d4fe2fcd
Verified
Commit
d4fe2fcd
authored
Jan 10, 2021
by
Jelle van der Waa
Remove WKD role, replaced by Gitlab Pages
parent
410a66c9
Changes
9
playbooks/openpgpkeys.archlinux.org.yml
deleted
100644 → 0
---
-
name
:
setup openpgpkey server
hosts
:
openpgpkey.archlinux.org
remote_user
:
root
roles
:
-
{
role
:
common
}
-
{
role
:
firewalld
}
-
{
role
:
sshd
}
-
{
role
:
root_ssh
}
-
{
role
:
certbot
}
-
{
role
:
nginx
}
-
{
role
:
wkd
}
-
{
role
:
prometheus_exporters
}
roles/wkd/defaults/main.yml
deleted
100644 → 0
---
wkd_user
:
wkd
wkd_dir
:
/srv/http/wkd
wkd_home
:
/home/wkd
wkd_domain
:
openpgpkey.archlinux.org
roles/wkd/files/update-wkd.sh
deleted
100644 → 0
#!/bin/bash
set
-euo
pipefail
workdir
=
"
$1
"
if
[[
-z
"
$workdir
"
]]
;
then
echo
"Error: workdir not set"
>
&2
exit
1
fi
export
GNUPGHOME
=
/etc/pacman.d/gnupg
mkdir
-p
"
$workdir
/openpgpkey/archlinux.org/hu"
# Required file according to https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-08#section-4.5
touch
"
$workdir
/openpgpkey/archlinux.org/policy"
gpg
--quiet
--no-permission-warning
--list-options
show-only-fpr-mbox
--list-keys
|
grep
'@archlinux.org'
|
\
while
read
-a
fpr_email
;
do
if
!
grep
-q
"
${
fpr_email
[0]
}
"
/usr/share/pacman/keyrings/archlinux-revoked
;
then
wkd_hash
=
"
$(
/usr/lib/gnupg/gpg-wks-client
--print-wkd-hash
"
${
fpr_email
[1]
}
"
|
cut
-d
' '
-f1
)
"
outfile
=
"
$workdir
/openpgpkey/archlinux.org/hu/
$wkd_hash
"
gpg
--no-permission-warning
--export
--export-options
export-clean,no-export-attributes
"
${
fpr_email
[0]
}
"
>
"
$outfile
"
fi
done
roles/wkd/handlers/main.yml
deleted
100644 → 0
---
-
name
:
daemon reload
systemd
:
daemon_reload=yes
-
name
:
run wkd service
systemd
:
name=update-wkd.service state=started
roles/wkd/tasks/main.yml
deleted
100644 → 0
---
-
name
:
create wkd user
user
:
name={{ wkd_user }} shell=/bin/false home={{ wkd_home }}
-
name
:
install wkd update script
copy
:
src=update-wkd.sh dest=/usr/local/bin/update-wkd.sh owner=root group=root mode=0755
-
name
:
install wkd service
template
:
src=update-wkd.service.j2 dest=/etc/systemd/system/update-wkd.service owner=root group=root mode=0644
notify
:
-
daemon reload
-
run wkd service
-
name
:
create pacman.d hooks dir
file
:
state=directory path=/etc/pacman.d/hooks mode=0755 owner=root group=root
-
name
:
install pgp_import hook
template
:
src=update-wkd-pacman-hook.j2 dest=/etc/pacman.d/hooks/update-wkd.hook owner=root group=root mode=0644
-
name
:
create ssl cert
include_role
:
name
:
certificate
vars
:
domains
:
[
"
{{
wkd_domain
}}"
]
-
name
:
create wkd_dir
file
:
state=directory owner={{ wkd_user }} group={{ wkd_user }} path="{{ wkd_dir }}" mode=0755
-
name
:
set up nginx
template
:
src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/wkd.conf owner=root group=root mode=644
notify
:
reload nginx
tags
:
[
'
nginx'
]
-
name
:
make nginx log dir
file
:
path=/var/log/nginx/{{ wkd_domain }} state=directory owner=root group=root mode=0755
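--- a/roles/wkd/templates/nginx.d.conf.j2
+++ b/roles/wkd/templates/nginx.d.conf.j2
-server {
-listen 80;
-listen [::]:80;
-listen 443 ssl http2;
-listen [::]:443 ssl http2;
-server_name {{ wkd_domain }};
-root {{ wkd_dir }};
-access_log /var/log/nginx/{{ wkd_domain }}/access.log reduced;
-error_log /var/log/nginx/{{ wkd_domain }}/error.log;
-include snippets/letsencrypt.conf;
-ssl_certificate /etc/letsencrypt/live/{{ wkd_domain }}/fullchain.pem;
-ssl_certificate_key /etc/letsencrypt/live/{{ wkd_domain }}/privkey.pem;
-ssl_trusted_certificate /etc/letsencrypt/live/{{ wkd_domain }}/chain.pem;
-autoindex on;
-}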
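--- a/roles/wkd/templates/update-wkd-pacman-hook.j2
+++ b/roles/wkd/templates/update-wkd-pacman-hook.j2
-[Trigger]
-Operation = Install
-Operation = Upgrade
-Type = Package
-Target = archlinux-keyring
-[Action]
-When = PostTransaction
-Exec = /usr/bin/systemctl start update-wkd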
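--- a/roles/wkd/templates/update-wkd.service.j2
+++ b/roles/wkd/templates/update-wkd.service.j2
-[Unit]
-Description=Update GPG web key directory
-[Service]
-Type=oneshot
-User={{ wkd_user }}
-WorkingDirectory={{ wkd_dir }}
-ExecStart=/usr/local/bin/update-wkd.sh "{{ wkd_dir }}/.well-known"
-TimeoutStartSec=3600
-NoNewPrivileges=yes
-ProtectSystem=full
-ProtectHome=true
-PrivateTmp=true
-PrivateDevices=true
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectControlGroups=true
-[Install]
-WantedBy=multi-user.target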
tf-stage1/archlinux.tf
...
...
@@ -95,11 +95,6 @@ locals {
server_type
=
"cx11"
domain
=
"monitoring"
}
"openpgpkey.archlinux.org"
=
{
server_type
=
"cx11"
domain
=
"openpgpkey"
ttl
=
600
}
"patchwork.archlinux.org"
=
{
server_type
=
"cx11"
domain
=
"patchwork"
...
...
@@ -147,6 +142,7 @@ locals {
archlinux_org_gitlab_pages
=
{
"conf"
=
"60a06a1c02e42b36c3b4919f4d6de6bf"
"whatcanwedofor"
=
"b5f8011047c1610ace52e754b568c834"
"openpgpkey"
=
"7533dfbf3947a5730d9cbcc1e5e63102"
}
# This creates archlinux.org TXT DNS entries
...
...
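Review bot: The `"openpgpkey" = "7533dfbf3947a5730d9cbcc1e5e63102"` entry added to archlinux_org_gitlab_pages in the second hunk is an opaque hex string with nothing saying what it is; the only nearby comment, `# This creates archlinux.org TXT DNS entries`, comes after the map closes. Assuming these are GitLab Pages domain-verification codes (the sibling "conf" and "whatcanwedofor" entries have the same shape), a comment above the map such as `# GitLab Pages domain-verification codes, keyed by archlinux.org subdomain; each is published as a TXT record` would tell a reader where the value comes from and that it is meant to be public. The first hunk drops the openpgpkey.archlinux.org server entry together with its 600-second ttl; whether that hostname now resolves to Pages is not visible in this section, so confirm the replacement record is created elsewhere in the commit. Both hunks sit inside the `locals` block, which starts and ends outside them.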