Update to 2021-12-31 14:05

README.md

@@ -25,7 +25,7 @@ Here're the steps to make use of this. Note that this is not a complete ansible
 
 * Clone the repo
 ```
-git clone https://git.lapiole.org/fws/ansible-roles.git
+git clone https://git.lapiole.org/dani/ansible-roles.git
 cd ansible-roles
 ```
 
@@ -44,7 +44,7 @@ ssh-keygen -t rsa -b 4096 -f ssh/id_rsa
 useradd -m ansible
 mkdir ~ansible/.ssh
 cat <<_EOF > ~ansible/.ssh/authorized_keys
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwnPxF7vmJA8Jr7I2q6BNRxQIcnlFaA3O58x8532qXIox8fUdYJo0KkjpEl6pBSWGlF4ObTB04/Nks5rhv9Ew+EHO5GvavzVp5L3u8T+PP+idlLlwIERL2R632TBWVbxqvhtc813ozpaMRI7nCabgiIp8rFf4hqYJIn/RMpRdPSQaHrPHQpFEW9uHPbFYZ9+dywY88WXY+VJI1rkIU3NlOAw3GKjEd6iqiOboDl8Ld4qqc+NpqDFPeidYbk5xjKv3l/Y804tdwqO1UYC+psr983rs1Kq91jI/5xSjSQFM51W3HCpZMTzSIt4Swy+m+eqUIrInxMmw72HF2CL+PePHgmusMUBYPdBfqHIxEHEbvPuO67hLAhqH1dUDBp+0oiRSM/J/DX7K+I+jNO43/UtcvnrBjNjzAiiJEG3WRAcBAUpccOu3JHcRN5CLRB26yfLXpFRzUNCnajmdZF7qc0G5gJuy8KpUZ49VTmZmJ0Uzx1rZLaytSjHpf4e5X6F8iTQ1QmORxvCdfdsqoeod7jK384NXq+UD24Y/tEgq/eT7pl3yLCpQo4qKd/aCEBqc2bnLggVRr+WX94ojMdK35qYbdXtLsN5y6L20yde8tGtWY+nmbJzLnqVJ4TKxXKMl7q9Sdj1t7BrqQQIK3H9kP7SZRhWNP6tvNKBgKFgc/k01ldw== ansible@fws.fr
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQgTcFNGSnLtuvNg53rdTEjbpwTGlhQj3PJ6Ova0eIPU8uf0ZrdET9guqvI3k1ng1OHNzWk3E+6VyXYW+N/nyLiliXxR4Dyf0DRECz8PSdGd8TnmRHGfNtLg941ndI6XqrZDt9+CLghAjasuRWV1LvWIK5M+z1X/uFAPmLAUDdkx7hC9PNb5M3yBkyRiwfB8OifLvQlWaM9Nr1wZMFvyD/LqZfHuzuv1CD76sZ+7GnHK3gZ4n+LAamQOhJiBqYOoTRMFOCLSIBYnGwuVdmEtC6mlbaw8Vj6umnPpJ3lwEO6IfUnIRz1XIr32kh0qXd6MWV/aHto9uzDlAO1EKm1WI8yjSm2NzUqWc5eelHFfYOQgro1KhoVkh1D39iyQZMblxqO8nuaX5sHK4F9r0/E+hDj8tWhsiocdO+/B7nYuMiDsqUpVVvtiTvk3x5J3FhaTmmA3F0buObjok1ifd1HeE6IORzHzsWFo9TvMpF1CjjOw7FG2vlH6eIvS29/9whzLK= ansible@lapiole.org
 _EOF
 chown -R ansible:ansible ~ansible/.ssh/
 chmod 700 ~ansible/.ssh/
@@ -88,7 +88,7 @@ This will create a single group **infra** with two hosts in it.
 It's pretty self-explanatory. First, roles **common** and **backup** will be deployed on every hosts in the infra group. Then, **mysql_server** and **postgresql_server** will be deployed on **db.acme.com**. And roles **nginx**, **letsencrypt** and **lemonldap_ng** will be deployed on host **proxyin.acme.com**
 
 * Now, it's time to configure a few things. Configuration is done be assigning values to varibles, and can be done at several levels.
-    * group_vars/all/vars.yml : variables here will be inherited by every hosts
+* group_vars/all/vars.yml : variables here will be inherited by every hosts
 ```
 ansible_become: True
 trusted_ip:
@@ -108,7 +108,7 @@ zabbix_agent_servers: "{{ zabbix_ip }}"
 zabbix_proxy_encryption: psk
 zabbix_proxy_server: 'zabbix.example.com'
 ```
-    * group_vars/infra/vars.yml : variables here will be inherited by hosts in the **infra** group
+* group_vars/infra/vars.yml : variables here will be inherited by hosts in the **infra** group
 ```
 sshd_src_ip: "{{ trusted_ip }}"
 postfix_relay_host: '[smtp.example.com]:587'
@@ -118,12 +118,11 @@ postfix_relay_pass: "S3cretP@ssw0rd"
 ssh_users:
   - name: ansible
     ssh_keys:
-      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwnPxF7vmJA8Jr7I2q6BNRxQIcnlFaA3O58x8532qXIox8fUdYJo0KkjpEl6pBSWGlF4ObTB04/Nks5rhv9Ew+EHO5GvavzVp5L3u8T+PP+idlLlwIERL2R632TBWVbxqvhtc813ozpaMRI7nCabgiIp8rFf4hqYJIn/RMpRdPSQaHrPHQpFEW9uHPbFYZ9+dywY88WXY+VJI1rkIU3NlOAw3GKjEd6iqiOboDl8Ld4qqc+NpqDFPeidYbk5xjKv3l/Y804tdwqO1UYC+psr983rs1Kq91jI/5xSjSQFM51W3HCpZMTzSIt4Swy+m+eqUIrInxMmw72HF2CL+PePHgmusMUBYPdBfqHIxEHEbvPuO67hLAhqH1dUDBp+0oiRSM/J/DX7K+I+jNO43/UtcvnrBjNjzAiiJEG3WRAcBAUpccOu3JHcRN5CLRB26yfLXpFRzUNCnajmdZF7qc0G5gJuy8KpUZ49VTmZmJ0Uzx1rZLaytSjHpf4e5X6F8iTQ1QmORxvCdfdsqoeod7jK384NXq+UD24Y/tEgq/eT7pl3yLCpQo4qKd/aCEBqc2bnLggVRr+WX94ojMdK35qYbdXtLsN5y6L20yde8tGtWY+nmbJzLnqVJ4TKxXKMl7q9Sdj1t7BrqQQIK3H9kP7SZRhWNP6tvNKBgKFgc/k01ldw== ansible@fws.fr
