fedora-infra_ansible/roles/distgit/pagure/tasks/main.yml

---
# Configuration for the pagure webapp

- name: install needed packages
  package: name={{ item }} state=present
  with_items:
  - pagure
  - pagure-ev
  - pagure-logcom
  - pagure-milters
  - pagure-webhook
  - python3-psycopg2
  - redis
  - python3-libsemanage
  - python3-fedora-flask
  - pagure-dist-git
  tags:
  - pagure
  - packages

- name: install needed packages
  package: name={{ item }} state=present
  with_items:
  - pagure-theme-srcfpo
  tags:
  - pagure
  - packages

- name: >-
    Set httpd_can_network_connect flag on and keep it persistent across reboots so apache can talk
    to redis
  seboolean:
    name: httpd_can_network_connect
    state: yes
    persistent: yes

# Set-up stunnel for the event source server

# - name: install stunnel service definition
#   copy: src=stunnel.service
#         dest=/usr/lib/systemd/system/stunnel.service
#         owner=root group=root mode=0755
#   notify:
#   - reload systemd
#   - restart stunnel
#   tags:
#   - pagure
#   - stunnel

# - name: ensure old stunnel init file is gone
#   file: dest=/etc/init.d/stunnel/stunnel.init state=absent
#   tags:
#   - pagure
#   - stunnel
#   - config

# - name: install stunnel.conf
#   template: src={{ item.file }}
#             dest={{ item.dest }}
#             owner=root group=root mode=0600
#   with_items:
#   - { file: stunnel-conf.j2, dest: /etc/stunnel/stunnel.conf }
#   notify: restart stunnel
#   tags:
#   - pagure
#   - stunnel
#   - config

# Set-up Pagure

- name: Create a group pagure we can use
  group: name=pagure
  tags:
  - pagure

- name: Create an user we can run pagure under
  user: name=pagure group=packager append=yes
  tags:
  - pagure

- name: Create the "git" user
  command: useradd --create-home --home-dir=/srv/git/  git
           creates=/srv/git/
  when: env == 'staging'
  tags:
  - pagure

- name: Add the git user to the packager group
  user: name=git group=packager append=yes
  when: env == 'staging'
  tags:
  - pagure

- name: create the /var/log/pagure folder where to store the logs
  file: state=directory
               path=/var/log/pagure
               owner=pagure group=packager mode=u+rwx,g+rwxs,o+rx
  tags:
  - pagure
  - hotfix

# Fix for https://pagure.io/fedora-infrastructure/issue/11957
- name: Set ACL for newly created files in /var/log/pagure
  ansible.posix.acl:
    path: /var/log/pagure
    default: true
    etype: group
    permissions: "rw"
    state: present
  tags:
  - pagure
  - fix_log

- name: create the /srv/tmp folder where to clone repos
  file: state=directory
               path=/srv/tmp
               owner=pagure group=pagure mode=0775
  tags:
  - pagure

- name: copy sundry pagure configuration
  template: src={{ item.file }}
            dest={{ item.location }}/{{ item.file }}
            owner=pagure group=postfix mode=0640
  with_items:
  - file: pagure.cfg
    location: /etc/pagure
  - file: alembic.ini
    location: /etc/pagure
  - file: pagure_plugins.cfg
    location: /etc/pagure
  tags:
  - config
  - web
  - pagure
  notify:
  - restart apache

- name: pagure configuration for the hooks
  template: src={{ item.file }}
            dest={{ item.location }}/{{ item.file }}
            owner=pagure group=packager mode=0640
  with_items:
  - file: pagure_hook.cfg
    location: /etc/pagure
  tags:
  - config
  - web
  - pagure
  notify:
  - restart apache

- name: create the database scheme
  command: /usr/bin/python3 /usr/share/pagure/pagure_createdb.py
  changed_when: "1 != 1"
  environment:
    PAGURE_CONFIG: /etc/pagure/pagure.cfg
  tags:
  - web
  - pagure

- name: create all the directories where we store the git repos
  file: state=directory
               path={{ item }}
               owner=root group=packager mode=2775
  with_items:
  - /srv/git/repositories/
  - /srv/git/repositories/forks
  - /srv/git/repositories/requests
  - /srv/git/repositories/tickets
  tags:
  - gitolite
  - pagure

- name: create the remotes folder so pagure can clone remote repos
  file: state=directory
               path={{ item }}
               owner=root group=packager mode=2775
  with_items:
  - /srv/git/remotes
  tags:
  - gitolite
  - pagure

# On RHEL 8.8 and newer, git operations fail because of dubious ownership. This should fix it.
- name: Configure git directories as safe
  git_config:
    name: safe.directory
    scope: system
    value: "*"
  tags:
  - pagure

- name: Install the apache configuration file
  template: src={{ item }} dest=/etc/httpd/conf.d/{{ item }}
            owner=root group=root mode=0644
  with_items:
  - z_pagure.conf
  tags:
  - files
  - config
  - pagure
  notify:
  - restart apache

- name: Install the wsgi file
  template: src={{ item }}
            dest=/var/www/{{ item }}
            owner=pagure group=pagure mode=0644
  with_items:
  - pagure.wsgi
  tags:
  - config
  - web
  - pagure
  notify:
  - restart apache

