mirror of
https://pagure.io/fedora-infra/ansible.git
synced 2026-03-20 03:57:02 +08:00
a754144f19
This should update all the references we have to https://pagure.io/fedora-infrastructure to the new https://forge.fedoraproject.org/infra/tickets/ area. Do not merge this before the migration on tuesday. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
496 lines
11 KiB
YAML
496 lines
11 KiB
YAML
---
|
|
# tasklist for setting up Dist Git
|
|
#
|
|
# This is a bit complex, so I'm dividing it into sections.
|
|
|
|
# -- Common ----------------------------------------------
|
|
# This is very basic stuff that is needed by multiple of the next sections.
|
|
- name: Enable the mod_auth_openidc module on rhel8
|
|
ansible.builtin.copy:
|
|
dest: /etc/dnf/modules.d/mod_auth_openidc.module
|
|
content: |
|
|
[mod_auth_openidc]
|
|
name=mod_auth_openidc
|
|
stream=2.3
|
|
profiles=
|
|
state=enabled
|
|
mode: '0644'
|
|
|
|
- name: Install the needed packages
|
|
ansible.builtin.package:
|
|
name: "{{ item }}"
|
|
state: present
|
|
with_items:
|
|
- git
|
|
- httpd
|
|
- mod_ssl
|
|
- mod_auth_gssapi
|
|
- /usr/sbin/semanage
|
|
- mod_auth_openidc
|
|
tags:
|
|
- distgit
|
|
|
|
- name: Install the mod_auth_openidc configuration
|
|
ansible.builtin.template:
|
|
src: auth_openidc.conf
|
|
dest: /etc/httpd/conf.d/auth_openidc.conf
|
|
mode: '0644'
|
|
notify:
|
|
- Reload httpd
|
|
tags:
|
|
- distgit
|
|
|
|
- name: Install the http push configuration
|
|
ansible.builtin.template:
|
|
src: httppush.conf
|
|
dest: /etc/httpd/conf.d/httpush.conf
|
|
mode: '0644'
|
|
notify:
|
|
- Reload httpd
|
|
tags:
|
|
- distgit
|
|
|
|
- name: Create suexec wrapper directory
|
|
ansible.builtin.file:
|
|
path: /var/www/bin
|
|
state: directory
|
|
owner: pagure
|
|
group: packager
|
|
mode: '0755'
|
|
tags:
|
|
- distgit
|
|
|
|
- name: Install suexec wrappers
|
|
ansible.builtin.copy:
|
|
src: "suexec-{{ item }}.sh"
|
|
dest: "/var/www/bin/suexec-{{ item }}.sh"
|
|
owner: pagure
|
|
group: packager
|
|
mode: '0755'
|
|
with_items:
|
|
- gitolite
|
|
- upload
|
|
tags:
|
|
- distgit
|
|
|
|
- name: Put in git service config
|
|
ansible.builtin.copy:
|
|
src: git@.service
|
|
dest: /etc/systemd/system/git@.service
|
|
mode: '0644'
|
|
tags:
|
|
- distgit
|
|
|
|
- name: Install the mod_ssl configuration
|
|
ansible.builtin.copy:
|
|
src: ssl.conf
|
|
dest: /etc/httpd/conf.d/ssl.conf
|
|
mode: '0644'
|
|
notify:
|
|
- Reload httpd
|
|
tags:
|
|
- distgit
|
|
|
|
- name: Letsencrypt for pkgs.stg.fedoraproject.org
|
|
ansible.builtin.include_role:
|
|
name: letsencrypt
|
|
vars:
|
|
site_name: pkgs.stg.fedoraproject.org
|
|
when: env == 'staging'
|
|
tags:
|
|
- distgit
|
|
- letsencrypt
|
|
|
|
- name: Install the keytab
|
|
ansible.builtin.copy:
|
|
src: "{{ private }}/files/keytabs/{{ env }}/pkgs"
|
|
dest: /etc/httpd.keytab
|
|
owner: apache
|
|
group: apache
|
|
mode: '0600'
|
|
notify:
|
|
- Reload httpd
|
|
tags:
|
|
- distgit
|
|
|
|
- name: Allow httpd to access the files on NFS
|
|
ansible.posix.seboolean:
|
|
name: httpd_use_nfs
|
|
state: yes
|
|
persistent: yes
|
|
tags:
|
|
- distgit
|
|
|
|
- name: Allow httpd to access git user content
|
|
ansible.posix.seboolean:
|
|
name: httpd_read_user_content
|
|
state: yes
|
|
persistent: yes
|
|
tags:
|
|
- distgit
|
|
|
|
- name: Secure tmpfs read only
|
|
ansible.posix.mount:
|
|
name: /dev/shm
|
|
src: tmpfs
|
|
fstype: tmpfs
|
|
opts: defaults,size=40G
|
|
state: present
|
|
tags:
|
|
- distgit
|
|
|
|
# -- SSH
|
|
# We use a wrapper to let packager ssh in while restricting the command they can
|
|
# do, this installs that wrapper (which is otherwise configured in sshd_config)
|
|
|
|
- name: Install the ssh_wrapper wrapper script
|
|
ansible.builtin.copy:
|
|
src: ssh_wrapper
|
|
dest: /usr/local/bin/ssh_wrapper
|
|
mode: '0755'
|
|
tags:
