Merge branch 'aurweb-v6.0.0' into 'master'

aurweb: update rollout for >= v6.0.0

See merge request !525
...@@ -98,7 +98,6 @@ ...@@ -98,7 +98,6 @@
[memcached] [memcached]
...@@ -11,8 +11,7 @@ ...@@ -11,8 +11,7 @@
- { role: nginx } - { role: nginx }
- { role: mariadb } - { role: mariadb }
- { role: sudo } - { role: sudo }
- { role: php_fpm, php_extensions: ['iconv', 'memcached', 'mysqli', 'pdo_mysql'], zend_extensions: ['opcache'] } - { role: redis }
- { role: memcached }
- { role: uwsgi } - { role: uwsgi }
- { role: borg_client, tags: ["borg"] } - { role: borg_client, tags: ["borg"] }
- { role: postfix_null } - { role: postfix_null }
...@@ -13,8 +13,7 @@ ...@@ -13,8 +13,7 @@
- { role: nginx } - { role: nginx }
- { role: mariadb, mariadb_innodb_buffer_pool_size: '1G' } - { role: mariadb, mariadb_innodb_buffer_pool_size: '1G' }
- { role: sudo } - { role: sudo }
- { role: php_fpm, php_extensions: ['iconv', 'memcached', 'mysqli', 'pdo_mysql'], zend_extensions: ['opcache'] } - { role: redis }
- { role: memcached }
- { role: uwsgi } - { role: uwsgi }
- { role: borg_client, tags: ["borg"] } - { role: borg_client, tags: ["borg"] }
- { role: postfix_null } - { role: postfix_null }
--- ---
aurweb_asgi_bind: ''
aurweb_domain: '' aurweb_domain: ''
aurweb_repository: '' aurweb_repository: ''
...@@ -8,6 +9,7 @@ aurweb_git_dir: "{{ aurweb_dir }}/aur.git" ...@@ -8,6 +9,7 @@ aurweb_git_dir: "{{ aurweb_dir }}/aur.git"
aurweb_git_hook: '/usr/local/bin/aurweb-git-update' aurweb_git_hook: '/usr/local/bin/aurweb-git-update'
aurweb_nginx_conf: '/etc/nginx/nginx.d/aurweb.conf' aurweb_nginx_conf: '/etc/nginx/nginx.d/aurweb.conf'
aurweb_version: 'live' aurweb_version: 'live'
aurweb_pgp_keys: ['0F985B6F99B6686854C44EC3F7E46DED420788F3']
aurweb_db: 'aur' aurweb_db: 'aur'
aurweb_db_host: 'localhost' aurweb_db_host: 'localhost'
...@@ -18,9 +20,11 @@ aurweb_socket: '/run/php-fpm/{{aurweb_user}}.socket' ...@@ -18,9 +20,11 @@ aurweb_socket: '/run/php-fpm/{{aurweb_user}}.socket'
cgit_socket: '/run/uwsgi/cgit.sock' cgit_socket: '/run/uwsgi/cgit.sock'
smartgit_socket: '/run/uwsgi/smartgit.sock' smartgit_socket: '/run/uwsgi/smartgit.sock'
aurweb_cache: 'memcache' aurweb_cache: 'redis'
aurweb_cache_pkginfo_ttl: '86400' aurweb_cache_pkginfo_ttl: '86400'
aurweb_request_limt: '4000' aurweb_request_limt: '4000'
aurweb_window_length: '86400' aurweb_window_length: '86400'
aurweb_memcached_socket: '/run/memcached/aurweb.sock' aurweb_memcached_socket: '/run/memcached/aurweb.sock'
aurweb_memcached_memory: 2048 aurweb_memcached_memory: 2048
aurweb_workers: 4
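Review bot: `aurweb_memcached_socket` and `aurweb_memcached_memory` are left in the defaults although the memcached role is dropped from both group-vars files and `memcache_servers` is replaced by a fixed `redis_address` in the config template, so they are now dead settings that advertise a backend the role no longer installs; removing them, or replacing them with an `aurweb_redis_address` default that the template consumes, keeps the role's variable interface honest. The new `aurweb_asgi_bind: ''` defaults to empty and is passed straight to gunicorn's `--bind` in the new service unit, so a host that forgets to set it fails only at service start; a comment such as `# host:port or unix:/path the ASGI server binds to; must be set per host` above it, and `# number of gunicorn worker processes` above `aurweb_workers: 4`, would make the contract visible to the next host being added.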
...@@ -6,20 +6,11 @@ ...@@ -6,20 +6,11 @@
- asciidoc - asciidoc
- highlight - highlight
- make - make
- php-memcached
- pyalpm
- python-alembic
- python-bleach
- python-markdown
- python-mysql-connector
- python-pygit2
- python-srcinfo
- python-fastapi
- python-jinja
- python-email-validator
- python-orjson
- sudo - sudo
- uwsgi-plugin-cgi - uwsgi-plugin-cgi
- python-poetry
- gcc
- pkg-config
- name: install the cgit package - name: install the cgit package
pacman: pacman:
...@@ -41,11 +32,21 @@ ...@@ -41,11 +32,21 @@
- name: Create directory - name: Create directory
file: path={{ aurweb_dir }} state=directory owner={{ aurweb_user }} group=http mode=0775 file: path={{ aurweb_dir }} state=directory owner={{ aurweb_user }} group=http mode=0775
- name: receive valid signing keys
command: /usr/bin/gpg --keyserver --recv {{ item }}
loop: '{{ aurweb_pgp_keys }}'
become: true
become_user: "{{ aurweb_user }}"
register: gpg
changed_when: "gpg.rc == 0"
- name: clone aurweb repo - name: clone aurweb repo
git: > git: >
repo={{ aurweb_repository }} repo={{ aurweb_repository }}
dest="{{ aurweb_dir }}" dest="{{ aurweb_dir }}"
version={{ aurweb_version }} version={{ aurweb_version }}
verify_commit: true
gpg_whitelist: '{{ aurweb_pgp_keys }}'
become: true become: true
become_user: "{{ aurweb_user }}" become_user: "{{ aurweb_user }}"
register: release register: release
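Review bot: The "receive valid signing keys" task added above the clone reports changed on every successful run, because `changed_when: "gpg.rc == 0"` is true whenever gpg exits cleanly, so this part of the play is never idempotent; gpg's import summary distinguishes a fresh import from an unchanged key, so something like `changed_when: "'imported:' in gpg.stderr"` is a closer test. `--keyserver` also appears with no server argument in this rendering of the hunk, which may be the page dropping a URL, but it is worth confirming that the real task names a keyserver, since otherwise `--recv` would be consumed as the server name. Fetching the trust root from a keyserver at rollout time makes every deploy depend on that network path; shipping the public key in the role and importing it with `gpg --import` avoids that, while the fingerprint in `aurweb_pgp_keys` is still enforced on the clone through `gpg_whitelist`.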
...@@ -79,7 +80,7 @@ ...@@ -79,7 +80,7 @@
no_log: true no_log: true
- name: initialize the database - name: initialize the database
command: python -m aurweb.initdb command: poetry run python -m aurweb.initdb
args: args:
chdir: "{{ aurweb_dir }}" chdir: "{{ aurweb_dir }}"
become: true become: true
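Review bot: `poetry run python -m aurweb.initdb` here, and `poetry run alembic upgrade head` in the next hunk, now depend on the Poetry virtualenv, but `poetry install` is only run by the later "Install python module" task (the hunk starting at old line 97), so on a fresh host where `db_created.changed` is true these commands run before the project and its dependencies exist; as far as I know `poetry run` creates an environment on demand but does not install anything into it. Moving the module-availability check and the `poetry install` task ahead of "initialize the database", or gating these two tasks on the install having run, fixes the order. The enclosing task list starts and ends outside both hunks, so an earlier install step would not be visible here.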
...@@ -87,7 +88,7 @@ ...@@ -87,7 +88,7 @@
when: db_created.changed when: db_created.changed
- name: run migrations - name: run migrations
command: alembic upgrade head command: poetry run alembic upgrade head
args: args:
chdir: "{{ aurweb_dir }}" chdir: "{{ aurweb_dir }}"
environment: environment:
...@@ -97,18 +98,43 @@ ...@@ -97,18 +98,43 @@
when: release.changed or db_created.changed when: release.changed or db_created.changed
- name: Check python module availability - name: Check python module availability
command: "python3 -c 'import aurweb'" command: poetry run python3 -c 'import aurweb'
chdir: "{{ aurweb_dir }}"
become: true
become_user: "{{ aurweb_user }}"
ignore_errors: true ignore_errors: true
register: aurweb_installed register: aurweb_installed
tags: tags:
- skip_ansible_lint - skip_ansible_lint
- name: Install python module - name: Install python module
command: "python3 install --install-scripts=/usr/local/bin" command: poetry install
args: args:
chdir: "{{ aurweb_dir }}" chdir: "{{ aurweb_dir }}"
become: true
become_user: "{{ aurweb_user }}"
when: release.changed or aurweb_installed.rc != 0 when: release.changed or aurweb_installed.rc != 0
- name: install custom aurweb-git-auth wrapper script
template: dest=/usr/local/bin/ owner=root group=root mode=0755
when: release.changed
- name: install custom aurweb-git-serve wrapper script
template: dest=/usr/local/bin/ owner=root group=root mode=0755
when: release.changed
- name: install custom aurweb-git-update wrapper script
template: dest=/usr/local/bin/ owner=root group=root mode=0755
when: release.changed
- name: link custom aurweb-git-update wrapper to hooks/update
src: /usr/local/bin/
dest: "{{ aurweb_dir }}/aur.git/hooks/update"
state: link
when: release.changed
- name: Generate HTML documentation - name: Generate HTML documentation
make: make:
chdir: "{{ aurweb_dir }}/doc" chdir: "{{ aurweb_dir }}/doc"
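Review bot: In the "Check python module availability" task the new `chdir: "{{ aurweb_dir }}"` sits directly under `command:` with no `args:` mapping, unlike every sibling task in this hunk, so Ansible should reject it as an unknown task attribute unless the rendering dropped an `args:` line; the fix is the form used a few lines below, `args:` followed by `chdir: "{{ aurweb_dir }}"`. The `poetry install` task installs the development dependency group as well by default, which on a production host pulls test and lint tooling into the environment that runs the service and the git hooks; `command: poetry install --no-dev` keeps the runtime set only. Both tasks now run as `{{ aurweb_user }}`, so the environment is owned by that user, which is consistent with the wrappers added below but deserves a comment, since the install it replaces wrote root-owned scripts into /usr/local/bin.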
...@@ -136,16 +162,6 @@ ...@@ -136,16 +162,6 @@
- name: make nginx log dir - name: make nginx log dir
file: path=/var/log/nginx/{{ aurweb_domain }} state=directory owner=root group=root mode=0755 file: path=/var/log/nginx/{{ aurweb_domain }} state=directory owner=root group=root mode=0755
- name: configure php-fpm
src=php-fpm.conf.j2 dest="/etc/php/php-fpm.d/{{ aurweb_user }}.conf"
owner=root group=root mode=0644
- restart php-fpm@{{ aurweb_user }}
- name: start and enable systemd socket
service: name=php-fpm@{{ aurweb_user }}.socket state=started enabled=true
- name: install cgit configuration - name: install cgit configuration
template: src=cgitrc.j2 dest="{{ aurweb_conf_dir }}/cgitrc" owner=root group=root mode=0644 template: src=cgitrc.j2 dest="{{ aurweb_conf_dir }}/cgitrc" owner=root group=root mode=0644
...@@ -223,15 +239,6 @@ ...@@ -223,15 +239,6 @@
tags: tags:
- skip_ansible_lint - skip_ansible_lint
- name: create symlink for git hook
src: "{{ aurweb_git_hook }}"
dest: "{{ aurweb_git_dir }}/hooks/update"
owner: root
group: root
mode: 0755
state: link
- name: install AUR systemd service and timers - name: install AUR systemd service and timers
template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items: with_items:
...@@ -239,7 +246,6 @@ ...@@ -239,7 +246,6 @@
- aurweb-git.timer - aurweb-git.timer
- aurweb-aurblup.service - aurweb-aurblup.service
- aurweb-aurblup.timer - aurweb-aurblup.timer
- aurweb-memcached.service
- aurweb-mkpkglists.service - aurweb-mkpkglists.service
- aurweb-mkpkglists.timer - aurweb-mkpkglists.timer
- aurweb-pkgmaint.service - aurweb-pkgmaint.service
...@@ -250,20 +256,22 @@ ...@@ -250,20 +256,22 @@
- aurweb-tuvotereminder.timer - aurweb-tuvotereminder.timer
- aurweb-usermaint.service - aurweb-usermaint.service
- aurweb-usermaint.timer - aurweb-usermaint.timer
- aurweb.service
- name: configure sshd
template: src=aurweb_config.j2 dest={{ sshd_includes_dir }}/aurweb_config owner=root group=root mode=0600 validate='/usr/sbin/sshd -t -f %s'
- restart sshd
- name: start and enable AUR systemd services and timers - name: start and enable AUR systemd services and timers
service: name={{ item }} enabled=yes state=started service: name={{ item }} enabled=yes state=restarted daemon_reload=yes
with_items: with_items:
- aurweb-git.timer - aurweb-git.timer
- aurweb-aurblup.timer - aurweb-aurblup.timer
- aurweb-memcached.service
- aurweb-mkpkglists.timer - aurweb-mkpkglists.timer
- aurweb-pkgmaint.timer - aurweb-pkgmaint.timer
- aurweb-popupdate.timer - aurweb-popupdate.timer
- aurweb-tuvotereminder.timer - aurweb-tuvotereminder.timer
- aurweb-usermaint.timer - aurweb-usermaint.timer
- aurweb.service
- name: configure sshd when: release.changed
template: src=aurweb_config.j2 dest={{ sshd_includes_dir }}/aurweb_config owner=root group=root mode=0600 validate='/usr/sbin/sshd -t -f %s'
- restart sshd
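Review bot: The start task at the end of this hunk now uses `state=restarted` and is gated on `when: release.changed`, so on a host where the clone is already at the target commit nothing enables or starts the new `aurweb.service`, and a change to a unit template alone (the install task just above) never restarts anything. Splitting the two concerns keeps both paths working: an ungated `service: name={{ item }} enabled=yes state=started daemon_reload=yes` loop, with the restart moved to a handler that the unit-install task and the `poetry install` task notify. Restarting the timers on every release is harmless but unnecessary, since their unit files are not touched by a code change.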
...@@ -6,7 +6,8 @@ After=mysqld.service ...@@ -6,7 +6,8 @@ After=mysqld.service
[Service] [Service]
Type=oneshot Type=oneshot
User={{ aurweb_user }} User={{ aurweb_user }}
ExecStart=/usr/local/bin/aurweb-aurblup WorkingDirectory={{ aurweb_dir }}
ExecStart=/usr/bin/poetry run aurweb-aurblup
ReadWritePaths={{ aurweb_dir }} ReadWritePaths={{ aurweb_dir }}
NoNewPrivileges=true NoNewPrivileges=true
cd "{{ aurweb_dir }}"
exec poetry run aurweb-git-auth "$@"
cd "{{ aurweb_dir }}"
exec poetry run aurweb-git-serve "$@"
cd "{{ aurweb_dir }}"
exec poetry run aurweb-git-update "$@"
...@@ -6,7 +6,8 @@ After=mysqld.service ...@@ -6,7 +6,8 @@ After=mysqld.service
[Service] [Service]
Type=oneshot Type=oneshot
User={{ aurweb_user }} User={{ aurweb_user }}
ExecStart=/usr/local/bin/aurweb-mkpkglists --extended WorkingDirectory={{ aurweb_dir }}
ExecStart=/usr/bin/poetry run aurweb-mkpkglists --extended
NoNewPrivileges=true NoNewPrivileges=true
LockPersonality=true LockPersonality=true
...@@ -6,7 +6,8 @@ After=mysqld.service ...@@ -6,7 +6,8 @@ After=mysqld.service
[Service] [Service]
Type=oneshot Type=oneshot
User={{ aurweb_user }} User={{ aurweb_user }}
ExecStart=/usr/local/bin/aurweb-pkgmaint WorkingDirectory={{ aurweb_dir }}
ExecStart=/usr/bin/poetry run aurweb-pkgmaint
NoNewPrivileges=true NoNewPrivileges=true
LockPersonality=true LockPersonality=true
...@@ -15,7 +16,7 @@ CapabilityBoundingSet= ...@@ -15,7 +16,7 @@ CapabilityBoundingSet=
PrivateDevices=true PrivateDevices=true
PrivateTmp=true PrivateTmp=true
ProtectSystem=strict ProtectSystem=strict
ProtectHome=true ProtectHome=read-only
MemoryDenyWriteExecute=true MemoryDenyWriteExecute=true
RemoveIPC=true RemoveIPC=true
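Review bot: `ProtectHome=true` is relaxed to `ProtectHome=read-only` in this unit and identically in the popupdate and usermaint units further down, with no comment saying why; presumably the `poetry run` ExecStart needs to read the virtualenv Poetry keeps under the service user's home, but that is inferred, not stated. If that is the reason, the stronger setting can be kept by placing the environment under `{{ aurweb_dir }}` instead, for example `Environment=POETRY_VIRTUALENVS_IN_PROJECT=true` in `[Service]` with the matching setting applied when `poetry install` runs; otherwise a `# read-only: poetry virtualenv lives under the service user's home` line above the directive records the trade-off. The new `aurweb.service` unit later in the page is cut off before any hardening directives, so whether it carries the same sandbox cannot be checked here.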
...@@ -6,7 +6,8 @@ After=mysqld.service ...@@ -6,7 +6,8 @@ After=mysqld.service
[Service] [Service]
Type=oneshot Type=oneshot
User={{ aurweb_user }} User={{ aurweb_user }}
ExecStart=/usr/local/bin/aurweb-popupdate WorkingDirectory={{ aurweb_dir }}
ExecStart=/usr/bin/poetry run aurweb-popupdate
NoNewPrivileges=true NoNewPrivileges=true
LockPersonality=true LockPersonality=true
...@@ -15,7 +16,7 @@ CapabilityBoundingSet= ...@@ -15,7 +16,7 @@ CapabilityBoundingSet=
PrivateDevices=true PrivateDevices=true
PrivateTmp=true PrivateTmp=true
ProtectSystem=strict ProtectSystem=strict
ProtectHome=true ProtectHome=read-only
MemoryDenyWriteExecute=true MemoryDenyWriteExecute=true
RemoveIPC=true RemoveIPC=true
...@@ -6,7 +6,8 @@ After=mysqld.service ...@@ -6,7 +6,8 @@ After=mysqld.service
[Service] [Service]
Type=oneshot Type=oneshot
User={{ aurweb_user }} User={{ aurweb_user }}
ExecStart=/usr/local/bin/aurweb-tuvotereminder WorkingDirectory={{ aurweb_dir }}
ExecStart=/usr/bin/poetry run aurweb-tuvotereminder
NoNewPrivileges=true NoNewPrivileges=true
LockPersonality=true LockPersonality=true
...@@ -6,7 +6,8 @@ After=mysqld.service ...@@ -6,7 +6,8 @@ After=mysqld.service
[Service] [Service]
Type=oneshot Type=oneshot
User={{ aurweb_user }} User={{ aurweb_user }}
ExecStart=/usr/local/bin/aurweb-usermaint WorkingDirectory={{ aurweb_dir }}
ExecStart=/usr/bin/poetry run aurweb-usermaint
NoNewPrivileges=true NoNewPrivileges=true
LockPersonality=true LockPersonality=true
...@@ -15,7 +16,7 @@ CapabilityBoundingSet= ...@@ -15,7 +16,7 @@ CapabilityBoundingSet=
PrivateDevices=true PrivateDevices=true
PrivateTmp=true PrivateTmp=true
ProtectSystem=strict ProtectSystem=strict
ProtectHome=true ProtectHome=read-only
MemoryDenyWriteExecute=true MemoryDenyWriteExecute=true
RemoveIPC=true RemoveIPC=true
Description=aurweb asgi server
User={{ aurweb_user }}
WorkingDirectory={{ aurweb_dir }}
ExecStart=/usr/bin/poetry run gunicorn \
--log-config {{ aurweb_dir }}/logging.conf \
--bind {{ aurweb_asgi_bind }} \
--workers {{ aurweb_workers }} \
-k uvicorn.workers.UvicornWorker \
Match User {{ aurweb_user }} Match User {{ aurweb_user }}
PasswordAuthentication no PasswordAuthentication no
AuthorizedKeysCommand /usr/local/bin/aurweb-git-auth "%t" "%k" AuthorizedKeysCommand /usr/local/bin/ "%t" "%k"
AuthorizedKeysCommandUser {{ aurweb_user }} AuthorizedKeysCommandUser {{ aurweb_user }}
virtual-root=/cgit/ virtual-root=/cgit/
clone-prefix=https://{{ aurweb_domain }} clone-prefix=https://{{ aurweb_domain }}
noheader=0 noheader=0
favicon=/images/favicon.ico favicon=/static/images/favicon.ico
logo= logo=
css=/css/cgit.css css=/static/css/cgit.css
snapshots=tar.gz snapshots=tar.gz
readme=:README readme=:README
...@@ -4,6 +4,7 @@ user = {{ aurweb_db_user }} ...@@ -4,6 +4,7 @@ user = {{ aurweb_db_user }}
password = {{ vault_aurweb_db_password }} password = {{ vault_aurweb_db_password }}
[options] [options]
aurwebdir = {{ aurweb_dir }}
{% if maintenance is defined and maintenance %} {% if maintenance is defined and maintenance %}
enable_maintenance = 1 enable_maintenance = 1
maintenance-exceptions = {{ maintenance_remote_machine }} maintenance-exceptions = {{ maintenance_remote_machine }}
...@@ -16,7 +17,7 @@ cache_pkginfo_ttl = {{ aurweb_cache_pkginfo_ttl }} ...@@ -16,7 +17,7 @@ cache_pkginfo_ttl = {{ aurweb_cache_pkginfo_ttl }}
aur_location = https://{{ aurweb_domain }} aur_location = https://{{ aurweb_domain }}
git_clone_uri_anon = https://{{ aurweb_domain }}/%s.git git_clone_uri_anon = https://{{ aurweb_domain }}/%s.git
git_clone_uri_priv = ssh://{{ aurweb_user }}@{{ aurweb_domain }}/%s.git git_clone_uri_priv = ssh://{{ aurweb_user }}@{{ aurweb_domain }}/%s.git
memcache_servers = {{ aurweb_memcached_socket }}:0 redis_address = redis://localhost
[ratelimit] [ratelimit]
request_limit = {{ aurweb_request_limt }} request_limit = {{ aurweb_request_limt }}
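Review bot: `redis_address = redis://localhost` is hard-coded in the template where the line it replaces took its value from `aurweb_memcached_socket`, so the cache location can no longer be set per host and it is now the only address in the file that is not a variable. A role default such as `aurweb_redis_address: 'redis://localhost'` rendered here as `redis_address = {{ aurweb_redis_address }}` restores that. Nothing in this diff shows how the new redis role binds or whether the instance requires authentication; a comment above the key stating that the address must stay loopback-only unless the instance is protected would document the assumption the default relies on.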
...@@ -27,9 +28,13 @@ Ed25519 = SHA256:RFzBCUItH9LZS0cKB5UE6ceAYhBD5C8GeOBip8Z11+4 ...@@ -27,9 +28,13 @@ Ed25519 = SHA256:RFzBCUItH9LZS0cKB5UE6ceAYhBD5C8GeOBip8Z11+4
ECDSA = SHA256:uTa/0PndEgPZTf76e1DFqXKJEXKsn7m9ivhLQtzGOCI ECDSA = SHA256:uTa/0PndEgPZTf76e1DFqXKJEXKsn7m9ivhLQtzGOCI
RSA = SHA256:5s5cIyReIfNNVGRFdDbe3hdYiI5OelHGpw2rOUud3Q8 RSA = SHA256:5s5cIyReIfNNVGRFdDbe3hdYiI5OelHGpw2rOUud3Q8
git-serve-cmd = /usr/local/bin/
[serve] [serve]
repo-path = {{ aurweb_git_dir }} repo-path = {{ aurweb_git_dir }}
git-shell-cmd = /usr/bin/sh git-shell-cmd = /usr/bin/sh
git-update-cmd = /usr/local/bin/
ssh-cmdline = ssh {{ aurweb_user }}@{{ aurweb_domain }} ssh-cmdline = ssh {{ aurweb_user }}@{{ aurweb_domain }}
[update] [update]
...@@ -45,3 +50,11 @@ packagesmetafile = {{ aurweb_dir }}/web/html/packages-meta-v1.json.gz ...@@ -45,3 +50,11 @@ packagesmetafile = {{ aurweb_dir }}/web/html/packages-meta-v1.json.gz
packagesmetaextfile = {{ aurweb_dir }}/web/html/packages-meta-ext-v1.json.gz packagesmetaextfile = {{ aurweb_dir }}/web/html/packages-meta-ext-v1.json.gz
pkgbasefile = {{ aurweb_dir }}/web/html/pkgbase.gz pkgbasefile = {{ aurweb_dir }}/web/html/pkgbase.gz
userfile = {{ aurweb_dir }}/web/html/users.gz userfile = {{ aurweb_dir }}/web/html/users.gz
notify-cmd = aurweb-notify
{# An email used for server error notifications. #}
postmaster = {{ vault_aurweb_postmaster }}
session_secret = {{ vault_aurweb_secret }}
