Capitalize the first letter of all task names
ansible-lint 6.5.0 complains about: name: All names should start with an uppercase letter. (name[casing])
This commit is contained in:
parent
19ee76d74c
commit
26f289b72b
|
@ -1,4 +1,4 @@
|
|||
- name: setup Keycloak server
|
||||
- name: Setup Keycloak server
|
||||
hosts: accounts.archlinux.org
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: basic setup for all hosts
|
||||
- name: Basic setup for all hosts
|
||||
hosts: all
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: common playbook for archive-mirrors
|
||||
- name: Common playbook for archive-mirrors
|
||||
hosts: archive_mirrors
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,14 +1,14 @@
|
|||
- name: "prepare postgres ssl hosts list"
|
||||
hosts: archlinux.org
|
||||
tasks:
|
||||
- name: assign ipv4 addresses to fact postgres_hosts4
|
||||
- name: Assign ipv4 addresses to fact postgres_hosts4
|
||||
set_fact: postgres_hosts4="{{ [gemini4] + detected_ips }}"
|
||||
vars:
|
||||
gemini4: "{{ hostvars['gemini.archlinux.org']['wireguard_address'] }}/32"
|
||||
detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['wireguard_address']) | select() | map('regex_replace', '^(.+)$', '\\1/32') | list }}"
|
||||
tags: ["postgres", "firewall"]
|
||||
|
||||
- name: setup archlinux.org
|
||||
- name: Setup archlinux.org
|
||||
hosts: archlinux.org
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: setup aur.archlinux.org
|
||||
- name: Setup aur.archlinux.org
|
||||
hosts: aur.archlinux.org
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: setup bbs.archlinux.org
|
||||
- name: Setup bbs.archlinux.org
|
||||
hosts: bbs.archlinux.org
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: setup bugs.archlinux.org
|
||||
- name: Setup bugs.archlinux.org
|
||||
hosts: bugs.archlinux.org
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: setup build.archlinux.org
|
||||
- name: Setup build.archlinux.org
|
||||
hosts: build.archlinux.org
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: setup public dashboards server
|
||||
- name: Setup public dashboards server
|
||||
hosts: dashboards.archlinux.org
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: setup debuginfod.archlinux.org
|
||||
- name: Setup debuginfod.archlinux.org
|
||||
hosts: debuginfod.archlinux.org
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: setup gemini.archlinux.org
|
||||
- name: Setup gemini.archlinux.org
|
||||
hosts: gemini.archlinux.org
|
||||
remote_user: root
|
||||
vars:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: setup gitlab-runners
|
||||
- name: Setup gitlab-runners
|
||||
hosts: gitlab_runners
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: setup gitlab server
|
||||
- name: Setup gitlab server
|
||||
hosts: gitlab.archlinux.org
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: setup gluebuddy.archlinux.org
|
||||
- name: Setup gluebuddy.archlinux.org
|
||||
hosts: gluebuddy.archlinux.org
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: setup Hetzner storagebox account
|
||||
- name: Setup Hetzner storagebox account
|
||||
hosts: localhost
|
||||
gather_facts: false
|
||||
vars_files:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: setup homedir.archlinux.org
|
||||
- name: Setup homedir.archlinux.org
|
||||
hosts: homedir.archlinux.org
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: setup mailman server
|
||||
- name: Setup mailman server
|
||||
hosts: lists.archlinux.org
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: setup mail.archlinux.org
|
||||
- name: Setup mail.archlinux.org
|
||||
hosts: mail.archlinux.org
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: setup mailman3 server
|
||||
- name: Setup mailman3 server
|
||||
hosts: mailman3.archlinux.org
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: setup man.archlinux.org
|
||||
- name: Setup man.archlinux.org
|
||||
hosts: man.archlinux.org
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: setup matrix
|
||||
- name: Setup matrix
|
||||
hosts: matrix.archlinux.org
|
||||
remote_user: root
|
||||
vars_files:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: setup hedgedoc server
|
||||
- name: Setup hedgedoc server
|
||||
hosts: md.archlinux.org
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: common playbook for mirrors
|
||||
- name: Common playbook for mirrors
|
||||
hosts: mirrors
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: setup prometheus server
|
||||
- name: Setup prometheus server
|
||||
hosts: monitoring.archlinux.org
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: setup patchwork.archlinux.org
|
||||
- name: Setup patchwork.archlinux.org
|
||||
hosts: patchwork.archlinux.org
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: setup phrik bot server
|
||||
- name: Setup phrik bot server
|
||||
hosts: phrik.archlinux.org
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: setup quassel server
|
||||
- name: Setup quassel server
|
||||
hosts: quassel.archlinux.org
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: common playbook for rebuilderd_workers
|
||||
- name: Common playbook for rebuilderd_workers
|
||||
hosts: rebuilderd_workers
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: setup redirect.archlinux.org
|
||||
- name: Setup redirect.archlinux.org
|
||||
hosts: redirect.archlinux.org
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: setup reproducible builds rebuilder
|
||||
- name: Setup reproducible builds rebuilder
|
||||
hosts: reproducible.archlinux.org
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: setup rsync.net account
|
||||
- name: Setup rsync.net account
|
||||
hosts: localhost
|
||||
gather_facts: false
|
||||
vars_files:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: setup security.archlinux.org
|
||||
- name: Setup security.archlinux.org
|
||||
hosts: security.archlinux.org
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: setup state.archlinux.org (terraform state store)
|
||||
- name: Setup state.archlinux.org (terraform state store)
|
||||
hosts: state.archlinux.org
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,23 +1,23 @@
|
|||
- name: prepare local storage directory
|
||||
- name: Prepare local storage directory
|
||||
hosts: localhost
|
||||
tasks:
|
||||
- name: create borg-keys directory
|
||||
- name: Create borg-keys directory
|
||||
file: path="{{ playbook_dir }}/../../borg-keys/" state=directory # noqa 208
|
||||
|
||||
- name: fetch borg keys
|
||||
- name: Fetch borg keys
|
||||
hosts: borg_clients
|
||||
tasks:
|
||||
- name: fetch borg key
|
||||
- name: Fetch borg key
|
||||
command: "/usr/local/bin/borg key export :: /dev/stdout"
|
||||
register: borg_key
|
||||
changed_when: "borg_key.rc == 0"
|
||||
|
||||
- name: fetch borg offsite key
|
||||
- name: Fetch borg offsite key
|
||||
command: "/usr/local/bin/borg-offsite key export :: /dev/stdout"
|
||||
register: borg_offsite_key
|
||||
changed_when: "borg_offsite_key.rc == 0"
|
||||
|
||||
- name: save borg key
|
||||
- name: Save borg key
|
||||
shell: gpg --batch --armor --encrypt --output - >"{{ playbook_dir }}/../../borg-keys/{{ inventory_hostname }}.gpg" {% for userid in vault_super_pgpkeys | flatten %}--recipient {{ userid }} {% endfor %}
|
||||
args:
|
||||
stdin: "{{ borg_key.stdout }}"
|
||||
|
@ -26,7 +26,7 @@
|
|||
register: gpg_key
|
||||
changed_when: "gpg_key.rc == 0"
|
||||
|
||||
- name: save borg offsite key
|
||||
- name: Save borg offsite key
|
||||
shell: gpg --batch --armor --encrypt --output - >"{{ playbook_dir }}/../../borg-keys/{{ inventory_hostname }}-offsite.gpg" {% for userid in vault_super_pgpkeys | flatten %}--recipient {{ userid }} {% endfor %}
|
||||
args:
|
||||
stdin: "{{ borg_offsite_key.stdout }}"
|
||||
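Review bot: The `Fetch borg key` and `Fetch borg offsite key` tasks in the first hunk register the exported key material (`register: borg_key`, `register: borg_offsite_key`) without `no_log: true`, so a verbose run prints the key export into task output and into any configured callback log. Adding `no_log: true` to both tasks, and to the two `Save borg key` shell tasks that receive the same material via `stdin`, keeps it out of the output; the copy written to `borg-keys/` is GPG-encrypted, so the task output is the only unprotected copy. Separately, the `# noqa 208` marker on the `Create borg-keys directory` line uses a numeric rule id; ansible-lint 6 (the version named in the commit message) identifies rules by name, so that suppression may no longer match and is worth re-checking against the rule it was meant to silence.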
|
|
|
@ -1,7 +1,7 @@
|
|||
- name: check if moreutils is installed
|
||||
- name: Check if moreutils is installed
|
||||
pacman: name=moreutils state=present
|
||||
|
||||
- name: reencrypt vault {{ vault_id }} key
|
||||
- name: Reencrypt vault {{ vault_id }} key
|
||||
shell: |
|
||||
set -eo pipefail
|
||||
gpg --decrypt --batch --quiet "{{ playbook_dir }}/../../misc/vault-{{ vault_id }}-password.gpg" \
|
||||
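Review bot: The task name `Reencrypt vault {{ vault_id }} key` has a Jinja expression in the middle of the name; recent ansible-lint releases also carry a `name[template]` check that expects templating only at the end of a name (I am not certain it is active in 6.5.0), so a form such as `- name: Reencrypt key for vault {{ vault_id }}` would satisfy both sub-rules. The first task's name, `Check if moreutils is installed`, describes a check while `pacman: name=moreutils state=present` actually installs the package; `- name: Install moreutils` says what it does. The `shell: |` block of the reencrypt task continues past the end of the hunk.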
|
|
|
@ -1,62 +1,62 @@
|
|||
- name: ensure latest keyring
|
||||
- name: Ensure latest keyring
|
||||
pacman:
|
||||
name: archlinux-keyring
|
||||
state: latest
|
||||
update_cache: yes
|
||||
|
||||
- name: upgrade all packages
|
||||
- name: Upgrade all packages
|
||||
pacman:
|
||||
upgrade: yes
|
||||
register: pacman_upgrade
|
||||
|
||||
- name: stop if no packages were upgraded
|
||||
- name: Stop if no packages were upgraded
|
||||
meta: end_host
|
||||
when: pacman_upgrade is not changed
|
||||
|
||||
- name: check for running builds
|
||||
- name: Check for running builds
|
||||
block:
|
||||
- name: list build-related processes
|
||||
- name: List build-related processes
|
||||
command: pgrep -x 'mkarchroot|makechrootpkg|systemd-nspawn'
|
||||
register: pgrep
|
||||
ignore_errors: true
|
||||
|
||||
- name: abort reboot with running builds
|
||||
- name: Abort reboot with running builds
|
||||
meta: end_host
|
||||
when: pgrep is succeeded
|
||||
when: "'buildservers' in group_names"
|
||||
|
||||
|
||||
- name: check for active borg backup jobs
|
||||
- name: Check for active borg backup jobs
|
||||
block:
|
||||
- name: check if /backup exists
|
||||
- name: Check if /backup exists
|
||||
stat: path=/backup
|
||||
register: backup_mountdir
|
||||
|
||||
- name: abort reboot when borg backup is running
|
||||
- name: Abort reboot when borg backup is running
|
||||
meta: end_host
|
||||
when: backup_mountdir.stat.exists
|
||||
when: "'borg_clients' in group_names"
|
||||
|
||||
- name: gemini pre-reboot checks
|
||||
- name: Gemini pre-reboot checks
|
||||
block:
|
||||
- name: list logged on users
|
||||
- name: List logged on users
|
||||
command: who
|
||||
register: who
|
||||
|
||||
- name: abort reboot with logged on users
|
||||
- name: Abort reboot with logged on users
|
||||
meta: end_host
|
||||
when:
|
||||
- who is changed
|
||||
- who.stdout_lines|length > 1
|
||||
|
||||
- name: stop arch-svntogit.timer
|
||||
- name: Stop arch-svntogit.timer
|
||||
service: name=arch-svntogit.timer state=stopped
|
||||
|
||||
- name: wait for svntogit to finish
|
||||
- name: Wait for svntogit to finish
|
||||
wait_for:
|
||||
path: /srv/svntogit/update-repos.sh.lock
|
||||
state: absent
|
||||
when: inventory_hostname == "gemini.archlinux.org"
|
||||
|
||||
- name: reboot
|
||||
- name: Reboot
|
||||
reboot:
|
||||
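Review bot: `update_cache: yes` and `upgrade: yes` in the first two tasks use YAML 1.1 truthy spellings, which the same ansible-lint run that motivated this commit reports through its yamllint integration as `yaml[truthy]`; `update_cache: true` and `upgrade: true` are the canonical forms. The `List build-related processes` task uses `ignore_errors: true` to tolerate pgrep's non-zero exit when nothing matches, which ansible-lint flags under `ignore-errors`. If that is changed, it needs two lines rather than one: `failed_when: false` on the pgrep task and `when: pgrep.rc == 0` on the `Abort reboot with running builds` task, because the `succeeded` test keys off the result's failed flag, which `failed_when: false` clears, so the existing `when: pgrep is succeeded` would otherwise always be true and abort every reboot.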
|
|
|
@ -1,7 +1,7 @@
|
|||
# This script is for provisioning a server for first boot.
|
||||
# Care: It is not idempotent by design.
|
||||
|
||||
- name: install_arch
|
||||
- name: Install arch
|
||||
hosts: all
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -8,13 +8,13 @@
|
|||
tempfile: state=directory suffix=pacman
|
||||
register: tempdir
|
||||
|
||||
- name: fetch pacman tarball
|
||||
- name: Fetch pacman tarball
|
||||
get_url: url=https://sources.archlinux.org/other/pacman/pacman-{{ pacman_version }}.tar.xz dest={{ tempdir.path }}/pacman.tar.xz
|
||||
|
||||
- name: unpack tarball
|
||||
- name: Unpack tarball
|
||||
unarchive: src={{ tempdir.path }}/pacman.tar.xz dest={{ tempdir.path }}
|
||||
|
||||
- name: build website
|
||||
- name: Build website
|
||||
command: "{{ item }}"
|
||||
args:
|
||||
chdir: "{{ tempdir.path }}/pacman-{{ pacman_version }}"
|
||||
|
@ -23,10 +23,10 @@
|
|||
- ninja -C build doc/website.tar.gz
|
||||
|
||||
- block:
|
||||
- name: create website directory
|
||||
- name: Create website directory
|
||||
file: state=directory owner=root group=root mode=0755 path={{ pacman_dir }}
|
||||
|
||||
- name: upload website
|
||||
- name: Upload website
|
||||
unarchive:
|
||||
src: "{{ tempdir.path }}/pacman-{{ pacman_version }}/build/doc/website.tar.gz"
|
||||
dest: "{{ pacman_dir }}"
|
||||
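Review bot: The `Fetch pacman tarball` task in the first hunk downloads `pacman-{{ pacman_version }}.tar.xz` with `get_url` and no `checksum` argument, and the archive is then unpacked and built by the `Unpack tarball` and `Build website` tasks, so a tampered or truncated download would be built and uploaded without detection. Pinning the expected digest next to the version, e.g. `checksum=sha256:<digest-of-the-pinned-release>` on the same line, or verifying the release signature before the unarchive step, closes that gap. The `Build website` task continues past the end of the first hunk.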
|
|
|
@ -1,7 +1,7 @@
|
|||
- name: reencrypt vault default key
|
||||
- name: Reencrypt vault default key
|
||||
hosts: localhost
|
||||
tasks:
|
||||
- name: reencrypt vault default key
|
||||
- name: Reencrypt vault default key
|
||||
include_tasks: include/reencrypt-vault-key.yml
|
||||
vars:
|
||||
vault_id: default
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
- name: reencrypt vault super key
|
||||
- name: Reencrypt vault super key
|
||||
hosts: localhost
|
||||
tasks:
|
||||
- name: reencrypt vault super key
|
||||
- name: Reencrypt vault super key
|
||||
include_tasks: include/reencrypt-vault-key.yml
|
||||
vars:
|
||||
vault_id: super
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
- name: fetch ssh hostkeys
|
||||
- name: Fetch ssh hostkeys
|
||||
hosts: all
|
||||
gather_facts: false
|
||||
tasks:
|
||||
- name: fetch hostkey checksums
|
||||
- name: Fetch hostkey checksums
|
||||
shell: |
|
||||
for type in sha256 md5; do
|
||||
for file in /etc/ssh/ssh_host_*.pub; do
|
||||
|
@ -13,7 +13,7 @@
|
|||
register: ssh_hostkeys
|
||||
changed_when: ssh_hostkeys | length > 0
|
||||
|
||||
- name: fetch known_hosts
|
||||
- name: Fetch known_hosts
|
||||
shell: |
|
||||
set -eo pipefail
|
||||
ssh-keyscan 127.0.0.1 2>/dev/null \
|
||||
|
@ -26,10 +26,10 @@
|
|||
register: known_hosts
|
||||
changed_when: known_hosts | length > 0
|
||||
|
||||
- name: store hostkeys
|
||||
- name: Store hostkeys
|
||||
hosts: localhost
|
||||
tasks:
|
||||
- name: store hostkeys
|
||||
- name: Store hostkeys
|
||||
copy:
|
||||
dest: "{{ playbook_dir }}/../../docs/ssh-hostkeys.txt"
|
||||
content: |
|
||||
|
@ -40,7 +40,7 @@
|
|||
{% endfor %}
|
||||
mode: preserve
|
||||
|
||||
- name: store known_hosts
|
||||
- name: Store known_hosts
|
||||
blockinfile:
|
||||
path: "{{ playbook_dir }}/../../docs/ssh-known_hosts.txt"
|
||||
block: |
|
||||
|
@ -51,9 +51,9 @@
|
|||
|
||||
{% endfor %}
|
||||
|
||||
- name: upload known_hosts to all nodes
|
||||
- name: Upload known_hosts to all nodes
|
||||
hosts: all
|
||||
tasks:
|
||||
- name: upload known_hosts
|
||||
- name: Upload known_hosts
|
||||
copy: dest=/etc/ssh/ssh_known_hosts src="{{ playbook_dir }}/../../docs/ssh-known_hosts.txt" owner=root group=root mode=0644
|
||||
tags: ['upload-known-hosts']
|
||||
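Review bot: `changed_when: ssh_hostkeys | length > 0` (second hunk) and `changed_when: known_hosts | length > 0` (third hunk) measure the length of the registered result mapping, which always has entries (`rc`, `stdout`, …), so both tasks report changed on every run; `changed_when: ssh_hostkeys.stdout | length > 0` and `changed_when: known_hosts.stdout | length > 0` are presumably what was intended. Both `shell` tasks that produce those results start inside their hunk and continue outside it. In the last hunk, `Upload known_hosts` installs the repository's `ssh-known_hosts.txt` as `/etc/ssh/ssh_known_hosts` on every node, which makes that file the trust anchor for host-to-host SSH; a one-line comment above the play saying so, e.g. `# docs/ssh-known_hosts.txt is pushed to every node as the system known_hosts; review changes to it carefully`, would help future editors.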
|
|
|
@ -1,19 +1,19 @@
|
|||
- name: upgrade and reboot all hetzner servers
|
||||
- name: Upgrade and reboot all hetzner servers
|
||||
hosts: all,!kape_servers,!equinix_metal
|
||||
max_fail_percentage: 0
|
||||
serial: 20%
|
||||
gather_facts: false
|
||||
|
||||
tasks:
|
||||
- name: upgrade each host in this batch
|
||||
- name: Upgrade each host in this batch
|
||||
include_tasks: include/upgrade-server.yml
|
||||
|
||||
- name: upgrade and reboot all Kape and Equinix Metal servers
|
||||
- name: Upgrade and reboot all Kape and Equinix Metal servers
|
||||
hosts: kape_servers,equinix_metal
|
||||
max_fail_percentage: 0
|
||||
serial: 1
|
||||
gather_facts: false
|
||||
|
||||
tasks:
|
||||
- name: upgrade each host in this batch
|
||||
- name: Upgrade each host in this batch
|
||||
include_tasks: include/upgrade-server.yml
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: setup wiki.archlinux.org
|
||||
- name: Setup wiki.archlinux.org
|
||||
hosts: wiki.archlinux.org
|
||||
remote_user: root
|
||||
roles:
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
- name: restart powerdns
|
||||
- name: Restart powerdns
|
||||
service: name=pdns state=restarted
|
||||
|
|
|
@ -1,24 +1,24 @@
|
|||
- name: install powerdns
|
||||
- name: Install powerdns
|
||||
pacman: name=powerdns state=present
|
||||
|
||||
- name: install PowerDNS configuration
|
||||
- name: Install PowerDNS configuration
|
||||
template: src={{ item.src }} dest=/etc/powerdns/{{ item.dest }} owner=root group=root mode=0644
|
||||
loop:
|
||||
- {src: pdns.conf.j2, dest: pdns.conf}
|
||||
- {src: dnsupdate-policy.lua.j2, dest: dnsupdate-policy.lua}
|
||||
notify: restart powerdns
|
||||
|
||||
- name: create directory for sqlite3 dbs
|
||||
- name: Create directory for sqlite3 dbs
|
||||
file: path=/var/lib/powerdns state=directory owner=powerdns group=powerdns mode=0755
|
||||
|
||||
- name: initialize sqlite3 database for _acme-challenge zones
|
||||
- name: Initialize sqlite3 database for _acme-challenge zones
|
||||
command: sqlite3 -init /usr/share/doc/powerdns/schema.sqlite3.sql /var/lib/powerdns/pdns.sqlite3 ""
|
||||
become: true
|
||||
become_user: powerdns
|
||||
args:
|
||||
creates: /var/lib/powerdns/pdns.sqlite3
|
||||
|
||||
- name: create _acme-challenge zones
|
||||
- name: Create _acme-challenge zones
|
||||
shell: |
|
||||
pdnsutil create-zone _acme-challenge.{{ item }} {{ inventory_hostname }}
|
||||
pdnsutil replace-rrset _acme-challenge.{{ item }} @ SOA "{{ inventory_hostname }}. root.archlinux.org. 0 10800 3600 604800 3600"
|
||||
|
@ -27,18 +27,18 @@
|
|||
become_user: powerdns
|
||||
changed_when: false
|
||||
|
||||
- name: import TSIG key (for certbot)
|
||||
- name: Import TSIG key (for certbot)
|
||||
command: pdnsutil import-tsig-key {{ certbot_rfc2136_key }} {{ certbot_rfc2136_algorithm }} {{ certbot_rfc2136_secret }}
|
||||
changed_when: false
|
||||
|
||||
- name: open powerdns ipv4 port for monitoring.archlinux.org
|
||||
- name: Open powerdns ipv4 port for monitoring.archlinux.org
|
||||
ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
|
||||
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port=8081 accept"
|
||||
tags:
|
||||
- firewall
|
||||
|
||||
- name: open firewall hole
|
||||
- name: Open firewall hole
|
||||
ansible.posix.firewalld: service=dns permanent=true state=enabled immediate=yes
|
||||
|
||||
- name: start and enable powerdns
|
||||
- name: Start and enable powerdns
|
||||
systemd: name=pdns.service enabled=yes daemon_reload=yes state=started
|
||||
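Review bot: The `Import TSIG key (for certbot)` task in the second hunk passes `{{ certbot_rfc2136_secret }}` as a command-line argument to `pdnsutil import-tsig-key` with no `no_log: true`, so the TSIG secret appears in task output on verbose runs and in any callback log, and is visible in the process list while the command runs. `no_log: true` on that task addresses the output side; the argv exposure is inherent to the interface and deserves a comment such as `# secret is passed as an argument; keep no_log on this task`. `changed_when: false` also hides that the key is re-imported on every run; registering the output of `pdnsutil list-tsig-keys` and conditioning the import on it would make the task idempotent rather than merely silent.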
|
|
|
@ -1,2 +1,2 @@
|
|||
- name: reload alertmanager
|
||||
- name: Reload alertmanager
|
||||
service: name=alertmanager state=reloaded
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
- name: install alertmanager server
|
||||
- name: Install alertmanager server
|
||||
pacman: name=alertmanager state=present
|
||||
|
||||
- name: install alertmanager configuration
|
||||
- name: Install alertmanager configuration
|
||||
template: src=alertmanager.yml.j2 dest=/etc/alertmanager/alertmanager.yml owner=root group=alertmanager mode=640
|
||||
notify: reload alertmanager
|
||||
|
||||
- name: enable alertmanager server service
|
||||
- name: Enable alertmanager server service
|
||||
systemd: name=alertmanager enabled=yes daemon_reload=yes state=started
|
||||
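Review bot: `mode=640` on the `Install alertmanager configuration` template line has no leading zero, which ansible-lint reports under `risky-octal` (octal modes must carry a leading zero or be quoted) in the same run that produced the `name[casing]` findings this commit fixes; `mode=0640` keeps the intended permission explicit. The same pattern appears in the archmanweb tasks section further down on the `Set up nginx` template line (`mode=644`, which should read `mode=0644`).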
|
|
|
@ -1,10 +1,10 @@
|
|||
- name: install arch-boxes-sync.sh script dependencies
|
||||
- name: Install arch-boxes-sync.sh script dependencies
|
||||
pacman: name=curl,jq,unzip state=present
|
||||
|
||||
- name: install arch-boxes-sync.sh script
|
||||
- name: Install arch-boxes-sync.sh script
|
||||
copy: src=arch-boxes-sync.sh dest=/usr/local/bin/ owner=root group=root mode=0755
|
||||
|
||||
- name: install arch-boxes-sync.{service,timer}
|
||||
- name: Install arch-boxes-sync.{service,timer}
|
||||
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
|
||||
loop:
|
||||
- arch-boxes-sync.service
|
||||
|
@ -12,5 +12,5 @@
|
|||
notify:
|
||||
- daemon reload
|
||||
|
||||
- name: start and enable arch-boxes-sync.timer
|
||||
- name: Start and enable arch-boxes-sync.timer
|
||||
systemd: name=arch-boxes-sync.timer enabled=yes daemon_reload=yes state=started
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
- name: daemon reload
|
||||
- name: Daemon reload
|
||||
systemd:
|
||||
daemon-reload: true
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: install archbuild
|
||||
- name: Install archbuild
|
||||
pacman:
|
||||
name:
|
||||
- base-devel
|
||||
|
@ -16,7 +16,7 @@
|
|||
- appstream-generator
|
||||
state: present
|
||||
|
||||
- name: install archbuild scripts
|
||||
- name: Install archbuild scripts
|
||||
copy: src={{ item }} dest=/usr/local/bin/{{ item }} owner=root group=root mode=0755
|
||||
with_items:
|
||||
- mkpkg
|
||||
|
@ -28,12 +28,12 @@
|
|||
- clean-offload-build
|
||||
- gitpkg
|
||||
|
||||
- name: install archbuild config files
|
||||
- name: Install archbuild config files
|
||||
copy: src={{ item }} dest=/usr/local/share/{{ item }} owner=root group=root mode=0644
|
||||
with_items:
|
||||
- elinks-pkgdiffrepo.conf
|
||||
|
||||
- name: install archbuild units
|
||||
- name: Install archbuild units
|
||||
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
|
||||
with_items:
|
||||
- clean-chroots.timer
|
||||
|
@ -47,33 +47,33 @@
|
|||
notify:
|
||||
- daemon reload
|
||||
|
||||
- name: install archbuild unit
|
||||
- name: Install archbuild unit
|
||||
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
|
||||
with_items:
|
||||
- var-lib-archbuild.mount
|
||||
notify:
|
||||
- daemon reload
|
||||
|
||||
- name: install archbuild user units
|
||||
- name: Install archbuild user units
|
||||
copy: src={{ item }} dest=/etc/systemd/user/{{ item }} owner=root group=root mode=0644
|
||||
with_items:
|
||||
- mkpkg@.timer
|
||||
- mkpkg@.service
|
||||
|
||||
- name: install user-.slice snippet
|
||||
- name: Install user-.slice snippet
|
||||
copy: src=user-.slice.d dest=/etc/systemd/system owner=root group=root mode=0644
|
||||
|
||||
- name: start and enable archbuild mounts
|
||||
- name: Start and enable archbuild mounts
|
||||
service: name={{ item }} enabled={{ "yes" if archbuild_fs == 'tmpfs' else "no" }} state={{ "started" if archbuild_fs == 'tmpfs' else "stopped" }}
|
||||
with_items:
|
||||
- var-lib-archbuild.mount
|
||||
|
||||
- name: start and enable archbuilddest mount
|
||||
- name: Start and enable archbuilddest mount
|
||||
service: name={{ item }} enabled=yes state=started
|
||||
with_items:
|
||||
- var-lib-archbuilddest.mount
|
||||
|
||||
- name: create archbuilddest
|
||||
- name: Create archbuilddest
|
||||
file:
|
||||
state: directory
|
||||
path: '/var/lib/{{ "/".join(item) }}'
|
||||
|
@ -84,7 +84,7 @@
|
|||
- [archbuilddest]
|
||||
- [srcdest]
|
||||
|
||||
- name: set acl on archbuilddest
|
||||
- name: Set acl on archbuilddest
|
||||
acl:
|
||||
name: '/var/lib/archbuilddest/{{ item[0] }}'
|
||||
state: present
|
||||
|
@ -104,18 +104,18 @@
|
|||
'default:other::r-x',
|
||||
'default:mask::rwx']
|
||||
|
||||
- name: start and enable archbuild units
|
||||
- name: Start and enable archbuild units
|
||||
service: name={{ item }} enabled=yes state=started
|
||||
with_items:
|
||||
- clean-chroots.timer
|
||||
- clean-dests.timer
|
||||
- clean-offload-build.timer
|
||||
|
||||
- name: install makepkg.conf
|
||||
- name: Install makepkg.conf
|
||||
template: src=makepkg.conf.j2 dest=/etc/makepkg.conf owner=root group=root mode=0644
|
||||
|
||||
- name: install archbuild sudoers config
|
||||
- name: Install archbuild sudoers config
|
||||
copy: src=sudoers dest=/etc/sudoers.d/archbuild owner=root group=root mode=0440
|
||||
|
||||
- name: install gitconfig
|
||||
- name: Install gitconfig
|
||||
copy: src=gitconfig dest=/etc/gitconfig owner=root group=root mode=0644
|
||||
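Review bot: The `Install archbuild sudoers config` task in the last hunk copies a file into `/etc/sudoers.d/` without `validate`, so a syntax error in the role's `sudoers` source file would be installed as-is and can break `sudo` on the build hosts. The `copy` module can check the staged file before it is moved into place: `copy: src=sudoers dest=/etc/sudoers.d/archbuild owner=root group=root mode=0440 validate='visudo -cf %s'`.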
|
|
|
@ -1,7 +1,7 @@
|
|||
- name: install archivetools package
|
||||
- name: Install archivetools package
|
||||
pacman: name=archivetools state=present
|
||||
|
||||
- name: make archive dir
|
||||
- name: Make archive dir
|
||||
file:
|
||||
path: "{{ archive_dir }}"
|
||||
state: directory
|
||||
|
@ -9,7 +9,7 @@
|
|||
group: archive
|
||||
mode: 0755
|
||||
|
||||
- name: setup archive configuration
|
||||
- name: Setup archive configuration
|
||||
template:
|
||||
src: archive.conf.j2
|
||||
dest: /etc/archive.conf
|
||||
|
@ -17,34 +17,34 @@
|
|||
group: root
|
||||
mode: 0644
|
||||
|
||||
- name: setup archive timer
|
||||
- name: Setup archive timer
|
||||
systemd: name=archive.timer enabled=yes state=started
|
||||
|
||||
- name: setup archive-hardlink timer
|
||||
- name: Setup archive-hardlink timer
|
||||
systemd: name=archive-hardlink.timer enabled=yes state=started
|
||||
- name: install internet archive packages
|
||||
- name: Install internet archive packages
|
||||
pacman: name=python-internetarchive,python-xtarfile state=present
|
||||
|
||||
- name: create archive user
|
||||
- name: Create archive user
|
||||
user: name={{ archive_user_name }} shell=/bin/false home="{{ archive_user_home }}" createhome=yes
|
||||
|
||||
- name: configure archive.org client
|
||||
- name: Configure archive.org client
|
||||
command: ia configure --username={{ vault_archive_username }} --password={{ vault_archive_password }} creates={{ archive_user_home }}/.config/ia.ini
|
||||
become: true
|
||||
become_user: "{{ archive_user_name }}"
|
||||
|
||||
- name: clone archive uploader code
|
||||
- name: Clone archive uploader code
|
||||
git: repo=https://github.com/archlinux/arch-historical-archive.git dest="{{ archive_repo }}" version="{{ archive_uploader_version }}"
|
||||
become: true
|
||||
become_user: "{{ archive_user_name }}"
|
||||
|
||||
- name: install system service
|
||||
- name: Install system service
|
||||
template: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
|
||||
loop:
|
||||
- archive-uploader.service
|
||||
- archive-uploader.timer
|
||||
|
||||
- name: start uploader timer
|
||||
- name: Start uploader timer
|
||||
systemd:
|
||||
name: archive-uploader.timer
|
||||
enabled: true
|
||||
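Review bot: The `Configure archive.org client` task in the third hunk runs `ia configure --username={{ vault_archive_username }} --password={{ vault_archive_password }}` with no `no_log: true`, so the vault password is echoed into task output on verbose runs and any callback log, and is exposed in the process list for the duration of the command. `no_log: true` on that task is the minimal fix, with a comment such as `# credentials are passed as arguments; keep no_log set` to record why. `creates=` is given inside the free-form command here, which the `command` module accepts as a shorthand argument, but moving it under `args:` as the powerdns tasks in this commit do would make the style consistent.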
|
|
|
@ -1,10 +1,10 @@
|
|||
- name: create ssl cert
|
||||
- name: Create ssl cert
|
||||
include_role:
|
||||
name: certificate
|
||||
vars:
|
||||
domains: ["{{ archive_domain }}"]
|
||||
|
||||
- name: set up nginx
|
||||
- name: Set up nginx
|
||||
template:
|
||||
src: nginx.d.conf.j2
|
||||
dest: /etc/nginx/nginx.d/archive.conf
|
||||
|
@ -15,7 +15,7 @@
|
|||
- reload nginx
|
||||
tags: ['nginx']
|
||||
|
||||
- name: make nginx log dir
|
||||
- name: Make nginx log dir
|
||||
file:
|
||||
path: /var/log/nginx/{{ archive_domain }}
|
||||
state: directory
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
- name: create ssl cert
|
||||
- name: Create ssl cert
|
||||
include_role:
|
||||
name: certificate
|
||||
vars:
|
||||
domains: ["{{ archmanweb_domain }}"]
|
||||
when: 'archmanweb_domain is defined'
|
||||
|
||||
- name: install required packages
|
||||
- name: Install required packages
|
||||
pacman:
|
||||
state: present
|
||||
name:
|
||||
|
@ -22,24 +22,24 @@
|
|||
- make
|
||||
- sassc
|
||||
|
||||
- name: make archmanweb user
|
||||
- name: Make archmanweb user
|
||||
user: name=archmanweb shell=/bin/false home="{{ archmanweb_dir }}"
|
||||
|
||||
- name: fix home permissions
|
||||
- name: Fix home permissions
|
||||
file: state=directory owner=archmanweb group=archmanweb mode=0755 path="{{ archmanweb_dir }}"
|
||||
|
||||
- name: set archmanweb groups
|
||||
- name: Set archmanweb groups
|
||||
user: name=archmanweb groups=uwsgi
|
||||
|
||||
- name: set up nginx
|
||||
- name: Set up nginx
|
||||
template: src=nginx.d.conf.j2 dest="{{ archmanweb_nginx_conf }}" owner=root group=root mode=644
|
||||
notify: reload nginx
|
||||
tags: ['nginx']
|
||||
|
||||
- name: make nginx log dir
|
||||
- name: Make nginx log dir
|
||||
file: path=/var/log/nginx/{{ archmanweb_domain }} state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: clone archmanweb repo
|
||||
- name: Clone archmanweb repo
|
||||
git: >
|
||||
repo={{ archmanweb_repository }}
|
||||
dest="{{ archmanweb_dir }}/repo"
|
||||
|
@ -51,7 +51,7 @@
|
|||
become_user: archmanweb
|
||||
register: release
|
||||
|
||||
- name: build archlinux-common-style
|
||||
- name: Build archlinux-common-style
|
||||
command:
|
||||
cmd: make SASS=sassc
|
||||
chdir: "{{ archmanweb_dir }}/repo/archlinux-common-style"
|
||||
|
@ -59,27 +59,27 @@
|
|||
become_user: archmanweb
|
||||
when: release.changed or archmanweb_forced_deploy
|
||||
|
||||
- name: configure archmanweb
|
||||
- name: Configure archmanweb
|
||||
template: src=local_settings.py.j2 dest={{ archmanweb_dir }}/repo/local_settings.py owner=archmanweb group=archmanweb mode=0660
|
||||
register: config
|
||||
no_log: true
|
||||
|
||||
- name: copy robots.txt
|
||||
- name: Copy robots.txt
|
||||
copy: src=robots.txt dest="{{ archmanweb_dir }}/repo/robots.txt" owner=root group=root mode=0644
|
||||
|
||||
- name: create archmanweb db user
|
||||
- name: Create archmanweb db user
|
||||
postgresql_user: name={{ archmanweb_db_user }} password={{ vault_archmanweb_db_password }} login_host="{{ archmanweb_db_host }}" login_password="{{ vault_postgres_users.postgres }}" encrypted=yes
|
||||
no_log: true
|
||||
|
||||
- name: create archmanweb db
|
||||
- name: Create archmanweb db
|
||||
postgresql_db: name="{{ archmanweb_db }}" login_host="{{ archmanweb_db_host }}" login_password="{{ vault_postgres_users.postgres }}" owner="{{ archmanweb_db_user }}"
|
||||
register: db_created
|
||||
|
||||
- name: add pg_trgm extension to the archmanweb db
|
||||
- name: Add pg_trgm extension to the archmanweb db
|
||||
postgresql_ext: name="pg_trgm" db="{{ archmanweb_db }}" login_host="{{ archmanweb_db_host }}" login_password="{{ vault_postgres_users.postgres }}"
|
||||
when: db_created.changed or archmanweb_forced_deploy
|
||||
|
||||
- name: run Django management tasks
|
||||
- name: Run Django management tasks
|
||||
django_manage: app_path="{{ archmanweb_dir }}/repo" command="{{ item }}"
|
||||
with_items:
|
||||
- migrate
|
||||
|
@ -89,18 +89,18 @@
|
|||
become_user: archmanweb
|
||||
when: db_created.changed or release.changed or config.changed or archmanweb_forced_deploy
|
||||
|
||||
- name: configure UWSGI for archmanweb
|
||||
- name: Configure UWSGI for archmanweb
|
||||
template: src=archmanweb.ini.j2 dest=/etc/uwsgi/vassals/archmanweb.ini owner=archmanweb group=http mode=0640
|
||||
|
||||
- name: deploy new release
|
||||
- name: Deploy new release
|
||||
file: path=/etc/uwsgi/vassals/archmanweb.ini state=touch owner=archmanweb group=http mode=0640
|
||||
when: release.changed or config.changed or archmanweb_forced_deploy
|
||||
|
||||
- name: install systemd units
|
||||
- name: Install systemd units
|
||||
template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
|
||||
with_items:
|
||||
- archmanweb_update.service
|
||||
- archmanweb_update.timer
|
||||
|
||||
- name: start and enable archmanweb update timer
|
||||
- name: Start and enable archmanweb update timer
|
||||
systemd: name="archmanweb_update.timer" enabled=yes state=started daemon_reload=yes
|
||||
|
|
|
@ -1,13 +1,13 @@
|
|||
- name: create Arch Linux-specific groups
|
||||
- name: Create Arch Linux-specific groups
|
||||
group: name="{{ item }}" state=present system=no
|
||||
with_items: "{{ arch_groups }}"
|
||||
|
||||
- name: filter arch_users for users with non-matching hosts
|
||||
- name: Filter arch_users for users with non-matching hosts
|
||||
set_fact: arch_users_filtered="{{ (arch_users_filtered | default([])) + [ item ] }}"
|
||||
when: item.value.hosts is not defined or inventory_hostname in item.value.hosts
|
||||
with_dict: "{{ arch_users }}"
|
||||
|
||||
- name: create Arch Linux-specific users
|
||||
- name: Create Arch Linux-specific users
|
||||
user:
|
||||
name: "{{ item.key }}"
|
||||
group: users
|
||||
|
@ -19,25 +19,25 @@
|
|||
state: present
|
||||
loop: "{{ arch_users_filtered }}"
|
||||
|
||||
- name: create .ssh directory
|
||||
- name: Create .ssh directory
|
||||
file: path=/home/{{ item.key }}/.ssh state=directory owner={{ item.key }} group=users mode=0700
|
||||
loop: "{{ arch_users_filtered }}"
|
||||
|
||||
- name: configure ssh keys
|
||||
- name: Configure ssh keys
|
||||
template: src=authorized_keys.j2 dest=/home/{{ item.key }}/.ssh/authorized_keys owner={{ item.key }} group=users mode=0600
|
||||
when: item.value.ssh_key is defined
|
||||
loop: "{{ arch_users_filtered }}"
|
||||
|
||||
- name: remove ssh keys if undefined
|
||||
- name: Remove ssh keys if undefined
|
||||
file: path=/home/{{ item.key }}/.ssh/authorized_keys state=absent
|
||||
when: item.value.ssh_key is not defined
|
||||
loop: "{{ arch_users_filtered }}"
|
||||
|
||||
- name: get list of remote users
|
||||
- name: Get list of remote users
|
||||
find: paths="/home" file_type="directory"
|
||||
register: all_users
|
||||
|
||||
- name: disable ssh keys of disabled users
|
||||
- name: Disable ssh keys of disabled users
|
||||
file: path="/home/{{ item }}/.ssh/authorized_keys" state=absent
|
||||
when:
|
||||
- item not in (arch_users_filtered | map(attribute='key'))
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
- name: daemon reload
|
||||
- name: Daemon reload
|
||||
systemd:
|
||||
daemon-reload: true
|
||||
|
||||
- name: restart archweb memcached
|
||||
- name: Restart archweb memcached
|
||||
service: name=archweb-memcached state=restarted
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: run maintenance mode
|
||||
- name: Run maintenance mode
|
||||
include_role:
|
||||
name: maintenance
|
||||
vars:
|
||||
|
@ -9,41 +9,41 @@
|
|||
service_nginx_template: "maintenance-nginx.d.conf.j2"
|
||||
when: maintenance is defined and archweb_site
|
||||
|
||||
- name: install required packages
|
||||
- name: Install required packages
|
||||
pacman: name=git,python-setuptools,python-psycopg2,llvm-libs,uwsgi-plugin-python state=present
|
||||
|
||||
- name: make archweb user
|
||||
- name: Make archweb user
|
||||
user: name=archweb shell=/bin/false home="{{ archweb_dir }}" createhome=no
|
||||
|
||||
- name: fix home permissions
|
||||
- name: Fix home permissions
|
||||
file: state=directory owner=archweb group=archweb mode=0755 path="{{ archweb_dir }}"
|
||||
|
||||
- name: set archweb groups
|
||||
- name: Set archweb groups
|
||||
user: name=archweb groups=uwsgi
|
||||
when: archweb_site|bool
|
||||
|
||||
- name: create ssl cert
|
||||
- name: Create ssl cert
|
||||
include_role:
|
||||
name: certificate
|
||||
vars:
|
||||
domains: "{{ [archweb_domain] + archweb_alternate_domains }}"
|
||||
when: archweb_site|bool and maintenance is not defined
|
||||
|
||||
- name: set up nginx
|
||||
- name: Set up nginx
|
||||
template: src=nginx.d.conf.j2 dest="{{ archweb_nginx_conf }}" owner=root group=root mode=644
|
||||
notify: reload nginx
|
||||
when: archweb_site|bool and maintenance is not defined
|
||||
tags: ['nginx']
|
||||
|
||||
- name: make nginx log dir
|
||||
- name: Make nginx log dir
|
||||
file: path=/var/log/nginx/{{ archweb_domain }} state=directory owner=root group=root mode=0755
|
||||
when: archweb_site|bool
|
||||
|
||||
- name: make rsync iso dir
|
||||
- name: Make rsync iso dir
|
||||
file: path={{ archweb_rsync_iso_dir }} state=directory owner=archweb group=archweb mode=0755
|
||||
when: archweb_site|bool
|
||||
|
||||
- name: clone archweb repo
|
||||
- name: Clone archweb repo
|
||||
git: >
|
||||
repo={{ archweb_repository }}
|
||||
dest="{{ archweb_dir }}"
|
||||
|
@ -54,36 +54,36 @@
|
|||
become_user: archweb
|
||||
register: release
|
||||
|
||||
- name: make virtualenv
|
||||
- name: Make virtualenv
|
||||
command: python -m venv --system-site-packages "{{ archweb_dir }}"/env creates="{{ archweb_dir }}/env/bin/python"
|
||||
become: true
|
||||
become_user: archweb
|
||||
|
||||
- name: install stuff into virtualenv
|
||||
- name: Install stuff into virtualenv
|
||||
pip: requirements="{{ archweb_dir }}/requirements_prod.txt" virtualenv="{{ archweb_dir }}/env"
|
||||
become: true
|
||||
become_user: archweb
|
||||
register: virtualenv
|
||||
|
||||
- name: create media dir
|
||||
- name: Create media dir
|
||||
file: state=directory owner=archweb group=archweb mode=0755 path="{{ archweb_dir }}/media"
|
||||
when: archweb_site|bool
|
||||
|
||||
- name: fix home permissions
|
||||
- name: Fix home permissions
|
||||
file: state=directory owner=archweb group=archweb mode=0755 path="{{ archweb_dir }}"
|
||||
|
||||
- name: make archlinux.org dir
|
||||
- name: Make archlinux.org dir
|
||||
file: path="{{ archweb_dir }}/archlinux.org" state=directory owner=archweb group=archweb mode=0755
|
||||
|
||||
- name: configure robots.txt
|
||||
- name: Configure robots.txt
|
||||
copy: src=robots.txt dest="{{ archweb_dir }}/archlinux.org/robots.txt" owner=root group=root mode=0644
|
||||
|
||||
- name: configure archweb
|
||||
- name: Configure archweb
|
||||
template: src=local_settings.py.j2 dest={{ archweb_dir }}/local_settings.py owner=archweb group=archweb mode=0660
|
||||
register: config
|
||||
no_log: true
|
||||
|
||||
- name: create archweb db users
|
||||
- name: Create archweb db users
|
||||
postgresql_user: name={{ item.user }} password={{ item.password }} login_host="{{ archweb_db_host }}" login_password="{{ vault_postgres_users.postgres }}" encrypted=yes
|
||||
no_log: true
|
||||
when: archweb_site or archweb_services
|
||||
|
@ -93,18 +93,18 @@
|
|||
- { user: "{{ archweb_db_dbscripts_user }}", password: "{{ vault_archweb_db_dbscripts_password }}" }
|
||||
- { user: "{{ archweb_db_backup_user }}", password: "{{ vault_archweb_db_backup_password }}" }
|
||||
|
||||
- name: create archweb db
|
||||
- name: Create archweb db
|
||||
postgresql_db: name="{{ archweb_db }}" login_host="{{ archweb_db_host }}" login_password="{{ vault_postgres_users.postgres }}" owner="{{ archweb_db_site_user }}"
|
||||
when: archweb_site or archweb_services
|
||||
register: db_created
|
||||
|
||||
- name: django migrate
|
||||
- name: Django migrate
|
||||
django_manage: app_path="{{ archweb_dir }}" command=migrate virtualenv="{{ archweb_dir }}/env"
|
||||
become: true
|
||||
become_user: archweb
|
||||
when: archweb_site and (db_created.changed or release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)
|
||||
|
||||
- name: db privileges for archweb users
|
||||
- name: DB privileges for archweb users
|
||||
postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" password="{{ vault_archweb_db_site_password }}"
|
||||
privs=CONNECT roles="{{ item }}" type=database
|
||||
when: archweb_site or archweb_services
|
||||
|
@ -113,7 +113,7 @@
|
|||
- "{{ archweb_db_dbscripts_user }}"
|
||||
- "{{ archweb_db_backup_user }}"
|
||||
|
||||
- name: table privileges for archweb users
|
||||
- name: Table privileges for archweb users
|
||||
postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" password="{{ vault_archweb_db_site_password }}"
|
||||
privs=SELECT roles="{{ item.user }}" type=table objs="{{ item.objs }}"
|
||||
when: archweb_site or archweb_services
|
||||
|
@ -122,7 +122,7 @@
|
|||
- { user: "{{ archweb_db_dbscripts_user }}", objs: "{{ archweb_db_dbscripts_table_objs }}" }
|
||||
- { user: "{{ archweb_db_backup_user }}", objs: "{{ archweb_db_backup_table_objs }}" }
|
||||
|
||||
- name: sequence privileges for archweb users
|
||||
- name: Sequence privileges for archweb users
|
||||
postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" password="{{ vault_archweb_db_site_password }}"
|
||||
privs=SELECT roles="{{ item.user }}" type=sequence objs="{{ item.objs }}"
|
||||
when: archweb_site or archweb_services
|
||||
|
@ -130,25 +130,25 @@
|
|||
- { user: "{{ archweb_db_services_user }}", objs: "{{ archweb_db_services_sequence_objs }}" }
|
||||
- { user: "{{ archweb_db_backup_user }}", objs: "{{ archweb_db_backup_sequence_objs }}" }
|
||||
|
||||
- name: django collectstatic
|
||||
- name: Django collectstatic
|
||||
django_manage: app_path="{{ archweb_dir }}" command=collectstatic virtualenv="{{ archweb_dir }}/env"
|
||||
become: true
|
||||
become_user: archweb
|
||||
when: archweb_site and (db_created.changed or release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)
|
||||
|
||||
- name: install reporead service
|
||||
- name: Install reporead service
|
||||
template: src="archweb-reporead.service.j2" dest="/etc/systemd/system/archweb-reporead.service" owner=root group=root mode=0644
|
||||
notify:
|
||||
- daemon reload
|
||||
when: archweb_services or archweb_reporead
|
||||
|
||||
- name: install readlinks service
|
||||
- name: Install readlinks service
|
||||
template: src="archweb-readlinks.service.j2" dest="/etc/systemd/system/archweb-readlinks.service" owner=root group=root mode=0644
|
||||
notify:
|
||||
- daemon reload
|
||||
when: archweb_services or archweb_reporead
|
||||
|
||||
- name: install mirrorcheck service and timer
|
||||
- name: Install mirrorcheck service and timer
|
||||
template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
|
||||
with_items:
|
||||
- archweb-mirrorcheck.service
|
||||
|
@ -157,7 +157,7 @@
|
|||
- daemon reload
|
||||
when: archweb_services or archweb_mirrorcheck
|
||||
|
||||
- name: install mirrorresolv service and timer
|
||||
- name: Install mirrorresolv service and timer
|
||||
template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
|
||||
with_items:
|
||||
- archweb-mirrorresolv.service
|
||||
|
@ -166,7 +166,7 @@
|
|||
- daemon reload
|
||||
when: archweb_services or archweb_mirrorresolv
|
||||
|
||||
- name: install populate_signoffs service and timer
|
||||
- name: Install populate_signoffs service and timer
|
||||
template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
|
||||
with_items:
|
||||
- archweb-populate_signoffs.service
|
||||
|
@ -175,7 +175,7 @@
|
|||
- daemon reload
|
||||
when: archweb_services or archweb_populate_signoffs
|
||||
|
||||
- name: install planet service and timer
|
||||
- name: Install planet service and timer
|
||||
template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
|
||||
with_items:
|
||||
- archweb-planet.service
|
||||
|
@ -184,7 +184,7 @@
|
|||
- daemon reload
|
||||
when: archweb_planet
|
||||
|
||||
- name: install rebuilderd status service and timer
|
||||
- name: Install rebuilderd status service and timer
|
||||
template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
|
||||
with_items:
|
||||
- archweb-rebuilderd.service
|
||||
|
@ -193,27 +193,27 @@
|
|||
- daemon reload
|
||||
when: archweb_site
|
||||
|
||||
- name: install pgp_import service
|
||||
- name: Install pgp_import service
|
||||
template: src="archweb-pgp_import.service.j2" dest="/etc/systemd/system/archweb-pgp_import.service" owner=root group=root mode=0644
|
||||
notify:
|
||||
- daemon reload
|
||||
when: archweb_services or archweb_pgp_import
|
||||
|
||||
- name: create pacman.d hooks dir
|
||||
- name: Create pacman.d hooks dir
|
||||
file: state=directory owner=root group=root mode=0750 path="/etc/pacman.d/hooks"
|
||||
when: archweb_services or archweb_pgp_import
|
||||
|
||||
- name: install pgp_import hook
|
||||
- name: Install pgp_import hook
|
||||
template: src="archweb-pgp_import-pacman-hook.j2" dest="/etc/pacman.d/hooks/archweb-pgp_import.hook" owner=root group=root mode=0644
|
||||
when: archweb_services or archweb_pgp_import
|
||||
|
||||
- name: install archweb memcached service
|
||||
- name: Install archweb memcached service
|
||||
template: src="archweb-memcached.service.j2" dest="/etc/systemd/system/archweb-memcached.service" owner=root group=root mode=0644
|
||||
notify:
|
||||
- daemon reload
|
||||
when: archweb_site|bool
|
||||
|
||||
- name: install archweb rsync iso service and timer
|
||||
- name: Install archweb rsync iso service and timer
|
||||
template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
|
||||
with_items:
|
||||
- archweb-rsync_iso.service
|
||||
|
@ -222,16 +222,16 @@
|
|||
- daemon reload
|
||||
when: archweb_site|bool
|
||||
|
||||
- name: deploy archweb
|
||||
- name: Deploy archweb
|
||||
template: src=archweb.ini.j2 dest=/etc/uwsgi/vassals/archweb.ini owner=archweb group=http mode=0640
|
||||
when: archweb_site|bool
|
||||
|
||||
- name: deploy new release
|
||||
- name: Deploy new release
|
||||
file: path=/etc/uwsgi/vassals/archweb.ini state=touch owner=archweb group=http mode=0640
|
||||
when: archweb_site and (release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)
|
||||
notify: restart archweb memcached
|
||||
|
||||
- name: start and enable archweb memcached service and archweb-rsync_iso timer
|
||||
- name: Start and enable archweb memcached service and archweb-rsync_iso timer
|
||||
systemd:
|
||||
name: "{{ item }}"
|
||||
enabled: true
|
||||
|
@ -242,55 +242,55 @@
|
|||
- archweb-rsync_iso.timer
|
||||
when: archweb_site|bool
|
||||
|
||||
- name: start and enable archweb reporead service
|
||||
- name: Start and enable archweb reporead service
|
||||
service: name="archweb-reporead.service" enabled=yes state=started
|
||||
when: archweb_services or archweb_reporead
|
||||
|
||||
- name: restart archweb reporead service
|
||||
- name: Restart archweb reporead service
|
||||
service: name="archweb-reporead.service" state=restarted
|
||||
when: archweb_services or archweb_reporead and (release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)
|
||||
|
||||
- name: start and enable archweb readlinks service
|
||||
- name: Start and enable archweb readlinks service
|
||||
service: name="archweb-readlinks.service" enabled=yes state=started
|
||||
when: archweb_services or archweb_reporead
|
||||
|
||||
- name: restart archweb readlinks service
|
||||
- name: Restart archweb readlinks service
|
||||
service: name="archweb-readlinks.service" state=restarted
|
||||
when: archweb_services or archweb_reporead and (release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)
|
||||
|
||||
- name: start and enable archweb mirrorcheck timer
|
||||
- name: Start and enable archweb mirrorcheck timer
|
||||
service: name="archweb-mirrorcheck.timer" enabled=yes state=started
|
||||
when: archweb_services or archweb_mirrorcheck
|
||||
|
||||
- name: start and enable archweb mirrorresolv timer
|
||||
- name: Start and enable archweb mirrorresolv timer
|
||||
service: name="archweb-mirrorresolv.timer" enabled=yes state=started
|
||||
when: archweb_services or archweb_mirrorresolv
|
||||
|
||||
- name: start and enable archweb populate_signoffs timer
|
||||
- name: Start and enable archweb populate_signoffs timer
|
||||
service: name="archweb-populate_signoffs.timer" enabled=yes state=started
|
||||
when: archweb_services or archweb_populate_signoffs
|
||||
|
||||
- name: start and enable archweb planet timer
|
||||
- name: Start and enable archweb planet timer
|
||||
service: name="archweb-planet.timer" enabled=yes state=started
|
||||
when: archweb_planet
|
||||
|
||||
- name: start and enable archweb rebulderd update timer
|
||||
- name: Start and enable archweb rebulderd update timer
|
||||
service: name="archweb-rebuilderd.timer" enabled=yes state=started
|
||||
when: archweb_site
|
||||
|
||||
- name: install donation import wrapper script
|
||||
- name: Install donation import wrapper script
|
||||
template: src=donor_import_wrapper.sh.j2 dest=/usr/local/bin/donor_import_wrapper.sh owner=root group=root mode=0755
|
||||
when: archweb_site
|
||||
|
||||
- name: install sudoer rights for fetchmail to call archweb django scripts
|
||||
- name: Install sudoer rights for fetchmail to call archweb django scripts
|
||||
template: src=sudoers-fetchmail-archweb.j2 dest=/etc/sudoers.d/fetchmail-archweb owner=root group=root mode=0440
|
||||
when: archweb_site
|
||||
|
||||
- name: create retro dir
|
||||
- name: Create retro dir
|
||||
file: state=directory owner=archweb group=archweb mode=0755 path="{{ archweb_retro_dir }}"
|
||||
when: archweb_site|bool
|
||||
|
||||
- name: clone archweb-retro repo
|
||||
- name: Clone archweb-retro repo
|
||||
git:
|
||||
repo: "{{ archweb_retro_repository }}"
|
||||
dest: "{{ archweb_retro_dir }}"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
- name: restart php-fpm@archwiki
|
||||
- name: Restart php-fpm@archwiki
|
||||
service: name=php-fpm@{{ archwiki_user }} state=restarted
|
||||
|
||||
- name: run wiki updatescript
|
||||
- name: Run wiki updatescript
|
||||
command: php {{ archwiki_dir }}/public/maintenance/update.php --quick
|
||||
become: true
|
||||
become_user: "{{ archwiki_user }}"
|
||||
|
@ -11,7 +11,7 @@
|
|||
# otherwise nginx will spit errors into the log until it is restarted (even
|
||||
# reload is not enough).
|
||||
# reference: https://stackoverflow.com/a/6896903
|
||||
- name: purge nginx cache
|
||||
- name: Purge nginx cache
|
||||
command: find /var/lib/nginx/cache -type f -delete
|
||||
|
||||
# The MediaWiki file cache can be invalidated by deleting the files in the
|
||||
|
@ -20,5 +20,5 @@
|
|||
# being set to true). References:
|
||||
# - https://www.mediawiki.org/wiki/Manual:File_cache
|
||||
# - https://www.mediawiki.org/wiki/Manual:$wgInvalidateCacheOnLocalSettingsChange
|
||||
- name: invalidate MediaWiki file cache
|
||||
- name: Invalidate MediaWiki file cache
|
||||
file: path="{{ archwiki_dir }}/public/LocalSettings.php" state=touch owner=archwiki group=archwiki mode=0640
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: run maintenance mode
|
||||
- name: Run maintenance mode
|
||||
include_role:
|
||||
name: maintenance
|
||||
vars:
|
||||
|
@ -8,49 +8,49 @@
|
|||
service_nginx_conf: "{{ archwiki_nginx_conf }}"
|
||||
when: maintenance is defined
|
||||
|
||||
- name: create ssl cert
|
||||
- name: Create ssl cert
|
||||
include_role:
|
||||
name: certificate
|
||||
vars:
|
||||
domains: ["{{ archwiki_domain }}"]
|
||||
when: 'archwiki_domain is defined'
|
||||
|
||||
- name: install packages
|
||||
- name: Install packages
|
||||
pacman: name=git,php-intl state=present
|
||||
|
||||
- name: make archwiki user
|
||||
- name: Make archwiki user
|
||||
user: name="{{ archwiki_user }}" shell=/bin/false home="{{ archwiki_dir }}" createhome=no
|
||||
register: user_created
|
||||
|
||||
- name: fix home permissions
|
||||
- name: Fix home permissions
|
||||
file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0751 path="{{ archwiki_dir }}"
|
||||
|
||||
- name: fix cache permissions
|
||||
- name: Fix cache permissions
|
||||
file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0750 path="{{ archwiki_dir }}/cache"
|
||||
|
||||
- name: fix sessions permissions
|
||||
- name: Fix sessions permissions
|
||||
file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0750 path="{{ archwiki_dir }}/sessions"
|
||||
|
||||
- name: fix uploads permissions
|
||||
- name: Fix uploads permissions
|
||||
file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0755 path="{{ archwiki_dir }}/uploads"
|
||||
|
||||
- name: set up nginx
|
||||
- name: Set up nginx
|
||||
template: src=nginx.d.conf.j2 dest="{{ archwiki_nginx_conf }}" owner=root group=root mode=644
|
||||
notify:
|
||||
- reload nginx
|
||||
when: maintenance is not defined
|
||||
tags: ['nginx']
|
||||
|
||||
- name: configure robots.txt
|
||||
- name: Configure robots.txt
|
||||
copy: src=robots.txt dest="{{ archwiki_dir }}/robots.txt" owner=root group=root mode=0644
|
||||
|
||||
- name: make nginx log dir
|
||||
- name: Make nginx log dir
|
||||
file: path=/var/log/nginx/{{ archwiki_domain }} state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: make debug log dir
|
||||
- name: Make debug log dir
|
||||
file: path=/var/log/archwiki state=directory owner={{ archwiki_user }} group=root mode=0700
|
||||
|
||||
- name: clone archwiki repo
|
||||
- name: Clone archwiki repo
|
||||
git: repo={{ archwiki_repository }} dest="{{ archwiki_dir }}/public" version={{ archwiki_version }}
|
||||
become: true
|
||||
become_user: "{{ archwiki_user }}"
|
||||
|
@ -61,41 +61,41 @@
|
|||
- purge nginx cache
|
||||
- invalidate MediaWiki file cache
|
||||
|
||||
- name: configure archwiki
|
||||
- name: Configure archwiki
|
||||
template: src=LocalSettings.php.j2 dest="{{ archwiki_dir }}/public/LocalSettings.php" owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0640
|
||||
register: config
|
||||
no_log: true
|
||||
|
||||
- name: create archwiki db
|
||||
- name: Create archwiki db
|
||||
mysql_db: name="{{ archwiki_db }}" login_host="{{ archwiki_db_host }}" login_password="{{ vault_mariadb_users.root }}"
|
||||
register: db_created
|
||||
|
||||
- name: create archwiki db user
|
||||
- name: Create archwiki db user
|
||||
mysql_user: name={{ archwiki_db_user }} password={{ vault_archwiki_db_password }}
|
||||
login_host="{{ archwiki_db_host }}" login_password="{{ vault_mariadb_users.root }}"
|
||||
priv="{{ archwiki_db }}.*:ALL"
|
||||
no_log: true
|
||||
|
||||
- name: configure php-fpm
|
||||
- name: Configure php-fpm
|
||||
template:
|
||||
src=php-fpm.conf.j2 dest="/etc/php/php-fpm.d/{{ archwiki_user }}.conf"
|
||||
owner=root group=root mode=0644
|
||||
notify:
|
||||
- restart php-fpm@{{ archwiki_user }}
|
||||
|
||||
- name: start and enable systemd socket
|
||||
- name: Start and enable systemd socket
|
||||
service: name=php-fpm@{{ archwiki_user }}.socket state=started enabled=true
|
||||
|
||||
- name: create memcached.service.d drop-in directory
|
||||
- name: Create memcached.service.d drop-in directory
|
||||
file: path=/etc/systemd/system/memcached@archwiki.service.d state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: install memcached.service drop-in
|
||||
- name: Install memcached.service drop-in
|
||||
template: src="memcached.service.d-archwiki.conf.j2" dest="/etc/systemd/system/memcached@archwiki.service.d/archwiki.conf" owner=root group=root mode=0644
|
||||
|
||||
- name: start and enable memcached service
|
||||
- name: Start and enable memcached service
|
||||
service: name=memcached@archwiki.service state=started enabled=true daemon_reload=true
|
||||
|
||||
- name: install systemd services/timers
|
||||
- name: Install systemd services/timers
|
||||
template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
|
||||
loop:
|
||||
- archwiki-runjobs.service
|
||||
|
@ -105,7 +105,7 @@
|
|||
- archwiki-prune-cache.timer
|
||||
- archwiki-question-updater.service
|
||||
|
||||
- name: start and enable archwiki timers and services
|
||||
- name: Start and enable archwiki timers and services
|
||||
systemd:
|
||||
name: "{{ item }}"
|
||||
enabled: true
|
||||
|
@ -116,17 +116,17 @@
|
|||
- archwiki-prune-cache.timer
|
||||
- archwiki-runjobs-wait.service
|
||||
|
||||
- name: create question answer file
|
||||
- name: Create question answer file
|
||||
systemd:
|
||||
name: archwiki-question-updater.service
|
||||
state: started
|
||||
daemon_reload: true
|
||||
|
||||
- name: ensure question answer file exists and set permissions
|
||||
- name: Ensure question answer file exists and set permissions
|
||||
file: state=file path="{{ archwiki_question_answer_file }}" owner=root group=root mode=0644
|
||||
|
||||
- name: create pacman.d hooks dir
|
||||
- name: Create pacman.d hooks dir
|
||||
file: state=directory owner=root group=root mode=0755 path=/etc/pacman.d/hooks
|
||||
|
||||
- name: install archwiki question updater hook
|
||||
- name: Install archwiki question updater hook
|
||||
template: src=archwiki-question-updater.hook.j2 dest=/etc/pacman.d/hooks/archwiki-question-updater.hook owner=root group=root mode=0644
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
- name: daemon reload
|
||||
- name: Daemon reload
|
||||
systemd:
|
||||
daemon-reload: true
|
||||
|
||||
- name: restart php-fpm@{{ aurweb_user }}
|
||||
- name: Restart php-fpm@{{ aurweb_user }}
|
||||
service: name=php-fpm@{{ aurweb_user }} state=restarted
|
||||
|
||||
- name: restart sshd
|
||||
- name: Restart sshd
|
||||
service: name=sshd state=restarted
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: install required packages
|
||||
- name: Install required packages
|
||||
pacman:
|
||||
state: present
|
||||
name:
|
||||
|
@ -11,37 +11,37 @@
|
|||
- gcc
|
||||
- pkg-config
|
||||
|
||||
- name: install the cgit package
|
||||
- name: Install the cgit package
|
||||
pacman:
|
||||
state: present
|
||||
name:
|
||||
- cgit-aurweb
|
||||
register: cgit
|
||||
|
||||
- name: install the git package
|
||||
- name: Install the git package
|
||||
pacman:
|
||||
state: present
|
||||
name:
|
||||
- git
|
||||
register: git
|
||||
|
||||
- name: make aur user
|
||||
- name: Make aur user
|
||||
user: name="{{ aurweb_user }}" shell=/bin/bash createhome=yes
|
||||
register: aur_user
|
||||
|
||||
- name: create .ssh for the aur user
|
||||
- name: Create .ssh for the aur user
|
||||
file: path={{ aur_user.home }}/.ssh state=directory owner={{ aur_user.name }} group={{ aur_user.name }} mode=0700
|
||||
|
||||
- name: install SSH key for mirroring to GitHub
|
||||
- name: Install SSH key for mirroring to GitHub
|
||||
copy: src=id_ed25519 dest={{ aur_user.home }}/.ssh/ owner={{ aur_user.name }} group={{ aur_user.name }} mode=0600
|
||||
|
||||
- name: fetch host keys for github.com
|
||||
- name: Fetch host keys for github.com
|
||||
command: ssh-keyscan github.com
|
||||
args:
|
||||
creates: "{{ aur_user.home }}/.ssh/known_hosts"
|
||||
register: github_host_keys
|
||||
|
||||
- name: write github.com host keys to the aur user's known_hosts
|
||||
- name: Write github.com host keys to the aur user's known_hosts
|
||||
lineinfile: name={{ aur_user.home }}/.ssh/known_hosts create=yes line={{ item }} owner={{ aur_user.name }} group={{ aur_user.name }} mode=0644
|
||||
loop: "{{ github_host_keys.stdout_lines }}"
|
||||
when: github_host_keys.changed
|
||||
|
@ -49,7 +49,7 @@
|
|||
- name: Create directory
|
||||
file: path={{ aurweb_dir }} state=directory owner={{ aurweb_user }} group=http mode=0775
|
||||
|
||||
- name: receive valid signing keys
|
||||
- name: Receive valid signing keys
|
||||
command: /usr/bin/gpg --keyserver keys.openpgp.org --recv {{ item }}
|
||||
loop: '{{ aurweb_pgp_keys }}'
|
||||
become: true
|
||||
|
@ -57,7 +57,7 @@
|
|||
register: gpg
|
||||
changed_when: "gpg.rc == 0"
|
||||
|
||||
- name: aurweb git repo check
|
||||
- name: Aurweb git repo check
|
||||
git: >
|
||||
repo={{ aurweb_repository }}
|
||||
dest="{{ aurweb_dir }}"
|
||||
|
@ -69,7 +69,7 @@
|
|||
register: release
|
||||
check_mode: true
|
||||
|
||||
- name: install AUR systemd service and timers
|
||||
- name: Install AUR systemd service and timers
|
||||
template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
|
||||
with_items:
|
||||
- aurweb-git.service
|
||||
|
@ -91,7 +91,7 @@
|
|||
- aurweb-github-mirror.timer
|
||||
when: release.changed
|
||||
|
||||
- name: stop AUR systemd services and timers
|
||||
- name: Stop AUR systemd services and timers
|
||||
service: name={{ item }} enabled=yes state=stopped
|
||||
with_items:
|
||||
- aurweb-git.timer
|
||||
|
@ -105,7 +105,7 @@
|
|||
- aurweb-github-mirror.timer
|
||||
when: release.changed
|
||||
|
||||
- name: clone aurweb repo
|
||||
- name: Clone aurweb repo
|
||||
git: >
|
||||
repo={{ aurweb_repository }}
|
||||
dest="{{ aurweb_dir }}"
|
||||
|
@ -116,35 +116,35 @@
|
|||
become_user: "{{ aurweb_user }}"
|
||||
when: release.changed
|
||||
|
||||
- name: create necessary directories
|
||||
- name: Create necessary directories
|
||||
file: path={{ aurweb_dir }}/{{ item }} state=directory owner={{ aurweb_user }} group={{ aurweb_user }} mode=0755
|
||||
with_items:
|
||||
- 'aurblup'
|
||||
- 'sessions'
|
||||
- 'uploads'
|
||||
|
||||
- name: create aurweb conf dir
|
||||
- name: Create aurweb conf dir
|
||||
file: path={{ aurweb_conf_dir }} state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: copy aurweb configuration file
|
||||
- name: Copy aurweb configuration file
|
||||
copy: src={{ aurweb_dir }}/conf/config.defaults dest={{ aurweb_conf_dir }}/config.defaults remote_src=yes owner=root group=root mode=0644
|
||||
|
||||
# Note: initdb needs the config
|
||||
- name: install custom aurweb configuration
|
||||
- name: Install custom aurweb configuration
|
||||
template: src=config.j2 dest={{ aurweb_conf_dir }}/config owner=root group=root mode=0644
|
||||
|
||||
- name: create aur db
|
||||
- name: Create aur db
|
||||
mysql_db: name="{{ aurweb_db }}" login_host="{{ aurweb_db_host }}" login_password="{{ vault_mariadb_users.root }}" encoding=utf8
|
||||
register: db_created
|
||||
no_log: true
|
||||
|
||||
- name: create aur db user
|
||||
- name: Create aur db user
|
||||
mysql_user: name={{ aurweb_db_user }} password={{ vault_aurweb_db_password }}
|
||||
login_host="{{ aurweb_db_host }}" login_password="{{ vault_mariadb_users.root }}"
|
||||
priv="{{ aurweb_db }}.*:ALL"
|
||||
no_log: true
|
||||
|
||||
- name: initialize the database
|
||||
- name: Initialize the database
|
||||
command: poetry run python -m aurweb.initdb
|
||||
args:
|
||||
chdir: "{{ aurweb_dir }}"
|
||||
|
@ -152,7 +152,7 @@
|
|||
become_user: "{{ aurweb_user }}"
|
||||
when: db_created.changed
|
||||
|
||||
- name: run migrations
|
||||
- name: Run migrations
|
||||
command: poetry run alembic upgrade head
|
||||
args:
|
||||
chdir: "{{ aurweb_dir }}"
|
||||
|
@ -183,19 +183,19 @@
|
|||
become_user: "{{ aurweb_user }}"
|
||||
when: release.changed or aurweb_installed.rc != 0
|
||||
|
||||
- name: install custom aurweb-git-auth wrapper script
|
||||
- name: Install custom aurweb-git-auth wrapper script
|
||||
template: src=aurweb-git-auth.sh.j2 dest=/usr/local/bin/aurweb-git-auth.sh owner=root group=root mode=0755
|
||||
when: release.changed
|
||||
|
||||
- name: install custom aurweb-git-serve wrapper script
|
||||
- name: Install custom aurweb-git-serve wrapper script
|
||||
template: src=aurweb-git-serve.sh.j2 dest=/usr/local/bin/aurweb-git-serve.sh owner=root group=root mode=0755
|
||||
when: release.changed
|
||||
|
||||
- name: install custom aurweb-git-update wrapper script
|
||||
- name: Install custom aurweb-git-update wrapper script
|
||||
template: src=aurweb-git-update.sh.j2 dest=/usr/local/bin/aurweb-git-update.sh owner=root group=root mode=0755
|
||||
when: release.changed
|
||||
|
||||
- name: link custom aurweb-git-update wrapper to hooks/update
|
||||
- name: Link custom aurweb-git-update wrapper to hooks/update
|
||||
file:
|
||||
src: /usr/local/bin/aurweb-git-update.sh
|
||||
dest: "{{ aurweb_dir }}/aur.git/hooks/update"
|
||||
|
@ -215,36 +215,36 @@
|
|||
become: true
|
||||
become_user: "{{ aurweb_user }}"
|
||||
|
||||
- name: create ssl cert
|
||||
- name: Create ssl cert
|
||||
include_role:
|
||||
name: certificate
|
||||
vars:
|
||||
domains: ["{{ aurweb_domain }}"]
|
||||
|
||||
- name: set up nginx
|
||||
- name: Set up nginx
|
||||
template: src=nginx.d.conf.j2 dest={{ aurweb_nginx_conf }} owner=root group=root mode=644
|
||||
notify: reload nginx
|
||||
tags: ['nginx']
|
||||
|
||||
- name: make nginx log dir
|
||||
- name: Make nginx log dir
|
||||
file: path=/var/log/nginx/{{ aurweb_domain }} state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: install cgit configuration
|
||||
- name: Install cgit configuration
|
||||
template: src=cgitrc.j2 dest="{{ aurweb_conf_dir }}/cgitrc" owner=root group=root mode=0644
|
||||
|
||||
- name: configure cgit uwsgi service
|
||||
- name: Configure cgit uwsgi service
|
||||
template: src=cgit.ini.j2 dest=/etc/uwsgi/vassals/cgit.ini owner={{ aurweb_user }} group=http mode=0644
|
||||
|
||||
- name: deploy new cgit release
|
||||
- name: Deploy new cgit release
|
||||
become: true
|
||||
become_user: "{{ aurweb_user }}"
|
||||
file: path=/etc/uwsgi/vassals/cgit.ini state=touch owner=root group=root mode=0644
|
||||
when: cgit.changed
|
||||
|
||||
- name: configure smartgit uwsgi service
|
||||
- name: Configure smartgit uwsgi service
|
||||
template: src=smartgit.ini.j2 dest=/etc/uwsgi/vassals/smartgit.ini owner={{ aurweb_user }} group=http mode=0644
|
||||
|
||||
- name: deploy new smartgit release
|
||||
- name: Deploy new smartgit release
|
||||
become: true
|
||||
become_user: "{{ aurweb_user }}"
|
||||
file:
|
||||
|
@ -255,10 +255,10 @@
|
|||
mode: 0644
|
||||
when: git.changed
|
||||
|
||||
- name: create git repo dir
|
||||
- name: Create git repo dir
|
||||
file: path={{ aurweb_git_dir }} state=directory owner={{ aurweb_user }} group=http mode=0775
|
||||
|
||||
- name: init git directory
|
||||
- name: Init git directory
|
||||
command: git init --bare {{ aurweb_git_dir }}
|
||||
args:
|
||||
creates: "{{ aurweb_git_dir }}/HEAD"
|
||||
|
@ -267,7 +267,7 @@
|
|||
tags:
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: save hideRefs setting on var
|
||||
- name: Save hideRefs setting on var
|
||||
command: git config --local --get-all transfer.hideRefs
|
||||
register: git_config
|
||||
args:
|
||||
|
@ -276,7 +276,7 @@
|
|||
tags:
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: configure git tranfser.hideRefs
|
||||
- name: Configure git tranfser.hideRefs
|
||||
command: git config --local transfer.hideRefs '^refs/'
|
||||
args:
|
||||
chdir: "{{ aurweb_git_dir }}"
|
||||
|
@ -286,7 +286,7 @@
|
|||
tags:
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: configure git transfer.hideRefs second
|
||||
- name: Configure git transfer.hideRefs second
|
||||
command: git config --local --add transfer.hideRefs '!refs/'
|
||||
args:
|
||||
chdir: "{{ aurweb_git_dir }}"
|
||||
|
@ -296,7 +296,7 @@
|
|||
tags:
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: configure git transfer.hideRefs third
|
||||
- name: Configure git transfer.hideRefs third
|
||||
command: git config --local --add transfer.hideRefs '!HEAD'
|
||||
args:
|
||||
chdir: "{{ aurweb_git_dir }}"
|
||||
|
@ -306,12 +306,12 @@
|
|||
tags:
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: configure sshd
|
||||
- name: Configure sshd
|
||||
template: src=aurweb_config.j2 dest={{ sshd_includes_dir }}/aurweb_config owner=root group=root mode=0600 validate='/usr/sbin/sshd -t -f %s'
|
||||
notify:
|
||||
- restart sshd
|
||||
|
||||
- name: start and enable AUR systemd services and timers
|
||||
- name: Start and enable AUR systemd services and timers
|
||||
service: name={{ item }} enabled=yes state=started daemon_reload=yes
|
||||
with_items:
|
||||
- aurweb-git.timer
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
- name: install borg and tools
|
||||
- name: Install borg and tools
|
||||
pacman: name=borg state=present
|
||||
|
||||
- name: check if borg repository already exists
|
||||
- name: Check if borg repository already exists
|
||||
command: "{{ item['borg_cmd'] }} list {{ item['host'] }}/{{ item['dir'] }}"
|
||||
environment:
|
||||
BORG_RELOCATED_REPO_ACCESS_IS_OK: "yes"
|
||||
|
@ -10,7 +10,7 @@
|
|||
loop: "{{ backup_hosts }}"
|
||||
changed_when: borg_list.stdout | length > 0
|
||||
|
||||
- name: init borg repository
|
||||
- name: Init borg repository
|
||||
command: "{{ item['borg_cmd'] }} init -e keyfile {{ item['host'] }}/{{ item['dir'] }}"
|
||||
when: borg_list is failed
|
||||
environment:
|
||||
|
@ -21,48 +21,48 @@
|
|||
- skip_ansible_lint
|
||||
|
||||
|
||||
- name: install convenience scripts
|
||||
- name: Install convenience scripts
|
||||
template: src=borg.j2 dest=/usr/local/bin/borg{{ item['suffix'] }} owner=root group=root mode=0755
|
||||
loop: "{{ backup_hosts }}"
|
||||
|
||||
- name: install borg backup scripts
|
||||
- name: Install borg backup scripts
|
||||
template: src=borg-backup.sh.j2 dest=/usr/local/bin/borg-backup{{ item['suffix'] }}.sh owner=root group=root mode=0755
|
||||
loop: "{{ backup_hosts }}"
|
||||
|
||||
- name: install postgres backup script
|
||||
- name: Install postgres backup script
|
||||
template: src=backup-postgres.sh.j2 dest=/usr/local/bin/backup-postgres.sh owner=root group=root mode=0755
|
||||
when: postgres_backup_dir is defined
|
||||
|
||||
- name: check whether postgres user exists
|
||||
- name: Check whether postgres user exists
|
||||
command: getent passwd postgres
|
||||
register: check_postgres_user
|
||||
ignore_errors: true
|
||||
changed_when: check_postgres_user.stdout | length > 0
|
||||
|
||||
- name: make postgres backup directory
|
||||
- name: Make postgres backup directory
|
||||
file: path={{ postgres_backup_dir }} owner=root group=root mode=0755 state=directory
|
||||
when: check_postgres_user is succeeded and postgres_backup_dir is defined
|
||||
|
||||
- name: install mysql backup script
|
||||
- name: Install mysql backup script
|
||||
template: src=backup-mysql.sh.j2 dest=/usr/local/bin/backup-mysql.sh owner=root group=root mode=0755
|
||||
when: mysql_backup_dir is defined
|
||||
|
||||
- name: install mysql backup config
|
||||
- name: Install mysql backup config
|
||||
template: src=backup-my.cnf.j2 dest={{ mysql_backup_defaults }} owner=root group=root mode=0644
|
||||
when: mysql_backup_defaults is defined
|
||||
|
||||
- name: create mysql backup directory
|
||||
- name: Create mysql backup directory
|
||||
file: path={{ mysql_backup_dir }} state=directory owner=root group=root mode=0755
|
||||
when: mysql_backup_dir is defined
|
||||
|
||||
- name: install systemd services for backup
|
||||
- name: Install systemd services for backup
|
||||
template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
|
||||
with_items:
|
||||
- borg-backup.service
|
||||
- borg-backup-offsite.service
|
||||
|
||||
- name: install systemd timer for backup
|
||||
- name: Install systemd timer for backup
|
||||
copy: src=borg-backup.timer dest=/etc/systemd/system/borg-backup.timer owner=root group=root mode=0644
|
||||
|
||||
- name: activate systemd timer for backup
|
||||
- name: Activate systemd timer for backup
|
||||
systemd: name=borg-backup.timer enabled=yes state=started daemon-reload=yes
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
- name: install borg
|
||||
- name: Install borg
|
||||
pacman: name=borg state=present
|
||||
|
||||
- name: create borg user
|
||||
- name: Create borg user
|
||||
user:
|
||||
name: borg
|
||||
home: "{{ backup_dir }}"
|
||||
|
||||
- name: create borg user home
|
||||
- name: Create borg user home
|
||||
file:
|
||||
path: "{{ backup_dir }}"
|
||||
state: directory
|
||||
|
@ -14,7 +14,7 @@
|
|||
group: borg
|
||||
mode: 0700
|
||||
|
||||
- name: create the root backup directory at {{ backup_dir }}
|
||||
- name: Create the root backup directory at {{ backup_dir }}
|
||||
file:
|
||||
path: "{{ backup_dir }}/{{ item }}"
|
||||
state: directory
|
||||
|
@ -23,14 +23,14 @@
|
|||
mode: 0700
|
||||
with_items: "{{ backup_clients }}"
|
||||
|
||||
- name: fetch ssh keys from each borg client machine
|
||||
- name: Fetch ssh keys from each borg client machine
|
||||
command: cat /root/.ssh/id_rsa.pub
|
||||
register: ssh_keys
|
||||
delegate_to: "{{ item }}"
|
||||
with_items: "{{ backup_clients }}"
|
||||
changed_when: ssh_keys.stdout | length > 0
|
||||
|
||||
- name: allow certain clients to connect
|
||||
- name: Allow certain clients to connect
|
||||
authorized_key:
|
||||
user: borg
|
||||
key: "{{ item.stdout }}"
|
||||
|
|
|
@ -1,13 +1,13 @@
|
|||
- name: install bugbot utilities
|
||||
- name: Install bugbot utilities
|
||||
pacman: name=python-irc,python-beautifulsoup4,python-lxml state=present
|
||||
|
||||
- name: receive valid signing keys
|
||||
- name: Receive valid signing keys
|
||||
command: /usr/bin/gpg --keyserver keys.openpgp.org --auto-key-locate wkd,keyserver --locate-keys {{ item }}
|
||||
with_items: '{{ bugbot_pgp_emails }}'
|
||||
register: gpg
|
||||
changed_when: "gpg.rc == 0"
|
||||
|
||||
- name: clone bugbot source
|
||||
- name: Clone bugbot source
|
||||
git:
|
||||
repo: https://gitlab.archlinux.org/archlinux/bugbot.git
|
||||
dest: /srv/bugbot
|
||||
|
@ -16,11 +16,11 @@
|
|||
gpg_whitelist: '{{ bugbot_pgp_keys }}'
|
||||
version: '{{ bugbot_version }}'
|
||||
|
||||
- name: install env file
|
||||
- name: Install env file
|
||||
template: src=bugbot.j2 dest=/srv/bugbot/env owner=root group=root mode=0600
|
||||
|
||||
- name: install bugbot systemd service
|
||||
- name: Install bugbot systemd service
|
||||
copy: src=bugbot.service dest=/etc/systemd/system/bugbot.service owner=root group=root mode=0644
|
||||
|
||||
- name: start and enable bugbot service
|
||||
- name: Start and enable bugbot service
|
||||
systemd: name=bugbot.service enabled=yes state=started daemon_reload=yes
|
||||
|
|
|
@ -1,30 +1,30 @@
|
|||
- name: install certbot
|
||||
- name: Install certbot
|
||||
pacman: name=certbot{{ ",certbot-dns-rfc2136" if certbot_dns_support }} state=present
|
||||
|
||||
- name: install rfc2136.ini
|
||||
- name: Install rfc2136.ini
|
||||
template: src=rfc2136.ini.j2 dest=/etc/letsencrypt/rfc2136.ini owner=root group=root mode=0600
|
||||
when: certbot_dns_support
|
||||
|
||||
- name: install letsencrypt hook
|
||||
- name: Install letsencrypt hook
|
||||
copy: src=hook.sh dest=/etc/letsencrypt/hook.sh owner=root group=root mode=0755
|
||||
|
||||
- name: create letsencrypt hook dir
|
||||
- name: Create letsencrypt hook dir
|
||||
file: state=directory path=/etc/letsencrypt/hook.d owner=root group=root mode=0755
|
||||
|
||||
- name: install letsencrypt renewal service
|
||||
- name: Install letsencrypt renewal service
|
||||
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
|
||||
with_items:
|
||||
- certbot-renewal.service
|
||||
- certbot-renewal.timer
|
||||
|
||||
- name: activate letsencrypt renewal service
|
||||
- name: Activate letsencrypt renewal service
|
||||
systemd:
|
||||
name: certbot-renewal.timer
|
||||
enabled: true
|
||||
state: started
|
||||
daemon_reload: true
|
||||
|
||||
- name: open firewall holes for certbot standalone authenticator
|
||||
- name: Open firewall holes for certbot standalone authenticator
|
||||
ansible.posix.firewalld: service={{ item }} permanent=true state=enabled immediate=yes
|
||||
with_items:
|
||||
- http
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: create ssl cert (HTTP-01)
|
||||
- name: Create ssl cert (HTTP-01)
|
||||
shell: |
|
||||
set -o pipefail
|
||||
# We can't start nginx without the certificate and we can't issue a certificate without nginx running.
|
||||
|
@ -10,7 +10,7 @@
|
|||
creates: '/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem'
|
||||
when: challenge | default(certificate_challenge) == "HTTP-01"
|
||||
|
||||
- name: create ssl cert (DNS-01)
|
||||
- name: Create ssl cert (DNS-01)
|
||||
command: certbot certonly --email {{ certificate_contact_email }} --agree-tos --rsa-key-size {{ certificate_rsa_key_size }} --renew-by-default --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d {{ domains | join(' -d ') }}
|
||||
args:
|
||||
creates: '/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem'
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
- name: restart journald
|
||||
- name: Restart journald
|
||||
systemd:
|
||||
name: systemd-journald
|
||||
state: restarted
|
||||
daemon_reload: true
|
||||
|
||||
- name: systemd daemon-reload
|
||||
- name: Systemd daemon-reload
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
|
||||
- name: restart systemd-zram-setup@zram0
|
||||
- name: Restart systemd-zram-setup@zram0
|
||||
service: name=systemd-zram-setup@zram0 state=restarted daemon_reload=yes
|
||||
|
|
|
@ -1,66 +1,66 @@
|
|||
- name: install essential tools
|
||||
- name: Install essential tools
|
||||
pacman: name=vim,nano,tmux,htop,ncdu,bash-completion,rsync,vnstat state=present
|
||||
|
||||
- name: start and enable vnstatd
|
||||
- name: Start and enable vnstatd
|
||||
service: name=vnstat enabled=yes state=started
|
||||
|
||||
- name: install inetutils for hostname
|
||||
- name: Install inetutils for hostname
|
||||
pacman: name=inetutils state=present
|
||||
|
||||
- name: set hostname
|
||||
- name: Set hostname
|
||||
hostname: name="{{ inventory_hostname }}"
|
||||
|
||||
- name: install pacman config
|
||||
- name: Install pacman config
|
||||
template: src=pacman.conf.j2 dest=/etc/pacman.conf mode=0644 owner=root group=root
|
||||
|
||||
- name: configure pacman mirror
|
||||
- name: Configure pacman mirror
|
||||
template: src=mirrorlist.j2 dest=/etc/pacman.d/mirrorlist owner=root group=root mode=0644
|
||||
|
||||
- name: update package cache
|
||||
- name: Update package cache
|
||||
pacman: update_cache=yes
|
||||
|
||||
- name: start and enable auditd
|
||||
- name: Start and enable auditd
|
||||
service: name=auditd enabled=yes state=started
|
||||
|
||||
- name: start and enable systemd-timesyncd
|
||||
- name: Start and enable systemd-timesyncd
|
||||
service: name=systemd-timesyncd enabled=yes state=started
|
||||
|
||||
- name: install smart
|
||||
- name: Install smart
|
||||
pacman: name=smartmontools state=present
|
||||
when: "'hcloud' not in group_names"
|
||||
|
||||
- name: configure smartd to do periodic health checks
|
||||
- name: Configure smartd to do periodic health checks
|
||||
copy: src=smartd.conf dest=/etc/smartd.conf owner=root group=root mode=0644
|
||||
when: "'hcloud' not in group_names"
|
||||
|
||||
- name: start and enable smart
|
||||
- name: Start and enable smart
|
||||
service: name=smartd enabled=yes state=started
|
||||
when: "'hcloud' not in group_names"
|
||||
|
||||
- name: start and enable btrfs scrub timer
|
||||
- name: Start and enable btrfs scrub timer
|
||||
service: name=btrfs-scrub@{{ '-' if (item.mount | length == 1) else (item.mount.split("/", 1)[1] | replace("/", "-")) }}.timer enabled=yes state=started
|
||||
loop: "{{ ansible_mounts | sort(attribute='mount') | groupby('uuid') | map(attribute=1) | map('first') }}"
|
||||
when:
|
||||
- item.fstype == 'btrfs'
|
||||
- not 'backup' in item.mount
|
||||
|
||||
- name: generate locales
|
||||
- name: Generate locales
|
||||
locale_gen: name={{ item }} state=present
|
||||
with_items:
|
||||
- en_US.UTF-8
|
||||
|
||||
- name: configure locales
|
||||
- name: Configure locales
|
||||
template: src=locale.conf.j2 dest=/etc/locale.conf owner=root group=root mode=0644
|
||||
|
||||
- name: generate ssh key for root
|
||||
- name: Generate ssh key for root
|
||||
command: ssh-keygen -b 4096 -N "" -f /root/.ssh/id_rsa creates="/root/.ssh/id_rsa"
|
||||
|
||||
- name: configure networking
|
||||
- name: Configure networking
|
||||
include_role:
|
||||
name: networking
|
||||
when: configure_network
|
||||
|
||||
- name: configure tcp receive window limits
|
||||
- name: Configure tcp receive window limits
|
||||
sysctl:
|
||||
name: net.ipv4.tcp_rmem
|
||||
value: "{{ tcp_rmem }}"
|
||||
|
@ -68,7 +68,7 @@
|
|||
sysctl_file: /etc/sysctl.d/net.conf
|
||||
when: tcp_rmem is defined
|
||||
|
||||
- name: configure tcp send window limits
|
||||
- name: Configure tcp send window limits
|
||||
sysctl:
|
||||
name: net.ipv4.tcp_wmem
|
||||
value: "{{ tcp_wmem }}"
|
||||
|
@ -76,48 +76,48 @@
|
|||
sysctl_file: /etc/sysctl.d/net.conf
|
||||
when: tcp_wmem is defined
|
||||
|
||||
- name: create drop-in directories for systemd configuration
|
||||
- name: Create drop-in directories for systemd configuration
|
||||
file: path=/etc/systemd/{{ item }}.d state=directory owner=root group=root mode=0755
|
||||
loop:
|
||||
- system.conf
|
||||
- journald.conf
|
||||
|
||||
- name: install journald.conf overrides
|
||||
- name: Install journald.conf overrides
|
||||
template: src=journald.conf.j2 dest=/etc/systemd/journald.conf.d/override.conf owner=root group=root mode=644
|
||||
notify:
|
||||
- restart journald
|
||||
|
||||
- name: install system.conf overrides
|
||||
- name: Install system.conf overrides
|
||||
template: src=system.conf.j2 dest=/etc/systemd/system.conf.d/override.conf owner=root group=root mode=0644
|
||||
notify:
|
||||
- systemd daemon-reload
|
||||
|
||||
- name: install zram-generator
|
||||
- name: Install zram-generator
|
||||
pacman: name=zram-generator state=present
|
||||
when: enable_zram_swap
|
||||
|
||||
- name: install zram-generator config for zram
|
||||
- name: Install zram-generator config for zram
|
||||
template: src=zram-generator.conf dest=/etc/systemd/zram-generator.conf owner=root group=root mode=0644
|
||||
notify:
|
||||
- restart systemd-zram-setup@zram0
|
||||
when: enable_zram_swap
|
||||
|
||||
- name: disable zswap to prevent conflict with zram
|
||||
- name: Disable zswap to prevent conflict with zram
|
||||
copy: content="w- /sys/module/zswap/parameters/enabled - - - - N" dest=/etc/tmpfiles.d/zram.conf owner=root group=root mode=0644
|
||||
register: zramtmpfiles
|
||||
when: enable_zram_swap
|
||||
|
||||
- name: use tmpfiles.d/zram.conf
|
||||
- name: Use tmpfiles.d/zram.conf
|
||||
command: systemd-tmpfiles --create
|
||||
when: zramtmpfiles.changed
|
||||
|
||||
- name: create drop-in directories for oomd
|
||||
- name: Create drop-in directories for oomd
|
||||
file: path=/etc/systemd/system/{{ item }}.d state=directory owner=root group=root mode=0755
|
||||
with_items:
|
||||
- "-.slice"
|
||||
- user@.service
|
||||
|
||||
- name: install drop-in snippets for oomd
|
||||
- name: Install drop-in snippets for oomd
|
||||
copy: src=oomd-override_{{ item }}.conf dest=/etc/systemd/system/{{ item }}.d/override.conf owner=root group=root mode=0644
|
||||
with_items:
|
||||
- "-.slice"
|
||||
|
@ -125,32 +125,32 @@
|
|||
notify:
|
||||
- systemd daemon-reload
|
||||
|
||||
- name: start systemd-oomd
|
||||
- name: Start systemd-oomd
|
||||
service: name=systemd-oomd state=started enabled=yes
|
||||
|
||||
- name: install logrotate
|
||||
- name: Install logrotate
|
||||
pacman: name=logrotate state=present
|
||||
|
||||
- name: configure logrotate
|
||||
- name: Configure logrotate
|
||||
template: src=logrotate.conf.j2 dest=/etc/logrotate.conf owner=root group=root mode=0644
|
||||
|
||||
- name: enable logrotate timer
|
||||
- name: Enable logrotate timer
|
||||
service: name=logrotate.timer state=started enabled=yes
|
||||
|
||||
- name: create zsh directory
|
||||
- name: Create zsh directory
|
||||
file: path=/root/.zsh state=directory owner=root group=root mode=0700
|
||||
|
||||
- name: install root shell config
|
||||
- name: Install root shell config
|
||||
copy: src={{ item }} dest=/root/.{{ item }} owner=root group=root mode=0644
|
||||
with_items:
|
||||
- zshrc
|
||||
- dircolors
|
||||
|
||||
- name: install pacman-contrib,archlinux-contrib
|
||||
- name: Install pacman-contrib,archlinux-contrib
|
||||
pacman: name=pacman-contrib,archlinux-contrib state=installed
|
||||
|
||||
- name: install custom paccache.service
|
||||
- name: Install custom paccache.service
|
||||
copy: src=paccache.service dest=/etc/systemd/system/paccache.service owner=root group=root mode=0644
|
||||
|
||||
- name: enable paccache timer
|
||||
- name: Enable paccache timer
|
||||
systemd: name=paccache.timer enabled=yes state=started daemon_reload=yes
|
||||
|
|
|
@ -1,44 +1,44 @@
|
|||
- name: install svn, git, rsync and some perl stuff
|
||||
- name: Install svn, git, rsync and some perl stuff
|
||||
pacman: name=git,subversion,rsync,perl-dbd-pg,perl-timedate,diffstat state=present
|
||||
|
||||
- name: install sourceballs requirements (makepkg download dependencies)
|
||||
- name: Install sourceballs requirements (makepkg download dependencies)
|
||||
pacman: name=git,subversion,mercurial,breezy state=present
|
||||
|
||||
- name: install binutils for createlinks script
|
||||
- name: Install binutils for createlinks script
|
||||
pacman: name=binutils state=present
|
||||
|
||||
- name: create dbscripts users
|
||||
- name: Create dbscripts users
|
||||
user: name="{{ item }}" shell=/bin/bash
|
||||
with_items:
|
||||
- svn-packages
|
||||
- svn-community
|
||||
|
||||
- name: add cleanup user
|
||||
- name: Add cleanup user
|
||||
user: name=cleanup groups=tu,dev,multilib shell=/sbin/nologin
|
||||
|
||||
- name: add sourceballs user
|
||||
- name: Add sourceballs user
|
||||
user: name=sourceballs shell=/sbin/nologin
|
||||
|
||||
- name: set up sudoers.d for special users
|
||||
- name: Set up sudoers.d for special users
|
||||
copy: src=sudoers.d dest=/etc/sudoers.d/dbscripts owner=root group=root mode=0600
|
||||
|
||||
- name: create ssl cert
|
||||
- name: Create ssl cert
|
||||
include_role:
|
||||
name: certificate
|
||||
vars:
|
||||
domains: ["{{ repos_domain }}", "{{ repos_rsync_domain }}"]
|
||||
|
||||
- name: make nginx log dir
|
||||
- name: Make nginx log dir
|
||||
file: path=/var/log/nginx/{{ repos_domain }} state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: set up nginx
|
||||
- name: Set up nginx
|
||||
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/dbscripts.conf owner=root group=root mode=0644
|
||||
notify:
|
||||
- reload nginx
|
||||
tags:
|
||||
- nginx
|
||||
|
||||
- name: create Arch Linux-specific users
|
||||
- name: Create Arch Linux-specific users
|
||||
user:
|
||||
name: "{{ item.key }}"
|
||||
group: users
|
||||
|
@ -47,25 +47,25 @@
|
|||
state: present
|
||||
with_dict: "{{ arch_users }}"
|
||||
|
||||
- name: create .ssh directory
|
||||
- name: Create .ssh directory
|
||||
file: path=/home/svn-packages/.ssh state=directory owner=svn-packages group=svn-packages mode=0700
|
||||
|
||||
- name: configure ssh keys for devs
|
||||
- name: Configure ssh keys for devs
|
||||
template: src=authorized_keys-group.j2 dest=/home/svn-packages/.ssh/authorized_keys owner=svn-packages group=svn-packages mode=600
|
||||
vars:
|
||||
pubkey_groups: ['dev']
|
||||
tags: ['archusers']
|
||||
|
||||
- name: create .ssh directory
|
||||
- name: Create .ssh directory
|
||||
file: path=/home/svn-community/.ssh state=directory owner=svn-community group=svn-community mode=0700
|
||||
|
||||
- name: configure ssh keys for TUs
|
||||
- name: Configure ssh keys for TUs
|
||||
template: src=authorized_keys-group.j2 dest=/home/svn-community/.ssh/authorized_keys owner=svn-community group=svn-community mode=600
|
||||
vars:
|
||||
pubkey_groups: ['tu']
|
||||
tags: ['archusers']
|
||||
|
||||
- name: create staging directories in user homes
|
||||
- name: Create staging directories in user homes
|
||||
dbscripts_mkdirs:
|
||||
pathtmpl: '/home/{user}/staging/{dirname}'
|
||||
permissions: '755'
|
||||
|
@ -74,88 +74,88 @@
|
|||
group: users
|
||||
tags: ["archusers"]
|
||||
|
||||
- name: create dbscripts paths
|
||||
- name: Create dbscripts paths
|
||||
file: path="{{ item }}" state=directory owner=root group=root mode=0755
|
||||
with_items:
|
||||
- /srv/repos/svn-community
|
||||
- /srv/repos/svn-packages
|
||||
|
||||
- name: create svn-community/package-cleanup directory
|
||||
- name: Create svn-community/package-cleanup directory
|
||||
file: path="/srv/repos/svn-community/package-cleanup" state=directory owner=svn-community group=tu mode=0775
|
||||
- name: add acl user:cleanup:rwx to /srv/repos/svn-community/package-cleanup
|
||||
- name: Add acl user:cleanup:rwx to /srv/repos/svn-community/package-cleanup
|
||||
acl: name=/srv/repos/svn-community/package-cleanup entry="user:cleanup:rwx" state=present
|
||||
- name: add acl default:user::rwx to /srv/repos/svn-community/package-cleanup
|
||||
- name: Add acl default:user::rwx to /srv/repos/svn-community/package-cleanup
|
||||
acl: name=/srv/repos/svn-community/package-cleanup entry="default:user::rwx" state=present
|
||||
- name: add acl default:user:cleanup:rwx to /srv/repos/svn-community/package-cleanup
|
||||
- name: Add acl default:user:cleanup:rwx to /srv/repos/svn-community/package-cleanup
|
||||
acl: name=/srv/repos/svn-community/package-cleanup entry="default:user:cleanup:rwx" state=present
|
||||
- name: add acl default:group::rwx to /srv/repos/svn-community/package-cleanup
|
||||
- name: Add acl default:group::rwx to /srv/repos/svn-community/package-cleanup
|
||||
acl: name=/srv/repos/svn-community/package-cleanup entry="default:group::rwx" state=present
|
||||
- name: add acl default:other::r-x to /srv/repos/svn-community/package-cleanup
|
||||
- name: Add acl default:other::r-x to /srv/repos/svn-community/package-cleanup
|
||||
acl: name=/srv/repos/svn-community/package-cleanup entry="default:other::r-x" state=present
|
||||
|
||||
- name: create svn-packages/package-cleanup directory
|
||||
- name: Create svn-packages/package-cleanup directory
|
||||
file: path="/srv/repos/svn-packages/package-cleanup" state=directory owner=svn-packages group=dev mode=0775
|
||||
- name: add acl user:cleanup:rwx to /srv/repos/svn-packages/package-cleanup
|
||||
- name: Add acl user:cleanup:rwx to /srv/repos/svn-packages/package-cleanup
|
||||
acl: name=/srv/repos/svn-packages/package-cleanup entry="user:cleanup:rwx" state=present
|
||||
- name: add acl default:user::rwx to /srv/repos/svn-packages/package-cleanup
|
||||
- name: Add acl default:user::rwx to /srv/repos/svn-packages/package-cleanup
|
||||
acl: name=/srv/repos/svn-packages/package-cleanup entry="default:user::rwx" state=present
|
||||
- name: add acl default:user:cleanup:rwx to /srv/repos/svn-packages/package-cleanup
|
||||
- name: Add acl default:user:cleanup:rwx to /srv/repos/svn-packages/package-cleanup
|
||||
acl: name=/srv/repos/svn-packages/package-cleanup entry="default:user:cleanup:rwx" state=present
|
||||
- name: add acl default:group::rwx to /srv/repos/svn-packages/package-cleanup
|
||||
- name: Add acl default:group::rwx to /srv/repos/svn-packages/package-cleanup
|
||||
acl: name=/srv/repos/svn-packages/package-cleanup entry="default:group::rwx" state=present
|
||||
- name: add acl default:other::r-x to /srv/repos/svn-packages/package-cleanup
|
||||
- name: Add acl default:other::r-x to /srv/repos/svn-packages/package-cleanup
|
||||
acl: name=/srv/repos/svn-packages/package-cleanup entry="default:other::r-x" state=present
|
||||
|
||||
- name: create svn-community/source-cleanup directory
|
||||
- name: Create svn-community/source-cleanup directory
|
||||
file: path="/srv/repos/svn-community/source-cleanup" state=directory owner=sourceballs group=svn-community mode=0755
|
||||
- name: create svn-packages/source-cleanup directory
|
||||
- name: Create svn-packages/source-cleanup directory
|
||||
file: path="/srv/repos/svn-packages/source-cleanup" state=directory owner=sourceballs group=svn-packages mode=0755
|
||||
|
||||
- name: create svn-community/svn directory
|
||||
- name: Create svn-community/svn directory
|
||||
file: path="/srv/repos/svn-community/svn" state=directory owner=svn-community group=svn-community mode=0755
|
||||
- name: add acl default:user::rwx to /srv/repos/svn-community/svn
|
||||
- name: Add acl default:user::rwx to /srv/repos/svn-community/svn
|
||||
acl: name=/srv/repos/svn-community/svn entry="default:user::rwx" state=present
|
||||
- name: add acl default:group::r-x to /srv/repos/svn-community/svn
|
||||
- name: Add acl default:group::r-x to /srv/repos/svn-community/svn
|
||||
acl: name=/srv/repos/svn-community/svn entry="default:group::r-x" state=present
|
||||
- name: add acl default:other::r-x to /srv/repos/svn-community/svn
|
||||
- name: Add acl default:other::r-x to /srv/repos/svn-community/svn
|
||||
acl: name=/srv/repos/svn-community/svn entry="default:other::r-x" state=present
|
||||
|
||||
- name: create svn-packages/svn directory
|
||||
- name: Create svn-packages/svn directory
|
||||
file: path="/srv/repos/svn-packages/svn" state=directory owner=svn-packages group=svn-packages mode=0755
|
||||
- name: add acl default:user::rwx to /srv/repos/svn-packages/svn
|
||||
- name: Add acl default:user::rwx to /srv/repos/svn-packages/svn
|
||||
acl: name=/srv/repos/svn-packages/svn entry="default:user::rwx" state=present
|
||||
- name: add acl default:group::r-x to /srv/repos/svn-packages/svn
|
||||
- name: Add acl default:group::r-x to /srv/repos/svn-packages/svn
|
||||
acl: name=/srv/repos/svn-packages/svn entry="default:group::r-x" state=present
|
||||
- name: add acl default:other::r-x to /srv/repos/svn-packages/svn
|
||||
- name: Add acl default:other::r-x to /srv/repos/svn-packages/svn
|
||||
acl: name=/srv/repos/svn-packages/svn entry="default:other::r-x" state=present
|
||||
|
||||
- name: create svn-community/tmp directory
|
||||
- name: Create svn-community/tmp directory
|
||||
file: path="/srv/repos/svn-community/tmp" state=directory owner=svn-community group=tu mode=1775
|
||||
- name: add acl user:sourceballs:rwx to /srv/repos/svn-community/tmp
|
||||
- name: Add acl user:sourceballs:rwx to /srv/repos/svn-community/tmp
|
||||
acl: name=/srv/repos/svn-community/tmp entry="user:sourceballs:rwx" state=present
|
||||
|
||||
- name: create svn-packages/tmp directory
|
||||
- name: Create svn-packages/tmp directory
|
||||
file: path="/srv/repos/svn-packages/tmp" state=directory owner=svn-packages group=dev mode=1775
|
||||
- name: add acl user:sourceballs:rwx to /srv/repos/svn-packages/tmp
|
||||
- name: Add acl user:sourceballs:rwx to /srv/repos/svn-packages/tmp
|
||||
acl: name=/srv/repos/svn-packages/tmp entry="user:sourceballs:rwx" state=present
|
||||
|
||||
- name: touch /srv/ftp/lastsync file
|
||||
- name: Touch /srv/ftp/lastsync file
|
||||
file: path="/srv/ftp/lastsync" state=touch owner=ftp group=ftp mode=0644
|
||||
|
||||
- name: touch /srv/ftp/lastupdate file
|
||||
- name: Touch /srv/ftp/lastupdate file
|
||||
file: path="/srv/ftp/lastupdate" state=touch owner=ftp group=ftp mode=0644
|
||||
- name: add acl group:tu:rw- to /srv/ftp/lastupdate
|
||||
- name: Add acl group:tu:rw- to /srv/ftp/lastupdate
|
||||
acl: name=/srv/ftp/lastupdate entry="group:tu:rw-" state=present
|
||||
- name: add acl group:dev:rw- to /srv/ftp/lastupdate
|
||||
- name: Add acl group:dev:rw- to /srv/ftp/lastupdate
|
||||
acl: name=/srv/ftp/lastupdate entry="group:dev:rw-" state=present
|
||||
|
||||
- name: fetch dbscripts PGP key
|
||||
- name: Fetch dbscripts PGP key
|
||||
command: /usr/bin/gpg --keyserver keys.openpgp.org --auto-key-locate wkd,keyserver --locate-keys {{ item }}
|
||||
with_items: '{{ dbscripts_pgp_emails }}'
|
||||
register: gpg
|
||||
changed_when: "gpg.rc == 0"
|
||||
|
||||
- name: clone dbscripts git repo
|
||||
- name: Clone dbscripts git repo
|
||||
git: >
|
||||
dest=/srv/repos/{{ item }}/dbscripts
|
||||
repo=https://gitlab.archlinux.org/archlinux/dbscripts.git
|
||||
|
@ -165,73 +165,73 @@
|
|||
- svn-community
|
||||
- svn-packages
|
||||
|
||||
- name: make /srv/svn
|
||||
- name: Make /srv/svn
|
||||
file: path=/srv/svn state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: symlink /srv/svn/community to /srv/repos/svn-community/svn
|
||||
- name: Symlink /srv/svn/community to /srv/repos/svn-community/svn
|
||||
file: path=/srv/svn/community src=/srv/repos/svn-community/svn state=link owner=root group=root mode=0755
|
||||
|
||||
- name: symlink /srv/svn/packages to /srv/repos/svn-packages/svn
|
||||
- name: Symlink /srv/svn/packages to /srv/repos/svn-packages/svn
|
||||
file: path=/srv/svn/packages src=/srv/repos/svn-packages/svn state=link owner=root group=root mode=0755
|
||||
|
||||
- name: symlink /community to /srv/repos/svn-community/dbscripts
|
||||
- name: Symlink /community to /srv/repos/svn-community/dbscripts
|
||||
file: path=/community src=/srv/repos/svn-community/dbscripts state=link owner=root group=root mode=0755
|
||||
|
||||
- name: symlink /packages to /srv/repos/svn-packages/dbscripts
|
||||
- name: Symlink /packages to /srv/repos/svn-packages/dbscripts
|
||||
file: path=/packages src=/srv/repos/svn-packages/dbscripts state=link owner=root group=root mode=0755
|
||||
|
||||
- name: make debug packages-debug pool
|
||||
- name: Make debug packages-debug pool
|
||||
file: path=/srv/ftp/pool/packages-debug state=directory owner=root group=dev mode=0775
|
||||
|
||||
- name: make debug community-debug pool
|
||||
- name: Make debug community-debug pool
|
||||
file: path=/srv/ftp/pool/community-debug state=directory owner=root group=tu mode=2775
|
||||
|
||||
- name: make package root debug repos
|
||||
- name: Make package root debug repos
|
||||
file: path=/srv/ftp/{{ item }}/os state=directory owner=root group=root mode=0755
|
||||
with_items: '{{ package_repos }}'
|
||||
|
||||
- name: make community root debug repos
|
||||
- name: Make community root debug repos
|
||||
file: path=/srv/ftp/{{ item }}/os state=directory owner=root group=root mode=00755
|
||||
with_items: '{{ community_repos }}'
|
||||
|
||||
- name: make package debug repos
|
||||
- name: Make package debug repos
|
||||
file: path=/srv/ftp/{{ item }}/os/x86_64 state=directory owner=root group=dev mode=0775
|
||||
with_items: '{{ package_repos }}'
|
||||
|
||||
- name: make community debug repos
|
||||
- name: Make community debug repos
|
||||
file: path=/srv/ftp/{{ item }}/os/x86_64 state=directory owner=root group=tu mode=0775
|
||||
with_items: '{{ community_repos }}'
|
||||
|
||||
- name: put rsyncd.conf into tmpfiles
|
||||
- name: Put rsyncd.conf into tmpfiles
|
||||
copy: src=rsyncd-tmpfiles.d dest=/etc/tmpfiles.d/rsyncd.conf owner=root group=root mode=0644
|
||||
register: rsyncdtmpfiles
|
||||
|
||||
- name: use tmpfiles.d/rsyncd.conf
|
||||
- name: Use tmpfiles.d/rsyncd.conf
|
||||
command: systemd-tmpfiles --create
|
||||
when: rsyncdtmpfiles.changed
|
||||
|
||||
- name: create rsyncd-conf-genscripts
|
||||
- name: Create rsyncd-conf-genscripts
|
||||
file: path=/etc/rsyncd-conf-genscripts state=directory owner=root group=root mode=0700
|
||||
|
||||
- name: install rsync.conf.proto
|
||||
- name: Install rsync.conf.proto
|
||||
template: src=rsyncd.conf.proto.j2 dest=/etc/rsyncd-conf-genscripts/rsyncd.conf.proto owner=root group=root mode=0644
|
||||
|
||||
- name: configure gen_rsyncd.conf.pl
|
||||
- name: Configure gen_rsyncd.conf.pl
|
||||
template: src=gen_rsyncd.conf.pl dest=/etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl owner=root group=root mode=0700
|
||||
no_log: true
|
||||
|
||||
- name: generate mirror config
|
||||
- name: Generate mirror config
|
||||
command: /etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl
|
||||
register: gen_rsyncd
|
||||
changed_when: "gen_rsyncd.rc == 0"
|
||||
|
||||
- name: install svnlog
|
||||
- name: Install svnlog
|
||||
copy: src=svnlog dest=/usr/local/bin/svnlog owner=root group=root mode=0755
|
||||
|
||||
- name: add arch-svntogit user
|
||||
- name: Add arch-svntogit user
|
||||
user: name=svntogit shell=/sbin/nologin home=/srv/svntogit generate_ssh_key=yes ssh_key_bits=4096
|
||||
|
||||
- name: configure svntogit git user name
|
||||
- name: Configure svntogit git user name
|
||||
command: git config --global user.name svntogit
|
||||
become: true
|
||||
become_user: svntogit
|
||||
|
@ -240,7 +240,7 @@
|
|||
tags:
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: configure svntogit git user email
|
||||
- name: Configure svntogit git user email
|
||||
command: git config --global user.email svntogit@repos.archlinux.org
|
||||
become: true
|
||||
become_user: svntogit
|
||||
|
@ -249,13 +249,13 @@
|
|||
tags:
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: template arch-svntogit
|
||||
- name: Template arch-svntogit
|
||||
copy: src=update-repos.sh dest=/srv/svntogit/update-repos.sh owner=root group=root mode=0755
|
||||
|
||||
- name: create svntogit repos subdir
|
||||
- name: Create svntogit repos subdir
|
||||
file: path="/srv/svntogit/repos" state=directory owner=svntogit group=svntogit mode=0775
|
||||
|
||||
- name: clone git-svn repos
|
||||
- name: Clone git-svn repos
|
||||
command: git svn clone file:///srv/repos/svn-{{ item }}/svn /srv/svntogit/repos/{{ item }} creates=/srv/svntogit/repos/{{ item }}
|
||||
with_items:
|
||||
- community
|
||||
|
@ -265,7 +265,7 @@
|
|||
tags:
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: add svntogit public remotes
|
||||
- name: Add svntogit public remotes
|
||||
command: git remote add public git@github.com:archlinux/svntogit-{{ item }}.git chdir=/srv/svntogit/repos/{{ item }}
|
||||
with_items:
|
||||
- community
|
||||
|
@ -279,7 +279,7 @@
|
|||
- skip_ansible_lint
|
||||
|
||||
# The following command also serves as a way to get the data the first time the repo is set up
|
||||
- name: configure svntogit pull upstream branch
|
||||
- name: Configure svntogit pull upstream branch
|
||||
command: git pull --set-upstream public master chdir=/srv/svntogit/repos/{{ item }}
|
||||
environment:
|
||||
SHELL: /bin/bash
|
||||
|
@ -293,40 +293,40 @@
|
|||
tags:
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: fix svntogit home permissions
|
||||
- name: Fix svntogit home permissions
|
||||
file: path="/srv/svntogit" state=directory owner=svntogit group=svntogit mode=0775
|
||||
|
||||
- name: install repo helpers
|
||||
- name: Install repo helpers
|
||||
copy: src={{ item }} dest=/usr/local/bin/{{ item }} owner=root group=root mode=0755
|
||||
with_items:
|
||||
- lsrepo
|
||||
- checklib32
|
||||
|
||||
- name: install createlinks script
|
||||
- name: Install createlinks script
|
||||
copy: src=createlinks dest=/usr/local/bin/createlinks owner=root group=root mode=0755
|
||||
|
||||
- name: start and enable rsync
|
||||
- name: Start and enable rsync
|
||||
service: name=rsyncd.socket enabled=yes state=started
|
||||
|
||||
- name: open firewall holes for rsync
|
||||
- name: Open firewall holes for rsync
|
||||
ansible.posix.firewalld: service=rsyncd permanent=true state=enabled immediate=yes
|
||||
when: configure_firewall
|
||||
tags:
|
||||
- firewall
|
||||
|
||||
- name: configure svnserve
|
||||
- name: Configure svnserve
|
||||
copy: dest=/etc/conf.d/svnserve owner=root group=root mode=0644 content="SVNSERVE_ARGS=-R -r /srv/svn\n"
|
||||
|
||||
- name: start and enable svnserve
|
||||
- name: Start and enable svnserve
|
||||
service: name=svnserve enabled=yes state=started
|
||||
|
||||
- name: open firewall holes for svnserve
|
||||
- name: Open firewall holes for svnserve
|
||||
ansible.posix.firewalld: port=3690/tcp permanent=true state=enabled immediate=yes
|
||||
when: configure_firewall
|
||||
tags:
|
||||
- firewall
|
||||
|
||||
- name: install systemd timers
|
||||
- name: Install systemd timers
|
||||
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
|
||||
with_items:
|
||||
- cleanup.timer
|
||||
|
@ -344,7 +344,7 @@
|
|||
notify:
|
||||
- daemon reload
|
||||
|
||||
- name: activate systemd timers
|
||||
- name: Activate systemd timers
|
||||
service: name={{ item }} enabled=yes state=started
|
||||
with_items:
|
||||
- cleanup.timer
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
- name: reload debuginfod
|
||||
- name: Reload debuginfod
|
||||
service: name=debuginfod state=reloaded
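Review bot: The handler is renamed to `Reload debuginfod`, but the role's task file still carries `notify: - reload debuginfod` as an unchanged context line in this same diff, and Ansible matches notify strings against handler names by exact string comparison, so the reload will no longer fire. The same mismatch appears in every other handler file this commit capitalizes: dovecot (`reload dovecot`, `run sievec`), fail2ban (`restart fail2ban`, `reload fail2ban jails`, also notified from the flyspray tasks), fetchmail (`restart fetchmail`), fluxbb (`restart php-fpm@fluxbb`), flyspray (`restart php-fpm7@flyspray`), powerdns (`restart powerdns`) and gitlab-runner (`systemd daemon-reload`, `restart gitlab-runner`, `restart docker`, `restart gitlab-runner-docker-cleanup.timer`). The firewalld handlers are unaffected because they keep `listen: restart firewalld` while only the visible `name` changes. Either capitalize each notify target to match (`- Reload debuginfod`) or give every renamed handler a `listen:` entry carrying the old lowercase name, as the firewalld role already does.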
|
||||
|
|
|
@ -1,53 +1,53 @@
|
|||
- name: install debuginfod
|
||||
- name: Install debuginfod
|
||||
pacman: name=debuginfod state=present
|
||||
|
||||
- name: create ssl cert
|
||||
- name: Create ssl cert
|
||||
include_role:
|
||||
name: certificate
|
||||
vars:
|
||||
domains: ["{{ debuginfod_domain }}"]
|
||||
when: debuginfod_domain
|
||||
|
||||
- name: configure debuginfod systemd service
|
||||
- name: Configure debuginfod systemd service
|
||||
template: src=debuginfod.service.j2 dest=/etc/systemd/system/debuginfod.service owner=root group=root mode=0644
|
||||
vars:
|
||||
debuginfod_package_path: "{{ debuginfod_package_paths | join(' ') }}"
|
||||
notify:
|
||||
- reload debuginfod
|
||||
|
||||
- name: create http directory for debuginfod website files
|
||||
- name: Create http directory for debuginfod website files
|
||||
file: path=/srv/http/debuginfod state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: install website files
|
||||
- name: Install website files
|
||||
copy: src={{ item }} dest=/srv/http/debuginfod/{{ item }} owner=root group=root mode=0644
|
||||
loop:
|
||||
- archlinux.png
|
||||
- index.html
|
||||
|
||||
- name: install packagelist units
|
||||
- name: Install packagelist units
|
||||
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
|
||||
loop:
|
||||
- packagelist.timer
|
||||
- packagelist.service
|
||||
|
||||
- name: start and enable packagelist.timer
|
||||
- name: Start and enable packagelist.timer
|
||||
service: name=packagelist.timer enabled=yes state=started
|
||||
|
||||
- name: make nginx log dir
|
||||
- name: Make nginx log dir
|
||||
file: path=/var/log/nginx/{{ debuginfod_domain }} state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: set up nginx
|
||||
- name: Set up nginx
|
||||
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/debuginfod.conf owner=root group=root mode=0644
|
||||
notify:
|
||||
- reload nginx
|
||||
when: debuginfod_domain
|
||||
tags: ['nginx']
|
||||
|
||||
- name: open debuginfod ipv4 port for monitoring.archlinux.org
|
||||
- name: Open debuginfod ipv4 port for monitoring.archlinux.org
|
||||
ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
|
||||
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port=8002 accept"
|
||||
tags:
|
||||
- firewall
|
||||
|
||||
- name: start and enable debuginfod
|
||||
- name: Start and enable debuginfod
|
||||
service: name=debuginfod enabled=yes state=started
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
- name: reload dovecot
|
||||
- name: Reload dovecot
|
||||
service: name=dovecot state=restarted
|
||||
|
||||
- name: run sievec
|
||||
- name: Run sievec
|
||||
command: /usr/bin/sievec /etc/dovecot/sieve/{{ item }}
|
||||
loop:
|
||||
- spam-to-folder.sieve
|
||||
|
|
|
@ -1,48 +1,48 @@
|
|||
- name: install dovecot
|
||||
- name: Install dovecot
|
||||
pacman: name=dovecot,pigeonhole state=present
|
||||
|
||||
# FIXME: check directory permissions
|
||||
- name: create dovecot configuration directory
|
||||
- name: Create dovecot configuration directory
|
||||
file: path=/etc/dovecot state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: create dhparam
|
||||
- name: Create dhparam
|
||||
command: openssl dhparam -out /etc/dovecot/dh.pem 4096 creates=/etc/dovecot/dh.pem
|
||||
|
||||
- name: install dovecot.conf
|
||||
- name: Install dovecot.conf
|
||||
template: src=dovecot.conf.j2 dest=/etc/dovecot/dovecot.conf owner=root group=root mode=0644
|
||||
notify:
|
||||
- reload dovecot
|
||||
|
||||
- name: add vmail group
|
||||
- name: Add vmail group
|
||||
group: name=vmail gid=5000
|
||||
|
||||
- name: add vmail user
|
||||
- name: Add vmail user
|
||||
user: name=vmail uid=5000 shell=/usr/bin/nologin group=vmail
|
||||
|
||||
- name: install PAM config
|
||||
- name: Install PAM config
|
||||
copy: src=pam.d.dovecot dest=/etc/pam.d/dovecot mode=0644 owner=root group=root
|
||||
|
||||
- name: create dovecot sieve dir
|
||||
- name: Create dovecot sieve dir
|
||||
file: path=/etc/dovecot/sieve state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: install spam-to-folder.sieve
|
||||
- name: Install spam-to-folder.sieve
|
||||
copy: src=spam-to-folder.sieve dest=/etc/dovecot/sieve/ mode=0644 owner=root group=root
|
||||
notify:
|
||||
- run sievec
|
||||
|
||||
- name: create ssl cert
|
||||
- name: Create ssl cert
|
||||
include_role:
|
||||
name: certificate
|
||||
vars:
|
||||
domains: ["{{ mail_domain }}"]
|
||||
|
||||
- name: install dovecot cert renewal hook
|
||||
- name: Install dovecot cert renewal hook
|
||||
template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/hook.d/dovecot owner=root group=root mode=0755
|
||||
|
||||
- name: start and enable dovecot
|
||||
- name: Start and enable dovecot
|
||||
service: name=dovecot enabled=yes state=started
|
||||
|
||||
- name: open firewall holes
|
||||
- name: Open firewall holes
|
||||
ansible.posix.firewalld: service={{ item }} permanent=true state=enabled immediate=yes
|
||||
with_items:
|
||||
- imaps
|
||||
|
@ -51,13 +51,13 @@
|
|||
tags:
|
||||
- firewall
|
||||
|
||||
- name: install systemd timers
|
||||
- name: Install systemd timers
|
||||
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
|
||||
with_items:
|
||||
- dovecot-cleanup.timer
|
||||
- dovecot-cleanup.service
|
||||
|
||||
- name: activate systemd timers
|
||||
- name: Activate systemd timers
|
||||
systemd:
|
||||
name: "{{ item }}"
|
||||
state: started
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
- name: restart fail2ban
|
||||
- name: Restart fail2ban
|
||||
systemd:
|
||||
name: fail2ban
|
||||
state: restarted
|
||||
|
||||
- name: reload fail2ban jails
|
||||
- name: Reload fail2ban jails
|
||||
shell: type fail2ban-server > /dev/null && (fail2ban-client ping > /dev/null && fail2ban-client reload > /dev/null || true) || true
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
- name: install fail2ban
|
||||
- name: Install fail2ban
|
||||
package:
|
||||
name: "fail2ban"
|
||||
state: "present"
|
||||
notify:
|
||||
- restart fail2ban
|
||||
|
||||
- name: create systemd unit override path
|
||||
- name: Create systemd unit override path
|
||||
file:
|
||||
path: "/etc/systemd/system/fail2ban.service.d"
|
||||
state: "directory"
|
||||
|
@ -13,7 +13,7 @@
|
|||
group: "root"
|
||||
mode: 0755
|
||||
|
||||
- name: install systemd unit override file
|
||||
- name: Install systemd unit override file
|
||||
template:
|
||||
src: "fail2ban.service.j2"
|
||||
dest: "/etc/systemd/system/fail2ban.service.d/override.conf"
|
||||
|
@ -21,7 +21,7 @@
|
|||
group: "root"
|
||||
mode: 0644
|
||||
|
||||
- name: install local config files
|
||||
- name: Install local config files
|
||||
template:
|
||||
src: "{{ item }}.j2"
|
||||
dest: "/etc/fail2ban/{{ item }}"
|
||||
|
@ -34,7 +34,7 @@
|
|||
notify:
|
||||
- restart fail2ban
|
||||
|
||||
- name: install firewallcmd-allports.local
|
||||
- name: Install firewallcmd-allports.local
|
||||
template:
|
||||
src: "firewallcmd-allports.local.j2"
|
||||
dest: "/etc/fail2ban/action.d/firewallcmd-allports.local"
|
||||
|
@ -44,7 +44,7 @@
|
|||
notify:
|
||||
- restart fail2ban
|
||||
|
||||
- name: install sshd jail
|
||||
- name: Install sshd jail
|
||||
when: fail2ban_jails.sshd
|
||||
template:
|
||||
src: "sshd.jail.j2"
|
||||
|
@ -55,7 +55,7 @@
|
|||
notify:
|
||||
- reload fail2ban jails
|
||||
|
||||
- name: install postfix jail
|
||||
- name: Install postfix jail
|
||||
when: fail2ban_jails.postfix
|
||||
template:
|
||||
src: "postfix.jail.j2"
|
||||
|
@ -66,7 +66,7 @@
|
|||
notify:
|
||||
- reload fail2ban jails
|
||||
|
||||
- name: install dovecot jail
|
||||
- name: Install dovecot jail
|
||||
when: fail2ban_jails.dovecot
|
||||
template:
|
||||
src: "dovecot.jail.j2"
|
||||
|
@ -77,7 +77,7 @@
|
|||
notify:
|
||||
- reload fail2ban jails
|
||||
|
||||
- name: install nginx-limit-req jail
|
||||
- name: Install nginx-limit-req jail
|
||||
when: fail2ban_jails.nginx_limit_req
|
||||
template:
|
||||
src: "nginx-limit-req.jail.j2"
|
||||
|
@ -88,7 +88,7 @@
|
|||
notify:
|
||||
- reload fail2ban jails
|
||||
|
||||
- name: start and enable service
|
||||
- name: Start and enable service
|
||||
systemd:
|
||||
name: "fail2ban.service"
|
||||
enabled: true
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
- name: restart fetchmail
|
||||
- name: Restart fetchmail
|
||||
service: name=fetchmail state=restarted
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
- name: install fetchmail
|
||||
- name: Install fetchmail
|
||||
pacman: name=fetchmail state=present
|
||||
|
||||
- name: template fetchmail config
|
||||
- name: Template fetchmail config
|
||||
template: src=fetchmailrc.j2 dest=/etc/fetchmailrc owner=fetchmail group=nobody mode=600
|
||||
notify:
|
||||
- restart fetchmail
|
||||
|
||||
- name: start and enable fetchmail
|
||||
- name: Start and enable fetchmail
|
||||
service: name=fetchmail enabled=yes state=started
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
# NOTE: hack for a systemd bug (restarting firewalld.service fails due to fail2ban.service)
|
||||
# https://github.com/systemd/systemd/issues/2830
|
||||
# https://bugzilla.opensuse.org/show_bug.cgi?id=1146856
|
||||
# - name: restart firewalld
|
||||
# - name: Restart firewalld
|
||||
# service: name=firewalld state=restarted
|
||||
- name: stop firewalld
|
||||
- name: Stop firewalld
|
||||
service: name=firewalld state=stopped
|
||||
listen: restart firewalld
|
||||
- name: start firewalld
|
||||
- name: Start firewalld
|
||||
service: name=firewalld state=started
|
||||
listen: restart firewalld
|
||||
|
|
|
@ -1,20 +1,20 @@
|
|||
- name: install firewalld
|
||||
- name: Install firewalld
|
||||
pacman:
|
||||
name: firewalld
|
||||
state: present
|
||||
|
||||
- name: install firewalld config
|
||||
- name: Install firewalld config
|
||||
template: src=firewalld.conf.j2 dest=/etc/firewalld/firewalld.conf owner=root group=root mode=0644
|
||||
notify:
|
||||
- restart firewalld
|
||||
|
||||
- name: start and enable firewalld
|
||||
- name: Start and enable firewalld
|
||||
service:
|
||||
name: firewalld
|
||||
enabled: "{{ configure_firewall }}"
|
||||
state: "{{ configure_firewall | ternary('started', 'stopped') }}"
|
||||
|
||||
- name: disable default dhcpv6-client rule
|
||||
- name: Disable default dhcpv6-client rule
|
||||
ansible.posix.firewalld:
|
||||
service: dhcpv6-client
|
||||
state: disabled
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
- name: restart php-fpm@fluxbb
|
||||
- name: Restart php-fpm@fluxbb
|
||||
systemd: name=php-fpm@fluxbb.service state=restarted
|
||||
|
|
|
@ -1,67 +1,67 @@
|
|||
- name: create user
|
||||
- name: Create user
|
||||
user: >
|
||||
name=fluxbb home="{{ fluxbb_dir }}"
|
||||
shell=/bin/false system=yes createhome=no
|
||||
|
||||
- name: clone fluxbb
|
||||
- name: Clone fluxbb
|
||||
git:
|
||||
repo: https://gitlab.archlinux.org/archlinux/archbbs.git
|
||||
dest: "{{ fluxbb_dir }}"
|
||||
version: "{{ fluxbb_version }}"
|
||||
|
||||
- name: fix home permissions
|
||||
- name: Fix home permissions
|
||||
file: state=directory owner=fluxbb group=fluxbb mode=0755 path="{{ fluxbb_dir }}"
|
||||
changed_when: false
|
||||
|
||||
- name: create uploads directory
|
||||
- name: Create uploads directory
|
||||
file: state=directory owner=fluxbb group=fluxbb mode=0755 path="{{ fluxbb_dir }}/uploads"
|
||||
|
||||
- name: create mariadb database
|
||||
- name: Create mariadb database
|
||||
mysql_db: name=fluxbb state=present
|
||||
|
||||
- name: create mariadb user
|
||||
- name: Create mariadb user
|
||||
mysql_user: >
|
||||
user=fluxbb host=localhost password={{ fluxbb_db_password }}
|
||||
priv='fluxbb.*:ALL'
|
||||
|
||||
- name: create ssl cert
|
||||
- name: Create ssl cert
|
||||
include_role:
|
||||
name: certificate
|
||||
vars:
|
||||
domains: ["{{ fluxbb_domain }}"]
|
||||
|
||||
- name: create nginx log directory
|
||||
- name: Create nginx log directory
|
||||
file: path=/var/log/nginx/{{ fluxbb_domain }} state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: configure nginx
|
||||
- name: Configure nginx
|
||||
template: >
|
||||
src=nginx.conf.j2 dest=/etc/nginx/nginx.d/fluxbb.conf
|
||||
owner=root group=root mode=0644
|
||||
notify: reload nginx
|
||||
|
||||
- name: install python-passlib
|
||||
- name: Install python-passlib
|
||||
pacman: name=python-passlib
|
||||
|
||||
- name: create auth file
|
||||
- name: Create auth file
|
||||
htpasswd: >
|
||||
path=/etc/nginx/auth/fluxx
|
||||
name={{ fluxbb_htpasswd.username }}
|
||||
password={{ fluxbb_htpasswd.password }}
|
||||
owner=root group=http mode=0640
|
||||
|
||||
- name: install forum config
|
||||
- name: Install forum config
|
||||
template: >
|
||||
src=config.php.j2 dest={{ fluxbb_dir }}/config.php
|
||||
owner=fluxbb group=fluxbb mode=400
|
||||
|
||||
- name: install php-apcu
|
||||
- name: Install php-apcu
|
||||
pacman: name=php-apcu,php-intl
|
||||
|
||||
- name: configure php-fpm
|
||||
- name: Configure php-fpm
|
||||
template: >
|
||||
src=php-fpm.conf.j2 dest=/etc/php/php-fpm.d/fluxbb.conf
|
||||
owner=root group=root mode=0644
|
||||
notify: restart php-fpm@fluxbb
|
||||
|
||||
- name: start and enable systemd socket
|
||||
- name: Start and enable systemd socket
|
||||
service: name=php-fpm@fluxbb.socket state=started enabled=true
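Review bot: `Create mariadb user` passes `password={{ fluxbb_db_password }}` and `Create auth file` passes `password={{ fluxbb_htpasswd.password }}` without `no_log: true`, so a change or failure in either task prints the secret in the play output and in whatever collects that output. The flyspray role in this same diff sets `no_log: true` on its `Create flyspray db user` and `Configure flyspray` tasks; the two tasks here, and `Install forum config` (which renders the database password into `config.php` and would show it under `--diff`), should get the same line, e.g. `no_log: true` directly after the module call.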
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
- name: restart php-fpm7@flyspray
|
||||
- name: Restart php-fpm7@flyspray
|
||||
service: name=php-fpm7@flyspray state=restarted
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- name: run maintenance mode
|
||||
- name: Run maintenance mode
|
||||
include_role:
|
||||
name: maintenance
|
||||
vars:
|
||||
|
@ -8,40 +8,40 @@
|
|||
service_nginx_conf: "{{ flyspray_nginx_conf }}"
|
||||
when: maintenance is defined
|
||||
|
||||
- name: install git
|
||||
- name: Install git
|
||||
pacman: name=git state=present
|
||||
|
||||
- name: make flyspray user
|
||||
- name: Make flyspray user
|
||||
user: name="{{ flyspray_user }}" shell=/bin/false home="{{ flyspray_dir }}" createhome=no
|
||||
register: user_created
|
||||
|
||||
- name: fix home permissions
|
||||
- name: Fix home permissions
|
||||
file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}" mode=0755
|
||||
|
||||
- name: create ssl cert
|
||||
- name: Create ssl cert
|
||||
include_role:
|
||||
name: certificate
|
||||
vars:
|
||||
domains: ["{{ flyspray_domain }}"]
|
||||
|
||||
- name: set up nginx
|
||||
- name: Set up nginx
|
||||
template: src=nginx.d.conf.j2 dest="{{ flyspray_nginx_conf }}" owner=root group=root mode=644
|
||||
notify:
|
||||
- reload nginx
|
||||
when: maintenance is not defined
|
||||
tags: ['nginx']
|
||||
|
||||
- name: install nginx migrated-tasks.map
|
||||
- name: Install nginx migrated-tasks.map
|
||||
copy: src=migrated-tasks.map dest=/etc/nginx/maps/ owner=root group=root mode=0644
|
||||
|
||||
- name: make nginx log dir
|
||||
- name: Make nginx log dir
|
||||
file: path=/var/log/nginx/{{ flyspray_domain }} state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: create setup dir with write permissions
|
||||
- name: Create setup dir with write permissions
|
||||
file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}/setup" mode=755
|
||||
when: not user_created.changed
|
||||
|
||||
- name: clone flyspray repo
|
||||
- name: Clone flyspray repo
|
||||
git:
|
||||
repo: https://gitlab.archlinux.org/archlinux/flyspray.git
|
||||
version: "{{ flyspray_commit }}"
|
||||
|
@ -50,44 +50,44 @@
|
|||
become_user: "{{ flyspray_user }}"
|
||||
register: release
|
||||
|
||||
- name: take away setup dir write permissions
|
||||
- name: Take away setup dir write permissions
|
||||
file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}/setup" mode=000
|
||||
|
||||
- name: configure flyspray
|
||||
- name: Configure flyspray
|
||||
template: src=flyspray.conf.php.j2 dest=/srv/http/flyspray/flyspray.conf.php owner="{{ flyspray_user }}" group="{{ flyspray_user }}" mode=0660
|
||||
register: config
|
||||
no_log: true
|
||||
|
||||
- name: create flyspray db
|
||||
- name: Create flyspray db
|
||||
mysql_db: name="{{ flyspray_db }}" login_host="{{ flyspray_db_host }}" login_password="{{ vault_mariadb_users.root }}"
|
||||
register: db_created
|
||||
|
||||
- name: create flyspray db user
|
||||
- name: Create flyspray db user
|
||||
mysql_user: name={{ flyspray_db_user }} password={{ vault_flyspray_db_password }}
|
||||
login_host="{{ flyspray_db_host }}" login_password="{{ vault_mariadb_users.root }}"
|
||||
priv="{{ flyspray_db }}.*:ALL"
|
||||
no_log: true
|
||||
|
||||
- name: configure php-fpm
|
||||
- name: Configure php-fpm
|
||||
template:
|
||||
src=php-fpm.conf.j2 dest="/etc/php7/php-fpm.d/{{ flyspray_user }}.conf"
|
||||
owner=root group=root mode=0644
|
||||
notify:
|
||||
- restart php-fpm7@flyspray
|
||||
|
||||
- name: install fail2ban register ban filter
|
||||
- name: Install fail2ban register ban filter
|
||||
template: src=fail2ban.filter.j2 dest=/etc/fail2ban/filter.d/nginx-flyspray-register.local owner=root group=root mode=0644
|
||||
notify:
|
||||
- restart fail2ban
|
||||
tags:
|
||||
- fail2ban
|
||||
|
||||
- name: install fail2ban register ban jail
|
||||
- name: Install fail2ban register ban jail
|
||||
template: src=fail2ban.jail.j2 dest=/etc/fail2ban/jail.d/nginx-flyspray-register.local owner=root group=root mode=0644
|
||||
notify:
|
||||
- restart fail2ban
|
||||
tags:
|
||||
- fail2ban
|
||||
|
||||
- name: start and enable systemd socket
|
||||
- name: Start and enable systemd socket
|
||||
service: name=php-fpm7@flyspray.socket state=started enabled=true
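Review bot: `Create flyspray db` passes `login_password="{{ vault_mariadb_users.root }}"` but, unlike the `Create flyspray db user` task directly below it, has no `no_log: true`, so the MariaDB root password is printed if the task fails or the play runs verbosely. Add `no_log: true` after `register: db_created`.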
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
- name: restart powerdns
|
||||
- name: Restart powerdns
|
||||
service: name=pdns state=restarted
|
||||
|
|
|
@ -1,27 +1,27 @@
|
|||
- name: install powerdns and geoip
|
||||
- name: Install powerdns and geoip
|
||||
pacman: name=powerdns,libmaxminddb,geoip,yaml-cpp state=present
|
||||
|
||||
- name: install PowerDNS configuration
|
||||
- name: Install PowerDNS configuration
|
||||
template: src={{ item.src }} dest=/etc/powerdns/{{ item.dest }} owner=root group=root mode=0644
|
||||
loop:
|
||||
- {src: pdns.conf.j2, dest: pdns.conf}
|
||||
- {src: geo.yml.j2, dest: geo.yml}
|
||||
notify: restart powerdns
|
||||
|
||||
- name: create drop-in directory for geoipupdate
|
||||
- name: Create drop-in directory for geoipupdate
|
||||
file: path=/etc/systemd/system/geoipupdate.service.d state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: install drop-in snippet for geoipupdate
|
||||
- name: Install drop-in snippet for geoipupdate
|
||||
copy: src=geoipupdate-pdns-reload.conf dest=/etc/systemd/system/geoipupdate.service.d/pdns-reload.conf owner=root group=root mode=0644
|
||||
|
||||
- name: open powerdns ipv4 port for monitoring.archlinux.org
|
||||
- name: Open powerdns ipv4 port for monitoring.archlinux.org
|
||||
ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
|
||||
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port=8081 accept"
|
||||
tags:
|
||||
- firewall
|
||||
|
||||
- name: open firewall hole
|
||||
- name: Open firewall hole
|
||||
ansible.posix.firewalld: service=dns permanent=true state=enabled immediate=yes
|
||||
|
||||
- name: start and enable powerdns
|
||||
- name: Start and enable powerdns
|
||||
systemd: name=pdns.service enabled=yes daemon_reload=yes state=started
|
||||
|
|
|
@ -1,14 +1,14 @@
|
|||
- name: install geoipupdate
|
||||
- name: Install geoipupdate
|
||||
pacman: name=geoipupdate state=present
|
||||
register: installation
|
||||
|
||||
- name: configure geoipupdate
|
||||
- name: Configure geoipupdate
|
||||
template: src=GeoIP.conf.j2 dest=/etc/GeoIP.conf owner=root group=root mode=0600
|
||||
register: configuration
|
||||
|
||||
- name: run geoipupdate after installation or configuration change
|
||||
- name: Run geoipupdate after installation or configuration change
|
||||
systemd: name=geoipupdate state=restarted
|
||||
when: installation is changed or configuration is changed
|
||||
|
||||
- name: start and enable geoipupdate.timer
|
||||
- name: Start and enable geoipupdate.timer
|
||||
systemd: name=geoipupdate.timer enabled=yes state=started
|
||||
|
|
|
@ -1,13 +1,13 @@
|
|||
- name: install docker dependencies
|
||||
- name: Install docker dependencies
|
||||
pacman: name=docker,python-docker state=present
|
||||
|
||||
- name: start docker
|
||||
- name: Start docker
|
||||
service: name=docker enabled=yes state=started
|
||||
|
||||
- name: copy sshd_config into place to change the port to 222
|
||||
- name: Copy sshd_config into place to change the port to 222
|
||||
copy: src=sshd_config dest=/srv/gitlab/sshd_config owner=root group=root mode=640
|
||||
|
||||
- name: start docker gitlab image
|
||||
- name: Start docker gitlab image
|
||||
docker_container:
|
||||
name: gitlab
|
||||
image: gitlab/gitlab-ee:latest
|
||||
|
@ -99,11 +99,11 @@
|
|||
- "/srv/gitlab/data:/var/opt/gitlab"
|
||||
- "/srv/gitlab/sshd_config:/assets/sshd_config"
|
||||
|
||||
- name: prune unused docker images
|
||||
- name: Prune unused docker images
|
||||
docker_prune:
|
||||
images: true
|
||||
|
||||
- name: open firewall holes
|
||||
- name: Open firewall holes
|
||||
ansible.posix.firewalld: port={{ item }} permanent=true state=enabled immediate=yes
|
||||
when: configure_firewall
|
||||
with_items:
|
||||
|
@ -114,11 +114,11 @@
|
|||
tags:
|
||||
- firewall
|
||||
|
||||
- name: copy gitlab-cleanup timer and service
|
||||
- name: Copy gitlab-cleanup timer and service
|
||||
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
|
||||
with_items:
|
||||
- gitlab-cleanup.timer
|
||||
- gitlab-cleanup.service
|
||||
|
||||
- name: activate systemd timers for gitlab-cleanup
|
||||
- name: Activate systemd timers for gitlab-cleanup
|
||||
systemd: name=gitlab-cleanup.timer enabled=yes state=started daemon-reload=yes
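Review bot: `image: gitlab/gitlab-ee:latest` in `Start docker gitlab image` deploys whatever the registry currently tags as latest, so a routine playbook run can silently move GitLab across major versions and the deployed state cannot be reproduced later; pinning the tag to a specific version string (or an image digest) keeps upgrades deliberate and auditable. The `docker_container` task continues past the hunk, so I cannot see whether a `pull:` setting is present.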
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
- name: systemd daemon-reload
|
||||
- name: Systemd daemon-reload
|
||||
systemd: daemon_reload=yes
|
||||
|
||||
- name: restart gitlab-runner
|
||||
- name: Restart gitlab-runner
|
||||
service: name=gitlab-runner state=restarted
|
||||
|
||||
- name: restart gitlab-runner-docker-cleanup.timer
|
||||
- name: Restart gitlab-runner-docker-cleanup.timer
|
||||
service: name=gitlab-runner-docker-cleanup.timer state=restarted daemon_reload=yes
|
||||
|
||||
- name: restart docker
|
||||
- name: Restart docker
|
||||
service: name=docker state=restarted
|
||||
|
|
|
@ -1,15 +1,15 @@
|
|||
- name: install dependencies
|
||||
- name: Install dependencies
|
||||
pacman: name=docker,python-docker,python-gitlab,gitlab-runner state=latest update_cache=yes
|
||||
notify: restart gitlab-runner
|
||||
|
||||
- name: install docker.slice
|
||||
- name: Install docker.slice
|
||||
copy: src=docker.slice dest=/etc/systemd/system/ owner=root group=root mode=0644
|
||||
notify: systemd daemon-reload
|
||||
|
||||
- name: start docker
|
||||
- name: Start docker
|
||||
systemd: name=docker enabled=yes state=started daemon_reload=yes
|
||||
|
||||
- name: configure Docker daemon for IPv6
|
||||
- name: Configure Docker daemon for IPv6
|
||||
copy: src=daemon.json dest=/etc/docker/daemon.json owner=root group=root mode=0644
|
||||
notify: restart docker
|
||||
|
||||
|
@ -17,7 +17,7 @@
|
|||
# https://medium.com/@skleeschulte/how-to-enable-ipv6-for-docker-containers-on-ubuntu-18-04-c68394a219a2
|
||||
# https://github.com/docker/docker.github.io/blob/c0eb65aabe4de94d56bbc20249179f626df5e8c3/engine/userguide/networking/default_network/ipv6.md
|
||||
# https://github.com/moby/moby/issues/36954
|
||||
- name: add IPv6 NAT for docker
|
||||
- name: Add IPv6 NAT for docker
|
||||
ansible.posix.firewalld:
|
||||
zone: public
|
||||
permanent: true
|
||||
|
@ -42,11 +42,11 @@
|
|||
# --locked=false \ # Use true for secure runners
|
||||
# --access-level=not_protected # Use ref_protected for secure runners
|
||||
# Note: Secure runners must be added manually to the relevant projects
|
||||
- name: install runner configuration
|
||||
- name: Install runner configuration
|
||||
template: src=config.toml.j2 dest=/etc/gitlab-runner/config.toml owner=root group=root mode=0600
|
||||
notify: restart gitlab-runner
|
||||
|
||||
- name: install gitlab-runner-docker-cleanup.{service,timer}
|
||||
- name: Install gitlab-runner-docker-cleanup.{service,timer}
|
||||
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
|
||||
loop:
|
||||
- gitlab-runner-docker-cleanup.service
|
||||
|
@ -54,24 +54,24 @@
|
|||
notify:
|
||||
- restart gitlab-runner-docker-cleanup.timer
|
||||
|
||||
- name: enable and start gitlab-runner-docker-cleanup.timer
|
||||
- name: Enable and start gitlab-runner-docker-cleanup.timer
|
||||
systemd: name=gitlab-runner-docker-cleanup.timer state=started enabled=yes daemon_reload=yes
|
||||
|
||||
- name: enable and start gitlab runner service
|
||||
- name: Enable and start gitlab runner service
|
||||
systemd: name=gitlab-runner state=started enabled=yes daemon_reload=yes
|
||||
|
||||
- name: setup libvirt-executor
|
||||
- name: Setup libvirt-executor
|
||||
block:
|
||||
- name: install libvirt-executor-update-base-image dependencies
|
||||
- name: Install libvirt-executor-update-base-image dependencies
|
||||
pacman: name=arch-install-scripts,sequoia-sq state=present
|
||||
|
||||
- name: create libvirt-executor configuration and data directories
|
||||
- name: Create libvirt-executor configuration and data directories
|
||||
file: path={{ item }} state=directory owner=root group=root mode=0755
|
||||
loop:
|
||||
- /etc/libvirt-executor
|
||||
- /usr/local/lib/libvirt-executor
|
||||
|
||||
- name: install libvirt-executor
|
||||
- name: Install libvirt-executor
|
||||
copy: src={{ item.src }} dest={{ item.dest }} owner=root group=root mode={{ item.mode }}
|
||||
loop:
|
||||
- {src: arch-boxes.asc, dest: /usr/local/lib/libvirt-executor/, mode: 644}
|
||||
|
@ -79,17 +79,17 @@
|
|||
- {src: libvirt-executor, dest: /usr/local/bin/, mode: 755}
|
||||
- {src: libvirt-executor-update-base-image, dest: /usr/local/bin/, mode: 755}
|
||||
|
||||
- name: create SSH keys for libvirt-executor
|
||||
- name: Create SSH keys for libvirt-executor
|
||||
command: ssh-keygen -N "" -f /etc/libvirt-executor/id_ed25519 -t ed25519
|
||||
args:
|
||||
creates: /etc/libvirt-executor/id_ed25519
|
||||
|
||||
- name: install libvirt-executor-update-base-image.{service,timer}
|
||||
- name: Install libvirt-executor-update-base-image.{service,timer}
|
||||
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
|
||||
loop:
|
||||
- libvirt-executor-update-base-image.service
|
||||
- libvirt-executor-update-base-image.timer
|
||||
|
||||
- name: enable and start libvirt-executor-update-base-image.timer
|
||||
- name: Enable and start libvirt-executor-update-base-image.timer
|
||||
systemd: name=libvirt-executor-update-base-image.timer state=started enabled=yes daemon_reload=yes
|
||||
when: "'gitlab_vm_runners' in group_names"
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
- name: daemon reload
|
||||
- name: Daemon reload
|
||||
systemd:
|
||||
daemon-reload: true
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
- name: install sequoia
|
||||
- name: Install sequoia
|
||||
pacman: name=sequoia-sq state=present
|
||||
|
||||
- name: install systemd service/timer
|
||||
- name: Install systemd service/timer
|
||||
copy: src={{ item }} dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
|
||||
with_items:
|
||||
- gluebuddy.service
|
||||
|
@ -9,16 +9,16 @@
|
|||
notify:
|
||||
- daemon reload
|
||||
|
||||
- name: enable timer
|
||||
- name: Enable timer
|
||||
systemd: name=gluebuddy.timer enabled=yes state=started
|
||||
|
||||
- name: install conf file
|
||||
- name: Install conf file
|
||||
template: src=gluebuddy.conf.j2 dest=/etc/conf.d/gluebuddy owner=root group=root mode=0600
|
||||
|
||||
- name: install download script
|
||||
- name: Install download script
|
||||
copy: src=gluebuddy_download.sh dest=/usr/local/bin/gluebuddy_download.sh owner=root group=root mode=0755
|
||||
|
||||
- name: download latest gluebuddy
|
||||
- name: Download latest gluebuddy
|
||||
command: /usr/local/bin/gluebuddy_download.sh
|
||||
tags:
|
||||
- skip_ansible_lint
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
- name: restart grafana
|
||||
- name: Restart grafana
|
||||
service: name=grafana state=restarted
|
||||
|
|
|
@ -1,25 +1,25 @@
|
|||
- name: install grafana
|
||||
- name: Install grafana
|
||||
pacman: name=grafana state=present
|
||||
|
||||
- name: create ssl cert
|
||||
- name: Create ssl cert
|
||||
include_role:
|
||||
name: certificate
|
||||
vars:
|
||||
domains: ["{{ grafana_domain }}"]
|
||||
|
||||
- name: set up nginx
|
||||
- name: Set up nginx
|
||||
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/grafana.conf owner=root group=http mode=640
|
||||
notify:
|
||||
- reload nginx
|
||||
tags: ['nginx']
|
||||
|
||||
- name: make nginx log dir
|
||||
- name: Make nginx log dir
|
||||
file: path=/var/log/nginx/{{ grafana_domain }} state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: create grafana config directory
|
||||
- name: Create grafana config directory
|
||||
file: path=/etc/grafana mode=0700 owner=grafana group=grafana state=directory
|
||||
|
||||
- name: create grafana provisioning directory
|
||||
- name: Create grafana provisioning directory
|
||||
file: path={{ item }} mode=0700 owner=grafana group=grafana state=directory
|
||||
with_items:
|
||||
- /etc/grafana/provisioning
|
||||
|
@ -29,27 +29,27 @@
|
|||
- /etc/grafana/provisioning/notifiers
|
||||
- /var/lib/grafana/dashboards
|
||||
|
||||
- name: install grafana datasources provisioning
|
||||
- name: Install grafana datasources provisioning
|
||||
template: src=datasources.yaml.j2 dest=/etc/grafana/provisioning/datasources/prometheus.yml owner=grafana group=root mode=0600
|
||||
notify: restart grafana
|
||||
|
||||
- name: install grafana dashboard provisioning
|
||||
- name: Install grafana dashboard provisioning
|
||||
template: src=dashboard.yaml.j2 dest=/etc/grafana/provisioning/dashboards/dasbhoard.yml owner=grafana group=root mode=0600
|
||||
notify: restart grafana
|
||||
|
||||
- name: copy grafana dashboards
|
||||
- name: Copy grafana dashboards
|
||||
copy: src=dashboards dest=/var/lib/grafana/dashboards owner=grafana group=grafana mode=0600
|
||||
|
||||
- name: copy (public) grafana dashboards
|
||||
- name: Copy (public) grafana dashboards
|
||||
copy: src=public-dashboards dest=/var/lib/grafana/ owner=root group=grafana mode=0640
|
||||
when: grafana_anonymous_access
|
||||
|
||||
- name: install grafana config
|
||||
- name: Install grafana config
|
||||
template: src=grafana.ini.j2 dest=/etc/grafana.ini owner=grafana group=root mode=0600
|
||||
notify: restart grafana
|
||||
|
||||
- name: fix /var/lib/grafana permissions
|
||||
- name: Fix /var/lib/grafana permissions
|
||||
file: path=/var/lib/grafana mode=0700 owner=grafana group=grafana
|
||||
|
||||
- name: start and enable service
|
||||
- name: Start and enable service
|
||||
service: name=grafana state=started enabled=true
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
- name: apply sysctl settings
|
||||
- name: Apply sysctl settings
|
||||
command: sysctl --system
|
||||
|
|
|
@ -1,40 +1,40 @@
|
|||
- name: set restricted access to kernel logs
|
||||
- name: Set restricted access to kernel logs
|
||||
copy: src=50-dmesg-restrict.conf dest=/etc/sysctl.d/50-dmesg-restrict.conf owner=root group=root mode=0644
|
||||
notify:
|
||||
- apply sysctl settings
|
||||
|
||||
- name: set ptrace scope, restrict ptrace to CAP_SYS_PTRACE
|
||||
- name: Set ptrace scope, restrict ptrace to CAP_SYS_PTRACE
|
||||
copy: src=50-ptrace-restrict.conf dest=/etc/sysctl.d/50-ptrace-restrict.conf owner=root group=root mode=0644
|
||||
when: "'buildservers' not in group_names"
|
||||
notify:
|
||||
- apply sysctl settings
|
||||
|
||||
- name: set restricted access to kernel pointers in proc fs
|
||||
- name: Set restricted access to kernel pointers in proc fs
|
||||
copy: src=50-kptr-restrict.conf dest=/etc/sysctl.d/50-kptr-restrict.conf owner=root group=root mode=0644
|
||||
notify:
|
||||
- apply sysctl settings
|
||||
|
||||
- name: enable JIT hardening for all users
|
||||
- name: Enable JIT hardening for all users
|
||||
copy: src=50-bpf_jit_harden.conf dest=/etc/sysctl.d/50-bpf_jit_harden.conf owner=root group=root mode=0644
|
||||
notify:
|
||||
- apply sysctl settings
|
||||
|
||||
- name: disable unprivileged bpf
|
||||
- name: Disable unprivileged bpf
|
||||
copy: src=50-unprivileged_bpf_disabled.conf dest=/etc/sysctl.d/50-unprivileged_bpf_disabled.conf owner=root group=root mode=0644
|
||||
notify:
|
||||
- apply sysctl settings
|
||||
|
||||
- name: disable unprivileged userns
|
||||
- name: Disable unprivileged userns
|
||||
copy: src=50-unprivileged_userns_clone.conf dest=/etc/sysctl.d/50-unprivileged_userns_clone.conf owner=root group=root mode=0644
|
||||
notify:
|
||||
- apply sysctl settings
|
||||
|
||||
- name: disable kexec load
|
||||
- name: Disable kexec load
|
||||
copy: src=50-kexec_load_disabled.conf dest=/etc/sysctl.d/50-kexec_load_disabled.conf owner=root group=root mode=0644
|
||||
notify:
|
||||
- apply sysctl settings
|
||||
|
||||
- name: set kernel lockdown to restricted
|
||||
- name: Set kernel lockdown to restricted
|
||||
copy: src=50-lockdown.conf dest=/etc/tmpfiles.d/50-kernel-lockdown.conf owner=root group=root mode=0644
|
||||
when: "'hcloud' in group_names"
|
||||
notify:
|
||||
|
|
|
@ -1,40 +1,40 @@
|
|||
- name: create ssl cert
|
||||
- name: Create ssl cert
|
||||
include_role:
|
||||
name: certificate
|
||||
vars:
|
||||
domains: ["{{ hedgedoc_domain }}"]
|
||||
|
||||
- name: install hedgedoc
|
||||
- name: Install hedgedoc
|
||||
pacman: name=hedgedoc state=present
|
||||
|
||||
- name: add hedgedoc postgres db
|
||||
- name: Add hedgedoc postgres db
|
||||
postgresql_db: db=hedgedoc
|
||||
become: true
|
||||
become_user: postgres
|
||||
become_method: su
|
||||
|
||||
- name: add hedgedoc postgres user
|
||||
- name: Add hedgedoc postgres user
|
||||
postgresql_user: db=hedgedoc name=hedgedoc password={{ vault_postgres_users.hedgedoc }} encrypted=true
|
||||
become: true
|
||||
become_user: postgres
|
||||
become_method: su
|
||||
|
||||
- name: make nginx log dir
|
||||
- name: Make nginx log dir
|
||||
file: path=/var/log/nginx/{{ hedgedoc_domain }} state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: set up nginx
|
||||
- name: Set up nginx
|
||||
template: src=nginx.d.conf.j2 dest={{ hedgedoc_nginx_conf }} owner=root group=http mode=640
|
||||
notify: reload nginx
|
||||
tags: ['nginx']
|
||||
|
||||
- name: add hedgedoc.service.d dir
|
||||
- name: Add hedgedoc.service.d dir
|
||||
file: state=directory path=/etc/systemd/system/hedgedoc.service.d owner=root group=root mode=0755
|
||||
|
||||
- name: install hedgedoc.service snippet for configuration
|
||||
- name: Install hedgedoc.service snippet for configuration
|
||||
template: src=hedgedoc.service.d.j2 dest=/etc/systemd/system/hedgedoc.service.d/local.conf owner=root group=root mode=0644
|
||||
|
||||
- name: install hedgedoc config file
|
||||
- name: Install hedgedoc config file
|
||||
template: src=config.json.j2 dest=/etc/webapps/hedgedoc/config.json owner=root group=root mode=0644
|
||||
|
||||
- name: start and enable hedgedoc
|
||||
- name: Start and enable hedgedoc
|
||||
service: name=hedgedoc.service enabled=yes state=started
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
# This role runs on localhost; use commands like sftp to upload configuration
|
||||
|
||||
- name: create the root backup directory at {{ backup_dir }}
|
||||
- name: Create the root backup directory at {{ backup_dir }}
|
||||
expect:
|
||||
command: bash -c "echo 'mkdir {{ backup_dir }}' | sftp -P 23 {{ storagebox_username }}@{{ storagebox_hostname }}"
|
||||
responses:
|
||||
(?i)password: "{{ storagebox_password }}"
|
||||
|
||||
- name: create a home directory for each sub-account
|
||||
- name: Create a home directory for each sub-account
|
||||
expect:
|
||||
command: |
|
||||
bash -c 'sftp -P 23 {{ storagebox_username }}@{{ storagebox_hostname }} <<EOF
|
||||
|
@ -17,7 +17,7 @@
|
|||
responses:
|
||||
(?i)password: "{{ storagebox_password }}"
|
||||
|
||||
- name: fetch ssh keys from each borg client machine
|
||||
- name: Fetch ssh keys from each borg client machine
|
||||
command: cat /root/.ssh/id_rsa.pub
|
||||
check_mode: false
|
||||
register: client_ssh_keys
|
||||
|
@ -25,16 +25,16 @@
|
|||
with_items: "{{ backup_clients }}"
|
||||
changed_when: client_ssh_keys.changed
|
||||
|
||||
- name: create tempfile
|
||||
- name: Create tempfile
|
||||
tempfile: state=file
|
||||
check_mode: false
|
||||
register: tempfile
|
||||
|
||||
- name: fill tempfile
|
||||
- name: Fill tempfile
|
||||
copy: content="{{ lookup('template', 'authorized_keys.j2') }}" dest="{{ tempfile.path }}" mode=preserve
|
||||
no_log: true
|
||||
|
||||
- name: upload authorized_keys for Arch DevOps
|
||||
- name: Upload authorized_keys for Arch DevOps
|
||||
expect:
|
||||
command: |
|
||||
bash -c 'sftp -P 23 {{ storagebox_username }}@{{ storagebox_hostname }} <<EOF
|
||||
|
@ -46,13 +46,13 @@
|
|||
responses:
|
||||
(?i)password: "{{ storagebox_password }}"
|
||||
|
||||
- name: upload authorized_keys for each backup client
|
||||
- name: Upload authorized_keys for each backup client
|
||||
include_tasks: upload_client_authorized_keys.yml
|
||||
loop: "{{ client_ssh_keys.results }}"
|
||||
loop_control:
|
||||
label: "{{ item.item }}"
|
||||
|
||||
- name: retrieve sub-account information
|
||||
- name: Retrieve sub-account information
|
||||
uri:
|
||||
url: https://robot-ws.your-server.de/storagebox/{{ storagebox_id }}/subaccount
|
||||
user: "{{ hetzner_webservice_username }}"
|
||||
|
@ -61,11 +61,11 @@
|
|||
register: subaccounts_raw
|
||||
no_log: true
|
||||
|
||||
- name: get list of sub-accounts
|
||||
- name: Get list of sub-accounts
|
||||
set_fact:
|
||||
subaccounts: "{{ subaccounts_raw.json | json_query('[].subaccount') }}"
|
||||
|
||||
- name: create missing sub-accounts
|
||||
- name: Create missing sub-accounts
|
||||
uri:
|
||||
timeout: 60
|
||||
url: https://robot-ws.your-server.de/storagebox/{{ storagebox_id }}/subaccount
|
||||
|
@ -81,21 +81,21 @@
|
|||
register: new_subaccounts_raw
|
||||
no_log: true
|
||||
|
||||
- name: update list of sub-accounts
|
||||
- name: Update list of sub-accounts
|
||||
set_fact:
|
||||
subaccounts: "{{ subaccounts + [item.json.subaccount | combine({'comment': item.invocation.module_args.body.comment})] }}"
|
||||
loop: "{{ new_subaccounts_raw.results }}"
|
||||
loop_control:
|
||||
label: "{{ item.invocation.module_args.body.comment }}"
|
||||
|
||||
- name: match usernames to backup clients
|
||||
- name: Match usernames to backup clients
|
||||
set_fact:
|
||||
backup_client_usernames: "{{ backup_client_usernames | default({}) | combine({item.comment: item.username}) }}"
|
||||
loop: "{{ subaccounts }}"
|
||||
loop_control:
|
||||
label: "{{ {item.comment: item.username} }}"
|
||||
|
||||
- name: configure ssh on backup clients
|
||||
- name: Configure ssh on backup clients
|
||||
blockinfile:
|
||||
path: /root/.ssh/config
|
||||
create: true
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
- name: fill tempfile
|
||||
- name: Fill tempfile
|
||||
copy: content="{{ lookup('template', 'authorized_keys_client.j2') }}" dest="{{ tempfile.path }}" mode=preserve
|
||||
no_log: true
|
||||
|
||||
- name: upload authorized_keys file to {{ backup_dir }}/{{ item.item }}
|
||||
- name: Upload authorized_keys file to {{ backup_dir }}/{{ item.item }}
|
||||
expect:
|
||||
command: |
|
||||
bash -c 'sftp {{ storagebox_username }}@{{ storagebox_hostname }} <<EOF
|
||||
|
|
|
@ -1,138 +1,138 @@
|
|||
- name: read /etc/motd
|
||||
- name: Read /etc/motd
|
||||
command: cat /etc/motd
|
||||
register: motd_contents
|
||||
changed_when: motd_contents.stdout | length > 0
|
||||
|
||||
- name: check whether we're running in Hetzner or Equinix Metal rescue environment
|
||||
- name: Check whether we're running in Hetzner or Equinix Metal rescue environment
|
||||
fail: msg="Not running in rescue system!"
|
||||
when: "'Hetzner Rescue' not in motd_contents.stdout and 'Rescue environment based on Alpine Linux' not in motd_contents.stdout"
|
||||
|
||||
- name: make sure all required packages are installed in the rescue system for installation
|
||||
- name: Make sure all required packages are installed in the rescue system for installation
|
||||
apk: name=sgdisk,btrfs-progs,tar update_cache=yes
|
||||
when: ansible_facts['os_family'] == "Alpine"
|
||||
|
||||
- name: create GRUB embed partitions
|
||||
- name: Create GRUB embed partitions
|
||||
command: sgdisk -g --clear -n 1:0:+1M {{ item }} -c 1:boot -t 1:ef02
|
||||
with_items:
|
||||
- "{{ system_disks }}"
|
||||
register: sgdisk
|
||||
changed_when: "sgdisk.rc == 0"
|
||||
|
||||
- name: create root partitions
|
||||
- name: Create root partitions
|
||||
command: sgdisk -n 2:0:0 {{ item }} -c 2:root
|
||||
with_items:
|
||||
- "{{ system_disks }}"
|
||||
register: sgdisk
|
||||
changed_when: "sgdisk.rc == 0"
|
||||
|
||||
- name: partition and format the disks (btrfs RAID)
|
||||
- name: Partition and format the disks (btrfs RAID)
|
||||
command: mkfs.btrfs -f -L root -d {{ raid_level|default('raid1') }} -m {{ raid_level|default('raid1') }} -O no-holes {{ system_disks | map('regex_replace', '^(.*)$', '\g<1>p2' if 'nvme' in system_disks[0] else '\g<1>2') | join(' ') }}
|
||||
when: filesystem == "btrfs" and system_disks|length >= 2
|
||||
|
||||
- name: partition and format the disks (btrfs single)
|
||||
- name: Partition and format the disks (btrfs single)
|
||||
command: mkfs.btrfs -f -L root -d single -m single -O no-holes {{ system_disks[0] }}{{ 'p2' if 'nvme' in system_disks[0] else '2' }}
|
||||
when: filesystem == "btrfs" and system_disks|length == 1
|
||||
|
||||
- name: mount the filesystem (btrfs)
|
||||
- name: Mount the filesystem (btrfs)
|
||||
mount: src="{{ system_disks[0] }}{{ 'p2' if 'nvme' in system_disks[0] else '2' }}" path=/mnt state=mounted fstype=btrfs opts="compress-force=zstd,space_cache=v2"
|
||||
when: filesystem == "btrfs"
|
||||
|
||||
- name: touch LOCK file on mountpoint
|
||||
- name: Touch LOCK file on mountpoint
|
||||
file: path=/mnt/LOCK state=touch owner=root group=root mode=0644
|
||||
|
||||
- name: download bootstrap image
|
||||
- name: Download bootstrap image
|
||||
get_url:
|
||||
url: https://geo.mirror.pkgbuild.com/iso/{{ bootstrap_version }}/archlinux-bootstrap-x86_64.tar.gz
|
||||
dest: /tmp/
|
||||
mode: 0644
|
||||
|
||||
- name: extract boostrap image # noqa 208
|
||||
- name: Extract boostrap image # noqa 208
|
||||
unarchive:
|
||||
src: /tmp/archlinux-bootstrap-x86_64.tar.gz
|
||||
dest: /tmp
|
||||
remote_src: true
|
||||
creates: /tmp/root.x86_64
|
||||
|
||||
- name: copy resolv.conf to bootstrap chroot
|
||||
- name: Copy resolv.conf to bootstrap chroot
|
||||
copy: remote_src=true src=/etc/resolv.conf dest=/tmp/root.x86_64/etc/resolv.conf owner=root group=root mode=0644
|
||||
|
||||
- name: mount /proc to bootstrap chroot
|
||||
- name: Mount /proc to bootstrap chroot
|
||||
command: mount --rbind /proc /tmp/root.x86_64/proc creates=/tmp/root.x86_64/proc/uptime # noqa 303
|
||||
|
||||
- name: mount /sys to bootstrap chroot
|
||||
- name: Mount /sys to bootstrap chroot
|
||||
command: mount --rbind /sys /tmp/root.x86_64/sys creates=/tmp/root.x86_64/sys/dev # noqa 303
|
||||
|
||||
- name: mount /dev to bootstrap chroot
|
||||
- name: Mount /dev to bootstrap chroot
|
||||
command: mount --rbind /dev /tmp/root.x86_64/dev creates=/tmp/root.x86_64/dev/zero # noqa 303
|
||||
|
||||
- name: mount /mnt to bootstrap chroot
|
||||
- name: Mount /mnt to bootstrap chroot
|
||||
command: mount --rbind /mnt /tmp/root.x86_64/mnt creates=/tmp/root.x86_64/mnt/LOCK # noqa 303
|
||||
|
||||
- name: configure pacman mirror
|
||||
- name: Configure pacman mirror
|
||||
template: src=mirrorlist.j2 dest=/tmp/root.x86_64/etc/pacman.d/mirrorlist owner=root group=root mode=0644
|
||||
|
||||
- name: initialize pacman keyring inside bootstrap chroot
|
||||
- name: Initialize pacman keyring inside bootstrap chroot
|
||||
command: chroot /tmp/root.x86_64 pacman-key --init
|
||||
register: chroot_pacman_key_init
|
||||
changed_when: "chroot_pacman_key_init.rc == 0"
|
||||
|
||||
- name: populate pacman keyring inside bootstrap chroot
|
||||
- name: Populate pacman keyring inside bootstrap chroot
|
||||
command: chroot /tmp/root.x86_64 pacman-key --populate archlinux
|
||||
register: chroot_pacman_key_populate
|
||||
changed_when: "chroot_pacman_key_populate.rc == 0"
|
||||
|
||||
- name: install ucode update
|
||||
- name: Install ucode update
|
||||
block:
|
||||
- name: install ucode update for Intel
|
||||
- name: Install ucode update for Intel
|
||||
set_fact: ucode="intel-ucode"
|
||||
when: "'GenuineIntel' in ansible_facts['processor']"
|
||||
|
||||
- name: install ucode update for AMD
|
||||
- name: Install ucode update for AMD
|
||||
set_fact: ucode="amd-ucode"
|
||||
when: "'AuthenticAMD' in ansible_facts['processor']"
|
||||
when:
|
||||
- "'hcloud' not in group_names"
|
||||
- inventory_hostname != 'packer-base-image'
|
||||
|
||||
- name: install arch base from bootstrap chroot
|
||||
- name: Install arch base from bootstrap chroot
|
||||
command: chroot /tmp/root.x86_64 pacstrap /mnt base linux btrfs-progs grub openssh python-requests python-yaml inetutils {{ ucode | default('') }}
|
||||
args:
|
||||
creates: /tmp/root.x86_64/mnt/bin
|
||||
|
||||
- name: mount /proc to new chroot
|
||||
- name: Mount /proc to new chroot
|
||||
command: mount --rbind /proc /mnt/proc creates=/mnt/proc/uptime # noqa 303
|
||||
|
||||
- name: mount /sys to new chroot
|
||||
- name: Mount /sys to new chroot
|
||||
command: mount --rbind /sys /mnt/sys creates=/mnt/sys/dev # noqa 303
|
||||
|
||||
- name: mount /dev to new chroot
|
||||
- name: Mount /dev to new chroot
|
||||
command: mount --rbind /dev /mnt/dev creates=/mnt/dev/zero # noqa 303
|
||||
|
||||
- name: configure locale.gen
|
||||
- name: Configure locale.gen
|
||||
lineinfile: dest=/mnt/etc/locale.gen line="en_US.UTF-8 UTF-8" owner=root group=root mode=0644
|
||||
|
||||
- name: run locale-gen inside chroot
|
||||
- name: Run locale-gen inside chroot
|
||||
command: chroot /mnt locale-gen
|
||||
register: chroot_locale_gen
|
||||
changed_when: "chroot_locale_gen.rc == 0"
|
||||
|
||||
- name: run systemd-firstboot
|
||||
- name: Run systemd-firstboot
|
||||
command: chroot /mnt systemd-firstboot --locale=C.UTF-8 --timezone=UTC --hostname={{ hostname }}
|
||||
register: chroot_systemd_firstboot
|
||||
changed_when: "chroot_systemd_firstboot.rc == 0"
|
||||
|
||||
- name: run mkinitcpio
|
||||
- name: Run mkinitcpio
|
||||
command: chroot /mnt mkinitcpio -p linux
|
||||
register: chroot_mkinitcpio
|
||||
changed_when: "chroot_mkinitcpio.rc == 0"
|
||||
|
||||
- name: configure networking
|
||||
- name: Configure networking
|
||||
include_role:
|
||||
name: networking
|
||||
vars:
|
||||
chroot_path: "/mnt"
|
||||
|
||||
- name: provide default mount options (btrfs)
|
||||
- name: Provide default mount options (btrfs)
|
||||
lineinfile:
|
||||
path: /mnt/etc/default/grub
|
||||
owner: root
|
||||
|
@ -142,45 +142,45 @@
|
|||
line: "GRUB_CMDLINE_LINUX_DEFAULT=\"rootflags=compress-force=zstd\""
|
||||
when: filesystem == "btrfs"
|
||||
|
||||
- name: install grub
|
||||
- name: Install grub
|
||||
command: chroot /mnt grub-install --recheck {{ item }}
|
||||
with_items:
|
||||
- "{{ system_disks }}"
|
||||
register: chroot_grub_install
|
||||
changed_when: "chroot_grub_install.rc == 0"
|
||||
|
||||
- name: configure grub
|
||||
- name: Configure grub
|
||||
command: chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg
|
||||
register: chroot_grub_mkconfig
|
||||
changed_when: "chroot_grub_mkconfig.rc == 0"
|
||||
|
||||
- name: setup pacman-init.service on first boot
|
||||
- name: Setup pacman-init.service on first boot
|
||||
copy: src=pacman-init.service dest=/mnt/etc/systemd/system/ owner=root group=root mode=0644
|
||||
|
||||
- name: remove generated keyring in the installation process
|
||||
- name: Remove generated keyring in the installation process
|
||||
file: path=/mnt/etc/pacman.d/gnupg state=absent
|
||||
|
||||
- name: make sure /etc/machine-id is absent
|
||||
- name: Make sure /etc/machine-id is absent
|
||||
file: path=/mnt/etc/machine-id state=absent
|
||||
|
||||
- name: enable services inside chroot
|
||||
- name: Enable services inside chroot
|
||||
command: chroot /mnt systemctl enable sshd systemd-networkd systemd-resolved fstrim.timer pacman-init
|
||||
register: chroot_systemd_services
|
||||
changed_when: "chroot_systemd_services.rc == 0"
|
||||
|
||||
- name: add authorized key for root
|
||||
- name: Add authorized key for root
|
||||
include_role:
|
||||
name: root_ssh
|
||||
vars:
|
||||
root_ssh_directory: /tmp/root.x86_64/mnt/root/.ssh
|
||||
|
||||
- name: configure sshd
|
||||
- name: Configure sshd
|
||||
template: src=sshd_config.j2 dest=/mnt/etc/ssh/sshd_config owner=root group=root mode=0644
|
||||
|
||||
- name: clean pacman cache
|
||||
- name: Clean pacman cache
|
||||
shell: yes | chroot /mnt pacman -Scc # noqa risky-shell-pipe ("Illegal option -o pipefail" in Hetzner's recovery environment (dash?))
|
||||
register: chroot_pacman_clean_cache
|
||||
changed_when: "chroot_pacman_clean_cache.rc == 0"
|
||||
|
||||
- name: remove LOCK file on mountpoint
|
||||
- name: Remove LOCK file on mountpoint
|
||||
file: path=/mnt/LOCK state=absent
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
- name: restart keycloak
|
||||
- name: Restart keycloak
|
||||
service: name=keycloak state=restarted
|
||||
|
||||
- name: daemon reload
|
||||
- name: Daemon reload
|
||||
systemd:
|
||||
daemon-reload: true
|
||||
|
|
|
@ -1,56 +1,56 @@
|
|||
- name: install keycloak
|
||||
- name: Install keycloak
|
||||
pacman: name=jre11-openjdk,keycloak,keycloak-archlinux-theme,keycloak-metrics-spi,python-passlib state=present
|
||||
|
||||
- name: create postgres keycloak user
|
||||
- name: Create postgres keycloak user
|
||||
postgresql_user: name="{{ vault_keycloak_db_user }}" password="{{ vault_keycloak_db_password }}"
|
||||
become: true
|
||||
become_user: postgres
|
||||
become_method: su
|
||||
no_log: true
|
||||
|
||||
- name: create keycloak db
|
||||
- name: Create keycloak db
|
||||
postgresql_db: name="{{ keycloak_db_name }}" owner="{{ vault_keycloak_db_user }}"
|
||||
become: true
|
||||
become_user: postgres
|
||||
become_method: su
|
||||
|
||||
- name: template keycloak config
|
||||
- name: Template keycloak config
|
||||
template: src=keycloak.conf.j2 dest=/etc/keycloak/keycloak.conf owner=root group=keycloak mode=640
|
||||
no_log: true
|
||||
notify:
|
||||
- restart keycloak
|
||||
|
||||
- name: create drop-in directory for keycloak.service
|
||||
- name: Create drop-in directory for keycloak.service
|
||||
file: path=/etc/systemd/system/keycloak.service.d state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: get service facts
|
||||
- name: Get service facts
|
||||
service_facts:
|
||||
|
||||
- name: create an admin user when first starting keycloak
|
||||
- name: Create an admin user when first starting keycloak
|
||||
block:
|
||||
- name: install admin creation drop-in for keycloak.service
|
||||
- name: Install admin creation drop-in for keycloak.service
|
||||
copy: src=create-keycloak-admin.conf dest=/etc/systemd/system/keycloak.service.d/ owner=root group=root mode=0644
|
||||
|
||||
- name: install temporary environment file with admin credentials
|
||||
- name: Install temporary environment file with admin credentials
|
||||
template: src=admin-user.conf.j2 dest=/etc/keycloak/admin-user.conf owner=root group=root mode=0600
|
||||
no_log: true
|
||||
|
||||
- name: start and enable keycloak
|
||||
- name: Start and enable keycloak
|
||||
service: name=keycloak enabled=yes daemon_reload=yes state=started
|
||||
|
||||
- name: wait for keycloak to initialize
|
||||
- name: Wait for keycloak to initialize
|
||||
wait_for: port={{ keycloak_port }}
|
||||
always:
|
||||
- name: remove admin credentials once keycloak is running
|
||||
- name: Remove admin credentials once keycloak is running
|
||||
file: path=/etc/keycloak/admin-user.conf state=absent
|
||||
|
||||
- name: remove admin creation drop-in
|
||||
- name: Remove admin creation drop-in
|
||||
file: path=/etc/systemd/system/keycloak.service.d/create-keycloak-admin.conf state=absent
|
||||
notify:
|
||||
- daemon reload
|
||||
when: ansible_facts.services["keycloak.service"]["state"] != "running"
|
||||
|
||||
- name: open firewall hole
|
||||
- name: Open firewall hole
|
||||
ansible.posix.firewalld: port={{ item }} permanent=true state=enabled immediate=yes
|
||||
when: configure_firewall
|
||||
with_items:
|
||||
|
@ -59,7 +59,7 @@
|
|||
tags:
|
||||
- firewall
|
||||
|
||||
- name: create htpasswd for nginx prometheus endpoint
|
||||
- name: Create htpasswd for nginx prometheus endpoint
|
||||
htpasswd:
|
||||
path: "{{ keycloak_nginx_htpasswd }}"
|
||||
name: "{{ vault_keycloak_nginx_user }}"
|
||||
|
@ -68,16 +68,16 @@
|
|||
group: http
|
||||
mode: 0640
|
||||
|
||||
- name: create ssl cert
|
||||
- name: Create ssl cert
|
||||
include_role:
|
||||
name: certificate
|
||||
vars:
|
||||
domains: ["{{ keycloak_domain }}"]
|
||||
|
||||
- name: make nginx log dir
|
||||
- name: Make nginx log dir
|
||||
file: path="/var/log/nginx/{{ keycloak_domain }}" state=directory owner=root mode=0755
|
||||
|
||||
- name: set up nginx
|
||||
- name: Set up nginx
|
||||
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/keycloak.conf owner=root group=root mode=0644
|
||||
notify:
|
||||
- reload nginx
|
||||
|
|