Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

Remove infinote from ansible

Browse source 
Signed-off-by: Clement Verna <cverna@tutanota.com>
This commit is contained in:
Clement Verna 2019-09-03 21:02:04 +02:00 committed by Pierre-Yves Chibon
parent 564c358b09
commit 8287cfd75a
17 changed files with 6 additions and 422 deletions
Download patch file Download diff file Expand all files Collapse all files

3
inventory/backups
View file

@ -1,5 +1,5 @@
#
# This is the list of clients we backup with rdiff-backup.
# This is the list of clients we backup with rdiff-backup.
#
[backup_clients]
db01.phx2.fedoraproject.org
@ -8,7 +8,6 @@ db-datanommer02.phx2.fedoraproject.org
db-fas01.phx2.fedoraproject.org
batcave01.phx2.fedoraproject.org
ci-cc-rdu01.fedoraproject.org
infinote.fedoraproject.org
pagure01.fedoraproject.org
people02.fedoraproject.org
pkgs02.phx2.fedoraproject.org

41
inventory/group_vars/infinote
View file

@ -1,41 +0,0 @@
---
# Define resources for this group of hosts here.
lvm_size: 20000
mem_size: 4096
num_cpus: 2
# for systems that do not match the above - specify the same parameter in
# the host_vars/$hostname file
custom_rules: [
# Need for rsync from log01 for logs.
'-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
]
tcp_ports: [80, 443, 6523, 9418]
fas_client_groups: sysadmin-noc,fi-apprentice,sysadmin-veteran
freezes: false
git_port: 9418
git_server: /usr/libexec/git-core/git-daemon
git_server_args: --export-all --syslog --inetd --verbose
git_basepath: /srv/web
git_daemon_user: nobody
# For the MOTD
csi_security_category: Low
csi_primary_contact: Fedora admins - admin@fedoraproject.org
csi_purpose: Run the 'infinote' backend for gobby
csi_relationship: |
There are a few things running here:
- infinote server for gobby
- cgit server to serve gobby content
- web server
- This host relies on: Nothing
- Things that rely on this host: Nothing

7
inventory/inventory
View file

@ -997,8 +997,8 @@ value
[fedmsg_ircs_stg:children]
value_stg
# This group is for "instances" we have in inventory but do not
# want to monitor in nagios because they don't really exist as
# This group is for "instances" we have in inventory but do not
# want to monitor in nagios because they don't really exist as
# hosts you can monitor.
[nixnagios]
# This is the centos-ci relay hosts as fedmsg sees it
@ -1284,9 +1284,6 @@ pagure01.fedoraproject.org
[pagure_stg]
pagure-stg01.fedoraproject.org
[infinote]
infinote.fedoraproject.org
[gnome_backups]
gnome-backups01.phx2.fedoraproject.org

1
master.yml
View file

@ -48,7 +48,6 @@
- import_playbook: /srv/web/infra/ansible/playbooks/groups/freshmaker.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/github2fedmsg.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/gnome-backups.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/infinote.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/ipa.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/kerneltest.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/keyserver.yml

45
playbooks/groups/infinote.yml
View file

@ -1,45 +0,0 @@
# create a new infinote server
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=infinote"
- name: make the boxen be real for real
hosts: infinote
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- base
- rkhunter
- nagios_client
- hosts
- fas_client
- sudo
- collectd/base
- openvpn/client
- cgit/base
- cgit/clean_lock_cron
- cgit/make_pkgs_list
- git/server
- role: apache
- role: httpd/mod_ssl
- infinote
- role: letsencrypt
site_name: 'infinote.fedoraproject.org'
certbot_addhost: 'infinote.fedoraproject.org'
pre_tasks:
- import_tasks: "{{ tasks_path }}/yumrepos.yml"
tasks:
- import_tasks: "{{ tasks_path }}/2fa_client.yml"
- import_tasks: "{{ tasks_path }}/motd.yml"
- name: tweak ssl key
file: path=/etc/pki/tls/private/infinote.fedoraproject.org.key group=infinote mode=640
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"

7
playbooks/include/proxies-websites.yml
View file

@ -58,7 +58,6 @@
- localhost
- www.fedoraproject.org
- hotspot-nocache.fedoraproject.org
- infinote.fedoraproject.org
# This is for all the other domains we own
# that redirect to https://fedoraproject.org
@ -478,7 +477,7 @@
sslonly: true
server_aliases: [transtats.stg.fedoraproject.org]
cert_name: "{{wildcard_cert_name}}"
tags:
tags:
- transtats
- role: httpd/website
@ -1051,8 +1050,8 @@
#
# We setup this site for old ols papers
# This used to be on fedorapeople.org, but a new 'ols' user showed up, so
# that no longer works.
# This used to be on fedorapeople.org, but a new 'ols' user showed up, so
# that no longer works.
#
- role: httpd/website
site_name: ols.fedoraproject.org