|
|
- config
|
|
- distgit
|
|
- ssh
|
|
- basessh
|
|
|
|
# -- Dist Git --------------------------------------------
|
|
# This is the Git setup itself: group, root directory, scripts,...
|
|
- name: Install dist-git
|
|
ansible.builtin.package:
|
|
name: "{{ item }}"
|
|
state: present
|
|
with_items:
|
|
- dist-git
|
|
- dist-git-selinux
|
|
tags:
|
|
- distgit
|
|
|
|
- name: Install the dist-git config
|
|
ansible.builtin.copy:
|
|
src: dist-git.conf
|
|
dest: /etc/dist-git/dist-git.conf
|
|
mode: '0644'
|
|
tags:
|
|
- config
|
|
- distgit
|
|
|
|
- name: Dploy the Fedora messaging config. file for uploads
|
|
ansible.builtin.copy:
|
|
src: git-hooks-messaging.toml
|
|
dest: /etc/fedora-messaging/git-hooks-messaging.toml
|
|
mode: '0644'
|
|
tags:
|
|
- config
|
|
- distgit
|
|
|
|
- name: Deploy the Fedora messaging certificate
|
|
ansible.builtin.copy:
|
|
src: "{{ item.src }}"
|
|
dest: "/etc/pki/rabbitmq/{{ item.dest }}"
|
|
owner: "{{ item.owner }}"
|
|
group: "{{ item.group }}"
|
|
mode: "{{ item.mode }}"
|
|
with_items:
|
|
- src: "{{ private }}/files/rabbitmq/production/pki/issued/git-hooks.crt"
|
|
dest: git-hooks.crt
|
|
owner: root
|
|
group: root
|
|
mode: "444"
|
|
- src: "{{ private }}/files/rabbitmq/production/pki/private/git-hooks.key"
|
|
dest: git-hooks.key
|
|
owner: root
|
|
group: root
|
|
mode: "440"
|
|
- src: "{{ private }}/files/rabbitmq/production/pki/reqs/git-hooks.req"
|
|
dest: git-hooks.ca
|
|
owner: root
|
|
group: root
|
|
mode: "444"
|
|
tags:
|
|
- distgit
|
|
- fedora-messaging
|
|
|
|
- name: Create the distgit root directory (/srv/git)
|
|
ansible.builtin.file:
|
|
dest: /srv/git
|
|
state: directory
|
|
mode: '0755'
|
|
tags:
|
|
- distgit
|
|
|
|
# These should all map to pkgdb namespaces
|
|
- name: Create our namespace directories inside there..
|
|
ansible.builtin.file:
|
|
dest: "/srv/git/repositories/{{ item }}"
|
|
state: directory
|
|
mode: '2775'
|
|
group: packager
|
|
with_items:
