flyspray db
mysql_db: name="{{ flyspray_db }}" login_host="{{ flyspray_db_host }}" login_password="{{ vault_mariadb_users.root }}"
register: db_created
- name: create flyspray db user
- name: Create flyspray db user
mysql_user: name={{ flyspray_db_user }} password={{ vault_flyspray_db_password }}
login_host="{{ flyspray_db_host }}" login_password="{{ vault_mariadb_users.root }}"
priv="{{ flyspray_db }}.*:ALL"
no_log: true
- name: configure php-fpm
- name: Configure php-fpm
template:
src=php-fpm.conf.j2 dest="/etc/php7/php-fpm.d/{{ flyspray_user }}.conf"
owner=root group=root mode=0644
notify:
- restart php-fpm7@flyspray
- name: install fail2ban register ban filter
- name: Install fail2ban register ban filter
template: src=fail2ban.filter.j2 dest=/etc/fail2ban/filter.d/nginx-flyspray-register.local owner=root group=root mode=0644
notify:
- restart fail2ban
tags:
- fail2ban
- name: install fail2ban register ban jail
- name: Install fail2ban register ban jail
template: src=fail2ban.jail.j2 dest=/etc/fail2ban/jail.d/nginx-flyspray-register.local owner=root group=root mode=0644
notify:
- restart fail2ban
tags:
- fail2ban
- name: start and enable systemd socket
- name: Start and enable systemd socket
service: name=php-fpm7@flyspray.socket state=started enabled=true


@ -1,2 +1,2 @@
- name: restart powerdns
- name: Restart powerdns
service: name=pdns state=restarted


@ -1,27 +1,27 @@
- name: install powerdns and geoip
- name: Install powerdns and geoip
pacman: name=powerdns,libmaxminddb,geoip,yaml-cpp state=present
- name: install PowerDNS configuration
- name: Install PowerDNS configuration
template: src={{ item.src }} dest=/etc/powerdns/{{ item.dest }} owner=root group=root mode=0644
loop:
- {src: pdns.conf.j2, dest: pdns.conf}
- {src: geo.yml.j2, dest: geo.yml}
notify: restart powerdns
- name: create drop-in directory for geoipupdate
- name: Create drop-in directory for geoipupdate
file: path=/etc/systemd/system/geoipupdate.service.d state=directory owner=root group=root mode=0755
- name: install drop-in snippet for geoipupdate
- name: Install drop-in snippet for geoipupdate
copy: src=geoipupdate-pdns-reload.conf dest=/etc/systemd/system/geoipupdate.service.d/pdns-reload.conf owner=root group=root mode=0644
- name: open powerdns ipv4 port for monitoring.archlinux.org
- name: Open powerdns ipv4 port for monitoring.archlinux.org
ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port=8081 accept"
tags:
- firewall
- name: open firewall hole
- name: Open firewall hole
ansible.posix.firewalld: service=dns permanent=true state=enabled immediate=yes
- name: start and enable powerdns
- name: Start and enable powerdns
systemd: name=pdns.service enabled=yes daemon_reload=yes state=started


@ -1,14 +1,14 @@
- name: install geoipupdate
- name: Install geoipupdate
pacman: name=geoipupdate state=present
register: installation
- name: configure geoipupdate
- name: Configure geoipupdate
template: src=GeoIP.conf.j2 dest=/etc/GeoIP.conf owner=root group=root mode=0600
register: configuration
- name: run geoipupdate after installation or configuration change
- name: Run geoipupdate after installation or configuration change
systemd: name=geoipupdate state=restarted
when: installation is changed or configuration is changed
- name: start and enable geoipupdate.timer
- name: Start and enable geoipupdate.timer
systemd: name=geoipupdate.timer enabled=yes state=started


