pubkeys/maximbaz.pub

-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDaUCbqSmlz6qt5bRhtu5vW+/j0QL3hQJNH41pfT3c7yI4FoVVfM6ddFbsdWzKZRoS16Orr1yvEokWGE80oIrtV8EVq0UQUhVFg67LD9xb0MmRpeOGHjzjX55CKiDUwXY/NMhPrwjYmiKAK0YfADd6oOPNKfKJnAVIHRkO1ZfeOS6pdYgux7O0cuJr1EfU/mp4249yrA9fM4fibVtuJs/aPSn9bxk0Vq8cYdB8jdaoG2IxK/84kxCZ2KYlWNcFKrLeJHX8JiWcqK8GBh+Z6p/KzmLec/2Cz9hzYSXHp2oA/afxmFm9raiwFFmgs877JO2qku9re4Wia3k03yvLL/R+y08cKljXKp4+Ft3/cIItEWP/Rzdm1xjdD74HRciFXwZABoYs7gjt0gR0hOQ76jO7Y/XeaN0PXionoV+rUIbI/sy9DGUV/wP6+uGLiK/VO/fLCVNx3Yfyb/72sI3EcSejq+A6og8cGWn1NJs3JnxHnJavb4LKJiOe7AgLO/F8NXr68/2FK+mHLN/vKkRk0zMFxPzgi9ZeLor86Bkmr9cAAYXn7Gge+JCHM25sZb4akfnbWINEO9Btgo66yCe1+5OmIvyuYHcjcxSFdbDgkGKqT7MUHrFLnrhJNNHijUZ9dNng6uYC3aBjPK1zhfxz7CaYCRu/VB9ezWgsJRD00iP8mzw==
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIrS8858Xqs+RsxNpVNKdpCAYdbTtel1G28MQBVyIQe8

roles/aurweb/defaults/main.yml

 ---
+aurweb_asgi_bind: '127.0.0.1:8000'
 
 aurweb_domain: 'aur.archlinux.org'
 aurweb_repository: 'https://gitlab.archlinux.org/archlinux/aurweb.git'
@@ -8,6 +9,7 @@ aurweb_git_dir: "{{ aurweb_dir }}/aur.git"
 aurweb_git_hook: '/usr/local/bin/aurweb-git-update'
 aurweb_nginx_conf: '/etc/nginx/nginx.d/aurweb.conf'
 aurweb_version: 'live'
+aurweb_pgp_keys: ['0F985B6F99B6686854C44EC3F7E46DED420788F3']
 
 aurweb_db: 'aur'
 aurweb_db_host: 'localhost'
@@ -18,9 +20,11 @@ aurweb_socket: '/run/php-fpm/{{aurweb_user}}.socket'
 cgit_socket: '/run/uwsgi/cgit.sock'
 smartgit_socket: '/run/uwsgi/smartgit.sock'
 
-aurweb_cache: 'memcache'
+aurweb_cache: 'redis'
 aurweb_cache_pkginfo_ttl: '86400'
 aurweb_request_limt: '4000'
 aurweb_window_length: '86400'
 aurweb_memcached_socket: '/run/memcached/aurweb.sock'
 aurweb_memcached_memory: 2048
+
+aurweb_workers: 4

roles/aurweb/tasks/main.yml

@@ -6,20 +6,11 @@
       - asciidoc
       - highlight
       - make
-      - php-memcached
-      - pyalpm
-      - python-alembic
-      - python-bleach
-      - python-markdown
-      - python-mysql-connector
-      - python-pygit2
-      - python-srcinfo
-      - python-fastapi
-      - python-jinja
-      - python-email-validator
-      - python-orjson
       - sudo
       - uwsgi-plugin-cgi
+      - python-poetry
+      - gcc
+      - pkg-config
 
 - name: install the cgit package
   pacman:
@@ -41,11 +32,21 @@
 - name: Create directory
   file: path={{ aurweb_dir }} state=directory owner={{ aurweb_user }} group=http mode=0775
 
