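---
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# shithubd app role: installs the binary, env files, systemd units.
# Binary is built locally and uploaded — no in-place compile on prod.
#
# NOTE(review): every task writes root-owned paths under /usr, /etc or
# /var/lib, so this file assumes the play runs with become enabled —
# confirm in the calling playbook. Only the storage check drops to the
# service user via become_user.

- name: Repo + temp dirs on the block volume
  file:
    path: "{{ item }}"
    state: directory
    owner: "{{ shithub_user }}"
    group: "{{ shithub_group }}"
    mode: "0750"
  loop:
    - "{{ shithub_data_root }}/repos"
    - "{{ shithub_data_root }}/tmp"

# Kept separate from the data dirs: the rollback copies are written by root
# (archive task below) and must not be replaceable by the service account,
# so the directory is root-owned. Group shithub keeps read/traverse so
# operators in that group can still list the archived versions.
- name: Rollback binaries dir (root-owned)
  file:
    path: /var/lib/shithub/binaries
    state: directory
    owner: root
    group: "{{ shithub_group }}"
    mode: "0750"

- name: Upload shithubd binary (built by `make deploy` locally)
  copy:
    src: "{{ playbook_dir }}/../../bin/shithubd"
    dest: /usr/local/bin/shithubd
    mode: "0755"
    owner: root
    group: root
  # Registered so the archive step can name the copy by content checksum.
  register: shithubd_upload

# Content-addressed archive: one copy per distinct binary, named by the
# checksum the copy module reports. Re-running the play with the same
# binary is a no-op; a timestamp-based name (and a `creates:` guard built
# from play-start facts) can never match the file the task itself writes,
# which made every run add another copy. Order of versions is recoverable
# from mtime (`ls -t`).
- name: Archive a versioned copy under /var/lib/shithub/binaries (rollback path)
  copy:
    src: /usr/local/bin/shithubd
    remote_src: true
    dest: "/var/lib/shithub/binaries/shithubd-{{ shithubd_upload.checksum }}"
    mode: "0755"
    owner: root
    group: root
  # checksum is only present when the upload actually ran (not in check mode).
  when: shithubd_upload.checksum is defined

- name: Config dir — ensure /etc/shithub exists
  # 0750 with shithub group: shithub user has full RW; group members
  # (shithub-worker AND `git` for the SSH-shell wrapper) can traverse
  # + read group-readable files inside.
  file:
    path: /etc/shithub
    state: directory
    owner: "{{ shithub_user }}"
    group: "{{ shithub_group }}"
    mode: "0750"

- name: Runtime object storage config is complete when enabled
  # Either all four s3_* vars are set (uploads on) or none are (uploads
  # off); anything in between is a misconfiguration, caught here rather
  # than at the first avatar upload.
  assert:
    that:
      - (s3_endpoint | default("") | string | length) > 0
      - (s3_bucket | default("") | string | length) > 0
      - (s3_access_key_id | default("") | string | length) > 0
      - (s3_secret_access_key | default("") | string | length) > 0
    fail_msg: >-
      Runtime object storage is partially configured. Set s3_endpoint,
      s3_bucket, s3_access_key_id, and s3_secret_access_key for the
      DigitalOcean Spaces bucket, or leave all s3_* variables unset to
      disable avatar uploads.
  when: >-
    (s3_endpoint | default("") | string | length) > 0 or
    (s3_bucket | default("") | string | length) > 0 or
    (s3_access_key_id | default("") | string | length) > 0 or
    (s3_secret_access_key | default("") | string | length) > 0

- name: Web env file (0640 — group-readable for ssh-shell wrapper)
  # The git user (running ssh-shell via the AKC's forced command)
  # is in the shithub group and needs to source this file via the
  # /var/lib/git/git-shell-commands/shithubd wrapper. 0640 with
  # group=shithub gives exactly that and nothing more.
  template:
    src: web.env.j2
    dest: /etc/shithub/web.env
    owner: "{{ shithub_user }}"
    group: "{{ shithub_group }}"
    mode: "0640"
  notify: restart shithubd-web

- name: Worker env file (0600 — secrets)
  template:
    src: worker.env.j2
    dest: /etc/shithub/worker.env
    owner: "{{ shithub_user }}"
    group: "{{ shithub_group }}"
    mode: "0600"
  notify: restart shithubd-worker

- name: Storage check — repos root and runtime object bucket
  # Sources web.env so the check sees the same settings the web service
  # will, and runs as the service user so a permissions problem on the
  # repos root surfaces here instead of at the first push. `set -e` makes
  # a missing/unreadable env file fail the task instead of running the
  # check with an empty environment.
  shell: |
    set -e
    set -a
    . /etc/shithub/web.env
    set +a
    /usr/local/bin/shithubd storage check
  args:
    executable: /bin/bash
  become_user: "{{ shithub_user }}"
  changed_when: false
  when: not ansible_check_mode

- name: systemd unit — web
  copy:
    src: "{{ playbook_dir }}/../systemd/shithubd-web.service"
    dest: /etc/systemd/system/shithubd-web.service
    mode: "0644"
  notify:
    - daemon-reload
    - restart shithubd-web

- name: systemd unit — worker
  copy:
    src: "{{ playbook_dir }}/../systemd/shithubd-worker.service"
    dest: /etc/systemd/system/shithubd-worker.service
    mode: "0644"
  notify:
    - daemon-reload
    - restart shithubd-worker

- name: systemd unit — cron service + timer
  copy:
    src: "{{ playbook_dir }}/../systemd/{{ item }}"
    dest: "/etc/systemd/system/{{ item }}"
    mode: "0644"
  loop:
    - shithubd-cron.service
    - shithubd-cron.timer
  notify:
    - daemon-reload
    - enable shithubd-cron

- name: sshd_config — render with AKC line for git-over-SSH
  template:
    src: "{{ playbook_dir }}/../sshd_config.j2"
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0644"
    # Reject a broken render before it replaces the live config; a bad
    # sshd_config followed by the restart handler would lock the deploy
    # host out of SSH. backup keeps the last known-good file beside it.
    validate: /usr/sbin/sshd -t -f %s
    backup: true
  notify: restart sshd

# AKC wrapper. sshd doesn't source EnvironmentFile= for AKC commands,
# so this script sources /etc/shithub/web.env (for SHITHUB_DATABASE_URL)
# before exec'ing the real shithubd ssh-authkeys.
- name: AKC wrapper — install /usr/local/bin/shithub-ssh-authkeys
  copy:
    src: shithub-ssh-authkeys
    dest: /usr/local/bin/shithub-ssh-authkeys
    mode: "0755"
    owner: root
    group: root

# git-shell-commands wrapper for the AKC's forced ssh-shell command.
# git-shell only allows its three built-in commands plus entries
# under ~git/git-shell-commands/. Symlinking the bare `shithubd`
# binary in there isn't enough — the wrapper also sources web.env so
# ssh-shell (running as the git user) can read DATABASE_URL.
#
# Dir and wrapper are root-owned (group git, 0755): they execute on every
# SSH login as the git user, so that account must not be able to rewrite
# them. git-shell only needs read+exec, which group git keeps.
- name: git-shell-commands dir
  file:
    path: /var/lib/git/git-shell-commands
    state: directory
    owner: root
    group: git
    mode: "0755"

- name: git-shell-commands shithubd wrapper
  copy:
    src: git-shell-commands-shithubd
    dest: /var/lib/git/git-shell-commands/shithubd
    owner: root
    group: git
    mode: "0755"

# daemon_reload here (not only in the handler, which runs at end of play)
# so a unit file written earlier in this same run is loaded before the
# start/enable below acts on it.
- name: Enable + start shithubd-web
  systemd:
    name: shithubd-web
    state: started
    enabled: true
    daemon_reload: true

- name: Enable + start shithubd-worker
  systemd:
    name: shithubd-worker
    state: started
    enabled: true
    daemon_reload: true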
163