|
|
- rpms
|
|
- docker
|
|
- modules
|
|
# Except for these two. These namespaces are artificially created in the
|
|
# dist-git pkgdb sync scripts.
|
|
- test-rpms
|
|
- test-modules
|
|
- test-docker
|
|
tags:
|
|
- distgit
|
|
|
|
- name: Install robots.txt files
|
|
ansible.builtin.copy:
|
|
src: "{{ item }}"
|
|
dest: "/var/www/{{ item }}"
|
|
mode: '0644'
|
|
with_items:
|
|
- robots-pkgs.txt
|
|
- robots-src.txt
|
|
tags:
|
|
- distgit
|
|
|
|
- name: Install the DistGit related httpd config
|
|
ansible.builtin.copy:
|
|
src: git-smart-http.conf
|
|
dest: /etc/httpd/conf.d/dist-git/git-smart-http.conf
|
|
mode: '0644'
|
|
notify:
|
|
- Reload httpd
|
|
tags:
|
|
- distgit
|
|
|
|
- name: Symlink pkgs-git-repos-list
|
|
ansible.builtin.copy:
|
|
src: repolist.conf
|
|
dest: /etc/httpd/conf.d/dist-git/repolist.conf
|
|
mode: '0644'
|
|
notify:
|
|
- Reload httpd
|
|
tags:
|
|
- distgit
|
|
|
|
- name: Schedule the update hook check
|
|
ansible.builtin.cron:
|
|
name: "check-update-hooks"
|
|
cron_file: "ansible-check-update-hooks"
|
|
minute: 0
|
|
hour: 0
|
|
weekday: 3
|
|
user: nobody
|
|
job: "/usr/local/bin/git-check-perms --check=update-hook /srv/git/repositories"
|
|
tags:
|
|
- distgit
|
|
|
|
- name: Schedule the script to get retired packages
|
|
ansible.builtin.copy:
|
|
src: "retired-packages.cron"
|
|
dest: "/etc/cron.d/retired-packages.cron"
|
|
mode: '644'
|
|
owner: root
|
|
group: root
|
|
tags:
|
|
- distgit
|
|
|
|
- name: Install the two scripts needed for mass-branching
|
|
ansible.builtin.copy:
|
|
src: "{{ item }}"
|
|
dest: "/usr/local/bin/{{ item }}"
|
|
owner: root
|
|
group: root
|
|
mode: '0755'
|
|
with_items:
|
|
- mass-branching-git.py
|
|
- mass-branching-gitolite.py
|
|
tags:
|
|
- config
|
|
- distgit
|
|
- mass-branching
|
|
|
|
# -- Lookaside Cache -------------------------------------
|
|
# This is the annex to Dist Git, where we host source tarballs.
|
|
- name: Install the Lookaside Cache httpd configs
|
|
ansible.builtin.template:
|
|
src: "{{ item }}"
|
|
dest: "/etc/httpd/conf.d/dist-git/{{ item }}"
|
|
mode: '0644'
|
|
with_items:
|
|
- lookaside.conf
|
|
- lookaside-upload.conf
|
|
notify:
|
|
- Reload httpd
|
|
tags:
|
|
- distgit
|
|
- sslciphers
|
|
|
|
- name: Create the Lookaside Cache root directory
|
|
ansible.builtin.file:
|
|
dest: /srv/cache/lookaside/pkgs
|
|
state: directory
|
|
owner: apache
|
|
group: apache
|
|
mode: '0755'
|
|
tags:
|
|
- distgit
|
|
|
|
- name: Set the selinux boolean git_cgi_use_nfs
|
|
ansible.posix.seboolean:
|
|
name: git_cgi_use_nfs
|
|
persistent: yes
|
|
state: yes
|
|
tags:
|
|
- distgit
|
|
- config
|
|
- selinux
|
|
|
|
# Not sure why, but fixes https://fedorahosted.org/fedora-infrastructure/ticket/4825
|
|
- name: Set the selinux boolean git_system_enable_homedirs
|
|
ansible.posix.seboolean:
|
|
name: git_system_enable_homedirs
|
|
persistent: yes
|
|
state: yes
|
|
tags:
|
|
- distgit
|
|
- config
|
|
- selinux
|
|
|
|
- name: Check the selinux context of the Lookaside Cache root directory
|
|
ansible.builtin.command: matchpathcon /srv/cache
|
|
register: lcachecontext
|
|
check_mode: no
|
|
changed_when: false
|
|
tags:
|
|
- config
|
|
- lookaside
|
|
- selinux
|
|
- distgit
|
|
|
|
- name: Set the SELinux policy for the Lookaside Cache root directory
|
|
ansible.builtin.command: semanage fcontext -a -t nfs_t "/srv/cache(/.*)?"
