roles/archweb: Fix configuration step and split the privs module to use new defaults

c62d274d · Giancarlo Razzolini · 1ea3121c · c62d274d · c62d274d
Verified Commit c62d274d authored 8 years ago by Giancarlo Razzolini
--- a/roles/archweb/defaults/main.yml
+++ b/roles/archweb/defaults/main.yml
@@ -12,5 +12,10 @@ archweb_db: 'archweb'
 archweb_db_host: 'localhost'
 archweb_db_site_user: 'archweb'
 archweb_db_services_user: 'archweb_services'
+archweb_db_services_table_objs: 'ALL_IN_SCHEMA'
+archweb_db_services_sequence_objs: 'ALL_IN_SCHEMA'
 archweb_db_dbscripts_user: 'archweb_dbscripts'
+archweb_db_dbscripts_table_objs: 'mirrors_mirrorrsync'
 archweb_db_backup_user: 'archweb_backup'
+archweb_db_backup_table_objs: 'ALL_IN_SCHEMA'
+archweb_db_backup_sequence_objs: 'ALL_IN_SCHEMA'
--- a/roles/archweb/tasks/main.yml
+++ b/roles/archweb/tasks/main.yml
@@ -42,6 +42,10 @@
 - name: fix home permissions
  file: state=directory owner=archweb group=archweb path="{{ archweb_dir }}"

+- name: configure archweb
+  template: src=local_settings.py.j2 dest=/srv/http/archweb/local_settings.py owner=archweb group=archweb mode=0660
+  no_log: true
+
 - name: create archweb db users
  postgresql_user: name={{ item.user }} password={{ item.password }} login_host="{{ archweb_db_host }}" login_password="{{ postgres_users.postgres }}" encrypted=yes
  no_log: true
@@ -55,18 +59,6 @@
  postgresql_db: name="{{ archweb_db }}" login_host="{{ archweb_db_host }}" login_password="{{ postgres_users.postgres }}" owner="{{ archweb_db_site_user }}"
  register: db_created

- name: db privileges for archweb users
-  postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" password="{{ archweb_db_site_password }}"
-                    privs=CONNECT roles="{{ item }}" type=database
-  postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" password="{{ archweb_db_site_password }}"
-                    privs=SELECT roles="{{ item }}" type=table objs=ALL_IN_SCHEMA
-  postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" password="{{ archweb_db_site_password }}"
-                    privs=SELECT roles="{{ item }}" type=sequence objs=ALL_IN_SCHEMA
-  with_items:
-    - "{{ archweb_db_services_user }}"
-    - "{{ archweb_db_dbscripts_user }}"
-    - "{{ archweb_db_backup_user }}"
-
 - name: django syncdb
  django_manage: app_path="{{ archweb_dir }}" command=syncdb virtualenv="{{ archweb_dir }}/env"
  become: true
@@ -79,6 +71,29 @@
  become_user: archweb
  when: archweb_site and (db_created.changed or release.changed)

+- name: db privileges for archweb users
+  postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" password="{{ archweb_db_site_password }}"
+                    privs=CONNECT roles="{{ item }}" type=database
+  with_items:
+    - "{{ archweb_db_services_user }}"
+    - "{{ archweb_db_dbscripts_user }}"
+    - "{{ archweb_db_backup_user }}"
+
+- name: table privileges for archweb users
+  postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" password="{{ archweb_db_site_password }}"
+                    privs=SELECT roles="{{ item.user }}" type=table objs="{{ item.objs }}"
+  with_items:
+    - { user: "{{ archweb_db_services_user }}", objs: "{{ archweb_db_services_table_objs }}" }
+    - { user: "{{ archweb_db_dbscripts_user }}", objs: "{{ archweb_db_dbscripts_table_objs }}" }
+    - { user: "{{ archweb_db_backup_user }}", objs: "{{ archweb_db_backup_table_objs }}" }
+
+- name: sequence privileges for archweb users
+  postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" password="{{ archweb_db_site_password }}"
+                    privs=SELECT roles="{{ item.user }}" type=sequence objs="{{ item.objs }}"
+  with_items:
+    - { user: "{{ archweb_db_services_user }}", objs: "{{ archweb_db_services_sequence_objs }}" }
+    - { user: "{{ archweb_db_backup_user }}", objs: "{{ archweb_db_backup_sequence_objs }}" }
+
 - name: django collectstatic
  django_manage: app_path="{{ archweb_dir }}" command=collectstatic virtualenv="{{ archweb_dir }}/env"
  become: true
@@ -123,10 +138,6 @@
    - daemon reload
  when: archweb_site

- name: configure archweb
-  template: src=local_settings.py.j2 dest=/srv/http/archweb/local_settings.py owner=archweb group=archweb mode=0660
-  no_log: true
-
 - name: deploy archweb
  template: src=archweb.ini.j2 dest=/etc/uwsgi/vassals/archweb.ini owner=archweb group=http mode=0644
  when: archweb_site