From 324242e42a5aca30d853f6b5acb41e773a1e2c77 Mon Sep 17 00:00:00 2001
From: Jelle van der Waa <jelle@vdwaa.nl>
Date: Thu, 13 Feb 2020 23:33:54 +0100
Subject: [PATCH] archweb: add planet functionality related service/timers

---
 playbooks/apollo.yml                          |  2 +-
 roles/archweb/tasks/main.yml                  | 16 ++++++++++++
 .../templates/archweb-planet.service.j2       | 26 +++++++++++++++++++
 .../archweb/templates/archweb-planet.timer.j2 | 10 +++++++
 4 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 roles/archweb/templates/archweb-planet.service.j2
 create mode 100644 roles/archweb/templates/archweb-planet.timer.j2

diff --git a/playbooks/apollo.yml b/playbooks/apollo.yml
index 252b6dfe4..b4dcd4162 100644
--- a/playbooks/apollo.yml
+++ b/playbooks/apollo.yml
@@ -43,7 +43,7 @@
     - { role: uwsgi, tags: ['uwsgi'] }
     - { role: php-fpm, php_extensions: ['bcmath', 'curl', 'gd', 'iconv', 'intl', 'mysqli', 'pdo_pgsql', 'pgsql', 'sockets', 'zip'], zend_extensions: ['opcache'], tags: ["php-fpm"] }
     - { role: memcached, tags: ['memcached'] }
-    - { role: archweb, tags: ["archweb"] }
+    - { role: archweb, archweb_planet: true, tags: ["archweb"] }
     - role: security_tracker
       security_tracker_domain: "security.archlinux.org"
       security_tracker_nginx_conf: '/etc/nginx/nginx.d/security-tracker.conf'
diff --git a/roles/archweb/tasks/main.yml b/roles/archweb/tasks/main.yml
index 4baa8bcbc..ab72bc39d 100644
--- a/roles/archweb/tasks/main.yml
+++ b/roles/archweb/tasks/main.yml
@@ -165,6 +165,18 @@
     - daemon reload
   when: archweb_services or archweb_populate_signoffs
 
+- name: install planet service
+  template: src="archweb-planet.service.j2" dest="/etc/systemd/system/archweb-planet.service" owner=root group=root mode=0644
+  notify:
+    - daemon reload
+  when: archweb_planet
+
+- name: install planet timer
+  template: src="archweb-planet.timer.j2" dest="/etc/systemd/system/archweb-planet.timer" owner=root group=root mode=0644
+  notify:
+    - daemon reload
+  when: archweb_planet
+
 - name: install pgp_import service
   template: src="archweb-pgp_import.service.j2" dest="/etc/systemd/system/archweb-pgp_import.service" owner=root group=root mode=0644
   notify:
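Review bot: The new `when: archweb_planet` conditions (both install tasks in this hunk, and the timer-enable task in the next hunk of this file) depend on a variable that this patch only sets in playbooks/apollo.yml. The diffstat shows no change to the role's defaults, so unless a default already exists outside this diff, any other play that includes the archweb role would fail on an undefined variable. Adding `archweb_planet: false` to the role defaults and writing the condition as `when: archweb_planet|bool`, as the donor_import task in this file already does, keeps the role safe to include elsewhere. The `|bool` filter also prevents a string such as "false" passed on the command line from being treated as truthy. The pgp_import task that follows continues outside the hunk.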
@@ -273,6 +285,10 @@
   service: name="archweb-populate_signoffs.timer" enabled=yes state=started
   when: archweb_services or archweb_populate_signoffs
 
+- name: start and enable archweb planet timer
+  service: name="archweb-planet.timer" enabled=yes state=started
+  when: archweb_planet
+
 - name: start and enable archweb donor_import timer
   service: name="archweb-donor_import.timer" enabled=yes state=started
   when: archweb_donor_import|bool
diff --git a/roles/archweb/templates/archweb-planet.service.j2 b/roles/archweb/templates/archweb-planet.service.j2
new file mode 100644
index 000000000..d23b7a39a
--- /dev/null
+++ b/roles/archweb/templates/archweb-planet.service.j2
@@ -0,0 +1,26 @@
+[Unit]
+Description=archweb update planet service
+After=network.target
+
+[Service]
+Type=oneshot
+User=archweb
+WorkingDirectory={{ archweb_dir }}
+ExecStart={{ archweb_dir }}/env/bin/python manage.py update_planet -v3
+
+ProtectSystem=full
+PrivateTmp=true
+PrivateDevices=true
+
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+
+NoNewPrivileges=true
+RestrictRealtime=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target
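Review bot: The sandboxing in `[Service]` does not restrict capabilities or network address families, which matters if `update_planet` fetches and parses remote feed content, as its name suggests. Consider adding `CapabilityBoundingSet=`, `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` and `LockPersonality=true`. `ProtectSystem=strict` with an explicit `ReadWritePaths=` would be tighter than `full`, but it has to be checked against whatever the command writes under `{{ archweb_dir }}`. Separately, the `[Install]` section with `WantedBy=multi-user.target` is unnecessary for a unit that the tasks only start through its timer, and enabling the service by hand would run the job on every boot.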
diff --git a/roles/archweb/templates/archweb-planet.timer.j2 b/roles/archweb/templates/archweb-planet.timer.j2
new file mode 100644
index 000000000..7ebd26be5
--- /dev/null
+++ b/roles/archweb/templates/archweb-planet.timer.j2
@@ -0,0 +1,10 @@
+[Unit]
+Description=archweb planet timer
+
+[Timer]
+OnUnitActiveSec=60m
+OnBootSec=15min
+RandomizedDelaySec=1min
+
+[Install]
+WantedBy=timers.target
-- 
GitLab