@ -1,13 +1,13 @@
- name: install docker dependencies
- name: Install docker dependencies
pacman: name=docker,python-docker state=present
- name: start docker
- name: Start docker
service: name=docker enabled=yes state=started
- name: copy sshd_config into place to change the port to 222
- name: Copy sshd_config into place to change the port to 222
copy: src=sshd_config dest=/srv/gitlab/sshd_config owner=root group=root mode=640
- name: start docker gitlab image
- name: Start docker gitlab image
docker_container:
name: gitlab
image: gitlab/gitlab-ee:latest
@ -99,11 +99,11 @@
- "/srv/gitlab/data:/var/opt/gitlab"
- "/srv/gitlab/sshd_config:/assets/sshd_config"
- name: prune unused docker images
- name: Prune unused docker images
docker_prune:
images: true
- name: open firewall holes
- name: Open firewall holes
ansible.posix.firewalld: port={{ item }} permanent=true state=enabled immediate=yes
when: configure_firewall
with_items:
@ -114,11 +114,11 @@
tags:
- firewall
- name: copy gitlab-cleanup timer and service
- name: Copy gitlab-cleanup timer and service
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items:
- gitlab-cleanup.timer
- gitlab-cleanup.service
- name: activate systemd timers for gitlab-cleanup
- name: Activate systemd timers for gitlab-cleanup
systemd: name=gitlab-cleanup.timer enabled=yes state=started daemon-reload=yes


@ -1,11 +1,11 @@
- name: systemd daemon-reload
- name: Systemd daemon-reload
systemd: daemon_reload=yes
- name: restart gitlab-runner
- name: Restart gitlab-runner
service: name=gitlab-runner state=restarted
- name: restart gitlab-runner-docker-cleanup.timer
- name: Restart gitlab-runner-docker-cleanup.timer
service: name=gitlab-runner-docker-cleanup.timer state=restarted daemon_reload=yes
- name: restart docker
- name: Restart docker
service: name=docker state=restarted


@ -1,15 +1,15 @@
- name: install dependencies
- name: Install dependencies
pacman: name=docker,python-docker,python-gitlab,gitlab-runner state=latest update_cache=yes
notify: restart gitlab-runner
- name: install docker.slice
- name: Install docker.slice
copy: src=docker.slice dest=/etc/systemd/system/ owner=root group=root mode=0644
notify: systemd daemon-reload
- name: start docker
- name: Start docker
systemd: name=docker enabled=yes state=started daemon_reload=yes
- name: configure Docker daemon for IPv6
- name: Configure Docker daemon for IPv6
copy: src=daemon.json dest=/etc/docker/daemon.json owner=root group=root mode=0644
notify: restart docker
@ -17,7 +17,7 @@
# https://medium.com/@skleeschulte/how-to-enable-ipv6-for-docker-containers-on-ubuntu-18-04-c68394a219a2
# https://github.com/docker/docker.github.io/blob/c0eb65aabe4de94d56bbc20249179f626df5e8c3/engine/userguide/networking/default_network/ipv6.md
# https://github.com/moby/moby/issues/36954
- name: add IPv6 NAT for docker
- name: Add IPv6 NAT for docker
ansible.posix.firewalld:
zone: public
permanent: true
@ -42,11 +42,11 @@
# --locked=false \ # Use true for secure runners
# --access-level=not_protected # Use ref_protected for secure runners
# Note: Secure runners must be added manually to the relevant projects
- name: install runner configuration
- name: Install runner configuration
template: src=config.toml.j2 dest=/etc/gitlab-runner/config.toml owner=root group=root mode=0600
notify: restart gitlab-runner
- name: install gitlab-runner-docker-cleanup.{service,timer}
- name: Install gitlab-runner-docker-cleanup.{service,timer}
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
loop:
- gitlab-runner-docker-cleanup.service
@ -54,24 +54,24 @@
notify:
- restart gitlab-runner-docker-cleanup.timer
- name: enable and start gitlab-runner-docker-cleanup.timer
- name: Enable and start gitlab-runner-docker-cleanup.timer
systemd: name=gitlab-runner-docker-cleanup.timer state=started enabled=yes daemon_reload=yes
- name: enable and start gitlab runner service
- name: Enable and start gitlab runner service
systemd: name=gitlab-runner state=started enabled=yes daemon_reload=yes
- name: setup libvirt-executor
- name: Setup libvirt-executor
block:
- name: install libvirt-executor-update-base-image dependencies
- name: Install libvirt-executor-update-base-image dependencies
pacman: name=arch-install-scripts,sequoia-sq state=present
- name: create libvirt-executor configuration and data directories
- name: Create libvirt-executor configuration and data directories
file: path={{ item }} state=directory owner=root group=root mode=0755
loop:
- /etc/libvirt-executor
- /usr/local/lib/libvirt-executor
- name: install libvirt-executor
- name: Install libvirt-executor
copy: src={{ item.src }} dest={{ item.dest }} owner=root group=root mode={{ item.mode }}
loop:
- {src: arch-boxes.asc, dest: /usr/local/lib/libvirt-executor/, mode: 644}
@ -79,17 +79,17 @@
- {src: libvirt-executor, dest: /usr/local/bin/, mode: 755}
- {src: libvirt-executor-update-base-image, dest: /usr/local/bin/, mode: 755}
- name: create SSH keys for libvirt-executor
- name: Create SSH keys for libvirt-executor
command: ssh-keygen -N "" -f /etc/libvirt-executor/id_ed25519 -t ed25519
args:
creates: /etc/libvirt-executor/id_ed25519
- name: install libvirt-executor-update-base-image.{service,timer}
- name: Install libvirt-executor-update-base-image.{service,timer}
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
loop:
- libvirt-executor-update-base-image.service
- libvirt-executor-update-base-image.timer
- name: enable and start libvirt-executor-update-base-image.timer
- name: Enable and start libvirt-executor-update-base-image.timer
systemd: name=libvirt-executor-update-base-image.timer state=started enabled=yes daemon_reload=yes
when: "'gitlab_vm_runners' in group_names"


