allow notifier theme to be checked out from secure repo

7b8575f7 · Fred Smith · 3ac4a019 · 7b8575f7 · 7b8575f7 · 7b8575f7
Commit 7b8575f7 authored Sep 11, 2014 by Fred Smith
Showing with 29 additions and 2 deletions

playbooks/roles/notifier/defaults/main.yml
+3 -0

playbooks/roles/notifier/tasks/deploy.yml
+22 -2

playbooks/roles/notifier/templates/git_ssh_auth.sh.j2
+2 -0

playbooks/roles/notifier/templates/git_ssh_noauth.sh.j2
+2 -0

No files found.
--- a/playbooks/roles/notifier/defaults/main.yml
+++ b/playbooks/roles/notifier/defaults/main.yml
@@ -16,6 +16,9 @@ NOTIFIER_DIGEST_TASK_INTERVAL: "1440"
 NOTIFIER_THEME_NAME: ""
 NOTIFIER_THEME_REPO: ""
 NOTIFIER_THEME_VERSION: "master"
+notifier_git_ssh:  "/tmp/notifier_git_ssh.sh"
+NOTIFIER_GIT_IDENTITY: !!null
+notifier_git_identity: "{{ NOTIFIER_HOME }}/notifier-git-identity"

 NOTIFIER_DIGEST_EMAIL_SENDER: "notifications@example.com"
 NOTIFIER_DIGEST_EMAIL_SUBJECT: "Daily Discussion Digest"

--- a/playbooks/roles/notifier/tasks/deploy.yml
+++ b/playbooks/roles/notifier/tasks/deploy.yml
@@ -11,6 +11,25 @@
    - restart notifier-scheduler
    - restart notifier-celery-workers

+# Optional auth for git
+- name: create ssh script for git (not authenticated)
+  template: >
+    src=git_ssh_noauth.sh.j2 dest={{ notifier_git_ssh }}
+    owner={{ NOTIFIER_USER }} mode=750
+  when: not NOTIFIER_USE_GIT_IDENTITY
+
+- name: create ssh script for git (authenticated)
+  template: >
+    src=git_ssh_auth.sh.j2 dest={{ notifier_git_ssh }}
+    owner={{ NOTIFIER_USER }} mode=750
+  when: NOTIFIER_USE_GIT_IDENTITY
+
+- name: install read-only ssh key
+  copy: >
+    content="{{ NOTIFIER_GIT_IDENTITY }}" dest={{ notifier_git_identity }}
+    force=yes owner={{ NOTIFIER_USER }} mode=0600
+  when: NOTIFIER_USE_GIT_IDENTITY
+
 - name: checkout theme
  git: >
    dest={{ NOTIFIER_CODE_DIR }}/{{NOTIFIER_THEME_NAME}}
@@ -20,12 +39,13 @@
  when: NOTIFIER_THEME_NAME != ''
  sudo_user: "{{ NOTIFIER_USER }}"
  environment:
-    GIT_SSH: "{{ NOTIFIER_GIT_SSH }}"
+    GIT_SSH: "{{ notifier_git_ssh }}"

 - name: write notifier local settings
  template: >
    src=settings_local.py.j2
-    dest={{ NOTIFIER_CODE_DIR }}/settings_local.py
+    dest={{ NOTIFIER_CODE_DIR }}/notifier/settings_local.py
+    mode=0555
  when: NOTIFIER_THEME_NAME != ''
  notify:
    - restart notifier-celery-workers

--- a/playbooks/roles/notifier/templates/git_ssh_auth.sh.j2
+++ b/playbooks/roles/notifier/templates/git_ssh_auth.sh.j2
+#!/bin/sh
+exec /usr/bin/ssh -o StrictHostKeyChecking=no -i {{ notifier_git_identity }} "$@"
--- a/playbooks/roles/notifier/templates/git_ssh_noauth.sh.j2
+++ b/playbooks/roles/notifier/templates/git_ssh_noauth.sh.j2
+#!/bin/sh
+exec /usr/bin/ssh -o StrictHostKeyChecking=no "$@"