+- name: receive valid signing keys
+  command: /usr/bin/gpg --keyserver keys.openpgp.org --recv {{ item }}
+  loop: '{{ aurweb_pgp_keys }}'
+  become: true
+  become_user: "{{ aurweb_user }}"
+  register: gpg
+  changed_when: "gpg.rc == 0"
+
 - name: clone aurweb repo
   git: >
     repo={{ aurweb_repository }}
     dest="{{ aurweb_dir }}"
     version={{ aurweb_version }}
+    verify_commit: true
+    gpg_whitelist: '{{ aurweb_pgp_keys }}'
   become: true
   become_user: "{{ aurweb_user }}"
   register: release
@@ -79,7 +80,7 @@
   no_log: true
 
 - name: initialize the database
-  command: python -m aurweb.initdb
+  command: poetry run python -m aurweb.initdb
   args:
     chdir: "{{ aurweb_dir }}"
   become: true
@@ -87,7 +88,7 @@
   when: db_created.changed
 
 - name: run migrations
-  command: alembic upgrade head
+  command: poetry run alembic upgrade head
   args:
     chdir: "{{ aurweb_dir }}"
   environment:
@@ -97,18 +98,43 @@
   when: release.changed or db_created.changed
 
 - name: Check python module availability
-  command: "python3 -c 'import aurweb'"
+  command: poetry run python3 -c 'import aurweb'
+  args:
+    chdir: "{{ aurweb_dir }}"
+  become: true
+  become_user: "{{ aurweb_user }}"
   ignore_errors: true
   register: aurweb_installed
   tags:
     - skip_ansible_lint
 
 - name: Install python module
-  command: "python3 setup.py install --install-scripts=/usr/local/bin"
+  command: poetry install
   args:
     chdir: "{{ aurweb_dir }}"
+  become: true
+  become_user: "{{ aurweb_user }}"
   when: release.changed or aurweb_installed.rc != 0
 
+- name: install custom aurweb-git-auth wrapper script
+  template: src=aurweb-git-auth.sh.j2 dest=/usr/local/bin/aurweb-git-auth.sh owner=root group=root mode=0755
+  when: release.changed
+
+- name: install custom aurweb-git-serve wrapper script
+  template: src=aurweb-git-serve.sh.j2 dest=/usr/local/bin/aurweb-git-serve.sh owner=root group=root mode=0755
+  when: release.changed
+
+- name: install custom aurweb-git-update wrapper script
+  template: src=aurweb-git-update.sh.j2 dest=/usr/local/bin/aurweb-git-update.sh owner=root group=root mode=0755
+  when: release.changed
+
+- name: link custom aurweb-git-update wrapper to hooks/update
+  file:
+    src: /usr/local/bin/aurweb-git-update.sh
+    dest: "{{ aurweb_dir }}/aur.git/hooks/update"
+    state: link
+  when: release.changed
+
 - name: Generate HTML documentation
   make:
     chdir: "{{ aurweb_dir }}/doc"
@@ -136,16 +162,6 @@
 - name: make nginx log dir
   file: path=/var/log/nginx/{{ aurweb_domain }} state=directory owner=root group=root mode=0755
 
-- name: configure php-fpm
-  template:
-    src=php-fpm.conf.j2 dest="/etc/php/php-fpm.d/{{ aurweb_user }}.conf"
-    owner=root group=root mode=0644
-  notify:
-    - restart php-fpm@{{ aurweb_user }}
-
-- name: start and enable systemd socket
-  service: name=php-fpm@{{ aurweb_user }}.socket state=started enabled=true
-
 - name: install cgit configuration
   template: src=cgitrc.j2 dest="{{ aurweb_conf_dir }}/cgitrc" owner=root group=root mode=0644
 
@@ -223,15 +239,6 @@
   tags:
     - skip_ansible_lint
 
-- name: create symlink for git hook
-  file:
-    src: "{{ aurweb_git_hook }}"
-    dest: "{{ aurweb_git_dir }}/hooks/update"
-    owner: root
-    group: root
-    mode: 0755
-    state: link
-
 - name: install AUR systemd service and timers
   template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
   with_items:
@@ -239,7 +246,6 @@
     - aurweb-git.timer
     - aurweb-aurblup.service
     - aurweb-aurblup.timer
-    - aurweb-memcached.service
     - aurweb-mkpkglists.service
     - aurweb-mkpkglists.timer
     - aurweb-pkgmaint.service
@@ -250,20 +256,22 @@
     - aurweb-tuvotereminder.timer
     - aurweb-usermaint.service
     - aurweb-usermaint.timer
+    - aurweb.service
+
+- name: configure sshd
+  template: src=aurweb_config.j2 dest={{ sshd_includes_dir }}/aurweb_config owner=root group=root mode=0600 validate='/usr/sbin/sshd -t -f %s'
+  notify:
+    - restart sshd
 
