WarlockFish/fedora-infra_ansible
1
0
Fork 0
mirror of https://pagure.io/fedora-infra/ansible.git synced 2026-03-20 03:57:02 +08:00
Code Issues Packages Projects Releases Wiki Activity

distgit: fix lint errors in distgit role

Browse Source 
Signed-off-by: Lenka Segura <lsegura@redhat.com>
This commit is contained in:
Lenka Segura
2025-08-11 13:06:25 +02:00
parent 24a706e39f
commit ca10dca26a
1 changed files with 181 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

245
roles/distgit/tasks/main.yml
View File

@@ -14,9 +14,12 @@
stream=2.3
profiles=
state=enabled
mode: '0644'
- name: Install the needed packages
ansible.builtin.package: name={{item}} state=present
ansible.builtin.package:
name: "{{ item }}"
state: present
with_items:
- git
- httpd
@@ -28,31 +31,42 @@
- distgit
- name: Install the mod_auth_openidc configuration
ansible.builtin.template: src=auth_openidc.conf dest=/etc/httpd/conf.d/auth_openidc.conf
ansible.builtin.template:
src: auth_openidc.conf
dest: /etc/httpd/conf.d/auth_openidc.conf
mode: '0644'
notify:
- Reload httpd
tags:
- distgit
- name: Install the http push configuration
ansible.builtin.template: src=httppush.conf dest=/etc/httpd/conf.d/httpush.conf
ansible.builtin.template:
src: httppush.conf
dest: /etc/httpd/conf.d/httpush.conf
mode: '0644'
notify:
- Reload httpd
tags:
- distgit
- name: Create suexec wrapper directory
ansible.builtin.file: path=/var/www/bin state=directory owner=pagure group=packager
ansible.builtin.file:
path: /var/www/bin
state: directory
owner: pagure
group: packager
mode: '0755'
tags:
- distgit
- name: Install suexec wrappers
ansible.builtin.copy:
src=suexec-{{item}}.sh
dest=/var/www/bin/suexec-{{item}}.sh
owner=pagure
group=packager
mode=0755
src: "suexec-{{ item }}.sh"
dest: "/var/www/bin/suexec-{{ item }}.sh"
owner: pagure
group: packager
mode: '0755'
with_items:
- gitolite
- upload
@@ -60,19 +74,26 @@
- distgit
- name: Put in git service config
ansible.builtin.copy: src=git@.service dest=/etc/systemd/system/git@.service
ansible.builtin.copy:
src: git@.service
dest: /etc/systemd/system/git@.service
mode: '0644'
tags:
- distgit
- name: Install the mod_ssl configuration
ansible.builtin.copy: src=ssl.conf dest=/etc/httpd/conf.d/ssl.conf
ansible.builtin.copy:
src: ssl.conf
dest: /etc/httpd/conf.d/ssl.conf
mode: '0644'
notify:
- Reload httpd
tags:
- distgit
- name: Letsencrypt for pkgs.stg.fedoraproject.org
include_role: name=letsencrypt
ansible.builtin.include_role:
name: letsencrypt
vars:
site_name: pkgs.stg.fedoraproject.org
when: env == 'staging'
@@ -81,28 +102,40 @@
- letsencrypt
- name: Install the keytab
ansible.builtin.copy: src="{{ private }}/files/keytabs/{{env}}/pkgs"
dest=/etc/httpd.keytab
owner=apache
group=apache
mode=0600
ansible.builtin.copy:
src: "{{ private }}/files/keytabs/{{ env }}/pkgs"
dest: /etc/httpd.keytab
owner: apache
group: apache
mode: '0600'
notify:
- Reload httpd
tags:
- distgit
- name: Allow httpd to access the files on NFS
seboolean: name=httpd_use_nfs state=yes persistent=yes
ansible.posix.seboolean:
name: httpd_use_nfs
state: yes
persistent: yes
tags:
- distgit
- name: Allow httpd to access git user content
seboolean: name=httpd_read_user_content state=yes persistent=yes
ansible.posix.seboolean:
name: httpd_read_user_content
state: yes
persistent: yes
tags:
- distgit
- name: Secure tmpfs read only
mount: name=/dev/shm src=tmpfs fstype=tmpfs opts=defaults,size=40G state=present
ansible.posix.mount:
name: /dev/shm
src: tmpfs
fstype: tmpfs
opts: defaults,size=40G
state: present
tags:
- distgit
@@ -111,7 +144,10 @@
# do, this installs that wrapper (which is otherwise configured in sshd_config)
- name: Install the ssh_wrapper wrapper script
ansible.builtin.copy: src=ssh_wrapper dest=/usr/local/bin/ssh_wrapper mode=0755
ansible.builtin.copy:
src: ssh_wrapper
dest: /usr/local/bin/ssh_wrapper
mode: '0755'
tags:
