mirror of
https://pagure.io/fedora-infra/ansible.git
synced 2026-02-02 20:59:02 +08:00
a754144f19
This should update all the references we have to https://pagure.io/fedora-infrastructure to the new https://forge.fedoraproject.org/infra/tickets/ area. Do not merge this before the migration on tuesday. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
311 lines
8.1 KiB
YAML
311 lines
8.1 KiB
YAML
---
|
|
#
|
|
# Install packages needed for fedora people
|
|
#
|
|
- name: Install packages needed for fedora people
|
|
ansible.builtin.package: name={{ item }} state=present
|
|
with_items:
|
|
- cvs
|
|
- git
|
|
- mercurial
|
|
- lftp
|
|
- quota
|
|
- nano
|
|
- tree # requested in ticket 5148
|
|
- mod_ssl
|
|
- tar # requested in https://forge.fedoraproject.org/infra/tickets/12638
|
|
tags:
|
|
- packages
|
|
- people
|
|
|
|
- name: Install main httpd config
|
|
ansible.builtin.template: src=people.conf dest=/etc/httpd/conf.d/people.conf
|
|
tags:
|
|
- people
|
|
- sslciphers
|
|
|
|
- name: Install httpd config
|
|
ansible.builtin.copy: src={{item}} dest=/etc/httpd/conf.d/{{item}}
|
|
with_items:
|
|
- cgit.conf
|
|
- ssl.conf
|
|
- userdir.conf
|
|
tags:
|
|
- people
|
|
|
|
- name: Allow README in directory listing
|
|
ansible.builtin.replace:
|
|
path: /etc/httpd/conf.d/autoindex.conf
|
|
regexp: "(README[*])"
|
|
replace: ""
|
|
tags:
|
|
- people
|
|
|
|
|
|
- name: Install haveged for entropy
|
|
ansible.builtin.package: name=haveged state=present
|
|
tags:
|
|
- httpd
|
|
- httpd/proxy
|
|
|
|
- name: Set haveged running/enabled
|
|
service: name=haveged enabled=yes state=started
|
|
tags:
|
|
- service
|
|
- httpd
|
|
- httpd/proxy
|
|
|
|
- name: Empty default welcome.conf
|
|
ansible.builtin.copy: dest=/etc/httpd/conf.d/welcome.conf content=""
|
|
tags:
|
|
- people
|
|
|
|
- name: Start httpd
|
|
service: name="httpd" state=started
|
|
tags:
|
|
- people
|
|
|
|
- name: Set selinux booleans needed for people
|
|
seboolean: name={{ item }} state=true persistent=true
|
|
with_items:
|
|
- httpd_enable_homedirs
|
|
- git_cgi_enable_homedirs
|
|
- git_system_enable_homedirs
|
|
- antivirus_can_scan_system
|
|
- httpd_read_user_content
|
|
tags:
|
|
- people
|
|
|
|
- name: Check the selinux context of the users home git dirs
|
|
ansible.builtin.command: matchpathcon "/home/fedora/someone/public_git"
|
|
register: gitcontext
|
|
check_mode: no
|
|
changed_when: false
|
|
tags:
|
|
- config
|
|
- selinux
|
|
|
|
- name: Set the SELinux policy for the users home git dirs
|
|
ansible.builtin.command: semanage fcontext -a -t git_user_content_t "/home/fedora/(.*)/public_git(.*)"
|
|
when: gitcontext.stdout.find('git_user_content_t') == -1
|
|
tags:
|
|
- config
|
|
- selinux
|
|
|
|
- name: Check the selinux context of the project dirs
|
|
ansible.builtin.command: matchpathcon "/project"
|
|
register: gitcontext
|
|
check_mode: no
|
|
changed_when: false
|
|
tags:
|
|
- config
|
|
- selinux
|
|
|
|
- name: Set the SELinux policy for the project dirs
|
|
ansible.builtin.command: semanage fcontext -a -t httpd_sys_content_t "/project(.*)"
|
|
when: gitcontext.stdout.find('httpd_sys_content_t') == -1
|
|
tags:
|
|
- config
|
|
- selinux
|
|
|
|
- name: Check the selinux context of the web dir
|
|
ansible.builtin.command: matchpathcon "/srv/web"
|
|
register: gitcontext
|
|
check_mode: no
|
|
changed_when: false
|
|
tags:
|
|
- config
|
|
- selinux
|
|
|
|
- name: Set the SELinux policy for the web dir
|
|
ansible.builtin.command: semanage fcontext -a -t httpd_sys_content_t "/srv/web(/.*)?"
