mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2024-05-30 05:46:03 +02:00
f28d3ba595
Liberally add "noqa no-changed-when" tags to the problematic tasks, except for two "systemd-tmpfiles --create" calls. For these we can simply include the creates= parameter in the command module's call.
346 lines
14 KiB
YAML
346 lines
14 KiB
YAML
- name: Install svn, git, rsync and some perl stuff
|
|
pacman: name=git,subversion,rsync,perl-dbd-pg,perl-timedate,diffstat state=present
|
|
|
|
- name: Install sourceballs requirements (makepkg download dependencies)
|
|
pacman: name=git,subversion,mercurial,breezy state=present
|
|
|
|
- name: Install binutils for createlinks script
|
|
pacman: name=binutils state=present
|
|
|
|
- name: Create dbscripts users
|
|
user: name="{{ item }}" shell=/bin/bash
|
|
with_items:
|
|
- svn-packages
|
|
- svn-community
|
|
|
|
- name: Add cleanup user
|
|
user: name=cleanup groups=tu,dev,multilib shell=/sbin/nologin
|
|
|
|
- name: Add sourceballs user
|
|
user: name=sourceballs shell=/sbin/nologin
|
|
|
|
- name: Set up sudoers.d for special users
|
|
copy: src=sudoers.d dest=/etc/sudoers.d/dbscripts owner=root group=root mode=0600
|
|
|
|
- name: Create ssl cert
|
|
include_role:
|
|
name: certificate
|
|
vars:
|
|
domains: ["{{ repos_domain }}", "{{ repos_rsync_domain }}"]
|
|
|
|
- name: Make nginx log dir
|
|
file: path=/var/log/nginx/{{ repos_domain }} state=directory owner=root group=root mode=0755
|
|
|
|
- name: Set up nginx
|
|
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/dbscripts.conf owner=root group=root mode=0644
|
|
notify:
|
|
- Reload nginx
|
|
tags:
|
|
- nginx
|
|
|
|
- name: Create Arch Linux-specific users
|
|
ansible.builtin.user:
|
|
name: "{{ item.key }}"
|
|
group: users
|
|
groups: "{{ item.value.groups | join(',') }}"
|
|
comment: "{{ item.value.name }}"
|
|
state: present
|
|
with_dict: "{{ arch_users }}"
|
|
|
|
- name: Create .ssh directory
|
|
file: path=/home/svn-packages/.ssh state=directory owner=svn-packages group=svn-packages mode=0700
|
|
|
|
- name: Configure ssh keys for devs
|
|
template: src=authorized_keys-group.j2 dest=/home/svn-packages/.ssh/authorized_keys owner=svn-packages group=svn-packages mode=600
|
|
vars:
|
|
pubkey_groups: ['dev']
|
|
tags: ['archusers']
|
|
|
|
- name: Create .ssh directory
|
|
file: path=/home/svn-community/.ssh state=directory owner=svn-community group=svn-community mode=0700
|
|
|
|
- name: Configure ssh keys for TUs
|
|
template: src=authorized_keys-group.j2 dest=/home/svn-community/.ssh/authorized_keys owner=svn-community group=svn-community mode=600
|
|
vars:
|
|
pubkey_groups: ['tu']
|
|
tags: ['archusers']
|
|
|
|
- name: Create staging directories in user homes
|
|
dbscripts_mkdirs:
|
|
pathtmpl: '/home/{user}/staging/{dirname}'
|
|
permissions: '755'
|
|
directories: ['', 'core', 'extra', 'testing', 'staging', 'community', 'community-staging', 'community-testing', 'multilib', 'multilib-staging', 'multilib-testing']
|
|
users: "{{ arch_users.keys() | list }}"
|
|
group: users
|
|
tags: ["archusers"]
|
|
|
|
- name: Create dbscripts paths
|
|
file: path="{{ item }}" state=directory owner=root group=root mode=0755
|
|
with_items:
|
|
- /srv/repos/svn-community
|
|
- /srv/repos/svn-packages
|
|
|
|
- name: Create svn-community/package-cleanup directory
|
|
file: path="/srv/repos/svn-community/package-cleanup" state=directory owner=svn-community group=tu mode=0775
|
|
- name: Add acl user:cleanup:rwx to /srv/repos/svn-community/package-cleanup
|
|
acl: name=/srv/repos/svn-community/package-cleanup entry="user:cleanup:rwx" state=present
|
|
- name: Add acl default:user::rwx to /srv/repos/svn-community/package-cleanup
|
|
acl: name=/srv/repos/svn-community/package-cleanup entry="default:user::rwx" state=present
|
|
- name: Add acl default:user:cleanup:rwx to /srv/repos/svn-community/package-cleanup
