change(aurweb): rework ansible config for 6.0.0

Signed-off-by: Kevin Morris <kevr@0cost.org>

roles/aurweb/defaults/main.yml

 ---
+aurweb_asgi_bind: '127.0.0.1:8000'
 
 aurweb_domain: 'aur.archlinux.org'
 aurweb_repository: 'https://gitlab.archlinux.org/archlinux/aurweb.git'
@@ -18,9 +19,11 @@ aurweb_socket: '/run/php-fpm/{{aurweb_user}}.socket'
 cgit_socket: '/run/uwsgi/cgit.sock'
 smartgit_socket: '/run/uwsgi/smartgit.sock'
 
-aurweb_cache: 'memcache'
+aurweb_cache: 'redis'
 aurweb_cache_pkginfo_ttl: '86400'
 aurweb_request_limt: '4000'
 aurweb_window_length: '86400'
 aurweb_memcached_socket: '/run/memcached/aurweb.sock'
 aurweb_memcached_memory: 2048
+
+aurweb_workers: 4

roles/aurweb/tasks/main.yml

@@ -6,20 +6,11 @@
       - asciidoc
       - highlight
       - make
-      - php-memcached
-      - pyalpm
-      - python-alembic
-      - python-bleach
-      - python-markdown
-      - python-mysql-connector
-      - python-pygit2
-      - python-srcinfo
-      - python-fastapi
-      - python-jinja
-      - python-email-validator
-      - python-orjson
       - sudo
       - uwsgi-plugin-cgi
+      - python-poetry
+      - gcc
+      - pkg-config
 
 - name: install the cgit package
   pacman:
@@ -79,7 +70,7 @@
   no_log: true
 
 - name: initialize the database
-  command: python -m aurweb.initdb
+  command: poetry run python -m aurweb.initdb
   args:
     chdir: "{{ aurweb_dir }}"
   become: true
@@ -87,7 +78,7 @@
   when: db_created.changed
 
 - name: run migrations
-  command: alembic upgrade head
+  command: poetry run alembic upgrade head
   args:
     chdir: "{{ aurweb_dir }}"
   environment:
@@ -97,18 +88,43 @@
   when: release.changed or db_created.changed
 
 - name: Check python module availability
-  command: "python3 -c 'import aurweb'"
+  command: poetry run python3 -c 'import aurweb'
+  args:
+    chdir: "{{ aurweb_dir }}"
+  become: true
+  become_user: "{{ aurweb_user }}"
   ignore_errors: true
   register: aurweb_installed
   tags:
     - skip_ansible_lint
 
 - name: Install python module
-  command: "python3 setup.py install --install-scripts=/usr/local/bin"
+  command: poetry install
   args:
     chdir: "{{ aurweb_dir }}"
+  become: true
+  become_user: "{{ aurweb_user }}"
   when: release.changed or aurweb_installed.rc != 0
 
+- name: install custom aurweb-git-auth wrapper script
+  template: src=aurweb-git-auth.sh.j2 dest=/usr/local/bin/aurweb-git-auth.sh owner=root group=root mode=0755
+  when: release.changed
+
+- name: install custom aurweb-git-serve wrapper script
+  template: src=aurweb-git-serve.sh.j2 dest=/usr/local/bin/aurweb-git-serve.sh owner=root group=root mode=0755
+  when: release.changed
+
+- name: install custom aurweb-git-update wrapper script
+  template: src=aurweb-git-update.sh.j2 dest=/usr/local/bin/aurweb-git-update.sh owner=root group=root mode=0755
+  when: release.changed
+
+- name: link custom aurweb-git-update wrapper to hooks/update
+  file:
+    src: /usr/local/bin/aurweb-git-update.sh
+    dest: "{{ aurweb_dir }}/aur.git/hooks/update"
+    state: link
+  when: release.changed
+
 - name: Generate HTML documentation
   make:
     chdir: "{{ aurweb_dir }}/doc"
@@ -136,16 +152,6 @@
 - name: make nginx log dir
   file: path=/var/log/nginx/{{ aurweb_domain }} state=directory owner=root group=root mode=0755
 