@ -1,3 +1,3 @@
- name: daemon reload
- name: Daemon reload
systemd:
daemon-reload: true


@ -1,7 +1,7 @@
- name: install sequoia
- name: Install sequoia
pacman: name=sequoia-sq state=present
- name: install systemd service/timer
- name: Install systemd service/timer
copy: src={{ item }} dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
with_items:
- gluebuddy.service
@ -9,16 +9,16 @@
notify:
- daemon reload
- name: enable timer
- name: Enable timer
systemd: name=gluebuddy.timer enabled=yes state=started
- name: install conf file
- name: Install conf file
template: src=gluebuddy.conf.j2 dest=/etc/conf.d/gluebuddy owner=root group=root mode=0600
- name: install download script
- name: Install download script
copy: src=gluebuddy_download.sh dest=/usr/local/bin/gluebuddy_download.sh owner=root group=root mode=0755
- name: download latest gluebuddy
- name: Download latest gluebuddy
command: /usr/local/bin/gluebuddy_download.sh
tags:
- skip_ansible_lint


@ -1,2 +1,2 @@
- name: restart grafana
- name: Restart grafana
service: name=grafana state=restarted


@ -1,25 +1,25 @@
- name: install grafana
- name: Install grafana
pacman: name=grafana state=present
- name: create ssl cert
- name: Create ssl cert
include_role:
name: certificate
vars:
domains: ["{{ grafana_domain }}"]
- name: set up nginx
- name: Set up nginx
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/grafana.conf owner=root group=http mode=640
notify:
- reload nginx
tags: ['nginx']
- name: make nginx log dir
- name: Make nginx log dir
file: path=/var/log/nginx/{{ grafana_domain }} state=directory owner=root group=root mode=0755
- name: create grafana config directory
- name: Create grafana config directory
file: path=/etc/grafana mode=0700 owner=grafana group=grafana state=directory
- name: create grafana provisioning directory
- name: Create grafana provisioning directory
file: path={{ item }} mode=0700 owner=grafana group=grafana state=directory
with_items:
- /etc/grafana/provisioning
@ -29,27 +29,27 @@
- /etc/grafana/provisioning/notifiers
- /var/lib/grafana/dashboards
- name: install grafana datasources provisioning
- name: Install grafana datasources provisioning
template: src=datasources.yaml.j2 dest=/etc/grafana/provisioning/datasources/prometheus.yml owner=grafana group=root mode=0600
notify: restart grafana
- name: install grafana dashboard provisioning
- name: Install grafana dashboard provisioning
template: src=dashboard.yaml.j2 dest=/etc/grafana/provisioning/dashboards/dasbhoard.yml owner=grafana group=root mode=0600
notify: restart grafana
- name: copy grafana dashboards
- name: Copy grafana dashboards
copy: src=dashboards dest=/var/lib/grafana/dashboards owner=grafana group=grafana mode=0600
- name: copy (public) grafana dashboards
- name: Copy (public) grafana dashboards
copy: src=public-dashboards dest=/var/lib/grafana/ owner=root group=grafana mode=0640
when: grafana_anonymous_access
- name: install grafana config
- name: Install grafana config
template: src=grafana.ini.j2 dest=/etc/grafana.ini owner=grafana group=root mode=0600
notify: restart grafana
- name: fix /var/lib/grafana permissions
- name: Fix /var/lib/grafana permissions
file: path=/var/lib/grafana mode=0700 owner=grafana group=grafana
- name: start and enable service
- name: Start and enable service
service: name=grafana state=started enabled=true


