--- # tasklist for setting up Dist Git # # This is a bit complex, so I'm dividing it into sections. # -- Common ---------------------------------------------- # This is very basic stuff that is needed by multiple of the next sections. - name: Enable the mod_auth_openidc module on rhel8 ansible.builtin.copy: dest: /etc/dnf/modules.d/mod_auth_openidc.module content: | [mod_auth_openidc] name=mod_auth_openidc stream=2.3 profiles= state=enabled - name: Install the needed packages ansible.builtin.package: name={{item}} state=present with_items: - git - httpd - mod_ssl - mod_auth_gssapi - /usr/sbin/semanage - mod_auth_openidc tags: - distgit - name: Install the mod_auth_openidc configuration ansible.builtin.template: src=auth_openidc.conf dest=/etc/httpd/conf.d/auth_openidc.conf notify: - Reload httpd tags: - distgit - name: Install the http push configuration ansible.builtin.template: src=httppush.conf dest=/etc/httpd/conf.d/httpush.conf notify: - Reload httpd tags: - distgit - name: Create suexec wrapper directory ansible.builtin.file: path=/var/www/bin state=directory owner=pagure group=packager tags: - distgit - name: Install suexec wrappers ansible.builtin.copy: src=suexec-{{item}}.sh dest=/var/www/bin/suexec-{{item}}.sh owner=pagure group=packager mode=0755 with_items: - gitolite - upload tags: - distgit - name: Put in git service config ansible.builtin.copy: src=git@.service dest=/etc/systemd/system/git@.service tags: - distgit - name: Install the mod_ssl configuration ansible.builtin.copy: src=ssl.conf dest=/etc/httpd/conf.d/ssl.conf notify: - Reload httpd tags: - distgit - name: Letsencrypt for pkgs.stg.fedoraproject.org include_role: name=letsencrypt vars: site_name: pkgs.stg.fedoraproject.org when: env == 'staging' tags: - distgit - letsencrypt - name: Install the keytab ansible.builtin.copy: src="{{ private }}/files/keytabs/{{env}}/pkgs" dest=/etc/httpd.keytab owner=apache group=apache mode=0600 notify: - Reload httpd tags: - distgit - name: Allow httpd to access the files on NFS seboolean: name=httpd_use_nfs state=yes persistent=yes tags: - distgit - name: Allow httpd to access git user content seboolean: name=httpd_read_user_content state=yes persistent=yes tags: - distgit - name: Secure tmpfs read only mount: name=/dev/shm src=tmpfs fstype=tmpfs opts=defaults,size=40G state=present tags: - distgit # -- SSH # We use a wrapper to let packager ssh in while restricting the command they can # do, this installs that wrapper (which is otherwise configured in sshd_config) - name: Install the ssh_wrapper wrapper script ansible.builtin.copy: src=ssh_wrapper dest=/usr/local/bin/ssh_wrapper mode=0755 tags: - config - distgit - ssh - basessh # -- Dist Git -------------------------------------------- # This is the Git setup itself: group, root directory, scripts,... - name: Install dist-git ansible.builtin.package: name={{item}} state=present with_items: - dist-git - dist-git-selinux tags: - distgit - name: Install the dist-git config ansible.builtin.copy: src=dist-git.conf dest=/etc/dist-git/dist-git.conf tags: - config - distgit - name: Make sure apache can access the fedora-messaging ca acl: path: /etc/pki/rabbitmq/git-hooks.ca entity: apache etype: group permissions: r state: present tags: - distgit when: inventory_hostname.startswith('batcave') - name: Make sure apache can access the fedora-messaging crt acl: path: /etc/pki/rabbitmq/git-hooks.crt entity: apache etype: group permissions: r state: present tags: - distgit when: inventory_hostname.startswith('batcave') - name: Make sure apache can access the fedora-messaging key acl: path: /etc/pki/rabbitmq/git-hooks.key entity: apache etype: group permissions: r state: present tags: - distgit when: inventory_hostname.startswith('batcave') - name: Create the distgit root directory (/srv/git) ansible.builtin.file: dest=/srv/git state=directory mode=0755 tags: - distgit # These should all map to pkgdb namespaces - name: Create our namespace directories inside there.. ansible.builtin.file: dest=/srv/git/repositories/{{item}} state=directory mode=2775 group=packager with_items: - rpms - docker - modules # Except for these two. These namespaces are artificially created in the # dist-git pkgdb sync scripts. - test-rpms - test-modules - test-docker tags: - distgit - name: Install robots.txt files ansible.builtin.copy: src={{item}} dest=/var/www/{{item}} with_items: - robots-pkgs.txt - robots-src.txt tags: - distgit - name: Install the DistGit related httpd config ansible.builtin.copy: src=git-smart-http.conf dest=/etc/httpd/conf.d/dist-git/git-smart-http.conf notify: - Reload