Verified Commit 850e278b authored by Giancarlo Razzolini's avatar Giancarlo Razzolini

roles/aurweb: Rename the role to aurweb

To make things consistent, rename the role to aurweb.
parent 85a8f883
---
aurweb_domain: 'aur.archlinux.org'
aurweb_repository: 'https://git.archlinux.org/aurweb.git'
aurweb_dir: '/srv/http/aurweb'
aurweb_conf_dir: '/etc/aurweb'
aurweb_git_dir: "{{ aurweb_dir }}/aur.git"
aurweb_git_hook: '/usr/local/bin/aurweb-git-update'
aurweb_version: 'live'
aurweb_db: 'aur'
aurweb_db_host: 'localhost'
aurweb_db_user: 'aur'
aurweb_db_password: 'aur'
aurweb_user: 'aurweb'
aurweb_socket: '/run/php-fpm/{{aurweb_user}}.socket'
[Unit]
Description=Update aurweb blacklist
Requires=mysqld.service
After=mysqld.service
[Service]
Type=Oneshot
User=aur
ExecStart=/usr/local/bin/aurweb-aurblup
[Unit]
Description=Update aurweb blacklist
[Timer]
OnStartupSec=2h
OnUnitActiveSec=2h
[Install]
WantedBy=timers.target
[Unit]
Description=Regenerate aurweb package and user lists
Requires=mysqld.service
After=mysqld.service
[Service]
Type=Oneshot
User=aur
ExecStart=/usr/local/bin/aurweb-mkpkglists
[Unit]
Description=Regenerate aurweb package and user lists
[Timer]
OnStartupSec=5m
OnUnitActiveSec=5m
[Install]
WantedBy=timers.target
[Unit]
Description=Delete old, empty reserved aurweb pkgbases
Requires=mysqld.service
After=mysqld.service
[Service]
Type=Oneshot
User=aur
ExecStart=/usr/local/bin/aurweb-pkgmaint
[Unit]
Description=Delete old, empty reserved aurweb pkgbases
[Timer]
OnStartupSec=2h
OnUnitActiveSec=2h
[Install]
WantedBy=timers.target
[Unit]
Description=Update aurweb per-package popularity counts
Requires=mysqld.service
After=mysqld.service
[Service]
Type=Oneshot
User=aur
ExecStart=/usr/local/bin/aurweb-popupdate
[Unit]
Description=Update aurweb per-package popularity counts
[Timer]
OnStartupSec=2h
OnUnitActiveSec=2h
[Install]
WantedBy=timers.target
[Unit]
Description=Send aurweb TU vote reminder emails
Requires=mysqld.service
After=mysqld.service
[Service]
Type=Oneshot
User=aur
ExecStart=/usr/local/bin/aurweb-tuvotereminder
[Unit]
Description=Send aurweb TU vote reminder emails
[Timer]
OnStartupSec=12h
OnUnitActiveSec=12h
[Install]
WantedBy=timers.target
---
- name: daemon reload
command: systemctl daemon-reload
- name: restart php-fpm@aurweb
service: name=php-fpm@{{ aurweb_user }} state=restarted
- name: restart sshd
service: name=sshd state=restarted
---
- name: install required packages
pacman: name=git,sudo,python-mysql-connector,python-pygit2,python-srcinfo,python-bleach,python-markdown,make,asciidoc state=present
- name: make aur user
user: name="{{ aurweb_user }}" shell=/bin/bash createhome=yes
- name: Create directory
file: path={{ aurweb_dir }} state=directory owner={{aurweb_user}} group=http mode=0775
- name: clone aurweb repo
git: >
repo={{ aurweb_repository }}