 - name: start and enable AUR systemd services and timers
-  service: name={{ item }} enabled=yes state=started
+  service: name={{ item }} enabled=yes state=restarted daemon_reload=yes
   with_items:
     - aurweb-git.timer
     - aurweb-aurblup.timer
-    - aurweb-memcached.service
     - aurweb-mkpkglists.timer
     - aurweb-pkgmaint.timer
     - aurweb-popupdate.timer
     - aurweb-tuvotereminder.timer
     - aurweb-usermaint.timer
-
-- name: configure sshd
-  template: src=aurweb_config.j2 dest={{ sshd_includes_dir }}/aurweb_config owner=root group=root mode=0600 validate='/usr/sbin/sshd -t -f %s'
-  notify:
-    - restart sshd
+    - aurweb.service
+  when: release.changed

roles/aurweb/templates/aurweb-aurblup.service.j2

@@ -6,7 +6,8 @@ After=mysqld.service
 [Service]
 Type=oneshot
 User={{ aurweb_user }}
-ExecStart=/usr/local/bin/aurweb-aurblup
+WorkingDirectory={{ aurweb_dir }}
+ExecStart=/usr/bin/poetry run aurweb-aurblup
 
 ReadWritePaths={{ aurweb_dir }}
 NoNewPrivileges=true

roles/aurweb/templates/aurweb-git-auth.sh.j2

+#!/bin/bash
+cd "{{ aurweb_dir }}"
+exec poetry run aurweb-git-auth "$@"

roles/aurweb/templates/aurweb-git-serve.sh.j2

+#!/bin/bash
+cd "{{ aurweb_dir }}"
+exec poetry run aurweb-git-serve "$@"

roles/aurweb/templates/aurweb-git-update.sh.j2

+#!/bin/bash
+cd "{{ aurweb_dir }}"
+exec poetry run aurweb-git-update "$@"

roles/aurweb/templates/aurweb-mkpkglists.service.j2

@@ -6,7 +6,8 @@ After=mysqld.service
 [Service]
 Type=oneshot
 User={{ aurweb_user }}
-ExecStart=/usr/local/bin/aurweb-mkpkglists --extended
+WorkingDirectory={{ aurweb_dir }}
+ExecStart=/usr/bin/poetry run aurweb-mkpkglists --extended
 
 NoNewPrivileges=true
 LockPersonality=true

roles/aurweb/templates/aurweb-pkgmaint.service.j2

@@ -6,7 +6,8 @@ After=mysqld.service
 [Service]
 Type=oneshot
 User={{ aurweb_user }}
-ExecStart=/usr/local/bin/aurweb-pkgmaint
+WorkingDirectory={{ aurweb_dir }}
+ExecStart=/usr/bin/poetry run aurweb-pkgmaint
 
 NoNewPrivileges=true
 LockPersonality=true
@@ -15,7 +16,7 @@ CapabilityBoundingSet=
 PrivateDevices=true
 PrivateTmp=true
 ProtectSystem=strict
-ProtectHome=true
+ProtectHome=read-only
 
 MemoryDenyWriteExecute=true
 RemoveIPC=true

roles/aurweb/templates/aurweb-popupdate.service.j2

@@ -6,7 +6,8 @@ After=mysqld.service
 [Service]
 Type=oneshot
 User={{ aurweb_user }}
-ExecStart=/usr/local/bin/aurweb-popupdate
+WorkingDirectory={{ aurweb_dir }}
+ExecStart=/usr/bin/poetry run aurweb-popupdate
 
 NoNewPrivileges=true
 LockPersonality=true
@@ -15,7 +16,7 @@ CapabilityBoundingSet=
 PrivateDevices=true
 PrivateTmp=true
 ProtectSystem=strict
-ProtectHome=true
+ProtectHome=read-only
 
