diff --git a/roles/git_auto_update/defaults/main.yml b/roles/git_auto_update/defaults/main.yml
new file mode 100644
index 0000000..883eb20
--- /dev/null
+++ b/roles/git_auto_update/defaults/main.yml
@@ -0,0 +1,13 @@
+---
+
+# repo: git@example.com:name/repo.git
+# dest: /example/repository
+owner: root
+group: root
+mode: "u=rwx,g=rx"
+name: "{{ dest | basename }}"
+tag_prefix: "release-"
+gpg_fingerprint: 73D09948B2392D688A45DC8393E1BD26F6B02FB7
+cron_name: "Auto update repository {{ name }}"
+update_script_path: "{{ update_scripts_directory }}/{{ name }}"
+#reload_command: "systemctl restart {{ name }}"
diff --git a/roles/git_auto_update/meta/main.yml b/roles/git_auto_update/meta/main.yml
new file mode 100644
index 0000000..cf5427b
--- /dev/null
+++ b/roles/git_auto_update/meta/main.yml
@@ -0,0 +1,3 @@
+---
+
+allow_duplicates: yes
diff --git a/roles/git_auto_update/tasks/main.yml b/roles/git_auto_update/tasks/main.yml
new file mode 100644
index 0000000..b3026e8
--- /dev/null
+++ b/roles/git_auto_update/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+
+- name: Install auto update script for {{ name }}
+  template:
+    src: "update.sh"
+    dest: "{{ update_script_path }}"
+    owner: root
+    group: root
+    mode: "u=rwx,g=rx,o=r"
+
+- name: Create repository directory for {{ name }}
+  file:
+    path: "{{ dest }}"
+    state: directory
+    owner: "{{ owner }}"
+    group: "{{ group }}"
+    mode: "{{ mode }}"
+
+- name: Clone repository to {{ dest }}
+  command: "{{ update_script_path }}"
+  args:
+    creates: "{{ dest }}/.git"
+
+- name: Enable auto update of {{ name }}
+  cron:
+    hour: 2
+    minute: 0
+    job: "{{ update_script_path }}"
+    name: "{{ cron_name }}"
+    state: present
diff --git a/roles/git_auto_update/templates/update.sh b/roles/git_auto_update/templates/update.sh
new file mode 100644
index 0000000..8dac868
--- /dev/null
+++ b/roles/git_auto_update/templates/update.sh
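Review bot: `gpg_fingerprint` ships with a concrete key fingerprint as a role default, which means a consumer who sets `repo` and `dest` but forgets this variable silently trusts that third-party key for code checked out and reloaded as root. Like `repo` and `dest`, it should have no default so a missing value fails the play loudly: replace the line with `# gpg_fingerprint: <fingerprint of the key that signs release tags>`. `update_script_path` also references `update_scripts_directory`, which is not defined in this file; if it is not a documented required variable of the role, either add a default here or list it in the commented-out required block at the top.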
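Review bot: `allow_duplicates: yes` uses a YAML 1.1 boolean spelling that yamllint's `truthy` rule rejects and that YAML 1.2 parsers read as the string "yes"; Ansible's loader accepts it, but the canonical form is `allow_duplicates: true`.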
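Review bot: The cron task in "Enable auto update of {{ name }}" relies on the implicit root user, yet the script it schedules runs `chown -R` and writes to a root-owned repository, so the privilege requirement deserves to be explicit: add `user: root` under `cron:`. The "Clone repository" task uses `creates: "{{ dest }}/.git"`, so the script runs at play time only on first provisioning; every later failure (keyserver unreachable, unsigned tag) appears only in cron mail, which is worth a comment on the cron task such as `# Failures are only reported via cron mail; monitor the job's exit status`. The `o=r` bit on the installed script is harmless given the script carries no secrets, but `u=rwx,g=rx` would match the directory mode used for `dest`.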
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+readonly REPO="{{ repo }}";
+readonly DEST="{{ dest }}";
+readonly DEST_USER="{{ owner }}";
+readonly DEST_GROUP="{{ group }}";
+readonly PREFIX="{{ tag_prefix }}";
+readonly GPG_FINGERPRINT="{{ gpg_fingerprint }}";
+
+set -e;
+
+cd "$DEST";
+
+if [ ! -d .git ]; then
+    git clone "$REPO" "$DEST";
+fi
+
+gpg --quiet --keyserver eu.pool.sks-keyservers.net --recv "$GPG_FINGERPRINT";
+
+git fetch --tags > /dev/null;
+TAG=$(git tag --list | grep "^$PREFIX" | sort -r | head -n 1);
+if git verify-tag --raw "$TAG" 2>&1 | grep " VALIDSIG $GPG_FINGERPRINT " > /dev/null; then
+    git checkout -q "$TAG";
+    chown -R "$DEST_USER:$DEST_GROUP" .;
+    {{ reload_command | default('') }}
+else
+    echo "Invalid or missing signature for $TAG" >&2;
+    exit 1;
+fi
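Review bot: The signature check `if git verify-tag --raw "$TAG" 2>&1 | grep " VALIDSIG $GPG_FINGERPRINT "` accepts tags signed by a revoked or expired key, because gpg emits VALIDSIG for those as well and withholds only GOODSIG, so the run-time `gpg --recv` that would pick up a revocation buys nothing here — while making every root cron run (and the initial Ansible clone) depend on an external keyserver under `set -e`, and the SKS pool behind `eu.pool.sks-keyservers.net` has since been shut down, so that lookup is likely to fail outright. Tag selection with `sort -r` is lexicographic, so `release-9` outranks `release-10`. I would provision the public key once from the role (copy the key file and `gpg --import` it in tasks), verify offline, require GOODSIG next to the fingerprint match, and use `sort -rV`, as below. Separately, `chown -R "$DEST_USER:$DEST_GROUP" .` also hands `.git/` (hooks, config) to the owner; if `owner` is ever a non-root account, that account can plant a post-checkout hook that the next root-run `git checkout` executes, so either exclude `.git` from the chown or keep the repository root-owned.
```shell
# … unchanged: readonly assignments, set -e, cd, initial clone …
# The signing key is imported once by Ansible; no keyserver lookup at run time.
git fetch --tags > /dev/null;
TAG=$(git tag --list | grep "^$PREFIX" | sort -rV | head -n 1);
STATUS=$(git verify-tag --raw "$TAG" 2>&1 || true);
# GOODSIG rejects revoked/expired keys; VALIDSIG pins the expected fingerprint.
if grep -q " GOODSIG " <<<"$STATUS" && grep -q " VALIDSIG $GPG_FINGERPRINT " <<<"$STATUS"; then
# … unchanged: checkout, chown, reload, else branch …
```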