75
roles/cgit/base/files/cgitrc.infinote
View file

@ -1,75 +0,0 @@
#
# See cgitrc(5) or /usr/share/doc/cgit-*/cgitrc.5.html for details
#
# Enable caching of up to 1000 output entries
cache-size=1000
# Specify some default clone prefixes
clone-prefix=https://infinote.fedoraproject.org/
# Specify the css url
css=/cgit-data/cgit.css
# Show extra links for each repository on the index page
enable-index-links=1
# Enable ASCII art commit history graph on the log pages
enable-commit-graph=1
# Show number of affected files per commit on the log pages
enable-log-filecount=1
# Show number of added/removed lines per commit on the log pages
enable-log-linecount=1
# Add a cgit favicon
#favicon=/favicon.ico
# Use a custom logo
logo=/cgit-data/cgit.png
# Enable statistics per week, month and quarter
max-stats=quarter
# Set the title and heading of the repository index page
root-title=Fedora Project infinote document changes
# Set a subheading for the repository index page
#root-desc=tracking the foobar development
# Include some more info about this site on the index page
#root-readme=/var/www/html/about.html
# Allow download of tar.gz, tar.bz2 and zip-files
snapshots=tar.gz tar.xz zip
##
## List of common mimetypes
##
mimetype.gif=image/gif
mimetype.html=text/html
mimetype.jpg=image/jpeg
mimetype.jpeg=image/jpeg
mimetype.pdf=application/pdf
mimetype.png=image/png
mimetype.svg=image/svg+xml
# Enable syntax highlighting (requires the highlight package)
#source-filter=/usr/libexec/cgit/filters/syntax-highlighting.sh
#email-filter=lua:/usr/libexec/cgit/filters/email-libravatar-korg.lua
##
## List of repositories.
## PS: Any repositories listed when section is unset will not be
## displayed under a section heading
## PPS: This list could be kept in a different file (e.g. '/etc/cgitrepos')
## and included like this:
repo.name=infinote
repo.url=infinote
repo.path=/srv/web/infinote/.git/
repo.owner=infinote
repo.desc=Fedoraproject infinote git backing store

5
roles/cgit/base/tasks/main.yml
View file

@ -43,11 +43,6 @@
when: inventory_hostname.startswith('batcave')
tags: cgit
- name: put cgitrc in place for infinote
copy: src=cgitrc.infinote dest=/etc/cgitrc owner=root mode=0644
when: inventory_hostname.startswith('infinote')
tags: cgit
#- name: install the libravatar filter
# copy: src=email-libravatar-korg.lua dest=/usr/libexec/cgit/filters/email-libravatar-korg.lua owner=root group=root mode=0755
# tags: cgit

1
roles/cgit/make_pkgs_list/files/cgit-projects-infinote
View file

@ -1 +0,0 @@
infinote.git

5
roles/cgit/make_pkgs_list/tasks/main.yml
View file

@ -31,11 +31,6 @@
when: inventory_hostname.startswith('batcave')
tags: cgit
- name: install the file for infinote
copy: src=cgit-projects-infinote dest=/etc/cgit-projects-infinote mode=0644
when: inventory_hostname.startswith('infinote')
tags: cgit
- name: install the cron job
cron: >
name="make-cgit-pkgs-list" cron_file="ansible-make-cgit-pkgs-list"

3
roles/infinote/files/gitconfig
View file

@ -1,3 +0,0 @@
[user]
email = nobody@fedoraproject.org
name = infinote

4
roles/infinote/files/infinoted-git-commit
View file

@ -1,4 +0,0 @@
#!/bin/bash
cd /srv/web/infinote
git add . >/dev/null
git commit -a --author="infinote <nobody@fedoraproject.org>" -m "Automated Commit of $1" >/dev/null

13
roles/infinote/files/infinoted.service
View file

@ -1,13 +0,0 @@
[Unit]
Description=infinoted server
After=network.target
Documentation=https://github.com/gobby/libinfinity
[Service]
ExecStart=/usr/bin/infinoted-0.6
User=infinote
Group=infinote
Type=simple
[Install]
WantedBy=multi-user.target

