Compare revisions

0ebc955f · 0ebc955f · 0ebc955f · 0ebc955f · 0ebc955f · 0ebc955f
--- a/roles/archwiki/tasks/main.yml
+++ b/roles/archwiki/tasks/main.yml
@@ -17,7 +17,7 @@
  when: 'archwiki_domain is defined'

 - name: install packages
-  pacman: name=git,php7-intl state=present
+  pacman: name=git,php-intl state=present

 - name: make archwiki user
  user: name="{{ archwiki_user }}" shell=/bin/false home="{{ archwiki_dir }}" createhome=no
@@ -79,16 +79,16 @@

 - name: configure php-fpm
  template:
-    src=php-fpm.conf.j2 dest="/etc/php7/php-fpm.d/{{ archwiki_user }}.conf"
+    src=php-fpm.conf.j2 dest="/etc/php/php-fpm.d/{{ archwiki_user }}.conf"
    owner=root group=root mode=0644
  notify:
-    - restart php-fpm7@{{ archwiki_user }}
+    - restart php-fpm@{{ archwiki_user }}

 - name: install archwiki memcached service
  template: src="archwiki-memcached.service.j2" dest="/etc/systemd/system/archwiki-memcached.service" owner=root group=root mode=0644

 - name: start and enable systemd socket
-  service: name=php-fpm7@{{ archwiki_user }}.socket state=started enabled=true
+  service: name=php-fpm@{{ archwiki_user }}.socket state=started enabled=true

 - name: install systemd services/timers
  template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644

--- a/roles/archwiki/templates/archwiki-prune-cache.service.j2
+++ b/roles/archwiki/templates/archwiki-prune-cache.service.j2
@@ -5,7 +5,7 @@ Description=Archwiki Prune Cache Service
 Type=oneshot
 User={{ archwiki_user }}
 WorkingDirectory={{ archwiki_dir }}
-ExecStart=/usr/bin/php7 {{ archwiki_dir }}/public/maintenance/pruneFileCache.php -q --agedays 1
+ExecStart=/usr/bin/php {{ archwiki_dir }}/public/maintenance/pruneFileCache.php -q --agedays 1

 NoNewPrivileges=yes
 PrivateTmp=yes

--- a/roles/archwiki/templates/archwiki-runjobs-wait.service.j2
+++ b/roles/archwiki/templates/archwiki-runjobs-wait.service.j2
@@ -5,7 +5,7 @@ After=mysqld.service
 [Service]
 User={{ archwiki_user }}
 WorkingDirectory={{ archwiki_dir }}
-ExecStart=/usr/bin/php7 {{ archwiki_dir }}/public/maintenance/runJobs.php -q --wait
+ExecStart=/usr/bin/php {{ archwiki_dir }}/public/maintenance/runJobs.php -q --wait
 Restart=on-failure

 NoNewPrivileges=true

--- a/roles/archwiki/templates/archwiki-runjobs.service.j2
+++ b/roles/archwiki/templates/archwiki-runjobs.service.j2
@@ -5,7 +5,7 @@ Description=Archwiki runJobs Service
 Type=oneshot
 User={{ archwiki_user }}
 WorkingDirectory={{ archwiki_dir }}
-ExecStart=/usr/bin/php7 {{ archwiki_dir }}/public/maintenance/runJobs.php -q
+ExecStart=/usr/bin/php {{ archwiki_dir }}/public/maintenance/runJobs.php -q

 NoNewPrivileges=true
 ProtectHome=true

--- a/roles/archwiki/templates/nginx.d.conf.j2
+++ b/roles/archwiki/templates/nginx.d.conf.j2
@@ -80,6 +80,11 @@ server {
        return 302 /rest.php/v1/search/title$is_args$args;
    }

+    # Workaround for "Search for pages containing" hard-coded to /w/index.php
+    location ^~ /w/index.php {
+        return 302 /index.php$is_args$args;
+    }
+
    # special case for '/load.php' type URLs to cache css/js in nginx to relieve php-fpm
    location = /load.php {
        access_log   /var/log/nginx/{{ archwiki_domain }}/access.log main;

--- a/roles/borg_client/tasks/main.yml
+++ b/roles/borg_client/tasks/main.yml
@@ -18,6 +18,9 @@
    BORG_PASSPHRASE: ""
  ignore_errors: true  # This can sometimes fail if a backup is in progress :/
  loop: "{{ backup_hosts }}"
+  tags:
+    - skip_ansible_lint
+

 - name: install convenience scripts
  template: src=borg.j2 dest=/usr/local/bin/borg{{ item['suffix'] }} owner=root group=root mode=0755