- name: Add default facl so apache can read git repos
  acl: default=yes etype=user entity=apache permissions="rx" name=/srv/git state=present
  register: acl_updates
  tags:
  - pagure

- name: Manually fix current default ACLs since Ansible doesnt know recursive acls
  when: acl_updates.changed
  command: /usr/bin/setfacl -Rdm user:apache:rx /srv/git
  tags:
  - pagure

- name: Manually fix current ACLs since Ansible doesnt know recursive acls
  when: acl_updates.changed
  command: /usr/bin/setfacl -Rm user:apache:rx /srv/git
  tags:
  - pagure

- name: Override the default pagure_worker.service file to change the user it is run under
  copy: src={{ item }}.service
        dest=/etc/systemd/system/{{ item }}.service
        owner=root group=root mode=0755
  with_items:
  - pagure_ev
  - pagure_logcom
  - pagure_webhook
  - pagure_worker
  notify:
  - reload systemd
  tags:
  - pagure

# Configure SELinux in dist-git/pagure

- import_tasks: selinux.yml
  tags:
  - selinux

# Cron job to export extras information from the pagure DB
- name: Install the apache configuration file for /extras
  copy: src={{ item }} dest=/etc/httpd/conf.d/{{ item }}
             owner=root group=root mode=0644
  with_items:
  - pagure_cron.conf
  tags:
  - files
  - config
  - pagure
  notify:
  - restart apache

- name: create the /srv/cache/extras folder for the crons
  file: state=directory
               path=/srv/cache/extras
               owner=apache group=apache mode=0775
  tags:
  - pagure

- name: Configure cron job for a hourly pagure_poc
  cron:
    name: pagure-poc
    user: root
    minute: 0
    job: /usr/bin/python3 /usr/libexec/pagure-dist-git/pagure_poc.py /srv/cache/extras
    cron_file: pagure-poc
    state: present
  tags:
  - pagure

- name: Configure cron job for a hourly pagure_bz
  cron:
    name: pagure-poc
    user: root
    minute: 0
    job: /usr/bin/python3 /usr/libexec/pagure-dist-git/pagure_bz.py /srv/cache/extras
    cron_file: pagure-bz
    state: present
  tags:
  - pagure

- name: Configure cron job for a hourly pagure_owner_alias
  cron:
    name: pagure-poc
    user: root
    minute: 0
    job: /usr/bin/python3 /usr/libexec/pagure-dist-git/pagure_owner_alias.py /srv/cache/extras
    cron_file: pagure-owner-alias
    state: present
  tags:
  - pagure

# setup fedora-messaging

- name: install fedora-messaging as a dependency
  package: name={{ item }} state=present
  with_items:
  - fedora-messaging
  tags:
  - pagure
  - fedora-messaging

- name: create the config folder for fedora-messaging
  file: path=/etc/fedora-messaging/ owner=root group=root mode=0755 state=directory
  tags:
  - pagure
  - fedora-messaging

- name: install the configuration file for fedora-messaging
  template:
    src=fedora-messaging.toml
    dest=/etc/fedora-messaging/config.toml
  tags:
  - pagure
  - fedora-messaging

- name: create folder where we'll place the certs
  file: path=/etc/pki/rabbitmq/pagurecert/ owner=root group=root mode=0755 state=directory
  tags:
  - pagure
  - fedora-messaging

- name: deploy pagure/rabbitmq certificate
  copy: src={{ item.src }}
        dest=/etc/pki/rabbitmq/pagurecert/{{ item.dest }}
        owner={{ item.owner }} group={{ item.group}} mode={{ item.mode }}
  with_items:
    - src: "{{private}}/files/rabbitmq/{{env}}/pki/issued/pagure{{ env_suffix }}.crt"
      dest: src.fp.o.crt
      owner: pagure
      group: packager
      mode: "444"
    - src: "{{private}}/files/rabbitmq/{{env}}/pki/private/pagure{{ env_suffix }}.key"
      dest: src.fp.o.key
      owner: pagure
      group: packager
      mode: "440"
    - src: "{{private}}/files/rabbitmq/{{env}}/pki/ca.crt"
      dest: src.fp.o.ca
      owner: pagure
      group: packager
      mode: "444"
  tags:
  - pagure
  - fedora-messaging


# Ensure all the services are up and running

- name: Start and enable httpd, postfix, pagure_milter
  service: name={{ item }} enabled=yes state=started
  with_items:
  - httpd
  - postfix
  #  - stunnel
  - redis
  - pagure_ev
  - pagure_logcom
  #  - pagure_milter
  - pagure_webhook
  - pagure_worker
  #  - pagure_api_key_expire_mail
  #  - pagure_api_key_expire_mail.timer
  tags:
  - pagure
  - service
  - postfix

- name: Add SAR script for pagure
  copy: src={{ roles_path }}/pagure/files/pagure_sar.py
        dest=/usr/local/bin/pagure_sar.py
        owner=root mode=0700
  tags:
  - SAR
  - GDPR
  - pagure

- name: override the default syslog logrotate file
  copy: src=syslog-logrotate dest=/etc/logrotate.d/syslog
  tags:
  - pagure
  - logrotate