+      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwnPxF7vmJA8Jr7I2q6BNRxQIcnlFaA3O58x8532qXIox8fUdYJo0KkjpEl6pBSWGlF4ObTB04/Nks5rhv9Ew+EHO5GvavzVp5L3u8T+PP+idlLlwIERL2R632TBWVbxqvhtc813ozpaMRI7nCabgiIp8rFf4hqYJIn/RMpRdPSQaHrPHQpFEW9uHPbFYZ9+dywY88WXY+VJI1rkIU3NlOAw3GKjEd6iqiOboDl8Ld4qqc+NpqDFPeidYbk5xjKv3l/Y804tdwqO1UYC+psr983rs1Kq91jI/5xSjSQFM51W3HCpZMTzSIt4Swy+m+eqUIrInxMmw72HF2CL+PePHgmusMUBYPdBfqHIxEHEbvPuO67hLAhqH1dUDBp+0oiRSM/J/DX7K+I+jNO43/UtcvnrBjNjzAiiJEG3WRAcBAUpccOu3JHcRN5CLRB26yfLXpFRzUNCnajmdZF7qc0G5gJuy8KpUZ49VTmZmJ0Uzx1rZLaytSjHpf4e5X6F8iTQ1QmORxvCdfdsqoeod7jK384NXq+UD24Y/tEgq/eT7pl3yLCpQo4qKd/aCEBqc2bnLggaRr+WX94ojMdK35qYb8XtLsN5y6L20yde8tGtWY+nmbJzLnqVJ4TKxX/Ml7q9Sdj1t7BrqQqIK3T9kP7SZRhWNP6tvNKBgKFgc/k01ldw== ansible@lapiole.org
   - name: dani
     allow_forwarding: True
     ssh_keys:
-      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwnPxF7vmJA8Jr7I2q6BNRxQIcnlFaA3O58x8532qXIox8fUdYJo0KkjpEl6pBSWGlF4ObTB04/Nks5rhv9Ew+EHO5GvavzVp5L3u8T+PP+idlLlwIERL2R632TBWVbxqvhtc813ozpaMRI7nCabgiIp8rFf4hqYJIn/RMpRdPSQaHrPHQpFEW9uHPbFYZ9+
+      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwnPxF7vmJA8Jr7I2q6BNRxQIcnlFaA3O58x8532qXIox8fUdYJo0KkjpEl6pBSWGlF4ObTB04/Nks5rhv9Ew+EHO5GvavzVp5L3u8T+PP+idlLlwIERL2R632TBWVbxqvhtc813ozpaMRI7nCabgiIp8rFf4hqYJIn/RMpRdPSQaHrPHQpFEW9uHPbFYZ9+dywY88WXY+VJI1rkIU3NlOAw3GKjEd6iqiOboDl8Ld4qqc+NpqDFPeidYbk5xjKv3l/Y804tdwqO1UYC+psr983rs1Kq91jI/5xSjSQFM51W3HCpZMTzSIt4Swy+m+eqUIrInxMmw72HF2CL+PePHgmusMUBYPdBfqHIxEHEbvPuO67hLAhqH1dUDBp+0oiRSM/J/DX7K+I+jNO43/UtcvnrBjNjzAiiJEG3WRAcBAUpccOu3JHcRN5CLRB26yfLXpFRzUNCnajmdZF7qc9G5gJuy8KpUZ49VTmZmJ0Uzx1rZLaytSjHpf4e5X6F8iTQ1QMORxvCdfdsqoeod7jK384NXq+UD24Y/tEgT/eT7pl3yLCpQo4qKd/aCEBqc2bnLggVRr+dX94ojMdK35qYbdXtLsN5y6L20yde8tGtWY+nmbJzLnqVJ4TKxXKMl7q9Sdj1t7BrqQQIK3H9kP7SZRhWNP6tvNKBgKFgc/k01ldw== dani@lapiole.org
-dywY88WXY+VJI1rkIU3NlOAw3GKjEd6iqiOboDl8Ld4qqc+NpqDFPeidYbk5xjKv3l/Y804tdwqO1UYC+psr983rs1Kq91jI/5xSjSQFM51W3HCpZMTzSIt4Swy+m+eqUIrInxMmw72HF2CL+PePHgmusMUBYPdBfqHIxEHEbvPuO67hLAhqH1dUDBp+0oiRSM/J/DX7K+I+jNO43/UtcvnrBjNjzAiiJEG3WRAcBAUpccOu3JHcRN5CLRB26yfLXpFRzUNCnajmdZF7qc0G5gJuy8KpUZ49VTmZmJ0Uzx1rZLaytSjHpf4e5X6F8iTQ1QmORxvCdfdsqoeod7jK384NXq+UD24Y/tEgq/eT7pl3yLCpQo4qKd/aCEBqc2bnLggVRr+WX94ojMdK35qYbdXtLsN5y6L20yde8tGtWY+nmbJzLnqVJ4TKxXKMl7q9Sdj1t7BrqQQIK3H9kP7SZRhWNP6tvNKBgKFgc/k01ldw== dani@fws.fr
 
 # Default database server
 mysql_server: db.acme.com
@@ -136,7 +135,7 @@ letsencrypt_dns_provider: gandi
 letsencrypt_dns_provider_options: '--api-protocol=rest'
 letsencrypt_dns_auth_token: "G7BL9RzkZdUI"
 ```
-    * host_vars/proxyin.acme.com/vars.yml : variables here will be inherited only by the host **proxyin.acme.com**
+* host_vars/proxyin.acme.com/vars.yml : variables here will be inherited only by the host **proxyin.acme.com**
 ```
 nginx_auto_letsencrypt_cert: True
 
@@ -146,7 +145,7 @@ nginx_default_vhost_extra:
   csp: >-
     default-src 'self' 'unsafe-inline' blob:;
     style-src-elem 'self' 'unsafe-inline' data:;
-    img-src 'self' data: blob: https://stats.fws.fr;
+    img-src 'self' data: blob: https://stats.lapiole.org;
     script-src 'self' 'unsafe-inline' 'unsafe-eval' https://stats.acme.com blob:;
     font-src 'self' data:
   proxy:

roles/bookstack/defaults/main.yml

@@ -19,7 +19,7 @@ bookstack_root_dir: /opt/bookstack_{{ bookstack_id }}
 # User under which the app will be executed
 bookstack_php_user: php-bookstack_{{ bookstack_id }}
 # Version of PHP used
-bookstack_php_version: 80
+bookstack_php_version: 81
 # Or you can specify here the name of a custom PHP FPM pool. See the httpd_php role
 # bookstack_php_fpm_pool: custom_bookstack
 

roles/diagrams/defaults/main.yml

@@ -1,11 +1,11 @@
 ---
 
 # Veresion of diagrams to deploy
-diagrams_version: 15.9.6
+diagrams_version: 16.1.0
 # URL of the WAR file to deploy
 diagrams_war_url: https://github.com/jgraph/drawio/releases/download/v{{ diagrams_version }}/draw.war