-- name: configure php-fpm
-  template:
-    src=php-fpm.conf.j2 dest="/etc/php/php-fpm.d/{{ aurweb_user }}.conf"
-    owner=root group=root mode=0644
-  notify:
-    - restart php-fpm@{{ aurweb_user }}
-
-- name: start and enable systemd socket
-  service: name=php-fpm@{{ aurweb_user }}.socket state=started enabled=true
-
 - name: install cgit configuration
   template: src=cgitrc.j2 dest="{{ aurweb_conf_dir }}/cgitrc" owner=root group=root mode=0644
 
@@ -223,15 +229,6 @@
   tags:
     - skip_ansible_lint
 
-- name: create symlink for git hook
-  file:
-    src: "{{ aurweb_git_hook }}"
-    dest: "{{ aurweb_git_dir }}/hooks/update"
-    owner: root
-    group: root
-    mode: 0755
-    state: link
-
 - name: install AUR systemd service and timers
   template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
   with_items:
@@ -239,7 +236,6 @@
     - aurweb-git.timer
     - aurweb-aurblup.service
     - aurweb-aurblup.timer
-    - aurweb-memcached.service
     - aurweb-mkpkglists.service
     - aurweb-mkpkglists.timer
     - aurweb-pkgmaint.service
@@ -250,20 +246,22 @@
     - aurweb-tuvotereminder.timer
     - aurweb-usermaint.service
     - aurweb-usermaint.timer
+    - aurweb.service
+
+- name: configure sshd
+  template: src=aurweb_config.j2 dest={{ sshd_includes_dir }}/aurweb_config owner=root group=root mode=0600 validate='/usr/sbin/sshd -t -f %s'
+  notify:
+    - restart sshd
 
 - name: start and enable AUR systemd services and timers
-  service: name={{ item }} enabled=yes state=started
+  service: name={{ item }} enabled=yes state=restarted daemon_reload=yes
   with_items:
     - aurweb-git.timer
     - aurweb-aurblup.timer
-    - aurweb-memcached.service
     - aurweb-mkpkglists.timer
     - aurweb-pkgmaint.timer
     - aurweb-popupdate.timer
     - aurweb-tuvotereminder.timer
     - aurweb-usermaint.timer
-
-- name: configure sshd
-  template: src=aurweb_config.j2 dest={{ sshd_includes_dir }}/aurweb_config owner=root group=root mode=0600 validate='/usr/sbin/sshd -t -f %s'
-  notify:
-    - restart sshd
+    - aurweb.service
+  when: release.changed

roles/aurweb/templates/aurweb-pkgmaint.service.j2

@@ -16,7 +16,7 @@ CapabilityBoundingSet=
 PrivateDevices=true
 PrivateTmp=true
 ProtectSystem=strict
-ProtectHome=true
+ProtectHome=read-only
 
 MemoryDenyWriteExecute=true
 RemoveIPC=true

roles/aurweb/templates/aurweb-popupdate.service.j2

@@ -16,7 +16,7 @@ CapabilityBoundingSet=
 PrivateDevices=true
 PrivateTmp=true
 ProtectSystem=strict
-ProtectHome=true
+ProtectHome=read-only
 
 MemoryDenyWriteExecute=true
 RemoveIPC=true

roles/aurweb/templates/aurweb-usermaint.service.j2

@@ -16,7 +16,7 @@ CapabilityBoundingSet=
 PrivateDevices=true
 PrivateTmp=true
 ProtectSystem=strict
-ProtectHome=true
+ProtectHome=read-only
 
 MemoryDenyWriteExecute=true
 RemoveIPC=true

roles/aurweb/templates/aurweb.service.j2

+[Unit]
+Description=aurweb asgi server
+
+[Service]
+User={{ aurweb_user }}
+WorkingDirectory={{ aurweb_dir }}
+ExecStart=/usr/bin/poetry run gunicorn \
+    --log-config {{ aurweb_dir }}/logging.conf \
+    --bind {{ aurweb_asgi_bind }} \
+    --workers {{ aurweb_workers }} \
+    -k uvicorn.workers.UvicornWorker \
+    aurweb.asgi:app
+
+[Install]
+WantedBy=multi-user.target

roles/aurweb/templates/aurweb_config.j2

 Match User {{ aurweb_user }}
         PasswordAuthentication no
-        AuthorizedKeysCommand /usr/local/bin/aurweb-git-auth "%t" "%k"
+        AuthorizedKeysCommand /usr/local/bin/aurweb-git-auth.sh "%t" "%k"
         AuthorizedKeysCommandUser {{ aurweb_user }}
         AcceptEnv AUR_OVERWRITE

roles/aurweb/templates/cgitrc.j2

 virtual-root=/cgit/
 clone-prefix=https://{{ aurweb_domain }}
 noheader=0
-favicon=/images/favicon.ico
+favicon=/static/images/favicon.ico
 logo=
-css=/css/cgit.css
+css=/static/css/cgit.css
 snapshots=tar.gz
 readme=:README.md
 readme=:README

roles/aurweb/templates/config.j2

@@ -4,6 +4,7 @@ user = {{ aurweb_db_user }}
 password = {{ vault_aurweb_db_password }}
 
