aboutsummaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
Diffstat (limited to 'roles')
-rw-r--r--roles/nginx/tasks/main.yml42
-rw-r--r--roles/nginx/templates/nginx.conf.j293
-rw-r--r--roles/nginx/vars/main.yml9
-rw-r--r--roles/postgres/tasks/main.yml15
-rw-r--r--roles/srht/meta/main.yml11
-rw-r--r--roles/srht/tasks/main.yml92
-rw-r--r--roles/srht/templates/config.ini.j2275
-rw-r--r--roles/srht/templates/hub.srht.conf.j222
-rw-r--r--roles/srht/templates/meta.srht.conf.j222
-rw-r--r--roles/srht/vars/main.yml17
10 files changed, 598 insertions, 0 deletions
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
new file mode 100644
index 0000000..dda2c98
--- /dev/null
+++ b/roles/nginx/tasks/main.yml
@@ -0,0 +1,42 @@
+
+# nginx ~~ roles/nginx/tasks/main.yml
+# Linux nginx webserver
+
+---
+
+- name: ensure role is run on linux hosts
+ fail:
+ msg: nginx role can only be run on linux host
+ when: ansible_system != "Linux"
+
+- name: ensure nginx is installed
+ package: name=nginx state=present
+
+- name: ensure nginx group exists
+ group: name="{{ nginx_group }}" state=present
+
+- name: ensure nginx user exists
+ user: name="{{ nginx_user }}" group="{{ nginx_group }}" state=present
+
+- name: generate nginx configuration
+ template:
+ src: nginx.conf.j2
+ dest: /etc/nginx/nginx.conf
+ owner: "{{ user_root }}"
+ group: "{{ group_root }}"
+ mode: 0644
+
+- name: ensure nginx sub-configuration directory exists
+ file:
+ path: "{{ nginx_subconf_dir }}"
+ owner: "{{ user_root }}"
+ group: "{{ group_root }}"
+ state: directory
+ mode: 0744
+
+- name: enable and restart nginx
+ service:
+ name: nginx
+ state: restarted
+ enabled: true
+
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2
new file mode 100644
index 0000000..8800794
--- /dev/null
+++ b/roles/nginx/templates/nginx.conf.j2
@@ -0,0 +1,93 @@
+
+# nginx ~~ /etc/nginx/nginx.conf
+# managed by Ansible
+
+user {{ nginx_user }};
+
+# Set number of worker processes automatically based on number of CPU cores.
+worker_processes auto;
+
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
+# Configures default error logger.
+error_log /var/log/nginx/error.log warn;
+
+# Includes files with directives to load dynamic modules.
+include /etc/nginx/modules/*.conf;
+
+
+events {
+ # The maximum number of simultaneous connections that can be opened by
+ # a worker process.
+ worker_connections 1024;
+}
+
+http {
+ # Includes mapping of file name extensions to MIME types of responses
+ # and defines the default type.
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ # Name servers used to resolve names of upstream servers into addresses.
+ # It's also needed when using tcpsocket and udpsocket in Lua modules.
+ #resolver 208.67.222.222 208.67.220.220;
+
+ # Don't tell nginx version to clients.
+ server_tokens off;
+
+ # Specifies the maximum accepted body size of a client request, as
+ # indicated by the request header Content-Length. If the stated content
+ # length is greater than this size, then the client receives the HTTP
+ # error code 413. Set to 0 to disable.
+ client_max_body_size 1m;
+
+ # Timeout for keep-alive connections. Server will close connections after
+ # this time.
+ keepalive_timeout 65;
+
+ # Sendfile copies data between one FD and other from within the kernel,
+ # which is more efficient than read() + write().
+ sendfile on;
+
+ # Don't buffer data-sends (disable Nagle algorithm).
+ # Good for sending frequent small bursts of data in real time.
+ tcp_nodelay on;
+
+ # Causes nginx to attempt to send its HTTP response head in one packet,
+ # instead of using partial frames.
+ #tcp_nopush on;
+
+
+ # Path of the file with Diffie-Hellman parameters for EDH ciphers.
+ #ssl_dhparam /etc/ssl/nginx/dh2048.pem;
+
+ # Specifies that our cipher suits should be preferred over client ciphers.
