mirror/infrastructure
1
1
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/infrastructure.git synced 2025-01-18 08:06:16 +01:00
Code Issues
master
infrastructure/roles/security_tracker/tasks/main.yml
Robin Candau 701c1d01ef Migrate 'with_X' to 'loop'
2024-12-23 17:43:01 +00:00

117 lines
3.5 KiB
YAML
Raw Permalink Blame History

- name: Run maintenance mode
include_role:
name: maintenance
vars:
service_name: "security tracker"
service_domain: "{{ security_tracker_domain }}"
service_nginx_conf: "{{ security_tracker_nginx_conf }}"
when: maintenance is defined
- name: Install packages
pacman:
state: present
name:
- git
- make
- python
- python-authlib
- python-sqlalchemy
- python-sqlalchemy-continuum
- python-flask
- python-flask-sqlalchemy
- python-flask-wtf
- python-flask-login
- python-flask-talisman
- python-requests
- python-flask-migrate
- python-scrypt
- python-feedgen
- python-pytz
- python-email-validator
- python-markupsafe
- pyalpm
- sqlite
- expac
- uwsgi-plugin-python
- name: Make security user
user: name=security shell=/bin/false home="{{ security_tracker_dir }}" createhome=no
- name: Fix home permissions
file: state=directory mode=0750 owner=security group=http path="{{ security_tracker_dir }}"
- name: Copy security-tracker units
copy: src="{{ item }}" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
loop:
- security-tracker-update.timer
- security-tracker-update.service
notify:
- Daemon reload
- name: Disable security-tracker timer
service: name="security-tracker-update.timer" enabled=no state=stopped
when: maintenance is defined
- name: Receive valid signing keys
become: true
become_user: security
command: /usr/bin/gpg --keyserver keys.openpgp.org --auto-key-locate wkd,keyserver --locate-keys {{ item }}
loop:
- anthraxx@archlinux.org
- jelle@archlinux.org
- foutrelis@archlinux.org
register: gpg
changed_when: "gpg.rc == 0"
- name: Clone security-tracker repo
git: repo=https://github.com/archlinux/arch-security-tracker.git version="{{ security_tracker_version }}" dest="{{ security_tracker_dir }}" force=true verify_commit=true
become: true
become_user: security
register: release
notify:
- Post security-tracker deploy
- name: Run initial setup
become: true
become_user: security
command: /usr/bin/make chdir="{{ security_tracker_dir }}" creates=*.db
- name: Restrict database permissions
file: mode=0640 owner=security group=security path="{{ security_tracker_dir }}/tracker.db"
- name: Create ssl cert
include_role:
name: certificate
vars:
domains: ["{{ security_tracker_domain }}"]
- name: Set up nginx
template: src=nginx.d.conf.j2 dest="{{ security_tracker_nginx_conf }}" owner=root group=root mode=644
notify:
- Reload nginx
when: maintenance is not defined
tags: ['nginx']
- name: Make nginx log dir
file: path=/var/log/nginx/{{ security_tracker_domain }} state=directory owner=root group=root mode=0755
- name: Configure security-tracker
template: src=20-user.local.conf.j2 dest={{ security_tracker_dir }}/config/20-user.local.conf owner=security group=security mode=0640
- name: Deploy security-tracker
template: src=security-tracker.ini.j2 dest=/etc/uwsgi/vassals/security-tracker.ini owner=security group=http mode=0644
- name: Deploy new release
become: true
become_user: security
file: path=/etc/uwsgi/vassals/security-tracker.ini state=touch owner=security group=http mode=0644
when: release.changed
- name: Start and enable security-tracker timer
systemd_service:
name: security-tracker-update.timer
enabled: true
state: started
daemon_reload: true
when: maintenance is not defined
View Git Blame Copy Permalink