main.yml

---

- name: install svn, git, rsync and some perl stuff
  pacman: name=git,subversion,rsync,perl-dbd-pg,perl-timedate,diffstat state=present

- name: install sourceballs requirements (makepkg download dependencies)
  pacman: name=git,subversion,mercurial,breezy state=present

- name: install binutils for createlinks script
  pacman: name=binutils state=present

- name: create dbscripts users
  user: name="{{ item }}" shell=/bin/bash
  with_items:
    - svn-packages
    - svn-community

- name: add cleanup user
  user: name=cleanup groups=tu,dev,multilib shell=/sbin/nologin

- name: add sourceballs user
  user: name=sourceballs shell=/sbin/nologin

- name: set up sudoers.d for special users
  copy: src=sudoers.d dest=/etc/sudoers.d/dbscripts owner=root group=root mode=0600

- name: create ssl cert
  include_role:
    name: certificate
  vars:
    domains: ["{{ repos_domain }}", "{{ repos_rsync_domain }}"]

- name: make nginx log dir
  file: path=/var/log/nginx/{{ repos_domain }} state=directory owner=root group=root mode=0755

- name: set up nginx
  template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/dbscripts.conf owner=root group=root mode=0644
  notify:
    - reload nginx
  tags:
    - nginx

- name: put dbscripts.htpasswd in place
  copy: src=dbscripts.htpasswd dest=/etc/nginx/auth/dbscripts.htpasswd owner=root group=http mode=0640
  tags:
    - nginx

- name: create Arch Linux-specific users
  user:
    name: "{{ item.key }}"
    group: users
    groups: "{{ item.value.groups | join(',') }}"
    comment: "{{ item.value.name }}"
    state: present
  with_dict: "{{ arch_users }}"

- name: create .ssh directory
  file: path=/home/svn-packages/.ssh state=directory owner=svn-packages group=svn-packages mode=0700

- name: configure ssh keys for devs
  template: src=authorized_keys-group.j2 dest=/home/svn-packages/.ssh/authorized_keys owner=svn-packages group=svn-packages mode=600
  vars:
    pubkey_groups: ['dev']
  tags: ['archusers']

- name: create .ssh directory
  file: path=/home/svn-community/.ssh state=directory owner=svn-community group=svn-community mode=0700

- name: configure ssh keys for TUs
  template: src=authorized_keys-group.j2 dest=/home/svn-community/.ssh/authorized_keys owner=svn-community group=svn-community mode=600
  vars:
    pubkey_groups: ['tu']
  tags: ['archusers']

- name: create staging directories in user homes
  dbscripts_mkdirs:
    pathtmpl: '/home/{user}/staging/{dirname}'
    permissions: '755'
    directories: ['', 'core', 'extra', 'testing', 'staging', 'community', 'community-staging', 'community-testing', 'multilib', 'multilib-staging', 'multilib-testing']
    users: "{{ arch_users.keys() | list }}"
    group: users
  tags: ["archusers"]

- name: create dbscripts paths
  file: path="{{ item }}" state=directory owner=root group=root mode=0755
  with_items:
    - /srv/repos/svn-community
    - /srv/repos/svn-packages

- name: create svn-community/package-cleanup directory
  file: path="/srv/repos/svn-community/package-cleanup" state=directory owner=svn-community group=tu mode=0775
- name: add acl user:cleanup:rwx to /srv/repos/svn-community/package-cleanup
  acl: name=/srv/repos/svn-community/package-cleanup entry="user:cleanup:rwx" state=present
- name: add acl default:user::rwx to /srv/repos/svn-community/package-cleanup
  acl: name=/srv/repos/svn-community/package-cleanup entry="default:user::rwx" state=present
- name: add acl default:user:cleanup:rwx to /srv/repos/svn-community/package-cleanup
  acl: name=/srv/repos/svn-community/package-cleanup entry="default:user:cleanup:rwx" state=present
- name: add acl default:group::rwx to /srv/repos/svn-community/package-cleanup
  acl: name=/srv/repos/svn-community/package-cleanup entry="default:group::rwx" state=present
- name: add acl default:other::r-x to /srv/repos/svn-community/package-cleanup
  acl: name=/srv/repos/svn-community/package-cleanup entry="default:other::r-x" state=present

- name: create svn-packages/package-cleanup directory
  file: path="/srv/repos/svn-packages/package-cleanup" state=directory owner=svn-packages group=dev mode=0775
- name: add acl user:cleanup:rwx to /srv/repos/svn-packages/package-cleanup
  acl: name=/srv/repos/svn-packages/package-cleanup entry="user:cleanup:rwx" state=present
- name: add acl default:user::rwx to /srv/repos/svn-packages/package-cleanup
  acl: name=/srv/repos/svn-packages/package-cleanup entry="default:user::rwx" state=present
- name: add acl default:user:cleanup:rwx to /srv/repos/svn-packages/package-cleanup
  acl: name=/srv/repos/svn-packages/package-cleanup entry="default:user:cleanup:rwx" state=present
- name: add acl default:group::rwx to /srv/repos/svn-packages/package-cleanup
  acl: name=/srv/repos/svn-packages/package-cleanup entry="default:group::rwx" state=present
- name: add acl default:other::r-x to /srv/repos/svn-packages/package-cleanup
  acl: name=/srv/repos/svn-packages/package-cleanup entry="default:other::r-x" state=present

