archweb: add planet functionality related service/timers

playbooks/apollo.yml

@@ -43,7 +43,7 @@
     - { role: uwsgi, tags: ['uwsgi'] }
     - { role: php-fpm, php_extensions: ['bcmath', 'curl', 'gd', 'iconv', 'intl', 'mysqli', 'pdo_pgsql', 'pgsql', 'sockets', 'zip'], zend_extensions: ['opcache'], tags: ["php-fpm"] }
     - { role: memcached, tags: ['memcached'] }
-    - { role: archweb, tags: ["archweb"] }
+    - { role: archweb, archweb_planet: true, tags: ["archweb"] }
     - role: security_tracker
       security_tracker_domain: "security.archlinux.org"
       security_tracker_nginx_conf: '/etc/nginx/nginx.d/security-tracker.conf'

roles/archweb/tasks/main.yml

@@ -165,6 +165,18 @@
     - daemon reload
   when: archweb_services or archweb_populate_signoffs
 
+- name: install planet service
+  template: src="archweb-planet.service.j2" dest="/etc/systemd/system/archweb-planet.service" owner=root group=root mode=0644
+  notify:
+    - daemon reload
+  when: archweb_planet
+
+- name: install planet timer
+  template: src="archweb-planet.timer.j2" dest="/etc/systemd/system/archweb-planet.timer" owner=root group=root mode=0644
+  notify:
+    - daemon reload
+  when: archweb_planet
+
 - name: install pgp_import service
   template: src="archweb-pgp_import.service.j2" dest="/etc/systemd/system/archweb-pgp_import.service" owner=root group=root mode=0644
   notify:
@@ -273,6 +285,10 @@
   service: name="archweb-populate_signoffs.timer" enabled=yes state=started
   when: archweb_services or archweb_populate_signoffs
 
+- name: start and enable archweb planet timer
+  service: name="archweb-planet.timer" enabled=yes state=started
+  when: archweb_planet
+
 - name: start and enable archweb donor_import timer
   service: name="archweb-donor_import.timer" enabled=yes state=started
   when: archweb_donor_import|bool

roles/archweb/templates/archweb-planet.service.j2

+[Unit]
+Description=archweb update planet service
+After=network.target
+
+[Service]
+Type=oneshot
+User=archweb
+WorkingDirectory={{ archweb_dir }}
+ExecStart={{ archweb_dir }}/env/bin/python manage.py update_planet -v3
+
+ProtectSystem=full
+PrivateTmp=true
+PrivateDevices=true
+
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+
+NoNewPrivileges=true
+RestrictRealtime=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target

roles/archweb/templates/archweb-planet.timer.j2

+[Unit]
+Description=archweb planet timer
+
+[Timer]
+OnUnitActiveSec=60m
+OnBootSec=15min
+RandomizedDelaySec=1min
+
+[Install]
+WantedBy=timers.target