 MemoryDenyWriteExecute=true
 RemoveIPC=true

roles/aurweb/templates/aurweb-tuvotereminder.service.j2

@@ -6,7 +6,8 @@ After=mysqld.service
 [Service]
 Type=oneshot
 User={{ aurweb_user }}
-ExecStart=/usr/local/bin/aurweb-tuvotereminder
+WorkingDirectory={{ aurweb_dir }}
+ExecStart=/usr/bin/poetry run aurweb-tuvotereminder
 
 NoNewPrivileges=true
 LockPersonality=true

roles/aurweb/templates/aurweb-usermaint.service.j2

@@ -6,7 +6,8 @@ After=mysqld.service
 [Service]
 Type=oneshot
 User={{ aurweb_user }}
-ExecStart=/usr/local/bin/aurweb-usermaint
+WorkingDirectory={{ aurweb_dir }}
+ExecStart=/usr/bin/poetry run aurweb-usermaint
 
 NoNewPrivileges=true
 LockPersonality=true
@@ -15,7 +16,7 @@ CapabilityBoundingSet=
 PrivateDevices=true
 PrivateTmp=true
 ProtectSystem=strict
-ProtectHome=true
+ProtectHome=read-only
 
 MemoryDenyWriteExecute=true
 RemoveIPC=true

roles/aurweb/templates/aurweb.service.j2

+[Unit]
+Description=aurweb asgi server
+
+[Service]
+User={{ aurweb_user }}
+WorkingDirectory={{ aurweb_dir }}
+ExecStart=/usr/bin/poetry run gunicorn \
+    --log-config {{ aurweb_dir }}/logging.conf \
+    --bind {{ aurweb_asgi_bind }} \
+    --workers {{ aurweb_workers }} \
+    -k uvicorn.workers.UvicornWorker \
+    aurweb.asgi:app
+
+[Install]
+WantedBy=multi-user.target

roles/aurweb/templates/aurweb_config.j2

 Match User {{ aurweb_user }}
         PasswordAuthentication no
-        AuthorizedKeysCommand /usr/local/bin/aurweb-git-auth "%t" "%k"
+        AuthorizedKeysCommand /usr/local/bin/aurweb-git-auth.sh "%t" "%k"
         AuthorizedKeysCommandUser {{ aurweb_user }}
         AcceptEnv AUR_OVERWRITE

roles/aurweb/templates/cgitrc.j2

 virtual-root=/cgit/
 clone-prefix=https://{{ aurweb_domain }}
 noheader=0
-favicon=/images/favicon.ico
+favicon=/static/images/favicon.ico
 logo=
-css=/css/cgit.css
+css=/static/css/cgit.css
 snapshots=tar.gz
 readme=:README.md
 readme=:README

roles/aurweb/templates/config.j2

@@ -4,6 +4,7 @@ user = {{ aurweb_db_user }}
 password = {{ vault_aurweb_db_password }}
 
 [options]
+aurwebdir = {{ aurweb_dir }}
 {% if maintenance is defined and maintenance %}
 enable_maintenance = 1
 maintenance-exceptions = {{ maintenance_remote_machine }}
@@ -16,7 +17,7 @@ cache_pkginfo_ttl = {{ aurweb_cache_pkginfo_ttl }}
 aur_location = https://{{ aurweb_domain }}
 git_clone_uri_anon = https://{{ aurweb_domain }}/%s.git
 git_clone_uri_priv = ssh://{{ aurweb_user }}@{{ aurweb_domain }}/%s.git
-memcache_servers = {{ aurweb_memcached_socket }}:0
+redis_address = redis://localhost
 
 [ratelimit]
 request_limit = {{ aurweb_request_limt }}
@@ -27,9 +28,13 @@ Ed25519 = SHA256:RFzBCUItH9LZS0cKB5UE6ceAYhBD5C8GeOBip8Z11+4
 ECDSA = SHA256:uTa/0PndEgPZTf76e1DFqXKJEXKsn7m9ivhLQtzGOCI
 RSA =  SHA256:5s5cIyReIfNNVGRFdDbe3hdYiI5OelHGpw2rOUud3Q8
 
