system-config/playbooks/roles/gerrit/tasks/main.yaml

# TODO(mordred) We should do *something* where this could use a zuul cloned
# copy of project-config instead. This is needed not just for things like
# manage-projects (which could be run completely differently and non-locally)
# but also for things like notify-impact, which is currently run by a gerrit
# hook inside of the container via jeepyb.
- name: Clone project-config repo
  git:
    repo: https://opendev.org/openstack/project-config
    dest: /opt/project-config
    force: yes

- name: Ensure /etc/gerrit-compose directory
  file:
    state: directory
    path: /etc/gerrit-compose
    mode: 0755

- name: Put docker-compose file in place
  template:
    src: docker-compose.yaml.j2
    dest: /etc/gerrit-compose/docker-compose.yaml
    mode: 0644

- name: Clean up old directory
  file:
    state: absent
    path: /etc/gerrit-podman

- name: Create Gerrit Group
  group:
    name: "{{ gerrit_user_name }}"
    gid: "{{ gerrit_id }}"
    system: yes

- name: Create Gerrit User
  user:
    name: "{{ gerrit_user_name }}"
    uid: "{{ gerrit_id }}"
    comment: Gerrit User
    shell: /bin/bash
    home: "{{ gerrit_home_dir }}"
    group: "{{ gerrit_user_name }}"
    create_home: yes
    system: yes

- name: Ensure review_site directory exists
  file:
    state: directory
    path: "{{ gerrit_site_dir }}"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0755

- name: Ensure Gerrit volume directories exists
  file:
    state: directory
    path: "{{ gerrit_site_dir }}/{{ item }}"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0755
  loop:
    - etc
    - git
    - index
    - cache
    - static
    - hooks
    - tmp
    - logs

- name: Write Gerrit config file
  template:
    src: gerrit.config
    dest: "{{ gerrit_site_dir }}/etc/gerrit.config"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0644

- name: Write Gerrit secure config file
  template:
    src: secure.config
    dest: "{{ gerrit_site_dir }}/etc/secure.config"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0600

- name: Write Gerrit replication config
  template:
    src: replication.config.j2
    dest: "{{ gerrit_site_dir }}/etc/replication.config"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
  when: gerrit_replication is defined

# Server host key for SSH service on port 29418
- name: Write Gerrit SSH host private key
  copy:
    content: "{{ gerrit_ssh_rsa_key_contents }}"
    dest: "{{ gerrit_site_dir }}/etc/ssh_host_rsa_key"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0600

- name: Write Gerrit SSH host public key
  copy:
    content: "{{ gerrit_ssh_rsa_pubkey_contents }}"
    dest: "{{ gerrit_site_dir }}/etc/ssh_host_rsa_key.pub"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0644

# Private key for openstack-project-creator user
- name: Write Gerrit SSH project private key
  copy:
    content: "{{ gerrit_project_ssh_rsa_key_contents }}"
    dest: "{{ gerrit_site_dir }}/etc/ssh_project_rsa_key"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0600

# Public key for openstack-project-creator user
- name: Write Gerrit SSH project public key
  copy:
    content: "{{ gerrit_project_ssh_rsa_pubkey_contents }}"
    dest: "{{ gerrit_site_dir }}/etc/ssh_project_rsa_key.pub"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0644

# Private key for welcome message user
- name: Write Welcome SSH private key
  copy:
    content: "{{ welcome_message_gerrit_ssh_private_key }}"
    dest: "{{ gerrit_site_dir }}/etc/ssh_welcome_rsa_key"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0600
  when: welcome_message_gerrit_ssh_private_key is defined

- name: Write Welcome SSH public key
  copy:
    content: "{{ welcome_message_gerrit_ssh_public_key }}"
    dest: "{{ gerrit_site_dir }}/etc/ssh_welcome_rsa_key.pub"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0644
  when: welcome_message_gerrit_ssh_public_key is defined

- name: Ensure .ssh directory exists
  file:
    state: directory
    path: "{{ gerrit_home_dir }}/.ssh"
    mode: 0700

# Private key for gerrit user to connect to other systems,
# such as for replication.
- name: Write Gerrit SSH private key
  copy:
    content: "{{ gerrit_replication_ssh_rsa_key_contents }}"
    dest: "{{ gerrit_home_dir }}/.ssh/id_rsa"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0600

- name: Write Gerrit SSH public key
  copy:
    content: "{{ gerrit_replication_ssh_rsa_pubkey_contents }}"
    dest: "{{ gerrit_home_dir }}/.ssh/id_rsa.pub"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0644

# Make the directory even if we don't have creds to make
# bind mounting in the docker-compose file simple.
- name: Ensure launchpadlib directory exists
  file:
    state: directory
    path: "{{ gerrit_home_dir }}/.launchpadlib"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0775

- name: Write Launchpad creds file
  template:
    src: infra_lp_creds.j2
    dest: "{{ gerrit_home_dir }}/.launchpadlib/creds"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0600
  when: lp_access_token is defined

- name: Copy static hooks
  copy:
    src: "hooks/{{ item }}"
    dest: "{{ gerrit_site_dir }}/hooks/{{ item }}"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0555
  loop:
    - change-merged
    - change-abandoned

- name: Copy notify-impact yaml file
  copy:
    src: "{{ gerrit_project_config_base }}/gerrit/notify_impact.yaml"
    dest: "{{ gerrit_site_dir }}/hooks/notify_impact.yaml"
    remote_src: yes
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0444

- name: Install patchset-created hook
  template:
    src: patchset-created.j2
    dest: "{{ gerrit_site_dir }}/hooks/patchset-created"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: 0555

# TODO(mordred) These things should really go into the image instead.
- name: Copy static and etc
  copy:
    src: "{{ item }}"
    dest: "{{ gerrit_site_dir }}/{{ item }}"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: preserve
  loop:
    - static/hideci.js
    - static/robots.txt
    - static/system-cla.html
    - static/usg-cla.html
    - etc/GerritSite.css
    - etc/GerritSiteHeader.html

- name: Write jeepyb utility scripts
  template:
    src: "{{ item }}.j2"
    dest: "/usr/local/bin/{{ item }}"
    owner: root
    group: root
    mode: 0755
  loop:
    - manage-projects
    - track-upstream

- name: Install apache2
  apt:
    name:
      - apache2
      - apache2-utils
    state: present

- name: Apache modules
  apache2_module:
    state: present
    name: "{{ item }}"
  loop:
    - rewrite
    - proxy
    - proxy_http
    - ssl
    - headers

- name: Copy apache config
  template:
    src: gerrit.vhost.j2
    dest: /etc/apache2/sites-enabled/000-default.conf
    owner: root
    group: root
    mode: 0644
  notify: gerrit Reload apache2

- name: Copy redirect config
  template:
    src: redirect.vhost.j2
    dest: "/etc/apache2/sites-enabled/010-{{ gerrit_redirect_vhost }}.conf"
    owner: root
    group: root
    mode: 0644
  when: gerrit_redirect_vhost is defined
  notify: gerrit Reload apache2

- name: Install docker-compose
  package:
    name:
      - docker-compose
    state: present

- name: Start gerrit
  include_tasks: start.yaml