Added roles/git_auto_update

5 years ago · f20776e1bd
parent 2b63f1a248
commit f20776e1bd
4 changed files with 75 additions and 0 deletions
--- a/roles/git_auto_update/defaults/main.yml
+++ b/roles/git_auto_update/defaults/main.yml
@ -0,0 +1,13 @@
+---
+
+# repo: git@example.com:name/repo.git
+# dest: /example/repository
+owner: root
+group: root
+mode: "u=rwx,g=rx"
+name: "{{ dest | basename }}"
+tag_prefix: "release-"
+gpg_fingerprint: 73D09948B2392D688A45DC8393E1BD26F6B02FB7
+cron_name: "Auto update repository {{ name }}"
+update_script_path: "{{ update_scripts_directory }}/{{ name }}"
+#reload_command: "systemctl restart {{ name }}"
--- a/roles/git_auto_update/meta/main.yml
+++ b/roles/git_auto_update/meta/main.yml
@ -0,0 +1,3 @@
+---
+
+allow_duplicates: yes
--- a/roles/git_auto_update/tasks/main.yml
+++ b/roles/git_auto_update/tasks/main.yml
@ -0,0 +1,30 @@
+---
+
+- name: Install auto update script for {{ name }}
+  template:
+    src: "update.sh"
+    dest: "{{ update_script_path }}"
+    owner: root
+    group: root
+    mode: "u=rwx,g=rx,o=r"
+
+- name: Create repository directory for {{ name }}
+  file:
+    path: "{{ dest }}"
+    state: directory
+    owner: "{{ owner }}"
+    group: "{{ group }}"
+    mode: "{{ mode }}"
+
+- name: Clone repository to {{ dest }}
+  command: "{{ update_script_path }}"
+  args:
+    creates: "{{ dest }}/.git"
+
+- name: Enable auto update of {{ name }}
+  cron:
+    hour: 2
+    minute: 0
+    job: "{{ update_script_path }}"
+    name: "{{ cron_name }}"
+    state: present
--- a/roles/git_auto_update/templates/update.sh
+++ b/roles/git_auto_update/templates/update.sh
@ -0,0 +1,29 @@
+#!/bin/bash
+
+readonly REPO="{{ repo }}";
+readonly DEST="{{ dest }}";
+readonly DEST_USER="{{ owner }}";
+readonly DEST_GROUP="{{ group }}";
+readonly PREFIX="{{ tag_prefix }}";
+readonly GPG_FINGERPRINT="{{ gpg_fingerprint }}";
+
+set -e;
+
+cd "$DEST";
+
+if [ ! -d .git ]; then
+  git clone "$REPO" "$DEST";
+fi
+
+gpg --quiet --keyserver eu.pool.sks-keyservers.net --recv "$GPG_FINGERPRINT";
+
+git fetch --tags > /dev/null;
+TAG=$(git tag --list | grep "^$PREFIX" | sort -r | head -n 1);
+if git verify-tag --raw "$TAG" 2>&1 | grep " VALIDSIG $GPG_FINGERPRINT " > /dev/null; then
+  git checkout -q "$TAG";
+  chown -R "$DEST_USER:$DEST_GROUP" .;
+  {{ reload_command | default('') }}
+else
+  echo "Invalid or missing signature for $TAG" >&2;
+  exit 1;
+fi