mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2024-06-02 16:36:03 +02:00
5effc3f0aa
Use variables to define our systemd unit files. Signed-off-by: moson <moson@archlinux.org>
294 lines
9.4 KiB
YAML
294 lines
9.4 KiB
YAML
- name: Install required packages
|
|
pacman:
|
|
state: present
|
|
name:
|
|
- asciidoc
|
|
- highlight
|
|
- make
|
|
- sudo
|
|
- uwsgi-plugin-cgi
|
|
- python-poetry
|
|
- gcc
|
|
- pkg-config
|
|
- goaurrpc
|
|
|
|
- name: Install the cgit package
|
|
pacman:
|
|
state: present
|
|
name:
|
|
- cgit-aurweb
|
|
register: cgit
|
|
|
|
- name: Install the git package
|
|
pacman:
|
|
state: present
|
|
name:
|
|
- git
|
|
register: git
|
|
|
|
- name: Make aur user
|
|
user: name="{{ aurweb_user }}" shell=/bin/bash createhome=yes
|
|
register: aur_user
|
|
|
|
- name: Create .ssh for the aur user
|
|
file: path={{ aur_user.home }}/.ssh state=directory owner={{ aur_user.name }} group={{ aur_user.name }} mode=0700
|
|
|
|
- name: Install SSH key for mirroring to GitHub
|
|
copy: src=id_ed25519.vault dest={{ aur_user.home }}/.ssh/id_ed25519 owner={{ aur_user.name }} group={{ aur_user.name }} mode=0600
|
|
|
|
- name: Fetch host keys for github.com
|
|
command: ssh-keyscan github.com
|
|
args:
|
|
creates: "{{ aur_user.home }}/.ssh/known_hosts"
|
|
register: github_host_keys
|
|
|
|
- name: Write github.com host keys to the aur user's known_hosts
|
|
lineinfile: name={{ aur_user.home }}/.ssh/known_hosts create=yes line={{ item }} owner={{ aur_user.name }} group={{ aur_user.name }} mode=0644
|
|
loop: "{{ github_host_keys.stdout_lines }}"
|
|
when: github_host_keys.changed
|
|
|
|
- name: Create directory
|
|
file: path={{ aurweb_dir }} state=directory owner={{ aurweb_user }} group=http mode=0775
|
|
|
|
- name: Receive valid signing keys
|
|
command: /usr/bin/gpg --keyserver keys.openpgp.org --recv {{ item }}
|
|
loop: '{{ aurweb_pgp_keys }}'
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
register: gpg
|
|
changed_when: "gpg.rc == 0"
|
|
|
|
- name: Aurweb git repo check
|
|
git: >
|
|
repo={{ aurweb_repository }}
|
|
dest="{{ aurweb_dir }}"
|
|
version={{ aurweb_version }}
|
|
verify_commit=true
|
|
gpg_whitelist='{{ aurweb_pgp_keys }}'
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
register: release
|
|
check_mode: true
|
|
|
|
- name: Install AUR systemd service and timers
|
|
template: src={{ item.name }}.j2 dest=/etc/systemd/system/{{ item.name }} owner=root group=root mode=0644
|
|
with_items:
|
|
- "{{ aurweb_services }}"
|
|
- "{{ aurweb_timers }}"
|
|
when: release.changed and (item.install is not defined or item.install)
|
|
|
|
- name: Stop AUR systemd services and timers
|
|
service: name={{ item.name }} enabled=yes state=stopped
|
|
with_items:
|
|
- "{{ aurweb_services }}"
|
|
- "{{ aurweb_timers }}"
|
|
when: release.changed and (item.restart is not defined or item.restart)
|
|
|
|
- name: Clone aurweb repo
|
|
git: >
|
|
repo={{ aurweb_repository }}
|
|
dest="{{ aurweb_dir }}"
|
|
version={{ aurweb_version }}
|
|
verify_commit=true
|
|
gpg_whitelist='{{ aurweb_pgp_keys }}'
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
when: release.changed
|
|
|
|
- name: Create necessary directories
|
|
file: path={{ aurweb_dir }}/{{ item }} state=directory owner={{ aurweb_user }} group={{ aurweb_user }} mode=0755
|
|
with_items:
|
|
- 'aurblup'
|
|
- 'sessions'
|
|
- 'uploads'
|
|
- 'archives'
|
|
|
|
- name: Create aurweb conf dir
|
