00804542f3
This is still being reviewed and wasn't meant to be pushed out yet
This reverts commit 67844b4504.
355 lines
8.7 KiB
YAML
355 lines
8.7 KiB
YAML
---
|
|
# tasklist for setting up Dist Git
|
|
#
|
|
# This is a bit complex, so I'm dividing it into sections.
|
|
|
|
# -- Common ----------------------------------------------
|
|
# This is very basic stuff that is needed by multiple of the next sections.
|
|
- name: Enable the mod_auth_openidc module on rhel8
|
|
copy:
|
|
dest: /etc/dnf/modules.d/mod_auth_openidc.module
|
|
content: |
|
|
[mod_auth_openidc]
|
|
name=mod_auth_openidc
|
|
stream=2.3
|
|
profiles=
|
|
state=enabled
|
|
|
|
- name: install the needed packages
|
|
package: name={{item}} state=present
|
|
with_items:
|
|
- git
|
|
- httpd
|
|
- mod_ssl
|
|
- mod_auth_gssapi
|
|
- /usr/sbin/semanage
|
|
- mod_auth_openidc
|
|
tags:
|
|
- distgit
|
|
|
|
- name: install the mod_auth_openidc configuration
|
|
template: src=auth_openidc.conf dest=/etc/httpd/conf.d/auth_openidc.conf
|
|
notify:
|
|
- reload httpd
|
|
tags:
|
|
- distgit
|
|
|
|
- name: install the http push configuration
|
|
template: src=httppush.conf dest=/etc/httpd/conf.d/httpush.conf
|
|
notify:
|
|
- reload httpd
|
|
tags:
|
|
- distgit
|
|
|
|
- name: Create suexec wrapper directory
|
|
file: path=/var/www/bin state=directory owner=pagure group=packager
|
|
tags:
|
|
- distgit
|
|
|
|
- name: Install suexec wrappers
|
|
copy:
|
|
src=suexec-{{item}}.sh
|
|
dest=/var/www/bin/suexec-{{item}}.sh
|
|
owner=pagure
|
|
group=packager
|
|
mode=0755
|
|
with_items:
|
|
- gitolite
|
|
- upload
|
|
tags:
|
|
- distgit
|
|
|
|
- name: Put in git service config
|
|
copy: src=git@.service dest=/etc/systemd/system/git@.service
|
|
tags:
|
|
- distgit
|
|
|
|
- name: install the mod_ssl configuration
|
|
copy: src=ssl.conf dest=/etc/httpd/conf.d/ssl.conf
|
|
notify:
|
|
- reload httpd
|
|
tags:
|
|
- distgit
|
|
|
|
- name: Letsencrypt for pkgs.stg.fedoraproject.org
|
|
include_role: name=letsencrypt
|
|
vars:
|
|
site_name: pkgs.stg.fedoraproject.org
|
|
when: env == 'staging'
|
|
tags:
|
|
- distgit
|
|
- letsencrypt
|
|
|
|
- name: install the keytab
|
|
copy: src="{{ private }}/files/keytabs/{{env}}/pkgs"
|
|
dest=/etc/httpd.keytab
|
|
owner=apache
|
|
group=apache
|
|
mode=0600
|
|
notify:
|
|
- reload httpd
|
|
tags:
|
|
- distgit
|
|
|
|
- name: allow httpd to access the files on NFS
|
|
seboolean: name=httpd_use_nfs state=yes persistent=yes
|
|
tags:
|
|
- distgit
|
|
|
|
- name: allow httpd to access git user content
|
|
seboolean: name=httpd_read_user_content state=yes persistent=yes
|
|
tags:
|
|
- distgit
|
|
|
|
- name: Secure tmpfs read only
|
|
mount: name=/dev/shm src=tmpfs fstype=tmpfs opts=defaults,size=40G state=present
|
|
tags:
|
|
- distgit
|
|
|
|
# -- Dist Git --------------------------------------------
|
|
# This is the Git setup itself: group, root directory, scripts,...
|
|
- name: install dist-git
|
|
package: name={{item}} state=present
|
|
with_items:
|
|
- dist-git
|
|
- dist-git-selinux
|
|
tags:
|
|
- distgit
|
|
|
|
- name: install the dist-git config
|
|
copy: src=dist-git.conf dest=/etc/dist-git/dist-git.conf
|
|
tags:
|
|
- config
|
|
- distgit
|
|
|
|
- name: Make sure apache can access the fedora-messasing ca
|
|
acl:
|
|
path: /etc/pki/rabbitmq/git-hooks.ca
|
|
entity: apache
|
|
etype: group
|
|
permissions: r
|
|
state: present
|
|
tags:
|
|
- distgit
|
|
when: inventory_hostname.startswith('batcave')
|
|
|
|
- name: Make sure apache can access the fedora-messasing crt
|
|
acl:
|
|
path: /etc/pki/rabbitmq/git-hooks.crt
|
|
entity: apache
|
|
etype: group
|
|
permissions: r
|
|
state: present
|
|
tags:
|
|
- distgit
|
|
when: inventory_hostname.startswith('batcave')
|
|
|
|
- name: Make sure apache can access the fedora-messasing key
|
|
acl:
|
|
path: /etc/pki/rabbitmq/git-hooks.key
|
|
entity: apache
|
|
etype: group
|
|
permissions: r
|
|
state: present
|
|
tags:
|
|
- distgit
|
|
when: inventory_hostname.startswith('batcave')
|
|
|
|
- name: create the distgit root directory (/srv/git)
|
|
file: dest=/srv/git state=directory mode=0755
|
|
tags:
|
|
- distgit
|
|
|
|
# These should all map to pkgdb namespaces
|
|
- name: create our namespace directories inside there..
|
|
file: dest=/srv/git/repositories/{{item}} state=directory mode=2775 group=packager
|
|
with_items:
|
|
- rpms
|
|
- docker
|
|
- modules
|
|
# Except for these two. These namespaces are artificially created in the
|
|
# dist-git pkgdb sync scripts.
|
|
- test-rpms
|
|
- test-modules
|
|
- test-docker
|
|
tags:
|
|
- distgit
|
|
|
|
- name: Install robots.txt files
|
|
copy: src={{item}} dest=/var/www/{{item}}
|
|
with_items:
|
|
- robots-pkgs.txt
|
|
- robots-src.txt
|
|
tags:
|
|
- distgit
|
|
|
|
- name: install the DistGit related httpd config
|
|
copy: src=git-smart-http.conf dest=/etc/httpd/conf.d/dist-git/git-smart-http.conf
|
|
notify:
|
|
- reload httpd
|
|
tags:
|
|
- distgit
|
|
|
|
- name: Symlink pkgs-git-repos-list
|
|
copy: src=repolist.conf dest=/etc/httpd/conf.d/dist-git/repolist.conf
|
|
notify:
|
|
- reload httpd
|
|
tags:
|
|
- distgit
|
|
|
|
- name: schedule the update hook check
|
|
cron: >
|
|
name="check-update-hooks" cron_file="ansible-check-update-hooks"
|
|
minute=0 hour=0 weekday=3
|
|
user=nobody
|
|
job="/usr/local/bin/git-check-perms --check=update-hook /srv/git/repositories"
|
|
tags:
|
|
- distgit
|
|
|
|
- name: install the two scripts needed for mass-branching
|
|
copy: src={{item}} dest=/usr/local/bin/{{item}} owner=root group=root mode=0755
|
|
with_items:
|
|
- mass-branching-git.py
|
|
- mass-branching-gitolite.py
|
|
tags:
|
|
- config
|
|
- distgit
|
|
- mass-branching
|
|
|
|
# -- Lookaside Cache -------------------------------------
|
|
# This is the annex to Dist Git, where we host source tarballs.
|
|
- name: install the Lookaside Cache httpd configs
|
|
template: src={{item}} dest=/etc/httpd/conf.d/dist-git/{{item}}
|
|
with_items:
|
|
- lookaside.conf
|
|
- lookaside-upload.conf
|
|
notify:
|
|
- reload httpd
|
|
tags:
|
|
- distgit
|
|
- sslciphers
|
|
|
|
- name: create the Lookaside Cache root directory
|
|
file: dest=/srv/cache/lookaside/pkgs state=directory
|
|
owner=apache group=apache
|
|
tags:
|
|
- distgit
|
|
|
|
- name: set the selinux boolean git_cgi_use_nfs
|
|
seboolean: name=git_cgi_use_nfs persistent=yes state=yes
|
|
tags:
|
|
- distgit
|
|
- config
|
|
- selinux
|
|
|
|
# Not sure why, but fixes https://fedorahosted.org/fedora-infrastructure/ticket/4825
|
|
- name: set the selinux boolean git_system_enable_homedirs
|
|
seboolean: name=git_system_enable_homedirs persistent=yes state=yes
|
|
tags:
|
|
- distgit
|
|
- config
|
|
- selinux
|
|
|
|
- name: check the selinux context of the Lookaside Cache root directory
|
|
command: matchpathcon /srv/cache
|
|
register: lcachecontext
|
|
check_mode: no
|
|
changed_when: false
|
|
tags:
|
|
- config
|
|
- lookaside
|
|
- selinux
|
|
- distgit
|
|
|
|
- name: set the SELinux policy for the Lookaside Cache root directory
|
|
command: semanage fcontext -a -t nfs_t "/srv/cache(/.*)?"
