system-config/playbooks/roles/gerrit/tasks/main.yaml

- name: Sync project-config
  include_role:
    name: sync-project-config

- name: Ensure /etc/gerrit-compose directory
  file:
    state: directory
    path: /etc/gerrit-compose
    mode: 0755

- name: Put docker-compose file in place
  template:
    src: docker-compose.yaml.j2
    dest: /etc/gerrit-compose/docker-compose.yaml
    mode: 0644

- name: Clean up old directory
  file:
    state: absent
    path: /etc/gerrit-podman

- name: Create Gerrit Group
  group:
    name: "{{ gerrit_user_name }}"
    gid: "{{ gerrit_id }}"
    system: yes

- name: Create Gerrit User
  user:
    name: "{{ gerrit_user_name }}"
    uid: "{{ gerrit_id }}"
    comment: Gerrit User
    shell: /bin/bash
    home: "{{ gerrit_home_dir }}"
    group: "{{ gerrit_user_name }}"
    create_home: yes
    system: yes

- name: Ensure review_site directory exists
  file:
    state: directory
    path: "{{ gerrit_site_dir }}"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0755

- name: Ensure Gerrit volume directories exists
  file:
    state: directory
    path: "{{ gerrit_site_dir }}/{{ item }}"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0755
  loop:
    - cache
    - data
    - db
    - etc
    - etc/its
    - git
    - hooks
    - index
    - logs
    - tmp

- name: Write Gerrit config file
  template:
    src: gerrit.config.j2
    dest: "{{ gerrit_site_dir }}/etc/gerrit.config"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0644

- name: Write Gerrit secure config file
  template:
    src: secure.config.j2
    dest: "{{ gerrit_site_dir }}/etc/secure.config"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0600

- name: Write Gerrit replication config
  template:
    src: replication.config.j2
    dest: "{{ gerrit_site_dir }}/etc/replication.config"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0644
  when: gerrit_replication is defined

- name: Write Gerrit JGit config
  template:
    src: jgit.config.j2
    dest: "{{ gerrit_site_dir }}/etc/jgit.config"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0644

# Server host key for SSH service on port 29418
- name: Write Gerrit SSH host private key
  copy:
    content: "{{ gerrit_ssh_rsa_key_contents }}"
    dest: "{{ gerrit_site_dir }}/etc/ssh_host_rsa_key"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0600

- name: Write Gerrit SSH host public key
  copy:
    content: "{{ gerrit_ssh_rsa_pubkey_contents }}"
    dest: "{{ gerrit_site_dir }}/etc/ssh_host_rsa_key.pub"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0644

# Private key for openstack-project-creator user
- name: Write Gerrit SSH project private key
  copy:
    content: "{{ gerrit_project_ssh_rsa_key_contents }}"
    dest: "{{ gerrit_site_dir }}/etc/ssh_project_rsa_key"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0600

# Public key for openstack-project-creator user
- name: Write Gerrit SSH project public key
  copy:
    content: "{{ gerrit_project_ssh_rsa_pubkey_contents }}"
    dest: "{{ gerrit_site_dir }}/etc/ssh_project_rsa_key.pub"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0644

# Private key for welcome message user
- name: Write Welcome SSH private key
  copy:
    content: "{{ welcome_message_gerrit_ssh_private_key }}"
    dest: "{{ gerrit_site_dir }}/etc/ssh_welcome_rsa_key"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0600
  when: welcome_message_gerrit_ssh_private_key is defined

- name: Write Welcome SSH public key
  copy:
    content: "{{ welcome_message_gerrit_ssh_public_key }}"
    dest: "{{ gerrit_site_dir }}/etc/ssh_welcome_rsa_key.pub"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0644
  when: welcome_message_gerrit_ssh_public_key is defined

- name: Ensure .ssh directory exists
  file:
    state: directory
    path: "{{ gerrit_home_dir }}/.ssh"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0700

# Private RSA A key for gerrit user to connect to other systems,
# such as for replication.
- name: Write Gerrit SSH private RSA A key
  copy:
    content: "{{ gerrit_replication_ssh_rsa_key_contents }}"
    dest: "{{ gerrit_home_dir }}/.ssh/id_rsa"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0600

- name: Write Gerrit SSH public RSA A key
  copy:
    content: "{{ gerrit_replication_ssh_rsa_pubkey_contents }}"
    dest: "{{ gerrit_home_dir }}/.ssh/id_rsa.pub"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0644

# Private RSA B key for gerrit user to connect to other systems,
# such as for replication.
- name: Write Gerrit SSH private RSA B key
  copy:
    content: "{{ gerrit_replication_ssh_rsa_B_key_contents }}"
    dest: "{{ gerrit_home_dir }}/.ssh/replication_id_rsa_B"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0600