|
file: path={{ aurweb_conf_dir }} state=directory owner=root group=root mode=0755
|
|
|
|
- name: Copy aurweb configuration file
|
|
copy: src={{ aurweb_dir }}/conf/config.defaults dest={{ aurweb_conf_dir }}/config.defaults remote_src=yes owner=root group=root mode=0644
|
|
|
|
- name: Install goaurrpc configuration
|
|
template: src=goaurrpc.conf.j2 dest=/etc/goaurrpc.conf owner=root group=root mode=0644
|
|
|
|
# Note: initdb needs the config
|
|
- name: Install custom aurweb configuration
|
|
template: src=config.j2 dest={{ aurweb_conf_dir }}/config owner=root group=root mode=0644
|
|
|
|
- name: Create aur db
|
|
mysql_db: name="{{ aurweb_db }}" login_host="{{ aurweb_db_host }}" login_password="{{ vault_mariadb_users.root }}" encoding=utf8
|
|
register: db_created
|
|
no_log: true
|
|
|
|
- name: Create aur db user
|
|
mysql_user: name={{ aurweb_db_user }} password={{ vault_aurweb_db_password }}
|
|
login_host="{{ aurweb_db_host }}" login_password="{{ vault_mariadb_users.root }}"
|
|
priv="{{ aurweb_db }}.*:ALL"
|
|
no_log: true
|
|
|
|
- name: Install python modules # noqa no-changed-when
|
|
command: poetry install
|
|
args:
|
|
chdir: "{{ aurweb_dir }}"
|
|
environment:
|
|
POETRY_VIRTUALENVS_IN_PROJECT: "true"
|
|
# https://github.com/python-poetry/poetry/issues/1917
|
|
PYTHON_KEYRING_BACKEND: "keyring.backends.null.Keyring"
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
|
|
- name: Initialize the database # noqa no-changed-when
|
|
command: poetry run python -m aurweb.initdb
|
|
args:
|
|
chdir: "{{ aurweb_dir }}"
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
when: db_created.changed
|
|
|
|
- name: Run migrations # noqa no-changed-when
|
|
command: poetry run alembic upgrade head
|
|
args:
|
|
chdir: "{{ aurweb_dir }}"
|
|
environment:
|
|
PYTHONPATH: .
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
when: release.changed or db_created.changed
|
|
|
|
- name: Install custom aurweb-git-auth wrapper script
|
|
template: src=aurweb-git-auth.sh.j2 dest=/usr/local/bin/aurweb-git-auth.sh owner=root group=root mode=0755
|
|
when: release.changed
|
|
|
|
- name: Install custom aurweb-git-serve wrapper script
|
|
template: src=aurweb-git-serve.sh.j2 dest=/usr/local/bin/aurweb-git-serve.sh owner=root group=root mode=0755
|
|
when: release.changed
|
|
|
|
- name: Install custom aurweb-git-update wrapper script
|
|
template: src=aurweb-git-update.sh.j2 dest=/usr/local/bin/aurweb-git-update.sh owner=root group=root mode=0755
|
|
when: release.changed
|
|
|
|
- name: Install aurweb-git-gc script
|
|
template: src=aurweb-git-gc.sh.j2 dest=/usr/local/bin/aurweb-git-gc.sh owner=root group=root mode=0755
|
|
when: release.changed
|
|
|
|
- name: Generate HTML documentation
|
|
make:
|
|
chdir: "{{ aurweb_dir }}/doc"
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
|
|
- name: Generate Translations
|
|
make:
|
|
chdir: "{{ aurweb_dir }}/po"
|
|
target: "install"
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
|
|
- name: Create ssl cert
|
|
include_role:
|
|
name: certificate
|
|
vars:
|
|
domains: ["{{ aurweb_domain }}"]
|
|
|
|
- name: Set up nginx
|
|
template: src=nginx.d.conf.j2 dest={{ aurweb_nginx_conf }} owner=root group=http mode=640
|
|
notify: Reload nginx
|
|
tags: ['nginx']
|
|
|
|
- name: Make nginx log dir
|
|
file: path=/var/log/nginx/{{ aurweb_domain }} state=directory owner=root group=root mode=0755
|
|
|
|
- name: Install cgit configuration
