yaml: truthy value should be one of [false, true] (truthy) yaml: wrong indentation: expected 4 but found 2 (indentation) yaml: too few spaces before comment (comments) yaml: missing starting space in comment (comments) yaml: too many blank lines (1 > 0) (empty-lines) yaml: too many spaces after colon (colons) yaml: comment not indented like content (comments-indentation) yaml: no new line character at the end of file (new-line-at-end-of-file) load-failure: Failed to load or parse file parser-error: couldn't resolve module/action 'hosts'. This often indicates a misspelling, missing collection, or incorrect module path.
---
- name: run maintenance mode
  # Only active when the play is run with the "maintenance" variable set;
  # the shared maintenance role takes over the vhost file named below.
  when: maintenance is defined
  include_role:
    name: maintenance
  vars:
    service_name: "security tracker"
    service_domain: "{{ security_tracker_domain }}"
    service_alternate_domains: []
    service_nginx_conf: "{{ security_tracker_nginx_conf }}"
- name: install packages
  # Python runtime dependencies of the tracker, git/make for the clone and
  # setup tasks below, pyalpm/expac/sqlite for the data side and the uWSGI
  # Python plugin that serves the app.
  pacman:
    state: present
    name:
      - git
      - make
      - python
      - python-sqlalchemy
      - python-sqlalchemy-continuum
      - python-flask
      - python-flask-sqlalchemy
      - python-flask-wtf
      - python-flask-login
      - python-flask-talisman
      - python-requests
      - python-flask-migrate
      - python-scrypt
      - python-feedgen
      - python-pytz
      - python-email-validator
      - pyalpm
      - sqlite
      - expac
      - uwsgi-plugin-python
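- name: make security user
  # Unprivileged account that owns the checkout and runs the updater.
  # No login shell; the home directory itself is created and permissioned
  # by the "fix home permissions" task, so the user module must not create it.
  user:
    name: security
    shell: /bin/false
    home: "{{ security_tracker_dir }}"
    create_home: false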
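- name: fix home permissions
  # Owner-writable, group-readable for the web server user (group http)
  # that serves the app, nothing for others. Mode is quoted so the YAML
  # parser does not turn the octal literal into a decimal integer.
  file:
    state: directory
    path: "{{ security_tracker_dir }}"
    owner: security
    group: http
    mode: "0750"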
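- name: copy security-tracker units
  # Install the update timer and its service unit; systemd must re-read
  # unit files before the timer is enabled further down.
  copy:
    src: "{{ item }}"
    dest: "/etc/systemd/system/{{ item }}"
    owner: root
    group: root
    mode: "0644"
  loop:
    - security-tracker-update.timer
    - security-tracker-update.service
  notify:
    - daemon reload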
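- name: disable security-tracker timer
  # Stop the periodic updater while the service is in maintenance mode;
  # the last task of this file re-enables it when maintenance is unset.
  service:
    name: security-tracker-update.timer
    enabled: false
    state: stopped
  when: maintenance is defined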
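- name: receive valid signing keys
  # Populate the security user's own keyring (become_user) with the release
  # signing key that the git clone below checks commits against via
  # verify_commit. The full fingerprint is given so gpg fetches exactly that
  # key, and the keyserver is named with an explicit hkps:// scheme so the
  # key material is retrieved over TLS rather than whatever transport gpg
  # defaults to for a bare hostname.
  become: true
  become_user: security
  command: /usr/bin/gpg --keyserver hkps://keys.openpgp.org --recv "{{ item }}"
  loop:
    - E240B57E2C4630BA768E2F26FC1B547C8D8172C8
  register: gpg
  # gpg gives no stable "nothing changed" signal, so a successful run is
  # always reported as changed.
  changed_when: "gpg.rc == 0"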
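- name: clone security-tracker repo
  # Checkout is done as the security user so that verify_commit checks the
  # pinned commit's signature against the keyring filled by the previous
  # task. force discards any local modifications in the working tree.
  git:
    repo: https://github.com/archlinux/arch-security-tracker.git
    version: "{{ security_tracker_version }}"
    dest: "{{ security_tracker_dir }}"
    force: true
    verify_commit: true
  become: true
  become_user: security
  # "release" is consulted by the "deploy new release" task below.
  register: release
  notify:
    - post security-tracker deploy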
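- name: run initial setup
  # First-time setup in the checkout; skipped once any *.db file exists.
  # The glob must be quoted: an unquoted leading "*" is a YAML alias.
  become: true
  become_user: security
  command: /usr/bin/make
  args:
    chdir: "{{ security_tracker_dir }}"
    creates: "*.db"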
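- name: restrict database permissions
  # The SQLite database is readable only by the security user and group;
  # the web server reaches it through the app, not directly.
  file:
    path: "{{ security_tracker_dir }}/tracker.db"
    owner: security
    group: security
    mode: "0640"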
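- name: set up nginx
  # Skipped in maintenance mode, where the maintenance role receives the
  # same path as service_nginx_conf and manages it instead. Mode is written
  # as "0644" to match the other unit/config tasks in this file.
  template:
    src: nginx.d.conf.j2
    dest: "{{ security_tracker_nginx_conf }}"
    owner: root
    group: root
    mode: "0644"
  notify:
    - reload nginx
  when: maintenance is not defined
  tags:
    - nginx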
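- name: make nginx log dir
  # Per-vhost log directory; nginx writes into it as root-owned files.
  file:
    path: "/var/log/nginx/{{ security_tracker_domain }}"
    state: directory
    owner: root
    group: root
    mode: "0755"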
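- name: configure security-tracker
  # Site-local config override; owned by the app user and not world-readable
  # since it is rendered from a template that may carry credentials.
  template:
    src: 20-user.local.conf.j2
    dest: "{{ security_tracker_dir }}/config/20-user.local.conf"
    owner: security
    group: security
    mode: "0640"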
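- name: deploy security-tracker
  # uWSGI vassal definition; owned by the app user with group http so the
  # "deploy new release" task can touch it without escalating.
  template:
    src: security-tracker.ini.j2
    dest: /etc/uwsgi/vassals/security-tracker.ini
    owner: security
    group: http
    mode: "0644"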
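- name: deploy new release
  # Touch the vassal file whenever the clone task pulled a new commit.
  # NOTE(review): presumably this makes the uWSGI emperor reload the app;
  # confirm against the uWSGI configuration. This runs as the security user,
  # so owner/group must stay security:http as set by "deploy security-tracker"
  # above - an unprivileged chown to root:root would fail.
  become: true
  become_user: security
  file:
    path: /etc/uwsgi/vassals/security-tracker.ini
    state: touch
    owner: security
    group: http
    mode: "0644"
  when: release.changed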
- name: start and enable security-tracker timer
  # Counterpart of "disable security-tracker timer": once maintenance mode
  # is off, reload unit files and bring the periodic updater back up.
  when: maintenance is not defined
  systemd:
    daemon_reload: true
    name: security-tracker-update.timer
    state: started
    enabled: true