1133e45da3
The current playbook assumes the old digicert ssl cert thats in private. However, we got that in 2020 and it's expired. We switched pagure.io over to letsencrypt a while back. Somehow we didn't change the playbook however, or the change was lost somewhere. :( So, this adds 2 calls to the letsencrypt role to get certs for the prod and staging pagure instances. I think this should do the right thing with placement of files, but more eyes welcome. Without this playbooks runs have the chance of messing up pagure.io certs, so I think we should fix this asap. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
493 lines
11 KiB
YAML
493 lines
11 KiB
YAML
---
|
|
# Configuration for the pagure webapp
|
|
- name: install needed packages
|
|
package: name={{ item }} state=present
|
|
with_items:
|
|
- pagure
|
|
- pagure-ci
|
|
- pagure-ev
|
|
- pagure-loadjson
|
|
- pagure-logcom
|
|
- pagure-milters
|
|
- pagure-webhook
|
|
- pagure-theme-pagureio
|
|
- python3-pagure-messages
|
|
- python3-psycopg2
|
|
- python3-pygments
|
|
- redis
|
|
- python3-libsemanage
|
|
- mod_ssl
|
|
- python3-mod_wsgi
|
|
- stunnel
|
|
# Use haveged to ensure the server keeps some entropy
|
|
- haveged
|
|
tags:
|
|
- pagure
|
|
- packages
|
|
|
|
- name: Initialize postgres if necessary
|
|
command: /usr/bin/postgresql-setup initdb
|
|
creates=/var/lib/pgsql/data
|
|
notify:
|
|
- restart postgresql
|
|
tags:
|
|
- pagure
|
|
|
|
- name: create the pagure DB user
|
|
become_user: postgres
|
|
become: true
|
|
postgresql_user:
|
|
name: "{{ pagure_db_user }}"
|
|
password: "{{ pagure_db_pass }}"
|
|
tags:
|
|
- pagure
|
|
- postgresql
|
|
|
|
- name: create the pagure DB user
|
|
become_user: postgres
|
|
become: true
|
|
postgresql_user:
|
|
name: "{{ pagure_db_admin_user }}"
|
|
password: "{{ pagure_db_admin_pass }}"
|
|
tags:
|
|
- pagure
|
|
- postgresql
|
|
|
|
- name: create the pagure database creation
|
|
become_user: postgres
|
|
become: true
|
|
postgresql_db:
|
|
name: "{{ pagure_db_name }}"
|
|
owner: "{{ pagure_db_user }}"
|
|
encoding: UTF-8
|
|
tags:
|
|
- pagure
|
|
- postgresql
|
|
|
|
- name: Put in robots.txt
|
|
template: src=robots.txt.j2 dest=/var/www/html/robots.txt
|
|
tags:
|
|
- pagure
|
|
|
|
- name: Create the "git" user
|
|
command: useradd --create-home --home-dir=/srv/git/ git
|
|
creates=/srv/git/
|
|
tags:
|
|
- pagure
|
|
|
|
- name: create the /attachments folder
|
|
file: state=directory
|
|
path=/srv/attachments
|
|
owner=git group=git mode=0775
|
|
tags:
|
|
- pagure
|
|
|
|
- name: create the /var/log/pagure folder where to store the logs
|
|
file: state=directory
|
|
path=/var/log/pagure
|
|
owner=git group=git mode=0755
|
|
tags:
|
|
- pagure
|
|
- fix_log
|
|
- hotfix
|
|
|
|
# This now fails when there are broken symlinks. Lets figure out a better way to do this - kevin
|
|
#- name: Adjust owner of /srv/git
|
|
# file: name=/srv/git state=directory recurse=yes owner=git group=git
|
|
# tags:
|
|
# - gitolite
|
|
|
|
- name: create all the directories where we store the git repos
|
|
file: state=directory
|
|
path={{ item }}
|
|
owner=git group=git mode=0775
|
|
with_items:
|
|
- /srv/git/repositories/
|
|
- /srv/git/repositories/forks
|
|
- /srv/git/repositories/docs
|
|