|
|
acl: name=/srv/repos/svn-community/package-cleanup entry="default:user:cleanup:rwx" state=present
|
|
- name: Add acl default:group::rwx to /srv/repos/svn-community/package-cleanup
|
|
acl: name=/srv/repos/svn-community/package-cleanup entry="default:group::rwx" state=present
|
|
- name: Add acl default:other::r-x to /srv/repos/svn-community/package-cleanup
|
|
acl: name=/srv/repos/svn-community/package-cleanup entry="default:other::r-x" state=present
|
|
|
|
- name: Create svn-packages/package-cleanup directory
|
|
file: path="/srv/repos/svn-packages/package-cleanup" state=directory owner=svn-packages group=dev mode=0775
|
|
- name: Add acl user:cleanup:rwx to /srv/repos/svn-packages/package-cleanup
|
|
acl: name=/srv/repos/svn-packages/package-cleanup entry="user:cleanup:rwx" state=present
|
|
- name: Add acl default:user::rwx to /srv/repos/svn-packages/package-cleanup
|
|
acl: name=/srv/repos/svn-packages/package-cleanup entry="default:user::rwx" state=present
|
|
- name: Add acl default:user:cleanup:rwx to /srv/repos/svn-packages/package-cleanup
|
|
acl: name=/srv/repos/svn-packages/package-cleanup entry="default:user:cleanup:rwx" state=present
|
|
- name: Add acl default:group::rwx to /srv/repos/svn-packages/package-cleanup
|
|
acl: name=/srv/repos/svn-packages/package-cleanup entry="default:group::rwx" state=present
|
|
- name: Add acl default:other::r-x to /srv/repos/svn-packages/package-cleanup
|
|
acl: name=/srv/repos/svn-packages/package-cleanup entry="default:other::r-x" state=present
|
|
|
|
- name: Create svn-community/source-cleanup directory
|
|
file: path="/srv/repos/svn-community/source-cleanup" state=directory owner=sourceballs group=svn-community mode=0755
|
|
- name: Create svn-packages/source-cleanup directory
|
|
file: path="/srv/repos/svn-packages/source-cleanup" state=directory owner=sourceballs group=svn-packages mode=0755
|
|
|
|
- name: Create svn-community/svn directory
|
|
file: path="/srv/repos/svn-community/svn" state=directory owner=svn-community group=svn-community mode=0755
|
|
- name: Add acl default:user::rwx to /srv/repos/svn-community/svn
|
|
acl: name=/srv/repos/svn-community/svn entry="default:user::rwx" state=present
|
|
- name: Add acl default:group::r-x to /srv/repos/svn-community/svn
|
|
acl: name=/srv/repos/svn-community/svn entry="default:group::r-x" state=present
|
|
- name: Add acl default:other::r-x to /srv/repos/svn-community/svn
|
|
acl: name=/srv/repos/svn-community/svn entry="default:other::r-x" state=present
|
|
|
|
- name: Create svn-packages/svn directory
|
|
file: path="/srv/repos/svn-packages/svn" state=directory owner=svn-packages group=svn-packages mode=0755
|
|
- name: Add acl default:user::rwx to /srv/repos/svn-packages/svn
|
|
acl: name=/srv/repos/svn-packages/svn entry="default:user::rwx" state=present
|
|
- name: Add acl default:group::r-x to /srv/repos/svn-packages/svn
|
|
acl: name=/srv/repos/svn-packages/svn entry="default:group::r-x" state=present
|
|
- name: Add acl default:other::r-x to /srv/repos/svn-packages/svn
|
|
acl: name=/srv/repos/svn-packages/svn entry="default:other::r-x" state=present
|
|
|
|
- name: Create svn-community/tmp directory
|
|
file: path="/srv/repos/svn-community/tmp" state=directory owner=svn-community group=tu mode=1775
|
|
- name: Add acl user:sourceballs:rwx to /srv/repos/svn-community/tmp
|
|
acl: name=/srv/repos/svn-community/tmp entry="user:sourceballs:rwx" state=present
|
|
|
|
- name: Create svn-packages/tmp directory
|
|
file: path="/srv/repos/svn-packages/tmp" state=directory owner=svn-packages group=dev mode=1775
|
|
- name: Add acl user:sourceballs:rwx to /srv/repos/svn-packages/tmp
|
|
acl: name=/srv/repos/svn-packages/tmp entry="user:sourceballs:rwx" state=present
|
|
|
|
- name: Touch /srv/ftp/lastsync file
|
|
file: path="/srv/ftp/lastsync" state=touch owner=ftp group=ftp mode=0644
