system-config/playbooks/roles/lodgeit/tasks/main.yaml
Clark Boylan e5081581d4 Switch lodgeit to run under a dedicated user
This updates the lodgeit paste service to run under a dedicated user. We
defer on updating the image to do this as we should coordinate with
vexxhost on how that will impact them. This should be fine though as
gerritbot updates proved we can run it this way.

Change-Id: I44d3c53a01be475db1bfa17200da0a4800f85628
2021-11-19 09:11:38 -08:00


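# Dedicated service account for the paste service. The gid is pinned so it
# stays in step with the uid given to the lodgeit user in the next task;
# keep the two numbers identical if either is ever changed.
- name: Create lodgeit group
  group:
    name: "lodgeit"
    gid: "10100"
    # Canonical boolean; YAML 1.1 'yes' is the same value to Ansible but
    # trips yamllint's truthy rule.
    system: true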
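- name: Create lodgeit user
  user:
    name: "lodgeit"
    group: "lodgeit"
    # Matches the gid pinned on the lodgeit group above.
    uid: "10100"
    # The home directory is also the parent of the mariadb and www trees
    # created further down in this file.
    home: "/var/lib/lodgeit"
    create_home: true
    # NOTE(review): an interactive login shell on a system account is wider
    # than it needs to be; /usr/sbin/nologin would be tighter unless something
    # relies on a shell here — confirm before changing.
    shell: /bin/bash
    # Canonical 'true' rather than YAML 1.1 'yes' (same value to Ansible).
    system: true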
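- name: Ensure /etc/lodgeit-compose directory
  file:
    state: directory
    path: /etc/lodgeit-compose
    # Quoted: a bare 0755 is a YAML 1.1 octal integer that Ansible has to
    # re-interpret (ansible-lint risky-octal); the string form is unambiguous.
    mode: "0755"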
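- name: Put docker-compose file in place
  template:
    src: docker-compose.yaml.j2
    dest: /etc/lodgeit-compose/docker-compose.yaml
    # NOTE(review): the mariadb backup stream at the end of this file reads
    # MYSQL_ROOT_PASSWORD from the container environment, which is presumably
    # supplied by this compose file. If the template renders that secret,
    # 0644 leaves it readable by every local account (including lodgeit) —
    # confirm, and tighten to "0600" if so (docker-compose runs as root here).
    mode: "0644"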
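- name: Setup mariadb container
  block:
  # NOTE(clarkb) This deliberately does not set owner/group/mode, as the
  # mariadb container chowns this directory to be owned by a
  # container-internal user and drops root privileges. We don't want to
  # reset this from outside the container.
  - name: Setup db directory
    file:
      state: directory
      path: /var/lib/lodgeit/mariadb
  # Presumably the root MariaDB client config (root.my.cnf template), i.e.
  # credentials: pin owner/group explicitly so the file stays root-only even
  # if the play's effective user ever changes, and keep the mode as a quoted
  # string (ansible-lint risky-octal).
  - name: Set up root mariadb conf file
    template:
      src: root.my.cnf.mariadb_container.j2
      dest: /root/.lodgeit_db.cnf
      owner: root
      group: root
      mode: "0400"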
# Web server package plus the apache2-utils helpers.
- name: Install apache2
  apt:
    state: present
    name:
    - "apache2"
    - "apache2-utils"
# Modules the paste vhost needs: URL rewriting, HTTP reverse proxying, TLS and
# response-header control.
- name: Apache modules
  apache2_module:
    name: "{{ item }}"
    state: present
  loop: [rewrite, proxy, proxy_http, ssl, headers]
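- name: Copy apache config
  template:
    src: paste.vhost.j2
    dest: /etc/apache2/sites-enabled/000-default.conf
    owner: root
    group: root
    # Quoted string mode (ansible-lint risky-octal).
    mode: "0644"
  # The handler only fires when the rendered vhost actually changed.
  notify: paste Reload apache2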
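# Static web root and its assets directory. Both are root-owned and only
# world-readable, so the lodgeit service account cannot alter what is served
# from here. Modes are quoted strings (ansible-lint risky-octal).
- name: Create www dir
  file:
    state: directory
    path: /var/lib/lodgeit/www
    owner: root
    group: root
    mode: "0755"
- name: Create assets dir
  file:
    state: directory
    path: /var/lib/lodgeit/www/assets
    owner: root
    group: root
    mode: "0755"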
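# Static files placed under the root-owned www tree; read-only for everyone
# but root. Modes are quoted strings (ansible-lint risky-octal).
- name: Install OpenDev logo
  copy:
    src: opendev.svg
    dest: /var/lib/lodgeit/www/assets/opendev.svg
    owner: root
    group: root
    mode: "0644"
- name: Install robots.txt
  copy:
    src: robots.txt
    dest: /var/lib/lodgeit/www/robots.txt
    owner: root
    group: root
    mode: "0644"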
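# None of these commands use shell features (no pipes, globs or variable
# expansion), so the command module is sufficient and avoids running them
# through a shell (ansible-lint command-instead-of-shell). Behaviour is
# otherwise unchanged: each task runs on every play and reports changed.
- name: Run docker-compose pull
  command:
    cmd: docker-compose pull
    chdir: /etc/lodgeit-compose/
- name: Run docker-compose up
  command:
    cmd: "docker-compose up -d"
    chdir: /etc/lodgeit-compose/
- name: Run docker prune to cleanup unneeded images
  command:
    cmd: docker image prune -f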
# Holds the backup stream definitions written below
# (e.g. /etc/borg-streams/mariadb).
- name: Create backup streaming config dir
  file:
    state: directory
    path: /etc/borg-streams
- name: Setup container mariadb backup jobs
block:
- name: Create mariadb streaming file
copy:
content: >-
/usr/local/bin/docker-compose -f /etc/lodgeit-compose/docker-compose.yaml exec -T mariadb
bash -c '/usr/bin/mysqldump --all-databases --skip-extended-insert --single-transaction -uroot -p"$MYSQL_ROOT_PASSWORD"'
dest: /etc/borg-streams/mariadb