- /srv/git/repositories/tickets
|
|
- /srv/git/repositories/requests
|
|
- /srv/git/remotes
|
|
tags:
|
|
- pagure
|
|
|
|
- name: create the /srv/tmp folder where to clone repos
|
|
file: state=directory
|
|
path=/srv/tmp
|
|
owner=git group=git mode=0775
|
|
tags:
|
|
- pagure
|
|
|
|
# Set things up for the mirroring feature
|
|
|
|
- name: create the `paguremirroring` group
|
|
group:
|
|
name: paguremirroring
|
|
state: present
|
|
tags:
|
|
- pagure
|
|
- mirror
|
|
|
|
- name: create the `paguremirroring` user
|
|
user:
|
|
name: paguremirroring
|
|
group: paguremirroring
|
|
groups: paguremirroring,git
|
|
shell: /bin/nologin
|
|
home: /srv/mirror
|
|
tags:
|
|
- pagure
|
|
- mirror
|
|
|
|
# Set-up postfix and the milter for postfix
|
|
|
|
- name: Add the /etc/aliases file
|
|
copy: src=aliases dest=/etc/aliases owner=root mode=644
|
|
tags:
|
|
- config
|
|
- pagure
|
|
- postfix
|
|
notify:
|
|
- restart postfix
|
|
- restart pagure_milter
|
|
|
|
# Override pagure_ev systemd service file
|
|
|
|
- name: install pagure_ev service definition
|
|
copy: src=pagure_ev.service
|
|
dest=/usr/lib/systemd/system/pagure_ev.service
|
|
owner=root group=root mode=0644
|
|
notify:
|
|
- reload systemd
|
|
- restart pagure_ev
|
|
tags:
|
|
- pagure
|
|
- pagure_ev
|
|
|
|
# Set-up stunnel for the event source server
|
|
|
|
- name: install stunnel service definition
|
|
copy: src=stunnel.service
|
|
dest=/usr/lib/systemd/system/stunnel.service
|
|
owner=root group=root mode=0644
|
|
notify:
|
|
- reload systemd
|
|
- restart stunnel
|
|
tags:
|
|
- pagure
|
|
- stunnel
|
|
|
|
- name: ensure old stunnel init file is gone
|
|
file: dest=/etc/init.d/stunnel/stunnel.init state=absent
|
|
tags:
|
|
- pagure
|
|
- stunnel
|
|
- config
|
|
|
|
- name: make a bundle file of the cert and intermediate for stunnel
|
|
shell: cat /etc/pki/tls/certs/pagure.io.cert /etc/pki/tls/certs/pagure.io.intermediate.cert > /etc/pki/tls/certs/pagure.io.bundle.cert creates=/etc/pki/tls/certs/pagure.io.bundle.cert
|
|
tags:
|
|
- pagure
|
|
- stunnel
|
|
- config
|
|
when: env != 'pagure-staging'
|
|
|
|
- name: make a bundle file of the cert and intermediate for stunnel (stg)
|
|
shell: cat /etc/pki/tls/certs/stg.pagure.io.cert /etc/pki/tls/certs/stg.pagure.io.intermediate.cert > /etc/pki/tls/certs/stg.pagure.io.bundle.cert creates=/etc/pki/tls/certs/stg.pagure.io.bundle.cert
|
|
tags:
|
|
- pagure
|
|
- stunnel
|
|
- config
|
|
when: env == 'pagure-staging'
|
|
|
|
- name: install stunnel.conf
|
|
template: src={{ item.file }}
|
|
dest={{ item.dest }}
|
|
owner=root group=root mode=0600
|
|
with_items:
|
|
- { file: stunnel-conf.j2, dest: /etc/stunnel/stunnel.conf }
|
|
notify: restart stunnel
|
|
tags:
|
|
- pagure
|
|
- stunnel
|
|
- config
|
|
|
|
- name: Add the different service files for the different services
|
|
copy: src={{ item }}.service
|
|
dest=/etc/systemd/system/{{ item }}.service
|
|
owner=root group=root mode=0755
|
|
with_items:
|
|
- pagure_fast_worker
|
|
- pagure_medium_worker
|
|
- pagure_slow_worker
|
|
- pagure_mirror
|
|
notify:
|
|
- reload systemd
|
|
tags:
|
|
- pagure
|
|
|
|
# setup fedora-messaging
|
|
|
|
- name: install fedora-messaging as a dependency
|
|
package: name={{ item }} state=present
|
|
with_items:
|
|
- python3-fedora-messaging
|
|
tags:
|
|
- pagure
|
|
- fedora-messaging
|
|
|
|
- name: create the config folder for fedora-messaging
|
|
file: path=/etc/fedora-messaging/ owner=root group=root mode=0755 state=directory
|
|
tags:
|
|
- pagure
|
|
- fedora-messaging
|
|
|
|
- name: install the configuration file for fedora-messaging
|
|
template:
|
|
src=fedora-messaging.toml
|
|
dest=/etc/fedora-messaging/config.toml
|
|
tags:
|
|
- pagure
|
|
- fedora-messaging
|
|
|
|
- name: create folder where we'll place the certs
|
|
file: path=/etc/pki/rabbitmq/pagurecert/ owner=root group=root mode=0755 state=directory
|
|
tags:
|
|
- pagure
|
|
- fedora-messaging
|
|
|
|
- name: deploy pagure/rabbitmq certificate
|
|
copy: src={{ item.src }}
|
|
dest=/etc/pki/rabbitmq/pagurecert/{{ item.dest }}
|
|
owner={{ item.owner }} group={{ item.group}} mode={{ item.mode }}
|
|
when: env == 'pagure-staging'
|
|
with_items:
|
|
- src: "{{private}}/files/rabbitmq/staging/pki/issued/pagure.stg.crt"
|
|
dest: pagure.crt
|
|
owner: git
|
|
group: root
|
|
mode: "444"
|
|
- src: "{{private}}/files/rabbitmq/staging/pki/private/pagure.stg.key"
|
|
dest: pagure.key
|
|
owner: git
|
|
group: root
|
|
mode: "440"
|
|
- src: "{{private}}/files/rabbitmq/staging/pki/ca.crt"
|
|
dest: pagure.ca
|
|
owner: git
|
|
group: root
|
|
mode: "444"
|
|
tags:
|
|
- pagure
|
|
- fedora-messaging
|
|
|
|
- name: deploy pagure/rabbitmq certificate
|
|
copy: src={{ item.src }}
|
|
dest=/etc/pki/rabbitmq/pagurecert/{{ item.dest }}
|
|
owner={{ item.owner }} group={{ item.group}} mode={{ item.mode }}
|
|
when: env != 'pagure-staging'
|
|
with_items:
|
|
- src: "{{private}}/files/rabbitmq/production/pki/issued/pagure.crt"
|
|
dest: pagure.crt
|
|
owner: git
|
|
group: root
|
|
mode: "444"
|
|
- src: "{{private}}/files/rabbitmq/production/pki/private/pagure.key"
|
|
dest: pagure.key
|
|
owner: git
|
|
group: root
|
|
mode: "440"
|
|
- src: "{{private}}/files/rabbitmq/production/pki/ca.crt"
|
|
dest: pagure.ca
|
|
owner: git
|
|
group: root
|
|
mode: "444"
|
|
tags:
|
|
- pagure
|
|
- fedora-messaging
|
|
|
|
|
|
# Set-up Pagure
|
|
|
|
- name: create the folders used for releases and archives
|
|
file: state=directory
|
|
path={{ item }}
|
|
owner=git group=git mode=0775
|
|
with_items:
|
|
- /var/www/releases
|
|
- /var/www/archives
|
|
tags:
|
|
- pagure
|
|
- web
|
|
|
|
- name: copy sundry pagure configuration
|
|
template: src={{ item.file }}
|
|
dest={{ item.location }}/{{ item.file }}
|
|
owner=git group=postfix mode=0640
|
|
with_items:
|
|
- { file: pagure.cfg, location: /etc/pagure }
|
|
- { file: alembic.ini, location: /etc/pagure }
|
|
tags:
|
|
- config
|
|
- web
|
|
- pagure
|
|
notify:
|
|
- restart apache
|
|
|
|
- name: create the database scheme
|
|
command: /usr/bin/python3 /usr/share/pagure/pagure_createdb.py
|
|
changed_when: "1 != 1"
|
|
environment:
|
|
PAGURE_CONFIG: /etc/pagure/pagure.cfg
|
|
tags:
|
|
- web
|
|
- pagure
|
|
|
|
- name: Install the configuration file to activate https
|
|
template: src={{ item }} dest=/etc/httpd/conf.d/{{ item }}
|
|
owner=root group=root mode=0644
|
|
with_items:
|
|
- 0_pagure.conf
|
|
- securityheaders.conf
|
|
tags:
|
|
- files
|
|
- config
|
|
- pagure
|
|
- sslciphers
|
|
notify:
|
|