- name: Write Gerrit SSH public RSA B key
  copy:
    content: "{{ gerrit_replication_ssh_rsa_B_pubkey_contents }}"
    dest: "{{ gerrit_home_dir }}/.ssh/replication_id_rsa_B.pub"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0644

- name: SSH config to select the appropriate key above for replication
  template:
    src: gerrit_ssh_config.j2
    dest: "{{ gerrit_home_dir }}/.ssh/config"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0644

# Make the directory even if we don't have creds to make
# bind mounting in the docker-compose file simple.
- name: Ensure launchpadlib directory exists
  file:
    state: directory
    path: "{{ gerrit_home_dir }}/.launchpadlib"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0775

# The hook scripts below use update-bug (provided by jeepyb) and this
# authentication file.
- name: Write Launchpad creds file
  template:
    src: infra_lp_creds.j2
    dest: "{{ gerrit_home_dir }}/.launchpadlib/creds"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0600

- name: Copy static hooks
  copy:
    src: "hooks/{{ item }}"
    dest: "{{ gerrit_site_dir }}/hooks/{{ item }}"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0555
  loop:
    - change-merged
    - change-abandoned
    - patchset-created

- name: Write ITS plugin configuration file
  copy:
    src: its/actions.config
    dest: '{{ gerrit_site_dir }}/etc/its/actions.config'
    owner: '{{ gerrit_user_name }}'
    group: '{{ gerrit_user_name }}'
    mode: 0644

- name: Write Gitiles plugin configuration file
  copy:
    src: gitiles.config
    dest: '{{ gerrit_site_dir }}/etc/gitiles.config'
    owner: '{{ gerrit_user_name }}'
    group: '{{ gerrit_user_name }}'
    mode: 0644

- name: Write manage-projects script
  template:
    src: "manage-projects.j2"
    dest: "/usr/local/bin/manage-projects"
    owner: root
    group: root
    mode: 0755

- name: Write projects.ini
  template:
    src: projects.ini.j2
    dest: /home/gerrit2/projects.ini
    owner: gerrit2
    group: gerrit2
    mode: 0600

- name: Accept own own hostkey for root
  known_hosts:
    state: present
    key: '{{ item.value }}'
    name: '{{ item.key }}'
  loop: '{{ gerrit_known_hosts_keys | dict2items }}'
  when: gerrit_known_hosts_keys is defined

- name: Accept own own hostkey for gerrit2
  known_hosts:
    state: present
    key: '{{ item.value }}'
    name: '{{ item.key }}'
    path: '/home/gerrit2/.ssh/known_hosts'
  loop: '{{ gerrit_known_hosts_keys | dict2items }}'
  when: gerrit_known_hosts_keys is defined

- name: Install apache2
  apt:
    name:
      - apache2
      - apache2-utils
    state: present

- name: Apache modules
  apache2_module:
    state: present
    name: "{{ item }}"
  loop:
    - rewrite
    - proxy
    - proxy_http
    - ssl
    - headers

- name: Copy apache config
  template:
    src: gerrit.vhost.j2
    dest: /etc/apache2/sites-enabled/000-default.conf
    owner: root
    group: root
    mode: 0644
  notify: gerrit Reload apache2

- name: Copy redirect config
  template:
    src: redirect.vhost.j2
    dest: "/etc/apache2/sites-enabled/010-{{ gerrit_redirect_vhost }}.conf"
    owner: root
    group: root
    mode: 0644
  when: gerrit_redirect_vhost is defined
  notify: gerrit Reload apache2

# NOTE(ianw) This deliberately does not set owner/group/mode, as the
# mariadb container chowns this directory to be owned by a
# container-internal user and drops root privileges.  We don't want to
# reset this from outside the container.
- name: Setup reviewdb directory for mariadb
  file:
    state: directory
    path: /home/gerrit2/reviewdb

- name: Set up root mariadb conf file
  template:
    src: root.my.cnf.mariadb_container.j2
    dest: /root/.gerrit_db.cnf
    mode: 0400

- name: Start gerrit
  include_tasks: start.yaml

- name: Set up cron job to optmize git repos
  cron:
    name: optmize-git-repos
    state: present
    user: gerrit2
    job: 'find /home/gerrit2/review_site/git/ -type d -name "*.git" -print -exec git --git-dir="{}" gc \;'
    minute: 17
    hour: 4

# Gerrit rotates their own logs, but doesn't clean them out
# Delete logs older than a month
- name: Set up cron job to clean old gerrit logs
  cron:
    name: clear-gerrit-logs
    state: present
    user: gerrit2
    job: 'find /home/gerrit2/review_site/logs/*.gz -mtime +30 -exec rm -f {} \;'
    minute: 1
    hour: 6

- name: Setup db backups
  include_tasks: backup.yaml

# This is handy to have for inspecting the firewall's connection tracking.
- name: Install conntrack
  package:
    name: conntrack
    state: present