
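---
# Tasks that turn a Debian host into a SecureDrop test-package build and apt
# repository host: build toolchain, a passphrase-less signing key for test
# packages, one reprepro repository per branch under /var/www/html, a cron
# driven update script, and an optional https-portal TLS front end.
- name: apt-get install git
  apt:
    name: git
    state: present

- name: apt-get install virtualenv
  apt:
    name: virtualenv
    state: present

- name: apt-get install python-pip
  apt:
    name: python-pip
    state: present

- name: pip install setuptools
  pip:
    name: setuptools

- name: pip install docker
  pip:
    name: docker

- name: chown debian /srv
  file:
    path: /srv
    owner: debian

- name: git clone https://github.com/freedomofpress/securedrop
  git:
    repo: "{{ packages_securedrop_repo }}"
    # force discards any local modifications in dest on every run
    force: true
    dest: /srv/securedrop
  become: false

# Docker documents membership of the docker group as root-equivalent on the
# host, so this step is only appropriate on a single-purpose build host.
- name: Allow debian user to use docker without sudo
  user:
    name: debian
    groups: docker
    # without append the user module replaces the user's supplementary
    # groups with just "docker", silently dropping e.g. sudo membership
    append: true

- name: reset ssh connection to be in the docker group
  # ugly hack in replacement to
  # meta: reset_connection
  # The later fails in this way:
  # https://github.com/ansible/ansible/issues/27520#issuecomment-321966784
  # Removing the ControlPersist socket forces the next task to open a fresh
  # SSH session, which picks up the new group membership.
  local_action:
    module: file
    path: "~/.ansible/cp/{{ ansible_host }}-{{ ansible_port }}-{{ ansible_user }}"
    state: absent
  become: false

- name: apt-get install haveged
  apt:
    name: haveged
    state: present

# Unattended key generation parameters. %no-protection means the private key
# has no passphrase: anyone who can read debian's ~/.gnupg can sign packages
# with it, which is why this key is only used for test packages.
- name: GPG key creation batch
  copy:
    dest: /tmp/batch
    content: |
      %echo Generating a basic OpenPGP key
      Key-Type: RSA
      Key-Length: 4096
      Subkey-Type: ELG-E
      Subkey-Length: 4096
      Name-Real: SecureDrop test packages
      Name-Comment: with no passphrase
      Name-Email: contact@securedrop.club
      Expire-Date: 0
      %no-protection
      %commit

- name: create GPG key
  shell: |
    gpg --batch --generate-key /tmp/batch
  args:
    # idempotence marker; assumes the unprivileged connection user is
    # "debian" so that ~/.gnupg resolves to this path — TODO confirm
    creates: /home/debian/.gnupg/trustdb.gpg
  become: false

- name: /var/www/html is owned by debian
  file:
    path: /var/www/html
    state: directory
    owner: debian

- name: /var/www/html/conf is owned by debian
  file:
    path: /var/www/html/conf
    state: directory
    owner: debian

# gpg --export with no key id exports every public key in debian's keyring,
# not only the one generated above.
- name: expose the public GPG key
  shell: |
    gpg --export --armor > /var/www/html/key.asc
  args:
    creates: /var/www/html/key.asc
  become: false

- name: Copy index.html
  template:
    src: index.html
    dest: /var/www/html/index.html
    owner: debian
    mode: "0644"

- name: per branch directory for packages
  file:
    path: "/var/www/html/{{ item }}/conf"
    recurse: true
    state: directory
    owner: debian
  with_items: "{{ packages_branches }}"

# One reprepro repository per branch. "SignWith: yes" is reprepro syntax
# inside a literal block scalar (sign with the default key), not a YAML
# boolean, so it must stay as written.
- name: reprepro configuration
  copy:
    dest: "/var/www/html/{{ item }}/conf/distributions"
    content: |
      Origin: Debian
      Label: SecureDrop
      Suite: stable
      Codename: trusty
      Architectures: amd64 source
      Components: main
      Description: SecureDrop
      SignWith: yes
  with_items: "{{ packages_branches }}"

- name: Copy update-packages.sh
  template:
    src: update-packages.sh.j2
    dest: /srv/update-packages.sh
    owner: debian
    mode: "0755"

- name: Copy crontab
  template:
    src: crontab
    dest: /srv/crontab
    owner: debian
    mode: "0600"
  register: crontab

- name: update-packages.sh log file
  file:
    path: /var/log/update-packages.log
    state: touch
    owner: debian

- name: install /etc/logrotate.d/packages-logrotate
  copy:
    src: packages-logrotate
    dest: /etc/logrotate.d/packages-logrotate

- name: Activate crontab
  shell: crontab /srv/crontab
  # "is changed" test form; the "crontab|changed" filter form was
  # deprecated in Ansible 2.5 and removed in 2.9
  when: crontab is changed
  become: false

# Optional TLS front end: only started when with_https is true, otherwise
# the container is removed.
- name: start https-portal
  docker_container:
    name: https-portal
    # pinned by tag only; tags are mutable, a digest pin would be immutable
    image: steveltn/https-portal:1.2.4
    restart_policy: always
    ports:
      - '80:80'
      - '443:443'
    env:
      DOMAINS: '{{ packages_vhost_fqdn }} -> http://{{ packages_vhost_fqdn }}:8080'
      STAGE: "{% if with_fake_LE is undefined %}production{% else %}staging{% endif %}"
      # env values must be strings: a bare 128 parses as a YAML int, which
      # newer docker_container versions reject
      SERVER_NAMES_HASH_BUCKET_SIZE: "128"
    state: "{% if with_https is defined and with_https == true %}started{% else %}absent{% endif %}"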