roles/quassel: Add quassel core role

69860cda · Jan Alexander Steffens (heftig) · e9fbb88c · 69860cda · 69860cda · 69860cda
Verified Commit 69860cda authored 8 years ago by Jan Alexander Steffens (heftig)
--- a/group_vars/all/postgres.yml
+++ b/group_vars/all/postgres.yml
 $ANSIBLE_VAULT;1.1;AES256
-35326537366663376136373363653536633264376661306131393766626630383036386634653335
-3632653431353134353236666163326364616465643662300a353761333933363738623561353333
-39383537373232313931303137326333663364363631633465623663626165386138343864353562
-3963343266393437650a643739373531343833336231376139633665613265313432356133623635
-64343262653361363465613766376638323138316561323738313235663661333831306334366438
-64616230623334333836333231363362633362626535656462386366666239346263343436383732
-30333134306131353031656233376335373430333032366365656364633235343066313132663232
-38613335343037613234623537353736353465343763623861343961626538326137643638353238
-63646335623463363336613938616639376263663765353939616461633032373564386132326531
-3939383638323166386661356634613066626466646437326337
+38366233306531663265333439663064393934303134316437626564646233663139313233653463
+3364616531313130316633653163653761626562633064330a643234636263336238666265353065
+37656338643565643930646534653565346531656437333039643333623566653962366262303733
+6138616366346335620a376237613633663836643038373937653738356232353337383861333736
+38336133646230313339393231396563383338646261623664323433373361396665323836643236
+63343038313763643065353530643932366438666236333665623033616332623139636337356532
+38636435336466323630356439373564373630356538393532623031623439376566643863646166
+37303337613963363661633234376537336661323338633036323738346465653331383336373332
+38636234333434373865363634643164353539383535613538323937393763383062616430336238
+38343731316562336633326533623062363161663164373931356336326130636139636432366638
+32306131323237656332356163653834383365326663333431623136353531653139353839313538
+32343033323734623436663164613235636532653138313738393433336262666235626434646161
+6138
--- a/playbooks/soyuz.yml
+++ b/playbooks/soyuz.yml
@@ -13,3 +13,4 @@
    - { role: nginx, letsencrypt_validation_dir: "/var/lib/letsencrypt", tags: ["nginx"] }
    - { role: sudo, tags: ['sudo', 'archusers'] }
    - { role: postgres, tags: ['postgres'] }
+    - { role: quassel, quassel_domain: "quassel.archlinux.org", tags: ['quassel'] }
--- a/roles/quassel/files/clean-quassel.service
+++ b/roles/quassel/files/clean-quassel.service
+[Unit]
+Description=Clean up Quassel backlog
+Requisite=postgresql.service
+After=postgresql.service
+
+[Service]
+User=quassel
+Group=quassel
+Type=oneshot
+ExecStart=/usr/bin/psql -c "DELETE FROM backlog WHERE time < NOW() - INTERVAL '1 months';"
+ExecStart=/usr/bin/psql -c "CLUSTER backlog USING backlog_bufferid_idx;"
+ExecStart=/usr/bin/psql -c "VACUUM FULL ANALYZE backlog;"
--- a/roles/quassel/files/clean-quassel.timer
+++ b/roles/quassel/files/clean-quassel.timer
+[Unit]
+Description=Daily Quassel cleanup
+
+[Timer]
+OnCalendar=daily
+AccuracySec=24h
+Persistent=true
+
+[Install]
+WantedBy=timers.target
--- a/roles/quassel/files/givemequassel
+++ b/roles/quassel/files/givemequassel
+#!/bin/bash -e
+
+if [[ `/usr/bin/whoami` != quassel ]]; then
+  if [[ -n $BREAK_RECURSION ]]; then
+    echo >&2 "Couldn't become quassel."
+    exit 1
+  fi
+  exec /usr/bin/sudo -u quassel -- env BREAK_RECURSION=1 "$0"
+fi
+
+shopt -s extglob
+export PATH=/usr/bin
+export LC_ALL=C
+
+case $SUDO_USER in
+  (""|root) echo >&2 "You need to run this as the user you want to add."
+    exit 1 ;;
+  (+([a-z])) ;;
+  (*) echo >&2 "Invalid user."
+    exit 1 ;;
+esac
+
+if [[ `users` != *$SUDO_USER* ]]; then
+  echo >&2 "Unknown user."
