--- # tasklist for setting up Dist Git # # This is a bit complex, so I'm dividing it into sections. # -- Common ---------------------------------------------- # This is very basic stuff that is needed by multiple of the next sections. - name: Enable the mod_auth_openidc module on rhel8 ansible.builtin.copy: dest: /etc/dnf/modules.d/mod_auth_openidc.module content: | [mod_auth_openidc] name=mod_auth_openidc stream=2.3 profiles= state=enabled mode: '0644' - name: Install the needed packages ansible.builtin.package: name: "{{ item }}" state: present with_items: - git - httpd - mod_ssl - mod_auth_gssapi - /usr/sbin/semanage - mod_auth_openidc tags: - distgit - name: Install the mod_auth_openidc configuration ansible.builtin.template: src: auth_openidc.conf dest: /etc/httpd/conf.d/auth_openidc.conf mode: '0644' notify: - Reload httpd tags: - distgit - name: Install the http push configuration ansible.builtin.template: src: httppush.conf dest: /etc/httpd/conf.d/httpush.conf mode: '0644' notify: - Reload httpd tags: - distgit - name: Create suexec wrapper directory ansible.builtin.file: path: /var/www/bin state: directory owner: pagure group: packager mode: '0755' tags: - distgit - name: Install suexec wrappers ansible.builtin.copy: src: "suexec-{{ item }}.sh" dest: "/var/www/bin/suexec-{{ item }}.sh" owner: pagure group: packager mode: '0755' with_items: - gitolite - upload tags: - distgit - name: Put in git service config ansible.builtin.copy: src: git@.service dest: /etc/systemd/system/git@.service mode: '0644' tags: - distgit - name: Install the mod_ssl configuration ansible.builtin.copy: src: ssl.conf dest: /etc/httpd/conf.d/ssl.conf mode: '0644' notify: - Reload httpd tags: - distgit - name: Letsencrypt for pkgs.stg.fedoraproject.org ansible.builtin.include_role: name: letsencrypt vars: site_name: pkgs.stg.fedoraproject.org when: env == 'staging' tags: - distgit - letsencrypt - name: Install the keytab ansible.builtin.copy: src: "{{ private }}/files/keytabs/{{ env }}/pkgs" dest: /etc/httpd.keytab owner: apache group: apache mode: '0600' notify: - Reload httpd tags: - distgit - name: Allow httpd to access the files on NFS ansible.posix.seboolean: name: httpd_use_nfs state: yes persistent: yes tags: - distgit - name: Allow httpd to access git user content ansible.posix.seboolean: name: httpd_read_user_content state: yes persistent: yes tags: - distgit - name: Secure tmpfs read only ansible.posix.mount: name: /dev/shm src: tmpfs fstype: tmpfs opts: defaults,size=40G state: present tags: - distgit # -- SSH # We use a wrapper to let packager ssh in while restricting the command they can # do, this installs that wrapper (which is otherwise configured in sshd_config) - name: Install the ssh_wrapper wrapper script ansible.builtin.copy: src: ssh_wrapper dest: /usr/local/bin/ssh_wrapper mode: '0755' tags: - config - distgit - ssh - basessh # -- Dist Git -------------------------------------------- # This is the Git setup itself: group, root directory, scripts,... - name: Install dist-git ansible.builtin.package: name: "{{ item }}" state: present with_items: - dist-git - dist-git-selinux tags: - distgit - name: Install the dist-git config ansible.builtin.copy: src: dist-git.conf dest: /etc/dist-git/dist-git.conf mode: '0644' tags: - config - distgit - name: Dploy the Fedora messaging config. file for uploads ansible.builtin.copy: src: git-hooks-messaging.toml dest: /etc/fedora-messaging/git-hooks-messaging.toml mode: '0644' tags: - config - distgit - name: Deploy the Fedora messaging certificate ansible.builtin.copy: src: "{{ item.src }}" dest: "/etc/pki/rabbitmq/{{ item.dest }}" owner: "{{ item.owner }}" group: "{{ item.group }}" mode: "{{ item.mode }}" with_items: - src: "{{ private }}/files/rabbitmq/production/pki/issued/git-hooks.crt" dest: git-hooks.crt owner: root group: root mode: "444" - src: "{{ private }}/files/rabbitmq/production/pki/private/git-hooks.key" dest: git-hooks.key owner: root group: root mode: "440" - src: "{{ private }}/files/rabbitmq/production/pki/reqs/git-hooks.req" dest: git-hooks.ca owner: root group: root mode: "444" tags: - distgit - fedora-messaging - name: Create the distgit root directory (/srv/git) ansible.builtin.file: dest: /srv/git state: directory mode: '0755' tags: - distgit # These should all map to pkgdb namespaces - name: Create our namespace directories inside there.. ansible.builtin.file: dest: "/srv/git/repositories/{{ item }}" state: directory mode: '2775' group: packager with_items: - rpms - docker - modules # Except for these two. These namespaces are artificially created in the # dist-git pkgdb sync scripts. - test-rpms - test-modules - test-docker tags: - distgit - name: Install robots.txt files ansible.builtin.copy: src: "{{ item }}" dest: "/var/www/{{ item }}" mode: '0644' with_items: - robots-pkgs.txt - robots-src.txt tags: - distgit - name: Install the DistGit related httpd config ansible.builtin.copy: src: git-smart-http.conf dest: /etc/httpd/conf.d/dist-git/git-smart-http.conf mode: '0644' notify: - Reload httpd tags: - distgit - name: Symlink pkgs-git-repos-list ansible.builtin.copy: src: repolist.conf dest: /etc/httpd/conf.d/dist-git/repolist.conf mode: '0644' notify: - Reload httpd tags: - distgit - name: Schedule the update hook check ansible.builtin.cron: name: "check-update-hooks" cron_file: "ansible-check-update-hooks" minute: 0 hour: 0 weekday: 3 user: nobody job: "/usr/local/bin/git-check-perms --check=update-hook /srv/git/repositories" tags: - distgit - name: Schedule the script to get retired packages ansible.builtin.copy: src: "retired-packages.cron" dest: "/etc/cron.d/retired-packages.cron" mode: '644' owner: root group: root tags: - distgit - name: Install the two scripts needed for mass-branching ansible.builtin.copy: src: "{{ item }}" dest: "/usr/local/bin/{{ item }}" owner: root group: root mode: '0755' with_items: - mass-branching-git.py - mass-branching-gitolite.py tags: - config - distgit - mass-branching # -- Lookaside Cache ------------------------------------- # This is the annex to Dist Git, where we host source tarballs. - name: Install the Lookaside Cache httpd configs ansible.builtin.template: src: "{{ item }}" dest: "/etc/httpd/conf.d/dist-git/{{ item }}" mode: '0644' with_items: - lookaside.conf - lookaside-upload.conf notify: - Reload httpd tags: - distgit - sslciphers - name: Create the Lookaside Cache root directory ansible.builtin.file: dest: /srv/cache/lookaside/pkgs state: directory owner: apache group: apache mode: '0755' tags: - distgit - name: Set the selinux boolean git_cgi_use_nfs ansible.posix.seboolean: name: git_cgi_use_nfs persistent: yes state: yes tags: - distgit - config - selinux # Not sure why, but fixes https://fedorahosted.org/fedora-infrastructure/ticket/4825 - name: Set the selinux boolean git_system_enable_homedirs ansible.posix.seboolean: name: git_system_enable_homedirs persistent: yes state: yes tags: - distgit - config - selinux - name: Check the selinux context of the Lookaside Cache root directory ansible.builtin.command: matchpathcon /srv/cache register: lcachecontext check_mode: no changed_when: false tags: - config - lookaside - selinux - distgit - name: Set the SELinux policy for the Lookaside Cache root directory ansible.builtin.command: semanage fcontext -a -t nfs_t "/srv/cache(/.*)?" when: lcachecontext.stdout.find('nfs_t') == -1 and env != "staging" changed_when: true tags: - config - lookaside - selinux - distgit - name: Install the fedora-ca.cert ansible.builtin.copy: src: "{{ private }}/files/fedora-ca.cert" dest: /etc/httpd/conf/cacert.pem mode: '0644' tags: - distgit - name: Install the pkgs cert ansible.builtin.copy: src: "{{ private }}/files/pkgs.fedoraproject.org_key_and_cert.pem" dest: /etc/httpd/conf/pkgs.fedoraproject.org_key_and_cert.pem owner: apache mode: '0400' when: env != "staging" tags: - distgit - name: Install the pkgs.stg cert ansible.builtin.copy: src: "{{ private }}/files/pkgs.stg.fedoraproject.org_key_and_cert.pem" dest: /etc/httpd/conf/pkgs.fedoraproject.org_key_and_cert.pem owner: apache mode: '0400' when: env == "staging" tags: - distgit # Three tasks for handling our selinux policy for upload.cgi - name: Ensure a directory exists for our SELinux policy ansible.builtin.file: dest: /usr/local/share/selinux/ state: directory mode: '0755' tags: selinux - name: Copy over our custom selinux policy ansible.builtin.copy: src: upload_cgi.pp dest: /usr/local/share/selinux/upload_cgi.pp mode: '0644' register: selinux_module tags: selinux - name: Install our custom selinux policy # noqa no-handler ansible.builtin.command: semodule -i /usr/local/share/selinux/upload_cgi.pp when: selinux_module is changed changed_when: true tags: selinux - name: Copy over our custom nfs selinux policy ansible.builtin.copy: src: cgi-nfs.pp dest: /usr/local/share/selinux/cgi-nfs.pp mode: '0644' register: nfs_selinux_module tags: selinux - name: Install our custom nfs selinux policy # noqa no-handler ansible.builtin.command: semodule -i /usr/local/share/selinux/cgi-nfs.pp when: nfs_selinux_module is changed changed_when: true tags: selinux - name: Install another one of our own SELinux policy ansible.builtin.include_role: name: selinux/module vars: policy_file: files/http_policy.te policy_name: http_policy tags: - selinux - name: Setup grokmirror for repos ansible.builtin.package: name: python3-grokmirror state: installed tags: - grokmirror - pkgs - name: Make dir for grokmirror manifest ansible.builtin.file: path: /srv/git/grokmirror state: directory owner: root group: packager mode: '2775' tags: - grokmirror - pkgs - name: Set acls for grokmirror ansible.posix.acl: path: /srv/git/grokmirror etype: group permissions: rwx state: present tags: - grokmirror - pkgs - name: Run initial grokmirror run ansible.builtin.command: cmd: /usr/bin/grok-manifest -m /srv/git/grokmirror/manifest.js.gz -t /srv/git/repositories/ creates: /srv/git/grokmirror/manifest.js.gz when: env != "staging" tags: - grokmirror - pkgs # https://forge.fedoraproject.org/infra/tickets/12428 - name: Hotfix for links to accounts.fpo ansible.posix.patch: src: files/0001-Fix-link-to-accounts.fpo-for-staging-for-adding-user.patch dest: /usr/lib/python3.6/site-packages/pagure/themes/srcfpo/templates/group_info.html tags: - pagure - hotfix