rebuilderd: add website to ansible

Ansible the reproducible.archlinux.org website which is as of now still released from jelly's github and will soon be on archlinux's official infra. Signed-off-by: Jelle van der Waa <jelle@archlinux.org>

rebuilderd: add website to ansible
d9688b11 · Jelle van der Waa · 866f399d · d9688b11 · d9688b11 · d9688b11
Verified Commit d9688b11 authored 4 years ago by Jelle van der Waa
--- a/roles/rebuilderd/defaults/main.yml
+++ b/roles/rebuilderd/defaults/main.yml
 rebuilderd_domain: reproducible.archlinux.org
 rebuilderd_nginx_conf: /etc/nginx/nginx.d/rebuilderd.conf
+
+rebuilder_website_release: 0.2
+rebuilder_website_gpg: E499C79F53C96A54E572FEE1C06086337C50773E
+rebuilder_website_tar: /tmp/website-{{ rebuilder_website_release }}.tar.gz
+rebuilder_website_asc: /tmp/website-{{ rebuilder_website_release }}.tar.gz.asc
+rebuilder_website_base: /srv/http/rebuilder
+rebuilder_website_loc: "{{ rebuilder_website_base }}/rebuilder-website-{{ rebuilder_website_release }}"
+rebuilder_website_url: https://github.com/jelly/archlinux-reproducible-status
--- a/roles/rebuilderd/tasks/main.yml
+++ b/roles/rebuilderd/tasks/main.yml
@@ -14,6 +14,36 @@
 - name: make nginx log dir
  file: path=/var/log/nginx/{{ rebuilderd_domain }} state=directory owner=root group=root mode=0755

+- name: make nginx http dir
+  file: path={{ rebuilder_website_base }} state=directory owner=root group=root mode=0755
+
+- name: check latest release
+  stat: path={{ rebuilder_website_loc }}
+  register: rebuilder_release_dir
+
+- name: receive valid signing keys
+  command: /usr/bin/gpg --keyserver pool.sks-keyservers.net --recv "{{ rebuilder_website_gpg }}"
+  when: not rebuilder_release_dir.stat.exists
+
+- name: download latest rebuilderd website tar.gz
+  get_url:
+    url: "{{ rebuilder_website_url }}/releases/download/{{ rebuilder_website_release }}/rebuilder-website-{{ rebuilder_website_release }}.tar.gz"
+    dest: "{{ rebuilder_website_tar }}"
+  when: not rebuilder_release_dir.stat.exists
+
+- name: download latest rebuilderd website tar.gz.asc
+  get_url:
+    url: "{{ rebuilder_website_url }}/releases/download/{{ rebuilder_website_release }}/rebuilder-website-{{ rebuilder_website_release }}.tar.gz.asc"
+    dest: "{{ rebuilder_website_asc }}"
+  when: not rebuilder_release_dir.stat.exists
+
+- name: verify website release
+  command: /usr/bin/gpg --verify {{ rebuilder_website_asc }} {{ rebuilder_website_tar }}
+
+- name: unpack website to /srv
+  unarchive: src={{ rebuilder_website_tar }} dest={{ rebuilder_website_base }} remote_src=yes owner=root group=root mode=0755
+  when: not rebuilder_release_dir.stat.exists
+
 - name: set up nginx
  template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/rebuilderd.conf owner=root group=root mode=0644
  notify:

--- a/roles/rebuilderd/templates/nginx.d.conf.j2
+++ b/roles/rebuilderd/templates/nginx.d.conf.j2
@@ -26,7 +26,18 @@ server {
    ssl_certificate_key  /etc/letsencrypt/live/{{ rebuilderd_domain }}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ rebuilderd_domain }}/chain.pem;

-    root /srv/http/repro;
+    # Security headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Xss-Protection "1; mode=block" always;
+    add_header Referrer-Policy "same-origin";
+    add_header Feature-Policy "geolocation 'none' ;midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; fullscreen 'none'; payment 'none';";
+    add_header Content-Security-Policy "default-src 'self';";
+    add_header X-Content-Type-Options "nosniff" always;
+
+    # Apply HSTS header again, since adding a header removes previous headers
+    add_header Strict-Transport-Security $hsts_header;
+
+    root {{ rebuilder_website_loc }};

    location /api {
 	    proxy_pass http://127.0.0.1:8484;