change(aurweb): rework ansible config for 6.0.0

Signed-off-by: Kevin Morris <kevr@0cost.org>

change(aurweb): rework ansible config for 6.0.0
92586d5b · Kevin Morris · Kristian Klausen · 36690639 · 92586d5b · 92586d5b
Commit 92586d5b authored 3 years ago by Kevin Morris Committed by Kristian Klausen 3 years ago
--- a/roles/aurweb/defaults/main.yml
+++ b/roles/aurweb/defaults/main.yml
 ---
+aurweb_asgi_bind: '127.0.0.1:8000'
 aurweb_domain: 'aur.archlinux.org'
 aurweb_repository: 'https://gitlab.archlinux.org/archlinux/aurweb.git'
@@ -18,9 +19,11 @@ aurweb_socket: '/run/php-fpm/{{aurweb_user}}.socket'
 cgit_socket: '/run/uwsgi/cgit.sock'
 smartgit_socket: '/run/uwsgi/smartgit.sock'
-aurweb_cache: 'memcache'
+aurweb_cache: 'redis'
 aurweb_cache_pkginfo_ttl: '86400'
 aurweb_request_limt: '4000'
 aurweb_window_length: '86400'
 aurweb_memcached_socket: '/run/memcached/aurweb.sock'
 aurweb_memcached_memory: 2048
+aurweb_workers: 4
--- a/roles/aurweb/tasks/main.yml
+++ b/roles/aurweb/tasks/main.yml
@@ -6,20 +6,11 @@
      - asciidoc
      - highlight
      - make
-      - php-memcached
-      - pyalpm
-      - python-alembic
-      - python-bleach
-      - python-markdown
-      - python-mysql-connector
-      - python-pygit2
-      - python-srcinfo
-      - python-fastapi
-      - python-jinja
-      - python-email-validator
-      - python-orjson
      - sudo
      - uwsgi-plugin-cgi
+      - python-poetry
+      - gcc
+      - pkg-config
 - name: install the cgit package
  pacman:
@@ -79,7 +70,7 @@
  no_log: true
 - name: initialize the database
-  command: python -m aurweb.initdb
+  command: poetry run python -m aurweb.initdb
  args:
    chdir: "{{ aurweb_dir }}"
  become: true
@@ -87,7 +78,7 @@
  when: db_created.changed
 - name: run migrations
-  command: alembic upgrade head
+  command: poetry run alembic upgrade head
  args:
    chdir: "{{ aurweb_dir }}"
  environment:
@@ -97,18 +88,43 @@
  when: release.changed or db_created.changed
 - name: Check python module availability
-  command: "python3 -c 'import aurweb'"
+  command: poetry run python3 -c 'import aurweb'
+  args:
+    chdir: "{{ aurweb_dir }}"
+  become: true
+  become_user: "{{ aurweb_user }}"
  ignore_errors: true
  register: aurweb_installed
  tags:
    - skip_ansible_lint
 - name: Install python module
-  command: "python3 setup.py install --install-scripts=/usr/local/bin"
+  command: poetry install
  args:
    chdir: "{{ aurweb_dir }}"
+  become: true
+  become_user: "{{ aurweb_user }}"
  when: release.changed or aurweb_installed.rc != 0
+- name: install custom aurweb-git-auth wrapper script
+  template: src=aurweb-git-auth.sh.j2 dest=/usr/local/bin/aurweb-git-auth.sh owner=root group=root mode=0755
+  when: release.changed
+- name: install custom aurweb-git-serve wrapper script
+  template: src=aurweb-git-serve.sh.j2 dest=/usr/local/bin/aurweb-git-serve.sh owner=root group=root mode=0755
+  when: release.changed
+- name: install custom aurweb-git-update wrapper script
+  template: src=aurweb-git-update.sh.j2 dest=/usr/local/bin/aurweb-git-update.sh owner=root group=root mode=0755
+  when: release.changed
+- name: link custom aurweb-git-update wrapper to hooks/update
+  file:
+    src: /usr/local/bin/aurweb-git-update.sh
+    dest: "{{ aurweb_dir }}/aur.git/hooks/update"
+    state: link
+  when: release.changed
 - name: Generate HTML documentation
  make:
    chdir: "{{ aurweb_dir }}/doc"
@@ -136,16 +152,6 @@
 - name: make nginx log dir
  file: path=/var/log/nginx/{{ aurweb_domain }} state=directory owner=root group=root mode=0755
- name: configure php-fpm
-  template:
-    src=php-fpm.conf.j2 dest="/etc/php/php-fpm.d/{{ aurweb_user }}.conf"
-    owner=root group=root mode=0644
-  notify:
-    - restart php-fpm@{{ aurweb_user }}
- name: start and enable systemd socket
-  service: name=php-fpm@{{ aurweb_user }}.socket state=started enabled=true
 - name: install cgit configuration
  template: src=cgitrc.j2 dest="{{ aurweb_conf_dir }}/cgitrc" owner=root group=root mode=0644
@@ -223,15 +229,6 @@
  tags:
    - skip_ansible_lint
- name: create symlink for git hook
-  file:
-    src: "{{ aurweb_git_hook }}"
-    dest: "{{ aurweb_git_dir }}/hooks/update"
-    owner: root
-    group: root
-    mode: 0755
-    state: link
 - name: install AUR systemd service and timers
  template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
  with_items:
@@ -239,7 +236,6 @@
    - aurweb-git.timer
    - aurweb-aurblup.service
    - aurweb-aurblup.timer
-    - aurweb-memcached.service
    - aurweb-mkpkglists.service
    - aurweb-mkpkglists.timer
    - aurweb-pkgmaint.service
@@ -250,20 +246,22 @@
    - aurweb-tuvotereminder.timer
    - aurweb-usermaint.service
    - aurweb-usermaint.timer
+    - aurweb.service
+- name: configure sshd
+  template: src=aurweb_config.j2 dest={{ sshd_includes_dir }}/aurweb_config owner=root group=root mode=0600 validate='/usr/sbin/sshd -t -f %s'
+  notify:
+    - restart sshd
 - name: start and enable AUR systemd services and timers
-  service: name={{ item }} enabled=yes state=started
+  service: name={{ item }} enabled=yes state=restarted daemon_reload=yes
  with_items:
    - aurweb-git.timer
    - aurweb-aurblup.timer
-    - aurweb-memcached.service
    - aurweb-mkpkglists.timer
    - aurweb-pkgmaint.timer
    - aurweb-popupdate.timer
    - aurweb-tuvotereminder.timer
    - aurweb-usermaint.timer
+    - aurweb.service
- name: configure sshd
+  when: release.changed
-  template: src=aurweb_config.j2 dest={{ sshd_includes_dir }}/aurweb_config owner=root group=root mode=0600 validate='/usr/sbin/sshd -t -f %s'
-  notify:
-    - restart sshd
--- a/roles/aurweb/templates/aurweb-pkgmaint.service.j2
+++ b/roles/aurweb/templates/aurweb-pkgmaint.service.j2
@@ -16,7 +16,7 @@ CapabilityBoundingSet=
 PrivateDevices=true
 PrivateTmp=true
 ProtectSystem=strict
-ProtectHome=true
+ProtectHome=read-only
 MemoryDenyWriteExecute=true
 RemoveIPC=true

