---

- name: install svn, git, rsync and some perl stuff
  # Tooling the tasks below rely on: git/subversion for the repositories,
  # rsync for the mirror daemon, perl modules for the rsyncd config generator.
  pacman:
    name:
      - git
      - subversion
      - rsync
      - perl-dbd-pg
      - perl-timedate
      - diffstat
    state: present

- name: create dbscripts users
  # Accounts that own the two repository trees. Devs/TUs reach them over SSH,
  # but every key installed further down carries a forced svnserve command,
  # so the bash login shell is only ever used to run that command.
  user:
    name: "{{ item }}"
    shell: /bin/bash
  with_items:
    - svn-packages
    - svn-community

- name: add cleanup user
  # Service account for the cleanup timer: no interactive login, but a member
  # of the repository groups (the package-cleanup ACLs below grant it rwx).
  user:
    name: cleanup
    groups: tu,dev,multilib
    shell: /sbin/nologin
- name: add sourceballs user
  # Service account for the sourceballs timer; never logs in interactively.
  user:
    name: sourceballs
    shell: /sbin/nologin

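- name: set up sudoers.d for special users
  # `validate` runs visudo against the staged copy before it replaces the live
  # file, so a syntax error in files/sudoers.d cannot leave the host with a
  # broken sudo. Root-only (0600) as before.
  copy:
    src: sudoers.d
    dest: /etc/sudoers.d/dbscripts
    owner: root
    group: root
    mode: "0600"
    validate: "visudo -cf %s"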

- name: check for a letsencrypt certificate for the repos domain
  # Registered as `certfile`; presumably consumed by nginx.d.conf.j2 to decide
  # whether TLS can be enabled, hence the shared nginx tag.
  stat:
    path: "/etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem"
  register: certfile
  tags:
    - nginx

- name: set up nginx
  # Render the dbscripts vhost; nginx is restarted only when the file changed.
  template:
    src: nginx.d.conf.j2
    dest: /etc/nginx/nginx.d/dbscripts.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - restart nginx
  tags:
    - nginx

- name: put dbscripts.htpasswd in place
  # Basic-auth credential file for nginx: root-owned and readable by the http
  # group only (0640) -- it must never be world-readable.
  copy:
    src: dbscripts.htpasswd
    dest: /etc/nginx/auth/dbscripts.htpasswd
    owner: root
    group: http
    mode: "0640"
  tags:
    - nginx
- name: create Arch Linux-specific users
  # arch_users maps login -> { name, groups, ssh_key }. `groups` is set without
  # `append`, so membership is authoritative: a group removed from the
  # inventory is removed on the host on the next run.
  user:
    name: "{{ item.key }}"
    group: users
    groups: "{{ item.value.groups | join(',') }}"
    comment: "{{ item.value.name }}"
    state: present
  with_dict: "{{ arch_users }}"

- name: gather all pubkeys of all users
  # Read ../pubkeys/<ssh_key> from the controller for every arch_users entry
  # and keep one list of authorized_keys lines per user. The registered
  # `pubkeys` (one result per user; the user's dict entry is under .item)
  # feeds the forced-command tasks below.
  # NOTE(review): a blank line inside a pubkey file would survive split() and
  # become an options line with no key; the files are assumed to be clean.
  set_fact: pubkeys_per_user="{{ lookup('file', '../pubkeys/' + item.value.ssh_key).split('\n') }}"
  register: pubkeys
  with_dict: "{{ arch_users }}"

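- name: gather pubkeys for all devs
  # For every user in the dev group, prefix each public key with an
  # authorized_keys option set that pins the key to `svnserve -t` running as
  # that user and disables everything else the session could be used for:
  # no port/agent/X11 forwarding, no pty, no ~/.ssh/rc. Key lines that
  # already carry a command= option are skipped rather than double-prefixed;
  # the test is on "command=" so a key comment that merely contains the word
  # "command" no longer drops the key.
  # NOTE(review): on OpenSSH >= 7.2 the single `restrict` option covers all
  # of these (and future ones); switch once the host's sshd version is known.
  set_fact: dev_pubkeys_svn="{% for key in item.ansible_facts.pubkeys_per_user if 'dev' in item.item.value.groups and 'command=' not in key %}{{ 'command=\"/usr/bin/svnserve --tunnel-user=' + item.item.key + ' -t\",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty,no-user-rc ' + key + '\n' }}{% endfor %}"
  register: dev_pubkeys_svn_reg
  with_items: "{{ pubkeys.results }}"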

- name: join all dev pubkeys into a big string
  # Concatenate the per-user fragments (each already newline-terminated) into
  # the complete authorized_keys content for svn-packages.
  set_fact: dev_pubkeys_string="{% for result in dev_pubkeys_svn_reg.results %}{{ result.ansible_facts.dev_pubkeys_svn }}{% endfor %}"
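- name: gather pubkeys for all TUs
  # Same as for devs, for the tu group: every key is pinned to `svnserve -t`
  # as that user, with port/agent/X11 forwarding, pty allocation and
  # ~/.ssh/rc disabled. Lines that already carry command= are skipped; the
  # test is on "command=" so a comment containing the word "command" no
  # longer drops the key.
  # NOTE(review): OpenSSH >= 7.2 offers `restrict` as a shorthand for all of
  # these options; adopt it once the host's sshd version is confirmed.
  set_fact: tu_pubkeys_svn="{% for key in item.ansible_facts.pubkeys_per_user if 'tu' in item.item.value.groups and 'command=' not in key %}{{ 'command=\"/usr/bin/svnserve --tunnel-user=' + item.item.key + ' -t\",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty,no-user-rc ' + key + '\n' }}{% endfor %}"
  register: tu_pubkeys_svn_reg
  with_items: "{{ pubkeys.results }}"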

- name: join all tu pubkeys into a big string
  # Concatenate the per-user fragments into the complete authorized_keys
  # content for svn-community.
  set_fact: tu_pubkeys_string="{% for result in tu_pubkeys_svn_reg.results %}{{ result.ansible_facts.tu_pubkeys_svn }}{% endfor %}"

- name: configure ssh keys for devs
  # `exclusive` makes the generated list the entire authorized_keys file of
  # svn-packages: a key dropped from ../pubkeys loses access on the next run.
  # manage_dir lets the module create ~/.ssh with proper permissions.
  authorized_key:
    user: svn-packages
    key: "{{ dev_pubkeys_string }}"
    manage_dir: true
    state: present
    exclusive: true

- name: configure ssh keys for TUs
  # Authoritative authorized_keys for svn-community (see the dev task above):
  # only keys present in ../pubkeys for tu-group users survive a run.
  authorized_key:
    user: svn-community
    key: "{{ tu_pubkeys_string }}"
    manage_dir: true
    state: present
    exclusive: true

- name: create staging directories in user homes
  # One staging/<repo> directory per user for every repository dbscripts can
  # publish to (with_nested over the arch_users dict iterates its keys).
  file:
    path: "/home/{{ item[0] }}/staging/{{ item[1] }}"
    state: directory
    owner: "{{ item[0] }}"
    group: users
    mode: "0755"
  with_nested:
    - "{{ arch_users }}"
    - [core, extra, testing, staging, community, community-staging, community-testing, multilib, multilib-staging, multilib-testing]

- name: create dbscripts paths
  # Top-level tree per repository owner; ownership/modes are set on the
  # subdirectories below.
  file:
    path: "{{ item }}"
    state: directory
  with_items:
    - /srv/repos/svn-community
    - /srv/repos/svn-packages

- name: create community package-cleanup directory
  file:
    path: /srv/repos/svn-community/package-cleanup
    state: directory
    owner: svn-community
    group: tu
    mode: "0775"

- name: grant the cleanup user access to community package-cleanup
  # Access entry for cleanup plus a default ACL so files created here inherit
  # rwx for owner/group/cleanup and r-x for everyone else.
  acl:
    name: /srv/repos/svn-community/package-cleanup
    entry: "{{ item }}"
    state: present
  with_items:
    - "user:cleanup:rwx"
    - "default:user::rwx"
    - "default:user:cleanup:rwx"
    - "default:group::rwx"
    - "default:other::r-x"

- name: create packages package-cleanup directory
  file:
    path: /srv/repos/svn-packages/package-cleanup
    state: directory
    owner: svn-packages
    group: dev
    mode: "0775"

- name: grant the cleanup user access to packages package-cleanup
  # Same ACL layout as the community tree: cleanup gets rwx now and by
  # default on new entries; others stay read-only.
  acl:
    name: /srv/repos/svn-packages/package-cleanup
    entry: "{{ item }}"
    state: present
  with_items:
    - "user:cleanup:rwx"
    - "default:user::rwx"
    - "default:user:cleanup:rwx"
    - "default:group::rwx"
    - "default:other::r-x"

- name: create source-cleanup directories for the sourceballs user
  # Owned by sourceballs, group = the repository owner, not group-writable.
  file:
    path: "/srv/repos/{{ item }}/source-cleanup"
    state: directory
    owner: sourceballs
    group: "{{ item }}"
    mode: "0755"
  with_items:
    - svn-community
    - svn-packages

- name: create the svn repository roots
  # Each root is owned by its repository user; everyone else gets read-only.
  file:
    path: "/srv/repos/{{ item }}/svn"
    state: directory
    owner: "{{ item }}"
    group: "{{ item }}"
    mode: "0755"
  with_items:
    - svn-community
    - svn-packages

- name: set default ACLs on the svn repository roots
  # Entries created below inherit rwx for the owner and r-x for group/other,
  # mirroring the 0755 on the root itself.
  acl:
    name: "/srv/repos/{{ item[0] }}/svn"
    entry: "{{ item[1] }}"
    state: present
  with_nested:
    - [svn-community, svn-packages]
    - ["default:user::rwx", "default:group::r-x", "default:other::r-x"]

- name: create per-repository tmp directories
  # Group-writable for the repository's committer group, sticky (1775) so
  # members can only remove their own files.
  file:
    path: "/srv/repos/{{ item.owner }}/tmp"
    state: directory
    owner: "{{ item.owner }}"
    group: "{{ item.group }}"
    mode: "1775"
  with_items:
    - { owner: svn-community, group: tu }
    - { owner: svn-packages, group: dev }

- name: let the sourceballs user write into the tmp directories
  acl:
    name: "/srv/repos/{{ item }}/tmp"
    entry: "user:sourceballs:rwx"
    state: present
  with_items:
    - svn-community
    - svn-packages

- name: ensure /srv/ftp/lastsync exists
  # state=touch also bumps the mtime on every run, so this task always
  # reports changed.
  file:
    path: /srv/ftp/lastsync
    state: touch
    owner: ftp
    group: ftp
    mode: "0644"

- name: ensure /srv/ftp/lastupdate exists
  # Touched on every run (always reports changed); owned by ftp but writable
  # by the committer groups via the ACL entries below.
  file:
    path: /srv/ftp/lastupdate
    state: touch
    owner: ftp
    group: ftp
    mode: "0644"

- name: let TUs and devs update /srv/ftp/lastupdate
  acl:
    name: /srv/ftp/lastupdate
    entry: "group:{{ item }}:rw-"
    state: present
  with_items:
    - tu
    - dev

- name: clone dbscripts git repo
  # One checkout per repository tree. No `version` is given, so every run
  # updates to the remote's current HEAD.
  # NOTE(review): this is the code that publishes packages; pinning `version`
  # to a reviewed tag or commit would make deployments reproducible.
  git:
    repo: https://git.archlinux.org/dbscripts.git
    dest: "/srv/repos/{{ item }}/dbscripts"
  with_items:
    - svn-community
    - svn-packages

- name: make /srv/svn
  # Root directory served by svnserve (see SVNSERVE_ARGS below); holds
  # symlinks to the real repositories.
  file:
    path: /srv/svn
    state: directory

- name: symlink the svn and dbscripts paths
  # /srv/svn/<name> is what svnserve exports; /community and /packages are the
  # historical locations of the dbscripts checkouts.
  file:
    path: "{{ item.path }}"
    src: "{{ item.src }}"
    state: link
  with_items:
    - { path: /srv/svn/community, src: /srv/repos/svn-community/svn }
    - { path: /srv/svn/packages, src: /srv/repos/svn-packages/svn }
    - { path: /community, src: /srv/repos/svn-community/dbscripts }
    - { path: /packages, src: /srv/repos/svn-packages/dbscripts }

- name: put rsyncd.conf into tmpfiles
  copy:
    src: rsyncd-tmpfiles.d
    dest: /etc/tmpfiles.d/rsyncd.conf
    owner: root
    group: root
    mode: "0644"
  register: rsyncdtmpfiles

- name: use tmpfiles.d/rsyncd.conf
  # Apply the new tmpfiles entry right away, but only when it changed.
  command: systemd-tmpfiles --create
  when: rsyncdtmpfiles.changed

- name: create rsyncd-conf-genscripts
  # Root-only directory holding the mirror-config generator and its prototype.
  file:
    path: /etc/rsyncd-conf-genscripts
    state: directory
    owner: root
    group: root
    mode: "0700"

- name: install rsync.conf.proto
  copy:
    src: rsyncd.conf.proto
    dest: /etc/rsyncd-conf-genscripts/rsyncd.conf.proto
    owner: root
    group: root
    mode: "0644"

- name: install rsyncd.secrets
  # Mirror credentials; root-only (0600), which rsyncd's strict-modes check
  # requires anyway.
  # NOTE(review): the source lives in files/ of this role -- confirm it is
  # vault-encrypted rather than stored in clear in the repository.
  copy:
    src: rsyncd.secrets
    dest: /etc/rsyncd.secrets
    owner: root
    group: root
    mode: "0600"

- name: configure gen_rsyncd.conf.pl
  # Templated so the generator can carry host-specific values; executable by
  # root only.
  template:
    src: gen_rsyncd.conf.pl
    dest: /etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl
    owner: root
    group: root
    mode: "0700"

- name: generate mirror config
  # Runs unconditionally (always reports changed); the gen_rsyncd timer
  # installed below keeps the config current between plays.
  command: /etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl

- name: install svnlog
  copy:
    src: svnlog
    dest: /usr/local/bin/svnlog
    owner: root
    group: root
    mode: "0755"

- name: add arch-svntogit user
  # Mirrors the svn repositories into git. The generated 4096-bit key is what
  # git.archlinux.org presumably has to authorize for the push below; nothing
  # in this file distributes its public half.
  user:
    name: svntogit
    shell: /sbin/nologin
    home: /srv/svntogit
    generate_ssh_key: true
    ssh_key_bits: 4096

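- name: configure svntogit git user name
  # `git config <name> <value>` takes positional arguments: the previous
  # `user.name = 'svntogit'` handed git "=" as the value and "svntogit" as a
  # value-pattern, so commits would not have been authored as svntogit.
  command: git config --global user.name svntogit
  become: true
  become_user: svntogit
  changed_when: false

- name: configure svntogit git user email
  # Was setting user.name a second time; the author e-mail is user.email.
  command: git config --global user.email svntogit@repos.archlinux.org
  become: true
  become_user: svntogit
  changed_when: false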

- name: template arch-svntogit
  # Root-owned copy of the sync script into the svntogit home.
  copy:
    src: update-repos.sh
    dest: /srv/svntogit/update-repos.sh
    owner: root
    group: root
    mode: "0755"

- name: create svntogit repos subdir
  file:
    path: /srv/svntogit/repos
    state: directory
    owner: svntogit
    group: svntogit
    mode: "0775"

- name: clone git-svn repos
  # Initial import from the local svn repository; skipped once the target
  # directory exists.
  command: "git svn clone file:///srv/repos/svn-{{ item }}/svn /srv/svntogit/repos/{{ item }}"
  args:
    creates: "/srv/svntogit/repos/{{ item }}"
  with_items:
    - community
    - packages
  become: true
  become_user: svntogit

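- name: add svntogit public remotes
  # `git remote add` exits non-zero when the remote is already configured;
  # that is the only failure a re-run should tolerate. The previous
  # ignore_errors also hid every other error (wrong checkout, bad URL, wrong
  # user), so only the "already exists" case is accepted now.
  command: "git remote add public ssh://git.archlinux.org/srv/git/svntogit/{{ item }}.git"
  args:
    chdir: "/srv/svntogit/repos/{{ item }}"
  register: svntogit_remote
  failed_when: svntogit_remote.rc != 0 and 'already exists' not in svntogit_remote.stderr
  changed_when: svntogit_remote.rc == 0
  with_items:
    - community
    - packages
  become: true
  become_user: svntogit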

# The following pull also populates the local repo from the public remote on first setup.
- name: configure svntogit pull upstream branch
  # Runs on every play: whatever is on public/master gets merged locally.
  # NOTE(review): this is the first task that contacts git.archlinux.org over
  # SSH as svntogit; it assumes the host key is already in that user's
  # known_hosts (not managed here). Do not work around a failure here by
  # disabling host key checking.
  command: git pull public master
  args:
    chdir: "/srv/svntogit/repos/{{ item }}"
  with_items:
    - community
    - packages
  become: true
  become_user: svntogit

- name: configure svntogit push upstream branch
  # Sets public/master as the tracking branch (and pushes) on every run.
  command: git push -u public master
  args:
    chdir: "/srv/svntogit/repos/{{ item }}"
  with_items:
    - community
    - packages
  become: true
  become_user: svntogit

- name: fix svntogit home permissions
  file:
    path: /srv/svntogit
    state: directory
    owner: svntogit
    group: svntogit
    mode: "0775"

- name: install repo helpers
  copy:
    src: "{{ item }}"
    dest: "/usr/local/bin/{{ item }}"
    owner: root
    group: root
    mode: "0755"
  with_items:
    - lsrepo
    - checklib32

- name: start and enable rsync
  # Socket-activated rsync daemon serving the generated mirror config.
  service:
    name: rsyncd.socket
    enabled: true
    state: started

- name: configure svnserve
  # The network (svn://) daemon runs read-only (-R) rooted at /srv/svn, so
  # anonymous clients can only read. Commits go through the SSH keys
  # configured above, whose forced command runs `svnserve -t` as the
  # repository user.
  copy: dest=/etc/conf.d/svnserve content="SVNSERVE_ARGS=-R -r /srv/svn\n"

- name: start and enable svnserve
  service: name=svnserve enabled=yes state=started

- name: set up update-abs
  template:
    src: update-abs.sh.j2
    dest: /usr/local/bin/update-abs.sh
    owner: root
    group: root
    mode: "0755"

- name: install systemd timers
  # Unit files for the periodic jobs; the daemon reload handler fires only
  # when one of them changed.
  copy:
    src: "{{ item }}"
    dest: "/etc/systemd/system/{{ item }}"
    owner: root
    group: root
    mode: "0644"
  with_items:
    - update-abs.timer
    - update-abs.service
    - cleanup.timer
    - cleanup.service
    - sourceballs.timer
    - sourceballs.service
    - integrity-check.timer
    - integrity-check.service
    - lastsync.timer
    - lastsync.service
    - gen_rsyncd.timer
    - gen_rsyncd.service
    - arch-svntogit.timer
    - arch-svntogit.service
  notify:
    - daemon reload

- name: activate systemd timers
  # Only the timers are enabled; each one starts its matching service.
  service:
    name: "{{ item }}"
    enabled: true
    state: started
  with_items:
    - update-abs.timer
    - cleanup.timer
    - sourceballs.timer
    - integrity-check.timer
    - lastsync.timer
    - gen_rsyncd.timer
    - arch-svntogit.timer