From 5b0245acc1b5b1c520db847d70b1b81bafb4d0c2 Mon Sep 17 00:00:00 2001
From: Pedro Alvarez
Date: Tue, 17 Jun 2014 09:16:20 +0000
Subject: Remove old scripts and units
---
 Makefile | 4 -
 bins/trove-early-setup | 124 -------------------
 .../remove-lorry-controller-from-lorry-crontab | 22 ----
 share/releases-repo-migration.sh | 132 ---------------------
 units/drop-lorry-controller-cronjob.service | 13 --
 units/releases-repo-migration.service | 14 ---
 6 files changed, 309 deletions(-)
 delete mode 100755 bins/trove-early-setup
 delete mode 100755 libexecs/remove-lorry-controller-from-lorry-crontab
 delete mode 100755 share/releases-repo-migration.sh
 delete mode 100644 units/drop-lorry-controller-cronjob.service
 delete mode 100644 units/releases-repo-migration.service
diff --git a/Makefile b/Makefile
index 3a64344..ba0b752 100644
--- a/Makefile
+++ b/Makefile
@@ -14,10 +14,6 @@ install:
 ln -s /home/lorry/tarballs "${DESTDIR}/var/www/htdocs/tarballs"
 ln -s /home/lorry/lc-status.html "${DESTDIR}/var/www/htdocs/lc-status.html"
 ln -s /usr/share/lorry-controller/static/ "${DESTDIR}/var/www/htdocs/lc-static"
- mkdir -p "${DESTDIR}/usr/bin"
- cp bins/* "${DESTDIR}/usr/bin/"
- mkdir -p "${DESTDIR}/usr/libexec"
- cp libexecs/* "${DESTDIR}/usr/libexec/"
 mkdir -p "${DESTDIR}/usr/share/trove-setup"
 cp -r share/* "${DESTDIR}/usr/share/trove-setup/"
diff --git a/bins/trove-early-setup b/bins/trove-early-setup
deleted file mode 100755
index 5ce2d7a..0000000
--- a/bins/trove-early-setup
+++ /dev/null
@@ -1,124 +0,0 @@
-#!/usr/bin/make -f
-#
-# Copyright (C) 2013 Codethink Limited
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# -*- Make -*-
-
-
-all: gitano-configured lorry-configured cache-configured mason-configured nfs-configured cert-generated
-
-USERS := git lorry cache mason
-
-# $1 == username to make
-define make_user_rules
-
-/home/$1/.created:
- adduser -g "Trove $1 service" -s /bin/bash -D $1
- su -c 'mkdir .ssh; chmod 750 .ssh' - $1
- su -c 'ssh-keygen -t rsa -N "" -q -f .ssh/id_rsa' - $1
- (cat /etc/ssh/ssh_host_*_key.pub | cut -d\ -f1,2 | \
- sed -e's/^/'$(shell hostname)',localhost /' > \
- /home/$1/.ssh/known_hosts)
- chown $1:$1 /home/$1/.ssh/known_hosts
- chmod 600 /home/$1/.ssh/known_hosts
- touch $$@
-
-ALL_USER_TARGETS := $$(ALL_USER_TARGETS) /home/$1/.created
-
-endef
-
-$(eval $(foreach USER,$(USERS),$(call make_user_rules,$(USER))))
-
-/home/git/.git-setup: $(ALL_USER_TARGETS)
- su -c 'git config --global user.name "Trove Git Controller"' - git
- su -c 'git config --global user.email "git@trove"' - git
- touch $@
-
-/home/git/.gitano-setup: /home/git/.git-setup
- su -c 'gitano-setup /etc/gitano-setup.clod' - git
- passwd -u git
- touch $@
-
-/home/git/.gitano-lorry-setup: /home/git/.gitano-setup
- cp /home/lorry/.ssh/id_rsa.pub /tmp/lorry.pub
- su -c 'ssh git@localhost as lorry sshkey add trove < /tmp/lorry.pub' - git
- rm /tmp/lorry.pub
- touch $@
-
-.PHONY: gitano-configured
-gitano-configured: /home/git/.gitano-setup
-
-/home/lorry/.lorry-setup: $(ALL_USER_TARGETS)
- su -c 'mkdir /home/lorry/bundles /home/lorry/tarballs' - lorry
- touch $@
-
-/home/lorry/.lorry-controller-setup: /home/lorry/.lorry-setup /home/git/.gitano-lorry-setup
- PREFIX=$$(echo "##PREFIX##" | sed -f /etc/trove-setup.sed); \
- su -c "ssh localhost create $${PREFIX}/local-config/lorries" - git; \
- su -c "git clone ssh://localhost/$${PREFIX}/local-config/lorries.git /tmp/lorries" - git; \
- su -c "sed -f /etc/trove-setup.sed < /usr/share/trove-setup/lorry-controller.conf > /tmp/lorries/lorry-controller.conf" - git
- su -c "sed -f /etc/trove-setup.sed < /usr/share/trove-setup/README.lorry-controller > /tmp/lorries/README" - git
- su -c "mkdir /tmp/lorries/open-source-lorries" - git
- su -c "cp /usr/share/trove-setup/open-source-lorries/README /tmp/lorries/open-source-lorries/README" - git
- su -c "mkdir /tmp/lorries/closed-source-lorries" - git
- su -c "cp /usr/share/trove-setup/closed-source-lorries/README /tmp/lorries/closed-source-lorries/README" - git
- su -c "cd /tmp/lorries; git add README lorry-controller.conf open-source-lorries/README closed-source-lorries/README; git commit -m 'Initial configuration'; git push origin master" - git
- su -c "rm -rf /tmp/lorries" - git
- touch $@
-
-.PHONY: lorry-configured
-lorry-configured: /home/lorry/.lorry-setup /home/lorry/.lorry-controller-setup
-
-/home/cache/.cache-setup: $(ALL_USER_TARGETS)
- su -c 'mkdir /home/cache/artifacts' - cache
- su -c 'mkdir /home/cache/ccache' - cache
- echo '/home/cache/ccache *(rw,all_squash,no_subtree_check,anonuid=1002,anongid=1002)' > /etc/exports.cache
- touch $@
-
-.PHONY: cache-configured
-cache-configured: /home/cache/.cache-setup
-
-/home/git/.mason-setup: /home/git/.gitano-setup $(ALL_USER_TARGETS)
- PREFIX=$$(echo "##PREFIX##" | sed -f /etc/trove-setup.sed); \
- su -c "ssh localhost create $${PREFIX}/local-config/mason" - git; \
- su -c "git clone ssh://localhost/$${PREFIX}/local-config/mason.git /tmp/mason-config" - git
- su -c "mkdir /tmp/mason-config/ci1" - git
- su -c "cp /var/lib/trove-setup/hosts.json.txt /tmp/mason-config/ci1" - git
- su -c "cp /var/lib/trove-setup/systems.json.txt /tmp/mason-config/ci1" - git
- su -c "cd /tmp/mason-config; git add ci1; git commit -m 'Set initial Mason config'; git push origin master" - git
- su -c "rm -fr /tmp/mason-config" - git
- su -c 'mkdir /home/mason/jobs' - mason
- echo '/home/mason/jobs *(rw,all_squash,no_subtree_check,anonuid=1003,anongid=1003)' > /etc/exports.mason
- touch $@
-
-.PHONY: mason-configured
-mason-configured: /home/git/.mason-setup
-
-/etc/exports: /home/cache/.cache-setup /home/git/.mason-setup
- cat /etc/exports.cache /etc/exports.mason >/etc/exports
-
-.PHONY: nfs-configured
-nfs-configured: /etc/exports
-
-/home/git/.cert-generated:
- mkdir -p /etc/lighttpd/certs
- echo -ne '\n\n\n\n\n\n\n' | openssl req -new -x509 \
- -keyout /etc/lighttpd/certs/lighttpd.pem \
- -out /etc/lighttpd/certs/lighttpd.pem -days 36525 -nodes
- touch $@
-
-.PHONY: cert-generated
-cert-generated: /home/git/.cert-generated
diff --git a/libexecs/remove-lorry-controller-from-lorry-crontab b/libexecs/remove-lorry-controller-from-lorry-crontab
deleted file mode 100755
index 8fc6cf3..0000000
--- a/libexecs/remove-lorry-controller-from-lorry-crontab
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/sh
-#
-# Trove used to run a version of Lorry Controller that wasn't a
-# daemon, but instead was invoked once a minute from a crontab owned
-# by the lorry user. When we upgrade to a version of Lorry Controller
-# that does run as a daemon, we need to disable the cronjob. This
-# script does that.
-#
-# The lorry user crontab may contain other jobs, so we can't just
-# willy-nilly delete the whole crontab. Instead, we remove the
-# specific line. The line looks like this:
-#
-# */1 * * * * flock -x -n /home/lorry/lorry-controller-area/lockfile
-# -c lorry-controller --work-area=/home/lorry/lorry-controller-area
-# --log=syslog --log-level=info --html-file=/home/lorry/lc-status.html
-#
-# Except, of course, all on one line.
-
-
-crontab -l |
-grep -v -e '-c lorry-controller' |
-crontab -
diff --git a/share/releases-repo-migration.sh b/share/releases-repo-migration.sh
deleted file mode 100755
index 654da0c..0000000
--- a/share/releases-repo-migration.sh
+++ /dev/null
@@ -1,132 +0,0 @@
-#!/bin/bash
-
-function create_readers_group()
-{
- set +e
- (
- set -e
- ssh localhost group add site-readers \
- 'Users with read access to the site project'
- )
- local ret="$?"
- if [ "$ret" != 0 ]; then
- token=$(ssh localhost group del site-readers 2>&1 | tail -1 | \
- cut -d' ' -f 2)
- ssh localhost group del site-readers $token
- fi
- return $ret
-}
-
-function create_writers_group()
-{
- set +e
- (
- set -e
- ssh localhost group add site-writers \
- 'Users with write access to the site project'
- create_readers_group
- )
- local ret="$?"
- if [ "$ret" != 0 ]; then
- token=$(ssh localhost group del site-writers 2>&1 | tail -1 | \
- cut -d' ' -f 2)
- ssh localhost group del site-writers $token
- fi
- return $ret
-}
-
-function create_admins_group()
-{
- set +e
- (
- set -e
- ssh localhost group add site-admins \
- 'Users with admin access to the site project'
- create_writers_group
- )
- local ret="$?"
- if [ "$ret" != 0 ]; then
- token=$(ssh localhost group del site-admins 2>&1 | tail -1 | \
- cut -d' ' -f 2)
- ssh localhost group del site-admins $token
- fi
- return $ret
-}
-
-function create_managers_group()
-{
- set +e
- (
- set -e
- ssh localhost group add site-managers \
- 'Users with manager access to the site project'
- create_admins_group
- )
- local ret="$?"
- if [ "$ret" != 0 ]; then
- token=$(ssh localhost group del site-managers 2>&1 | tail -1 | \
- cut -d' ' -f 2)
- ssh localhost group del site-managers $token
- fi
- return $ret
-}
-
-function link_groups()
-{
- set -e
- ssh localhost group addgroup site-admins site-managers
- ssh localhost group addgroup site-writers site-admins
- ssh localhost group addgroup site-readers site-writers
-}
-
-function delete_groups()
-{
- token=$(ssh localhost group del site-managers 2>&1 | tail -1 | \
- cut -d' ' -f 2)
- ssh localhost group del site-managers $token
- token=$(ssh localhost group del site-admins 2>&1 | tail -1 | \
- cut -d' ' -f 2)
- ssh localhost group del site-admins $token
- token=$(ssh localhost group del site-writers 2>&1 | tail -1 | \
- cut -d' ' -f 2)
- ssh localhost group del site-writers $token
- token=$(ssh localhost group del site-readers 2>&1 | tail -1 | \
- cut -d' ' -f 2)
- ssh localhost group del site-readers $token
-}
-
-function create_groups()
-{
- # call managers_group which calls admin_group and so on...
- create_managers_group
- set +e
- (
- set -e
- link_groups
- )
- local ret="$?"
- if [ "$ret" != 0 ]; then
- delete_groups
- fi
-}
-
-site_groups=$(ssh localhost group list | grep -cE "site-[[:alnum:]]+")
-if [ "$site_groups" == 0 ]; then
- create_groups
-fi
-ssh localhost create "##PREFIX##/site/releases"
-description="This is a special repository for distributing release binaries
-over HTTP. Visit http://##PREFIX##/releases/ to browse content."
-ssh localhost config "##PREFIX##/site/releases" \
- set project.description "$description"
-
-# add a readme to the repository
-repo=$(mktemp -d)
-git clone ssh://localhost/##PREFIX##/site/releases $repo
-cp /usr/share/trove-setup/releases-repo-README $repo/README
-cd $repo
-git add $repo/README
-git commit -m 'Add README'
-git push origin master
-cd -
-rm -Rf $repo
diff --git a/units/drop-lorry-controller-cronjob.service b/units/drop-lorry-controller-cronjob.service
deleted file mode 100644
index 8cad21f..0000000
--- a/units/drop-lorry-controller-cronjob.service
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=Drop lorry-controller from lorry's crontab
-After=basic.target
-ConditionPathExists=!/etc/lorry-controller/lorry-controller-removed-from-crontab
-
-[Service]
-Type=oneshot
-Restart=no
-ExecStart=/usr/libexec/remove-lorry-controller-from-lorry-crontab
-ExecStartPost=/bin/touch /etc/lorry-controller/lorry-controller-removed-from-crontab
-User=lorry
-Group=lorry
-PermissionsStartOnly=true
diff --git a/units/releases-repo-migration.service b/units/releases-repo-migration.service
deleted file mode 100644
index 1e161fb..0000000
--- a/units/releases-repo-migration.service
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-Description=Create the ##PREFIX##/site/releases repository
-ConditionPathExists=!/home/git/repos/##PREFIX##/site/releases.git
-Requires=network.target
-After=network.target
-Requires=opensshd.service
-After=opensshd.service
-Requires=trove-early-setup.service
-After=trove-early-setup.service
-
-[Service]
-User=git
-ExecStart=/usr/share/trove-setup/releases-repo-migration.sh
-Restart=no
-- 
cgit v1.2.1
From 54e3fbd49d10b70d04e03a646a494ec29a49ffc3 Mon Sep 17 00:00:00 2001
From: Pedro Alvarez
Date: Tue, 17 Jun 2014 10:06:13 +0000
Subject: Move gitano skeleton to /usr/share/trove-setup/
---
 Makefile | 2 -
 gitano-admin/global-hooks/post-receive.lua | 105 --------------------
 gitano-admin/groups/local-config-admins.conf | 1 -
 gitano-admin/groups/local-config-managers.conf | 3 -
 gitano-admin/groups/local-config-readers.conf | 5 -
 gitano-admin/groups/local-config-writers.conf | 3 -
 gitano-admin/groups/trove-admin.conf | 1 -
 gitano-admin/groups/workers.conf | 4 -
 gitano-admin/rules/adminchecks.lace | 25 -----
 gitano-admin/rules/aschecks.lace | 30 ------
 gitano-admin/rules/core.lace | 47 ---------
 gitano-admin/rules/createrepo.lace | 23 -----
 gitano-admin/rules/defines.lace | 106 ---------------------
 gitano-admin/rules/destroyrepo.lace | 20 ----
 gitano-admin/rules/other-project.lace | 25 -----
 gitano-admin/rules/project.lace | 38 --------
 gitano-admin/rules/remoteconfigchecks.lace | 20 ----
 gitano-admin/rules/renamerepo.lace | 19 ----
 gitano-admin/rules/selfchecks.lace | 15 ---
 gitano-admin/rules/siteadmin.lace | 32 -------
 gitano-admin/rules/trove-project.lace | 29 ------
 gitano-admin/users/distbuild/user.conf | 2 -
 gitano-admin/users/lorry/user.conf | 2 -
 gitano-admin/users/mason/user.conf | 2 -
 .../gitano-admin/global-hooks/post-receive.lua | 105 ++++++++++++++++++++
 .../gitano-admin/groups/local-config-admins.conf | 1 +
 .../gitano-admin/groups/local-config-managers.conf | 3 +
 .../gitano-admin/groups/local-config-readers.conf | 5 +
 .../gitano-admin/groups/local-config-writers.conf | 3 +
 .../skel/gitano-admin/groups/trove-admin.conf | 1 +
 share/gitano/skel/gitano-admin/groups/workers.conf | 4 +
 .../skel/gitano-admin/rules/adminchecks.lace | 25 +++++
 share/gitano/skel/gitano-admin/rules/aschecks.lace | 30 ++++++
 share/gitano/skel/gitano-admin/rules/core.lace | 47 +++++++++
 .../gitano/skel/gitano-admin/rules/createrepo.lace | 23 +++++
 share/gitano/skel/gitano-admin/rules/defines.lace | 106 +++++++++++++++++++++
 .../skel/gitano-admin/rules/destroyrepo.lace | 20 ++++
 .../skel/gitano-admin/rules/other-project.lace | 25 +++++
 share/gitano/skel/gitano-admin/rules/project.lace | 38 ++++++++
 .../gitano-admin/rules/remoteconfigchecks.lace | 20 ++++
 .../gitano/skel/gitano-admin/rules/renamerepo.lace | 19 ++++
 .../gitano/skel/gitano-admin/rules/selfchecks.lace | 15 +++
 .../gitano/skel/gitano-admin/rules/siteadmin.lace | 32 +++++++
 .../skel/gitano-admin/rules/trove-project.lace | 29 ++++++
 .../skel/gitano-admin/users/distbuild/user.conf | 2 +
 .../gitano/skel/gitano-admin/users/lorry/user.conf | 2 +
 .../gitano/skel/gitano-admin/users/mason/user.conf | 2 +
 47 files changed, 557 insertions(+), 559 deletions(-)
 delete mode 100644 gitano-admin/global-hooks/post-receive.lua
 delete mode 100644 gitano-admin/groups/local-config-admins.conf
 delete mode 100644 gitano-admin/groups/local-config-managers.conf
 delete mode 100644 gitano-admin/groups/local-config-readers.conf
 delete mode 100644 gitano-admin/groups/local-config-writers.conf
 delete mode 100644 gitano-admin/groups/trove-admin.conf
 delete mode 100644 gitano-admin/groups/workers.conf
 delete mode 100644 gitano-admin/rules/adminchecks.lace
 delete mode 100644 gitano-admin/rules/aschecks.lace
 delete mode 100644 gitano-admin/rules/core.lace
 delete mode 100644 gitano-admin/rules/createrepo.lace
 delete mode 100644 gitano-admin/rules/defines.lace
 delete mode 100644 gitano-admin/rules/destroyrepo.lace
 delete mode 100644 gitano-admin/rules/other-project.lace
 delete mode 100644 gitano-admin/rules/project.lace
 delete mode 100644 gitano-admin/rules/remoteconfigchecks.lace
 delete mode 100644 gitano-admin/rules/renamerepo.lace
 delete mode 100644 gitano-admin/rules/selfchecks.lace
 delete mode 100644 gitano-admin/rules/siteadmin.lace
 delete mode 100644 gitano-admin/rules/trove-project.lace
 delete mode 100644 gitano-admin/users/distbuild/user.conf
 delete mode 100644 gitano-admin/users/lorry/user.conf
 delete mode 100644 gitano-admin/users/mason/user.conf
 create mode 100644 share/gitano/skel/gitano-admin/global-hooks/post-receive.lua
 create mode 100644 share/gitano/skel/gitano-admin/groups/local-config-admins.conf
 create mode 100644 share/gitano/skel/gitano-admin/groups/local-config-managers.conf
 create mode 100644 share/gitano/skel/gitano-admin/groups/local-config-readers.conf
 create mode 100644 share/gitano/skel/gitano-admin/groups/local-config-writers.conf
 create mode 100644 share/gitano/skel/gitano-admin/groups/trove-admin.conf
 create mode 100644 share/gitano/skel/gitano-admin/groups/workers.conf
 create mode 100644 share/gitano/skel/gitano-admin/rules/adminchecks.lace
 create mode 100644 share/gitano/skel/gitano-admin/rules/aschecks.lace
 create mode 100644 share/gitano/skel/gitano-admin/rules/core.lace
 create mode 100644 share/gitano/skel/gitano-admin/rules/createrepo.lace
 create mode 100644 share/gitano/skel/gitano-admin/rules/defines.lace
 create mode 100644 share/gitano/skel/gitano-admin/rules/destroyrepo.lace
 create mode 100644 share/gitano/skel/gitano-admin/rules/other-project.lace
 create mode 100644 share/gitano/skel/gitano-admin/rules/project.lace
 create mode 100644 share/gitano/skel/gitano-admin/rules/remoteconfigchecks.lace
 create mode 100644 share/gitano/skel/gitano-admin/rules/renamerepo.lace
 create mode 100644 share/gitano/skel/gitano-admin/rules/selfchecks.lace
 create mode 100644 share/gitano/skel/gitano-admin/rules/siteadmin.lace
 create mode 100644 share/gitano/skel/gitano-admin/rules/trove-project.lace
 create mode 100644 share/gitano/skel/gitano-admin/users/distbuild/user.conf
 create mode 100644 share/gitano/skel/gitano-admin/users/lorry/user.conf
 create mode 100644 share/gitano/skel/gitano-admin/users/mason/user.conf
diff --git a/Makefile b/Makefile
index ba0b752..0559468 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,4 @@
 install:
- mkdir -p "${DESTDIR}/usr/share/gitano/skel"
- cp -a gitano-admin "${DESTDIR}/usr/share/gitano/skel"
 mkdir -p "${DESTDIR}/usr/lib/systemd/system/multi-user.target.wants"
 cp units/* "${DESTDIR}/usr/lib/systemd/system"
 for I in $$(cd units; ls); do \
diff --git a/gitano-admin/global-hooks/post-receive.lua b/gitano-admin/global-hooks/post-receive.lua
deleted file mode 100644
index d1b3864..0000000
--- a/gitano-admin/global-hooks/post-receive.lua
+++ /dev/null
@@ -1,105 +0,0 @@
--- mason-notify.post-receive.lua
---
--- Global post-receive hook which notifies Mason of any and all refs updates
--- (except refs/gitano/*) which happen.
---
--- It notifies Mason *before* passing the updates on to the project hook.
---
--- Copyright 2012 Codethink Limited
---
--- This is a part of Trove and re-use is limited to Baserock systems only.
---
-
-local project_hook, repo, updates = ...
-
-local EMPTY_SHA = ("0"):rep(40)
-
-local masonhost = "##MASON_HOST##:##MASON_PORT##"
-local basepath = "/1.0"
-local urlbases = {
- "git://##TROVE_HOSTNAME##/",
- "ssh://git@##TROVE_HOSTNAME##/",
-}
-
-local notify_mason = false
-
-for ref in pairs(updates) do
- if not ref:match("^refs/gitano/") then
- notify_mason = true
- end
-end
-
-if notify_mason and repo.name ~= "gitano-admin" then
- -- Build the report...
- local masoninfo, indent_level = {}, 0
- local function _(...)
- masoninfo[#masoninfo+1] = (" "):rep(indent_level) .. table.concat({...})
- end
- local function indent()
- indent_level = indent_level + 1
- end
- local function dedent()
- indent_level = indent_level - 1
- end
- _ "{" indent()
-
- _ '"urls": [' indent()
-
- for i = 1, #urlbases do
- local comma = (i==#urlbases) and "" or ","
- _(("%q,"):format(urlbases[i] .. repo.name))
- _(("%q%s"):format(urlbases[i] .. repo.name .. ".git", comma))
- end
-
- dedent() _ "],"
-
- _ '"changes": [' indent()
-
- local toreport = {}
- for ref, info in pairs(updates) do
- if not ref:match("^refs/gitano") then
- local action
- if info.oldsha == EMPTY_SHA then
- action = "create"
- elseif info.newsha == EMPTY_SHA then
- action = "delete"
- else
- action = "update"
- end
- toreport[#toreport+1] = {
- ('"ref": %q,'):format(ref),
- ('"action": %q,'):format(action),
- ('"old": %q,'):format(info.oldsha),
- ('"new": %q'):format(info.newsha)
- }
- end
- end
- for i = 1, #toreport do
- local comma = (i==#toreport) and "" or ","
- _ "{" indent()
- for __, ent in ipairs(toreport[i]) do
- _(ent)
- end
- dedent() _("}", comma)
- end
- dedent() _ "]"
-
- dedent() _ "}"
-
- -- And finalise the JSON object
- _("")
- masoninfo = table.concat(masoninfo, "\n")
- log.state("Notifying Mason of changes...")
-
- local code, msg, headers, content =
- http.post(masonhost, basepath, "application/json", masoninfo)
- if code ~= "200" then
- log.state("Notification failed somehow")
- end
- for line in content:gmatch("([^\r\n]*)\r?\n") do
- log.state("Mason: " .. line)
- end
-end
-
--- Finally, chain to the project hook
-return project_hook(repo, updates)
diff --git a/gitano-admin/groups/local-config-admins.conf b/gitano-admin/groups/local-config-admins.conf
deleted file mode 100644
index 435a297..0000000
--- a/gitano-admin/groups/local-config-admins.conf
+++ /dev/null
@@ -1 +0,0 @@
-description "Users who are permitted to administer the local-config project"
diff --git a/gitano-admin/groups/local-config-managers.conf b/gitano-admin/groups/local-config-managers.conf
deleted file mode 100644
index 711be8f..0000000
--- a/gitano-admin/groups/local-config-managers.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-description "Users who are permitted to manage the local-config project"
-
-subgroups["*"] "local-config-admins"
diff --git a/gitano-admin/groups/local-config-readers.conf b/gitano-admin/groups/local-config-readers.conf
deleted file mode 100644
index 63e6bb3..0000000
--- a/gitano-admin/groups/local-config-readers.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-description "Users who are permitted to read from the local-config project"
-
-members["*"] "lorry"
-
-subgroups["*"] "local-config-writers"
diff --git a/gitano-admin/groups/local-config-writers.conf b/gitano-admin/groups/local-config-writers.conf
deleted file mode 100644
index 9bbff24..0000000
--- a/gitano-admin/groups/local-config-writers.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-description "Users who are permitted to write to the local-config project"
-
-subgroups["*"] "local-config-managers"
diff --git a/gitano-admin/groups/trove-admin.conf b/gitano-admin/groups/trove-admin.conf
deleted file mode 100644
index e912653..0000000
--- a/gitano-admin/groups/trove-admin.conf
+++ /dev/null
@@ -1 +0,0 @@
-description "Trove-local administration"
diff --git a/gitano-admin/groups/workers.conf b/gitano-admin/groups/workers.conf
deleted file mode 100644
index 5586538..0000000
--- a/gitano-admin/groups/workers.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-description "Workers who have read-access to everything"
-
-members["*"] "distbuild"
-members["*"] "mason"
diff --git a/gitano-admin/rules/adminchecks.lace b/gitano-admin/rules/adminchecks.lace
deleted file mode 100644
index ffe99a0..0000000
--- a/gitano-admin/rules/adminchecks.lace
+++ /dev/null
@@ -1,25 +0,0 @@
-# _____
-# |_ _| __ _____ _____
-# | || '__/ _ \ \ / / _ \
-# | || | | (_) \ V / __/
-# |_||_| \___/ \_/ \___|
-#
-# Copyright 2012 Codethink Limited
-#
-# Core project administration rules
-
-# Called with ref known to be refs/gitano/admin
-
-# Administrators already got to do anything, so this is for non-admins
-
-# Non-admin members may not delete the admin ref
-deny "Non-administrators may not delete the admin ref" op_deleteref
-
-# Otherwise, the project's owner is allowed to alter the admin tree
-allow "Project owner may alter the admin ref" is_owner repo_is_personal
-
-# Project admins may alter admin refs
-allow "Project admins may alter the admin ref of project repos" repo_is_local_project project_admin
-
-# Any other opportunities for altering the admin ref must be provided
-# by the project's rules
diff --git a/gitano-admin/rules/aschecks.lace b/gitano-admin/rules/aschecks.lace
deleted file mode 100644
index fc76440..0000000
--- a/gitano-admin/rules/aschecks.lace
+++ /dev/null
@@ -1,30 +0,0 @@
-# _____
-# |_ _| __ _____ _____
-# | || '__/ _ \ \ / / _ \
-# | || | | (_) \ V / __/
-# |_||_| \___/ \_/ \___|
-#
-# Copyright 2012 Codethink Limited
-#
-# Rules for when we're running as another user.
-
-# Only 'deny' things which are not allowed. If you 'allow' then it will allow
-# the actual operation, not just fail to deny the fact that it's 'as' someone
-# else.
-
-define as_is_admin as_group gitano-admin
-
-# trove-admin members are permitted to run sshkey and whoami on behalf
-# of others in order to check users and grant access, providing the target
-# user is not part of the gitano-admin group.
-
-define as_is_trove_admin as_group trove-admin
-define as_trove_admin_ok allof as_is_trove_admin !is_admin op_self
-
-# You are permitted to do things 'as' others if and only if the caller is
-# either a member of the administration group, or else meets the above
-# requirements.
-define as_is_ok anyof as_is_admin as_trove_admin_ok
-
-# Explicitly deny any impersonation operation which does not meet the above.
-deny "You may not run things as another user unless you are an admin" !as_is_ok
diff --git a/gitano-admin/rules/core.lace b/gitano-admin/rules/core.lace
deleted file mode 100644
index dab7cfb..0000000
--- a/gitano-admin/rules/core.lace
+++ /dev/null
@@ -1,47 +0,0 @@
-# _____
-# |_ _| __ _____ _____
-# | || '__/ _ \ \ / / _ \
-# | || | | (_) \ V / __/
-# |_||_| \___/ \_/ \___|
-#
-# Copyright 2012 Codethink Limited
-#
-# Core ruleset definitions for Trove.
-
-default deny "Trove ruleset failed to define result. Access denied."
-
-include global:defines
-
-# The users in the administration group (gitano-admin) may do anything
-# they choose (providing they're not being impersonated). By default
-# Only the user created as part of trove-setup has this level of access.
-allow "Administrators can do anything" is_admin !if_asanother
-
-# Now let's decide if we can use 'as'
-include global:aschecks if_asanother
-
-# Operations which are against 'self' get checked next
-include global:selfchecks
-
-# Administration operations (users, groups) next
-include global:siteadmin op_is_admin
-
-# Site-defined rules for repository creation
-include global:createrepo op_createrepo
-
-# Site-defined rules for repository renaming
-include global:renamerepo op_renamerepo
-
-# Site-defined rules for repository destruction
-include global:destroyrepo op_destroyrepo
-
-# Site-defined rules for project repositories, including admin of them
-include global:project
-
-# Now the project rules themselves
-include main
-
-# If you're running your access control somewhat more openly than most, You can
-# now uncomment the following and allow git:// access to *everything* which is
-# not the admin repository
-# allow "Anonymous access is okay" op_read !is_admin_repo
diff --git a/gitano-admin/rules/createrepo.lace b/gitano-admin/rules/createrepo.lace
deleted file mode 100644
index bf4683e..0000000
--- a/gitano-admin/rules/createrepo.lace
+++ /dev/null
@@ -1,23 +0,0 @@
-# _____
-# |_ _| __ _____ _____
-# | || '__/ _ \ \ / / _ \
-# | || | | (_) \ V / __/
-# |_||_| \___/ \_/ \___|
-#
-# Copyright 2012 Codethink Limited
-#
-# Rules related to creating repositories
-
-# Administrators have already been permitted whatever they like
-# so this is for site-wide non-admins.
-
-##PEOPLE_COMMENT##allow "Personal repo creation is okay" repo_is_personal
-
-# Allow people in *-admins to create repositories under
-allow "Project admins may make project repositories" repo_is_local_project project_admin
-
-# Allow lorry to create repositories anywhere but the local project root
-allow "Lorry may create lorryable repos" is_lorry lorryable_repo
-
-# Otherwise the default is that non-admins can't create repositories
-deny "Repository creation is not permitted."
diff --git a/gitano-admin/rules/defines.lace b/gitano-admin/rules/defines.lace
deleted file mode 100644
index 380948a..0000000
--- a/gitano-admin/rules/defines.lace
+++ /dev/null
@@ -1,106 +0,0 @@
-# _____
-# |_ _| __ _____ _____
-# | || '__/ _ \ \ / / _ \
-# | || | | (_) \ V / __/
-# |_||_| \___/ \_/ \___|
-#
-# Copyright 2012,2013 Codethink Limited
-#
-# Core definitions for access control
-
-# Gitano provided definitions first
-
-# User/group related
-define is_admin group gitano-admin
-define is_owner owner ${user}
-define is_anonymous user gitano/anonymous
-
-define if_asanother as_user ~.
-
-# Self-related operations
-define op_whoami operation whoami
-define op_sshkey operation sshkey
-define op_passwd operation passwd
-define op_self anyof op_whoami op_sshkey op_passwd
-
-# Admin-related operations
-
-## Users
-define op_useradd operation useradd
-define op_userdel operation userdel
-define op_userlist operation userlist
-define op_useremail operation useremail
-define op_username operation username
-define op_user anyof op_userlist op_useradd op_userdel op_useremail op_username
-
-## Groups
-define op_grouplist operation grouplist
-define op_groupshow operation groupshow
-define op_groupadd operation groupadd
-define op_groupdel operation groupdel
-define op_groupadduser operation groupadduser
-define op_groupdeluser operation groupdeluser
-define op_groupaddgroup operation groupaddgroup
-define op_groupdelgroup operation groupdelgroup
-define op_groupdescription operation groupdescription
-define op_group anyof op_grouplist op_groupshow op_groupadd op_groupdel op_groupadduser op_groupdeluser op_groupaddgroup op_groupdelgroup op_groupdescription
-
-## Aggregation of admin ops
-define op_is_admin anyof op_user op_group
-
-# Primary repository-related operations
-define op_read operation read
-define op_write operation write
-define op_createrepo operation createrepo
-define op_renamerepo operation renamerepo
-define op_destroyrepo operation destroyrepo
-
-# Remote configuration operations
-define op_config_show operation config_show
-define op_config_set operation config_set
-define op_config_del operation config_del
-define op_is_config anyof op_config_show op_config_set op_config_del
-
-# Reference update related operations
-define op_createref operation createref
-define op_deleteref operation deleteref
-define op_fastforward operation updaterefff
-define op_forcedupdate operation updaterefnonff
-
-# Combinator operations
-define op_is_basic anyof op_read op_write
-define op_is_update anyof op_fastforward op_forcedupdate
-define op_is_normal anyof op_fastforward op_createref op_deleteref
-
-# Administration
-define is_admin_repo repository gitano-admin
-define is_gitano_ref ref ~^refs/gitano/
-define is_admin_ref ref refs/gitano/admin
-
-#
-#
-# Trove definitions after here
-#
-#
-
-define repo_is_personal repository ~^##ESC_PERSONAL_PREFIX##/${user}/
-define ref_is_personal ref ~^refs/heads/##ESC_PREFIX##/${user}/
-define repo_is_local_project repository ~^##ESC_PREFIX##/[^/]+/
-
-define project_reader group ${repository/2}-readers
-define project_writer group ${repository/2}-writers
-define project_admin group ${repository/2}-admins
-define project_manager group ${repository/2}-managers
-
-define master_ref ref ~^refs/heads/master$
-
-define op_is_reffy anyof op_is_normal op_forcedupdate
-
-define trove_site_admin group trove-admin
-define target_group_gitano_admin targetgroup gitano-admin
-
-define is_lorry user lorry
-define is_local_ref ref ~^refs/heads/##ESC_PREFIX##/
-define lorryable_repo allof !repo_is_local_project !repo_is_personal !is_admin_repo
-
-define is_worker group workers
diff --git a/gitano-admin/rules/destroyrepo.lace b/gitano-admin/rules/destroyrepo.lace
deleted file mode 100644
index 6e6b446..0000000
--- a/gitano-admin/rules/destroyrepo.lace
+++ /dev/null
@@ -1,20 +0,0 @@ -# _____ -# |_ _| __ _____ _____ -# | || '__/ _ \ \ / / _ \ -# | || | | (_) \ V / __/ -# |_||_| \___/ \_/ \___| -# -# Copyright 2012 Codethink Limited -# -# Rules related to the destroying of repositories - -# Owners may destroy personal repositories -allow "You may destroy your own repositories" is_owner repo_is_personal - -# Project admins may destroy repos inside their projects -allow "Project admins may destroy project repos" repo_is_local_project project_admin - -# Allow lorry to destroy repositories anywhere but the local project root -allow "Lorry may destroy lorryable repos" is_lorry lorryable_repo - -deny "You may not destroy repositories you do not own" diff --git a/gitano-admin/rules/other-project.lace b/gitano-admin/rules/other-project.lace deleted file mode 100644 index 7bc80cc..0000000 --- a/gitano-admin/rules/other-project.lace +++ /dev/null @@ -1,25 +0,0 @@ -# _____ -# |_ _| __ _____ _____ -# | || '__/ _ \ \ / / _ \ -# | || | | (_) \ V / __/ -# |_||_| \___/ \_/ \___| -# -# Copyright 2012,2013 Codethink Limited -# -# Rules for any repository not under ##PREFIX## - -# This is, by default, /baserock/ and /delta/ - -# There are two classes of accessors here. Lorry and Others -allow "Anyone may read here" op_read -allow "Anyone may write here" op_write !is_anonymous - -# Lorry can do anything reffy which is not inside the local refs -allow "Lorry may touch everything but refs/heads/##PREFIX##" op_is_reffy is_lorry !is_local_ref - -# Noone can rewind/rebase outside of their personal refs -deny "Non-personal branches may not be rewound/rebased" op_forcedupdate !is_lorry !ref_is_personal - -# Everyone else can do reffy things inside refs/heads/##PREFIX## -allow "Project writers may alter any refs" op_is_reffy !is_lorry is_local_ref - diff --git a/gitano-admin/rules/project.lace b/gitano-admin/rules/project.lace deleted file mode 100644 index aa5e1e2..0000000 --- a/gitano-admin/rules/project.lace +++ /dev/null 
@@ -1,38 +0,0 @@ -# _____ -# |_ _| __ _____ _____ -# | || '__/ _ \ \ / / _ \ -# | || | | (_) \ V / __/ -# |_||_| \___/ \_/ \___| -# -# Copyright 2012 Codethink Limited -# -# Core project administration rules - -# Admins already got allowed, so this is for non-admin users only -allow "Owners can always read and write" op_is_basic is_owner repo_is_personal - -# Any non-gitano-admin repo is readable to the lorry user and the worker group -allow "Lorry may read" op_read is_lorry lorryable_repo -allow "Workers may read" op_read !is_admin_repo is_worker - -# Force /baserock and /delta to always be anon-readable which means git:// will -# work. This is part of the core ruleset for Baserock because /baserock/ and -# /delta/ are always open source. -define is_baserock_repo repository ~^baserock/ -define is_delta_repo repository ~^delta/ -define is_opensource_repo anyof is_baserock_repo is_delta_repo - -allow "Anonymous access always allowed" op_read !is_admin_repo is_opensource_repo - -# Project remote-configuration rules (set-head etc) -include global:remoteconfigchecks op_is_config - -# Okay, if we're altering the admin ref, in we go -include global:adminchecks is_admin_ref - -# Now we're into branch operations. -# Owners of personal repositories can do any reffy operation -allow "Owners can create refs" op_is_reffy is_owner repo_is_personal - -include global:trove-project repo_is_local_project -include global:other-project lorryable_repo diff --git a/gitano-admin/rules/remoteconfigchecks.lace b/gitano-admin/rules/remoteconfigchecks.lace deleted file mode 100644 index 6f88f5f..0000000 --- a/gitano-admin/rules/remoteconfigchecks.lace +++ /dev/null 
@@ -1,20 +0,0 @@ -# _____ -# |_ _| __ _____ _____ -# | || '__/ _ \ \ / / _ \ -# | || | | (_) \ V / __/ -# |_||_| \___/ \_/ \___| -# -# Copyright 2012 Codethink Limited -# -# Remote config checks - -# Owners may do any remote admin operation they choose -allow "Owners may remote-admin their repositories" is_owner repo_is_personal - -# *-admins may remote-admin their project's repositories -allow "Project admins may admin project repos" repo_is_local_project project_admin - -# lorry may remote-admin lorryable repositories -allow "Lorry may admin lorry repos" is_lorry lorryable_repo - -deny "You may not configure this repository remotely" diff --git a/gitano-admin/rules/renamerepo.lace b/gitano-admin/rules/renamerepo.lace deleted file mode 100644 index e4a51be..0000000 --- a/gitano-admin/rules/renamerepo.lace +++ /dev/null @@ -1,19 +0,0 @@ -# _____ -# |_ _| __ _____ _____ -# | || '__/ _ \ \ / / _ \ -# | || | | (_) \ V / __/ -# |_||_| \___/ \_/ \___| -# -# Copyright 2012 Codethink Limited -# -# Rules related to renaming repositories - -# Owners may rename their own repositories -allow "Owners may rename repositories" op_renamerepo repo_is_personal is_owner - -# Project admins may rename repos provided they're admin of source *and* target -# Since the rename operation checks 'create' for the target, we can just -# check the source here -allow "Admins may rename project repositories" op_renamerepo repo_is_local_project project_admin - -deny "You may not rename a repository you do not own" diff --git a/gitano-admin/rules/selfchecks.lace b/gitano-admin/rules/selfchecks.lace deleted file mode 100644 index 83ef778..0000000 --- a/gitano-admin/rules/selfchecks.lace +++ /dev/null 
@@ -1,15 +0,0 @@ -# _____ -# |_ _| __ _____ _____ -# | || '__/ _ \ \ / / _ \ -# | || | | (_) \ V / __/ -# |_||_| \___/ \_/ \___| -# -# Copyright 2012 Codethink Limited -# -# Checks against self-like operations. - -allow "You may ask who you are" op_whoami - -allow "You may manage your own ssh keys" op_sshkey - -allow "You may change your own password" op_passwd diff --git a/gitano-admin/rules/siteadmin.lace b/gitano-admin/rules/siteadmin.lace deleted file mode 100644 index 06c71bb..0000000 --- a/gitano-admin/rules/siteadmin.lace +++ /dev/null 
@@ -1,32 +0,0 @@ -# _____ -# |_ _| __ _____ _____ -# | || '__/ _ \ \ / / _ \ -# | || | | (_) \ V / __/ -# |_||_| \___/ \_/ \___| -# -# Copyright 2012 Codethink Limited -# -# Site administration rules - -# You must explicitly allow site administration here for anyone who -# has the rights to do site admin but isn't an administrator. - -# trove_site_admin is a predicate which matches members of the trove-admin -# group (The site-wide user/group administration group which is not the full -# administration group) -allow "Trove Site Admins can manage users" trove_site_admin op_user -allow "Trove Site Admins can manage groups other than gitano-admin" trove_site_admin op_group !target_group_gitano_admin - -# XXX-managers members are permitted to edit XXX-* groups -define trove_may_admin_target_group group ${targetgroup/prefix}-managers -define target_group_has_hyphen targetgroup ~%- -allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen trove_may_admin_target_group - -# Anyone is permitted to look at the people in trove-admin and *-managers -define trove_target_group_is_trove_admin targetgroup trove-admin -define trove_target_group_is_project_managers targetgroup ~^.+-managers$ -define trove_show_target_ok anyof trove_target_group_is_trove_admin trove_target_group_is_project_managers -allow "Anyone may see admin groups" op_groupshow trove_show_target_ok - -# Otherwise we always deny site administration -deny "You may not perform site administration" diff --git a/gitano-admin/rules/trove-project.lace b/gitano-admin/rules/trove-project.lace deleted file mode 100644 index 383ba98..0000000 --- a/gitano-admin/rules/trove-project.lace +++ /dev/null 
@@ -1,29 +0,0 @@ -# _____ -# |_ _| __ _____ _____ -# | || '__/ _ \ \ / / _ \ -# | || | | (_) \ V / __/ -# |_||_| \___/ \_/ \___| -# -# Copyright 2012,2013 Codethink Limited -# -# Rules for ##PREFIX##/... repositories - -# Reading the repository -allow "Project readers may read" op_read project_reader -deny "This repository is not for you" op_read - -# Basic writes to the repo -allow "Project writers may write" op_write project_writer -deny "This repository is not for you" op_write - -# Ref based rules for the repo -deny "Non-personal branches may not be rewound/rebased" op_forcedupdate !ref_is_personal - -## Master -allow "Master may be created" op_createref master_ref -allow "Master may be altered" op_is_update master_ref -deny "Master may not be deleted" op_deleteref master_ref - -## Anything else. -allow "Project writers may alter any refs" op_is_reffy !master_ref project_writer - diff --git a/gitano-admin/users/distbuild/user.conf b/gitano-admin/users/distbuild/user.conf deleted file mode 100644 index 62ac3f5..0000000 --- a/gitano-admin/users/distbuild/user.conf +++ /dev/null @@ -1,2 +0,0 @@ -email_address "distbuild@##TROVE_HOSTNAME##" -real_name "Baserock Distributed Build Service" diff --git a/gitano-admin/users/lorry/user.conf b/gitano-admin/users/lorry/user.conf deleted file mode 100644 index f21fac7..0000000 --- a/gitano-admin/users/lorry/user.conf +++ /dev/null @@ -1,2 +0,0 @@ -email_address "lorry@##TROVE_HOSTNAME##" -real_name "Source Code Lorry Service" diff --git a/gitano-admin/users/mason/user.conf b/gitano-admin/users/mason/user.conf deleted file mode 100644 index 639de4e..0000000 --- a/gitano-admin/users/mason/user.conf +++ /dev/null @@ -1,2 +0,0 @@ -email_address "mason@##TROVE_HOSTNAME##" -real_name "Baserock Continuous Integration Service" diff --git a/share/gitano/skel/gitano-admin/global-hooks/post-receive.lua b/share/gitano/skel/gitano-admin/global-hooks/post-receive.lua new file mode 100644 index 0000000..d1b3864 --- /dev/null 
+++ b/share/gitano/skel/gitano-admin/global-hooks/post-receive.lua 
@@ -0,0 +1,105 @@ +-- mason-notify.post-receive.lua +-- +-- Global post-receive hook which notifies Mason of any and all refs updates +-- (except refs/gitano/*) which happen. +-- +-- It notifies Mason *before* passing the updates on to the project hook. +-- +-- Copyright 2012 Codethink Limited +-- +-- This is a part of Trove and re-use is limited to Baserock systems only. +-- + +local project_hook, repo, updates = ... + +local EMPTY_SHA = ("0"):rep(40) + +local masonhost = "##MASON_HOST##:##MASON_PORT##" +local basepath = "/1.0" +local urlbases = { + "git://##TROVE_HOSTNAME##/", + "ssh://git@##TROVE_HOSTNAME##/", +} + +local notify_mason = false + +for ref in pairs(updates) do + if not ref:match("^refs/gitano/") then + notify_mason = true + end +end + +if notify_mason and repo.name ~= "gitano-admin" then + -- Build the report... + local masoninfo, indent_level = {}, 0 + local function _(...) + masoninfo[#masoninfo+1] = (" "):rep(indent_level) .. table.concat({...}) + end + local function indent() + indent_level = indent_level + 1 + end + local function dedent() + indent_level = indent_level - 1 + end + _ "{" indent() + + _ '"urls": [' indent() + + for i = 1, #urlbases do + local comma = (i==#urlbases) and "" or "," + _(("%q,"):format(urlbases[i] .. repo.name)) + _(("%q%s"):format(urlbases[i] .. repo.name .. 
".git", comma)) + end + + dedent() _ "]," + + _ '"changes": [' indent() + + local toreport = {} + for ref, info in pairs(updates) do + if not ref:match("^refs/gitano") then + local action + if info.oldsha == EMPTY_SHA then + action = "create" + elseif info.newsha == EMPTY_SHA then + action = "delete" + else + action = "update" + end + toreport[#toreport+1] = { + ('"ref": %q,'):format(ref), + ('"action": %q,'):format(action), + ('"old": %q,'):format(info.oldsha), + ('"new": %q'):format(info.newsha) + } + end + end + for i = 1, #toreport do + local comma = (i==#toreport) and "" or "," + _ "{" indent() + for __, ent in ipairs(toreport[i]) do + _(ent) + end + dedent() _("}", comma) + end + dedent() _ "]" + + dedent() _ "}" + + -- And finalise the JSON object + _("") + masoninfo = table.concat(masoninfo, "\n") + log.state("Notifying Mason of changes...") + + local code, msg, headers, content = + http.post(masonhost, basepath, "application/json", masoninfo) + if code ~= "200" then + log.state("Notification failed somehow") + end + for line in content:gmatch("([^\r\n]*)\r?\n") do + log.state("Mason: " .. line) + end +end + +-- Finally, chain to the project hook +return project_hook(repo, updates) diff --git a/share/gitano/skel/gitano-admin/groups/local-config-admins.conf b/share/gitano/skel/gitano-admin/groups/local-config-admins.conf new file mode 100644 index 0000000..435a297 --- /dev/null +++ b/share/gitano/skel/gitano-admin/groups/local-config-admins.conf @@ -0,0 +1 @@ +description "Users who are permitted to administer the local-config project" diff --git a/share/gitano/skel/gitano-admin/groups/local-config-managers.conf b/share/gitano/skel/gitano-admin/groups/local-config-managers.conf new file mode 100644 index 0000000..711be8f --- /dev/null +++ b/share/gitano/skel/gitano-admin/groups/local-config-managers.conf @@ -0,0 +1,3 @@ +description "Users who are permitted to manage the local-config project" + +subgroups["*"] "local-config-admins" 
diff --git a/share/gitano/skel/gitano-admin/groups/local-config-readers.conf b/share/gitano/skel/gitano-admin/groups/local-config-readers.conf
new file mode 100644
index 0000000..63e6bb3
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/groups/local-config-readers.conf
@@ -0,0 +1,5 @@
+description "Users who are permitted to read from the local-config project"
+
+members["*"] "lorry"
+
+subgroups["*"] "local-config-writers"
diff --git a/share/gitano/skel/gitano-admin/groups/local-config-writers.conf b/share/gitano/skel/gitano-admin/groups/local-config-writers.conf
new file mode 100644
index 0000000..9bbff24
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/groups/local-config-writers.conf
@@ -0,0 +1,3 @@
+description "Users who are permitted to write to the local-config project"
+
+subgroups["*"] "local-config-managers"
diff --git a/share/gitano/skel/gitano-admin/groups/trove-admin.conf b/share/gitano/skel/gitano-admin/groups/trove-admin.conf
new file mode 100644
index 0000000..e912653
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/groups/trove-admin.conf
@@ -0,0 +1 @@
+description "Trove-local administration"
diff --git a/share/gitano/skel/gitano-admin/groups/workers.conf b/share/gitano/skel/gitano-admin/groups/workers.conf
new file mode 100644
index 0000000..5586538
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/groups/workers.conf
@@ -0,0 +1,4 @@
+description "Workers who have read-access to everything"
+
+members["*"] "distbuild"
+members["*"] "mason"
diff --git a/share/gitano/skel/gitano-admin/rules/adminchecks.lace b/share/gitano/skel/gitano-admin/rules/adminchecks.lace
new file mode 100644
index 0000000..ffe99a0
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/adminchecks.lace
@@ -0,0 +1,25 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Core project administration rules
+
+# Called with ref known to be refs/gitano/admin
+
+# Administrators already got to do anything, so this is for non-admins
+
+# Non-admin members may not delete the admin ref
+deny "Non-administrators may not delete the admin ref" op_deleteref
+
+# Otherwise, the project's owner is allowed to alter the admin tree
+allow "Project owner may alter the admin ref" is_owner repo_is_personal
+
+# Project admins may alter admin refs
+allow "Project admins may alter the admin ref of project repos" repo_is_local_project project_admin
+
+# Any other opportunities for altering the admin ref must be provided
+# by the project's rules
diff --git a/share/gitano/skel/gitano-admin/rules/aschecks.lace b/share/gitano/skel/gitano-admin/rules/aschecks.lace
new file mode 100644
index 0000000..fc76440
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/aschecks.lace
@@ -0,0 +1,30 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Rules for when we're running as another user.
+
+# Only 'deny' things which are not allowed. If you 'allow' then it will allow
+# the actual operation, not just fail to deny the fact that it's 'as' someone
+# else.
+
+define as_is_admin as_group gitano-admin
+
+# trove-admin members are permitted to run sshkey and whoami on behalf
+# of others in order to check users and grant access, providing the target
+# user is not part of the gitano-admin group.
+
+define as_is_trove_admin as_group trove-admin
+define as_trove_admin_ok allof as_is_trove_admin !is_admin op_self
+
+# You are permitted to do things 'as' others if and only if the caller is
+# either a member of the administration group, or else meets the above
+# requirements.
+define as_is_ok anyof as_is_admin as_trove_admin_ok
+
+# Explicitly deny any impersonation operation which does not meet the above.
+deny "You may not run things as another user unless you are an admin" !as_is_ok
diff --git a/share/gitano/skel/gitano-admin/rules/core.lace b/share/gitano/skel/gitano-admin/rules/core.lace
new file mode 100644
index 0000000..dab7cfb
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/core.lace
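Review bot: `define as_trove_admin_ok allof as_is_trove_admin !is_admin op_self` lets trove-admin members run `passwd` on behalf of any user outside gitano-admin, because `op_self` in the defines file is `anyof op_whoami op_sshkey op_passwd`; together with `sshkey` that is full account takeover of any non-admin user, which is broader than the comment two lines above (`sshkey and whoami ... to check users and grant access`) describes. If changing other people's passwords is not intended, add `define as_trove_admin_ops anyof op_whoami op_sshkey` and use it in place of `op_self` on that line; if it is intended, the comment should say so. Whether `!is_admin` here tests the impersonated user rather than the caller depends on how Gitano evaluates `group` under `as`, which the file assumes but does not state; a short comment naming that assumption would help anyone auditing the ruleset.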
@@ -0,0 +1,47 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Core ruleset definitions for Trove.
+
+default deny "Trove ruleset failed to define result. Access denied."
+
+include global:defines
+
+# The users in the administration group (gitano-admin) may do anything
+# they choose (providing they're not being impersonated). By default
+# Only the user created as part of trove-setup has this level of access.
+allow "Administrators can do anything" is_admin !if_asanother
+
+# Now let's decide if we can use 'as'
+include global:aschecks if_asanother
+
+# Operations which are against 'self' get checked next
+include global:selfchecks
+
+# Administration operations (users, groups) next
+include global:siteadmin op_is_admin
+
+# Site-defined rules for repository creation
+include global:createrepo op_createrepo
+
+# Site-defined rules for repository renaming
+include global:renamerepo op_renamerepo
+
+# Site-defined rules for repository destruction
+include global:destroyrepo op_destroyrepo
+
+# Site-defined rules for project repositories, including admin of them
+include global:project
+
+# Now the project rules themselves
+include main
+
+# If you're running your access control somewhat more openly than most, You can
+# now uncomment the following and allow git:// access to *everything* which is
+# not the admin repository
+# allow "Anonymous access is okay" op_read !is_admin_repo
diff --git a/share/gitano/skel/gitano-admin/rules/createrepo.lace b/share/gitano/skel/gitano-admin/rules/createrepo.lace
new file mode 100644
index 0000000..bf4683e
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/createrepo.lace
@@ -0,0 +1,23 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Rules related to creating repositories
+
+# Administrators have already been permitted whatever they like
+# so this is for site-wide non-admins.
+
+##PEOPLE_COMMENT##allow "Personal repo creation is okay" repo_is_personal
+
+# Allow people in *-admins to create repositories under
+allow "Project admins may make project repositories" repo_is_local_project project_admin
+
+# Allow lorry to create repositories anywhere but the local project root
+allow "Lorry may create lorryable repos" is_lorry lorryable_repo
+
+# Otherwise the default is that non-admins can't create repositories
+deny "Repository creation is not permitted."
diff --git a/share/gitano/skel/gitano-admin/rules/defines.lace b/share/gitano/skel/gitano-admin/rules/defines.lace
new file mode 100644
index 0000000..380948a
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/defines.lace
@@ -0,0 +1,106 @@ +# _____ +# |_ _| __ _____ _____ +# | || '__/ _ \ \ / / _ \ +# | || | | (_) \ V / __/ +# |_||_| \___/ \_/ \___| +# +# Copyright 2012,2013 Codethink Limited +# +# Core definitions for access control + +# Gitano provided definitions first + +# User/group related +define is_admin group gitano-admin +define is_owner owner ${user} +define is_anonymous user gitano/anonymous + +define if_asanother as_user ~. + +# Self-related operations +define op_whoami operation whoami +define op_sshkey operation sshkey +define op_passwd operation passwd +define op_self anyof op_whoami op_sshkey op_passwd + +# Admin-related operations + +## Users +define op_useradd operation useradd +define op_userdel operation userdel +define op_userlist operation userlist +define op_useremail operation useremail +define op_username operation username +define op_user anyof op_userlist op_useradd op_userdel op_useremail op_username + +## Groups +define op_grouplist operation grouplist +define op_groupshow operation groupshow +define op_groupadd operation groupadd +define op_groupdel operation groupdel +define op_groupadduser operation groupadduser +define op_groupdeluser operation groupdeluser +define op_groupaddgroup operation groupaddgroup +define op_groupdelgroup operation groupdelgroup +define op_groupdescription operation groupdescription +define op_group anyof op_grouplist op_groupshow op_groupadd op_groupdel op_groupadduser op_groupdeluser op_groupaddgroup op_groupdelgroup op_groupdescription + +## Aggregation of admin ops +define op_is_admin anyof op_user op_group + +# Primary repository-related operations +define op_read operation read +define op_write operation write +define op_createrepo operation createrepo +define op_renamerepo operation renamerepo +define op_destroyrepo operation destroyrepo + +# Remote configuration operations +define op_config_show operation config_show +define op_config_set operation config_set +define op_config_del operation config_del +define 
op_is_config anyof op_config_show op_config_set op_config_del + +# Reference update related operations +define op_createref operation createref +define op_deleteref operation deleteref +define op_fastforward operation updaterefff +define op_forcedupdate operation updaterefnonff + +# Combinator operations +define op_is_basic anyof op_read op_write +define op_is_update anyof op_fastforward op_forcedupdate +define op_is_normal anyof op_fastforward op_createref op_deleteref + +# Administration +define is_admin_repo repository gitano-admin +define is_gitano_ref ref ~^refs/gitano/ +define is_admin_ref ref refs/gitano/admin + +# +# +# Trove definitions after here +# +# + +define repo_is_personal repository ~^##ESC_PERSONAL_PREFIX##/${user}/ +define ref_is_personal ref ~^refs/heads/##ESC_PREFIX##/${user}/ +define repo_is_local_project repository ~^##ESC_PREFIX##/[^/]+/ + +define project_reader group ${repository/2}-readers +define project_writer group ${repository/2}-writers +define project_admin group ${repository/2}-admins +define project_manager group ${repository/2}-managers + +define master_ref ref ~^refs/heads/master$ + +define op_is_reffy anyof op_is_normal op_forcedupdate + +define trove_site_admin group trove-admin +define target_group_gitano_admin targetgroup gitano-admin + +define is_lorry user lorry +define is_local_ref ref ~^refs/heads/##ESC_PREFIX##/ +define lorryable_repo allof !repo_is_local_project !repo_is_personal !is_admin_repo + +define is_worker group workers diff --git a/share/gitano/skel/gitano-admin/rules/destroyrepo.lace b/share/gitano/skel/gitano-admin/rules/destroyrepo.lace new file mode 100644 index 0000000..6e6b446 --- /dev/null +++ b/share/gitano/skel/gitano-admin/rules/destroyrepo.lace 
@@ -0,0 +1,20 @@ +# _____ +# |_ _| __ _____ _____ +# | || '__/ _ \ \ / / _ \ +# | || | | (_) \ V / __/ +# |_||_| \___/ \_/ \___| +# +# Copyright 2012 Codethink Limited +# +# Rules related to the destroying of repositories + +# Owners may destroy personal repositories +allow "You may destroy your own repositories" is_owner repo_is_personal + +# Project admins may destroy repos inside their projects +allow "Project admins may destroy project repos" repo_is_local_project project_admin + +# Allow lorry to destroy repositories anywhere but the local project root +allow "Lorry may destroy lorryable repos" is_lorry lorryable_repo + +deny "You may not destroy repositories you do not own" diff --git a/share/gitano/skel/gitano-admin/rules/other-project.lace b/share/gitano/skel/gitano-admin/rules/other-project.lace new file mode 100644 index 0000000..7bc80cc --- /dev/null +++ b/share/gitano/skel/gitano-admin/rules/other-project.lace @@ -0,0 +1,25 @@ +# _____ +# |_ _| __ _____ _____ +# | || '__/ _ \ \ / / _ \ +# | || | | (_) \ V / __/ +# |_||_| \___/ \_/ \___| +# +# Copyright 2012,2013 Codethink Limited +# +# Rules for any repository not under ##PREFIX## + +# This is, by default, /baserock/ and /delta/ + +# There are two classes of accessors here. Lorry and Others +allow "Anyone may read here" op_read +allow "Anyone may write here" op_write !is_anonymous + +# Lorry can do anything reffy which is not inside the local refs +allow "Lorry may touch everything but refs/heads/##PREFIX##" op_is_reffy is_lorry !is_local_ref + +# Noone can rewind/rebase outside of their personal refs +deny "Non-personal branches may not be rewound/rebased" op_forcedupdate !is_lorry !ref_is_personal + +# Everyone else can do reffy things inside refs/heads/##PREFIX## +allow "Project writers may alter any refs" op_is_reffy !is_lorry is_local_ref + diff --git a/share/gitano/skel/gitano-admin/rules/project.lace b/share/gitano/skel/gitano-admin/rules/project.lace new file mode 100644 index 0000000..aa5e1e2 
--- /dev/null +++ b/share/gitano/skel/gitano-admin/rules/project.lace @@ -0,0 +1,38 @@ +# _____ +# |_ _| __ _____ _____ +# | || '__/ _ \ \ / / _ \ +# | || | | (_) \ V / __/ +# |_||_| \___/ \_/ \___| +# +# Copyright 2012 Codethink Limited +# +# Core project administration rules + +# Admins already got allowed, so this is for non-admin users only +allow "Owners can always read and write" op_is_basic is_owner repo_is_personal + +# Any non-gitano-admin repo is readable to the lorry user and the worker group +allow "Lorry may read" op_read is_lorry lorryable_repo +allow "Workers may read" op_read !is_admin_repo is_worker + +# Force /baserock and /delta to always be anon-readable which means git:// will +# work. This is part of the core ruleset for Baserock because /baserock/ and +# /delta/ are always open source. +define is_baserock_repo repository ~^baserock/ +define is_delta_repo repository ~^delta/ +define is_opensource_repo anyof is_baserock_repo is_delta_repo + +allow "Anonymous access always allowed" op_read !is_admin_repo is_opensource_repo + +# Project remote-configuration rules (set-head etc) +include global:remoteconfigchecks op_is_config + +# Okay, if we're altering the admin ref, in we go +include global:adminchecks is_admin_ref + +# Now we're into branch operations. +# Owners of personal repositories can do any reffy operation +allow "Owners can create refs" op_is_reffy is_owner repo_is_personal + +include global:trove-project repo_is_local_project +include global:other-project lorryable_repo diff --git a/share/gitano/skel/gitano-admin/rules/remoteconfigchecks.lace b/share/gitano/skel/gitano-admin/rules/remoteconfigchecks.lace new file mode 100644 index 0000000..6f88f5f --- /dev/null +++ b/share/gitano/skel/gitano-admin/rules/remoteconfigchecks.lace 
@@ -0,0 +1,20 @@ +# _____ +# |_ _| __ _____ _____ +# | || '__/ _ \ \ / / _ \ +# | || | | (_) \ V / __/ +# |_||_| \___/ \_/ \___| +# +# Copyright 2012 Codethink Limited +# +# Remote config checks + +# Owners may do any remote admin operation they choose +allow "Owners may remote-admin their repositories" is_owner repo_is_personal + +# *-admins may remote-admin their project's repositories +allow "Project admins may admin project repos" repo_is_local_project project_admin + +# lorry may remote-admin lorryable repositories +allow "Lorry may admin lorry repos" is_lorry lorryable_repo + +deny "You may not configure this repository remotely" diff --git a/share/gitano/skel/gitano-admin/rules/renamerepo.lace b/share/gitano/skel/gitano-admin/rules/renamerepo.lace new file mode 100644 index 0000000..e4a51be --- /dev/null +++ b/share/gitano/skel/gitano-admin/rules/renamerepo.lace @@ -0,0 +1,19 @@ +# _____ +# |_ _| __ _____ _____ +# | || '__/ _ \ \ / / _ \ +# | || | | (_) \ V / __/ +# |_||_| \___/ \_/ \___| +# +# Copyright 2012 Codethink Limited +# +# Rules related to renaming repositories + +# Owners may rename their own repositories +allow "Owners may rename repositories" op_renamerepo repo_is_personal is_owner + +# Project admins may rename repos provided they're admin of source *and* target +# Since the rename operation checks 'create' for the target, we can just +# check the source here +allow "Admins may rename project repositories" op_renamerepo repo_is_local_project project_admin + +deny "You may not rename a repository you do not own" diff --git a/share/gitano/skel/gitano-admin/rules/selfchecks.lace b/share/gitano/skel/gitano-admin/rules/selfchecks.lace new file mode 100644 index 0000000..83ef778 --- /dev/null +++ b/share/gitano/skel/gitano-admin/rules/selfchecks.lace 
@@ -0,0 +1,15 @@ +# _____ +# |_ _| __ _____ _____ +# | || '__/ _ \ \ / / _ \ +# | || | | (_) \ V / __/ +# |_||_| \___/ \_/ \___| +# +# Copyright 2012 Codethink Limited +# +# Checks against self-like operations. + +allow "You may ask who you are" op_whoami + +allow "You may manage your own ssh keys" op_sshkey + +allow "You may change your own password" op_passwd diff --git a/share/gitano/skel/gitano-admin/rules/siteadmin.lace b/share/gitano/skel/gitano-admin/rules/siteadmin.lace new file mode 100644 index 0000000..06c71bb --- /dev/null +++ b/share/gitano/skel/gitano-admin/rules/siteadmin.lace 
@@ -0,0 +1,32 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Site administration rules
+
+# You must explicitly allow site administration here for anyone who
+# has the rights to do site admin but isn't an administrator.
+
+# trove_site_admin is a predicate which matches members of the trove-admin
+# group (The site-wide user/group administration group which is not the full
+# administration group)
+allow "Trove Site Admins can manage users" trove_site_admin op_user
+allow "Trove Site Admins can manage groups other than gitano-admin" trove_site_admin op_group !target_group_gitano_admin
+
+# XXX-managers members are permitted to edit XXX-* groups
+define trove_may_admin_target_group group ${targetgroup/prefix}-managers
+define target_group_has_hyphen targetgroup ~%-
+allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen trove_may_admin_target_group
+
+# Anyone is permitted to look at the people in trove-admin and *-managers
+define trove_target_group_is_trove_admin targetgroup trove-admin
+define trove_target_group_is_project_managers targetgroup ~^.+-managers$
+define trove_show_target_ok anyof trove_target_group_is_trove_admin trove_target_group_is_project_managers
+allow "Anyone may see admin groups" op_groupshow trove_show_target_ok
+
+# Otherwise we always deny site administration
+deny "You may not perform site administration"
diff --git a/share/gitano/skel/gitano-admin/rules/trove-project.lace b/share/gitano/skel/gitano-admin/rules/trove-project.lace
new file mode 100644
index 0000000..383ba98
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/trove-project.lace
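Review bot: The rule `allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen trove_may_admin_target_group` does not exclude `gitano-admin` as a target, unlike the trove_site_admin rule a few lines above it. If `${targetgroup/prefix}` is the text before the first hyphen, as the `XXX-managers ... XXX-*` comment implies, then target `gitano-admin` resolves to group `gitano-managers`, and a trove-admin member can create that group under the `!target_group_gitano_admin` rule, add themselves to it, and then `groupadduser` themselves into `gitano-admin`, defeating the "not the full administration group" distinction this file documents. Add the same exclusion to the managers rule: `allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen trove_may_admin_target_group !target_group_gitano_admin`. A comment next to it noting that `gitano-admin` must never be manageable through the prefix convention would stop the guard being dropped again later.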
@@ -0,0 +1,29 @@ +# _____ +# |_ _| __ _____ _____ +# | || '__/ _ \ \ / / _ \ +# | || | | (_) \ V / __/ +# |_||_| \___/ \_/ \___| +# +# Copyright 2012,2013 Codethink Limited +# +# Rules for ##PREFIX##/... repositories + +# Reading the repository +allow "Project readers may read" op_read project_reader +deny "This repository is not for you" op_read + +# Basic writes to the repo +allow "Project writers may write" op_write project_writer +deny "This repository is not for you" op_write + +# Ref based rules for the repo +deny "Non-personal branches may not be rewound/rebased" op_forcedupdate !ref_is_personal + +## Master +allow "Master may be created" op_createref master_ref +allow "Master may be altered" op_is_update master_ref +deny "Master may not be deleted" op_deleteref master_ref + +## Anything else. +allow "Project writers may alter any refs" op_is_reffy !master_ref project_writer + diff --git a/share/gitano/skel/gitano-admin/users/distbuild/user.conf b/share/gitano/skel/gitano-admin/users/distbuild/user.conf new file mode 100644 index 0000000..62ac3f5 --- /dev/null +++ b/share/gitano/skel/gitano-admin/users/distbuild/user.conf @@ -0,0 +1,2 @@ +email_address "distbuild@##TROVE_HOSTNAME##" +real_name "Baserock Distributed Build Service" diff --git a/share/gitano/skel/gitano-admin/users/lorry/user.conf b/share/gitano/skel/gitano-admin/users/lorry/user.conf new file mode 100644 index 0000000..f21fac7 --- /dev/null +++ b/share/gitano/skel/gitano-admin/users/lorry/user.conf @@ -0,0 +1,2 @@ +email_address "lorry@##TROVE_HOSTNAME##" +real_name "Source Code Lorry Service" diff --git a/share/gitano/skel/gitano-admin/users/mason/user.conf b/share/gitano/skel/gitano-admin/users/mason/user.conf new file mode 100644 index 0000000..639de4e --- /dev/null +++ b/share/gitano/skel/gitano-admin/users/mason/user.conf @@ -0,0 +1,2 @@ +email_address "mason@##TROVE_HOSTNAME##" +real_name "Baserock Continuous Integration Service" -- cgit v1.2.1 
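Review bot: `allow "Master may be created" op_createref master_ref` and `allow "Master may be altered" op_is_update master_ref` carry no group predicate, so they depend on the earlier `deny "This repository is not for you" op_write` having already rejected non-writers; whether gitano evaluates op_write before the per-ref operations is not visible here. Either add `project_writer` to both lines, as the final allow in this file does, or put a comment above them such as `# op_write has already restricted pushers to project_writer; no group check is repeated here` so the dependence on rule order is documented.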
From 65e9bbd177c49a7e0f102574d7731a13599a0d91 Mon Sep 17 00:00:00 2001 From: Pedro Alvarez Date: Tue, 17 Jun 2014 13:18:55 +0000 Subject: Move template files from /etc to shares/trove-setup/etc --- etc/cgitrc | 26 -------------------------- etc/gitano-setup.clod | 18 ------------------ etc/lorry.conf | 11 ----------- share/etc/cgitrc | 26 ++++++++++++++++++++++++++ share/etc/gitano-setup.clod | 18 ++++++++++++++++++ share/etc/lorry.conf | 11 +++++++++++ 6 files changed, 55 insertions(+), 55 deletions(-) delete mode 100644 etc/cgitrc delete mode 100644 etc/gitano-setup.clod delete mode 100644 etc/lorry.conf create mode 100644 share/etc/cgitrc create mode 100644 share/etc/gitano-setup.clod create mode 100644 share/etc/lorry.conf diff --git a/etc/cgitrc b/etc/cgitrc deleted file mode 100644 index c526e17..0000000 --- a/etc/cgitrc +++ /dev/null @@ -1,26 +0,0 @@ -clone-prefix=git://##TROVE_HOSTNAME## http://##TROVE_HOSTNAME##/git https://##TROVE_HOSTNAME##/git ssh://git@##TROVE_HOSTNAME## -strict-export=git-daemon-export-ok - -css=/cgit/cgit.css -logo=/trove.png - -head-include=/etc/cgit-trove-head.inc -footer=/etc/cgit-trove-footer.inc - -enable-index-links=1 -root-title=##TROVE_TITLE## Git Repositories -root-desc=Baserock Trove -- For ##TROVE_COMPANY## -snapshots=tar.gz -enable-commit-graph=1 -enable-log-filecount=1 -enable-log-linecount=1 - -mimetype.gif=image/gif -mimetype.html=text/html -mimetype.jpg=image/jpeg -mimetype.jpeg=image/jpeg -mimetype.pdf=application/pdf -mimetype.png=image/png -mimetype.svg=image/svg+xml - -scan-path=/home/git/repos/ diff --git a/etc/gitano-setup.clod b/etc/gitano-setup.clod deleted file mode 100644 index b63aeb6..0000000 --- a/etc/gitano-setup.clod +++ /dev/null 
@@ -1,18 +0,0 @@ --- Configuration for gitano-setup - -paths.home "/home/git" -paths.ssh "/home/git/.ssh" -paths.pubkey "/home/git/.ssh/id_rsa.pub" -paths.repos "/home/git/repos" - -admin.username "trove" -admin.realname "Trove Instance Administrator" -admin.email "trove@trove-instance" -admin.keyname "trove" - -site.name "##TROVE_TITLE## for ##TROVE_COMPANY##" -log.prefix "##TROVE_LOG_PREFIX##" - -use.htpasswd "yes" - -setup.batch = true diff --git a/etc/lorry.conf b/etc/lorry.conf deleted file mode 100644 index 16552cb..0000000 --- a/etc/lorry.conf +++ /dev/null @@ -1,11 +0,0 @@ -[config] -mirror-base-url-push = ssh://git@localhost -mirror-base-url-fetch = git://##TROVE_HOSTNAME## -bundle = never -bundle-dest = /home/lorry/bundles -tarball = always -tarball-dest = /home/lorry/tarballs -working-area = /home/lorry/working-area -verbose = yes -log = /dev/stdout -log-level = debug diff --git a/share/etc/cgitrc b/share/etc/cgitrc new file mode 100644 index 0000000..c526e17 --- /dev/null +++ b/share/etc/cgitrc @@ -0,0 +1,26 @@ +clone-prefix=git://##TROVE_HOSTNAME## http://##TROVE_HOSTNAME##/git https://##TROVE_HOSTNAME##/git ssh://git@##TROVE_HOSTNAME## +strict-export=git-daemon-export-ok + +css=/cgit/cgit.css +logo=/trove.png + +head-include=/etc/cgit-trove-head.inc +footer=/etc/cgit-trove-footer.inc + +enable-index-links=1 +root-title=##TROVE_TITLE## Git Repositories +root-desc=Baserock Trove -- For ##TROVE_COMPANY## +snapshots=tar.gz +enable-commit-graph=1 +enable-log-filecount=1 +enable-log-linecount=1 + +mimetype.gif=image/gif +mimetype.html=text/html +mimetype.jpg=image/jpeg +mimetype.jpeg=image/jpeg +mimetype.pdf=application/pdf +mimetype.png=image/png +mimetype.svg=image/svg+xml + +scan-path=/home/git/repos/ diff --git a/share/etc/gitano-setup.clod b/share/etc/gitano-setup.clod new file mode 100644 index 0000000..b63aeb6 --- /dev/null +++ b/share/etc/gitano-setup.clod 
@@ -0,0 +1,18 @@ +-- Configuration for gitano-setup + +paths.home "/home/git" +paths.ssh "/home/git/.ssh" +paths.pubkey "/home/git/.ssh/id_rsa.pub" +paths.repos "/home/git/repos" + +admin.username "trove" +admin.realname "Trove Instance Administrator" +admin.email "trove@trove-instance" +admin.keyname "trove" + +site.name "##TROVE_TITLE## for ##TROVE_COMPANY##" +log.prefix "##TROVE_LOG_PREFIX##" + +use.htpasswd "yes" + +setup.batch = true diff --git a/share/etc/lorry.conf b/share/etc/lorry.conf new file mode 100644 index 0000000..16552cb --- /dev/null +++ b/share/etc/lorry.conf @@ -0,0 +1,11 @@ +[config] +mirror-base-url-push = ssh://git@localhost +mirror-base-url-fetch = git://##TROVE_HOSTNAME## +bundle = never +bundle-dest = /home/lorry/bundles +tarball = always +tarball-dest = /home/lorry/tarballs +working-area = /home/lorry/working-area +verbose = yes +log = /dev/stdout +log-level = debug -- cgit v1.2.1 From a1391120ed267bc0b809482cb7282ea032b3cfca Mon Sep 17 00:00:00 2001 From: Pedro Alvarez Date: Tue, 17 Jun 2014 13:34:14 +0000 Subject: Change placeholders to jinja placeholders --- share/README.lorry-controller | 2 +- share/etc/cgitrc | 6 +++--- share/etc/gitano-setup.clod | 4 ++-- share/etc/lorry.conf | 2 +- share/gitano/skel/gitano-admin/global-hooks/post-receive.lua | 6 +++--- share/gitano/skel/gitano-admin/rules/createrepo.lace | 2 +- share/gitano/skel/gitano-admin/rules/defines.lace | 8 ++++---- share/gitano/skel/gitano-admin/rules/other-project.lace | 6 +++--- share/gitano/skel/gitano-admin/rules/trove-project.lace | 2 +- share/gitano/skel/gitano-admin/users/distbuild/user.conf | 2 +- share/gitano/skel/gitano-admin/users/lorry/user.conf | 2 +- share/gitano/skel/gitano-admin/users/mason/user.conf | 2 +- share/lorry-controller.conf | 8 ++++---- share/releases-repo-README | 4 ++-- 14 files changed, 28 insertions(+), 28 deletions(-) diff --git a/share/README.lorry-controller b/share/README.lorry-controller index 1c70617..3bd0a90 100644 
--- a/share/README.lorry-controller +++ b/share/README.lorry-controller @@ -14,5 +14,5 @@ scenarios regarding adding external software to your Trove before attempting to add any additional configuration to this repository. Remember, the Lorry tool is not permitted to manage repositories inside your -prefix which is ##PREFIX##. +prefix which is {{ TROVE_ID }}. diff --git a/share/etc/cgitrc b/share/etc/cgitrc index c526e17..28540dd 100644 --- a/share/etc/cgitrc +++ b/share/etc/cgitrc @@ -1,4 +1,4 @@ -clone-prefix=git://##TROVE_HOSTNAME## http://##TROVE_HOSTNAME##/git https://##TROVE_HOSTNAME##/git ssh://git@##TROVE_HOSTNAME## +clone-prefix=git://{{ TROVE_HOSTNAME }} http://{{ TROVE_HOSTNAME }}/git https://{{ TROVE_HOSTNAME }}/git ssh://git@{{ TROVE_HOSTNAME }} strict-export=git-daemon-export-ok css=/cgit/cgit.css @@ -8,8 +8,8 @@ head-include=/etc/cgit-trove-head.inc footer=/etc/cgit-trove-footer.inc enable-index-links=1 -root-title=##TROVE_TITLE## Git Repositories -root-desc=Baserock Trove -- For ##TROVE_COMPANY## +root-title={{ TROVE_ID }} Git Repositories +root-desc=Baserock Trove -- For {{ TROVE_COMPANY }} snapshots=tar.gz enable-commit-graph=1 enable-log-filecount=1 diff --git a/share/etc/gitano-setup.clod b/share/etc/gitano-setup.clod index b63aeb6..6139c4e 100644 --- a/share/etc/gitano-setup.clod +++ b/share/etc/gitano-setup.clod @@ -10,8 +10,8 @@ admin.realname "Trove Instance Administrator" admin.email "trove@trove-instance" admin.keyname "trove" -site.name "##TROVE_TITLE## for ##TROVE_COMPANY##" -log.prefix "##TROVE_LOG_PREFIX##" +site.name "{{ TROVE_ID }} for {{ TROVE_COMPANY }}" +log.prefix "{{ TROVE_ID }}" use.htpasswd "yes" diff --git a/share/etc/lorry.conf b/share/etc/lorry.conf index 16552cb..cc94e8d 100644 --- a/share/etc/lorry.conf +++ b/share/etc/lorry.conf 
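Review bot: Beyond the placeholder syntax change, the cgitrc hunk at `root-title=` and the gitano-setup.clod hunk at `site.name`/`log.prefix` replace two distinct placeholders (`TROVE_TITLE`, `TROVE_LOG_PREFIX`) with the single `TROVE_ID`, so the site title and the log prefix can no longer be set independently of the identifier that check.yml later in this series also uses as the default hostname. If that collapse is intended the commit message should say so; otherwise keep `{{ TROVE_TITLE }}` and `{{ TROVE_LOG_PREFIX }}` here and give them defaults derived from TROVE_ID in check.yml.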
@@ -1,6 +1,6 @@ [config] mirror-base-url-push = ssh://git@localhost -mirror-base-url-fetch = git://##TROVE_HOSTNAME## +mirror-base-url-fetch = git://{{ TROVE_HOSTNAME }} bundle = never bundle-dest = /home/lorry/bundles tarball = always diff --git a/share/gitano/skel/gitano-admin/global-hooks/post-receive.lua b/share/gitano/skel/gitano-admin/global-hooks/post-receive.lua index d1b3864..c7ab051 100644 --- a/share/gitano/skel/gitano-admin/global-hooks/post-receive.lua +++ b/share/gitano/skel/gitano-admin/global-hooks/post-receive.lua @@ -14,11 +14,11 @@ local project_hook, repo, updates = ... local EMPTY_SHA = ("0"):rep(40) -local masonhost = "##MASON_HOST##:##MASON_PORT##" +local masonhost = "{{ MASON_ID }}:{{ MASON_PORT }}" local basepath = "/1.0" local urlbases = { - "git://##TROVE_HOSTNAME##/", - "ssh://git@##TROVE_HOSTNAME##/", + "git://{{ TROVE_HOSTNAME }}/", + "ssh://git@{{ TROVE_HOSTNAME }}/", } local notify_mason = false diff --git a/share/gitano/skel/gitano-admin/rules/createrepo.lace b/share/gitano/skel/gitano-admin/rules/createrepo.lace index bf4683e..a07a744 100644 --- a/share/gitano/skel/gitano-admin/rules/createrepo.lace +++ b/share/gitano/skel/gitano-admin/rules/createrepo.lace @@ -11,7 +11,7 @@ # Administrators have already been permitted whatever they like # so this is for site-wide non-admins. -##PEOPLE_COMMENT##allow "Personal repo creation is okay" repo_is_personal +{{ PEOPLE_COMMENT }}allow "Personal repo creation is okay" repo_is_personal # Allow people in *-admins to create repositories under allow "Project admins may make project repositories" repo_is_local_project project_admin diff --git a/share/gitano/skel/gitano-admin/rules/defines.lace b/share/gitano/skel/gitano-admin/rules/defines.lace index 380948a..466ac6f 100644 --- a/share/gitano/skel/gitano-admin/rules/defines.lace +++ b/share/gitano/skel/gitano-admin/rules/defines.lace 
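Review bot: `local masonhost = "{{ MASON_ID }}:{{ MASON_PORT }}"` renders as `:18755` when no Mason is configured, because check.yml later in this series defaults MASON_ID to an empty string; whether the notify logic (outside this hunk — `notify_mason = false` is the last context line) guards on an empty host cannot be seen here. A comment on that line, e.g. `-- MASON_ID is empty when no Mason is deployed; check before notifying`, or guarding the value with `local masonhost = ("{{ MASON_ID }}" ~= "" and "{{ MASON_ID }}:{{ MASON_PORT }}") or nil`, would prevent a connection attempt to a host-less URL.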
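Review bot: `{{ PEOPLE_COMMENT }}allow "Personal repo creation is okay" repo_is_personal` uses a rendered variable as a comment toggle, and check.yml later in this series sets `PEOPLE_COMMENT='#'` unconditionally, so this line is always rendered commented out and personal repository creation is never permitted by this file. If that is intended, drop the line or say so in a comment; otherwise a Jinja `{% if %}` block around the rule, keyed on a boolean variable, is clearer than a prefix that may or may not be a comment marker.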
@@ -83,9 +83,9 @@ define is_admin_ref ref refs/gitano/admin # # -define repo_is_personal repository ~^##ESC_PERSONAL_PREFIX##/${user}/ -define ref_is_personal ref ~^refs/heads/##ESC_PREFIX##/${user}/ -define repo_is_local_project repository ~^##ESC_PREFIX##/[^/]+/ +define repo_is_personal repository ~^{{ ESC_PERSONAL_PREFIX }}/${user}/ +define ref_is_personal ref ~^refs/heads/{{ ESC_PREFIX }}/${user}/ +define repo_is_local_project repository ~^{{ ESC_PREFIX }}/[^/]+/ define project_reader group ${repository/2}-readers define project_writer group ${repository/2}-writers @@ -100,7 +100,7 @@ define trove_site_admin group trove-admin define target_group_gitano_admin targetgroup gitano-admin define is_lorry user lorry -define is_local_ref ref ~^refs/heads/##ESC_PREFIX##/ +define is_local_ref ref ~^refs/heads/{{ ESC_PREFIX }}/ define lorryable_repo allof !repo_is_local_project !repo_is_personal !is_admin_repo define is_worker group workers diff --git a/share/gitano/skel/gitano-admin/rules/other-project.lace b/share/gitano/skel/gitano-admin/rules/other-project.lace index 7bc80cc..e5f05be 100644 --- a/share/gitano/skel/gitano-admin/rules/other-project.lace +++ b/share/gitano/skel/gitano-admin/rules/other-project.lace @@ -6,7 +6,7 @@ # # Copyright 2012,2013 Codethink Limited # -# Rules for any repository not under ##PREFIX## +# Rules for any repository not under {{ TROVE_ID }} # This is, by default, /baserock/ and /delta/ 
@@ -15,11 +15,11 @@ allow "Anyone may read here" op_read allow "Anyone may write here" op_write !is_anonymous # Lorry can do anything reffy which is not inside the local refs -allow "Lorry may touch everything but refs/heads/##PREFIX##" op_is_reffy is_lorry !is_local_ref +allow "Lorry may touch everything but refs/heads/{{ TROVE_ID }}" op_is_reffy is_lorry !is_local_ref # Noone can rewind/rebase outside of their personal refs deny "Non-personal branches may not be rewound/rebased" op_forcedupdate !is_lorry !ref_is_personal -# Everyone else can do reffy things inside refs/heads/##PREFIX## +# Everyone else can do reffy things inside refs/heads/{{ TROVE_ID }} allow "Project writers may alter any refs" op_is_reffy !is_lorry is_local_ref diff --git a/share/gitano/skel/gitano-admin/rules/trove-project.lace b/share/gitano/skel/gitano-admin/rules/trove-project.lace index 383ba98..c13b307 100644 --- a/share/gitano/skel/gitano-admin/rules/trove-project.lace +++ b/share/gitano/skel/gitano-admin/rules/trove-project.lace @@ -6,7 +6,7 @@ # # Copyright 2012,2013 Codethink Limited # -# Rules for ##PREFIX##/... repositories +# Rules for {{ TROVE_ID }}/... repositories # Reading the repository allow "Project readers may read" op_read project_reader diff --git a/share/gitano/skel/gitano-admin/users/distbuild/user.conf b/share/gitano/skel/gitano-admin/users/distbuild/user.conf index 62ac3f5..6954826 100644 --- a/share/gitano/skel/gitano-admin/users/distbuild/user.conf +++ b/share/gitano/skel/gitano-admin/users/distbuild/user.conf @@ -1,2 +1,2 @@ -email_address "distbuild@##TROVE_HOSTNAME##" +email_address "distbuild@{{ TROVE_HOSTNAME }}" real_name "Baserock Distributed Build Service" diff --git a/share/gitano/skel/gitano-admin/users/lorry/user.conf b/share/gitano/skel/gitano-admin/users/lorry/user.conf index f21fac7..d00b635 100644 --- a/share/gitano/skel/gitano-admin/users/lorry/user.conf +++ b/share/gitano/skel/gitano-admin/users/lorry/user.conf 
@@ -1,2 +1,2 @@ -email_address "lorry@##TROVE_HOSTNAME##" +email_address "lorry@{{ TROVE_HOSTNAME }}" real_name "Source Code Lorry Service" diff --git a/share/gitano/skel/gitano-admin/users/mason/user.conf b/share/gitano/skel/gitano-admin/users/mason/user.conf index 639de4e..3139295 100644 --- a/share/gitano/skel/gitano-admin/users/mason/user.conf +++ b/share/gitano/skel/gitano-admin/users/mason/user.conf @@ -1,2 +1,2 @@ -email_address "mason@##TROVE_HOSTNAME##" +email_address "mason@{{ TROVE_HOSTNAME }}" real_name "Baserock Continuous Integration Service" diff --git a/share/lorry-controller.conf b/share/lorry-controller.conf index bdbbbd5..0c90cc4 100644 --- a/share/lorry-controller.conf +++ b/share/lorry-controller.conf @@ -1,9 +1,9 @@ [ { "type": "trove", - "uuid": "##PREFIX##/initial", + "uuid": "{{ TROVE_ID }}/initial", "serial": 1, - "trovehost": "##UPSTREAM_TROVE##", + "trovehost": "{{ UPSTREAM_TROVE }}", "protocol": "ssh", "ls-interval": "4H", "interval": "2H", @@ -21,7 +21,7 @@ }, { "type": "lorries", - "uuid": "##PREFIX##/open-source-lorries", + "uuid": "{{ TROVE_ID }}/open-source-lorries", "serial": 1, "interval": "6H", "create": "always", @@ -35,7 +35,7 @@ }, { "type": "lorries", - "uuid": "##PREFIX##/closed-source-lorries", + "uuid": "{{ TROVE_ID }}/closed-source-lorries", "serial": 1, "interval": "6H", "create": "always", diff --git a/share/releases-repo-README b/share/releases-repo-README index d3f872b..69ee875 100644 --- a/share/releases-repo-README +++ b/share/releases-repo-README 
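Review bot: `"trovehost": "{{ UPSTREAM_TROVE }}"` and the three `"uuid": "{{ TROVE_ID }}/..."` lines substitute Ansible variables into JSON string literals without JSON escaping, so a value containing a double quote or backslash produces an unparsable lorry-controller.conf; check.yml only verifies that UPSTREAM_TROVE is defined, not its shape. Rendering with the `to_json` filter, e.g. `"trovehost": {{ UPSTREAM_TROVE | to_json }},` (it emits the surrounding quotes itself), keeps the file valid for any input.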
@@ -2,10 +2,10 @@ site/releases repository ------------------------ This is a special repository for distributing release binaries over HTTP. -Visit http://##PREFIX##/releases/ to browse content. +Visit http://{{ TROVE_ID }}/releases/ to browse content. To add a release to this repository, you need to be a member of the Gitano group site-writers. With the correct permissions, you can push releases to the repository by doing: - rsync $RELEASE git@##PREFIX##:##PREFIX##/site/releases + rsync $RELEASE git@{{ TROVE_HOSTNAME }}:{{ TROVE_ID }}/site/releases -- cgit v1.2.1 From 200ac0a9b1240966465188bb518f592826a301f0 Mon Sep 17 00:00:00 2001 From: Pedro Alvarez Date: Fri, 27 Jun 2014 16:39:10 +0000 Subject: Do not enable the units when installing. They aren't eligible to be started until they are configured, and Ansible handles both the initial start, and configuring them to start automatically on next boot. --- Makefile | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/Makefile b/Makefile index 0559468..52e3106 100644 --- a/Makefile +++ b/Makefile @@ -1,9 +1,7 @@ install: mkdir -p "${DESTDIR}/usr/lib/systemd/system/multi-user.target.wants" cp units/* "${DESTDIR}/usr/lib/systemd/system" - for I in $$(cd units; ls); do \ - ln -sf ../$$I "${DESTDIR}/usr/lib/systemd/system/multi-user.target.wants/$$I"; \ - done + ln -sf ../trove-setup.service "${DESTDIR}/usr/lib/systemd/system/multi-user.target.wants/trove-setup.service" cp -r etc "${DESTDIR}" mkdir -p "${DESTDIR}/var/www/htdocs" cp http-assets/* "${DESTDIR}/var/www/htdocs" -- cgit v1.2.1 From 607ad9d64080ca9e1721baa8bf306ec9127bf970 Mon Sep 17 00:00:00 2001 From: Pedro Alvarez Date: Wed, 9 Jul 2014 08:40:37 +0000 Subject: Add 'Install' section to the units --- units/git-daemon.service | 3 +++ units/lighttpd-git.service | 3 +++ units/lighttpd-morph-cache.service | 3 +++ 3 files changed, 9 insertions(+) diff --git a/units/git-daemon.service b/units/git-daemon.service index f6869c3..330169c 100644 
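Review bot: `install:` is a command target, not a file, but the Makefile declares no `.PHONY: install`, so a file or directory named `install` in the source tree would turn `make install` into a silent no-op; add `.PHONY: install` above the rule. The surviving `ln -sf ../trove-setup.service ...` now hard-codes the single unit enabled at install time while `cp units/*` still copies them all, which matches the commit message; a comment such as `# only trove-setup is enabled here; Ansible enables the other units once configured` would stop the next reader from re-adding the loop. The context line `cp -r etc "${DESTDIR}"` still copies `etc/`, although an earlier commit in this series moved cgitrc, gitano-setup.clod and lorry.conf to share/etc; if nothing remains in `etc/` that line fails and should go.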
--- a/units/git-daemon.service +++ b/units/git-daemon.service @@ -1,3 +1,6 @@ +[Install] +WantedBy=multi-user.target + [Unit] Description=Git Daemon for Trove After=network.target diff --git a/units/lighttpd-git.service b/units/lighttpd-git.service index b2f6315..94c67a4 100644 --- a/units/lighttpd-git.service +++ b/units/lighttpd-git.service @@ -1,3 +1,6 @@ +[Install] +WantedBy=multi-user.target + [Unit] Description=Lighttpd Web Server After=network.target diff --git a/units/lighttpd-morph-cache.service b/units/lighttpd-morph-cache.service index cedd071..c7f76e9 100644 --- a/units/lighttpd-morph-cache.service +++ b/units/lighttpd-morph-cache.service @@ -1,3 +1,6 @@ +[Install] +WantedBy=multi-user.target + [Unit] Description=Lighttpd Web Server After=network.target -- cgit v1.2.1 From 49ddac4e61b6dca7e4b794cf639b0a1b3d86db00 Mon Sep 17 00:00:00 2001 From: Pedro Alvarez Date: Tue, 17 Jun 2014 13:51:14 +0000 Subject: Add new resources needed to configure the lorry-controller They where generated in trove.configure before. --- share/etc/lorry-controller/minion.conf | 6 ++++++ share/etc/lorry-controller/webapp.conf | 12 ++++++++++++ 2 files changed, 18 insertions(+) create mode 100644 share/etc/lorry-controller/minion.conf create mode 100644 share/etc/lorry-controller/webapp.conf diff --git a/share/etc/lorry-controller/minion.conf b/share/etc/lorry-controller/minion.conf new file mode 100644 index 0000000..99abdba --- /dev/null +++ b/share/etc/lorry-controller/minion.conf @@ -0,0 +1,6 @@ +[config] +log = syslog +log-level = debug +webapp-host = localhost +webapp-port = 12765 +webapp-timeout = 3600 diff --git a/share/etc/lorry-controller/webapp.conf b/share/etc/lorry-controller/webapp.conf new file mode 100644 index 0000000..2e9df0d --- /dev/null +++ b/share/etc/lorry-controller/webapp.conf 
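Review bot: The added `[Install]` section is placed above `[Unit]` in all three units (git-daemon, lighttpd-git, lighttpd-morph-cache); systemd accepts any section order, but the conventional `[Unit]`/`[Service]`/`[Install]` layout is what readers and unit linters expect, so appending the section at the end of each file is preferable. Since `[Install]` only takes effect through enabling, which the Makefile commit in this series deliberately stops doing at install time, a one-line comment that Ansible's `service: enabled=yes` tasks rely on this section would explain why it is being added now.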
@@ -0,0 +1,12 @@
+[config]
+log = /home/lorry/webapp.log
+log-max = 100M
+log-keep = 10
+log-level = debug
+statedb = /home/lorry/webapp.db
+configuration-directory = /home/lorry/confgit
+status-html = /home/lorry/lc-status.html
+wsgi = yes
+debug-port = 12765
+templates = /usr/share/lorry-controller/templates
+confgit-url = ssh://git@localhost/{{ TROVE_ID }}/local-config/lorries
-- cgit v1.2.1
From e6bf7b4b32d477352cf45b4b0abb6993d524f78a Mon Sep 17 00:00:00 2001
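Review bot: `log-level = debug` ships as the default in both webapp.conf and minion.conf, and with `log-max = 100M` and `log-keep = 10` the webapp alone can retain up to 1 GB of debug output under /home/lorry; `info` is the safer installed default, with `debug` set only while troubleshooting. `debug-port = 12765` is the port minion.conf's `webapp-port = 12765` connects to while `wsgi = yes` is set; whether the WSGI deployment still listens on that debug port is not visible here, so a comment on that line naming the process that serves the minions would help the next maintainer.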
From: Pedro Alvarez Date: Wed, 18 Jun 2014 10:16:41 +0000 Subject: Add Ansible scripts --- ansible/hosts | 1 + ansible/roles/trove-setup/tasks/backups.yml | 16 ++++ ansible/roles/trove-setup/tasks/cache-setup.yml | 19 +++++ ansible/roles/trove-setup/tasks/check.yml | 73 +++++++++++++++++ ansible/roles/trove-setup/tasks/git.yml | 8 ++ .../roles/trove-setup/tasks/gitano-admin-setup.yml | 39 +++++++++ .../roles/trove-setup/tasks/gitano-lorry-setup.yml | 18 +++++ .../roles/trove-setup/tasks/gitano-mason-setup.yml | 16 ++++ ansible/roles/trove-setup/tasks/gitano-setup.yml | 45 +++++++++++ .../trove-setup/tasks/gitano-worker-setup.yml | 18 +++++ ansible/roles/trove-setup/tasks/hostname.yml | 26 ++++++ .../roles/trove-setup/tasks/known-hosts-setup.yml | 7 ++ ansible/roles/trove-setup/tasks/lighttpd.yml | 42 ++++++++++ .../trove-setup/tasks/lorry-controller-setup.yml | 92 ++++++++++++++++++++++ ansible/roles/trove-setup/tasks/lorry-setup.yml | 20 +++++ ansible/roles/trove-setup/tasks/main.yml | 18 +++++ ansible/roles/trove-setup/tasks/minions.yml | 20 +++++ ansible/roles/trove-setup/tasks/releases.yml | 30 +++++++ ansible/roles/trove-setup/tasks/site-groups.yml | 88 +++++++++++++++++++++ ansible/roles/trove-setup/tasks/users.yml | 38 +++++++++ ansible/trove-setup.yml | 6 ++ 21 files changed, 640 insertions(+) create mode 100644 ansible/hosts create mode 100644 ansible/roles/trove-setup/tasks/backups.yml create mode 100644 ansible/roles/trove-setup/tasks/cache-setup.yml create mode 100644 ansible/roles/trove-setup/tasks/check.yml create mode 100644 ansible/roles/trove-setup/tasks/git.yml create mode 100644 ansible/roles/trove-setup/tasks/gitano-admin-setup.yml create mode 100644 ansible/roles/trove-setup/tasks/gitano-lorry-setup.yml create mode 100644 ansible/roles/trove-setup/tasks/gitano-mason-setup.yml create mode 100644 ansible/roles/trove-setup/tasks/gitano-setup.yml create mode 100644 ansible/roles/trove-setup/tasks/gitano-worker-setup.yml create mode 100644 
ansible/roles/trove-setup/tasks/hostname.yml create mode 100644 ansible/roles/trove-setup/tasks/known-hosts-setup.yml create mode 100644 ansible/roles/trove-setup/tasks/lighttpd.yml create mode 100644 ansible/roles/trove-setup/tasks/lorry-controller-setup.yml create mode 100644 ansible/roles/trove-setup/tasks/lorry-setup.yml create mode 100644 ansible/roles/trove-setup/tasks/main.yml create mode 100644 ansible/roles/trove-setup/tasks/minions.yml create mode 100644 ansible/roles/trove-setup/tasks/releases.yml create mode 100644 ansible/roles/trove-setup/tasks/site-groups.yml create mode 100644 ansible/roles/trove-setup/tasks/users.yml create mode 100644 ansible/trove-setup.yml diff --git a/ansible/hosts b/ansible/hosts new file mode 100644 index 0000000..5b97818 --- /dev/null +++ b/ansible/hosts @@ -0,0 +1 @@ +localhost ansible_connection=local diff --git a/ansible/roles/trove-setup/tasks/backups.yml b/ansible/roles/trove-setup/tasks/backups.yml new file mode 100644 index 0000000..65a1466 --- /dev/null +++ b/ansible/roles/trove-setup/tasks/backups.yml @@ -0,0 +1,16 @@ +# Depends on: +# - check.yml +--- +- name: Create the backups user if TROVE_BACKUP_KEYS is defined + user: name=backup comment="Backup user" shell=/bin/sh home=/root/backup-user-home group=root uid=0 non_unique=yes + when: TROVE_BACKUP_KEYS is defined + +- name: Creates the .ssh directory to the backups user if TROVE_BACKUP_KEYS is defined + file: path=/root/backup-user-home/.ssh state=directory + when: TROVE_BACKUP_KEYS is defined + +- name: Copy the TROVE_BACKUP_KEYS if defined to authorized_keys of the backup user + shell: | + cat {{ TROVE_BACKUP_KEYS }} >> /root/backup-user-home/.ssh/authorized_keys + creates=/root/backup-user-home/.ssh/authorized_keys + when: TROVE_BACKUP_KEYS is defined diff --git a/ansible/roles/trove-setup/tasks/cache-setup.yml b/ansible/roles/trove-setup/tasks/cache-setup.yml new file mode 100644 index 0000000..162dacc --- /dev/null 
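Review bot: The backup account is created with `uid=0 non_unique=yes group=root`, so every key in TROVE_BACKUP_KEYS is an unrestricted root login, while the `.ssh` directory is left at the default mode, `authorized_keys` gets whatever the umask yields, and the key path is appended unquoted. If root-level backup access is required, set `mode=0700` on the `file:` task, write the keys with a module that sets `mode=0600` (`authorized_key:` or `copy:` rather than the `shell` append), and quote the source as `{{ TROVE_BACKUP_KEYS|quote }}` as check.yml does elsewhere. Because of `creates=`, the append runs once and a later change to TROVE_BACKUP_KEYS is silently ignored; `authorized_key:` per key would be idempotent, and forced-command options on those keys or a dedicated non-root user would reduce the blast radius.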
+++ b/ansible/roles/trove-setup/tasks/cache-setup.yml @@ -0,0 +1,19 @@ +# Depends on: +# - users.yml +--- +- name: Create artifacts and ccache folder for the cache user + file: path=/home/cache/{{ item }} state=directory owner=cache group=cache + with_items: + - artifacts + - ccache +- name: Create /etc/exports.d folder + file: path=/etc/exports.d state=directory +- name: Create /etc/exports.d/cache.exports + shell: | + echo '/home/cache/ccache *(rw,all_squash,no_subtree_check,anonuid=1002,anongid=1002)' > /etc/exports.d/cache.exports + creates=/etc/exports.d/cache.exports + register: cache_exports + +- name: Update nfs exports + shell: exportfs -av + when: cache_exports|changed diff --git a/ansible/roles/trove-setup/tasks/check.yml b/ansible/roles/trove-setup/tasks/check.yml new file mode 100644 index 0000000..d873030 --- /dev/null +++ b/ansible/roles/trove-setup/tasks/check.yml 
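Review bot: The export written to /etc/exports.d/cache.exports is `*(rw,all_squash,...)`, i.e. read-write to any host that can reach the NFS service, and `anonuid=1002,anongid=1002` hard-codes the cache user's ids even though that user is created in users.yml, which is not visible here. Restrict the export to the build workers' network (a CIDR taken from a variable in place of `*`) and derive the ids at run time, e.g. register `shell: id -u cache` and `id -g cache` and use the results in the echo. The `creates=` guard also means a later change to the export line is never applied; a `lineinfile`/`template` task instead of `echo >` would be the idempotent form.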
@@ -0,0 +1,73 @@ +--- +- fail: msg='TROVE_ID is mandatory' + when: TROVE_ID is not defined + +- fail: msg='TROVE_COMPANY is mandatory' + when: TROVE_COMPANY is not defined + +- fail: msg='TROVE_ADMIN_USER is mandatory' + when: TROVE_ADMIN_USER is not defined + +- fail: msg='TROVE_ADMIN_EMAIL is mandatory' + when: TROVE_ADMIN_EMAIL is not defined + +- fail: msg='TROVE_ADMIN_NAME is mandatory' + when: TROVE_ADMIN_NAME is not defined + +- fail: msg='LORRY_SSH_KEY is mandatory' + when: LORRY_SSH_KEY is not defined + +- fail: msg='LORRY_SSH_PUBKEY is mandatory' + when: LORRY_SSH_PUBKEY is not defined + +- fail: msg='TROVE_ADMIN_SSH_PUBKEY is mandatory' + when: TROVE_ADMIN_SSH_PUBKEY is not defined + +- fail: msg='WORKER_SSH_PUBKEY is mandatory' + when: WORKER_SSH_PUBKEY is not defined + +- fail: msg='UPSTREAM_TROVE is mandatory' + when: UPSTREAM_TROVE is not defined + +- set_fact: TROVE_HOSTNAME={{ TROVE_ID }} + when: TROVE_HOSTNAME is not defined + +- set_fact: LORRY_CONTROLLER_MINIONS=4 + when: LORRY_CONTROLLER_MINIONS is not defined + +- set_fact: MASON_ID='' + when: MASON_ID is not defined + +- set_fact: MASON_PORT='18755' + when: MASON_PORT is not defined + +- name: Calculate ESC_PREFIX + shell: echo -n {{ TROVE_ID|quote }} | perl -pe 's/([-+\(\).%*?^$\[\]])/%$1/g' + register: var_esc_prefix + changed_when: False + +- set_fact: ESC_PREFIX={{ var_esc_prefix.stdout }} + +- set_fact: ESC_PERSONAL_PREFIX='people' + +- set_fact: PEOPLE_COMMENT='#' + +- name: Check if the ssh keys are valid + shell: ssh-keygen -l -f {{ item }} + with_items: + - '{{ TROVE_ADMIN_SSH_PUBKEY }}' + - '{{ LORRY_SSH_PUBKEY }}' + - '{{ WORKER_SSH_PUBKEY }}' + changed_when: False + +- name: Check if the ssh keys are unique + shell: | + cat {{ TROVE_ADMIN_SSH_PUBKEY|quote}} \ + {{ LORRY_SSH_PUBKEY|quote }} \ + {{ WORKER_SSH_PUBKEY|quote }} \ + | cut -d ' ' -f 1,2 | sort -u | wc -l + changed_when: False + register: number_ssh_keys + +- fail: msg="The ssh keys MUST be different" + when: 
number_ssh_keys.stdout != '3' diff --git a/ansible/roles/trove-setup/tasks/git.yml b/ansible/roles/trove-setup/tasks/git.yml new file mode 100644 index 0000000..2e6b1fa --- /dev/null +++ b/ansible/roles/trove-setup/tasks/git.yml @@ -0,0 +1,8 @@ +# Depends on: +# - users.yml +--- +- name: Configure Git user.name and usr.email + shell: | + su git -c 'git config --global user.name "Trove Git Controller"' + su git -c 'git config --global user.email "git@trove"' + creates=/home/git/.gitconfig diff --git a/ansible/roles/trove-setup/tasks/gitano-admin-setup.yml b/ansible/roles/trove-setup/tasks/gitano-admin-setup.yml new file mode 100644 index 0000000..c4c3eb2 --- /dev/null +++ b/ansible/roles/trove-setup/tasks/gitano-admin-setup.yml 
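Review bot: `shell: ssh-keygen -l -f {{ item }}` passes the key paths unquoted while the next task quotes the same variables with `|quote`, so a path with a space or shell metacharacter is mis-parsed by one check and accepted by the other; use `{{ item|quote }}` here too. `MASON_SSH_PUBKEY` is absent from the mandatory-variable checks although gitano-mason-setup.yml copies it, and `set_fact: MASON_ID=''` yields a default that post-receive.lua renders as `:18755`; either validate both or make the mason tasks conditional on a non-empty MASON_ID. The uniqueness test compares `sort -u | wc -l` with `'3'`, which also misfires when one of the files holds more than one key; a comment stating the one-key-per-file assumption would document that.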
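Review bot: The task name reads `Configure Git user.name and usr.email`; `usr.email` should be `user.email`. The configured address `git@trove` is a fixed literal while the service accounts' user.conf files in this series use `{{ TROVE_HOSTNAME }}`; `git@{{ TROVE_HOSTNAME }}` here would keep committer identity consistent across the instance.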
@@ -0,0 +1,39 @@ +# Depends on: +# - gitano-setup.yml +--- +- name: Check if the admin user is configured in gitano (This task can fail) + shell: su git -c 'ssh git@localhost user' | grep '^'{{ TROVE_ADMIN_USER|regex_replace('(\\W)', '\\\\\\1')|quote}}':' + register: gitano_admin_user + changed_when: False + ignore_errors: True +# If the admin user doesn't exist +- name: Create the admin user + shell: su git -c 'ssh git@localhost user add '{{ TROVE_ADMIN_USER|quote|quote|quote}}' '{{ TROVE_ADMIN_EMAIL|quote|quote|quote }}' '{{ TROVE_ADMIN_NAME|quote|quote|quote }} + when: gitano_admin_user|failed + +- name: Check if admin user is in trove-admin group in gitano (This task can fail) + shell: su git -c 'ssh git@localhost as '{{ TROVE_ADMIN_USER|quote|quote|quote }}' whoami' | grep 'trove-admin. Trove-local administration' + register: gitano_admin_group + changed_when: False + ignore_errors: True +# If the admin user is not in the trove-admin group +- name: Add the admin user to the trove-admin group in gitano + shell: su git -c 'ssh git@localhost group adduser trove-admin '{{ TROVE_ADMIN_USER|quote|quote|quote }} + when: gitano_admin_group|failed + +- name: Check if admin user has a sshkey configured in gitano (This task can fail) + shell: su git -c 'ssh git@localhost as '{{ TROVE_ADMIN_USER|quote|quote|quote }}' sshkey' 2>&1 | grep WARNING + register: gitano_admin_key + changed_when: False + ignore_errors: True +# If admin user doesn't have an sshkey configured +- name: Create /home/git/keys/ to store sshkeys + file: path=/home/git/keys state=directory owner=git group=git + when: gitano_admin_key|success +- name: Copy the TROVE_ADMIN_SSH_PUBKEY to /home/git/keys/admin.key.pub + copy: src={{ TROVE_ADMIN_SSH_PUBKEY }} dest=/home/git/keys/admin.key.pub mode=0644 + when: gitano_admin_key|success + +- name: Add /home/git/keys/admin.key.pub ssh key to the admin user in gitano. 
+ shell: su git -c 'ssh git@localhost as '{{ TROVE_ADMIN_USER|quote|quote|quote}}' sshkey add default < /home/git/keys/admin.key.pub' + when: gitano_admin_key|success diff --git a/ansible/roles/trove-setup/tasks/gitano-lorry-setup.yml b/ansible/roles/trove-setup/tasks/gitano-lorry-setup.yml new file mode 100644 index 0000000..d52927a --- /dev/null +++ b/ansible/roles/trove-setup/tasks/gitano-lorry-setup.yml @@ -0,0 +1,18 @@ +# Depends on: +# - gitano-setup.yml +--- +- name: Check if lorry has a sshkey configured in gitano (This task can fail) + shell: su git -c 'ssh git@localhost as lorry sshkey' 2>&1 | grep WARNING + register: gitano_lorry_key + changed_when: False + ignore_errors: True +# If lorry user doesn't have an sshkey configured +- name: Create /home/git/keys folder to store ssh keys + file: path=/home/git/keys state=directory owner=git group=git + when: gitano_lorry_key|success +- name: Copy LORRY_SSH_PUBKEY to /home/git/keys/lorry.key.pub + copy: src={{ LORRY_SSH_PUBKEY }} dest=/home/git/keys/lorry.key.pub mode=0644 + when: gitano_lorry_key|success +- name: Add to the gitano lorry user the /home/git/keys/lorry.key.pub + shell: su git -c 'ssh git@localhost as lorry sshkey add trove < /home/git/keys/lorry.key.pub' + when: gitano_lorry_key|success diff --git a/ansible/roles/trove-setup/tasks/gitano-mason-setup.yml b/ansible/roles/trove-setup/tasks/gitano-mason-setup.yml new file mode 100644 index 0000000..8439078 --- /dev/null +++ b/ansible/roles/trove-setup/tasks/gitano-mason-setup.yml 
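Review bot: The presence checks (`... | grep '^'...':'` and `... 2>&1 | grep WARNING`) report only grep's exit status because the shell module runs them without pipefail, so a failure of `ssh git@localhost` itself is indistinguishable from "not present" and the `|failed` / `|success` conditions then run the add commands against a gitano that may not be answering; the same pattern is in gitano-lorry-setup.yml, gitano-mason-setup.yml and gitano-worker-setup.yml. Running the checks with `executable=/bin/bash` and `set -o pipefail`, or registering the output and testing `.stdout` instead of the exit code, separates the two cases. The `|quote|quote|quote` chain on TROVE_ADMIN_USER and friends is hard to reason about; a comment explaining what each quoting level is for (outer `su -c`, remote `ssh` command line, and gitano's own parsing, if that is the reason) would help, and building the inner command once in a quoted variable would cut the nesting.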
@@ -0,0 +1,16 @@ +# Depends on: +# - gitano-setup.yml +--- +- name: Check if mason has a sshkey configured in gitano (This task can fail) + shell: su git -c 'ssh git@localhost as mason sshkey' 2>&1 | grep WARNING + register: gitano_mason_key + changed_when: False + ignore_errors: True + +# If distbuild user doesn't have an sshkey configured +- file: path=/home/git/keys state=directory owner=git group=git + when: gitano_mason_key|success +- copy: src={{ MASON_SSH_PUBKEY }} dest=/home/git/keys/mason.key.pub mode=0644 + when: gitano_mason_key|success +- shell: su git -c 'ssh git@localhost as mason sshkey add trove < /home/git/keys/mason.key.pub' + when: gitano_mason_key|success diff --git a/ansible/roles/trove-setup/tasks/gitano-setup.yml b/ansible/roles/trove-setup/tasks/gitano-setup.yml new file mode 100644 index 0000000..0fd3ba5 --- /dev/null +++ b/ansible/roles/trove-setup/tasks/gitano-setup.yml 
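Review bot: `copy: src={{ MASON_SSH_PUBKEY }} ...` references a variable that check.yml neither requires nor defaults, so on a host where mason has no key yet the play aborts on an undefined variable instead of skipping; add `and MASON_SSH_PUBKEY is defined` to the three `when:` conditions or validate it in check.yml. The file, copy and shell tasks here carry no `name:` while the sibling lorry/worker files name every task, and the comment `# If distbuild user doesn't have an sshkey configured` was copied from the worker file and should say `mason`.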
@@ -0,0 +1,45 @@
+# Depends on:
+# - git.yml
+---
+# Before configuring Gitano, it's necessary to modify the placeholders
+# of the skeleton template of Gitano with the values of /etc/trove/trove.conf.
+# Ansible does not provide an efficient way to do this. Its template module
+# is not able to run recursively over directories, and is not able to create
+# the directories needed.
+#
+# The solution implemented consists in create the directories first and then
+# using the template module in all the files. This could be possible to
+# implement using the 'with_lines' option combinated with the 'find' command.
+#
+# Create the directories
+- name: Create the directories needed for the Gitano skeleton.
+ file: path=/etc/{{ item }} state=directory
+ with_lines:
+ - (cd /usr/share/trove-setup && find gitano -type d)
+# Copy all the files to the right place and fill the templates whenever possible
+- name: Create the Gitano skeleton using the templates
+ template: src=/usr/share/trove-setup/{{ item }} dest=/etc/{{ item }}
+ with_lines:
+ - (cd /usr/share/trove-setup && find gitano -type f)
+
+# Configure gitano
+- name: Configure Gitano with /etc/gitano-setup.clod
+ shell: |
+ su git -c 'gitano-setup /etc/gitano-setup.clod'
+ creates=/home/git/repos/gitano-admin.git
+
+- name: Unlock the password of the git user (This task can fail)
+ shell: busybox passwd -u git
+ register: passwd_result
+ changed_when: passwd_result|success
+ ignore_errors: True
+
+# Now that /home/git/repos exists, we can enable the git-daemon service
+- name: Enable the git-daemon.service
+ service: name=git-daemon.service enabled=yes
+ register: git_daemon_service
+
+# Now we can start the service without rebooting the system
+- name: Restart git-daemon.service
+ service: name=git-daemon state=restarted
+ when: git_daemon_service|changed
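Review bot: `busybox passwd -u git` is presumably there because sshd refuses logins to an account whose shadow entry is locked with `!`, but users.yml in this same series creates `git` with no password, so the field is a bare `!` and some `passwd -u` implementations turn that into an empty password instead of refusing. Check on the target busybox that the resulting shadow entry is `*` or a `!`-prefixed hash and not empty; if it is empty, set an unusable hash explicitly (`usermod -p '*' git`, or `password=*` on the `user:` task) rather than unlocking. The `template:` task writes every file found under `gitano/` into `/etc` with root's umask and no `owner=`/`mode=`; that is fine for the public skeleton, but any template that expands a secret from trove.conf should get an explicit `mode=0600`, and a comment saying which files (if any) do would help the next reader.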
diff --git a/ansible/roles/trove-setup/tasks/gitano-worker-setup.yml b/ansible/roles/trove-setup/tasks/gitano-worker-setup.yml
new file mode 100644
index 0000000..e0510e4
--- /dev/null
+++ b/ansible/roles/trove-setup/tasks/gitano-worker-setup.yml
@@ -0,0 +1,18 @@
+# Depends on:
+# - gitano-setup.yml
+---
+- name: Check if worker has a sshkey configured in gitano (This task can fail)
+ shell: su git -c 'ssh git@localhost as distbuild sshkey' 2>&1 | grep WARNING
+ register: gitano_worker_key
+ changed_when: False
+ ignore_errors: True
+# If distbuild user doesn't have an sshkey configured
+- name: Create /home/git/keys/ to store ssh keys
+ file: path=/home/git/keys state=directory owner=git group=git
+ when: gitano_worker_key|success
+- name: Copy WORKER_SSH_PUBKEY to /home/git/keys/worker.key.pub
+ copy: src={{ WORKER_SSH_PUBKEY }} dest=/home/git/keys/worker.key.pub mode=0644
+ when: gitano_worker_key|success
+- name: Add /home/git/keys/worker.key.pub to the distbuild user in Gitano
+ shell: su git -c 'ssh git@localhost as distbuild sshkey add trove < /home/git/keys/worker.key.pub'
+ when: gitano_worker_key|success
diff --git a/ansible/roles/trove-setup/tasks/hostname.yml b/ansible/roles/trove-setup/tasks/hostname.yml
new file mode 100644
index 0000000..f4a11e2
--- /dev/null
+++ b/ansible/roles/trove-setup/tasks/hostname.yml
@@ -0,0 +1,26 @@
+# Depends on:
+# - check.yml
+---
+- name: Check the /etc/hostname and compare it with HOSTNAME (This task can fail)
+ shell: su -c '[ "$(cat /etc/hostname)" == '{{ HOSTNAME|quote|quote }}' ]'
+ register: hostname_file
+ ignore_errors: True
+ changed_when: False
+ when: HOSTNAME is defined
+
+# If /etc/hostname doesn't match with HOSTNAME
+- name: Rewrite /etc/hostname with HOSTNAME
+ shell: echo {{ HOSTNAME|quote }} > /etc/hostname
+ when: hostname_file|failed
+
+- name: Check the actual hostname with `hostname` and compare it with HOSTNAME (This task can fail)
+ shell: sh -c '[ "$(hostname)" == '{{ HOSTNAME|quote|quote }}' ]'
+ register: actual_hostname
+ ignore_errors: True
+ changed_when: False
+ when: HOSTNAME is defined
+
+# If `hostname` doesn't match with HOSTNAME
+- name: Change the hostname to HOSTNAME
+ shell: hostname {{ HOSTNAME|quote }}
+ when: actual_hostname|failed
diff --git a/ansible/roles/trove-setup/tasks/known-hosts-setup.yml b/ansible/roles/trove-setup/tasks/known-hosts-setup.yml
new file mode 100644
index 0000000..6e988e0
--- /dev/null
+++ b/ansible/roles/trove-setup/tasks/known-hosts-setup.yml
@@ -0,0 +1,7 @@
+# Depends on:
+# - check.yml
+---
+- name: Add localhost and UPSTREAM_TROVE to /etc/ssh/ssh_known_hosts
+ shell: |
+ ssh-keyscan localhost {{ UPSTREAM_TROVE|quote }} > /etc/ssh/ssh_known_hosts
+ creates=/etc/ssh/ssh_known_hosts
diff --git a/ansible/roles/trove-setup/tasks/lighttpd.yml b/ansible/roles/trove-setup/tasks/lighttpd.yml
new file mode 100644
index 0000000..7a530e7
--- /dev/null
+++ b/ansible/roles/trove-setup/tasks/lighttpd.yml
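Review bot: Both comparisons use `==` inside `[ ]`, which is not POSIX `test`; on a `/bin/sh` whose `[` rejects it (dash does) the check errors out, `ignore_errors` turns that into a registered failure, and the two rewrite tasks then run on every play instead of only when the name differs. Use `=`: `[ "$(cat /etc/hostname)" = '{{ HOSTNAME|quote|quote }}' ]` and `[ "$(hostname)" = '{{ HOSTNAME|quote|quote }}' ]`. The first check runs through `su -c` and the second through `sh -c` for no visible reason; picking `sh -c` for both removes the dependency on root's login shell.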
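Review bot: The `ssh-keyscan` line trusts whatever host key UPSTREAM_TROVE presents during the first play, with nothing to compare it against, and `creates=` then freezes that answer for the life of the host: if the upstream is unreachable, or something else answers on that first boot, an empty or attacker-chosen entry is written and never revisited (as far as I can tell ssh-keyscan does not return non-zero for a host that simply times out, so the task would not fail either). At minimum append `test -s /etc/ssh/ssh_known_hosts` to the block so an empty result fails the task and is retried on the next boot, and consider carrying the upstream's host key in trove.conf so the entry is pinned rather than learned over the network.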
@@ -0,0 +1,42 @@
+---
+- name: Create /etc/lighttpd/certs directory
+ file: path=/etc/lighttpd/certs state=directory
+- name: Create certificates for lighttpd in /etc/lighttpd/certs/lighttpd.pem
+ shell: |
+ yes '' | openssl req -new -x509 \
+ -keyout /etc/lighttpd/certs/lighttpd.pem \
+ -out /etc/lighttpd/certs/lighttpd.pem -days 36525 -nodes
+ creates=/etc/lighttpd/certs/lighttpd.pem
+ register: lighttpd_certs
+- name: Create /var/run/lighttpd for cache user
+ file: path=/var/run/lighttpd state=directory owner=cache group=cache
+ register: lighttpd_folder
+
+# Now that the lighttpd certificates and the /var/run/lighttpd exist, we can
+# enable the lighttpd-git service
+- name: Enable lighttpd-git service
+ service: name=lighttpd-git.service enabled=yes
+ register: lighttpd_git_service
+
+# Now we can start the service without rebooting the system
+- name: Restart the lighttpd-git service
+ service: name=lighttpd-git state=restarted
+ when: lighttpd_git_service|changed
+
+# Once the service lighttpd-git is running it's possible to do the same
+# with the following services:
+# - lighttpd-morph-cache
+# - lighttpd-lorry-controller-webapp
+- name: Enable lighttpd-morph-cache service
+ service: name=lighttpd-morph-cache.service enabled=yes
+ register: lighttpd_morph_cache_service
+- name: Restart the lighttpd-morph-cache service
+ service: name=lighttpd-morph-cache state=restarted
+ when: lighttpd_morph_cache_service|changed
+
+- name: Enable the lighttpd-lorry-controller-webapp service
+ service: name=lighttpd-lorry-controller-webapp.service enabled=yes
+ register: lighttpd_lorry_controller_webapp_service
+- name: Restart the lighttpd-lorry-controller-webapp service
+ service: name=lighttpd-lorry-controller-webapp state=restarted
+ when: lighttpd_lorry_controller_webapp_service|changed
diff --git a/ansible/roles/trove-setup/tasks/lorry-controller-setup.yml b/ansible/roles/trove-setup/tasks/lorry-controller-setup.yml
new file mode 100644
index 0000000..06fab96
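Review bot: The `openssl req` block writes the private key and certificate together into `/etc/lighttpd/certs/lighttpd.pem` with whatever mode root's umask yields (typically 0644), and neither the directory task above it nor any later task tightens that, so the TLS private key ends up readable by every local account, including the unprivileged `lorry`, `mason` and `cache` users this role creates. Prefix the command with `umask 077 &&`, or follow it with a `file: path=/etc/lighttpd/certs/lighttpd.pem mode=0600` task whose `owner=` is whichever user lighttpd-git actually runs as (the `/var/run/lighttpd` task hints at `cache`, but the unit is not visible here). While there, pass an explicit `-newkey rsa:2048` instead of inheriting the openssl.cnf default, and note that `-days 36525` is a 100-year self-signed certificate; a shorter validity at least keeps rotation on the radar.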
--- /dev/null
+++ b/ansible/roles/trove-setup/tasks/lorry-controller-setup.yml
@@ -0,0 +1,92 @@
+# Depends on:
+# - gitano-setup.yml
+# - lighttpd.yml
+---
+- name: Create the TROVE_ID/local-config/lorries repository
+ shell: |
+ su git -c 'ssh localhost create '{{ TROVE_ID|quote|quote|quote }}'/local-config/lorries'
+ creates=/home/git/repos/{{ TROVE_ID|regex_replace('(\\W)', '\\\\\\1')}}/local-config/lorries.git
+- name: Create a temporary folder to copy templates
+ shell: su git -c 'mktemp -d'
+ register: lorry_controller_templates
+
+- name: Create the configuration files of lorry-controller using templates
+ template: src=/usr/share/trove-setup/{{ item }} dest={{ lorry_controller_templates.stdout }}/{{ item }} owner=git group=git mode=0644
+ with_items:
+ - lorry-controller.conf
+ - README.lorry-controller
+- name: Create a temporary folder to copy the lorry-controller repository
+ shell: su git -c 'mktemp -d'
+ register: lorry_controller_repository
+
+- name: Configure the lorry-controller
+ shell: |
+ su git -c 'git clone ssh://localhost/'{{ TROVE_ID|quote|quote }}'/local-config/lorries.git '{{ lorry_controller_repository.stdout|quote|quote }}'/lorries'
+ su git -c 'cp '{{ lorry_controller_templates.stdout|quote|quote }}'/lorry-controller.conf '{{ lorry_controller_repository.stdout|quote|quote }}'/lorries/lorry-controller.conf'
+ su git -c 'cp '{{ lorry_controller_templates.stdout|quote|quote }}'/README.lorry-controller '{{ lorry_controller_repository.stdout|quote|quote }}'/lorries/README'
+ su git -c 'mkdir '{{ lorry_controller_repository.stdout|quote|quote }}'/lorries/open-source-lorries'
+ su git -c 'cp /usr/share/trove-setup/open-source-lorries/README '{{ lorry_controller_repository.stdout|quote|quote }}'/lorries/open-source-lorries/README'
+ su git -c 'mkdir '{{ lorry_controller_repository.stdout|quote|quote }}'/lorries/closed-source-lorries'
+ su git -c 'cp /usr/share/trove-setup/closed-source-lorries/README '{{ lorry_controller_repository.stdout|quote|quote }}'/lorries/closed-source-lorries/README'
+ su git -c 'cd '{{ lorry_controller_repository.stdout|quote|quote }}'/lorries; git add README lorry-controller.conf open-source-lorries/README closed-source-lorries/README; git commit -m "Initial configuration"; git push origin master'
+ su git -c 'rm -rf '{{ lorry_controller_repository.stdout|quote|quote }}
+ creates=/home/git/repos/{{ TROVE_ID|regex_replace('(\\W)', '\\\\\\1')}}/local-config/lorries.git/refs/heads/master
+
+# Migration: Remove the old lorry-controller cronjob if exists
+- name: Look for lorry-controller old cronjob (This task can fail)
+ shell: su lorry -c 'crontab -l | grep -e "-c lorry-controller"'
+ register: lorry_controller_cronjob
+ changed_when: False
+ ignore_errors: True
+
+- name: Remove the old lorry-controller cronjob
+ shell: su lorry -c '/usr/libexec/remove-lorry-controller-from-lorry-crontab'
+ when: lorry_controller_cronjob|success
+
+
+# Now that the lorry-controller is configured we can enable the following
+# services and timers, and also start them
+# - lorry-controller-status
+# - lorry-controller-readconf
+# - lorry-controller-ls-troves
+- name: Enable lorry-controller-status service
+ service: name=lorry-controller-status.service enabled=yes
+ register: lorry_controller_status_service
+- name: Start lorry-controller-status service
+ service: name=lorry-controller-status.service state=restarted
+ when: lorry_controller_status_service|changed
+
+- name: Enable lorry-controller-readconf service
+ service: name=lorry-controller-readconf.service enabled=yes
+ register: lorry_controller_readconf_service
+- name: Start lorry-controller-readconf service
+ service: name=lorry-controller-readconf.service state=restarted
+ when: lorry_controller_readconf_service|changed
+
+- name: Enable lorry-controller-ls-troves service
+ service: name=lorry-controller-ls-troves.service enabled=yes
+ register: lorry_controller_ls_troves_service
+- name: Start lorry-controller-ls-troves service
+ service: name=lorry-controller-ls-troves.service state=restarted
+ when: lorry_controller_ls_troves_service|changed
+
+- name: Enable lorry-controller-status timer
+ service: name=lorry-controller-status.timer enabled=yes
+ register: lorry_controller_status_timer
+- name: Start lorry-controller-status timer
+ service: name=lorry-controller-status.timer state=restarted
+ when: lorry_controller_status_timer|changed
+
+- name: Enable lorry-controller-readconf timer
+ service: name=lorry-controller-readconf.timer enabled=yes
+ register: lorry_controller_readconf_timer
+- name: Start lorry-controller-readconf timer
+ service: name=lorry-controller-readconf.timer state=restarted
+ when: lorry_controller_readconf_timer|changed
+
+- name: Enable lorry-controller-ls-troves timer
+ service: name=lorry-controller-ls-troves.timer enabled=yes
+ register: lorry_controller_ls_troves_timer
+- name: Start lorry-controller-ls-troves timer
+ service: name=lorry-controller-ls-troves.timer state=restarted
+ when: lorry_controller_ls_troves_timer|changed
diff --git a/ansible/roles/trove-setup/tasks/lorry-setup.yml b/ansible/roles/trove-setup/tasks/lorry-setup.yml
new file mode 100644
index 0000000..c50b49d
--- /dev/null
+++ b/ansible/roles/trove-setup/tasks/lorry-setup.yml
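Review bot: The migration task `shell: su lorry -c '/usr/libexec/remove-lorry-controller-from-lorry-crontab'` depends on a helper that nothing in this series installs — the Makefile hunk further down copies only `ansible/` and `units/` under `${DESTDIR}` — so on any host where the `crontab -l | grep` check matches, this task fails on a missing file and the play stops before any of the lorry-controller services below are enabled. Either ship the helper, inline its effect (`crontab -l | grep -v -e "-c lorry-controller" | crontab -`), or drop the migration pair if no hosts with the old cronjob remain. Separately, both `mktemp -d` tasks run as `git` on every play, only `lorry_controller_repository` is ever removed, and only inside the `creates=`-guarded task, so each boot leaves one or two directories behind in /tmp; moving the `mktemp` calls into the guarded block, or adding `file: path=... state=absent` tasks at the end, would fix that.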
@@ -0,0 +1,20 @@
+# Depends on:
+# - users.yml
+---
+- name: Create bundles and tarballs folder for the lorry user
+ file: path=/home/lorry/{{ item }} state=directory owner=lorry group=lorry
+ with_items:
+ - bundles
+ - tarballs
+# Following the same strategy as explained in gitano-setup.yml, use
+# templates recursively over directories.
+# Create the directories needed to copy the files
+- name: Create directories needed in /etc for the lorry configuration
+ file: path=/etc/{{ item }} state=directory
+ with_lines:
+ - (cd /usr/share/trove-setup/etc && find -type d)
+# Copy all the files to the right place and fill the templates whenever possible
+- name: Add the configuration needed for lorry in /etc using templates
+ template: src=/usr/share/trove-setup/etc/{{ item }} dest=/etc/{{ item }}
+ with_lines:
+ - (cd /usr/share/trove-setup/etc && find -type f)
diff --git a/ansible/roles/trove-setup/tasks/main.yml b/ansible/roles/trove-setup/tasks/main.yml
new file mode 100644
index 0000000..35fd807
--- /dev/null
+++ b/ansible/roles/trove-setup/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+- include: check.yml
+- include: hostname.yml
+- include: known-hosts-setup.yml
+- include: users.yml
+- include: cache-setup.yml
+- include: lighttpd.yml
+- include: lorry-setup.yml
+- include: git.yml
+- include: gitano-setup.yml
+- include: lorry-controller-setup.yml
+- include: minions.yml
+- include: site-groups.yml
+- include: releases.yml
+- include: gitano-worker-setup.yml
+- include: gitano-lorry-setup.yml
+- include: gitano-admin-setup.yml
+- include: backups.yml
diff --git a/ansible/roles/trove-setup/tasks/minions.yml b/ansible/roles/trove-setup/tasks/minions.yml
new file mode 100644
index 0000000..a5b3d8d
--- /dev/null
+++ b/ansible/roles/trove-setup/tasks/minions.yml
@@ -0,0 +1,20 @@
+# Depends on:
+# - lorry-controller-setup.yml
+---
+# This is a workaround because the service module and the current
+# systemd version doesn't work well enough with template units.
+#
+# It ALWAYS runs `systemctl enable` for all the minions to be
+# created, but it only reports that the status of the task has changed
+# when in the stderr output is the string "ln -s" (which means the
+# unit has been enabled).
+- name: Enable as many MINIONS as specified in LORRY_CONTROLLER_MINIONS
+ shell: systemctl enable lorry-controller-minion@{{ item }}.service
+ with_sequence: count={{ LORRY_CONTROLLER_MINIONS }}
+ changed_when: "'ln -s' in minions_creation.stderr"
+ register: minions_creation
+
+- name: Start the all the MINIONS created (if any)
+ service: name=lorry-controller-minion@{{ item.item }} state=restarted
+ with_items: minions_creation.results
+ when: item|changed
diff --git a/ansible/roles/trove-setup/tasks/releases.yml b/ansible/roles/trove-setup/tasks/releases.yml
new file mode 100644
index 0000000..bcb031e
--- /dev/null
+++ b/ansible/roles/trove-setup/tasks/releases.yml
@@ -0,0 +1,30 @@
+# Depends on:
+# - site-groups.yml
+---
+- name: Create the releases repository
+ shell: |
+ su git -c 'ssh localhost create '{{ TROVE_ID|quote|quote|quote }}'/site/releases'
+ creates=/home/git/repos/{{ TROVE_ID|regex_replace('(\\W)', '\\\\\\1')}}/site/releases.git
+
+- name: Create temporary folder to copy templates
+ shell: su git -c 'mktemp -d'
+ register: releases_templates
+- name: Create the files needed for the releases repository
+ template: src=/usr/share/trove-setup/releases-repo-README dest={{ releases_templates.stdout }}/releases-repo-README owner=git group=git mode=0644
+
+- name: Create temporary folder to clone the releases repository
+ shell: su git -c 'mktemp -d'
+ register: releases_repository
+- name: Configure the releases repository
+ shell: |
+ su git -c 'git clone ssh://localhost/'{{ TROVE_ID|quote|quote }}'/site/releases.git '{{ releases_repository.stdout|quote|quote }}'/releases'
+ su git -c 'cp '{{ releases_templates.stdout|quote|quote }}'/releases-repo-README '{{ releases_repository.stdout|quote|quote }}'/releases/README'
+ su git -c 'cd '{{ releases_repository.stdout|quote|quote }}'/releases; git add README; git commit -m "Add README"; git push origin master'
+ su -c "rm -Rf {{ releases_repository.stdout|quote|quote }}"
+ creates=/home/git/repos/{{ TROVE_ID|regex_replace('(\\W)', '\\\\\\1')}}/site/releases.git/refs/heads/master
+
+- name: Link the releases repository to enable the access throught browser
+ file: |
+ src=/home/git/repos/{{ TROVE_ID }}/site/releases.git/rsync
+ dest=/var/www/htdocs/releases state=link
+ force=yes
diff --git a/ansible/roles/trove-setup/tasks/site-groups.yml b/ansible/roles/trove-setup/tasks/site-groups.yml
new file mode 100644
index 0000000..e4aff14
--- /dev/null
+++ b/ansible/roles/trove-setup/tasks/site-groups.yml
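Review bot: `su -c "rm -Rf {{ releases_repository.stdout|quote|quote }}"` in the configure block runs the deletion as root, while every other step here, and the matching cleanup in lorry-controller-setup.yml, runs as `git`; the path is the registered stdout of an earlier command, so keep the blast radius of an unexpected value to what `git` may delete: `su git -c 'rm -rf '{{ releases_repository.stdout|quote|quote }}`. The `releases_templates` directory created two tasks earlier is never removed, and both `mktemp -d` tasks run on every play rather than only when the `creates=` guard lets the configure step run, so temp directories accumulate in /tmp across boots.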
@@ -0,0 +1,88 @@
+# Depends on:
+# - gitano-setup.yml
+---
+# First of all check if the site groups are created.
+- name: Check for site groups (This task can fail)
+ shell: su git -c 'ssh git@localhost group list' | grep '^'{{ item.name|quote }}':'
+ changed_when: False
+ ignore_errors: True
+ with_items:
+ - { name: 'site-readers', description: 'Users with read access to the site project' }
+ - { name: 'site-writers', description: 'Users with write access to the site project' }
+ - { name: 'site-admins', description: 'Users with admin access to the site project' }
+ - { name: 'site-managers', description: 'Users with manager access to the site project' }
+ register: gitano_groups
+# Iterate over the results of the previous check, and create the sites needed.
+# In this task we are using the list of results of the previous task
+# - item is the result of the execution of one of the elements of
+# the list of the previous task.
+# - item.item is the item of the previous task being executed when
+# the result (stored in item) was taken.
+#
+# For example, the task: (From http://docs.ansible.com/playbooks_loops.html#using-register-with-a-loop)
+#
+# - shell: echo "{{ item }}"
+# with_items:
+# - one
+# - two
+# register: echo
+#
+# Would register in the variable "echo":
+#
+# {
+# "changed": true,
+# "msg": "All items completed",
+# "results": [
+# {
+# "changed": true,
+# "cmd": "echo \"one\" ",
+# "delta": "0:00:00.003110",
+# "end": "2013-12-19 12:00:05.187153",
+# "invocation": {
+# "module_args": "echo \"one\"",
+# "module_name": "shell"
+# },
+# "item": "one",
+# "rc": 0,
+# "start": "2013-12-19 12:00:05.184043",
+# "stderr": "",
+# "stdout": "one"
+# },
+# {
+# "changed": true,
+# "cmd": "echo \"two\" ",
+# "delta": "0:00:00.002920",
+# "end": "2013-12-19 12:00:05.245502",
+# "invocation": {
+# "module_args": "echo \"two\"",
+# "module_name": "shell"
+# },
+# "item": "two",
+# "rc": 0,
+# "start": "2013-12-19 12:00:05.242582",
+# "stderr": "",
+# "stdout": "two"
+# }
+# ]
+# }
+
+- name: Create the site groups needed.
+ shell: su git -c 'ssh git@localhost group add '{{ item.item.name|quote|quote|quote }}' '{{ item.item.description|quote|quote|quote }}
+ when: item|failed
+ with_items: gitano_groups.results
+
+# When the groups are created, check if they are linked.
+- name: Check for linked groups (This task can fail)
+ shell: su git -c 'ssh git@localhost group show '{{ item.name|quote|quote|quote }} | grep '^ \[] '{{ item.super_group|quote }}
+ changed_when: False
+ ignore_errors: True
+ with_items:
+ - { name: 'site-readers', super_group: 'site-writers' }
+ - { name: 'site-writers', super_group: 'site-admins' }
+ - { name: 'site-admins', super_group: 'site-managers' }
+ register: gitano_linked_groups
+
+# Link the groups that weren't linked following the same strategy as for the groups
+- shell: su git -c 'ssh git@localhost group addgroup '{{ item.item.name|quote|quote|quote }}' '{{ item.item.super_group|quote|quote|quote }}
+ when: item|failed
+ with_items: gitano_linked_groups.results
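Review bot: The final `group addgroup` task is the only one in the file without a `name:`, so a failure there shows up in the `-v` output as a bare `shell` module; add `- name: Link the site groups that are not linked yet`. The ~50-line pasted JSON example between the two checks restates the Ansible docs it links to and dwarfs the logic it explains; the `item` / `item.item` note already above it plus the URL is enough, and keeping the file short makes the `when: item|failed` flow easier to audit.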
diff --git a/ansible/roles/trove-setup/tasks/users.yml b/ansible/roles/trove-setup/tasks/users.yml
new file mode 100644
index 0000000..c1ab866
--- /dev/null
+++ b/ansible/roles/trove-setup/tasks/users.yml
@@ -0,0 +1,38 @@
+# Depends on:
+# - check.yml
+---
+- name: Create the lorry user without generating sshkeys.
+ user: name=lorry comment="Trove lorry service" shell=/bin/bash
+- name: Create the /home/lorry/.ssh folder
+ file: path=/home/lorry/.ssh state=directory owner=lorry group=lorry mode=0700
+
+- name: Create users (git, cache, mason) and ssh keys for them.
+ user: name={{ item }} comment="Trove {{ item }} service" shell=/bin/bash generate_ssh_key=yes
+ with_items:
+ - git
+ - cache
+ - mason
+- name: Create known_hosts for all the users
+ shell: |
+ cat /etc/ssh/ssh_host_*_key.pub | cut -d\ -f1,2 | \
+ sed -e's/^/'{{ TROVE_HOSTNAME|regex_replace('(\\W)', '\\\\\\1')|quote }}',localhost /' > \
+ /home/{{ item }}/.ssh/known_hosts
+ chown {{ item }}:{{ item }} /home/{{ item }}/.ssh/known_hosts
+ chmod 600 /home/{{ item }}/.ssh/known_hosts
+ creates=/home/{{ item }}/.ssh/known_hosts
+ with_items:
+ - git
+ - cache
+ - mason
+ - lorry
+
+- name: Copy the lorry ssh private key
+ copy: |
+ src={{ LORRY_SSH_KEY }}
+ dest=/home/lorry/.ssh/id_rsa
+ owner=lorry group=lorry mode=600
+- name: Copy the lorry ssh public key
+ copy: |
+ src={{ LORRY_SSH_PUBKEY }}
+ dest=/home/lorry/.ssh/id_rsa.pub
+ owner=lorry group=lorry mode=644
diff --git a/ansible/trove-setup.yml b/ansible/trove-setup.yml
new file mode 100644
index 0000000..0ab7f0e
--- /dev/null
+++ b/ansible/trove-setup.yml
@@ -0,0 +1,6 @@
+---
+- hosts: localhost
+ vars_files:
+ - "/etc/trove/trove.conf"
+ roles:
+ - trove-setup
-- cgit v1.2.1
From 24cad9837ea25784243e0c485b9fe954f9a8a5a8 Mon Sep 17 00:00:00 2001
From: Pedro Alvarez
Date: Wed, 18 Jun 2014 11:53:27 +0000
Subject: Install Ansible scripts and create a unit to run them
---
Makefile | 2 ++
units/trove-setup.service | 16 ++++++++++++++++
2 files changed, 18 insertions(+)
create mode 100644 units/trove-setup.service
diff --git a/Makefile b/Makefile
index 52e3106..134436b 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,6 @@
 install:
+ mkdir -p "${DESTDIR}/usr/lib/trove-setup/ansible"
+ cp -r ansible/* "${DESTDIR}/usr/lib/trove-setup/ansible"
 mkdir -p "${DESTDIR}/usr/lib/systemd/system/multi-user.target.wants"
 cp units/* "${DESTDIR}/usr/lib/systemd/system"
 ln -sf ../trove-setup.service "${DESTDIR}/usr/lib/systemd/system/multi-user.target.wants/trove-setup.service"
diff --git a/units/trove-setup.service b/units/trove-setup.service
new file mode 100644
index 0000000..3b923a2
--- /dev/null
+++ b/units/trove-setup.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Run trove-setup Ansible scripts
+Requires=network.target
+After=network.target
+Requires=opensshd.service
+After=opensshd.service
+
+# If there's a shared /var subvolume, it must be mounted before this
+# unit runs.
+Requires=local-fs.target
+After=local-fs.target
+
+ConditionPathExists=/etc/trove/trove.conf
+
+[Service]
+ExecStart=/usr/bin/ansible-playbook -v -i /usr/lib/trove-setup/ansible/hosts /usr/lib/trove-setup/ansible/trove-setup.yml
-- cgit v1.2.1
From d349c9a35d3d53ebfc9f26df373e84fa5986a1b6 Mon Sep 17 00:00:00 2001
From: Pedro Alvarez
Date: Thu, 19 Jun 2014 10:35:18 +0000
Subject: Update skel path of gitano
---
share/etc/gitano-setup.clod | 1 +
1 file changed, 1 insertion(+)
diff --git a/share/etc/gitano-setup.clod b/share/etc/gitano-setup.clod
index 6139c4e..511479f 100644
--- a/share/etc/gitano-setup.clod
+++ b/share/etc/gitano-setup.clod
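Review bot: `[Service]` in trove-setup.service has no `Type=`, so systemd runs the playbook as a default `simple` service: the unit is considered started as soon as ansible-playbook forks, anything ordered `After=trove-setup.service` will not wait for the repositories, keys and lighttpd certificate the play creates, and a play that fails part-way is not reported as a failed unit. Add `Type=oneshot` and `RemainAfterExit=yes` under `[Service]` so ordering and failure are meaningful. Note also that `-v` logs every registered task result to the journal; none of the tasks visible in this series register key material, but a future task that captures the output of a command printing a secret would leak it there.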
@@ -4,6 +4,7 @@ paths.home "/home/git" paths.ssh "/home/git/.ssh" paths.pubkey "/home/git/.ssh/id_rsa.pub" paths.repos "/home/git/repos" +paths.skel "/etc/gitano/skel/gitano-admin" admin.username "trove" admin.realname "Trove Instance Administrator" -- cgit v1.2.1