mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2025-01-18 08:06:16 +01:00
199cc1fc2e
/srv/repos/lock is the lock file location configured via a dbscripts config. Only accessible for users in junior-packager group, a lot better would be if sourceballs could write a lock file into /run/sourceballs.lck as it is unrelated to /srv/repos.
267 lines
11 KiB
YAML
267 lines
11 KiB
YAML
- name: Install git, rsync and some perl stuff
|
|
pacman: name=git,rsync,perl-dbd-pg,perl-timedate,diffstat state=present
|
|
|
|
- name: Install sourceballs requirements (makepkg download dependencies)
|
|
pacman: name=git,subversion,mercurial,breezy state=present
|
|
|
|
- name: Install binutils for createlinks script
|
|
pacman: name=binutils state=present
|
|
|
|
- name: Install fcgiwrap for the Git repo
|
|
pacman: name=fcgiwrap state=present
|
|
|
|
- name: Install fcgiwrap for the Git repo
|
|
systemd_service: name=fcgiwrap.socket enabled=yes state=started
|
|
|
|
- name: Allow state repo to be exported
|
|
file: path="/srv/repos/state/.git/git-daemon-export-ok" state=touch owner=git-packages group=junior-packager mode=0644
|
|
|
|
- name: Create dbscripts users
|
|
user: name="{{ item }}" shell=/bin/bash
|
|
loop:
|
|
- git-packages
|
|
|
|
- name: Add cleanup user
|
|
user: name=cleanup groups=junior-dev,dev,junior-packager,packager shell=/sbin/nologin
|
|
|
|
- name: Add sourceballs user
|
|
user: name=sourceballs groups=junior-dev,dev,junior-packager,packager shell=/sbin/nologin
|
|
|
|
- name: Set up sudoers.d for special users
|
|
copy: src=sudoers.d dest=/etc/sudoers.d/dbscripts owner=root group=root mode=0600 validate='visudo -cf %s'
|
|
|
|
- name: Create ssl cert
|
|
include_role:
|
|
name: certificate
|
|
vars:
|
|
domains: ["{{ repos_domain }}", "{{ repos_rsync_domain }}"]
|
|
|
|
- name: Make nginx log dir
|
|
file: path=/var/log/nginx/{{ repos_domain }} state=directory owner=root group=root mode=0755
|
|
|
|
- name: Set up nginx
|
|
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/dbscripts.conf owner=root group=root mode=0644
|
|
notify:
|
|
- Reload nginx
|
|
tags:
|
|
- nginx
|
|
|
|
- name: Create Arch Linux-specific users
|
|
ansible.builtin.user:
|
|
name: "{{ item.key }}"
|
|
group: users
|
|
groups: "{{ item.value.groups | join(',') }}"
|
|
comment: "{{ item.value.name }}"
|
|
state: present
|
|
loop: "{{ arch_users | dict2items }}"
|
|
|
|
- name: Create /etc/dbscripts directory
|
|
file: path=/etc/dbscripts state=directory owner=root group=root mode=0755
|
|
|
|
- name: Generate dbscripts authors mapping
|
|
template: src=authors.conf.j2 dest=/etc/dbscripts/authors.conf owner=root group=root mode=644
|
|
vars:
|
|
packager_groups: ['packager', 'junior-packager', 'dev', 'junior-dev']
|
|
tags: ['archusers']
|
|
|
|
- name: Create staging directories in user homes
|
|
dbscripts_mkdirs:
|
|
pathtmpl: '/home/{user}/staging/{dirname}'
|
|
permissions: '755'
|
|
directories: ['', 'core', 'extra', 'multilib', 'multilib-staging', 'multilib-testing', 'core-testing', 'core-staging', 'extra-testing', 'extra-staging']
|
|
users: "{{ arch_users.keys() | list }}"
|
|
group: users
|
|
tags: ["archusers"]
|
|
|
|
- name: Create dbscripts paths
|
|
file: path="{{ item }}" state=directory owner=root group=root mode=0755
|
|
loop:
|
|
- /srv/repos/git-packages
|
|
|
|
- name: Create git-packages/package-cleanup directory
|
|
file: path="/srv/repos/git-packages/package-cleanup" state=directory owner=git-packages group=junior-packager mode=0775
|
|
- name: Add acl user:cleanup:rwx to /srv/repos/git-packages/package-cleanup
|
|
acl: name=/srv/repos/git-packages/package-cleanup entry="user:cleanup:rwx" state=present
|
|
- name: Add acl default:user::rwx to /srv/repos/git-packages/package-cleanup
|
|
acl: name=/srv/repos/git-packages/package-cleanup entry="default:user::rwx" state=present
|
|
- name: Add acl default:user:cleanup:rwx to /srv/repos/git-packages/package-cleanup
|
|
