/srv/repos/lock is the lock file location configured via a dbscripts
config. Only accessible for users in junior-packager group, a lot better
would be if sourceballs could write a lock file into
/run/sourceballs.lck as it is unrelated to /srv/repos.

Robin Candau authored 3 months ago and Robin Candau committed 3 months ago

See https://github.com/ansible/ansible/pull/77644

This seems to be a leftover from the migration of our packager roles.
All packagers should be able to upload sources to our packages
directory, hence change the permissions from the junior-dev group to the
junior-packager group.

Fixes #637

It is unclear why this was added, as we can just use the default lock
file path (/var/run/rsyncd.lock). Using a non-default path was not added
in the offending commit, but remove it in this revert commit
nevertheless, so the commit can be reverted.

This reverts commit e4e07516.

This is already done for the 'sudo' role, but we also have a few more
sudoers files which currently go in unverified.

Signed-off-by: Christian Heusel <christian@heusel.eu>

Jelle van der Waa authored 1 year ago and Jelle van der Waa committed 1 year ago

Nginx does not directly support cgi scripts so we rely on fcgiwrap. All
git repositories under /srv/repos are exported if they have a special
git-daemon-export-ok file in their .git directory.

Jelle van der Waa authored 1 year ago and Jelle van der Waa committed 1 year ago

This drops all svn specific functionality and switches to dbscripts git
version. Drops the community repository as it's merged into extra.

Jelle van der Waa authored 1 year ago and Levente Polyak committed 1 year ago

Signed-off-by: Levente Polyak <anthraxx@archlinux.org>

Liberally add "noqa no-changed-when" tags to the problematic tasks,
except for two "systemd-tmpfiles --create" calls. For these we can
simply include the creates= parameter in the command module's call.

3690/tcp -> svn

Seems ansible-lint thinks a task calling the unqualified user module is
"not valid under any of the given schemas (schema[tasks])".

Fixes: 26f289b7 ("Capitalize the first letter of all task names")

This might be a bug in ansible-lint 6.5.0, but it appears to ignore all
our 'skip_ansible_lint' tags. Fix this by replacing them with noqa tags.

ansible-lint 6.5.0 complains about:

  name: All names should start with an
        uppercase letter. (name[casing])

These are used to signal the start of the document in a stream of many
documents. As Ansible only supports one YAML document per file this is
unnecessary. About a third of our YAML documents already lacked these.

As reported by ansible-lint 6.2.1:

schema: [{'PYTHONPATH': '.'}] is not of type 'object' (schema[tasks])
roles/aurweb/tasks/main.yml:1

schema: [{'SHELL': '/bin/bash'}] is not of type 'object' (schema[tasks])
roles/dbscripts/tasks/main.yml:1

- group_vars/all/vault_mariadb.yml: remove 'zabbix' database user
- misc/vaults/additional-credentials.vault: remove zabbix irc bot
- roles/dbscripts/tasks/main.yml: drop unused tier0 mirror access

The upstream branch is set by the earlier "git pull --set-upstream".

The default login shell for the svntogit user (/sbin/nologin) breaks
the Match Exec directives in /srv/svntogit/.ssh/config and prohibits
Git from using the correct SSH key.

While we're at it, add --set-upstream to the git pull command so the
task is more likely to accomplish its intended purpose.

yaml: truthy value should be one of [false, true] (truthy)
yaml: wrong indentation: expected 4 but found 2 (indentation)
yaml: too few spaces before comment (comments)
yaml: missing starting space in comment (comments)
yaml: too many blank lines (1 > 0) (empty-lines)
yaml: too many spaces after colon (colons)
yaml: comment not indented like content (comments-indentation)
yaml: no new line character at the end of file (new-line-at-end-of-file)
load-failure: Failed to load or parse file
parser-error: couldn't resolve module/action 'hosts'. This often indicates a misspelling, missing collection, or incorrect module path.

Databases used by sogrep are fetched by syncrepo from gemini, no point
in duplicating this work; consider this to be part of roles/dbscripts.

It should make it easier to change how the certificates is issued.
Ex: If we want to switch to ECDSA certificates in the future or replace
certbot with something else.

Frederik Schwan authored 4 years ago and Sven-Hendrik Haase committed 4 years ago

also use systemd instead of service module