Commit 194bc84b authored by Morten Linderud's avatar Morten Linderud 🏄 Committed by Kristian Klausen

debuginfod: Implement role


Signed-off-by: Morten Linderud's avatarMorten Linderud <morten@linderud.pw>
parent 85bb8f0e
---
- name: setup debuginfod.archlinux.org
hosts: debuginfod.archlinux.org
remote_user: root
roles:
- { role: common }
- { role: firewalld }
- { role: wireguard }
- { role: hardening }
- { role: sshd }
- { role: root_ssh }
- { role: certbot }
- { role: nginx }
- { role: debuginfod }
- { role: syncdebug }
- { role: prometheus_exporters }
- { role: promtail }
---
debuginfod_httpd: false
debuginfod_domain: debuginfod.archlinux.org
debuginfod_port: 8002
debuginfod_database: /var/cache/debuginfod/debuginfod.sqlite
debuginfod_package_paths:
- /srv/ftp/pool/packages-debug
- /srv/ftp/pool/community-debug
---
- name: reload debuginfod
service: name=debuginfod state=reloaded
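Review bot: The handler uses `state=reloaded`, but the unit file added in this commit defines no `ExecReload=`, so `systemctl reload debuginfod` will be rejected as not applicable and a changed ExecStart line never takes effect. A template change under /usr/lib/systemd/system also needs a daemon-reload, which the `service` module does not perform. I would make the handler `- name: restart debuginfod` with `systemd: name=debuginfod state=restarted daemon_reload=true`, and point the `notify` in the service-template task at the new name.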
---
- name: install debuginfod
pacman: name=debuginfod state=present
- name: create ssl cert
include_role:
name: certificate
vars:
domains: ["{{ debuginfod_domain }}"]
when: debuginfod_domain
- name: configure debuginfod systemd service
template: src=debuginfod.service.j2 dest=/usr/lib/systemd/system/debuginfod.service owner=root group=root mode=0644
vars:
debuginfod_package_path: "{{ debuginfod_package_paths | join(' ') }}"
notify:
- reload debuginfod
- name: make nginx log dir
file: path=/var/log/nginx/{{ debuginfod_domain }} state=directory owner=root group=root mode=0755
- name: set up nginx
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/debuginfod.conf owner=root group=root mode=0644
notify:
- reload nginx
when: debuginfod_domain
tags: ['nginx']
- name: start and enable debuginfod
service: name=debuginfod enabled=yes state=started
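Review bot: The "make nginx log dir" task is unconditional and untagged while the "set up nginx" task that writes to that directory carries `when: debuginfod_domain` and `tags: ['nginx']`; with the domain unset the log dir is still created under an empty name, and running the role with `--tags nginx` skips the directory the config expects. I would add `when: debuginfod_domain` and `tags: ['nginx']` to the log dir task so the two stay in step. Separately, the default `debuginfod_httpd: false` is not read by any task in this commit; if another role consumes it that is fine, otherwise it looks like dead configuration.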
[Unit]
Description=debuginfod server
After=network.target network-online.target nss-lookup.target
[Service]
Type=simple
ExecStart=/usr/bin/debuginfod -d {{debuginfod_database}} -p {{debuginfod_port}} -F -Z .tar.zst=zstdcat {{debuginfod_package_path}}
Restart=on-failure
DynamicUser=yes
PrivateDevices=true
PrivateUsers=true
ProtectKernelTunables=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
ReadOnlyPaths={{debuginfod_package_path}}
CacheDirectory=debuginfod
[Install]
WantedBy=multi-user.target
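Review bot: `After=network-online.target` in [Unit] has no effect on its own because nothing pulls the target in; per the systemd documentation it must be paired with `Wants=network-online.target`, otherwise the service can start before the network is up and fail to bind. On the sandboxing side the unit is already reasonably tight (DynamicUser= implies ProtectSystem=strict, ProtectHome=read-only and NoNewPrivileges), but a network-facing scanner of attacker-supplied archives would benefit from a few more restrictions; the directives below are the standard ones for a plain TCP service and should not conflict with the `-Z .tar.zst=zstdcat` child process. Note that debuginfod listens on port 8002 on all addresses as far as I know, so the plaintext backend stays reachable unless the firewalld role in this playbook blocks it; worth confirming.

```ini
[Unit]
Description=debuginfod server
Wants=network-online.target
After=network.target network-online.target nss-lookup.target

[Service]
; … unchanged: Type, ExecStart, Restart, DynamicUser, existing Protect*/Private* lines …
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true
LockPersonality=true
ProtectHostname=true
ProtectClock=true
CapabilityBoundingSet=
SystemCallFilter=@system-service
SystemCallArchitectures=native
; … unchanged: ReadOnlyPaths, CacheDirectory, [Install] …
```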
server {
listen 80;
listen [::]:80;
server_name {{ debuginfod_domain }};
access_log /var/log/nginx/{{ debuginfod_domain }}/access.log reduced;
access_log /var/log/nginx/{{ debuginfod_domain }}/access.log.json json_reduced;
error_log /var/log/nginx/{{ debuginfod_domain }}/error.log;
include snippets/letsencrypt.conf;
location / {
access_log off;
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ debuginfod_domain }};
access_log /var/log/nginx/{{ debuginfod_domain }}/access.log reduced;
access_log /var/log/nginx/{{ debuginfod_domain }}/access.log.json json_reduced;
error_log /var/log/nginx/{{ debuginfod_domain }}/error.log;
ssl_certificate /etc/letsencrypt/live/{{ debuginfod_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ debuginfod_domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ debuginfod_domain }}/chain.pem;
location / {
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass http://127.0.0.1:8002;
}
}
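Review bot: The upstream port is hard-coded as `proxy_pass http://127.0.0.1:8002;` while the role's defaults expose it as `debuginfod_port: 8002` and the systemd template already uses that variable; overriding the default would silently leave nginx proxying to a closed port. I would write `proxy_pass http://127.0.0.1:{{ debuginfod_port }};` so both templates follow the same variable.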