acl: name=/srv/repos/git-packages/package-cleanup entry="default:user:cleanup:rwx" state=present
|
|
- name: Add acl default:group::rwx to /srv/repos/git-packages/package-cleanup
|
|
acl: name=/srv/repos/git-packages/package-cleanup entry="default:group::rwx" state=present
|
|
- name: Add acl default:other::r-x to /srv/repos/git-packages/package-cleanup
|
|
acl: name=/srv/repos/git-packages/package-cleanup entry="default:other::r-x" state=present
|
|
|
|
- name: Create git-packages/source-cleanup directory
|
|
file: path="/srv/repos/git-packages/source-cleanup" state=directory owner=sourceballs group=git-packages mode=0755
|
|
|
|
- name: Add acl default:junior-packager::rwx to /srv/repos/state
|
|
acl: name=/srv/repos/git-packages/package-cleanup entry="default:group:junior-packager:rwx" state=present
|
|
|
|
- name: Create pkg cache directory
|
|
file: path="{{ git_pkg_cache }}" state=directory owner=git-packages group=junior-packager mode=0775
|
|
|
|
- name: Create state directory
|
|
file: path="{{ git_state_repo }}" state=directory owner=git-packages group=junior-packager mode=0775
|
|
|
|
- name: Create lock directory
|
|
file: path="{{ lock_dir }}" state=directory owner=git-packages group=junior-packager mode=0775
|
|
- name: Add acl default:group:junior-packager:rw- to lock_dir
|
|
acl: name="{{ lock_dir }}" entry="default:group:junior-packager:rw-" state=present
|
|
|
|
- name: Set permissions for state directory
|
|
file: path="{{ git_state_repo }}" state=directory owner=git-packages group=junior-packager mode=0775
|
|
- name: Add acl default:group:junior-packager:rw- to git_state_repo
|
|
acl: name="{{ git_state_repo }}" entry="default:group:junior-packager:rw-" state=present
|
|
|
|
- name: Git init repository # noqa command-instead-of-module
|
|
command: /usr/bin/git init --shared=group "{{ git_state_repo }}"
|
|
args:
|
|
creates: "{{ git_state_repo }}/.git/config"
|
|
|
|
- name: Create git-packages/tmp directory
|
|
file: path="/srv/repos/git-packages/tmp" state=directory owner=git-packages group=junior-packager mode=1775
|
|
- name: Add acl user:sourceballs:rwx to /srv/repos/git-packages/tmp
|
|
acl: name=/srv/repos/git-packages/tmp entry="user:sourceballs:rwx" state=present
|
|
- name: Add acl user:cleanup:rwx to /srv/repos/git-packages/tmp
|
|
acl: name=/srv/repos/git-packages/tmp entry="user:cleanup:rwx" state=present
|
|
|
|
- name: Touch /srv/ftp/lastsync file
|
|
file: path="/srv/ftp/lastsync" state=touch owner=ftp group=ftp mode=0644
|
|
|
|
- name: Touch /srv/ftp/lastupdate file
|
|
file: path="/srv/ftp/lastupdate" state=touch owner=ftp group=ftp mode=0644
|
|
|
|
- name: Add acl group:dev:rw- to /srv/ftp/lastupdate
|
|
acl: name=/srv/ftp/lastupdate entry="group:packager:rw-" state=present
|
|
- name: Add acl group:dev:rw- to /srv/ftp/lastupdate
|
|
acl: name=/srv/ftp/lastupdate entry="group:junior-packager:rw-" state=present
|
|
- name: Add acl group:dev:rw- to /srv/ftp/lastupdate
|
|
acl: name=/srv/ftp/lastupdate entry="group:dev:rw-" state=present
|
|
- name: Add acl group:dev:rw- to /srv/ftp/lastupdate
|
|
acl: name=/srv/ftp/lastupdate entry="group:junior-dev:rw-" state=present
|
|
|
|
- name: Fetch dbscripts PGP key
|
|
command: /usr/bin/gpg --keyserver keys.openpgp.org --auto-key-locate wkd,keyserver --locate-keys {{ item }}
|
|
loop: '{{ dbscripts_pgp_emails }}'
|
|
register: gpg
|
|
changed_when: "gpg.rc == 0"
|
|
|
|
- name: Clone dbscripts git repo
|
|
git: >
|
|
dest=/srv/repos/git-packages/dbscripts
|
|
repo=https://gitlab.archlinux.org/archlinux/dbscripts.git
|
|
version={{ dbscripts_commit }} update={{ dbscripts_update }}
|
|
verify_commit=yes
|
|
|
|
- name: Symlink config file
|
|
file: path=/srv/repos/git-packages/dbscripts/config.local src=config.local.git state=link owner=root group=root mode=0644
|
|
|
|
- name: Symlink /packages to /srv/repos/git-packages/dbscripts
|
|
file: path=/packages src=/srv/repos/git-packages/dbscripts state=link owner=root group=root mode=0755
|
|
|
|
- name: Symlink dbscript binaries to /usr/local/bin