+ ssl_prefer_server_ciphers on;
+
+ # Enables a shared SSL cache with size that can hold around 8000 sessions.
+ ssl_session_cache shared:SSL:2m;
+
+
+ # Enable gzipping of responses.
+ #gzip on;
+
+ # Set the Vary HTTP header as defined in the RFC 2616.
+ gzip_vary on;
+
+ # Enable checking the existence of precompressed files.
+ #gzip_static on;
+
+
+ # Specifies the main log format.
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ # Sets the path, format, and configuration for a buffered log write.
+ access_log /var/log/nginx/access.log main;
+
+
+ # Includes virtual hosts configs.
+ include {{ nginx_subconf_dir }}/*.conf;
+}
diff --git a/roles/nginx/vars/main.yml b/roles/nginx/vars/main.yml
new file mode 100644
index 0000000..18ecb71
--- /dev/null
+++ b/roles/nginx/vars/main.yml
@@ -0,0 +1,9 @@
+
+# nginx ~~ roles/nginx/vars/main.yml
+# Nginx variables
+
+---
+
+nginx_group: nginx
+nginx_user: nginx
+nginx_subconf_dir: /etc/nginx/conf.d
diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml
new file mode 100644
index 0000000..e032ff5
--- /dev/null
+++ b/roles/postgres/tasks/main.yml
@@ -0,0 +1,15 @@
+
+# postgres ~~ roles/postgres/tasks/main.yml
+# postgresql database server
+
+---
+
+- name: ensure postgres is installed
+ package: name=postgresql state=present
+ ignore_errors: true
+
+- name: enable and restart postgres service
+ service:
+ name: postgresql
+ state: restarted
+ enabled: true
diff --git a/roles/srht/meta/main.yml b/roles/srht/meta/main.yml
new file mode 100644
index 0000000..487e8aa
--- /dev/null
+++ b/roles/srht/meta/main.yml
@@ -0,0 +1,11 @@
+
+# httpd ~~ roles/httpd/meta/main.yml
+# Meta for httpd
+
+---
+
+dependencies:
+ - { role: postgres, tags: "dependency" }
+ - { role: redis, tags: "dependency" }
+ - { role: nginx, tags: "dependency" }
+ - { role: git, tags: "dependency" }
diff --git a/roles/srht/tasks/main.yml b/roles/srht/tasks/main.yml
new file mode 100644
index 0000000..076557f
--- /dev/null
+++ b/roles/srht/tasks/main.yml
@@ -0,0 +1,92 @@
+
+# srht ~~ roles/srht/tasks/main.yml
+# Srht git server
+
+---
+
+- name: ensure srht repository is enabled
+ lineinfile:
+ path: /etc/apk/repositories
+ regexp: "^https://mirror.sr.ht"
+ line: "https://mirror.sr.ht/alpine/v3.12/sr.ht"
+
+- name: ensure signing key for sourcehut repository is installed
+ shell: |
+ wget -q -O /etc/apk/keys/alpine@sr.ht.rsa.pub https://mirror.sr.ht/alpine/alpine@sr.ht.rsa.pub
+ apk update
+
+- name: ensure sourcehut is installed
+ package: name="{{ item }}" state=present
+ loop: "{{ srht_services }}"
+
+- name: generate srht service key
+ shell: srht-keygen service | rev | cut -d " " -f 1 | rev
+ register: srht_key_service
+
+- name: generate srht network key
+ shell: srht-keygen network | rev | cut -d " " -f 1 | rev
+ register: srht_key_network
+
+- name: generate srht webhook key
+ shell: srht-keygen webhook | rev | cut -d " " -f 1 | rev
+ register: srht_key_webhook
+
+- name: generate srht nginx configuration
+ template:
+ src: "{{ item }}.srht.conf.j2"
+ dest: "/etc/nginx/conf.d/{{ item }}.srht.conf"
+ owner: "{{ user_root }}"
+ group: "{{ group_root }}"
+ mode: 0644
+ loop:
+ - "meta"
+ - "hub"
+
+- name: generate srht example configuration
+ template:
+ src: config.ini.j2
+ dest: /etc/sr.ht/config.example.ini
+ owner: "{{ user_root }}"
+ group: "{{ group_root }}"
+ mode: 0644
+
+- name: debug hint for example configuration
+ debug:
+ msg:
+ - srht configuration example at /etc/sr.ht/config.example.ini
+ - copy and modify it to /etc/sr.ht/config.ini
+
+- name: create database for srht services
+ shell: psql -c 'create database "{{ item }}.sr.ht"'
+ register: result