@ -1,2 +1,2 @@
- name: apply sysctl settings
- name: Apply sysctl settings
command: sysctl --system


@ -1,40 +1,40 @@
- name: set restricted access to kernel logs
- name: Set restricted access to kernel logs
copy: src=50-dmesg-restrict.conf dest=/etc/sysctl.d/50-dmesg-restrict.conf owner=root group=root mode=0644
notify:
- apply sysctl settings
- name: set ptrace scope, restrict ptrace to CAP_SYS_PTRACE
- name: Set ptrace scope, restrict ptrace to CAP_SYS_PTRACE
copy: src=50-ptrace-restrict.conf dest=/etc/sysctl.d/50-ptrace-restrict.conf owner=root group=root mode=0644
when: "'buildservers' not in group_names"
notify:
- apply sysctl settings
- name: set restricted access to kernel pointers in proc fs
- name: Set restricted access to kernel pointers in proc fs
copy: src=50-kptr-restrict.conf dest=/etc/sysctl.d/50-kptr-restrict.conf owner=root group=root mode=0644
notify:
- apply sysctl settings
- name: enable JIT hardening for all users
- name: Enable JIT hardening for all users
copy: src=50-bpf_jit_harden.conf dest=/etc/sysctl.d/50-bpf_jit_harden.conf owner=root group=root mode=0644
notify:
- apply sysctl settings
- name: disable unprivileged bpf
- name: Disable unprivileged bpf
copy: src=50-unprivileged_bpf_disabled.conf dest=/etc/sysctl.d/50-unprivileged_bpf_disabled.conf owner=root group=root mode=0644
notify:
- apply sysctl settings
- name: disable unprivileged userns
- name: Disable unprivileged userns
copy: src=50-unprivileged_userns_clone.conf dest=/etc/sysctl.d/50-unprivileged_userns_clone.conf owner=root group=root mode=0644
notify:
- apply sysctl settings
- name: disable kexec load
- name: Disable kexec load
copy: src=50-kexec_load_disabled.conf dest=/etc/sysctl.d/50-kexec_load_disabled.conf owner=root group=root mode=0644
notify:
- apply sysctl settings
- name: set kernel lockdown to restricted
- name: Set kernel lockdown to restricted
copy: src=50-lockdown.conf dest=/etc/tmpfiles.d/50-kernel-lockdown.conf owner=root group=root mode=0644
when: "'hcloud' in group_names"
notify:


@ -1,40 +1,40 @@
- name: create ssl cert
- name: Create ssl cert
include_role:
name: certificate
vars:
domains: ["{{ hedgedoc_domain }}"]
- name: install hedgedoc
- name: Install hedgedoc
pacman: name=hedgedoc state=present
- name: add hedgedoc postgres db
- name: Add hedgedoc postgres db
postgresql_db: db=hedgedoc
become: true
become_user: postgres
become_method: su
- name: add hedgedoc postgres user
- name: Add hedgedoc postgres user
postgresql_user: db=hedgedoc name=hedgedoc password={{ vault_postgres_users.hedgedoc }} encrypted=true
become: true
become_user: postgres
become_method: su
- name: make nginx log dir
- name: Make nginx log dir
file: path=/var/log/nginx/{{ hedgedoc_domain }} state=directory owner=root group=root mode=0755
- name: set up nginx
- name: Set up nginx
template: src=nginx.d.conf.j2 dest={{ hedgedoc_nginx_conf }} owner=root group=http mode=640
notify: reload nginx
tags: ['nginx']
- name: add hedgedoc.service.d dir
- name: Add hedgedoc.service.d dir
file: state=directory path=/etc/systemd/system/hedgedoc.service.d owner=root group=root mode=0755
- name: install hedgedoc.service snippet for configuration
- name: Install hedgedoc.service snippet for configuration
template: src=hedgedoc.service.d.j2 dest=/etc/systemd/system/hedgedoc.service.d/local.conf owner=root group=root mode=0644
- name: install hedgedoc config file
- name: Install hedgedoc config file
template: src=config.json.j2 dest=/etc/webapps/hedgedoc/config.json owner=root group=root mode=0644
- name: start and enable hedgedoc
- name: Start and enable hedgedoc
service: name=hedgedoc.service enabled=yes state=started


