From 0c1c366493ef6f03704508a6f1ed35138c2a78a2 Mon Sep 17 00:00:00 2001 
From: Jelle van der Waa Date: Tue, 20 Feb 2018 21:57:49 +0100 Subject: [PATCH 01/42] Introduce AUR role The ansible role for the Arch User Repository. Thanks-to: Eli Schwartz --- playbooks/aur.yml | 10 + roles/aur/defaults/main.yml | 17 ++ roles/aur/files/aurweb-aurblup.service | 9 + roles/aur/files/aurweb-aurblup.timer | 9 + roles/aur/files/aurweb-mkpkglists.service | 9 + roles/aur/files/aurweb-mkpkglists.timer | 9 + roles/aur/files/aurweb-pkgmaint.service | 9 + roles/aur/files/aurweb-pkgmaint.timer | 9 + roles/aur/files/aurweb-popupdate.service | 9 + roles/aur/files/aurweb-popupdate.timer | 9 + roles/aur/files/aurweb-tuvotereminder.service | 9 + roles/aur/files/aurweb-tuvotereminder.timer | 9 + roles/aur/handlers/main.yml | 7 + roles/aur/tasks/main.yml | 172 ++++++++++++++++++ roles/aur/templates/aurweb-git.service.j2 | 9 + roles/aur/templates/aurweb-git.timer.j2 | 8 + roles/aur/templates/config.j2 | 21 +++ roles/aur/templates/nginx.d.conf.j2 | 47 +++++ roles/aur/templates/php-fpm.conf.j2 | 21 +++ 19 files changed, 402 insertions(+) create mode 100644 playbooks/aur.yml create mode 100644 roles/aur/defaults/main.yml create mode 100644 roles/aur/files/aurweb-aurblup.service create mode 100644 roles/aur/files/aurweb-aurblup.timer create mode 100644 roles/aur/files/aurweb-mkpkglists.service create mode 100644 roles/aur/files/aurweb-mkpkglists.timer create mode 100644 roles/aur/files/aurweb-pkgmaint.service create mode 100644 roles/aur/files/aurweb-pkgmaint.timer create mode 100644 roles/aur/files/aurweb-popupdate.service create mode 100644 roles/aur/files/aurweb-popupdate.timer create mode 100644 roles/aur/files/aurweb-tuvotereminder.service create mode 100644 roles/aur/files/aurweb-tuvotereminder.timer create mode 100644 roles/aur/handlers/main.yml create mode 100644 roles/aur/tasks/main.yml create mode 100644 roles/aur/templates/aurweb-git.service.j2 create mode 100644 roles/aur/templates/aurweb-git.timer.j2 create mode 100644 roles/aur/templates/config.j2 create 
mode 100644 roles/aur/templates/nginx.d.conf.j2 create mode 100644 roles/aur/templates/php-fpm.conf.j2 diff --git a/playbooks/aur.yml b/playbooks/aur.yml new file mode 100644 index 00000000..15f53720 --- /dev/null +++ b/playbooks/aur.yml @@ -0,0 +1,10 @@ +--- + +- name: setup aur server + hosts: 127.0.0.1 + remote_user: root + roles: + - { role: mariadb, mariadb_innodb_buffer_pool_size: '64M', tags: ['mariadb'] , configure_zabbix_agent: False} + - { role: nginx, tags: ["nginx"] } + - { role: php-fpm, php_extensions: ['pdo_mysql'], tags: ["php-fpm"] } + - { role: aur, tags: ['aur'] } diff --git a/roles/aur/defaults/main.yml b/roles/aur/defaults/main.yml new file mode 100644 index 00000000..361ab43a --- /dev/null +++ b/roles/aur/defaults/main.yml @@ -0,0 +1,17 @@ +--- + +aurweb_domain: 'www.aur.archlinux.org' +aurweb_repository: 'https://git.archlinux.org/aurweb.git' +aurweb_dir: '/srv/http/aurweb' +aurweb_conf_dir: '/etc/aurweb' +aurweb_git_dir: "{{ aurweb_dir }}/aur.git" +aurweb_git_hook: '/usr/local/bin/aurweb-git-update' +aurweb_version: 'master' + +aurweb_db: 'aur' +aurweb_db_host: 'localhost' +aurweb_db_user: 'aur' +aurweb_db_password: 'aur' + +aurweb_user: 'aurweb' +aurweb_socket: '/run/php-fpm/{{aurweb_user}}.socket' diff --git a/roles/aur/files/aurweb-aurblup.service b/roles/aur/files/aurweb-aurblup.service new file mode 100644 index 00000000..d3d007c9 --- /dev/null +++ b/roles/aur/files/aurweb-aurblup.service @@ -0,0 +1,9 @@ +[Unit] +Description=Update aurweb blacklist +Requires=mysqld.service +After=mysqld.service + +[Service] +Type=Oneshot +User=aur +ExecStart=/usr/local/bin/aurweb-aurblup diff --git a/roles/aur/files/aurweb-aurblup.timer b/roles/aur/files/aurweb-aurblup.timer new file mode 100644 index 00000000..48db8acc --- /dev/null +++ b/roles/aur/files/aurweb-aurblup.timer @@ -0,0 +1,9 @@ +[Unit] +Description=Update aurweb blacklist + +[Timer] +OnStartupSec=2h +OnUnitActiveSec=2h + +[Install] +WantedBy=timers.target 
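Review bot: `aurweb_db_password: 'aur'` in roles/aur/defaults/main.yml ships a known default credential, and the `create aur db user` task in roles/aur/tasks/main.yml creates the database account with exactly this value, so a host deployed without an override ends up with a guessable password on the AUR database. Role defaults are the wrong place for a secret; take it from the same vault-backed source the play already uses for `mariadb_users.root` and leave no working fallback, e.g. `aurweb_db_password: "{{ <vault-backed variable> }}"`, or add an `assert` task that fails while the value is still `'aur'`. A short comment above the `aurweb_db_*` block stating that the password must be overridden per host would make the intent visible to the next person editing the defaults.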
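Review bot: `User=aur` in aurweb-aurblup.service names an account that nothing in this series creates — the `make aur user` task creates `{{ aurweb_user }}`, which defaults to `aurweb`, and the checkout and git directory are owned by that user — so unless `aur` exists out of band the unit either fails to start or runs as a user that cannot write the aurweb tree. The same line appears in aurweb-mkpkglists.service, aurweb-pkgmaint.service, aurweb-popupdate.service, aurweb-tuvotereminder.service and aurweb-git.service.j2, and the `Match User aur` block in sshd_config.j2 (PATCH 02) depends on the same account; either add a task that creates `aur` or template the units on `{{ aurweb_user }}` so there is one service identity. Separately, `Type=Oneshot` is not a value systemd recognises as far as I know (the parser is case-sensitive and expects `Type=oneshot`), so the line will be logged as a parse error and ignored, leaving the unit at the default `Type=simple`; the same typo is in every unit listed above.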
diff --git a/roles/aur/files/aurweb-mkpkglists.service b/roles/aur/files/aurweb-mkpkglists.service new file mode 100644 index 00000000..b0f6c44d --- /dev/null +++ b/roles/aur/files/aurweb-mkpkglists.service @@ -0,0 +1,9 @@ +[Unit] +Description=Regenerate aurweb package and user lists +Requires=mysqld.service +After=mysqld.service + +[Service] +Type=Oneshot +User=aur +ExecStart=/usr/local/bin/aurweb-mkpkglists diff --git a/roles/aur/files/aurweb-mkpkglists.timer b/roles/aur/files/aurweb-mkpkglists.timer new file mode 100644 index 00000000..b1ee108c --- /dev/null +++ b/roles/aur/files/aurweb-mkpkglists.timer @@ -0,0 +1,9 @@ +[Unit] +Description=Regenerate aurweb package and user lists + +[Timer] +OnStartupSec=5m +OnUnitActiveSec=5m + +[Install] +WantedBy=timers.target diff --git a/roles/aur/files/aurweb-pkgmaint.service b/roles/aur/files/aurweb-pkgmaint.service new file mode 100644 index 00000000..83ba2a4c --- /dev/null +++ b/roles/aur/files/aurweb-pkgmaint.service @@ -0,0 +1,9 @@ +[Unit] +Description=Delete old, empty reserved aurweb pkgbases +Requires=mysqld.service +After=mysqld.service + +[Service] +Type=Oneshot +User=aur +ExecStart=/usr/local/bin/aurweb-pkgmaint diff --git a/roles/aur/files/aurweb-pkgmaint.timer b/roles/aur/files/aurweb-pkgmaint.timer new file mode 100644 index 00000000..a2975310 --- /dev/null +++ b/roles/aur/files/aurweb-pkgmaint.timer @@ -0,0 +1,9 @@ +[Unit] +Description=Delete old, empty reserved aurweb pkgbases + +[Timer] +OnStartupSec=2h +OnUnitActiveSec=2h + +[Install] +WantedBy=timers.target diff --git a/roles/aur/files/aurweb-popupdate.service b/roles/aur/files/aurweb-popupdate.service new file mode 100644 index 00000000..8850eec8 --- /dev/null +++ b/roles/aur/files/aurweb-popupdate.service @@ -0,0 +1,9 @@ +[Unit] +Description=Update aurweb per-package popularity counts +Requires=mysqld.service +After=mysqld.service + +[Service] +Type=Oneshot +User=aur +ExecStart=/usr/local/bin/aurweb-popupdate 
diff --git a/roles/aur/files/aurweb-popupdate.timer b/roles/aur/files/aurweb-popupdate.timer new file mode 100644 index 00000000..69805f09 --- /dev/null +++ b/roles/aur/files/aurweb-popupdate.timer @@ -0,0 +1,9 @@ +[Unit] +Description=Update aurweb per-package popularity counts + +[Timer] +OnStartupSec=2h +OnUnitActiveSec=2h + +[Install] +WantedBy=timers.target diff --git a/roles/aur/files/aurweb-tuvotereminder.service b/roles/aur/files/aurweb-tuvotereminder.service new file mode 100644 index 00000000..b66859f0 --- /dev/null +++ b/roles/aur/files/aurweb-tuvotereminder.service @@ -0,0 +1,9 @@ +[Unit] +Description=Send aurweb TU vote reminder emails +Requires=mysqld.service +After=mysqld.service + +[Service] +Type=Oneshot +User=aur +ExecStart=/usr/local/bin/aurweb-tuvotereminder diff --git a/roles/aur/files/aurweb-tuvotereminder.timer b/roles/aur/files/aurweb-tuvotereminder.timer new file mode 100644 index 00000000..c22b99e1 --- /dev/null +++ b/roles/aur/files/aurweb-tuvotereminder.timer @@ -0,0 +1,9 @@ +[Unit] +Description=Send aurweb TU vote reminder emails + +[Timer] +OnStartupSec=12h +OnUnitActiveSec=12h + +[Install] +WantedBy=timers.target diff --git a/roles/aur/handlers/main.yml b/roles/aur/handlers/main.yml new file mode 100644 index 00000000..1793138f --- /dev/null +++ b/roles/aur/handlers/main.yml @@ -0,0 +1,7 @@ +--- + +- name: daemon reload + command: systemctl daemon-reload + +- name: restart php-fpm@aurweb + service: name=php-fpm@{{ aurweb_user }} state=restarted diff --git a/roles/aur/tasks/main.yml b/roles/aur/tasks/main.yml new file mode 100644 index 00000000..d0e3de0f --- /dev/null +++ b/roles/aur/tasks/main.yml 
@@ -0,0 +1,172 @@ +--- +- name: install required packages + pacman: name=git,sudo,python-mysql-connector,python-pygit2,python-srcinfo,python-bleach,python-markdown,make,asciidoc state=present + +- name: make aur user + user: name="{{ aurweb_user }}" shell=/bin/bash createhome=yes + +- name: Create directory + file: path={{ aurweb_dir }} state=directory owner={{aurweb_user}} group=http mode=0775 + +- name: clone aurweb repo + git: > + repo={{ aurweb_repository }} + dest="{{ aurweb_dir }}" + version={{ aurweb_version }} + become: true + become_user: "{{aurweb_user}}" + register: release + +- name: create aur db + mysql_db: name="{{ aurweb_db }}" login_host="{{ aurweb_db_host }}" login_password="{{ mariadb_users.root }}" encoding=utf8 + register: db_created + +- name: create aur db user + mysql_user: name={{ aurweb_db_user }} password={{ aurweb_db_password }} + login_host="{{ aurweb_db_host }}" login_password="{{ mariadb_users.root }}" + priv="{{ aurweb_db }}.*:ALL" + +- name: enable innodb_large_prefix + mysql_variables: + login_host: "{{ aurweb_db_host }}" + login_password: "{{ mariadb_users.root }}" + variable: innodb_large_prefix + value: 1 + +- name: enable innodb_file_format + mysql_variables: + login_host: "{{ aurweb_db_host }}" + login_password: "{{ mariadb_users.root }}" + variable: innodb_file_format + value: Barracuda + +- name: check if db is imported + shell: mysql -u {{ aurweb_db_user }} -p{{ aurweb_db_password }} -e "SELECT ID FROM Users" {{ aurweb_db }} + ignore_errors: true + register: db_imported + +- name: import aur sql db + mysql_db: + state: import + name: "{{ aurweb_db }}" + login_host: "{{ aurweb_db_host }}" + login_password: "{{ mariadb_users.root }}" + target: "{{ aurweb_dir }}/schema/aur-schema.sql" + when: db_imported.rc != 0 + +- name: create aurweb conf dir + file: path={{ aurweb_conf_dir }} state=directory + +- name: copy aurweb configuration file + copy: src={{ aurweb_dir }}/conf/config.defaults dest={{ aurweb_conf_dir 
}}/config.defaults remote_src=yes + +- name: install custom aurweb configuration + template: src=config.j2 dest={{ aurweb_conf_dir }}/config + +- name: Install python module + shell: "python3 setup.py install --install-scripts=/usr/local/bin" + args: + chdir: "{{ aurweb_dir }}" + +- name: Generate HTML documentation + make: + chdir: "{{ aurweb_dir }}/doc" + become: true + become_user: "{{aurweb_user}}" + +- name: set up nginx + template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/aurweb.conf owner=root group=root mode=644 + notify: reload nginx + tags: ['nginx'] + +- name: make nginx log dir + file: path=/var/log/nginx/{{ aurweb_domain }} state=directory owner=root group=root mode=0755 + +- name: configure php-fpm + template: + src=php-fpm.conf.j2 dest="/etc/php/php-fpm.d/{{ aurweb_user }}.conf" + owner=root group=root mode=0644 + notify: + - restart php-fpm@{{ aurweb_user }} + +- name: start and enable systemd socket + service: name=php-fpm@{{ aurweb_user }}.socket state=started enabled=true + +- name: create git repo dir + file: path={{ aurweb_git_dir }} state=directory owner={{aurweb_user}} group=http mode=0775 + +- name: init git directory + command: git init --bare {{ aurweb_git_dir }} + args: + creates: "{{ aurweb_git_dir }}/HEAD" + become: true + become_user: "{{aurweb_user}}" + +- shell: git config --local --get-all transfer.hideRefs + register: git_config + args: + chdir: "{{ aurweb_git_dir }}" + failed_when: git_config.rc == 2 # FIXME: does not work. 
+ +- name: configure git tranfser.hideRefs + command: git config --local transfer.hideRefs '^refs/' + args: + chdir: "{{ aurweb_git_dir }}" + become: true + become_user: "{{aurweb_user}}" + when: git_config.stdout.find('^refs/') == -1 + + +- name: configure git transfer.hideRefs second + command: git config --local --add transfer.hideRefs '!refs/' + args: + chdir: "{{ aurweb_git_dir }}" + become: true + become_user: "{{aurweb_user}}" + when: git_config.stdout.find('!refs/') == -1 + +- name: configure git transfer.hideRefs third + command: git config --local --add transfer.hideRefs '!HEAD' + args: + chdir: "{{ aurweb_git_dir }}" + become: true + become_user: "{{aurweb_user}}" + when: git_config.stdout.find('!HEAD') == -1 + +- name: create symlink for git hook + file: + src: "{{ aurweb_git_hook }}" + dest: "{{ aurweb_git_dir }}/hooks/update" + state: link + +- name: install AUR maintenance services/timers + copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 + with_items: + - aurweb-aurblup.service + - aurweb-aurblup.timer + - aurweb-mkpkglists.service + - aurweb-mkpkglists.timer + - aurweb-pkgmaint.service + - aurweb-pkgmaint.timer + - aurweb-popupdate.service + - aurweb-popupdate.timer + - aurweb-tuvotereminder.service + - aurweb-tuvotereminder.timer + +- name: start and enable AUR maintenance timers + service: name={{ item }} enabled=yes state=started + with_items: + - aurweb-aurblup.timer + - aurweb-mkpkglists.timer + - aurweb-pkgmaint.timer + - aurweb-popupdate.timer + - aurweb-tuvotereminder.timer + +- name: install AUR git gc service/timer + template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 + with_items: + - aurweb-git.service + - aurweb-git.timer + +- name: start and enable AUR git gc timer + service: name=aurweb-git.timer enabled=yes state=started 
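Review bot: `template: src=config.j2 dest={{ aurweb_conf_dir }}/config` installs the file that carries `aurweb_db_password` with no owner, group or mode, so under the usual root umask it is created world-readable; the `create aurweb conf dir` task just before it has the same gap. Restrict it to root and the account that runs aurweb, e.g. `template: src=config.j2 dest={{ aurweb_conf_dir }}/config owner=root group={{ aurweb_user }} mode=0640` (the group has to match whichever user the php-fpm pool and the maintenance units actually run as, which this series leaves split between `aurweb` and `aur`). The `check if db is imported` task puts the same password on the mysql command line, where it is visible in the process list, and because the task lacks `no_log: true` the full command is printed in the play output whenever the query fails, which `ignore_errors: true` makes a normal outcome; pass it via `environment: { MYSQL_PWD: "{{ aurweb_db_password }}" }`, drop `-p{{ aurweb_db_password }}` from the command, and add `no_log: true`. Note also that any non-zero exit, including a transient connection failure, satisfies `when: db_imported.rc != 0` and so triggers the schema import against a possibly populated database; checking `db_imported.stdout` for the expected column header would be a tighter condition.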
diff --git a/roles/aur/templates/aurweb-git.service.j2 b/roles/aur/templates/aurweb-git.service.j2 new file mode 100644 index 00000000..adbf3a80 --- /dev/null +++ b/roles/aur/templates/aurweb-git.service.j2 @@ -0,0 +1,9 @@ +[Unit] +Description=Git gc AUR + +[Service] +Type=Oneshot +User=aur +WorkingDirectory={{ aurweb_git_dir }} +ExecStart=/usr/bin/git gc +Nice=5 diff --git a/roles/aur/templates/aurweb-git.timer.j2 b/roles/aur/templates/aurweb-git.timer.j2 new file mode 100644 index 00000000..f9576609 --- /dev/null +++ b/roles/aur/templates/aurweb-git.timer.j2 @@ -0,0 +1,8 @@ +[Unit] +Description=Git gc & repack AUR + +[Timer] +OnCalendar=daily + +[Install] +WantedBy=timers.target diff --git a/roles/aur/templates/config.j2 b/roles/aur/templates/config.j2 new file mode 100644 index 00000000..d5fd1851 --- /dev/null +++ b/roles/aur/templates/config.j2 @@ -0,0 +1,21 @@ +[database] +name = {{ aurweb_db }} +user = {{ aurweb_db_user }} +password = {{ aurweb_db_password }} + +[options] +enable-maintenance = 0 +localedir = {{ aurweb_dir }}/web/locale/ + +[serve] +repo-path = {{ aurweb_git_dir }} +git-shell-cmd = /usr/bin/sh + +[aurblup] +db-path = {{ aurweb_dir }}/aurblup +server = https://mirrors.kernel.org/archlinux/%s/os/x86_64 + +[mkpkglists] +packagesfile = {{ aurweb_dir }}/web/html/packages.gz +pkgbasefile = {{ aurweb_dir }}/web/html/pkgbase.gz +userfile = {{ aurweb_dir }}/web/html/users.gz diff --git a/roles/aur/templates/nginx.d.conf.j2 b/roles/aur/templates/nginx.d.conf.j2 new file mode 100644 index 00000000..3d40cc1e --- /dev/null +++ b/roles/aur/templates/nginx.d.conf.j2 
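Review bot: `git-shell-cmd = /usr/bin/sh` in config.j2 replaces the restricted shell that aurweb's own config.defaults uses (`/usr/bin/git-shell`, if I recall that file correctly) with a full shell. As far as I know aurweb's git-serve execs this binary with `-c` and a command string it assembles itself, so this is not an immediate hole, but git-shell would refuse anything other than the git pack commands should that command string ever become influenced by a remote user, whereas sh runs whatever it is handed; unless sh is required here, keep `git-shell-cmd = /usr/bin/git-shell`. If the choice is deliberate, a one-line comment in the template saying why would stop the next reviewer from flagging it again.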
@@ -0,0 +1,47 @@ +upstream aurweb { + server unix://{{aurweb_socket}}; +} + +server { + listen 80; + listen [::]:80; + server_name {{ aurweb_domain }}; + + access_log /var/log/nginx/{{ aurweb_domain }}/access.log main; + error_log /var/log/nginx/{{ aurweb_domain }}/error.log; + + include snippets/letsencrypt.conf; + + location / { + rewrite ^(.*) https://{{ aurweb_domain }}$1 permanent; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name {{ aurweb_domain }}; + + access_log /var/log/nginx/{{ aurweb_domain }}/access.log main; + error_log /var/log/nginx/{{ aurweb_domain }}/error.log; + + ssl_certificate /etc/letsencrypt/live/{{ aurweb_domain }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ aurweb_domain }}/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/{{ aurweb_domain }}/chain.pem; + + root {{ aurweb_dir }}/web/html; + index index.php; + + location ~ ^/[^/]+\.php($|/) { + fastcgi_pass aurweb; + fastcgi_index index.php; + fastcgi_split_path_info ^(/[^/]+\.php)(/.*)$; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + include fastcgi_params; + } + + location ~ .* { + rewrite ^/(.*)$ /index.php/$1 last; + } +} diff --git a/roles/aur/templates/php-fpm.conf.j2 b/roles/aur/templates/php-fpm.conf.j2 new file mode 100644 index 00000000..47f75ec6 --- /dev/null +++ b/roles/aur/templates/php-fpm.conf.j2 
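Review bot: The TLS server block redirects every plain-HTTP request to https but sends no HSTS header, so a client's first request to `{{ aurweb_domain }}` remains downgradable; add `add_header Strict-Transport-Security "max-age=31536000" always;` next to the `ssl_certificate` lines unless a global snippet already sets it, which I cannot see from this hunk. `ssl_trusted_certificate` is only consulted for OCSP stapling and client-certificate verification, and no `ssl_stapling on; ssl_stapling_verify on;` appears here, so either enable stapling in this block or drop the directive if the global nginx.conf handles it. The `mode=644` used by the `set up nginx` task that installs this file works because the key=value form is parsed as octal, but it is the only place in the role without the leading zero; `mode=0644` would match the other tasks.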
@@ -0,0 +1,21 @@ +[global] +error_log = syslog +daemonize = no + +[{{ aurweb_user }}] +listen = {{ aurweb_socket }} +listen.owner = {{ aurweb_user }} +listen.group = http +listen.mode = 0660 + +pm = dynamic +pm.max_children = 80 +pm.start_servers = 20 +pm.min_spare_servers = 10 +pm.max_spare_servers = 20 +pm.max_requests = 2000 + +php_admin_value[open_basedir] = {{aurweb_dir}}:/etc/aurweb/ +php_admin_value[upload_tmp_dir] = {{ aurweb_dir }}/uploads +php_admin_value[session.save_path] = {{ aurweb_dir }}/sessions +env[TMPDIR] = {{ aurweb_dir }}/uploads -- GitLab From 85a8f883aeddf64f1fd9a13b0b62076b78faa66f Mon Sep 17 00:00:00 2001 From: Jelle van der Waa Date: Sun, 2 Dec 2018 21:13:40 +0100 Subject: [PATCH 02/42] install sshd_config --- roles/aur/handlers/main.yml | 3 + roles/aur/tasks/main.yml | 5 ++ roles/aur/templates/sshd_config.j2 | 127 +++++++++++++++++++++++++++++ 3 files changed, 135 insertions(+) create mode 100644 roles/aur/templates/sshd_config.j2 diff --git a/roles/aur/handlers/main.yml b/roles/aur/handlers/main.yml index 1793138f..1ca0c5e5 100644 --- a/roles/aur/handlers/main.yml +++ b/roles/aur/handlers/main.yml @@ -5,3 +5,6 @@ - name: restart php-fpm@aurweb service: name=php-fpm@{{ aurweb_user }} state=restarted + +- name: restart sshd + service: name=sshd state=restarted diff --git a/roles/aur/tasks/main.yml b/roles/aur/tasks/main.yml index d0e3de0f..5d4df8ab 100644 --- a/roles/aur/tasks/main.yml +++ b/roles/aur/tasks/main.yml @@ -170,3 +170,8 @@ - name: start and enable AUR git gc timer service: name=aurweb-git.timer enabled=yes state=started + +- name: configure sshd + template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644 validate='/usr/sbin/sshd -t -f %s' + notify: + - restart sshd diff --git a/roles/aur/templates/sshd_config.j2 b/roles/aur/templates/sshd_config.j2 new file mode 100644 index 00000000..19787d12 --- /dev/null +++ b/roles/aur/templates/sshd_config.j2 
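Review bot: `php_admin_value[open_basedir] = {{aurweb_dir}}:/etc/aurweb/` hardcodes the config path even though the role exposes it as `aurweb_conf_dir`, so overriding that variable leaves PHP unable to read its own configuration under open_basedir; use `php_admin_value[open_basedir] = {{ aurweb_dir }}:{{ aurweb_conf_dir }}/`. The pool also points `upload_tmp_dir`, `session.save_path` and `TMPDIR` at `{{ aurweb_dir }}/uploads` and `{{ aurweb_dir }}/sessions`, but no task in the series creates those directories; unless the aurweb checkout ships them, add a `file: path={{ aurweb_dir }}/{{ item }} state=directory owner={{ aurweb_user }} group=http mode=0750` task to tasks/main.yml with `with_items: [uploads, sessions]`, since session files living under the web root should not be readable by anyone else. `listen.mode = 0660` with `listen.group = http` is the right shape for the nginx side of the socket.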
@@ -0,0 +1,127 @@ +# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Ciphers and keying +#RekeyLimit default none + +# Logging +#SyslogFacility AUTH +LogLevel VERBOSE + +# Authentication: + +#LoginGraceTime 2m +#PermitRootLogin prohibit-password +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! 
+PasswordAuthentication no +#PermitEmptyPasswords no + +# Change to no to disable s/key passwords +ChallengeResponseAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +#X11Forwarding no +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +PrintMotd no # pam does that +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS no +#PidFile /run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# override default of no subsystems +Subsystem sftp /usr/lib/ssh/sftp-server + +# unlink forwarded sockets; for gpg agent forwarding +StreamLocalBindUnlink yes + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server + +Match User aur + PasswordAuthentication no + AuthorizedKeysCommand /usr/local/bin/aurweb-git-auth "%t" "%k" + AuthorizedKeysCommandUser aur + AcceptEnv AUR_OVERWRITE -- GitLab 
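Review bot: The `Match User aur` block hands every AUR uploader's key a login to one shared account but restricts nothing beyond `PasswordAuthentication no`, which only repeats the global setting a few lines up. Unless the key options emitted by `aurweb-git-auth` are known to carry `restrict`/`no-pty`-style flags (I cannot tell from this hunk), add `AllowTcpForwarding no`, `AllowAgentForwarding no` and `PermitTTY no` inside the Match block so the account cannot serve as a forwarding pivot or obtain a terminal even if those key options are ever loosened. The `aur` account itself is not created anywhere in this series (the role creates `{{ aurweb_user }}`), so the Match block, `AuthorizedKeysCommandUser aur` and the units' `User=aur` all depend on it existing out of band; a comment above the block naming where that user comes from would document the dependency.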
From 850e278b4412c7150b3984587279226c980f209f Mon Sep 17 00:00:00 2001 
From: Giancarlo Razzolini Date: Thu, 6 Feb 2020 14:23:15 -0300 Subject: [PATCH 03/42] roles/aurweb: Rename the role to aurweb To make things consistent, rename the role to aurweb. --- roles/aurweb/defaults/main.yml | 17 ++ roles/aurweb/files/aurweb-aurblup.service | 9 + roles/aurweb/files/aurweb-aurblup.timer | 9 + roles/aurweb/files/aurweb-mkpkglists.service | 9 + roles/aurweb/files/aurweb-mkpkglists.timer | 9 + roles/aurweb/files/aurweb-pkgmaint.service | 9 + roles/aurweb/files/aurweb-pkgmaint.timer | 9 + roles/aurweb/files/aurweb-popupdate.service | 9 + roles/aurweb/files/aurweb-popupdate.timer | 9 + .../files/aurweb-tuvotereminder.service | 9 + .../aurweb/files/aurweb-tuvotereminder.timer | 9 + roles/aurweb/handlers/main.yml | 10 + roles/aurweb/tasks/main.yml | 177 ++++++++++++++++++ roles/aurweb/templates/aurweb-git.service.j2 | 9 + roles/aurweb/templates/aurweb-git.timer.j2 | 8 + roles/aurweb/templates/config.j2 | 21 +++ roles/aurweb/templates/nginx.d.conf.j2 | 47 +++++ roles/aurweb/templates/php-fpm.conf.j2 | 21 +++ roles/aurweb/templates/sshd_config.j2 | 127 +++++++++++++ 19 files changed, 527 insertions(+) create mode 100644 roles/aurweb/defaults/main.yml create mode 100644 roles/aurweb/files/aurweb-aurblup.service create mode 100644 roles/aurweb/files/aurweb-aurblup.timer create mode 100644 roles/aurweb/files/aurweb-mkpkglists.service create mode 100644 roles/aurweb/files/aurweb-mkpkglists.timer create mode 100644 roles/aurweb/files/aurweb-pkgmaint.service create mode 100644 roles/aurweb/files/aurweb-pkgmaint.timer create mode 100644 roles/aurweb/files/aurweb-popupdate.service create mode 100644 roles/aurweb/files/aurweb-popupdate.timer create mode 100644 roles/aurweb/files/aurweb-tuvotereminder.service create mode 100644 roles/aurweb/files/aurweb-tuvotereminder.timer create mode 100644 roles/aurweb/handlers/main.yml create mode 100644 roles/aurweb/tasks/main.yml create mode 100644 roles/aurweb/templates/aurweb-git.service.j2 create mode 100644 
roles/aurweb/templates/aurweb-git.timer.j2 create mode 100644 roles/aurweb/templates/config.j2 create mode 100644 roles/aurweb/templates/nginx.d.conf.j2 create mode 100644 roles/aurweb/templates/php-fpm.conf.j2 create mode 100644 roles/aurweb/templates/sshd_config.j2 diff --git a/roles/aurweb/defaults/main.yml b/roles/aurweb/defaults/main.yml new file mode 100644 index 00000000..603dd010 --- /dev/null +++ b/roles/aurweb/defaults/main.yml @@ -0,0 +1,17 @@ +--- + +aurweb_domain: 'aur.archlinux.org' +aurweb_repository: 'https://git.archlinux.org/aurweb.git' +aurweb_dir: '/srv/http/aurweb' +aurweb_conf_dir: '/etc/aurweb' +aurweb_git_dir: "{{ aurweb_dir }}/aur.git" +aurweb_git_hook: '/usr/local/bin/aurweb-git-update' +aurweb_version: 'live' + +aurweb_db: 'aur' +aurweb_db_host: 'localhost' +aurweb_db_user: 'aur' +aurweb_db_password: 'aur' + +aurweb_user: 'aurweb' +aurweb_socket: '/run/php-fpm/{{aurweb_user}}.socket' diff --git a/roles/aurweb/files/aurweb-aurblup.service b/roles/aurweb/files/aurweb-aurblup.service new file mode 100644 index 00000000..d3d007c9 --- /dev/null +++ b/roles/aurweb/files/aurweb-aurblup.service @@ -0,0 +1,9 @@ +[Unit] +Description=Update aurweb blacklist +Requires=mysqld.service +After=mysqld.service + +[Service] +Type=Oneshot +User=aur +ExecStart=/usr/local/bin/aurweb-aurblup diff --git a/roles/aurweb/files/aurweb-aurblup.timer b/roles/aurweb/files/aurweb-aurblup.timer new file mode 100644 index 00000000..48db8acc --- /dev/null +++ b/roles/aurweb/files/aurweb-aurblup.timer @@ -0,0 +1,9 @@ +[Unit] +Description=Update aurweb blacklist + +[Timer] +OnStartupSec=2h +OnUnitActiveSec=2h + +[Install] +WantedBy=timers.target diff --git a/roles/aurweb/files/aurweb-mkpkglists.service b/roles/aurweb/files/aurweb-mkpkglists.service new file mode 100644 index 00000000..b0f6c44d --- /dev/null +++ b/roles/aurweb/files/aurweb-mkpkglists.service 
@@ -0,0 +1,9 @@ +[Unit] +Description=Regenerate aurweb package and user lists +Requires=mysqld.service +After=mysqld.service + +[Service] +Type=Oneshot +User=aur +ExecStart=/usr/local/bin/aurweb-mkpkglists diff --git a/roles/aurweb/files/aurweb-mkpkglists.timer b/roles/aurweb/files/aurweb-mkpkglists.timer new file mode 100644 index 00000000..b1ee108c --- /dev/null +++ b/roles/aurweb/files/aurweb-mkpkglists.timer @@ -0,0 +1,9 @@ +[Unit] +Description=Regenerate aurweb package and user lists + +[Timer] +OnStartupSec=5m +OnUnitActiveSec=5m + +[Install] +WantedBy=timers.target diff --git a/roles/aurweb/files/aurweb-pkgmaint.service b/roles/aurweb/files/aurweb-pkgmaint.service new file mode 100644 index 00000000..83ba2a4c --- /dev/null +++ b/roles/aurweb/files/aurweb-pkgmaint.service @@ -0,0 +1,9 @@ +[Unit] +Description=Delete old, empty reserved aurweb pkgbases +Requires=mysqld.service +After=mysqld.service + +[Service] +Type=Oneshot +User=aur +ExecStart=/usr/local/bin/aurweb-pkgmaint diff --git a/roles/aurweb/files/aurweb-pkgmaint.timer b/roles/aurweb/files/aurweb-pkgmaint.timer new file mode 100644 index 00000000..a2975310 --- /dev/null +++ b/roles/aurweb/files/aurweb-pkgmaint.timer @@ -0,0 +1,9 @@ +[Unit] +Description=Delete old, empty reserved aurweb pkgbases + +[Timer] +OnStartupSec=2h +OnUnitActiveSec=2h + +[Install] +WantedBy=timers.target diff --git a/roles/aurweb/files/aurweb-popupdate.service b/roles/aurweb/files/aurweb-popupdate.service new file mode 100644 index 00000000..8850eec8 --- /dev/null +++ b/roles/aurweb/files/aurweb-popupdate.service @@ -0,0 +1,9 @@ +[Unit] +Description=Update aurweb per-package popularity counts +Requires=mysqld.service +After=mysqld.service + +[Service] +Type=Oneshot +User=aur +ExecStart=/usr/local/bin/aurweb-popupdate diff --git a/roles/aurweb/files/aurweb-popupdate.timer b/roles/aurweb/files/aurweb-popupdate.timer new file mode 100644 index 00000000..69805f09 --- /dev/null +++ b/roles/aurweb/files/aurweb-popupdate.timer 
@@ -0,0 +1,9 @@ +[Unit] +Description=Update aurweb per-package popularity counts + +[Timer] +OnStartupSec=2h +OnUnitActiveSec=2h + +[Install] +WantedBy=timers.target diff --git a/roles/aurweb/files/aurweb-tuvotereminder.service b/roles/aurweb/files/aurweb-tuvotereminder.service new file mode 100644 index 00000000..b66859f0 --- /dev/null +++ b/roles/aurweb/files/aurweb-tuvotereminder.service @@ -0,0 +1,9 @@ +[Unit] +Description=Send aurweb TU vote reminder emails +Requires=mysqld.service +After=mysqld.service + +[Service] +Type=Oneshot +User=aur +ExecStart=/usr/local/bin/aurweb-tuvotereminder diff --git a/roles/aurweb/files/aurweb-tuvotereminder.timer b/roles/aurweb/files/aurweb-tuvotereminder.timer new file mode 100644 index 00000000..c22b99e1 --- /dev/null +++ b/roles/aurweb/files/aurweb-tuvotereminder.timer @@ -0,0 +1,9 @@ +[Unit] +Description=Send aurweb TU vote reminder emails + +[Timer] +OnStartupSec=12h +OnUnitActiveSec=12h + +[Install] +WantedBy=timers.target diff --git a/roles/aurweb/handlers/main.yml b/roles/aurweb/handlers/main.yml new file mode 100644 index 00000000..1ca0c5e5 --- /dev/null +++ b/roles/aurweb/handlers/main.yml @@ -0,0 +1,10 @@ +--- + +- name: daemon reload + command: systemctl daemon-reload + +- name: restart php-fpm@aurweb + service: name=php-fpm@{{ aurweb_user }} state=restarted + +- name: restart sshd + service: name=sshd state=restarted diff --git a/roles/aurweb/tasks/main.yml b/roles/aurweb/tasks/main.yml new file mode 100644 index 00000000..5d4df8ab --- /dev/null +++ b/roles/aurweb/tasks/main.yml 
@@ -0,0 +1,177 @@
+---
+- name: install required packages
+ pacman: name=git,sudo,python-mysql-connector,python-pygit2,python-srcinfo,python-bleach,python-markdown,make,asciidoc state=present
+
+- name: make aur user
+ user: name="{{ aurweb_user }}" shell=/bin/bash createhome=yes
+
+- name: Create directory
+ file: path={{ aurweb_dir }} state=directory owner={{aurweb_user}} group=http mode=0775
+
+- name: clone aurweb repo
+ git: >
+ repo={{ aurweb_repository }}
+ dest="{{ aurweb_dir }}"
+ version={{ aurweb_version }}
+ become: true
+ become_user: "{{aurweb_user}}"
+ register: release
+
+- name: create aur db
+ mysql_db: name="{{ aurweb_db }}" login_host="{{ aurweb_db_host }}" login_password="{{ mariadb_users.root }}" encoding=utf8
+ register: db_created
+
+- name: create aur db user
+ mysql_user: name={{ aurweb_db_user }} password={{ aurweb_db_password }}
+ login_host="{{ aurweb_db_host }}" login_password="{{ mariadb_users.root }}"
+ priv="{{ aurweb_db }}.*:ALL"
+
+- name: enable innodb_large_prefix
+ mysql_variables:
+ login_host: "{{ aurweb_db_host }}"
+ login_password: "{{ mariadb_users.root }}"
+ variable: innodb_large_prefix
+ value: 1
+
+- name: enable innodb_file_format
+ mysql_variables:
+ login_host: "{{ aurweb_db_host }}"
+ login_password: "{{ mariadb_users.root }}"
+ variable: innodb_file_format
+ value: Barracuda
+
+- name: check if db is imported
+ shell: mysql -u {{ aurweb_db_user }} -p{{ aurweb_db_password }} -e "SELECT ID FROM Users" {{ aurweb_db }}
+ ignore_errors: true
+ register: db_imported
+
+- name: import aur sql db
+ mysql_db:
+ state: import
+ name: "{{ aurweb_db }}"
+ login_host: "{{ aurweb_db_host }}"
+ login_password: "{{ mariadb_users.root }}"
+ target: "{{ aurweb_dir }}/schema/aur-schema.sql"
+ when: db_imported.rc != 0
+
+- name: create aurweb conf dir
+ file: path={{ aurweb_conf_dir }} state=directory
+
+- name: copy aurweb configuration file
+ copy: src={{ aurweb_dir }}/conf/config.defaults dest={{ aurweb_conf_dir }}/config.defaults remote_src=yes
+
+- name: install custom aurweb configuration
+ template: src=config.j2 dest={{ aurweb_conf_dir }}/config
+
+- name: Install python module
+ shell: "python3 setup.py install --install-scripts=/usr/local/bin"
+ args:
+ chdir: "{{ aurweb_dir }}"
+
+- name: Generate HTML documentation
+ make:
+ chdir: "{{ aurweb_dir }}/doc"
+ become: true
+ become_user: "{{aurweb_user}}"
+
+- name: set up nginx
+ template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/aurweb.conf owner=root group=root mode=644
+ notify: reload nginx
+ tags: ['nginx']
+
+- name: make nginx log dir
+ file: path=/var/log/nginx/{{ aurweb_domain }} state=directory owner=root group=root mode=0755
+
+- name: configure php-fpm
+ template:
+ src=php-fpm.conf.j2 dest="/etc/php/php-fpm.d/{{ aurweb_user }}.conf"
+ owner=root group=root mode=0644
+ notify:
+ - restart php-fpm@{{ aurweb_user }}
+
+- name: start and enable systemd socket
+ service: name=php-fpm@{{ aurweb_user }}.socket state=started enabled=true
+
+- name: create git repo dir
+ file: path={{ aurweb_git_dir }} state=directory owner={{aurweb_user}} group=http mode=0775
+
+- name: init git directory
+ command: git init --bare {{ aurweb_git_dir }}
+ args:
+ creates: "{{ aurweb_git_dir }}/HEAD"
+ become: true
+ become_user: "{{aurweb_user}}"
+
+- shell: git config --local --get-all transfer.hideRefs
+ register: git_config
+ args:
+ chdir: "{{ aurweb_git_dir }}"
+ failed_when: git_config.rc == 2 # FIXME: does not work.
+
+- name: configure git tranfser.hideRefs
+ command: git config --local transfer.hideRefs '^refs/'
+ args:
+ chdir: "{{ aurweb_git_dir }}"
+ become: true
+ become_user: "{{aurweb_user}}"
+ when: git_config.stdout.find('^refs/') == -1
+
+
+- name: configure git transfer.hideRefs second
+ command: git config --local --add transfer.hideRefs '!refs/'
+ args:
+ chdir: "{{ aurweb_git_dir }}"
+ become: true
+ become_user: "{{aurweb_user}}"
+ when: git_config.stdout.find('!refs/') == -1
+
+- name: configure git transfer.hideRefs third
+ command: git config --local --add transfer.hideRefs '!HEAD'
+ args:
+ chdir: "{{ aurweb_git_dir }}"
+ become: true
+ become_user: "{{aurweb_user}}"
+ when: git_config.stdout.find('!HEAD') == -1
+
+- name: create symlink for git hook
+ file:
+ src: "{{ aurweb_git_hook }}"
+ dest: "{{ aurweb_git_dir }}/hooks/update"
+ state: link
+
+- name: install AUR maintenance services/timers
+ copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
+ with_items:
+ - aurweb-aurblup.service
+ - aurweb-aurblup.timer
+ - aurweb-mkpkglists.service
+ - aurweb-mkpkglists.timer
+ - aurweb-pkgmaint.service
+ - aurweb-pkgmaint.timer
+ - aurweb-popupdate.service
+ - aurweb-popupdate.timer
+ - aurweb-tuvotereminder.service
+ - aurweb-tuvotereminder.timer
+
+- name: start and enable AUR maintenance timers
+ service: name={{ item }} enabled=yes state=started
+ with_items:
+ - aurweb-aurblup.timer
+ - aurweb-mkpkglists.timer
+ - aurweb-pkgmaint.timer
+ - aurweb-popupdate.timer
+ - aurweb-tuvotereminder.timer
+
+- name: install AUR git gc service/timer
+ template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
+ with_items:
+ - aurweb-git.service
+ - aurweb-git.timer
+
+- name: start and enable AUR git gc timer
+ service: name=aurweb-git.timer enabled=yes state=started
+
+- name: configure sshd
+ template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644 validate='/usr/sbin/sshd -t -f %s'
+ notify:
+ - restart sshd
diff --git a/roles/aurweb/templates/aurweb-git.service.j2 b/roles/aurweb/templates/aurweb-git.service.j2
new file mode 100644
index 00000000..adbf3a80
--- /dev/null
+++ b/roles/aurweb/templates/aurweb-git.service.j2
@@ -0,0 +1,9 @@
+[Unit]
+Description=Git gc AUR
+
+[Service]
+Type=Oneshot
+User=aur
+WorkingDirectory={{ aurweb_git_dir }}
+ExecStart=/usr/bin/git gc
+Nice=5
diff --git a/roles/aurweb/templates/aurweb-git.timer.j2 b/roles/aurweb/templates/aurweb-git.timer.j2
new file mode 100644
index 00000000..f9576609
--- /dev/null
+++ b/roles/aurweb/templates/aurweb-git.timer.j2
@@ -0,0 +1,8 @@
+[Unit]
+Description=Git gc & repack AUR
+
+[Timer]
+OnCalendar=daily
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/aurweb/templates/config.j2 b/roles/aurweb/templates/config.j2
new file mode 100644
index 00000000..d5fd1851
--- /dev/null
+++ b/roles/aurweb/templates/config.j2
@@ -0,0 +1,21 @@
+[database]
+name = {{ aurweb_db }}
+user = {{ aurweb_db_user }}
+password = {{ aurweb_db_password }}
+
+[options]
+enable-maintenance = 0
+localedir = {{ aurweb_dir }}/web/locale/
+
+[serve]
+repo-path = {{ aurweb_git_dir }}
+git-shell-cmd = /usr/bin/sh
+
+[aurblup]
+db-path = {{ aurweb_dir }}/aurblup
+server = https://mirrors.kernel.org/archlinux/%s/os/x86_64
+
+[mkpkglists]
+packagesfile = {{ aurweb_dir }}/web/html/packages.gz
+pkgbasefile = {{ aurweb_dir }}/web/html/pkgbase.gz
+userfile = {{ aurweb_dir }}/web/html/users.gz
diff --git a/roles/aurweb/templates/nginx.d.conf.j2 b/roles/aurweb/templates/nginx.d.conf.j2
new file mode 100644
index 00000000..3d40cc1e
--- /dev/null
+++ b/roles/aurweb/templates/nginx.d.conf.j2
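Review bot: `Install python module` runs `python3 setup.py install` as root from `{{ aurweb_dir }}`, which `Create directory` makes group-writable (`owner={{aurweb_user}} group=http mode=0775`) and which `clone aurweb repo` populates as the unprivileged service user; anyone who can write to that tree (the service user, and the php-fpm workers if they run in the `http` group) gets their changes executed as root on the next playbook run. Build as `aurweb_user` and copy only the artifacts as root, or at least drop the group write bit with `mode=0755`; the same `0775`/`group=http` applies to `create git repo dir`. `check if db is imported` puts the database password on the mysql command line (`-p{{ aurweb_db_password }}`), where it shows up in the process list and in Ansible's task output; `no_log: true` on this task and on `create aur db user` is the minimum, and a `--defaults-extra-file` keeps it off the command line entirely. `install custom aurweb configuration` writes the DB credentials into `{{ aurweb_conf_dir }}/config` with no `owner`/`mode`, so the file ends up world-readable; `owner=root group={{ aurweb_user }} mode=0640` would match how it is consumed. The `register: release` and `register: db_created` results are never used, and the task name `configure git tranfser.hideRefs` has a typo.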
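Review bot: `git-shell-cmd = /usr/bin/sh` in the `[serve]` section overrides aurweb's shipped config.defaults, which (if I recall it correctly) points at git-shell; git-shell only executes the git pack commands, whereas `sh -c` will run whatever command string aurweb's serve path hands it, so this widens what a bug in that path can do and should stay on git-shell unless the host genuinely lacks it, in which case a comment in the template should say so. `server = https://mirrors.kernel.org/archlinux/%s/os/x86_64` hard-codes the external mirror that aurblup trusts for the blacklist; exposing it as a role variable lets operators point it at a mirror they control.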
@@ -0,0 +1,47 @@
+upstream aurweb {
+ server unix://{{aurweb_socket}};
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name {{ aurweb_domain }};
+
+ access_log /var/log/nginx/{{ aurweb_domain }}/access.log main;
+ error_log /var/log/nginx/{{ aurweb_domain }}/error.log;
+
+ include snippets/letsencrypt.conf;
+
+ location / {
+ rewrite ^(.*) https://{{ aurweb_domain }}$1 permanent;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {{ aurweb_domain }};
+
+ access_log /var/log/nginx/{{ aurweb_domain }}/access.log main;
+ error_log /var/log/nginx/{{ aurweb_domain }}/error.log;
+
+ ssl_certificate /etc/letsencrypt/live/{{ aurweb_domain }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ aurweb_domain }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ aurweb_domain }}/chain.pem;
+
+ root {{ aurweb_dir }}/web/html;
+ index index.php;
+
+ location ~ ^/[^/]+\.php($|/) {
+ fastcgi_pass aurweb;
+ fastcgi_index index.php;
+ fastcgi_split_path_info ^(/[^/]+\.php)(/.*)$;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ include fastcgi_params;
+ }
+
+ location ~ .* {
+ rewrite ^/(.*)$ /index.php/$1 last;
+ }
+}
diff --git a/roles/aurweb/templates/php-fpm.conf.j2 b/roles/aurweb/templates/php-fpm.conf.j2
new file mode 100644
index 00000000..47f75ec6
--- /dev/null
+++ b/roles/aurweb/templates/php-fpm.conf.j2
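Review bot: The TLS server block sends no `Strict-Transport-Security` header, so a client that once reached the site over plain HTTP can keep being redirected through it; `add_header Strict-Transport-Security "max-age=31536000" always;` next to the `ssl_certificate` lines fixes that unless snippets/letsencrypt.conf or a global include already adds it (not visible here). The port-80 `rewrite ^(.*) https://{{ aurweb_domain }}$1 permanent;` works, but `return 301 https://{{ aurweb_domain }}$request_uri;` is the idiomatic and cheaper form. The catch-all `location ~ .*` pushes every path, including static assets under `web/html`, through index.php; if aurweb's router does not itself serve those files, `try_files $uri /index.php$uri;` would serve existing files directly and route only unknown paths to PHP.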
@@ -0,0 +1,21 @@
+[global]
+error_log = syslog
+daemonize = no
+
+[{{ aurweb_user }}]
+listen = {{ aurweb_socket }}
+listen.owner = {{ aurweb_user }}
+listen.group = http
+listen.mode = 0660
+
+pm = dynamic
+pm.max_children = 80
+pm.start_servers = 20
+pm.min_spare_servers = 10
+pm.max_spare_servers = 20
+pm.max_requests = 2000
+
+php_admin_value[open_basedir] = {{aurweb_dir}}:/etc/aurweb/
+php_admin_value[upload_tmp_dir] = {{ aurweb_dir }}/uploads
+php_admin_value[session.save_path] = {{ aurweb_dir }}/sessions
+env[TMPDIR] = {{ aurweb_dir }}/uploads
diff --git a/roles/aurweb/templates/sshd_config.j2 b/roles/aurweb/templates/sshd_config.j2
new file mode 100644
index 00000000..19787d12
--- /dev/null
+++ b/roles/aurweb/templates/sshd_config.j2
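Review bot: The `[{{ aurweb_user }}]` pool sets `listen.owner`/`listen.group` but no `user =`/`group =`, so the workers run as php-fpm's global default account rather than as `aurweb_user`, while `session.save_path` and `upload_tmp_dir` point into `{{ aurweb_dir }}`, which tasks/main.yml creates as `{{ aurweb_user }}:http` with mode 0775; stating `user = {{ aurweb_user }}` and `group = http` makes the pool identity explicit and is what the file-ownership story here relies on. Neither `{{ aurweb_dir }}/uploads` nor `{{ aurweb_dir }}/sessions` is created anywhere in tasks/main.yml, so sessions and uploads fail until someone creates the directories by hand; a `file: state=directory mode=0700` task owned by the pool user is missing. `open_basedir` hard-codes `/etc/aurweb/` although the role has `aurweb_conf_dir`; `{{ aurweb_conf_dir }}/` keeps the two from drifting.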
@@ -0,0 +1,127 @@
+# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+LogLevel VERBOSE
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no # pam does that
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/ssh/sftp-server
+
+# unlink forwarded sockets; for gpg agent forwarding
+StreamLocalBindUnlink yes
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+
+Match User aur
+ PasswordAuthentication no
+ AuthorizedKeysCommand /usr/local/bin/aurweb-git-auth "%t" "%k"
+ AuthorizedKeysCommandUser aur
+ AcceptEnv AUR_OVERWRITE
-- GitLab
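Review bot: `Match User aur` and `AuthorizedKeysCommandUser aur` hard-code the account while the rest of the role derives it from `aurweb_user` (which the defaults deleted further down this page set to `aurweb`); with those defaults the Match block never applies and sshd has no user to run the command as, so both should render `{{ aurweb_user }}`. The block also leaves the git-push account with the global defaults for TCP, agent and X11 forwarding, PTY allocation and the sftp subsystem; aurweb-git-auth probably emits restricting key options (worth confirming), but `AllowTcpForwarding no`, `AllowAgentForwarding no`, `X11Forwarding no`, `PermitTTY no` and `PermitTunnel no` inside the Match block cost nothing and still hold if a key line is ever emitted without them. The `PasswordAuthentication no` inside the block only repeats the global setting. Templating the whole /etc/ssh/sshd_config from an application role also means any other role that manages sshd on the same host will fight with this one; a shared sshd role that owns the file and accepts per-host Match blocks is the safer split.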
From f6bf5165cfaeed06f4f411bc4b45fc8bf1aa463d Mon Sep 17 00:00:00 2001 
From: Giancarlo Razzolini Date: Thu, 6 Feb 2020 14:24:29 -0300 Subject: [PATCH 04/42] roles/aur: Renamed to aurweb. Renamed to aurweb --- roles/aur/defaults/main.yml | 17 -- roles/aur/files/aurweb-aurblup.service | 9 - roles/aur/files/aurweb-aurblup.timer | 9 - roles/aur/files/aurweb-mkpkglists.service | 9 - roles/aur/files/aurweb-mkpkglists.timer | 9 - roles/aur/files/aurweb-pkgmaint.service | 9 - roles/aur/files/aurweb-pkgmaint.timer | 9 - roles/aur/files/aurweb-popupdate.service | 9 - roles/aur/files/aurweb-popupdate.timer | 9 - roles/aur/files/aurweb-tuvotereminder.service | 9 - roles/aur/files/aurweb-tuvotereminder.timer | 9 - roles/aur/handlers/main.yml | 10 - roles/aur/tasks/main.yml | 177 ------------------ roles/aur/templates/aurweb-git.service.j2 | 9 - roles/aur/templates/aurweb-git.timer.j2 | 8 - roles/aur/templates/config.j2 | 21 --- roles/aur/templates/nginx.d.conf.j2 | 47 ----- roles/aur/templates/php-fpm.conf.j2 | 21 --- roles/aur/templates/sshd_config.j2 | 127 ------------- 19 files changed, 527 deletions(-) delete mode 100644 roles/aur/defaults/main.yml delete mode 100644 roles/aur/files/aurweb-aurblup.service delete mode 100644 roles/aur/files/aurweb-aurblup.timer delete mode 100644 roles/aur/files/aurweb-mkpkglists.service delete mode 100644 roles/aur/files/aurweb-mkpkglists.timer delete mode 100644 roles/aur/files/aurweb-pkgmaint.service delete mode 100644 roles/aur/files/aurweb-pkgmaint.timer delete mode 100644 roles/aur/files/aurweb-popupdate.service delete mode 100644 roles/aur/files/aurweb-popupdate.timer delete mode 100644 roles/aur/files/aurweb-tuvotereminder.service delete mode 100644 roles/aur/files/aurweb-tuvotereminder.timer delete mode 100644 roles/aur/handlers/main.yml delete mode 100644 roles/aur/tasks/main.yml delete mode 100644 roles/aur/templates/aurweb-git.service.j2 delete mode 100644 roles/aur/templates/aurweb-git.timer.j2 delete mode 100644 roles/aur/templates/config.j2 delete mode 100644 roles/aur/templates/nginx.d.conf.j2 
delete mode 100644 roles/aur/templates/php-fpm.conf.j2 delete mode 100644 roles/aur/templates/sshd_config.j2
diff --git a/roles/aur/defaults/main.yml b/roles/aur/defaults/main.yml
deleted file mode 100644
index 361ab43a..00000000
--- a/roles/aur/defaults/main.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-
-aurweb_domain: 'www.aur.archlinux.org'
-aurweb_repository: 'https://git.archlinux.org/aurweb.git'
-aurweb_dir: '/srv/http/aurweb'
-aurweb_conf_dir: '/etc/aurweb'
-aurweb_git_dir: "{{ aurweb_dir }}/aur.git"
-aurweb_git_hook: '/usr/local/bin/aurweb-git-update'
-aurweb_version: 'master'
-
-aurweb_db: 'aur'
-aurweb_db_host: 'localhost'
-aurweb_db_user: 'aur'
-aurweb_db_password: 'aur'
-
-aurweb_user: 'aurweb'
-aurweb_socket: '/run/php-fpm/{{aurweb_user}}.socket'
diff --git a/roles/aur/files/aurweb-aurblup.service b/roles/aur/files/aurweb-aurblup.service
deleted file mode 100644
index d3d007c9..00000000
--- a/roles/aur/files/aurweb-aurblup.service
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=Update aurweb blacklist
-Requires=mysqld.service
-After=mysqld.service
-
-[Service]
-Type=Oneshot
-User=aur
-ExecStart=/usr/local/bin/aurweb-aurblup
diff --git a/roles/aur/files/aurweb-aurblup.timer b/roles/aur/files/aurweb-aurblup.timer
deleted file mode 100644
index 48db8acc..00000000
--- a/roles/aur/files/aurweb-aurblup.timer
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=Update aurweb blacklist
-
-[Timer]
-OnStartupSec=2h
-OnUnitActiveSec=2h
-
-[Install]
-WantedBy=timers.target
diff --git a/roles/aur/files/aurweb-mkpkglists.service b/roles/aur/files/aurweb-mkpkglists.service
deleted file mode 100644
index b0f6c44d..00000000
--- a/roles/aur/files/aurweb-mkpkglists.service
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=Regenerate aurweb package and user lists
-Requires=mysqld.service
-After=mysqld.service
-
-[Service]
-Type=Oneshot
-User=aur
-ExecStart=/usr/local/bin/aurweb-mkpkglists
diff --git a/roles/aur/files/aurweb-mkpkglists.timer b/roles/aur/files/aurweb-mkpkglists.timer
deleted file mode 100644
index b1ee108c..00000000
--- a/roles/aur/files/aurweb-mkpkglists.timer
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=Regenerate aurweb package and user lists
-
-[Timer]
-OnStartupSec=5m
-OnUnitActiveSec=5m
-
-[Install]
-WantedBy=timers.target
diff --git a/roles/aur/files/aurweb-pkgmaint.service b/roles/aur/files/aurweb-pkgmaint.service
deleted file mode 100644
index 83ba2a4c..00000000
--- a/roles/aur/files/aurweb-pkgmaint.service
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=Delete old, empty reserved aurweb pkgbases
-Requires=mysqld.service
-After=mysqld.service
-
-[Service]
-Type=Oneshot
-User=aur
-ExecStart=/usr/local/bin/aurweb-pkgmaint
diff --git a/roles/aur/files/aurweb-pkgmaint.timer b/roles/aur/files/aurweb-pkgmaint.timer
deleted file mode 100644
index a2975310..00000000
--- a/roles/aur/files/aurweb-pkgmaint.timer
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=Delete old, empty reserved aurweb pkgbases
-
-[Timer]
-OnStartupSec=2h
-OnUnitActiveSec=2h
-
-[Install]
-WantedBy=timers.target
diff --git a/roles/aur/files/aurweb-popupdate.service b/roles/aur/files/aurweb-popupdate.service
deleted file mode 100644
index 8850eec8..00000000
--- a/roles/aur/files/aurweb-popupdate.service
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=Update aurweb per-package popularity counts
-Requires=mysqld.service
-After=mysqld.service
-
-[Service]
-Type=Oneshot
-User=aur
-ExecStart=/usr/local/bin/aurweb-popupdate
diff --git a/roles/aur/files/aurweb-popupdate.timer b/roles/aur/files/aurweb-popupdate.timer
deleted file mode 100644
index 69805f09..00000000
--- a/roles/aur/files/aurweb-popupdate.timer
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=Update aurweb per-package popularity counts
-
-[Timer]
-OnStartupSec=2h
-OnUnitActiveSec=2h
-
-[Install]
-WantedBy=timers.target
diff --git a/roles/aur/files/aurweb-tuvotereminder.service b/roles/aur/files/aurweb-tuvotereminder.service
deleted file mode 100644
index b66859f0..00000000
--- a/roles/aur/files/aurweb-tuvotereminder.service
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=Send aurweb TU vote reminder emails
-Requires=mysqld.service
-After=mysqld.service
-
-[Service]
-Type=Oneshot
-User=aur
-ExecStart=/usr/local/bin/aurweb-tuvotereminder
diff --git a/roles/aur/files/aurweb-tuvotereminder.timer b/roles/aur/files/aurweb-tuvotereminder.timer
deleted file mode 100644
index c22b99e1..00000000
--- a/roles/aur/files/aurweb-tuvotereminder.timer
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=Send aurweb TU vote reminder emails
-
-[Timer]
-OnStartupSec=12h
-OnUnitActiveSec=12h
-
-[Install]
-WantedBy=timers.target
diff --git a/roles/aur/handlers/main.yml b/roles/aur/handlers/main.yml
deleted file mode 100644
index 1ca0c5e5..00000000
--- a/roles/aur/handlers/main.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-
-- name: daemon reload
- command: systemctl daemon-reload
-
-- name: restart php-fpm@aurweb
- service: name=php-fpm@{{ aurweb_user }} state=restarted
-
-- name: restart sshd
- service: name=sshd state=restarted
diff --git a/roles/aur/tasks/main.yml b/roles/aur/tasks/main.yml
deleted file mode 100644
index 5d4df8ab..00000000
--- a/roles/aur/tasks/main.yml
+++ /dev/null
@@ -1,177 +0,0 @@
----
-- name: install required packages
- pacman: name=git,sudo,python-mysql-connector,python-pygit2,python-srcinfo,python-bleach,python-markdown,make,asciidoc state=present
-
-- name: make aur user
- user: name="{{ aurweb_user }}" shell=/bin/bash createhome=yes
-
-- name: Create directory
- file: path={{ aurweb_dir }} state=directory owner={{aurweb_user}} group=http mode=0775
-
-- name: clone aurweb repo
- git: >
- repo={{ aurweb_repository }}
- dest="{{ aurweb_dir }}"
- version={{ aurweb_version }}
- become: true
- become_user: "{{aurweb_user}}"
- register: release
-
-- name: create aur db
- mysql_db: name="{{ aurweb_db }}" login_host="{{ aurweb_db_host }}" login_password="{{ mariadb_users.root }}" encoding=utf8
- register: db_created
-
-- name: create aur db user
- mysql_user: name={{ aurweb_db_user }} password={{ aurweb_db_password }}
- login_host="{{ aurweb_db_host }}" login_password="{{ mariadb_users.root }}"
- priv="{{ aurweb_db }}.*:ALL"
-
-- name: enable innodb_large_prefix
- mysql_variables:
- login_host: "{{ aurweb_db_host }}"
- login_password: "{{ mariadb_users.root }}"
- variable: innodb_large_prefix
- value: 1
-
-- name: enable innodb_file_format
- mysql_variables:
- login_host: "{{ aurweb_db_host }}"
- login_password: "{{ mariadb_users.root }}"
- variable: innodb_file_format
- value: Barracuda
-
-- name: check if db is imported
- shell: mysql -u {{ aurweb_db_user }} -p{{ aurweb_db_password }} -e "SELECT ID FROM Users" {{ aurweb_db }}
- ignore_errors: true
- register: db_imported
-
-- name: import aur sql db
- mysql_db:
- state: import
- name: "{{ aurweb_db }}"
- login_host: "{{ aurweb_db_host }}"
- login_password: "{{ mariadb_users.root }}"
- target: "{{ aurweb_dir }}/schema/aur-schema.sql"
- when: db_imported.rc != 0
-
-- name: create aurweb conf dir
- file: path={{ aurweb_conf_dir }} state=directory
-
-- name: copy aurweb configuration file
- copy: src={{ aurweb_dir }}/conf/config.defaults dest={{ aurweb_conf_dir }}/config.defaults remote_src=yes
-
-- name: install custom aurweb configuration
- template: src=config.j2 dest={{ aurweb_conf_dir }}/config
-
-- name: Install python module
- shell: "python3 setup.py install --install-scripts=/usr/local/bin"
- args:
- chdir: "{{ aurweb_dir }}"
-
-- name: Generate HTML documentation
- make:
- chdir: "{{ aurweb_dir }}/doc"
- become: true
- become_user: "{{aurweb_user}}"
-
-- name: set up nginx
- template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/aurweb.conf owner=root group=root mode=644
- notify: reload nginx
- tags: ['nginx']
-
-- name: make nginx log dir
- file: path=/var/log/nginx/{{ aurweb_domain }} state=directory owner=root group=root mode=0755
-
-- name: configure php-fpm
- template:
- src=php-fpm.conf.j2 dest="/etc/php/php-fpm.d/{{ aurweb_user }}.conf"
- owner=root group=root mode=0644
- notify:
- - restart php-fpm@{{ aurweb_user }}
-
-- name: start and enable systemd socket
- service: name=php-fpm@{{ aurweb_user }}.socket state=started enabled=true
-
-- name: create git repo dir
- file: path={{ aurweb_git_dir }} state=directory owner={{aurweb_user}} group=http mode=0775
-
-- name: init git directory
- command: git init --bare {{ aurweb_git_dir }}
- args:
- creates: "{{ aurweb_git_dir }}/HEAD"
- become: true
- become_user: "{{aurweb_user}}"
-
-- shell: git config --local --get-all transfer.hideRefs
- register: git_config
- args:
- chdir: "{{ aurweb_git_dir }}"
- failed_when: git_config.rc == 2 # FIXME: does not work.
-
-- name: configure git tranfser.hideRefs
- command: git config --local transfer.hideRefs '^refs/'
- args:
- chdir: "{{ aurweb_git_dir }}"
- become: true
- become_user: "{{aurweb_user}}"
- when: git_config.stdout.find('^refs/') == -1
-
-
-- name: configure git transfer.hideRefs second
- command: git config --local --add transfer.hideRefs '!refs/'
- args:
- chdir: "{{ aurweb_git_dir }}"
- become: true
- become_user: "{{aurweb_user}}"
- when: git_config.stdout.find('!refs/') == -1
-
-- name: configure git transfer.hideRefs third
- command: git config --local --add transfer.hideRefs '!HEAD'
- args:
- chdir: "{{ aurweb_git_dir }}"
- become: true
- become_user: "{{aurweb_user}}"
- when: git_config.stdout.find('!HEAD') == -1
-
-- name: create symlink for git hook
- file:
- src: "{{ aurweb_git_hook }}"
- dest: "{{ aurweb_git_dir }}/hooks/update"
- state: link
-
-- name: install AUR maintenance services/timers
- copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
- with_items:
- - aurweb-aurblup.service
- - aurweb-aurblup.timer
- - aurweb-mkpkglists.service
- - aurweb-mkpkglists.timer
- - aurweb-pkgmaint.service
- - aurweb-pkgmaint.timer
- - aurweb-popupdate.service
- - aurweb-popupdate.timer
- - aurweb-tuvotereminder.service
- - aurweb-tuvotereminder.timer
-
-- name: start and enable AUR maintenance timers
- service: name={{ item }} enabled=yes state=started
- with_items:
- - aurweb-aurblup.timer
- - aurweb-mkpkglists.timer
- - aurweb-pkgmaint.timer
- - aurweb-popupdate.timer
- - aurweb-tuvotereminder.timer
-
-- name: install AUR git gc service/timer
- template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
- with_items:
- - aurweb-git.service
- - aurweb-git.timer
-
-- name: start and enable AUR git gc timer
- service: name=aurweb-git.timer enabled=yes state=started
-
-- name: configure sshd
- template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644 validate='/usr/sbin/sshd -t -f %s'
- notify:
- - restart sshd
diff --git a/roles/aur/templates/aurweb-git.service.j2 b/roles/aur/templates/aurweb-git.service.j2
deleted file mode 100644
index adbf3a80..00000000
--- a/roles/aur/templates/aurweb-git.service.j2
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=Git gc AUR
-
-[Service]
-Type=Oneshot
-User=aur
-WorkingDirectory={{ aurweb_git_dir }}
-ExecStart=/usr/bin/git gc
-Nice=5
diff --git a/roles/aur/templates/aurweb-git.timer.j2 b/roles/aur/templates/aurweb-git.timer.j2
deleted file mode 100644
index f9576609..00000000
--- a/roles/aur/templates/aurweb-git.timer.j2
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description=Git gc & repack AUR
-
-[Timer]
-OnCalendar=daily
-
-[Install]
-WantedBy=timers.target
diff --git a/roles/aur/templates/config.j2 b/roles/aur/templates/config.j2
deleted file mode 100644
index d5fd1851..00000000
--- a/roles/aur/templates/config.j2
+++ /dev/null
@@ -1,21 +0,0 @@
-[database]
-name = {{ aurweb_db }}
-user = {{ aurweb_db_user }}
-password = {{ aurweb_db_password }}
-
-[options]
-enable-maintenance = 0
-localedir = {{ aurweb_dir }}/web/locale/
-
-[serve]
-repo-path = {{ aurweb_git_dir }}
-git-shell-cmd = /usr/bin/sh
-
-[aurblup]
-db-path = {{ aurweb_dir }}/aurblup
-server = https://mirrors.kernel.org/archlinux/%s/os/x86_64
-
-[mkpkglists]
-packagesfile = {{ aurweb_dir }}/web/html/packages.gz
-pkgbasefile = {{ aurweb_dir }}/web/html/pkgbase.gz
-userfile = {{ aurweb_dir }}/web/html/users.gz
diff --git a/roles/aur/templates/nginx.d.conf.j2 b/roles/aur/templates/nginx.d.conf.j2
deleted file mode 100644
index 3d40cc1e..00000000
--- a/roles/aur/templates/nginx.d.conf.j2
+++ /dev/null
@@ -1,47 +0,0 @@
-upstream aurweb {
- server unix://{{aurweb_socket}};
-}
-
-server {
- listen 80;
- listen [::]:80;
- server_name {{ aurweb_domain }};
-
- access_log /var/log/nginx/{{ aurweb_domain }}/access.log main;
- error_log /var/log/nginx/{{ aurweb_domain }}/error.log;
-
- include snippets/letsencrypt.conf;
-
- location / {
- rewrite ^(.*) https://{{ aurweb_domain }}$1 permanent;
- }
-}
-
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name {{ aurweb_domain }};
-
- access_log /var/log/nginx/{{ aurweb_domain }}/access.log main;
- error_log /var/log/nginx/{{ aurweb_domain }}/error.log;
-
- ssl_certificate /etc/letsencrypt/live/{{ aurweb_domain }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/{{ aurweb_domain }}/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/{{ aurweb_domain }}/chain.pem;
-
- root {{ aurweb_dir }}/web/html;
- index index.php;
-
- location ~ ^/[^/]+\.php($|/) {
- fastcgi_pass aurweb;
- fastcgi_index index.php;
- fastcgi_split_path_info ^(/[^/]+\.php)(/.*)$;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- include fastcgi_params;
- }
-
- location ~ .* {
- rewrite ^/(.*)$ /index.php/$1 last;
- }
-}
diff --git a/roles/aur/templates/php-fpm.conf.j2 b/roles/aur/templates/php-fpm.conf.j2
deleted file mode 100644
index 47f75ec6..00000000
--- a/roles/aur/templates/php-fpm.conf.j2
+++ /dev/null
@@ -1,21 +0,0 @@
-[global]
-error_log = syslog
-daemonize = no
-
-[{{ aurweb_user }}]
-listen = {{ aurweb_socket }}
-listen.owner = {{ aurweb_user }}
-listen.group = http
-listen.mode = 0660
-
-pm = dynamic
-pm.max_children = 80
-pm.start_servers = 20
-pm.min_spare_servers = 10
-pm.max_spare_servers = 20
-pm.max_requests = 2000
-
-php_admin_value[open_basedir] = {{aurweb_dir}}:/etc/aurweb/
-php_admin_value[upload_tmp_dir] = {{ aurweb_dir }}/uploads
-php_admin_value[session.save_path] = {{ aurweb_dir }}/sessions
-env[TMPDIR] = {{ aurweb_dir }}/uploads
diff --git a/roles/aur/templates/sshd_config.j2 b/roles/aur/templates/sshd_config.j2
deleted file mode 100644
index 19787d12..00000000
--- a/roles/aur/templates/sshd_config.j2
+++ /dev/null
@@ -1,127 +0,0 @@
-# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
-
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options override the
-# default value.
-
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-LogLevel VERBOSE
-
-# Authentication:
-
-#LoginGraceTime 2m
-#PermitRootLogin prohibit-password
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
-#PubkeyAuthentication yes
-
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile .ssh/authorized_keys
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-PasswordAuthentication no
-#PermitEmptyPasswords no
-
-# Change to no to disable s/key passwords
-ChallengeResponseAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-#X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-PrintMotd no # pam does that
-#PrintLastLog yes
-#TCPKeepAlive yes
-#UseLogin no
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS no
-#PidFile /run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# override default of no subsystems
-Subsystem sftp /usr/lib/ssh/sftp-server
-
-# unlink forwarded sockets; for gpg agent forwarding
-StreamLocalBindUnlink yes
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# PermitTTY no
-# ForceCommand cvs server
-
-Match User aur
- PasswordAuthentication no
- AuthorizedKeysCommand /usr/local/bin/aurweb-git-auth "%t" "%k"
- AuthorizedKeysCommandUser aur
- AcceptEnv AUR_OVERWRITE
-- GitLab
From a31b408b4b6a99d86a8755850d8b3ad9555cd6dd Mon Sep 17 00:00:00 2001 From: Giancarlo Razzolini Date: Thu, 6 Feb 2020 18:35:27 -0300 Subject: [PATCH 05/42] roles/aurweb: Improve the defaults file Made some changes to the defaults file to make the installation work. Moved the db password to the vault, added the cache and limits variables and also changed the username back to aur. --- roles/aurweb/defaults/main.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/roles/aurweb/defaults/main.yml b/roles/aurweb/defaults/main.yml index 603dd010..b567e700 100644 --- a/roles/aurweb/defaults/main.yml +++ b/roles/aurweb/defaults/main.yml @@ -11,7 +11,11 @@ aurweb_version: 'live' aurweb_db: 'aur' aurweb_db_host: 'localhost' aurweb_db_user: 'aur' -aurweb_db_password: 'aur' -aurweb_user: 'aurweb' +aurweb_user: 'aur' aurweb_socket: '/run/php-fpm/{{aurweb_user}}.socket' + +aurweb_cache: 'apc' +aurweb_cache_pkginfo_ttl: '86400' +aurweb_request_limt: '4000' +aurweb_window_length: '86400' \ No newline at end of file -- GitLab From e421fe967e97796f39c3c1b0379d5d29ad9fc369 Mon Sep 17 00:00:00 2001 
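Review bot: `aurweb_request_limt` is misspelled (`limt`), and the config template in patch 06 reads the same misspelled name (`request_limit = {{ aurweb_request_limt }}`), so the typo becomes part of the role's variable interface; rename it to `aurweb_request_limit: '4000'` here and in the template while it is still used in only two places. Removing `aurweb_db_password` in this commit, while the config template and the db tasks keep referencing it until patches 06 and 11 switch them to `vault_aurweb_db_password`, leaves the intermediate commits failing on an undefined variable unless the name is defined elsewhere; folding the template change into this commit would keep the series bisectable. The hunk also drops the file's trailing newline (`\ No newline at end of file`), which patch 12 has to restore.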
From: Giancarlo Razzolini Date: Thu, 6 Feb 2020 18:39:11 -0300 Subject: [PATCH 06/42] roles/aurweb: Improve the templates and files. Moved all the systemd files to templates and also made sure every aur user reference is using the variable. Changed the config to use the variables and also changed the sshd config to use the ansible variables. --- .../aurweb-aurblup.service.j2} | 2 +- .../aurweb-aurblup.timer.j2} | 0 roles/aurweb/templates/aurweb-git.service.j2 | 2 +- .../aurweb-mkpkglists.service.j2} | 2 +- .../aurweb-mkpkglists.timer.j2} | 0 .../aurweb-pkgmaint.service.j2} | 2 +- .../aurweb-pkgmaint.timer.j2} | 0 .../aurweb-popupdate.service.j2} | 2 +- .../aurweb-popupdate.timer.j2} | 0 .../aurweb-tuvotereminder.service.j2} | 2 +- .../aurweb-tuvotereminder.timer.j2} | 0 roles/aurweb/templates/config.j2 | 8 +++++++- roles/aurweb/templates/sshd_config.j2 | 4 ++-- 13 files changed, 15 insertions(+), 9 deletions(-) rename roles/aurweb/{files/aurweb-aurblup.service => templates/aurweb-aurblup.service.j2} (86%) rename roles/aurweb/{files/aurweb-aurblup.timer => templates/aurweb-aurblup.timer.j2} (100%) rename roles/aurweb/{files/aurweb-mkpkglists.service => templates/aurweb-mkpkglists.service.j2} (88%) rename roles/aurweb/{files/aurweb-mkpkglists.timer => templates/aurweb-mkpkglists.timer.j2} (100%) rename roles/aurweb/{files/aurweb-pkgmaint.service => templates/aurweb-pkgmaint.service.j2} (88%) rename roles/aurweb/{files/aurweb-pkgmaint.timer => templates/aurweb-pkgmaint.timer.j2} (100%) rename roles/aurweb/{files/aurweb-popupdate.service => templates/aurweb-popupdate.service.j2} (88%) rename roles/aurweb/{files/aurweb-popupdate.timer => templates/aurweb-popupdate.timer.j2} (100%) rename roles/aurweb/{files/aurweb-tuvotereminder.service => templates/aurweb-tuvotereminder.service.j2} (88%) rename roles/aurweb/{files/aurweb-tuvotereminder.timer => templates/aurweb-tuvotereminder.timer.j2} (100%) 
diff --git a/roles/aurweb/files/aurweb-aurblup.service b/roles/aurweb/templates/aurweb-aurblup.service.j2 similarity index 86% rename from roles/aurweb/files/aurweb-aurblup.service rename to roles/aurweb/templates/aurweb-aurblup.service.j2 index d3d007c9..4d69f29a 100644 --- a/roles/aurweb/files/aurweb-aurblup.service +++ b/roles/aurweb/templates/aurweb-aurblup.service.j2 @@ -5,5 +5,5 @@ After=mysqld.service [Service] Type=Oneshot -User=aur +User={{ aurweb_user }} ExecStart=/usr/local/bin/aurweb-aurblup diff --git a/roles/aurweb/files/aurweb-aurblup.timer b/roles/aurweb/templates/aurweb-aurblup.timer.j2 similarity index 100% rename from roles/aurweb/files/aurweb-aurblup.timer rename to roles/aurweb/templates/aurweb-aurblup.timer.j2 diff --git a/roles/aurweb/templates/aurweb-git.service.j2 b/roles/aurweb/templates/aurweb-git.service.j2 index adbf3a80..6638355a 100644 --- a/roles/aurweb/templates/aurweb-git.service.j2 +++ b/roles/aurweb/templates/aurweb-git.service.j2 @@ -3,7 +3,7 @@ Description=Git gc AUR [Service] Type=Oneshot -User=aur +User={{ aurweb_user }} WorkingDirectory={{ aurweb_git_dir }} ExecStart=/usr/bin/git gc Nice=5 diff --git a/roles/aurweb/files/aurweb-mkpkglists.service b/roles/aurweb/templates/aurweb-mkpkglists.service.j2 similarity index 88% rename from roles/aurweb/files/aurweb-mkpkglists.service rename to roles/aurweb/templates/aurweb-mkpkglists.service.j2 index b0f6c44d..e04e14e2 100644 --- a/roles/aurweb/files/aurweb-mkpkglists.service +++ b/roles/aurweb/templates/aurweb-mkpkglists.service.j2 @@ -5,5 +5,5 @@ After=mysqld.service [Service] Type=Oneshot -User=aur +User={{ aurweb_user }} ExecStart=/usr/local/bin/aurweb-mkpkglists diff --git a/roles/aurweb/files/aurweb-mkpkglists.timer b/roles/aurweb/templates/aurweb-mkpkglists.timer.j2 similarity index 100% rename from roles/aurweb/files/aurweb-mkpkglists.timer rename to roles/aurweb/templates/aurweb-mkpkglists.timer.j2 
diff --git a/roles/aurweb/files/aurweb-pkgmaint.service b/roles/aurweb/templates/aurweb-pkgmaint.service.j2 similarity index 88% rename from roles/aurweb/files/aurweb-pkgmaint.service rename to roles/aurweb/templates/aurweb-pkgmaint.service.j2 index 83ba2a4c..1f01b525 100644 --- a/roles/aurweb/files/aurweb-pkgmaint.service +++ b/roles/aurweb/templates/aurweb-pkgmaint.service.j2 @@ -5,5 +5,5 @@ After=mysqld.service [Service] Type=Oneshot -User=aur +User={{ aurweb_user }} ExecStart=/usr/local/bin/aurweb-pkgmaint diff --git a/roles/aurweb/files/aurweb-pkgmaint.timer b/roles/aurweb/templates/aurweb-pkgmaint.timer.j2 similarity index 100% rename from roles/aurweb/files/aurweb-pkgmaint.timer rename to roles/aurweb/templates/aurweb-pkgmaint.timer.j2 diff --git a/roles/aurweb/files/aurweb-popupdate.service b/roles/aurweb/templates/aurweb-popupdate.service.j2 similarity index 88% rename from roles/aurweb/files/aurweb-popupdate.service rename to roles/aurweb/templates/aurweb-popupdate.service.j2 index 8850eec8..438e51b4 100644 --- a/roles/aurweb/files/aurweb-popupdate.service +++ b/roles/aurweb/templates/aurweb-popupdate.service.j2 @@ -5,5 +5,5 @@ After=mysqld.service [Service] Type=Oneshot -User=aur +User={{ aurweb_user }} ExecStart=/usr/local/bin/aurweb-popupdate diff --git a/roles/aurweb/files/aurweb-popupdate.timer b/roles/aurweb/templates/aurweb-popupdate.timer.j2 similarity index 100% rename from roles/aurweb/files/aurweb-popupdate.timer rename to roles/aurweb/templates/aurweb-popupdate.timer.j2 diff --git a/roles/aurweb/files/aurweb-tuvotereminder.service b/roles/aurweb/templates/aurweb-tuvotereminder.service.j2 similarity index 88% rename from roles/aurweb/files/aurweb-tuvotereminder.service rename to roles/aurweb/templates/aurweb-tuvotereminder.service.j2 index b66859f0..2c433884 100644 --- a/roles/aurweb/files/aurweb-tuvotereminder.service +++ b/roles/aurweb/templates/aurweb-tuvotereminder.service.j2 
@@ -5,5 +5,5 @@ After=mysqld.service [Service] Type=Oneshot -User=aur +User={{ aurweb_user }} ExecStart=/usr/local/bin/aurweb-tuvotereminder diff --git a/roles/aurweb/files/aurweb-tuvotereminder.timer b/roles/aurweb/templates/aurweb-tuvotereminder.timer.j2 similarity index 100% rename from roles/aurweb/files/aurweb-tuvotereminder.timer rename to roles/aurweb/templates/aurweb-tuvotereminder.timer.j2 diff --git a/roles/aurweb/templates/config.j2 b/roles/aurweb/templates/config.j2 index d5fd1851..8691f73b 100644 --- a/roles/aurweb/templates/config.j2 +++ b/roles/aurweb/templates/config.j2 @@ -1,11 +1,17 @@ [database] name = {{ aurweb_db }} user = {{ aurweb_db_user }} -password = {{ aurweb_db_password }} +password = {{ vault_aurweb_db_password }} [options] enable-maintenance = 0 localedir = {{ aurweb_dir }}/web/locale/ +cache = {{ aurweb_cache }} +cache_pkginfo_ttl = {{ aurweb_cache_pkginfo_ttl }} + +[ratelimit] +request_limit = {{ aurweb_request_limt }} +window_length = {{ aurweb_window_length }} [serve] repo-path = {{ aurweb_git_dir }} diff --git a/roles/aurweb/templates/sshd_config.j2 b/roles/aurweb/templates/sshd_config.j2 index 19787d12..3d5f2193 100644 --- a/roles/aurweb/templates/sshd_config.j2 +++ b/roles/aurweb/templates/sshd_config.j2 @@ -120,8 +120,8 @@ StreamLocalBindUnlink yes # PermitTTY no # ForceCommand cvs server -Match User aur +Match User {{ aurweb_user }} PasswordAuthentication no AuthorizedKeysCommand /usr/local/bin/aurweb-git-auth "%t" "%k" - AuthorizedKeysCommandUser aur + AuthorizedKeysCommandUser {{ aurweb_user }} AcceptEnv AUR_OVERWRITE -- GitLab From 19e1825f2243961fb3a0f629f0d33a821b4cbbda Mon Sep 17 00:00:00 2001 From: Giancarlo Razzolini Date: Thu, 6 Feb 2020 18:43:46 -0300 Subject: [PATCH 07/42] roles/aurweb: Fix the handlers file to use the aur user variable. --- roles/aurweb/handlers/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
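Review bot: The rendered config now carries `vault_aurweb_db_password` in clear text, so the on-disk permissions of the generated file are what protects the database credential; the task that templates config.j2 is outside the visible hunks, and it should install the file with a restrictive owner and mode (for example `owner={{ aurweb_user }} group={{ aurweb_user }} mode=0600`, since the php-fpm pool and the git hooks run as that user) and carry `no_log: true` so the rendered content does not show up in Ansible's diff output. The new `[ratelimit]` section has no comment on what the two values mean; a Jinja comment such as `{# request_limit requests per window_length (see aurweb's config defaults for units) #}` would help the next editor without asserting units the template does not show.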
diff --git a/roles/aurweb/handlers/main.yml b/roles/aurweb/handlers/main.yml
index 1ca0c5e5..5b62cf7c 100644
--- a/roles/aurweb/handlers/main.yml
+++ b/roles/aurweb/handlers/main.yml
@@ -3,7 +3,7 @@
 - name: daemon reload
   command: systemctl daemon-reload
 
-- name: restart php-fpm@aurweb
+- name: restart php-fpm@{{ aurweb_user }}
   service: name=php-fpm@{{ aurweb_user }} state=restarted
 
 - name: restart sshd
-- 
GitLab

From 268af91494e6f86ecb9e075c4faed9c424a6e9dc Mon Sep 17 00:00:00 2001
From: Giancarlo Razzolini
Date: Thu, 6 Feb 2020 18:50:19 -0300
Subject: [PATCH 08/42] playbooks/aur-dev: Add aur-dev to the hosts file and add change the playbook for dev

Changed the playbook to add the missing php modules and add the AUR role. Also set the domain and the git branch variables so the right version of the AUR is installed.
---
 hosts | 2 ++
 playbooks/aur-dev.archlinux.org.yml | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/hosts b/hosts
index 8017291c..834ba0a4 100644
--- a/hosts
+++ b/hosts
@@ -57,6 +57,7 @@ apollo.archlinux.org
 luna.archlinux.org
 bbs.archlinux.org
 bugs.archlinux.org
+aur-dev.archlinux.org
 
 [postgresql_servers]
 apollo.archlinux.org
@@ -70,6 +71,7 @@ luna.archlinux.org
 orion.archlinux.org
 bbs.archlinux.org
 bugs.archlinux.org
+aur-dev.archlinux.org
 
 [buildservers]
 dragon.archlinux.org
diff --git a/playbooks/aur-dev.archlinux.org.yml b/playbooks/aur-dev.archlinux.org.yml
index a024384f..e7dd5b87 100644
--- a/playbooks/aur-dev.archlinux.org.yml
+++ b/playbooks/aur-dev.archlinux.org.yml
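Review bot: Templating the handler name (`restart php-fpm@{{ aurweb_user }}`) couples every `notify:` in the role's tasks to the exact rendered string; a task still notifying the old literal `restart php-fpm@aurweb`, or writing the variable with different spacing, would fail with an unknown-handler error instead of restarting the pool. A stable `listen:` topic avoids that: keep the service line as it is, add `listen: restart php-fpm` under the handler, and notify `restart php-fpm` from the tasks. The tasks that notify this handler are outside this hunk, so whether they were updated cannot be checked here.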
@@ -13,7 +13,8 @@ - { role: mariadb, mariadb_innodb_buffer_pool_size: '64M', mariadb_table_open_cache: '256', mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: True } - { role: sudo } - - { role: php-fpm, php_extensions: ['apcu', 'iconv', 'intl', 'mysqli'], zend_extensions: ['opcache'] } + - { role: php-fpm, php_extensions: ['apcu', 'iconv', 'intl', 'mysqli', 'pdo_mysql'], zend_extensions: ['opcache']} - { role: borg-client, tags: ["borg"] } - { role: postfix, postfix_relayhost: "orion.archlinux.org" } - { role: fail2ban } + - { role: aurweb, aurweb_domain: 'aur-dev.archlinux.org', aurweb_version: 'pu' } -- GitLab From 1aa9c06a77baf800926ae067d5ab7e098bccc757 Mon Sep 17 00:00:00 2001 From: Giancarlo Razzolini Date: Thu, 6 Feb 2020 19:31:24 -0300 Subject: [PATCH 09/42] vault_aurweb: Added a vault for AUR Added a vault that contains the database password for the AUR. --- group_vars/all/vault_aurweb.yml | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 group_vars/all/vault_aurweb.yml diff --git a/group_vars/all/vault_aurweb.yml b/group_vars/all/vault_aurweb.yml new file mode 100644 index 00000000..1d018afc --- /dev/null +++ b/group_vars/all/vault_aurweb.yml @@ -0,0 +1,8 @@ +$ANSIBLE_VAULT;1.1;AES256 +34656165383465373234346338666332623833393766396535373364656465616133373336643933 +6562653563373436396564343433636131633230396466310a383266356131366561393234353631 +65633262373765353436633639323537313435613234633465636265346331303337393039336433 +3965646462323564610a633139333432653030626332616562623538313663303939653362633331 +31373034646534373765663232336265343738303261363865636664666636313135623336656432 +38386639333737643162633365653731376535316565626563623235326566353466313536386234 +386330353834656439373966356538626664 -- GitLab From 4f7cd2fbcb557100b62f14284e81902d3ef6389d Mon Sep 17 00:00:00 2001 
From: Giancarlo Razzolini Date: Thu, 6 Feb 2020 19:32:18 -0300 Subject: [PATCH 10/42] roles/aurweb: Add TU Bylaws repository information to defaults Added the TU bylayws repository path and the wanted version for the TU bylaws repository. --- roles/aurweb/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/aurweb/defaults/main.yml b/roles/aurweb/defaults/main.yml index b567e700..b7eac984 100644 --- a/roles/aurweb/defaults/main.yml +++ b/roles/aurweb/defaults/main.yml @@ -2,11 +2,13 @@ aurweb_domain: 'aur.archlinux.org' aurweb_repository: 'https://git.archlinux.org/aurweb.git' +tubylaws_repository: 'https://git.archlinux.org/tu-bylaws.git' aurweb_dir: '/srv/http/aurweb' aurweb_conf_dir: '/etc/aurweb' aurweb_git_dir: "{{ aurweb_dir }}/aur.git" aurweb_git_hook: '/usr/local/bin/aurweb-git-update' aurweb_version: 'live' +tubylaws_version: 'proposal-117' aurweb_db: 'aur' aurweb_db_host: 'localhost' -- GitLab From 2979791a07551694a8bb2d7658e1b9a2c883b2f6 Mon Sep 17 00:00:00 2001 From: Giancarlo Razzolini Date: Thu, 6 Feb 2020 19:34:36 -0300 Subject: [PATCH 11/42] roles/aurweb: Major rework of the tasks file We have reworked the entire tasks file to do an actual AUR installation. --- roles/aurweb/tasks/main.yml | 88 +++++++++++++++++++++---------------- 1 file changed, 50 insertions(+), 38 deletions(-) diff --git a/roles/aurweb/tasks/main.yml b/roles/aurweb/tasks/main.yml index 5d4df8ab..984e7679 100644 --- a/roles/aurweb/tasks/main.yml +++ b/roles/aurweb/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: install required packages - pacman: name=git,sudo,python-mysql-connector,python-pygit2,python-srcinfo,python-bleach,python-markdown,make,asciidoc state=present + pacman: name=git,sudo,python-mysql-connector,python-pygit2,python-srcinfo,python-bleach,python-markdown,pyalpm,make,asciidoc,php-apcu state=present - name: make aur user user: name="{{ aurweb_user }}" shell=/bin/bash createhome=yes 
@@ -17,42 +17,49 @@ become_user: "{{aurweb_user}}" register: release +- name: clone Trusted User documentation repo + git: > + repo={{ tubylaws_repository }} + dest="{{ aurweb_dir }}/tu-bylaws" + version={{ tubylaws_version }} + become: true + become_user: "{{ aurweb_user }}" + register: release + +- name: create necessary directories + file: path={{ aurweb_dir}}/{{ item }} state=directory owner={{ aurweb_user }} group={{ aurweb_user }} + with_items: + - 'aurblup' + - 'sessions' + - 'uploads' + - 'web/html/trusted-user' + - name: create aur db - mysql_db: name="{{ aurweb_db }}" login_host="{{ aurweb_db_host }}" login_password="{{ mariadb_users.root }}" encoding=utf8 + mysql_db: name="{{ aurweb_db }}" login_host="{{ aurweb_db_host }}" login_password="{{ vault_mariadb_users.root }}" encoding=utf8 register: db_created + no_log: true - name: create aur db user - mysql_user: name={{ aurweb_db_user }} password={{ aurweb_db_password }} - login_host="{{ aurweb_db_host }}" login_password="{{ mariadb_users.root }}" + mysql_user: name={{ aurweb_db_user }} password={{ vault_aurweb_db_password }} + login_host="{{ aurweb_db_host }}" login_password="{{ vault_mariadb_users.root }}" priv="{{ aurweb_db }}.*:ALL" - -- name: enable innodb_large_prefix - mysql_variables: - login_host: "{{ aurweb_db_host }}" - login_password: "{{ mariadb_users.root }}" - variable: innodb_large_prefix - value: 1 - -- name: enable innodb_file_format - mysql_variables: - login_host: "{{ aurweb_db_host }}" - login_password: "{{ mariadb_users.root }}" - variable: innodb_file_format - value: Barracuda + no_log: true - name: check if db is imported - shell: mysql -u {{ aurweb_db_user }} -p{{ aurweb_db_password }} -e "SELECT ID FROM Users" {{ aurweb_db }} + shell: mysql -u {{ aurweb_db_user }} -p{{ vault_aurweb_db_password }} -e "SELECT ID FROM Users" {{ aurweb_db }} ignore_errors: true register: db_imported + no_log: true - name: import aur sql db mysql_db: state: import name: "{{ aurweb_db }}" login_host: "{{ 
aurweb_db_host }}" - login_password: "{{ mariadb_users.root }}" + login_password: "{{ vault_mariadb_users.root }}" target: "{{ aurweb_dir }}/schema/aur-schema.sql" when: db_imported.rc != 0 + no_log: true - name: create aurweb conf dir file: path={{ aurweb_conf_dir }} state=directory @@ -74,6 +81,18 @@ become: true become_user: "{{aurweb_user}}" +- name: Generate Trusted User documentation + make: + chdir: "{{ aurweb_dir }}/tu-bylaws" + become: true + become_user: "{{ aurweb_user }}" + +- name: Install Trusted User documentation + copy: src={{ aurweb_dir }}/tu-bylaws/tu-bylaws.html dest={{ aurweb_dir }}/web/html/trusted-user/tu-bylaws.html remote_src=yes + +- name: Install Trusted User documentation symlink + file: src=tu-bylaws.html dest={{ aurweb_dir }}/web/html/trusted-user/TUbylaws.html state=link + - name: set up nginx template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/aurweb.conf owner=root group=root mode=644 notify: reload nginx @@ -116,7 +135,6 @@ become_user: "{{aurweb_user}}" when: git_config.stdout.find('^refs/') == -1 - - name: configure git transfer.hideRefs second command: git config --local --add transfer.hideRefs '!refs/' args: @@ -139,9 +157,11 @@ dest: "{{ aurweb_git_dir }}/hooks/update" state: link -- name: install AUR maintenance services/timers - copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 +- name: install AUR systemd service and timers + template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 with_items: + - aurweb-git.service + - aurweb-git.timer - aurweb-aurblup.service - aurweb-aurblup.timer - aurweb-mkpkglists.service 
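Review bot: `shell: mysql -u {{ aurweb_db_user }} -p{{ vault_aurweb_db_password }} ...` puts the database password on the command line, where it is typically readable by other local users through the process list for as long as the client runs; the added `no_log: true` hides it from the Ansible output but not from `ps`. Pass it through the environment instead: `shell: mysql -u {{ aurweb_db_user }} -e "SELECT ID FROM Users" {{ aurweb_db }}` with `environment: { MYSQL_PWD: "{{ vault_aurweb_db_password }}" }`, keeping `no_log: true`. The new tu-bylaws clone task also reuses `register: release`, overwriting the result the aurweb clone registered under the same name just above it; if anything later conditions on `release.changed` it now reflects the bylaws repository, so register it as `tubylaws_release` instead. The hunk opens with the tail of the aurweb clone task, whose start is outside this view.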
@@ -153,23 +173,15 @@ - aurweb-tuvotereminder.service - aurweb-tuvotereminder.timer -- name: start and enable AUR maintenance timers +- name: start and enable AUR systemd timers service: name={{ item }} enabled=yes state=started with_items: - - aurweb-aurblup.timer - - aurweb-mkpkglists.timer - - aurweb-pkgmaint.timer - - aurweb-popupdate.timer - - aurweb-tuvotereminder.timer - -- name: install AUR git gc service/timer - template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 - with_items: - - aurweb-git.service - - aurweb-git.timer - -- name: start and enable AUR git gc timer - service: name=aurweb-git.timer enabled=yes state=started + - aurweb-git.timer + - aurweb-aurblup.timer + - aurweb-mkpkglists.timer + - aurweb-pkgmaint.timer + - aurweb-popupdate.timer + - aurweb-tuvotereminder.timer - name: configure sshd template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644 validate='/usr/sbin/sshd -t -f %s' -- GitLab From 35d176f616470ae6f358700029fd4894fc9e3b35 Mon Sep 17 00:00:00 2001 From: Giancarlo Razzolini Date: Mon, 10 Feb 2020 09:12:00 -0300 Subject: [PATCH 12/42] roles/aurweb: Add maintenance mode and other changes playboooks/aur-dev: Remove the intl php extension Added maintenance mode to the aurweb role using the AUR internal mode. Also, add the php-apcu-bc package to the list of required packages. Also running the make required to create the translations. --- playbooks/aur-dev.archlinux.org.yml | 2 +- roles/aurweb/defaults/main.yml | 3 ++- roles/aurweb/tasks/main.yml | 21 +++++++++++++++++++-- 3 files changed, 22 insertions(+), 4 deletions(-) diff --git a/playbooks/aur-dev.archlinux.org.yml b/playbooks/aur-dev.archlinux.org.yml index e7dd5b87..b6b3625f 100644 --- a/playbooks/aur-dev.archlinux.org.yml +++ b/playbooks/aur-dev.archlinux.org.yml 
@@ -13,7 +13,7 @@ - { role: mariadb, mariadb_innodb_buffer_pool_size: '64M', mariadb_table_open_cache: '256', mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: True } - { role: sudo } - - { role: php-fpm, php_extensions: ['apcu', 'iconv', 'intl', 'mysqli', 'pdo_mysql'], zend_extensions: ['opcache']} + - { role: php-fpm, php_extensions: ['apcu', 'iconv', 'mysqli', 'pdo_mysql'], zend_extensions: ['opcache'] } - { role: borg-client, tags: ["borg"] } - { role: postfix, postfix_relayhost: "orion.archlinux.org" } - { role: fail2ban } diff --git a/roles/aurweb/defaults/main.yml b/roles/aurweb/defaults/main.yml index b7eac984..a300bfca 100644 --- a/roles/aurweb/defaults/main.yml +++ b/roles/aurweb/defaults/main.yml @@ -7,6 +7,7 @@ aurweb_dir: '/srv/http/aurweb' aurweb_conf_dir: '/etc/aurweb' aurweb_git_dir: "{{ aurweb_dir }}/aur.git" aurweb_git_hook: '/usr/local/bin/aurweb-git-update' +aurweb_nginx_conf: '/etc/nginx/nginx.d/aurweb.conf' aurweb_version: 'live' tubylaws_version: 'proposal-117' @@ -20,4 +21,4 @@ aurweb_socket: '/run/php-fpm/{{aurweb_user}}.socket' aurweb_cache: 'apc' aurweb_cache_pkginfo_ttl: '86400' aurweb_request_limt: '4000' -aurweb_window_length: '86400' \ No newline at end of file +aurweb_window_length: '86400' diff --git a/roles/aurweb/tasks/main.yml b/roles/aurweb/tasks/main.yml index 984e7679..efdab44a 100644 --- a/roles/aurweb/tasks/main.yml +++ b/roles/aurweb/tasks/main.yml 
@@ -1,6 +1,16 @@ --- +- name: run maintenance mode + include_role: + name: maintenance + vars: + service_name: "site" + service_domain: "{{ aurweb_domain }}" + service_alternate_domains: [] + service_nginx_conf: "{{ aurweb_nginx_conf }}" + when: maintenance is defined + - name: install required packages - pacman: name=git,sudo,python-mysql-connector,python-pygit2,python-srcinfo,python-bleach,python-markdown,pyalpm,make,asciidoc,php-apcu state=present + pacman: name=git,sudo,python-mysql-connector,python-pygit2,python-srcinfo,python-bleach,python-markdown,pyalpm,make,asciidoc,php-apcu,php-apcu-bc state=present - name: make aur user user: name="{{ aurweb_user }}" shell=/bin/bash createhome=yes @@ -81,6 +91,13 @@ become: true become_user: "{{aurweb_user}}" +- name: Generate Translations + make: + chdir: "{{ aurweb_dir }}/po" + target: "install" + become: true + become_user: "{{aurweb_user}}" + - name: Generate Trusted User documentation make: chdir: "{{ aurweb_dir }}/tu-bylaws" @@ -94,7 +111,7 @@ file: src=tu-bylaws.html dest={{ aurweb_dir }}/web/html/trusted-user/TUbylaws.html state=link - name: set up nginx - template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/aurweb.conf owner=root group=root mode=644 + template: src=nginx.d.conf.j2 dest={{ aurweb_nginx_conf }} owner=root group=root mode=644 notify: reload nginx tags: ['nginx'] -- GitLab From 43cb1293d179f411c65c901c92370bb543a2866b Mon Sep 17 00:00:00 2001 From: Giancarlo Razzolini Date: Mon, 10 Feb 2020 11:13:46 -0300 Subject: [PATCH 13/42] common: Add a maintenance_remote_machine variable Add a variable that takes the SSH_CLIENT environment variable to save the ip address of the machine actually running the playbooks. This can be used on maintenance mode to allow in the person running the playbook and let everybody else to see the maintenance page. --- group_vars/all/common.yml | 4 ++++ 1 file changed, 4 insertions(+) 
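Review bot: `mode=644` on the nginx template task is inconsistent with the `mode=0644` this file uses for the systemd units and for sshd_config; in key=value form the value reaches the module as a string and is most likely converted as octal, but the unprefixed form is the one Ansible's documentation warns about and it reads as decimal to a reviewer. `template: src=nginx.d.conf.j2 dest={{ aurweb_nginx_conf }} owner=root group=root mode=0644` keeps the file uniform. The maintenance `include_role` in the first hunk is guarded only by `when: maintenance is defined`, so `-e maintenance=false` would still enter maintenance mode; a `when: maintenance | default(false)` would match the truthiness check the config template in patch 14 uses.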
diff --git a/group_vars/all/common.yml b/group_vars/all/common.yml index b89dbf0a..56a6bf87 100644 --- a/group_vars/all/common.yml +++ b/group_vars/all/common.yml @@ -6,3 +6,7 @@ ansible_python_interpreter: /usr/bin/python3 zabbix_agent_templates: - Template OS Linux + +# this is used by the maintenance role to get the ip address +# of the machine running the playbook +maintenance_remote_machine: "{{ hostvars[inventory_hostname]['ansible_env'].SSH_CLIENT.split(' ')[0] }}" -- GitLab From 46403950eaa53a000b8a093b0ae47caaec2cc402 Mon Sep 17 00:00:00 2001 From: Giancarlo Razzolini Date: Mon, 10 Feb 2020 11:26:27 -0300 Subject: [PATCH 14/42] roles/aurweb: Remove maintenance role from the tasks and add the maintenance mode to AUR config Since the AUR has its own maintenance mode, there is no need for using the maintenance role, so it was removed. Added a check on the aurweb config file that checks for the maintenance variable and uses the variable for allowing the ip address of the person running the playbook to access the AUR. --- roles/aurweb/tasks/main.yml | 10 ---------- roles/aurweb/templates/config.j2 | 5 +++++ 2 files changed, 5 insertions(+), 10 deletions(-) diff --git a/roles/aurweb/tasks/main.yml b/roles/aurweb/tasks/main.yml index efdab44a..a624bae7 100644 --- a/roles/aurweb/tasks/main.yml +++ b/roles/aurweb/tasks/main.yml @@ -1,14 +1,4 @@ --- -- name: run maintenance mode - include_role: - name: maintenance - vars: - service_name: "site" - service_domain: "{{ aurweb_domain }}" - service_alternate_domains: [] - service_nginx_conf: "{{ aurweb_nginx_conf }}" - when: maintenance is defined - - name: install required packages pacman: name=git,sudo,python-mysql-connector,python-pygit2,python-srcinfo,python-bleach,python-markdown,pyalpm,make,asciidoc,php-apcu,php-apcu-bc state=present diff --git a/roles/aurweb/templates/config.j2 b/roles/aurweb/templates/config.j2 index 8691f73b..c096f5d2 100644 --- a/roles/aurweb/templates/config.j2 
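Review bot: `maintenance_remote_machine` takes the first field of the managed host's `SSH_CLIENT`, which is the address sshd on that host saw the session arrive from; when the controller reaches the host through a jump host or NAT, that is the intermediary's address, so the maintenance exception written into aurweb's config in patch 14 would admit everyone behind that intermediary rather than only the operator. The expression also depends on gathered facts (`ansible_env`) and on an SSH connection, so with `gather_facts: false` or a local connection it raises an undefined-attribute error wherever the variable is templated. Both limits belong in the comment, e.g. `# first field of SSH_CLIENT on the managed host: the address the operator's SSH session arrived from (a bastion's address when connecting through one); needs gathered facts`, and allowing an explicit override with `-e maintenance_remote_machine=<operator address>` keeps the exception narrow in the bastion case.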
+++ b/roles/aurweb/templates/config.j2 @@ -4,7 +4,12 @@ user = {{ aurweb_db_user }} password = {{ vault_aurweb_db_password }} [options] +{% if maintenance is defined and maintenance %} +enable_maintenance = 1 +maintenance-exceptions = {{ maintenance_remote_machine }} +{% else %} enable-maintenance = 0 +{% endif %} localedir = {{ aurweb_dir }}/web/locale/ cache = {{ aurweb_cache }} cache_pkginfo_ttl = {{ aurweb_cache_pkginfo_ttl }} -- GitLab From 8ef8a1b82e8254702a65dc79be22166324270c73 Mon Sep 17 00:00:00 2001 From: Giancarlo Razzolini Date: Tue, 11 Feb 2020 09:53:30 -0300 Subject: [PATCH 15/42] playbooks/aur-dev: Add uwsgi We need to use uwsgi for cgit hosting, so add the uwsgi role to the playbook. --- playbooks/aur-dev.archlinux.org.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/aur-dev.archlinux.org.yml b/playbooks/aur-dev.archlinux.org.yml index b6b3625f..4096c9ef 100644 --- a/playbooks/aur-dev.archlinux.org.yml +++ b/playbooks/aur-dev.archlinux.org.yml @@ -14,6 +14,7 @@ mariadb_innodb_file_per_table: True } - { role: sudo } - { role: php-fpm, php_extensions: ['apcu', 'iconv', 'mysqli', 'pdo_mysql'], zend_extensions: ['opcache'] } + - { role: uwsgi, tags: ["uwsgi"] } - { role: borg-client, tags: ["borg"] } - { role: postfix, postfix_relayhost: "orion.archlinux.org" } - { role: fail2ban } -- GitLab From 850f3b00d0152b99b412c5818cc8bd81eb510c95 Mon Sep 17 00:00:00 2001 From: Giancarlo Razzolini Date: Tue, 11 Feb 2020 10:07:16 -0300 Subject: [PATCH 16/42] roles/aurweb: Add the templates for apcu.ini php config and for cgit uwsgi Added the templates for the apcu.ini configuration for php and for the uwsgi config for cgit. --- roles/aurweb/templates/apcu.ini.j2 | 3 +++ roles/aurweb/templates/cgit.ini.j2 | 10 ++++++++++ 2 files changed, 13 insertions(+) create mode 100644 roles/aurweb/templates/apcu.ini.j2 create mode 100644 roles/aurweb/templates/cgit.ini.j2 
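Review bot: The maintenance branch writes `enable_maintenance = 1` (underscore) while the existing key kept on the else branch is `enable-maintenance = 0` (hyphen); unless aurweb accepts both spellings, the new line sets a key the application ignores and maintenance mode never switches on, even though the exceptions line is written. Change it to `enable-maintenance = 1`. A Jinja comment on the branch, such as `{# during maintenance only maintenance_remote_machine (the operator's address) may use the site #}`, would also make the intent of the single-address exception list visible to the next editor.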
diff --git a/roles/aurweb/templates/apcu.ini.j2 b/roles/aurweb/templates/apcu.ini.j2
new file mode 100644
index 00000000..3728f454
--- /dev/null
+++ b/roles/aurweb/templates/apcu.ini.j2
@@ -0,0 +1,3 @@
+apc.shm_size={{ aurweb_apc_shm_size }}
+apc.ttl={{ aurweb_apc_ttl }}
+apc.entries_hint={{ aurweb_apc_entries_hint }}
diff --git a/roles/aurweb/templates/cgit.ini.j2 b/roles/aurweb/templates/cgit.ini.j2
new file mode 100644
index 00000000..297ab159
--- /dev/null
+++ b/roles/aurweb/templates/cgit.ini.j2
@@ -0,0 +1,10 @@
+[uwsgi]
+plugins = cgi
+socket = /run/uwsgi/cgit.sock
+chown-socket = http:http
+chmod-socket = 770
+threads = 4
+
+cgi = /usr/share/webapps/cgit-aurweb/cgit.cgi
+uid = {{ aurweb_user }}
+gid = {{ aurweb_user }}
-- 
GitLab

From 03ec6a599adcf9354bdce9f6c904edc534bcb379 Mon Sep 17 00:00:00 2001
From: Giancarlo Razzolini
Date: Tue, 11 Feb 2020 10:10:32 -0300
Subject: [PATCH 17/42] playbooks/aur-dev: Add apc to the php extensions roles/aurweb: Add the apc configuration variables

Added the apc to the php extensions on the playbook, instead of adding it on the conf.d directory. Added the apc variables to the defaults file.
---
 playbooks/aur-dev.archlinux.org.yml | 2 +-
 roles/aurweb/defaults/main.yml | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/playbooks/aur-dev.archlinux.org.yml b/playbooks/aur-dev.archlinux.org.yml
index 4096c9ef..4f489501 100644
--- a/playbooks/aur-dev.archlinux.org.yml
+++ b/playbooks/aur-dev.archlinux.org.yml
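Review bot: `uid`/`gid` run the cgit CGI as the aurweb account, the same user that owns the git repository and the aurweb checkout (patch 11 creates the role's directories with `owner={{ aurweb_user }}`), so a flaw in cgit or in the `source-filter` script it is given in patch 19 would execute with write access to `aur.git` and read access to everything that user can read; cgit itself only needs to read the repository. A dedicated low-privilege user with read-only access to `aur.git` is the least-privilege choice; if sharing the account is intentional, a comment such as `; runs as the aur user so cgit can read {{ aurweb_dir }}/aur.git` records that decision. `chmod-socket = 770` with the socket owned by the web server's account is the right scope for nginx to connect and should stay that narrow.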
@@ -13,7 +13,7 @@ - { role: mariadb, mariadb_innodb_buffer_pool_size: '64M', mariadb_table_open_cache: '256', mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: True } - { role: sudo } - - { role: php-fpm, php_extensions: ['apcu', 'iconv', 'mysqli', 'pdo_mysql'], zend_extensions: ['opcache'] } + - { role: php-fpm, php_extensions: ['apc', 'apcu', 'iconv', 'mysqli', 'pdo_mysql'], zend_extensions: ['opcache'] } - { role: uwsgi, tags: ["uwsgi"] } - { role: borg-client, tags: ["borg"] } - { role: postfix, postfix_relayhost: "orion.archlinux.org" } diff --git a/roles/aurweb/defaults/main.yml b/roles/aurweb/defaults/main.yml index a300bfca..8b484e9a 100644 --- a/roles/aurweb/defaults/main.yml +++ b/roles/aurweb/defaults/main.yml @@ -22,3 +22,6 @@ aurweb_cache: 'apc' aurweb_cache_pkginfo_ttl: '86400' aurweb_request_limt: '4000' aurweb_window_length: '86400' +aurweb_apc_shm_size: '1024M' +aurweb_apc_ttl: '1800' +aurweb_apc_entries_hint: '0' -- GitLab From 86eea2fc2fe857ac35263ac54e18844ed9aa0409 Mon Sep 17 00:00:00 2001 From: Giancarlo Razzolini Date: Tue, 11 Feb 2020 10:44:26 -0300 Subject: [PATCH 18/42] roles/aurweb: Fix the user on the cgit uwsgi configuration The user for the socket was set incorrectly, fixed it. --- roles/aurweb/templates/cgit.ini.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/aurweb/templates/cgit.ini.j2 b/roles/aurweb/templates/cgit.ini.j2 index 297ab159..588aa147 100644 --- a/roles/aurweb/templates/cgit.ini.j2 +++ b/roles/aurweb/templates/cgit.ini.j2 @@ -1,10 +1,10 @@ [uwsgi] plugins = cgi socket = /run/uwsgi/cgit.sock -chown-socket = http:http +chown-socket = {{ aurweb_user }}:http chmod-socket = 770 threads = 4 cgi = /usr/share/webapps/cgit-aurweb/cgit.cgi uid = {{ aurweb_user }} -gid = {{ aurweb_user }} +gid = http -- GitLab From 77d2426e6ace2148a5030543f56ea4cd16bfdf85 Mon Sep 17 00:00:00 2001 
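Review bot: `'apc'` is listed before `'apcu'` in `php_extensions`; if the php-fpm role emits `extension=` lines in list order, the APCu backwards-compatibility module (the `apc` extension from `php-apcu-bc`, which the role's package list installs) is loaded before `apcu`, which it depends on, and PHP will refuse to load it at startup. Ordering the list as `['apcu', 'apc', 'iconv', 'mysqli', 'pdo_mysql']` avoids that, assuming the role preserves list order — worth confirming against the role's template. The same list is copied into playbooks/aur.archlinux.org.yml later in this series (patch 22).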
From: Giancarlo Razzolini Date: Tue, 11 Feb 2020 14:35:45 -0300 Subject: [PATCH 19/42] roles/aurweb: Add the cgitrc template Added the template for the cgitrc configuration file.
--- roles/aurweb/templates/cgitrc.j2 | 35 ++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 roles/aurweb/templates/cgitrc.j2
diff --git a/roles/aurweb/templates/cgitrc.j2 b/roles/aurweb/templates/cgitrc.j2 new file mode 100644
index 00000000..9e00369a
--- /dev/null
+++ b/roles/aurweb/templates/cgitrc.j2
@@ -0,0 +1,35 @@
+virtual-root=/cgit/
+clone-prefix=https://{{ aurweb_domain }}
+noheader=0
+favicon=/images/favicon.ico
+logo=
+css=/css/cgit.css
+snapshots=tar.gz
+readme=:README.md
+readme=:README
+enable-index-owner=0
+enable-index-links=1
+enable-switch-form=0
+noplainemail=1
+
+cache-root=/var/cache/cgit-aurweb
+cache-size=0
+cache-dynamic-ttl=15
+cache-repo-ttl=15
+cache-root-ttl=60
+cache-scanrc-ttl=120
+cache-static-ttl=60
+
+root-title=AUR Package Repositories
+root-desc=Web interface to the AUR Package Repositories
+header={{ aurweb_dir }}/web/template/cgit/header.html
+footer={{ aurweb_dir }}/web/template/cgit/footer.html
+max-repodesc-length=50
+max-blob-size=2048
+max-stats=year
+enable-http-clone=1
+source-filter=/usr/lib/cgit-aurweb/filters/syntax-highlighting.sh
+
+repo.url=aur.git
+repo.path={{ aurweb_dir }}/aur.git
+repo.desc=AUR Package Repositories
-- GitLab From 11dd3a54688c51288e48d0bb2d7d841b3e17cfe9 Mon Sep 17 00:00:00 2001 From: Giancarlo Razzolini Date: Tue, 11 Feb 2020 14:40:08 -0300 Subject: [PATCH 20/42] roles/aurweb: Added a cgit_socket variable Use the cgit_socket variable on the uwsgi template for cgit.
--- roles/aurweb/defaults/main.yml | 1 + roles/aurweb/templates/cgit.ini.j2 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/roles/aurweb/defaults/main.yml b/roles/aurweb/defaults/main.yml
index 8b484e9a..1b14b8c3 100644
--- a/roles/aurweb/defaults/main.yml
+++ b/roles/aurweb/defaults/main.yml
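Review bot: `repo.path={{ aurweb_dir }}/aur.git` hard-codes the repository location, while the role's config.j2 (`repo-path = {{ aurweb_git_dir }}`) and the `git init --bare {{ aurweb_git_dir }}` task address it through `aurweb_git_dir`; if that variable is ever overridden, cgit and the serving side silently point at different trees. Suggest `repo.path={{ aurweb_git_dir }}` here; the nginx template added in patch 21 hard-codes `/aur.git/` in `PATH_INFO` the same way. Separately, `cache-size=0` disables cgit's cache entirely, so the `cache-root` and `cache-*-ttl` lines are inert — either drop them or add a comment that `cache-size` is the switch, so nobody tunes the TTLs expecting an effect.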
@@ -17,6 +17,7 @@ aurweb_db_user: 'aur' aurweb_user: 'aur' aurweb_socket: '/run/php-fpm/{{aurweb_user}}.socket' +cgit_socket: '/run/uwsgi/cgit.sock' aurweb_cache: 'apc' aurweb_cache_pkginfo_ttl: '86400' diff --git a/roles/aurweb/templates/cgit.ini.j2 b/roles/aurweb/templates/cgit.ini.j2 index 588aa147..0f97caca 100644 --- a/roles/aurweb/templates/cgit.ini.j2 +++ b/roles/aurweb/templates/cgit.ini.j2 @@ -1,6 +1,6 @@ [uwsgi] plugins = cgi -socket = /run/uwsgi/cgit.sock +socket = {{ cgit_socket }} chown-socket = {{ aurweb_user }}:http chmod-socket = 770 threads = 4 -- GitLab From 35e5a8a44eba6d0aaa192210d977033fe9417eb1 Mon Sep 17 00:00:00 2001 From: Giancarlo Razzolini Date: Tue, 11 Feb 2020 16:34:14 -0300 Subject: [PATCH 21/42] roles/aurweb: cgit and smartgit changes Added a smartgit_socket option to the defaults. Reworked the tasks package installation to look cleaner and also separated the cgit and git package installations so we can trigger uwsgi reloads on updates. Changed the tubylaws repo update variable to trigger the bylaws changes only when the tubylaws repository change, not the aurweb one. Added tasks to install the apcu configuration, cgit uwsgi ini file, cgit rc file and smartgit uwsgi ini file. Trigger an uwsgi reload in case the cgit-aurweb or git packages change. Also added a few missing options to the aurweb configuration file. Rework the nginx configuration file to use the cgit and smartgit uwsgi services. --- roles/aurweb/defaults/main.yml | 1 + roles/aurweb/tasks/main.yml | 61 ++++++++++++++++++++++++- roles/aurweb/templates/cgit.ini.j2 | 1 + roles/aurweb/templates/config.j2 | 3 ++ roles/aurweb/templates/nginx.d.conf.j2 | 63 ++++++++++++++++++++++---- roles/aurweb/templates/smartgit.ini.j2 | 9 ++++ 6 files changed, 126 insertions(+), 12 deletions(-) create mode 100644 roles/aurweb/templates/smartgit.ini.j2 diff --git a/roles/aurweb/defaults/main.yml b/roles/aurweb/defaults/main.yml index 1b14b8c3..5072c2ae 100644 
--- a/roles/aurweb/defaults/main.yml +++ b/roles/aurweb/defaults/main.yml @@ -18,6 +18,7 @@ aurweb_db_user: 'aur' aurweb_user: 'aur' aurweb_socket: '/run/php-fpm/{{aurweb_user}}.socket' cgit_socket: '/run/uwsgi/cgit.sock' +smartgit_socket: '/run/uwsgi/smartgit.sock' aurweb_cache: 'apc' aurweb_cache_pkginfo_ttl: '86400' diff --git a/roles/aurweb/tasks/main.yml b/roles/aurweb/tasks/main.yml index a624bae7..860f8510 100644 --- a/roles/aurweb/tasks/main.yml +++ b/roles/aurweb/tasks/main.yml @@ -1,6 +1,36 @@ --- - name: install required packages - pacman: name=git,sudo,python-mysql-connector,python-pygit2,python-srcinfo,python-bleach,python-markdown,pyalpm,make,asciidoc,php-apcu,php-apcu-bc state=present + pacman: + state: present + name: + - asciidoc + - git + - highlight + - make + - php-apcu + - php-apcu-bc + - pyalpm + - python-bleach + - python-markdown + - python-mysql-connector + - python-pygit2 + - python-srcinfo + - sudo + - uwsgi-plugin-cgi + +- name: install the cgit package + pacman: + state: present + name: + - cgit-aurweb + register: cgit + +- name: install the git package + pacman: + state: present + name: + - git + register: git - name: make aur user user: name="{{ aurweb_user }}" shell=/bin/bash createhome=yes @@ -24,7 +54,7 @@ version={{ tubylaws_version }} become: true become_user: "{{ aurweb_user }}" - register: release + register: tubylaws_release - name: create necessary directories file: path={{ aurweb_dir}}/{{ item }} state=directory owner={{ aurweb_user }} group={{ aurweb_user }} 
@@ -93,12 +123,15 @@ chdir: "{{ aurweb_dir }}/tu-bylaws" become: true become_user: "{{ aurweb_user }}" + when: tubylaws_release.changed - name: Install Trusted User documentation copy: src={{ aurweb_dir }}/tu-bylaws/tu-bylaws.html dest={{ aurweb_dir }}/web/html/trusted-user/tu-bylaws.html remote_src=yes + when: tubylaws_release.changed - name: Install Trusted User documentation symlink file: src=tu-bylaws.html dest={{ aurweb_dir }}/web/html/trusted-user/TUbylaws.html state=link + when: tubylaws_release.changed - name: set up nginx template: src=nginx.d.conf.j2 dest={{ aurweb_nginx_conf }} owner=root group=root mode=644 @@ -118,6 +151,30 @@ - name: start and enable systemd socket service: name=php-fpm@{{ aurweb_user }}.socket state=started enabled=true +- name: install apcu configuration + template: src=apcu.ini.j2 dest=/etc/php/conf.d/apcu.ini + +- name: install cgit configuration + template: src=cgitrc.j2 dest="{{ aurweb_conf_dir }}/cgitrc" + +- name: configure cgit uwsgi service + template: src=cgit.ini.j2 dest=/etc/uwsgi/vassals/cgit.ini owner={{ aurweb_user }} group=http mode=0644 + +- name: deploy new cgit release + become: true + become_user: "{{ aurweb_user }}" + file: path=/etc/uwsgi/vassals/cgit.ini state=touch + when: cgit.changed + +- name: configure smartgit uwsgi service + template: src=smartgit.ini.j2 dest=/etc/uwsgi/vassals/smartgit.ini owner={{ aurweb_user }} group=http mode=0644 + +- name: deploy new smartgit release + become: true + become_user: "{{ aurweb_user }}" + file: path=/etc/uwsgi/vassals/smartgit.ini state=touch + when: git.changed + - name: create git repo dir file: path={{ aurweb_git_dir }} state=directory owner={{aurweb_user}} group=http mode=0775 diff --git a/roles/aurweb/templates/cgit.ini.j2 b/roles/aurweb/templates/cgit.ini.j2 index 0f97caca..87596c51 100644 --- a/roles/aurweb/templates/cgit.ini.j2 +++ b/roles/aurweb/templates/cgit.ini.j2 
@@ -4,6 +4,7 @@ socket = {{ cgit_socket }} chown-socket = {{ aurweb_user }}:http chmod-socket = 770 threads = 4 +daemonize = /var/log/uwsgi/cgit-aurweb.log cgi = /usr/share/webapps/cgit-aurweb/cgit.cgi uid = {{ aurweb_user }} diff --git a/roles/aurweb/templates/config.j2 b/roles/aurweb/templates/config.j2 index c096f5d2..bb6ce2d7 100644 --- a/roles/aurweb/templates/config.j2 +++ b/roles/aurweb/templates/config.j2 @@ -13,6 +13,8 @@ enable-maintenance = 0 localedir = {{ aurweb_dir }}/web/locale/ cache = {{ aurweb_cache }} cache_pkginfo_ttl = {{ aurweb_cache_pkginfo_ttl }} +git_clone_uri_anon = https://{{ aurweb_domain }}/%s.git +git_clone_uri_priv = ssh://{{ aurweb_user }}@{{ aurweb_domain }}/%s.git [ratelimit] request_limit = {{ aurweb_request_limt }} @@ -21,6 +23,7 @@ window_length = {{ aurweb_window_length }} [serve] repo-path = {{ aurweb_git_dir }} git-shell-cmd = /usr/bin/sh +ssh-cmdline = ssh {{ aurweb_user }}@{{ aurweb_domain }} [aurblup] db-path = {{ aurweb_dir }}/aurblup diff --git a/roles/aurweb/templates/nginx.d.conf.j2 b/roles/aurweb/templates/nginx.d.conf.j2 index 3d40cc1e..152c9204 100644 --- a/roles/aurweb/templates/nginx.d.conf.j2 +++ b/roles/aurweb/templates/nginx.d.conf.j2 @@ -1,5 +1,13 @@ upstream aurweb { - server unix://{{aurweb_socket}}; + server unix://{{ aurweb_socket }}; +} + +upstream cgit { + server unix://{{ cgit_socket }}; +} + +upstream smartgit { + server unix://{{ smartgit_socket }}; } server { 
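Review bot: `daemonize = /var/log/uwsgi/cgit-aurweb.log` asks an emperor-managed vassal to detach, which is the opposite of what the `deploy new cgit release` touch task relies on; uWSGI either remaps `daemonize` to `logto` for vassals or refuses it depending on version, so `logto = /var/log/uwsgi/cgit-aurweb.log` states the intent without depending on that. The log file is opened as `uid = {{ aurweb_user }}`, and nothing in this series creates `/var/log/uwsgi` or makes it writable for that user; presumably the uwsgi role does, but a comment naming that dependency would save the next reader a search. The smartgit.ini.j2 template added in the same commit carries the identical `daemonize` line.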
@@ -32,16 +40,51 @@ server { root {{ aurweb_dir }}/web/html; index index.php; + location ~ ^/trusted-user/ { + break; + } + + location ~ "^/([a-z0-9][a-z0-9.+_-]*?)(\.git)?/(git-(receive|upload)-pack|HEAD|info/refs|objects/(info/(http-)?alternates|packs)|[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(pack|idx))$" { + include uwsgi_params; + uwsgi_pass smartgit; + uwsgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend; + uwsgi_param PATH_INFO /aur.git/$3; + uwsgi_param GIT_HTTP_EXPORT_ALL ""; + uwsgi_param GIT_NAMESPACE $1; + uwsgi_param GIT_PROJECT_ROOT {{ aurweb_dir }}; + } + + location ~ ^/cgit { + include uwsgi_params; + rewrite ^/cgit/([^?/]+/[^?]*)?(?:\?(.*))?$ /cgit.cgi?url=$1&$2 last; + uwsgi_modifier1 9; + uwsgi_param CGIT_CONFIG {{ aurweb_conf_dir }}/cgitrc; + uwsgi_pass cgit; + } + location ~ ^/[^/]+\.php($|/) { - fastcgi_pass aurweb; - fastcgi_index index.php; - fastcgi_split_path_info ^(/[^/]+\.php)(/.*)$; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $fastcgi_path_info; - include fastcgi_params; + fastcgi_pass aurweb; + fastcgi_index index.php; + fastcgi_split_path_info ^(/[^/]+\.php)(/.*)$; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param HTTPS on; + include fastcgi_params; + + # Cache PHP Requests + #fastcgi_cache aur; + #fastcgi_cache_valid 200 5m; + #add_header X-Cache $upstream_cache_status; + + # Required for caching to work + #fastcgi_ignore_headers "Cache-Control" "Expires" "Set-Cookie"; + + # Only apply cache when set + #fastcgi_cache_bypass $no_cache; + #fastcgi_no_cache $no_cache; } - + location ~ .* { - rewrite ^/(.*)$ /index.php/$1 last; - } + rewrite ^/(.*)$ /index.php/$1 last; + } } diff --git a/roles/aurweb/templates/smartgit.ini.j2 b/roles/aurweb/templates/smartgit.ini.j2 new file mode 100644 index 00000000..f4ff82a7 --- /dev/null +++ b/roles/aurweb/templates/smartgit.ini.j2 
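Review bot: The smart-HTTP location explicitly matches `git-(receive|upload)-pack`, so anonymous `git-receive-pack` (push) requests are forwarded to git-http-backend with no authentication in front of them; this is safe only because git-http-backend refuses push unless `http.receivepack` is enabled or `REMOTE_USER` is set, a default the config relies on without saying so. Since pushes are served over ssh in this role (`git_clone_uri_priv` is an ssh URL), dropping `receive` from the alternation, `(git-upload-pack|HEAD|info/refs|…)`, makes the anonymous path read-only by construction and a later repository-config change cannot reopen it. Note also `uwsgi_param GIT_HTTP_EXPORT_ALL ""`: an empty value still counts as set for git-http-backend, so every repository under `GIT_PROJECT_ROOT` becomes exportable — harmless while `PATH_INFO` is pinned to `/aur.git/$3`, but a comment `# every repo under GIT_PROJECT_ROOT is exported; PATH_INFO pins it to aur.git` would stop someone relaxing the regex without noticing. The commented-out `fastcgi_cache` block is dead configuration and would read better as a single `# caching intentionally disabled` line.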
@@ -0,0 +1,9 @@
+[uwsgi]
+plugins = cgi
+socket = {{ smartgit_socket }}
+chown-socket = {{ aurweb_user }}:http
+threads = 4
+cgi = /usr/lib/git-core/git-http-backend
+uid = {{ aurweb_user }}
+gid = http
+daemonize = /var/log/uwsgi/smartgit-aurweb.log
-- GitLab From 3defaded28c5236e44d7ff75452f6e87559fbdb9 Mon Sep 17 00:00:00 2001 From: Giancarlo Razzolini Date: Tue, 11 Feb 2020 16:43:59 -0300 Subject: [PATCH 22/42] playbooks/aur: Rename the aur playbook file and add the missing roles The original aur playbook file was missing a lot of the roles that were added for the aur-dev playbook. Add them and renamed the file too.
--- playbooks/aur.archlinux.org.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 playbooks/aur.archlinux.org.yml
diff --git a/playbooks/aur.archlinux.org.yml b/playbooks/aur.archlinux.org.yml new file mode 100644
index 00000000..dcee7504
--- /dev/null
+++ b/playbooks/aur.archlinux.org.yml
@@ -0,0 +1,21 @@
+---
+
+- name: setup aur.archlinux.org
+ hosts: aur.archlinux.org
+ remote_user: root
+ roles:
+ - { role: common }
+ - { role: tools }
+ - { role: sshd }
+ - { role: root_ssh }
+ - { role: certbot }
+ - { role: nginx }
+ - { role: mariadb, mariadb_innodb_buffer_pool_size: '64M', mariadb_table_open_cache: '256', mariadb_query_cache_type: '0',
+ mariadb_innodb_file_per_table: True }
+ - { role: sudo }
+ - { role: php-fpm, php_extensions: ['apc', 'apcu', 'iconv', 'mysqli', 'pdo_mysql'], zend_extensions: ['opcache'], tags: ["php-fpm"] }
+ - { role: uwsgi, tags: ["uwsgi"] }
+ - { role: borg-client, tags: ["borg"] }
+ - { role: postfix, tags: ["postfix"], postfix_relayhost: "orion.archlinux.org" }
+ - { role: fail2ban, tags: ["fail2ban"] }
+ - { role: aurweb, tags: ["aurweb"] }
-- GitLab From 75ea584f70595f11b01f4a3a9c21683b4ab76426 Mon Sep 17 00:00:00 2001
From: Giancarlo Razzolini Date: Wed, 12 Feb 2020 08:07:36 -0300 Subject: [PATCH 23/42] roles/aurweb: Remove git from the list of packages installed Since git is installed on a separate step, remove it from the main list. --- playbooks/aur.yml | 10 ---------- roles/aurweb/tasks/main.yml | 1 - 2 files changed, 11 deletions(-) delete mode 100644 playbooks/aur.yml diff --git a/playbooks/aur.yml b/playbooks/aur.yml deleted file mode 100644 index 15f53720..00000000 --- a/playbooks/aur.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- - -- name: setup aur server - hosts: 127.0.0.1 - remote_user: root - roles: - - { role: mariadb, mariadb_innodb_buffer_pool_size: '64M', tags: ['mariadb'] , configure_zabbix_agent: False} - - { role: nginx, tags: ["nginx"] } - - { role: php-fpm, php_extensions: ['pdo_mysql'], tags: ["php-fpm"] } - - { role: aur, tags: ['aur'] } diff --git a/roles/aurweb/tasks/main.yml b/roles/aurweb/tasks/main.yml index 860f8510..9ef03f24 100644 --- a/roles/aurweb/tasks/main.yml +++ b/roles/aurweb/tasks/main.yml @@ -4,7 +4,6 @@ state: present name: - asciidoc - - git - highlight - make - php-apcu -- GitLab From 751b3cf89a1ee3932feb5381b13e97e351f37b96 Mon Sep 17 00:00:00 2001 
From: Giancarlo Razzolini Date: Thu, 13 Feb 2020 15:21:40 -0300 Subject: [PATCH 24/42] roles/aurweb: Make the necessary changes to use memcached instead of apcu Add memcached to the playbook and also change the php extensions to use memcached. Removed the apcu options from defatuls and added memcached settings. Added the php-memcached packages to the list of needed packages and also remove the apcu tasks. Added the memcached systemd unit file and enable and start it from the tasks. --- playbooks/aur-dev.archlinux.org.yml | 3 ++- roles/aurweb/defaults/main.yml | 7 +++---- roles/aurweb/tasks/main.yml | 10 ++++----- roles/aurweb/templates/apcu.ini.j2 | 3 --- .../templates/aurweb-memcached.service.j2 | 21 +++++++++++++++++++ 5 files changed, 30 insertions(+), 14 deletions(-) delete mode 100644 roles/aurweb/templates/apcu.ini.j2 create mode 100644 roles/aurweb/templates/aurweb-memcached.service.j2 diff --git a/playbooks/aur-dev.archlinux.org.yml b/playbooks/aur-dev.archlinux.org.yml index 4f489501..569e0d05 100644 --- a/playbooks/aur-dev.archlinux.org.yml +++ b/playbooks/aur-dev.archlinux.org.yml @@ -13,7 +13,8 @@ - { role: mariadb, mariadb_innodb_buffer_pool_size: '64M', mariadb_table_open_cache: '256', mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: True } - { role: sudo } - - { role: php-fpm, php_extensions: ['apc', 'apcu', 'iconv', 'mysqli', 'pdo_mysql'], zend_extensions: ['opcache'] } + - { role: php-fpm, php_extensions: ['iconv', 'memcached', 'mysqli', 'pdo_mysql'], zend_extensions: ['opcache'] } + - { role: memcached, tags: ['memcached'] } - { role: uwsgi, tags: ["uwsgi"] } - { role: borg-client, tags: ["borg"] } - { role: postfix, postfix_relayhost: "orion.archlinux.org" } diff --git a/roles/aurweb/defaults/main.yml b/roles/aurweb/defaults/main.yml index 5072c2ae..1d172716 100644 --- a/roles/aurweb/defaults/main.yml +++ b/roles/aurweb/defaults/main.yml 
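Review bot: This adds `- { role: memcached, tags: ['memcached'] }` to the playbook while the tasks hunk in the same commit installs and enables the aurweb role's own `aurweb-memcached.service`; if the memcached role also enables the distribution's memcached unit, two daemons compete for the default port and the loser sits in a restart loop (`Restart=always` in the new unit). Worth confirming what the memcached role actually provides — if it only installs the package, a short comment on the role line saying so stops the next reader from asking the same question; if it starts a service, one of the two should go.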
@@ -20,10 +20,9 @@ aurweb_socket: '/run/php-fpm/{{aurweb_user}}.socket' cgit_socket: '/run/uwsgi/cgit.sock' smartgit_socket: '/run/uwsgi/smartgit.sock' -aurweb_cache: 'apc' +aurweb_cache: 'memcache' aurweb_cache_pkginfo_ttl: '86400' aurweb_request_limt: '4000' aurweb_window_length: '86400' -aurweb_apc_shm_size: '1024M' -aurweb_apc_ttl: '1800' -aurweb_apc_entries_hint: '0' +aurweb_memcached_host: 'localhost' +aurweb_memcached_memory: 2048 \ No newline at end of file diff --git a/roles/aurweb/tasks/main.yml b/roles/aurweb/tasks/main.yml index 9ef03f24..19e220ae 100644 --- a/roles/aurweb/tasks/main.yml +++ b/roles/aurweb/tasks/main.yml @@ -6,8 +6,7 @@ - asciidoc - highlight - make - - php-apcu - - php-apcu-bc + - php-memcached - pyalpm - python-bleach - python-markdown @@ -150,9 +149,6 @@ - name: start and enable systemd socket service: name=php-fpm@{{ aurweb_user }}.socket state=started enabled=true -- name: install apcu configuration - template: src=apcu.ini.j2 dest=/etc/php/conf.d/apcu.ini - - name: install cgit configuration template: src=cgitrc.j2 dest="{{ aurweb_conf_dir }}/cgitrc" @@ -227,6 +223,7 @@ - aurweb-git.timer - aurweb-aurblup.service - aurweb-aurblup.timer + - aurweb-memcached.service - aurweb-mkpkglists.service - aurweb-mkpkglists.timer - aurweb-pkgmaint.service @@ -236,11 +233,12 @@ - aurweb-tuvotereminder.service - aurweb-tuvotereminder.timer -- name: start and enable AUR systemd timers +- name: start and enable AUR systemd services and timers service: name={{ item }} enabled=yes state=started with_items: - aurweb-git.timer - aurweb-aurblup.timer + - aurweb-memcached.service - aurweb-mkpkglists.timer - aurweb-pkgmaint.timer - aurweb-popupdate.timer diff --git a/roles/aurweb/templates/apcu.ini.j2 b/roles/aurweb/templates/apcu.ini.j2 deleted file mode 100644 index 3728f454..00000000 --- a/roles/aurweb/templates/apcu.ini.j2 +++ /dev/null 
@@ -1,3 +0,0 @@
-apc.shm_size={{ aurweb_apc_shm_size }}
-apc.ttl={{ aurweb_apc_ttl }}
-apc.entries_hint={{ aurweb_apc_entries_hint }}
diff --git a/roles/aurweb/templates/aurweb-memcached.service.j2 b/roles/aurweb/templates/aurweb-memcached.service.j2 new file mode 100644
index 00000000..2db9cf65
--- /dev/null
+++ b/roles/aurweb/templates/aurweb-memcached.service.j2
@@ -0,0 +1,21 @@
+[Unit]
+Description=Aurweb Memcached Daemon
+After=network.target
+
+[Service]
+User={{ aurweb_user }}
+Group=memcached
+ExecStart=/usr/bin/memcached -l {{ aurweb_memcached_host }} -m {{ aurweb_memcached_memory }} -o modern
+Restart=always
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectHome=true
+PrivateDevices=yes
+ProtectSystem=full
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=yes
+
+[Install]
+WantedBy=multi-user.target
-- GitLab From 69ad9c76c7719b14769f93599fb2556368c62375 Mon Sep 17 00:00:00 2001 From: Giancarlo Razzolini Date: Thu, 13 Feb 2020 15:26:28 -0300 Subject: [PATCH 25/42] playbooks/aur: Sync with the aur-dev playbook Add the aur-dev changes to the aur playbook.
--- playbooks/aur.archlinux.org.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/playbooks/aur.archlinux.org.yml b/playbooks/aur.archlinux.org.yml
index dcee7504..b3166dd7 100644
--- a/playbooks/aur.archlinux.org.yml
+++ b/playbooks/aur.archlinux.org.yml
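Review bot: `ExecStart` binds to `-l {{ aurweb_memcached_host }}` (default `localhost`), which is right, but the unit says nothing about the UDP listener; recent memcached releases disable it by default while older ones keep it on, so an explicit `-U 0` on the command line makes the intent independent of the installed version. `User={{ aurweb_user }}` runs the cache as the web application's own account; a dedicated service account (the `memcached` user matching the `Group=memcached` already set) keeps the cache process, and the `ProtectSystem=full` sandbox around it, separate from the account that owns the code and repositories. The hardening directives themselves (`NoNewPrivileges`, `PrivateTmp`, `ProtectHome`, `MemoryDenyWriteExecute`) are a good baseline for this kind of daemon.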
@@ -13,7 +13,8 @@ - { role: mariadb, mariadb_innodb_buffer_pool_size: '64M', mariadb_table_open_cache: '256', mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: True } - { role: sudo } - - { role: php-fpm, php_extensions: ['apc', 'apcu', 'iconv', 'mysqli', 'pdo_mysql'], zend_extensions: ['opcache'], tags: ["php-fpm"] } + - { role: php-fpm, php_extensions: ['iconv', 'memcached', 'mysqli', 'pdo_mysql'], zend_extensions: ['opcache'], tags: ["php-fpm"] } + - { role: memcached, tags: ['memcached'] } - { role: uwsgi, tags: ["uwsgi"] } - { role: borg-client, tags: ["borg"] } - { role: postfix, tags: ["postfix"], postfix_relayhost: "orion.archlinux.org" } -- GitLab From 6c489c9bfc2d4d6354945a2dbb3a806466186813 Mon Sep 17 00:00:00 2001 From: Giancarlo Razzolini Date: Thu, 13 Feb 2020 15:41:30 -0300 Subject: [PATCH 26/42] roles/aurweb: Add the missing pieces to make smartgit work with uwsgi Added the uwsgi_modifier1 option to nginx as described on [0] and also change the chmod option on the socket to allow nginx to connect to it. [0] https://gist.github.com/janoliver/85b682227bd9fcb8942885e60208bd76 --- roles/aurweb/templates/nginx.d.conf.j2 | 1 + roles/aurweb/templates/smartgit.ini.j2 | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/aurweb/templates/nginx.d.conf.j2 b/roles/aurweb/templates/nginx.d.conf.j2 index 152c9204..cae22b1e 100644 --- a/roles/aurweb/templates/nginx.d.conf.j2 +++ b/roles/aurweb/templates/nginx.d.conf.j2 @@ -47,6 +47,7 @@ server { location ~ "^/([a-z0-9][a-z0-9.+_-]*?)(\.git)?/(git-(receive|upload)-pack|HEAD|info/refs|objects/(info/(http-)?alternates|packs)|[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(pack|idx))$" { include uwsgi_params; uwsgi_pass smartgit; + uwsgi_modifier1 9; uwsgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend; uwsgi_param PATH_INFO /aur.git/$3; uwsgi_param GIT_HTTP_EXPORT_ALL ""; 
diff --git a/roles/aurweb/templates/smartgit.ini.j2 b/roles/aurweb/templates/smartgit.ini.j2 index f4ff82a7..aaf94348 100644 --- a/roles/aurweb/templates/smartgit.ini.j2 +++ b/roles/aurweb/templates/smartgit.ini.j2 @@ -2,6 +2,7 @@ plugins = cgi socket = {{ smartgit_socket }} chown-socket = {{ aurweb_user }}:http +chmod-socket = 770 threads = 4 cgi = /usr/lib/git-core/git-http-backend uid = {{ aurweb_user }} -- GitLab From e70ab6ce45acd4a790a845b5fa91ded8831a78f3 Mon Sep 17 00:00:00 2001 From: Giancarlo Razzolini Date: Mon, 17 Feb 2020 14:01:25 -0300 Subject: [PATCH 27/42] roles/aurweb: Change aurweb role to support sshd includes Added support for the aurweb role to the new openssh include mechanism, that's baked into our sshd role. --- playbooks/aur-dev.archlinux.org.yml | 2 +- roles/aurweb/tasks/main.yml | 2 +- roles/aurweb/templates/aurweb_config.j2 | 5 +++++ 3 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 roles/aurweb/templates/aurweb_config.j2 diff --git a/playbooks/aur-dev.archlinux.org.yml b/playbooks/aur-dev.archlinux.org.yml index 569e0d05..adf4e69b 100644 --- a/playbooks/aur-dev.archlinux.org.yml +++ b/playbooks/aur-dev.archlinux.org.yml @@ -6,7 +6,7 @@ roles: - { role: common } - { role: tools } - - { role: sshd } + - { role: sshd, sshd_enable_includes: true } - { role: root_ssh } - { role: certbot } - { role: nginx } diff --git a/roles/aurweb/tasks/main.yml b/roles/aurweb/tasks/main.yml index 19e220ae..cba246d6 100644 --- a/roles/aurweb/tasks/main.yml +++ b/roles/aurweb/tasks/main.yml @@ -245,6 +245,6 @@ - aurweb-tuvotereminder.timer - name: configure sshd - template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644 validate='/usr/sbin/sshd -t -f %s' + template: src=aurweb_config.j2 dest={{ sshd_includes_dir }}/aurweb_config owner=root group=root mode=0600 validate='/usr/sbin/sshd -t -f %s' notify: - restart sshd 
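Review bot: Only playbooks/aur-dev.archlinux.org.yml gets `sshd_enable_includes: true`, but the tasks hunk in this commit changes the aurweb role to write its `Match User` block to `{{ sshd_includes_dir }}/aurweb_config` for every host using the role; playbooks/aur.archlinux.org.yml (added in patch 22 and synced in patch 25 on this page) still has a bare `- { role: sshd }`. On that host the include presumably is never read, so `AuthorizedKeysCommand` and `PasswordAuthentication no` for the aur user silently stop applying — or the task fails outright if `sshd_includes_dir` is undefined without the flag. The same one-line change, `- { role: sshd, sshd_enable_includes: true }`, belongs in the aur playbook. Also note that `validate='/usr/sbin/sshd -t -f %s'` now validates the fragment on its own, which catches syntax errors but not conflicts with the main sshd_config; the `restart sshd` handler is where a bad merge would surface.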
diff --git a/roles/aurweb/templates/aurweb_config.j2 b/roles/aurweb/templates/aurweb_config.j2 new file mode 100644
index 00000000..371524a3
--- /dev/null
+++ b/roles/aurweb/templates/aurweb_config.j2
@@ -0,0 +1,5 @@
+Match User {{ aurweb_user }}
+ PasswordAuthentication no
+ AuthorizedKeysCommand /usr/local/bin/aurweb-git-auth "%t" "%k"
+ AuthorizedKeysCommandUser {{ aurweb_user }}
+ AcceptEnv AUR_OVERWRITE
-- GitLab From 68d7682cdd7c96984cc930ebc527982feba4356c Mon Sep 17 00:00:00 2001 From: Giancarlo Razzolini Date: Tue, 18 Feb 2020 07:12:23 -0300 Subject: [PATCH 28/42] roles/aurweb: Delete the sshd_config leftover file Since we are using Include, remove the sshd_config file.
--- roles/aurweb/templates/sshd_config.j2 | 127 -------------------------- 1 file changed, 127 deletions(-) delete mode 100644 roles/aurweb/templates/sshd_config.j2
diff --git a/roles/aurweb/templates/sshd_config.j2 b/roles/aurweb/templates/sshd_config.j2 deleted file mode 100644
index 3d5f2193..00000000
--- a/roles/aurweb/templates/sshd_config.j2
+++ /dev/null
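Review bot: The new fragment carries only the `Match User {{ aurweb_user }}` block; the global settings that the role's full sshd_config.j2 used to pin (`ChallengeResponseAuthentication no`, `LogLevel VERBOSE`, `StreamLocalBindUnlink yes`, the global `PasswordAuthentication no`) are now the sshd role's responsibility and nothing here confirms it sets them. A one-line header comment in the template, `# Global sshd hardening comes from the sshd role; this file only scopes the aur user`, records that hand-off for whoever reads the fragment on its own. `AuthorizedKeysCommandUser {{ aurweb_user }}` runs the key lookup helper as the aur account itself; if that helper only needs database read access, a less privileged user would be the safer choice — hedged, since the helper is not on this page.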
@@ -1,127 +0,0 @@
-# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
-
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options override the
-# default value.
-
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-LogLevel VERBOSE
-
-# Authentication:
-
-#LoginGraceTime 2m
-#PermitRootLogin prohibit-password
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
-#PubkeyAuthentication yes
-
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile .ssh/authorized_keys
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-PasswordAuthentication no
-#PermitEmptyPasswords no
-
-# Change to no to disable s/key passwords
-ChallengeResponseAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-#X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-PrintMotd no # pam does that
-#PrintLastLog yes
-#TCPKeepAlive yes
-#UseLogin no
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS no
-#PidFile /run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# override default of no subsystems
-Subsystem sftp /usr/lib/ssh/sftp-server
-
-# unlink forwarded sockets; for gpg agent forwarding
-StreamLocalBindUnlink yes
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# PermitTTY no
-# ForceCommand cvs server
-
-Match User {{ aurweb_user }}
- PasswordAuthentication no
- AuthorizedKeysCommand /usr/local/bin/aurweb-git-auth "%t" "%k"
- AuthorizedKeysCommandUser {{ aurweb_user }}
- AcceptEnv AUR_OVERWRITE
-- GitLab
From 5a7dc13b81a8ab30073690fc4c86e6c8cc4070e2 Mon Sep 17 00:00:00 2001 From: Giancarlo Razzolini Date: Thu, 27 Feb 2020 18:44:53 -0300 Subject: [PATCH 29/42] vault_aurweb: Change aurweb db password --- group_vars/all/vault_aurweb.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/group_vars/all/vault_aurweb.yml b/group_vars/all/vault_aurweb.yml index 1d018afc..92e0c12b 100644 --- a/group_vars/all/vault_aurweb.yml +++ b/group_vars/all/vault_aurweb.yml @@ -1,8 +1,8 @@ $ANSIBLE_VAULT;1.1;AES256 -34656165383465373234346338666332623833393766396535373364656465616133373336643933 -6562653563373436396564343433636131633230396466310a383266356131366561393234353631 -65633262373765353436633639323537313435613234633465636265346331303337393039336433 -3965646462323564610a633139333432653030626332616562623538313663303939653362633331 -31373034646534373765663232336265343738303261363865636664666636313135623336656432 -38386639333737643162633365653731376535316565626563623235326566353466313536386234 -386330353834656439373966356538626664 +66613036313336393231313839303731346131383434303632626336653231383532333236663031 +6431643637346238646633353039356430363533643332380a303836626635366261383064393339 +32383263356566373061363961623864663038666230306239666562333336343963336631306438 +3638663363323565300a343665383330323837643135653439623733396636616639636364646430 +61653538623662366636396132313031326632313162373063363562353932613136663166663238 +61393464343264306434396462613739613763366333353339343966343137386130636565623836 +313730336638643830386635306261346163 -- GitLab From 68ac0ae15836e16476ce30e3900e16cc6e1a3a95 Mon Sep 17 00:00:00 2001 
From: Giancarlo Razzolini Date: Tue, 21 Jul 2020 10:58:56 -0300 Subject: [PATCH 30/42] wip/aur: Fix linting issues The wip/aur branch was not checked for linting issues. Some of them were fixed, but, particularly the git commands for setting the AUR repo, were skipped, because the git module does not necessarily cover all the needs. Might be worth taking a look about it on the future. --- roles/aurweb/handlers/main.yml | 3 ++- roles/aurweb/tasks/main.yml | 46 +++++++++++++++++++++------------- 2 files changed, 31 insertions(+), 18 deletions(-) diff --git a/roles/aurweb/handlers/main.yml b/roles/aurweb/handlers/main.yml index 5b62cf7c..e4e6493d 100644 --- a/roles/aurweb/handlers/main.yml +++ b/roles/aurweb/handlers/main.yml @@ -1,7 +1,8 @@ --- - name: daemon reload - command: systemctl daemon-reload + systemd: + daemon-reload: yes - name: restart php-fpm@{{ aurweb_user }} service: name=php-fpm@{{ aurweb_user }} state=restarted diff --git a/roles/aurweb/tasks/main.yml b/roles/aurweb/tasks/main.yml index cba246d6..11ebe22d 100644 --- a/roles/aurweb/tasks/main.yml +++ b/roles/aurweb/tasks/main.yml @@ -34,7 +34,7 @@ user: name="{{ aurweb_user }}" shell=/bin/bash createhome=yes - name: Create directory - file: path={{ aurweb_dir }} state=directory owner={{aurweb_user}} group=http mode=0775 + file: path={{ aurweb_dir }} state=directory owner={{ aurweb_user }} group=http mode=0775 - name: clone aurweb repo git: > @@ -42,7 +42,7 @@ dest="{{ aurweb_dir }}" version={{ aurweb_version }} become: true - become_user: "{{aurweb_user}}" + become_user: "{{ aurweb_user }}" register: release - name: clone Trusted User documentation repo @@ -55,7 +55,7 @@ register: tubylaws_release - name: create necessary directories - file: path={{ aurweb_dir}}/{{ item }} state=directory owner={{ aurweb_user }} group={{ aurweb_user }} + file: path={{ aurweb_dir }}/{{ item }} state=directory owner={{ aurweb_user }} group={{ aurweb_user }} with_items: - 'aurblup' - 'sessions' 
@@ -73,11 +73,11 @@ priv="{{ aurweb_db }}.*:ALL" no_log: true -- name: check if db is imported - shell: mysql -u {{ aurweb_db_user }} -p{{ vault_aurweb_db_password }} -e "SELECT ID FROM Users" {{ aurweb_db }} - ignore_errors: true +- name: check if db exists + mysql_db: + name: "{{ aurweb_db }}" + state: present register: db_imported - no_log: true - name: import aur sql db mysql_db: @@ -86,7 +86,7 @@ login_host: "{{ aurweb_db_host }}" login_password: "{{ vault_mariadb_users.root }}" target: "{{ aurweb_dir }}/schema/aur-schema.sql" - when: db_imported.rc != 0 + when: db_imported.changed no_log: true - name: create aurweb conf dir @@ -99,22 +99,23 @@ template: src=config.j2 dest={{ aurweb_conf_dir }}/config - name: Install python module - shell: "python3 setup.py install --install-scripts=/usr/local/bin" + command: "python3 setup.py install --install-scripts=/usr/local/bin" args: chdir: "{{ aurweb_dir }}" + creates: /usr/local/bin/aurweb-* - name: Generate HTML documentation make: chdir: "{{ aurweb_dir }}/doc" become: true - become_user: "{{aurweb_user}}" + become_user: "{{ aurweb_user }}" - name: Generate Translations make: chdir: "{{ aurweb_dir }}/po" target: "install" become: true - become_user: "{{aurweb_user}}" + become_user: "{{ aurweb_user }}" - name: Generate Trusted User documentation make: 
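Review bot: The renamed `check if db exists` task carries no `login_host`/`login_password`, while the `import aur sql db` task right below it connects to `{{ aurweb_db_host }}` with `vault_mariadb_users.root`, so the existence check and the import may not be talking to the same server or authenticating as the same identity; `state: present` also creates the database as a side effect, which the task name hides. Give the check the same two login lines, `login_host: "{{ aurweb_db_host }}"` and `login_password: "{{ vault_mariadb_users.root }}"`, and put `no_log: true` back on it once a password is among its arguments. Dropping the old `mysql -p{{ vault_aurweb_db_password }}` shell line is an improvement on its own, since that form exposed the password on the command line.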
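Review bot: `creates: /usr/local/bin/aurweb-*` turns `Install python module` into a one-time install: once any matching script exists the task is skipped for good, so a later change of `aurweb_version` updates the checkout but never reinstalls the module. The clone task already registers `release`, so `when: release.changed` (alone, or combined with `creates` for the first run) re-runs the install exactly when the code changed. The `shell`→`command` switch is fine, the line uses no shell features.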
@@ -171,44 +172,55 @@ when: git.changed - name: create git repo dir - file: path={{ aurweb_git_dir }} state=directory owner={{aurweb_user}} group=http mode=0775 + file: path={{ aurweb_git_dir }} state=directory owner={{ aurweb_user }} group=http mode=0775 - name: init git directory command: git init --bare {{ aurweb_git_dir }} args: creates: "{{ aurweb_git_dir }}/HEAD" become: true - become_user: "{{aurweb_user}}" + become_user: "{{ aurweb_user }}" + tags: + - skip_ansible_lint -- shell: git config --local --get-all transfer.hideRefs +- name: save hideRefs setting on var + command: git config --local --get-all transfer.hideRefs register: git_config args: chdir: "{{ aurweb_git_dir }}" failed_when: git_config.rc == 2 # FIXME: does not work. + tags: + - skip_ansible_lint - name: configure git tranfser.hideRefs command: git config --local transfer.hideRefs '^refs/' args: chdir: "{{ aurweb_git_dir }}" become: true - become_user: "{{aurweb_user}}" + become_user: "{{ aurweb_user }}" when: git_config.stdout.find('^refs/') == -1 + tags: + - skip_ansible_lint - name: configure git transfer.hideRefs second command: git config --local --add transfer.hideRefs '!refs/' args: chdir: "{{ aurweb_git_dir }}" become: true - become_user: "{{aurweb_user}}" + become_user: "{{ aurweb_user }}" when: git_config.stdout.find('!refs/') == -1 + tags: + - skip_ansible_lint - name: configure git transfer.hideRefs third command: git config --local --add transfer.hideRefs '!HEAD' args: chdir: "{{ aurweb_git_dir }}" become: true - become_user: "{{aurweb_user}}" + become_user: "{{ aurweb_user }}" when: git_config.stdout.find('!HEAD') == -1 + tags: + - skip_ansible_lint - name: create symlink for git hook file: -- GitLab From c8098e0b271c08c1857c4ace877bee9404d49179 Mon Sep 17 00:00:00 2001 
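Review bot: The three conditional `configure git ... hideRefs` tasks handle a fresh repository but not a partially configured one: `git config --local transfer.hideRefs '^refs/'` (no `--add`) is refused by git when the key already holds several values, and since git gives later hideRefs entries precedence, `--add`-ing a missing entry to the end can produce a different ordering, and so different visibility, than a first run would. Replacing the three tasks with one that compares the full list and resets it when it differs keeps the order fixed and is idempotent. The `save hideRefs setting on var` lookup also runs as root while every write uses `become_user: "{{ aurweb_user }}"`; giving it the same `become` pair keeps lookup and writes under one identity, and the `# FIXME: does not work.` next to `failed_when` should state what fails. The task file continues on both sides of the hunk.
```yaml
- name: configure git transfer.hideRefs
  shell: |
    git config --local --unset-all transfer.hideRefs || true
    git config --local --add transfer.hideRefs '^refs/'
    git config --local --add transfer.hideRefs '!refs/'
    git config --local --add transfer.hideRefs '!HEAD'
  args:
    chdir: "{{ aurweb_git_dir }}"
  become: true
  become_user: "{{ aurweb_user }}"
  # order matters: later hideRefs entries take precedence, so reset the whole list
  when: git_config.stdout_lines != ['^refs/', '!refs/', '!HEAD']
  tags:
    - skip_ansible_lint
# … unchanged: create symlink for git hook …
```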
From: Giancarlo Razzolini Date: Wed, 22 Jul 2020 11:12:30 -0300 Subject: [PATCH 31/42] roles/aurweb: Change URL to point to gitlab Change the URL's of the aurweb project and the tu-bylaws project to point to gitlab instead of git.archlinux.org. --- roles/aurweb/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/aurweb/defaults/main.yml b/roles/aurweb/defaults/main.yml index 1d172716..835f963d 100644 --- a/roles/aurweb/defaults/main.yml +++ b/roles/aurweb/defaults/main.yml @@ -1,8 +1,8 @@ --- aurweb_domain: 'aur.archlinux.org' -aurweb_repository: 'https://git.archlinux.org/aurweb.git' -tubylaws_repository: 'https://git.archlinux.org/tu-bylaws.git' +aurweb_repository: 'https://gitlab.archlinux.org/archlinux/aurweb.git' +tubylaws_repository: 'https://gitlab.archlinux.org/archlinux/tu-bylaws.git' aurweb_dir: '/srv/http/aurweb' aurweb_conf_dir: '/etc/aurweb' aurweb_git_dir: "{{ aurweb_dir }}/aur.git" -- GitLab From c7963acb815606ac9a73557c8e7cebfa4d2e285e Mon Sep 17 00:00:00 2001 From: Giancarlo Razzolini Date: Wed, 22 Jul 2020 11:31:16 -0300 Subject: [PATCH 32/42] roles/aurweb: Change tasks to work with the new DB method Added python-alembic to the package list and also running initdb.py for creating the tables when the database is created and alembic update when there's changes to the code. --- roles/aurweb/tasks/main.yml | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/roles/aurweb/tasks/main.yml b/roles/aurweb/tasks/main.yml index 11ebe22d..69aa39b4 100644 --- a/roles/aurweb/tasks/main.yml +++ b/roles/aurweb/tasks/main.yml @@ -8,6 +8,7 @@ - make - php-memcached - pyalpm + - python-alembic - python-bleach - python-markdown - python-mysql-connector 
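Review bot: The new `aurweb_repository`/`tubylaws_repository` values are plain https clones, which is fine, but what ends up running on the host is selected by `aurweb_version` (the clone task passes `version={{ aurweb_version }}`, and the aur-dev playbook sets it to the branch `pu`) and is then installed by `python3 setup.py install`, which has no `become_user` and so presumably runs as root; a moving branch makes that install unreproducible and hard to review after the fact. For production, pin `aurweb_version` to a tag or commit id in this defaults file, `aurweb_version: '<pinned tag or commit>'`, and bump it deliberately. The default value of `aurweb_version` is outside the hunk, so treat this as an assumption to confirm.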
@@ -73,21 +74,21 @@ priv="{{ aurweb_db }}.*:ALL" no_log: true -- name: check if db exists - mysql_db: - name: "{{ aurweb_db }}" - state: present - register: db_imported - -- name: import aur sql db - mysql_db: - state: import - name: "{{ aurweb_db }}" - login_host: "{{ aurweb_db_host }}" - login_password: "{{ vault_mariadb_users.root }}" - target: "{{ aurweb_dir }}/schema/aur-schema.sql" - when: db_imported.changed - no_log: true +- name: initialize the database + command: python aurweb/initdb.py + args: + chdir: "{{ aurweb_dir }}" + become: true + become_user: "{{ aurweb_user }}" + when: db_created.changed + +- name: run migrations + command: alembic upgrade head + args: + chdir: "{{ aurweb_dir }}" + become: true + become_user: "{{ aurweb_user }}" + when: release.changed or db_created.changed - name: create aurweb conf dir file: path={{ aurweb_conf_dir }} state=directory -- GitLab From 2bb914bac6ee4e7a1f0c5abca2e1aa8208e8629a Mon Sep 17 00:00:00 2001 From: Giancarlo Razzolini Date: Wed, 22 Jul 2020 14:58:10 -0300 Subject: [PATCH 33/42] tf-stage1: Add the server for aur.archlinux.org Added the server for the aur.archlinux.org migration. Used a CPX31 server, since AUR requires a bit more resources. --- tf-stage1/archlinux.tf | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/tf-stage1/archlinux.tf b/tf-stage1/archlinux.tf index 5d99cbd9..e2a7c7ee 100644 --- a/tf-stage1/archlinux.tf +++ b/tf-stage1/archlinux.tf @@ -163,6 +163,21 @@ resource "hcloud_server" "bugs" { } } +resource "hcloud_rdns" "aur" { + server_id = hcloud_server.aur.id + ip_address = hcloud_server.aur.ipv4_address + dns_ptr = "aur.archlinux.org" +} + +resource "hcloud_server" "aur" { + name = "aur.archlinux.org" + image = data.hcloud_image.archlinux.id + server_type = "cpx31" + lifecycle { + ignore_changes = [image] + } +} + resource "hcloud_rdns" "aur-dev" { server_id = hcloud_server.aur-dev.id ip_address = hcloud_server.aur-dev.ipv4_address -- GitLab 
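Review bot: Both new tasks gate on `db_created.changed`, but nothing in the hunk registers `db_created`; the block being replaced was where a result was registered (`db_imported`), and the only task visible above is the user grant ending in `priv=... no_log: true`. Unless the database-creation task outside the hunk already has `register: db_created`, the first run fails with an undefined variable, so that `register:` belongs in this commit, or the message should say where it lives. The task file continues above and below the hunk.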
From 19c16c48d4cdb72c8a9c2057450162de7de50212 Mon Sep 17 00:00:00 2001 From: Giancarlo Razzolini Date: Wed, 22 Jul 2020 15:01:57 -0300 Subject: [PATCH 34/42] hosts: Add aur.archlinux.org to the hosts file. --- hosts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hosts b/hosts index 834ba0a4..052883fc 100644 --- a/hosts +++ b/hosts @@ -40,6 +40,7 @@ phrik.archlinux.org bbs.archlinux.org homedir.archlinux.org bugs.archlinux.org +aur.archlinux.org aur-dev.archlinux.org gitlab.archlinux.org accounts.archlinux.org @@ -57,6 +58,7 @@ apollo.archlinux.org luna.archlinux.org bbs.archlinux.org bugs.archlinux.org +aur.archlinux.org aur-dev.archlinux.org [postgresql_servers] @@ -71,6 +73,7 @@ luna.archlinux.org orion.archlinux.org bbs.archlinux.org bugs.archlinux.org +aur.archlinux.org aur-dev.archlinux.org [buildservers] -- GitLab From f7c3847e65bf5febfce0a98bd145cbf8db2f87d1 Mon Sep 17 00:00:00 2001 From: Giancarlo Razzolini Date: Thu, 23 Jul 2020 11:56:11 -0300 Subject: [PATCH 35/42] playbooks: Remove tags from AUR playbooks and sync aur/aur-dev Removed tags from playbooks, since they are auto-generated and also synced the aur.archlinux.org playbook with aur-dev.archlinux.org one. --- playbooks/aur-dev.archlinux.org.yml | 6 +++--- playbooks/aur.archlinux.org.yml | 16 ++++++++-------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/playbooks/aur-dev.archlinux.org.yml b/playbooks/aur-dev.archlinux.org.yml index adf4e69b..05af864f 100644 --- a/playbooks/aur-dev.archlinux.org.yml +++ b/playbooks/aur-dev.archlinux.org.yml 
@@ -14,9 +14,9 @@ mariadb_innodb_file_per_table: True } - { role: sudo } - { role: php-fpm, php_extensions: ['iconv', 'memcached', 'mysqli', 'pdo_mysql'], zend_extensions: ['opcache'] } - - { role: memcached, tags: ['memcached'] } - - { role: uwsgi, tags: ["uwsgi"] } - - { role: borg-client, tags: ["borg"] } + - { role: memcached } + - { role: uwsgi } + - { role: borg-client } - { role: postfix, postfix_relayhost: "orion.archlinux.org" } - { role: fail2ban } - { role: aurweb, aurweb_domain: 'aur-dev.archlinux.org', aurweb_version: 'pu' } diff --git a/playbooks/aur.archlinux.org.yml b/playbooks/aur.archlinux.org.yml index b3166dd7..3d08846b 100644 --- a/playbooks/aur.archlinux.org.yml +++ b/playbooks/aur.archlinux.org.yml @@ -6,17 +6,17 @@ roles: - { role: common } - { role: tools } - - { role: sshd } + - { role: sshd, sshd_enable_includes: true } - { role: root_ssh } - { role: certbot } - { role: nginx } - { role: mariadb, mariadb_innodb_buffer_pool_size: '64M', mariadb_table_open_cache: '256', mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: True } - { role: sudo } - - { role: php-fpm, php_extensions: ['iconv', 'memcached', 'mysqli', 'pdo_mysql'], zend_extensions: ['opcache'], tags: ["php-fpm"] } - - { role: memcached, tags: ['memcached'] } - - { role: uwsgi, tags: ["uwsgi"] } - - { role: borg-client, tags: ["borg"] } - - { role: postfix, tags: ["postfix"], postfix_relayhost: "orion.archlinux.org" } - - { role: fail2ban, tags: ["fail2ban"] } - - { role: aurweb, tags: ["aurweb"] } + - { role: php-fpm, php_extensions: ['iconv', 'memcached', 'mysqli', 'pdo_mysql'], zend_extensions: ['opcache'] } + - { role: memcached } + - { role: uwsgi } + - { role: borg-client } + - { role: postfix, postfix_relayhost: "orion.archlinux.org" } + - { role: fail2ban } + - { role: aurweb } -- GitLab From 9f3d64228d2e5bb319a8550ed71a1d57eae981a6 Mon Sep 17 00:00:00 2001 
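Review bot: `- { role: sshd, sshd_enable_includes: true }` introduces a new sshd setting on the production host, yet the message describes the commit as removing auto-generated tags and syncing with aur-dev, and the aur-dev sshd line is outside the visible hunk, so whether this is a sync or a new setting cannot be told from the diff. Because it changes where sshd takes its configuration from, name it in the message, e.g. `Also set sshd_enable_includes: true on aur.archlinux.org, needed for <the drop-in it serves>.`, with the drop-in spelled out.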
From: Giancarlo Razzolini Date: Thu, 23 Jul 2020 13:29:21 -0300 Subject: [PATCH 36/42] playbooks: Add back the borg tag Added the borg tag again, since it's useful for running borg related tasks. --- playbooks/aur-dev.archlinux.org.yml | 2 +- playbooks/aur.archlinux.org.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/aur-dev.archlinux.org.yml b/playbooks/aur-dev.archlinux.org.yml index 05af864f..304855b4 100644 --- a/playbooks/aur-dev.archlinux.org.yml +++ b/playbooks/aur-dev.archlinux.org.yml @@ -16,7 +16,7 @@ - { role: php-fpm, php_extensions: ['iconv', 'memcached', 'mysqli', 'pdo_mysql'], zend_extensions: ['opcache'] } - { role: memcached } - { role: uwsgi } - - { role: borg-client } + - { role: borg-client, tags: ["borg"] } - { role: postfix, postfix_relayhost: "orion.archlinux.org" } - { role: fail2ban } - { role: aurweb, aurweb_domain: 'aur-dev.archlinux.org', aurweb_version: 'pu' } diff --git a/playbooks/aur.archlinux.org.yml b/playbooks/aur.archlinux.org.yml index 3d08846b..bb0f9da6 100644 --- a/playbooks/aur.archlinux.org.yml +++ b/playbooks/aur.archlinux.org.yml @@ -16,7 +16,7 @@ - { role: php-fpm, php_extensions: ['iconv', 'memcached', 'mysqli', 'pdo_mysql'], zend_extensions: ['opcache'] } - { role: memcached } - { role: uwsgi } - - { role: borg-client } + - { role: borg-client, tags: ["borg"] } - { role: postfix, postfix_relayhost: "orion.archlinux.org" } - { role: fail2ban } - { role: aurweb } -- GitLab From 32589f4637aae3c1dd3a4d592e97fac59c81dbcf Mon Sep 17 00:00:00 2001 From: Giancarlo Razzolini Date: Thu, 23 Jul 2020 13:50:02 -0300 Subject: [PATCH 37/42] roles/aurweb: Randomize that start time of the aurweb-git service Added RandomizedDelaySec to make the aurweb-git.service to start on a different time than the borg backup, so the machine does not hammered by both running at the same time. --- roles/aurweb/templates/aurweb-git.timer.j2 | 1 + 1 file changed, 1 insertion(+) 
diff --git a/roles/aurweb/templates/aurweb-git.timer.j2 b/roles/aurweb/templates/aurweb-git.timer.j2 index f9576609..1448d8c3 100644 --- a/roles/aurweb/templates/aurweb-git.timer.j2 +++ b/roles/aurweb/templates/aurweb-git.timer.j2 @@ -3,6 +3,7 @@ Description=Git gc & repack AUR [Timer] OnCalendar=daily +RandomizedDelaySec=1h [Install] WantedBy=timers.target -- GitLab From 0d12e7290eab078c3231bebe8d60e62e741eb837 Mon Sep 17 00:00:00 2001 From: Giancarlo Razzolini Date: Thu, 23 Jul 2020 15:23:20 -0300 Subject: [PATCH 38/42] roles/aurweb: Switch to using a socket for memcached For security reasons, switch to using a socket for memcached on aurweb. --- roles/aurweb/defaults/main.yml | 2 +- roles/aurweb/templates/aurweb-memcached.service.j2 | 2 +- roles/aurweb/templates/config.j2 | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/aurweb/defaults/main.yml b/roles/aurweb/defaults/main.yml index 835f963d..d35d66da 100644 --- a/roles/aurweb/defaults/main.yml +++ b/roles/aurweb/defaults/main.yml @@ -24,5 +24,5 @@ aurweb_cache: 'memcache' aurweb_cache_pkginfo_ttl: '86400' aurweb_request_limt: '4000' aurweb_window_length: '86400' -aurweb_memcached_host: 'localhost' +aurweb_memcached_socket: '/run/memcached/aurweb.sock' aurweb_memcached_memory: 2048 \ No newline at end of file diff --git a/roles/aurweb/templates/aurweb-memcached.service.j2 b/roles/aurweb/templates/aurweb-memcached.service.j2 index 2db9cf65..8971030b 100644 --- a/roles/aurweb/templates/aurweb-memcached.service.j2 +++ b/roles/aurweb/templates/aurweb-memcached.service.j2 @@ -5,7 +5,7 @@ After=network.target [Service] User={{ aurweb_user }} Group=memcached -ExecStart=/usr/bin/memcached -l {{ aurweb_memcached_host }} -m {{ aurweb_memcached_memory }} -o modern +ExecStart=/usr/bin/memcached -s {{ aurweb_memcached_socket }} -m {{ aurweb_memcached_memory }} -o modern Restart=always NoNewPrivileges=yes PrivateTmp=yes 
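Review bot: `ExecStart=/usr/bin/memcached -s {{ aurweb_memcached_socket }} ...` needs the socket's parent directory (`/run/memcached` with the new default) to exist on a tmpfs `/run`, and nothing in the hunk creates it; if the unit has no `RuntimeDirectory=` line (the rest of `[Service]` is outside the hunk) and no other role creates the directory, the service fails on first boot. `RuntimeDirectory=memcached` in `[Service]` makes the unit self-contained. The socket is created with memcached's default access mask, so the php-fpm pool that consumes it has to run as the same user (the handlers' `php-fpm@{{ aurweb_user }}` suggests it does); a one-line comment above `ExecStart`, `# unix socket: reachable by {{ aurweb_user }} only`, records that dependency. Moving off TCP is the right direction.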
diff --git a/roles/aurweb/templates/config.j2 b/roles/aurweb/templates/config.j2 index bb6ce2d7..a79ea7f3 100644 --- a/roles/aurweb/templates/config.j2 +++ b/roles/aurweb/templates/config.j2 @@ -15,6 +15,7 @@ cache = {{ aurweb_cache }} cache_pkginfo_ttl = {{ aurweb_cache_pkginfo_ttl }} git_clone_uri_anon = https://{{ aurweb_domain }}/%s.git git_clone_uri_priv = ssh://{{ aurweb_user }}@{{ aurweb_domain }}/%s.git +memcache_servers = {{ aurweb_memcached_socket }}:0 [ratelimit] request_limit = {{ aurweb_request_limt }} -- GitLab From c2b464e780c9ddc7ea145e98663cbd8d1d044ab8 Mon Sep 17 00:00:00 2001 From: Giancarlo Razzolini Date: Fri, 24 Jul 2020 08:33:54 -0300 Subject: [PATCH 39/42] host_vars: Add the vars for aur.archlinux.org and change the README Added the missing host_vars file for aur.archlinux.org and changed the README to reflect it's move. --- README.md | 7 +++++-- host_vars/aur.archlinux.org | 14 ++++++++++++++ 2 files changed, 19 insertions(+), 2 deletions(-) create mode 100644 host_vars/aur.archlinux.org diff --git a/README.md b/README.md index e037e0db..1639bea6 100644 --- a/README.md +++ b/README.md @@ -159,7 +159,6 @@ The following steps should be used to update our managed servers: #### Services - - aur (aur.archlinux.org) - mailman - projects (projects.archlinux.org) @@ -167,10 +166,14 @@ The following steps should be used to update our managed servers: #### Services - wiki (wiki.archlinux.org) - - bugs (bugs.archlinux.org) - archweb - patchwork +## aur.archlinux.org + +#### Services + - aurweb + ## bugs.archlinux.org #### Services diff --git a/host_vars/aur.archlinux.org b/host_vars/aur.archlinux.org new file mode 100644 index 00000000..978e6a09 --- /dev/null +++ b/host_vars/aur.archlinux.org 
@@ -0,0 +1,14 @@ +--- +filesystem: btrfs +zabbix_agent_templates: + - Template OS Linux + - Template App Borg Backup + - Template App HTTP Service + - Template App HTTPS Service + - Template App MySQL + - Template App Nginx + +fail2ban_jails: + sshd: true + postfix: false + dovecot: false -- GitLab From 3d850c1ecf3cd851507be88a0ded5c5eb2e913af Mon Sep 17 00:00:00 2001 From: Giancarlo Razzolini Date: Fri, 24 Jul 2020 11:51:54 -0300 Subject: [PATCH 40/42] roles/aurweb: Fix a typo on the Type for each aurweb service When installing the units, systemd was ignoring the Type of the unit due to the capital O. Change it for the proper type. --- roles/aurweb/templates/aurweb-aurblup.service.j2 | 2 +- roles/aurweb/templates/aurweb-git.service.j2 | 2 +- roles/aurweb/templates/aurweb-mkpkglists.service.j2 | 2 +- roles/aurweb/templates/aurweb-pkgmaint.service.j2 | 2 +- roles/aurweb/templates/aurweb-popupdate.service.j2 | 2 +- roles/aurweb/templates/aurweb-tuvotereminder.service.j2 | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/aurweb/templates/aurweb-aurblup.service.j2 b/roles/aurweb/templates/aurweb-aurblup.service.j2 index 4d69f29a..91d252b2 100644 --- a/roles/aurweb/templates/aurweb-aurblup.service.j2 +++ b/roles/aurweb/templates/aurweb-aurblup.service.j2 @@ -4,6 +4,6 @@ Requires=mysqld.service After=mysqld.service [Service] -Type=Oneshot +Type=oneshot User={{ aurweb_user }} ExecStart=/usr/local/bin/aurweb-aurblup diff --git a/roles/aurweb/templates/aurweb-git.service.j2 b/roles/aurweb/templates/aurweb-git.service.j2 index 6638355a..8fb3f47b 100644 --- a/roles/aurweb/templates/aurweb-git.service.j2 +++ b/roles/aurweb/templates/aurweb-git.service.j2 @@ -2,7 +2,7 @@ Description=Git gc AUR [Service] -Type=Oneshot +Type=oneshot User={{ aurweb_user }} WorkingDirectory={{ aurweb_git_dir }} ExecStart=/usr/bin/git gc 
diff --git a/roles/aurweb/templates/aurweb-mkpkglists.service.j2 b/roles/aurweb/templates/aurweb-mkpkglists.service.j2
index e04e14e2..b3a6c14c 100644
--- a/roles/aurweb/templates/aurweb-mkpkglists.service.j2
+++ b/roles/aurweb/templates/aurweb-mkpkglists.service.j2
@@ -4,6 +4,6 @@ Requires=mysqld.service
 After=mysqld.service
 [Service]
-Type=Oneshot
+Type=oneshot
 User={{ aurweb_user }}
 ExecStart=/usr/local/bin/aurweb-mkpkglists
diff --git a/roles/aurweb/templates/aurweb-pkgmaint.service.j2 b/roles/aurweb/templates/aurweb-pkgmaint.service.j2
index 1f01b525..1cc78a54 100644
--- a/roles/aurweb/templates/aurweb-pkgmaint.service.j2
+++ b/roles/aurweb/templates/aurweb-pkgmaint.service.j2
@@ -4,6 +4,6 @@ Requires=mysqld.service
 After=mysqld.service
 [Service]
-Type=Oneshot
+Type=oneshot
 User={{ aurweb_user }}
 ExecStart=/usr/local/bin/aurweb-pkgmaint
diff --git a/roles/aurweb/templates/aurweb-popupdate.service.j2 b/roles/aurweb/templates/aurweb-popupdate.service.j2
index 438e51b4..be913016 100644
--- a/roles/aurweb/templates/aurweb-popupdate.service.j2
+++ b/roles/aurweb/templates/aurweb-popupdate.service.j2
@@ -4,6 +4,6 @@ Requires=mysqld.service
 After=mysqld.service
 [Service]
-Type=Oneshot
+Type=oneshot
 User={{ aurweb_user }}
 ExecStart=/usr/local/bin/aurweb-popupdate
diff --git a/roles/aurweb/templates/aurweb-tuvotereminder.service.j2 b/roles/aurweb/templates/aurweb-tuvotereminder.service.j2
index 2c433884..6ee53801 100644
--- a/roles/aurweb/templates/aurweb-tuvotereminder.service.j2
+++ b/roles/aurweb/templates/aurweb-tuvotereminder.service.j2
@@ -4,6 +4,6 @@ Requires=mysqld.service
 After=mysqld.service
 [Service]
-Type=Oneshot
+Type=oneshot
 User={{ aurweb_user }}
 ExecStart=/usr/local/bin/aurweb-tuvotereminder
--
GitLab
From 811fcdd7a59a26419f697566d54a35398cd26513 Mon Sep 17 00:00:00 2001
From: Giancarlo Razzolini Date: Fri, 24 Jul 2020 12:12:51 -0300 Subject: [PATCH 41/42] roles/postfwd: Disable the email limits for the aur Since the AUR is high email traffic, apply the same rule as for luna, and add the sasl_username for aur to the no limits list. --- roles/postfwd/templates/postfwd.cf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/postfwd/templates/postfwd.cf.j2 b/roles/postfwd/templates/postfwd.cf.j2 index 4f097677..6e4ee99f 100644 --- a/roles/postfwd/templates/postfwd.cf.j2 +++ b/roles/postfwd/templates/postfwd.cf.j2 @@ -13,6 +13,7 @@ # luna is handling mailman and other services that distribute a lot of mail. &&NO_RATE_LIMIT_USERS { sasl_username=luna + sasl_username=aur; }; id=NoRateLimit; protocol_state==END-OF-MESSAGE; -- GitLab From bd59c027abf411e4487a71abdcee176da0209806 Mon Sep 17 00:00:00 2001 From: Giancarlo Razzolini Date: Fri, 24 Jul 2020 14:06:44 -0300 Subject: [PATCH 42/42] terraform: Scale down the size of the AUR After some consideration, we are going to start with a smaller server size for the AUR and increase if necessary. --- tf-stage1/archlinux.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tf-stage1/archlinux.tf b/tf-stage1/archlinux.tf index e2a7c7ee..92b4609b 100644 --- a/tf-stage1/archlinux.tf +++ b/tf-stage1/archlinux.tf @@ -172,7 +172,7 @@ resource "hcloud_rdns" "aur" { resource "hcloud_server" "aur" { name = "aur.archlinux.org" image = data.hcloud_image.archlinux.id - server_type = "cpx31" + server_type = "cx31" lifecycle { ignore_changes = [image] } -- GitLab
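Review bot: The added `sasl_username=aur;` ends with `;` while the existing `sasl_username=luna` entry in the same `&&NO_RATE_LIMIT_USERS` block does not, so one of the two forms is wrong: if postfwd takes `;` as the item separator the luna line needs it too, and if it does not, the value is read literally as `aur;` and the new exemption never matches. Make the two entries consistent and check a parsed-config dump before deploying. This rule switches off rate limiting for whatever it matches, so if postfwd treats a plain `=` as a pattern rather than an exact comparison, `aur` would also match any SASL account containing that string; the exact form, `sasl_username==aur`, removes that doubt.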