diff --git a/roles/pagure/handlers/main.yml b/roles/pagure/handlers/main.yml index 850dfa874b..e10fdd4871 100644 --- a/roles/pagure/handlers/main.yml +++ b/roles/pagure/handlers/main.yml @@ -1,3 +1,5 @@ --- - name: Restart pagure_milter - service: name=pagure_milter state=restarted + ansible.builtin.service: + name: pagure_milter + state: restarted diff --git a/roles/pagure/tasks/main.yml b/roles/pagure/tasks/main.yml index 58c2ab3730..412236763e 100644 --- a/roles/pagure/tasks/main.yml +++ b/roles/pagure/tasks/main.yml @@ -1,7 +1,9 @@ --- # Configuration for the pagure webapp - name: Install needed packages - ansible.builtin.package: name={{ item }} state=present + ansible.builtin.package: + name: "{{ item }}" + state: present with_items: - pagure - pagure-ci @@ -27,8 +29,9 @@ - packages - name: Initialize postgres if necessary - ansible.builtin.command: /usr/bin/postgresql-setup initdb - creates=/var/lib/pgsql/data + ansible.builtin.command: + cmd: /usr/bin/postgresql-setup initdb + creates: /var/lib/pgsql/data notify: - Restart postgresql tags: @@ -37,7 +40,7 @@ - name: Create the pagure DB user become_user: postgres become: true - postgresql_user: + community.postgresql.postgresql_user: name: "{{ pagure_db_user }}" password: "{{ pagure_db_pass }}" tags: @@ -48,7 +51,7 @@ - name: Create the pagure DB user become_user: postgres become: true - postgresql_user: + community.postgresql.postgresql_user: name: "{{ pagure_db_admin_user }}" password: "{{ pagure_db_admin_pass }}" tags: @@ -59,7 +62,7 @@ - name: Create the pagure database creation become_user: postgres become: true - postgresql_db: + community.postgresql.postgresql_db: name: "{{ pagure_db_name }}" owner: "{{ pagure_db_user }}" encoding: UTF-8 @@ -71,7 +74,7 @@ - name: Create the pagure DB user become_user: postgres become: true - postgresql_user: + community.postgresql.postgresql_user: name: "{{ pagure_stg_db_user }}" password: "{{ pagure_stg_db_pass }}" tags: 
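Review bot: The fully qualified names `community.postgresql.postgresql_user` and `community.postgresql.postgresql_db` introduced here (and `community.general.git_config` and `ansible.posix.acl` in later hunks) resolve only if those collections are installed on the controller, and nothing in the visible part of this diff adds or pins them. If the repository keeps a collections requirements file, it should list `community.postgresql`, `community.general` and `ansible.posix` with explicit versions, so that the modules handling database passwords and ACLs come from a known release. This may already be handled outside the diff shown here.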
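Review bot: Four separate tasks in these hunks are all named `Create the pagure DB user`, although they create `pagure_db_user`, `pagure_db_admin_user`, `pagure_stg_db_user` and `pagure_stg_db_admin_user`. A run log or audit trail therefore cannot show which account was created or changed. Since the commit already touches each task, distinct names such as `Create the pagure DB admin user` and `Create the staging pagure DB user` would fit; `Create the pagure database creation` could likewise become `Create the pagure database`.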
@@ -82,7 +85,7 @@ - name: Create the pagure DB user become_user: postgres become: true - postgresql_user: + community.postgresql.postgresql_user: name: "{{ pagure_stg_db_admin_user }}" password: "{{ pagure_stg_db_admin_pass }}" tags: @@ -93,7 +96,7 @@ - name: Create the pagure database creation become_user: postgres become: true - postgresql_db: + community.postgresql.postgresql_db: name: "{{ pagure_stg_db_name }}" owner: "{{ pagure_stg_db_user }}" encoding: UTF-8 @@ -103,27 +106,39 @@ when: env == 'pagure-staging' - name: Put in robots.txt - ansible.builtin.template: src=robots.txt.j2 dest=/var/www/html/robots.txt + ansible.builtin.template: + src: robots.txt.j2 + dest: /var/www/html/robots.txt + owner: root + group: root + mode: '0644' tags: - pagure - name: Create the "git" user - ansible.builtin.command: useradd --create-home --home-dir=/srv/git/ git - creates=/srv/git/ + ansible.builtin.command: + cmd: useradd --create-home --home-dir=/srv/git/ git + creates: /srv/git/ tags: - pagure - name: Create the /attachments folder - ansible.builtin.file: state=directory - path=/srv/attachments - owner=git group=git mode=0775 + ansible.builtin.file: + state: directory + path: /srv/attachments + owner: git + group: git + mode: '0775' tags: - pagure - name: Create the /var/log/pagure folder where to store the logs - ansible.builtin.file: state=directory - path=/var/log/pagure - owner=git group=git mode=0775 + ansible.builtin.file: + state: directory + path: /var/log/pagure + owner: git + group: git + mode: '0775' tags: - pagure - fix_log @@ -148,9 +163,12 @@ # - gitolite - name: Create all the directories where we store the git repos - ansible.builtin.file: state=directory - path={{ item }} - owner=git group=git mode=0775 + ansible.builtin.file: + state: directory + path: "{{ item }}" + owner: git + group: git + mode: '0775' with_items: - /srv/git/repositories/ - /srv/git/repositories/forks 
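Review bot: The `Create the "git" user` task still shells out to `useradd` and is guarded only by `creates: /srv/git/`, so a pre-existing directory (for example a mounted volume) skips account creation. The later `owner: git` tasks then fail or apply to whatever `git` account happens to exist. The role already uses `ansible.builtin.user` for `paguremirroring`; the same module here would check the account itself instead of a path, as in the sketch below. Confirm that the defaults for shell and group match what `useradd` produced before switching.

```yaml
- name: Create the "git" user
  ansible.builtin.user:
    name: git
    home: /srv/git/
    create_home: true
  # … unchanged: tags …
```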
@@ -162,15 +180,18 @@ - pagure - name: Create the /srv/tmp folder where to clone repos - ansible.builtin.file: state=directory - path=/srv/tmp - owner=git group=git mode=0775 + ansible.builtin.file: + state: directory + path: /srv/tmp + owner: git + group: git + mode: '0775' tags: - pagure # On RHEL 8.8 and newer, git operations fail because of dubious ownership. This should fix it. - name: Configure git directories as safe - git_config: + community.general.git_config: name: safe.directory scope: system value: "*" @@ -180,7 +201,7 @@ # Set things up for the mirroring feature - name: Create the `paguremirroring` group - group: + ansible.builtin.group: name: paguremirroring state: present tags: @@ -188,7 +209,7 @@ - mirror - name: Create the `paguremirroring` user - user: + ansible.builtin.user: name: paguremirroring group: paguremirroring groups: paguremirroring,git @@ -201,7 +222,12 @@ # Set-up postfix and the milter for postfix - name: Add the /etc/aliases file - ansible.builtin.copy: src=aliases dest=/etc/aliases owner=root mode=644 + ansible.builtin.copy: + src: aliases + dest: /etc/aliases + owner: root + group: root + mode: '0644' tags: - config - pagure @@ -213,9 +239,12 @@ # Override pagure_ev systemd service file - name: Install pagure_ev service definition - ansible.builtin.copy: src=pagure_ev.service - dest=/usr/lib/systemd/system/pagure_ev.service - owner=root group=root mode=0644 + ansible.builtin.copy: + src: pagure_ev.service + dest: /usr/lib/systemd/system/pagure_ev.service + owner: root + group: root + mode: '0644' notify: - Reload systemd - Restart pagure_ev 
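Review bot: The `Configure git directories as safe` task, whose module name this hunk rewrites, still sets `safe.directory` to `"*"` at `scope: system`. That switches off git's repository-ownership check for every account on the host, not only for the pagure service users. The existing comment explains the symptom but not that trade-off, so a comment such as `# safe.directory=* disables git's ownership check host-wide; confirm this host runs nothing but pagure` would record the decision. If the installed git accepts path globs for this setting, narrowing the value to the repository root (for example `/srv/git/repositories/*`) would be tighter. The rest of the task lies outside the hunk.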
@@ -226,9 +255,12 @@ # Set-up stunnel for the event source server - name: Install stunnel service definition - ansible.builtin.copy: src=stunnel.service - dest=/usr/lib/systemd/system/stunnel.service - owner=root group=root mode=0644 + ansible.builtin.copy: + src: stunnel.service + dest: /usr/lib/systemd/system/stunnel.service + owner: root + group: root + mode: '0644' notify: - Reload systemd - Restart stunnel @@ -237,9 +269,12 @@ - stunnel - name: Install stunnel.conf - ansible.builtin.template: src={{ item.file }} - dest={{ item.dest }} - owner=root group=root mode=0600 + ansible.builtin.template: + src: "{{ item.file }}" + dest: "{{ item.dest }}" + owner: root + group: root + mode: '0600' with_items: - {file: stunnel-conf.j2, dest: /etc/stunnel/stunnel.conf} notify: Restart stunnel @@ -249,9 +284,12 @@ - config - name: Add the different service files for the different services - ansible.builtin.copy: src={{ item }}.service - dest=/etc/systemd/system/{{ item }}.service - owner=root group=root mode=0755 + ansible.builtin.copy: + src: "{{ item }}.service" + dest: "/etc/systemd/system/{{ item }}.service" + owner: root + group: root + mode: '0755' with_items: - pagure_fast_worker - pagure_medium_worker @@ -265,7 +303,9 @@ # setup fedora-messaging - name: Install fedora-messaging as a dependency - ansible.builtin.package: name={{ item }} state=present + ansible.builtin.package: + name: "{{ item }}" + state: present with_items: - python3-fedora-messaging tags: 
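Review bot: The worker unit files copied to `/etc/systemd/system/{{ item }}.service` keep `mode: '0755'`, while the `pagure_ev.service` and `stunnel.service` units in this same diff are installed with `'0644'`. Unit files are configuration rather than executables, and systemd logs a warning for unit files that carry the executable bit. Since the hunk already rewrites this line, `mode: '0644'` would be the consistent value. The `with_items` list for this task continues past the end of the hunk.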
@@ -273,29 +313,45 @@ - fedora-messaging - name: Create the config folder for fedora-messaging - ansible.builtin.file: path=/etc/fedora-messaging/ owner=root group=root mode=0755 state=directory + ansible.builtin.file: + path: /etc/fedora-messaging/ + owner: root + group: root + mode: '0755' + state: directory tags: - pagure - fedora-messaging - name: Install the configuration file for fedora-messaging ansible.builtin.template: - src=fedora-messaging.toml - dest=/etc/fedora-messaging/config.toml + src: fedora-messaging.toml + dest: /etc/fedora-messaging/config.toml + owner: root + group: root + mode: '0644' tags: - pagure - fedora-messaging - name: Create folder where we'll place the certs - ansible.builtin.file: path=/etc/pki/rabbitmq/pagurecert/ owner=root group=root mode=0755 state=directory + ansible.builtin.file: + path: /etc/pki/rabbitmq/pagurecert/ + owner: root + group: root + mode: '0755' + state: directory tags: - pagure - fedora-messaging - name: Deploy pagure/rabbitmq certificate - ansible.builtin.copy: src={{ item.src }} - dest=/etc/pki/rabbitmq/pagurecert/{{ item.dest }} - owner={{ item.owner }} group={{ item.group}} mode={{ item.mode }} + ansible.builtin.copy: + src: "{{ item.src }}" + dest: "/etc/pki/rabbitmq/pagurecert/{{ item.dest }}" + owner: "{{ item.owner }}" + group: "{{ item.group }}" + mode: "{{ item.mode }}" when: env == 'pagure-staging' with_items: - src: "{{private}}/files/rabbitmq/staging/pki/issued/pagure.stg.crt" 
@@ -318,9 +374,12 @@ - fedora-messaging - name: Deploy pagure/rabbitmq certificate - ansible.builtin.copy: src={{ item.src }} - dest=/etc/pki/rabbitmq/pagurecert/{{ item.dest }} - owner={{ item.owner }} group={{ item.group}} mode={{ item.mode }} + ansible.builtin.copy: + src: "{{ item.src }}" + dest: "/etc/pki/rabbitmq/pagurecert/{{ item.dest }}" + owner: "{{ item.owner }}" + group: "{{ item.group }}" + mode: "{{ item.mode }}" when: env != 'pagure-staging' with_items: - src: "{{private}}/files/rabbitmq/production/pki/issued/pagure.crt" @@ -346,9 +405,12 @@ # Set-up Pagure - name: Create the folders used for releases and archives - ansible.builtin.file: state=directory - path={{ item }} - owner=git group=git mode=0775 + ansible.builtin.file: + state: directory + path: "{{ item }}" + owner: git + group: git + mode: '0775' with_items: - /var/www/releases - /var/www/archives @@ -357,9 +419,12 @@ - web - name: Copy sundry pagure configuration - ansible.builtin.template: src={{ item.file }} - dest={{ item.location }}/{{ item.file }} - owner=git group=postfix mode=0640 + ansible.builtin.template: + src: "{{ item.file }}" + dest: "{{ item.location }}/{{ item.file }}" + owner: git + group: postfix + mode: '0640' with_items: - {file: pagure.cfg, location: /etc/pagure} - {file: alembic.ini, location: /etc/pagure} @@ -371,9 +436,12 @@ - Restart apache - name: Install client_secrets for ipsilon - ansible.builtin.template: src=client_secrets.json - dest=/etc/pagure - owner=git group=postfix mode=0640 + ansible.builtin.template: + src: client_secrets.json + dest: /etc/pagure + owner: git + group: postfix + mode: '0640' tags: - config - web @@ -381,7 +449,8 @@ - name: Create the database scheme - ansible.builtin.command: /usr/bin/python3 /usr/share/pagure/pagure_createdb.py + ansible.builtin.command: + cmd: /usr/bin/python3 /usr/share/pagure/pagure_createdb.py changed_when: "1 != 1" environment: PAGURE_CONFIG: /etc/pagure/pagure.cfg 
@@ -390,8 +459,12 @@ - pagure - name: Install the configuration file to activate https - ansible.builtin.template: src={{ item }} dest=/etc/httpd/conf.d/{{ item }} - owner=root group=root mode=0644 + ansible.builtin.template: + src: "{{ item }}" + dest: "/etc/httpd/conf.d/{{ item }}" + owner: root + group: root + mode: '0644' with_items: - 0_pagure.conf - securityheaders.conf @@ -404,9 +477,12 @@ - Restart apache - name: Install the wsgi file - ansible.builtin.template: src={{ item }} - dest=/var/www/{{ item }} - owner=git group=git mode=0644 + ansible.builtin.template: + src: "{{ item }}" + dest: "/var/www/{{ item }}" + owner: git + group: git + mode: '0644' with_items: - pagure.wsgi - docs_pagure.wsgi 
@@ -418,30 +494,43 @@ - Restart apache - name: Let paguremirroring read the pagure config - ansible.builtin.command: /usr/bin/setfacl -m user:paguremirroring:rx /etc/pagure/pagure.cfg + ansible.builtin.command: + cmd: /usr/bin/setfacl -m user:paguremirroring:rx /etc/pagure/pagure.cfg + changed_when: false tags: - pagure - mirror - name: Add default facl so apache can read git repos - acl: default=yes etype=user entity=apache permissions="rx" name=/srv/git state=present + ansible.posix.acl: + default: yes + etype: user + entity: apache + permissions: "rx" + name: /srv/git + state: present register: acl_updates tags: - pagure -- name: Manually fix current default ACLs since Ansible doesnt know recursive acls +- name: Manually fix current default ACLs since Ansible doesnt know recursive acls # noqa no-handler when: acl_updates.changed ansible.builtin.command: /usr/bin/setfacl -Rdm user:apache:rx /srv/git + changed_when: true tags: - pagure -- name: Manually fix current ACLs since Ansible doesnt know recursive acls +- name: Manually fix current ACLs since Ansible doesnt know recursive acls # noqa no-handler when: acl_updates.changed ansible.builtin.command: /usr/bin/setfacl -Rm user:apache:rx /srv/git + changed_when: true tags: - pagure -- import_tasks: selinux.yml +# Import SELinux configuration tasks + +- name: Import SELinux configuration tasks + ansible.builtin.import_tasks: selinux.yml tags: - selinux - pagure @@ -449,9 +538,12 @@ # Hotfix(es) - name: Install the python3-only version of the stream_server so it works - ansible.builtin.copy: src=pagure_stream_server.py - dest=/usr/libexec/pagure-ev/pagure_stream_server.py - owner=root mode=0755 + ansible.builtin.copy: + src: pagure_stream_server.py + dest: /usr/libexec/pagure-ev/pagure_stream_server.py + owner: root + group: root + mode: '0755' tags: - pagure - hotfix 
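Review bot: `Let paguremirroring read the pagure config` still applies its ACL through a raw `setfacl` command, and the new `changed_when: false` means a run never reports when the grant on `/etc/pagure/pagure.cfg` was actually applied or re-applied. It also grants `rx` on a plain configuration file, where read access alone looks sufficient (keep `rx` only if something really executes the file). The next task in this hunk already uses `ansible.posix.acl`; using it here as well would make the grant idempotent and visible in the change report, as sketched below.

```yaml
- name: Let paguremirroring read the pagure config
  ansible.posix.acl:
    path: /etc/pagure/pagure.cfg
    etype: user
    entity: paguremirroring
    permissions: r
    state: present
  # … unchanged: tags …
```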
@@ -461,7 +553,10 @@ # Ensure all the services are up and running - name: Start and enable httpd, postfix, pagure_milter - service: name={{ item }} enabled=yes state=started + ansible.builtin.service: + name: "{{ item }}" + enabled: yes + state: started with_items: - httpd - postfix @@ -484,33 +579,49 @@ - pagure_mirror_project_in - pagure_mirror_project_in.timer - haveged - ignore_errors: true + failed_when: result.rc != 0 tags: - pagure - service - postfix - name: Setup logrotate to our needs - ansible.builtin.template: src="{{ files }}/httpd/httpd.logrotate.j2" dest=/etc/logrotate.d/httpd + ansible.builtin.template: + src: "{{ files }}/httpd/httpd.logrotate.j2" + dest: /etc/logrotate.d/httpd + owner: root + group: root + mode: '0644' tags: - config - apache - name: Add SAR script for pagure - ansible.builtin.copy: src=pagure_sar.py dest=/usr/local/bin/pagure_sar.py owner=git mode=0700 + ansible.builtin.copy: + src: pagure_sar.py + dest: /usr/local/bin/pagure_sar.py + owner: git + group: git + mode: '0700' tags: - SAR - GDPR - pagure - name: Override the default syslog logrotate file - ansible.builtin.copy: src=syslog-logrotate dest=/etc/logrotate.d/syslog + ansible.builtin.copy: + src: syslog-logrotate + dest: /etc/logrotate.d/syslog + owner: root + group: root + mode: '0644' tags: - pagure - logrotate - name: Letsencrypt for stg.pagure.io - include_role: name=letsencrypt + ansible.builtin.include_role: + name: letsencrypt vars: site_name: stg.pagure.io server_aliases: @@ -523,7 +634,8 @@ - letsencrypt - name: Letsencrypt for pagure.io - include_role: name=letsencrypt + ansible.builtin.include_role: + name: letsencrypt vars: site_name: pagure.io server_aliases:
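Review bot: `failed_when: result.rc != 0`, which replaces `ignore_errors: true` at the end of the service-start loop, refers to a variable that no visible line registers, and `ansible.builtin.service` results do not normally carry an `rc` field. If that holds, the condition raises an undefined-variable error for each item, so a task that used to tolerate a missing unit would now abort the play. The task's opening lines are outside the hunk, so a `register: result` may exist there. If the aim is to stop masking failures, removing the line is enough, because the module already fails on error. If some units are genuinely optional, move them to a separate task that keeps `ignore_errors: true` with a comment saying why.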