|
|
|
|
- name: Touch /srv/ftp/lastupdate file
|
|
file: path="/srv/ftp/lastupdate" state=touch owner=ftp group=ftp mode=0644
|
|
- name: Add acl group:tu:rw- to /srv/ftp/lastupdate
|
|
acl: name=/srv/ftp/lastupdate entry="group:tu:rw-" state=present
|
|
- name: Add acl group:dev:rw- to /srv/ftp/lastupdate
|
|
acl: name=/srv/ftp/lastupdate entry="group:dev:rw-" state=present
|
|
|
|
- name: Fetch dbscripts PGP key
|
|
command: /usr/bin/gpg --keyserver keys.openpgp.org --auto-key-locate wkd,keyserver --locate-keys {{ item }}
|
|
with_items: '{{ dbscripts_pgp_emails }}'
|
|
register: gpg
|
|
changed_when: "gpg.rc == 0"
|
|
|
|
- name: Clone dbscripts git repo
|
|
git: >
|
|
dest=/srv/repos/{{ item }}/dbscripts
|
|
repo=https://gitlab.archlinux.org/archlinux/dbscripts.git
|
|
version={{ dbscripts_commit }} update={{ dbscripts_update }}
|
|
verify_commit=yes
|
|
with_items:
|
|
- svn-community
|
|
- svn-packages
|
|
|
|
- name: Make /srv/svn
|
|
file: path=/srv/svn state=directory owner=root group=root mode=0755
|
|
|
|
- name: Symlink /srv/svn/community to /srv/repos/svn-community/svn
|
|
file: path=/srv/svn/community src=/srv/repos/svn-community/svn state=link owner=root group=root mode=0755
|
|
|
|
- name: Symlink /srv/svn/packages to /srv/repos/svn-packages/svn
|
|
file: path=/srv/svn/packages src=/srv/repos/svn-packages/svn state=link owner=root group=root mode=0755
|
|
|
|
- name: Symlink /community to /srv/repos/svn-community/dbscripts
|
|
file: path=/community src=/srv/repos/svn-community/dbscripts state=link owner=root group=root mode=0755
|
|
|
|
- name: Symlink /packages to /srv/repos/svn-packages/dbscripts
|
|
file: path=/packages src=/srv/repos/svn-packages/dbscripts state=link owner=root group=root mode=0755
|
|
|
|
- name: Make debug packages-debug pool
|
|
file: path=/srv/ftp/pool/packages-debug state=directory owner=root group=dev mode=0775
|
|
|
|
- name: Make debug community-debug pool
|
|
file: path=/srv/ftp/pool/community-debug state=directory owner=root group=tu mode=2775
|
|
|
|
- name: Make package root debug repos
|
|
file: path=/srv/ftp/{{ item }}/os state=directory owner=root group=root mode=0755
|
|
with_items: '{{ package_repos }}'
|
|
|
|
- name: Make community root debug repos
|
|
file: path=/srv/ftp/{{ item }}/os state=directory owner=root group=root mode=00755
|
|
with_items: '{{ community_repos }}'
|
|
|
|
- name: Make package debug repos
|
|
file: path=/srv/ftp/{{ item }}/os/x86_64 state=directory owner=root group=dev mode=0775
|
|
with_items: '{{ package_repos }}'
|
|
|
|
- name: Make community debug repos
|
|
file: path=/srv/ftp/{{ item }}/os/x86_64 state=directory owner=root group=tu mode=0775
|
|
with_items: '{{ community_repos }}'
|
|
|
|
- name: Put rsyncd.conf into tmpfiles
|
|
copy: src=rsyncd-tmpfiles.d dest=/etc/tmpfiles.d/rsyncd.conf owner=root group=root mode=0644
|
|
register: rsyncdtmpfiles
|
|
|
|
- name: Use tmpfiles.d/rsyncd.conf
|
|
command: systemd-tmpfiles --create creates=/run/rsyncd
|
|
when: rsyncdtmpfiles.changed
|
|
|
|
- name: Create rsyncd-conf-genscripts
|
|
file: path=/etc/rsyncd-conf-genscripts state=directory owner=root group=root mode=0700
|
|
|
|
- name: Install rsync.conf.proto
|
|
template: src=rsyncd.conf.proto.j2 dest=/etc/rsyncd-conf-genscripts/rsyncd.conf.proto owner=root group=root mode=0644
|
|
|
|
- name: Configure gen_rsyncd.conf.pl
|
|
template: src=gen_rsyncd.conf.pl dest=/etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl owner=root group=root mode=0700
|
|
no_log: true
|
|
|
|
- name: Generate mirror config
|
|
command: /etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl
|
|
register: gen_rsyncd
|
|
changed_when: "gen_rsyncd.rc == 0"
|
|
|
|
- name: Install svnlog
|
|
copy: src=svnlog dest=/usr/local/bin/svnlog owner=root group=root mode=0755
|
|
|
|
- name: Add arch-svntogit user
|
|
