mila-iqia · btravouillon · Jan 27, 2025 · May 15, 2023 · Sep 18, 2023 · May 21, 2024
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -20,9 +20,11 @@ cvmfs_stratum1_http_ports:
 cvmfs_localproxy_http_ports:
   - 3128
 
-cvmfs_stratum1_apache_port: 8008
+cvmfs_stratum1_apache_port: "{{ cvmfs_stratum1_squid_enabled | ternary(8008, 80) }}"
 cvmfs_stratum1_cache_mem: 128 # MB
 
+cvmfs_stratum1_squid_enabled: true
+
 # Stratum 1 snapshot cron job timing, hash keys correspond to the cron module options:
 #   https://docs.ansible.com/ansible/latest/collections/ansible/builtin/cron_module.html
 #
@@ -124,6 +126,19 @@ cvmfs_geoip_db_update_day: "{{ 28 | random(seed=inventory_hostname) }}"
 #   3. this points to a cert bundle that contains CA certs for your Stratum 0 (the default here is valid for EL).
 # cvmfs_x509_cert_bundle: /etc/pki/tls/cert.pem
 
+# The role will deploy a PolicyKit rule that allows unprivileged users to manage the services in cvmfs_manage_units if
+# either of the following two options are set.
+
+# Either a list of usernames, or set to a boolean true to automatically use the 'owner's in cvmfs_repositories
+#cvmfs_manage_units_users: ...
+
+# A group name
+#cvmfs_manage_units_group: ...
+
+# The list of units that can be managed by users in the above group
+cvmfs_manage_units:
+  - squid.service
+
 #
 # Galaxy-specific stuff follows
 #
@@ -160,7 +175,7 @@ galaxy_cvmfs_config_repo:
     client_options: []
 # Defaults for galaxyproject.org repos
 galaxy_cvmfs_keys:
-  # This will become the key for all repos, currently cvmfs-config and singularity
+  # This will become the key for all repos, currently cvmfs-config, singularity, and test
   - path: /etc/cvmfs/keys/galaxyproject.org/galaxyproject.org.pub
     key: |
       -----BEGIN PUBLIC KEY-----
@@ -172,17 +187,6 @@ galaxy_cvmfs_keys:
       mAG1ceyBFowj/r3iJTa+Jcif2uAmZxg+cHkZG5KzATykF82UH1ojUzREMMDcPJi2
       dQIDAQAB
       -----END PUBLIC KEY-----
-  - path: /etc/cvmfs/keys/galaxyproject.org/test.galaxyproject.org.pub
-    key: |
-      -----BEGIN PUBLIC KEY-----
-      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtfc5SSX9ALcrukWYcxkI
-      mkLhlkJa5tCP1oZNWFA7GfE4xQW2vcKE5qmbZqhYVfdiy+FHPnhWPJp577hekD2F
-      vMITbApdZ0265AjRC0+EKKxpMF8zZ0q71vCFxvdK0c3DtT/3LmqKrr2wimtJZjQN
-      UAZcQG2ykzeHzFZ46w74IO0o8Fv/w2XEbYI0QqbNFv+0hcp5SruFqaaLsRZdd6Bn
-      3iSylgVRQ5b+h1LfB/EuEpSmH1sDozZ4tU0fpbrBSknK76aad1o/cvWY1X87ToUV
-      helU0HE2Rw/u9EqJDvPFTbUmad3MtspkqbG5Eo7lI+ktzbcD7UTsQ/7noIXIQ5dD
-      PwIDAQAB
-      -----END PUBLIC KEY-----
   - path: /etc/cvmfs/keys/galaxyproject.org/data.galaxyproject.org.pub
     key: |
       -----BEGIN PUBLIC KEY-----
@@ -205,28 +209,6 @@ galaxy_cvmfs_keys:
       torRYcoFZICTZqY9e/KsadHUeZnH3RvfMypH5oS1POzsFszoSxBhZIBkZbG3/f9Y
       OQIDAQAB
       -----END PUBLIC KEY-----
-  - path: /etc/cvmfs/keys/galaxyproject.org/sandbox.galaxyproject.org.pub
-    key: |
-      -----BEGIN PUBLIC KEY-----
-      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1jHnrwsxMUkMZDAj9GMt
-      WNCFFrNVejTTbyklk+52yyXgVgRWo1qN+5lh6W2UL/b2v9pOEzRVPZBQvNNwKo6P
-      e+5p2JBVJ5yv7tpegEnHaRYw6yoHlWLzeSfiu8/yNp2s3jzK52zdLE9rZu7KlXH3
-      EiY2LbU8wa0oah8BlvqWoHlWm78IQbbgK3Q0KmsXpvpjjhYkRWh/TL7KRmwT0b+C
-      WDNbviUi62sBl1SWQ95kcsfqfviU94DKGWRWDYngnYRV5PZVLuUw8Egix6lW2Sj0
-      l5LILRbaIyXiTsFqXfK1dtjAOmZMkX4wuBch13y9FhMCIRvBDWYQuyxugSC101Ur
-      YwIDAQAB
-      -----END PUBLIC KEY-----
-  - path: /etc/cvmfs/keys/galaxyproject.org/usegalaxy.galaxyproject.org.pub
-    key: |
-      -----BEGIN PUBLIC KEY-----
-      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsqb8HIG5T/juOmVpByIE
-      UfboKj7S2LbnWCZdCAoA9EfQfsxi/p3iWu1j9/0iJjf4yKs+pI6mJL/t+txB9fM5
-      EYdYJv/awH7W4A47e8/CR25HzoM9PjxbssRbHSGWLrDBPHUcyQh7gZGqJYdXIyeS
-      DrgPoftn04xuLQvmPWbi8Ng14c+Kn8947PxZ5hVOmApEd4gzkHI0qFfC7dTN/rTh
-      KdC5mWONdRmmSDM4OmgJl7wdzE5pUTA+H1GagESxG4Cm/7EN9ZnVgWdb/sgVTxHG
-      e3odhIy/hV82RHkaW456/jhd8tD8LHpY8jdM/rWvwrBgI7WntqSijOUe2a6uC7S1
-      sQIDAQAB
-      -----END PUBLIC KEY-----
 