 # Expected sha1 of the WAR file
-diagrams_war_sha1: 54db4de31408d309dfc27ec81a6def55bca15afc
+diagrams_war_sha1: ceee75855e8ac9a69d3723c2aa8c414a59d9c565
 # root directory of the installation
 diagrams_root_dir: /opt/diagrams
 # Should ansible manage upgrades, or just initial install ?

roles/etherpad/defaults/main.yml

@@ -40,8 +40,11 @@ etherpad_theme: colibris
 
 # List of plugins to install
 etherpad_plugins_base:
-  - adminpads
   - delete_after_delay
   - delete_empty_pads
 etherpad_plugins_extra: []
 etherpad_plugins: "{{ etherpad_plugins_base + etherpad_plugins_extra }}"
+
+# If you add the whiteboard plugin, set the URL
+# See https://www.npmjs.com/package/ep_whiteboard
+# etherpad_wbo_host: wbo.example.org

roles/etherpad/tasks/install.yml

@@ -51,6 +51,27 @@
   notify: restart etherpad
   tags: etherpad
 
+- name: Link plugins
+  file: src={{ etherpad_root_dir }}/app/src/node_modules/ep_{{ item }} dest={{ etherpad_root_dir }}/app/node_modules/ep_{{ item }} state=link
+  loop: "{{ etherpad_plugins }}"
+  notify: restart etherpad
+  tags: etherpad
+
+- name: List linked plugins
+  shell: find {{ etherpad_root_dir }}/app/node_modules/ -type l -maxdepth 1 -mindepth 1 -exec basename "{}" \;
+  register: etherpad_linked_plugins
+  changed_when: False
+  tags: etherpad
+
+- name: Unlink unmanaged plugins
+  file: path={{ etherpad_root_dir }}/app/node_modules/{{ item }} state=absent
+  loop: "{{ etherpad_linked_plugins.stdout_lines }}"
+  when:
+    - item | regex_replace('^ep_', '') not in etherpad_plugins
+    - item != 'ep_etherpad-lite'
+  notify: restart etherpad
+  tags: etherpad
+
 - import_tasks: ../includes/webapps_create_mysql_db.yml
   vars:
     - db_name: "{{ etherpad_db_name }}"

roles/etherpad/templates/settings.json.j2

@@ -22,6 +22,11 @@
       "is_admin" : true
     }
   },
+{% if 'whiteboard' in etherpad_plugins and etherpad_wbo_host is defined %}
+  "ep_draw": {
+    "host": "{{ etherpad_wbo_host }}"
+  },
+{% endif %}
   "ep_delete_after_delay": {
     "delay" : 2592000,
     "loop" : true,

roles/gitea/defaults/main.yml

@@ -1,11 +1,11 @@
 ---
 
 # Version to install
-gitea_version: 1.15.7
+gitea_version: 1.15.9
 # URL to the binary
 gitea_bin_url: https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64
 # sha256 of the binary
-gitea_bin_sha256: 39b2a3f447a102822216fcc695fafed64dd5745d455ce9bdb15381e80f0f38e5
+gitea_bin_sha256: dbdefbeed7073951ba955cb6c40bd7d9ece7a349c1326ad80c314690ff3616f1
 # Handle updates. If set to false, ansible will only install
 # Gitea and then won't touch an existing installation
 gitea_manage_upgrade: True

roles/gitea/tasks/conf.yml

@@ -32,3 +32,8 @@
   changed_when: False
   tags: gitea
 
+- name: Regenerate authorized_keys
+  command: "{{ gitea_root_dir }}/bin/gitea -c {{ gitea_root_dir }}/etc/app.ini admin regenerate keys"
+  become_user: gitea
+  when: gitea_install_mode == 'upgrade'
+  tags: gitea

roles/matrix_element/defaults/main.yml

@@ -5,9 +5,9 @@
 element_id: element
 
 # Version to deploy, and expected sha1
-element_version: 1.9.7
+element_version: 1.9.8
 # sha1sum of the tar.gz
-element_archive_sha1: a99123bce678b0e63380790ce80cafeb4e0d89ec
+element_archive_sha1: 2f3099c119253f2c5d248ca7c8af9019dbc55a03
 
 # Where to install element
 element_root_dir: /opt/matrix/element

roles/matrix_synapse/defaults/main.yml

@@ -1,7 +1,7 @@
 ---
 
 # Synapse version to deploy
-synapse_version: 1.49.0
+synapse_version: 1.49.2
 
 # Should ansible handle Synapse upgrades ? If false, only initial install will be done
 synapse_manage_upgrade: True

roles/openxpki/defaults/main.yml

@@ -1,8 +1,8 @@
 ---
 
-pki_version: '3.16.0'
+pki_version: '3.16.1'
 pki_archive_url: https://github.com/openxpki/openxpki/archive/v{{ pki_version }}.tar.gz
-pki_archive_sha1: 9bba585de36b81f70a7a315f8a591e388c516b38
+pki_archive_sha1: 87eb892bcf4d7098e0803e0f03d66f1268d4fcef
 
 pki_config_version: '3.16'
 pki_config_archive_url: https://github.com/openxpki/openxpki-config/archive/v{{ pki_config_version }}.tar.gz

roles/pgadmin4/defaults/main.yml

@@ -10,7 +10,7 @@ pga_src_ip: []
 # Root dir where the app will be installed
 pga_root_dir: /opt/pgadmin4_{{ pga_id }}
 # Version to deploy
-pga_version: '6.2'
+pga_version: '6.3'
 # URL of the wheel
 pga_pip_url: https://ftp.postgresql.org/pub/pgadmin/pgadmin4/v{{ pga_version }}/pip/pgadmin4-{{ pga_version }}-py3-none-any.whl
 

roles/pgadmin4/templates/config_local.py.j2

@@ -35,4 +35,4 @@ OAUTH2_CONFIG=[{
 WEBSERVER_AUTO_CREATE_USER=True
 WEBSERVER_REMOTE_USER='{{ pga_webserver_header }}'
 {% endif %}
-
+AUTO_DISCOVER_SERVERS = False

roles/rpm_build_server/README.md

@@ -0,0 +1,14 @@
+# RPM Build Server
+
+# Description
+This role will configure an rpm build server
+
+# Compatibility
+The role is testing on the following distributions
+* AlmaLinux 8
+
+# Settings
+
+# Installation
+
+# Upgrades

roles/rpm_build_server/defaults/main.yml

@@ -0,0 +1,47 @@
+---
+
+rpm_root_dir: /opt/rpm-build
+rpm_packager: RPM Builder <rpms@{{ ansible_domain }}>
+# User account under which the buildsys will run
+# will be created
+rpm_user: rpmbuilder
+# Unix group allowed to submit builds
+rpm_build_group: rpmbuilders
+# Admin email where notifications will be sent
+rpm_admin_email: "{{ system_admin_email | default('root@' ~ ansible_domain) }}"
