mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2025-01-18 08:06:16 +01:00
f562b4e927
This should i.e. forbid crawlers to index all of the git diffs which put's unneccessary load on the server and is not really of benefit to be indexed anyways. Link: https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/610 Reviewed-by: Sven-Hendrik Haase <svenstaro@gmail.com> Reviewed-by: Levente Polyak <anthraxx@archlinux.org> Signed-off-by: Christian Heusel <christian@heusel.eu>
333 lines
10 KiB
YAML
333 lines
10 KiB
YAML
- name: Install required packages
|
|
pacman:
|
|
state: present
|
|
name:
|
|
- asciidoc
|
|
- highlight
|
|
- make
|
|
- sudo
|
|
- uwsgi-plugin-cgi
|
|
- python-poetry
|
|
- gcc
|
|
- pkg-config
|
|
- goaurrpc
|
|
|
|
- name: Install the cgit package
|
|
pacman:
|
|
state: present
|
|
name:
|
|
- cgit-aurweb
|
|
register: cgit
|
|
|
|
- name: Install the git package
|
|
pacman:
|
|
state: present
|
|
name:
|
|
- git
|
|
register: git
|
|
|
|
- name: Make aur user
|
|
user: name="{{ aurweb_user }}" shell=/bin/bash createhome=yes
|
|
register: aur_user
|
|
|
|
- name: Github SSH configuration tasks
|
|
when: aurweb_environment_type == "prod"
|
|
block:
|
|
- name: Install SSH key for mirroring to GitHub
|
|
copy: src=id_ed25519.vault dest={{ aur_user.home }}/.ssh/id_ed25519 owner={{ aur_user.name }} group={{ aur_user.name }} mode=0600
|
|
|
|
- name: Fetch host keys for github.com
|
|
command: ssh-keyscan github.com
|
|
args:
|
|
creates: "{{ aur_user.home }}/.ssh/known_hosts"
|
|
register: github_host_keys
|
|
|
|
- name: Write github.com host keys to the aur user's known_hosts
|
|
lineinfile: name={{ aur_user.home }}/.ssh/known_hosts create=yes line={{ item }} owner={{ aur_user.name }} group={{ aur_user.name }} mode=0644
|
|
loop: "{{ github_host_keys.stdout_lines }}"
|
|
when: github_host_keys.changed
|
|
|
|
- name: Create directory
|
|
file: path={{ aurweb_dir }} state=directory owner={{ aurweb_user }} group=http mode=0775
|
|
|
|
- name: Receive valid signing keys
|
|
command: /usr/bin/gpg --keyserver keys.openpgp.org --recv {{ item }}
|
|
loop: '{{ aurweb_pgp_keys }}'
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
register: gpg
|
|
changed_when: "gpg.rc == 0"
|
|
|
|
- name: Aurweb git repo check
|
|
git: >
|
|
repo={{ aurweb_repository }}
|
|
dest="{{ aurweb_dir }}"
|
|
version={{ aurweb_version }}
|
|
verify_commit=true
|
|
gpg_allowlist='{{ aurweb_pgp_keys }}'
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
register: release
|
|
check_mode: true
|
|
|
|
- name: Install AUR systemd service and timers
|
|
template: src={{ item.name }}.j2 dest=/etc/systemd/system/{{ item.name }} owner=root group=root mode=0644
|
|
with_items:
|
|
- "{{ aurweb_services }}"
|
|
- "{{ aurweb_timers }}"
|
|
when: release.changed and (item.install is not defined or item.install)
|
|
|
|
- name: Stop AUR systemd services and timers
|
|
service: name={{ item.name }} enabled=yes state=stopped
|
|
with_items:
|
|
- "{{ aurweb_services }}"
|
|
- "{{ aurweb_timers }}"
|
|
when: release.changed and (item.restart is not defined or item.restart)
|
|
|
|
- name: Clone aurweb repo
|
|
git: >
|
|
repo={{ aurweb_repository }}
|
|
dest="{{ aurweb_dir }}"
|
|
version={{ aurweb_version }}
|
|
verify_commit=true
|
|
gpg_allowlist='{{ aurweb_pgp_keys }}'
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
when: release.changed
|
|
|
|
- name: Create necessary directories
|
|
file: path={{ aurweb_dir }}/{{ item }} state=directory owner={{ aurweb_user }} group={{ aurweb_user }} mode=0755
|
|
with_items:
|
|
- 'aurblup'
|
|
- 'sessions'
|
|
- 'uploads'
|
|
- 'archives'
|
|
|
|
- name: Create aurweb conf dir
|
|
file: path={{ aurweb_conf_dir }} state=directory owner=root group=root mode=0755
|
|
|
|
- name: Copy aurweb configuration file
|
|