@ -1,12 +1,12 @@
# This role runs on localhost; use commands like sftp to upload configuration
- name: create the root backup directory at {{ backup_dir }}
- name: Create the root backup directory at {{ backup_dir }}
expect:
command: bash -c "echo 'mkdir {{ backup_dir }}' | sftp -P 23 {{ storagebox_username }}@{{ storagebox_hostname }}"
responses:
(?i)password: "{{ storagebox_password }}"
- name: create a home directory for each sub-account
- name: Create a home directory for each sub-account
expect:
command: |
bash -c 'sftp -P 23 {{ storagebox_username }}@{{ storagebox_hostname }} <<EOF
@ -17,7 +17,7 @@
responses:
(?i)password: "{{ storagebox_password }}"
- name: fetch ssh keys from each borg client machine
- name: Fetch ssh keys from each borg client machine
command: cat /root/.ssh/id_rsa.pub
check_mode: false
register: client_ssh_keys
@ -25,16 +25,16 @@
with_items: "{{ backup_clients }}"
changed_when: client_ssh_keys.changed
- name: create tempfile
- name: Create tempfile
tempfile: state=file
check_mode: false
register: tempfile
- name: fill tempfile
- name: Fill tempfile
copy: content="{{ lookup('template', 'authorized_keys.j2') }}" dest="{{ tempfile.path }}" mode=preserve
no_log: true
- name: upload authorized_keys for Arch DevOps
- name: Upload authorized_keys for Arch DevOps
expect:
command: |
bash -c 'sftp -P 23 {{ storagebox_username }}@{{ storagebox_hostname }} <<EOF
@ -46,13 +46,13 @@
responses:
(?i)password: "{{ storagebox_password }}"
- name: upload authorized_keys for each backup client
- name: Upload authorized_keys for each backup client
include_tasks: upload_client_authorized_keys.yml
loop: "{{ client_ssh_keys.results }}"
loop_control:
label: "{{ item.item }}"
- name: retrieve sub-account information
- name: Retrieve sub-account information
uri:
url: https://robot-ws.your-server.de/storagebox/{{ storagebox_id }}/subaccount
user: "{{ hetzner_webservice_username }}"
@ -61,11 +61,11 @@
register: subaccounts_raw
no_log: true
- name: get list of sub-accounts
- name: Get list of sub-accounts
set_fact:
subaccounts: "{{ subaccounts_raw.json | json_query('[].subaccount') }}"
- name: create missing sub-accounts
- name: Create missing sub-accounts
uri:
timeout: 60
url: https://robot-ws.your-server.de/storagebox/{{ storagebox_id }}/subaccount
@ -81,21 +81,21 @@
register: new_subaccounts_raw
no_log: true
- name: update list of sub-accounts
- name: Update list of sub-accounts
set_fact:
subaccounts: "{{ subaccounts + [item.json.subaccount | combine({'comment': item.invocation.module_args.body.comment})] }}"
loop: "{{ new_subaccounts_raw.results }}"
loop_control:
label: "{{ item.invocation.module_args.body.comment }}"
- name: match usernames to backup clients
- name: Match usernames to backup clients
set_fact:
backup_client_usernames: "{{ backup_client_usernames | default({}) | combine({item.comment: item.username}) }}"
loop: "{{ subaccounts }}"
loop_control:
label: "{{ {item.comment: item.username} }}"
- name: configure ssh on backup clients
- name: Configure ssh on backup clients
blockinfile:
path: /root/.ssh/config
create: true


@ -1,8 +1,8 @@
- name: fill tempfile
- name: Fill tempfile
copy: content="{{ lookup('template', 'authorized_keys_client.j2') }}" dest="{{ tempfile.path }}" mode=preserve
no_log: true
- name: upload authorized_keys file to {{ backup_dir }}/{{ item.item }}
- name: Upload authorized_keys file to {{ backup_dir }}/{{ item.item }}
expect:
command: |
bash -c 'sftp {{ storagebox_username }}@{{ storagebox_hostname }} <<EOF