 [options]
+aurwebdir = {{ aurweb_dir }}
 {% if maintenance is defined and maintenance %}
 enable_maintenance = 1
 maintenance-exceptions = {{ maintenance_remote_machine }}
@@ -16,7 +17,7 @@ cache_pkginfo_ttl = {{ aurweb_cache_pkginfo_ttl }}
 aur_location = https://{{ aurweb_domain }}
 git_clone_uri_anon = https://{{ aurweb_domain }}/%s.git
 git_clone_uri_priv = ssh://{{ aurweb_user }}@{{ aurweb_domain }}/%s.git
-memcache_servers = {{ aurweb_memcached_socket }}:0
+redis_address = redis://localhost
 
 [ratelimit]
 request_limit = {{ aurweb_request_limt }}
@@ -27,9 +28,13 @@ Ed25519 = SHA256:RFzBCUItH9LZS0cKB5UE6ceAYhBD5C8GeOBip8Z11+4
 ECDSA = SHA256:uTa/0PndEgPZTf76e1DFqXKJEXKsn7m9ivhLQtzGOCI
 RSA =  SHA256:5s5cIyReIfNNVGRFdDbe3hdYiI5OelHGpw2rOUud3Q8
 
+[auth]
+git-serve-cmd = /usr/local/bin/aurweb-git-serve.sh
+
 [serve]
 repo-path = {{ aurweb_git_dir }}
 git-shell-cmd = /usr/bin/sh
+git-update-cmd = /usr/local/bin/aurweb-git-update.sh
 ssh-cmdline = ssh {{ aurweb_user }}@{{ aurweb_domain }}
 
 [update]
@@ -45,3 +50,12 @@ packagesmetafile = {{ aurweb_dir }}/web/html/packages-meta-v1.json.gz
 packagesmetaextfile = {{ aurweb_dir }}/web/html/packages-meta-ext-v1.json.gz
 pkgbasefile = {{ aurweb_dir }}/web/html/pkgbase.gz
 userfile = {{ aurweb_dir }}/web/html/users.gz
+
+[notifications]
+notify-cmd = aurweb-notify
+{# An email used for server error notifications. #}
+postmaster = {{ vault_aurweb_postmaster }}
+
+[fastapi]
+{# TODO: This must be set to a persistent secret key. #}
+session_secret = {{ vault_aurweb_secret }}

roles/aurweb/templates/nginx.d.conf.j2

@@ -71,39 +71,12 @@ server {
         expires 5m;
     }
 
-    location ~ ^/[^/]+\.php($|/) {
-        fastcgi_pass   aurweb;
-        fastcgi_index  index.php;
-        fastcgi_split_path_info ^(/[^/]+\.php)(/.*)$;
-        if (!-f $document_root$fastcgi_script_name) {
-            return 404;
-        }
-        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
-        fastcgi_param  PATH_INFO        $fastcgi_path_info;
-        fastcgi_param  HTTPS            on;
-        include        fastcgi_params;
-
-        # Cache PHP Requests
-        #fastcgi_cache aur;
-        #fastcgi_cache_valid 200 5m;
-        #add_header X-Cache $upstream_cache_status;
-
-        # Required for caching to work
-        #fastcgi_ignore_headers "Cache-Control" "Expires" "Set-Cookie";
-
-        # Only apply cache when set
-        #fastcgi_cache_bypass $no_cache;
-        #fastcgi_no_cache $no_cache;
-    }
-
-    # directories for static assets
-    location ~ ^/(?:css|js|images)/ {
-        expires 30d;
-        add_header Pragma public;
-        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
-    }
-
-    location ~ .* {
-        rewrite ^/(.*)$ /index.php/$1 last;
+    location / {
+        # Proxy over to aurweb's ASGI application.
+        proxy_pass http://{{ aurweb_asgi_bind }};
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Ssl on;
     }
 }