+ failed_when: result.rc != 0 and "already exists" not in result.stderr
+ ignore_errors: true
+ loop:
+ - "meta"
+ - "git"
+ - "hub"
+ become: true
+ become_user: postgres
+
+- name: init database for srht services
+ shell: "{{ item }}srht-initdb"
+ loop:
+ - "meta"
+ - "git"
+ - "hub"
+
+- name: enable and restart srht services
+ service:
+ name: "{{ item }}"
+ state: restarted
+ enabled: true
+ loop: "{{ srht_services }}"
+
+- name: enable and restart srht api services
+ service:
+ name: "{{ item }}"
+ state: restarted
+ enabled: true
+ loop:
+ - "meta.sr.ht-api"
+ - "git.sr.ht-api"
diff --git a/roles/srht/templates/config.ini.j2 b/roles/srht/templates/config.ini.j2
new file mode 100644
index 0000000..e3bca6a
--- /dev/null
+++ b/roles/srht/templates/config.ini.j2
@@ -0,0 +1,275 @@
+
+# srht ~~ /etc/sr.ht/config.ini
+# managed by Ansible
+
+[sr.ht]
+#
+# The name of your network of sr.ht-based sites
+site-name=hacker's hut
+#
+# The top-level info page for your site
+site-info=http://{{ global.domain_name }}
+#
+#
+site-blurb=hack the planet!
+#
+# If this != production, we add a banner to each page
+environment=development
+#
+# Contact information for the site owners
+owner-name={{ global.domain_name }}
+owner-email=support@{{ global.domain_name }}
+#
+# The source code for your fork of sr.ht
+source-url=https://git.sr.ht/~sircmpwn/srht
+#
+# Link to your instance's privacy policy. Uses the sr.ht privacy policy as the
+# default, which describes the information collected by the upstream SourceHut
+# code.
+privacy-policy=
+#
+# A key used for encrypting session cookies. Use `srht-keygen service` to
+# generate the service key. This must be shared between each node of the same
+# service (e.g. git1.sr.ht and git2.sr.ht), but different services may use
+# different keys. If you configure all of your services with the same
+# config.ini, you may use the same service-key for all of them.
+service-key={{ srht_key_service.stdout_lines[0] }}
+#
+# A secret key to encrypt internal messages with. Use `srht-keygen network` to
+# generate this key. It must be consistent between all services and nodes.
+network-key={{ srht_key_network.stdout_lines[0] }}
+#
+# The redis host URL. This is used for caching and temporary storage, and must
+# be shared between nodes (e.g. git1.sr.ht and git2.sr.ht), but need not be
+# shared between services. It may be shared between services, however, with no
+# ill effect, if this better suits your infrastructure.
+redis-host=redis://localhost
+
+[objects]
+#
+# Configure S3-compatible object storage for services. Optional.
+#
+# Minio is recommended as a FOSS solution over AWS: https://min.io
+s3-upstream=
+s3-access-key=
+s3-secret-key=
+
+[mail]
+#
+# Outgoing SMTP settings
+smtp-host=
+smtp-port=
+smtp-user=
+smtp-password=
+smtp-from=
+#
+# Application exceptions are emailed to this address
+error-to=
+error-from=
+#
+# You should generate a PGP key to allow users to authenticate emails received
+# from your services. Use `gpg --edit-key [key id]` to remove the password from
+# your private key, then export it to a file and set pgp-privkey to the path to
+# that file. pgp-pubkey should be set to the path to your public key, and
+# pgp-key-id should be set to the key ID string. Outgoing emails are signed with
+# this PGP key.
+pgp-privkey=
+pgp-pubkey=
+pgp-key-id=
+
+[webhooks]
+#
+# base64-encoded Ed25519 key for signing webhook payloads. This should be
+# consistent between all services.
+#
+# Use the `srht-keygen webhook` command to generate this key. Put the private
+# key here and distribute the public key to anyone who would want to verify
+# webhook payloads from your service.
