WarlockFish/fedora-infra_ansible
1
0
Fork 0
mirror of https://pagure.io/fedora-infra/ansible.git synced 2026-06-27 23:57:02 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
a36c5a7a16ea1fa5f706be6b1db6551f652a4d87
fedora-infra_ansible/roles/pagure/tasks/main.yml
Kevin Fenzi a754144f19 Update infra pagure.io links to forge.fp.o (WIP) 
This should update all the references we have to
https://pagure.io/fedora-infrastructure to the
new https://forge.fedoraproject.org/infra/tickets/ area.

Do not merge this before the migration on tuesday.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2026-01-20 14:39:40 -08:00

694 lines
15 KiB
YAML
Raw Blame History

---
# Configuration for the pagure webapp
- name: Install needed packages
ansible.builtin.package:
name: "{{ item }}"
state: present
with_items:
- pagure
- pagure-ci
- pagure-ev
- pagure-loadjson
- pagure-logcom
- pagure-milters
- pagure-webhook
- pagure-theme-pagureio
- python3-flask-oidc
- python3-pagure-messages
- python3-psycopg2
- python3-pygments
- redis
- python3-libsemanage
- mod_ssl
- python3-mod_wsgi
- stunnel
- python3-httplib2
# Use haveged to ensure the server keeps some entropy
- haveged
tags:
- pagure
- packages
- name: Initialize postgres if necessary
ansible.builtin.command:
cmd: /usr/bin/postgresql-setup initdb
creates: /var/lib/pgsql/data
notify:
- Restart postgresql
tags:
- pagure
- name: Create the pagure DB user
become_user: postgres
become: true
community.postgresql.postgresql_user:
name: "{{ pagure_db_user }}"
password: "{{ pagure_db_pass }}"
tags:
- pagure
- postgresql
when: env != 'pagure-staging'
- name: Create the pagure DB user
become_user: postgres
become: true
community.postgresql.postgresql_user:
name: "{{ pagure_db_admin_user }}"
password: "{{ pagure_db_admin_pass }}"
tags:
- pagure
- postgresql
when: env != 'pagure-staging'
- name: Create the pagure database creation
become_user: postgres
become: true
community.postgresql.postgresql_db:
name: "{{ pagure_db_name }}"
owner: "{{ pagure_db_user }}"
encoding: UTF-8
tags:
- pagure
- postgresql
when: env != 'pagure-staging'
- name: Create the pagure DB user
become_user: postgres
become: true
community.postgresql.postgresql_user:
name: "{{ pagure_stg_db_user }}"
password: "{{ pagure_stg_db_pass }}"
tags:
- pagure
- postgresql
when: env == 'pagure-staging'
- name: Create the pagure DB user
become_user: postgres
become: true
community.postgresql.postgresql_user:
name: "{{ pagure_stg_db_admin_user }}"
password: "{{ pagure_stg_db_admin_pass }}"
tags:
- pagure
- postgresql
when: env == 'pagure-staging'
- name: Create the pagure database creation
become_user: postgres
become: true
community.postgresql.postgresql_db:
name: "{{ pagure_stg_db_name }}"
owner: "{{ pagure_stg_db_user }}"
encoding: UTF-8
tags:
- pagure
- postgresql
when: env == 'pagure-staging'
- name: Put in robots.txt
ansible.builtin.template:
src: robots.txt.j2
dest: /var/www/html/robots.txt
owner: root
group: root
mode: '0644'
tags:
- pagure
# https://forge.fedoraproject.org/infra/tickets/12428
- name: Hotfix for links to accounts.fpo
ansible.posix.patch:
src: files/hotfix/0001-Fix-link-to-accounts.fpo-for-staging-for-adding-user.patch
dest: /usr/lib/python3.6/site-packages/pagure/themes/srcfpo/templates/group_info.html
tags:
- pagure
- hotfix
when: inventory_hostname.startswith('pkgs')
- name: Create the "git" user
ansible.builtin.command:
cmd: useradd --create-home --home-dir=/srv/git/ git
creates: /srv/git/
tags:
- pagure
- name: Create the /attachments folder
ansible.builtin.file:
state: directory
path: /srv/attachments
owner: git
group: git
mode: '0775'
tags:
- pagure
