
This came up as something that was missing while we bootstrapped a new gerrit server. The rsa hostkey is managed but none of the three ecdsa keys or the ed25519 key is. Fix that by managing these keys in the same manner we manage the RSA key. Change-Id: Iaf58543b6833273ca45fa5c359dc88eaf64d7a03
- name: Sync project-config
|
|
include_role:
|
|
name: sync-project-config
|
|
|
|
- name: Ensure /etc/gerrit-compose directory
|
|
file:
|
|
state: directory
|
|
path: /etc/gerrit-compose
|
|
mode: 0755
|
|
|
|
- name: Put docker-compose file in place
|
|
template:
|
|
src: docker-compose.yaml.j2
|
|
dest: /etc/gerrit-compose/docker-compose.yaml
|
|
mode: 0644
|
|
|
|
- name: Clean up old directory
|
|
file:
|
|
state: absent
|
|
path: /etc/gerrit-podman
|
|
|
|
- name: Create Gerrit Group
|
|
group:
|
|
name: "{{ gerrit_user_name }}"
|
|
gid: "{{ gerrit_id }}"
|
|
system: yes
|
|
|
|
- name: Create Gerrit User
|
|
user:
|
|
name: "{{ gerrit_user_name }}"
|
|
uid: "{{ gerrit_id }}"
|
|
comment: Gerrit User
|
|
shell: /bin/bash
|
|
home: "{{ gerrit_home_dir }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
create_home: yes
|
|
system: yes
|
|
|
|
- name: Ensure review_site directory exists
|
|
file:
|
|
state: directory
|
|
path: "{{ gerrit_site_dir }}"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0755
|
|
|
|
- name: Ensure Gerrit volume directories exists
|
|
file:
|
|
state: directory
|
|
path: "{{ gerrit_site_dir }}/{{ item }}"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0755
|
|
loop:
|
|
- cache
|
|
- data
|
|
- db
|
|
- etc
|
|
- etc/its
|
|
- git
|
|
- hooks
|
|
- index
|
|
- logs
|
|
- tmp
|
|
|
|
- name: Write Gerrit config file
|
|
template:
|
|
src: gerrit.config.j2
|
|
dest: "{{ gerrit_site_dir }}/etc/gerrit.config"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0644
|
|
|
|
- name: Write Gerrit secure config file
|
|
template:
|
|
src: secure.config.j2
|
|
dest: "{{ gerrit_site_dir }}/etc/secure.config"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0600
|
|
|
|
- name: Write Gerrit replication config
|
|
template:
|
|
src: replication.config.j2
|
|
dest: "{{ gerrit_site_dir }}/etc/replication.config"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0644
|
|
when: gerrit_replication is defined
|
|
|
|
- name: Write Gerrit JGit config
|
|
template:
|
|
src: jgit.config.j2
|
|
dest: "{{ gerrit_site_dir }}/etc/jgit.config"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0644
|
|
|
|
# Server host keys for SSH service on port 29418
|
|
- name: Write Gerrit SSH RSA host private key
|
|
copy:
|
|
content: "{{ gerrit_ssh_rsa_key_contents }}"
|
|
dest: "{{ gerrit_site_dir }}/etc/ssh_host_rsa_key"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0600
|
|
|
|
- name: Write Gerrit SSH RSA host public key
|
|
copy:
|
|
content: "{{ gerrit_ssh_rsa_pubkey_contents }}"
|
|
dest: "{{ gerrit_site_dir }}/etc/ssh_host_rsa_key.pub"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0644
|
|
|
|
- name: Write Gerrit SSH ECDSA host private key
|
|
copy:
|
|
content: "{{ gerrit_ssh_ecdsa_key_contents }}"
|
|
dest: "{{ gerrit_site_dir }}/etc/ssh_host_ecdsa_key"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0600
|
|
|
|
- name: Write Gerrit SSH ECDSA host public key
|
|
copy:
|
|
content: "{{ gerrit_ssh_ecdsa_pubkey_contents }}"
|
|
dest: "{{ gerrit_site_dir }}/etc/ssh_host_ecdsa_key.pub"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0644
|
|
|
|
- name: Write Gerrit SSH ECDSA 384 host private key
|
|
copy:
|
|
content: "{{ gerrit_ssh_ecdsa_384_key_contents }}"
|
|
dest: "{{ gerrit_site_dir }}/etc/ssh_host_ecdsa_384_key"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0600
|
|
|
|
- name: Write Gerrit SSH ECDSA 384 host public key
|
|
copy:
|
|
content: "{{ gerrit_ssh_ecdsa_384_pubkey_contents }}"
|
|
dest: "{{ gerrit_site_dir }}/etc/ssh_host_ecdsa_384_key.pub"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0644
|
|
|
|
- name: Write Gerrit SSH ECDSA 521 host private key
|
|
copy:
|
|
content: "{{ gerrit_ssh_ecdsa_521_key_contents }}"
|
|
dest: "{{ gerrit_site_dir }}/etc/ssh_host_ecdsa_521_key"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0600
|
|
|
|
- name: Write Gerrit SSH ECDSA 521 host public key
|
|
copy:
|
|
content: "{{ gerrit_ssh_ecdsa_521_pubkey_contents }}"
|
|
dest: "{{ gerrit_site_dir }}/etc/ssh_host_ecdsa_521_key.pub"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0644
|
|
|
|
- name: Write Gerrit SSH ED25519 host private key
|
|
copy:
|
|
content: "{{ gerrit_ssh_ed25519_key_contents }}"
|
|
dest: "{{ gerrit_site_dir }}/etc/ssh_host_ed25519_key"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0600
|
|
|
|
- name: Write Gerrit SSH ED25519 host public key
|
|
copy:
|
|
content: "{{ gerrit_ssh_ed25519_pubkey_contents }}"
|
|
dest: "{{ gerrit_site_dir }}/etc/ssh_host_ed25519_key.pub"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0644
|
|
|
|
# Private key for openstack-project-creator user
|
|
- name: Write Gerrit SSH project private key
|
|
copy:
|
|
content: "{{ gerrit_project_ssh_rsa_key_contents }}"
|
|
dest: "{{ gerrit_site_dir }}/etc/ssh_project_rsa_key"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0600
|
|
|
|
# Public key for openstack-project-creator user
|
|
- name: Write Gerrit SSH project public key
|
|
copy:
|
|
content: "{{ gerrit_project_ssh_rsa_pubkey_contents }}"
|
|
dest: "{{ gerrit_site_dir }}/etc/ssh_project_rsa_key.pub"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0644
|
|
|
|
# Private key for welcome message user
|
|
- name: Write Welcome SSH private key
|
|
copy:
|
|
content: "{{ welcome_message_gerrit_ssh_private_key }}"
|
|
dest: "{{ gerrit_site_dir }}/etc/ssh_welcome_rsa_key"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0600
|
|
when: welcome_message_gerrit_ssh_private_key is defined
|
|
|
|
- name: Write Welcome SSH public key
|
|
copy:
|
|
content: "{{ welcome_message_gerrit_ssh_public_key }}"
|
|
dest: "{{ gerrit_site_dir }}/etc/ssh_welcome_rsa_key.pub"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0644
|
|
when: welcome_message_gerrit_ssh_public_key is defined
|
|
|
|
- name: Ensure .ssh directory exists
|
|
file:
|
|
state: directory
|
|
path: "{{ gerrit_home_dir }}/.ssh"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0700
|
|
|
|
# Private RSA A key for gerrit user to connect to other systems,
|
|
# such as for replication.
|
|
- name: Write Gerrit SSH private RSA A key
|
|
copy:
|
|
content: "{{ gerrit_replication_ssh_rsa_key_contents }}"
|
|
dest: "{{ gerrit_home_dir }}/.ssh/id_rsa"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0600
|
|
|
|
- name: Write Gerrit SSH public RSA A key
|
|
copy:
|
|
content: "{{ gerrit_replication_ssh_rsa_pubkey_contents }}"
|
|
dest: "{{ gerrit_home_dir }}/.ssh/id_rsa.pub"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0644
|
|
|
|
# Private RSA B key for gerrit user to connect to other systems,
|
|
# such as for replication.
|
|
- name: Write Gerrit SSH private RSA B key
|
|
copy:
|
|
content: "{{ gerrit_replication_ssh_rsa_B_key_contents }}"
|
|
dest: "{{ gerrit_home_dir }}/.ssh/replication_id_rsa_B"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0600
|
|
|
|
- name: Write Gerrit SSH public RSA B key
|
|
copy:
|
|
content: "{{ gerrit_replication_ssh_rsa_B_pubkey_contents }}"
|
|
dest: "{{ gerrit_home_dir }}/.ssh/replication_id_rsa_B.pub"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0644
|
|
|
|
- name: SSH config to select the appropriate key above for replication
|
|
copy:
|
|
src: gerrit_ssh_config
|
|
dest: "{{ gerrit_home_dir }}/.ssh/config"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0644
|
|
|
|
# Make the directory even if we don't have creds to make
|
|
# bind mounting in the docker-compose file simple.
|
|
- name: Ensure launchpadlib directory exists
|
|
file:
|
|
state: directory
|
|
path: "{{ gerrit_home_dir }}/.launchpadlib"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0775
|
|
|
|
# The hook scripts below use update-bug (provided by jeepyb) and this
|
|
# authentication file.
|
|
- name: Write Launchpad creds file
|
|
template:
|
|
src: infra_lp_creds.j2
|
|
dest: "{{ gerrit_home_dir }}/.launchpadlib/creds"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0600
|
|
|
|
- name: Copy static hooks
|
|
copy:
|
|
src: "hooks/{{ item }}"
|
|
dest: "{{ gerrit_site_dir }}/hooks/{{ item }}"
|
|
owner: "{{ gerrit_user_name }}"
|
|
group: "{{ gerrit_user_name }}"
|
|
mode: 0555
|
|
loop:
|
|
- change-merged
|
|
- change-abandoned
|
|
- patchset-created
|
|
|
|
- name: Write ITS plugin configuration file
|
|
copy:
|
|
src: its/actions.config
|
|
dest: '{{ gerrit_site_dir }}/etc/its/actions.config'
|
|
owner: '{{ gerrit_user_name }}'
|
|
group: '{{ gerrit_user_name }}'
|
|
mode: 0644
|
|
|
|
- name: Write Gitiles plugin configuration file
|
|
copy:
|
|
src: gitiles.config
|
|
dest: '{{ gerrit_site_dir }}/etc/gitiles.config'
|
|
owner: '{{ gerrit_user_name }}'
|
|
group: '{{ gerrit_user_name }}'
|
|
mode: 0644
|
|
|
|
- name: Write manage-projects script
|
|
template:
|
|
src: "manage-projects.j2"
|
|
dest: "/usr/local/bin/manage-projects"
|
|
owner: root
|
|
group: root
|
|
mode: 0755
|
|
|
|
- name: Write projects.ini
|
|
template:
|
|
src: projects.ini.j2
|
|
dest: /home/gerrit2/projects.ini
|
|
owner: gerrit2
|
|
group: gerrit2
|
|
mode: 0600
|
|
|
|
- name: Accept own own hostkey for root
|
|
known_hosts:
|
|
state: present
|
|
key: '{{ item.value }}'
|
|
name: '{{ item.key }}'
|
|
loop: '{{ gerrit_known_hosts_keys | dict2items }}'
|
|
when: gerrit_known_hosts_keys is defined
|
|
|
|
- name: Accept own own hostkey for gerrit2
|
|
known_hosts:
|
|
state: present
|
|
key: '{{ item.value }}'
|
|
name: '{{ item.key }}'
|
|
path: '/home/gerrit2/.ssh/known_hosts'
|
|
loop: '{{ gerrit_known_hosts_keys | dict2items }}'
|
|
when: gerrit_known_hosts_keys is defined
|
|
|
|
- name: Install apache2
|
|
apt:
|
|
name:
|
|
- apache2
|
|
- apache2-utils
|
|
state: present
|
|
|
|
- name: Apache modules
|
|
apache2_module:
|
|
state: present
|
|
name: "{{ item }}"
|
|
loop:
|
|
- rewrite
|
|
- proxy
|
|
- proxy_http
|
|
- ssl
|
|
- headers
|
|
|
|
- name: Copy apache config
|
|
template:
|
|
src: gerrit.vhost.j2
|
|
dest: /etc/apache2/sites-enabled/000-default.conf
|
|
owner: root
|
|
group: root
|
|
mode: 0644
|
|
notify: gerrit Reload apache2
|
|
|
|
- name: Copy redirect config
|
|
template:
|
|
src: redirect.vhost.j2
|
|
dest: "/etc/apache2/sites-enabled/010-{{ gerrit_redirect_vhost }}.conf"
|
|
owner: root
|
|
group: root
|
|
mode: 0644
|
|
when: gerrit_redirect_vhost is defined
|
|
notify: gerrit Reload apache2
|
|
|
|
# NOTE(ianw) This deliberately does not set owner/group/mode, as the
|
|
# mariadb container chowns this directory to be owned by a
|
|
# container-internal user and drops root privileges. We don't want to
|
|
# reset this from outside the container.
|
|
- name: Setup reviewdb directory for mariadb
|
|
file:
|
|
state: directory
|
|
path: /home/gerrit2/reviewdb
|
|
|
|
- name: Set up root mariadb conf file
|
|
template:
|
|
src: root.my.cnf.mariadb_container.j2
|
|
dest: /root/.gerrit_db.cnf
|
|
mode: 0400
|
|
|
|
- name: Start gerrit
|
|
include_tasks: start.yaml
|
|
|
|
- name: Set up cron job to optmize git repos
|
|
cron:
|
|
name: optmize-git-repos
|
|
state: present
|
|
user: gerrit2
|
|
job: 'find /home/gerrit2/review_site/git/ -type d -name "*.git" -print -exec git --git-dir="{}" gc \;'
|
|
minute: 17
|
|
hour: 4
|
|
|
|
- name: Setup db backups
|
|
include_tasks: backup.yaml
|
|
|
|
# This is handy to have for inspecting the firewall's connection tracking.
|
|
- name: Install conntrack
|
|
package:
|
|
name: conntrack
|
|
state: present
|
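Review bot: The four new host private key tasks (`Write Gerrit SSH ECDSA host private key`, `... ECDSA 384 ...`, `... ECDSA 521 ...` and `... ED25519 host private key`) write the key through `content:` with no `no_log: true`, so a run with `--diff` or `-v` prints the full private key into the Ansible output and any job log that captures it. Adding `no_log: true` to each of those tasks keeps the key material out of logs without changing what is written to disk. The same gap already exists in the RSA host key, project, welcome and replication private key tasks this change mirrors, so the fix is worth applying to that whole group rather than only the new tasks. The octal modes on these tasks (`mode: 0600`) are bare YAML scalars; quoting them as `"0600"` would match the Ansible recommendation and avoid parser-dependent integer interpretation, but the commit follows the file's existing convention there.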