From 938bf3c804ef28e3a68e8d3eddc6cb97c03ee3b2 Mon Sep 17 00:00:00 2001
From: Michael Scherer
Date: Tue, 16 Dec 2014 17:11:22 +0100
Subject: Use sudo to deploy and run ansible as a regular user
---
roles/local_deploy/files/ansible_run.sudoers | 1 +
roles/local_deploy/files/extract_wrapper.sh | 4 ++++
roles/local_deploy/files/post-receive.private.sh | 2 +-
roles/local_deploy/files/post-receive.public.sh | 5 +++--
roles/local_deploy/tasks/main.yml | 8 ++++++++
roles/local_deploy/templates/extract.sudoers | 1 +
6 files changed, 18 insertions(+), 3 deletions(-)
create mode 100644 roles/local_deploy/files/ansible_run.sudoers
create mode 100644 roles/local_deploy/files/extract_wrapper.sh
create mode 100644 roles/local_deploy/templates/extract.sudoers
(limited to 'roles/local_deploy')
diff --git a/roles/local_deploy/files/ansible_run.sudoers b/roles/local_deploy/files/ansible_run.sudoers
new file mode 100644
index 0000000..ea995ab
--- /dev/null
+++ b/roles/local_deploy/files/ansible_run.sudoers
@@ -0,0 +1 @@
+%admins ALL=(ALL) NOPASSWD: /usr/local/bin/ansible_run.sh
diff --git a/roles/local_deploy/files/extract_wrapper.sh b/roles/local_deploy/files/extract_wrapper.sh
new file mode 100644
index 0000000..240fb71
--- /dev/null
+++ b/roles/local_deploy/files/extract_wrapper.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+export GIT_DIR=$1
+GIT_WORK_TREE=/etc/ansible/ git checkout -q -f
+
diff --git a/roles/local_deploy/files/post-receive.private.sh b/roles/local_deploy/files/post-receive.private.sh
index e6d6abb..527c520 100644
--- a/roles/local_deploy/files/post-receive.private.sh
+++ b/roles/local_deploy/files/post-receive.private.sh
@@ -1,2 +1,2 @@
 #!/bin/sh
-GIT_WORK_TREE=/etc/ansible/ git checkout -q -f
+sudo /usr/local/bin/extract_wrapper.sh
diff --git a/roles/local_deploy/files/post-receive.public.sh b/roles/local_deploy/files/post-receive.public.sh
index ce4da28..adcfa80 100644
--- a/roles/local_deploy/files/post-receive.public.sh
+++ b/roles/local_deploy/files/post-receive.public.sh
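Review bot: In roles/local_deploy/files/ansible_run.sudoers the rule names the command with no argument list, so sudo accepts any arguments after `/usr/local/bin/ansible_run.sh`, and the `(ALL)` runas lets members of %admins run it as any account rather than only root. ansible_run.sh is not part of this diff, so whether it reads its arguments cannot be judged here; if it takes none, pin that down with `%admins ALL=(root) NOPASSWD: /usr/local/bin/ansible_run.sh ""`. The same `(ALL)` runas appears in roles/local_deploy/templates/extract.sudoers and could be narrowed to `(root)` there as well.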
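Review bot: roles/local_deploy/files/extract_wrapper.sh exports `$1` as GIT_DIR without checking that it was given, so a call with no argument runs `git checkout -q -f` as root with an empty GIT_DIR; `export GIT_DIR="${1:?usage: extract_wrapper.sh GIT_DIR}"` makes that fail early with a message. Because the script runs under sudo, git also reads the config and hooks stored inside that repository with root's privileges, so the repository directory becomes part of the privileged surface: its `config` and `hooks/` should not be writable by accounts that are not meant to have root. A short header comment saying that the repository path arrives as an argument, presumably because sudo resets the environment and GIT_DIR would not be inherited, would help the next reader.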
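Review bot: roles/local_deploy/files/post-receive.private.sh calls `sudo /usr/local/bin/extract_wrapper.sh` with no argument, while the extract.sudoers template only authorises the command followed by `{{ git_repositories_dir }}/{{ item }}` and the wrapper takes the repository from `$1`. As written the call should not match the NOPASSWD rule, and the wrapper would export an empty GIT_DIR even if it did. Pass the repository as the public hook does, quoted: `sudo /usr/local/bin/extract_wrapper.sh "$GIT_DIR"`.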
@@ -1,4 +1,5 @@
 #!/bin/sh
-GIT_WORK_TREE=/etc/ansible/ git checkout -q -f
+sudo /usr/local/bin/extract_wrapper.sh $GIT_DIR
+#GIT_WORK_TREE=/etc/ansible/ git checkout -q -f
 # run ansible
-/usr/local/bin/ansible_run.sh
+sudo /usr/local/bin/ansible_run.sh
diff --git a/roles/local_deploy/tasks/main.yml b/roles/local_deploy/tasks/main.yml
index 22d0b03..9215d53 100644
--- a/roles/local_deploy/tasks/main.yml
+++ b/roles/local_deploy/tasks/main.yml
@@ -8,8 +8,16 @@ - public - private +- template: src=extract.sudoers dest=/etc/sudoers.d/extract_{{ item }} + with_items: + - public + - private + - copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 with_items: - ansible_run.sh + - extract_wrapper.sh + +- copy: src=ansible_run.sudoers dest=/etc/sudoers.d/ansible_run - cron: name="ansible run" job="/usr/local/bin/ansible_run.sh" minute=*/30
diff --git a/roles/local_deploy/templates/extract.sudoers b/roles/local_deploy/templates/extract.sudoers
new file mode 100644
index 0000000..37cda43
--- /dev/null
+++ b/roles/local_deploy/templates/extract.sudoers
@@ -0,0 +1 @@
+%admins ALL=(ALL) NOPASSWD: /usr/local/bin/extract_wrapper.sh {{ git_repositories_dir }}/{{ item }}
-- cgit
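Review bot: Neither sudo call in roles/local_deploy/files/post-receive.public.sh has its exit status checked, so `sudo /usr/local/bin/ansible_run.sh` still runs when the extraction was refused or failed, applying whatever tree is already in /etc/ansible. `$GIT_DIR` is also unquoted, and plain `sudo` can stop to ask for a password inside a non-interactive hook when no NOPASSWD rule matches. Suggested: `sudo -n /usr/local/bin/extract_wrapper.sh "$GIT_DIR" || exit 1`, and likewise `sudo -n` for the ansible run. The commented-out `#GIT_WORK_TREE=/etc/ansible/ git checkout -q -f` line can be dropped, since the old command remains in history.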
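Review bot: The two tasks in roles/local_deploy/tasks/main.yml that write into /etc/sudoers.d set no owner, mode or validation, so the files land with default permissions and a template that renders to invalid sudoers syntax is installed unchecked. sudo is strict about these files, and a bad one can leave sudo unusable on the host. Add `owner=root group=root mode=0440 validate='visudo -cf %s'` to both the `template: src=extract.sudoers …` task and the `copy: src=ansible_run.sudoers …` task. The hunk starts inside an earlier task's `with_items` list, which is not fully visible here.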
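Review bot: The rule in roles/local_deploy/templates/extract.sudoers authorises extract_wrapper.sh only with the exact argument `{{ git_repositories_dir }}/{{ item }}`, so the hooks must pass that same absolute path character for character. Git usually exports a relative GIT_DIR (often `.`) to the hooks of a bare repository, in which case `sudo /usr/local/bin/extract_wrapper.sh $GIT_DIR` would not match the rule; this is worth confirming with a real push. If so, have the hook resolve the path first, e.g. `repo=$(cd "$GIT_DIR" && pwd)`, and add a comment in this template stating that the argument is matched literally.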