- restart apache
|
|
|
|
- name: Install the wsgi file
|
|
template: src={{ item }}
|
|
dest=/var/www/{{ item }}
|
|
owner=git group=git mode=0644
|
|
with_items:
|
|
- pagure.wsgi
|
|
- docs_pagure.wsgi
|
|
tags:
|
|
- config
|
|
- web
|
|
- pagure
|
|
notify:
|
|
- restart apache
|
|
|
|
- name: let paguremirroring read the pagure config
|
|
command: /usr/bin/setfacl -m user:paguremirroring:rx /etc/pagure/pagure.cfg
|
|
tags:
|
|
- pagure
|
|
- mirror
|
|
|
|
- name: Add default facl so apache can read git repos
|
|
acl: default=yes etype=user entity=apache permissions="rx" name=/srv/git state=present
|
|
register: acl_updates
|
|
tags:
|
|
- pagure
|
|
|
|
- name: Manually fix current default ACLs since Ansible doesnt know recursive acls
|
|
when: acl_updates.changed
|
|
command: /usr/bin/setfacl -Rdm user:apache:rx /srv/git
|
|
tags:
|
|
- pagure
|
|
|
|
- name: Manually fix current ACLs since Ansible doesnt know recursive acls
|
|
when: acl_updates.changed
|
|
command: /usr/bin/setfacl -Rm user:apache:rx /srv/git
|
|
tags:
|
|
- pagure
|
|
|
|
- import_tasks: selinux.yml
|
|
tags:
|
|
- selinux
|
|
- pagure
|
|
|
|
# Hotfix(es)
|
|
|
|
- name: Install the python3-only version of the stream_server so it works
|
|
copy: src=pagure_stream_server.py
|
|
dest=/usr/libexec/pagure-ev/pagure_stream_server.py
|
|
owner=root mode=0755
|
|
tags:
|
|
- pagure
|
|
- hotfix
|
|
notify:
|
|
- restart pagure_ev
|
|
|
|
# Ensure all the services are up and running
|
|
|
|
- name: Start and enable httpd, postfix, pagure_milter
|
|
service: name={{ item }} enabled=yes state=started
|
|
with_items:
|
|
- httpd
|
|
- postfix
|
|
- stunnel
|
|
- redis
|
|
- pagure_ev
|
|
- pagure_ci
|
|
- pagure_loadjson
|
|
- pagure_logcom
|
|
- pagure_milter
|
|
- pagure_webhook
|
|
- pagure_worker
|
|
- pagure_gitolite_worker
|
|
- pagure_fast_worker
|
|
- pagure_medium_worker
|
|
- pagure_slow_worker
|
|
- pagure_mirror
|
|
# - pagure_api_key_expire_mail
|
|
# - pagure_api_key_expire_mail.timer
|
|
- pagure_mirror_project_in
|
|
- pagure_mirror_project_in.timer
|
|
# - fedmsg-relay
|
|
- haveged
|
|
ignore_errors: true
|
|
tags:
|
|
- pagure
|
|
- service
|
|
- postfix
|
|
|
|
- name: setup logrotate to our needs
|
|
copy: src="{{ files }}/httpd/httpd.logrotate" dest=/etc/logrotate.d/httpd
|
|
tags:
|
|
- config
|
|
- apache
|
|
|
|
- name: Add SAR script for pagure
|
|
copy: src=pagure_sar.py dest=/usr/local/bin/pagure_sar.py owner=git mode=0700
|
|
tags:
|
|
- SAR
|
|
- GDPR
|
|
- pagure
|
|
|
|
- name: override the default syslog logrotate file
|
|
copy: src=syslog-logrotate dest=/etc/logrotate.d/syslog
|
|
tags:
|
|
- pagure
|
|
- logrotate
|
|
|
|
- name: Letsencrypt for stg.pagure.io
|
|
include_role: name=letsencrypt
|
|
vars:
|
|
site_name: stg.pagure.io
|
|
server_aliases:
|
|
- releases.stg.pagure.org
|
|
- docs.stg.pagure.org
|
|
- stg.pagure.org
|
|
when: env == 'pagure-staging'
|
|
tags:
|
|
- pagure
|
|
- letsencrypt
|
|
|
|
- name: Letsencrypt for pagure.io
|
|
include_role: name=letsencrypt
|
|
vars:
|
|
site_name: pagure.io
|
|
server_aliases:
|
|
- releases.pagure.org
|
|
- docs.pagure.org
|
|
- pagure.org
|
|
- www.pagure.io
|
|
- lists.pagure.io
|
|
when: env != 'pagure-staging'
|
|
tags:
|
|
- pagure
|
|
- letsencrypt
|