From 6bf98599e3c857658a74895465f6e408bdedb6e7 Mon Sep 17 00:00:00 2001
From: Robin Sonnabend <robin@fsmpi.rwth-aachen.de>
Date: Sat, 17 Mar 2018 12:25:37 +0100
Subject: [PATCH] Add role for user-scripts nfs-api

---
 nfs-api/defaults/main.yml    |  11 ++++
 nfs-api/files/nfsapi.service |  13 ++++
 nfs-api/handlers/main.yml    |   8 +++
 nfs-api/meta/main.yml        |   5 ++
 nfs-api/tasks/main.yml       | 115 +++++++++++++++++++++++++++++++++++
 nfs-api/templates/config.py  |   7 +++
 nfs-api/templates/sudoers    |   1 +
 7 files changed, 160 insertions(+)
 create mode 100644 nfs-api/defaults/main.yml
 create mode 100644 nfs-api/files/nfsapi.service
 create mode 100644 nfs-api/handlers/main.yml
 create mode 100644 nfs-api/meta/main.yml
 create mode 100644 nfs-api/tasks/main.yml
 create mode 100644 nfs-api/templates/config.py
 create mode 100644 nfs-api/templates/sudoers

diff --git a/nfs-api/defaults/main.yml b/nfs-api/defaults/main.yml
new file mode 100644
index 0000000..7ba699c
--- /dev/null
+++ b/nfs-api/defaults/main.yml
@@ -0,0 +1,11 @@
+nfs_api_web_root: /var/www/nfs-api
+nfs_api_user: nfsapi
+nfs_api_group: nfsapi
+nfs_api_homedirs: "/home"
+nfs_api_auth_group: "Domain Admins"
+nfs_api_ad_host: "auth.fsmpi.rwth-aachen.de"
+nfs_api_domain: "FSMPI"
+nfs_api_user_dn: "cn=users,dc=fsmpi,dc=rwth-aachen,dc=de"
+nfs_api_group_dn: "cn=users,dc=fsmpi,dc=rwth-aachen,dc=de"
+nfs_api_ca_cert: "/etc/ssl/certs/rwth_chain.pem"
+nfs_api_mountpoint: /api
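Review bot: `nfs_api_deploy_key`, which the first task in tasks/main.yml copies to /root/.ssh/nfsapi, has no entry in this defaults file, so a playbook that does not set it fails with an undefined-variable error and nothing here tells the user the variable is required; add a commented placeholder such as `# nfs_api_deploy_key: <path to the private deploy key; must be set by the playbook>` or guard the copy task with `when: nfs_api_deploy_key is defined`. `nfs_api_group_dn` is byte-identical to `nfs_api_user_dn` (`cn=users,…`), which looks like a copy-paste default — confirm that groups really live under the users container. Quoting is inconsistent (`/var/www/nfs-api` and `/api` plain, the other paths quoted) and the file lacks the leading `---` the sibling role files use.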
diff --git a/nfs-api/files/nfsapi.service b/nfs-api/files/nfsapi.service
new file mode 100644
index 0000000..b9b8882
--- /dev/null
+++ b/nfs-api/files/nfsapi.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=nfsapi
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/apps-available/nfsapi.ini
+Restart=always
+KillSignal=SIGTERM
+Type=notify
+NotifyAccess=all
+
+[Install]
+WantedBy=multi-user.target
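Review bot: The unit sets no `User=`/`Group=`, so uwsgi starts as root and any privilege drop depends entirely on the uid/gid written into /etc/uwsgi/apps-available/nfsapi.ini by the uwsgi-python dependency, which is not part of this patch; a short comment in the unit, e.g. `# runs as root; uwsgi drops to nfs_api_user/nfs_api_group via the ini (uwsgi-python role)`, would record that assumption. Note that the application relies on sudo (see templates/sudoers), so `NoNewPrivileges=yes` is not an option here; `ProtectSystem=` and `PrivateTmp=` would still apply, though `PrivateTmp` interacts with the /tmp remount dance in tasks/main.yml and should be checked before adding.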
diff --git a/nfs-api/handlers/main.yml b/nfs-api/handlers/main.yml
new file mode 100644
index 0000000..93d9bdc
--- /dev/null
+++ b/nfs-api/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+# file: samba/nfs-api/handlers/main.yml
+
+- name: reload systemd service files
+  command: systemctl daemon-reload
+
+- name: restart uwsgi for nfsapi
+  systemd: name=nfsapi state=restarted
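Review bot: The `reload systemd service files` handler shells out with `command: systemctl daemon-reload` although the `systemd` module used by the next handler already offers this (`systemd: daemon_reload: yes`), which also keeps the handler from reporting "changed" on every run. Both handlers use the `key=value` shorthand; block YAML (`systemd:` then `name: nfsapi` / `state: restarted`) matches the rest of the role. The header comment says `samba/nfs-api/handlers/main.yml` while the file lives at `nfs-api/handlers/main.yml` (same in meta/ and tasks/).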
diff --git a/nfs-api/meta/main.yml b/nfs-api/meta/main.yml
new file mode 100644
index 0000000..ae599ee
--- /dev/null
+++ b/nfs-api/meta/main.yml
@@ -0,0 +1,5 @@
+---
+# file: samba/nfs-api/meta/main.yml
+
+dependencies:
+  - { role: uwsgi-python, uwsgi_name: "nfsapi", uwsgi_user: "{{nfs_api_user}}", uwsgi_group: "{{nfs_api_group}}", uwsgi_path: "{{nfs_api_web_root}}/program", uwsgi_venv: "{{nfs_api_web_root}}/program/venv", uwsgi_home: "{{nfs_api_web_root}}", uwsgi_program: "nfsapi.py", uwsgi_callable: "app", uwsgi_python: 3, uwsgi_options: ["close-on-exec"], uwsgi_mountpoint: "{{nfs_api_mountpoint}}" }
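Review bot: The single dependency is a ~330-character flow mapping, which is hard to diff and review; block style reads top-down and makes each parameter visible. `uwsgi_python: 3` is passed as an integer while every other parameter is a string — whether the uwsgi-python role expects an int or the string `"3"` is not visible here, so confirm against that role. The Jinja expressions are also written `{{nfs_api_user}}` without the inner spaces used in tasks/main.yml (`{{ nfs_api_web_root }}`).
```yaml
dependencies:
  - role: uwsgi-python
    uwsgi_name: "nfsapi"
    uwsgi_user: "{{ nfs_api_user }}"
    uwsgi_group: "{{ nfs_api_group }}"
    uwsgi_path: "{{ nfs_api_web_root }}/program"
    uwsgi_venv: "{{ nfs_api_web_root }}/program/venv"
    uwsgi_home: "{{ nfs_api_web_root }}"
    uwsgi_program: "nfsapi.py"
    uwsgi_callable: "app"
    uwsgi_python: 3
    uwsgi_options:
      - "close-on-exec"
    uwsgi_mountpoint: "{{ nfs_api_mountpoint }}"
```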
diff --git a/nfs-api/tasks/main.yml b/nfs-api/tasks/main.yml
new file mode 100644
index 0000000..4ff584f
--- /dev/null
+++ b/nfs-api/tasks/main.yml
@@ -0,0 +1,115 @@
+---
+# samba/nfs-api/tasks/main.yml
+
+- name: ensure the deploy key is available
+  copy:
+    src: "{{ nfs_api_deploy_key }}"
+    dest: /root/.ssh/nfsapi
+    owner: root
+    group: root
+    mode: 0600
+  tags:
+    - user-scripts
+    - nfsapi
+    - webservices
+
+# https://github.com/ansible/ansible/issues/27699
+- name: ensure fucking git module is able to clone
+  command: mount -o remount,exec /tmp
+  tags:
+    - userscripts
+    - nfsapi
+    - webservices
+
+- name: ensure we have the program
+  git:
+    repo: git@git.fsmpi.rwth-aachen.de:infra/user-scripts.git
+    dest: "{{ nfs_api_web_root }}/program"
+    accept_hostkey: True # TODO remove this
+    key_file: /root/.ssh/nfsapi
+  notify:
+    - restart uwsgi for nfsapi
+  tags:
+    - userscripts
+    - nfsapi
+    - webservices
+
+- name: ensure fucking git module is not able to clone anymore
+  command: mount -o remount,noexec /tmp
+  tags:
+    - userscripts
+    - nfsapi
+    - webservices
+
+- name: ensure we have a virtualenv
+  pip:
+    requirements: "{{ nfs_api_web_root }}/program/requirements-nfs.txt"
+    virtualenv: "{{ nfs_api_web_root }}/program/venv"
+    virtualenv_python: python3
+  notify:
+    - restart uwsgi for nfsapi
+  tags:
+    - userscripts
+    - nfsapi
+    - webservices
+
+- name: ensure we have our config
+  template:
+    src: config.py
+    dest: "{{nfs_api_web_root}}/program/config.py"
+    owner: root
+    group: nfsapi
+    mode: 0640
+  notify:
+    - restart uwsgi for nfsapi
+  tags:
+    - userscripts
+    - nfsapi
+    - webservices
+
+- name: ensure nfsapi can create homedirs
+  template:
+    src: sudoers
+    dest: /etc/sudoers.d/nfsapi
+    owner: root
+    group: root
+    mode: 0440
+  tags:
+    - sudo
+    - usercripts
+    - nfsapi
+    - webservices
+
+- name: check the sudo config
+  command: visudo -q -c -f /etc/sudoers
+  changed_when: no
+  tags:
+    - sudo
+    - userscripts
+    - nfsapi
+    - webservices
+
+- name: ensure we have a unit file
+  copy:
+    src: nfsapi.service
+    dest: /etc/systemd/system/nfsapi.service
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - reload systemd service files
+    - restart uwsgi for nfsapi
+  tags:
+    - userscripts
+    - nfsapi
+    - webservices
+
+- meta: flush_handlers
+
+- name: ensure the service is enabled
+  systemd: name=nfsapi enabled=yes
+  tags:
+   - userscripts
+   - nfsapi
+   - webservices
+
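Review bot: The sudoers drop-in (`ensure nfsapi can create homedirs`) is written to /etc/sudoers.d/nfsapi without validation, and the separate `visudo -q -c -f /etc/sudoers` task only reports a problem after a broken file is already in place; add `validate: 'visudo -cf %s'` to that template task so a syntactically bad rule is never installed, after which the check task is redundant. The tag names are inconsistent — `user-scripts` on the deploy-key task and `usercripts` on the sudoers task versus `userscripts` everywhere else — so `--tags userscripts` silently skips exactly the two tasks that install the key and the sudo rule. The `remount,exec /tmp` / `remount,noexec /tmp` pair is not wrapped in `block`/`always`, so a failing clone leaves /tmp executable until the next run; put the remount-exec, git and remount-noexec steps in a `block` with the noexec remount in `always`. `accept_hostkey: True` (already marked TODO) disables host-key verification for the clone; seeding the key with the `known_hosts` module before the git task lets that flag go. Lesser points: `group: nfsapi` in the config task should be `"{{ nfs_api_group }}"` like the rest of the role, and the final task only sets `enabled=yes` without `state: started`, so a stopped service is not brought up on a no-change run.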
diff --git a/nfs-api/templates/config.py b/nfs-api/templates/config.py
new file mode 100644
index 0000000..b123ef8
--- /dev/null
+++ b/nfs-api/templates/config.py
@@ -0,0 +1,7 @@
+HOMEDIRS = '{{nfs_api_homedirs}}'
+AUTH_GROUP = '{{nfs_api_auth_group}}'
+AD_HOST = '{{nfs_api_ad_host}}'
+AD_DOMAIN = '{{nfs_api_domain}}'
+AD_USER_DN = '{{nfs_api_user_dn}}'
+AD_GROUP_DN = '{{nfs_api_group_dn}}'
+AD_CA_CERT = '{{nfs_api_ca_cert}}'
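Review bot: Every value is dropped raw into a single-quoted Python literal, so a variable containing `'` or a backslash produces a config.py that fails to import and takes the service down at the next restart; rendering the whole literal with the `to_json` filter yields a valid Python string for any input, e.g. `HOMEDIRS = {{ nfs_api_homedirs | to_json }}` (same pattern for the other six lines). The template carries no header noting that it is Ansible-managed; a first line such as `# managed by ansible (nfs-api role); edit nfs_api_* variables instead` avoids hand edits being overwritten.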
diff --git a/nfs-api/templates/sudoers b/nfs-api/templates/sudoers
new file mode 100644
index 0000000..c74ae0a
--- /dev/null
+++ b/nfs-api/templates/sudoers
@@ -0,0 +1 @@
+{{nfs_api_user}} ALL=NOPASSWD: {{nfs_api_web_root}}/program/create-homedir.py
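Review bot: This rule lets `nfs_api_user` run `{{nfs_api_web_root}}/program/create-homedir.py` as root, with any arguments, without a password, so the security of the whole host rests on that script and every directory above it being unwritable by the service user. The git task in tasks/main.yml clones as root without setting owner/group, but the uwsgi-python dependency receives `uwsgi_home: {{nfs_api_web_root}}` and may adjust ownership of that tree — confirm from that role that the service user cannot modify the script, or add a task that pins root ownership and mode on `program/create-homedir.py`. A comment line at the top of the template stating this invariant (`# create-homedir.py and its parents must stay root-owned; nfs_api_user must not be able to write them`) would keep the requirement visible, and an explicit runas spec, `{{nfs_api_user}} ALL=(root) NOPASSWD: …`, documents the intent.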
-- 
GitLab