+# name of the GPG key used to sign the packages
+rpm_gpg_name: RPM Signing Key
+rpm_gpg_email: rpms@{{ ansible_domain }}
+# optional passphrase for the GPG Key
+# rpm_gpg_pass: S3cr3tP@ssPhr4z
+
+# You can configure remote mirrors to which the local repo will be synced with rsync
+# rpm_mirrors:
+#   - dest: repo@repo.example.org:/opt/repo/rpms/
+#     rsync_opts:
+#       - '--times'
+#       - '--recursive'
+#       - '--partial'
+#       - '--delete-after'
+#       - '--exclude=archives'
+
+# A list of rsync options which will be used to sync repo to mirrors
+# This is a fallback if rsync_opts is not defined for a mirror
+rpm_mirror_rsync_opts:
+  - '--times'
+  - '--recursive'
+  - '--partial'
+  - '--delete-after'
+
+# You can use an LDAP server to lookup email address of build
+# submitters. The buildsys will first get the username of the uploaded SRPM
+# and then lookup into LDAP as configured here for the corresponding email address
+# If an email if found, notifications will be sent to the submitter's address
+rpm_ldap_servers: "{{ ad_ldap_servers is defined | ternary(ad_ldap_servers | map('regex_replace', '^(.*)', 'ldap://\\1') | list, []) }}"
+rpm_ldap_start_tls: True
+# rpm_ldap_bind_dn: CN=Build System,OU=Apps,DC=foo,DC=bar
+# rpm_ldap_bind_pass: S3cr3t.
+rpm_ldap_search_base: "{{ ad_ldap_user_search_base is defined | ternary(ad_ldap_user_search_base, ansible_domain | regex_replace('\\.', ',DC=')) }}"
+# The {user} string will be replaced with the username of the submiter of the build
+rpm_ldap_search_filter: (&(objectClass=user)(userPrincipalName={user})(mail=*))
+rpm_ldap_email_attr: mail

roles/rpm_build_server/files/watcher.pl

@@ -0,0 +1,357 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+use Linux::Inotify2;
+use YAML::Tiny;
+use Getopt::Long;
+use File::stat;
+use File::Find;
+use File::Basename;
+use File::Path qw(make_path);
+use File::Copy qw(move);
+use AnyEvent;
+use RPM2;
+use Time::HiRes 'time';
+use Email::MIME;
+use Email::Sender::Simple qw(sendmail);
+use Email::Sender::Transport::Sendmail;
+use Net::LDAP;
+
+# Init an empty conf
+my $conf = {};
+
+# Disable output buffering
+$| = 1;
+
+# Defaults for command line flags
+my $opt = {
+  config  => '../etc/config.yml',
+  verbose => 0,
+  quiet   => 0
+};
+
+# Read some options from the command line
+GetOptions (
+  'config=s' => \$opt->{config},
+  'quiet'    => \$opt->{quiet},
+  'verbose'  => \$opt->{verbose}
+);
+
+# Check if the config file exists, and if so, parse it
+# and load it in $conf
+if ( -e $opt->{config} ) {
+  log_verbose( "Reading config file " . $opt->{config} );
+  my $yaml = YAML::Tiny->read( $opt->{config} );
+
+  if ( not $yaml or not $yaml->[0] ) {
+    die "Config file " . $opt->{config} . " is invalid\n";
+  }
+  $conf = $yaml->[0];
+} else {
+  # If the config file doesn't exist, just die
+  die "Config file " . $opt->{config} . " doesn't exist\n";
+}
+
+# If ldap is configured, we'll use it to lookup email
+# addresses of submitters to send them notifications
+my $ldap;
+my $ldap_msg;
+if (defined $conf->{ldap} and defined $conf->{ldap}->{servers}){
+  log_verbose("Connecting to " . join(', ', @{$conf->{ldap}->{servers}}));
+  $ldap = new Net::LDAP($conf->{ldap}->{servers},
+    timeout => 10,
+  );
+  if (not defined $ldap){
+    log_info("Couldn't connect to any LDAP servers (" . join(',', @{$conf->{ldap}->{servers}}) . ")");
+  } else {
+    if (defined $conf->{ldap}->{start_tls} and $conf->{ldap}->{start_tls}){
+      log_verbose("Upgrade LDAP connection using StartTLS");
+      $ldap_msg = $ldap->start_tls(
+        verify => 'require'
+      );
+      if ($ldap_msg->code){
+        log_verbose("StartTLS failed : " . $ldap_msg->error);
+        log_verbose("LDAP support will be disabled");
+        $ldap = undef;
+      }
+    }
+    if (defined $conf->{ldap}->{bind_dn} and defined $conf->{ldap}->{bind_pass}){
+      log_verbose("Binding as $conf->{ldap}->{bind_dn}");
+      $ldap_msg = $ldap->bind(
+        $conf->{ldap}->{bind_dn},
+        password => $conf->{ldap}->{bind_pass}
+      );
+      if ($ldap_msg->code){
+        log_verbose("LDAP bind failed : " . $ldap_msg->error);
+        log_verbose("LDAP support will be disabled");
+        $ldap = undef;
+      }
+    } else {
+      log_verbose("Using anonymous bind");
+      $ldap_msg = $ldap->bind;
+    }
+  }
+} else {
+  log_verbose("No LDAP servers configured");
+}
+
+my $inotify = new Linux::Inotify2
+   or die "Unable to create new inotify object: $!";
+
+log_verbose("Searching for folders in $conf->{paths}->{uploads}");
+find({
+  wanted => sub { -d and create_watcher($inotify, $File::Find::name); }
+}, $conf->{paths}->{uploads});
+
+my $cv = AnyEvent->condvar;
+
+my $poller = AnyEvent->io(
+  fh   => $inotify->fileno,
+  poll => 'r',
+  cb   => sub { $inotify->poll }
+);
+
+# Receive event signals (inotify signals)
+$cv->recv;
+
+# Print messages only if the verbose flag was given
+sub log_verbose {
+  my $msg = shift;
+  print $msg . "\n" if ( $opt->{verbose} );
+}
+
+# Print normal messages
+sub log_info {
+  my $msg = shift;
+  print $msg . "\n" if ( not $opt->{quiet} );
+}
+
+# Print error messages
+sub log_error {
+  my $msg = shift;
+  print $msg . "\n";
+}