|
|
when: gitcontext.stdout.find('httpd_sys_content_t') == -1
|
|
tags:
|
|
- config
|
|
- selinux
|
|
|
|
- name: Check the selinux context of the people dir
|
|
ansible.builtin.command: matchpathcon "/srv/people"
|
|
register: gitcontext
|
|
check_mode: no
|
|
changed_when: false
|
|
tags:
|
|
- config
|
|
- selinux
|
|
|
|
- name: Set the SELinux policy for the web dir
|
|
ansible.builtin.command: semanage fcontext -a -t httpd_sys_content_t "/srv/people(/.*)?"
|
|
when: gitcontext.stdout.find('httpd_sys_content_t') == -1
|
|
tags:
|
|
- config
|
|
- selinux
|
|
|
|
# This is a file context alias, to let ansible know that /home and /srv/home
|
|
# are equal as far as contexts are concerned.
|
|
- name: Check the selinux context alias of the home dir
|
|
ansible.builtin.command: matchpathcon "/srv/home"
|
|
register: gitcontext
|
|
check_mode: no
|
|
changed_when: false
|
|
tags:
|
|
- config
|
|
- selinux
|
|
|
|
- name: Set the SELinux policy alias for the home dir
|
|
ansible.builtin.command: semanage fcontext -a -e /home /srv/home
|
|
when: gitcontext.stdout.find('home_root_t') == -1
|
|
tags:
|
|
- config
|
|
- selinux
|
|
|
|
# On RHEL 8.8 and newer, git operations fail because of dubious ownership. This should fix it.
|
|
- name: Configure git directories as safe
|
|
git_config:
|
|
name: safe.directory
|
|
scope: system
|
|
value: "*"
|
|
tags:
|
|
- config
|
|
- git
|
|
|
|
#
|
|
# This sets the default, it's safe to always run.
|
|
# Default quota for users is 2gb
|
|
#
|
|
- name: Set default xfs quotas on /srv
|
|
ansible.builtin.command: xfs_quota -x -c 'limit bsoft=2g bhard=2g -d' /srv
|
|
check_mode: no
|
|
register: xfs_quotaoutput
|
|
changed_when: "xfs_quotaoutput.rc != 0"
|
|
tags:
|
|
- people
|
|
- peoplequotas
|
|
|
|
#
|
|
# This sets quotas for people who requested more than default
|
|
# It's also safe to aways run.
|
|
#
|
|
- name: Set quotas for people who have more set
|
|
ansible.builtin.command: >-
|
|
xfs_quota -x -c 'limit bsoft={{ item.quota }} bhard={{ item.quota }} {{ item.user }}' /srv
|
|
with_items:
|
|
- {user: adamwill, quota: 8g}
|
|
- {user: apache, quota: 1000g}
|
|
- {user: ausil, quota: 10g}
|
|
- {user: bollocks, quota: 12g}
|
|
- {user: bpeck, quota: 4g}
|
|
- {user: dmalcolm, quota: 10g}
|
|
- {user: dmarlin, quota: 5g}
|
|
- {user: duffy, quota: 10g}
|
|
- {user: dustymabe, quota: 20g}
|
|
- {user: dwalsh, quota: 5g}
|
|
- {user: hadess, quota: 5g}
|
|
- {user: imcleod, quota: 15g}
|
|
- {user: jdulaney, quota: 5g}
|
|
- {user: jforbes, quota: 5g}
|
|
- {user: jibecfed, quota: 10g}
|
|
- {user: jnovy, quota: 5g}
|
|
- {user: kalev, quota: 5g}
|
|
- {user: kashyapc, quota: 5g}
|
|
- {user: lupinix, quota: 8g}
|
|
- {user: mimccune, quota: 3g}
|
|
- {user: nb, quota: 5g}
|
|
- {user: ngompa, quota: 10g}
|
|
- {user: nobody, quota: 1000g}
|
|
- {user: npmccallum, quota: 5g}
|
|
- {user: otaylor, quota: 5g}
|
|