+private-key={{ srht_key_webhook.stdout_lines[0] }}
+#public-key={{ srht_key_webhook.stdout_lines[1] }}
+
+[meta.sr.ht]
+#
+# URL meta.sr.ht is being served at (protocol://domain)
+origin=http://meta.git.{{ global.domain_name }}
+#
+# Address and port to bind the debug server to
+debug-host=0.0.0.0
+debug-port=5000
+#
+# Configures the SQLAlchemy connection string for the database.
+connection-string=postgresql://postgres@localhost/meta.sr.ht?sslmode=disable
+#
+# Set to "yes" to automatically run migrations on package upgrade.
+migrate-on-upgrade=yes
+#
+# The redis connection used for the webhooks worker
+webhooks=redis://localhost:6379/1?sslmode=disable
+#
+# If "yes", the user will be sent the stock sourcehut welcome emails after
+# signup (requires cron to be configured properly). These are specific to the
+# sr.ht instance so you probably want to patch these before enabling this.
+welcome-emails=no
+
+[meta.sr.ht::api]
+#
+# Maximum complexity of GraphQL queries. The higher this number, the more work
+# that API clients can burden the API backend with. Complexity is equal to the
+# number of discrete fields which would be returned to the user. 200 is a good
+# default.
+max-complexity=200
+
+#
+# The maximum time the API backend will spend processing a single API request.
+#
+# See https://golang.org/pkg/time/#ParseDuration
+max-duration=3s
+
+#
+# Set of IP subnets which are permitted to utilize internal API
+# authentication. This should be limited to the subnets from which your
+# *.sr.ht services are running.
+#
+# Comma-separated, CIDR notation.
+internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8
+
+[meta.sr.ht::settings]
+#
+# If "no", public registration will not be permitted.
+registration=no
+#
+# Where to redirect new users upon registration
+onboarding-redirect=http://example.org
+#
+# How many invites each user is issued upon registration (only applicable if
+# open registration is disabled)
+user-invites=5
+
+[meta.sr.ht::aliases]
+#
+# You can add aliases for the client IDs of commonly used OAuth clients here.
+#
+# Example:
+# git.sr.ht=12345
+
+[meta.sr.ht::billing]
+#
+# "yes" to enable the billing system
+enabled=no
+#
+# Get your keys at https://dashboard.stripe.com/account/apikeys
+stripe-public-key=
+stripe-secret-key=
+
+[meta.sr.ht::auth]
+#
+# What authentication method to use.
+# builtin: use sr.ht builtin authentication
+# unix-pam: use Unix PAM authentication
+#auth-method=builtin
+
+[meta.sr.ht::auth::unix-pam]
+#
+# The default email domain to assign to newly created users when they first log
+# in.
+# User's email will be set to <username>@<email-default-domain>
+email-default-domain=srht.{{ global.domain_name }}
+#
+# The PAM service to use for logging in.
+#service=sshd
+#
+# Whether to automatically create new users when authentication succeeds but the
+# user is not in the database.
+create-users=yes
+#
+# The UNIX group users need to belong to to have access to sourcehut.
+# If set,
+# only users belonging to this group will be able to log into the site.
+# If unset, any user on the system is able to log in if PAM authentication
+# succeeds.
+user-group=
+#
+# The UNIX group users need to belong to to have administrator permissions.
+# If set, administrator status on the site will be synced with group
+# association. Additionally, any user of this group will also be able to access
+# sourcehut even if they are not in the group specified in user-group.
+# If unset, administrator status can be manually assigned from the web
+# interface.
+admin-group={{ group_root }}
+
+[git.sr.ht]
+#
+# URL git.sr.ht is being served at (protocol://domain)
+origin=http://git.{{ global.domain_name }}
+#
+# Address and port to bind the debug server to
+debug-host=0.0.0.0
+debug-port=5001
+#
+# Configures the SQLAlchemy connection string for the database.
+connection-string=postgresql://postgres@localhost/git.sr.ht?sslmode=disable
+#
+# Set to "yes" to automatically run migrations on package upgrade.
+migrate-on-upgrade=yes
+#
+# The redis connection used for the webhooks worker
+webhooks=redis://localhost:6379/1?sslmode=disable
+#
+# A post-update script which is installed in every git repo.