- config
- distgit
@@ -121,7 +157,9 @@
# -- Dist Git --------------------------------------------
# This is the Git setup itself: group, root directory, scripts,...
- name: Install dist-git
ansible.builtin.package: name={{item}} state=present
ansible.builtin.package:
name: "{{ item }}"
state: present
with_items:
- dist-git
- dist-git-selinux
@@ -129,33 +167,42 @@
- distgit
- name: Install the dist-git config
ansible.builtin.copy: src=dist-git.conf dest=/etc/dist-git/dist-git.conf
ansible.builtin.copy:
src: dist-git.conf
dest: /etc/dist-git/dist-git.conf
mode: '0644'
tags:
- config
- distgit
- name: Dploy the Fedora messaging config. file for uploads
ansible.builtin.copy: src=git-hooks-messaging.toml dest=/etc/fedora-messaging/git-hooks-messaging.toml
ansible.builtin.copy:
src: git-hooks-messaging.toml
dest: /etc/fedora-messaging/git-hooks-messaging.toml
mode: '0644'
tags:
- config
- distgit
- name: Deploy the Fedora messaging certificate
ansible.builtin.copy: src={{ item.src }}
dest=/etc/pki/rabbitmq/{{ item.dest }}
owner={{ item.owner }} group={{ item.group}} mode={{ item.mode }}
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "/etc/pki/rabbitmq/{{ item.dest }}"
owner: "{{ item.owner }}"
group: "{{ item.group }}"
mode: "{{ item.mode }}"
with_items:
- src: "{{private}}/files/rabbitmq/production/pki/issued/git-hooks.crt"
- src: "{{ private }}/files/rabbitmq/production/pki/issued/git-hooks.crt"
dest: git-hooks.crt
owner: root
group: root
mode: "444"
- src: "{{private}}/files/rabbitmq/production/pki/private/git-hooks.key"
- src: "{{ private }}/files/rabbitmq/production/pki/private/git-hooks.key"
dest: git-hooks.key
owner: root
group: root
mode: "440"
- src: "{{private}}/files/rabbitmq/production/pki/reqs/git-hooks.req"
- src: "{{ private }}/files/rabbitmq/production/pki/reqs/git-hooks.req"
dest: git-hooks.ca
owner: root
group: root
@@ -165,13 +212,20 @@
- fedora-messaging
- name: Create the distgit root directory (/srv/git)
ansible.builtin.file: dest=/srv/git state=directory mode=0755
ansible.builtin.file:
dest: /srv/git
state: directory
mode: '0755'
tags:
- distgit
# These should all map to pkgdb namespaces
- name: Create our namespace directories inside there..
