orion: Add gpg WKD directory for pacman

Maintain a web key directory with our gpg keys. The update script is run automatically whenever the archlinux-keyring package on orion is upgraded. https://bugs.archlinux.org/task/63171 Signed-off-by: Florian Pritz <bluewind@xinu.at>

orion: Add gpg WKD directory for pacman
Maintain a web key directory with our gpg keys. The update script is run automatically whenever the archlinux-keyring package on orion is upgraded. https://bugs.archlinux.org/task/63171 Signed-off-by: Florian Pritz <bluewind@xinu.at>
420d0717 · Florian Pritz · 8197db9d · 420d0717 · 420d0717 · 420d0717
Verified Commit 420d0717 authored Aug 04, 2019 by Florian Pritz
--- a/playbooks/orion.yml
+++ b/playbooks/orion.yml
@@ -28,3 +28,4 @@
    - { role: sources, sources_domain: "sources.archlinux.org", sources_dir: "/srv/sources", tags: ['sources'] }
    - { role: archive, archive_domain: "archive.archlinux.org", archive_dir: "/srv/archive", tags: ['archive'] }
    - { role: hefur, ftp_iso_dir: '/srv/ftp/iso', tags: ['torrenttracker']}
+    - wkd
--- a/roles/wkd/defaults/main.yml
+++ b/roles/wkd/defaults/main.yml
+---
+
+wkd_user: wkd
+wkd_dir: /srv/http/wkd
+wkd_home: /home/wkd
+wkd_domain: openpgpkey.archlinux.org
--- a/roles/wkd/files/update-wkd.sh
+++ b/roles/wkd/files/update-wkd.sh
+#!/bin/bash
+
+set -euo pipefail
+
+workdir="$1"
+
+if [[ -z "$workdir" ]]; then
+	echo "Error: workdir not set" >&2
+	exit 1
+fi
+
+export GNUPGHOME=/etc/pacman.d/gnupg
+
+mkdir -p "$workdir/openpgpkey/archlinux.org/hu"
+
+for email in $(gpg --list-options show-only-fpr-mbox --list-keys | grep '@archlinux.org' | cut -d' ' -f2); do
+	wkd_hash="$(/usr/lib/gnupg/gpg-wks-client --print-wkd-hash "$email" | cut -d' ' -f1)"
+	outfile="$workdir/openpgpkey/archlinux.org/hu/$wkd_hash"
+	gpg --export "$email" > "$outfile"
+
+	# TODO: return error if filesize of $outfile is >= 64kB; https://dev.gnupg.org/T4607#127792
+done
--- a/roles/wkd/handlers/main.yml
+++ b/roles/wkd/handlers/main.yml
+---
+
+- name: daemon reload
+  command: systemctl daemon-reload
+
+- name: run wkd service
+  service: name=update-wkd.service state=started
--- a/roles/wkd/tasks/main.yml
+++ b/roles/wkd/tasks/main.yml
+---
+
+- name: create wkd user
+  user: name={{ wkd_user }} shell=/bin/false home={{ wkd_home }}
+
+- name: install wkd update script
+  copy: src=update-wkd.sh dest=/usr/local/bin/update-wkd.sh owner=root group=root mode=0755
+
+- name: install wkd service
+  template: src=update-wkd.service.j2 dest=/etc/systemd/system/update-wkd.service owner=root group=root mode=0644
+  notify:
+    - daemon reload
+    - run wkd service
+
+- name: create pacman.d hooks dir
+  file: state=directory owner=root group=root path=/etc/pacman.d/hooks
+
+- name: install pgp_import hook
+  template: src=update-wkd-pacman-hook.j2 dest=/etc/pacman.d/hooks/update-wkd.hook owner=root group=root mode=0644
+
+- name: create ssl cert
+  command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d '{{ wkd_domain }}' creates='/etc/letsencrypt/live/{{ wkd_domain }}/fullchain.pem'
+
+- name: create wkd_dir
+  file: state=directory owner={{ wkd_user }} group={{ wkd_user }} path="{{ wkd_dir }}" mode=0755
+
+- name: set up nginx
+  template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/wkd.conf owner=root group=root mode=644
+  notify: reload nginx
+  tags: ['nginx']
+
+- name: make nginx log dir
+  file: path=/var/log/nginx/{{ wkd_domain }} state=directory owner=root group=root mode=0755
--- a/roles/wkd/templates/nginx.d.conf.j2
+++ b/roles/wkd/templates/nginx.d.conf.j2
+server {
+    listen       80;
+    listen       [::]:80;
+    server_name  {{ wkd_domain }};
+    root         {{ wkd_dir }};
+
+    access_log   /var/log/nginx/{{ wkd_domain }}/access.log reduced;
+    error_log    /var/log/nginx/{{ wkd_domain }}/error.log;
+
+    include snippets/letsencrypt.conf;
+
+    autoindex on;
+}
+
+server {
+    listen       443 ssl http2;
+    listen       [::]:443 ssl http2;
+    server_name  {{ wkd_domain }};
+    root         {{ wkd_dir }};
+
+    access_log   /var/log/nginx/{{ wkd_domain }}/access.log reduced;
+    error_log    /var/log/nginx/{{ wkd_domain }}/error.log;
+
+    ssl_certificate      /etc/letsencrypt/live/{{ wkd_domain }}/fullchain.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/{{ wkd_domain }}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ wkd_domain }}/chain.pem;
+
+    autoindex on;
+}
--- a/roles/wkd/templates/update-wkd-pacman-hook.j2
+++ b/roles/wkd/templates/update-wkd-pacman-hook.j2
+[Trigger]
+Operation = Install
+Operation = Upgrade
+Type = Package
+Target = archlinux-keyring
+
+[Action]
+When = PostTransaction
+Exec = /usr/bin/systemctl start update-wkd
--- a/roles/wkd/templates/update-wkd.service.j2
+++ b/roles/wkd/templates/update-wkd.service.j2
+[Unit]
+Description=Update GPG web key directory
+
+[Service]
+Type=oneshot
+User={{ wkd_user }}
+WorkingDirectory={{ wkd_dir }}
+ExecStart=/usr/local/bin/update-wkd.sh "{{ wkd_dir }}/.well-known"
+TimeoutStartSec=3600
+
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+
+[Install]
+WantedBy=multi-user.target