Infrastructure/ansible
5
0
Fork 0
Code Issues Pull requests 3 Projects Releases Packages Wiki Activity Actions
ansible/roles/distgit/pagure/tasks/main.yml
Kevin Fenzi 07c894ea21 pkgs: drop recursive call to facl setting 
In a0046b5b4b there was a bunch of fixes for ansible lint to the
distgit/pagure roles.

However, it seems like a
recursive: true
was added to the facl call, when it wasn't present before.

I noticed this when my playbook run on pkgs was running for several
hours. ;(

I don't think there's any reason to run this recursively,
as permissions should inherit from the top level one and have always
worked without it.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-05-29 15:28:21 -07:00

442 lines
9.2 KiB
YAML
Raw Blame History

---
# Configuration for the pagure webapp
- name: Install needed packages
ansible.builtin.package:
name: "{{ item }}"
state: present
with_items:
- pagure
- pagure-ev
- pagure-logcom
- pagure-milters
- pagure-webhook
- python3-psycopg2
- redis
- python3-libsemanage
- python3-fedora-flask
- python3-flask-oidc
- pagure-dist-git
tags:
- pagure
- packages
- name: Install needed packages
ansible.builtin.package:
name: "{{ item }}"
state: present
with_items:
- pagure-theme-srcfpo
tags:
- pagure
- packages
- name: >-
Set httpd_can_network_connect flag on and keep it persistent across reboots so apache can talk
to redis
ansible.posix.seboolean:
name: httpd_can_network_connect
state: yes
persistent: yes
# Set-up Pagure
- name: Create a group pagure we can use
ansible.builtin.group:
name: pagure
tags:
- pagure
- name: Create an user we can run pagure under
ansible.builtin.user:
name: pagure
group: packager
append: yes
tags:
- pagure
# https://pagure.io/pagure/pull-request/5525
- name: Fix the API call with token
ansible.posix.patch:
src: files/api_project.patch
dest: /usr/lib/python3.6/site-packages/pagure/api/project.py
tags:
- pagure
- hotfix
- name: Create the "git" user
ansible.builtin.command:
cmd: useradd --create-home --home-dir=/srv/git/ git
creates: /srv/git/
when: env == 'staging'
tags:
- pagure
- name: Add the git user to the packager group
ansible.builtin.user:
name: git
group: packager
append: yes
when: env == 'staging'
tags:
- pagure
- name: Create the /var/log/pagure folder where to store the logs
ansible.builtin.file:
state: directory
path: /var/log/pagure
owner: pagure
group: packager
mode: u+rwx,g+rwxs,o+rx
tags:
- pagure
- hotfix
# Fix for https://pagure.io/fedora-infrastructure/issue/11957
- name: Set ACL for newly created files in /var/log/pagure
ansible.posix.acl:
path: /var/log/pagure
default: true
etype: group
permissions: "rw"
state: present
tags:
- pagure
- fix_log
- name: Create the /srv/tmp folder where to clone repos
ansible.builtin.file:
state: directory
path: /srv/tmp
owner: pagure
group: pagure
mode: "0775"
tags:
- pagure
- name: Copy sundry pagure configuration
ansible.builtin.template:
src: "{{ item.file }}"
dest: "{{ item.location }}/{{ item.file }}"
owner: pagure
group: postfix
mode: "0640"
with_items:
- file: pagure.cfg
location: /etc/pagure
- file: alembic.ini
location: /etc/pagure
- file: pagure_plugins.cfg
location: /etc/pagure
- file: client_secrets.json
location: /etc/pagure
tags:
- config
- web
- pagure
notify:
- Restart apache
- name: Pagure configuration for the hooks
ansible.builtin.template:
src: "{{ item.file }}"
dest: "{{ item.location }}/{{ item.file }}"
owner: pagure
group: packager
mode: "0640"
with_items:
- file: pagure_hook.cfg
location: /etc/pagure
tags:
- config
- web
- pagure
notify:
- Restart apache
- name: Create the database scheme
ansible.builtin.command: /usr/bin/python3 /usr/share/pagure/pagure_createdb.py
changed_when: "1 != 1"
environment:
PAGURE_CONFIG: /etc/pagure/pagure.cfg
tags:
- web
- pagure
- name: Create all the directories where we store the git repos
ansible.builtin.file:
state: directory
path: "{{ item }}"
owner: root
group: packager
mode: "2775"
with_items:
- /srv/git/repositories/
- /srv/git/repositories/forks
- /srv/git/repositories/requests
- /srv/git/repositories/tickets
tags:
- gitolite
- pagure
- name: Create the remotes folder so pagure can clone remote repos
ansible.builtin.file:
state: directory
path: "{{ item }}"
owner: root
group: packager
mode: "2775"
with_items:
- /srv/git/remotes
tags:
- gitolite
- pagure
# On RHEL 8.8 and newer, git operations fail because of dubious ownership. This should fix it.
- name: Configure git directories as safe
community.general.git_config:
name: safe.directory
scope: system
value: "*"
tags:
- pagure
- name: Install the apache configuration file