|
|
when: lcachecontext.stdout.find('nfs_t') == -1 and env != "staging"
|
|
changed_when: true
|
|
tags:
|
|
- config
|
|
- lookaside
|
|
- selinux
|
|
- distgit
|
|
|
|
- name: Install the fedora-ca.cert
|
|
ansible.builtin.copy:
|
|
src: "{{ private }}/files/fedora-ca.cert"
|
|
dest: /etc/httpd/conf/cacert.pem
|
|
mode: '0644'
|
|
tags:
|
|
- distgit
|
|
|
|
- name: Install the pkgs cert
|
|
ansible.builtin.copy:
|
|
src: "{{ private }}/files/pkgs.fedoraproject.org_key_and_cert.pem"
|
|
dest: /etc/httpd/conf/pkgs.fedoraproject.org_key_and_cert.pem
|
|
owner: apache
|
|
mode: '0400'
|
|
when: env != "staging"
|
|
tags:
|
|
- distgit
|
|
|
|
- name: Install the pkgs.stg cert
|
|
ansible.builtin.copy:
|
|
src: "{{ private }}/files/pkgs.stg.fedoraproject.org_key_and_cert.pem"
|
|
dest: /etc/httpd/conf/pkgs.fedoraproject.org_key_and_cert.pem
|
|
owner: apache
|
|
mode: '0400'
|
|
when: env == "staging"
|
|
tags:
|
|
- distgit
|
|
|
|
# Three tasks for handling our selinux policy for upload.cgi
|
|
- name: Ensure a directory exists for our SELinux policy
|
|
ansible.builtin.file:
|
|
dest: /usr/local/share/selinux/
|
|
state: directory
|
|
mode: '0755'
|
|
tags: selinux
|
|
|
|
- name: Copy over our custom selinux policy
|
|
ansible.builtin.copy:
|
|
src: upload_cgi.pp
|
|
dest: /usr/local/share/selinux/upload_cgi.pp
|
|
mode: '0644'
|
|
register: selinux_module
|
|
tags: selinux
|
|
|
|
- name: Install our custom selinux policy # noqa no-handler
|
|
ansible.builtin.command: semodule -i /usr/local/share/selinux/upload_cgi.pp
|
|
when: selinux_module is changed
|
|
changed_when: true
|
|
tags: selinux
|
|
|
|
- name: Copy over our custom nfs selinux policy
|
|
ansible.builtin.copy:
|
|
src: cgi-nfs.pp
|
|
dest: /usr/local/share/selinux/cgi-nfs.pp
|
|
mode: '0644'
|
|
register: nfs_selinux_module
|
|
tags: selinux
|
|
|
|
- name: Install our custom nfs selinux policy # noqa no-handler
|
|
ansible.builtin.command: semodule -i /usr/local/share/selinux/cgi-nfs.pp
|
|
when: nfs_selinux_module is changed
|
|
changed_when: true
|
|
tags: selinux
|
|
|
|
- name: Install another one of our own SELinux policy
|
|
ansible.builtin.include_role:
|
|
name: selinux/module
|
|
vars:
|
|
policy_file: files/http_policy.te
|
|
policy_name: http_policy
|
|
tags:
|
|
- selinux
|
|
|
|
- name: Setup grokmirror for repos
|
|
ansible.builtin.package:
|
|
name: python3-grokmirror
|
|
state: installed
|
|
tags:
|
|
- grokmirror
|
|
- pkgs
|
|
|
|
- name: Make dir for grokmirror manifest
|
|
ansible.builtin.file:
|
|
path: /srv/git/grokmirror
|
|
state: directory
|
|
owner: root
|
|
group: packager
|
|
mode: '2775'
|
|
tags:
|
|
- grokmirror
|
|
- pkgs
|
|
|
|
- name: Set acls for grokmirror
|
|
ansible.posix.acl:
|
|
path: /srv/git/grokmirror
|
|
etype: group
|
|
permissions: rwx
|
|
state: present
|
|
tags:
|
|
- grokmirror
|
|
- pkgs
|
|
|
|
- name: Run initial grokmirror run
|
|
ansible.builtin.command:
|
|
cmd: /usr/bin/grok-manifest -m /srv/git/grokmirror/manifest.js.gz -t /srv/git/repositories/
|
|
creates: /srv/git/grokmirror/manifest.js.gz
|
|
when: env != "staging"
|
|
tags:
|
|
- grokmirror
|
|
- pkgs
|
|
|
|
# https://forge.fedoraproject.org/infra/tickets/12428
|
|
- name: Hotfix for links to accounts.fpo
|
|
ansible.posix.patch:
|
|
src: files/0001-Fix-link-to-accounts.fpo-for-staging-for-adding-user.patch
|
|
dest: /usr/lib/python3.6/site-packages/pagure/themes/srcfpo/templates/group_info.html
|
|
tags:
|
|
- pagure
|
|
- hotfix
|