2
roles/infinote/handlers/main.yml
View file

@ -1,2 +0,0 @@
- name: restart infinoted
service: name=infinoted state=restarted

95
roles/infinote/tasks/main.yml
View file

@ -1,95 +0,0 @@
#
# This role sets up the various packages and scripts needed for a infinote server
#
#
# make directory for nfs mounts to live in
#
- name: create an infinoted user
user: name=infinote state=present home=/home/infinote createhome=yes shell=/sbin/nologin
tags:
- infinote
- config
- name: Setup basic git config for infinote user
copy: src=gitconfig dest=/home/infinote/.gitconfig
tags:
- infinote
- config
- name: Setup basic apache config
template: src=infinote.fedoraproject.org.conf dest=/etc/httpd/conf.d/infinote.fedoraproject.org.conf
tags:
- infinote
- config
- name: create /srv/web for web content
file: dest=/srv/web state=directory mode=755 owner=infinote group=infinote
tags:
- infinote
- config
- name: check the selinux context of /srv/web
command: matchpathcon /srv/web
register: webdir
check_mode: no
changed_when: "1 != 1"
tags:
- infinote
- config
- selinux
- httpd
- httpd/website
- name: /srv/web selinux context
command: semanage fcontext -a -t git_content_t "/srv/web(/.*)?"
when: webdir.stdout.find('git_content_t') == -1
tags:
- infinote
- config
- selinux
- httpd
- httpd/website
- name: create /srv/infinote for infinote content
file: dest=/srv/infinote state=directory mode=755 owner=infinote group=infinote
tags:
- infinote
- config
- name: install packages needed
package: name={{ item }} state=present
with_items:
- infinoted
tags:
- infinote
- config
- name: add systemd unit file to start infinote daemon
copy: src=infinoted.service dest=/etc/systemd/system/infinoted.service
notify: reload systemd
tags:
- infinote
- config
- name: enable infinoted
service: name=infinoted state=started enabled=true
tags:
- infinote
- config
- name: add config file for infinoted
template: src=infinoted.conf dest=/etc/xdg/infinoted.conf
notify: restart infinoted
tags:
- infinote
- config
- name: add git commit script for infinote
copy: src=infinoted-git-commit dest=/usr/local/bin/infinoted-git-commit mode=0755
tags:
- infinote
- config

98
roles/infinote/templates/infinote.fedoraproject.org.conf
View file

@ -1,98 +0,0 @@
Listen 443
<VirtualHost *:80>
ServerName infinote.fedoraproject.org
ServerAdmin webmaster@fedoraproject.org
TraceEnable Off
# enable git smart http cloning.
SetEnv GIT_PROJECT_ROOT /srv/web/infra/
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAliasMatch \
"(?x)^/(.*/(HEAD | \
info/refs | \
objects/(info/[^/]+ | \
[0-9a-f]{2}/[0-9a-f]{38} | \
pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
git-(upload|receive)-pack))$" \
/usr/libexec/git-core/git-http-backend/$1
#
# redirect everyone to use https
#
# We can't do this until virt-install can handle https
RewriteEngine on
RewriteRule ^/\.well-known/(.*) "http://fedoraproject.org/\.well-known/$1" [L,R=301,NE]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [L,R]
# robots location
Alias /robots.txt /srv/web/robots.txt.infinote
DocumentRoot /srv/web
<Directory /srv/web>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
# Needed for cgit cgi
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<Directory "/usr/share/cgit">
AllowOverride None
Options None
Require all granted
</Directory>
<Directory "/usr/libexec/git-core">
AllowOverride None
Options None
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerName infinote.fedoraproject.org
ServerAdmin webmaster@fedoraproject.org
# enable git smart http cloning.
SetEnv GIT_PROJECT_ROOT /srv/web/infra/
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAliasMatch \
"(?x)^/(.*/(HEAD | \
info/refs | \
objects/(info/[^/]+ | \
[0-9a-f]{2}/[0-9a-f]{38} | \
pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
git-(upload|receive)-pack))$" \
/usr/libexec/git-core/git-http-backend/$1
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/infinote.fedoraproject.org.cert
SSLCertificateKeyFile /etc/pki/tls/private/infinote.fedoraproject.org.key
SSLCertificateChainFile /etc/pki/tls/certs/infinote.fedoraproject.org.intermediate.cert
Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
SSLHonorCipherOrder On
# https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14
# If you change the protocols or cipher suites, you should probably update
# modules/squid/files/squid.conf-el6 too, to keep it in sync.
SSLProtocol {{ ssl_protocols }}
SSLCipherSuite {{ ssl_ciphers }}
# robots location
Alias /robots.txt /srv/web/robots.txt.lockbox01
DocumentRoot /srv/web
<Directory /srv/web>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
</VirtualHost>

23
roles/infinote/templates/infinoted.conf
View file

@ -1,23 +0,0 @@
[infinoted]
certificate-file=/etc/pki/tls/certs/infinote.fedoraproject.org.cert
key-file=/etc/pki/tls/private/infinote.fedoraproject.org.key
certificate-chain=/etc/pki/tls/certs/infinote.fedoraproject.org.intermediate.cert
port=6523
security-policy=require-tls
root-directory=/srv/infinote
plugins=note-text;autosave;directory-sync;logging
[autosave]
interval=60
[directory-sync]
directory=/srv/web/infinote
interval=60
hook=/usr/local/bin/infinoted-git-commit
[logging]
log-connections=true
log-connection-errors=true
log-session-errors=true
log-session-request-extra=true