copy: src={{ aurweb_dir }}/conf/config.defaults dest={{ aurweb_conf_dir }}/config.defaults remote_src=yes owner=root group=root mode=0644
|
|
|
|
- name: Configure robots.txt
|
|
copy: src=robots.txt dest="{{ aurweb_dir }}/robots.txt" owner=root group=root mode=0644
|
|
|
|
- name: Install goaurrpc configuration
|
|
template: src=goaurrpc.conf.j2 dest=/etc/goaurrpc.conf owner=root group=root mode=0644
|
|
|
|
# Note: initdb needs the config
|
|
- name: Install custom aurweb configuration
|
|
template: src=config.j2 dest={{ aurweb_conf_dir }}/config owner=root group=root mode=0644
|
|
|
|
- name: Create aur db
|
|
mysql_db: name="{{ aurweb_db }}" login_host="{{ aurweb_db_host }}" login_password="{{ vault_mariadb_users.root }}" encoding=utf8
|
|
register: db_created
|
|
no_log: true
|
|
|
|
- name: Create aur db user
|
|
mysql_user: name={{ aurweb_db_user }} password={{ vault_aurweb_db_password }}
|
|
login_host="{{ aurweb_db_host }}" login_password="{{ vault_mariadb_users.root }}"
|
|
priv="{{ aurweb_db }}.*:ALL"
|
|
no_log: true
|
|
|
|
- name: Install python modules # noqa no-changed-when
|
|
command: poetry install
|
|
args:
|
|
chdir: "{{ aurweb_dir }}"
|
|
environment:
|
|
POETRY_VIRTUALENVS_IN_PROJECT: "true"
|
|
# https://github.com/python-poetry/poetry/issues/1917
|
|
PYTHON_KEYRING_BACKEND: "keyring.backends.null.Keyring"
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
|
|
- name: Initialize the database # noqa no-changed-when
|
|
command: poetry run python -m aurweb.initdb
|
|
args:
|
|
chdir: "{{ aurweb_dir }}"
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
when: db_created.changed
|
|
|
|
- name: Run migrations # noqa no-changed-when
|
|
command: poetry run alembic upgrade head
|
|
args:
|
|
chdir: "{{ aurweb_dir }}"
|
|
environment:
|
|
PYTHONPATH: .
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
when: release.changed or db_created.changed
|
|
|
|
- name: Install custom aurweb-git-auth wrapper script
|
|
template: src=aurweb-git-auth.sh.j2 dest=/usr/local/bin/aurweb-git-auth.sh owner=root group=root mode=0755
|
|
when: release.changed
|
|
|
|
- name: Install custom aurweb-git-serve wrapper script
|
|
template: src=aurweb-git-serve.sh.j2 dest=/usr/local/bin/aurweb-git-serve.sh owner=root group=root mode=0755
|
|
when: release.changed
|
|
|
|
- name: Install custom aurweb-git-update wrapper script
|
|
template: src=aurweb-git-update.sh.j2 dest=/usr/local/bin/aurweb-git-update.sh owner=root group=root mode=0755
|
|
when: release.changed
|
|
|
|
# - name: Install aurweb-git-gc script
|
|
# template: src=aurweb-git-gc.sh.j2 dest=/usr/local/bin/aurweb-git-gc.sh owner=root group=root mode=0755
|
|
# when: release.changed
|
|
|
|
- name: Generate HTML documentation
|
|
make:
|
|
chdir: "{{ aurweb_dir }}/doc"
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
|
|
- name: Generate Translations
|
|
make:
|
|
chdir: "{{ aurweb_dir }}/po"
|
|
target: "install"
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
|
|
- name: Create ssl cert
|
|
include_role:
|
|
name: certificate
|
|
vars:
|
|
domains: ["{{ aurweb_domain }}"]
|
|
|
|
- name: Set up nginx
|
|
template: src=nginx.d.conf.j2 dest={{ aurweb_nginx_conf }} owner=root group=http mode=640
|
|
notify: Reload nginx
|
|
tags: ['nginx']
|
|
|
|
- name: Make nginx log dir
|
|
file: path=/var/log/nginx/{{ aurweb_domain }} state=directory owner=root group=root mode=0755
|
|
|
|
- name: Install cgit configuration
|
|
template: src=cgitrc.j2 dest="{{ aurweb_conf_dir }}/cgitrc" owner=root group=root mode=0644
|
|
|
|
- name: Configure cgit uwsgi service
|
|
template: src=cgit.ini.j2 dest=/etc/uwsgi/vassals/cgit.ini owner={{ aurweb_user }} group=http mode=0644
|
|
|
|
- name: Deploy new cgit release
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
file: path=/etc/uwsgi/vassals/cgit.ini state=touch owner={{ aurweb_user }} group=http mode=0644
|
|
when: cgit.changed
|
|
|
|
