From acd72b25025d37cdf797cde95a5ae46cd9db3788 Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Fri, 31 Mar 2017 14:38:27 +0200 Subject: [PATCH] Use the unsafe_writes parameter instead of prefix_path Related to: https://github.com/debops/ansible-persistent_paths/pull/6 --- defaults/main.yml | 14 -------------- docs/getting-started.rst | 25 ++++++++++++++++--------- docs/includes/all.rst | 1 + docs/includes/role.rst | 1 + tasks/main.yml | 29 +++++++++++++++++++++++------ 5 files changed, 41 insertions(+), 29 deletions(-) create mode 100644 docs/includes/role.rst diff --git a/defaults/main.yml b/defaults/main.yml index 9f51afb..5d459a1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -159,20 +159,6 @@ tinc__systemd: '{{ True if (ansible_service_mgr|d("unknown") == "systemd") else False }}' - # ]]] -# .. envvar:: tinc__persistent_prefix_path [[[ -# -# Directory path prefix which should be used for writing/updating of files made -# persistent by :envvar:`tinc__persistent_paths__dependent_paths`. -tinc__persistent_prefix_path: '{{ ansible_local.persistent_paths.storage_path|d("") - if (ansible_local|d() and - ansible_local.tinc|d() and - ansible_local.tinc.enabled|d() | bool and - ansible_local.persistent_paths|d() and - ansible_local.persistent_paths.enabled|d() | bool and - ansible_local.persistent_paths.write_to_storage_path|d() | bool) - else "" }}' - # ]]] # .. envvar:: tinc__vcs_ignore_patterns [[[ # diff --git a/docs/getting-started.rst b/docs/getting-started.rst index 4222cc3..b880dab 100644 --- a/docs/getting-started.rst +++ b/docs/getting-started.rst 
@@ -207,25 +207,32 @@ debops.persistent_paths_ support -------------------------------- In case the host in question happens to be a TemplateBasedVM on `Qubes OS`_ or -another system where persistence is not the default, it should absent in -``debops_service_tinc`` and instead be added to -``debops_service_tinc_persistent_paths`` so that the changes can be made -persistently: +another system where persistence is not the default, it should be absent in +``debops_service_tinc`` and instead be added to the +``debops_service_tinc_persistent_paths`` Ansible inventory group +so that the changes can be made persistent: .. code:: ini [debops_service_tinc_persistent_paths] hostname -Note that the :envvar:`tinc__user` (``tinc-vpn`` by default) created by the role is not made persistent because making -:file:`/etc/passwd` and related files persistent might interfere with template -changes. +Note that the :envvar:`tinc__user` (``tinc-vpn`` by default) created by the +role is not made persistent because making :file:`/etc/passwd` and related +files persistent might interfere with template changes. You will need to ensure that the user exists by one of the following ways: * Create the user in the template using :command:`useradd --system tinc-vpn --comment 'tinc VPN service' --home-dir '/etc/tinc' --shell '/bin/false'` * Running the above command on start in the TemplateBasedVM -* Run the role against your template with the role configured in such a way that it only - creates the user. Note that this is normally `discouraged `_. +* Run the role against your template with the role configured in such a way + that it only creates the user. + Note that this is normally `discouraged on Qubes OS `_. Besides that, the :envvar:`tinc__base_packages` are expected to be present (typically installed in the TemplateVM). + +Also note that you will need to set ``core__unsafe_writes`` to ``True`` when you +attempt to update the configuration on a system that uses bind mounts for +persistence. 
You can set ``core__unsafe_writes`` directly in your inventory
+without the need to run the ``debops.core`` role for this special case.
+Refer to `Templating or updating persistent files`_ for details.
diff --git a/docs/includes/all.rst b/docs/includes/all.rst
index 73b2598..73ca1fe 100644
--- a/docs/includes/all.rst
+++ b/docs/includes/all.rst
@@ -1 +1,2 @@
 .. include:: includes/global.rst
+.. include:: includes/role.rst
diff --git a/docs/includes/role.rst b/docs/includes/role.rst
new file mode 100644
index 0000000..987fc3f
--- /dev/null
+++ b/docs/includes/role.rst
@@ -0,0 +1 @@
+.. _Templating or updating persistent files: https://docs.debops.org/en/latest/ansible/roles/ansible-persistent_paths/docs/guides.html#templating-or-updating-persistent-files
diff --git a/tasks/main.yml b/tasks/main.yml
index 11c247e..7e4354e 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -60,6 +60,8 @@
 owner: 'root'
 group: 'root'
 mode: '0644'
+ unsafe_writes: '{{ True if (core__unsafe_writes|d(True if (ansible_local|d() and ansible_local.core|d()
+ and ansible_local.core.unsafe_writes|d() | bool) else False) | bool) else omit }}'
 notify: [ 'Reload tinc' ]
 - name: Disable tinc networks in systemd if requested
@@ -95,6 +97,8 @@
 owner: 'root'
 group: 'root'
 mode: '0644'
+ unsafe_writes: '{{ True if (core__unsafe_writes|d(True if (ansible_local|d() and ansible_local.core|d()
+ and ansible_local.core.unsafe_writes|d() | bool) else False) | bool) else omit }}'
 with_dict: '{{ tinc__combined_networks }}'
 when: item.value.state|d('present') != 'absent' and item.value.tinc_options|d()
 notify: [ 'Reload tinc' ]
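Review bot: The `unsafe_writes` expression added after `mode: '0644'` is repeated verbatim in every later hunk of this file (old lines 95, 111, 121, 131, 141, 165, 243, 254, 264 and 313), so any correction to the fact lookup has to be made eleven times and no single knob exists to turn it off for this role. Move the existing expression unchanged into one role default in defaults/main.yml, say `tinc__unsafe_writes`, and reference it from each task as `unsafe_writes: '{{ True if tinc__unsafe_writes | bool else omit }}'`. The default's comment is also the place to record why the option exists: as far as I can tell it lets Ansible fall back to a non-atomic in-place write when the atomic replace fails on bind-mounted paths, which the getting-started change ties to debops.persistent_paths hosts, so it should stay off elsewhere. The enclosing task starts before this hunk.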
@@ -111,6 +115,8 @@
 owner: 'root'
 group: '{{ tinc__group }}'
 mode: '0750'
+ unsafe_writes: '{{ True if (core__unsafe_writes|d(True if (ansible_local|d() and ansible_local.core|d()
+ and ansible_local.core.unsafe_writes|d() | bool) else False) | bool) else omit }}'
 with_dict: '{{ tinc__combined_networks }}'
 when: (item.value.state|d('present') != 'absent' and item.value.generate_tinc_up|d(True)|bool)
@@ -121,6 +127,8 @@
 owner: 'root'
 group: '{{ tinc__group }}'
 mode: '0750'
+ unsafe_writes: '{{ True if (core__unsafe_writes|d(True if (ansible_local|d() and ansible_local.core|d()
+ and ansible_local.core.unsafe_writes|d() | bool) else False) | bool) else omit }}'
 with_dict: '{{ tinc__combined_networks }}'
 when: (item.value.state|d('present') != 'absent' and item.value.generate_tinc_up|d(True)|bool)
@@ -131,6 +139,8 @@
 owner: 'root'
 group: 'root'
 mode: '0644'
+ unsafe_writes: '{{ True if (core__unsafe_writes|d(True if (ansible_local|d() and ansible_local.core|d()
+ and ansible_local.core.unsafe_writes|d() | bool) else False) | bool) else omit }}'
 # RSA key management [[[1
@@ -141,6 +151,8 @@
 owner: 'root'
 group: 'root'
 mode: '0644'
+ unsafe_writes: '{{ True if (core__unsafe_writes|d(True if (ansible_local|d() and ansible_local.core|d()
+ and ansible_local.core.unsafe_writes|d() | bool) else False) | bool) else omit }}'
 - name: Initialize RSA key pairs
 shell: yes | tincd -n {{ item.value.name | d(item.key) }} -K {{ item.value.rsa_key_length | d(tinc__rsa_key_length) }}
@@ -165,6 +177,8 @@
 owner: 'root'
 group: 'root'
 mode: '0640'
+ unsafe_writes: '{{ True if (core__unsafe_writes|d(True if (ansible_local|d() and ansible_local.core|d()
+ and ansible_local.core.unsafe_writes|d() | bool) else False) | bool) else omit }}'
 with_dict: '{{ tinc__combined_networks }}'
 when: item.value.state|d('present') != 'absent'
@@ -243,6 +257,8 @@
 owner: 'root'
 group: 'root'
 mode: '0644'
+ unsafe_writes: '{{ True if (core__unsafe_writes|d(True if (ansible_local|d() and ansible_local.core|d()
+ and ansible_local.core.unsafe_writes|d() | bool) else False) | bool) else omit }}'
 with_dict: '{{ tinc__combined_networks }}'
 when: tinc__systemd|bool and item.value.state|d('present') != 'absent'
 notify: [ 'Reload tinc' ]
@@ -254,6 +270,8 @@
 owner: 'root'
 group: 'root'
 mode: '0755'
+ unsafe_writes: '{{ True if (core__unsafe_writes|d(True if (ansible_local|d() and ansible_local.core|d()
+ and ansible_local.core.unsafe_writes|d() | bool) else False) | bool) else omit }}'
 when: tinc__systemd | bool
 - name: Clean up old systemd configuration
@@ -264,10 +282,12 @@
 - name: Configure systemd unit files
 template:
 src: 'etc/systemd/system/{{ item }}.j2'
- dest: '{{ tinc__persistent_prefix_path + "/" + item }}'
+ dest: '/etc/systemd/system/{{ item }}'
 owner: 'root'
 group: 'root'
 mode: '0644'
+ unsafe_writes: '{{ True if (core__unsafe_writes|d(True if (ansible_local|d() and ansible_local.core|d()
+ and ansible_local.core.unsafe_writes|d() | bool) else False) | bool) else omit }}'
 with_items: [ 'tinc.service', 'tinc@.service' ]
 register: tinc__register_systemd
 when: tinc__systemd | bool
@@ -293,11 +313,6 @@
 # Ansible facts [[[1
-# Note that for ``debops.persistent_paths`` on Qubes OS to work correctly, the
-# facts need to be generated at the end of the (first) role playbook run. Note
-# this if it might be necessary to move this to a separate env role. Not sure
-# yet how this could be handled to cover both cases.
-
 - name: Make sure Ansible fact directory exists
 file:
 path: '/etc/ansible/facts.d'
@@ -313,6 +328,8 @@
 owner: 'root'
 group: 'root'
 mode: '0644'
+ unsafe_writes: '{{ True if (core__unsafe_writes|d(True if (ansible_local|d() and ansible_local.core|d()
+ and ansible_local.core.unsafe_writes|d() | bool) else False) | bool) else omit }}'
 register: tinc__register_facts
 - name: Reload facts if they were modified