httpd tags: - distgit - name: Symlink pkgs-git-repos-list ansible.builtin.copy: src=repolist.conf dest=/etc/httpd/conf.d/dist-git/repolist.conf notify: - Reload httpd tags: - distgit - name: Schedule the update hook check cron: > name="check-update-hooks" cron_file="ansible-check-update-hooks" minute=0 hour=0 weekday=3 user=nobody job="/usr/local/bin/git-check-perms --check=update-hook /srv/git/repositories" tags: - distgit - name: Schedule the script to get retired packages ansible.builtin.copy: src="retired-packages.cron" dest="/etc/cron.d/retired-packages.cron" mode=644 owner=root group=root tags: - distgit - name: Install the two scripts needed for mass-branching ansible.builtin.copy: src={{item}} dest=/usr/local/bin/{{item}} owner=root group=root mode=0755 with_items: - mass-branching-git.py - mass-branching-gitolite.py tags: - config - distgit - mass-branching # -- Lookaside Cache ------------------------------------- # This is the annex to Dist Git, where we host source tarballs. - name: Install the Lookaside Cache httpd configs ansible.builtin.template: src={{item}} dest=/etc/httpd/conf.d/dist-git/{{item}} with_items: - lookaside.conf - lookaside-upload.conf notify: - Reload httpd tags: - distgit - sslciphers - name: Create the Lookaside Cache root directory ansible.builtin.file: dest=/srv/cache/lookaside/pkgs state=directory owner=apache group=apache tags: - distgit - name: Set the selinux boolean git_cgi_use_nfs seboolean: name=git_cgi_use_nfs persistent=yes state=yes tags: - distgit - config - selinux # Not sure why, but fixes https://fedorahosted.org/fedora-infrastructure/ticket/4825 - name: Set the selinux boolean git_system_enable_homedirs seboolean: name=git_system_enable_homedirs persistent=yes state=yes tags: - distgit - config - selinux - name: Check the selinux context of the Lookaside Cache root directory ansible.builtin.command: matchpathcon /srv/cache register: lcachecontext check_mode: no changed_when: false tags: - config - lookaside - selinux - distgit - name: Set the SELinux policy for the Lookaside Cache root directory ansible.builtin.command: semanage fcontext -a -t nfs_t "/srv/cache(/.*)?" when: lcachecontext.stdout.find('nfs_t') == -1 and env != "staging" tags: - config - lookaside - selinux - distgit - name: Install the fedora-ca.cert ansible.builtin.copy: src={{private}}/files/fedora-ca.cert dest=/etc/httpd/conf/cacert.pem tags: - distgit - name: Install the pkgs cert ansible.builtin.copy: src={{private}}/files/pkgs.fedoraproject.org_key_and_cert.pem dest=/etc/httpd/conf/pkgs.fedoraproject.org_key_and_cert.pem owner=apache mode=0400 when: env != "staging" tags: - distgit - name: Install the pkgs.stg cert ansible.builtin.copy: src={{private}}/files/pkgs.stg.fedoraproject.org_key_and_cert.pem dest=/etc/httpd/conf/pkgs.fedoraproject.org_key_and_cert.pem owner=apache mode=0400 when: env == "staging" tags: - distgit # Three tasks for handling our selinux policy for upload.cgi - name: Ensure a directory exists for our SELinux policy ansible.builtin.file: dest=/usr/local/share/selinux/ state=directory tags: selinux - name: Copy over our custom selinux policy ansible.builtin.copy: src=upload_cgi.pp dest=/usr/local/share/selinux/upload_cgi.pp register: selinux_module tags: selinux - name: Install our custom selinux policy ansible.builtin.command: semodule -i /usr/local/share/selinux/upload_cgi.pp when: selinux_module is changed tags: selinux - name: Copy over our custom nfs selinux policy ansible.builtin.copy: src=cgi-nfs.pp dest=/usr/local/share/selinux/cgi-nfs.pp register: nfs_selinux_module tags: selinux - name: Install our custom nfs selinux policy ansible.builtin.command: semodule -i /usr/local/share/selinux/cgi-nfs.pp when: nfs_selinux_module is changed tags: selinux - name: Install another one of our own SELinux policy include_role: name: selinux/module vars: policy_file: files/http_policy.te policy_name: http_policy tags: - selinux - name: Setup grokmirror for repos ansible.builtin.package: name=python3-grokmirror state=installed tags: - grokmirror - pkgs - name: Make dir for grokmirror manifest ansible.builtin.file: path=/srv/git/grokmirror state=directory owner=root group=packager mode=2775 tags: - grokmirror - pkgs - name: Set acls for grokmirror acl: path: /srv/git/grokmirror etype: group permissions: rwx state: present tags: - grokmirror - pkgs - name: Run initial grokmirror run ansible.builtin.command: /usr/bin/grok-manifest -m /srv/git/grokmirror/manifest.js.gz -t /srv/git/repositories/ creates=/srv/git/grokmirror/manifest.js.gz when: env != "staging" tags: - grokmirror - pkgs