Remove WKD role, replaced by Gitlab Pages

playbooks/openpgpkeys.archlinux.org.yml

----
-
-- name: setup openpgpkey server
-  hosts: openpgpkey.archlinux.org
-  remote_user: root
-  roles:
-    - { role: common }
-    - { role: firewalld }
-    - { role: sshd }
-    - { role: root_ssh }
-    - { role: certbot }
-    - { role: nginx }
-    - { role: wkd }
-    - { role: prometheus_exporters }

roles/wkd/defaults/main.yml

----
-
-wkd_user: wkd
-wkd_dir: /srv/http/wkd
-wkd_home: /home/wkd
-wkd_domain: openpgpkey.archlinux.org

roles/wkd/files/update-wkd.sh

-#!/bin/bash
-
-set -euo pipefail
-
-workdir="$1"
-
-if [[ -z "$workdir" ]]; then
-	echo "Error: workdir not set" >&2
-	exit 1
-fi
-
-export GNUPGHOME=/etc/pacman.d/gnupg
-
-mkdir -p "$workdir/openpgpkey/archlinux.org/hu"
-
-# Required file according to https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-08#section-4.5
-touch "$workdir/openpgpkey/archlinux.org/policy"
-
-gpg --quiet --no-permission-warning --list-options show-only-fpr-mbox --list-keys | grep '@archlinux.org' | \
-while read -a fpr_email; do
-	if ! grep -q "${fpr_email[0]}" /usr/share/pacman/keyrings/archlinux-revoked; then
-		wkd_hash="$(/usr/lib/gnupg/gpg-wks-client --print-wkd-hash "${fpr_email[1]}" | cut -d' ' -f1)"
-		outfile="$workdir/openpgpkey/archlinux.org/hu/$wkd_hash"
-		gpg --no-permission-warning --export --export-options export-clean,no-export-attributes "${fpr_email[0]}" > "$outfile"
-	fi
-done

roles/wkd/handlers/main.yml

----
-
-- name: daemon reload
-  systemd: daemon_reload=yes
-
-- name: run wkd service
-  systemd: name=update-wkd.service state=started

roles/wkd/tasks/main.yml

----
-
-- name: create wkd user
-  user: name={{ wkd_user }} shell=/bin/false home={{ wkd_home }}
-
-- name: install wkd update script
-  copy: src=update-wkd.sh dest=/usr/local/bin/update-wkd.sh owner=root group=root mode=0755
-
-- name: install wkd service
-  template: src=update-wkd.service.j2 dest=/etc/systemd/system/update-wkd.service owner=root group=root mode=0644
-  notify:
-    - daemon reload
-    - run wkd service
-
-- name: create pacman.d hooks dir
-  file: state=directory path=/etc/pacman.d/hooks mode=0755 owner=root group=root
-
-- name: install pgp_import hook
-  template: src=update-wkd-pacman-hook.j2 dest=/etc/pacman.d/hooks/update-wkd.hook owner=root group=root mode=0644
-
-- name: create ssl cert
-  include_role:
-    name: certificate
-  vars:
-    domains: ["{{ wkd_domain }}"]
-
-- name: create wkd_dir
-  file: state=directory owner={{ wkd_user }} group={{ wkd_user }} path="{{ wkd_dir }}" mode=0755
-
-- name: set up nginx
-  template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/wkd.conf owner=root group=root mode=644
-  notify: reload nginx
-  tags: ['nginx']
-
-- name: make nginx log dir
-  file: path=/var/log/nginx/{{ wkd_domain }} state=directory owner=root group=root mode=0755

roles/wkd/templates/nginx.d.conf.j2

-server {
-    listen       80;
-    listen       [::]:80;
-    listen       443 ssl http2;
-    listen       [::]:443 ssl http2;
-    server_name  {{ wkd_domain }};
-    root         {{ wkd_dir }};
-
-    access_log   /var/log/nginx/{{ wkd_domain }}/access.log reduced;
-    error_log    /var/log/nginx/{{ wkd_domain }}/error.log;
-
-    include snippets/letsencrypt.conf;
-
-    ssl_certificate      /etc/letsencrypt/live/{{ wkd_domain }}/fullchain.pem;
-    ssl_certificate_key  /etc/letsencrypt/live/{{ wkd_domain }}/privkey.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/{{ wkd_domain }}/chain.pem;
-
-    autoindex on;
-}

roles/wkd/templates/update-wkd-pacman-hook.j2

-[Trigger]
-Operation = Install
-Operation = Upgrade
-Type = Package
-Target = archlinux-keyring
-
-[Action]
-When = PostTransaction
-Exec = /usr/bin/systemctl start update-wkd

roles/wkd/templates/update-wkd.service.j2

-[Unit]
-Description=Update GPG web key directory
-
-[Service]
-Type=oneshot
-User={{ wkd_user }}
-WorkingDirectory={{ wkd_dir }}
-ExecStart=/usr/local/bin/update-wkd.sh "{{ wkd_dir }}/.well-known"
-TimeoutStartSec=3600
-
-NoNewPrivileges=yes
-ProtectSystem=full
-ProtectHome=true
-PrivateTmp=true
-PrivateDevices=true
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectControlGroups=true
-
-[Install]
-WantedBy=multi-user.target

tf-stage1/archlinux.tf

@@ -95,11 +95,6 @@ locals {
       server_type = "cx11"
       domain      = "monitoring"
     }
-    "openpgpkey.archlinux.org" = {
-      server_type = "cx11"
-      domain      = "openpgpkey"
-      ttl         = 600
-    }
     "patchwork.archlinux.org" = {
       server_type = "cx11"
       domain      = "patchwork"
@@ -147,6 +142,7 @@ locals {
   archlinux_org_gitlab_pages = {
     "conf"           = "60a06a1c02e42b36c3b4919f4d6de6bf"
     "whatcanwedofor" = "b5f8011047c1610ace52e754b568c834"
+    "openpgpkey"     = "7533dfbf3947a5730d9cbcc1e5e63102"
   }
 
   # This creates archlinux.org TXT DNS entries