+
+# Create a watcher for a specific directory
+sub create_watcher {
+  my ($inotify, $dir) = @_;
+  log_verbose("Start watching folder $dir");
+  $inotify->watch ($dir, IN_CLOSE_WRITE | IN_MOVED_TO, sub {
+    my $event = shift;
+    my $candidate = $event->fullname;
+    handle_submit($candidate);
+  });
+}
+
+# takes the path of an SRPM to rebuild,
+# build it with mock, sign the result, update the repo
+# and sync to remote mirrors if defined
+sub handle_submit {
+  my $srpm = shift;
+  if (not -f $srpm){
+    log_verbose("$srpm isn't a file, ignoring");
+    return;
+  }
+  if ($srpm !~ m/src\.rpm$/i){
+    log_verbose("New file $srpm isn't an src.rpm file, ignoring");
+    return;
+  }
+  log_info("New file to process $srpm");
+  my $submiter = getpwuid(stat($srpm)->uid);
+  my $email;
+  log_info("File submited by $submiter");
+  if (defined $ldap){
+    $email = user2email($submiter);
+    if (not defined $email){
+      log_verbose("LDAP returned no result");
+    }
+  }
+  if (defined $email){
+    log_verbose("Notifications will be sent to $email");
+  } else {
+    log_verbose("No email address for $submiter, no notification will be sent");
+  }
+  my $src_pkg = RPM2->open_package($srpm);
+  if (not $src_pkg->is_source_package){
+    log_verbose("Couldn't parse $srpm as a valid srpm");
+    return;
+  }
+  my $target = basename(dirname($srpm));
+  if (not defined $conf->{targets}->{$target}){
+    log_info("$srpm submited for target $target, but it's not defined in the configuration");
+  }
+  foreach my $arch (@{$conf->{targets}->{$target}}){
+    my $job_id = $src_pkg->as_nvre() . '-' . time();
+    my $result = $conf->{paths}->{builds} . '/' . $submiter . '/' . $target . '-' . $arch . '/' . $job_id;
+    log_info("Rebuilding $srpm for $target/$arch in $result (job ID $job_id)");
+    make_path($result);
+    my $mock_msg;
+    foreach my $out (qx(mock -r $target-$arch --resultdir=$result $srpm 2>&1)){
+      chomp $out;
+      $mock_msg .= $out;
+      log_info("[$job_id] $out");
+    }
+    if ($? != 0) {
+      log_info("[$job_id] Build submited by $submiter failed");
+      handle_error($job_id, 'Mock build', $mock_msg);
+      return;
+    }
+    my $repo_dir = $conf->{paths}->{repo};
+    my $repo_cache_dir = $conf->{paths}->{repo_cache};
+    if ($src_pkg->release =~ m/\.(beta|git\.)/){
+      $repo_dir .= '/testing';
+      $repo_cache_dir .= '/testing';
+    }
+    $repo_dir .= '/' . $target;
+    $repo_cache_dir .= '/' . $target;
+    find({
+      wanted => sub {
+        return if (not -f);
+        return if (not $_ =~ m/\.rpm$/);
+        my $built_pkg = $_;
+        log_info("[$job_id] Signing package $built_pkg");
+        # Note : the optional passphrase for the gpg key is in rpmmacros
+        qx(rpm --addsign $built_pkg);
+        if ($? != 0) {
+          log_info("[$job_id] Signing failed");
+          handle_error($job_id, 'Package signature error', "Command rpm --addsign $built_pkg failed");
+          return;
+        }
+        # Open the package without checking the signature, as the key might not be present in the
+        # rpm trusted store
+        my $pkg = RPM2->open_package($built_pkg, RPM2->_rpmvsf_nosignatures);
+        my $dest = $repo_dir;
+        if ($pkg->is_source_package){
+          $dest .= '/SRPMS';
+        } else {
+          # the resulting RPM can be noarch, so use this instead of $arch
+          $dest .= '/' . $pkg->arch;
+        }
+        log_info("[$job_id] Moving $built_pkg to the repo $dest");
+        make_path($dest);
+        make_path($repo_cache_dir);
+        move $built_pkg, $dest . '/' . basename($built_pkg);
+      }
+    }, $result);
+    log_info("[$job_id] Updating repo metadata for $target");
+    qx(createrepo --checksum sha -x "*debuginfo*" --update -c $repo_cache_dir $repo_dir);
+    if ($? != 0) {
+      log_info("[$job_id] Createrepo failed");
+      handle_error(
+        $job_id,
+        'Createrepo error',
+        "Command createrepo --checksum sha -x \"*debuginfo*\" --update -c $repo_cache_dir $repo_dir"
+      );
+      return;
+    }
+    log_info("[$job_id] Building package finished");
+    # Now push to mirrors if defined
+    if (defined $conf->{mirror} and defined $conf->{mirror}->{push}){
+      foreach my $mirror (@{$conf->{mirror}->{push}}){
+        log_info("[$job_id] syncing repo to $mirror->{dest}");
+        my $rsync_cmd = 'rsync ';
+        if (defined $mirror->{rsync_opts}){
+          $rsync_cmd .= join(' ', @{$mirror->{rsync_opts}});
+        } else {
+          $rsync_cmd .= join(' ', @{$conf->{mirror}->{rsync_opts}});
+        }
+        $rsync_cmd .= ' ' . $conf->{paths}->{repo} . '/ ' . $mirror->{dest} . '/';
+        log_verbose("[$job_id] Running command $rsync_cmd");
+        foreach my $out (qx($rsync_cmd 2>&1)){
+          chomp $out;
+          log_verbose("[$job_id] $out");
+        }
+        if ($? != 0) {
+          log_info("[$job_id] Syncing to $mirror->{dest} failed");
+          handle_error($job_id, 'Mirror update error', "Command $rsync_cmd failed");
+          return;
+        }
+      }
+    }
+    if (defined $email){
+      my $body = "Resulting RPM are available in $conf->{paths}->{repo}/$target";
+      if (defined $conf->{mirror} and defined $conf->{mirror}->{push}){
