authorRiku Voipio <riku.voipio@linaro.org>2017-11-29 16:36:28 +0200
committerBenjamin Copeland <ben.copeland@linaro.org>2017-11-29 15:02:56 +0000
commitb0f24fb214b083d98a686ba210ab1e7d58a2d754 (patch)
tree81cad5bf4942967e4634a4746fee174d603f8213
parent52cc344cda395f1c39df45abc9353500549e8e43 (diff)
obs: fixes/refactor for devcloud
- new role, obs-bastion for handling firewall and volumes - install OBS from our repositories - refactor systemd-container - correct some files used by OBS Change-Id: Ie4bd548703313a1fff2b0e26e00ff330c71c57ee Reviewed-on: https://review.linaro.org/22736 Reviewed-by: Benjamin Copeland <ben.copeland@linaro.org>
-rw-r--r--host_vars/obs-bastion-us1.linaro.cloud4
-rw-r--r--roles/obs-bastion/tasks/main.yml87
-rw-r--r--roles/obs/tasks/main.yml14
-rw-r--r--roles/obs/tasks/sign.yml4
-rw-r--r--roles/obs/tasks/ufw.yml43
-rw-r--r--roles/systemd-container/files/container.nspawn1
-rw-r--r--roles/systemd-container/tasks/base-container.yml23
-rw-r--r--roles/systemd-container/tasks/main.yml9
8 files changed, 120 insertions, 65 deletions
diff --git a/host_vars/obs-bastion-us1.linaro.cloud b/host_vars/obs-bastion-us1.linaro.cloud
new file mode 100644
index 00000000..f6cd4ec2
--- /dev/null
+++ b/host_vars/obs-bastion-us1.linaro.cloud
@@ -0,0 +1,4 @@
+obsdata_fstype: ext4
+obsdata_dev: /dev/sdb
+obsbackup_fstype: ext4
+obsbackup_dev: /dev/sdc
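Review bot: `obsdata_dev: /dev/sdb` and `obsbackup_dev: /dev/sdc` identify the volumes by kernel enumeration order, which is not guaranteed stable across reboots or re-attachment of cloud volumes, and the obs-bastion role feeds these straight into `filesystem:` and `mount:`. If the two devices swap, the data volume ends up under `/srv/backups` and the backup volume under the OBS tree; the `filesystem` module without `force` should leave an existing filesystem alone, but the mounts would still be wrong. Prefer a stable identifier such as a `/dev/disk/by-id/...` path, or a label/UUID once the volumes have been initialised, and keep the values quoted strings.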
diff --git a/roles/obs-bastion/tasks/main.yml b/roles/obs-bastion/tasks/main.yml
new file mode 100644
index 00000000..4cbfef05
--- /dev/null
+++ b/roles/obs-bastion/tasks/main.yml
@@ -0,0 +1,87 @@
+#- name: Reset ufw to defaults
+# ufw: state=reset
+# when: firewall_reset is defined
+
+- name: install ufw
+ apt:
+ update_cache: yes
+ name: ufw
+ state: present
+
+- name: Open 5252 for slaves
+ ufw:
+ rule: allow
+ proto: tcp
+ port: 5252
+ src: "{{item}}"
+ with_items: "{{worker_ip}}"
+
+- name: Open 5352 for slaves
+ ufw:
+ rule: allow
+ proto: tcp
+ port: 5352
+ src: "{{item}}"
+ with_items: "{{worker_ip}}"
+
+# Only adds ports does not delete.
+# ufw reset is required for a fresh ufw deploy.
+- name: Open firewall ports
+ ufw:
+ rule: allow
+ proto: tcp
+ port: "{{item}}"
+ with_items:
+ - 22
+ - 80
+ - 443
+
+- name: Enable Firewall
+ ufw:
+ direction: "{{item.direction}}"
+ policy: "{{item.policy}}"
+ logging: off
+ state: enabled
+ with_items:
+ - { direction: 'incoming', policy: 'deny' }
+ - { direction: 'outgoing', policy: 'allow' }
+
+- name: Format obs_data volume
+ filesystem:
+ fstype: "{{obsdata_fstype}}"
+ dev: "{{obsdata_dev}}"
+
+- name: Mount obs_data volume
+ mount:
+ path: /var/lib/machines/obs/srv
+ state: mounted
+ passno: 2
+ fstype: "{{obsdata_fstype}}"
+ src: "{{obsdata_dev}}"
+
+- name: Format obs_backup volume
+ filesystem:
+ fstype: "{{obsbackup_fstype}}"
+ dev: "{{obsbackup_dev}}"
+
+- name: Mount obs_backup volume
+ mount:
+ path: /srv/backups
+ state: mounted
+ passno: 2
+ fstype: "{{obsbackup_fstype}}"
+ src: "{{obsbackup_dev}}"
+
+- name: add obs-backup user
+ user:
+ name: obs-backup
+ home: /srv/backups/obs
+ state: present
+
+- name: Set authorized key took from file
+ authorized_key:
+ user: obs-backup
+ state: present
+ key: "{{lookup('file', '{{secrets_dir}}/files/obs/id_rsa.pub')}}"
+
+
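Review bot: `logging: off` in the `Enable Firewall` task is a bare YAML 1.1 boolean, so the ufw module receives `false` rather than the string `off` and only works because the module maps the boolean back onto its `off` choice; write it as `logging: "off"`, or better keep at least `logging: "low"`, since this role is the packet filter in front of the bastion and switching logging off removes the only record of dropped connections. The `Open firewall ports` list drops the `2201` entry that the deleted roles/obs/tasks/ufw.yml allowed; if that port was still in use on the bastion it now needs a rule here, otherwise a comment saying it was dropped on purpose would help the next reader. The `authorized_key` lookup nests moustaches inside a Jinja expression, `lookup('file', '{{secrets_dir}}/files/obs/id_rsa.pub')`; write it as `lookup('file', secrets_dir ~ '/files/obs/id_rsa.pub')`. `update_cache: yes` should be `update_cache: true`, and the file ends with two blank `+` lines.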
diff --git a/roles/obs/tasks/main.yml b/roles/obs/tasks/main.yml
index 211773ee..18457fe4 100644
--- a/roles/obs/tasks/main.yml
+++ b/roles/obs/tasks/main.yml
@@ -22,6 +22,15 @@
question: obs-api/mysql/app-password
value: "{{mysql_password}}"
vtype: password
+- name: Add OBS apt key
+ apt_key:
+ url: http://obs.linaro.org/linaro-overlay-stretch/Debian_9.0/Release.key
+ state: present
+- name: Add OBS overlay repository
+ apt_repository:
+ repo: deb http://obs.linaro.org/linaro-overlay-stretch/Debian_9.0/ ./
+ state: present
+
- name: Install OBS
apt: pkg={{item}} state=installed
with_items:
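Review bot: The repository signing key is fetched over plain `http://` (`url: http://obs.linaro.org/linaro-overlay-stretch/Debian_9.0/Release.key`) with no `id:` fingerprint pinned, so anyone able to tamper with that unauthenticated download can substitute a key that apt will then trust for every package the following `Install OBS` task pulls from the overlay. The repository line itself can stay `http://` because apt verifies package signatures, but the trust anchor must arrive over an authenticated channel. Change the URL to `https://` and pin it with `id: <EXPECTED-KEY-FINGERPRINT-PLACEHOLDER>`, or ship the key file from `secrets_dir`/the role's `files/` directory and use `apt_key` with `file:`/`data:`, the same way sign.yml already distributes the GPG keys.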
@@ -33,7 +42,7 @@
- name: Rails configuration with rake
shell: /usr/share/obs/api/script/rake-tasks.sh setup >> /home/obs-admin/install.log 2>&1
args:
- creates: /etc/obs/api/config/production.sphinx.conf
+ creates: /srv/obs/configuration.xml
- name: Enable ldap
template:
src: options.yml
@@ -54,6 +63,5 @@
enabled: yes
state: started
-- {include: sign.yml, tags: [gpg]}
-- {include: ufw.yml, tags: [firewall]}
+- {import_tasks: sign.yml, tags: [gpg]}
diff --git a/roles/obs/tasks/sign.yml b/roles/obs/tasks/sign.yml
index 4dbbb880..120a7692 100644
--- a/roles/obs/tasks/sign.yml
+++ b/roles/obs/tasks/sign.yml
@@ -1,9 +1,9 @@
- name: Copy Secret GPG key
- copy: src="{{secrets_dir}}/files/gnupg/private.key" dest=/root/private.key
+ copy: src="{{secrets_dir}}/files/obs/private.key" dest=/root/private.key
mode=0400
- name: Copy public GPG key
- copy: src="{{secrets_dir}}/files/gnupg/public.key" dest=/etc/obs/public.key
+ copy: src="{{secrets_dir}}/files/obs/public.key" dest=/etc/obs/public.key
mode=0444
- name: Install support scripts
diff --git a/roles/obs/tasks/ufw.yml b/roles/obs/tasks/ufw.yml
deleted file mode 100644
index 538b2314..00000000
--- a/roles/obs/tasks/ufw.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-#- name: Reset ufw to defaults
-# ufw: state=reset
-# when: firewall_reset is defined
-
-- name: Open 5252 for slaves
- ufw:
- rule: allow
- proto: tcp
- port: 5252
- src: "{{item}}"
- with_items: "{{worker_ip}}"
-
-- name: Open 5352 for slaves
- ufw:
- rule: allow
- proto: tcp
- port: 5352
- src: "{{item}}"
- with_items: "{{worker_ip}}"
-
-# Only adds ports does not delete.
-# ufw reset is required for a fresh ufw deploy.
-- name: Open firewall ports
- ufw:
- rule: allow
- proto: tcp
- port: "{{item}}"
- with_items:
- - 22
- - 80
- - 443
- - 2201
-
-- name: Enable Firewall
- ufw:
- direction: "{{item.direction}}"
- policy: "{{item.policy}}"
- logging: off
- state: enabled
- with_items:
- - { direction: 'incoming', policy: 'deny' }
- - { direction: 'outgoing', policy: 'allow' }
-
diff --git a/roles/systemd-container/files/container.nspawn b/roles/systemd-container/files/container.nspawn
index 1c1630af..1bce6e78 100644
--- a/roles/systemd-container/files/container.nspawn
+++ b/roles/systemd-container/files/container.nspawn
@@ -1,5 +1,6 @@
[Exec]
Boot=on
+PrivateUsers=no
[Network]
VirtualEthernet=no
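Review bot: `PrivateUsers=no` disables user namespacing for the container, so UID 0 inside it is UID 0 on the bastion host and the sudo-enabled user that base-container.yml creates sits one chroot-style boundary away from the host; nothing in the commit records why this isolation is dropped. Add a comment above the line stating the reason, e.g. `# PrivateUsers=no: user namespacing disabled on purpose (<reason>); container root == host root`, so it is not re-enabled blindly and not left off by accident. If the motive was only the ownership steps in base-container.yml, it is worth checking whether user namespacing with owner shifting would work instead.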
diff --git a/roles/systemd-container/tasks/base-container.yml b/roles/systemd-container/tasks/base-container.yml
index a22b1a85..b1bc24bd 100644
--- a/roles/systemd-container/tasks/base-container.yml
+++ b/roles/systemd-container/tasks/base-container.yml
@@ -6,21 +6,24 @@
tags:
- update
- name: Create Debian Stretch container
- command: debootstrap --include=openssh-server,dbus,python,sudo stretch /var/lib/machines/debian http://deb.debian.org/debian
+ command: debootstrap --include=openssh-server,dbus,python,sudo stretch /var/lib/machines/{{container_name}}/ http://deb.debian.org/debian
args:
- creates: /var/lib/machines/debian
-- name: Add admin user in container
- command: chroot /var/lib/machines/debian useradd -m obs-admin
+ creates: /var/lib/machines/{{container_name}}/etc/apt/sources.list
+- name: Add user in container
+ command: chroot /var/lib/machines/{{container_name}}/ useradd -m {{container_user}}
args:
- creates: /var/lib/machines/debian/home/obs-admin
+ creates: /var/lib/machines/{{container_name}}/home/{{container_user}}
- name: Make ssh dir
file:
- path: /var/lib/machines/debian/home/obs-admin/.ssh
+ path: /var/lib/machines/{{container_name}}/home/{{container_user}}/.ssh
state: directory
mode: 0700
-- name: Copy ssh key
- copy: content="{{ssh_pub_key}}" dest=/var/lib/machines/debian/home/obs-admin/.ssh/authorized_keys
+- name: Copy ssh authorized keys
+ copy:
+ src: /home/debian/.ssh/authorized_keys
+ dest: /var/lib/machines/{{container_name}}/home/{{container_user}}/.ssh/authorized_keys
+ remote_src: yes
- name: verify .ssh permissions
- command: chroot /var/lib/machines/debian chown -R obs-admin:obs-admin /home/obs-admin/.ssh
+ command: chroot /var/lib/machines/{{container_name}} chown -R {{container_user}}:{{container_user}} /home/{{container_user}}/.ssh
- name: add admin escalation rights
- copy: src=sudoers dest=/var/lib/machines/debian/etc/sudoers.d/obs-admin mode=0440
+ copy: src=sudoers dest=/var/lib/machines/{{container_name}}/etc/sudoers.d/{{container_user}} mode=0440
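Review bot: The `Copy ssh authorized keys` task now takes `/home/debian/.ssh/authorized_keys` from the host with `remote_src: yes` instead of the `ssh_pub_key` variable, so every key that can log in as the host's `debian` user is silently granted access to `{{container_user}}`, an account the last task hands sudo rights via `sudoers.d` — and the host-side path is hard-coded while the container side is parameterised. Keep the authorised keys an explicit, reviewable input of the role: either restore `content: "{{ssh_pub_key}}"` or make the source a variable, `src: "{{container_authorized_keys}}"`, with the host path as its default. `remote_src: yes` should be `remote_src: true`. The `chown -R` command task has no `changed_when`, so it reports a change on every run.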
diff --git a/roles/systemd-container/tasks/main.yml b/roles/systemd-container/tasks/main.yml
index cd809506..f304b544 100644
--- a/roles/systemd-container/tasks/main.yml
+++ b/roles/systemd-container/tasks/main.yml
@@ -1,9 +1,4 @@
-- include: base-container.yml
-
-- name: Copy base stretch container
- command: cp -a /var/lib/machines/debian /var/lib/machines/{{container_name}}
- args:
- creates: /var/lib/machines/{{container_name}}
+- import_tasks: base-container.yml
- name: Set hostname to "{{container_name}}"
copy:
@@ -14,7 +9,7 @@
lineinfile:
dest: /var/lib/machines/{{container_name}}/etc/hosts
regexp: '^127\.0\.0\.2'
- line: 127.0.0.2 "{{container_name}}" "{{container_name}}".linaro.org
+ line: 127.0.0.2 {{container_name}}
owner: root
group: root
mode: 0644
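Review bot: `line: 127.0.0.2 {{container_name}}` is an unquoted templated scalar that parses only because the moustache is not at the start of the value, and it also silently drops the `{{container_name}}.linaro.org` alias the old line carried, so anything in the container that resolved the FQDN through /etc/hosts will now go to DNS. Quote it as `line: "127.0.0.2 {{ container_name }}"`, and if dropping the FQDN was deliberate a short comment on the task saying so would keep it from being re-added. The enclosing lineinfile task starts above the hunk.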