ansible.builtin.template:
src: "{{ item }}"
dest: "/etc/httpd/conf.d/{{ item }}"
owner: root
group: root
mode: "0644"
with_items:
- z_pagure.conf
tags:
- files
- config
- pagure
notify:
- Restart apache
- name: Install the wsgi file
ansible.builtin.template:
src: "{{ item }}"
dest: "/var/www/{{ item }}"
owner: pagure
group: pagure
mode: "0644"
with_items:
- pagure.wsgi
tags:
- config
- web
- pagure
notify:
- Restart apache
- name: Add default facl so apache can read git repos
ansible.posix.acl:
default: yes
etype: user
entity: apache
permissions: "rx"
name: /srv/git
state: present
register: acl_updates
tags:
- pagure
- name: Override the default pagure_worker.service file to change the user it is run under
ansible.builtin.copy:
src: "{{ item }}.service"
dest: "/etc/systemd/system/{{ item }}.service"
owner: root
group: root
mode: "0755"
with_items:
- pagure_ev
- pagure_logcom
- pagure_webhook
- pagure_worker
notify:
- Reload systemd
tags:
- pagure
- name: Configure SELinux in dist-git/pagure
ansible.builtin.import_tasks: selinux.yml
tags:
- selinux
# Cron job to export extras information from the pagure DB
- name: Install the apache configuration file for /extras
ansible.builtin.copy:
src: "{{ item }}"
dest: "/etc/httpd/conf.d/{{ item }}"
owner: root
group: root
mode: "0644"
with_items:
- pagure_cron.conf
tags:
- files
- config
- pagure
notify:
- Restart apache
- name: Create the /srv/cache/extras folder for the crons
ansible.builtin.file:
state: directory
path: /srv/cache/extras
owner: apache
group: apache
mode: "0775"
tags:
- pagure
- name: Configure cron job for a hourly pagure_poc
ansible.builtin.cron:
name: pagure-poc
user: root
minute: 0
job: /usr/bin/python3 /usr/libexec/pagure-dist-git/pagure_poc.py /srv/cache/extras
cron_file: pagure-poc
state: present
tags:
- pagure
- name: Configure cron job for a hourly pagure_bz
ansible.builtin.cron:
name: pagure-poc
user: root
minute: 0
job: /usr/bin/python3 /usr/libexec/pagure-dist-git/pagure_bz.py /srv/cache/extras
cron_file: pagure-bz
state: present
tags:
- pagure
- name: Configure cron job for a hourly pagure_owner_alias
ansible.builtin.cron:
name: pagure-poc
user: root
minute: 0
job: /usr/bin/python3 /usr/libexec/pagure-dist-git/pagure_owner_alias.py /srv/cache/extras
cron_file: pagure-owner-alias
state: present
tags:
- pagure
# setup fedora-messaging
- name: Install fedora-messaging as a dependency
ansible.builtin.package:
name: "{{ item }}"
state: present
with_items:
- fedora-messaging
tags:
- pagure
- fedora-messaging
- name: Create the config folder for fedora-messaging
ansible.builtin.file:
path: /etc/fedora-messaging/
owner: root
group: root
mode: "0755"
state: directory
tags:
- pagure
- fedora-messaging
- name: Install the configuration file for fedora-messaging
ansible.builtin.template:
src: fedora-messaging.toml
dest: /etc/fedora-messaging/config.toml
mode: "0644"
tags:
- pagure
- fedora-messaging
- name: Create folder where we'll place the certs
ansible.builtin.file:
path: /etc/pki/rabbitmq/pagurecert/
owner: root
group: root
mode: "0755"
state: directory
tags:
- pagure
- fedora-messaging
- name: Deploy pagure/rabbitmq certificate
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "/etc/pki/rabbitmq/pagurecert/{{ item.dest }}"
owner: "{{ item.owner }}"
group: "{{ item.group }}"
mode: "{{ item.mode }}"
with_items:
- src: "{{ private }}/files/rabbitmq/{{ env }}/pki/issued/pagure{{ env_suffix }}.crt"
dest: src.fp.o.crt
owner: pagure
group: packager
mode: "444"
- src: "{{ private }}/files/rabbitmq/{{ env }}/pki/private/pagure{{ env_suffix }}.key"
dest: src.fp.o.key
owner: pagure
group: packager
mode: "440"
- src: "{{ private }}/files/rabbitmq/{{ env }}/ca-combined.crt"
dest: src.fp.o.ca
owner: pagure
group: packager
mode: "444"
tags:
- pagure
- fedora-messaging
# Ensure all the services are up and running
- name: Start and enable httpd, postfix, pagure_milter
ansible.builtin.service:
name: "{{ item }}"
enabled: yes
state: started
with_items:
- httpd
- postfix
- redis
- pagure_ev
- pagure_logcom
# - pagure_milter
- pagure_webhook
- pagure_worker
# - pagure_api_key_expire_mail
# - pagure_api_key_expire_mail.timer
tags:
- pagure
- service
- postfix
- name: Add SAR script for pagure
ansible.builtin.copy:
src: "{{ roles_path }}/pagure/files/pagure_sar.py"
dest: /usr/local/bin/pagure_sar.py
owner: root
mode: "0700"
tags:
- SAR
- GDPR
- pagure
- name: Override the default syslog logrotate file
ansible.builtin.copy:
src: syslog-logrotate
dest: /etc/logrotate.d/syslog
mode: "0644"
tags:
- pagure
- logrotate
Reference in a new issue View git blame Copy permalink