@ -1,138 +1,138 @@
- name: read /etc/motd
- name: Read /etc/motd
command: cat /etc/motd
register: motd_contents
changed_when: motd_contents.stdout | length > 0
- name: check whether we're running in Hetzner or Equinix Metal rescue environment
- name: Check whether we're running in Hetzner or Equinix Metal rescue environment
fail: msg="Not running in rescue system!"
when: "'Hetzner Rescue' not in motd_contents.stdout and 'Rescue environment based on Alpine Linux' not in motd_contents.stdout"
- name: make sure all required packages are installed in the rescue system for installation
- name: Make sure all required packages are installed in the rescue system for installation
apk: name=sgdisk,btrfs-progs,tar update_cache=yes
when: ansible_facts['os_family'] == "Alpine"
- name: create GRUB embed partitions
- name: Create GRUB embed partitions
command: sgdisk -g --clear -n 1:0:+1M {{ item }} -c 1:boot -t 1:ef02
with_items:
- "{{ system_disks }}"
register: sgdisk
changed_when: "sgdisk.rc == 0"
- name: create root partitions
- name: Create root partitions
command: sgdisk -n 2:0:0 {{ item }} -c 2:root
with_items:
- "{{ system_disks }}"
register: sgdisk
changed_when: "sgdisk.rc == 0"
- name: partition and format the disks (btrfs RAID)
- name: Partition and format the disks (btrfs RAID)
command: mkfs.btrfs -f -L root -d {{ raid_level|default('raid1') }} -m {{ raid_level|default('raid1') }} -O no-holes {{ system_disks | map('regex_replace', '^(.*)$', '\g<1>p2' if 'nvme' in system_disks[0] else '\g<1>2') | join(' ') }}
when: filesystem == "btrfs" and system_disks|length >= 2
- name: partition and format the disks (btrfs single)
- name: Partition and format the disks (btrfs single)
command: mkfs.btrfs -f -L root -d single -m single -O no-holes {{ system_disks[0] }}{{ 'p2' if 'nvme' in system_disks[0] else '2' }}
when: filesystem == "btrfs" and system_disks|length == 1
- name: mount the filesystem (btrfs)
- name: Mount the filesystem (btrfs)
mount: src="{{ system_disks[0] }}{{ 'p2' if 'nvme' in system_disks[0] else '2' }}" path=/mnt state=mounted fstype=btrfs opts="compress-force=zstd,space_cache=v2"
when: filesystem == "btrfs"
- name: touch LOCK file on mountpoint
- name: Touch LOCK file on mountpoint
file: path=/mnt/LOCK state=touch owner=root group=root mode=0644
- name: download bootstrap image
- name: Download bootstrap image
get_url:
url: https://geo.mirror.pkgbuild.com/iso/{{ bootstrap_version }}/archlinux-bootstrap-x86_64.tar.gz
dest: /tmp/
mode: 0644
- name: extract boostrap image # noqa 208
- name: Extract boostrap image # noqa 208
unarchive:
src: /tmp/archlinux-bootstrap-x86_64.tar.gz
dest: /tmp
remote_src: true
creates: /tmp/root.x86_64
- name: copy resolv.conf to bootstrap chroot
- name: Copy resolv.conf to bootstrap chroot
copy: remote_src=true src=/etc/resolv.conf dest=/tmp/root.x86_64/etc/resolv.conf owner=root group=root mode=0644
- name: mount /proc to bootstrap chroot
- name: Mount /proc to bootstrap chroot
command: mount --rbind /proc /tmp/root.x86_64/proc creates=/tmp/root.x86_64/proc/uptime # noqa 303
- name: mount /sys to bootstrap chroot
- name: Mount /sys to bootstrap chroot
command: mount --rbind /sys /tmp/root.x86_64/sys creates=/tmp/root.x86_64/sys/dev # noqa 303
- name: mount /dev to bootstrap chroot
- name: Mount /dev to bootstrap chroot
command: mount --rbind /dev /tmp/root.x86_64/dev creates=/tmp/root.x86_64/dev/zero # noqa 303
- name: mount /mnt to bootstrap chroot
- name: Mount /mnt to bootstrap chroot
command: mount --rbind /mnt /tmp/root.x86_64/mnt creates=/tmp/root.x86_64/mnt/LOCK # noqa 303
- name: configure pacman mirror
- name: Configure pacman mirror
template: src=mirrorlist.j2 dest=/tmp/root.x86_64/etc/pacman.d/mirrorlist owner=root group=root mode=0644
- name: initialize pacman keyring inside bootstrap chroot
- name: Initialize pacman keyring inside bootstrap chroot
command: chroot /tmp/root.x86_64 pacman-key --init
register: chroot_pacman_key_init
changed_when: "chroot_pacman_key_init.rc == 0"
- name: populate pacman keyring inside bootstrap chroot
- name: Populate pacman keyring inside bootstrap chroot
command: chroot /tmp/root.x86_64 pacman-key --populate archlinux
