Verified Commit d9688b11 authored by Jelle van der Waa's avatar Jelle van der Waa 🚧

rebuilderd: add website to ansible



Ansible the reproducible.archlinux.org website, which as of now is still
released from jelly's GitHub and will soon be on Arch Linux's official
infra.
Signed-off-by: Jelle van der Waa's avatarJelle van der Waa <jelle@archlinux.org>
parent 866f399d
rebuilderd_domain: reproducible.archlinux.org
rebuilderd_nginx_conf: /etc/nginx/nginx.d/rebuilderd.conf
rebuilder_website_release: 0.2
rebuilder_website_gpg: E499C79F53C96A54E572FEE1C06086337C50773E
rebuilder_website_tar: /tmp/website-{{ rebuilder_website_release }}.tar.gz
rebuilder_website_asc: /tmp/website-{{ rebuilder_website_release }}.tar.gz.asc
rebuilder_website_base: /srv/http/rebuilder
rebuilder_website_loc: "{{ rebuilder_website_base }}/rebuilder-website-{{ rebuilder_website_release }}"
rebuilder_website_url: https://github.com/jelly/archlinux-reproducible-status
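Review bot: `rebuilder_website_release: 0.2` is a plain scalar that YAML parses as a float, so a later tag such as `0.10` would silently become `0.1` in every path and URL built from it; quote it as `rebuilder_website_release: "0.2"`. The file also mixes the `rebuilderd_` and `rebuilder_` prefixes, which is easy to mistype where the tasks use both together; settling on one would help. The tarball and its `.asc` are fetched to predictable names under the shared `/tmp`; a root-owned scratch directory (or Ansible's `tempfile` module) would keep another local user from pre-creating those paths between the download, verify and unpack steps.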
......@@ -14,6 +14,36 @@
- name: make nginx log dir
file: path=/var/log/nginx/{{ rebuilderd_domain }} state=directory owner=root group=root mode=0755
- name: make nginx http dir
file: path={{ rebuilder_website_base }} state=directory owner=root group=root mode=0755
- name: check latest release
stat: path={{ rebuilder_website_loc }}
register: rebuilder_release_dir
- name: receive valid signing keys
command: /usr/bin/gpg --keyserver pool.sks-keyservers.net --recv "{{ rebuilder_website_gpg }}"
when: not rebuilder_release_dir.stat.exists
- name: download latest rebuilderd website tar.gz
get_url:
url: "{{ rebuilder_website_url }}/releases/download/{{ rebuilder_website_release }}/rebuilder-website-{{ rebuilder_website_release }}.tar.gz"
dest: "{{ rebuilder_website_tar }}"
when: not rebuilder_release_dir.stat.exists
- name: download latest rebuilderd website tar.gz.asc
get_url:
url: "{{ rebuilder_website_url }}/releases/download/{{ rebuilder_website_release }}/rebuilder-website-{{ rebuilder_website_release }}.tar.gz.asc"
dest: "{{ rebuilder_website_asc }}"
when: not rebuilder_release_dir.stat.exists
- name: verify website release
command: /usr/bin/gpg --verify {{ rebuilder_website_asc }} {{ rebuilder_website_tar }}
- name: unpack website to /srv
unarchive: src={{ rebuilder_website_tar }} dest={{ rebuilder_website_base }} remote_src=yes owner=root group=root mode=0755
when: not rebuilder_release_dir.stat.exists
- name: set up nginx
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/rebuilderd.conf owner=root group=root mode=0644
notify:
......
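Review bot: The `verify website release` task (`command: /usr/bin/gpg --verify …`) carries no `when:` guard, unlike the download and unpack tasks around it, so on every later run where the release directory already exists it tries to verify files that were never fetched into `/tmp` and the play fails; add `when: not rebuilder_release_dir.stat.exists` beneath it. As written the check also accepts a signature from any key in root's keyring rather than specifically `rebuilder_website_gpg`; a comment such as `# TODO: pin verification to rebuilder_website_gpg (e.g. gpgv with a dedicated keyring)` would at least record that gap. The `set up nginx` task hardcodes `/etc/nginx/nginx.d/rebuilderd.conf` although `rebuilderd_nginx_conf` in the vars file holds the same path. The task list continues past the end of the hunk.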
......@@ -26,7 +26,18 @@ server {
ssl_certificate_key /etc/letsencrypt/live/{{ rebuilderd_domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ rebuilderd_domain }}/chain.pem;
root /srv/http/repro;
# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Xss-Protection "1; mode=block" always;
add_header Referrer-Policy "same-origin";
add_header Feature-Policy "geolocation 'none' ;midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; fullscreen 'none'; payment 'none';";
add_header Content-Security-Policy "default-src 'self';";
add_header X-Content-Type-Options "nosniff" always;
# Apply HSTS header again, since adding a header removes previous headers
add_header Strict-Transport-Security $hsts_header;
root {{ rebuilder_website_loc }};
location /api {
proxy_pass http://127.0.0.1:8484;
......
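Review bot: Two `root` directives appear in this `server` block, `root /srv/http/repro;` before the header comments and `root {{ rebuilder_website_loc }};` after them; the page has lost the +/- markers, but if the first is not the removed line nginx rejects the rendered config with a duplicate-directive error, so only the templated one should remain. `Referrer-Policy` and `Content-Security-Policy` are added without `always`, unlike the neighbouring headers, so they are omitted on 4xx/5xx responses; `add_header Referrer-Policy "same-origin" always;` and `add_header Content-Security-Policy "default-src 'self';" always;` would make them consistent. Any `add_header` inside `location /api` would also stop these server-level headers being inherited by the proxied responses, which is worth checking since that block, like the enclosing `server` block, continues past the hunk.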