Verified Commit d4fe2fcd authored by Jelle van der Waa's avatar Jelle van der Waa 🚧

Remove WKD role, replaced by Gitlab Pages

parent 410a66c9
Pipeline #4503 passed with stage
in 35 seconds
---
- name: setup openpgpkey server
hosts: openpgpkey.archlinux.org
remote_user: root
roles:
- { role: common }
- { role: firewalld }
- { role: sshd }
- { role: root_ssh }
- { role: certbot }
- { role: nginx }
- { role: wkd }
- { role: prometheus_exporters }
---
wkd_user: wkd
wkd_dir: /srv/http/wkd
wkd_home: /home/wkd
wkd_domain: openpgpkey.archlinux.org
#!/bin/bash
set -euo pipefail
workdir="$1"
if [[ -z "$workdir" ]]; then
echo "Error: workdir not set" >&2
exit 1
fi
export GNUPGHOME=/etc/pacman.d/gnupg
mkdir -p "$workdir/openpgpkey/archlinux.org/hu"
# Required file according to https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-08#section-4.5
touch "$workdir/openpgpkey/archlinux.org/policy"
gpg --quiet --no-permission-warning --list-options show-only-fpr-mbox --list-keys | grep '@archlinux.org' | \
while read -a fpr_email; do
if ! grep -q "${fpr_email[0]}" /usr/share/pacman/keyrings/archlinux-revoked; then
wkd_hash="$(/usr/lib/gnupg/gpg-wks-client --print-wkd-hash "${fpr_email[1]}" | cut -d' ' -f1)"
outfile="$workdir/openpgpkey/archlinux.org/hu/$wkd_hash"
gpg --no-permission-warning --export --export-options export-clean,no-export-attributes "${fpr_email[0]}" > "$outfile"
fi
done
---
- name: daemon reload
systemd: daemon_reload=yes
- name: run wkd service
systemd: name=update-wkd.service state=started
---
- name: create wkd user
user: name={{ wkd_user }} shell=/bin/false home={{ wkd_home }}
- name: install wkd update script
copy: src=update-wkd.sh dest=/usr/local/bin/update-wkd.sh owner=root group=root mode=0755
- name: install wkd service
template: src=update-wkd.service.j2 dest=/etc/systemd/system/update-wkd.service owner=root group=root mode=0644
notify:
- daemon reload
- run wkd service
- name: create pacman.d hooks dir
file: state=directory path=/etc/pacman.d/hooks mode=0755 owner=root group=root
- name: install pgp_import hook
template: src=update-wkd-pacman-hook.j2 dest=/etc/pacman.d/hooks/update-wkd.hook owner=root group=root mode=0644
- name: create ssl cert
include_role:
name: certificate
vars:
domains: ["{{ wkd_domain }}"]
- name: create wkd_dir
file: state=directory owner={{ wkd_user }} group={{ wkd_user }} path="{{ wkd_dir }}" mode=0755
- name: set up nginx
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/wkd.conf owner=root group=root mode=644
notify: reload nginx
tags: ['nginx']
- name: make nginx log dir
file: path=/var/log/nginx/{{ wkd_domain }} state=directory owner=root group=root mode=0755
server {
listen 80;
listen [::]:80;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ wkd_domain }};
root {{ wkd_dir }};
access_log /var/log/nginx/{{ wkd_domain }}/access.log reduced;
error_log /var/log/nginx/{{ wkd_domain }}/error.log;
include snippets/letsencrypt.conf;
ssl_certificate /etc/letsencrypt/live/{{ wkd_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ wkd_domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ wkd_domain }}/chain.pem;
autoindex on;
}
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = archlinux-keyring
[Action]
When = PostTransaction
Exec = /usr/bin/systemctl start update-wkd
[Unit]
Description=Update GPG web key directory
[Service]
Type=oneshot
User={{ wkd_user }}
WorkingDirectory={{ wkd_dir }}
ExecStart=/usr/local/bin/update-wkd.sh "{{ wkd_dir }}/.well-known"
TimeoutStartSec=3600
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
[Install]
WantedBy=multi-user.target
......@@ -95,11 +95,6 @@ locals {
server_type = "cx11"
domain = "monitoring"
}
"openpgpkey.archlinux.org" = {
server_type = "cx11"
domain = "openpgpkey"
ttl = 600
}
"patchwork.archlinux.org" = {
server_type = "cx11"
domain = "patchwork"
......@@ -147,6 +142,7 @@ locals {
archlinux_org_gitlab_pages = {
"conf" = "60a06a1c02e42b36c3b4919f4d6de6bf"
"whatcanwedofor" = "b5f8011047c1610ace52e754b568c834"
"openpgpkey" = "7533dfbf3947a5730d9cbcc1e5e63102"
}
# This creates archlinux.org TXT DNS entries