- name: Configure smartgit uwsgi service
|
|
template: src=smartgit.ini.j2 dest=/etc/uwsgi/vassals/smartgit.ini owner={{ aurweb_user }} group=http mode=0644
|
|
|
|
- name: Deploy new smartgit release
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
file:
|
|
path: /etc/uwsgi/vassals/smartgit.ini
|
|
state: touch
|
|
owner: "{{ aurweb_user }}"
|
|
group: http
|
|
mode: '0644'
|
|
when: git.changed
|
|
|
|
- name: Create git repo dir
|
|
file: path={{ aurweb_git_dir }} state=directory owner={{ aurweb_user }} group=http mode=0775
|
|
|
|
- name: Init git directory # noqa command-instead-of-module
|
|
command: git init --bare {{ aurweb_git_dir }}
|
|
args:
|
|
creates: "{{ aurweb_git_dir }}/HEAD"
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
|
|
- name: Save hideRefs setting on var # noqa command-instead-of-module no-changed-when
|
|
command: git config --file config --get-all transfer.hideRefs
|
|
register: git_config
|
|
args:
|
|
chdir: "{{ aurweb_git_dir }}"
|
|
failed_when: git_config.rc == 2 # FIXME: does not work.
|
|
|
|
- name: Configure git tranfser.hideRefs # noqa command-instead-of-module no-changed-when
|
|
command: git config --local transfer.hideRefs '^refs/'
|
|
args:
|
|
chdir: "{{ aurweb_git_dir }}"
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
when: git_config.stdout.find('^refs/') == -1
|
|
|
|
- name: Configure git transfer.hideRefs second # noqa command-instead-of-module no-changed-when
|
|
command: git config --local --add transfer.hideRefs '!refs/'
|
|
args:
|
|
chdir: "{{ aurweb_git_dir }}"
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
when: git_config.stdout.find('!refs/') == -1
|
|
|
|
- name: Configure git transfer.hideRefs third # noqa command-instead-of-module no-changed-when
|
|
command: git config --local --add transfer.hideRefs '!HEAD'
|
|
args:
|
|
chdir: "{{ aurweb_git_dir }}"
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
when: git_config.stdout.find('!HEAD') == -1
|
|
|
|
- name: Set git-receive-pack to explicitly check all received objects # noqa command-instead-of-module no-changed-when
|
|
command: git config --local receive.fsckobjects true
|
|
args:
|
|
chdir: "{{ aurweb_git_dir }}"
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
|
|
- name: Link custom aurweb-git-update wrapper to hooks/update
|
|
file:
|
|
src: /usr/local/bin/aurweb-git-update.sh
|
|
dest: "{{ aurweb_dir }}/aur.git/hooks/update"
|
|
state: link
|
|
when: release.changed
|
|
|
|
- name: Configure sshd
|
|
template: src=aurweb_config.j2 dest=/etc/ssh/sshd_config.d/aurweb.conf owner=root group=root mode=0600 validate='/usr/sbin/sshd -t -f %s'
|
|
notify:
|
|
- Restart sshd
|
|
|
|
- name: Start and enable AUR systemd services and timers
|
|
systemd: name={{ item.name }} enabled=yes state=started daemon_reload=yes
|
|
with_items:
|
|
- "{{ aurweb_services }}"
|
|
- "{{ aurweb_timers }}"
|
|
when: release.changed and (item.restart is not defined or item.restart)
|
|
|
|
- name: Generate and import dummy data
|
|
when: aurweb_environment_type == "dev"
|
|
block:
|
|
- name: Install packages for dummy data generation
|
|
pacman:
|
|
state: present
|
|
name:
|
|
- words
|
|
- fortune-mod
|
|
|
|
- name: Create data dir
|
|
file:
|
|
path: "{{ aurweb_dir }}/data"
|
|
state: directory
|
|
mode: "0755"
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
|
|
- name: Generate dummy data
|
|
command: poetry run schema/gendummydata.py data/dummy.sql
|
|
register: generated_data
|
|
args:
|
|
chdir: "{{ aurweb_dir }}"
|
|
creates: "{{ aurweb_dir }}/data/dummy.sql"
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
|
|
- name: Import dummy data
|
|
mysql_db:
|
|
name: "{{ aurweb_db }}"
|
|
login_host: "{{ aurweb_db_host }}"
|
|
login_password: "{{ vault_mariadb_users.root }}"
|
|
state: import
|
|
target: "{{ aurweb_dir }}/data/dummy.sql"
|
|
when: generated_data.changed
|