|
|
when: lcachecontext.stdout.find('nfs_t') == -1 and env != "staging"
|
|
tags:
|
|
- config
|
|
- lookaside
|
|
- selinux
|
|
- distgit
|
|
|
|
- name: install the fedora-ca.cert
|
|
copy: src={{private}}/files/fedora-ca.cert dest=/etc/httpd/conf/cacert.pem
|
|
tags:
|
|
- distgit
|
|
|
|
- name: install the pkgs cert
|
|
copy: src={{private}}/files/pkgs.fedoraproject.org_key_and_cert.pem
|
|
dest=/etc/httpd/conf/pkgs.fedoraproject.org_key_and_cert.pem
|
|
owner=apache mode=0400
|
|
when: env != "staging"
|
|
tags:
|
|
- distgit
|
|
|
|
- name: install the pkgs.stg cert
|
|
copy: src={{private}}/files/pkgs.stg.fedoraproject.org_key_and_cert.pem
|
|
dest=/etc/httpd/conf/pkgs.fedoraproject.org_key_and_cert.pem
|
|
owner=apache mode=0400
|
|
when: env == "staging"
|
|
tags:
|
|
- distgit
|
|
|
|
# Three tasks for handling our selinux policy for upload.cgi
|
|
- name: ensure a directory exists for our SELinux policy
|
|
file: dest=/usr/local/share/selinux/ state=directory
|
|
tags: selinux
|
|
|
|
- name: copy over our custom selinux policy
|
|
copy: src=upload_cgi.pp dest=/usr/local/share/selinux/upload_cgi.pp
|
|
register: selinux_module
|
|
tags: selinux
|
|
|
|
- name: install our custom selinux policy
|
|
command: semodule -i /usr/local/share/selinux/upload_cgi.pp
|
|
when: selinux_module is changed
|
|
tags: selinux
|
|
|
|
- name: copy over our custom nfs selinux policy
|
|
copy: src=cgi-nfs.pp dest=/usr/local/share/selinux/cgi-nfs.pp
|
|
register: nfs_selinux_module
|
|
tags: selinux
|
|
|
|
- name: install our custom nfs selinux policy
|
|
command: semodule -i /usr/local/share/selinux/cgi-nfs.pp
|
|
when: nfs_selinux_module is changed
|
|
tags: selinux
|
|
|
|
- name: Install another one of our own SELinux policy
|
|
include_role:
|
|
name: selinux/module
|
|
vars:
|
|
policy_file: files/http_policy.te
|
|
policy_name: http_policy
|
|
tags:
|
|
- selinux
|
|
|
|
- name: setup grokmirror for repos
|
|
package: name=python3-grokmirror state=installed
|
|
tags:
|
|
- grokmirror
|
|
- pkgs
|
|
|
|
- name: make dir for grokmirror manifest
|
|
file: path=/srv/git/grokmirror state=directory owner=root group=packager mode=2775
|
|
tags:
|
|
- grokmirror
|
|
- pkgs
|
|
|
|
- name: set acls for grokmirror
|
|
acl:
|
|
path: /srv/git/grokmirror
|
|
etype: group
|
|
permissions: rwx
|
|
state: present
|
|
tags:
|
|
- grokmirror
|
|
- pkgs
|
|
|
|
- name: run initial grokmirror run
|
|
command: /usr/bin/grok-manifest -m /srv/git/grokmirror/manifest.js.gz -t /srv/git/repositories/ creates=/srv/git/grokmirror/manifest.js.gz
|
|
when: env != "staging"
|
|
tags:
|
|
- grokmirror
|
|
- pkgs
|