+        $body .= "\nand have been synced to the following mirror:\n";
+        foreach my $mirror (@{$conf->{mirror}->{push}}){
+          $body .= "$mirror->{dest}\n";
+        }
+      }
+      send_notification(
+        $email,
+        "Rebuilding " . $src_pkg->as_nvre() . " for $target/$arch succeded",
+        $body
+      );
+    }
+  }
+}
+
+# Handle errors. Log it, and notify the admin
+sub handle_error {
+  my $job_id = shift;
+  my $step   = shift;
+  my $err    = shift;
+  my $dest   = shift;
+
+  log_error( $err );
+  if ( defined $conf->{notify}->{to} ) {
+    send_notification(
+      $conf->{notify}->{to},
+      "Error while building $job_id",
+      "Building $job_id failed at step '$step'. The error was\n$err\n"
+    );
+  }
+  if ( defined $dest ) {
+    send_notification(
+      $dest,
+      "Error while building $job_id",
+      "Building $job_id failed at step '$step'. The error was\n$err\n"
+    );
+  }
+}
+
+# Send an email message
+sub send_notification {
+  my $to = shift;
+  my $subject = shift;
+  my $body = shift;
+  my $mail   = Email::MIME->create(  
+    header_str => [
+      From    => $conf->{notify}->{from},
+      To      => $to,
+      Subject => $subject
+    ],
+    attributes => {
+      charset  => 'utf-8',
+      encoding => 'base64'
+    },
+    body_str => $body
+  );
+  my $transport = Email::Sender::Transport::Sendmail->new();
+  sendmail( $mail, { transport => $transport } );
+}
+
+# Lookup in LDAP if we can get the email address of a user
+sub user2email {
+  my $user = shift;
+  if (not defined $ldap or not defined $conf->{ldap}->{search_base} or not defined $conf->{ldap}->{search_filter}){
+    return;
+  }
+  my $filter = $conf->{ldap}->{search_filter};
+  $filter =~ s/\{user\}/$user/g;
+  log_verbose("Searching in $conf->{ldap}->{search_base} with filter $filter");
+  my $results = $ldap->search(
+    base   => $conf->{ldap}->{search_base},
+    filter => $filter,
+    attrs  => [ $conf->{ldap}->{email_attr} ]
+  );
+  if ($results->code){
+    log_verbose("Error occured while searching in LDAP : " . $results->error);
+    return;
+  }
+  if ($results->count != 1){
+    log_verbose("Searching returned " . $results->count . "result(s), while it should have returned 1");
+    return;
+  }
+  return $results->entry(0)->get_value( $conf->{ldap}->{email_attr} );
+}

roles/rpm_build_server/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+
+- name: reset permissions
+  command: "{{ rpm_root_dir }}/bin/perms.sh"
+
+- name: restart build-watcher
+  service: name=build-watcher state=restarted
+

roles/rpm_build_server/tasks/conf.yml

@@ -0,0 +1,58 @@
+---
+
+- name: Deploy mock config
+  template: src=mock/{{ item }}.j2 dest=/etc/mock/{{ item }}
+  loop:
+    - site-defaults.cfg
+    - el7-x86_64.cfg
+    - el8-x86_64.cfg
+  tags: rpm
+
+- name: Deploy rpmmacros
+  template: src=rpmmacros.j2 dest={{ rpm_root_dir }}/.rpmmacros owner={{ rpm_user }} mode=600
+  tags: rpm
+
+- name: Deploy main configuration
+  template: src=config.yml.j2 dest={{ rpm_root_dir }}/etc/config.yml
+  notify: restart build-watcher
+  tags: rpm
+
+- name: Check if gpg key exists
+  shell: gpg --list-options show-only-fpr-mbox --list-secret-keys | grep -q "{{ rpm_gpg_email }}"
+  failed_when: False
+  changed_when: False
+  register: rpm_gpg_key_exists
+  become_user: "{{ rpm_user }}"
+  tags: rpm
+
+- name: Flush handlers to set permissions on directories
+  meta: flush_handlers
+  tags: rpm
+
+- when: rpm_gpg_key_exists.rc != 0
+  block:
+    - name: Generate main key
+      shell: |
+        gpg --batch \
+          --passphrase '{{ rpm_gpg_pass is defined | ternary(rpm_gpg_pass, '') }}' \
+          --pinentry-mode loopback \
+          --quick-gen-key "{{ rpm_gpg_name }} <{{ rpm_gpg_email }}>" rsa3072 default never
+
+    - name: Get key ID
+      shell: gpg --list-options show-only-fpr-mbox --list-secret-keys | grep {{ rpm_gpg_email }} | awk '{ print $1 }'
+      register: rpm_gpg_key_id
+      changed_when: False
+
+    - name: Add sub key
+      shell: |
+        gpg --batch \
+          --passphrase '{{ rpm_gpg_pass is defined | ternary(rpm_gpg_pass, '') }}' \
+          --pinentry-mode loopback \
+          --quick-add-key {{ rpm_gpg_key_id.stdout }} rsa3072 default never \
+
+    - name: Export public key
+      shell: gpg --export -a "rpms@lapiole.org" > {{ rpm_root_dir }}/repo/RPM-GPG-KEY
+
+  become_user: "{{ rpm_user }}"
+  tags: rpm
+

roles/rpm_build_server/tasks/directories.yml

@@ -0,0 +1,18 @@
+---
+
+- name: Create directories
+  file: path={{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+  loop:
+    - dir: "{{ rpm_root_dir }}"
+    - dir: "{{ rpm_root_dir }}/mock"
+    - dir: "{{ rpm_root_dir }}/cache"
+    - dir: "{{ rpm_root_dir }}/cache/mock"
+    - dir: "{{ rpm_root_dir }}/cache/repo"
+    - dir: "{{ rpm_root_dir }}/repo"
+    - dir: "{{ rpm_root_dir }}/bin"
+    - dir: "{{ rpm_root_dir }}/uploads/el7"
+    - dir: "{{ rpm_root_dir }}/uploads/el8"
+    - dir: "{{ rpm_root_dir }}/errors"
+    - dir: "{{ rpm_root_dir }}/builds"
+    - dir: "{{ rpm_root_dir }}/etc"
+  tags: rpm

roles/rpm_build_server/tasks/facts.yml

@@ -0,0 +1,9 @@
+---
+
+- include_vars: "{{ item }}"
+  with_first_found:
+    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_distribution }}.yml
+    - vars/{{ ansible_os_family }}.yml
+  tags: rpm

roles/rpm_build_server/tasks/install.yml

@@ -0,0 +1,22 @@
+---
+
+- name: Deploy permission script
+  template: src=perms.sh.j2 dest={{ rpm_root_dir }}/bin/perms.sh mode=755
+  notify: reset permissions
+  tags: rpm
+
+- name: Install watcher daemon
+  copy: src=watcher.pl dest={{ rpm_root_dir }}/bin/watcher.pl mode=755
+  notify: restart build-watcher
+  tags: rpm
+
+- name: Deploy systemd unit
+  template: src=build-watcher.service.j2 dest=/etc/systemd/system/build-watcher.service
+  notify: restart build-watcher
+  register: rpm_unit
+  tags: rpm
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: rpm_unit.changed
+  tags: rpm

roles/rpm_build_server/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+
+- include: facts.yml
+- include: requirements.yml
+- include: user.yml
+- include: directories.yml
+- include: install.yml
+- include: conf.yml
+- include: services.yml

roles/rpm_build_server/tasks/requirements.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Install required packages
+  package: name={{ rpm_packages }}
+  tags: rpm

roles/rpm_build_server/tasks/services.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Start and enable the build watcher
+  service: name=build-watcher state=started enabled=True
+  tags: rpm

roles/rpm_build_server/tasks/user.yml

@@ -0,0 +1,23 @@
+---
+
+- name: Create build user
+  user:
+    name: "{{ rpm_user }}"
+    system: True
+    home: "{{ rpm_root_dir }}"
+    generate_ssh_key: True
+    ssh_key_file: .ssh/id_rsa
+  tags: rpm
+
+- name: Create builder group
+  group:
+    name: "{{ rpm_build_group }}"
+  tags: rpm
+
+- name: Add build user to the mock group
+  user:
+    name: "{{ rpm_user }}"
+    append: True
+    groups:
+      - mock
+  tags: rpm

roles/rpm_build_server/templates/build-watcher.service.j2

@@ -0,0 +1,16 @@
+[Unit]
+Description=RPM Build watcher service
+
+[Service]
+Type=simple
+User={{ rpm_user }}
+Group={{ rpm_user }}
+ExecStart=/usr/bin/perl {{ rpm_root_dir }}/bin/watcher.pl --config {{ rpm_root_dir }}/etc/config.yml --verbose
+WorkingDirectory={{ rpm_root_dir }}/
+Restart=always
+ReadWritePaths=/run {{ rpm_root_dir }}/repo {{ rpm_root_dir }}/cache {{ rpm_root_dir }}/builds
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
+

roles/rpm_build_server/templates/config.yml.j2

@@ -0,0 +1,52 @@
+---
+
+targets:
+  el7:
+    - x86_64
+  el8:
+    - x86_64
+
+paths:
+  repo: {{ rpm_root_dir }}/repo
+  repo_cache: {{ rpm_root_dir }}/cache/repo
+  builds: {{ rpm_root_dir }}/builds
+  uploads: {{ rpm_root_dir }}/uploads
+
+notify:
+  from: buildsys@{{ ansible_domain }}
+  to: {{ rpm_admin_email }}
+
+{% if rpm_mirrors is defined and rpm_mirrors | length > 0 %}
+mirror:
+  push:
+{% for mirror in rpm_mirrors %}
+    - dest: {{ mirror.dest }}
+{% if mirror.rsync_opts is defined %}
+      rsync_opts:
+{% for opt in mirror.rsync_opts %}
+        - '{{ opt }}'
+{% endfor %}
+{% endif %}
+{% endfor %}
+  rsync_opts:
+{% for opt in rpm_mirror_rsync_opts %}
+    - '{{ opt }}'
+{% endfor %}
+{% endif %}
+
+ldap:
+{% if rpm_ldap_servers is defined and rpm_ldap_servers | length > 0 %}
+  servers:
+{% for server in rpm_ldap_servers %}
+    - {{ server }}
+{% endfor %}
+{% else %}
+  servers: []
+{% endif %}
+  start_tls: {{ rpm_ldap_start_tls | ternary('True', 'False') }}
+  bind_dn: {{ rpm_ldap_bind_dn }}
+  bind_pass: {{ rpm_ldap_bind_pass | quote }}
+  search_base: {{ rpm_ldap_search_base }}
+  search_filter: {{ rpm_ldap_search_filter }}
+  email_attr: {{ rpm_ldap_email_attr }}
+

roles/rpm_build_server/templates/gpg-agent.conf.j2

@@ -0,0 +1 @@
+allow-loopback-pinentry

roles/rpm_build_server/templates/gpg.conf.j2

@@ -0,0 +1,2 @@
+use-agent
+pinentry-mode loopback

roles/rpm_build_server/templates/mock/el7-x86_64.cfg.j2

@@ -0,0 +1,25 @@
+include('templates/centos-7.tpl')
+include('templates/epel-7.tpl')
+
+config_opts['root'] = 'el7-x86_64'
+config_opts['target_arch'] = 'x86_64'
+config_opts['legal_host_arches'] = ('x86_64',)
+config_opts['macros']['%rhel'] = '7'
+config_opts['macros']['%dist'] = '.el7.dbd'
+
+config_opts['dnf.conf'] += """
+
+[rpmfusion-free-updates]
+baseurl = http://download1.rpmfusion.org/free/el/updates/7/x86_64/
+gpgcheck = 1
+gpgkey = https://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-free-el-7
+name = RPM Fusion for EL - Free - Updates
+
+[dbd]
+name=dbd
+baseurl=http://rpms.lapiole.org/el7/
+enabled=1
+gpgcheck=1
+gpgkey=https://rpms.lapiole.org/RPM-GPG-KEY
+
+"""

roles/rpm_build_server/templates/mock/el8-x86_64.cfg.j2

@@ -0,0 +1,28 @@
+include('templates/almalinux-8.tpl')
+include('templates/epel-8.tpl')
+
+# Disable use_bootstrap_image until new release
+# See https://github.com/rpm-software-management/mock/issues/831
+config_opts['use_bootstrap_image'] = False
+config_opts['root'] = 'el8-x86_64'
+config_opts['target_arch'] = 'x86_64'
+config_opts['legal_host_arches'] = ('x86_64',)
+config_opts['macros']['%rhel'] = '8'
+config_opts['macros']['%dist'] = '.el8.dbd'
+
+config_opts['dnf.conf'] += """
+
+[rpmfusion-free-updates]
+baseurl = http://download1.rpmfusion.org/free/el/updates/8/x86_64/
+gpgcheck = 1
