From 92586d5b605ca7c15ecb38aac3d055ee00b46cd9 Mon Sep 17 00:00:00 2001
From: Kevin Morris <kevr@0cost.org>
Date: Sun, 16 Jan 2022 21:13:05 -0800
Subject: [PATCH] change(aurweb): rework ansible config for 6.0.0

Signed-off-by: Kevin Morris <kevr@0cost.org>
---
 roles/aurweb/defaults/main.yml | 5 +-
 roles/aurweb/tasks/main.yml | 84 +++++++++----------
 .../templates/aurweb-pkgmaint.service.j2 | 2 +-
 .../templates/aurweb-popupdate.service.j2 | 2 +-
 .../templates/aurweb-usermaint.service.j2 | 2 +-
 roles/aurweb/templates/aurweb.service.j2 | 15 ++++
 roles/aurweb/templates/aurweb_config.j2 | 2 +-
 roles/aurweb/templates/cgitrc.j2 | 4 +-
 roles/aurweb/templates/config.j2 | 16 +++-
 roles/aurweb/templates/nginx.d.conf.j2 | 41 ++-------
 10 files changed, 88 insertions(+), 85 deletions(-)
 create mode 100644 roles/aurweb/templates/aurweb.service.j2

diff --git a/roles/aurweb/defaults/main.yml b/roles/aurweb/defaults/main.yml
index 70c342bf4..b4e2669a5 100644
--- a/roles/aurweb/defaults/main.yml
+++ b/roles/aurweb/defaults/main.yml
@@ -1,4 +1,5 @@
 ---
+aurweb_asgi_bind: '127.0.0.1:8000'
 aurweb_domain: 'aur.archlinux.org'
 aurweb_repository: 'https://gitlab.archlinux.org/archlinux/aurweb.git'
 
@@ -18,9 +19,11 @@ aurweb_socket: '/run/php-fpm/{{aurweb_user}}.socket'
 cgit_socket: '/run/uwsgi/cgit.sock'
 smartgit_socket: '/run/uwsgi/smartgit.sock'
 
-aurweb_cache: 'memcache'
+aurweb_cache: 'redis'
 aurweb_cache_pkginfo_ttl: '86400'
 aurweb_request_limt: '4000'
 aurweb_window_length: '86400'
 aurweb_memcached_socket: '/run/memcached/aurweb.sock'
 aurweb_memcached_memory: 2048
+
+aurweb_workers: 4
diff --git a/roles/aurweb/tasks/main.yml b/roles/aurweb/tasks/main.yml
index f86c2a15b..01c637afe 100644
--- a/roles/aurweb/tasks/main.yml
+++ b/roles/aurweb/tasks/main.yml
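Review bot: `aurweb_asgi_bind` in the first hunk is also the address the new gunicorn unit listens on with no authentication of its own, so it has to stay on loopback unless the proxied application is told which proxies to trust (gunicorn's `--forwarded-allow-ips` trusts only 127.0.0.1 by default, and the nginx template sets `X-Forwarded-For`/`X-Forwarded-Proto` from this hop). Nothing on the variable records that contract; a comment above it such as `# Loopback only: nginx proxies to this address and the ASGI server trusts X-Forwarded-* from it.` would stop a later edit from exposing the socket.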
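Review bot: The second hunk switches `aurweb_cache` to `'redis'` but leaves `aurweb_memcached_socket` and `aurweb_memcached_memory` in place, while the same commit drops `memcache_servers` from config.j2 and `aurweb-memcached.service` from both unit lists, so the two variables become dead configuration that implies memcached is still managed. Either remove them or mark them with `# unused since the switch to redis; kept for compatibility`. The redis side gets no variable at all: config.j2 hard-codes `redis_address = redis://localhost`, so adding `aurweb_redis_address: 'redis://localhost'` here and templating it would keep the backend configurable the way the memcached socket was.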
@@ -6,20 +6,11 @@
 - asciidoc
 - highlight
 - make
- - php-memcached
- - pyalpm
- - python-alembic
- - python-bleach
- - python-markdown
- - python-mysql-connector
- - python-pygit2
- - python-srcinfo
- - python-fastapi
- - python-jinja
- - python-email-validator
- - python-orjson
 - sudo
 - uwsgi-plugin-cgi
+ - python-poetry
+ - gcc
+ - pkg-config
 
 - name: install the cgit package
 pacman:
@@ -79,7 +70,7 @@
 no_log: true
 
 - name: initialize the database
- command: python -m aurweb.initdb
+ command: poetry run python -m aurweb.initdb
 args:
 chdir: "{{ aurweb_dir }}"
 become: true
@@ -87,7 +78,7 @@
 when: db_created.changed
 
 - name: run migrations
- command: alembic upgrade head
+ command: poetry run alembic upgrade head
 args:
 chdir: "{{ aurweb_dir }}"
 environment:
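Review bot: The package hunk adds `gcc` and `pkg-config` to the web host without saying why; presumably they are needed so `poetry install` can build native extensions that have no prebuilt wheel, but that is an inference from the rest of the commit. A comment above the three new entries, `# build toolchain needed by 'poetry install' for native extensions`, would record the reason and make it obvious when the compiler can be dropped again. The two `poetry run` hunks below only change the interpreter wrapper and need nothing further.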
@@ -97,18 +88,43 @@
 when: release.changed or db_created.changed
 
 - name: Check python module availability
- command: "python3 -c 'import aurweb'"
+ command: poetry run python3 -c 'import aurweb'
+ args:
+ chdir: "{{ aurweb_dir }}"
+ become: true
+ become_user: "{{ aurweb_user }}"
 ignore_errors: true
 register: aurweb_installed
 tags:
 - skip_ansible_lint
 
 - name: Install python module
- command: "python3 setup.py install --install-scripts=/usr/local/bin"
+ command: poetry install
 args:
 chdir: "{{ aurweb_dir }}"
+ become: true
+ become_user: "{{ aurweb_user }}"
 when: release.changed or aurweb_installed.rc != 0
 
+- name: install custom aurweb-git-auth wrapper script
+ template: src=aurweb-git-auth.sh.j2 dest=/usr/local/bin/aurweb-git-auth.sh owner=root group=root mode=0755
+ when: release.changed
+
+- name: install custom aurweb-git-serve wrapper script
+ template: src=aurweb-git-serve.sh.j2 dest=/usr/local/bin/aurweb-git-serve.sh owner=root group=root mode=0755
+ when: release.changed
+
+- name: install custom aurweb-git-update wrapper script
+ template: src=aurweb-git-update.sh.j2 dest=/usr/local/bin/aurweb-git-update.sh owner=root group=root mode=0755
+ when: release.changed
+
+- name: link custom aurweb-git-update wrapper to hooks/update
+ file:
+ src: /usr/local/bin/aurweb-git-update.sh
+ dest: "{{ aurweb_dir }}/aur.git/hooks/update"
+ state: link
+ when: release.changed
+
 - name: Generate HTML documentation
 make:
 chdir: "{{ aurweb_dir }}/doc"
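Review bot: The new link task points `{{ aurweb_dir }}/aur.git/hooks/update` at the wrapper, whereas the symlink task it replaces (removed in the hunk at -223) and `repo-path` in config.j2 both use `{{ aurweb_git_dir }}`; unless the two paths are guaranteed identical the hook is installed into a different repository than the one being served, so `dest: "{{ aurweb_git_dir }}/hooks/update"` is the consistent choice. All four new tasks are gated on `when: release.changed`, which means an edit to the `.sh.j2` templates in this role is not deployed until the next aurweb release; the tasks are idempotent and cheap, so the condition can simply go. `poetry install` without `--no-dev` (Poetry 1.x) also installs the development dependency group, which has no business on the host. The three `aurweb-git-*.sh.j2` templates referenced here are absent from this patch's diffstat, so they must already exist in the role for the play to run; sshd additionally requires the `AuthorizedKeysCommand` target to be root-owned and not group/world-writable, which `owner=root group=root mode=0755` satisfies.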
@@ -136,16 +152,6 @@
 - name: make nginx log dir
 file: path=/var/log/nginx/{{ aurweb_domain }} state=directory owner=root group=root mode=0755
 
-- name: configure php-fpm
- template:
- src=php-fpm.conf.j2 dest="/etc/php/php-fpm.d/{{ aurweb_user }}.conf"
- owner=root group=root mode=0644
- notify:
- - restart php-fpm@{{ aurweb_user }}
-
-- name: start and enable systemd socket
- service: name=php-fpm@{{ aurweb_user }}.socket state=started enabled=true
-
 - name: install cgit configuration
 template:
 src=cgitrc.j2 dest="{{ aurweb_conf_dir }}/cgitrc" owner=root group=root mode=0644
@@ -223,15 +229,6 @@
 tags:
 - skip_ansible_lint
 
-- name: create symlink for git hook
- file:
- src: "{{ aurweb_git_hook }}"
- dest: "{{ aurweb_git_dir }}/hooks/update"
- owner: root
- group: root
- mode: 0755
- state: link
-
 - name: install AUR systemd service and timers
 template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
 with_items:
@@ -239,7 +236,6 @@
 - aurweb-git.timer
 - aurweb-aurblup.service
 - aurweb-aurblup.timer
- - aurweb-memcached.service
 - aurweb-mkpkglists.service
 - aurweb-mkpkglists.timer
 - aurweb-pkgmaint.service
@@ -250,20 +246,22 @@
 - aurweb-tuvotereminder.timer
 - aurweb-usermaint.service
 - aurweb-usermaint.timer
+ - aurweb.service
+
+- name: configure sshd
+ template: src=aurweb_config.j2 dest={{ sshd_includes_dir }}/aurweb_config owner=root group=root mode=0600 validate='/usr/sbin/sshd -t -f %s'
+ notify:
+ - restart sshd
 
 - name: start and enable AUR systemd services and timers
- service: name={{ item }} enabled=yes state=started
+ service: name={{ item }} enabled=yes state=restarted daemon_reload=yes
 with_items:
 - aurweb-git.timer
 - aurweb-aurblup.timer
- - aurweb-memcached.service
 - aurweb-mkpkglists.timer
 - aurweb-pkgmaint.timer
 - aurweb-popupdate.timer
 - aurweb-tuvotereminder.timer
 - aurweb-usermaint.timer
-
-- name: configure sshd
- template: src=aurweb_config.j2 dest={{ sshd_includes_dir }}/aurweb_config owner=root group=root mode=0600 validate='/usr/sbin/sshd -t -f %s'
- notify:
- - restart sshd
+ - aurweb.service
+ when: release.changed
diff --git a/roles/aurweb/templates/aurweb-pkgmaint.service.j2 b/roles/aurweb/templates/aurweb-pkgmaint.service.j2
index 7db71c195..805cc9cea 100644
--- a/roles/aurweb/templates/aurweb-pkgmaint.service.j2
+++ b/roles/aurweb/templates/aurweb-pkgmaint.service.j2
@@ -16,7 +16,7 @@ CapabilityBoundingSet=
 PrivateDevices=true
 PrivateTmp=true
 ProtectSystem=strict
-ProtectHome=true
+ProtectHome=read-only
 MemoryDenyWriteExecute=true
 RemoveIPC=true
 
diff --git a/roles/aurweb/templates/aurweb-popupdate.service.j2 b/roles/aurweb/templates/aurweb-popupdate.service.j2
index 346c13b01..273594bdb 100644
--- a/roles/aurweb/templates/aurweb-popupdate.service.j2
+++ b/roles/aurweb/templates/aurweb-popupdate.service.j2
@@ -16,7 +16,7 @@ CapabilityBoundingSet=
 PrivateDevices=true
 PrivateTmp=true
 ProtectSystem=strict
-ProtectHome=true
+ProtectHome=read-only
 MemoryDenyWriteExecute=true
 RemoveIPC=true
 
diff --git a/roles/aurweb/templates/aurweb-usermaint.service.j2 b/roles/aurweb/templates/aurweb-usermaint.service.j2
index 46dd3c3bf..e3fbfab14 100644
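Review bot: The `start and enable` task is now gated on `when: release.changed`, and the unit-template task above it has no `notify`, so a change to `aurweb.service.j2`, `aurweb_asgi_bind` or `aurweb_workers` without a new release is written under `/etc/systemd/system` but never reloaded or restarted, and a unit that was stopped by hand stays down until the next release. The usual shape is an unconditional `state=started` task plus a handler (`notify: - restart aurweb`) triggered by the template task and by the release checkout, with `daemon_reload=yes` living in the handler since that is where the unit files change. Restarting every timer on each release, as `state=restarted` now does for the whole list, is harmless but not needed for timers whose unit text did not change.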
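Review bot: `ProtectHome=true` is relaxed to `read-only` here and in the aurweb-popupdate and aurweb-usermaint units, and nothing records why; presumably the poetry-managed virtualenv or cache now lives under the service user's home because the units run through `poetry`, but that is an inference. A comment above the directive, `# read-only: the poetry virtualenv lives under the service user's home`, would justify the weaker setting, and if the environment can be kept outside /home (poetry's in-project virtualenv setting, or a cache directory under `{{ aurweb_dir }}`) the original `ProtectHome=true` can be restored in all three units.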
--- a/roles/aurweb/templates/aurweb-usermaint.service.j2
+++ b/roles/aurweb/templates/aurweb-usermaint.service.j2
@@ -16,7 +16,7 @@ CapabilityBoundingSet=
 PrivateDevices=true
 PrivateTmp=true
 ProtectSystem=strict
-ProtectHome=true
+ProtectHome=read-only
 MemoryDenyWriteExecute=true
 RemoveIPC=true
 
diff --git a/roles/aurweb/templates/aurweb.service.j2 b/roles/aurweb/templates/aurweb.service.j2
new file mode 100644
index 000000000..8cfc96c78
--- /dev/null
+++ b/roles/aurweb/templates/aurweb.service.j2
@@ -0,0 +1,15 @@
+[Unit]
+Description=aurweb asgi server
+
+[Service]
+User={{ aurweb_user }}
+WorkingDirectory={{ aurweb_dir }}
+ExecStart=/usr/bin/poetry run gunicorn \
+ --log-config {{ aurweb_dir }}/logging.conf \
+ --bind {{ aurweb_asgi_bind }} \
+ --workers {{ aurweb_workers }} \
+ -k uvicorn.workers.UvicornWorker \
+ aurweb.asgi:app
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/aurweb/templates/aurweb_config.j2 b/roles/aurweb/templates/aurweb_config.j2
index 371524a3b..11c29538c 100644
--- a/roles/aurweb/templates/aurweb_config.j2
+++ b/roles/aurweb/templates/aurweb_config.j2
@@ -1,5 +1,5 @@
 Match User {{ aurweb_user }}
 PasswordAuthentication no
- AuthorizedKeysCommand /usr/local/bin/aurweb-git-auth "%t" "%k"
+ AuthorizedKeysCommand /usr/local/bin/aurweb-git-auth.sh "%t" "%k"
 AuthorizedKeysCommandUser {{ aurweb_user }}
 AcceptEnv AUR_OVERWRITE
diff --git a/roles/aurweb/templates/cgitrc.j2 b/roles/aurweb/templates/cgitrc.j2
index 9e00369a7..e65d12971 100644
--- a/roles/aurweb/templates/cgitrc.j2
+++ b/roles/aurweb/templates/cgitrc.j2
@@ -1,9 +1,9 @@
 virtual-root=/cgit/
 clone-prefix=https://{{ aurweb_domain }}
 noheader=0
-favicon=/images/favicon.ico
+favicon=/static/images/favicon.ico
 logo=
-css=/css/cgit.css
+css=/static/css/cgit.css
 snapshots=tar.gz
 readme=:README.md
 readme=:README
diff --git a/roles/aurweb/templates/config.j2 b/roles/aurweb/templates/config.j2
index 40760dae0..4a15f2047 100644
--- a/roles/aurweb/templates/config.j2
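Review bot: The new aurweb.service unit carries none of the hardening its sibling units in this role already use (`PrivateDevices`, `PrivateTmp`, `ProtectSystem=strict`, `ProtectHome`, `MemoryDenyWriteExecute`, `RemoveIPC`, an empty `CapabilityBoundingSet=`), even though it is the one process that receives network input through nginx. It also has no `Restart=` policy and no ordering against the network or the redis instance that config.j2 now points it at, so a worker crash leaves the site down and a boot-time race against redis is possible. The excerpt below adds the sandboxing that should not interfere with a gunicorn/uvicorn worker; `ProtectSystem=strict` is left out because whether the application writes under `{{ aurweb_dir }}` is not visible here, and `MemoryDenyWriteExecute` because it can break Python extensions that map writable-executable memory, so both are worth trying separately.
```ini
[Unit]
Description=aurweb asgi server
# redis.service: the cache backend config.j2 points at (redis://localhost)
After=network.target redis.service
Wants=redis.service

[Service]
# … unchanged: User=, WorkingDirectory=, ExecStart= …
Restart=on-failure
RestartSec=5
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
# read-only matches the value the sibling units in this commit settle on
ProtectHome=read-only
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictSUIDSGID=true
```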
+++ b/roles/aurweb/templates/config.j2
@@ -4,6 +4,7 @@ user = {{ aurweb_db_user }}
 password = {{ vault_aurweb_db_password }}
 
 [options]
+aurwebdir = {{ aurweb_dir }}
 {% if maintenance is defined and maintenance %}
 enable_maintenance = 1
 maintenance-exceptions = {{ maintenance_remote_machine }}
@@ -16,7 +17,7 @@ cache_pkginfo_ttl = {{ aurweb_cache_pkginfo_ttl }}
 aur_location = https://{{ aurweb_domain }}
 git_clone_uri_anon = https://{{ aurweb_domain }}/%s.git
 git_clone_uri_priv = ssh://{{ aurweb_user }}@{{ aurweb_domain }}/%s.git
-memcache_servers = {{ aurweb_memcached_socket }}:0
+redis_address = redis://localhost
 
 [ratelimit]
 request_limit = {{ aurweb_request_limt }}
@@ -27,9 +28,13 @@ Ed25519 = SHA256:RFzBCUItH9LZS0cKB5UE6ceAYhBD5C8GeOBip8Z11+4
 ECDSA = SHA256:uTa/0PndEgPZTf76e1DFqXKJEXKsn7m9ivhLQtzGOCI
 RSA = SHA256:5s5cIyReIfNNVGRFdDbe3hdYiI5OelHGpw2rOUud3Q8
 
+[auth]
+git-serve-cmd = /usr/local/bin/aurweb-git-serve.sh
+
 [serve]
 repo-path = {{ aurweb_git_dir }}
 git-shell-cmd = /usr/bin/sh
+git-update-cmd = /usr/local/bin/aurweb-git-update.sh
 ssh-cmdline = ssh {{ aurweb_user }}@{{ aurweb_domain }}
 
 [update]
@@ -45,3 +50,12 @@ packagesmetafile = {{ aurweb_dir }}/web/html/packages-meta-v1.json.gz
 packagesmetaextfile = {{ aurweb_dir }}/web/html/packages-meta-ext-v1.json.gz
 pkgbasefile = {{ aurweb_dir }}/web/html/pkgbase.gz
 userfile = {{ aurweb_dir }}/web/html/users.gz
+
+[notifications]
+notify-cmd = aurweb-notify
+{# An email used for server error notifications. #}
+postmaster = {{ vault_aurweb_postmaster }}
+
+[fastapi]
+{# TODO: This must be set to a persistent secret key. #}
+session_secret = {{ vault_aurweb_secret }}
diff --git a/roles/aurweb/templates/nginx.d.conf.j2 b/roles/aurweb/templates/nginx.d.conf.j2
index 542bb98bd..f89bf618d 100644
--- a/roles/aurweb/templates/nginx.d.conf.j2
+++ b/roles/aurweb/templates/nginx.d.conf.j2
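Review bot: The `{# TODO: This must be set to a persistent secret key. #}` comment in the last hunk contradicts the line under it, which already takes the key from `vault_aurweb_secret`; if the vault value is the persistent key the TODO is stale and should read `{# Session signing key; must stay constant across deploys and is sourced from the vault. #}`, and if it is not yet populated the play should fail rather than render an empty `session_secret`. Ansible's `mandatory` filter gives that guarantee, `session_secret = {{ vault_aurweb_secret | mandatory }}`, and the same guard suits `vault_aurweb_db_password` earlier in the file. Since this file now holds both the database password and the session key, the task that renders it (outside these hunks) needs a restrictive owner and mode, which is worth confirming. The Jinja `{# #}` comments never reach the host, so the TODO is only visible to role maintainers.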
@@ -71,39 +71,12 @@ server {
 expires 5m;
 }
 
- location ~ ^/[^/]+\.php($|/) {
- fastcgi_pass aurweb;
- fastcgi_index index.php;
- fastcgi_split_path_info ^(/[^/]+\.php)(/.*)$;
- if (!-f $document_root$fastcgi_script_name) {
- return 404;
- }
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- fastcgi_param HTTPS on;
- include fastcgi_params;
-
- # Cache PHP Requests
- #fastcgi_cache aur;
- #fastcgi_cache_valid 200 5m;
- #add_header X-Cache $upstream_cache_status;
-
- # Required for caching to work
- #fastcgi_ignore_headers "Cache-Control" "Expires" "Set-Cookie";
-
- # Only apply cache when set
- #fastcgi_cache_bypass $no_cache;
- #fastcgi_no_cache $no_cache;
- }
-
- # directories for static assets
- location ~ ^/(?:css|js|images)/ {
- expires 30d;
- add_header Pragma public;
- add_header Cache-Control "public, must-revalidate, proxy-revalidate";
- }
-
- location ~ .* {
- rewrite ^/(.*)$ /index.php/$1 last;
+ location / {
+ # Proxy over to aurweb's ASGI application.
+ proxy_pass http://{{ aurweb_asgi_bind }};
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Ssl on;
 }
 }
--
GitLab
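Review bot: The new `location /` hard-codes `proxy_set_header X-Forwarded-Ssl on;` while `X-Forwarded-Proto` is derived from `$scheme`; if the enclosing server block (which starts outside the hunk) also accepts plain HTTP the two headers disagree and the application is told a cleartext request was TLS, so derive both the same way with `proxy_set_header X-Forwarded-Ssl $https;` (nginx drops a header whose value is empty, which `$https` is on plain HTTP). `X-Forwarded-For $remote_addr` deliberately overwrites any client-supplied header, which is the right choice while nginx is the only hop in front of the bind address. Dropping the `/(css|js|images)/` location means every `/static/` asset that cgitrc now references is served by the gunicorn workers; a `location /static/ { alias <path not visible here>; expires 30d; }` would keep static files off the application and restore the cache headers the removed block provided.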