system-config/playbooks/roles/gerrit/tasks/main.yaml


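# Bring the project-config checkout onto the host first; later tasks in
# this role (projects.ini, manage-projects) presumably read from it.
- name: Sync project-config
  include_role:
    name: sync-project-config

# The compose definition lives outside the Gerrit site tree.  File modes
# are quoted throughout this role: a leading-zero octal like 0755 is only
# octal under YAML 1.1, a 1.2 parser reads it as decimal 755.
- name: Ensure /etc/gerrit-compose directory
  file:
    state: directory
    path: /etc/gerrit-compose
    mode: "0755"

- name: Put docker-compose file in place
  template:
    src: docker-compose.yaml.j2
    dest: /etc/gerrit-compose/docker-compose.yaml
    mode: "0644"

# Left over from the earlier (podman-based, judging by the name) layout;
# removed so nothing stale is picked up by mistake.
- name: Clean up old directory
  file:
    state: absent
    path: /etc/gerrit-podman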
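# Service account for Gerrit.  The group is created first so the user can
# take it as primary group; uid and gid are both pinned to gerrit_id,
# presumably so ownership of bind-mounted files is stable across the
# container boundary -- confirm against the compose template.
# Booleans are written as true/false: yes/no are YAML 1.1 only.
- name: Create Gerrit Group
  group:
    name: "{{ gerrit_user_name }}"
    gid: "{{ gerrit_id }}"
    system: true

- name: Create Gerrit User
  user:
    name: "{{ gerrit_user_name }}"
    uid: "{{ gerrit_id }}"
    comment: Gerrit User
    shell: /bin/bash
    home: "{{ gerrit_home_dir }}"
    group: "{{ gerrit_user_name }}"
    create_home: true
    system: true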
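# Site tree and the per-volume subdirectories below it.  All are owned by
# the Gerrit service account and world-readable (0755); anything that must
# be private (secure.config, private keys) gets a tighter mode on the file
# itself further down.
- name: Ensure review_site directory exists
  file:
    state: directory
    path: "{{ gerrit_site_dir }}"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0755"

# etc must exist before etc/its; the loop is ordered accordingly.
- name: Ensure Gerrit volume directories exists
  file:
    state: directory
    path: "{{ gerrit_site_dir }}/{{ item }}"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0755"
  loop:
    - cache
    - data
    - db
    - etc
    - etc/its
    - git
    - hooks
    - index
    - logs
    - tmp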
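# Gerrit configuration files rendered into the site's etc/ directory.
# gerrit.config, replication.config and jgit.config are world-readable;
# secure.config is the file Gerrit keeps credentials in, hence owner-only.
- name: Write Gerrit config file
  template:
    src: gerrit.config.j2
    dest: "{{ gerrit_site_dir }}/etc/gerrit.config"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0644"

- name: Write Gerrit secure config file
  template:
    src: secure.config.j2
    dest: "{{ gerrit_site_dir }}/etc/secure.config"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0600"

# Only written when a replication target set is defined for this host; an
# existing replication.config is left untouched otherwise.
- name: Write Gerrit replication config
  template:
    src: replication.config.j2
    dest: "{{ gerrit_site_dir }}/etc/replication.config"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0644"
  when: gerrit_replication is defined

- name: Write Gerrit JGit config
  template:
    src: jgit.config.j2
    dest: "{{ gerrit_site_dir }}/etc/jgit.config"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0644"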
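# Server host key for the SSH service on port 29418.  Key material comes
# from variables (expected to be supplied from secret storage, not from
# this repository); private halves are owner-only, public halves 0644.
- name: Write Gerrit SSH host private key
  copy:
    content: "{{ gerrit_ssh_rsa_key_contents }}"
    dest: "{{ gerrit_site_dir }}/etc/ssh_host_rsa_key"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0600"

- name: Write Gerrit SSH host public key
  copy:
    content: "{{ gerrit_ssh_rsa_pubkey_contents }}"
    dest: "{{ gerrit_site_dir }}/etc/ssh_host_rsa_key.pub"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0644"

# Private key for the openstack-project-creator user.
- name: Write Gerrit SSH project private key
  copy:
    content: "{{ gerrit_project_ssh_rsa_key_contents }}"
    dest: "{{ gerrit_site_dir }}/etc/ssh_project_rsa_key"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0600"

# Public key for the openstack-project-creator user.
- name: Write Gerrit SSH project public key
  copy:
    content: "{{ gerrit_project_ssh_rsa_pubkey_contents }}"
    dest: "{{ gerrit_site_dir }}/etc/ssh_project_rsa_key.pub"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0644"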
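# Key pair for the welcome-message user.  Each half is guarded by its own
# "is defined" check, so a host that sets only one of the two variables
# gets only that file -- presumably they are always set together; confirm.
- name: Write Welcome SSH private key
  copy:
    content: "{{ welcome_message_gerrit_ssh_private_key }}"
    dest: "{{ gerrit_site_dir }}/etc/ssh_welcome_rsa_key"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0600"
  when: welcome_message_gerrit_ssh_private_key is defined

- name: Write Welcome SSH public key
  copy:
    content: "{{ welcome_message_gerrit_ssh_public_key }}"
    dest: "{{ gerrit_site_dir }}/etc/ssh_welcome_rsa_key.pub"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0644"
  when: welcome_message_gerrit_ssh_public_key is defined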
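# Outbound SSH identity for the Gerrit service account (used when Gerrit
# itself connects to other systems, e.g. replication targets).  The
# directory is owner-only as sshd/ssh expect.
- name: Ensure .ssh directory exists
  file:
    state: directory
    path: "{{ gerrit_home_dir }}/.ssh"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0700"

# Private RSA A key for gerrit user to connect to other systems,
# such as for replication.  This one is the default identity (id_rsa).
- name: Write Gerrit SSH private RSA A key
  copy:
    content: "{{ gerrit_replication_ssh_rsa_key_contents }}"
    dest: "{{ gerrit_home_dir }}/.ssh/id_rsa"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0600"

- name: Write Gerrit SSH public RSA A key
  copy:
    content: "{{ gerrit_replication_ssh_rsa_pubkey_contents }}"
    dest: "{{ gerrit_home_dir }}/.ssh/id_rsa.pub"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0644"

# Private RSA B key for gerrit user to connect to other systems,
# such as for replication.  Selected per host by the ssh config below.
- name: Write Gerrit SSH private RSA B key
  copy:
    content: "{{ gerrit_replication_ssh_rsa_B_key_contents }}"
    dest: "{{ gerrit_home_dir }}/.ssh/replication_id_rsa_B"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0600"

- name: Write Gerrit SSH public RSA B key
  copy:
    content: "{{ gerrit_replication_ssh_rsa_B_pubkey_contents }}"
    dest: "{{ gerrit_home_dir }}/.ssh/replication_id_rsa_B.pub"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0644"

# Static ssh client config (not a template) choosing which of the keys
# above is offered to which replication target.
- name: SSH config to select the appropriate key above for replication
  copy:
    src: gerrit_ssh_config
    dest: "{{ gerrit_home_dir }}/.ssh/config"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0644"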
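# Make the directory even if we don't have creds, to keep the bind mount
# in the docker-compose file simple.
# NOTE(review): 0775 leaves the directory group-writable while the creds
# file inside it is 0600; confirm the group write bit is actually needed
# by the container, otherwise 0755 would do.
- name: Ensure launchpadlib directory exists
  file:
    state: directory
    path: "{{ gerrit_home_dir }}/.launchpadlib"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0775"

# The hook scripts below use update-bug (provided by jeepyb) together with
# this authentication file.  Rendered from a template, owner-only.
- name: Write Launchpad creds file
  template:
    src: infra_lp_creds.j2
    dest: "{{ gerrit_home_dir }}/.launchpadlib/creds"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0600"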
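# Gerrit event hooks, installed read-and-execute only (0555) so the
# service account cannot modify them at runtime.
- name: Copy static hooks
  copy:
    src: "hooks/{{ item }}"
    dest: "{{ gerrit_site_dir }}/hooks/{{ item }}"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0555"
  loop:
    - change-merged
    - change-abandoned
    - patchset-created

# Static plugin configuration (quoting unified with the rest of the file;
# single and double quotes are equivalent for these values).
- name: Write ITS plugin configuration file
  copy:
    src: its/actions.config
    dest: "{{ gerrit_site_dir }}/etc/its/actions.config"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0644"

- name: Write Gitiles plugin configuration file
  copy:
    src: gitiles.config
    dest: "{{ gerrit_site_dir }}/etc/gitiles.config"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0644"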
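# Root-owned wrapper script; executable by everyone but writable only by
# root, so the service account cannot alter what runs as root later.
- name: Write manage-projects script
  template:
    src: "manage-projects.j2"
    dest: "/usr/local/bin/manage-projects"
    owner: root
    group: root
    mode: "0755"

# NOTE(review): user and home directory are hard-coded here, whereas the
# rest of this role uses gerrit_user_name / gerrit_home_dir -- confirm the
# two agree before relying on either set of variables.
- name: Write projects.ini
  template:
    src: projects.ini.j2
    dest: /home/gerrit2/projects.ini
    owner: gerrit2
    group: gerrit2
    mode: "0600"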
# Pin host keys from the gerrit_known_hosts_keys dict (hostname -> key
# line) for both accounts that open SSH connections from this host.  Without
# an explicit path the known_hosts module writes to the running user's own
# ~/.ssh/known_hosts, i.e. root's; the gerrit2 copy names its path.
- name: Accept own own hostkey for root
  known_hosts:
    name: "{{ item.key }}"
    key: "{{ item.value }}"
    state: present
  when: gerrit_known_hosts_keys is defined
  loop: "{{ gerrit_known_hosts_keys | dict2items }}"

- name: Accept own own hostkey for gerrit2
  known_hosts:
    path: "/home/gerrit2/.ssh/known_hosts"
    name: "{{ item.key }}"
    key: "{{ item.value }}"
    state: present
  when: gerrit_known_hosts_keys is defined
  loop: "{{ gerrit_known_hosts_keys | dict2items }}"
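# Apache in front of Gerrit: reverse proxy plus TLS termination, which is
# why proxy/proxy_http/ssl/headers/rewrite are the modules enabled.
- name: Install apache2
  apt:
    name:
      - apache2
      - apache2-utils
    state: present

- name: Apache modules
  apache2_module:
    state: present
    name: "{{ item }}"
  loop:
    - rewrite
    - proxy
    - proxy_http
    - ssl
    - headers

# Written directly into sites-enabled over the distribution default site
# file, so no a2ensite step is needed; the handler reloads apache on change.
- name: Copy apache config
  template:
    src: gerrit.vhost.j2
    dest: /etc/apache2/sites-enabled/000-default.conf
    owner: root
    group: root
    mode: "0644"
  notify: gerrit Reload apache2

- name: Copy redirect config
  template:
    src: redirect.vhost.j2
    dest: "/etc/apache2/sites-enabled/010-{{ gerrit_redirect_vhost }}.conf"
    owner: root
    group: root
    mode: "0644"
  when: gerrit_redirect_vhost is defined
  notify: gerrit Reload apache2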
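# NOTE(ianw) This deliberately does not set owner/group/mode, as the
# mariadb container chowns this directory to be owned by a
# container-internal user and drops root privileges. We don't want to
# reset this from outside the container.
- name: Setup reviewdb directory for mariadb
  file:
    state: directory
    path: /home/gerrit2/reviewdb

# Client credentials for the database, readable only by its owner.  No
# owner/group is set, so the file belongs to whichever user Ansible runs
# the task as (presumably root, given the /root destination).
- name: Set up root mariadb conf file
  template:
    src: root.my.cnf.mariadb_container.j2
    dest: /root/.gerrit_db.cnf
    mode: "0400"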
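- name: Start gerrit
  include_tasks: start.yaml

# Nightly repack of every bare repository under the site's git/ tree, run
# as the service account.  The cron entry is identified by its name, so the
# (misspelt) name must stay as-is or a second job would be created.
- name: Set up cron job to optmize git repos
  cron:
    name: optmize-git-repos
    state: present
    user: gerrit2
    job: 'find /home/gerrit2/review_site/git/ -type d -name "*.git" -print -exec git --git-dir="{}" gc \;'
    minute: 17
    hour: 4

# Gerrit rotates their own logs, but doesn't clean them out.
# Delete logs older than a month.
# The pattern is matched by find itself rather than by a shell glob: with
# "find dir/*.gz" an empty logs directory leaves the literal pattern in
# place, so find exits non-zero (and cron mails an error) every night there
# is nothing to delete.  -maxdepth 1 keeps the glob's non-recursive scope.
- name: Set up cron job to clean old gerrit logs
  cron:
    name: clear-gerrit-logs
    state: present
    user: gerrit2
    job: 'find /home/gerrit2/review_site/logs/ -maxdepth 1 -name "*.gz" -mtime +30 -exec rm -f {} \;'
    minute: 1
    hour: 6

- name: Setup db backups
  include_tasks: backup.yaml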
# Diagnostic tool only: lets an operator inspect the firewall's connection
# tracking table on this host.
- name: Install conntrack
  package:
    state: present
    name: conntrack