Commit 6bf98599 authored by Robin Sonnabend's avatar Robin Sonnabend

Add role for user-scripts nfs-api

parent 05c1849e
nfs_api_web_root: /var/www/nfs-api
nfs_api_user: nfsapi
nfs_api_group: nfsapi
nfs_api_homedirs: "/home"
nfs_api_auth_group: "Domain Admins"
nfs_api_ad_host: "auth.fsmpi.rwth-aachen.de"
nfs_api_domain: "FSMPI"
nfs_api_user_dn: "cn=users,dc=fsmpi,dc=rwth-aachen,dc=de"
nfs_api_group_dn: "cn=users,dc=fsmpi,dc=rwth-aachen,dc=de"
nfs_api_ca_cert: "/etc/ssl/certs/rwth_chain.pem"
nfs_api_mountpoint: /api
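Review bot: `nfs_api_deploy_key`, which the deploy-key copy task in tasks/main.yml reads as its `src`, has no entry in this defaults file, so the role aborts with an undefined-variable error unless every inventory that applies it sets the value. A commented placeholder here, `# nfs_api_deploy_key: required — path to the private deploy key; set in host/group vars, never commit it to defaults`, makes the requirement visible where people look for the role's variables. Quoting is also mixed (`nfs_api_web_root: /var/www/nfs-api` plain, `nfs_api_homedirs: "/home"` quoted); neither value is at risk of mis-typing, but one convention for the file reads better.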
[Unit]
Description=nfsapi
After=network.target
[Service]
ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/apps-available/nfsapi.ini
Restart=always
KillSignal=SIGTERM
Type=notify
NotifyAccess=all
[Install]
WantedBy=multi-user.target
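Review bot: The unit orders itself only `After=network.target`, which is reached before any interface is configured; since the application talks to the AD host named in the role defaults, `After=network-online.target` together with `Wants=network-online.target` is the documented way to wait for connectivity. No `User=`/`Group=` is set, so whether uwsgi ever drops root depends entirely on the ini file named in `ExecStart`; the meta dependency passes `uwsgi_user`/`uwsgi_group` to the uwsgi-python role, which presumably writes them into that ini, but it is worth confirming rather than assuming. A one-line comment above `[Service]`, `# privileges are dropped by uwsgi itself via uid/gid in nfsapi.ini`, would record that decision for the next reader.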
---
# file: samba/nfs-api/handlers/main.yml
- name: reload systemd service files
command: systemctl daemon-reload
- name: restart uwsgi for nfsapi
systemd: name=nfsapi state=restarted
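Review bot: Both handlers use the `key=value` argument string (`systemd: name=nfsapi state=restarted`) while the tasks file uses block YAML for module arguments; writing `systemd:` with nested `name: nfsapi` and `state: restarted` keeps the role consistent and lets linters see the arguments. The daemon-reload handler can use the same module, `systemd: daemon_reload: true`, instead of `command: systemctl daemon-reload`, which as a `command` task always reports changed.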
---
# file: samba/nfs-api/meta/main.yml
dependencies:
- { role: uwsgi-python, uwsgi_name: "nfsapi", uwsgi_user: "{{nfs_api_user}}", uwsgi_group: "{{nfs_api_group}}", uwsgi_path: "{{nfs_api_web_root}}/program", uwsgi_venv: "{{nfs_api_web_root}}/program/venv", uwsgi_home: "{{nfs_api_web_root}}", uwsgi_program: "nfsapi.py", uwsgi_callable: "app", uwsgi_python: 3, uwsgi_options: ["close-on-exec"], uwsgi_mountpoint: "{{nfs_api_mountpoint}}" }
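Review bot: The single dependency is written as one very long flow mapping, which is hard to review, diffs as a whole-line change for any edit, and hides which of the twelve parameters changed; the same data in block style, one key per line, is the idiomatic form for a structured entry like this. `uwsgi_python: 3` is the only bare integer among string values — if the uwsgi-python role compares it against `"3"` that is a silent mismatch, so either quote it or confirm the role expects an int. The restructured entry, values unchanged, would be:
```yaml
dependencies:
  - role: uwsgi-python
    uwsgi_name: "nfsapi"
    uwsgi_user: "{{ nfs_api_user }}"
    uwsgi_group: "{{ nfs_api_group }}"
    uwsgi_path: "{{ nfs_api_web_root }}/program"
    uwsgi_venv: "{{ nfs_api_web_root }}/program/venv"
    uwsgi_home: "{{ nfs_api_web_root }}"
    uwsgi_program: "nfsapi.py"
    uwsgi_callable: "app"
    uwsgi_python: 3  # TODO confirm the uwsgi-python role expects an int here
    uwsgi_options:
      - "close-on-exec"
    uwsgi_mountpoint: "{{ nfs_api_mountpoint }}"
```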
---
# samba/nfs-api/tasks/main.yml
- name: ensure the deploy key is available
copy:
src: "{{ nfs_api_deploy_key }}"
dest: /root/.ssh/nfsapi
owner: root
group: root
mode: 0600
tags:
- user-scripts
- nfsapi
- webservices
# https://github.com/ansible/ansible/issues/27699
- name: ensure fucking git module is able to clone
command: mount -o remount,exec /tmp
tags:
- userscripts
- nfsapi
- webservices
- name: ensure we have the program
git:
repo: git@git.fsmpi.rwth-aachen.de:infra/user-scripts.git
dest: "{{ nfs_api_web_root }}/program"
accept_hostkey: True # TODO remove this
key_file: /root/.ssh/nfsapi
notify:
- restart uwsgi for nfsapi
tags:
- userscripts
- nfsapi
- webservices
- name: ensure fucking git module is not able to clone anymore
command: mount -o remount,noexec /tmp
tags:
- userscripts
- nfsapi
- webservices
- name: ensure we have a virtualenv
pip:
requirements: "{{ nfs_api_web_root }}/program/requirements-nfs.txt"
virtualenv: "{{ nfs_api_web_root }}/program/venv"
virtualenv_python: python3
notify:
- restart uwsgi for nfsapi
tags:
- userscripts
- nfsapi
- webservices
- name: ensure we have our config
template:
src: config.py
dest: "{{nfs_api_web_root}}/program/config.py"
owner: root
group: nfsapi
mode: 0640
notify:
- restart uwsgi for nfsapi
tags:
- userscripts
- nfsapi
- webservices
- name: ensure nfsapi can create homedirs
template:
src: sudoers
dest: /etc/sudoers.d/nfsapi
owner: root
group: root
mode: 0440
tags:
- sudo
- usercripts
- nfsapi
- webservices
- name: check the sudo config
command: visudo -q -c -f /etc/sudoers
changed_when: no
tags:
- sudo
- userscripts
- nfsapi
- webservices
- name: ensure we have a unit file
copy:
src: nfsapi.service
dest: /etc/systemd/system/nfsapi.service
owner: root
group: root
mode: 0644
notify:
- reload systemd service files
- restart uwsgi for nfsapi
tags:
- userscripts
- nfsapi
- webservices
- meta: flush_handlers
- name: ensure the service is enabled
systemd: name=nfsapi enabled=yes
tags:
- userscripts
- nfsapi
- webservices
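Review bot: The sudoers fragment written to `dest: /etc/sudoers.d/nfsapi` has no `validate:` option, so a bad render lands on disk before the separate `visudo -q -c -f /etc/sudoers` task looks at it, and sudo refuses every invocation while an included file fails to parse; adding `validate: 'visudo -cf %s'` to that template task rejects the file before it is installed and makes the later check task redundant. The same task carries the tag `usercripts` and the deploy-key task carries `user-scripts`, while every other task uses `userscripts`, so a run limited to `--tags userscripts` silently skips both. The `mount -o remount,exec /tmp` and `remount,noexec` commands are plain sequential tasks, so a failed clone between them leaves /tmp executable until the next run; the rewrite below puts the clone in a `block:` with the noexec remount in `always:`. `accept_hostkey: True` already carries a TODO; seeding the server's key with the `known_hosts` module before the clone lets that option go away without breaking the task.
```yaml
# https://github.com/ansible/ansible/issues/27699
- name: clone the program with /tmp temporarily mounted exec
  block:
    - name: ensure the git module is able to clone
      command: mount -o remount,exec /tmp
    - name: ensure we have the program
      git:
        # … unchanged: repo, dest, accept_hostkey, key_file …
      notify:
        - restart uwsgi for nfsapi
  always:
    # runs even when the clone fails, so /tmp never stays exec
    - name: ensure /tmp is mounted noexec again
      command: mount -o remount,noexec /tmp
  tags:
    - userscripts
    - nfsapi
    - webservices
```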
HOMEDIRS = '{{nfs_api_homedirs}}'
AUTH_GROUP = '{{nfs_api_auth_group}}'
AD_HOST = '{{nfs_api_ad_host}}'
AD_DOMAIN = '{{nfs_api_domain}}'
AD_USER_DN = '{{nfs_api_user_dn}}'
AD_GROUP_DN = '{{nfs_api_group_dn}}'
AD_CA_CERT = '{{nfs_api_ca_cert}}'
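Review bot: Every value is dropped verbatim into a single-quoted Python literal, so a variable containing `'` or a backslash (a DN with an escaped comma, for instance) renders a config.py that no longer parses or means something else, and the service presumably fails at import. Rendering each line as `HOMEDIRS = {{ nfs_api_homedirs | to_json }}` (and likewise for the other six) yields a correctly escaped string literal for any value. A header such as `# Managed by Ansible (samba/nfs-api role) — change the role variables, not this file` would also save the next person from editing it under the web root.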
{{nfs_api_user}} ALL=NOPASSWD: {{nfs_api_web_root}}/program/create-homedir.py
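Review bot: The rule grants `{{nfs_api_user}}` passwordless root for a script that lives inside the git checkout under `{{nfs_api_web_root}}/program`, so it is only as strong as the write protection on that file and its parent directories. The clone task runs without `become`, i.e. as the playbook's connection user, so the files are presumably root-owned, but nothing in the role asserts that; a `file:` task pinning `owner: root`, `group: root`, `mode: "0755"` on `create-homedir.py` (or a `stat` check that fails the play otherwise) makes the assumption explicit. A leading comment in the template, `# Managed by Ansible; lets the nfsapi service user create home directories and nothing else`, documents the intent for whoever audits /etc/sudoers.d later.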