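# Ansible tasks that lay down a containerised Gerrit deployment:
# the docker-compose definition, the gerrit service account and its
# review_site tree, Gerrit/plugin configuration, SSH key material,
# hook scripts, the Apache front end, the MariaDB data directory,
# cron housekeeping and backups.
#
# Secret material (private keys, secure.config, credential files and
# the root DB client config) is written with a restrictive mode AND
# `no_log: true`, so the content never appears in task output or in
# `--diff` runs. The trade-off is that failures on those tasks report
# less detail; drop no_log temporarily only when debugging locally.
#
# Octal modes are quoted throughout so YAML cannot reinterpret them
# as decimal integers (ansible-lint `risky-octal`).
- name: Sync project-config
  include_role:
    name: sync-project-config

- name: Ensure /etc/gerrit-compose directory
  file:
    state: directory
    path: /etc/gerrit-compose
    mode: "0755"

- name: Put docker-compose file in place
  template:
    src: docker-compose.yaml.j2
    dest: /etc/gerrit-compose/docker-compose.yaml
    mode: "0644"

# Remove the layout left behind by the previous podman-based deployment.
- name: Clean up old directory
  file:
    state: absent
    path: /etc/gerrit-podman

# The service account is created with a fixed uid/gid (gerrit_id) so
# that files bind-mounted into the container keep a stable ownership.
- name: Create Gerrit Group
  group:
    name: "{{ gerrit_user_name }}"
    gid: "{{ gerrit_id }}"
    system: true

- name: Create Gerrit User
  user:
    name: "{{ gerrit_user_name }}"
    uid: "{{ gerrit_id }}"
    comment: Gerrit User
    shell: /bin/bash
    home: "{{ gerrit_home_dir }}"
    group: "{{ gerrit_user_name }}"
    create_home: true
    system: true

- name: Ensure review_site directory exists
  file:
    state: directory
    path: "{{ gerrit_site_dir }}"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0755"

# Each of these is bind-mounted into the Gerrit container as a volume.
- name: Ensure Gerrit volume directories exist
  file:
    state: directory
    path: "{{ gerrit_site_dir }}/{{ item }}"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0755"
  loop:
    - cache
    - data
    - db
    - etc
    - etc/its
    - git
    - hooks
    - index
    - logs
    - tmp

- name: Write Gerrit config file
  template:
    src: gerrit.config.j2
    dest: "{{ gerrit_site_dir }}/etc/gerrit.config"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0644"

# secure.config carries credentials; owner-only and kept out of logs.
- name: Write Gerrit secure config file
  template:
    src: secure.config.j2
    dest: "{{ gerrit_site_dir }}/etc/secure.config"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0600"
  no_log: true

- name: Write Gerrit replication config
  template:
    src: replication.config.j2
    dest: "{{ gerrit_site_dir }}/etc/replication.config"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0644"
  when: gerrit_replication is defined

- name: Write Gerrit JGit config
  template:
    src: jgit.config.j2
    dest: "{{ gerrit_site_dir }}/etc/jgit.config"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0644"

# Server host key for SSH service on port 29418
- name: Write Gerrit SSH host private key
  copy:
    content: "{{ gerrit_ssh_rsa_key_contents }}"
    dest: "{{ gerrit_site_dir }}/etc/ssh_host_rsa_key"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0600"
  no_log: true

- name: Write Gerrit SSH host public key
  copy:
    content: "{{ gerrit_ssh_rsa_pubkey_contents }}"
    dest: "{{ gerrit_site_dir }}/etc/ssh_host_rsa_key.pub"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0644"

# Private key for openstack-project-creator user
- name: Write Gerrit SSH project private key
  copy:
    content: "{{ gerrit_project_ssh_rsa_key_contents }}"
    dest: "{{ gerrit_site_dir }}/etc/ssh_project_rsa_key"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0600"
  no_log: true

# Public key for openstack-project-creator user
- name: Write Gerrit SSH project public key
  copy:
    content: "{{ gerrit_project_ssh_rsa_pubkey_contents }}"
    dest: "{{ gerrit_site_dir }}/etc/ssh_project_rsa_key.pub"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0644"

# Private key for welcome message user (optional; only written when the
# variable is supplied).
- name: Write Welcome SSH private key
  copy:
    content: "{{ welcome_message_gerrit_ssh_private_key }}"
    dest: "{{ gerrit_site_dir }}/etc/ssh_welcome_rsa_key"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0600"
  no_log: true
  when: welcome_message_gerrit_ssh_private_key is defined

- name: Write Welcome SSH public key
  copy:
    content: "{{ welcome_message_gerrit_ssh_public_key }}"
    dest: "{{ gerrit_site_dir }}/etc/ssh_welcome_rsa_key.pub"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0644"
  when: welcome_message_gerrit_ssh_public_key is defined

- name: Ensure .ssh directory exists
  file:
    state: directory
    path: "{{ gerrit_home_dir }}/.ssh"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0700"

# Private RSA A key for gerrit user to connect to other systems,
# such as for replication.
- name: Write Gerrit SSH private RSA A key
  copy:
    content: "{{ gerrit_replication_ssh_rsa_key_contents }}"
    dest: "{{ gerrit_home_dir }}/.ssh/id_rsa"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0600"
  no_log: true

- name: Write Gerrit SSH public RSA A key
  copy:
    content: "{{ gerrit_replication_ssh_rsa_pubkey_contents }}"
    dest: "{{ gerrit_home_dir }}/.ssh/id_rsa.pub"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0644"

# Private RSA B key for gerrit user to connect to other systems,
# such as for replication.
- name: Write Gerrit SSH private RSA B key
  copy:
    content: "{{ gerrit_replication_ssh_rsa_B_key_contents }}"
    dest: "{{ gerrit_home_dir }}/.ssh/replication_id_rsa_B"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0600"
  no_log: true

- name: Write Gerrit SSH public RSA B key
  copy:
    content: "{{ gerrit_replication_ssh_rsa_B_pubkey_contents }}"
    dest: "{{ gerrit_home_dir }}/.ssh/replication_id_rsa_B.pub"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0644"

- name: SSH config to select the appropriate key above for replication
  copy:
    src: gerrit_ssh_config
    dest: "{{ gerrit_home_dir }}/.ssh/config"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0644"

# Make the directory even if we don't have creds to make
# bind mounting in the docker-compose file simple.
# NOTE(review): 0775 leaves the directory group-writable; the creds
# file inside is 0600, so the contents stay private, but confirm the
# group write bit is actually needed by the container before relaxing
# anything further.
- name: Ensure launchpadlib directory exists
  file:
    state: directory
    path: "{{ gerrit_home_dir }}/.launchpadlib"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0775"

# The hook scripts below use update-bug (provided by jeepyb) and this
# authentication file.
- name: Write Launchpad creds file
  template:
    src: infra_lp_creds.j2
    dest: "{{ gerrit_home_dir }}/.launchpadlib/creds"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0600"
  no_log: true

# Hooks are executed by Gerrit; read/execute only, no write bit.
- name: Copy static hooks
  copy:
    src: "hooks/{{ item }}"
    dest: "{{ gerrit_site_dir }}/hooks/{{ item }}"
    owner: "{{ gerrit_user_name }}"
    group: "{{ gerrit_user_name }}"
    mode: "0555"
  loop:
    - change-merged
    - change-abandoned
    - patchset-created

- name: Write ITS plugin configuration file
  copy:
    src: its/actions.config
    dest: '{{ gerrit_site_dir }}/etc/its/actions.config'
    owner: '{{ gerrit_user_name }}'
    group: '{{ gerrit_user_name }}'
    mode: "0644"

- name: Write Gitiles plugin configuration file
  copy:
    src: gitiles.config
    dest: '{{ gerrit_site_dir }}/etc/gitiles.config'
    owner: '{{ gerrit_user_name }}'
    group: '{{ gerrit_user_name }}'
    mode: "0644"

- name: Write manage-projects script
  template:
    src: "manage-projects.j2"
    dest: "/usr/local/bin/manage-projects"
    owner: root
    group: root
    mode: "0755"

# NOTE(review): the user, home and site paths below are hard-coded to
# gerrit2 / /home/gerrit2 rather than derived from gerrit_user_name /
# gerrit_home_dir / gerrit_site_dir. They only line up when those
# variables hold their default values; the manage-projects template
# presumably depends on this exact projects.ini path, so they are left
# as-is here rather than changed in isolation.
# The 0600 mode indicates projects.ini carries credentials, hence no_log.
- name: Write projects.ini
  template:
    src: projects.ini.j2
    dest: /home/gerrit2/projects.ini
    owner: gerrit2
    group: gerrit2
    mode: "0600"
  no_log: true

# Host keys are pinned from inventory (gerrit_known_hosts_keys) rather
# than trusted on first use, so replication and manage-projects never
# depend on an unverified host key.
- name: Accept own hostkey for root
  known_hosts:
    state: present
    key: '{{ item.value }}'
    name: '{{ item.key }}'
  loop: '{{ gerrit_known_hosts_keys | dict2items }}'
  when: gerrit_known_hosts_keys is defined

# NOTE(review): run as root, the known_hosts module will create this
# file root-owned if it does not already exist; gerrit2 only needs read
# access to the pinned entries, which the default mode provides — confirm
# that is the intended ownership.
- name: Accept own hostkey for gerrit2
  known_hosts:
    state: present
    key: '{{ item.value }}'
    name: '{{ item.key }}'
    path: '/home/gerrit2/.ssh/known_hosts'
  loop: '{{ gerrit_known_hosts_keys | dict2items }}'
  when: gerrit_known_hosts_keys is defined

- name: Install apache2
  apt:
    name:
      - apache2
      - apache2-utils
    state: present

- name: Apache modules
  apache2_module:
    state: present
    name: "{{ item }}"
  loop:
    - rewrite
    - proxy
    - proxy_http
    - ssl
    - headers

- name: Copy apache config
  template:
    src: gerrit.vhost.j2
    dest: /etc/apache2/sites-enabled/000-default.conf
    owner: root
    group: root
    mode: "0644"
  notify: gerrit Reload apache2

- name: Copy redirect config
  template:
    src: redirect.vhost.j2
    dest: "/etc/apache2/sites-enabled/010-{{ gerrit_redirect_vhost }}.conf"
    owner: root
    group: root
    mode: "0644"
  when: gerrit_redirect_vhost is defined
  notify: gerrit Reload apache2

# NOTE(ianw) This deliberately does not set owner/group/mode, as the
# mariadb container chowns this directory to be owned by a
# container-internal user and drops root privileges. We don't want to
# reset this from outside the container.
- name: Setup reviewdb directory for mariadb
  file:
    state: directory
    path: /home/gerrit2/reviewdb

# Root's MariaDB client config holds the DB password: root-only, read-only,
# and never echoed into task output.
- name: Set up root mariadb conf file
  template:
    src: root.my.cnf.mariadb_container.j2
    dest: /root/.gerrit_db.cnf
    owner: root
    group: root
    mode: "0400"
  no_log: true

- name: Start gerrit
  include_tasks: start.yaml

# The cron entry name is the key Ansible uses to find and replace the
# job; it keeps the historical misspelling "optmize" on purpose, because
# renaming it would leave the old entry in place alongside a new one.
- name: Set up cron job to optimize git repos
  cron:
    name: optmize-git-repos
    state: present
    user: gerrit2
    job: 'find /home/gerrit2/review_site/git/ -type d -name "*.git" -print -exec git --git-dir="{}" gc \;'
    minute: 17
    hour: 4

# Gerrit rotates their own logs, but doesn't clean them out
# Delete logs older than a month
- name: Set up cron job to clean old gerrit logs
  cron:
    name: clear-gerrit-logs
    state: present
    user: gerrit2
    job: 'find /home/gerrit2/review_site/logs/*.gz -mtime +30 -exec rm -f {} \;'
    minute: 1
    hour: 6

- name: Setup db backups
  include_tasks: backup.yaml

# This is handy to have for inspecting the firewall's connection tracking.
- name: Install conntrack
  package:
    name: conntrack
    state: present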