- name: Create the /var/log/pagure folder where to store the logs
ansible.builtin.file:
state: directory
path: /var/log/pagure
owner: git
group: git
mode: '0775'
tags:
- pagure
- fix_log
- hotfix
# Fix for https://forge.fedoraproject.org/infra/tickets/11957
- name: Set ACL for newly created files in /var/log/pagure
ansible.posix.acl:
path: /var/log/pagure
default: true
etype: group
permissions: "rw"
state: present
tags:
- pagure
- fix_log
# This now fails when there are broken symlinks. Lets figure out a better way to do this - kevin
# - name: Adjust owner of /srv/git
# ansible.builtin.file: name=/srv/git state=directory recurse=yes owner=git group=git
# tags:
# - gitolite
- name: Create all the directories where we store the git repos
ansible.builtin.file:
state: directory
path: "{{ item }}"
owner: git
group: git
mode: '0775'
with_items:
- /srv/git/repositories/
- /srv/git/repositories/forks
- /srv/git/repositories/docs
- /srv/git/repositories/tickets
- /srv/git/repositories/requests
- /srv/git/remotes
tags:
- pagure
- name: Create the /srv/tmp folder where to clone repos
ansible.builtin.file:
state: directory
path: /srv/tmp
owner: git
group: git
mode: '0775'
tags:
- pagure
# On RHEL 8.8 and newer, git operations fail because of dubious ownership. This should fix it.
- name: Configure git directories as safe
community.general.git_config:
name: safe.directory
scope: system
value: "*"
tags:
- pagure
# Set things up for the mirroring feature
- name: Create the `paguremirroring` group
ansible.builtin.group:
name: paguremirroring
state: present
tags:
- pagure
- mirror
- name: Create the `paguremirroring` user
ansible.builtin.user:
name: paguremirroring
group: paguremirroring
groups: paguremirroring,git
shell: /bin/nologin
home: /srv/mirror
tags:
- pagure
- mirror
# Set-up postfix and the milter for postfix
- name: Add the /etc/aliases file
ansible.builtin.copy:
src: aliases
dest: /etc/aliases
owner: root
group: root
mode: '0644'
tags:
- config
- pagure
- postfix
notify:
- Restart postfix
- Restart pagure_milter
# Override pagure_ev systemd service file
- name: Install pagure_ev service definition
ansible.builtin.copy:
src: pagure_ev.service
dest: /usr/lib/systemd/system/pagure_ev.service
owner: root
group: root
mode: '0644'
notify:
- Reload systemd
- Restart pagure_ev
tags:
- pagure
- pagure_ev
# Set-up stunnel for the event source server
- name: Install stunnel service definition
ansible.builtin.copy:
src: stunnel.service
dest: /usr/lib/systemd/system/stunnel.service
owner: root
group: root
mode: '0644'
notify:
- Reload systemd
- Restart stunnel
tags:
- pagure
- stunnel
- name: Install stunnel.conf
ansible.builtin.template:
src: "{{ item.file }}"
dest: "{{ item.dest }}"
owner: root
group: root
mode: '0600'
with_items:
- {file: stunnel-conf.j2, dest: /etc/stunnel/stunnel.conf}
notify: Restart stunnel
tags:
- pagure
- stunnel
- config
- name: Add the different service files for the different services
ansible.builtin.copy:
src: "{{ item }}.service"
dest: "/etc/systemd/system/{{ item }}.service"
owner: root
group: root
mode: '0755'
with_items:
- pagure_fast_worker
- pagure_medium_worker
- pagure_slow_worker
- pagure_mirror
notify:
- Reload systemd
tags:
- pagure
# setup fedora-messaging
- name: Install fedora-messaging as a dependency
ansible.builtin.package:
name: "{{ item }}"
state: present
with_items:
- python3-fedora-messaging
tags:
- pagure
- fedora-messaging
- name: Create the config folder for fedora-messaging
ansible.builtin.file:
path: /etc/fedora-messaging/
owner: root
group: root
mode: '0755'
state: directory
tags:
- pagure
- fedora-messaging
- name: Install the configuration file for fedora-messaging