--- a/roles/aurweb/templates/aurweb-popupdate.service.j2
+++ b/roles/aurweb/templates/aurweb-popupdate.service.j2
@@ -16,7 +16,7 @@ CapabilityBoundingSet=
 PrivateDevices=true
 PrivateTmp=true
 ProtectSystem=strict
-ProtectHome=true
+ProtectHome=read-only
 MemoryDenyWriteExecute=true
 RemoveIPC=true

--- a/roles/aurweb/templates/aurweb-usermaint.service.j2
+++ b/roles/aurweb/templates/aurweb-usermaint.service.j2
@@ -16,7 +16,7 @@ CapabilityBoundingSet=
 PrivateDevices=true
 PrivateTmp=true
 ProtectSystem=strict
-ProtectHome=true
+ProtectHome=read-only
 MemoryDenyWriteExecute=true
 RemoveIPC=true

--- a/roles/aurweb/templates/aurweb.service.j2
+++ b/roles/aurweb/templates/aurweb.service.j2
+[Unit]
+Description=aurweb asgi server
+[Service]
+User={{ aurweb_user }}
+WorkingDirectory={{ aurweb_dir }}
+ExecStart=/usr/bin/poetry run gunicorn \
+    --log-config {{ aurweb_dir }}/logging.conf \
+    --bind {{ aurweb_asgi_bind }} \
+    --workers {{ aurweb_workers }} \
+    -k uvicorn.workers.UvicornWorker \
+    aurweb.asgi:app
+[Install]
+WantedBy=multi-user.target
--- a/roles/aurweb/templates/aurweb_config.j2
+++ b/roles/aurweb/templates/aurweb_config.j2
 Match User {{ aurweb_user }}
        PasswordAuthentication no
-        AuthorizedKeysCommand /usr/local/bin/aurweb-git-auth "%t" "%k"
+        AuthorizedKeysCommand /usr/local/bin/aurweb-git-auth.sh "%t" "%k"
        AuthorizedKeysCommandUser {{ aurweb_user }}
        AcceptEnv AUR_OVERWRITE
--- a/roles/aurweb/templates/cgitrc.j2
+++ b/roles/aurweb/templates/cgitrc.j2
 virtual-root=/cgit/
 clone-prefix=https://{{ aurweb_domain }}
 noheader=0
-favicon=/images/favicon.ico
+favicon=/static/images/favicon.ico
 logo=
-css=/css/cgit.css
+css=/static/css/cgit.css
 snapshots=tar.gz
 readme=:README.md
 readme=:README

