author | jaseg <code@jaseg.net> | 2019-06-26 16:41:45 +0900 |
---|---|---|
committer | jaseg <git@jaseg.net> | 2019-06-26 16:41:45 +0900 |
commit | 297cfc071e2d3e68dd137139db2c0a2c48611443 (patch) | |
tree | ecf4b7b8f00fe06d4ba4b87ed6deb5e49dba909b /setup_secure_download.yml | |
parent | a2d4afc7dfe278dacc64b5177ff993267c909685 (diff) | |
Misc changes. Move up to fedora 30, add gerbolyze, secure download
Diffstat (limited to 'setup_secure_download.yml')
-rw-r--r-- | setup_secure_download.yml | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/setup_secure_download.yml b/setup_secure_download.yml
new file mode 100644
index 0000000..aa94a53
--- /dev/null
+++ b/setup_secure_download.yml
@@ -0,0 +1,57 @@
+---
+- name: Set local facts
+ set_fact:
+ secure_download_dir: /var/cache/secure_download
+
+- name: Copy webapp sources
+ synchronize:
+ # FIXME: make this path configurable
+ src: ~/secure_download/
+ dest: /var/lib/secure_download/
+ group: no
+ owner: no
+
+- name: Create secure download worker user and group
+ user:
+ name: uwsgi-secure-download
+ create_home: no
+ group: uwsgi
+ password: '!'
+ shell: /sbin/nologin
+ system: yes
+
+- name: Template webapp config
+ template:
+ src: secure_download.cfg.j2
+ dest: /var/lib/secure_download/secure_download_prod.cfg
+ owner: uwsgi-secure-download
+ group: root
+ mode: 0660
+
+- name: Copy uwsgi config
+ copy:
+ src: uwsgi-secure-download.ini
+ dest: /etc/uwsgi.d/secure-download.ini
+ owner: uwsgi-secure-download
+ group: uwsgi
+ mode: 440
+
+- name: Enable uwsgi systemd socket
+ systemd:
+ daemon-reload: yes
+ name: uwsgi-app@secure-download.socket
+ enabled: yes
+
+- name: Copy server dir tmpfiles.d config
+ template:
+ src: tmpfiles-secure-download.conf.j2
+ dest: /etc/tmpfiles.d/secure-download.conf
+ owner: root
+ group: root
+ mode: 0644
+ register: sec_dl_tmpfiles_config
+
+- name: Kick systemd tmpfiles service to create serve dir
+ command: systemd-tmpfiles --create
+ when: sec_dl_tmpfiles_config is changed
+ |
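Review bot: `mode: 440` in the "Copy uwsgi config" task is an unquoted integer without a leading zero, so Ansible reads it as decimal 440, which is octal 0670 (rw-rwx---) rather than the read-only r--r----- that was presumably intended. That leaves /etc/uwsgi.d/secure-download.ini writable by the worker account and by every member of the uwsgi group. Write it as `mode: '0440'`, and quoting the other modes in the file the same way (`'0660'`, `'0644'`) avoids the same trap later. In "Template webapp config", `owner: uwsgi-secure-download` with `mode: 0660` also lets the worker process rewrite its own production config. If the app only needs to read that file, a root-owned file the worker can merely read would be tighter, for example `owner: root`, `group: uwsgi`, `mode: '0640'`, provided exposing it to the rest of the uwsgi group is acceptable.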