- name: create svn-community/source-cleanup directory
  file: path="/srv/repos/svn-community/source-cleanup" state=directory owner=sourceballs group=svn-community mode=0755
- name: create svn-packages/source-cleanup directory
  file: path="/srv/repos/svn-packages/source-cleanup" state=directory owner=sourceballs group=svn-packages mode=0755

- name: create svn-community/svn directory
  file: path="/srv/repos/svn-community/svn" state=directory owner=svn-community group=svn-community mode=0755
- name: add acl default:user::rwx to /srv/repos/svn-community/svn
  acl: name=/srv/repos/svn-community/svn entry="default:user::rwx" state=present
- name: add acl default:group::r-x to /srv/repos/svn-community/svn
  acl: name=/srv/repos/svn-community/svn entry="default:group::r-x" state=present
- name: add acl default:other::r-x to /srv/repos/svn-community/svn
  acl: name=/srv/repos/svn-community/svn entry="default:other::r-x" state=present

- name: create svn-packages/svn directory
  file: path="/srv/repos/svn-packages/svn" state=directory owner=svn-packages group=svn-packages mode=0755
- name: add acl default:user::rwx to /srv/repos/svn-packages/svn
  acl: name=/srv/repos/svn-packages/svn entry="default:user::rwx" state=present
- name: add acl default:group::r-x to /srv/repos/svn-packages/svn
  acl: name=/srv/repos/svn-packages/svn entry="default:group::r-x" state=present
- name: add acl default:other::r-x to /srv/repos/svn-packages/svn
  acl: name=/srv/repos/svn-packages/svn entry="default:other::r-x" state=present

- name: create svn-community/tmp directory
  file: path="/srv/repos/svn-community/tmp" state=directory owner=svn-community group=tu mode=1775
- name: add acl user:sourceballs:rwx to /srv/repos/svn-community/tmp
  acl: name=/srv/repos/svn-community/tmp entry="user:sourceballs:rwx" state=present

- name: create svn-packages/tmp directory
  file: path="/srv/repos/svn-packages/tmp" state=directory owner=svn-packages group=dev mode=1775
- name: add acl user:sourceballs:rwx to /srv/repos/svn-packages/tmp
  acl: name=/srv/repos/svn-packages/tmp entry="user:sourceballs:rwx" state=present

- name: touch /srv/ftp/lastsync file
  file: path="/srv/ftp/lastsync" state=touch owner=ftp group=ftp mode=0644

- name: touch /srv/ftp/lastupdate file
  file: path="/srv/ftp/lastupdate" state=touch owner=ftp group=ftp mode=0644
- name: add acl group:tu:rw- to /srv/ftp/lastupdate
  acl: name=/srv/ftp/lastupdate entry="group:tu:rw-" state=present
- name: add acl group:dev:rw- to /srv/ftp/lastupdate
  acl: name=/srv/ftp/lastupdate entry="group:dev:rw-" state=present

- name: fetch dbscripts PGP key
  command: /usr/bin/gpg --keyserver keys.openpgp.org --auto-key-locate wkd,keyserver --locate-keys {{ item }}
  with_items: '{{ dbscripts_pgp_emails }}'
  register: gpg
  changed_when: "gpg.rc == 0"

- name: clone dbscripts git repo
  git: >
    dest=/srv/repos/{{ item }}/dbscripts
    repo=https://github.com/archlinux/dbscripts.git
    version={{ dbscripts_commit }} update={{ dbscripts_update }}
    verify_commit=yes
  with_items:
    - svn-community
    - svn-packages

- name: make /srv/svn
  file: path=/srv/svn state=directory owner=root group=root mode=0755

- name: symlink /srv/svn/community to /srv/repos/svn-community/svn
  file: path=/srv/svn/community src=/srv/repos/svn-community/svn state=link owner=root group=root mode=0755

- name: symlink /srv/svn/packages to /srv/repos/svn-packages/svn
  file: path=/srv/svn/packages src=/srv/repos/svn-packages/svn state=link owner=root group=root mode=0755

- name: symlink /community to /srv/repos/svn-community/dbscripts
  file: path=/community src=/srv/repos/svn-community/dbscripts state=link owner=root group=root mode=0755

- name: symlink /packages to /srv/repos/svn-packages/dbscripts
  file: path=/packages src=/srv/repos/svn-packages/dbscripts state=link owner=root group=root mode=0755

- name: put rsyncd.conf into tmpfiles
  copy: src=rsyncd-tmpfiles.d dest=/etc/tmpfiles.d/rsyncd.conf owner=root group=root mode=0644
  register: rsyncdtmpfiles