register: chroot_pacman_key_populate
changed_when: "chroot_pacman_key_populate.rc == 0"
- name: install ucode update
- name: Install ucode update
block:
- name: install ucode update for Intel
- name: Install ucode update for Intel
set_fact: ucode="intel-ucode"
when: "'GenuineIntel' in ansible_facts['processor']"
- name: install ucode update for AMD
- name: Install ucode update for AMD
set_fact: ucode="amd-ucode"
when: "'AuthenticAMD' in ansible_facts['processor']"
when:
- "'hcloud' not in group_names"
- inventory_hostname != 'packer-base-image'
- name: install arch base from bootstrap chroot
- name: Install arch base from bootstrap chroot
command: chroot /tmp/root.x86_64 pacstrap /mnt base linux btrfs-progs grub openssh python-requests python-yaml inetutils {{ ucode | default('') }}
args:
creates: /tmp/root.x86_64/mnt/bin
- name: mount /proc to new chroot
- name: Mount /proc to new chroot
command: mount --rbind /proc /mnt/proc creates=/mnt/proc/uptime # noqa 303
- name: mount /sys to new chroot
- name: Mount /sys to new chroot
command: mount --rbind /sys /mnt/sys creates=/mnt/sys/dev # noqa 303
- name: mount /dev to new chroot
- name: Mount /dev to new chroot
command: mount --rbind /dev /mnt/dev creates=/mnt/dev/zero # noqa 303
- name: configure locale.gen
- name: Configure locale.gen
lineinfile: dest=/mnt/etc/locale.gen line="en_US.UTF-8 UTF-8" owner=root group=root mode=0644
- name: run locale-gen inside chroot
- name: Run locale-gen inside chroot
command: chroot /mnt locale-gen
register: chroot_locale_gen
changed_when: "chroot_locale_gen.rc == 0"
- name: run systemd-firstboot
- name: Run systemd-firstboot
command: chroot /mnt systemd-firstboot --locale=C.UTF-8 --timezone=UTC --hostname={{ hostname }}
register: chroot_systemd_firstboot
changed_when: "chroot_systemd_firstboot.rc == 0"
- name: run mkinitcpio
- name: Run mkinitcpio
command: chroot /mnt mkinitcpio -p linux
register: chroot_mkinitcpio
changed_when: "chroot_mkinitcpio.rc == 0"
- name: configure networking
- name: Configure networking
include_role:
name: networking
vars:
chroot_path: "/mnt"
- name: provide default mount options (btrfs)
- name: Provide default mount options (btrfs)
lineinfile:
path: /mnt/etc/default/grub
owner: root
@ -142,45 +142,45 @@
line: "GRUB_CMDLINE_LINUX_DEFAULT=\"rootflags=compress-force=zstd\""
when: filesystem == "btrfs"
- name: install grub
- name: Install grub
command: chroot /mnt grub-install --recheck {{ item }}
with_items:
- "{{ system_disks }}"
register: chroot_grub_install
changed_when: "chroot_grub_install.rc == 0"
- name: configure grub
- name: Configure grub
command: chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg
register: chroot_grub_mkconfig
changed_when: "chroot_grub_mkconfig.rc == 0"
- name: setup pacman-init.service on first boot
- name: Setup pacman-init.service on first boot
copy: src=pacman-init.service dest=/mnt/etc/systemd/system/ owner=root group=root mode=0644
- name: remove generated keyring in the installation process
- name: Remove generated keyring in the installation process
file: path=/mnt/etc/pacman.d/gnupg state=absent
- name: make sure /etc/machine-id is absent
- name: Make sure /etc/machine-id is absent
file: path=/mnt/etc/machine-id state=absent
- name: enable services inside chroot
- name: Enable services inside chroot
command: chroot /mnt systemctl enable sshd systemd-networkd systemd-resolved fstrim.timer pacman-init
register: chroot_systemd_services
changed_when: "chroot_systemd_services.rc == 0"
- name: add authorized key for root
- name: Add authorized key for root
include_role:
name: root_ssh
vars:
root_ssh_directory: /tmp/root.x86_64/mnt/root/.ssh
- name: configure sshd
- name: Configure sshd
template: src=sshd_config.j2 dest=/mnt/etc/ssh/sshd_config owner=root group=root mode=0644
- name: clean pacman cache
- name: Clean pacman cache
shell: yes | chroot /mnt pacman -Scc # noqa risky-shell-pipe ("Illegal option -o pipefail" in Hetzner's recovery environment (dash?))
register: chroot_pacman_clean_cache
changed_when: "chroot_pacman_clean_cache.rc == 0"
- name: remove LOCK file on mountpoint
- name: Remove LOCK file on mountpoint
file: path=/mnt/LOCK state=absent