ansible.builtin.file: dest=/srv/git/repositories/{{item}} state=directory mode=2775 group=packager
ansible.builtin.file:
dest: "/srv/git/repositories/{{ item }}"
state: directory
mode: '2775'
group: packager
with_items:
- rpms
- docker
@@ -185,7 +239,10 @@
- distgit
- name: Install robots.txt files
ansible.builtin.copy: src={{item}} dest=/var/www/{{item}}
ansible.builtin.copy:
src: "{{ item }}"
dest: "/var/www/{{ item }}"
mode: '0644'
with_items:
- robots-pkgs.txt
- robots-src.txt
@@ -193,35 +250,54 @@
- distgit
- name: Install the DistGit related httpd config
ansible.builtin.copy: src=git-smart-http.conf dest=/etc/httpd/conf.d/dist-git/git-smart-http.conf
ansible.builtin.copy:
src: git-smart-http.conf
dest: /etc/httpd/conf.d/dist-git/git-smart-http.conf
mode: '0644'
notify:
- Reload httpd
tags:
- distgit
- name: Symlink pkgs-git-repos-list
ansible.builtin.copy: src=repolist.conf dest=/etc/httpd/conf.d/dist-git/repolist.conf
ansible.builtin.copy:
src: repolist.conf
dest: /etc/httpd/conf.d/dist-git/repolist.conf
mode: '0644'
notify:
- Reload httpd
tags:
- distgit
- name: Schedule the update hook check
cron: >
name="check-update-hooks" cron_file="ansible-check-update-hooks"
minute=0 hour=0 weekday=3
user=nobody
job="/usr/local/bin/git-check-perms --check=update-hook /srv/git/repositories"
ansible.builtin.cron:
name: "check-update-hooks"
cron_file: "ansible-check-update-hooks"
minute: 0
hour: 0
weekday: 3
user: nobody
job: "/usr/local/bin/git-check-perms --check=update-hook /srv/git/repositories"
tags:
- distgit
- name: Schedule the script to get retired packages
ansible.builtin.copy: src="retired-packages.cron" dest="/etc/cron.d/retired-packages.cron" mode=644 owner=root group=root
ansible.builtin.copy:
src: "retired-packages.cron"
dest: "/etc/cron.d/retired-packages.cron"
mode: '644'
owner: root
group: root
tags:
- distgit
- name: Install the two scripts needed for mass-branching
ansible.builtin.copy: src={{item}} dest=/usr/local/bin/{{item}} owner=root group=root mode=0755
ansible.builtin.copy:
src: "{{ item }}"
dest: "/usr/local/bin/{{ item }}"
owner: root
group: root
mode: '0755'
with_items:
- mass-branching-git.py
- mass-branching-gitolite.py
@@ -233,7 +309,10 @@
# -- Lookaside Cache -------------------------------------
# This is the annex to Dist Git, where we host source tarballs.
- name: Install the Lookaside Cache httpd configs
ansible.builtin.template: src={{item}} dest=/etc/httpd/conf.d/dist-git/{{item}}
ansible.builtin.template:
src: "{{ item }}"
dest: "/etc/httpd/conf.d/dist-git/{{ item }}"
mode: '0644'
with_items:
- lookaside.conf
- lookaside-upload.conf
@@ -244,13 +323,20 @@
- sslciphers
- name: Create the Lookaside Cache root directory
ansible.builtin.file: dest=/srv/cache/lookaside/pkgs state=directory
owner=apache group=apache
ansible.builtin.file:
dest: /srv/cache/lookaside/pkgs
state: directory
owner: apache
group: apache
mode: '0755'
tags:
- distgit
- name: Set the selinux boolean git_cgi_use_nfs
seboolean: name=git_cgi_use_nfs persistent=yes state=yes
ansible.posix.seboolean:
name: git_cgi_use_nfs
persistent: yes
state: yes
tags:
- distgit
- config
@@ -258,7 +344,10 @@
# Not sure why, but fixes https://fedorahosted.org/fedora-infrastructure/ticket/4825
- name: Set the selinux boolean git_system_enable_homedirs
seboolean: name=git_system_enable_homedirs persistent=yes state=yes
ansible.posix.seboolean:
name: git_system_enable_homedirs
persistent: yes
state: yes
tags:
- distgit
- config
@@ -278,6 +367,7 @@
- name: Set the SELinux policy for the Lookaside Cache root directory
ansible.builtin.command: semanage fcontext -a -t nfs_t "/srv/cache(/.*)?"
