From eb69bf3a0c3a19d58d6ebeb7886e08a8cf299c21 Mon Sep 17 00:00:00 2001
From: Kevin Morris <kevr@0cost.org>
Date: Mon, 26 Sep 2022 11:51:01 -0700
Subject: [PATCH] aurweb: release 6.1.7 - git archives
This commit brings in four new routes to nginx:
- /archives/metadata.git
- /archives/users.git
- /archives/pkgbases.git
- /archives/pkgnames.git
See https://gitlab.archlinux.org/archlinux/aurweb/-/blob/master/doc/git-archive.md
For now, we will be updating the repositories once every 10 minutes.
Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>
Co-signed by: Kevin Morris <kevr@0cost.org>
---
 roles/aurweb/defaults/main.yml | 2 +-
 roles/aurweb/tasks/main.yml | 5 +++
 .../templates/aurweb-git-archive.service.j2 | 40 +++++++++++++++++++
 .../templates/aurweb-git-archive.timer.j2 | 13 ++++++
 roles/aurweb/templates/config.j2 | 10 +++++
 roles/aurweb/templates/nginx.d.conf.j2 | 26 ++++++++++++
 6 files changed, 95 insertions(+), 1 deletion(-)
 create mode 100644 roles/aurweb/templates/aurweb-git-archive.service.j2
 create mode 100644 roles/aurweb/templates/aurweb-git-archive.timer.j2
diff --git a/roles/aurweb/defaults/main.yml b/roles/aurweb/defaults/main.yml
index c7fe0c27f..3a5d346f6 100644
--- a/roles/aurweb/defaults/main.yml
+++ b/roles/aurweb/defaults/main.yml
@@ -8,7 +8,7 @@ aurweb_conf_dir: '/etc/aurweb'
 aurweb_git_dir: "{{ aurweb_dir }}/aur.git"
 aurweb_git_hook: '/usr/local/bin/aurweb-git-update'
 aurweb_nginx_conf: '/etc/nginx/nginx.d/aurweb.conf'
-aurweb_version: 'v6.1.4'
+aurweb_version: 'v6.1.7'
 aurweb_pgp_keys: ['0F985B6F99B6686854C44EC3F7E46DED420788F3', 'DB650286BD9EAE39890D3FE6FE3DC1668CB24956']
 aurweb_db: 'aur'
diff --git a/roles/aurweb/tasks/main.yml b/roles/aurweb/tasks/main.yml
index 957ddb77a..1264f0c11 100644
--- a/roles/aurweb/tasks/main.yml
+++ b/roles/aurweb/tasks/main.yml
@@ -74,6 +74,8 @@
 with_items:
 - aurweb-git.service
 - aurweb-git.timer
+ - aurweb-git-archive.service
+ - aurweb-git-archive.timer
 - aurweb-aurblup.service
 - aurweb-aurblup.timer
 - aurweb-mkpkglists.service
@@ -95,6 +97,7 @@
 service: name={{ item }} enabled=yes state=stopped
 with_items:
 - aurweb-git.timer
+ - aurweb-git-archive.timer
 - aurweb-aurblup.timer
 - aurweb-mkpkglists.timer
 - aurweb-pkgmaint.timer
@@ -305,8 +308,10 @@
 service: name={{ item }} enabled=yes state=started daemon_reload=yes
 with_items:
 - aurweb-git.timer
+ - aurweb-git-archive.timer
 - aurweb-aurblup.timer
 - aurweb-mkpkglists.timer
+ - aurweb-git-archive.timer
 - aurweb-pkgmaint.timer
 - aurweb-popupdate.timer
 - aurweb-tuvotereminder.timer
diff --git a/roles/aurweb/templates/aurweb-git-archive.service.j2 b/roles/aurweb/templates/aurweb-git-archive.service.j2
new file mode 100644
index 000000000..aff4f8a5d
--- /dev/null
+++ b/roles/aurweb/templates/aurweb-git-archive.service.j2
@@ -0,0 +1,40 @@
+[Unit]
+Description=Generate and update Git Archive repositories
+Requires=mysqld.service
+After=mysqld.service
+
+[Service]
+Type=oneshot
+User={{ aurweb_user }}
+WorkingDirectory={{ aurweb_dir }}
+ExecStart=/usr/bin/poetry run aurweb-git-archive --spec metadata
+ExecStart=/usr/bin/poetry run aurweb-git-archive --spec users
+ExecStart=/usr/bin/poetry run aurweb-git-archive --spec pkgbases
+ExecStart=/usr/bin/poetry run aurweb-git-archive --spec pkgnames
+
+NoNewPrivileges=true
+LockPersonality=true
+CapabilityBoundingSet=
+ReadWritePaths={{ aurweb_dir }}
+
+PrivateDevices=true
+PrivateTmp=true
+ProtectSystem=strict
+
+MemoryDenyWriteExecute=true
+RemoveIPC=true
+RestrictRealtime=true
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+
+RestrictAddressFamilies=AF_UNIX
+
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectClock=true
+ProtectProc=noaccess
+
+SystemCallArchitectures=native
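Review bot: In the third hunk (`@@ -305,8 +308,10 @@`) `aurweb-git-archive.timer` is added twice to the `state=started` loop, once after `aurweb-git.timer` and again after `aurweb-mkpkglists.timer`. The task is a plain service-state loop, so the second entry only repeats the same call; drop the second `- aurweb-git-archive.timer` so the list matches the `state=stopped` list in the second hunk. The tasks these lists belong to start outside the hunks.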
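Review bot: `ReadWritePaths={{ aurweb_dir }}` leaves the whole aurweb tree writable under `ProtectSystem=strict`, and per `roles/aurweb/defaults/main.yml` that tree also contains `aur.git` (`aurweb_git_dir: "{{ aurweb_dir }}/aur.git"`), while the job only has to write the four archive repositories configured in `config.j2`. Narrowing it to `ReadWritePaths={{ aurweb_dir }}/metadata.git {{ aurweb_dir }}/users.git {{ aurweb_dir }}/pkgbases.git {{ aurweb_dir }}/pkgnames.git` would keep a fault in the archive job away from the package repository and the application code. That assumes the four directories exist before the first run and that poetry needs no writable cache inside the tree, which should be confirmed. A short comment that `RestrictAddressFamilies=AF_UNIX` requires the database to be reached over a local socket would also help the next editor of this unit.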
diff --git a/roles/aurweb/templates/aurweb-git-archive.timer.j2 b/roles/aurweb/templates/aurweb-git-archive.timer.j2
new file mode 100644
index 000000000..b4d95de0f
--- /dev/null
+++ b/roles/aurweb/templates/aurweb-git-archive.timer.j2
@@ -0,0 +1,13 @@
+[Unit]
+Description=Generate and update Git Archive repositories
+
+[Timer]
+# This is set to 10m intervals as of 09/26/2022. We'll be keeping
+# aurweb-mkpkglists around for two months after v6.1.5 deployment.
+# At that time (two months after deploy), this should be changed
+# to 5m intervals and aurweb-mkpkglists should be removed from use.
+OnStartupSec=10m
+OnUnitActiveSec=10m
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/aurweb/templates/config.j2 b/roles/aurweb/templates/config.j2
index 3544fe1ab..5079f041b 100644
--- a/roles/aurweb/templates/config.j2
+++ b/roles/aurweb/templates/config.j2
@@ -51,6 +51,16 @@ packagesmetaextfile = {{ aurweb_dir }}/web/html/packages-meta-ext-v1.json.gz
 pkgbasefile = {{ aurweb_dir }}/web/html/pkgbase.gz
 userfile = {{ aurweb_dir }}/web/html/users.gz
+[git-archive]
+; One week in seconds
+popularity-interval = 604800
+
+; Git Archive repository locations
+metadata-repo = {{ aurweb_dir }}/metadata.git
+users-repo = {{ aurweb_dir }}/users.git
+pkgbases-repo = {{ aurweb_dir }}/pkgbases.git
+pkgnames-repo = {{ aurweb_dir }}/pkgnames.git
+
 [notifications]
 notify-cmd = aurweb-notify
 {# Gitlab project and token used for traceback reports. #}
diff --git a/roles/aurweb/templates/nginx.d.conf.j2 b/roles/aurweb/templates/nginx.d.conf.j2
index 891bd7534..6369d5db1 100644
--- a/roles/aurweb/templates/nginx.d.conf.j2
+++ b/roles/aurweb/templates/nginx.d.conf.j2
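Review bot: The `[Timer]` comment ties the follow-up to the "v6.1.5 deployment", but this commit sets `aurweb_version` to `v6.1.7`, so it is unclear which deploy starts the two-month period before aurweb-mkpkglists is retired. The date `09/26/2022` is also ambiguous between day-first and month-first readers. Suggest naming the release actually deployed here and writing the date in ISO form, for example `# 10m intervals as of 2022-09-26 (v6.1.7 deploy).`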
@@ -51,6 +51,32 @@ server {
 return 301 https://tu-bylaws.aur.archlinux.org;
 }
+ #
+ # smartgit location for Git Archive repositories
+ # Should be shallow-cloned:
+ # `git clone --depth=1 https://aur_location/archives/metadata.git`
+ #
+ # Routes:
+ # - /archives/metadata.git
+ # - /archives/users.git
+ # - /archives/pkgbases.git
+ # - /archives/pkgnames.git
+ #
+ location ~ "^/archives/(metadata|users|pkgbases|pkgnames)(\.git)/(git-(receive|upload)-pack|HEAD|info/refs|objects/(info/(http-)?alternates|packs)|[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(pack|idx))" {
+ include uwsgi_params;
+ uwsgi_pass smartgit;
+ uwsgi_modifier1 9;
+ uwsgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
+ uwsgi_param PATH_INFO /$1.git/$3;
+ uwsgi_param GIT_HTTP_EXPORT_ALL "";
+ uwsgi_param GIT_PROJECT_ROOT {{ aurweb_dir }};
+ }
+
+ #
+ # smartgit location for AUR package git repository
+ # Clone packages:
+ # `git clone https://aur_location/pkgname.git`
+ #
 location ~ "^/([a-z0-9][a-z0-9.+_-]*?)(\.git)?/(git-(receive|upload)-pack|HEAD|info/refs|objects/(info/(http-)?alternates|packs)|[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(pack|idx))$" {
 limit_req zone=aurwebgitlimit burst=900 nodelay;
 include uwsgi_params;
--
GitLab
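Review bot: The new `/archives/` location has no `limit_req`, while the package location directly below it carries `limit_req zone=aurwebgitlimit burst=900 nodelay;`, so requests for the archive repositories reach git-http-backend unthrottled; add the same directive or a dedicated zone. The new regex also ends without `$`, unlike the package regex, so a path with extra text after a valid suffix still matches; only `$1` and `$3` are passed in `PATH_INFO`, which limits the effect, but the anchor should be there for consistency. Since these repositories are generated on the server and documented as clone-only, the alternation could accept `git-upload-pack` alone instead of `git-(receive|upload)-pack` rather than relying on the backend to refuse pushes. The package location's body continues outside the hunk.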