+gpgkey = https://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-free-el-8
+name = RPM Fusion for EL - Free - Updates
+
+[dbd]
+name=dbd
+baseurl=http://rpms.lapiole.org/el8/
+enabled=1
+gpgcheck=1
+gpgkey=https://rpms.lapiole.org/RPM-GPG-KEY
+
+"""

roles/rpm_build_server/templates/mock/site-defaults.cfg.j2

@@ -0,0 +1,17 @@
+{% if system_proxy is defined and system_proxy != '' %}
+config_opts['environment']['http_proxy'] = '{{ system_proxy }}'
+config_opts['environment']['https_proxy'] = '{{ system_proxy }}'
+{% endif %}
+config_opts['createrepo_on_rpms'] = False
+config_opts['cleanup_on_failure'] = 1
+config_opts['cleanup_on_success'] = 1
+config_opts['use_bootstrap_image'] = True
+config_opts['plugin_conf']['root_cache_opts']['compress_program'] = "zstd"
+config_opts['plugin_conf']['root_cache_opts']['extension'] = ".zst"
+config_opts['rpmbuild_networking'] = True
+config_opts['macros']['%distribution'] = "{{ rpm_packager }}"
+config_opts['macros']['%packager'] = "{{ rpm_packager }}"
+config_opts['macros']['%vendor'] = "{{ rpm_packager }}"
+config_opts['basedir'] = '{{ rpm_root_dir }}/mock'
+config_opts['cache_topdir'] = '{{ rpm_root_dir }}/cache/mock'
+

roles/rpm_build_server/templates/perms.sh.j2

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -eo pipefail
+
+chown -R {{ rpm_user }} {{ rpm_root_dir }}
+chmod 770 {{ rpm_root_dir }}
+setfacl -b -k -R {{ rpm_root_dir }}
+setfacl -m g:{{ rpm_build_group }}:rX {{ rpm_root_dir }}
+setfacl -R -m g:{{ rpm_build_group }}:rwX,d:g:{{ rpm_build_group }}:rwX {{ rpm_root_dir }}/uploads {{ rpm_root_dir }}/builds {{ rpm_root_dir }}/repo

roles/rpm_build_server/templates/rpmmacros.j2

@@ -0,0 +1,3 @@
+%_signature gpg
+%_gpg_name {{ rpm_gpg_name }}
+%__gpg_sign_cmd %{__gpg} gpg --no-verbose --no-armor --batch --pinentry-mode loopback --passphrase '{{ (rpm_gpg_pass is defined) | ternary(rpm_gpg_pass, '') }}' --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}

roles/rpm_build_server/vars/RedHat-8.yml

@@ -0,0 +1,18 @@
+---
+
+rpm_packages:
+  - podman
+  - mock
+  - inotify-tools
+  - zstd
+  - rsync
+  - yum-utils
+  - rpm-sign
+  - perl-Linux-Inotify2
+  - perl-YAML-Tiny
+  - perl-AnyEvent
+  - perl-RPM2
+  - perl-Time-HiRes
+  - perl-Email-MIME
+  - perl-Email-Sender
+  - perl-LDAP

roles/unmaintained/wbo/defaults/main.yml

@@ -1,8 +0,0 @@
----
-
-wbo_id: 1
-wbo_port: 8095
-wbo_src_ip: []
-wbo_root_dir: /opt/wbo_{{ wbo_id }}
-wbo_git_url: https://github.com/lovasoa/whitebophir.git
-

roles/wbo/defaults/main.yml

@@ -0,0 +1,13 @@
+---
+
+# Several WBO instances can be installed on the same server
+# but should have a uniq ID and bind port
+wbo_id: 1
+wbo_port: 8095
+# List of IP/CIDR having access to WBO port (if iptables_manage == True)
+wbo_src_ip: []
+# Root dir where WBO will be installed
+wbo_root_dir: /opt/wbo_{{ wbo_id }}
+# URL of the git repo
+wbo_git_url: https://github.com/lovasoa/whitebophir.git
+

roles/wbo/tasks/directory.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Create needed directories
+  file: path={{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | dedfault(omit) }}
+  loop:
+    - dir: "{{ wbo_root_dir }}"
+      owner: wbo_{{ wbo_id }}
+  tags: wbo

roles/wbo/tasks/install.yml

@@ -7,26 +7,20 @@
       - git
   tags: wbo
 
-- import_tasks: ../includes/create_system_user.yml
-  vars:
-    - user: wbo_{{ wbo_id }}
-    - home: "{{ wbo_root_dir }}"
-    - comment: "Online collaborative Whiteboard {{ wbo_id }}"
-  tags: wbo
-
 - name: Clone wbo repo
   git:
     repo: "{{ wbo_git_url }}"
     dest: "{{ wbo_root_dir }}/app"
     force: True
   notify: restart wbo
+  become_user: wbo_{{ wbo_id }}
   register: wbo_git
   tags: wbo
 
 - name: Install wbo
-  command: npm i
+  npm:
-  args:
+    path: "{{ wbo_root_dir }}/app"
-    chdir: "{{ wbo_root_dir }}/app"
+  become_user: wbo_{{ wbo_id }}
   when: wbo_git.changed
   tags: wbo
 
@@ -44,14 +38,3 @@
   when: wbo_unit.changed
   tags: wbo
 
-- name: Handle wbo port
-  iptables_raw:
-    name: wbo_port_{{ wbo_id }}
-    state: "{{ (wbo_src_ip | length > 0) | ternary('present','absent') }}"
-    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ wbo_port }} -s {{ wbo_src_ip | join(',') }} -j ACCEPT"
-  when: iptables_manage | default(True)
-  tags: wbo
-
-- name: Start and enable wbo daemon
-  service: name=wbo-{{ wbo_id }} state=started enabled=True
-  tags: wbo

roles/wbo/tasks/iptables.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Handle wbo port
+  iptables_raw:
+    name: wbo_port_{{ wbo_id }}
+    state: "{{ (wbo_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ wbo_port }} -s {{ wbo_src_ip | join(',') }} -j ACCEPT"
+  tags: wbo

roles/wbo/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+
+- include: user.yml
+- include: install.yml
+- include: iptables.yml
+  when: iptables_manage | default(True)
+- include: services.yml
+

roles/wbo/tasks/services.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Start and enable wbo daemon
+  service: name=wbo-{{ wbo_id }} state=started enabled=True
+  tags: wbo
+

roles/wbo/tasks/user.yml

@@ -0,0 +1,8 @@
+---
+
+- import_tasks: ../includes/create_system_user.yml
+  vars:
+    - user: wbo_{{ wbo_id }}
+    - home: "{{ wbo_root_dir }}"
+    - comment: "Online collaborative Whiteboard {{ wbo_id }}"
+  tags: wbo