debuginfod: Implement role

Signed-off-by: Morten Linderud <morten@linderud.pw>

playbooks/debuginfod.archlinux.org.yml

+---
+- name: setup debuginfod.archlinux.org
+  hosts: debuginfod.archlinux.org
+  remote_user: root
+  roles:
+    - { role: common }
+    - { role: firewalld }
+    - { role: wireguard }
+    - { role: hardening }
+    - { role: sshd }
+    - { role: root_ssh }
+    - { role: certbot }
+    - { role: nginx }
+    - { role: debuginfod }
+    - { role: syncdebug }
+    - { role: prometheus_exporters }
+    - { role: promtail }

roles/debuginfod/defaults/main.yml

+---
+debuginfod_httpd: false
+debuginfod_domain: debuginfod.archlinux.org
+debuginfod_port: 8002
+debuginfod_database: /var/cache/debuginfod/debuginfod.sqlite
+debuginfod_package_paths:
+  - /srv/ftp/pool/packages-debug
+  - /srv/ftp/pool/community-debug

roles/debuginfod/handlers/main.yml

+---
+
+- name: reload debuginfod
+  service: name=debuginfod state=reloaded

roles/debuginfod/tasks/main.yml

+---
+- name: install debuginfod
+  pacman: name=debuginfod state=present
+
+- name: create ssl cert
+  include_role:
+    name: certificate
+  vars:
+    domains: ["{{ debuginfod_domain }}"]
+  when: debuginfod_domain
+
+- name: configure debuginfod systemd service
+  template: src=debuginfod.service.j2 dest=/usr/lib/systemd/system/debuginfod.service owner=root group=root mode=0644
+  vars:
+    debuginfod_package_path: "{{ debuginfod_package_paths | join(' ') }}"
+  notify:
+    - reload debuginfod
+
+- name: make nginx log dir
+  file: path=/var/log/nginx/{{ debuginfod_domain }} state=directory owner=root group=root mode=0755
+
+- name: set up nginx
+  template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/debuginfod.conf owner=root group=root mode=0644
+  notify:
+    - reload nginx
+  when: debuginfod_domain
+  tags: ['nginx']
+
+- name: start and enable debuginfod
+  service: name=debuginfod enabled=yes state=started

roles/debuginfod/templates/debuginfod.service.j2

+[Unit]
+Description=debuginfod server
+After=network.target network-online.target nss-lookup.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/debuginfod -d {{debuginfod_database}} -p {{debuginfod_port}} -F -Z .tar.zst=zstdcat {{debuginfod_package_path}}
+Restart=on-failure
+DynamicUser=yes
+PrivateDevices=true
+PrivateUsers=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+ReadOnlyPaths={{debuginfod_package_path}}
+CacheDirectory=debuginfod
+
+[Install]
+WantedBy=multi-user.target

roles/debuginfod/templates/nginx.d.conf.j2

+server {
+    listen       80;
+    listen       [::]:80;
+    server_name  {{ debuginfod_domain }};
+
+    access_log   /var/log/nginx/{{ debuginfod_domain }}/access.log reduced;
+    access_log   /var/log/nginx/{{ debuginfod_domain }}/access.log.json json_reduced;
+    error_log    /var/log/nginx/{{ debuginfod_domain }}/error.log;
+
+    include snippets/letsencrypt.conf;
+
+    location / {
+        access_log off;
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen       443 ssl http2;
+    listen       [::]:443 ssl http2;
+    server_name  {{ debuginfod_domain }};
+
+    access_log   /var/log/nginx/{{ debuginfod_domain }}/access.log reduced;
+    access_log   /var/log/nginx/{{ debuginfod_domain }}/access.log.json json_reduced;
+    error_log    /var/log/nginx/{{ debuginfod_domain }}/error.log;
+
+    ssl_certificate      /etc/letsencrypt/live/{{ debuginfod_domain }}/fullchain.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/{{ debuginfod_domain }}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ debuginfod_domain }}/chain.pem;
+
+    location / {
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_pass http://127.0.0.1:8002;
+    }
+}