@ -1,6 +1,6 @@
- name: restart keycloak
- name: Restart keycloak
service: name=keycloak state=restarted
- name: daemon reload
- name: Daemon reload
systemd:
daemon-reload: true


@ -1,56 +1,56 @@
- name: install keycloak
- name: Install keycloak
pacman: name=jre11-openjdk,keycloak,keycloak-archlinux-theme,keycloak-metrics-spi,python-passlib state=present
- name: create postgres keycloak user
- name: Create postgres keycloak user
postgresql_user: name="{{ vault_keycloak_db_user }}" password="{{ vault_keycloak_db_password }}"
become: true
become_user: postgres
become_method: su
no_log: true
- name: create keycloak db
- name: Create keycloak db
postgresql_db: name="{{ keycloak_db_name }}" owner="{{ vault_keycloak_db_user }}"
become: true
become_user: postgres
become_method: su
- name: template keycloak config
- name: Template keycloak config
template: src=keycloak.conf.j2 dest=/etc/keycloak/keycloak.conf owner=root group=keycloak mode=640
no_log: true
notify:
- restart keycloak
- name: create drop-in directory for keycloak.service
- name: Create drop-in directory for keycloak.service
file: path=/etc/systemd/system/keycloak.service.d state=directory owner=root group=root mode=0755
- name: get service facts
- name: Get service facts
service_facts:
- name: create an admin user when first starting keycloak
- name: Create an admin user when first starting keycloak
block:
- name: install admin creation drop-in for keycloak.service
- name: Install admin creation drop-in for keycloak.service
copy: src=create-keycloak-admin.conf dest=/etc/systemd/system/keycloak.service.d/ owner=root group=root mode=0644
- name: install temporary environment file with admin credentials
- name: Install temporary environment file with admin credentials
template: src=admin-user.conf.j2 dest=/etc/keycloak/admin-user.conf owner=root group=root mode=0600
no_log: true
- name: start and enable keycloak
- name: Start and enable keycloak
service: name=keycloak enabled=yes daemon_reload=yes state=started
- name: wait for keycloak to initialize
- name: Wait for keycloak to initialize
wait_for: port={{ keycloak_port }}
always:
- name: remove admin credentials once keycloak is running
- name: Remove admin credentials once keycloak is running
file: path=/etc/keycloak/admin-user.conf state=absent
- name: remove admin creation drop-in
- name: Remove admin creation drop-in
file: path=/etc/systemd/system/keycloak.service.d/create-keycloak-admin.conf state=absent
notify:
- daemon reload
when: ansible_facts.services["keycloak.service"]["state"] != "running"
- name: open firewall hole
- name: Open firewall hole
ansible.posix.firewalld: port={{ item }} permanent=true state=enabled immediate=yes
when: configure_firewall
with_items:
@ -59,7 +59,7 @@
tags:
- firewall
- name: create htpasswd for nginx prometheus endpoint
- name: Create htpasswd for nginx prometheus endpoint
htpasswd:
path: "{{ keycloak_nginx_htpasswd }}"
name: "{{ vault_keycloak_nginx_user }}"
@ -68,16 +68,16 @@
group: http
mode: 0640
- name: create ssl cert
- name: Create ssl cert
include_role:
name: certificate
vars:
domains: ["{{ keycloak_domain }}"]
- name: make nginx log dir
- name: Make nginx log dir
file: path="/var/log/nginx/{{ keycloak_domain }}" state=directory owner=root mode=0755
- name: set up nginx
- name: Set up nginx
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/keycloak.conf owner=root group=root mode=0644
notify:
- reload nginx