--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -107,7 +107,7 @@
  when: enable_zram_swap

 - name: disable zswap to prevent conflict with zram
-  copy: content="w- /sys/module/zswap/parameters/enabled - - - - N" dest=/etc/tmpfiles.d/zram.conf
+  copy: content="w- /sys/module/zswap/parameters/enabled - - - - N" dest=/etc/tmpfiles.d/zram.conf owner=root group=root mode=0644
  register: zramtmpfiles
  when: enable_zram_swap


--- a/roles/dbscripts/defaults/main.yml
+++ b/roles/dbscripts/defaults/main.yml
 ---
-dbscripts_commit: 20211216
+dbscripts_commit: 20220131
 dbscripts_update: true
 dbscripts_pgp_emails: ['jelle@archlinux.org']


--- a/roles/dbscripts/templates/rsyncd.conf.proto.j2
+++ b/roles/dbscripts/templates/rsyncd.conf.proto.j2
@@ -91,6 +91,15 @@ hosts deny = *
 	secrets file = /etc/rsyncd.secrets
 	max connections = 0

+# Debug repositories
+[debug_packages]
+	path = /srv/ftp
+	comment =  debug packages
+	exclude = *
+	include = /*-debug/*** /pool /pool/*-debug/***
+	hosts allow = {{ groups['mirrors'] | map('extract', hostvars, ['ipv4_address']) | join(' ') }} {{ groups['mirrors'] | map('extract', hostvars, ['ipv6_address']) | join(' ') }} {{ hostvars['debuginfod.archlinux.org']['ipv4_address'] }} {{ hostvars['debuginfod.archlinux.org']['ipv6_address'] }}
+	max connections = 0
+
 # Individual repositories
 [core]
 	path = /srv/ftp/core