+  exit 1
+fi
+
+ttyopts=`stty -g`
+trap 'stty $ttyopts' EXIT
+
+stty -echo
+echo >&2 -n "New password for $SUDO_USER's Quassel user: "
+read <&2
+pw="$REPLY"
+echo
+echo >&2 -n "Repeat the password: "
+read <&2
+echo
+if [[ $pw != $REPLY ]]; then
+  echo >&2 "Passwords don't match."
+  exit 1
+fi
+sha1=(`printf %s "$pw" | sha1sum`)
+
+if psql -c "INSERT INTO quasseluser (username, password) VALUES ('$SUDO_USER', '${sha1[0]}')" &>/dev/null; then
+  echo >&2 "Added user '$SUDO_USER'."
+  exit 0
+fi
+
+if psql -c "UPDATE quasseluser SET password = '${sha1[0]}' WHERE username = '$SUDO_USER'" &>/dev/null; then
+  echo >&2 "Updated password for user '$SUDO_USER'."
+  exit 0
+fi
+
+echo >&2 "SQL error."
+exit 1
--- a/roles/quassel/files/givemequassel.sudoers
+++ b/roles/quassel/files/givemequassel.sudoers
+%users ALL = (quassel) NOPASSWD: /usr/local/bin/givemequassel ""
--- a/roles/quassel/files/oidentd.conf
+++ b/roles/quassel/files/oidentd.conf
+user quassel {
+  default {
+    allow spoof
+    allow spoof_all
+  }
+}
--- a/roles/quassel/handlers/main.yml
+++ b/roles/quassel/handlers/main.yml
+---
+
+- name: daemon reload
+  command: systemctl daemon-reload
--- a/roles/quassel/tasks/main.yml
+++ b/roles/quassel/tasks/main.yml
+---
+
+- name: install quassel
+  pacman: name=quassel-core,oidentd,python2-pexpect state=present
+
+- name: add quassel postgres db
+  postgresql_db: db=quassel
+  become: yes
+  become_user: postgres
+  become_method: su
+
+- name: add quassel postgres user
+  postgresql_user: db=quassel name=quassel password={{ postgres_users.quassel }}
+  become: yes
+  become_user: postgres
+  become_method: su
+
+- name: initialize quassel
+  become: yes
+  become_user: quassel
+  become_method: sudo
+  expect:
+    command: quasselcore --configdir=/var/lib/quassel --select-backend=PostgreSQL
+    responses:
+      Username: ''
+      Password:
+        - '{{ postgres_users.quassel }}'
+        - ''
+        - ''
+        - ''
+      Hostname: ''
+      Port: ''
+      Database: ''
+    creates: /var/lib/quassel/quasselcore.conf
+
+- name: install quassel cert renewal hook
+  template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/hook.d/quassel owner=root group=root mode=0755
+
+- name: install quassel units
+  copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
+  with_items:
+    - clean-quassel.timer
+    - clean-quassel.service
+  notify:
+    - daemon reload
+
+- name: add quassel.service.d dir
+  file: state=directory path=/etc/systemd/system/quassel.service.d owner=root group=root mode=0755
+
+- name: install quassel.service snippet
+  template: src=quassel.service.d.j2 dest=/etc/systemd/system/quassel.service.d/local.conf owner=root group=root mode=0644
+
+- name: install givemequassel script
+  copy: src=givemequassel dest=/usr/local/bin/givemequassel owner=root group=root mode=0755
+
+- name: install givemequassel sudoers config
+  copy: src=givemequassel.sudoers dest=/etc/sudoers.d/givemequassel
+
+- name: start and enable quassel
+  service: name={{ item }} enabled=yes state=started
+  with_items:
+    - quassel.service
+    - clean-quassel.timer
--- a/roles/quassel/templates/letsencrypt.hook.d.j2
+++ b/roles/quassel/templates/letsencrypt.hook.d.j2
+#!/bin/sh
+
+test "$1" = renew || exit 0
+
+for domain in $RENEWED_DOMAINS; do
+  case "$domain" in
+    {{ quassel_domain }})
+      systemctl restart quassel
+      ;;
+  esac
+done
--- a/roles/quassel/templates/quassel.service.d.j2
+++ b/roles/quassel/templates/quassel.service.d.j2
+[Service]
+ExecStartPre=/usr/bin/truncate -s 0 /var/lib/quassel/.oidentd.conf
+ExecStart=
+ExecStart=/usr/bin/quasselcore --configdir=/var/lib/quassel --oidentd --syslog --require-ssl \
+    --ssl-cert=/etc/letsencrypt/live/{{ quassel_domain }}/fullchain.pem \
+    --ssl-key=/etc/letsencrypt/live/{{ quassel_domain }}/privkey.pem