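---
# Tasks deploying the security tracker: a Python/Flask checkout owned by the
# `security` user, served as a uwsgi vassal behind nginx, with a systemd timer
# (security-tracker-update.timer) driving updates.
#
# Module arguments are written as block YAML rather than key=value strings.
# Every file mode is a quoted string ("0644") so it is passed to Ansible as an
# octal string and never parsed as a decimal integer.

- name: run maintenance mode
  include_role:
    name: maintenance
  vars:
    service_name: "security tracker"
    service_domain: "{{ security_tracker_domain }}"
    service_alternate_domains: []
    service_nginx_conf: "{{ security_tracker_nginx_conf }}"
  when: maintenance is defined

- name: install packages
  pacman:
    state: present
    name:
      - git
      - make
      - python
      - python-sqlalchemy1.3
      - python-sqlalchemy-continuum
      - python-flask
      - python-flask-sqlalchemy
      - python-flask-wtf
      - python-flask-login
      - python-flask-talisman
      - python-requests
      - python-flask-migrate
      - python-scrypt
      - python-feedgen
      - python-pytz
      - python-email-validator
      - pyalpm
      - sqlite
      - expac
      - uwsgi-plugin-python

- name: make security user
  user:
    name: security
    # no interactive login for the service account
    shell: /bin/false
    home: "{{ security_tracker_dir }}"
    createhome: false

- name: fix home permissions
  file:
    state: directory
    # owner full access, group http read/traverse, nothing for others
    mode: "0750"
    owner: security
    group: http
    path: "{{ security_tracker_dir }}"

- name: copy security-tracker units
  copy:
    src: "{{ item }}"
    dest: "/etc/systemd/system/{{ item }}"
    owner: root
    group: root
    mode: "0644"
  with_items:
    - security-tracker-update.timer
    - security-tracker-update.service
  notify:
    - daemon reload

- name: disable security-tracker timer
  service:
    name: security-tracker-update.timer
    enabled: false
    state: stopped
  when: maintenance is defined

- name: receive valid signing keys
  # Imports the commit-signing key into the security user's keyring; the
  # clone task below depends on it through verify_commit. The key is requested
  # by its full fingerprint.
  # NOTE(review): the keyserver is given without a URI scheme; pinning
  # hkps://keys.openpgp.org would make the TLS transport explicit — confirm
  # against the gpg/dirmngr version on the host before changing the command.
  become: true
  become_user: security
  command: /usr/bin/gpg --keyserver keys.openpgp.org --recv "{{ item }}"
  with_items:
    - "E240B57E2C4630BA768E2F26FC1B547C8D8172C8"
  register: gpg
  # a key fetch has no idempotent "already present" signal here, so every
  # successful run is reported as changed
  changed_when: "gpg.rc == 0"

- name: clone security-tracker repo
  git:
    repo: https://github.com/archlinux/arch-security-tracker.git
    version: "{{ security_tracker_version }}"
    dest: "{{ security_tracker_dir }}"
    # discard local modifications in the checkout on every run
    force: true
    # refuse a checkout whose commit is not signed by a key in the keyring
    # populated by the previous task
    verify_commit: true
  become: true
  become_user: security
  register: release
  notify:
    - post security-tracker deploy

- name: run initial setup
  become: true
  become_user: security
  command: /usr/bin/make
  args:
    chdir: "{{ security_tracker_dir }}"
    # glob checked after chdir; quoted because a bare `*` is a YAML alias sigil
    creates: "*.db"

- name: restrict database permissions
  file:
    mode: "0640"
    owner: security
    group: security
    path: "{{ security_tracker_dir }}/tracker.db"

- name: create ssl cert
  include_role:
    name: certificate
  vars:
    domains: ["{{ security_tracker_domain }}"]

- name: set up nginx
  template:
    src: nginx.d.conf.j2
    dest: "{{ security_tracker_nginx_conf }}"
    owner: root
    group: root
    # previously written as mode=644 (no leading zero); "0644" matches the
    # rest of the file and cannot be misread as decimal 644
    mode: "0644"
  notify:
    - reload nginx
  when: maintenance is not defined
  tags: ['nginx']

- name: make nginx log dir
  file:
    path: "/var/log/nginx/{{ security_tracker_domain }}"
    state: directory
    owner: root
    group: root
    mode: "0755"

- name: configure security-tracker
  template:
    src: 20-user.local.conf.j2
    dest: "{{ security_tracker_dir }}/config/20-user.local.conf"
    owner: security
    group: security
    # group-readable only; the rendered config is not world-readable
    mode: "0640"

- name: deploy security-tracker
  template:
    src: security-tracker.ini.j2
    dest: /etc/uwsgi/vassals/security-tracker.ini
    owner: security
    group: http
    mode: "0644"

- name: deploy new release
  # Touches the vassal file after a changed checkout (presumably so uwsgi
  # reloads the application — confirm against the uwsgi setup). This runs as
  # the unprivileged security user, so the ownership must stay security:http
  # as set by "deploy security-tracker" above; the earlier owner=root
  # group=root would require a chown that a non-root user cannot perform.
  become: true
  become_user: security
  file:
    path: /etc/uwsgi/vassals/security-tracker.ini
    state: touch
    owner: security
    group: http
    mode: "0644"
  when: release.changed

- name: start and enable security-tracker timer
  systemd:
    name: security-tracker-update.timer
    enabled: true
    state: started
    daemon_reload: true
  when: maintenance is not defined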