- {user: parasense, quota: 5g}
|
|
- {user: pingou, quota: 15g}
|
|
- {user: planet-user, quota: 1000g}
|
|
- {user: puiterwijk, quota: 4g}
|
|
- {user: ppisar, quota: 4g}
|
|
- {user: pulpadmin, quota: 10g}
|
|
- {user: sapnetweavergatewayonfedora, quota: 5g}
|
|
- {user: slagle, quota: 7g}
|
|
- {user: spot, quota: 15g}
|
|
- {user: spstarr, quota: 4g}
|
|
- {user: svashisht, quota: 20g}
|
|
- {user: tflink, quota: 10g}
|
|
- {user: thunderbirdtr, quota: 3g}
|
|
- {user: zbyszek, quota: 20g}
|
|
- {user: zpericic, quota: 5g}
|
|
check_mode: no
|
|
register: xfs_quotaoutput
|
|
changed_when: "xfs_quotaoutput.rc != 0"
|
|
tags:
|
|
- people
|
|
- peoplequotas
|
|
|
|
- name: Create repos directory
|
|
ansible.builtin.file: path=/project/repos state=directory owner=root group=fedora-contributor mode=0775
|
|
tags:
|
|
- people
|
|
|
|
- name: Create repos link
|
|
ansible.builtin.file: state=link src=/project/repos dest=/srv/repos
|
|
tags:
|
|
- people
|
|
|
|
- name: Create groups link
|
|
ansible.builtin.file: state=link src=/project dest=/srv/groups
|
|
tags:
|
|
- people
|
|
|
|
- name: Setup script to grab download stats for some groups.
|
|
ansible.builtin.copy: src=grab-daily-logs.sh dest=/usr/local/bin/grab-daily-logs.sh mode=0755
|
|
tags:
|
|
- people
|
|
|
|
- name: Setup cron job to gather download stats
|
|
ansible.builtin.copy: src=grab-daily-logs.cron dest=/etc/cron.daily/grab-daily-logs mode=0755
|
|
tags:
|
|
- people
|
|
|
|
- name: Copy robots.txt for fedorapeople.org
|
|
ansible.builtin.copy: src=robots.txt dest=/srv/people/site/robots.txt
|
|
tags:
|
|
- people
|
|
|
|
- name: Copy static files to make main fedorapeople.org index page
|
|
ansible.builtin.copy: src=static/ dest=/srv/people/site/static
|
|
tags:
|
|
- people
|
|
|
|
- name: Copy static files for user pages
|
|
ansible.builtin.copy: src=userdefs/ dest=/srv/people/site/userdefs
|
|
tags:
|
|
- people
|
|
|
|
- name: Setup script to make main fedorapeople.org index page
|
|
ansible.builtin.copy: src=make-people-page.py dest=/usr/local/bin/make-people-page.py mode=755
|
|
tags:
|
|
- people
|
|
|
|
- name: Setup script check for broken planet confs
|
|
ansible.builtin.copy: src=check-broken-planet.py dest=/usr/local/bin/check-broken-planet.py mode=755
|
|
tags:
|
|
- people
|
|
|
|
- name: Setup cron to run make fedorapeople.org main index page
|
|
ansible.builtin.copy: src=make-people-page.cron dest=/etc/cron.d/make-people-page.cron mode=644
|
|
tags:
|
|
- people
|
|
|
|
- name: Setup cron to run the check for broken planet confs
|
|
ansible.builtin.copy: src=check-broken-planet.cron dest=/etc/cron.d/check-broken-planet.cron mode=644
|
|
tags:
|
|
- people
|
|
|
|
- name: Copy SSSd configuration
|
|
ansible.builtin.template:
|
|
src: sssd.conf
|
|
dest: /etc/sssd/sssd.conf
|
|
owner: root
|
|
group: root
|
|
mode: "0600"
|
|
tags:
|
|
- ipa/client
|
|
- config
|
|
notify:
|
|
- Restart sssd
|