---
# Hand the vhost over to the maintenance role while a maintenance window is
# declared (the "maintenance" variable is defined). The role gets the same
# nginx config path the "set up nginx" task below would otherwise write.
- name: run maintenance mode
  when: maintenance is defined and archweb_site
  include_role:
    name: maintenance
  vars:
    service_name: 'site'
    service_domain: '{{ archweb_domain }}'
    service_alternate_domains: '{{ archweb_alternate_domains }}'
    service_nginx_conf: '{{ archweb_nginx_conf }}'
    service_nginx_template: 'maintenance-nginx.d.conf.j2'

# Distro packages archweb needs at runtime (git checkout, psycopg2, uwsgi
# python plugin); the virtualenv below is created with --system-site-packages
# so these are visible to the app.
- name: install required packages
  pacman:
    state: present
    name:
      - git
      - python-setuptools
      - python-psycopg2
      - llvm-libs
      - uwsgi-plugin-python

# Dedicated unprivileged service account: no login shell, and the home
# directory is not created here (the "fix home permissions" task owns it).
- name: make archweb user
  user:
    name: archweb
    shell: /bin/false
    home: '{{ archweb_dir }}'
    createhome: false

# Create the app/home directory owned by the service user (useradd above is
# told not to create it). World-readable, writable only by archweb.
- name: fix home permissions
  file:
    path: '{{ archweb_dir }}'
    state: directory
    owner: archweb
    group: archweb
    mode: '0755'

# Put archweb in the uwsgi group on site hosts. Note "groups" without
# "append" sets the supplementary group list to exactly this value.
- name: set archweb groups
  when: archweb_site|bool
  user:
    name: archweb
    groups: uwsgi

# TLS certificate covering the primary and all alternate domains. Skipped
# during a maintenance window (see the "run maintenance mode" task).
- name: create ssl cert
  when: archweb_site|bool and maintenance is not defined
  include_role:
    name: certificate
  vars:
    domains: '{{ [archweb_domain] + archweb_alternate_domains }}'

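# nginx vhost for the site. Not written during maintenance, when the
# maintenance role is handed the same archweb_nginx_conf path instead.
- name: set up nginx
  template:
    src: nginx.d.conf.j2
    dest: '{{ archweb_nginx_conf }}'
    owner: root
    group: root
    # Quoted leading-zero octal like every other task in this file. The
    # previous "mode=644" only yielded rw-r--r-- because Ansible parses a
    # bare digit string as octal; as a YAML integer it would be decimal 644.
    mode: '0644'
  notify: reload nginx
  when: archweb_site|bool and maintenance is not defined
  tags:
    - nginx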

# Per-domain nginx log directory, root-owned like the rest of /var/log/nginx.
- name: make nginx log dir
  when: archweb_site|bool
  file:
    path: '/var/log/nginx/{{ archweb_domain }}'
    state: directory
    owner: root
    group: root
    mode: '0755'

# Target directory for the rsync_iso timer (installed further down).
- name: make rsync iso dir
  when: archweb_site|bool
  file:
    path: '{{ archweb_rsync_iso_dir }}'
    state: directory
    owner: archweb
    group: archweb
    mode: '0755'

# Check out the archweb release as the service user. verify_commit makes the
# git module refuse the checkout unless the target commit carries a valid GPG
# signature from a key in gpg_whitelist, so a tampered upstream or mirror
# cannot push unsigned code into the deployment. "release" feeds the
# deploy/restart conditions below.
- name: clone archweb repo
  become: true
  become_user: archweb
  register: release
  git:
    repo: '{{ archweb_repository }}'
    dest: '{{ archweb_dir }}'
    version: '{{ archweb_version }}'
    verify_commit: true
    gpg_whitelist: '{{ archweb_pgp_key }}'

# Create the venv once (creates= makes this idempotent). --system-site-packages
# presumably exists so the distro-installed psycopg2/uwsgi plugin are visible.
- name: make virtualenv
  become: true
  become_user: archweb
  command: python -m venv --system-site-packages "{{ archweb_dir }}/env"
  args:
    creates: '{{ archweb_dir }}/env/bin/python'

# Install the pinned production requirements from the checked-out (and
# signature-verified) repo into the venv. "virtualenv" is one of the change
# signals for migrate/collectstatic/restart below.
- name: install stuff into virtualenv
  become: true
  become_user: archweb
  register: virtualenv
  pip:
    requirements: '{{ archweb_dir }}/requirements_prod.txt'
    virtualenv: '{{ archweb_dir }}/env'

# Django media directory, writable by the app user only.
- name: create media dir
  when: archweb_site|bool
  file:
    path: '{{ archweb_dir }}/media'
    state: directory
    owner: archweb
    group: archweb
    mode: '0755'

# Re-assert ownership/mode of the app directory after the clone and venv
# steps. NOTE(review): identical to the earlier "fix home permissions" task;
# presumably kept to undo anything git/pip changed on the top-level dir —
# confirm whether one of the two can be dropped.
- name: fix home permissions
  file:
    path: '{{ archweb_dir }}'
    state: directory
    owner: archweb
    group: archweb
    mode: '0755'

# Static document root for files served directly (robots.txt below).
- name: make archlinux.org dir
  file:
    path: '{{ archweb_dir }}/archlinux.org'
    state: directory
    owner: archweb
    group: archweb
    mode: '0755'

# Root-owned so the app user cannot modify crawler policy.
- name: configure robots.txt
  copy:
    src: robots.txt
    dest: '{{ archweb_dir }}/archlinux.org/robots.txt'
    owner: root
    group: root
    mode: '0644'

# Render the Django settings file. It is written with no_log and mode 0660
# (readable only by the archweb user/group), which suggests it carries
# credentials; keep it that way. "config" is a change signal for the
# migrate/collectstatic/restart tasks.
- name: configure archweb
  no_log: true
  register: config
  template:
    src: local_settings.py.j2
    dest: '{{ archweb_dir }}/local_settings.py'
    owner: archweb
    group: archweb
    mode: '0660'

# One PostgreSQL role per consumer (site, services, dbscripts, backup), each
# with its own vault-sourced password. no_log covers the whole task so neither
# the module arguments nor the loop items (which contain the passwords) are
# printed. Passwords are stored encrypted server-side.
- name: create archweb db users
  no_log: true
  when: archweb_site or archweb_services
  postgresql_user:
    name: '{{ item.user }}'
    password: '{{ item.password }}'
    encrypted: true
    login_host: '{{ archweb_db_host }}'
    login_password: '{{ vault_postgres_users.postgres }}'
  with_items:
    - user: '{{ archweb_db_site_user }}'
      password: '{{ vault_archweb_db_site_password }}'
    - user: '{{ archweb_db_services_user }}'
      password: '{{ vault_archweb_db_services_password }}'
    - user: '{{ archweb_db_dbscripts_user }}'
      password: '{{ vault_archweb_db_dbscripts_password }}'
    - user: '{{ archweb_db_backup_user }}'
      password: '{{ vault_archweb_db_backup_password }}'

# Create the database owned by the site role; the other roles only receive
# explicit grants in the privilege tasks below. "db_created" is a change
# signal for migrate/collectstatic.
- name: create archweb db
  when: archweb_site or archweb_services
  register: db_created
  postgresql_db:
    name: '{{ archweb_db }}'
    owner: '{{ archweb_db_site_user }}'
    login_host: '{{ archweb_db_host }}'
    login_password: '{{ vault_postgres_users.postgres }}'

# Apply schema migrations as the app user, but only when something that can
# change the schema changed (fresh db, new release, settings, venv) or a
# deploy is forced.
- name: django migrate
  become: true
  become_user: archweb
  when: archweb_site and (db_created.changed or release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)
  django_manage:
    command: migrate
    app_path: '{{ archweb_dir }}'
    virtualenv: '{{ archweb_dir }}/env'

# Least-privilege grants, step 1: the secondary roles only get CONNECT on the
# database; read access to tables/sequences is granted object-by-object in
# the next two tasks. Grants are made as the owning site role.
# NOTE(review): unlike "create archweb db users" this task (and the two
# privilege tasks below) has no no_log; it relies on the module masking its
# password argument — confirm that is acceptable for your verbosity level.
- name: db privileges for archweb users
  when: archweb_site or archweb_services
  postgresql_privs:
    database: '{{ archweb_db }}'
    host: '{{ archweb_db_host }}'
    login: '{{ archweb_db_site_user }}'
    password: '{{ vault_archweb_db_site_password }}'
    type: database
    privs: CONNECT
    roles: '{{ item }}'
  with_items:
    - '{{ archweb_db_services_user }}'
    - '{{ archweb_db_dbscripts_user }}'
    - '{{ archweb_db_backup_user }}'

# Least-privilege grants, step 2: read-only (SELECT) on an explicit per-role
# list of tables; the object lists live in the role's variables.
- name: table privileges for archweb users
  when: archweb_site or archweb_services
  postgresql_privs:
    database: '{{ archweb_db }}'
    host: '{{ archweb_db_host }}'
    login: '{{ archweb_db_site_user }}'
    password: '{{ vault_archweb_db_site_password }}'
    type: table
    privs: SELECT
    roles: '{{ item.user }}'
    objs: '{{ item.objs }}'
  with_items:
    - user: '{{ archweb_db_services_user }}'
      objs: '{{ archweb_db_services_table_objs }}'
    - user: '{{ archweb_db_dbscripts_user }}'
      objs: '{{ archweb_db_dbscripts_table_objs }}'
    - user: '{{ archweb_db_backup_user }}'
      objs: '{{ archweb_db_backup_table_objs }}'

# Least-privilege grants, step 3: read-only on the sequences the services and
# backup roles need (dbscripts gets none here).
- name: sequence privileges for archweb users
  when: archweb_site or archweb_services
  postgresql_privs:
    database: '{{ archweb_db }}'
    host: '{{ archweb_db_host }}'
    login: '{{ archweb_db_site_user }}'
    password: '{{ vault_archweb_db_site_password }}'
    type: sequence
    privs: SELECT
    roles: '{{ item.user }}'
    objs: '{{ item.objs }}'
  with_items:
    - user: '{{ archweb_db_services_user }}'
      objs: '{{ archweb_db_services_sequence_objs }}'
    - user: '{{ archweb_db_backup_user }}'
      objs: '{{ archweb_db_backup_sequence_objs }}'

# Collect static assets under the same change conditions as "django migrate".
- name: django collectstatic
  become: true
  become_user: archweb
  when: archweb_site and (db_created.changed or release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)
  django_manage:
    command: collectstatic
    app_path: '{{ archweb_dir }}'
    virtualenv: '{{ archweb_dir }}/env'

# systemd unit for the reporead importer; root-owned, world-readable, and a
# daemon-reload is queued so systemd picks up the new/changed unit.
- name: install reporead service
  when: archweb_services or archweb_reporead
  notify: daemon reload
  template:
    src: archweb-reporead.service.j2
    dest: /etc/systemd/system/archweb-reporead.service
    owner: root
    group: root
    mode: '0644'

# readlinks unit; gated on the reporead flag (no dedicated archweb_readlinks
# variable exists in this file), same as its start/restart tasks below.
- name: install readlinks service
  when: archweb_services or archweb_reporead
  notify: daemon reload
  template:
    src: archweb-readlinks.service.j2
    dest: /etc/systemd/system/archweb-readlinks.service
    owner: root
    group: root
    mode: '0644'

# mirrorcheck oneshot service plus the timer that drives it.
- name: install mirrorcheck service and timer
  when: archweb_services or archweb_mirrorcheck
  notify: daemon reload
  template:
    src: '{{ item }}.j2'
    dest: '/etc/systemd/system/{{ item }}'
    owner: root
    group: root
    mode: '0644'
  with_items:
    - archweb-mirrorcheck.service
    - archweb-mirrorcheck.timer

# mirrorresolv service plus its timer.
- name: install mirrorresolv service and timer
  when: archweb_services or archweb_mirrorresolv
  notify: daemon reload
  template:
    src: '{{ item }}.j2'
    dest: '/etc/systemd/system/{{ item }}'
    owner: root
    group: root
    mode: '0644'
  with_items:
    - archweb-mirrorresolv.service
    - archweb-mirrorresolv.timer

# populate_signoffs service plus its timer.
- name: install populate_signoffs service and timer
  when: archweb_services or archweb_populate_signoffs
  notify: daemon reload
  template:
    src: '{{ item }}.j2'
    dest: '/etc/systemd/system/{{ item }}'
    owner: root
    group: root
    mode: '0644'
  with_items:
    - archweb-populate_signoffs.service
    - archweb-populate_signoffs.timer

# planet (feed aggregation) service plus its timer; has its own flag.
- name: install planet service and timer
  when: archweb_planet
  notify: daemon reload
  template:
    src: '{{ item }}.j2'
    dest: '/etc/systemd/system/{{ item }}'
    owner: root
    group: root
    mode: '0644'
  with_items:
    - archweb-planet.service
    - archweb-planet.timer

# rebuilderd status import service plus its timer; runs on the site host.
- name: install rebuilderd status service and timer
  when: archweb_site
  notify: daemon reload
  template:
    src: '{{ item }}.j2'
    dest: '/etc/systemd/system/{{ item }}'
    owner: root
    group: root
    mode: '0644'
  with_items:
    - archweb-rebuilderd.service
    - archweb-rebuilderd.timer

# pgp_import unit; triggered via the pacman hook installed two tasks below.
- name: install pgp_import service
  when: archweb_services or archweb_pgp_import
  notify: daemon reload
  template:
    src: archweb-pgp_import.service.j2
    dest: /etc/systemd/system/archweb-pgp_import.service
    owner: root
    group: root
    mode: '0644'

# Hook directory for pacman, readable by root only (0750) since hooks run
# with pacman's privileges.
- name: create pacman.d hooks dir
  when: archweb_services or archweb_pgp_import
  file:
    path: /etc/pacman.d/hooks
    state: directory
    owner: root
    group: root
    mode: '0750'

# pacman hook that kicks the pgp_import service (presumably on keyring
# updates — see the template for the trigger).
- name: install pgp_import hook
  when: archweb_services or archweb_pgp_import
  template:
    src: archweb-pgp_import-pacman-hook.j2
    dest: /etc/pacman.d/hooks/archweb-pgp_import.hook
    owner: root
    group: root
    mode: '0644'

# Dedicated memcached instance for the site (started by the systemd task
# further down).
- name: install archweb memcached service
  when: archweb_site|bool
  notify: daemon reload
  template:
    src: archweb-memcached.service.j2
    dest: /etc/systemd/system/archweb-memcached.service
    owner: root
    group: root
    mode: '0644'

# rsync_iso service plus timer (syncs into archweb_rsync_iso_dir).
- name: install archweb rsync iso service and timer
  when: archweb_site|bool
  notify: daemon reload
  template:
    src: '{{ item }}.j2'
    dest: '/etc/systemd/system/{{ item }}'
    owner: root
    group: root
    mode: '0644'
  with_items:
    - archweb-rsync_iso.service
    - archweb-rsync_iso.timer

# uwsgi vassal definition; readable by archweb and the http group only.
- name: deploy archweb
  when: archweb_site|bool
  template:
    src: archweb.ini.j2
    dest: /etc/uwsgi/vassals/archweb.ini
    owner: archweb
    group: http
    mode: '0640'

# Touch the vassal file when code/config/venv changed (or a deploy is forced);
# presumably the uwsgi emperor reloads the app on the mtime change — confirm.
# The memcached restart clears cached pages from the previous release.
- name: deploy new release
  when: archweb_site and (release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)
  notify: restart archweb memcached
  file:
    path: /etc/uwsgi/vassals/archweb.ini
    state: touch
    owner: archweb
    group: http
    mode: '0640'

# Enable and start the site-only units. daemon_reload here does not wait for
# the "daemon reload" handler, so freshly installed units are picked up
# before they are started.
- name: start and enable archweb memcached service and archweb-rsync_iso timer
  when: archweb_site|bool
  systemd:
    name: '{{ item }}'
    daemon_reload: true
    enabled: true
    state: started
  with_items:
    - archweb-memcached.service
    - archweb-rsync_iso.timer

# Ensure reporead is enabled at boot and currently running.
- name: start and enable archweb reporead service
  when: archweb_services or archweb_reporead
  service:
    name: archweb-reporead.service
    enabled: true
    state: started

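# Restart reporead when a new release, settings or venv was deployed (or a
# deploy is forced). The condition is parenthesised because "a or b and (c)"
# binds as "a or (b and c)" in Jinja, which made hosts with archweb_services
# set restart the service on every run regardless of changes. The same fix
# applies to "restart archweb readlinks service" below.
- name: restart archweb reporead service
  when: (archweb_services or archweb_reporead) and (release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)
  service:
    name: archweb-reporead.service
    state: restarted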

# Ensure readlinks is enabled at boot and currently running.
- name: start and enable archweb readlinks service
  when: archweb_services or archweb_reporead
  service:
    name: archweb-readlinks.service
    enabled: true
    state: started

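# Restart readlinks when a new release, settings or venv was deployed (or a
# deploy is forced). Parenthesised for the same reason as the reporead
# restart: without them "archweb_services or ..." short-circuits to true and
# the change check is never consulted on service hosts.
- name: restart archweb readlinks service
  when: (archweb_services or archweb_reporead) and (release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)
  service:
    name: archweb-readlinks.service
    state: restarted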

# Only the timer is enabled; the service is started by it.
- name: start and enable archweb mirrorcheck timer
  when: archweb_services or archweb_mirrorcheck
  service:
    name: archweb-mirrorcheck.timer
    enabled: true
    state: started

# Only the timer is enabled; the service is started by it.
- name: start and enable archweb mirrorresolv timer
  when: archweb_services or archweb_mirrorresolv
  service:
    name: archweb-mirrorresolv.timer
    enabled: true
    state: started

# Only the timer is enabled; the service is started by it.
- name: start and enable archweb populate_signoffs timer
  when: archweb_services or archweb_populate_signoffs
  service:
    name: archweb-populate_signoffs.timer
    enabled: true
    state: started

# Only the timer is enabled; the service is started by it.
- name: start and enable archweb planet timer
  when: archweb_planet
  service:
    name: archweb-planet.timer
    enabled: true
    state: started

# Only the timer is enabled; the service is started by it.
- name: start and enable archweb rebulderd update timer
  when: archweb_site
  service:
    name: archweb-rebuilderd.timer
    enabled: true
    state: started

# Root-owned wrapper that the sudoers rule below lets fetchmail invoke; keeping
# it root-owned and non-writable by others is what makes that rule safe.
- name: install donation import wrapper script
  template:
    src: donor_import_wrapper.sh.j2
    dest: /usr/local/bin/donor_import_wrapper.sh
    owner: root
    group: root
    mode: '0755'

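# Drop-in sudo rule allowing fetchmail to run the archweb django scripts.
# validate runs visudo on the rendered file before it is moved into place: a
# syntax error in a sudoers.d fragment makes sudo refuse every command on the
# host, so a bad template must never reach /etc/sudoers.d.
- name: install sudoer rights for fetchmail to call archweb django scripts
  template:
    src: sudoers-fetchmail-archweb.j2
    dest: /etc/sudoers.d/fetchmail-archweb
    owner: root
    group: root
    mode: '0440'
    validate: /usr/bin/visudo -cf %s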

# Checkout target for the archweb-retro repository.
- name: create retro dir
  when: archweb_site|bool
  file:
    path: '{{ archweb_retro_dir }}'
    state: directory
    owner: archweb
    group: archweb
    mode: '0755'

# Check out archweb-retro pinned to an exact commit hash. Pinning fixes the
# content that gets deployed, but unlike the main archweb clone there is no
# signature check here — presumably acceptable for static retro pages; confirm.
- name: clone archweb-retro repo
  when: archweb_site|bool
  become: true
  become_user: archweb
  git:
    repo: '{{ archweb_retro_repository }}'
    dest: '{{ archweb_retro_dir }}'
    version: '{{ archweb_retro_commit_hash }}'