+[auth]
+git-serve-cmd = /usr/local/bin/aurweb-git-serve.sh
+
 [serve]
 repo-path = {{ aurweb_git_dir }}
 git-shell-cmd = /usr/bin/sh
+git-update-cmd = /usr/local/bin/aurweb-git-update.sh
 ssh-cmdline = ssh {{ aurweb_user }}@{{ aurweb_domain }}
 
 [update]
@@ -45,3 +50,11 @@ packagesmetafile = {{ aurweb_dir }}/web/html/packages-meta-v1.json.gz
 packagesmetaextfile = {{ aurweb_dir }}/web/html/packages-meta-ext-v1.json.gz
 pkgbasefile = {{ aurweb_dir }}/web/html/pkgbase.gz
 userfile = {{ aurweb_dir }}/web/html/users.gz
+
+[notifications]
+notify-cmd = aurweb-notify
+{# An email used for server error notifications. #}
+postmaster = {{ vault_aurweb_postmaster }}
+
+[fastapi]
+session_secret = {{ vault_aurweb_secret }}

roles/aurweb/templates/nginx.d.conf.j2

@@ -71,39 +71,12 @@ server {
         expires 5m;
     }
 
-    location ~ ^/[^/]+\.php($|/) {
-        fastcgi_pass   aurweb;
-        fastcgi_index  index.php;
-        fastcgi_split_path_info ^(/[^/]+\.php)(/.*)$;
-        if (!-f $document_root$fastcgi_script_name) {
-            return 404;
-        }
-        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
-        fastcgi_param  PATH_INFO        $fastcgi_path_info;
-        fastcgi_param  HTTPS            on;
-        include        fastcgi_params;
-
-        # Cache PHP Requests
-        #fastcgi_cache aur;
-        #fastcgi_cache_valid 200 5m;
-        #add_header X-Cache $upstream_cache_status;
-
-        # Required for caching to work
-        #fastcgi_ignore_headers "Cache-Control" "Expires" "Set-Cookie";
-
-        # Only apply cache when set
-        #fastcgi_cache_bypass $no_cache;
-        #fastcgi_no_cache $no_cache;
-    }
-
-    # directories for static assets
-    location ~ ^/(?:css|js|images)/ {
-        expires 30d;
-        add_header Pragma public;
-        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
-    }
-
-    location ~ .* {
-        rewrite ^/(.*)$ /index.php/$1 last;
+    location / {
+        # Proxy over to aurweb's ASGI application.
+        proxy_pass http://{{ aurweb_asgi_bind }};
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Ssl on;
     }
 }

roles/borg_client/tasks/main.yml

@@ -56,10 +56,6 @@
   file: path={{ mysql_backup_dir }} state=directory owner=root group=root mode=0755
   when: mysql_backup_dir is defined
 
-- name: install gitlab backup script
-  template: src=backup-gitlab.sh.j2 dest=/usr/local/bin/backup-gitlab.sh owner=root group=root mode=0755
-  when: inventory_hostname == "gitlab.archlinux.org"
-
 - name: install systemd services for backup
   template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
   with_items:

roles/borg_client/templates/backup-gitlab.sh.j2

-#!/bin/bash
-#
-# Script to backup Gitlab running in a Docker container
-#
-# https://docs.gitlab.com/omnibus/settings/backups.html#creating-backups-for-gitlab-instances-in-docker-containers
-#
-
-backupdir="{{ gitlab_backupdir }}"
-
-echo "emptying backup directory ${backupdir}"
-
-# Verify that the gitlab_backupdir in ansible was defined, otherwise we will rm /* and remove the previous backup
-rm -r "${backupdir:?backup dir unset}/"*
-
-docker exec gitlab gitlab-backup create STRATEGY=copy SKIP=tar GZIP_RSYNCABLE=yes

roles/borg_client/templates/borg-backup.service.j2

 [Unit]
 Description=Borg backup
 
-{% if inventory_hostname == "gitlab.archlinux.org" %}
-# The ordering relation defined below is important for the GitLab backups
-# because the offsite backup reuses the tarballs from this service's run.
-{% endif %}
 Wants=borg-backup-offsite.service
 Before=borg-backup-offsite.service