- name: use tmpfiles.d/rsyncd.conf
  command: systemd-tmpfiles --create
  when: rsyncdtmpfiles.changed

- name: create rsyncd-conf-genscripts
  file: path=/etc/rsyncd-conf-genscripts state=directory owner=root group=root mode=0700

- name: install rsync.conf.proto
  template: src=rsyncd.conf.proto.j2 dest=/etc/rsyncd-conf-genscripts/rsyncd.conf.proto owner=root group=root mode=0644

- name: configure gen_rsyncd.conf.pl
  template: src=gen_rsyncd.conf.pl dest=/etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl owner=root group=root mode=0700
  no_log: true

- name: generate mirror config
  command: /etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl
  register: gen_rsyncd
  changed_when: "gen_rsyncd.rc == 0"

- name: install svnlog
  copy: src=svnlog dest=/usr/local/bin/svnlog owner=root group=root mode=0755

- name: add arch-svntogit user
  user: name=svntogit shell=/sbin/nologin home=/srv/svntogit generate_ssh_key=yes ssh_key_bits=4096

- name: configure svntogit git user name
  command: git config --global user.name = 'svntogit'
  become: true
  become_user: svntogit
  register: git_config_username
  changed_when: "git_config_username.rc == 0"
  tags:
    - skip_ansible_lint

- name: configure svntogit git user email
  command: git config --global user.name = 'svntogit@repos.archlinux.org'
  become: true
  become_user: svntogit
  register: git_config_email
  changed_when: "git_config_email.rc == 0"
  tags:
    - skip_ansible_lint

- name: template arch-svntogit
  copy: src=update-repos.sh dest=/srv/svntogit/update-repos.sh owner=root group=root mode=0755

- name: create svntogit repos subdir
  file: path="/srv/svntogit/repos" state=directory owner=svntogit group=svntogit mode=0775

- name: clone git-svn repos
  command: git svn clone file:///srv/repos/svn-{{ item }}/svn /srv/svntogit/repos/{{ item }} creates=/srv/svntogit/repos/{{ item }}
  with_items:
    - community
    - packages
  become: true
  become_user: svntogit
  tags:
    - skip_ansible_lint

- name: add svntogit public remotes
  command: git remote add public git@github.com:archlinux/svntogit-{{ item }}.git chdir=/srv/svntogit/repos/{{ item }}
  with_items:
    - community
    - packages
  become: true
  become_user: svntogit
  ignore_errors: true
  register: git_public_remote
  changed_when: "git_public_remote.rc == 0"
  tags:
    - skip_ansible_lint

# The following command also serves as a way to get the data the first time the repo is set up
- name: configure svntogit pull upstream branch
  command: git pull public master chdir=/srv/svntogit/repos/{{ item }}
  with_items:
    - community
    - packages
  become: true
  become_user: svntogit
  register: git_pull_upstream
  changed_when: "git_pull_upstream.rc == 0"
  tags:
    - skip_ansible_lint

- name: configure svntogit push upstream branch
  command: git push -u public master chdir=/srv/svntogit/repos/{{ item }}
  with_items:
    - community
    - packages
  become: true
  become_user: svntogit
  register: git_push_master
  changed_when: "git_push_master.rc == 0"
  tags:
    - skip_ansible_lint

- name: fix svntogit home permissions
  file: path="/srv/svntogit" state=directory owner=svntogit group=svntogit mode=0775

- name: install repo helpers
  copy: src={{ item }} dest=/usr/local/bin/{{ item }} owner=root group=root mode=0755
  with_items:
    - lsrepo
    - checklib32

- name: install createlinks script
  copy: src=createlinks dest=/usr/local/bin/createlinks owner=root group=root mode=0755

- name: start and enable rsync
  service: name=rsyncd.socket enabled=yes state=started

- name: open firewall holes for rsync
  ansible.posix.firewalld: service=rsyncd permanent=true state=enabled immediate=yes
  when: configure_firewall
  tags:
    - firewall

- name: configure svnserve
  copy: dest=/etc/conf.d/svnserve owner=root group=root mode=0644 content="SVNSERVE_ARGS=-R -r /srv/svn\n"

- name: start and enable svnserve
  service: name=svnserve enabled=yes state=started

- name: open firewall holes for svnserve
  ansible.posix.firewalld: port=3690/tcp permanent=true state=enabled immediate=yes
  when: configure_firewall
  tags:
    - firewall

- name: install systemd timers
  copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
  with_items:
    - cleanup.timer
    - cleanup.service
    - sourceballs.timer
    - sourceballs.service
    - lastsync.timer
    - lastsync.service
    - gen_rsyncd.timer
    - gen_rsyncd.service
    - arch-svntogit.timer
    - arch-svntogit.service
    - createlinks.timer
    - createlinks.service
  notify:
    - daemon reload

- name: activate systemd timers
  service: name={{ item }} enabled=yes state=started
  with_items:
    - cleanup.timer
    - sourceballs.timer
    - lastsync.timer
    - gen_rsyncd.timer
    - arch-svntogit.timer
    - createlinks.timer