63 files changed, 716 insertions, 343 deletions
@@ -1,11 +1,9 @@
 install:
- mkdir -p "${DESTDIR}/usr/share/gitano/skel"
- cp -a gitano-admin "${DESTDIR}/usr/share/gitano/skel"
+ mkdir -p "${DESTDIR}/usr/lib/trove-setup/ansible"
+ cp -r ansible/* "${DESTDIR}/usr/lib/trove-setup/ansible"
 mkdir -p "${DESTDIR}/usr/lib/systemd/system/multi-user.target.wants"
 cp units/* "${DESTDIR}/usr/lib/systemd/system"
- for I in $$(cd units; ls); do \
- ln -sf ../$$I "${DESTDIR}/usr/lib/systemd/system/multi-user.target.wants/$$I"; \
- done
+ ln -sf ../trove-setup.service "${DESTDIR}/usr/lib/systemd/system/multi-user.target.wants/trove-setup.service"
 cp -r etc "${DESTDIR}"
 mkdir -p "${DESTDIR}/var/www/htdocs"
 cp http-assets/* "${DESTDIR}/var/www/htdocs"
@@ -14,10 +12,6 @@ install:
 ln -s /home/lorry/tarballs "${DESTDIR}/var/www/htdocs/tarballs"
 ln -s /home/lorry/lc-status.html "${DESTDIR}/var/www/htdocs/lc-status.html"
 ln -s /usr/share/lorry-controller/static/ "${DESTDIR}/var/www/htdocs/lc-static"
- mkdir -p "${DESTDIR}/usr/bin"
- cp bins/* "${DESTDIR}/usr/bin/"
- mkdir -p "${DESTDIR}/usr/libexec"
- cp libexecs/* "${DESTDIR}/usr/libexec/"
 mkdir -p "${DESTDIR}/usr/share/trove-setup"
 cp -r share/* "${DESTDIR}/usr/share/trove-setup/"
diff --git a/ansible/hosts b/ansible/hosts
new file mode 100644
index 0000000..5b97818
--- /dev/null
+++ b/ansible/hosts
@@ -0,0 +1 @@
+localhost ansible_connection=local
diff --git a/ansible/roles/trove-setup/tasks/backups.yml b/ansible/roles/trove-setup/tasks/backups.yml
new file mode 100644
index 0000000..65a1466
--- /dev/null
+++ b/ansible/roles/trove-setup/tasks/backups.yml
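Review bot: The second hunk drops the `cp bins/*` and `cp libexecs/*` install steps, but `ansible/roles/trove-setup/tasks/lorry-controller-setup.yml`, added in this same commit, still executes `/usr/libexec/remove-lorry-controller-from-lorry-crontab`, so on a fresh install that migration task will fail unless the script is now shipped by something else (not visible here). Either keep `mkdir -p "${DESTDIR}/usr/libexec"` and `cp libexecs/* "${DESTDIR}/usr/libexec/"` for that one script, or move the crontab-removal logic into the playbook. It is also worth a comment above the new `ln -sf ../trove-setup.service` line that only this unit is enabled at install time and every other file copied from `units/*` is enabled later by the playbook's `service: enabled=yes` tasks, since the old loop used to enable them all.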
@@ -0,0 +1,16 @@
+# Depends on:
+# - check.yml
+---
+- name: Create the backups user if TROVE_BACKUP_KEYS is defined
+ user: name=backup comment="Backup user" shell=/bin/sh home=/root/backup-user-home group=root uid=0 non_unique=yes
+ when: TROVE_BACKUP_KEYS is defined
+
+- name: Creates the .ssh directory to the backups user if TROVE_BACKUP_KEYS is defined
+ file: path=/root/backup-user-home/.ssh state=directory
+ when: TROVE_BACKUP_KEYS is defined
+
+- name: Copy the TROVE_BACKUP_KEYS if defined to authorized_keys of the backup user
+ shell: |
+ cat {{ TROVE_BACKUP_KEYS }} >> /root/backup-user-home/.ssh/authorized_keys
+ creates=/root/backup-user-home/.ssh/authorized_keys
+ when: TROVE_BACKUP_KEYS is defined
diff --git a/ansible/roles/trove-setup/tasks/cache-setup.yml b/ansible/roles/trove-setup/tasks/cache-setup.yml
new file mode 100644
index 0000000..162dacc
--- /dev/null
+++ b/ansible/roles/trove-setup/tasks/cache-setup.yml
@@ -0,0 +1,19 @@
+# Depends on:
+# - users.yml
+---
+- name: Create artifacts and ccache folder for the cache user
+ file: path=/home/cache/{{ item }} state=directory owner=cache group=cache
+ with_items:
+ - artifacts
+ - ccache
+- name: Create /etc/exports.d folder
+ file: path=/etc/exports.d state=directory
+- name: Create /etc/exports.d/cache.exports
+ shell: |
+ echo '/home/cache/ccache *(rw,all_squash,no_subtree_check,anonuid=1002,anongid=1002)' > /etc/exports.d/cache.exports
+ creates=/etc/exports.d/cache.exports
+ register: cache_exports
+
+- name: Update nfs exports
+ shell: exportfs -av
+ when: cache_exports|changed
diff --git a/ansible/roles/trove-setup/tasks/check.yml b/ansible/roles/trove-setup/tasks/check.yml
new file mode 100644
index 0000000..d873030
--- /dev/null
+++ b/ansible/roles/trove-setup/tasks/check.yml
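Review bot: `backups.yml` creates a second uid-0 account whose only authentication is whatever public keys are in `TROVE_BACKUP_KEYS`, with no `command=`/`no-pty` restriction on those keys and no `mode` on `/root/backup-user-home/.ssh` or on the appended `authorized_keys` (both just inherit the umask). Since this is effectively unrestricted root over SSH, at minimum lock the key material down: `file: path=/root/backup-user-home/.ssh state=directory mode=0700` and a follow-up `file: path=/root/backup-user-home/.ssh/authorized_keys mode=0600`; better still, prefix each key with a forced command limited to the backup tool (`command="…",no-pty,no-port-forwarding,no-agent-forwarding`) when building `authorized_keys`. The `cat {{ TROVE_BACKUP_KEYS }}` is also the one place a config path reaches the shell unquoted; `cat {{ TROVE_BACKUP_KEYS|quote }}` matches the convention used in `check.yml`.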
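Review bot: The export written to `/etc/exports.d/cache.exports` is `*(rw,all_squash,…)`, i.e. read-write for any host that can reach the NFS port, and it hard-codes `anonuid=1002,anongid=1002` even though `users.yml` creates the `cache` account without pinning a uid, so nothing guarantees 1002 is actually `cache`. Restrict the client list to the build network (or expose it as a variable such as `{{ TROVE_CACHE_NFS_CLIENTS|default('*') }}` so the default is at least visible in `trove.conf`) and derive the ids from the account, for example by registering `id -u cache` and `id -g cache` and substituting them into the export line. The `creates=` guard also means a later change to the export line never reaches an existing file; writing it with `copy: content=…` or `lineinfile` would be idempotent and still let `cache_exports|changed` drive `exportfs -av`.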
@@ -0,0 +1,73 @@ +--- +- fail: msg='TROVE_ID is mandatory' + when: TROVE_ID is not defined + +- fail: msg='TROVE_COMPANY is mandatory' + when: TROVE_COMPANY is not defined + +- fail: msg='TROVE_ADMIN_USER is mandatory' + when: TROVE_ADMIN_USER is not defined + +- fail: msg='TROVE_ADMIN_EMAIL is mandatory' + when: TROVE_ADMIN_EMAIL is not defined + +- fail: msg='TROVE_ADMIN_NAME is mandatory' + when: TROVE_ADMIN_NAME is not defined + +- fail: msg='LORRY_SSH_KEY is mandatory' + when: LORRY_SSH_KEY is not defined + +- fail: msg='LORRY_SSH_PUBKEY is mandatory' + when: LORRY_SSH_PUBKEY is not defined + +- fail: msg='TROVE_ADMIN_SSH_PUBKEY is mandatory' + when: TROVE_ADMIN_SSH_PUBKEY is not defined + +- fail: msg='WORKER_SSH_PUBKEY is mandatory' + when: WORKER_SSH_PUBKEY is not defined + +- fail: msg='UPSTREAM_TROVE is mandatory' + when: UPSTREAM_TROVE is not defined + +- set_fact: TROVE_HOSTNAME={{ TROVE_ID }} + when: TROVE_HOSTNAME is not defined + +- set_fact: LORRY_CONTROLLER_MINIONS=4 + when: LORRY_CONTROLLER_MINIONS is not defined + +- set_fact: MASON_ID='' + when: MASON_ID is not defined + +- set_fact: MASON_PORT='18755' + when: MASON_PORT is not defined + +- name: Calculate ESC_PREFIX + shell: echo -n {{ TROVE_ID|quote }} | perl -pe 's/([-+\(\).%*?^$\[\]])/%$1/g' + register: var_esc_prefix + changed_when: False + +- set_fact: ESC_PREFIX={{ var_esc_prefix.stdout }} + +- set_fact: ESC_PERSONAL_PREFIX='people' + +- set_fact: PEOPLE_COMMENT='#' + +- name: Check if the ssh keys are valid + shell: ssh-keygen -l -f {{ item }} + with_items: + - '{{ TROVE_ADMIN_SSH_PUBKEY }}' + - '{{ LORRY_SSH_PUBKEY }}' + - '{{ WORKER_SSH_PUBKEY }}' + changed_when: False + +- name: Check if the ssh keys are unique + shell: | + cat {{ TROVE_ADMIN_SSH_PUBKEY|quote}} \ + {{ LORRY_SSH_PUBKEY|quote }} \ + {{ WORKER_SSH_PUBKEY|quote }} \ + | cut -d ' ' -f 1,2 | sort -u | wc -l + changed_when: False + register: number_ssh_keys + +- fail: msg="The ssh keys MUST be different" + when: 
number_ssh_keys.stdout != '3' diff --git a/ansible/roles/trove-setup/tasks/git.yml b/ansible/roles/trove-setup/tasks/git.yml new file mode 100644 index 0000000..2e6b1fa --- /dev/null +++ b/ansible/roles/trove-setup/tasks/git.yml @@ -0,0 +1,8 @@ +# Depends on: +# - users.yml +--- +- name: Configure Git user.name and usr.email + shell: | + su git -c 'git config --global user.name "Trove Git Controller"' + su git -c 'git config --global user.email "git@trove"' + creates=/home/git/.gitconfig diff --git a/ansible/roles/trove-setup/tasks/gitano-admin-setup.yml b/ansible/roles/trove-setup/tasks/gitano-admin-setup.yml new file mode 100644 index 0000000..c4c3eb2 --- /dev/null +++ b/ansible/roles/trove-setup/tasks/gitano-admin-setup.yml 
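Review bot: In the `Check if the ssh keys are valid` task `ssh-keygen -l -f {{ item }}` interpolates each key path into the shell unquoted, while the very next task quotes the same three variables with `|quote`; a path from `/etc/trove/trove.conf` containing spaces or shell metacharacters would therefore break (or execute) here rather than be validated. Use `ssh-keygen -l -f {{ item|quote }}` for consistency. Separately, `echo -n` in the `Calculate ESC_PREFIX` task is not portable (`dash`'s builtin `echo` prints the `-n` literally, which would end up in `ESC_PREFIX`); `printf '%s' {{ TROVE_ID|quote }}` avoids that.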
@@ -0,0 +1,39 @@ +# Depends on: +# - gitano-setup.yml +--- +- name: Check if the admin user is configured in gitano (This task can fail) + shell: su git -c 'ssh git@localhost user' | grep '^'{{ TROVE_ADMIN_USER|regex_replace('(\\W)', '\\\\\\1')|quote}}':' + register: gitano_admin_user + changed_when: False + ignore_errors: True +# If the admin user doesn't exist +- name: Create the admin user + shell: su git -c 'ssh git@localhost user add '{{ TROVE_ADMIN_USER|quote|quote|quote}}' '{{ TROVE_ADMIN_EMAIL|quote|quote|quote }}' '{{ TROVE_ADMIN_NAME|quote|quote|quote }} + when: gitano_admin_user|failed + +- name: Check if admin user is in trove-admin group in gitano (This task can fail) + shell: su git -c 'ssh git@localhost as '{{ TROVE_ADMIN_USER|quote|quote|quote }}' whoami' | grep 'trove-admin. Trove-local administration' + register: gitano_admin_group + changed_when: False + ignore_errors: True +# If the admin user is not in the trove-admin group +- name: Add the admin user to the trove-admin group in gitano + shell: su git -c 'ssh git@localhost group adduser trove-admin '{{ TROVE_ADMIN_USER|quote|quote|quote }} + when: gitano_admin_group|failed + +- name: Check if admin user has a sshkey configured in gitano (This task can fail) + shell: su git -c 'ssh git@localhost as '{{ TROVE_ADMIN_USER|quote|quote|quote }}' sshkey' 2>&1 | grep WARNING + register: gitano_admin_key + changed_when: False + ignore_errors: True +# If admin user doesn't have an sshkey configured +- name: Create /home/git/keys/ to store sshkeys + file: path=/home/git/keys state=directory owner=git group=git + when: gitano_admin_key|success +- name: Copy the TROVE_ADMIN_SSH_PUBKEY to /home/git/keys/admin.key.pub + copy: src={{ TROVE_ADMIN_SSH_PUBKEY }} dest=/home/git/keys/admin.key.pub mode=0644 + when: gitano_admin_key|success + +- name: Add /home/git/keys/admin.key.pub ssh key to the admin user in gitano. 
+ shell: su git -c 'ssh git@localhost as '{{ TROVE_ADMIN_USER|quote|quote|quote}}' sshkey add default < /home/git/keys/admin.key.pub' + when: gitano_admin_key|success diff --git a/ansible/roles/trove-setup/tasks/gitano-lorry-setup.yml b/ansible/roles/trove-setup/tasks/gitano-lorry-setup.yml new file mode 100644 index 0000000..d52927a --- /dev/null +++ b/ansible/roles/trove-setup/tasks/gitano-lorry-setup.yml @@ -0,0 +1,18 @@ +# Depends on: +# - gitano-setup.yml +--- +- name: Check if lorry has a sshkey configured in gitano (This task can fail) + shell: su git -c 'ssh git@localhost as lorry sshkey' 2>&1 | grep WARNING + register: gitano_lorry_key + changed_when: False + ignore_errors: True +# If lorry user doesn't have an sshkey configured +- name: Create /home/git/keys folder to store ssh keys + file: path=/home/git/keys state=directory owner=git group=git + when: gitano_lorry_key|success +- name: Copy LORRY_SSH_PUBKEY to /home/git/keys/lorry.key.pub + copy: src={{ LORRY_SSH_PUBKEY }} dest=/home/git/keys/lorry.key.pub mode=0644 + when: gitano_lorry_key|success +- name: Add to the gitano lorry user the /home/git/keys/lorry.key.pub + shell: su git -c 'ssh git@localhost as lorry sshkey add trove < /home/git/keys/lorry.key.pub' + when: gitano_lorry_key|success diff --git a/ansible/roles/trove-setup/tasks/gitano-mason-setup.yml b/ansible/roles/trove-setup/tasks/gitano-mason-setup.yml new file mode 100644 index 0000000..8439078 --- /dev/null +++ b/ansible/roles/trove-setup/tasks/gitano-mason-setup.yml 
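Review bot: The `Check if admin user has a sshkey configured` probe decides a key is needed by grepping `WARNING` in the combined output of `ssh git@localhost as … sshkey`, with `ignore_errors` set; because the task's exit status is grep's, a failure of the ssh connection itself (refused connection, host-key prompt, gitano not yet answering) produces no `WARNING`, `gitano_admin_key|success` is false, and the three follow-up tasks silently skip — the play ends green with no admin key installed. The user and group probes above use the same shape. Run the `ssh` command on its own (no pipe, no `ignore_errors`) and register it, then gate the follow-ups with `when: "'WARNING' in gitano_admin_key.stdout"`, so a transport failure fails the play instead of being mistaken for "key already present".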
@@ -0,0 +1,16 @@ +# Depends on: +# - gitano-setup.yml +--- +- name: Check if mason has a sshkey configured in gitano (This task can fail) + shell: su git -c 'ssh git@localhost as mason sshkey' 2>&1 | grep WARNING + register: gitano_mason_key + changed_when: False + ignore_errors: True + +# If distbuild user doesn't have an sshkey configured +- file: path=/home/git/keys state=directory owner=git group=git + when: gitano_mason_key|success +- copy: src={{ MASON_SSH_PUBKEY }} dest=/home/git/keys/mason.key.pub mode=0644 + when: gitano_mason_key|success +- shell: su git -c 'ssh git@localhost as mason sshkey add trove < /home/git/keys/mason.key.pub' + when: gitano_mason_key|success diff --git a/ansible/roles/trove-setup/tasks/gitano-setup.yml b/ansible/roles/trove-setup/tasks/gitano-setup.yml new file mode 100644 index 0000000..0fd3ba5 --- /dev/null +++ b/ansible/roles/trove-setup/tasks/gitano-setup.yml 
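Review bot: `gitano-mason-setup.yml` is never included: the `main.yml` added in this commit lists `gitano-worker-setup.yml`, `gitano-lorry-setup.yml` and `gitano-admin-setup.yml` but not this file, and `MASON_SSH_PUBKEY` is neither declared mandatory nor run through the `ssh-keygen -l` validation in `check.yml`, so wiring it in later would fail at the `copy:` on an undefined variable. Either add `- include: gitano-mason-setup.yml` to `main.yml` together with a `when: MASON_SSH_PUBKEY is defined` guard on these tasks, or drop the file until it is needed. The three unnamed tasks here would also read better with `name:` lines like the sibling worker/lorry files.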
@@ -0,0 +1,45 @@ +# Depends on: +# - git.yml +--- +# Before configuring Gitano, it's necessary to modify the placeholders +# of the skeleton template of Gitano with the values of /etc/trove/trove.conf. +# Ansible does not provide an efficient way to do this. Its template module +# is not able to run recursively over directories, and is not able to create +# the directories needed. +# +# The solution implemented consists in create the directories first and then +# using the template module in all the files. This could be possible to +# implement using the 'with_lines' option combinated with the 'find' command. +# +# Create the directories +- name: Create the directories needed for the Gitano skeleton. + file: path=/etc/{{ item }} state=directory + with_lines: + - (cd /usr/share/trove-setup && find gitano -type d) +# Copy all the files to the right place and fill the templates whenever possible +- name: Create the Gitano skeleton using the templates + template: src=/usr/share/trove-setup/{{ item }} dest=/etc/{{ item }} + with_lines: + - (cd /usr/share/trove-setup && find gitano -type f) + +# Configure gitano +- name: Configure Gitano with /etc/gitano-setup.clod + shell: | + su git -c 'gitano-setup /etc/gitano-setup.clod' + creates=/home/git/repos/gitano-admin.git + +- name: Unlock the password of the git user (This task can fail) + shell: busybox passwd -u git + register: passwd_result + changed_when: passwd_result|success + ignore_errors: True + +# Now that /home/git/repos exists, we can enable the git-daemon service +- name: Enable the git-daemon.service + service: name=git-daemon.service enabled=yes + register: git_daemon_service + +# Now we can start the service without rebooting the system +- name: Restart git-daemon.service + service: name=git-daemon state=restarted + when: git_daemon_service|changed 
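Review bot: `busybox passwd -u git` unlocks an account that `users.yml` created without a password; with busybox, `-u` only strips the leading `!` from the shadow field, so if that field is `!` alone the result is an empty password and local `su git`/console login would need no password at all — worth confirming on the target image before relying on this. If the intent is merely to stop sshd treating the account as locked for key logins, set a non-matching hash instead of unlocking (a shadow field of `*`, e.g. `user: name=git password='*'` where `usermod` is available), and say so in a comment above the task, since the current one only says "This task can fail". The `ignore_errors: True` plus `changed_when: passwd_result|success` pairing also hides a genuine failure of that step.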
diff --git a/ansible/roles/trove-setup/tasks/gitano-worker-setup.yml b/ansible/roles/trove-setup/tasks/gitano-worker-setup.yml new file mode 100644 index 0000000..e0510e4 --- /dev/null +++ b/ansible/roles/trove-setup/tasks/gitano-worker-setup.yml @@ -0,0 +1,18 @@ +# Depends on: +# - gitano-setup.yml +--- +- name: Check if worker has a sshkey configured in gitano (This task can fail) + shell: su git -c 'ssh git@localhost as distbuild sshkey' 2>&1 | grep WARNING + register: gitano_worker_key + changed_when: False + ignore_errors: True +# If distbuild user doesn't have an sshkey configured +- name: Create /home/git/keys/ to store ssh keys + file: path=/home/git/keys state=directory owner=git group=git + when: gitano_worker_key|success +- name: Copy WORKER_SSH_PUBKEY to /home/git/keys/worker.key.pub + copy: src={{ WORKER_SSH_PUBKEY }} dest=/home/git/keys/worker.key.pub mode=0644 + when: gitano_worker_key|success +- name: Add /home/git/keys/worker.key.pub to the distbuild user in Gitano + shell: su git -c 'ssh git@localhost as distbuild sshkey add trove < /home/git/keys/worker.key.pub' + when: gitano_worker_key|success diff --git a/ansible/roles/trove-setup/tasks/hostname.yml b/ansible/roles/trove-setup/tasks/hostname.yml new file mode 100644 index 0000000..f4a11e2 --- /dev/null +++ b/ansible/roles/trove-setup/tasks/hostname.yml 
@@ -0,0 +1,26 @@ +# Depends on: +# - check.yml +--- +- name: Check the /etc/hostname and compare it with HOSTNAME (This task can fail) + shell: su -c '[ "$(cat /etc/hostname)" == '{{ HOSTNAME|quote|quote }}' ]' + register: hostname_file + ignore_errors: True + changed_when: False + when: HOSTNAME is defined + +# If /etc/hostname doesn't match with HOSTNAME +- name: Rewrite /etc/hostname with HOSTNAME + shell: echo {{ HOSTNAME|quote }} > /etc/hostname + when: hostname_file|failed + +- name: Check the actual hostname with `hostname` and compare it with HOSTNAME (This task can fail) + shell: sh -c '[ "$(hostname)" == '{{ HOSTNAME|quote|quote }}' ]' + register: actual_hostname + ignore_errors: True + changed_when: False + when: HOSTNAME is defined + +# If `hostname` doesn't match with HOSTNAME +- name: Change the hostname to HOSTNAME + shell: hostname {{ HOSTNAME|quote }} + when: actual_hostname|failed diff --git a/ansible/roles/trove-setup/tasks/known-hosts-setup.yml b/ansible/roles/trove-setup/tasks/known-hosts-setup.yml new file mode 100644 index 0000000..6e988e0 --- /dev/null +++ b/ansible/roles/trove-setup/tasks/known-hosts-setup.yml @@ -0,0 +1,7 @@ +# Depends on: +# - check.yml +--- +- name: Add localhost and UPSTREAM_TROVE to /etc/ssh/ssh_known_hosts + shell: | + ssh-keyscan localhost {{ UPSTREAM_TROVE|quote }} > /etc/ssh/ssh_known_hosts + creates=/etc/ssh/ssh_known_hosts diff --git a/ansible/roles/trove-setup/tasks/lighttpd.yml b/ansible/roles/trove-setup/tasks/lighttpd.yml new file mode 100644 index 0000000..7a530e7 --- /dev/null +++ b/ansible/roles/trove-setup/tasks/lighttpd.yml 
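Review bot: `ssh-keyscan localhost {{ UPSTREAM_TROVE|quote }} > /etc/ssh/ssh_known_hosts` pins whatever host key the upstream presents on first run, system-wide and permanently (the `creates=` guard means it is never re-checked), so anyone on the path during initial setup gets a trusted key for every later `lorry`/`git` connection to the upstream. Let the operator supply the upstream's key out of band — for instance an optional `UPSTREAM_TROVE_HOSTKEY` variable written with `lineinfile`, falling back to `ssh-keyscan` only when it is absent — and at least print the resulting fingerprints (`ssh-keygen -lf /etc/ssh/ssh_known_hosts`) so they can be verified against the upstream. Note also that `>` replaces any pre-existing entries should the guard ever be dropped; `>>` is the safer operator here.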
@@ -0,0 +1,42 @@ +--- +- name: Create /etc/lighttpd/certs directory + file: path=/etc/lighttpd/certs state=directory +- name: Create certificates for lighttpd in /etc/lighttpd/certs/lighttpd.pem + shell: | + yes '' | openssl req -new -x509 \ + -keyout /etc/lighttpd/certs/lighttpd.pem \ + -out /etc/lighttpd/certs/lighttpd.pem -days 36525 -nodes + creates=/etc/lighttpd/certs/lighttpd.pem + register: lighttpd_certs +- name: Create /var/run/lighttpd for cache user + file: path=/var/run/lighttpd state=directory owner=cache group=cache + register: lighttpd_folder + +# Now that the lighttpd certificates and the /var/run/lighttpd exist, we can +# enable the lighttpd-git service +- name: Enable lighttpd-git service + service: name=lighttpd-git.service enabled=yes + register: lighttpd_git_service + +# Now we can start the service without rebooting the system +- name: Restart the lighttpd-git service + service: name=lighttpd-git state=restarted + when: lighttpd_git_service|changed + +# Once the service lighttpd-git is running it's possible to do the same +# with the following services: +# - lighttpd-morph-cache +# - lighttpd-lorry-controller-webapp +- name: Enable lighttpd-morph-cache service + service: name=lighttpd-morph-cache.service enabled=yes + register: lighttpd_morph_cache_service +- name: Restart the lighttpd-morph-cache service + service: name=lighttpd-morph-cache state=restarted + when: lighttpd_morph_cache_service|changed + +- name: Enable the lighttpd-lorry-controller-webapp service + service: name=lighttpd-lorry-controller-webapp.service enabled=yes + register: lighttpd_lorry_controller_webapp_service +- name: Restart the lighttpd-lorry-controller-webapp service + service: name=lighttpd-lorry-controller-webapp state=restarted + when: lighttpd_lorry_controller_webapp_service|changed diff --git a/ansible/roles/trove-setup/tasks/lorry-controller-setup.yml b/ansible/roles/trove-setup/tasks/lorry-controller-setup.yml new file mode 100644 index 0000000..06fab96 
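Review bot: The certificate task writes the private key and the certificate into the same `/etc/lighttpd/certs/lighttpd.pem` with the default umask, so the key is readable by every local account (including `cache`, which the `/var/run/lighttpd owner=cache` task suggests is the web server's user), uses `openssl req`'s default key size and an empty subject via `yes ''`, and makes the self-signed cert valid for 100 years. Put `umask 077` before the `openssl` call (or add `file: path=/etc/lighttpd/certs/lighttpd.pem mode=0600` afterwards), pass `-newkey rsa:2048 -subj '/CN={{ TROVE_HOSTNAME }}'` so the cert at least names the host, and choose a validity that forces rotation. This file is also the only task file without a `# Depends on:` header, although it relies on `users.yml` for the `cache` account and on `check.yml` for `TROVE_HOSTNAME`.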
--- /dev/null +++ b/ansible/roles/trove-setup/tasks/lorry-controller-setup.yml 
@@ -0,0 +1,92 @@ +# Depends on: +# - gitano-setup.yml +# - lighttpd.yml +--- +- name: Create the TROVE_ID/local-config/lorries repository + shell: | + su git -c 'ssh localhost create '{{ TROVE_ID|quote|quote|quote }}'/local-config/lorries' + creates=/home/git/repos/{{ TROVE_ID|regex_replace('(\\W)', '\\\\\\1')}}/local-config/lorries.git +- name: Create a temporary folder to copy templates + shell: su git -c 'mktemp -d' + register: lorry_controller_templates + +- name: Create the configuration files of lorry-controller using templates + template: src=/usr/share/trove-setup/{{ item }} dest={{ lorry_controller_templates.stdout }}/{{ item }} owner=git group=git mode=0644 + with_items: + - lorry-controller.conf + - README.lorry-controller +- name: Create a temporary folder to copy the lorry-controller repository + shell: su git -c 'mktemp -d' + register: lorry_controller_repository + +- name: Configure the lorry-controller + shell: | + su git -c 'git clone ssh://localhost/'{{ TROVE_ID|quote|quote }}'/local-config/lorries.git '{{ lorry_controller_repository.stdout|quote|quote }}'/lorries' + su git -c 'cp '{{ lorry_controller_templates.stdout|quote|quote }}'/lorry-controller.conf '{{ lorry_controller_repository.stdout|quote|quote }}'/lorries/lorry-controller.conf' + su git -c 'cp '{{ lorry_controller_templates.stdout|quote|quote }}'/README.lorry-controller '{{ lorry_controller_repository.stdout|quote|quote }}'/lorries/README' + su git -c 'mkdir '{{ lorry_controller_repository.stdout|quote|quote }}'/lorries/open-source-lorries' + su git -c 'cp /usr/share/trove-setup/open-source-lorries/README '{{ lorry_controller_repository.stdout|quote|quote }}'/lorries/open-source-lorries/README' + su git -c 'mkdir '{{ lorry_controller_repository.stdout|quote|quote }}'/lorries/closed-source-lorries' + su git -c 'cp /usr/share/trove-setup/closed-source-lorries/README '{{ lorry_controller_repository.stdout|quote|quote }}'/lorries/closed-source-lorries/README' + su git -c 'cd '{{ 
lorry_controller_repository.stdout|quote|quote }}'/lorries; git add README lorry-controller.conf open-source-lorries/README closed-source-lorries/README; git commit -m "Initial configuration"; git push origin master' + su git -c 'rm -rf '{{ lorry_controller_repository.stdout|quote|quote }} + creates=/home/git/repos/{{ TROVE_ID|regex_replace('(\\W)', '\\\\\\1')}}/local-config/lorries.git/refs/heads/master + +# Migration: Remove the old lorry-controller cronjob if exists +- name: Look for lorry-controller old cronjob (This task can fail) + shell: su lorry -c 'crontab -l | grep -e "-c lorry-controller"' + register: lorry_controller_cronjob + changed_when: False + ignore_errors: True + +- name: Remove the old lorry-controller cronjob + shell: su lorry -c '/usr/libexec/remove-lorry-controller-from-lorry-crontab' + when: lorry_controller_cronjob|success + + +# Now that the lorry-controller is configured we can enable the following +# services and timers, and also start them +# - lorry-controller-status +# - lorry-controller-readconf +# - lorry-controller-ls-troves +- name: Enable lorry-controller-status service + service: name=lorry-controller-status.service enabled=yes + register: lorry_controller_status_service +- name: Start lorry-controller-status service + service: name=lorry-controller-status.service state=restarted + when: lorry_controller_status_service|changed + +- name: Enable lorry-controller-readconf service + service: name=lorry-controller-readconf.service enabled=yes + register: lorry_controller_readconf_service +- name: Start lorry-controller-readconf service + service: name=lorry-controller-readconf.service state=restarted + when: lorry_controller_readconf_service|changed + +- name: Enable lorry-controller-ls-troves service + service: name=lorry-controller-ls-troves.service enabled=yes + register: lorry_controller_ls_troves_service +- name: Start lorry-controller-ls-troves service + service: name=lorry-controller-ls-troves.service state=restarted + when: 
lorry_controller_ls_troves_service|changed + +- name: Enable lorry-controller-status timer + service: name=lorry-controller-status.timer enabled=yes + register: lorry_controller_status_timer +- name: Start lorry-controller-status timer + service: name=lorry-controller-status.timer state=restarted + when: lorry_controller_status_timer|changed + +- name: Enable lorry-controller-readconf timer + service: name=lorry-controller-readconf.timer enabled=yes + register: lorry_controller_readconf_timer +- name: Start lorry-controller-readconf timer + service: name=lorry-controller-readconf.timer state=restarted + when: lorry_controller_readconf_timer|changed + +- name: Enable lorry-controller-ls-troves timer + service: name=lorry-controller-ls-troves.timer enabled=yes + register: lorry_controller_ls_troves_timer +- name: Start lorry-controller-ls-troves timer + service: name=lorry-controller-ls-troves.timer state=restarted + when: lorry_controller_ls_troves_timer|changed diff --git a/ansible/roles/trove-setup/tasks/lorry-setup.yml b/ansible/roles/trove-setup/tasks/lorry-setup.yml new file mode 100644 index 0000000..c50b49d --- /dev/null +++ b/ansible/roles/trove-setup/tasks/lorry-setup.yml 
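Review bot: The `Configure the lorry-controller` script runs several `su git -c` lines without `set -e`, so if the `git clone` or the `git push` fails every following line still runs and the task's status is that of the final `rm -rf`, which succeeds — Ansible reports OK while the repository was never populated (it is only retried later because `creates=` checks `refs/heads/master`). Start the script with `set -e`. The two `mktemp -d` tasks also run on every play and the templates directory is never removed, so each run leaks a directory under `/tmp`; removing it inside the guarded script, or using a fixed path under `/home/git`, would fix that. Finally, `/usr/libexec/remove-lorry-controller-from-lorry-crontab` is no longer installed by this commit's Makefile (the `cp libexecs/*` step was dropped), so the migration task will abort the play on a fresh install unless that script now comes from elsewhere.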
@@ -0,0 +1,20 @@ +# Depends on: +# - users.yml +--- +- name: Create bundles and tarballs folder for the lorry user + file: path=/home/lorry/{{ item }} state=directory owner=lorry group=lorry + with_items: + - bundles + - tarballs +# Following the same strategy as explained in gitano-setup.yml, use +# templates recursively over directories. +# Create the directories needed to copy the files +- name: Create directories needed in /etc for the lorry configuration + file: path=/etc/{{ item }} state=directory + with_lines: + - (cd /usr/share/trove-setup/etc && find -type d) +# Copy all the files to the right place and fill the templates whenever possible +- name: Add the configuration needed for lorry in /etc using templates + template: src=/usr/share/trove-setup/etc/{{ item }} dest=/etc/{{ item }} + with_lines: + - (cd /usr/share/trove-setup/etc && find -type f) diff --git a/ansible/roles/trove-setup/tasks/main.yml b/ansible/roles/trove-setup/tasks/main.yml new file mode 100644 index 0000000..35fd807 --- /dev/null +++ b/ansible/roles/trove-setup/tasks/main.yml @@ -0,0 +1,18 @@ +--- +- include: check.yml +- include: hostname.yml +- include: known-hosts-setup.yml +- include: users.yml +- include: cache-setup.yml +- include: lighttpd.yml +- include: lorry-setup.yml +- include: git.yml +- include: gitano-setup.yml +- include: lorry-controller-setup.yml +- include: minions.yml +- include: site-groups.yml +- include: releases.yml +- include: gitano-worker-setup.yml +- include: gitano-lorry-setup.yml +- include: gitano-admin-setup.yml +- include: backups.yml diff --git a/ansible/roles/trove-setup/tasks/minions.yml b/ansible/roles/trove-setup/tasks/minions.yml new file mode 100644 index 0000000..a5b3d8d --- /dev/null +++ b/ansible/roles/trove-setup/tasks/minions.yml 
@@ -0,0 +1,20 @@ +# Depends on: +# - lorry-controller-setup.yml +--- +# This is a workaround because the service module and the current +# systemd version doesn't work well enough with template units. +# +# It ALWAYS runs `systemctl enable` for all the minions to be +# created, but it only reports that the status of the task has changed +# when in the stderr output is the string "ln -s" (which means the +# unit has been enabled). +- name: Enable as many MINIONS as specified in LORRY_CONTROLLER_MINIONS + shell: systemctl enable lorry-controller-minion@{{ item }}.service + with_sequence: count={{ LORRY_CONTROLLER_MINIONS }} + changed_when: "'ln -s' in minions_creation.stderr" + register: minions_creation + +- name: Start the all the MINIONS created (if any) + service: name=lorry-controller-minion@{{ item.item }} state=restarted + with_items: minions_creation.results + when: item|changed diff --git a/ansible/roles/trove-setup/tasks/releases.yml b/ansible/roles/trove-setup/tasks/releases.yml new file mode 100644 index 0000000..bcb031e --- /dev/null +++ b/ansible/roles/trove-setup/tasks/releases.yml 
@@ -0,0 +1,30 @@ +# Depends on: +# - site-groups.yml +--- +- name: Create the releases repository + shell: | + su git -c 'ssh localhost create '{{ TROVE_ID|quote|quote|quote }}'/site/releases' + creates=/home/git/repos/{{ TROVE_ID|regex_replace('(\\W)', '\\\\\\1')}}/site/releases.git + +- name: Create temporary folder to copy templates + shell: su git -c 'mktemp -d' + register: releases_templates +- name: Create the files needed for the releases repository + template: src=/usr/share/trove-setup/releases-repo-README dest={{ releases_templates.stdout }}/releases-repo-README owner=git group=git mode=0644 + +- name: Create temporary folder to clone the releases repository + shell: su git -c 'mktemp -d' + register: releases_repository +- name: Configure the releases repository + shell: | + su git -c 'git clone ssh://localhost/'{{ TROVE_ID|quote|quote }}'/site/releases.git '{{ releases_repository.stdout|quote|quote }}'/releases' + su git -c 'cp '{{ releases_templates.stdout|quote|quote }}'/releases-repo-README '{{ releases_repository.stdout|quote|quote }}'/releases/README' + su git -c 'cd '{{ releases_repository.stdout|quote|quote }}'/releases; git add README; git commit -m "Add README"; git push origin master' + su -c "rm -Rf {{ releases_repository.stdout|quote|quote }}" + creates=/home/git/repos/{{ TROVE_ID|regex_replace('(\\W)', '\\\\\\1')}}/site/releases.git/refs/heads/master + +- name: Link the releases repository to enable the access throught browser + file: | + src=/home/git/repos/{{ TROVE_ID }}/site/releases.git/rsync + dest=/var/www/htdocs/releases state=link + force=yes diff --git a/ansible/roles/trove-setup/tasks/site-groups.yml b/ansible/roles/trove-setup/tasks/site-groups.yml new file mode 100644 index 0000000..e4aff14 --- /dev/null +++ b/ansible/roles/trove-setup/tasks/site-groups.yml 
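Review bot: The cleanup line `su -c "rm -Rf {{ releases_repository.stdout|quote|quote }}"` runs `rm -Rf` as root on a path taken from a registered command's stdout, whereas the equivalent task in `lorry-controller-setup.yml` does it as the `git` user; if `mktemp -d` ever fails or prints something unexpected, it is root doing the removal. Use `su git -c 'rm -rf '{{ releases_repository.stdout|quote|quote }}` for least privilege and consistency, and put `set -e` at the top of the script so a failed clone/commit/push is not masked by the trailing `rm` returning 0. The `file: src=/home/git/repos/{{ TROVE_ID }}/site/releases.git/rsync` link publishes a directory inside the bare repository under `/var/www/htdocs`; a one-line comment stating what is expected to live in `rsync/` and who writes it would help the next reader judge the exposure.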
@@ -0,0 +1,88 @@ +# Depends on: +# - gitano-setup.yml +--- +# First of all check if the site groups are created. +- name: Check for site groups (This task can fail) + shell: su git -c 'ssh git@localhost group list' | grep '^'{{ item.name|quote }}':' + changed_when: False + ignore_errors: True + with_items: + - { name: 'site-readers', description: 'Users with read access to the site project' } + - { name: 'site-writers', description: 'Users with write access to the site project' } + - { name: 'site-admins', description: 'Users with admin access to the site project' } + - { name: 'site-managers', description: 'Users with manager access to the site project' } + register: gitano_groups +# Iterate over the results of the previous check, and create the sites needed. +# In this task we are using the list of results of the previous task +# - item is the result of the execution of one of the elements of +# the list of the previous task. +# - item.item is the item of the previous task being executed when +# the result (stored in item) was taken. 
+# +# For example, the task: (From http://docs.ansible.com/playbooks_loops.html#using-register-with-a-loop) +# +# - shell: echo "{{ item }}" +# with_items: +# - one +# - two +# register: echo +# +# Would register in the variable "echo": +# +# { +# "changed": true, +# "msg": "All items completed", +# "results": [ +# { +# "changed": true, +# "cmd": "echo \"one\" ", +# "delta": "0:00:00.003110", +# "end": "2013-12-19 12:00:05.187153", +# "invocation": { +# "module_args": "echo \"one\"", +# "module_name": "shell" +# }, +# "item": "one", +# "rc": 0, +# "start": "2013-12-19 12:00:05.184043", +# "stderr": "", +# "stdout": "one" +# }, +# { +# "changed": true, +# "cmd": "echo \"two\" ", +# "delta": "0:00:00.002920", +# "end": "2013-12-19 12:00:05.245502", +# "invocation": { +# "module_args": "echo \"two\"", +# "module_name": "shell" +# }, +# "item": "two", +# "rc": 0, +# "start": "2013-12-19 12:00:05.242582", +# "stderr": "", +# "stdout": "two" +# } +# ] +# } + +- name: Create the site groups needed. + shell: su git -c 'ssh git@localhost group add '{{ item.item.name|quote|quote|quote }}' '{{ item.item.description|quote|quote|quote }} + when: item|failed + with_items: gitano_groups.results + +# When the groups are created, check if they are linked. +- name: Check for linked groups (This task can fail) + shell: su git -c 'ssh git@localhost group show '{{ item.name|quote|quote|quote }} | grep '^ \[] '{{ item.super_group|quote }} + changed_when: False + ignore_errors: True + with_items: + - { name: 'site-readers', super_group: 'site-writers' } + - { name: 'site-writers', super_group: 'site-admins' } + - { name: 'site-admins', super_group: 'site-managers' } + register: gitano_linked_groups + +# Link the groups that weren't linked following the same strategy as for the groups +- shell: su git -c 'ssh git@localhost group addgroup '{{ item.item.name|quote|quote|quote }}' '{{ item.item.super_group|quote|quote|quote }} + when: item|failed + with_items: gitano_linked_groups.results 
diff --git a/ansible/roles/trove-setup/tasks/users.yml b/ansible/roles/trove-setup/tasks/users.yml new file mode 100644 index 0000000..c1ab866 --- /dev/null +++ b/ansible/roles/trove-setup/tasks/users.yml @@ -0,0 +1,38 @@ +# Depends on: +# - check.yml +--- +- name: Create the lorry user without generating sshkeys. + user: name=lorry comment="Trove lorry service" shell=/bin/bash +- name: Create the /home/lorry/.ssh folder + file: path=/home/lorry/.ssh state=directory owner=lorry group=lorry mode=0700 + +- name: Create users (git, cache, mason) and ssh keys for them. + user: name={{ item }} comment="Trove {{ item }} service" shell=/bin/bash generate_ssh_key=yes + with_items: + - git + - cache + - mason +- name: Create known_hosts for all the users + shell: | + cat /etc/ssh/ssh_host_*_key.pub | cut -d\ -f1,2 | \ + sed -e's/^/'{{ TROVE_HOSTNAME|regex_replace('(\\W)', '\\\\\\1')|quote }}',localhost /' > \ + /home/{{ item }}/.ssh/known_hosts + chown {{ item }}:{{ item }} /home/{{ item }}/.ssh/known_hosts + chmod 600 /home/{{ item }}/.ssh/known_hosts + creates=/home/{{ item }}/.ssh/known_hosts + with_items: + - git + - cache + - mason + - lorry + +- name: Copy the lorry ssh private key + copy: | + src={{ LORRY_SSH_KEY }} + dest=/home/lorry/.ssh/id_rsa + owner=lorry group=lorry mode=600 +- name: Copy the lorry ssh public key + copy: | + src={{ LORRY_SSH_PUBKEY }} + dest=/home/lorry/.ssh/id_rsa.pub + owner=lorry group=lorry mode=644 diff --git a/ansible/trove-setup.yml b/ansible/trove-setup.yml new file mode 100644 index 0000000..0ab7f0e --- /dev/null +++ b/ansible/trove-setup.yml @@ -0,0 +1,6 @@ +--- +- hosts: localhost + vars_files: + - "/etc/trove/trove.conf" + roles: + - trove-setup diff --git a/bins/trove-early-setup b/bins/trove-early-setup deleted file mode 100755 index 5ce2d7a..0000000 --- a/bins/trove-early-setup +++ /dev/null 
@@ -1,124 +0,0 @@ -#!/usr/bin/make -f -# -# Copyright (C) 2013 Codethink Limited -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# -*- Make -*- - - -all: gitano-configured lorry-configured cache-configured mason-configured nfs-configured cert-generated - -USERS := git lorry cache mason - -# $1 == username to make -define make_user_rules - -/home/$1/.created: - adduser -g "Trove $1 service" -s /bin/bash -D $1 - su -c 'mkdir .ssh; chmod 750 .ssh' - $1 - su -c 'ssh-keygen -t rsa -N "" -q -f .ssh/id_rsa' - $1 - (cat /etc/ssh/ssh_host_*_key.pub | cut -d\ -f1,2 | \ - sed -e's/^/'$(shell hostname)',localhost /' > \ - /home/$1/.ssh/known_hosts) - chown $1:$1 /home/$1/.ssh/known_hosts - chmod 600 /home/$1/.ssh/known_hosts - touch $$@ - -ALL_USER_TARGETS := $$(ALL_USER_TARGETS) /home/$1/.created - -endef - -$(eval $(foreach USER,$(USERS),$(call make_user_rules,$(USER)))) - -/home/git/.git-setup: $(ALL_USER_TARGETS) - su -c 'git config --global user.name "Trove Git Controller"' - git - su -c 'git config --global user.email "git@trove"' - git - touch $@ - -/home/git/.gitano-setup: /home/git/.git-setup - su -c 'gitano-setup /etc/gitano-setup.clod' - git - passwd -u git - touch $@ - -/home/git/.gitano-lorry-setup: /home/git/.gitano-setup - cp /home/lorry/.ssh/id_rsa.pub /tmp/lorry.pub - su -c 'ssh git@localhost as lorry sshkey add trove < /tmp/lorry.pub' - git - rm 
/tmp/lorry.pub - touch $@ - -.PHONY: gitano-configured -gitano-configured: /home/git/.gitano-setup - -/home/lorry/.lorry-setup: $(ALL_USER_TARGETS) - su -c 'mkdir /home/lorry/bundles /home/lorry/tarballs' - lorry - touch $@ - -/home/lorry/.lorry-controller-setup: /home/lorry/.lorry-setup /home/git/.gitano-lorry-setup - PREFIX=$$(echo "##PREFIX##" | sed -f /etc/trove-setup.sed); \ - su -c "ssh localhost create $${PREFIX}/local-config/lorries" - git; \ - su -c "git clone ssh://localhost/$${PREFIX}/local-config/lorries.git /tmp/lorries" - git; \ - su -c "sed -f /etc/trove-setup.sed < /usr/share/trove-setup/lorry-controller.conf > /tmp/lorries/lorry-controller.conf" - git - su -c "sed -f /etc/trove-setup.sed < /usr/share/trove-setup/README.lorry-controller > /tmp/lorries/README" - git - su -c "mkdir /tmp/lorries/open-source-lorries" - git - su -c "cp /usr/share/trove-setup/open-source-lorries/README /tmp/lorries/open-source-lorries/README" - git - su -c "mkdir /tmp/lorries/closed-source-lorries" - git - su -c "cp /usr/share/trove-setup/closed-source-lorries/README /tmp/lorries/closed-source-lorries/README" - git - su -c "cd /tmp/lorries; git add README lorry-controller.conf open-source-lorries/README closed-source-lorries/README; git commit -m 'Initial configuration'; git push origin master" - git - su -c "rm -rf /tmp/lorries" - git - touch $@ - -.PHONY: lorry-configured -lorry-configured: /home/lorry/.lorry-setup /home/lorry/.lorry-controller-setup - -/home/cache/.cache-setup: $(ALL_USER_TARGETS) - su -c 'mkdir /home/cache/artifacts' - cache - su -c 'mkdir /home/cache/ccache' - cache - echo '/home/cache/ccache *(rw,all_squash,no_subtree_check,anonuid=1002,anongid=1002)' > /etc/exports.cache - touch $@ - -.PHONY: cache-configured -cache-configured: /home/cache/.cache-setup - -/home/git/.mason-setup: /home/git/.gitano-setup $(ALL_USER_TARGETS) - PREFIX=$$(echo "##PREFIX##" | sed -f /etc/trove-setup.sed); \ - su -c "ssh localhost create $${PREFIX}/local-config/mason" - 
git; \ - su -c "git clone ssh://localhost/$${PREFIX}/local-config/mason.git /tmp/mason-config" - git - su -c "mkdir /tmp/mason-config/ci1" - git - su -c "cp /var/lib/trove-setup/hosts.json.txt /tmp/mason-config/ci1" - git - su -c "cp /var/lib/trove-setup/systems.json.txt /tmp/mason-config/ci1" - git - su -c "cd /tmp/mason-config; git add ci1; git commit -m 'Set initial Mason config'; git push origin master" - git - su -c "rm -fr /tmp/mason-config" - git - su -c 'mkdir /home/mason/jobs' - mason - echo '/home/mason/jobs *(rw,all_squash,no_subtree_check,anonuid=1003,anongid=1003)' > /etc/exports.mason - touch $@ - -.PHONY: mason-configured -mason-configured: /home/git/.mason-setup - -/etc/exports: /home/cache/.cache-setup /home/git/.mason-setup - cat /etc/exports.cache /etc/exports.mason >/etc/exports - -.PHONY: nfs-configured -nfs-configured: /etc/exports - -/home/git/.cert-generated: - mkdir -p /etc/lighttpd/certs - echo -ne '\n\n\n\n\n\n\n' | openssl req -new -x509 \ - -keyout /etc/lighttpd/certs/lighttpd.pem \ - -out /etc/lighttpd/certs/lighttpd.pem -days 36525 -nodes - touch $@ - -.PHONY: cert-generated -cert-generated: /home/git/.cert-generated diff --git a/gitano-admin/users/lorry/user.conf b/gitano-admin/users/lorry/user.conf deleted file mode 100644 index f21fac7..0000000 --- a/gitano-admin/users/lorry/user.conf +++ /dev/null @@ -1,2 +0,0 @@ -email_address "lorry@##TROVE_HOSTNAME##" -real_name "Source Code Lorry Service" diff --git a/libexecs/remove-lorry-controller-from-lorry-crontab b/libexecs/remove-lorry-controller-from-lorry-crontab deleted file mode 100755 index 8fc6cf3..0000000 --- a/libexecs/remove-lorry-controller-from-lorry-crontab +++ /dev/null 
@@ -1,22 +0,0 @@ -#!/bin/sh -# -# Trove used to run a version of Lorry Controller that wasn't a -# daemon, but instead was invoked once a minute from a crontab owned -# by the lorry user. When we upgrade to a version of Lorry Controller -# that does run as a daemon, we need to disable the cronjob. This -# script does that. -# -# The lorry user crontab may contain other jobs, so we can't just -# willy-nilly delete the whole crontab. Instead, we remove the -# specific line. The line looks like this: -# -# */1 * * * * flock -x -n /home/lorry/lorry-controller-area/lockfile -# -c lorry-controller --work-area=/home/lorry/lorry-controller-area -# --log=syslog --log-level=info --html-file=/home/lorry/lc-status.html -# -# Except, of course, all on one line. - - -crontab -l | -grep -v -e '-c lorry-controller' | -crontab - diff --git a/share/README.lorry-controller b/share/README.lorry-controller index 1c70617..3bd0a90 100644 --- a/share/README.lorry-controller +++ b/share/README.lorry-controller @@ -14,5 +14,5 @@ scenarios regarding adding external software to your Trove before attempting to add any additional configuration to this repository. Remember, the Lorry tool is not permitted to manage repositories inside your -prefix which is ##PREFIX##. +prefix which is {{ TROVE_ID }}. diff --git a/etc/cgitrc b/share/etc/cgitrc index c526e17..28540dd 100644 --- a/etc/cgitrc +++ b/share/etc/cgitrc @@ -1,4 +1,4 @@ -clone-prefix=git://##TROVE_HOSTNAME## http://##TROVE_HOSTNAME##/git https://##TROVE_HOSTNAME##/git ssh://git@##TROVE_HOSTNAME## +clone-prefix=git://{{ TROVE_HOSTNAME }} http://{{ TROVE_HOSTNAME }}/git https://{{ TROVE_HOSTNAME }}/git ssh://git@{{ TROVE_HOSTNAME }} strict-export=git-daemon-export-ok css=/cgit/cgit.css 
@@ -8,8 +8,8 @@ head-include=/etc/cgit-trove-head.inc footer=/etc/cgit-trove-footer.inc enable-index-links=1 -root-title=##TROVE_TITLE## Git Repositories -root-desc=Baserock Trove -- For ##TROVE_COMPANY## +root-title={{ TROVE_ID }} Git Repositories +root-desc=Baserock Trove -- For {{ TROVE_COMPANY }} snapshots=tar.gz enable-commit-graph=1 enable-log-filecount=1 diff --git a/etc/gitano-setup.clod b/share/etc/gitano-setup.clod index b63aeb6..511479f 100644 --- a/etc/gitano-setup.clod +++ b/share/etc/gitano-setup.clod @@ -4,14 +4,15 @@ paths.home "/home/git" paths.ssh "/home/git/.ssh" paths.pubkey "/home/git/.ssh/id_rsa.pub" paths.repos "/home/git/repos" +paths.skel "/etc/gitano/skel/gitano-admin" admin.username "trove" admin.realname "Trove Instance Administrator" admin.email "trove@trove-instance" admin.keyname "trove" -site.name "##TROVE_TITLE## for ##TROVE_COMPANY##" -log.prefix "##TROVE_LOG_PREFIX##" +site.name "{{ TROVE_ID }} for {{ TROVE_COMPANY }}" +log.prefix "{{ TROVE_ID }}" use.htpasswd "yes" diff --git a/share/etc/lorry-controller/minion.conf b/share/etc/lorry-controller/minion.conf new file mode 100644 index 0000000..99abdba --- /dev/null +++ b/share/etc/lorry-controller/minion.conf @@ -0,0 +1,6 @@ +[config] +log = syslog +log-level = debug +webapp-host = localhost +webapp-port = 12765 +webapp-timeout = 3600 diff --git a/share/etc/lorry-controller/webapp.conf b/share/etc/lorry-controller/webapp.conf new file mode 100644 index 0000000..2e9df0d --- /dev/null +++ b/share/etc/lorry-controller/webapp.conf @@ -0,0 +1,12 @@ +[config] +log = /home/lorry/webapp.log +log-max = 100M +log-keep = 10 +log-level = debug +statedb = /home/lorry/webapp.db +configuration-directory = /home/lorry/confgit +status-html = /home/lorry/lc-status.html +wsgi = yes +debug-port = 12765 +templates = /usr/share/lorry-controller/templates +confgit-url = ssh://git@localhost/{{ TROVE_ID }}/local-config/lorries diff --git a/etc/lorry.conf b/share/etc/lorry.conf index 16552cb..cc94e8d 100644 
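Review bot: `paths.skel "/etc/gitano/skel/gitano-admin"` points at a location that this change does not populate in any visible hunk: the skeleton is moved to `share/gitano/skel/gitano-admin` and its files now carry Jinja2 placeholders, so something must render them into `/etc/gitano/skel` before `gitano-setup` reads this clod. If that rendering step lives in a task not shown here, a comment on this line naming it would stop the next reader from assuming the path is a typo, e.g. `# rendered from share/gitano/skel by the trove-setup role before gitano-setup runs`. Note too that `site.name`/`log.prefix` are templated while `admin.email "trove@trove-instance"` stays hard-coded, which looks inconsistent now that TROVE_HOSTNAME is available.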
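Review bot: `log-level = debug` ships a production long-running web application writing debug output to `/home/lorry/webapp.log` (rotated at 100M ×10), and `debug-port = 12765` is the same port the minion is configured to reach on localhost; nothing in this file says which address that port binds to. If the port is loopback-only that should be stated, and the default level should probably be `log-level = info` with debug left as a documented override. A header comment along the lines of `# debug-port must stay loopback-only: the minion talks to it unauthenticated` would capture the assumption — hedged, as the binding behaviour is not visible here.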
--- a/etc/lorry.conf +++ b/share/etc/lorry.conf @@ -1,6 +1,6 @@ [config] mirror-base-url-push = ssh://git@localhost -mirror-base-url-fetch = git://##TROVE_HOSTNAME## +mirror-base-url-fetch = git://{{ TROVE_HOSTNAME }} bundle = never bundle-dest = /home/lorry/bundles tarball = always diff --git a/gitano-admin/global-hooks/post-receive.lua b/share/gitano/skel/gitano-admin/global-hooks/post-receive.lua index d1b3864..c7ab051 100644 --- a/gitano-admin/global-hooks/post-receive.lua +++ b/share/gitano/skel/gitano-admin/global-hooks/post-receive.lua @@ -14,11 +14,11 @@ local project_hook, repo, updates = ... local EMPTY_SHA = ("0"):rep(40) -local masonhost = "##MASON_HOST##:##MASON_PORT##" +local masonhost = "{{ MASON_ID }}:{{ MASON_PORT }}" local basepath = "/1.0" local urlbases = { - "git://##TROVE_HOSTNAME##/", - "ssh://git@##TROVE_HOSTNAME##/", + "git://{{ TROVE_HOSTNAME }}/", + "ssh://git@{{ TROVE_HOSTNAME }}/", } local notify_mason = false diff --git a/gitano-admin/groups/local-config-admins.conf b/share/gitano/skel/gitano-admin/groups/local-config-admins.conf index 435a297..435a297 100644 --- a/gitano-admin/groups/local-config-admins.conf +++ b/share/gitano/skel/gitano-admin/groups/local-config-admins.conf diff --git a/gitano-admin/groups/local-config-managers.conf b/share/gitano/skel/gitano-admin/groups/local-config-managers.conf index 711be8f..711be8f 100644 --- a/gitano-admin/groups/local-config-managers.conf +++ b/share/gitano/skel/gitano-admin/groups/local-config-managers.conf diff --git a/gitano-admin/groups/local-config-readers.conf b/share/gitano/skel/gitano-admin/groups/local-config-readers.conf index 63e6bb3..63e6bb3 100644 --- a/gitano-admin/groups/local-config-readers.conf +++ b/share/gitano/skel/gitano-admin/groups/local-config-readers.conf diff --git a/gitano-admin/groups/local-config-writers.conf b/share/gitano/skel/gitano-admin/groups/local-config-writers.conf index 9bbff24..9bbff24 100644 --- a/gitano-admin/groups/local-config-writers.conf 
+++ b/share/gitano/skel/gitano-admin/groups/local-config-writers.conf diff --git a/gitano-admin/groups/trove-admin.conf b/share/gitano/skel/gitano-admin/groups/trove-admin.conf index e912653..e912653 100644 --- a/gitano-admin/groups/trove-admin.conf +++ b/share/gitano/skel/gitano-admin/groups/trove-admin.conf diff --git a/gitano-admin/groups/workers.conf b/share/gitano/skel/gitano-admin/groups/workers.conf index 5586538..5586538 100644 --- a/gitano-admin/groups/workers.conf +++ b/share/gitano/skel/gitano-admin/groups/workers.conf diff --git a/gitano-admin/rules/adminchecks.lace b/share/gitano/skel/gitano-admin/rules/adminchecks.lace index ffe99a0..ffe99a0 100644 --- a/gitano-admin/rules/adminchecks.lace +++ b/share/gitano/skel/gitano-admin/rules/adminchecks.lace diff --git a/gitano-admin/rules/aschecks.lace b/share/gitano/skel/gitano-admin/rules/aschecks.lace index fc76440..fc76440 100644 --- a/gitano-admin/rules/aschecks.lace +++ b/share/gitano/skel/gitano-admin/rules/aschecks.lace diff --git a/gitano-admin/rules/core.lace b/share/gitano/skel/gitano-admin/rules/core.lace index dab7cfb..dab7cfb 100644 --- a/gitano-admin/rules/core.lace +++ b/share/gitano/skel/gitano-admin/rules/core.lace diff --git a/gitano-admin/rules/createrepo.lace b/share/gitano/skel/gitano-admin/rules/createrepo.lace index bf4683e..a07a744 100644 --- a/gitano-admin/rules/createrepo.lace +++ b/share/gitano/skel/gitano-admin/rules/createrepo.lace @@ -11,7 +11,7 @@ # Administrators have already been permitted whatever they like # so this is for site-wide non-admins. -##PEOPLE_COMMENT##allow "Personal repo creation is okay" repo_is_personal +{{ PEOPLE_COMMENT }}allow "Personal repo creation is okay" repo_is_personal # Allow people in *-admins to create repositories under <foo> allow "Project admins may make project repositories" repo_is_local_project project_admin diff --git a/gitano-admin/rules/defines.lace b/share/gitano/skel/gitano-admin/rules/defines.lace index 380948a..466ac6f 100644 
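Review bot: Toggling an ACL rule by prefixing it with a variable (`{{ PEOPLE_COMMENT }}allow "Personal repo creation is okay" repo_is_personal`) is fragile: any value other than an empty string or `#` yields a malformed rule line, and an empty default silently enables personal repo creation for all users. A Jinja2 conditional makes the policy explicit and fails closed, e.g. `{% if PEOPLE_COMMENT == '' %}` around the `allow` line with a comment explaining what enables it; the variable's meaning is inferred from its name and the previous `##PEOPLE_COMMENT##` substitution, so confirm against where it is set.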
--- a/gitano-admin/rules/defines.lace +++ b/share/gitano/skel/gitano-admin/rules/defines.lace @@ -83,9 +83,9 @@ define is_admin_ref ref refs/gitano/admin # # -define repo_is_personal repository ~^##ESC_PERSONAL_PREFIX##/${user}/ -define ref_is_personal ref ~^refs/heads/##ESC_PREFIX##/${user}/ -define repo_is_local_project repository ~^##ESC_PREFIX##/[^/]+/ +define repo_is_personal repository ~^{{ ESC_PERSONAL_PREFIX }}/${user}/ +define ref_is_personal ref ~^refs/heads/{{ ESC_PREFIX }}/${user}/ +define repo_is_local_project repository ~^{{ ESC_PREFIX }}/[^/]+/ define project_reader group ${repository/2}-readers define project_writer group ${repository/2}-writers @@ -100,7 +100,7 @@ define trove_site_admin group trove-admin define target_group_gitano_admin targetgroup gitano-admin define is_lorry user lorry -define is_local_ref ref ~^refs/heads/##ESC_PREFIX##/ +define is_local_ref ref ~^refs/heads/{{ ESC_PREFIX }}/ define lorryable_repo allof !repo_is_local_project !repo_is_personal !is_admin_repo define is_worker group workers diff --git a/gitano-admin/rules/destroyrepo.lace b/share/gitano/skel/gitano-admin/rules/destroyrepo.lace index 6e6b446..6e6b446 100644 --- a/gitano-admin/rules/destroyrepo.lace +++ b/share/gitano/skel/gitano-admin/rules/destroyrepo.lace diff --git a/gitano-admin/rules/other-project.lace b/share/gitano/skel/gitano-admin/rules/other-project.lace index 7bc80cc..e5f05be 100644 --- a/gitano-admin/rules/other-project.lace +++ b/share/gitano/skel/gitano-admin/rules/other-project.lace @@ -6,7 +6,7 @@ # # Copyright 2012,2013 Codethink Limited # -# Rules for any repository not under ##PREFIX## +# Rules for any repository not under {{ TROVE_ID }} # This is, by default, /baserock/ and /delta/ 
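Review bot: The repository and ref matchers now depend on `ESC_PREFIX` and `ESC_PERSONAL_PREFIX` being regex-escaped forms of the prefixes, but nothing in the template says so, and an unescaped `.` or `+` reaching `repository ~^{{ ESC_PREFIX }}/[^/]+/` widens what counts as a local project (and so who `project_admin` applies to). Add a comment above these defines, e.g. `# ESC_* must be the regex-escaped prefix: a stray metacharacter here broadens the ACL match`, and confirm that the step producing them escapes every regex metacharacter rather than only `/`.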
@@ -15,11 +15,11 @@ allow "Anyone may read here" op_read allow "Anyone may write here" op_write !is_anonymous # Lorry can do anything reffy which is not inside the local refs -allow "Lorry may touch everything but refs/heads/##PREFIX##" op_is_reffy is_lorry !is_local_ref +allow "Lorry may touch everything but refs/heads/{{ TROVE_ID }}" op_is_reffy is_lorry !is_local_ref # Noone can rewind/rebase outside of their personal refs deny "Non-personal branches may not be rewound/rebased" op_forcedupdate !is_lorry !ref_is_personal -# Everyone else can do reffy things inside refs/heads/##PREFIX## +# Everyone else can do reffy things inside refs/heads/{{ TROVE_ID }} allow "Project writers may alter any refs" op_is_reffy !is_lorry is_local_ref diff --git a/gitano-admin/rules/project.lace b/share/gitano/skel/gitano-admin/rules/project.lace index aa5e1e2..aa5e1e2 100644 --- a/gitano-admin/rules/project.lace +++ b/share/gitano/skel/gitano-admin/rules/project.lace diff --git a/gitano-admin/rules/remoteconfigchecks.lace b/share/gitano/skel/gitano-admin/rules/remoteconfigchecks.lace index 6f88f5f..6f88f5f 100644 --- a/gitano-admin/rules/remoteconfigchecks.lace +++ b/share/gitano/skel/gitano-admin/rules/remoteconfigchecks.lace diff --git a/gitano-admin/rules/renamerepo.lace b/share/gitano/skel/gitano-admin/rules/renamerepo.lace index e4a51be..e4a51be 100644 --- a/gitano-admin/rules/renamerepo.lace +++ b/share/gitano/skel/gitano-admin/rules/renamerepo.lace diff --git a/gitano-admin/rules/selfchecks.lace b/share/gitano/skel/gitano-admin/rules/selfchecks.lace index 83ef778..83ef778 100644 --- a/gitano-admin/rules/selfchecks.lace +++ b/share/gitano/skel/gitano-admin/rules/selfchecks.lace diff --git a/gitano-admin/rules/siteadmin.lace b/share/gitano/skel/gitano-admin/rules/siteadmin.lace index 06c71bb..06c71bb 100644 --- a/gitano-admin/rules/siteadmin.lace +++ b/share/gitano/skel/gitano-admin/rules/siteadmin.lace 
diff --git a/gitano-admin/rules/trove-project.lace b/share/gitano/skel/gitano-admin/rules/trove-project.lace index 383ba98..c13b307 100644 --- a/gitano-admin/rules/trove-project.lace +++ b/share/gitano/skel/gitano-admin/rules/trove-project.lace @@ -6,7 +6,7 @@ # # Copyright 2012,2013 Codethink Limited # -# Rules for ##PREFIX##/... repositories +# Rules for {{ TROVE_ID }}/... repositories # Reading the repository allow "Project readers may read" op_read project_reader diff --git a/gitano-admin/users/distbuild/user.conf b/share/gitano/skel/gitano-admin/users/distbuild/user.conf index 62ac3f5..6954826 100644 --- a/gitano-admin/users/distbuild/user.conf +++ b/share/gitano/skel/gitano-admin/users/distbuild/user.conf @@ -1,2 +1,2 @@ -email_address "distbuild@##TROVE_HOSTNAME##" +email_address "distbuild@{{ TROVE_HOSTNAME }}" real_name "Baserock Distributed Build Service" diff --git a/share/gitano/skel/gitano-admin/users/lorry/user.conf b/share/gitano/skel/gitano-admin/users/lorry/user.conf new file mode 100644 index 0000000..d00b635 --- /dev/null +++ b/share/gitano/skel/gitano-admin/users/lorry/user.conf @@ -0,0 +1,2 @@ +email_address "lorry@{{ TROVE_HOSTNAME }}" +real_name "Source Code Lorry Service" diff --git a/gitano-admin/users/mason/user.conf b/share/gitano/skel/gitano-admin/users/mason/user.conf index 639de4e..3139295 100644 --- a/gitano-admin/users/mason/user.conf +++ b/share/gitano/skel/gitano-admin/users/mason/user.conf @@ -1,2 +1,2 @@ -email_address "mason@##TROVE_HOSTNAME##" +email_address "mason@{{ TROVE_HOSTNAME }}" real_name "Baserock Continuous Integration Service" diff --git a/share/lorry-controller.conf b/share/lorry-controller.conf index bdbbbd5..0c90cc4 100644 --- a/share/lorry-controller.conf +++ b/share/lorry-controller.conf 
@@ -1,9 +1,9 @@ [ { "type": "trove", - "uuid": "##PREFIX##/initial", + "uuid": "{{ TROVE_ID }}/initial", "serial": 1, - "trovehost": "##UPSTREAM_TROVE##", + "trovehost": "{{ UPSTREAM_TROVE }}", "protocol": "ssh", "ls-interval": "4H", "interval": "2H", @@ -21,7 +21,7 @@ }, { "type": "lorries", - "uuid": "##PREFIX##/open-source-lorries", + "uuid": "{{ TROVE_ID }}/open-source-lorries", "serial": 1, "interval": "6H", "create": "always", @@ -35,7 +35,7 @@ }, { "type": "lorries", - "uuid": "##PREFIX##/closed-source-lorries", + "uuid": "{{ TROVE_ID }}/closed-source-lorries", "serial": 1, "interval": "6H", "create": "always", diff --git a/share/releases-repo-README b/share/releases-repo-README index d3f872b..69ee875 100644 --- a/share/releases-repo-README +++ b/share/releases-repo-README @@ -2,10 +2,10 @@ site/releases repository ------------------------ This is a special repository for distributing release binaries over HTTP. -Visit http://##PREFIX##/releases/ to browse content. +Visit http://{{ TROVE_ID }}/releases/ to browse content. To add a release to this repository, you need to be a member of the Gitano group site-writers. With the correct permissions, you can push releases to the repository by doing: - rsync $RELEASE git@##PREFIX##:##PREFIX##/site/releases + rsync $RELEASE git@{{ TROVE_HOSTNAME }}:{{ TROVE_ID }}/site/releases diff --git a/share/releases-repo-migration.sh b/share/releases-repo-migration.sh deleted file mode 100755 index 654da0c..0000000 --- a/share/releases-repo-migration.sh +++ /dev/null 
@@ -1,132 +0,0 @@ -#!/bin/bash - -function create_readers_group() -{ - set +e - ( - set -e - ssh localhost group add site-readers \ - 'Users with read access to the site project' - ) - local ret="$?" - if [ "$ret" != 0 ]; then - token=$(ssh localhost group del site-readers 2>&1 | tail -1 | \ - cut -d' ' -f 2) - ssh localhost group del site-readers $token - fi - return $ret -} - -function create_writers_group() -{ - set +e - ( - set -e - ssh localhost group add site-writers \ - 'Users with write access to the site project' - create_readers_group - ) - local ret="$?" - if [ "$ret" != 0 ]; then - token=$(ssh localhost group del site-writers 2>&1 | tail -1 | \ - cut -d' ' -f 2) - ssh localhost group del site-writers $token - fi - return $ret -} - -function create_admins_group() -{ - set +e - ( - set -e - ssh localhost group add site-admins \ - 'Users with admin access to the site project' - create_writers_group - ) - local ret="$?" - if [ "$ret" != 0 ]; then - token=$(ssh localhost group del site-admins 2>&1 | tail -1 | \ - cut -d' ' -f 2) - ssh localhost group del site-admins $token - fi - return $ret -} - -function create_managers_group() -{ - set +e - ( - set -e - ssh localhost group add site-managers \ - 'Users with manager access to the site project' - create_admins_group - ) - local ret="$?" 
- if [ "$ret" != 0 ]; then - token=$(ssh localhost group del site-managers 2>&1 | tail -1 | \ - cut -d' ' -f 2) - ssh localhost group del site-managers $token - fi - return $ret -} - -function link_groups() -{ - set -e - ssh localhost group addgroup site-admins site-managers - ssh localhost group addgroup site-writers site-admins - ssh localhost group addgroup site-readers site-writers -} - -function delete_groups() -{ - token=$(ssh localhost group del site-managers 2>&1 | tail -1 | \ - cut -d' ' -f 2) - ssh localhost group del site-managers $token - token=$(ssh localhost group del site-admins 2>&1 | tail -1 | \ - cut -d' ' -f 2) - ssh localhost group del site-admins $token - token=$(ssh localhost group del site-writers 2>&1 | tail -1 | \ - cut -d' ' -f 2) - ssh localhost group del site-writers $token - token=$(ssh localhost group del site-readers 2>&1 | tail -1 | \ - cut -d' ' -f 2) - ssh localhost group del site-readers $token -} - -function create_groups() -{ - # call managers_group which calls admin_group and so on... - create_managers_group - set +e - ( - set -e - link_groups - ) - local ret="$?" - if [ "$ret" != 0 ]; then - delete_groups - fi -} - -site_groups=$(ssh localhost group list | grep -cE "site-[[:alnum:]]+") -if [ "$site_groups" == 0 ]; then - create_groups -fi -ssh localhost create "##PREFIX##/site/releases" -description="This is a special repository for distributing release binaries -over HTTP. Visit http://##PREFIX##/releases/ to browse content." -ssh localhost config "##PREFIX##/site/releases" \ - set project.description "$description" - -# add a readme to the repository -repo=$(mktemp -d) -git clone ssh://localhost/##PREFIX##/site/releases $repo -cp /usr/share/trove-setup/releases-repo-README $repo/README -cd $repo -git add $repo/README -git commit -m 'Add README' -git push origin master -cd - -rm -Rf $repo 
diff --git a/units/drop-lorry-controller-cronjob.service b/units/drop-lorry-controller-cronjob.service
deleted file mode 100644
index 8cad21f..0000000
--- a/units/drop-lorry-controller-cronjob.service
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=Drop lorry-controller from lorry's crontab
-After=basic.target
-ConditionPathExists=!/etc/lorry-controller/lorry-controller-removed-from-crontab
-
-[Service]
-Type=oneshot
-Restart=no
-ExecStart=/usr/libexec/remove-lorry-controller-from-lorry-crontab
-ExecStartPost=/bin/touch /etc/lorry-controller/lorry-controller-removed-from-crontab
-User=lorry
-Group=lorry
-PermissionsStartOnly=true
diff --git a/units/git-daemon.service b/units/git-daemon.service
index f6869c3..330169c 100644
--- a/units/git-daemon.service
+++ b/units/git-daemon.service
@@ -1,3 +1,6 @@
+[Install]
+WantedBy=multi-user.target
+
 [Unit]
 Description=Git Daemon for Trove
 After=network.target
diff --git a/units/lighttpd-git.service b/units/lighttpd-git.service
index b2f6315..94c67a4 100644
--- a/units/lighttpd-git.service
+++ b/units/lighttpd-git.service
@@ -1,3 +1,6 @@
+[Install]
+WantedBy=multi-user.target
+
 [Unit]
 Description=Lighttpd Web Server
 After=network.target
diff --git a/units/lighttpd-morph-cache.service b/units/lighttpd-morph-cache.service
index cedd071..c7f76e9 100644
--- a/units/lighttpd-morph-cache.service
+++ b/units/lighttpd-morph-cache.service
@@ -1,3 +1,6 @@
+[Install]
+WantedBy=multi-user.target
+
 [Unit]
 Description=Lighttpd Web Server
 After=network.target
diff --git a/units/releases-repo-migration.service b/units/releases-repo-migration.service
deleted file mode 100644
index 1e161fb..0000000
--- a/units/releases-repo-migration.service
+++ /dev/null
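Review bot: An `[Install]` section only takes effect when something runs `systemctl enable` (or a preset) for the unit, and no task in this change does that, so unless the install step still links git-daemon.service, lighttpd-git.service and lighttpd-morph-cache.service into a target they will stop starting at boot — worth confirming, since the install rule in this change links only trove-setup.service. Placing `[Install]` above `[Unit]` is accepted by systemd but unconventional; moving it to the end of each file matches the stock units and avoids the section being overlooked. The same comment applies to the two lighttpd hunks.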
@@ -1,14 +0,0 @@
-[Unit]
-Description=Create the ##PREFIX##/site/releases repository
-ConditionPathExists=!/home/git/repos/##PREFIX##/site/releases.git
-Requires=network.target
-After=network.target
-Requires=opensshd.service
-After=opensshd.service
-Requires=trove-early-setup.service
-After=trove-early-setup.service
-
-[Service]
-User=git
-ExecStart=/usr/share/trove-setup/releases-repo-migration.sh
-Restart=no
diff --git a/units/trove-setup.service b/units/trove-setup.service
new file mode 100644
index 0000000..3b923a2
--- /dev/null
+++ b/units/trove-setup.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Run trove-setup Ansible scripts
+Requires=network.target
+After=network.target
+Requires=opensshd.service
+After=opensshd.service
+
+# If there's a shared /var subvolume, it must be mounted before this
+# unit runs.
+Requires=local-fs.target
+After=local-fs.target
+
+ConditionPathExists=/etc/trove/trove.conf
+
+[Service]
+ExecStart=/usr/bin/ansible-playbook -v -i /usr/lib/trove-setup/ansible/hosts /usr/lib/trove-setup/ansible/trove-setup.yml |
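Review bot: The `[Service]` section sets no `Type`, so systemd treats this as `Type=simple` and considers it started the moment ansible-playbook is exec'd; any unit ordered `After=trove-setup.service` (the removed units relied on `After=trove-early-setup.service` for exactly this) would run before users, keys and gitano are set up. Use `Type=oneshot` and `RemainAfterExit=yes` so dependents wait for the playbook to finish and the unit reads as active afterwards. Unlike the units it replaces there is also no stamp-file `ConditionPathExists=!…` guard, so the playbook reruns on every boot as root with `-v` output in the journal; that is fine only as long as every task stays idempotent, which deserves a comment here, e.g. `# Re-run on every boot: all tasks in the role must be idempotent`.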