From f4b12d01e9a56a91e6b24095d3d43408292dfb96 Mon Sep 17 00:00:00 2001
From: Markus Katharina Brechtel
Date: Fri, 6 Sep 2019 12:45:02 +0000
Subject: [PATCH] automatic signature verification

---
 defaults/main.yml | 10 +++++----
 tasks/deploy.yml | 18 +---------------
 tasks/download.yaml | 50 +++++++++++++++++++++++++++++++++++++++++++++
 tasks/main.yml | 4 +++-
 tasks/setup.yaml | 9 ++++++++
 5 files changed, 69 insertions(+), 22 deletions(-)
 create mode 100644 tasks/download.yaml
 create mode 100644 tasks/setup.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index 135bea9..a76a29b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -3,10 +3,12 @@
 gitea_http_port: 3000
 gitea_server_name: "{{ inventory_hostname }}"
-gitea_download_version: 1.5.1
-gitea_download_url: https://dl.gitea.io/gitea/{{gitea_download_version}}/gitea-{{gitea_download_version}}-linux-amd64
-#gitea_download_url: https://github.com/go-gitea/gitea/releases/download/v{{gitea_download_version}}/gitea-{{gitea_download_version}}-linux-amd64
-gitea_download_checksum: sha256:ae4f43f73acbd0b61fbca78385a017d7aaed6f7d50f2bff5c3f057acfb46c71a
+gitea_download_platform: linux
+gitea_download_arch: amd64
+gitea_download_version: 1.9.2
+gitea_download_filename: gitea-{{gitea_download_version}}-{{gitea_download_platform}}-{{gitea_download_arch}}
+gitea_download_url: https://dl.gitea.io/gitea/{{gitea_download_version}}/{{gitea_download_filename}}
+#gitea_download_url: https://github.com/go-gitea/gitea/releases/download/v{{gitea_download_version}}/{{gitea_download_filename}}
 gitea_admin_username: testadmin
 gitea_admin_password: testadmin
diff --git a/tasks/deploy.yml b/tasks/deploy.yml
index 859c38b..767c79c 100644
--- a/tasks/deploy.yml
+++ b/tasks/deploy.yml
@@ -1,23 +1,7 @@
 ---
-- name: debian packages
-  apt:
-    pkg:
-      - ca-certificates
-      - git
-      - golang
-- name: download gitea
-  get_url:
-    url: "{{ gitea_download_url }}"
-    dest: /usr/local/bin/gitea
-    checksum: "{{ gitea_download_checksum }}"
-  notify:
-    - restart gitea
-- name: gitea executable
-  file:
-    path: /usr/local/bin/gitea
-    mode: u=rwx,g=rx,o=rx
+
 # - name: allow gitea executable to bind on privileged port
 #   capabilities:
diff --git a/tasks/download.yaml b/tasks/download.yaml
new file mode 100644
index 0000000..fbf57ff
--- /dev/null
+++ b/tasks/download.yaml
@@ -0,0 +1,50 @@
+---
+
+- name: gitea download dir
+  file:
+    path: /opt/gitea
+    state: directory
+
+- name: gitea keyring
+  command: gpg --no-default-keyring --keyring /opt/gitea/keyring.gpg
+    --keyserver pool.sks-keyservers.net
+    --recv 7C9E68152594688862D62AF62D9AE806EC1592E2
+  register: _gitea_keyring_recv
+  changed_when: '"import" in _gitea_keyring_recv.stderr'
+
+- name: gitea checksum
+  uri:
+    url: "{{ gitea_download_url }}.sha256"
+    return_content: true
+  register: _gitea_checksum
+
+- name: download gitea signature
+  get_url:
+    url: "{{ gitea_download_url }}.asc"
+    dest: "/opt/gitea/{{ gitea_download_filename }}.asc"
+    force: true
+  register: _gitea_download_signature
+
+
+- name: download gitea
+  get_url:
+    url: "{{ gitea_download_url }}"
+    dest: "/opt/gitea/{{ gitea_download_filename }}"
+    checksum: "sha256:{{_gitea_checksum.content.split(' ')|first}}"
+
+- name: verify gitea signature
+  command: gpg --no-default-keyring --keyring /opt/gitea/keyring.gpg
+    --verify "/opt/gitea/{{ gitea_download_filename }}.asc"
+    "/opt/gitea/{{ gitea_download_filename }}"
+  changed_when: false
+
+- name: gitea executable
+  file:
+    path: /opt/gitea/{{ gitea_download_filename }}
+    mode: u=rwx,g=rx,o=rx
+
+- name: make gitea binary available on system
+  file:
+    src: /opt/gitea/{{ gitea_download_filename }}
+    dest: /usr/local/bin/gitea
+    state: link
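Review bot: The `make gitea binary available on system` task at the end of the tasks/download.yaml hunk (and the `download gitea` task before it) no longer notifies the `restart gitea` handler that the tasks removed from tasks/deploy.yml in this same commit did, so bumping `gitea_download_version` repoints the symlink under a running service without restarting it; add `notify:` / `  - restart gitea` to the symlink task. The `checksum:` on `download gitea` is built from a `.sha256` fetched from the same origin as the binary, so it only catches a corrupt or mismatched transfer — authenticity rests entirely on the `verify gitea signature` step, which is correctly placed before the symlink is created, and a comment such as `# the .sha256 is not independent of the binary; the gpg --verify task below is the trust anchor` would keep the next maintainer from "simplifying" that ordering. Fetching the signing key with `--recv` from `pool.sks-keyservers.net` on every run makes the role depend on a third-party keyserver (the SKS pool has since been retired); shipping the public key in the role's `files/` and importing it with `gpg --import` removes that dependency along with the locale-dependent `changed_when: '"import" in _gitea_keyring_recv.stderr'` check. `_gitea_download_signature` is registered but never read and can be dropped.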
diff --git a/tasks/main.yml b/tasks/main.yml
index fa06453..cad3539 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,11 +1,13 @@
 ---
+- import_tasks: setup.yaml
+- import_tasks: download.yaml
+
 - import_tasks: deploy.yml
 - name: flush handlers
   meta: flush_handlers
-
 - include_role:
     name: certificate
   vars:
diff --git a/tasks/setup.yaml b/tasks/setup.yaml
new file mode 100644
index 0000000..64033c2
--- /dev/null
+++ b/tasks/setup.yaml
@@ -0,0 +1,9 @@
+---
+
+- name: debian packages
+  apt:
+    pkg:
+      - ca-certificates
+      - git
+      - golang
+      - gnupg
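Review bot: The `debian packages` task in the new tasks/setup.yaml still installs `golang` and `git` next to the added `gnupg`, although the role now fetches a prebuilt, signed binary in tasks/download.yaml and nothing visible in this patch builds from source; if no other task needs them, dropping `golang` (a full compiler toolchain) from the list keeps the installed surface of the host smaller. The package list was carried over verbatim from the block removed in tasks/deploy.yml, so this is inherited rather than introduced here. An explicit `state: present` under `apt:` would document the intent, though it is the module default.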