dest="{{ aurweb_dir }}"
version={{ aurweb_version }}
become: true
become_user: "{{aurweb_user}}"
register: release
- name: create aur db
mysql_db: name="{{ aurweb_db }}" login_host="{{ aurweb_db_host }}" login_password="{{ mariadb_users.root }}" encoding=utf8
register: db_created
- name: create aur db user
mysql_user: name={{ aurweb_db_user }} password={{ aurweb_db_password }}
login_host="{{ aurweb_db_host }}" login_password="{{ mariadb_users.root }}"
priv="{{ aurweb_db }}.*:ALL"
- name: enable innodb_large_prefix
mysql_variables:
login_host: "{{ aurweb_db_host }}"
login_password: "{{ mariadb_users.root }}"
variable: innodb_large_prefix
value: 1
- name: enable innodb_file_format
mysql_variables:
login_host: "{{ aurweb_db_host }}"
login_password: "{{ mariadb_users.root }}"
variable: innodb_file_format
value: Barracuda
- name: check if db is imported
shell: mysql -u {{ aurweb_db_user }} -p{{ aurweb_db_password }} -e "SELECT ID FROM Users" {{ aurweb_db }}
ignore_errors: true
register: db_imported
- name: import aur sql db
mysql_db:
state: import
name: "{{ aurweb_db }}"
login_host: "{{ aurweb_db_host }}"
login_password: "{{ mariadb_users.root }}"
target: "{{ aurweb_dir }}/schema/aur-schema.sql"
when: db_imported.rc != 0
- name: create aurweb conf dir
file: path={{ aurweb_conf_dir }} state=directory
- name: copy aurweb configuration file
copy: src={{ aurweb_dir }}/conf/config.defaults dest={{ aurweb_conf_dir }}/config.defaults remote_src=yes
- name: install custom aurweb configuration
template: src=config.j2 dest={{ aurweb_conf_dir }}/config
- name: Install python module
shell: "python3 setup.py install --install-scripts=/usr/local/bin"
args:
chdir: "{{ aurweb_dir }}"
- name: Generate HTML documentation
make:
chdir: "{{ aurweb_dir }}/doc"
become: true
become_user: "{{aurweb_user}}"
- name: set up nginx
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/aurweb.conf owner=root group=root mode=644
notify: reload nginx
tags: ['nginx']
- name: make nginx log dir
file: path=/var/log/nginx/{{ aurweb_domain }} state=directory owner=root group=root mode=0755
- name: configure php-fpm
template:
src=php-fpm.conf.j2 dest="/etc/php/php-fpm.d/{{ aurweb_user }}.conf"
owner=root group=root mode=0644
notify:
- restart php-fpm@{{ aurweb_user }}
- name: start and enable systemd socket
service: name=php-fpm@{{ aurweb_user }}.socket state=started enabled=true
- name: create git repo dir
file: path={{ aurweb_git_dir }} state=directory owner={{aurweb_user}} group=http mode=0775
- name: init git directory
command: git init --bare {{ aurweb_git_dir }}
args:
creates: "{{ aurweb_git_dir }}/HEAD"
become: true
become_user: "{{aurweb_user}}"
- shell: git config --local --get-all transfer.hideRefs
register: git_config
args:
chdir: "{{ aurweb_git_dir }}"
failed_when: git_config.rc == 2 # FIXME: does not work.