--- a/roles/debuginfod/defaults/main.yml
+++ b/roles/debuginfod/defaults/main.yml
+---
+debuginfod_httpd: false
+debuginfod_domain: debuginfod.archlinux.org
+debuginfod_port: 8002
+debuginfod_database: /var/cache/debuginfod/debuginfod.sqlite
+debuginfod_package_paths:
+  - /srv/ftp/pool/packages-debug
+  - /srv/ftp/pool/community-debug
--- a/roles/debuginfod/files/archlinux.png
+++ b/roles/debuginfod/files/archlinux.png
--- a/roles/debuginfod/files/index.html
+++ b/roles/debuginfod/files/index.html
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <title>Debuginfod service - Arch Linux</title>
+  </head>
+  <body>
+    <h1>Debuginfod service - Arch Linux</h1>
+    <img src="archlinux.png">
+
+    <p>This is the <a href="https://sourceware.org/elfutils/Debuginfod.html">debuginfod</a> service for Arch Linux. For more information about it, please refer to <a href="https://wiki.archlinux.org/title/Debuginfod">https://wiki.archlinux.org/title/Debuginfod</a>.</p>
+
+    <p>The following environment variable must be set in your shell to use it:</p>
+    <pre>DEBUGINFOD_URLS="https://debuginfod.archlinux.org"</pre>
+
+    <p>A dashboard can be found on <a href="https://dashboards.archlinux.org/d/U0xac1x7z/debuginfod?orgId=1">https://dashboards.archlinux.org/</a>.</p>
+    <p>List of currently available packages can be found on <a href="/packages">here</a>.</p>
+  </body>
+</html>
--- a/roles/debuginfod/files/packagelist.service
+++ b/roles/debuginfod/files/packagelist.service
+[Unit]
+Description=Synchronize package list
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/bash -c "find /srv/ftp/pool/*-debug/ -type f -not -name *.sig > /srv/http/debuginfod/packages"
--- a/roles/debuginfod/files/packagelist.timer
+++ b/roles/debuginfod/files/packagelist.timer
+[Unit]
+Description=Sync package lists every minute
+
+[Timer]
+OnCalendar=minutely
+AccuracySec=1m
+Persistent=true
+
+[Install]
+WantedBy=timers.target
--- a/roles/debuginfod/handlers/main.yml
+++ b/roles/debuginfod/handlers/main.yml
+---
+
+- name: reload debuginfod
+  service: name=debuginfod state=reloaded
--- a/roles/debuginfod/tasks/main.yml
+++ b/roles/debuginfod/tasks/main.yml
+---
+- name: install debuginfod
+  pacman: name=debuginfod state=present
+
+- name: create ssl cert
+  include_role:
+    name: certificate
+  vars:
+    domains: ["{{ debuginfod_domain }}"]
+  when: debuginfod_domain
+
+- name: configure debuginfod systemd service
+  template: src=debuginfod.service.j2 dest=/usr/lib/systemd/system/debuginfod.service owner=root group=root mode=0644
+  vars:
+    debuginfod_package_path: "{{ debuginfod_package_paths | join(' ') }}"
+  notify:
+    - reload debuginfod
+
+- name: create http directory for debuginfod website files
+  file: path=/srv/http/debuginfod state=directory owner=root group=root mode=0755
+
+- name: install website files
+  copy: src={{ item }} dest=/srv/http/debuginfod/{{ item }} owner=root group=root mode=0644
+  loop:
+    - archlinux.png
+    - index.html
+
+- name: install packagelist units
+  copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
+  loop:
+    - packagelist.timer
+    - packagelist.service
+
+- name: start and enable packagelist.timer
+  service: name=packagelist.timer enabled=yes state=started
+
+- name: make nginx log dir
+  file: path=/var/log/nginx/{{ debuginfod_domain }} state=directory owner=root group=root mode=0755
+
+- name: set up nginx
+  template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/debuginfod.conf owner=root group=root mode=0644
+  notify:
+    - reload nginx
+  when: debuginfod_domain
+  tags: ['nginx']
+
+- name: open debuginfod ipv4 port for monitoring.archlinux.org
+  ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
+    rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port=8002 accept"
+  tags:
+    - firewall
+
+- name: start and enable debuginfod
+  service: name=debuginfod enabled=yes state=started
--- a/roles/debuginfod/templates/debuginfod.service.j2
+++ b/roles/debuginfod/templates/debuginfod.service.j2
+[Unit]
+Description=debuginfod server
+After=network.target network-online.target nss-lookup.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/debuginfod -d {{debuginfod_database}} -p {{debuginfod_port}} -F -Z .tar.zst=zstdcat {{debuginfod_package_path}}
+Restart=on-failure
+DynamicUser=yes
+PrivateDevices=true
+PrivateUsers=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+ReadOnlyPaths={{debuginfod_package_path}}
+CacheDirectory=debuginfod
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/debuginfod/templates/nginx.d.conf.j2
+++ b/roles/debuginfod/templates/nginx.d.conf.j2
+server {
+    listen       80;
+    listen       [::]:80;
+    server_name  {{ debuginfod_domain }};
+
+    access_log   /var/log/nginx/{{ debuginfod_domain }}/access.log reduced;
+    access_log   /var/log/nginx/{{ debuginfod_domain }}/access.log.json json_reduced;
+    error_log    /var/log/nginx/{{ debuginfod_domain }}/error.log;
+
+    include snippets/letsencrypt.conf;
+
+    location / {
+        access_log off;
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen       443 ssl http2;
+    listen       [::]:443 ssl http2;
+    server_name  {{ debuginfod_domain }};
+
+    access_log   /var/log/nginx/{{ debuginfod_domain }}/access.log reduced;
+    access_log   /var/log/nginx/{{ debuginfod_domain }}/access.log.json json_reduced;
+    error_log    /var/log/nginx/{{ debuginfod_domain }}/error.log;
+
+    ssl_certificate      /etc/letsencrypt/live/{{ debuginfod_domain }}/fullchain.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/{{ debuginfod_domain }}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ debuginfod_domain }}/chain.pem;
+
+    root  /srv/http/debuginfod;
+    index index.html;
+
+    location / {
+        try_files $uri $uri/ @debuginfod;
+    }
+
+    location = /packages {
+        default_type "text/plain";
+    }
+
+    location @debuginfod {
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_pass http://127.0.0.1:8002;
+    }
+}
--- a/roles/gluebuddy/files/gluebuddy.service
+++ b/roles/gluebuddy/files/gluebuddy.service
+[Unit]
+Description=gluebuddy service
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=oneshot
+StandardOutput=journal+console
+EnvironmentFile=-/etc/conf.d/gluebuddy
+ExecStart=/usr/local/bin/gluebuddy apply
+
+DynamicUser=true
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+ProtectHostname=true
+RestrictRealtime=true
+CapabilityBoundingSet=
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/gluebuddy/files/gluebuddy.timer
+++ b/roles/gluebuddy/files/gluebuddy.timer
+[Unit]
+Description=gluebuddy timer
+
+[Timer]
+OnUnitActiveSec=30min
+OnBootSec=5min
+RandomizedDelaySec=1min
+
+[Install]
+WantedBy=timers.target
No results found