--- a/roles/aurweb/templates/config.j2
+++ b/roles/aurweb/templates/config.j2
@@ -4,6 +4,7 @@ user = {{ aurweb_db_user }}
 password = {{ vault_aurweb_db_password }}
 [options]
+aurwebdir = {{ aurweb_dir }}
 {% if maintenance is defined and maintenance %}
 enable_maintenance = 1
 maintenance-exceptions = {{ maintenance_remote_machine }}
@@ -16,7 +17,7 @@ cache_pkginfo_ttl = {{ aurweb_cache_pkginfo_ttl }}
 aur_location = https://{{ aurweb_domain }}
 git_clone_uri_anon = https://{{ aurweb_domain }}/%s.git
 git_clone_uri_priv = ssh://{{ aurweb_user }}@{{ aurweb_domain }}/%s.git
-memcache_servers = {{ aurweb_memcached_socket }}:0
+redis_address = redis://localhost
 [ratelimit]
 request_limit = {{ aurweb_request_limt }}
@@ -27,9 +28,13 @@ Ed25519 = SHA256:RFzBCUItH9LZS0cKB5UE6ceAYhBD5C8GeOBip8Z11+4
 ECDSA = SHA256:uTa/0PndEgPZTf76e1DFqXKJEXKsn7m9ivhLQtzGOCI
 RSA =  SHA256:5s5cIyReIfNNVGRFdDbe3hdYiI5OelHGpw2rOUud3Q8
+[auth]
+git-serve-cmd = /usr/local/bin/aurweb-git-serve.sh
 [serve]
 repo-path = {{ aurweb_git_dir }}
 git-shell-cmd = /usr/bin/sh
+git-update-cmd = /usr/local/bin/aurweb-git-update.sh
 ssh-cmdline = ssh {{ aurweb_user }}@{{ aurweb_domain }}
 [update]
@@ -45,3 +50,12 @@ packagesmetafile = {{ aurweb_dir }}/web/html/packages-meta-v1.json.gz
 packagesmetaextfile = {{ aurweb_dir }}/web/html/packages-meta-ext-v1.json.gz
 pkgbasefile = {{ aurweb_dir }}/web/html/pkgbase.gz
 userfile = {{ aurweb_dir }}/web/html/users.gz
+[notifications]
+notify-cmd = aurweb-notify
+{# An email used for server error notifications. #}
+postmaster = {{ vault_aurweb_postmaster }}
+[fastapi]
+{# TODO: This must be set to a persistent secret key. #}
+session_secret = {{ vault_aurweb_secret }}
--- a/roles/aurweb/templates/nginx.d.conf.j2
+++ b/roles/aurweb/templates/nginx.d.conf.j2
@@ -71,39 +71,12 @@ server {
        expires 5m;
    }
-    location ~ ^/[^/]+\.php($|/) {
+    location / {
-        fastcgi_pass   aurweb;
+        # Proxy over to aurweb's ASGI application.
-        fastcgi_index  index.php;
+        proxy_pass http://{{ aurweb_asgi_bind }};
-        fastcgi_split_path_info ^(/[^/]+\.php)(/.*)$;
+        proxy_set_header Host $http_host;
-        if (!-f $document_root$fastcgi_script_name) {
+        proxy_set_header X-Forwarded-For $remote_addr;
-            return 404;
+        proxy_set_header X-Forwarded-Proto $scheme;
-        }
+        proxy_set_header X-Forwarded-Ssl on;
-        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
-        fastcgi_param  PATH_INFO        $fastcgi_path_info;
-        fastcgi_param  HTTPS            on;
-        include        fastcgi_params;
-        # Cache PHP Requests
-        #fastcgi_cache aur;
-        #fastcgi_cache_valid 200 5m;
-        #add_header X-Cache $upstream_cache_status;
-        # Required for caching to work
-        #fastcgi_ignore_headers "Cache-Control" "Expires" "Set-Cookie";
-        # Only apply cache when set
-        #fastcgi_cache_bypass $no_cache;
-        #fastcgi_no_cache $no_cache;
-    }
-    # directories for static assets
-    location ~ ^/(?:css|js|images)/ {
-        expires 30d;
-        add_header Pragma public;
-        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
-    }
-    location ~ .* {
-        rewrite ^/(.*)$ /index.php/$1 last;
    }
 }