|
|
file: path=/usr/local/bin/{{ item }} src=/packages/{{ item }} state=link owner=root group=root mode=0755
|
|
loop:
|
|
- db-move
|
|
- db-update
|
|
- db-remove
|
|
- db-repo-add
|
|
- db-repo-remove
|
|
- testing2x
|
|
|
|
- name: Make debug packages pool
|
|
file: path=/srv/ftp/pool/packages state=directory owner=root group=junior-packager mode=0775
|
|
|
|
- name: Make debug packages-debug pool
|
|
file: path=/srv/ftp/pool/packages-debug state=directory owner=root group=junior-packager mode=0775
|
|
|
|
- name: Make junior developer root repos
|
|
file: path=/srv/ftp/{{ item }}/os state=directory owner=root group=root mode=0755
|
|
loop: '{{ junior_developer_repos }}'
|
|
|
|
- name: Make junior developer repos
|
|
file: path=/srv/ftp/{{ item }}/os/x86_64 state=directory owner=root group=junior-dev mode=0775
|
|
loop: '{{ junior_developer_repos }}'
|
|
|
|
- name: Make developer root repos
|
|
file: path=/srv/ftp/{{ item }}/os state=directory owner=root group=root mode=0755
|
|
loop: '{{ developer_repos }}'
|
|
|
|
- name: Make developer repos
|
|
file: path=/srv/ftp/{{ item }}/os/x86_64 state=directory owner=root group=dev mode=0775
|
|
loop: '{{ developer_repos }}'
|
|
|
|
- name: Make junior packager root repos
|
|
file: path=/srv/ftp/{{ item }}/os state=directory owner=root group=root mode=0755
|
|
loop: '{{ junior_packager_repos }}'
|
|
|
|
- name: Make junior packager repos
|
|
file: path=/srv/ftp/{{ item }}/os/x86_64 state=directory owner=root group=junior-packager mode=0775
|
|
loop: '{{ junior_packager_repos }}'
|
|
|
|
- name: Make packager root repos
|
|
file: path=/srv/ftp/{{ item }}/os state=directory owner=root group=root mode=0755
|
|
loop: '{{ packager_repos }}'
|
|
|
|
- name: Make packager repos
|
|
file: path=/srv/ftp/{{ item }}/os/x86_64 state=directory owner=root group=packager mode=0775
|
|
loop: '{{ packager_repos }}'
|
|
|
|
- name: Make /srv/ftp/other/packages available
|
|
file: path=/srv/ftp/other/packages state=directory owner=root group=junior-packager mode=0775
|
|
|
|
- name: Create rsyncd-conf-genscripts
|
|
file: path=/etc/rsyncd-conf-genscripts state=directory owner=root group=root mode=0700
|
|
|
|
- name: Install rsync.conf.proto
|
|
template: src=rsyncd.conf.proto.j2 dest=/etc/rsyncd-conf-genscripts/rsyncd.conf.proto owner=root group=root mode=0644
|
|
|
|
- name: Configure gen_rsyncd.conf.pl
|
|
template: src=gen_rsyncd.conf.pl dest=/etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl owner=root group=root mode=0700
|
|
no_log: true
|
|
|
|
- name: Generate mirror config
|
|
command: /etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl
|
|
register: gen_rsyncd
|
|
changed_when: "gen_rsyncd.rc == 0"
|
|
|
|
- name: Install createlinks script
|
|
copy: src=createlinks dest=/usr/local/bin/createlinks owner=root group=root mode=0755
|
|
|
|
- name: Start and enable rsync
|
|
service: name=rsyncd.socket enabled=yes state=started
|
|
|
|
- name: Open firewall holes for rsync
|
|
ansible.posix.firewalld: service=rsyncd permanent=true state=enabled immediate=yes
|
|
when: configure_firewall
|
|
tags:
|
|
- firewall
|
|
|
|
- name: Install systemd timers
|
|
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
|
|
loop:
|
|
- cleanup.timer
|
|
- cleanup.service
|
|
- sourceballs.timer
|
|
- sourceballs.service
|
|
- lastsync.timer
|
|
- lastsync.service
|
|
- gen_rsyncd.timer
|
|
- gen_rsyncd.service
|
|
- createlinks.timer
|
|
- createlinks.service
|
|
|
|
- name: Activate systemd timers
|
|
service: name={{ item }} enabled=yes state=started
|
|
loop:
|
|
- cleanup.timer
|
|
- sourceballs.timer
|
|
- lastsync.timer
|
|
- gen_rsyncd.timer
|
|
- createlinks.timer
|
|
|
|
# Allow different maintainers (unix users) to touch the git state repositories
|
|
# https://git-scm.com/docs/git-config/2.35.2#Documentation/git-config.txt-safedirectory
|
|
- name: Install gitconfig
|
|
copy: src=gitconfig dest=/etc/gitconfig owner=root group=root mode=0644
|