From f97f618d0cc4a2cc2cb79bacb6186cfdeb469b01 Mon Sep 17 00:00:00 2001
From: Sven-Hendrik Haase <svenstaro@gmail.com>
Date: Mon, 20 Jan 2025 14:58:01 +0100
Subject: [PATCH 1/3] aurweb: Skip commit validation if we are not on prod

This makes it so that you don't need to be in the list of trusted GPG
keys `aurweb_pgp_keys` in order to start a test instance for the AUR. I
think `aurweb_pgp_keys` should only be for people wanting to deploy this
to production.
---
 roles/aurweb/tasks/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/aurweb/tasks/main.yml b/roles/aurweb/tasks/main.yml
index 5576bd83d..af669fd57 100644
--- a/roles/aurweb/tasks/main.yml
+++ b/roles/aurweb/tasks/main.yml
@@ -63,7 +63,7 @@
     repo={{ aurweb_repository }}
     dest="{{ aurweb_dir }}"
     version={{ aurweb_version }}
-    verify_commit=true
+    verify_commit="{{ aurweb_environment_type == 'prod' }}"
     gpg_allowlist='{{ aurweb_pgp_keys }}'
   become: true
   become_user: "{{ aurweb_user }}"
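Review bot: The expression on the new `verify_commit=` line turns GPG verification off for every value of `aurweb_environment_type` except the exact string `'prod'`, so a typo or an unexpected inventory value fails open (unverified clone) rather than closed. Since the stated intent is only to spare test instances, consider comparing against the non-production value the inventory actually uses, e.g. `verify_commit="{{ aurweb_environment_type != '<dev-value>' }}"`, or adding an `ansible.builtin.assert` task earlier in the play that `aurweb_environment_type` is one of the known values so an unknown environment stops the run. The same applies to the second hunk at `@@ -85,7` below. The `gpg_allowlist=` line that follows is now only meaningful on prod, which a short task comment would make explicit: `# verify_commit is deliberately off outside prod so test deployers need not be in aurweb_pgp_keys`. The task's `name`/`git:` header sits above the hunk.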
@@ -85,7 +85,7 @@
     repo={{ aurweb_repository }}
     dest="{{ aurweb_dir }}"
     version={{ aurweb_version }}
-    verify_commit=true
+    verify_commit="{{ aurweb_environment_type == 'prod' }}"
     gpg_allowlist='{{ aurweb_pgp_keys }}'
   become: true
   become_user: "{{ aurweb_user }}"
-- 
GitLab


From c8223cb362c898813fe51ac3a5e5385c1968b1e4 Mon Sep 17 00:00:00 2001
From: Sven-Hendrik Haase <svenstaro@gmail.com>
Date: Mon, 20 Jan 2025 15:50:20 +0100
Subject: [PATCH 2/3] aurweb: Do not try to set up tracing on non-prod
 deployments

It will fail since we do not connect aur-dev instances to monitoring.
---
 roles/aurweb/templates/config.j2 | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/roles/aurweb/templates/config.j2 b/roles/aurweb/templates/config.j2
index 8568cd430..85c6dcca1 100644
--- a/roles/aurweb/templates/config.j2
+++ b/roles/aurweb/templates/config.j2
@@ -78,5 +78,7 @@ error-token = {{ vault_aurweb_error_token }}
 [fastapi]
 session_secret = {{ vault_aurweb_secret }}
 
+{% if aurweb_environment_type == "prod" %}
 [tracing]
 otlp_endpoint = http://{{ hostvars['monitoring.archlinux.org']['wireguard_address'] }}:4318/v1/traces
+{% endif %}
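Review bot: The added `{% if %}` line compares against double-quoted `"prod"` while the other changes in this series use `'prod'`; pick one form so a grep for the environment check finds every site, or better, define a single boolean fact such as `aurweb_is_prod` in the role's vars and reference it from the tasks and templates so the literal lives in one place. The template should also record why the section is conditional, since only the commit message says so: `{# tracing is only configured on prod; dev instances are not connected to monitoring #}` above the `{% if %}`. Whether aurweb tolerates a missing `[tracing]` section on non-prod is not visible here and should be confirmed.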
-- 
GitLab


From 58cdb25ea56012849e7693c5a9d890f28963e057 Mon Sep 17 00:00:00 2001
From: Sven-Hendrik Haase <svenstaro@gmail.com>
Date: Mon, 10 Feb 2025 00:23:13 +0100
Subject: [PATCH 3/3] aurweb: Do not guard metrics endpoints in aur-dev

The sandbox deployments do not have access to the vault and so we can't have them use
it.
---
 roles/aurweb/templates/nginx.d.conf.j2 | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/roles/aurweb/templates/nginx.d.conf.j2 b/roles/aurweb/templates/nginx.d.conf.j2
index 58715f12e..7ad03b8cd 100644
--- a/roles/aurweb/templates/nginx.d.conf.j2
+++ b/roles/aurweb/templates/nginx.d.conf.j2
@@ -129,9 +129,11 @@ server {
     }
 
     location = /rpc/metrics {
+{% if aurweb_environment_type == 'prod' %}
         if ($http_authorization != "Bearer {{ vault_goaurrpc_metrics_token }}") {
             return 403;
         }
+{% endif %}
 
         proxy_pass http://127.0.0.1:10666/metrics;
         proxy_set_header X-Forwarded-For $remote_addr;
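Review bot: With the added `{% if %}`/`{% endif %}` around the bearer-token check, non-prod deployments serve `/rpc/metrics` (and `/metrics` in the second hunk at `@@ -151,9`) to any client that can reach the host, with no authentication at all. If dev instances are not scraped by monitoring, as the previous patch in this series states, the endpoint can be closed rather than opened: add `{% else %}` before the `{% endif %}` with `allow 127.0.0.1;` and `deny all;`, which keeps local debugging access while rejecting everything else without needing a vault token. If unauthenticated access on dev is really wanted, a Jinja comment at the `{% if %}` (`{# metrics token lives in the vault, which sandbox deployments cannot read #}`) should record that trade-off. The enclosing `location` and `server` blocks start and end outside the hunk.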
@@ -151,9 +153,11 @@ server {
     }
 
     location = /metrics {
+{% if aurweb_environment_type == 'prod' %}
         if ($http_authorization != "Bearer {{ vault_aurweb_metrics_token }}") {
             return 403;
         }
+{% endif %}
 
 {{ self.asgi_proxy() }}
     }
-- 
GitLab