Verified Commit 420d0717 authored by Florian Pritz's avatar Florian Pritz

orion: Add gpg WKD directory for pacman

Maintain a web key directory with our gpg keys. The update script is run
automatically whenever the archlinux-keyring package on orion is
upgraded.

https://bugs.archlinux.org/task/63171

Signed-off-by: Florian Pritz's avatarFlorian Pritz <bluewind@xinu.at>
parent 8197db9d
......@@ -28,3 +28,4 @@
- { role: sources, sources_domain: "sources.archlinux.org", sources_dir: "/srv/sources", tags: ['sources'] }
- { role: archive, archive_domain: "archive.archlinux.org", archive_dir: "/srv/archive", tags: ['archive'] }
- { role: hefur, ftp_iso_dir: '/srv/ftp/iso', tags: ['torrenttracker']}
- wkd
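Review bot: The new `- wkd` entry is the only role in this list without a `tags:` key, so unlike its siblings it cannot be selected or skipped with `--tags`/`--skip-tags`; `- { role: wkd, tags: ['wkd'] }` keeps the list consistent. The enclosing roles list starts above the hunk.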
---
wkd_user: wkd
wkd_dir: /srv/http/wkd
wkd_home: /home/wkd
wkd_domain: openpgpkey.archlinux.org
#!/bin/bash
set -euo pipefail
workdir="$1"
if [[ -z "$workdir" ]]; then
echo "Error: workdir not set" >&2
exit 1
fi
export GNUPGHOME=/etc/pacman.d/gnupg
mkdir -p "$workdir/openpgpkey/archlinux.org/hu"
for email in $(gpg --list-options show-only-fpr-mbox --list-keys | grep '@archlinux.org' | cut -d' ' -f2); do
wkd_hash="$(/usr/lib/gnupg/gpg-wks-client --print-wkd-hash "$email" | cut -d' ' -f1)"
outfile="$workdir/openpgpkey/archlinux.org/hu/$wkd_hash"
gpg --export "$email" > "$outfile"
# TODO: return error if filesize of $outfile is >= 64kB; https://dev.gnupg.org/T4607#127792
done
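Review bot: `gpg --export "$email"` selects keys by case-insensitive substring match on the user ID, so a mailbox that is a suffix of another address (`ann@archlinux.org` vs. `joann@archlinux.org`) would get the other key appended to its WKD file; use `gpg --export "<$email>"` to force an exact-mailbox match. The loop also writes straight into the served `hu/` directory and never removes hashes for keys that have left the keyring, so a removed address keeps being served until someone deletes the file by hand; staging into a temporary sibling directory and renaming it over `hu/` fixes both the stale-file and the half-written-file-during-update cases and is a natural place to implement the 64 kB check from the TODO. Two smaller things: `workdir="$1"` under `set -u` aborts with an unbound-variable error before the friendlier check on the next line can run (use `"${1:-}"`), and the advanced WKD layout expects a `policy` file next to `hu/` (empty is fine; `gpg-wks-client` checks for it) which nothing here creates. I cannot tell from the diff whether the `wkd` service user can read `/etc/pacman.d/gnupg` (pacman-key normally creates it mode 0700); if it cannot, importing `/usr/share/pacman/keyrings/archlinux.gpg` into a private temporary GNUPGHOME would make the script independent of that directory's permissions.
```shell
workdir="${1:-}"
# … unchanged: empty-workdir check, GNUPGHOME …
basedir="$workdir/openpgpkey/archlinux.org"
hudir="$basedir/hu"
mkdir -p "$basedir"
: > "$basedir/policy"                 # required by the advanced method; may be empty
stagedir="$(mktemp -d -p "$basedir")" # sibling of hu/ so the final rename stays on one filesystem
trap 'rm -rf -- "$stagedir"' EXIT

gpg --list-options show-only-fpr-mbox --list-keys \
  | awk '$2 ~ /@archlinux\.org$/ { print $2 }' \
  | while IFS= read -r email; do
      wkd_hash="$(/usr/lib/gnupg/gpg-wks-client --print-wkd-hash "$email" | cut -d' ' -f1)"
      outfile="$stagedir/$wkd_hash"
      # "<addr>" makes gpg match the mailbox exactly instead of any user ID containing the string
      gpg --export "<$email>" > "$outfile"
      if (( $(stat -c %s "$outfile") >= 65536 )); then
          echo "Error: exported key for $email exceeds the 64kB WKD limit" >&2
          exit 1
      fi
  done

# Swap the fully built directory in; old hashes disappear with the old directory.
if [[ -d "$hudir" ]]; then
    mv -- "$hudir" "$hudir.old"
fi
mv -- "$stagedir" "$hudir"
rm -rf -- "$hudir.old"
```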
---
- name: daemon reload
command: systemctl daemon-reload
- name: run wkd service
service: name=update-wkd.service state=started
---
- name: create wkd user
user: name={{ wkd_user }} shell=/bin/false home={{ wkd_home }}
- name: install wkd update script
copy: src=update-wkd.sh dest=/usr/local/bin/update-wkd.sh owner=root group=root mode=0755
- name: install wkd service
template: src=update-wkd.service.j2 dest=/etc/systemd/system/update-wkd.service owner=root group=root mode=0644
notify:
- daemon reload
- run wkd service
- name: create pacman.d hooks dir
file: state=directory owner=root group=root path=/etc/pacman.d/hooks
- name: install pgp_import hook
template: src=update-wkd-pacman-hook.j2 dest=/etc/pacman.d/hooks/update-wkd.hook owner=root group=root mode=0644
- name: create ssl cert
command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d '{{ wkd_domain }}' creates='/etc/letsencrypt/live/{{ wkd_domain }}/fullchain.pem'
- name: create wkd_dir
file: state=directory owner={{ wkd_user }} group={{ wkd_user }} path="{{ wkd_dir }}" mode=0755
- name: set up nginx
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/wkd.conf owner=root group=root mode=644
notify: reload nginx
tags: ['nginx']
- name: make nginx log dir
file: path=/var/log/nginx/{{ wkd_domain }} state=directory owner=root group=root mode=0755
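Review bot: The `install wkd update script` task has no `notify`, so a changed `update-wkd.sh` is not executed until the next `archlinux-keyring` upgrade or a change to the service template; add `notify: ['run wkd service']` to it, since the handler already exists in this commit. Two consistency nits: the task name `install pgp_import hook` does not describe what it installs (`install update-wkd pacman hook` would), and `mode=644` on the nginx task differs from the `0644`/`0755` form used by the other tasks — in `key=value` form the value is a string and is still read as octal, but the explicit leading zero avoids the decimal-vs-octal trap if the task is ever rewritten in YAML dict form.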
server {
listen 80;
listen [::]:80;
server_name {{ wkd_domain }};
root {{ wkd_dir }};
access_log /var/log/nginx/{{ wkd_domain }}/access.log reduced;
error_log /var/log/nginx/{{ wkd_domain }}/error.log;
include snippets/letsencrypt.conf;
autoindex on;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ wkd_domain }};
root {{ wkd_dir }};
access_log /var/log/nginx/{{ wkd_domain }}/access.log reduced;
error_log /var/log/nginx/{{ wkd_domain }}/error.log;
ssl_certificate /etc/letsencrypt/live/{{ wkd_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ wkd_domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ wkd_domain }}/chain.pem;
autoindex on;
}
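Review bot: `autoindex on` in both server blocks publishes a directory listing of `hu/`, which lets anyone enumerate every published key; the z-base-32 SHA-1 of the local part is light obfuscation rather than a secret, and the lookup protocol never needs listing, so drop both `autoindex on` lines unless enumeration is intended. The port-80 server also serves the key files over plain HTTP; WKD clients use HTTPS only, so that block should carry just the ACME snippet and otherwise `return 301 https://$host$request_uri;`, removing a plaintext path on which a MITM could substitute keys for any tool that falls back to http. If browser-based clients are a target, the WKD draft recommends serving the key files with `Access-Control-Allow-Origin: *`, e.g. an `add_header` inside a `location /.well-known/openpgpkey/ { ... }` block in the 443 server.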
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = archlinux-keyring
[Action]
When = PostTransaction
Exec = /usr/bin/systemctl start update-wkd
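Review bot: `systemctl start update-wkd` blocks the pacman transaction until the oneshot finishes (up to the service's `TimeoutStartSec=3600`), and a failed regeneration surfaces as a hook error on an upgrade that has already completed; `Exec = /usr/bin/systemctl start --no-block update-wkd` decouples the two, at the cost of the error only appearing in the journal. Separately, the trigger only fires for the `archlinux-keyring` package while the script reads `/etc/pacman.d/gnupg`, which `pacman-key` (e.g. `--refresh-keys`, manual `--lsign-key`) also changes outside any transaction; if those changes should be published too, a path or timer unit on that directory would cover them.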
[Unit]
Description=Update GPG web key directory
[Service]
Type=oneshot
User={{ wkd_user }}
WorkingDirectory={{ wkd_dir }}
ExecStart=/usr/local/bin/update-wkd.sh "{{ wkd_dir }}/.well-known"
TimeoutStartSec=3600
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
[Install]
WantedBy=multi-user.target
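Review bot: The sandbox can be tightened further at no cost to what the script does: it only writes below `{{ wkd_dir }}` (its `workdir`), so `ProtectSystem=strict` plus `ReadWritePaths={{ wkd_dir }}` makes everything else read-only, and since `gpg --list-keys`/`--export` and `gpg-wks-client --print-wkd-hash` need no network, `PrivateNetwork=true` with `RestrictAddressFamilies=AF_UNIX` removes the network from the unit as well. Note that `/etc`, and with it `/etc/pacman.d/gnupg`, is already read-only under the current `ProtectSystem=full`, so `strict` changes nothing for the keyring directory. The syscall and personality restrictions below are the usual set for a shell-plus-gpg oneshot; please confirm with a manual `systemctl start update-wkd` (and `systemd-analyze security update-wkd`) that gpg does not need anything the filter removes, since I cannot run it from here.
```ini
[Service]
# … unchanged: Type, User, WorkingDirectory, ExecStart, TimeoutStartSec …
NoNewPrivileges=yes
# The script only writes below the WKD web root; /etc is read-only here as it was under =full.
ProtectSystem=strict
ReadWritePaths={{ wkd_dir }}
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
# Neither gpg --export nor gpg-wks-client --print-wkd-hash needs network access.
PrivateNetwork=true
RestrictAddressFamilies=AF_UNIX
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictNamespaces=true
RestrictRealtime=true
LockPersonality=true
MemoryDenyWriteExecute=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
CapabilityBoundingSet=
```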