 galaxy_cvmfs_server_urls:
   - domain: galaxyproject.org

diff --git a/files/cvmfs_remount_sync.el_9 b/files/cvmfs_remount_sync.el_9
diff --git a/files/cvmfs_wipecache.el_9 b/files/cvmfs_wipecache.el_9
diff --git a/tasks/stratum1.yml b/tasks/stratum1.yml
@@ -28,6 +28,7 @@
   ansible.builtin.include_tasks: squid.yml
   vars:
     _cvmfs_squid_conf_src: "{{ cvmfs_squid_conf_src | default('stratum1_squid.conf.j2') }}"
+  when: cvmfs_stratum1_squid_enabled
 
 - name: Include firewall tasks
   ansible.builtin.include_tasks: firewall.yml
@@ -38,6 +39,7 @@
 - name: Install GeoIP API key
   ansible.builtin.copy:
     content: |
+      CVMFS_GEO_ACCOUNT_ID="{{ cvmfs_geo_account_id }}"
       CVMFS_GEO_LICENSE_KEY="{{ cvmfs_geo_license_key }}"
     mode: 0400
     dest: /etc/cvmfs/server.local
@@ -135,4 +137,4 @@
     src: 01-manage-units.rules.j2
     dest: /etc/polkit-1/rules.d/01-manage-units.rules
     mode: 0644
-  when: cvmfs_manage_units_group is defined
+  when: cvmfs_manage_units_users is defined or cvmfs_manage_units_group is defined
diff --git a/tasks/stratumN.yml b/tasks/stratumN.yml
@@ -1,6 +1,6 @@
 ---
 - name: Create /srv filesystem
-  community.general.system.filesystem:
+  community.general.filesystem:
     dev: "{{ cvmfs_srv_device }}"
     force: false
     fstype: "{{ cvmfs_srv_fstype | default('ext4') }}"

diff --git a/templates/01-manage-units.rules.j2 b/templates/01-manage-units.rules.j2
@@ -2,14 +2,23 @@
  * This file is managed by Ansible.  ALL CHANGES WILL BE OVERWRITTEN.
  */
 
-/* Allow users in the docker group to manage units. Way more control than we
- * would like to give, but the "unit" and "verb" action variables (used with
- * action.lookup()) were not added to systemd until 226, so unless RedHat
- * backports them, we are SOL.
- */
+// Allow CVMFS repo owners to manage related services
 polkit.addRule(function(action, subject) {
+    var allowedUnits = {{ cvmfs_manage_units | to_json }};
+{% if cvmfs_manage_units_users is defined and cvmfs_manage_units_users is true %}
+    var allowedUsers = {{ cvmfs_repositories | map(attribute='owner') | unique | to_json }};
+{% elif cvmfs_manage_units_users is defined %}
+    var allowedUsers = {{ cvmfs_manage_units_users | to_json }};
+{% endif %}
     if (action.id == "org.freedesktop.systemd1.manage-units" &&
+        allowedUnits.includes(action.lookup("unit")) &&
+{% if cvmfs_manage_units_users is defined and cvmfs_manage_units_group is defined %}
+        (allowedUsers.includes(subject.user) || subject.isInGroup("{{ cvmfs_manage_units_group }}"))) {
+{% elif cvmfs_manage_units_users is defined %}
+        allowedUsers.includes(subject.user)) {
+{% elif cvmfs_manage_units_group is defined %}
         subject.isInGroup("{{ cvmfs_manage_units_group }}")) {
+{% endif %}
         return polkit.Result.YES;
     }
 });
diff --git a/templates/localproxy_squid.conf.j2 b/templates/localproxy_squid.conf.j2
@@ -7,9 +7,9 @@ http_access allow all
 
 always_direct allow all
 
-# {% if cvmfs_localproxy_cache_dir is defined %}
-# cache_dir ufs {{ cvmfs_localproxy_cache_dir.dir }} {{ cvmfs_localproxy_cache_dir.size }} 16 256
-# {% endif %}
+{% if cvmfs_localproxy_cache_dir is defined %}
+cache_dir ufs {{ cvmfs_localproxy_cache_dir.dir }} {{ cvmfs_localproxy_cache_dir.size }} 16 256
+{% endif %}
 
 cache_mem {{ cvmfs_localproxy_cache_mem }} MB