authorMichael Scherer <misc@zarb.org>2014-12-16 17:11:22 +0100
committerMichael Scherer <misc@zarb.org>2014-12-16 17:11:22 +0100
commit938bf3c804ef28e3a68e8d3eddc6cb97c03ee3b2 (patch)
tree3bcf196c3244146ac5bb352777c51cafa217eaa5 /roles/local_deploy
parente9b939228d5a6e41652963615e7a4cebd671fece (diff)
Use sudo to deploy and run ansible as a regular user
Diffstat (limited to 'roles/local_deploy')
-rw-r--r--roles/local_deploy/files/ansible_run.sudoers1
-rw-r--r--roles/local_deploy/files/extract_wrapper.sh4
-rw-r--r--roles/local_deploy/files/post-receive.private.sh2
-rw-r--r--roles/local_deploy/files/post-receive.public.sh5
-rw-r--r--roles/local_deploy/tasks/main.yml8
-rw-r--r--roles/local_deploy/templates/extract.sudoers1
6 files changed, 18 insertions, 3 deletions
diff --git a/roles/local_deploy/files/ansible_run.sudoers b/roles/local_deploy/files/ansible_run.sudoers
new file mode 100644
index 0000000..ea995ab
--- /dev/null
+++ b/roles/local_deploy/files/ansible_run.sudoers
@@ -0,0 +1 @@
+%admins ALL=(ALL) NOPASSWD: /usr/local/bin/ansible_run.sh
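Review bot: The run-as spec `(ALL)` on the added line lets members of %admins run the script as any account, and because no argument list is given sudo accepts arbitrary arguments; both are wider than a deploy trigger needs. If ansible_run.sh takes no arguments (its body is not part of this diff), the rule can be pinned as `%admins ALL=(root) NOPASSWD: /usr/local/bin/ansible_run.sh ""`. The same `(ALL)` appears in templates/extract.sudoers and can be narrowed to `(root)` there as well. Since the script now runs as root without a password, it and anything it sources need to be writable by root only.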
diff --git a/roles/local_deploy/files/extract_wrapper.sh b/roles/local_deploy/files/extract_wrapper.sh
new file mode 100644
index 0000000..240fb71
--- /dev/null
+++ b/roles/local_deploy/files/extract_wrapper.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+export GIT_DIR=$1
+GIT_WORK_TREE=/etc/ansible/ git checkout -q -f
+
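Review bot: The wrapper runs git as root against whatever `$1` names without checking it, and git honours the config and hooks stored in that repository, so any account that can write inside the repository directory influences what root executes. The sudoers rule pins the argument, but the script should still fail closed: add `set -eu` after the shebang and quote the assignment as `export GIT_DIR="$1"`, so a missing argument aborts instead of running git with an empty GIT_DIR. Ownership of the repository's `config` and `hooks/` is not visible in this diff and should be restricted to root or another trusted account.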
diff --git a/roles/local_deploy/files/post-receive.private.sh b/roles/local_deploy/files/post-receive.private.sh
index e6d6abb..527c520 100644
--- a/roles/local_deploy/files/post-receive.private.sh
+++ b/roles/local_deploy/files/post-receive.private.sh
@@ -1,2 +1,2 @@
#!/bin/sh
-GIT_WORK_TREE=/etc/ansible/ git checkout -q -f
+sudo /usr/local/bin/extract_wrapper.sh
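Review bot: The added line calls the wrapper with no argument, while templates/extract.sudoers only permits `extract_wrapper.sh {{ git_repositories_dir }}/private`, so this invocation will not match the NOPASSWD rule and the wrapper would export an empty GIT_DIR. Pass the repository path the way the public hook does, quoted: `sudo /usr/local/bin/extract_wrapper.sh "$GIT_DIR"`. A failed sudo call is also silent here; ending the line with `|| exit 1` makes the push report the failure.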
diff --git a/roles/local_deploy/files/post-receive.public.sh b/roles/local_deploy/files/post-receive.public.sh
index ce4da28..adcfa80 100644
--- a/roles/local_deploy/files/post-receive.public.sh
+++ b/roles/local_deploy/files/post-receive.public.sh
@@ -1,4 +1,5 @@
#!/bin/sh
-GIT_WORK_TREE=/etc/ansible/ git checkout -q -f
+sudo /usr/local/bin/extract_wrapper.sh $GIT_DIR
+#GIT_WORK_TREE=/etc/ansible/ git checkout -q -f
# run ansible
-/usr/local/bin/ansible_run.sh
+sudo /usr/local/bin/ansible_run.sh
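Review bot: `$GIT_DIR` is passed unquoted and unresolved, but sudo compares the argument literally with the path rendered into extract.sudoers; git usually hands hooks a relative GIT_DIR (often `.`), in which case the rule would not match and sudo would ask for a password inside the hook, which is worth confirming on the target host. Resolving the path first, e.g. `sudo /usr/local/bin/extract_wrapper.sh "$(cd "$GIT_DIR" && pwd)" || exit 1`, also keeps ansible_run.sh from running after a failed checkout. The commented-out `#GIT_WORK_TREE=/etc/ansible/ git checkout -q -f` line can be dropped, since history already keeps the old command.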
diff --git a/roles/local_deploy/tasks/main.yml b/roles/local_deploy/tasks/main.yml
index 22d0b03..9215d53 100644
--- a/roles/local_deploy/tasks/main.yml
+++ b/roles/local_deploy/tasks/main.yml
@@ -8,8 +8,16 @@
- public
- private
+- template: src=extract.sudoers dest=/etc/sudoers.d/extract_{{ item }}
+ with_items:
+ - public
+ - private
+
- copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755
with_items:
- ansible_run.sh
+ - extract_wrapper.sh
+
+- copy: src=ansible_run.sudoers dest=/etc/sudoers.d/ansible_run
- cron: name="ansible run" job="/usr/local/bin/ansible_run.sh" minute=*/30
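Review bot: Both sudoers files are written into /etc/sudoers.d without an explicit owner or mode and without a syntax check, so a rendering mistake in extract.sudoers (for example an undefined `git_repositories_dir`) can leave sudo unable to parse its configuration. Add `owner=root group=root mode=0440 validate='visudo -cf %s'` to the `template: src=extract.sudoers` task and to the `copy: src=ansible_run.sudoers` task. The scripts copied to /usr/local/bin with `mode=0755` are now sudo targets, so setting `owner=root group=root` on that task makes the root-only write requirement explicit as well.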
diff --git a/roles/local_deploy/templates/extract.sudoers b/roles/local_deploy/templates/extract.sudoers
new file mode 100644
index 0000000..37cda43
--- /dev/null
+++ b/roles/local_deploy/templates/extract.sudoers
@@ -0,0 +1 @@
+%admins ALL=(ALL) NOPASSWD: /usr/local/bin/extract_wrapper.sh {{ git_repositories_dir }}/{{ item }}