+post-update-script=/usr/bin/gitsrht-update-hook
+#
+# git.sr.ht's OAuth client ID and secret for meta.sr.ht
+# Register your client at meta.example.org/oauth
+oauth-client-id=CHANGEME
+oauth-client-secret=CHANGEME
+#
+# Path to git repositories on disk
+repos=/var/lib/git/
+#
+# Configure the S3 bucket and prefix for object storage. Leave empty to disable
+# object storage. Bucket is required to enable object storage; prefix is
+# optional.
+s3-bucket=
+s3-prefix=
+#
+# Required for preparing and sending patchsets from git.sr.ht
+outgoing-domain=
+
+[git.sr.ht::api]
+#
+# Maximum complexity of GraphQL queries. The higher this number, the more work
+# that API clients can burden the API backend with. Complexity is equal to the
+# number of discrete fields which would be returned to the user. 200 is a good
+# default.
+max-complexity=200
+
+#
+# The maximum time the API backend will spend processing a single API request.
+#
+# See https://golang.org/pkg/time/#ParseDuration
+max-duration=3s
+
+#
+# Set of IP subnets which are permitted to utilize internal API
+# authentication. This should be limited to the subnets from which your
+# *.sr.ht services are running.
+#
+# Comma-separated, CIDR notation.
+internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8
+
+[git.sr.ht::dispatch]
+#
+# The authorized keys hook uses this to dispatch to various handlers
+# The format is a program to exec into as the key, and the user to match as the
+# value. When someone tries to log in as this user, this program is executed
+# and is expected to omit an AuthorizedKeys file.
+#
+# Uncomment the relevant lines to enable the various sr.ht dispatchers.
+/usr/bin/gitsrht-keys=git:git
+#/usr/bin/buildsrht-keys=builds:builds
+
+[hub.sr.ht]
+origin=http://git.{{ global.domain_name }}
+oauth-client-id=CHANGEME
+oauth-client-secret=CHANGEME
+connection-string=postgresql://postgres@localhost/hub.sr.ht?sslmode=disable
diff --git a/roles/srht/templates/hub.srht.conf.j2 b/roles/srht/templates/hub.srht.conf.j2
new file mode 100644
index 0000000..41775f4
--- /dev/null
+++ b/roles/srht/templates/hub.srht.conf.j2
@@ -0,0 +1,22 @@
+server {
+ listen 80;
+ server_name git.{{ global.domain_name }};
+ client_max_body_size 100M;
+
+ location / {
+ proxy_pass http://127.0.0.1:{{ srht_hub_port }};
+ }
+
+ location /static {
+ root /usr/lib/python3.8/site-packages/hubsrht;
+ }
+
+ location /query {
+ proxy_pass http://127.0.0.1:{{ srht_hub_port }};
+ }
+
+ location = /robots.txt {
+ root /var/www;
+ }
+}
+
diff --git a/roles/srht/templates/meta.srht.conf.j2 b/roles/srht/templates/meta.srht.conf.j2
new file mode 100644
index 0000000..f5a3a2c
--- /dev/null
+++ b/roles/srht/templates/meta.srht.conf.j2
@@ -0,0 +1,22 @@
+server {
+ listen 81;
+ server_name meta.git.{{ global.domain_name }};
+ client_max_body_size 100M;
+
+ location / {
+ proxy_pass http://127.0.0.1:{{ srht_meta_port }};
+ }
+
+ location /static {
+ root /usr/lib/python3.8/site-packages/metasrht;
+ }
+
+ location /query {
+ proxy_pass http://127.0.0.1:{{ srht_meta_api_port }};
+ }
+
+ location = /robots.txt {
+ root /var/www;
+ }
+}
+
diff --git a/roles/srht/vars/main.yml b/roles/srht/vars/main.yml
new file mode 100644
index 0000000..d65e051
--- /dev/null
+++ b/roles/srht/vars/main.yml
@@ -0,0 +1,17 @@
+
+# srht ~~ roles/srht/vars/main.yml
+# srht vars
+
+---
+
+srht_services:
+ - meta.sr.ht
+ - git.sr.ht
+ - hub.sr.ht
+
+srht_meta_port: 5000
+srht_git_port: 5001
+srht_hub_port: 5014
+
+srht_meta_api_port: 5100
+srht_git_api_port: 5101
remember that computers suck.