Showing
with 129 additions and 86 deletions
......@@ -2,7 +2,7 @@ image: "archlinux:latest"
ansible-lint:
before_script:
- pacman -Syu --needed --noconfirm ansible-lint ansible
- pacman -Syu --needed --noconfirm ansible-lint ansible python-jmespath
script:
# Fix weird ansible bug: https://github.com/trailofbits/algo/issues/1637
# This probably happens due to gitlab-runner mounting the git repo into the container
......
......@@ -62,8 +62,8 @@ rspamadm dkim_keygen -s dkim-rsa -b 4096 -d archlinux.org -t rsa -k archlinux.or
the ouput gives you the DNS entries to add to the terraform files.
The keys generated need to go to the vault:
```
roles/rspamd/files/archlinux.org.dkim-rsa.key
roles/rspamd/files/archlinux.org.dkim-ed25519.key
roles/rspamd/files/archlinux.org.dkim-rsa.key.vault
roles/rspamd/files/archlinux.org.dkim-ed25519.key.vault
```
# Gitlab servicedesk
......
- name: Check if /backup exists
stat: path=/backup
register: backup_mountdir
- name: Abort reboot when borg backup is running
meta: end_host
when: backup_mountdir.stat.exists
- name: List build-related processes
command: pgrep -x 'mkarchroot|makechrootpkg|systemd-nspawn'
register: pgrep
ignore_errors: true
- name: Abort reboot with running builds
meta: end_host
when: pgrep is succeeded
- name: List logged on users
command: who
register: who
- name: Abort reboot with logged on users
meta: end_host
when:
- who is changed
- who.stdout_lines|length > 1
- name: Stop arch-svntogit.timer
service: name=arch-svntogit.timer state=stopped
- name: Wait for svntogit to finish
wait_for:
path: /srv/svntogit/update-repos.sh.lock
state: absent
......@@ -13,50 +13,17 @@
meta: end_host
when: pacman_upgrade is not changed
- name: Check for running builds
block:
- name: List build-related processes
command: pgrep -x 'mkarchroot|makechrootpkg|systemd-nspawn'
register: pgrep
ignore_errors: true
- name: Abort reboot with running builds
meta: end_host
when: pgrep is succeeded
when: "'buildservers' in group_names"
- name: Check for active borg backup jobs
block:
- name: Check if /backup exists
stat: path=/backup
register: backup_mountdir
- name: Abort reboot when borg backup is running
meta: end_host
when: backup_mountdir.stat.exists
- name: Run borg client post-upgrade tasks
include_tasks: include/post-upgrade/borg-clients.yml
when: "'borg_clients' in group_names"
- name: Gemini pre-reboot checks
block:
- name: List logged on users
command: who
register: who
- name: Abort reboot with logged on users
meta: end_host
when:
- who is changed
- who.stdout_lines|length > 1
- name: Stop arch-svntogit.timer
service: name=arch-svntogit.timer state=stopped
- name: Check for host-specific post-upgrade tasks
local_action: stat path=include/post-upgrade/{{ inventory_hostname }}.yml
register: post_upgrade_tasks
- name: Wait for svntogit to finish
wait_for:
path: /srv/svntogit/update-repos.sh.lock
state: absent
when: inventory_hostname == "gemini.archlinux.org"
- name: Run host-specific post-upgrade tasks
include_tasks: "{{ post_upgrade_tasks.stat.path }}"
when: post_upgrade_tasks.stat.exists
- name: Reboot
reboot:
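Review bot: The per-host include is discovered with `local_action: stat path=include/post-upgrade/{{ inventory_hostname }}.yml`, a relative path that the stat module resolves against the controller process's current working directory rather than the playbook directory, so running the playbook from any other directory makes `post_upgrade_tasks.stat.exists` false and the host-specific tasks are silently skipped. Anchoring it as `local_action: stat path={{ playbook_dir }}/include/post-upgrade/{{ inventory_hostname }}.yml` keeps the lookup consistent with how `include_tasks` resolves its own relative paths. The build-server check (`pgrep` gated on `'buildservers' in group_names`) is removed here, but no group-keyed include for it appears on the new side of this hunk; if it is meant to come from the per-host files, every build host needs its own copy, and a group-keyed include like the borg one would be less fragile. The play continues outside the hunk.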
......@@ -6,4 +6,4 @@ Type=oneshot
ExecStart=/usr/local/bin/arch-boxes-sync.sh
ProtectSystem=strict
PrivateTmp=true
ReadWritePaths=/srv/ftp/images
ReadWritePaths=/srv/ftp/lastupdate /srv/ftp/images
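Review bot: `ReadWritePaths=/srv/ftp/lastupdate` names a regular file rather than a directory, and under `ProtectSystem=strict` that bind mount can only be set up if the path already exists when the unit starts; if the role does not pre-create it, the first run either fails to start the unit or the sync script's `date +%s > "${LASTUPDATE_PATH}"` fails with a read-only filesystem. Either pre-create the file from the role (a `file: state=touch` task with the right owner) or grant the parent directory and let the script create the file. A short comment on the line, `# regular file, not a directory: must exist before the service starts`, would make the dependency visible.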
......@@ -2,46 +2,72 @@
set -o nounset -o errexit -o pipefail
# https://docs.gitlab.com/ee/api/README.html#namespaced-path-encoding
readonly PROJECT_ID="archlinux%2Farch-boxes"
readonly JOB_NAME="build:secure"
readonly ARCH_BOXES_PATH="/srv/ftp/images"
readonly LASTUPDATE_PATH="/srv/ftp/lastupdate"
readonly MAX_RELEASES="6" # 3 months
RELEASES="$(curl --silent --show-error --fail "https://gitlab.archlinux.org/api/v4/projects/${PROJECT_ID}/releases")"
LATEST_RELEASE_TAG="$(jq -r .[0].tag_name <<< "${RELEASES}")"
PACKAGES="$(curl --silent --show-error --fail "https://gitlab.archlinux.org/api/v4/projects/${PROJECT_ID}/packages?per_page=1&sort=desc")"
LATEST_VERSION="$(jq -r .[0].version <<< "${PACKAGES}")"
if [[ -d ${ARCH_BOXES_PATH}/${LATEST_RELEASE_TAG} ]]; then
if [[ -d ${ARCH_BOXES_PATH}/${LATEST_VERSION} ]]; then
echo "Nothing to do"
exit
fi
echo "Adding release: ${LATEST_RELEASE_TAG}"
# The files aren't uploaded atomic, so avoid missing files by requiring every package to be at least 5 minutes old.
if (( $(date -d "-5 min" +%s) < $(date -d "$(jq -r .[0].created_at <<< "${PACKAGES}")" +%s) )); then
echo "Skipping release: ${LATEST_VERSION}, too new"
exit
fi
echo "Adding release: ${LATEST_VERSION}"
PACKAGE_ID="$(jq -r .[0].id <<< "${PACKAGES}")"
PACKAGE_NAME="$(jq -r .[0].name <<< "${PACKAGES}")"
PACKAGE_FILES="$(curl --silent --show-error --fail "https://gitlab.archlinux.org/api/v4/projects/${PROJECT_ID}/packages/${PACKAGE_ID}/package_files")"
readonly TMPDIR="$(mktemp --directory --tmpdir="/var/tmp")"
trap "rm -rf \"${TMPDIR}\"" EXIT
cd "${TMPDIR}"
readonly HTTP_CODE="$(curl --silent --show-error --fail --output "output.zip" --write-out "%{http_code}" "https://gitlab.archlinux.org/api/v4/projects/${PROJECT_ID}/jobs/artifacts/${LATEST_RELEASE_TAG}/download?job=${JOB_NAME}")"
# The releases are released/tagged and then built, so the artifacts aren't necessarily ready (yet).
if (( HTTP_CODE == 404 )); then
echo "Skipping release: ${LATEST_RELEASE_TAG}, artifacts not ready (404)"
exit
fi
mkdir "${LATEST_VERSION}"
while IFS= read -r FILE; do
FILE_CREATED_AT="$(jq -r .created_at <<< "${FILE}")"
FILE_NAME="$(jq -r .file_name <<< "${FILE}")"
FILE_SHA256="$(jq -r .file_sha256 <<< "${FILE}")"
mkdir "${LATEST_RELEASE_TAG}"
unzip output.zip
# People should download the vagrant images from Vagrant Cloud
rm output/*.box{,.*}
mv output/* "${LATEST_RELEASE_TAG}"
# People should download the vagrant images from Vagrant Cloud
if [[ $FILE_NAME =~ .*\.box(|\..*)$ ]]; then
continue
fi
for FILE in "${LATEST_RELEASE_TAG}"/*; do
if [[ $FILE == *${LATEST_RELEASE_TAG:1}* ]]; then
FILE="${FILE##*/}"
ln -s "${FILE}" "${LATEST_RELEASE_TAG}/${FILE//-${LATEST_RELEASE_TAG:1}}"
curl --silent --show-error --fail --output "${LATEST_VERSION}/${FILE_NAME}" "https://gitlab.archlinux.org/api/v4/projects/${PROJECT_ID}/packages/generic/${PACKAGE_NAME}/${LATEST_VERSION}/${FILE_NAME}"
sha256sum --quiet -c <<< "${FILE_SHA256} ${LATEST_VERSION}/${FILE_NAME}"
touch --no-create --date="@$(date -d "${FILE_CREATED_AT}" +%s)" "${LATEST_VERSION}/${FILE_NAME}"
done < <(jq -c .[] <<< "${PACKAGE_FILES}")
for FILE in "${LATEST_VERSION}"/*; do
if [[ $FILE == *${LATEST_VERSION:1}* ]]; then
DEST="${FILE//-${LATEST_VERSION:1}}"
if [[ $FILE =~ .*\.SHA256$ ]]; then
sed "s/-${LATEST_VERSION:1}//" "${FILE}" > "${DEST}"
touch --no-create --reference="${FILE}" "${DEST}"
# Don't create a symlink for the .SHA256.sig file, as we break the signature by fixing the checksum file.
elif [[ $FILE =~ .*\.SHA256.sig$ ]]; then
continue
else
SYMLINK="${FILE##*/}"
ln -s "${SYMLINK}" "${DEST}"
touch --no-create --reference="${FILE}" --no-dereference "${DEST}"
fi
fi
done
mv "${LATEST_RELEASE_TAG}" "${ARCH_BOXES_PATH}/"
ln -nsf "${LATEST_RELEASE_TAG}" "${ARCH_BOXES_PATH}/latest"
mv "${LATEST_VERSION}" "${ARCH_BOXES_PATH}/"
ln -nsf "${LATEST_VERSION}" "${ARCH_BOXES_PATH}/latest"
echo "Removing old releases"
cd "${ARCH_BOXES_PATH}"
comm --output-delimiter="" -3 <({ ls | grep -v latest | sort -r | head -n "${MAX_RELEASES}"; echo latest; } | sort) <(ls | sort) | tr -d '\0' | xargs --no-run-if-empty rm -rvf
date +%s > "${LASTUPDATE_PATH}"
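Review bot: `LATEST_VERSION` and `FILE_NAME` are taken straight from the API JSON and used unvalidated to build filesystem paths (`mkdir "${LATEST_VERSION}"`, `curl --output "${LATEST_VERSION}/${FILE_NAME}"`, and the final `mv` into `${ARCH_BOXES_PATH}`), so a value containing `/` or `..` would write outside the release directory, and an empty package list yields the literal string `null` from `jq -r`, which passes the `-d` check and creates a bogus `null` release. A guard after each value is read keeps the script inside its own tree; see the excerpt below. The `sha256sum -c` step only proves the download matches the hash the same API reported, so it catches transfer corruption but is not a signature check, and the `.SHA256.sig` files are passed through unverified — a one-line comment above `sha256sum` saying so would save the next reader a question. The shebang on line 1 lies outside the hunk.
```shell
LATEST_VERSION="$(jq -r .[0].version <<< "${PACKAGES}")"
# Reject values that would escape the release directory or that come from an empty package list.
if [[ -z ${LATEST_VERSION} || ${LATEST_VERSION} == null || ${LATEST_VERSION} == */* || ${LATEST_VERSION} == .* ]]; then
    echo "Unexpected package version: '${LATEST_VERSION}'" >&2
    exit 1
fi
# … unchanged: existing-release check, age check, package file listing, tmpdir setup …
    FILE_NAME="$(jq -r .file_name <<< "${FILE}")"
    if [[ ${FILE_NAME} == */* || ${FILE_NAME} == .* ]]; then
        echo "Skipping unexpected file name: '${FILE_NAME}'" >&2
        continue
    fi
# … unchanged: .box filter, download, checksum, timestamp, symlink creation …
```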
......@@ -8,7 +8,7 @@
with_dict: "{{ arch_users }}"
- name: Create Arch Linux-specific users
user:
ansible.builtin.user:
name: "{{ item.key }}"
group: users
groups: "{{ item.value.groups | join(',') }}"
......
......@@ -20,28 +20,28 @@
- name: Set archweb groups
user: name=archweb groups=uwsgi
when: archweb_site|bool
when: archweb_site | bool
- name: Create ssl cert
include_role:
name: certificate
vars:
domains: "{{ [archweb_domain] + archweb_alternate_domains }}"
when: archweb_site|bool and maintenance is not defined
when: archweb_site | bool and maintenance is not defined
- name: Set up nginx
template: src=nginx.d.conf.j2 dest="{{ archweb_nginx_conf }}" owner=root group=root mode=644
notify: Reload nginx
when: archweb_site|bool and maintenance is not defined
when: archweb_site | bool and maintenance is not defined
tags: ['nginx']
- name: Make nginx log dir
file: path=/var/log/nginx/{{ archweb_domain }} state=directory owner=root group=root mode=0755
when: archweb_site|bool
when: archweb_site | bool
- name: Make rsync iso dir
file: path={{ archweb_rsync_iso_dir }} state=directory owner=archweb group=archweb mode=0755
when: archweb_site|bool
when: archweb_site | bool
- name: Clone archweb repo
git: >
......@@ -67,7 +67,7 @@
- name: Create media dir
file: state=directory owner=archweb group=archweb mode=0755 path="{{ archweb_dir }}/media"
when: archweb_site|bool
when: archweb_site | bool
- name: Fix home permissions
file: state=directory owner=archweb group=archweb mode=0755 path="{{ archweb_dir }}"
......@@ -211,7 +211,7 @@
template: src="archweb-memcached.service.j2" dest="/etc/systemd/system/archweb-memcached.service" owner=root group=root mode=0644
notify:
- Daemon reload
when: archweb_site|bool
when: archweb_site | bool
- name: Install archweb rsync iso service and timer
template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
......@@ -220,11 +220,11 @@
- archweb-rsync_iso.timer
notify:
- Daemon reload
when: archweb_site|bool
when: archweb_site | bool
- name: Deploy archweb
template: src=archweb.ini.j2 dest=/etc/uwsgi/vassals/archweb.ini owner=archweb group=http mode=0640
when: archweb_site|bool
when: archweb_site | bool
- name: Deploy new release
file: path=/etc/uwsgi/vassals/archweb.ini state=touch owner=archweb group=http mode=0640
......@@ -240,7 +240,7 @@
with_items:
- archweb-memcached.service
- archweb-rsync_iso.timer
when: archweb_site|bool
when: archweb_site | bool
- name: Start and enable archweb reporead service
service: name="archweb-reporead.service" enabled=yes state=started
......@@ -288,7 +288,7 @@
- name: Create retro dir
file: state=directory owner=archweb group=archweb mode=0755 path="{{ archweb_retro_dir }}"
when: archweb_site|bool
when: archweb_site | bool
- name: Clone archweb-retro repo
git:
......@@ -297,4 +297,4 @@
version: "{{ archweb_retro_commit_hash }}"
become: true
become_user: archweb
when: archweb_site|bool
when: archweb_site | bool
galaxy_info:
description: archwiki role
standalone: false
dependencies:
- role: nginx
......@@ -33,7 +33,7 @@
file: path={{ aur_user.home }}/.ssh state=directory owner={{ aur_user.name }} group={{ aur_user.name }} mode=0700
- name: Install SSH key for mirroring to GitHub
copy: src=id_ed25519 dest={{ aur_user.home }}/.ssh/ owner={{ aur_user.name }} group={{ aur_user.name }} mode=0600
copy: src=id_ed25519.vault dest={{ aur_user.home }}/.ssh/id_ed25519 owner={{ aur_user.name }} group={{ aur_user.name }} mode=0600
- name: Fetch host keys for github.com
command: ssh-keyscan github.com
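Review bot: The private key now comes from `id_ed25519.vault`, which the `copy` module decrypts transparently before writing it to `dest`, so a `--diff` or check-mode run can print the decrypted key material on the controller's terminal or in job logs; adding `no_log: true` (and `diff: false` if plays run with diff enabled) to this task keeps it out of output, matching how the authorized_keys task elsewhere in this change is handled. `mode=0600` on the destination is right and the `.ssh` directory task above already sets `0700`.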
......
......@@ -6,6 +6,7 @@ RuntimeDirectory={{ aurweb_prom_dir }}
Environment=PROMETHEUS_MULTIPROC_DIR=/run/{{ aurweb_prom_dir }}
User={{ aurweb_user }}
WorkingDirectory={{ aurweb_dir }}
LimitNOFILE=2048
ExecStart=/usr/bin/poetry run gunicorn \
--log-config {{ aurweb_dir }}/logging.conf \
--bind {{ aurweb_asgi_bind }} \
......
......@@ -2,7 +2,7 @@
pacman: name=borg state=present
- name: Create borg user
user:
ansible.builtin.user:
name: borg
home: "{{ backup_dir }}"
......
......@@ -39,7 +39,7 @@
- nginx
- name: Create Arch Linux-specific users
user:
ansible.builtin.user:
name: "{{ item.key }}"
group: users
groups: "{{ item.value.groups | join(',') }}"
......
galaxy_info:
description: geo_dns role
standalone: false
dependencies:
- role: geoipupdate
vars:
......
......@@ -32,7 +32,7 @@ arch-chroot mnt pacman-key --populate
# shellcheck disable=SC2016
printf 'Server = https://geo.mirror.pkgbuild.com/$repo/os/$arch' > mnt/etc/pacman.d/mirrorlist
arch-chroot mnt systemctl disable reflector-init
arch-chroot mnt systemctl disable reflector-init systemd-time-wait-sync
arch-chroot mnt pacman -Sy --noconfirm --needed archlinux-keyring
arch-chroot mnt pacman -Syu --noconfirm --needed git git-lfs gitlab-runner
sed -E 's/^#(IgnorePkg *=)/\1 linux/' -i mnt/etc/pacman.conf
......
......@@ -478,6 +478,9 @@ hide_version = true
;allowed_domains =
;team_ids =
;allowed_organizations =
;role_attribute_path =
;role_attribute_strict = false
;allow_assign_grafana_admin = false
#################################### GitLab Auth #########################
[auth.gitlab]
......@@ -491,6 +494,9 @@ hide_version = true
;api_url = https://gitlab.com/api/v4
;allowed_domains =
;allowed_groups =
;role_attribute_path =
;role_attribute_strict = false
;allow_assign_grafana_admin = false
#################################### Google Auth ##########################
[auth.google]
......@@ -527,6 +533,7 @@ hide_version = true
;allowed_domains =
;allowed_groups =
;role_attribute_strict = false
;allow_assign_grafana_admin = false
#################################### Okta OAuth #######################
[auth.okta]
......@@ -543,6 +550,7 @@ hide_version = true
;allowed_groups =
;role_attribute_path =
;role_attribute_strict = false
;allow_assign_grafana_admin = false
{% if not grafana_anonymous_access %}
#################################### Generic OAuth ##########################
......@@ -576,6 +584,7 @@ role_attribute_strict = true
;tls_client_ca =
;use_pkce = false
;auth_style =
;allow_assign_grafana_admin = false
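Review bot: Every added `;allow_assign_grafana_admin = false` line is a commented-out entry, so none of them changes the effective configuration; they only document the upstream default. That is fine as documentation, but if the intent is to guarantee the setting stays off for the Generic OAuth provider — which appears to be the only active section here, given the uncommented `role_attribute_strict = true` in its hunk header — set it explicitly as `allow_assign_grafana_admin = false` there instead of relying on the default. The same consideration applies to the other four sections touched in this file.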
{% endif %}
#################################### Basic Auth ##########################
......
......@@ -31,7 +31,7 @@
register: tempfile
- name: Fill tempfile
copy: content="{{ lookup('template', 'authorized_keys.j2') }}" dest="{{ tempfile.path }}" mode=preserve
template: src=authorized_keys.j2 dest={{ tempfile.path }} mode=preserve
no_log: true
- name: Upload authorized_keys for Arch DevOps
......@@ -83,7 +83,7 @@
- name: Update list of sub-accounts
set_fact:
subaccounts: "{{ subaccounts + [item.json.subaccount | combine({'comment':item.invocation.module_args.body.comment})] }}"
subaccounts: "{{ subaccounts + [item.json.subaccount | combine({'comment': item.invocation.module_args.body.comment})] }}"
loop: "{{ new_subaccounts_raw.results }}"
loop_control:
label: "{{ item.invocation.module_args.body.comment }}"
......