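---
# Tasks for deploying the arch-security-tracker web application.
# Expects the caller to define `security_tracker_dir` (checkout directory,
# also the home of the `security` user) and `security_tracker_domain`
# (used for the nginx log directory).

- name: install packages
  pacman:
    name: "{{ item }}"
    state: present
  with_items:
    - git
    - python
    - python-sqlalchemy
    - python-flask
    - python-flask-sqlalchemy
    - python-flask-wtf
    - python-flask-login
    - python-flask-talisman
    - python-requests
    - python-scrypt
    - pyalpm
    - sqlite
    - expac
    - uwsgi-plugin-python

# Dedicated unprivileged service account: no login shell, home is the checkout
# directory, which is created by the tasks below rather than by useradd.
- name: make security user
  user:
    name: security
    shell: /bin/false
    home: "{{ security_tracker_dir }}"
    createhome: false

- name: fix home permissions
  file:
    state: directory
    owner: security
    group: security
    path: "{{ security_tracker_dir }}"

# Pinned to a specific commit so a deploy is reproducible and never silently
# picks up new upstream changes; bump `version` deliberately to release.
# The result is registered so a changed checkout can trigger a reload below.
- name: clone security-tracker repo
  git:
    repo: https://github.com/archlinux/arch-security-tracker.git
    version: "329112aebb31804cbc6d7651d2d333cda75a4efc"
    dest: "{{ security_tracker_dir }}"
  become: true
  become_user: security
  register: release

# Runs as the service account so generated files are owned by it.
# `creates` is a glob: the setup is skipped once any *.db file exists.
- name: run initial setup
  become: true
  become_user: security
  command: /usr/bin/make
  args:
    chdir: "{{ security_tracker_dir }}"
    creates: "*.db"

# Re-applied after the clone and setup steps, as in the original ordering.
- name: fix home permissions
  file:
    state: directory
    owner: security
    group: security
    path: "{{ security_tracker_dir }}"

- name: set up nginx
  template:
    src: nginx.d.conf.j2
    dest: /etc/nginx/nginx.d/security-tracker.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - reload nginx
  tags: [nginx]

- name: make nginx log dir
  file:
    path: "/var/log/nginx/{{ security_tracker_domain }}"
    state: directory
    owner: root
    group: root
    mode: "0755"

- name: copy security-tracker units
  copy:
    src: "{{ item }}"
    dest: "/etc/systemd/system/{{ item }}"
    owner: root
    group: root
    mode: "0644"
  with_items:
    - security-tracker-update.timer
    - security-tracker-update.service
  notify:
    - daemon reload

# Local configuration is readable only by the service account and its group.
- name: configure security-tracker
  template:
    src: 20-user.local.conf.j2
    dest: "{{ security_tracker_dir }}/config/20-user.local.conf"
    owner: security
    group: security
    mode: "0640"

- name: deploy security-tracker
  template:
    src: security-tracker.ini.j2
    dest: /etc/uwsgi/vassals/security-tracker.ini
    owner: security
    group: http
    mode: "0644"

# Touches the vassal file only when the checkout changed; presumably this is
# what makes the uwsgi emperor reload the app — confirm against the uwsgi setup.
- name: deploy new release
  become: true
  become_user: security
  file:
    path: /etc/uwsgi/vassals/security-tracker.ini
    state: touch
  when: release.changed

- name: start and enable security-tracker timer
  service:
    name: security-tracker-update.timer
    enabled: true
    state: started

# Plain command, so Ansible reports "changed" on every run; the property
# change itself is presumably persisted by systemctl and safe to repeat.
- name: enable systemd ressource accounting
  command: systemctl set-property security-tracker-update CPUAccounting=yes MemoryAccounting=yes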