when: lcachecontext.stdout.find('nfs_t') == -1 and env != "staging"
changed_when: true
tags:
- config
- lookaside
@@ -285,53 +375,71 @@
- distgit
- name: Install the fedora-ca.cert
ansible.builtin.copy: src={{private}}/files/fedora-ca.cert dest=/etc/httpd/conf/cacert.pem
ansible.builtin.copy:
src: "{{ private }}/files/fedora-ca.cert"
dest: /etc/httpd/conf/cacert.pem
mode: '0644'
tags:
- distgit
- name: Install the pkgs cert
ansible.builtin.copy: src={{private}}/files/pkgs.fedoraproject.org_key_and_cert.pem
dest=/etc/httpd/conf/pkgs.fedoraproject.org_key_and_cert.pem
owner=apache mode=0400
ansible.builtin.copy:
src: "{{ private }}/files/pkgs.fedoraproject.org_key_and_cert.pem"
dest: /etc/httpd/conf/pkgs.fedoraproject.org_key_and_cert.pem
owner: apache
mode: '0400'
when: env != "staging"
tags:
- distgit
- name: Install the pkgs.stg cert
ansible.builtin.copy: src={{private}}/files/pkgs.stg.fedoraproject.org_key_and_cert.pem
dest=/etc/httpd/conf/pkgs.fedoraproject.org_key_and_cert.pem
owner=apache mode=0400
ansible.builtin.copy:
src: "{{ private }}/files/pkgs.stg.fedoraproject.org_key_and_cert.pem"
dest: /etc/httpd/conf/pkgs.fedoraproject.org_key_and_cert.pem
owner: apache
mode: '0400'
when: env == "staging"
tags:
- distgit
# Three tasks for handling our selinux policy for upload.cgi
- name: Ensure a directory exists for our SELinux policy
ansible.builtin.file: dest=/usr/local/share/selinux/ state=directory
ansible.builtin.file:
dest: /usr/local/share/selinux/
state: directory
mode: '0755'
tags: selinux
- name: Copy over our custom selinux policy
ansible.builtin.copy: src=upload_cgi.pp dest=/usr/local/share/selinux/upload_cgi.pp
ansible.builtin.copy:
src: upload_cgi.pp
dest: /usr/local/share/selinux/upload_cgi.pp
mode: '0644'
register: selinux_module
tags: selinux
- name: Install our custom selinux policy
- name: Install our custom selinux policy # noqa no-handler
ansible.builtin.command: semodule -i /usr/local/share/selinux/upload_cgi.pp
when: selinux_module is changed
changed_when: true
tags: selinux
- name: Copy over our custom nfs selinux policy
ansible.builtin.copy: src=cgi-nfs.pp dest=/usr/local/share/selinux/cgi-nfs.pp
ansible.builtin.copy:
src: cgi-nfs.pp
dest: /usr/local/share/selinux/cgi-nfs.pp
mode: '0644'
register: nfs_selinux_module
tags: selinux
- name: Install our custom nfs selinux policy
- name: Install our custom nfs selinux policy # noqa no-handler
ansible.builtin.command: semodule -i /usr/local/share/selinux/cgi-nfs.pp
when: nfs_selinux_module is changed
changed_when: true
tags: selinux
- name: Install another one of our own SELinux policy
include_role:
ansible.builtin.include_role:
name: selinux/module
vars:
policy_file: files/http_policy.te
@@ -340,19 +448,26 @@
- selinux
- name: Setup grokmirror for repos
ansible.builtin.package: name=python3-grokmirror state=installed
ansible.builtin.package:
name: python3-grokmirror
state: installed
tags:
- grokmirror
- pkgs
- name: Make dir for grokmirror manifest
ansible.builtin.file: path=/srv/git/grokmirror state=directory owner=root group=packager mode=2775
ansible.builtin.file:
path: /srv/git/grokmirror
state: directory
owner: root
group: packager
mode: '2775'
tags:
- grokmirror
- pkgs
- name: Set acls for grokmirror
acl:
ansible.posix.acl:
path: /srv/git/grokmirror
etype: group
permissions: rwx
@@ -362,7 +477,9 @@
- pkgs
- name: Run initial grokmirror run
ansible.builtin.command: /usr/bin/grok-manifest -m /srv/git/grokmirror/manifest.js.gz -t /srv/git/repositories/ creates=/srv/git/grokmirror/manifest.js.gz
ansible.builtin.command:
cmd: /usr/bin/grok-manifest -m /srv/git/grokmirror/manifest.js.gz -t /srv/git/repositories/
creates: /srv/git/grokmirror/manifest.js.gz
when: env != "staging"
tags:
- grokmirror