From 6430e931d078e49985758c221a30e2f21f292333 Mon Sep 17 00:00:00 2001 
From: Daniel Berteaud Date: Fri, 31 Dec 2021 14:05:49 +0100 Subject: [PATCH] Update to 2021-12-31 14:05 --- README.md | 17 +- roles/bookstack/defaults/main.yml | 2 +- roles/diagrams/defaults/main.yml | 4 +- roles/etherpad/defaults/main.yml | 5 +- roles/etherpad/tasks/install.yml | 21 ++ roles/etherpad/templates/settings.json.j2 | 5 + roles/gitea/defaults/main.yml | 4 +- roles/gitea/tasks/conf.yml | 5 + roles/matrix_element/defaults/main.yml | 4 +- roles/matrix_synapse/defaults/main.yml | 2 +- roles/openxpki/defaults/main.yml | 4 +- roles/pgadmin4/defaults/main.yml | 2 +- roles/pgadmin4/templates/config_local.py.j2 | 2 +- roles/rpm_build_server/README.md | 14 + roles/rpm_build_server/defaults/main.yml | 47 +++ roles/rpm_build_server/files/watcher.pl | 357 ++++++++++++++++++ roles/rpm_build_server/handlers/main.yml | 8 + roles/rpm_build_server/tasks/conf.yml | 58 +++ roles/rpm_build_server/tasks/directories.yml | 18 + roles/rpm_build_server/tasks/facts.yml | 9 + roles/rpm_build_server/tasks/install.yml | 22 ++ roles/rpm_build_server/tasks/main.yml | 9 + roles/rpm_build_server/tasks/requirements.yml | 5 + roles/rpm_build_server/tasks/services.yml | 5 + roles/rpm_build_server/tasks/user.yml | 23 ++ .../templates/build-watcher.service.j2 | 16 + .../rpm_build_server/templates/config.yml.j2 | 52 +++ .../templates/gpg-agent.conf.j2 | 1 + roles/rpm_build_server/templates/gpg.conf.j2 | 2 + .../templates/mock/el7-x86_64.cfg.j2 | 25 ++ .../templates/mock/el8-x86_64.cfg.j2 | 28 ++ .../templates/mock/site-defaults.cfg.j2 | 17 + roles/rpm_build_server/templates/perms.sh.j2 | 9 + roles/rpm_build_server/templates/rpmmacros.j2 | 3 + roles/rpm_build_server/vars/RedHat-8.yml | 18 + roles/unmaintained/wbo/defaults/main.yml | 8 - roles/wbo/defaults/main.yml | 13 + .../{unmaintained => }/wbo/handlers/main.yml | 0 roles/{unmaintained => }/wbo/meta/main.yml | 0 roles/wbo/tasks/directory.yml | 8 + .../tasks/main.yml => wbo/tasks/install.yml} | 25 +- roles/wbo/tasks/iptables.yml | 8 + 
roles/wbo/tasks/main.yml | 8 + roles/wbo/tasks/services.yml | 6 + roles/wbo/tasks/user.yml | 8 + .../wbo/templates/wbo.service.j2 | 0 46 files changed, 856 insertions(+), 51 deletions(-) create mode 100644 roles/rpm_build_server/README.md create mode 100644 roles/rpm_build_server/defaults/main.yml create mode 100644 roles/rpm_build_server/files/watcher.pl create mode 100644 roles/rpm_build_server/handlers/main.yml create mode 100644 roles/rpm_build_server/tasks/conf.yml create mode 100644 roles/rpm_build_server/tasks/directories.yml create mode 100644 roles/rpm_build_server/tasks/facts.yml create mode 100644 roles/rpm_build_server/tasks/install.yml create mode 100644 roles/rpm_build_server/tasks/main.yml create mode 100644 roles/rpm_build_server/tasks/requirements.yml create mode 100644 roles/rpm_build_server/tasks/services.yml create mode 100644 roles/rpm_build_server/tasks/user.yml create mode 100644 roles/rpm_build_server/templates/build-watcher.service.j2 create mode 100644 roles/rpm_build_server/templates/config.yml.j2 create mode 100644 roles/rpm_build_server/templates/gpg-agent.conf.j2 create mode 100644 roles/rpm_build_server/templates/gpg.conf.j2 create mode 100644 roles/rpm_build_server/templates/mock/el7-x86_64.cfg.j2 create mode 100644 roles/rpm_build_server/templates/mock/el8-x86_64.cfg.j2 create mode 100644 roles/rpm_build_server/templates/mock/site-defaults.cfg.j2 create mode 100644 roles/rpm_build_server/templates/perms.sh.j2 create mode 100644 roles/rpm_build_server/templates/rpmmacros.j2 create mode 100644 roles/rpm_build_server/vars/RedHat-8.yml delete mode 100644 roles/unmaintained/wbo/defaults/main.yml create mode 100644 roles/wbo/defaults/main.yml rename roles/{unmaintained => }/wbo/handlers/main.yml (100%) rename roles/{unmaintained => }/wbo/meta/main.yml (100%) create mode 100644 roles/wbo/tasks/directory.yml rename roles/{unmaintained/wbo/tasks/main.yml => wbo/tasks/install.yml} (50%) create mode 100644 roles/wbo/tasks/iptables.yml create 
mode 100644 roles/wbo/tasks/main.yml create mode 100644 roles/wbo/tasks/services.yml create mode 100644 roles/wbo/tasks/user.yml rename roles/{unmaintained => }/wbo/templates/wbo.service.j2 (100%) diff --git a/README.md b/README.md index 82c1a54..90689d9 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,7 @@ Here're the steps to make use of this. Note that this is not a complete ansible * Clone the repo ``` -git clone https://git.lapiole.org/fws/ansible-roles.git +git clone https://git.lapiole.org/dani/ansible-roles.git cd ansible-roles ``` @@ -44,7 +44,7 @@ ssh-keygen -t rsa -b 4096 -f ssh/id_rsa useradd -m ansible mkdir ~ansible/.ssh cat <<_EOF > ~ansible/.ssh/authorized_keys -ssh-rsa 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 ansible@fws.fr +ssh-rsa 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 ansible@lapiole.org _EOF chown -R ansible:ansible ~ansible/.ssh/ chmod 700 ~ansible/.ssh/ @@ -88,7 +88,7 @@ This will create a single group **infra** with two hosts in it. It's pretty self-explanatory. First, roles **common** and **backup** will be deployed on every hosts in the infra group. Then, **mysql_server** and **postgresql_server** will be deployed on **db.acme.com**. And roles **nginx**, **letsencrypt** and **lemonldap_ng** will be deployed on host **proxyin.acme.com** * Now, it's time to configure a few things. Configuration is done be assigning values to varibles, and can be done at several levels. - * group_vars/all/vars.yml : variables here will be inherited by every hosts +* group_vars/all/vars.yml : variables here will be inherited by every hosts ``` ansible_become: True trusted_ip: 
@@ -108,7 +108,7 @@ zabbix_agent_servers: "{{ zabbix_ip }}" zabbix_proxy_encryption: psk zabbix_proxy_server: 'zabbix.example.com' ``` - * group_vars/infra/vars.yml : variables here will be inherited by hosts in the **infra** group +* group_vars/infra/vars.yml : variables here will be inherited by hosts in the **infra** group ``` sshd_src_ip: "{{ trusted_ip }}" postfix_relay_host: '[smtp.example.com]:587' 
@@ -118,12 +118,11 @@ postfix_relay_pass: "S3cretP@ssw0rd" ssh_users: - name: ansible ssh_keys: - - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwnPxF7vmJA8Jr7I2q6BNRxQIcnlFaA3O58x8532qXIox8fUdYJo0KkjpEl6pBSWGlF4ObTB04/Nks5rhv9Ew+EHO5GvavzVp5L3u8T+PP+idlLlwIERL2R632TBWVbxqvhtc813ozpaMRI7nCabgiIp8rFf4hqYJIn/RMpRdPSQaHrPHQpFEW9uHPbFYZ9+dywY88WXY+VJI1rkIU3NlOAw3GKjEd6iqiOboDl8Ld4qqc+NpqDFPeidYbk5xjKv3l/Y804tdwqO1UYC+psr983rs1Kq91jI/5xSjSQFM51W3HCpZMTzSIt4Swy+m+eqUIrInxMmw72HF2CL+PePHgmusMUBYPdBfqHIxEHEbvPuO67hLAhqH1dUDBp+0oiRSM/J/DX7K+I+jNO43/UtcvnrBjNjzAiiJEG3WRAcBAUpccOu3JHcRN5CLRB26yfLXpFRzUNCnajmdZF7qc0G5gJuy8KpUZ49VTmZmJ0Uzx1rZLaytSjHpf4e5X6F8iTQ1QmORxvCdfdsqoeod7jK384NXq+UD24Y/tEgq/eT7pl3yLCpQo4qKd/aCEBqc2bnLggVRr+WX94ojMdK35qYbdXtLsN5y6L20yde8tGtWY+nmbJzLnqVJ4TKxXKMl7q9Sdj1t7BrqQQIK3H9kP7SZRhWNP6tvNKBgKFgc/k01ldw== ansible@fws.fr + - ssh-rsa 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 ansible@lapiole.org - name: dani allow_forwarding: True ssh_keys: - - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwnPxF7vmJA8Jr7I2q6BNRxQIcnlFaA3O58x8532qXIox8fUdYJo0KkjpEl6pBSWGlF4ObTB04/Nks5rhv9Ew+EHO5GvavzVp5L3u8T+PP+idlLlwIERL2R632TBWVbxqvhtc813ozpaMRI7nCabgiIp8rFf4hqYJIn/RMpRdPSQaHrPHQpFEW9uHPbFYZ9+ -dywY88WXY+VJI1rkIU3NlOAw3GKjEd6iqiOboDl8Ld4qqc+NpqDFPeidYbk5xjKv3l/Y804tdwqO1UYC+psr983rs1Kq91jI/5xSjSQFM51W3HCpZMTzSIt4Swy+m+eqUIrInxMmw72HF2CL+PePHgmusMUBYPdBfqHIxEHEbvPuO67hLAhqH1dUDBp+0oiRSM/J/DX7K+I+jNO43/UtcvnrBjNjzAiiJEG3WRAcBAUpccOu3JHcRN5CLRB26yfLXpFRzUNCnajmdZF7qc0G5gJuy8KpUZ49VTmZmJ0Uzx1rZLaytSjHpf4e5X6F8iTQ1QmORxvCdfdsqoeod7jK384NXq+UD24Y/tEgq/eT7pl3yLCpQo4qKd/aCEBqc2bnLggVRr+WX94ojMdK35qYbdXtLsN5y6L20yde8tGtWY+nmbJzLnqVJ4TKxXKMl7q9Sdj1t7BrqQQIK3H9kP7SZRhWNP6tvNKBgKFgc/k01ldw== dani@fws.fr + - ssh-rsa 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 dani@lapiole.org # Default database server mysql_server: db.acme.com 
@@ -136,7 +135,7 @@ letsencrypt_dns_provider: gandi letsencrypt_dns_provider_options: '--api-protocol=rest' letsencrypt_dns_auth_token: "G7BL9RzkZdUI" ``` - * host_vars/proxyin.acme.com/vars.yml : variables here will be inherited only by the host **proxyin.acme.com** +* host_vars/proxyin.acme.com/vars.yml : variables here will be inherited only by the host **proxyin.acme.com** ``` nginx_auto_letsencrypt_cert: True @@ -146,7 +145,7 @@ nginx_default_vhost_extra: csp: >- default-src 'self' 'unsafe-inline' blob:; style-src-elem 'self' 'unsafe-inline' data:; - img-src 'self' data: blob: https://stats.fws.fr; + img-src 'self' data: blob: https://stats.lapiole.org; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://stats.acme.com blob:; font-src 'self' data: proxy: diff --git a/roles/bookstack/defaults/main.yml b/roles/bookstack/defaults/main.yml index d31fd1b..e6ed7dd 100644 --- a/roles/bookstack/defaults/main.yml +++ b/roles/bookstack/defaults/main.yml @@ -19,7 +19,7 @@ bookstack_root_dir: /opt/bookstack_{{ bookstack_id }} # User under which the app will be executed bookstack_php_user: php-bookstack_{{ bookstack_id }} # Version of PHP used -bookstack_php_version: 80 +bookstack_php_version: 81 # Or you can specify here the name of a custom PHP FPM pool. See the httpd_php role # bookstack_php_fpm_pool: custom_bookstack diff --git a/roles/diagrams/defaults/main.yml b/roles/diagrams/defaults/main.yml index e724ab4..6c226e7 100644 --- a/roles/diagrams/defaults/main.yml +++ b/roles/diagrams/defaults/main.yml 
@@ -1,11 +1,11 @@ --- # Veresion of diagrams to deploy -diagrams_version: 15.9.6 +diagrams_version: 16.1.0 # URL of the WAR file to deploy diagrams_war_url: https://github.com/jgraph/drawio/releases/download/v{{ diagrams_version }}/draw.war # Expected sha1 of the WAR file -diagrams_war_sha1: 54db4de31408d309dfc27ec81a6def55bca15afc +diagrams_war_sha1: ceee75855e8ac9a69d3723c2aa8c414a59d9c565 # root directory of the installation diagrams_root_dir: /opt/diagrams # Should ansible manage upgrades, or just initial install ? diff --git a/roles/etherpad/defaults/main.yml b/roles/etherpad/defaults/main.yml index 822e2e3..a08d4a9 100644 --- a/roles/etherpad/defaults/main.yml +++ b/roles/etherpad/defaults/main.yml @@ -40,8 +40,11 @@ etherpad_theme: colibris # List of plugins to install etherpad_plugins_base: - - adminpads - delete_after_delay - delete_empty_pads etherpad_plugins_extra: [] etherpad_plugins: "{{ etherpad_plugins_base + etherpad_plugins_extra }}" + +# If you add the whiteboard plugin, set the URL +# See https://www.npmjs.com/package/ep_whiteboard +# etherpad_wbo_host: wbo.example.org diff --git a/roles/etherpad/tasks/install.yml b/roles/etherpad/tasks/install.yml index 3143eee..d3c77f2 100644 --- a/roles/etherpad/tasks/install.yml +++ b/roles/etherpad/tasks/install.yml 
@@ -51,6 +51,27 @@ notify: restart etherpad tags: etherpad +- name: Link plugins + file: src={{ etherpad_root_dir }}/app/src/node_modules/ep_{{ item }} dest={{ etherpad_root_dir }}/app/node_modules/ep_{{ item }} state=link + loop: "{{ etherpad_plugins }}" + notify: restart etherpad + tags: etherpad + +- name: List linked plugins + shell: find {{ etherpad_root_dir }}/app/node_modules/ -type l -maxdepth 1 -mindepth 1 -exec basename "{}" \; + register: etherpad_linked_plugins + changed_when: False + tags: etherpad + +- name: Unlink unmanaged plugins + file: path={{ etherpad_root_dir }}/app/node_modules/{{ item }} state=absent + loop: "{{ etherpad_linked_plugins.stdout_lines }}" + when: + - item | regex_replace('^ep_', '') not in etherpad_plugins + - item != 'ep_etherpad-lite' + notify: restart etherpad + tags: etherpad + - import_tasks: ../includes/webapps_create_mysql_db.yml vars: - db_name: "{{ etherpad_db_name }}" diff --git a/roles/etherpad/templates/settings.json.j2 b/roles/etherpad/templates/settings.json.j2 index be4d430..d06740c 100644 --- a/roles/etherpad/templates/settings.json.j2 +++ b/roles/etherpad/templates/settings.json.j2 @@ -22,6 +22,11 @@ "is_admin" : true } }, +{% if 'whiteboard' in etherpad_plugins and etherpad_wbo_host is defined %} + "ep_draw": { + "host": "{{ etherpad_wbo_host }}" + }, +{% endif %} "ep_delete_after_delay": { "delay" : 2592000, "loop" : true, diff --git a/roles/gitea/defaults/main.yml b/roles/gitea/defaults/main.yml index 740d132..a9e19bd 100644 --- a/roles/gitea/defaults/main.yml +++ b/roles/gitea/defaults/main.yml 
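Review bot: `List linked plugins` uses the `shell` module for a command that needs no shell features, with `{{ etherpad_root_dir }}` unquoted on the command line; `command: find "{{ etherpad_root_dir }}/app/node_modules/" -mindepth 1 -maxdepth 1 -type l -exec basename "{}" \;` avoids the shell entirely and also puts `-mindepth`/`-maxdepth` before `-type`, where GNU find expects global options (in the current order it prints a warning to stderr). `Unlink unmanaged plugins` then deletes every top-level symlink whose name is not derived from `etherpad_plugins`, which is what it is meant to do, but it is destructive enough to deserve a comment such as `# Any plugin symlinked by hand in app/node_modules is removed on the next run`. Both loops assume the plugin directory under `app/src/node_modules` exists; if it does not, `file state=link` fails rather than leaving a dangling link, which is the safer behaviour but worth stating.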
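Review bot: `"host": "{{ etherpad_wbo_host }}"` drops the variable into JSON without escaping, so a value containing a quote or backslash produces an invalid `settings.json` and takes etherpad down on the restart the same play triggers; `"host": {{ etherpad_wbo_host | to_json }}` keeps the quoting correct for any value. The guard keys on the plugin name `whiteboard` but writes the config block as `ep_draw`; if that is genuinely the key the plugin reads, a one-line comment above the `{% if %}` saying so would save the next reader a trip to npm, and if it is not, the block is silently ignored.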
@@ -1,11 +1,11 @@ --- # Version to install -gitea_version: 1.15.7 +gitea_version: 1.15.9 # URL to the binary gitea_bin_url: https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64 # sha256 of the binary -gitea_bin_sha256: 39b2a3f447a102822216fcc695fafed64dd5745d455ce9bdb15381e80f0f38e5 +gitea_bin_sha256: dbdefbeed7073951ba955cb6c40bd7d9ece7a349c1326ad80c314690ff3616f1 # Handle updates. If set to false, ansible will only install # Gitea and then won't touch an existing installation gitea_manage_upgrade: True diff --git a/roles/gitea/tasks/conf.yml b/roles/gitea/tasks/conf.yml index f3e154b..19692f3 100644 --- a/roles/gitea/tasks/conf.yml +++ b/roles/gitea/tasks/conf.yml @@ -32,3 +32,8 @@ changed_when: False tags: gitea +- name: Regenerate authorized_keys + command: "{{ gitea_root_dir }}/bin/gitea -c {{ gitea_root_dir }}/etc/app.ini admin regenerate keys" + become_user: gitea + when: gitea_install_mode == 'upgrade' + tags: gitea diff --git a/roles/matrix_element/defaults/main.yml b/roles/matrix_element/defaults/main.yml index f2b0d87..d6d2f7c 100644 --- a/roles/matrix_element/defaults/main.yml +++ b/roles/matrix_element/defaults/main.yml @@ -5,9 +5,9 @@ element_id: element # Version to deploy, and expected sha1 -element_version: 1.9.7 +element_version: 1.9.8 # sha1sum of the tar.gz -element_archive_sha1: a99123bce678b0e63380790ce80cafeb4e0d89ec +element_archive_sha1: 2f3099c119253f2c5d248ca7c8af9019dbc55a03 # Where to install element element_root_dir: /opt/matrix/element diff --git a/roles/matrix_synapse/defaults/main.yml b/roles/matrix_synapse/defaults/main.yml index adca8c5..8e7f882 100644 --- a/roles/matrix_synapse/defaults/main.yml +++ b/roles/matrix_synapse/defaults/main.yml @@ -1,7 +1,7 @@ --- # Synapse version to deploy -synapse_version: 1.49.0 +synapse_version: 1.49.2 # Should ansible handle Synapse upgrades ? If false, only initial install will be done synapse_manage_upgrade: True 
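Review bot: `Regenerate authorized_keys` is a bare `command` with no `changed_when` or `creates`, so every run with `gitea_install_mode == 'upgrade'` rewrites the file and reports a change, which makes the play non-idempotent and noisy in diffs. If the regeneration is only needed when the binary was actually replaced, register the binary install task (outside this hunk) and condition on its `.changed` together with the existing `when`; otherwise a comment explaining why it must run on every upgrade pass would settle the question. `become_user: gitea` is hard-coded while the paths in the same task are templated from `gitea_root_dir`; if the role has a user variable it should be used here as well.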
diff --git a/roles/openxpki/defaults/main.yml b/roles/openxpki/defaults/main.yml index ccd811d..f2d22ad 100644 --- a/roles/openxpki/defaults/main.yml +++ b/roles/openxpki/defaults/main.yml @@ -1,8 +1,8 @@ --- -pki_version: '3.16.0' +pki_version: '3.16.1' pki_archive_url: https://github.com/openxpki/openxpki/archive/v{{ pki_version }}.tar.gz -pki_archive_sha1: 9bba585de36b81f70a7a315f8a591e388c516b38 +pki_archive_sha1: 87eb892bcf4d7098e0803e0f03d66f1268d4fcef pki_config_version: '3.16' pki_config_archive_url: https://github.com/openxpki/openxpki-config/archive/v{{ pki_config_version }}.tar.gz diff --git a/roles/pgadmin4/defaults/main.yml b/roles/pgadmin4/defaults/main.yml index f74b743..a9b818f 100644 --- a/roles/pgadmin4/defaults/main.yml +++ b/roles/pgadmin4/defaults/main.yml @@ -10,7 +10,7 @@ pga_src_ip: [] # Root dir where the app will be installed pga_root_dir: /opt/pgadmin4_{{ pga_id }} # Version to deploy -pga_version: '6.2' +pga_version: '6.3' # URL of the wheel pga_pip_url: https://ftp.postgresql.org/pub/pgadmin/pgadmin4/v{{ pga_version }}/pip/pgadmin4-{{ pga_version }}-py3-none-any.whl diff --git a/roles/pgadmin4/templates/config_local.py.j2 b/roles/pgadmin4/templates/config_local.py.j2 index a1f1cac..488303b 100644 --- a/roles/pgadmin4/templates/config_local.py.j2 +++ b/roles/pgadmin4/templates/config_local.py.j2 @@ -35,4 +35,4 @@ OAUTH2_CONFIG=[{ WEBSERVER_AUTO_CREATE_USER=True WEBSERVER_REMOTE_USER='{{ pga_webserver_header }}' {% endif %} - +AUTO_DISCOVER_SERVERS = False diff --git a/roles/rpm_build_server/README.md b/roles/rpm_build_server/README.md new file mode 100644 index 0000000..08912f8 --- /dev/null +++ b/roles/rpm_build_server/README.md @@ -0,0 +1,14 @@ +# RPM Build Server + +# Description +This role will configure an rpm build server + +# Compatibility +The role is testing on the following distributions +* AlmaLinux 8 + +# Settings + +# Installation + +# Upgrades 
diff --git a/roles/rpm_build_server/defaults/main.yml b/roles/rpm_build_server/defaults/main.yml new file mode 100644 index 0000000..8da020f --- /dev/null +++ b/roles/rpm_build_server/defaults/main.yml 
@@ -0,0 +1,47 @@ +--- + +rpm_root_dir: /opt/rpm-build +rpm_packager: RPM Builder +# User account under which the buildsys will run +# will be created +rpm_user: rpmbuilder +# Unix group allowed to submit builds +rpm_build_group: rpmbuilders +# Admin email where notifications will be sent +rpm_admin_email: "{{ system_admin_email | default('root@' ~ ansible_domain) }}" +# name of the GPG key used to sign the packages +rpm_gpg_name: RPM Signing Key +rpm_gpg_email: rpms@{{ ansible_domain }} +# optional passphrase for the GPG Key +# rpm_gpg_pass: S3cr3tP@ssPhr4z + +# You can configure remote mirrors to which the local repo will be synced with rsync +# rpm_mirrors: +# - dest: repo@repo.example.org:/opt/repo/rpms/ +# rsync_opts: +# - '--times' +# - '--recursive' +# - '--partial' +# - '--delete-after' +# - '--exclude=archives' + +# A list of rsync options which will be used to sync repo to mirrors +# This is a fallback if rsync_opts is not defined for a mirror +rpm_mirror_rsync_opts: + - '--times' + - '--recursive' + - '--partial' + - '--delete-after' + +# You can use an LDAP server to lookup email address of build +# submitters. The buildsys will first get the username of the uploaded SRPM +# and then lookup into LDAP as configured here for the corresponding email address +# If an email if found, notifications will be sent to the submitter's address +rpm_ldap_servers: "{{ ad_ldap_servers is defined | ternary(ad_ldap_servers | map('regex_replace', '^(.*)', 'ldap://\\1') | list, []) }}" +rpm_ldap_start_tls: True +# rpm_ldap_bind_dn: CN=Build System,OU=Apps,DC=foo,DC=bar +# rpm_ldap_bind_pass: S3cr3t. +rpm_ldap_search_base: "{{ ad_ldap_user_search_base is defined | ternary(ad_ldap_user_search_base, ansible_domain | regex_replace('\\.', ',DC=')) }}" +# The {user} string will be replaced with the username of the submiter of the build +rpm_ldap_search_filter: (&(objectClass=user)(userPrincipalName={user})(mail=*)) +rpm_ldap_email_attr: mail 
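Review bot: The comment above `rpm_ldap_search_filter` should say what `{user}` actually is: the watcher substitutes the Unix login of the SRPM's owner (from `getpwuid`) verbatim, with no LDAP filter escaping, so the default `userPrincipalName={user}` only matches when logins equal UPNs on the directory in use — on Active Directory a UPN normally carries the realm, so this is worth confirming. A line such as `# {user} is replaced, unescaped, by the Unix login name of the SRPM's owner` makes the contract explicit. Booleans in this file are written `True`, whereas yamllint's `truthy` rule and idiomatic Ansible want `true`, and the commented `rpm_gpg_pass` / `rpm_ldap_bind_pass` examples should state that real values belong in vault-encrypted vars, since `rpm_gpg_pass` ends up on a gpg command line in `tasks/conf.yml`.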
diff --git a/roles/rpm_build_server/files/watcher.pl b/roles/rpm_build_server/files/watcher.pl new file mode 100644 index 0000000..c28c655 --- /dev/null +++ b/roles/rpm_build_server/files/watcher.pl 
@@ -0,0 +1,357 @@ +#!/usr/bin/perl + +use strict; +use warnings; +use Linux::Inotify2; +use YAML::Tiny; +use Getopt::Long; +use File::stat; +use File::Find; +use File::Basename; +use File::Path qw(make_path); +use File::Copy qw(move); +use AnyEvent; +use RPM2; +use Time::HiRes 'time'; +use Email::MIME; +use Email::Sender::Simple qw(sendmail); +use Email::Sender::Transport::Sendmail; +use Net::LDAP; + +# Init an empty conf +my $conf = {}; + +# Disable output buffering +$| = 1; + +# Defaults for command line flags +my $opt = { + config => '../etc/config.yml', + verbose => 0, + quiet => 0 +}; + +# Read some options from the command line +GetOptions ( + 'config=s' => \$opt->{config}, + 'quiet' => \$opt->{quiet}, + 'verbose' => \$opt->{verbose} +); + +# Check if the config file exists, and if so, parse it +# and load it in $conf +if ( -e $opt->{config} ) { + log_verbose( "Reading config file " . $opt->{config} ); + my $yaml = YAML::Tiny->read( $opt->{config} ); + + if ( not $yaml or not $yaml->[0] ) { + die "Config file " . $opt->{config} . " is invalid\n"; + } + $conf = $yaml->[0]; +} else { + # If the config file doesn't exist, just die + die "Config file " . $opt->{config} . " doesn't exist\n"; +} + +# If ldap is configured, we'll use it to lookup email +# addresses of submitters to send them notifications +my $ldap; +my $ldap_msg; +if (defined $conf->{ldap} and defined $conf->{ldap}->{servers}){ + log_verbose("Connecting to " . join(', ', @{$conf->{ldap}->{servers}})); + $ldap = new Net::LDAP($conf->{ldap}->{servers}, + timeout => 10, + ); + if (not defined $ldap){ + log_info("Couldn't connect to any LDAP servers (" . join(',', @{$conf->{ldap}->{servers}}) . ")"); + } else { + if (defined $conf->{ldap}->{start_tls} and $conf->{ldap}->{start_tls}){ + log_verbose("Upgrade LDAP connection using StartTLS"); + $ldap_msg = $ldap->start_tls( + verify => 'require' + ); + if ($ldap_msg->code){ + log_verbose("StartTLS failed : " . 
$ldap_msg->error); + log_verbose("LDAP support will be disabled"); + $ldap = undef; + } + } + if (defined $conf->{ldap}->{bind_dn} and defined $conf->{ldap}->{bind_pass}){ + log_verbose("Binding as $conf->{ldap}->{bind_dn}"); + $ldap_msg = $ldap->bind( + $conf->{ldap}->{bind_dn}, + password => $conf->{ldap}->{bind_pass} + ); + if ($ldap_msg->code){ + log_verbose("LDAP bind failed : " . $ldap_msg->error); + log_verbose("LDAP support will be disabled"); + $ldap = undef; + } + } else { + log_verbose("Using anonymous bind"); + $ldap_msg = $ldap->bind; + } + } +} else { + log_verbose("No LDAP servers configured"); +} + +my $inotify = new Linux::Inotify2 + or die "Unable to create new inotify object: $!"; + +log_verbose("Searching for folders in $conf->{paths}->{uploads}"); +find({ + wanted => sub { -d and create_watcher($inotify, $File::Find::name); } +}, $conf->{paths}->{uploads}); + +my $cv = AnyEvent->condvar; + +my $poller = AnyEvent->io( + fh => $inotify->fileno, + poll => 'r', + cb => sub { $inotify->poll } +); + +# Receive event signals (inotify signals) +$cv->recv; + +# Print messages only if the verbose flag was given +sub log_verbose { + my $msg = shift; + print $msg . "\n" if ( $opt->{verbose} ); +} + +# Print normal messages +sub log_info { + my $msg = shift; + print $msg . "\n" if ( not $opt->{quiet} ); +} + +# Print error messages +sub log_error { + my $msg = shift; + print $msg . 
"\n"; +} + +# Create a watcher for a specific directory +sub create_watcher { + my ($inotify, $dir) = @_; + log_verbose("Start watching folder $dir"); + $inotify->watch ($dir, IN_CLOSE_WRITE | IN_MOVED_TO, sub { + my $event = shift; + my $candidate = $event->fullname; + handle_submit($candidate); + }); +} + +# takes the path of an SRPM to rebuild, +# build it with mock, sign the result, update the repo +# and sync to remote mirrors if defined +sub handle_submit { + my $srpm = shift; + if (not -f $srpm){ + log_verbose("$srpm isn't a file, ignoring"); + return; + } + if ($srpm !~ m/src\.rpm$/i){ + log_verbose("New file $srpm isn't an src.rpm file, ignoring"); + return; + } + log_info("New file to process $srpm"); + my $submiter = getpwuid(stat($srpm)->uid); + my $email; + log_info("File submited by $submiter"); + if (defined $ldap){ + $email = user2email($submiter); + if (not defined $email){ + log_verbose("LDAP returned no result"); + } + } + if (defined $email){ + log_verbose("Notifications will be sent to $email"); + } else { + log_verbose("No email address for $submiter, no notification will be sent"); + } + my $src_pkg = RPM2->open_package($srpm); + if (not $src_pkg->is_source_package){ + log_verbose("Couldn't parse $srpm as a valid srpm"); + return; + } + my $target = basename(dirname($srpm)); + if (not defined $conf->{targets}->{$target}){ + log_info("$srpm submited for target $target, but it's not defined in the configuration"); + } + foreach my $arch (@{$conf->{targets}->{$target}}){ + my $job_id = $src_pkg->as_nvre() . '-' . time(); + my $result = $conf->{paths}->{builds} . '/' . $submiter . '/' . $target . '-' . $arch . '/' . $job_id; + log_info("Rebuilding $srpm for $target/$arch in $result (job ID $job_id)"); + make_path($result); + my $mock_msg; + foreach my $out (qx(mock -r $target-$arch --resultdir=$result $srpm 2>&1)){ + chomp $out; + $mock_msg .= $out; + log_info("[$job_id] $out"); + } + if ($? 
!= 0) { + log_info("[$job_id] Build submited by $submiter failed"); + handle_error($job_id, 'Mock build', $mock_msg); + return; + } + my $repo_dir = $conf->{paths}->{repo}; + my $repo_cache_dir = $conf->{paths}->{repo_cache}; + if ($src_pkg->release =~ m/\.(beta|git\.)/){ + $repo_dir .= '/testing'; + $repo_cache_dir .= '/testing'; + } + $repo_dir .= '/' . $target; + $repo_cache_dir .= '/' . $target; + find({ + wanted => sub { + return if (not -f); + return if (not $_ =~ m/\.rpm$/); + my $built_pkg = $_; + log_info("[$job_id] Signing package $built_pkg"); + # Note : the optional passphrase for the gpg key is in rpmmacros + qx(rpm --addsign $built_pkg); + if ($? != 0) { + log_info("[$job_id] Signing failed"); + handle_error($job_id, 'Package signature error', "Command rpm --addsign $built_pkg failed"); + return; + } + # Open the package without checking the signature, as the key might not be present in the + # rpm trusted store + my $pkg = RPM2->open_package($built_pkg, RPM2->_rpmvsf_nosignatures); + my $dest = $repo_dir; + if ($pkg->is_source_package){ + $dest .= '/SRPMS'; + } else { + # the resulting RPM can be noarch, so use this instead of $arch + $dest .= '/' . $pkg->arch; + } + log_info("[$job_id] Moving $built_pkg to the repo $dest"); + make_path($dest); + make_path($repo_cache_dir); + move $built_pkg, $dest . '/' . basename($built_pkg); + } + }, $result); + log_info("[$job_id] Updating repo metadata for $target"); + qx(createrepo --checksum sha -x "*debuginfo*" --update -c $repo_cache_dir $repo_dir); + if ($? 
!= 0) { + log_info("[$job_id] Createrepo failed"); + handle_error( + $job_id, + 'Createrepo error', + "Command createrepo --checksum sha -x \"*debuginfo*\" --update -c $repo_cache_dir $repo_dir" + ); + return; + } + log_info("[$job_id] Building package finished"); + # Now push to mirrors if defined + if (defined $conf->{mirror} and defined $conf->{mirror}->{push}){ + foreach my $mirror (@{$conf->{mirror}->{push}}){ + log_info("[$job_id] syncing repo to $mirror->{dest}"); + my $rsync_cmd = 'rsync '; + if (defined $mirror->{rsync_opts}){ + $rsync_cmd .= join(' ', @{$mirror->{rsync_opts}}); + } else { + $rsync_cmd .= join(' ', @{$conf->{mirror}->{rsync_opts}}); + } + $rsync_cmd .= ' ' . $conf->{paths}->{repo} . '/ ' . $mirror->{dest} . '/'; + log_verbose("[$job_id] Running command $rsync_cmd"); + foreach my $out (qx($rsync_cmd 2>&1)){ + chomp $out; + log_verbose("[$job_id] $out"); + } + if ($? != 0) { + log_info("[$job_id] Syncing to $mirror->{dest} failed"); + handle_error($job_id, 'Mirror update error', "Command $rsync_cmd failed"); + return; + } + } + } + if (defined $email){ + my $body = "Resulting RPM are available in $conf->{paths}->{repo}/$target"; + if (defined $conf->{mirror} and defined $conf->{mirror}->{push}){ + $body .= "\nand have been synced to the following mirror:\n"; + foreach my $mirror (@{$conf->{mirror}->{push}}){ + $body .= "$mirror->{dest}\n"; + } + } + send_notification( + $email, + "Rebuilding " . $src_pkg->as_nvre() . " for $target/$arch succeded", + $body + ); + } + } +} + +# Handle errors. Log it, and notify the admin +sub handle_error { + my $job_id = shift; + my $step = shift; + my $err = shift; + my $dest = shift; + + log_error( $err ); + if ( defined $conf->{notify}->{to} ) { + send_notification( + $conf->{notify}->{to}, + "Error while building $job_id", + "Building $job_id failed at step '$step'. 
The error was\n$err\n" + ); + } + if ( defined $dest ) { + send_notification( + $dest, + "Error while building $job_id", + "Building $job_id failed at step '$step'. The error was\n$err\n" + ); + } +} + +# Send an email message +sub send_notification { + my $to = shift; + my $subject = shift; + my $body = shift; + my $mail = Email::MIME->create( + header_str => [ + From => $conf->{notify}->{from}, + To => $to, + Subject => $subject + ], + attributes => { + charset => 'utf-8', + encoding => 'base64' + }, + body_str => $body + ); + my $transport = Email::Sender::Transport::Sendmail->new(); + sendmail( $mail, { transport => $transport } ); +} + +# Lookup in LDAP if we can get the email address of a user +sub user2email { + my $user = shift; + if (not defined $ldap or not defined $conf->{ldap}->{search_base} or not defined $conf->{ldap}->{search_filter}){ + return; + } + my $filter = $conf->{ldap}->{search_filter}; + $filter =~ s/\{user\}/$user/g; + log_verbose("Searching in $conf->{ldap}->{search_base} with filter $filter"); + my $results = $ldap->search( + base => $conf->{ldap}->{search_base}, + filter => $filter, + attrs => [ $conf->{ldap}->{email_attr} ] + ); + if ($results->code){ + log_verbose("Error occured while searching in LDAP : " . $results->error); + return; + } + if ($results->count != 1){ + log_verbose("Searching returned " . $results->count . "result(s), while it should have returned 1"); + return; + } + return $results->entry(0)->get_value( $conf->{ldap}->{email_attr} ); +} diff --git a/roles/rpm_build_server/handlers/main.yml b/roles/rpm_build_server/handlers/main.yml new file mode 100644 index 0000000..13c3f4d --- /dev/null +++ b/roles/rpm_build_server/handlers/main.yml @@ -0,0 +1,8 @@ +--- + +- name: reset permissions + command: "{{ rpm_root_dir }}/bin/perms.sh" + +- name: restart build-watcher + service: name=build-watcher state=restarted + 
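Review bot: `qx(mock -r $target-$arch --resultdir=$result $srpm 2>&1)` in `handle_submit`, and `qx(rpm --addsign $built_pkg)` in the find callback, interpolate file names into a shell command line, and `$srpm` is whatever name a member of the build group chose when dropping a file into the uploads tree, so a name containing shell metacharacters runs as the watcher user (which also holds `mock` group membership). Reject names outside a strict character set before doing anything with the file, and pass arguments as a list so no shell is involved, as sketched below; with `open '-|'` mock's stderr is no longer merged into the captured output, so either accept that it goes to the journal or move to IPC::Open3. Two smaller defects in the same function: when `$target` is not in the configuration the code logs and falls through into the `foreach` instead of `return`ing, and the `return` after a failed `rpm --addsign` only leaves the find callback, so the remaining packages are still moved and `createrepo` still publishes the repo after a signing failure.
```perl
# … unchanged: -f / src.rpm checks, submitter lookup …
# Only plain SRPM file names may reach a command line.
my $srpm_name = basename($srpm);
if ($srpm_name !~ m/^[A-Za-z0-9._+-]+\.src\.rpm$/) {
    log_info("Refusing $srpm: unexpected characters in file name");
    return;
}
# … unchanged: RPM2 parse …
my $target = basename(dirname($srpm));
if (not defined $conf->{targets}->{$target}){
    log_info("$srpm submited for target $target, but it's not defined in the configuration");
    return;
}
foreach my $arch (@{$conf->{targets}->{$target}}){
    # … unchanged: job id / result dir …
    # List form: every argument is passed as-is, no shell parsing.
    open(my $mock_fh, '-|', 'mock', '-r', "$target-$arch", "--resultdir=$result", $srpm)
        or do { handle_error($job_id, 'Mock build', "Cannot run mock: $!"); return; };
    my $mock_msg = '';
    while (my $out = <$mock_fh>) {
        chomp $out;
        $mock_msg .= $out;
        log_info("[$job_id] $out");
    }
    close($mock_fh);
    # … unchanged: $? check and error handling …
```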
diff --git a/roles/rpm_build_server/tasks/conf.yml b/roles/rpm_build_server/tasks/conf.yml new file mode 100644 index 0000000..bbc585a --- /dev/null +++ b/roles/rpm_build_server/tasks/conf.yml @@ -0,0 +1,58 @@ +--- + +- name: Deploy mock config + template: src=mock/{{ item }}.j2 dest=/etc/mock/{{ item }} + loop: + - site-defaults.cfg + - el7-x86_64.cfg + - el8-x86_64.cfg + tags: rpm + +- name: Deploy rpmmacros + template: src=rpmmacros.j2 dest={{ rpm_root_dir }}/.rpmmacros owner={{ rpm_user }} mode=600 + tags: rpm + +- name: Deploy main configuration + template: src=config.yml.j2 dest={{ rpm_root_dir }}/etc/config.yml + notify: restart build-watcher + tags: rpm + +- name: Check if gpg key exists + shell: gpg --list-options show-only-fpr-mbox --list-secret-keys | grep -q "{{ rpm_gpg_email }}" + failed_when: False + changed_when: False + register: rpm_gpg_key_exists + become_user: "{{ rpm_user }}" + tags: rpm + +- name: Flush handlers to set permissions on directories + meta: flush_handlers + tags: rpm + +- when: rpm_gpg_key_exists.rc != 0 + block: + - name: Generate main key + shell: | + gpg --batch \ + --passphrase '{{ rpm_gpg_pass is defined | ternary(rpm_gpg_pass, '') }}' \ + --pinentry-mode loopback \ + --quick-gen-key "{{ rpm_gpg_name }} <{{ rpm_gpg_email }}>" rsa3072 default never + + - name: Get key ID + shell: gpg --list-options show-only-fpr-mbox --list-secret-keys | grep {{ rpm_gpg_email }} | awk '{ print $1 }' + register: rpm_gpg_key_id + changed_when: False + + - name: Add sub key + shell: | + gpg --batch \ + --passphrase '{{ rpm_gpg_pass is defined | ternary(rpm_gpg_pass, '') }}' \ + --pinentry-mode loopback \ + --quick-add-key {{ rpm_gpg_key_id.stdout }} rsa3072 default never \ + + - name: Export public key + shell: gpg --export -a "rpms@lapiole.org" > {{ rpm_root_dir }}/repo/RPM-GPG-KEY + + become_user: "{{ rpm_user }}" + tags: rpm + 
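Review bot: `Export public key` hard-codes `"rpms@lapiole.org"` while every other task in the block keys on `{{ rpm_gpg_email }}`, so on any other domain the export addresses a key that does not exist and `repo/RPM-GPG-KEY` is written empty; it should read `gpg --export -a "{{ rpm_gpg_email }}" > {{ rpm_root_dir }}/repo/RPM-GPG-KEY`. The two key-generation tasks pass `rpm_gpg_pass` as `--passphrase '…'` on the command line, where it is visible to every user on the host in the process list while gpg runs and is echoed into the Ansible log; using `--passphrase-fd 0` with the module's `stdin: "{{ rpm_gpg_pass | default('') }}"` plus `no_log: True` keeps it out of both. When `rpm_gpg_pass` is unset the result is a signing key with no passphrase, which is a reasonable choice for an unattended signer but deserves a comment on the block rather than being implied by `ternary(rpm_gpg_pass, '')`. Minor: `mode=600` on the rpmmacros task should be the string `"0600"`, and the trailing `\` after `never` in `Add sub key` continues onto an empty line.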
diff --git a/roles/rpm_build_server/tasks/directories.yml b/roles/rpm_build_server/tasks/directories.yml new file mode 100644 index 0000000..cd4c2f0 --- /dev/null +++ b/roles/rpm_build_server/tasks/directories.yml @@ -0,0 +1,18 @@ +--- + +- name: Create directories + file: path={{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }} + loop: + - dir: "{{ rpm_root_dir }}" + - dir: "{{ rpm_root_dir }}/mock" + - dir: "{{ rpm_root_dir }}/cache" + - dir: "{{ rpm_root_dir }}/cache/mock" + - dir: "{{ rpm_root_dir }}/cache/repo" + - dir: "{{ rpm_root_dir }}/repo" + - dir: "{{ rpm_root_dir }}/bin" + - dir: "{{ rpm_root_dir }}/uploads/el7" + - dir: "{{ rpm_root_dir }}/uploads/el8" + - dir: "{{ rpm_root_dir }}/errors" + - dir: "{{ rpm_root_dir }}/builds" + - dir: "{{ rpm_root_dir }}/etc" + tags: rpm diff --git a/roles/rpm_build_server/tasks/facts.yml b/roles/rpm_build_server/tasks/facts.yml new file mode 100644 index 0000000..6ac9d61 --- /dev/null +++ b/roles/rpm_build_server/tasks/facts.yml @@ -0,0 +1,9 @@ +--- + +- include_vars: "{{ item }}" + with_first_found: + - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml + - vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml + - vars/{{ ansible_distribution }}.yml + - vars/{{ ansible_os_family }}.yml + tags: rpm diff --git a/roles/rpm_build_server/tasks/install.yml b/roles/rpm_build_server/tasks/install.yml new file mode 100644 index 0000000..3c91268 --- /dev/null +++ b/roles/rpm_build_server/tasks/install.yml 
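Review bot: None of the loop items in `Create directories` carries an `owner`, `group` or `mode`, so every `default(omit)` resolves to omit and all twelve directories are created root-owned under the default umask, while the watcher runs as `{{ rpm_user }}` and writes into `repo`, `cache` and `builds`, and submitters must write into `uploads/el7` and `uploads/el8`. Presumably the `perms.sh` handler (not in this chunk) repairs ownership afterwards, but the role is then only correct once handlers have flushed, and the omit plumbing here is dead code. Setting ownership inline — `owner: "{{ rpm_user }}"` on the writable directories, and `group: "{{ rpm_build_group }}"` with `mode: "2775"` on the upload directories — makes the task self-contained; note that the watcher derives the build target from the upload subdirectory name, so submitters should not be able to create new subdirectories under `uploads`.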
@@ -0,0 +1,22 @@
+---
+
+- name: Deploy permission script
+ template: src=perms.sh.j2 dest={{ rpm_root_dir }}/bin/perms.sh mode=755
+ notify: reset permissions
+ tags: rpm
+
+- name: Install watcher daemon
+ copy: src=watcher.pl dest={{ rpm_root_dir }}/bin/watcher.pl mode=755
+ notify: restart build-watcher
+ tags: rpm
+
+- name: Deploy systemd unit
+ template: src=build-watcher.service.j2 dest=/etc/systemd/system/build-watcher.service
+ notify: restart build-watcher
+ register: rpm_unit
+ tags: rpm
+
+- name: Reload systemd
+ systemd: daemon_reload=True
+ when: rpm_unit.changed
+ tags: rpm
diff --git a/roles/rpm_build_server/tasks/main.yml b/roles/rpm_build_server/tasks/main.yml
new file mode 100644
index 0000000..7b749d0
--- /dev/null
+++ b/roles/rpm_build_server/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+
+- include: facts.yml
+- include: requirements.yml
+- include: user.yml
+- include: directories.yml
+- include: install.yml
+- include: conf.yml
+- include: services.yml
diff --git a/roles/rpm_build_server/tasks/requirements.yml b/roles/rpm_build_server/tasks/requirements.yml
new file mode 100644
index 0000000..f64a70f
--- /dev/null
+++ b/roles/rpm_build_server/tasks/requirements.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Install required packages
+ package: name={{ rpm_packages }}
+ tags: rpm
diff --git a/roles/rpm_build_server/tasks/services.yml b/roles/rpm_build_server/tasks/services.yml
new file mode 100644
index 0000000..1e280b7
--- /dev/null
+++ b/roles/rpm_build_server/tasks/services.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Start and enable the build watcher
+ service: name=build-watcher state=started enabled=True
+ tags: rpm
diff --git a/roles/rpm_build_server/tasks/user.yml b/roles/rpm_build_server/tasks/user.yml
new file mode 100644
index 0000000..4b53ea9
--- /dev/null
+++ b/roles/rpm_build_server/tasks/user.yml
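Review bot: main.yml uses the `include:` keyword, which Ansible deprecated in 2.4 in favour of `import_tasks` (static) and `include_tasks` (dynamic) and warns about on every run; the same applies to roles/wbo/tasks/main.yml later in this patch, where `- include: iptables.yml` with its `when:` becomes `- import_tasks: iptables.yml` with the same `when:` (still applied to each imported task, as today). Replacing the seven lines here with `- import_tasks: facts.yml` through `- import_tasks: services.yml` keeps the static, tag-inheriting behaviour the role relies on while removing the deprecation warning.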
@@ -0,0 +1,23 @@
+---
+
+- name: Create build user
+ user:
+ name: "{{ rpm_user }}"
+ system: True
+ home: "{{ rpm_root_dir }}"
+ generate_ssh_key: True
+ ssh_key_file: .ssh/id_rsa
+ tags: rpm
+
+- name: Create builder group
+ group:
+ name: "{{ rpm_build_group }}"
+ tags: rpm
+
+- name: Add build user to the mock group
+ user:
+ name: "{{ rpm_user }}"
+ append: True
+ groups:
+ - mock
+ tags: rpm
diff --git a/roles/rpm_build_server/templates/build-watcher.service.j2 b/roles/rpm_build_server/templates/build-watcher.service.j2
new file mode 100644
index 0000000..c4a1439
--- /dev/null
+++ b/roles/rpm_build_server/templates/build-watcher.service.j2
@@ -0,0 +1,16 @@
+[Unit]
+Description=RPM Build watcher service
+
+[Service]
+Type=simple
+User={{ rpm_user }}
+Group={{ rpm_user }}
+ExecStart=/usr/bin/perl {{ rpm_root_dir }}/bin/watcher.pl --config {{ rpm_root_dir }}/etc/config.yml --verbose
+WorkingDirectory={{ rpm_root_dir }}/
+Restart=always
+ReadWritePaths=/run {{ rpm_root_dir }}/repo {{ rpm_root_dir }}/cache {{ rpm_root_dir }}/builds
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/roles/rpm_build_server/templates/config.yml.j2 b/roles/rpm_build_server/templates/config.yml.j2
new file mode 100644
index 0000000..0a87afb
--- /dev/null
+++ b/roles/rpm_build_server/templates/config.yml.j2
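Review bot: `ReadWritePaths=` on its own does nothing: it only carves writable exceptions out of a file system made read-only by `ProtectSystem=` or `ReadOnlyPaths=`, and this unit sets neither, so the watcher keeps full write access and the line only suggests a hardening that is not in effect. If confinement is the intent, add `ProtectSystem=strict` to `[Service]` and extend `ReadWritePaths=` to everything the daemon actually writes — judging from directories.yml and conf.yml that probably includes `{{ rpm_root_dir }}/uploads`, `{{ rpm_root_dir }}/errors`, `{{ rpm_root_dir }}/mock` and the build user's `.gnupg` for signing, which needs a test run to confirm. `{{ rpm_root_dir }}` is the build user's home per user.yml, so `ProtectHome=` must stay off here. Otherwise drop the `ReadWritePaths=` line so the unit does not claim a restriction it does not apply.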
@@ -0,0 +1,52 @@
+---
+
+targets:
+ el7:
+ - x86_64
+ el8:
+ - x86_64
+
+paths:
+ repo: {{ rpm_root_dir }}/repo
+ repo_cache: {{ rpm_root_dir }}/cache/repo
+ builds: {{ rpm_root_dir }}/builds
+ uploads: {{ rpm_root_dir }}/uploads
+
+notify:
+ from: buildsys@{{ ansible_domain }}
+ to: {{ rpm_admin_email }}
+
+{% if rpm_mirrors is defined and rpm_mirrors | length > 0 %}
+mirror:
+ push:
+{% for mirror in rpm_mirrors %}
+ - dest: {{ mirror.dest }}
+{% if mirror.rsync_opts is defined %}
+ rsync_opts:
+{% for opt in mirror.rsync_opts %}
+ - '{{ opt }}'
+{% endfor %}
+{% endif %}
+{% endfor %}
+ rsync_opts:
+{% for opt in rpm_mirror_rsync_opts %}
+ - '{{ opt }}'
+{% endfor %}
+{% endif %}
+
+ldap:
+{% if rpm_ldap_servers is defined and rpm_ldap_servers | length > 0 %}
+ servers:
+{% for server in rpm_ldap_servers %}
+ - {{ server }}
+{% endfor %}
+{% else %}
+ servers: []
+{% endif %}
+ start_tls: {{ rpm_ldap_start_tls | ternary('True', 'False') }}
+ bind_dn: {{ rpm_ldap_bind_dn }}
+ bind_pass: {{ rpm_ldap_bind_pass | quote }}
+ search_base: {{ rpm_ldap_search_base }}
+ search_filter: {{ rpm_ldap_search_filter }}
+ email_attr: {{ rpm_ldap_email_attr }}
+
diff --git a/roles/rpm_build_server/templates/gpg-agent.conf.j2 b/roles/rpm_build_server/templates/gpg-agent.conf.j2
new file mode 100644
index 0000000..d1b6ae3
--- /dev/null
+++ b/roles/rpm_build_server/templates/gpg-agent.conf.j2
@@ -0,0 +1 @@
+allow-loopback-pinentry
diff --git a/roles/rpm_build_server/templates/gpg.conf.j2 b/roles/rpm_build_server/templates/gpg.conf.j2
new file mode 100644
index 0000000..740fb39
--- /dev/null
+++ b/roles/rpm_build_server/templates/gpg.conf.j2
@@ -0,0 +1,2 @@
+use-agent
+pinentry-mode loopback
diff --git a/roles/rpm_build_server/templates/mock/el7-x86_64.cfg.j2 b/roles/rpm_build_server/templates/mock/el7-x86_64.cfg.j2
new file mode 100644
index 0000000..29115a5
--- /dev/null
+++ b/roles/rpm_build_server/templates/mock/el7-x86_64.cfg.j2
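Review bot: `bind_pass: {{ rpm_ldap_bind_pass | quote }}` applies shell quoting (shlex.quote), not YAML quoting: a password containing a single quote is rendered as `'it'"'"'s'`, which is not a valid YAML scalar, while a password made only of shell-safe characters is left unquoted and at the mercy of YAML's plain-scalar rules. `bind_pass: {{ rpm_ldap_bind_pass | to_json }}` yields a double-quoted string that any YAML reader gets back unchanged, and the same filter suits `bind_dn`, `search_base` and `search_filter`, whose values can contain characters YAML treats specially (a leading `*`, `: `, ` #`). The `paths:` and `notify:` values are plain scalars too and are fine only as long as `rpm_root_dir` and the addresses never contain `: ` or ` #`; a one-line comment at the top of the template stating that constraint would help the next person who changes a default.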
@@ -0,0 +1,25 @@
+include('templates/centos-7.tpl')
+include('templates/epel-7.tpl')
+
+config_opts['root'] = 'el7-x86_64'
+config_opts['target_arch'] = 'x86_64'
+config_opts['legal_host_arches'] = ('x86_64',)
+config_opts['macros']['%rhel'] = '7'
+config_opts['macros']['%dist'] = '.el7.dbd'
+
+config_opts['dnf.conf'] += """
+
+[rpmfusion-free-updates]
+baseurl = http://download1.rpmfusion.org/free/el/updates/7/x86_64/
+gpgcheck = 1
+gpgkey = https://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-free-el-7
+name = RPM Fusion for EL - Free - Updates
+
+[dbd]
+name=dbd
+baseurl=http://rpms.lapiole.org/el7/
+enabled=1
+gpgcheck=1
+gpgkey=https://rpms.lapiole.org/RPM-GPG-KEY
+
+"""
diff --git a/roles/rpm_build_server/templates/mock/el8-x86_64.cfg.j2 b/roles/rpm_build_server/templates/mock/el8-x86_64.cfg.j2
new file mode 100644
index 0000000..9032438
--- /dev/null
+++ b/roles/rpm_build_server/templates/mock/el8-x86_64.cfg.j2
@@ -0,0 +1,28 @@
+include('templates/almalinux-8.tpl')
+include('templates/epel-8.tpl')
+
+# Disable use_bootstrap_image until new release
+# See https://github.com/rpm-software-management/mock/issues/831
+config_opts['use_bootstrap_image'] = False
+config_opts['root'] = 'el8-x86_64'
+config_opts['target_arch'] = 'x86_64'
+config_opts['legal_host_arches'] = ('x86_64',)
+config_opts['macros']['%rhel'] = '8'
+config_opts['macros']['%dist'] = '.el8.dbd'
+
+config_opts['dnf.conf'] += """
+
+[rpmfusion-free-updates]
+baseurl = http://download1.rpmfusion.org/free/el/updates/8/x86_64/
+gpgcheck = 1
+gpgkey = https://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-free-el-8
+name = RPM Fusion for EL - Free - Updates
+
+[dbd]
+name=dbd
+baseurl=http://rpms.lapiole.org/el8/
+enabled=1
+gpgcheck=1
+gpgkey=https://rpms.lapiole.org/RPM-GPG-KEY
+
+"""
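Review bot: Both the el7 and el8 configs pull the `[dbd]` repository over plain `http://rpms.lapiole.org/...` while fetching its key from `https://rpms.lapiole.org/RPM-GPG-KEY`, so the host evidently serves TLS; with only `gpgcheck=1` the packages are verified but the repodata is not, so metadata fed into the build roots can be altered or held back in transit. Use `baseurl=https://rpms.lapiole.org/el7/` (and `el8/`), and add `repo_gpgcheck=1` if the watcher signs repomd.xml — I cannot tell from this chunk whether it does; the rpmfusion `baseurl` has the same http/https split. Separately, `rpms.lapiole.org` and the `.dbd` dist tag are hard-coded here while site-defaults.cfg.j2 takes `rpm_packager` from a variable, so role variables for the repository URL and dist tag would keep the role reusable, and a comment such as `# Site repository: packages built by this server, signed with the key exported to repo/RPM-GPG-KEY` would tell a reader what `[dbd]` is.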
diff --git a/roles/rpm_build_server/templates/mock/site-defaults.cfg.j2 b/roles/rpm_build_server/templates/mock/site-defaults.cfg.j2
new file mode 100644
index 0000000..617714f
--- /dev/null
+++ b/roles/rpm_build_server/templates/mock/site-defaults.cfg.j2
@@ -0,0 +1,17 @@
+{% if system_proxy is defined and system_proxy != '' %}
+config_opts['environment']['http_proxy'] = '{{ system_proxy }}'
+config_opts['environment']['https_proxy'] = '{{ system_proxy }}'
+{% endif %}
+config_opts['createrepo_on_rpms'] = False
+config_opts['cleanup_on_failure'] = 1
+config_opts['cleanup_on_success'] = 1
+config_opts['use_bootstrap_image'] = True
+config_opts['plugin_conf']['root_cache_opts']['compress_program'] = "zstd"
+config_opts['plugin_conf']['root_cache_opts']['extension'] = ".zst"
+config_opts['rpmbuild_networking'] = True
+config_opts['macros']['%distribution'] = "{{ rpm_packager }}"
+config_opts['macros']['%packager'] = "{{ rpm_packager }}"
+config_opts['macros']['%vendor'] = "{{ rpm_packager }}"
+config_opts['basedir'] = '{{ rpm_root_dir }}/mock'
+config_opts['cache_topdir'] = '{{ rpm_root_dir }}/cache/mock'
+
diff --git a/roles/rpm_build_server/templates/perms.sh.j2 b/roles/rpm_build_server/templates/perms.sh.j2
new file mode 100644
index 0000000..6d4e6ec
--- /dev/null
+++ b/roles/rpm_build_server/templates/perms.sh.j2
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -eo pipefail
+
+chown -R {{ rpm_user }} {{ rpm_root_dir }}
+chmod 770 {{ rpm_root_dir }}
+setfacl -b -k -R {{ rpm_root_dir }}
+setfacl -m g:{{ rpm_build_group }}:rX {{ rpm_root_dir }}
+setfacl -R -m g:{{ rpm_build_group }}:rwX,d:g:{{ rpm_build_group }}:rwX {{ rpm_root_dir }}/uploads {{ rpm_root_dir }}/builds {{ rpm_root_dir }}/repo
diff --git a/roles/rpm_build_server/templates/rpmmacros.j2 b/roles/rpm_build_server/templates/rpmmacros.j2
new file mode 100644
index 0000000..f17deaf
--- /dev/null
+++ b/roles/rpm_build_server/templates/rpmmacros.j2
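Review bot: `config_opts['rpmbuild_networking'] = True` gives every build network access, so a spec can fetch arbitrary content at build time and the resulting packages are no longer reproducible from their sources alone; the file gives no reason for it. If specific packages need it, a comment above the line naming them and a TODO to move the setting into the per-target config or a role variable would document the trade-off; otherwise set it to `False`, which is mock's default.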
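Review bot: The last `setfacl` grants `{{ rpm_build_group }}` `rwX` (plus a matching default ACL) on `{{ rpm_root_dir }}/repo`, which per config.yml.j2 is the directory the watcher publishes into and presumably what the mock configs consume as `baseurl`; every member of the group can therefore add, replace or delete published RPMs and repodata without going through the watcher or the signing key. If only `{{ rpm_user }}` is meant to publish, keep that line to `uploads` and `builds` and give the group read access to `repo` only, e.g. `setfacl -R -m g:{{ rpm_build_group }}:rX,d:g:{{ rpm_build_group }}:rX {{ rpm_root_dir }}/repo`. If builders are intended to curate the repo directly, a comment stating that would stop the next reader from "fixing" it. The variables are also unquoted throughout, so a `rpm_root_dir` containing whitespace would split into several arguments; `"{{ rpm_root_dir }}"` is cheap insurance.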
@@ -0,0 +1,3 @@
+%_signature gpg
+%_gpg_name {{ rpm_gpg_name }}
+%__gpg_sign_cmd %{__gpg} gpg --no-verbose --no-armor --batch --pinentry-mode loopback --passphrase '{{ (rpm_gpg_pass is defined) | ternary(rpm_gpg_pass, '') }}' --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}
diff --git a/roles/rpm_build_server/vars/RedHat-8.yml b/roles/rpm_build_server/vars/RedHat-8.yml
new file mode 100644
index 0000000..411d4b9
--- /dev/null
+++ b/roles/rpm_build_server/vars/RedHat-8.yml
@@ -0,0 +1,18 @@
+---
+
+rpm_packages:
+ - podman
+ - mock
+ - inotify-tools
+ - zstd
+ - rsync
+ - yum-utils
+ - rpm-sign
+ - perl-Linux-Inotify2
+ - perl-YAML-Tiny
+ - perl-AnyEvent
+ - perl-RPM2
+ - perl-Time-HiRes
+ - perl-Email-MIME
+ - perl-Email-Sender
+ - perl-LDAP
diff --git a/roles/unmaintained/wbo/defaults/main.yml b/roles/unmaintained/wbo/defaults/main.yml
deleted file mode 100644
index 6c3ea9e..0000000
--- a/roles/unmaintained/wbo/defaults/main.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-
-wbo_id: 1
-wbo_port: 8095
-wbo_src_ip: []
-wbo_root_dir: /opt/wbo_{{ wbo_id }}
-wbo_git_url: https://github.com/lovasoa/whitebophir.git
-
diff --git a/roles/wbo/defaults/main.yml b/roles/wbo/defaults/main.yml
new file mode 100644
index 0000000..c4dbab7
--- /dev/null
+++ b/roles/wbo/defaults/main.yml
@@ -0,0 +1,13 @@
+---
+
+# Several WBO instances can be installed on the same server
+# but should have a uniq ID and bind port
+wbo_id: 1
+wbo_port: 8095
+# List of IP/CIDR having access to WBO port (if iptables_manage == True)
+wbo_src_ip: []
+# Root dir where WBO will be installed
+wbo_root_dir: /opt/wbo_{{ wbo_id }}
+# URL of the git repo
+wbo_git_url: https://github.com/lovasoa/whitebophir.git
+
diff --git a/roles/unmaintained/wbo/handlers/main.yml b/roles/wbo/handlers/main.yml
similarity index 100%
rename from roles/unmaintained/wbo/handlers/main.yml
rename to roles/wbo/handlers/main.yml
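Review bot: `--passphrase '{{ ... }}'` places the signing passphrase on the gpg command line, so for the duration of every signature it is readable by any local account through `ps` or `/proc/<pid>/cmdline`, which undoes the `mode=600` conf.yml puts on .rpmmacros; a `'` inside `rpm_gpg_pass` also terminates the quoted argument, because the value is pasted in unescaped. Writing the passphrase to a 0600 file owned by `{{ rpm_user }}` under `{{ rpm_root_dir }}` (path of your choosing) and using `--passphrase-file <that file>` keeps it out of argv, and the "Generate main key"/"Add sub key" tasks in conf.yml, which have the same exposure, could read the same file. If the argument must stay inline, `--passphrase {{ rpm_gpg_pass | default('') | quote }}` at least escapes the quote, assuming rpm's splitting of `%__gpg_sign_cmd` honours shell-style quoting — worth a test with a passphrase that contains `'`.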
diff --git a/roles/unmaintained/wbo/meta/main.yml b/roles/wbo/meta/main.yml similarity index 100% rename from roles/unmaintained/wbo/meta/main.yml rename to roles/wbo/meta/main.yml diff --git a/roles/wbo/tasks/directory.yml b/roles/wbo/tasks/directory.yml new file mode 100644 index 0000000..44d8fbd --- /dev/null +++ b/roles/wbo/tasks/directory.yml @@ -0,0 +1,8 @@ +--- + +- name: Create needed directories + file: path={{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | dedfault(omit) }} + loop: + - dir: "{{ wbo_root_dir }}" + owner: wbo_{{ wbo_id }} + tags: wbo diff --git a/roles/unmaintained/wbo/tasks/main.yml b/roles/wbo/tasks/install.yml similarity index 50% rename from roles/unmaintained/wbo/tasks/main.yml rename to roles/wbo/tasks/install.yml index 3fd836a..7020389 100644 --- a/roles/unmaintained/wbo/tasks/main.yml +++ b/roles/wbo/tasks/install.yml @@ -7,26 +7,20 @@ - git tags: wbo -- import_tasks: ../includes/create_system_user.yml - vars: - - user: wbo_{{ wbo_id }} - - home: "{{ wbo_root_dir }}" - - comment: "Online collaborative Whiteboard {{ wbo_id }}" - tags: wbo - - name: Clone wbo repo git: repo: "{{ wbo_git_url }}" dest: "{{ wbo_root_dir }}/app" force: True notify: restart wbo + become_user: wbo_{{ wbo_id }} register: wbo_git tags: wbo - name: Install wbo - command: npm i - args: - chdir: "{{ wbo_root_dir }}/app" + npm: + path: "{{ wbo_root_dir }}/app" + become_user: wbo_{{ wbo_id }} when: wbo_git.changed tags: wbo @@ -44,14 +38,3 @@ when: wbo_unit.changed tags: wbo -- name: Handle wbo port - iptables_raw: - name: wbo_port_{{ wbo_id }} - state: "{{ (wbo_src_ip | length > 0) | ternary('present','absent') }}" - rules: "-A INPUT -m state --state NEW -p tcp --dport {{ wbo_port }} -s {{ wbo_src_ip | join(',') }} -j ACCEPT" - when: iptables_manage | default(True) - tags: wbo - -- name: Start and enable wbo daemon - service: name=wbo-{{ wbo_id }} state=started enabled=True - tags: wbo 
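Review bot: `mode={{ item.mode | dedfault(omit) }}` misspells the `default` filter, so templating fails with "No filter named 'dedfault'" and the "Create needed directories" task aborts on every run before anything is created; it should be `mode={{ item.mode | default(omit) }}`. While there, the single loop item only sets `owner`, so `group` and `mode` are always omitted, and block style for the `file:` arguments — as the other tasks in this patch use for `user:` and `git:` — would make the line readable enough for such a typo to be noticed.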
diff --git a/roles/wbo/tasks/iptables.yml b/roles/wbo/tasks/iptables.yml
new file mode 100644
index 0000000..3c27ed4
--- /dev/null
+++ b/roles/wbo/tasks/iptables.yml
@@ -0,0 +1,8 @@
+---
+
+- name: Handle wbo port
+ iptables_raw:
+ name: wbo_port_{{ wbo_id }}
+ state: "{{ (wbo_src_ip | length > 0) | ternary('present','absent') }}"
+ rules: "-A INPUT -m state --state NEW -p tcp --dport {{ wbo_port }} -s {{ wbo_src_ip | join(',') }} -j ACCEPT"
+ tags: wbo
diff --git a/roles/wbo/tasks/main.yml b/roles/wbo/tasks/main.yml
new file mode 100644
index 0000000..ab1822c
--- /dev/null
+++ b/roles/wbo/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+
+- include: user.yml
+- include: install.yml
+- include: iptables.yml
+ when: iptables_manage | default(True)
+- include: services.yml
+
diff --git a/roles/wbo/tasks/services.yml b/roles/wbo/tasks/services.yml
new file mode 100644
index 0000000..f9b6638
--- /dev/null
+++ b/roles/wbo/tasks/services.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Start and enable wbo daemon
+ service: name=wbo-{{ wbo_id }} state=started enabled=True
+ tags: wbo
+
diff --git a/roles/wbo/tasks/user.yml b/roles/wbo/tasks/user.yml
new file mode 100644
index 0000000..caa913d
--- /dev/null
+++ b/roles/wbo/tasks/user.yml
@@ -0,0 +1,8 @@
+---
+
+- import_tasks: ../includes/create_system_user.yml
+ vars:
+ - user: wbo_{{ wbo_id }}
+ - home: "{{ wbo_root_dir }}"
+ - comment: "Online collaborative Whiteboard {{ wbo_id }}"
+ tags: wbo
diff --git a/roles/unmaintained/wbo/templates/wbo.service.j2 b/roles/wbo/templates/wbo.service.j2
similarity index 100%
rename from roles/unmaintained/wbo/templates/wbo.service.j2
rename to roles/wbo/templates/wbo.service.j2
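Review bot: user.yml passes `vars:` to `import_tasks` as a list of one-key mappings; Ansible accepts this form but, as far as I recall, warns that a list of dictionaries for `vars` is deprecated in favour of a single mapping, so writing `vars:` with `user: wbo_{{ wbo_id }}`, `home: "{{ wbo_root_dir }}"` and `comment: "Online collaborative Whiteboard {{ wbo_id }}"` as one mapping avoids a future breakage. The lines are carried over from the old tasks/main.yml rather than introduced here, but the rename is a good moment to fix them. In iptables.yml the `when: iptables_manage | default(True)` guard now lives on the include in main.yml; a comment above the task, `# Only included when iptables_manage is true (see main.yml)`, keeps that visible to someone reading this file on its own.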