|
|
template: src=cgitrc.j2 dest="{{ aurweb_conf_dir }}/cgitrc" owner=root group=root mode=0644
|
|
|
|
- name: Configure cgit uwsgi service
|
|
template: src=cgit.ini.j2 dest=/etc/uwsgi/vassals/cgit.ini owner={{ aurweb_user }} group=http mode=0644
|
|
|
|
- name: Deploy new cgit release
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
file: path=/etc/uwsgi/vassals/cgit.ini state=touch owner={{ aurweb_user }} group=http mode=0644
|
|
when: cgit.changed
|
|
|
|
- name: Configure smartgit uwsgi service
|
|
template: src=smartgit.ini.j2 dest=/etc/uwsgi/vassals/smartgit.ini owner={{ aurweb_user }} group=http mode=0644
|
|
|
|
- name: Deploy new smartgit release
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
file:
|
|
path: /etc/uwsgi/vassals/smartgit.ini
|
|
state: touch
|
|
owner: "{{ aurweb_user }}"
|
|
group: http
|
|
mode: '0644'
|
|
when: git.changed
|
|
|
|
- name: Create git repo dir
|
|
file: path={{ aurweb_git_dir }} state=directory owner={{ aurweb_user }} group=http mode=0775
|
|
|
|
- name: Init git directory # noqa command-instead-of-module
|
|
command: git init --bare {{ aurweb_git_dir }}
|
|
args:
|
|
creates: "{{ aurweb_git_dir }}/HEAD"
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
|
|
- name: Save hideRefs setting on var # noqa command-instead-of-module no-changed-when
|
|
command: git config --file config --get-all transfer.hideRefs
|
|
register: git_config
|
|
args:
|
|
chdir: "{{ aurweb_git_dir }}"
|
|
failed_when: git_config.rc == 2 # FIXME: does not work.
|
|
|
|
- name: Configure git tranfser.hideRefs # noqa command-instead-of-module no-changed-when
|
|
command: git config --local transfer.hideRefs '^refs/'
|
|
args:
|
|
chdir: "{{ aurweb_git_dir }}"
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
when: git_config.stdout.find('^refs/') == -1
|
|
|
|
- name: Configure git transfer.hideRefs second # noqa command-instead-of-module no-changed-when
|
|
command: git config --local --add transfer.hideRefs '!refs/'
|
|
args:
|
|
chdir: "{{ aurweb_git_dir }}"
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
when: git_config.stdout.find('!refs/') == -1
|
|
|
|
- name: Configure git transfer.hideRefs third # noqa command-instead-of-module no-changed-when
|
|
command: git config --local --add transfer.hideRefs '!HEAD'
|
|
args:
|
|
chdir: "{{ aurweb_git_dir }}"
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
when: git_config.stdout.find('!HEAD') == -1
|
|
|
|
- name: Set git-receive-pack to explicitly check all received objects # noqa command-instead-of-module no-changed-when
|
|
command: git config --local receive.fsckobjects true
|
|
args:
|
|
chdir: "{{ aurweb_git_dir }}"
|
|
become: true
|
|
become_user: "{{ aurweb_user }}"
|
|
|
|
- name: Link custom aurweb-git-update wrapper to hooks/update
|
|
file:
|
|
src: /usr/local/bin/aurweb-git-update.sh
|
|
dest: "{{ aurweb_dir }}/aur.git/hooks/update"
|
|
state: link
|
|
when: release.changed
|
|
|
|
- name: Configure sshd
|
|
template: src=aurweb_config.j2 dest=/etc/ssh/sshd_config.d/aurweb.conf owner=root group=root mode=0600 validate='/usr/sbin/sshd -t -f %s'
|
|
notify:
|
|
- Restart sshd
|
|
|
|
- name: Start and enable AUR systemd services and timers
|
|
systemd: name={{ item.name }} enabled=yes state=started daemon_reload=yes
|
|
with_items:
|
|
- "{{ aurweb_services }}"
|
|
- "{{ aurweb_timers }}"
|
|
when: release.changed and (item.restart is not defined or item.restart)
|