ansible.builtin.template:
src: fedora-messaging.toml
dest: /etc/fedora-messaging/config.toml
owner: root
group: root
mode: '0644'
tags:
- pagure
- fedora-messaging
- name: Create folder where we'll place the certs
ansible.builtin.file:
path: /etc/pki/rabbitmq/pagurecert/
owner: root
group: root
mode: '0755'
state: directory
tags:
- pagure
- fedora-messaging
- name: Deploy pagure/rabbitmq certificate
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "/etc/pki/rabbitmq/pagurecert/{{ item.dest }}"
owner: "{{ item.owner }}"
group: "{{ item.group }}"
mode: "{{ item.mode }}"
when: env == 'pagure-staging'
with_items:
- src: "{{private}}/files/rabbitmq/staging/pki/issued/pagure.stg.crt"
dest: pagure.crt
owner: git
group: root
mode: "444"
- src: "{{private}}/files/rabbitmq/staging/pki/private/pagure.stg.key"
dest: pagure.key
owner: git
group: root
mode: "440"
- src: "{{private}}/files/rabbitmq/staging/ca-combined.crt"
dest: pagure.ca
owner: git
group: root
mode: "444"
tags:
- pagure
- fedora-messaging
- name: Deploy pagure/rabbitmq certificate
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "/etc/pki/rabbitmq/pagurecert/{{ item.dest }}"
owner: "{{ item.owner }}"
group: "{{ item.group }}"
mode: "{{ item.mode }}"
when: env != 'pagure-staging'
with_items:
- src: "{{private}}/files/rabbitmq/production/pki/issued/pagure.crt"
dest: pagure.crt
owner: git
group: root
mode: "444"
- src: "{{private}}/files/rabbitmq/production/pki/private/pagure.key"
dest: pagure.key
owner: git
group: root
mode: "440"
- src: "{{private}}/files/rabbitmq/production/ca-combined.crt"
dest: pagure.ca
owner: git
group: root
mode: "444"
tags:
- pagure
- fedora-messaging
# Set-up Pagure
- name: Create the folders used for releases and archives
ansible.builtin.file:
state: directory
path: "{{ item }}"
owner: git
group: git
mode: '0775'
with_items:
- /var/www/releases
- /var/www/archives
tags:
- pagure
- web
- name: Copy sundry pagure configuration
ansible.builtin.template:
src: "{{ item.file }}"
dest: "{{ item.location }}/{{ item.file }}"
owner: git
group: postfix
mode: '0640'
with_items:
- {file: pagure.cfg, location: /etc/pagure}
- {file: alembic.ini, location: /etc/pagure}
tags:
- config
- web
- pagure
notify:
- Restart apache
- name: Install client_secrets for ipsilon
ansible.builtin.template:
src: client_secrets.json
dest: /etc/pagure
owner: git
group: postfix
mode: '0640'
tags:
- config
- web
- pagure
- name: Create the database scheme
ansible.builtin.command:
cmd: /usr/bin/python3 /usr/share/pagure/pagure_createdb.py
changed_when: "1 != 1"
environment:
PAGURE_CONFIG: /etc/pagure/pagure.cfg
tags:
- web
- pagure
- name: Install the configuration file to activate https
ansible.builtin.template:
src: "{{ item }}"
dest: "/etc/httpd/conf.d/{{ item }}"
owner: root
group: root
mode: '0644'
with_items:
- 0_pagure.conf
- securityheaders.conf
tags:
- files
- config
- pagure
- sslciphers
notify:
- Restart apache
- name: Install the wsgi file
ansible.builtin.template:
src: "{{ item }}"
dest: "/var/www/{{ item }}"
owner: git
group: git
mode: '0644'
with_items:
- pagure.wsgi
- docs_pagure.wsgi
tags:
- config
- web
- pagure
notify:
- Restart apache
- name: Let paguremirroring read the pagure config
ansible.builtin.command:
cmd: /usr/bin/setfacl -m user:paguremirroring:rx /etc/pagure/pagure.cfg
changed_when: false
tags:
- pagure
- mirror
- name: Add default facl so apache can read git repos
ansible.posix.acl:
default: yes
etype: user
entity: apache
permissions: "rx"
name: /srv/git
state: present
register: acl_updates
tags:
- pagure
- name: Manually fix current default ACLs since Ansible doesnt know recursive acls # noqa no-handler
when: acl_updates.changed
