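---

# Packages needed by dbscripts: svn/git/rsync for the repos, the perl modules
# for the helper scripts, diffstat for svnlog.
- name: install svn, git, rsync and some perl stuff
  pacman:
    name:
      - git
      - subversion
      - rsync
      - perl-dbd-pg
      - perl-timedate
      - diffstat
    state: present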

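# The two repository owner accounts; their authorized_keys are rebuilt further
# down from the developer / TU public keys with forced svnserve commands.
- name: create dbscripts users
  user:
    name: "{{ item }}"
    shell: /bin/bash
  with_items:
    - svn-packages
    - svn-community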

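# Service account for the cleanup timer; no interactive login, but member of
# the packager groups so it can touch their package-cleanup directories.
# Secondary groups are replaced, not appended (user module default).
- name: add cleanup user
  user:
    name: cleanup
    groups:
      - tu
      - dev
      - multilib
    shell: /sbin/nologin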

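# Service account for the sourceballs timer; no interactive login.
- name: add sourceballs user
  user:
    name: sourceballs
    shell: /sbin/nologin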

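# Sudo rules for the service accounts above. `validate` runs visudo on the
# staged copy so a syntax error never lands in /etc/sudoers.d and locks sudo up.
# NOTE(review): sudo normally expects sudoers.d entries at 0440 — confirm that
# 0600 is accepted by the sudo version on this host.
- name: set up sudoers.d for special users
  copy:
    src: sudoers.d
    dest: /etc/sudoers.d/dbscripts
    owner: root
    group: root
    mode: "0600"
    validate: "visudo -cf %s"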

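# Record whether a Let's Encrypt certificate exists for the repos domain.
# `certfile` is consumed outside this file (presumably by nginx.d.conf.j2 to
# decide whether to enable TLS) — not visible here.
- name: check whether a letsencrypt certificate exists for repos_domain
  stat:
    path: "/etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem"
  register: certfile
  tags:
    - nginx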

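# Render the dbscripts vhost; nginx is restarted via the handler only when the
# rendered file actually changed.
- name: set up nginx
  template:
    src: nginx.d.conf.j2
    dest: /etc/nginx/nginx.d/dbscripts.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - restart nginx
  tags:
    - nginx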

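# Basic-auth credential file for nginx: root-owned, readable only by root and
# the http group (0640), never world-readable.
# NOTE(review): the source file ships with the role — confirm it holds only
# password hashes and is treated as sensitive in the repository.
- name: put dbscripts.htpasswd in place
  copy:
    src: dbscripts.htpasswd
    dest: /etc/nginx/auth/dbscripts.htpasswd
    owner: root
    group: http
    mode: "0640"
  tags:
    - nginx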

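# One account per entry in arch_users (keyed by login). Secondary groups are
# replaced, not appended (user module default), so membership in tu/dev/...
# is driven entirely by arch_users.<login>.groups.
# NOTE(review): nothing here removes accounts dropped from arch_users —
# confirm offboarding is handled elsewhere.
- name: create Arch Linux-specific users
  user:
    name: "{{ item.key }}"
    group: users
    groups: "{{ item.value.groups | join(',') }}"
    comment: "{{ item.value.name }}"
    state: present
  with_dict: "{{ arch_users }}"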

# Read every user's public-key file and split it into one key per element.
# Because set_fact is looped and registered, the per-user lists end up in
# pubkeys.results[*].ansible_facts.pubkeys_per_user, which the two
# "gather pubkeys for ..." tasks below iterate over.
# NOTE(review): '../pubkeys/' is resolved by the file lookup relative to the
# role/playbook location — confirm against the repository layout.
- name: gather all pubkeys of all users
  set_fact: pubkeys_per_user="{{ lookup('file', '../pubkeys/' + item.value.ssh_key).split('\n') }}"
  register: pubkeys
  with_dict: "{{ arch_users }}"
  tags: ["archusers"]

# Build authorized_keys entries for members of the `dev` group: each key from
# the task above is prefixed with a forced command that runs svnserve in tunnel
# mode as that user, with port forwarding, agent forwarding and pty allocation
# disabled, so the key is limited to svn+ssh access. Each entry ends in "\n";
# the join task below concatenates them.
# NOTE(review): `'command' not in key` is a substring test, so a key whose
# comment contains "command" is silently skipped as well.
- name: gather pubkeys for all devs
  set_fact: dev_pubkeys_svn="{% for key in item.ansible_facts.pubkeys_per_user if 'dev' in item.item.value.groups and 'command' not in key %}{{ 'command=\"/usr/bin/svnserve --tunnel-user=' + item.item.key + ' -t\",no-port-forwarding,no-agent-forwarding,no-pty ' + key + '\n' }}{% endfor %}"
  register: dev_pubkeys_svn_reg
  with_items: "{{ pubkeys.results }}"
  tags: ["archusers"]

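# Concatenate the per-user dev entries into the single string that
# authorized_key expects for svn-packages.
- name: join all dev pubkeys into a big string
  set_fact:
    dev_pubkeys_string: "{% for result in dev_pubkeys_svn_reg.results %}{{ result.ansible_facts.dev_pubkeys_svn }}{% endfor %}"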

# Same construction as for devs, restricted to members of the `tu` group: each
# key gets a forced svnserve tunnel command as that user with port forwarding,
# agent forwarding and pty disabled; keys already carrying "command" are skipped
# (substring test, see the dev task above).
- name: gather pubkeys for all TUs
  set_fact: tu_pubkeys_svn="{% for key in item.ansible_facts.pubkeys_per_user if 'tu' in item.item.value.groups and 'command' not in key %}{{ 'command=\"/usr/bin/svnserve --tunnel-user=' + item.item.key + ' -t\",no-port-forwarding,no-agent-forwarding,no-pty ' + key + '\n' }}{% endfor %}"
  register: tu_pubkeys_svn_reg
  with_items: "{{ pubkeys.results }}"
  tags: ["archusers"]

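# Concatenate the per-user TU entries into the single string that
# authorized_key expects for svn-community.
- name: join all tu pubkeys into a big string
  set_fact:
    tu_pubkeys_string: "{% for result in tu_pubkeys_svn_reg.results %}{{ result.ansible_facts.tu_pubkeys_svn }}{% endfor %}"
  tags: ["archusers"]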

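# Install the generated dev key list for svn-packages. `exclusive: true` makes
# the file contain exactly these forced-command keys, so keys added by hand or
# belonging to removed developers are dropped on the next run.
- name: configure ssh keys for devs
  authorized_key:
    user: svn-packages
    key: "{{ dev_pubkeys_string }}"
    manage_dir: true
    state: present
    exclusive: true
  tags: ["archusers"]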

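# Install the generated TU key list for svn-community. `exclusive: true` makes
# the file contain exactly these forced-command keys, so keys added by hand or
# belonging to removed TUs are dropped on the next run.
- name: configure ssh keys for TUs
  authorized_key:
    user: svn-community
    key: "{{ tu_pubkeys_string }}"
    manage_dir: true
    state: present
    exclusive: true
  tags: ["archusers"]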

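# One staging subdirectory per repository in every packager's home, owned by
# that user. item[0] is the login (key of arch_users), item[1] the repo name.
- name: create staging directories in user homes
  file:
    path: "/home/{{ item[0] }}/staging/{{ item[1] }}"
    state: directory
    owner: "{{ item[0] }}"
    group: users
    mode: "0755"
  with_nested:
    - "{{ arch_users }}"
    - ['core', 'extra', 'testing', 'staging', 'community', 'community-staging', 'community-testing', 'multilib', 'multilib-staging', 'multilib-testing']
  tags: ["archusers"]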

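# Top-level repository roots; ownership/mode left at the module defaults here,
# the subdirectories below get explicit owners and ACLs.
- name: create dbscripts paths
  file:
    path: "{{ item }}"
    state: directory
  with_items:
    - /srv/repos/svn-community
    - /srv/repos/svn-packages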

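# package-cleanup directories: owned by the repo account, group-writable for
# the packager group (tu for community, dev for packages).
- name: create package-cleanup directories
  file:
    path: "/srv/repos/{{ item.repo }}/package-cleanup"
    state: directory
    owner: "{{ item.repo }}"
    group: "{{ item.group }}"
    mode: "0775"
  with_items:
    - repo: svn-community
      group: tu
    - repo: svn-packages
      group: dev

# Give the cleanup service account rwx on the directories and, via the
# default: entries, on everything created inside them later by packagers.
- name: grant the cleanup user access to package-cleanup directories
  acl:
    path: "/srv/repos/{{ item[0] }}/package-cleanup"
    entry: "{{ item[1] }}"
    state: present
  with_nested:
    - [svn-community, svn-packages]
    - ["user:cleanup:rwx", "default:user::rwx", "default:user:cleanup:rwx", "default:group::rwx", "default:other::r-x"]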

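# source-cleanup directories: owned by the sourceballs service account,
# group = the repo account, not group-writable.
- name: create source-cleanup directories
  file:
    path: "/srv/repos/{{ item }}/source-cleanup"
    state: directory
    owner: sourceballs
    group: "{{ item }}"
    mode: "0755"
  with_items:
    - svn-community
    - svn-packages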

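# The svn repository roots, owned by the repo account only (0755).
- name: create svn repository directories
  file:
    path: "/srv/repos/{{ item }}/svn"
    state: directory
    owner: "{{ item }}"
    group: "{{ item }}"
    mode: "0755"
  with_items:
    - svn-community
    - svn-packages

# Default ACLs so files created under the repo keep owner-rwx / group,other-r-x.
- name: set default ACLs on svn repository directories
  acl:
    path: "/srv/repos/{{ item[0] }}/svn"
    entry: "{{ item[1] }}"
    state: present
  with_nested:
    - [svn-community, svn-packages]
    - ["default:user::rwx", "default:group::r-x", "default:other::r-x"]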

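# Sticky, group-writable tmp directories (1775) for the packager groups.
- name: create svn tmp directories
  file:
    path: "/srv/repos/{{ item.repo }}/tmp"
    state: directory
    owner: "{{ item.repo }}"
    group: "{{ item.group }}"
    mode: "1775"
  with_items:
    - repo: svn-community
      group: tu
    - repo: svn-packages
      group: dev

- name: allow sourceballs to write to svn tmp directories
  acl:
    path: "/srv/repos/{{ item }}/tmp"
    entry: "user:sourceballs:rwx"
    state: present
  with_items:
    - svn-community
    - svn-packages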

- file: path="/srv/ftp/lastsync" state=touch owner=ftp group=ftp mode=0644

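# NOTE(review): state=touch updates the mtime on every run, so this task always
# reports changed — confirm that is intended.
- name: create /srv/ftp/lastupdate
  file:
    path: /srv/ftp/lastupdate
    state: touch
    owner: ftp
    group: ftp
    mode: "0644"

# Packagers (tu, dev) update the marker from dbscripts; no execute bit needed.
- name: let tu and dev groups write /srv/ftp/lastupdate
  acl:
    path: /srv/ftp/lastupdate
    entry: "group:{{ item }}:rw-"
    state: present
  with_items:
    - tu
    - dev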

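# One dbscripts checkout per repository, fetched over https.
# NOTE(review): no `version:` is pinned, so every run updates the checkout to
# upstream HEAD of the default branch; pin a tag or commit once a release
# process exists so a compromised or broken upstream push cannot land here
# unreviewed.
- name: clone dbscripts git repo
  git:
    dest: "/srv/repos/{{ item }}/dbscripts"
    repo: https://git.archlinux.org/dbscripts.git
  with_items:
    - svn-community
    - svn-packages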

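# Parent directory for the svn symlinks below (svnserve is rooted here).
- name: make /srv/svn
  file:
    path: /srv/svn
    state: directory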

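# Stable public paths: /srv/svn/<repo> for svnserve, /<repo> for the dbscripts
# checkouts, both pointing into /srv/repos/svn-<repo>.
- name: symlink svn repositories and dbscripts checkouts
  file:
    path: "{{ item.path }}"
    src: "{{ item.src }}"
    state: link
  with_items:
    - path: /srv/svn/community
      src: /srv/repos/svn-community/svn
    - path: /srv/svn/packages
      src: /srv/repos/svn-packages/svn
    - path: /community
      src: /srv/repos/svn-community/dbscripts
    - path: /packages
      src: /srv/repos/svn-packages/dbscripts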

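# tmpfiles.d entry for rsyncd; the registered result gates the explicit
# systemd-tmpfiles run below so it only executes when the file changed.
- name: put rsyncd.conf into tmpfiles
  copy:
    src: rsyncd-tmpfiles.d
    dest: /etc/tmpfiles.d/rsyncd.conf
    owner: root
    group: root
    mode: "0644"
  register: rsyncdtmpfiles

- name: use tmpfiles.d/rsyncd.conf
  command: systemd-tmpfiles --create
  when: rsyncdtmpfiles.changed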

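# Root-only directory (0700) for the rsyncd.conf generator and its prototype.
- name: create rsyncd-conf-genscripts
  file:
    path: /etc/rsyncd-conf-genscripts
    state: directory
    owner: root
    group: root
    mode: "0700"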

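# Prototype that gen_rsyncd.conf.pl expands into the final rsyncd.conf.
- name: install rsync.conf.proto
  copy:
    src: rsyncd.conf.proto
    dest: /etc/rsyncd-conf-genscripts/rsyncd.conf.proto
    owner: root
    group: root
    mode: "0644"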

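# rsync daemon credentials; root-only (0600) as rsyncd requires.
# NOTE(review): src is a plain role file — confirm it is stored encrypted
# (e.g. ansible-vault) rather than in clear text in version control.
- name: install rsyncd.secrets
  copy:
    src: rsyncd.secrets
    dest: /etc/rsyncd.secrets
    owner: root
    group: root
    mode: "0600"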

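# The generator is a template (it is rendered with host variables) and is
# executable by root only.
- name: configure gen_rsyncd.conf.pl
  template:
    src: gen_rsyncd.conf.pl
    dest: /etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl
    owner: root
    group: root
    mode: "0700"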

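# Runs the generator unconditionally (no creates/changed_when), so this task
# always reports changed; the gen_rsyncd timer installed below re-runs it
# periodically anyway.
- name: generate mirror config
  command: /etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl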

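- name: install svnlog
  copy:
    src: svnlog
    dest: /usr/local/bin/svnlog
    owner: root
    group: root
    mode: "0755"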

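# Service account that mirrors svn to git. A 4096-bit key pair is generated in
# its home; its public half must be authorised on the git host for the push
# tasks below to work (not managed here).
- name: add arch-svntogit user
  user:
    name: svntogit
    shell: /sbin/nologin
    home: /srv/svntogit
    generate_ssh_key: true
    ssh_key_bits: 4096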

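# Identity used for the commits svntogit creates. The original commands passed a
# literal "=" as the value (git config takes `name value`, not `name = value`)
# and the second task set user.name instead of user.email; both fixed here.
- name: configure svntogit git user name
  command: git config --global user.name svntogit
  become: true
  become_user: svntogit

- name: configure svntogit git user email
  command: git config --global user.email svntogit@repos.archlinux.org
  become: true
  become_user: svntogit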

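# The mirror script run by the arch-svntogit timer; root-owned, world-executable.
- name: template arch-svntogit
  copy:
    src: update-repos.sh
    dest: /srv/svntogit/update-repos.sh
    owner: root
    group: root
    mode: "0755"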

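- name: create svntogit repos subdir
  file:
    path: /srv/svntogit/repos
    state: directory
    owner: svntogit
    group: svntogit
    mode: "0775"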

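# Initial git-svn import from the local svn repositories; `creates` makes the
# clone a one-off, later runs are skipped once the target directory exists.
- name: clone git-svn repos
  command: git svn clone file:///srv/repos/svn-{{ item }}/svn /srv/svntogit/repos/{{ item }}
  args:
    creates: "/srv/svntogit/repos/{{ item }}"
  with_items:
    - community
    - packages
  become: true
  become_user: svntogit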

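# `git remote add` fails once the remote exists, hence ignore_errors.
# NOTE(review): ignore_errors masks every failure of this command, not just the
# "remote already exists" case — a `git remote` check with a `when:` would be
# more precise.
- name: add svntogit public remotes
  command: git remote add public ssh://git.archlinux.org/srv/git/svntogit/{{ item }}.git
  args:
    chdir: "/srv/svntogit/repos/{{ item }}"
  with_items:
    - community
    - packages
  become: true
  become_user: svntogit
  ignore_errors: true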

  # The following command also serves as a way to get the data the first time the repo is set up
- name: configure svntogit pull upstream branch
  command: git pull public master chdir=/srv/svntogit/repos/{{ item }}
  with_items:
    - community
    - packages
  become: yes
  become_user: svntogit

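# Sets the upstream tracking branch (and pushes) so update-repos.sh can use a
# bare `git push`.
- name: configure svntogit push upstream branch
  command: git push -u public master
  args:
    chdir: "/srv/svntogit/repos/{{ item }}"
  with_items:
    - community
    - packages
  become: true
  become_user: svntogit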

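# The home was created by the user task above; give it to the service account
# explicitly since files were placed in it as root in between.
- name: fix svntogit home permissions
  file:
    path: /srv/svntogit
    state: directory
    owner: svntogit
    group: svntogit
    mode: "0775"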

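- name: install repo helpers
  copy:
    src: "{{ item }}"
    dest: "/usr/local/bin/{{ item }}"
    owner: root
    group: root
    mode: "0755"
  with_items:
    - lsrepo
    - checklib32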

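# Socket-activated rsyncd, serving the config generated above.
- name: start and enable rsync
  service:
    name: rsyncd.socket
    enabled: true
    state: started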

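# -R makes the daemon read-only, -r roots it at /srv/svn (the symlinks above).
# Write access presumably goes through the per-user svn+ssh forced commands
# instead of this daemon.
# NOTE(review): a change to this file does not restart svnserve — no handler is
# notified here.
- name: configure svnserve
  copy:
    dest: /etc/conf.d/svnserve
    content: "SVNSERVE_ARGS=-R -r /srv/svn\n"

- name: start and enable svnserve
  service:
    name: svnserve
    enabled: true
    state: started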

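- name: set up update-abs
  template:
    src: update-abs.sh.j2
    dest: /usr/local/bin/update-abs.sh
    owner: root
    group: root
    mode: "0755"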

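# Timer/service unit pairs for the periodic dbscripts jobs; the daemon-reload
# handler picks up new or changed unit files before they are enabled below.
- name: install systemd timers
  copy:
    src: "{{ item }}"
    dest: "/etc/systemd/system/{{ item }}"
    owner: root
    group: root
    mode: "0644"
  with_items:
    - update-abs.timer
    - update-abs.service
    - cleanup.timer
    - cleanup.service
    - sourceballs.timer
    - sourceballs.service
    - integrity-check.timer
    - integrity-check.service
    - lastsync.timer
    - lastsync.service
    - gen_rsyncd.timer
    - gen_rsyncd.service
    - arch-svntogit.timer
    - arch-svntogit.service
  notify:
    - daemon reload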

- name: activate systemd timers
  service: name={{ item }} enabled=yes state=started
  with_items:
    - update-abs.timer
    - cleanup.timer
    - sourceballs.timer
    - integrity-check.timer
    - lastsync.timer
    - gen_rsyncd.timer
    - arch-svntogit.timer