---

# Packages needed by dbscripts itself (svn/git/rsync plus the perl modules it
# depends on).
- name: install svn, git, rsync and some perl stuff
  pacman:
    name:
      - git
      - subversion
      - rsync
      - perl-dbd-pg
      - perl-timedate
      - diffstat
    state: present

# VCS clients makepkg needs to fetch sources for the sourceballs job.
- name: install sourceballs requirements (makepkg download dependencies)
  pacman:
    name:
      - git
      - subversion
      - mercurial
      - breezy
    state: present

# The two repository owners get a login shell; they own the svn checkouts under
# /srv/repos below.
- name: create dbscripts users
  user:
    name: "{{ item }}"
    shell: /bin/bash
  with_items:
    - svn-packages
    - svn-community

# Service account for the cleanup job. No `append`, so the supplementary
# groups are set to exactly this list on every run.
- name: add cleanup user
  user:
    name: cleanup
    groups:
      - tu
      - dev
      - multilib
    shell: /sbin/nologin

# Service account for the sourceballs job; no interactive login.
- name: add sourceballs user
  user:
    name: sourceballs
    shell: /sbin/nologin

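# sudoers fragment for the service users above. 0600 root-owned is what sudo
# requires; a group- or world-readable fragment is rejected at runtime.
- name: set up sudoers.d for special users
  copy:
    src: sudoers.d
    dest: /etc/sudoers.d/dbscripts
    owner: root
    group: root
    mode: "0600"
    # Syntax-check before the file is moved into place: a malformed fragment
    # under /etc/sudoers.d breaks sudo for every user on the host.
    validate: /usr/bin/visudo -cf %s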

# Initial certificate issuance via the webroot challenge. `creates` makes this a
# one-shot: once the live cert exists the task is skipped and renewal is left
# to certbot's own timer.
- name: create ssl cert
  command: >-
    certbot certonly --email webmaster@archlinux.org --agree-tos
    --rsa-key-size 4096 --renew-by-default --webroot
    -w {{ letsencrypt_validation_dir }} -d '{{ repos_domain }}'
  args:
    creates: "/etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem"

- name: make nginx log dir
  file:
    path: "/var/log/nginx/{{ repos_domain }}"
    state: directory
    owner: root
    group: root
    mode: "0755"

- name: set up nginx
  template:
    src: nginx.d.conf.j2
    dest: /etc/nginx/nginx.d/dbscripts.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - reload nginx
  tags:
    - nginx

# Hashed credentials for the nginx basic-auth realm: root-owned, readable only
# by the http group, never world-readable.
- name: put dbscripts.htpasswd in place
  copy:
    src: dbscripts.htpasswd
    dest: /etc/nginx/auth/dbscripts.htpasswd
    owner: root
    group: http
    mode: "0640"
  tags:
    - nginx

# One account per entry of `arch_users` (key = login, value.name = GECOS,
# value.groups = supplementary groups). Without `append` the group set is
# replaced on every run, so removing a group in the inventory also revokes it.
- name: create Arch Linux-specific users
  user:
    name: "{{ item.key }}"
    comment: "{{ item.value.name }}"
    state: present
    group: users
    groups: "{{ item.value.groups | join(',') }}"
  with_dict: "{{ arch_users }}"

- name: create .ssh directory
  file:
    path: /home/svn-packages/.ssh
    state: directory
    owner: svn-packages
    group: svn-packages
    mode: "0700"

# authorized_keys for svn-packages is rendered from the 'dev' pubkey group, so
# membership of that group is what grants push access to this account.
- name: configure ssh keys for devs
  template:
    src: authorized_keys-group.j2
    dest: /home/svn-packages/.ssh/authorized_keys
    owner: svn-packages
    group: svn-packages
    mode: "0600"
  vars:
    pubkey_groups:
      - dev
  tags:
    - archusers

- name: create .ssh directory
  file:
    path: /home/svn-community/.ssh
    state: directory
    owner: svn-community
    group: svn-community
    mode: "0700"

# authorized_keys for svn-community is rendered from the 'tu' pubkey group, so
# membership of that group is what grants push access to this account.
- name: configure ssh keys for TUs
  template:
    src: authorized_keys-group.j2
    dest: /home/svn-community/.ssh/authorized_keys
    owner: svn-community
    group: svn-community
    mode: "0600"
  vars:
    pubkey_groups:
      - tu
  tags:
    - archusers

# dbscripts_mkdirs is a role-local module (not in the Ansible distribution);
# it is expected to expand `pathtmpl` for every user/directory pair. The empty
# entry creates the staging root itself.
- name: create staging directories in user homes
  dbscripts_mkdirs:
    pathtmpl: '/home/{user}/staging/{dirname}'
    permissions: '755'
    group: users
    users: "{{ arch_users.keys() | list }}"
    directories:
      - ''
      - core
      - extra
      - testing
      - staging
      - community
      - community-staging
      - community-testing
      - multilib
      - multilib-staging
      - multilib-testing
  tags:
    - archusers

# Root-owned top-level repo directories; the writable subtrees are created with
# explicit owners and ACLs in the tasks that follow.
- name: create dbscripts paths
  file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: root
    mode: "0755"
  with_items:
    - /srv/repos/svn-community
    - /srv/repos/svn-packages

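# Per-repository working directories. Each repo (svn-community, svn-packages)
# is owned by its own user and the packager group that may write to it
# (tu resp. dev); ACLs grant the cleanup/sourceballs service accounts the
# extra access they need. Default ACLs make newly created entries inherit
# the same access.

- name: create package-cleanup directories
  file:
    path: "/srv/repos/{{ item.repo }}/package-cleanup"
    state: directory
    owner: "{{ item.repo }}"
    group: "{{ item.group }}"
    mode: "0775"
  with_items:
    - { repo: svn-community, group: tu }
    - { repo: svn-packages, group: dev }

# cleanup needs rwx on the directory and on everything created inside it.
- name: set acls on package-cleanup directories
  acl:
    name: "/srv/repos/{{ item[0] }}/package-cleanup"
    entry: "{{ item[1] }}"
    state: present
  vars:
    repos:
      - svn-community
      - svn-packages
    entries:
      - "user:cleanup:rwx"
      - "default:user::rwx"
      - "default:user:cleanup:rwx"
      - "default:group::rwx"
      - "default:other::r-x"
  with_nested:
    - "{{ repos }}"
    - "{{ entries }}"

# source-cleanup is written by sourceballs; the repo group only reads it.
- name: create source-cleanup directories
  file:
    path: "/srv/repos/{{ item }}/source-cleanup"
    state: directory
    owner: sourceballs
    group: "{{ item }}"
    mode: "0755"
  with_items:
    - svn-community
    - svn-packages

# The svn repositories themselves: owner writes, everyone else reads.
- name: create svn directories
  file:
    path: "/srv/repos/{{ item }}/svn"
    state: directory
    owner: "{{ item }}"
    group: "{{ item }}"
    mode: "0755"
  with_items:
    - svn-community
    - svn-packages

- name: set default acls on svn directories
  acl:
    name: "/srv/repos/{{ item[0] }}/svn"
    entry: "{{ item[1] }}"
    state: present
  vars:
    repos:
      - svn-community
      - svn-packages
    entries:
      - "default:user::rwx"
      - "default:group::r-x"
      - "default:other::r-x"
  with_nested:
    - "{{ repos }}"
    - "{{ entries }}"

# Shared scratch space: sticky bit (1775) so packagers can only remove their
# own files.
- name: create tmp directories
  file:
    path: "/srv/repos/{{ item.repo }}/tmp"
    state: directory
    owner: "{{ item.repo }}"
    group: "{{ item.group }}"
    mode: "1775"
  with_items:
    - { repo: svn-community, group: tu }
    - { repo: svn-packages, group: dev }

- name: allow sourceballs to write to tmp directories
  acl:
    name: "/srv/repos/{{ item }}/tmp"
    entry: "user:sourceballs:rwx"
    state: present
  with_items:
    - svn-community
    - svn-packages

# state=touch updates the mtime and therefore reports "changed" on every run.
- name: touch /srv/ftp/lastsync file
  file:
    path: /srv/ftp/lastsync
    state: touch
    owner: ftp
    group: ftp
    mode: "0644"

- name: touch /srv/ftp/lastupdate file
  file:
    path: /srv/ftp/lastupdate
    state: touch
    owner: ftp
    group: ftp
    mode: "0644"

# Both packager groups may rewrite the timestamp file.
- name: add acls for tu and dev to /srv/ftp/lastupdate
  acl:
    name: /srv/ftp/lastupdate
    entry: "group:{{ item }}:rw-"
    state: present
  with_items:
    - tu
    - dev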

# Imports the signing keys that the dbscripts clone below verifies commits
# against (verify_commit). Lookup is by e-mail over WKD and keys.openpgp.org,
# so that lookup is the trust anchor for the checkout; pinning fingerprints
# in dbscripts_pgp_emails' counterpart would make it explicit.
# Reports "changed" whenever gpg exits 0, i.e. on every successful run.
- name: fetch dbscripts PGP key
  command: >-
    /usr/bin/gpg --keyserver keys.openpgp.org
    --auto-key-locate wkd,keyserver --locate-keys {{ item }}
  with_items: "{{ dbscripts_pgp_emails }}"
  register: gpg
  changed_when: gpg.rc == 0

# One dbscripts checkout per repository, pinned to dbscripts_commit.
# verify_commit makes the git module refuse a checkout whose commit signature
# does not verify against the keys imported by the previous task.
- name: clone dbscripts git repo
  git:
    repo: https://github.com/archlinux/dbscripts.git
    dest: "/srv/repos/{{ item }}/dbscripts"
    version: "{{ dbscripts_commit }}"
    update: "{{ dbscripts_update }}"
    verify_commit: true
  with_items:
    - svn-community
    - svn-packages

- name: make /srv/svn
  file:
    path: /srv/svn
    state: directory
    owner: root
    group: root
    mode: "0755"

# Well-known paths used by svnserve (/srv/svn/*) and by the packaging tools
# (/community, /packages) pointing at the per-repo trees under /srv/repos.
- name: symlink svn and dbscripts trees to their canonical paths
  file:
    path: "{{ item.path }}"
    src: "{{ item.src }}"
    state: link
    owner: root
    group: root
    mode: "0755"
  with_items:
    - { path: /srv/svn/community, src: /srv/repos/svn-community/svn }
    - { path: /srv/svn/packages, src: /srv/repos/svn-packages/svn }
    - { path: /community, src: /srv/repos/svn-community/dbscripts }
    - { path: /packages, src: /srv/repos/svn-packages/dbscripts }

- name: put rsyncd.conf into tmpfiles
  copy:
    src: rsyncd-tmpfiles.d
    dest: /etc/tmpfiles.d/rsyncd.conf
    owner: root
    group: root
    mode: "0644"
  register: rsyncdtmpfiles

# Apply the new tmpfiles entry right away instead of waiting for the next boot.
- name: use tmpfiles.d/rsyncd.conf
  command: systemd-tmpfiles --create
  when: rsyncdtmpfiles.changed

# Generator for the mirror rsyncd.conf. The directory and the script are
# root-only (0700).
- name: create rsyncd-conf-genscripts
  file:
    path: /etc/rsyncd-conf-genscripts
    state: directory
    owner: root
    group: root
    mode: "0700"

- name: install rsync.conf.proto
  template:
    src: rsyncd.conf.proto.j2
    dest: /etc/rsyncd-conf-genscripts/rsyncd.conf.proto
    owner: root
    group: root
    mode: "0644"

- name: configure gen_rsyncd.conf.pl
  template:
    src: gen_rsyncd.conf.pl
    dest: /etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl
    owner: root
    group: root
    mode: "0700"
  # Keeps the rendered script (and its diff) out of the play log; presumably
  # it embeds credentials — keep no_log when editing this task.
  no_log: true

# Runs unconditionally; "changed" whenever the generator exits 0.
- name: generate mirror config
  command: /etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl
  register: gen_rsyncd
  changed_when: gen_rsyncd.rc == 0

- name: install svnlog
  copy:
    src: svnlog
    dest: /usr/local/bin/svnlog
    owner: root
    group: root
    mode: "0755"

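# Service account that mirrors the svn repos into git. The generated 4096-bit
# key pair in /srv/svntogit/.ssh is what authenticates the pushes to GitHub
# further down; its public half has to be registered there out of band.
- name: add arch-svntogit user
  user:
    name: svntogit
    shell: /sbin/nologin
    home: /srv/svntogit
    generate_ssh_key: true
    ssh_key_bits: 4096

# Identity used for the commits svntogit creates. The previous `command`
# form passed a stray "=" argument (so git never set the intended value) and
# wrote the e-mail into user.name; git_config sets both keys idempotently.
- name: configure svntogit git user name
  git_config:
    name: user.name
    scope: global
    value: svntogit
  become: true
  become_user: svntogit

- name: configure svntogit git user email
  git_config:
    name: user.email
    scope: global
    value: svntogit@repos.archlinux.org
  become: true
  become_user: svntogit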

# Despite the task name this is a plain copy, not a template.
- name: template arch-svntogit
  copy:
    src: update-repos.sh
    dest: /srv/svntogit/update-repos.sh
    owner: root
    group: root
    mode: "0755"

- name: create svntogit repos subdir
  file:
    path: /srv/svntogit/repos
    state: directory
    owner: svntogit
    group: svntogit
    mode: "0775"

# Initial git-svn import of each local svn repository; `creates` makes this a
# one-shot. Runs as svntogit so the resulting checkout is owned by it.
- name: clone git-svn repos
  command: >-
    git svn clone file:///srv/repos/svn-{{ item }}/svn
    /srv/svntogit/repos/{{ item }}
  args:
    creates: "/srv/svntogit/repos/{{ item }}"
  with_items:
    - community
    - packages
  become: true
  become_user: svntogit
  tags:
    - skip_ansible_lint

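# Register the GitHub mirror as remote "public". `git remote add` fails with
# "already exists" on every run after the first; only that outcome is
# tolerated — the old ignore_errors also hid genuine failures (missing
# checkout, permission problems), which then surfaced later as confusing
# pull/push errors.
- name: add svntogit public remotes
  command: "git remote add public git@github.com:archlinux/svntogit-{{ item }}.git"
  args:
    chdir: "/srv/svntogit/repos/{{ item }}"
  with_items:
    - community
    - packages
  become: true
  become_user: svntogit
  register: git_public_remote
  failed_when: "git_public_remote.rc != 0 and 'already exists' not in git_public_remote.stderr"
  changed_when: git_public_remote.rc == 0
  tags:
    - skip_ansible_lint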

  # The first pull also seeds the local mirror with the published history
  # when the repo is set up; afterwards it keeps the checkout in sync.
  # NOTE(review): pull/push go to github.com over SSH as svntogit, so that
  # host's key must already be in svntogit's known_hosts — nothing in this
  # file manages it; confirm it is handled elsewhere.
- name: configure svntogit pull upstream branch
  command: git pull public master
  args:
    chdir: "/srv/svntogit/repos/{{ item }}"
  with_items:
    - community
    - packages
  become: true
  become_user: svntogit
  register: git_pull_upstream
  changed_when: git_pull_upstream.rc == 0
  tags:
    - skip_ansible_lint

# Sets the upstream tracking branch (-u) while pushing.
- name: configure svntogit push upstream branch
  command: git push -u public master
  args:
    chdir: "/srv/svntogit/repos/{{ item }}"
  with_items:
    - community
    - packages
  become: true
  become_user: svntogit
  register: git_push_master
  changed_when: git_push_master.rc == 0
  tags:
    - skip_ansible_lint

# The user module created the home as root; hand it to svntogit.
- name: fix svntogit home permissions
  file:
    path: /srv/svntogit
    state: directory
    owner: svntogit
    group: svntogit
    mode: "0775"

- name: install repo helpers
  copy:
    src: "{{ item }}"
    dest: "/usr/local/bin/{{ item }}"
    owner: root
    group: root
    mode: "0755"
  with_items:
    - lsrepo
    - checklib32

# Socket-activated rsyncd; the daemon itself starts on first connection.
- name: start and enable rsync
  service:
    name: rsyncd.socket
    state: started
    enabled: true

- name: open firewall holes for rsync
  firewalld:
    service: rsyncd
    state: enabled
    permanent: true
    immediate: true
  when: configure_firewall
  tags:
    - firewall

# svnserve is started read-only (-R) rooted at /srv/svn, i.e. the svn://
# endpoint only serves the repositories; writes are not possible through it.
- name: configure svnserve
  copy:
    dest: /etc/conf.d/svnserve
    content: "SVNSERVE_ARGS=-R -r /srv/svn\n"
    owner: root
    group: root
    mode: "0644"

- name: start and enable svnserve
  service:
    name: svnserve
    state: started
    enabled: true

- name: open firewall holes for svnserve
  firewalld:
    port: 3690/tcp
    state: enabled
    permanent: true
    immediate: true
  when: configure_firewall
  tags:
    - firewall

# Timer/service pairs for the periodic jobs; a daemon-reload is triggered
# whenever any unit file changes.
- name: install systemd timers
  copy:
    src: "{{ item }}"
    dest: "/etc/systemd/system/{{ item }}"
    owner: root
    group: root
    mode: "0644"
  with_items:
    - cleanup.timer
    - cleanup.service
    - sourceballs.timer
    - sourceballs.service
    - lastsync.timer
    - lastsync.service
    - gen_rsyncd.timer
    - gen_rsyncd.service
    - arch-svntogit.timer
    - arch-svntogit.service
  notify:
    - daemon reload

- name: activate systemd timers
  service: name={{ item }} enabled=yes state=started
  with_items:
    - cleanup.timer
    - sourceballs.timer
    - lastsync.timer
    - gen_rsyncd.timer
    - arch-svntogit.timer