ansible.builtin.command: /usr/bin/setfacl -Rdm user:apache:rx /srv/git
changed_when: true
tags:
- pagure
- name: Manually fix current ACLs since Ansible doesnt know recursive acls # noqa no-handler
when: acl_updates.changed
ansible.builtin.command: /usr/bin/setfacl -Rm user:apache:rx /srv/git
changed_when: true
tags:
- pagure
# Import SELinux configuration tasks
- name: Import SELinux configuration tasks
ansible.builtin.import_tasks: selinux.yml
tags:
- selinux
- pagure
# Hotfix(es)
- name: Install the python3-only version of the stream_server so it works
ansible.builtin.copy:
src: pagure_stream_server.py
dest: /usr/libexec/pagure-ev/pagure_stream_server.py
owner: root
group: root
mode: '0755'
tags:
- pagure
- hotfix
notify:
- Restart pagure_ev
# Ensure all the services are up and running
- name: Start and enable httpd, postfix, pagure_milter
ansible.builtin.service:
name: "{{ item }}"
enabled: yes
state: started
with_items:
- httpd
- postfix
- stunnel
- redis
- pagure_ev
- pagure_ci
- pagure_loadjson
- pagure_logcom
- pagure_milter
- pagure_webhook
- pagure_worker
- pagure_gitolite_worker
- pagure_fast_worker
- pagure_medium_worker
- pagure_slow_worker
- pagure_mirror
# - pagure_api_key_expire_mail
# - pagure_api_key_expire_mail.timer
- pagure_mirror_project_in
- pagure_mirror_project_in.timer
- haveged
# Lint change: revert c5ca51336411fe034c738fc166bc6ba9a22056ba
ignore_errors: true
# result.rc doesn't exist, also I don't think this does the same thing?
# failed_when: result.rc != 0
tags:
- pagure
- service
- postfix
- name: Setup logrotate to our needs
ansible.builtin.template:
src: "{{ files }}/httpd/httpd.logrotate.j2"
dest: /etc/logrotate.d/httpd
owner: root
group: root
mode: '0644'
tags:
- config
- apache
- name: Add SAR script for pagure
ansible.builtin.copy:
src: pagure_sar.py
dest: /usr/local/bin/pagure_sar.py
owner: git
group: git
mode: '0700'
tags:
- SAR
- GDPR
- pagure
- name: Remove the default syslog logrotate file
ansible.builtin.file: dest=/etc/logrotate.d/syslog state=absent
tags:
- pagure
- logrotate
- name: Add out rsyslog logrotate file
ansible.builtin.copy:
src: rsyslog-logrotate
dest: /etc/logrotate.d/rsyslog
owner: root
group: root
mode: '0644'
tags:
- pagure
- logrotate
- name: Letsencrypt for stg.pagure.io
ansible.builtin.include_role:
name: letsencrypt
vars:
site_name: stg.pagure.io
server_aliases:
- releases.stg.pagure.org
- docs.stg.pagure.org
- stg.pagure.org
when: env == 'pagure-staging'
tags:
- pagure
- letsencrypt
- name: Letsencrypt for pagure.io
ansible.builtin.include_role:
name: letsencrypt
vars:
site_name: pagure.io
server_aliases:
- releases.pagure.org
- docs.pagure.org
- pagure.org
- www.pagure.io
- lists.pagure.io
when: env != 'pagure-staging'
tags:
- pagure
- letsencrypt
# httplib2 0.10.3, as available in EL8, hardcodes TLSv1. The next version
# (0.11.0) chooses the TLS version that is supported by both client and server.
# That variable is only available since Python 3.5+, but EL8 has Python 3.6, so
# we're good to patch. The alternative would be for EL8 to update httplib2 to
# at least version 0.11.0.
- name: Patch httplib2 to not hardcode TLSv1, which is not accepted by Ipsilon
ansible.builtin.replace:
path: /usr/lib/python3.6/site-packages/httplib2/__init__.py
regexp: 'ssl\.PROTOCOL_TLSv1'
replace: 'ssl.PROTOCOL_TLS'
tags:
- pagure
- hotfix
# Zabbix monitoring of the Pagure cert
# TODO this should probably be done on certgetter, via discovery...
- name: Include Zabbix cert monitoring for Pagure
ansible.builtin.include_tasks: monitoring.yml
tags:
- zabbix_agent
- zabbix_api
- pagure
Reference in New Issue View Git Blame Copy Permalink