- name: configure git tranfser.hideRefs
command: git config --local transfer.hideRefs '^refs/'
args:
chdir: "{{ aurweb_git_dir }}"
become: true
become_user: "{{aurweb_user}}"
when: git_config.stdout.find('^refs/') == -1
- name: configure git transfer.hideRefs second
command: git config --local --add transfer.hideRefs '!refs/'
args:
chdir: "{{ aurweb_git_dir }}"
become: true
become_user: "{{aurweb_user}}"
when: git_config.stdout.find('!refs/') == -1
- name: configure git transfer.hideRefs third
command: git config --local --add transfer.hideRefs '!HEAD'
args:
chdir: "{{ aurweb_git_dir }}"
become: true
become_user: "{{aurweb_user}}"
when: git_config.stdout.find('!HEAD') == -1
- name: create symlink for git hook
file:
src: "{{ aurweb_git_hook }}"
dest: "{{ aurweb_git_dir }}/hooks/update"
state: link
- name: install AUR maintenance services/timers
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items:
- aurweb-aurblup.service
- aurweb-aurblup.timer
- aurweb-mkpkglists.service
- aurweb-mkpkglists.timer
- aurweb-pkgmaint.service
- aurweb-pkgmaint.timer
- aurweb-popupdate.service
- aurweb-popupdate.timer
- aurweb-tuvotereminder.service
- aurweb-tuvotereminder.timer
- name: start and enable AUR maintenance timers
service: name={{ item }} enabled=yes state=started
with_items:
- aurweb-aurblup.timer
- aurweb-mkpkglists.timer
- aurweb-pkgmaint.timer
- aurweb-popupdate.timer
- aurweb-tuvotereminder.timer
- name: install AUR git gc service/timer
template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items:
- aurweb-git.service
- aurweb-git.timer
- name: start and enable AUR git gc timer
service: name=aurweb-git.timer enabled=yes state=started
- name: configure sshd
template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644 validate='/usr/sbin/sshd -t -f %s'
notify:
- restart sshd
[Unit]
Description=Git gc AUR
[Service]
Type=Oneshot
User=aur
WorkingDirectory={{ aurweb_git_dir }}
ExecStart=/usr/bin/git gc
Nice=5
[Unit]
Description=Git gc & repack AUR
[Timer]
OnCalendar=daily
[Install]
WantedBy=timers.target
[database]
name = {{ aurweb_db }}
user = {{ aurweb_db_user }}
password = {{ aurweb_db_password }}
[options]
enable-maintenance = 0
localedir = {{ aurweb_dir }}/web/locale/
[serve]
repo-path = {{ aurweb_git_dir }}
git-shell-cmd = /usr/bin/sh
[aurblup]
db-path = {{ aurweb_dir }}/aurblup
server = https://mirrors.kernel.org/archlinux/%s/os/x86_64
[mkpkglists]
packagesfile = {{ aurweb_dir }}/web/html/packages.gz
pkgbasefile = {{ aurweb_dir }}/web/html/pkgbase.gz
userfile = {{ aurweb_dir }}/web/html/users.gz
upstream aurweb {
server unix://{{aurweb_socket}};
}
server {
listen 80;
listen [::]:80;
server_name {{ aurweb_domain }};
access_log /var/log/nginx/{{ aurweb_domain }}/access.log main;
error_log /var/log/nginx/{{ aurweb_domain }}/error.log;
include snippets/letsencrypt.conf;
location / {
rewrite ^(.*) https://{{ aurweb_domain }}$1 permanent;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ aurweb_domain }};
access_log /var/log/nginx/{{ aurweb_domain }}/access.log main;
error_log /var/log/nginx/{{ aurweb_domain }}/error.log;
ssl_certificate /etc/letsencrypt/live/{{ aurweb_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ aurweb_domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ aurweb_domain }}/chain.pem;
root {{ aurweb_dir }}/web/html;
index index.php;
location ~ ^/[^/]+\.php($|/) {
fastcgi_pass aurweb;
fastcgi_index index.php;
fastcgi_split_path_info ^(/[^/]+\.php)(/.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
include fastcgi_params;
}
location ~ .* {
rewrite ^/(.*)$ /index.php/$1 last;
}
}
[global]
error_log = syslog
daemonize = no
[{{ aurweb_user }}]
listen = {{ aurweb_socket }}
listen.owner = {{ aurweb_user }}
listen.group = http
listen.mode = 0660
pm = dynamic
pm.max_children = 80
pm.start_servers = 20
pm.min_spare_servers = 10
pm.max_spare_servers = 20
pm.max_requests = 2000
php_admin_value[open_basedir] = {{aurweb_dir}}:/etc/aurweb/
php_admin_value[upload_tmp_dir] = {{ aurweb_dir }}/uploads
php_admin_value[session.save_path] = {{ aurweb_dir }}/sessions
env[TMPDIR] = {{ aurweb_dir }}/uploads
# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
LogLevel VERBOSE
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no # pam does that
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server
# unlink forwarded sockets; for gpg agent forwarding
StreamLocalBindUnlink yes
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
Match User aur
PasswordAuthentication no
AuthorizedKeysCommand /usr/local/bin/aurweb-git-auth "%t" "%k"
AuthorizedKeysCommandUser aur
AcceptEnv AUR_OVERWRITE