user: name=svntogit shell=/sbin/nologin home=/srv/svntogit generate_ssh_key=yes ssh_key_bits=4096
|
|
|
|
- name: Configure svntogit git user name # noqa command-instead-of-module
|
|
command: git config --global user.name svntogit
|
|
become: true
|
|
become_user: svntogit
|
|
register: git_config_username
|
|
changed_when: "git_config_username.rc == 0"
|
|
|
|
- name: Configure svntogit git user email # noqa command-instead-of-module
|
|
command: git config --global user.email svntogit@repos.archlinux.org
|
|
become: true
|
|
become_user: svntogit
|
|
register: git_config_email
|
|
changed_when: "git_config_email.rc == 0"
|
|
|
|
- name: Template arch-svntogit
|
|
copy: src=update-repos.sh dest=/srv/svntogit/update-repos.sh owner=root group=root mode=0755
|
|
|
|
- name: Create svntogit repos subdir
|
|
file: path="/srv/svntogit/repos" state=directory owner=svntogit group=svntogit mode=0775
|
|
|
|
- name: Clone git-svn repos # noqa command-instead-of-module
|
|
command: git svn clone file:///srv/repos/svn-{{ item }}/svn /srv/svntogit/repos/{{ item }} creates=/srv/svntogit/repos/{{ item }}
|
|
with_items:
|
|
- community
|
|
- packages
|
|
become: true
|
|
become_user: svntogit
|
|
|
|
- name: Add svntogit public remotes # noqa command-instead-of-module
|
|
command: git remote add public git@github.com:archlinux/svntogit-{{ item }}.git chdir=/srv/svntogit/repos/{{ item }}
|
|
with_items:
|
|
- community
|
|
- packages
|
|
become: true
|
|
become_user: svntogit
|
|
ignore_errors: true
|
|
register: git_public_remote
|
|
changed_when: "git_public_remote.rc == 0"
|
|
|
|
# The following command also serves as a way to get the data the first time the repo is set up
|
|
- name: Configure svntogit pull upstream branch # noqa command-instead-of-module
|
|
command: git pull --set-upstream public master chdir=/srv/svntogit/repos/{{ item }}
|
|
environment:
|
|
SHELL: /bin/bash
|
|
with_items:
|
|
- community
|
|
- packages
|
|
become: true
|
|
become_user: svntogit
|
|
register: git_pull_upstream
|
|
changed_when: "git_pull_upstream.rc == 0"
|
|
|
|
- name: Fix svntogit home permissions
|
|
file: path="/srv/svntogit" state=directory owner=svntogit group=svntogit mode=0775
|
|
|
|
- name: Install repo helpers
|
|
copy: src={{ item }} dest=/usr/local/bin/{{ item }} owner=root group=root mode=0755
|
|
with_items:
|
|
- lsrepo
|
|
- checklib32
|
|
|
|
- name: Install createlinks script
|
|
copy: src=createlinks dest=/usr/local/bin/createlinks owner=root group=root mode=0755
|
|
|
|
- name: Start and enable rsync
|
|
service: name=rsyncd.socket enabled=yes state=started
|
|
|
|
- name: Open firewall holes for rsync
|
|
ansible.posix.firewalld: service=rsyncd permanent=true state=enabled immediate=yes
|
|
when: configure_firewall
|
|
tags:
|
|
- firewall
|
|
|
|
- name: Configure svnserve
|
|
copy: dest=/etc/conf.d/svnserve owner=root group=root mode=0644 content="SVNSERVE_ARGS=-R -r /srv/svn\n"
|
|
|
|
- name: Start and enable svnserve
|
|
service: name=svnserve enabled=yes state=started
|
|
|
|
- name: Open firewall hole for svnserve
|
|
ansible.posix.firewalld: service=svn permanent=true state=enabled immediate=yes
|
|
when: configure_firewall
|
|
tags:
|
|
- firewall
|
|
|
|
- name: Install systemd timers
|
|
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
|
|
with_items:
|
|
- cleanup.timer
|
|
- cleanup.service
|
|
- sourceballs.timer
|
|
- sourceballs.service
|
|
- lastsync.timer
|
|
- lastsync.service
|
|
- gen_rsyncd.timer
|
|
- gen_rsyncd.service
|
|
- arch-svntogit.timer
|
|
- arch-svntogit.service
|
|
- createlinks.timer
|
|
- createlinks.service
|
|
notify:
|
|
- Daemon reload
|
|
|
|
- name: Activate systemd timers
|
|
service: name={{ item }} enabled=yes state=started
|
|
with_items:
|
|
- cleanup.timer
|
|
- sourceballs.timer
|
|
- lastsync.timer
|
|
- gen_rsyncd.timer
|
|
- arch-svntogit.timer
|
|
- createlinks.timer
|