From 58a81dc2ea748cf769d88b7515a39c6587d37ce2 Mon Sep 17 00:00:00 2001 From: binary Date: Fri, 15 Jan 2021 15:48:42 +0100 Subject: Add nginx and sourcehut role --- roles/srht/meta/main.yml | 11 ++ roles/srht/tasks/main.yml | 92 +++++++++++ roles/srht/templates/config.ini.j2 | 275 +++++++++++++++++++++++++++++++++ roles/srht/templates/hub.srht.conf.j2 | 22 +++ roles/srht/templates/meta.srht.conf.j2 | 22 +++ roles/srht/vars/main.yml | 17 ++ 6 files changed, 439 insertions(+) create mode 100644 roles/srht/meta/main.yml create mode 100644 roles/srht/tasks/main.yml create mode 100644 roles/srht/templates/config.ini.j2 create mode 100644 roles/srht/templates/hub.srht.conf.j2 create mode 100644 roles/srht/templates/meta.srht.conf.j2 create mode 100644 roles/srht/vars/main.yml (limited to 'roles/srht') diff --git a/roles/srht/meta/main.yml b/roles/srht/meta/main.yml new file mode 100644 index 0000000..487e8aa --- /dev/null +++ b/roles/srht/meta/main.yml @@ -0,0 +1,11 @@ + +# httpd ~~ roles/httpd/meta/main.yml +# Meta for httpd + +--- + +dependencies: + - { role: postgres, tags: "dependency" } + - { role: redis, tags: "dependency" } + - { role: nginx, tags: "dependency" } + - { role: git, tags: "dependency" } diff --git a/roles/srht/tasks/main.yml b/roles/srht/tasks/main.yml new file mode 100644 index 0000000..076557f --- /dev/null +++ b/roles/srht/tasks/main.yml @@ -0,0 +1,92 @@ + +# srht ~~ roles/srht/tasks/main.yml +# Srht git server + +--- + +- name: ensure srht repository is enabled + lineinfile: + path: /etc/apk/repositories + regexp: "^https://mirror.sr.ht" + line: "https://mirror.sr.ht/alpine/v3.12/sr.ht" + +- name: ensure signing key for sourcehut repository is installed + shell: | + wget -q -O /etc/apk/keys/alpine@sr.ht.rsa.pub https://mirror.sr.ht/alpine/alpine@sr.ht.rsa.pub + apk update + +- name: ensure sourcehut is installed + package: name="{{ item }}" state=present + loop: "{{ srht_services }}" + +- name: generate srht service key + shell: srht-keygen service | rev | cut -d " " -f 1 | rev + register: srht_key_service + +- name: generate srht network key + shell: srht-keygen network | rev | cut -d " " -f 1 | rev + register: srht_key_network + +- name: generate srht webhook key + shell: srht-keygen webhook | rev | cut -d " " -f 1 | rev + register: srht_key_webhook + +- name: generate srht nginx configuration + template: + src: "{{ item }}.srht.conf.j2" + dest: "/etc/nginx/conf.d/{{ item }}.srht.conf" + owner: "{{ user_root }}" + group: "{{ group_root }}" + mode: 0644 + loop: + - "meta" + - "hub" + +- name: generate srht example configuration + template: + src: config.ini.j2 + dest: /etc/sr.ht/config.example.ini + owner: "{{ user_root }}" + group: "{{ group_root }}" + mode: 0644 + +- name: debug hint for example configuration + debug: + msg: + - srht configuration example at /etc/sr.ht/config.example.ini + - copy and modify it to /etc/sr.ht/config.ini + +- name: create database for srht services + shell: psql -c 'create database "{{ item }}.sr.ht"' + register: result + failed_when: result.rc != 0 and "already exists" not in result.stderr + ignore_errors: true + loop: + - "meta" + - "git" + - "hub" + become: true + become_user: postgres + +- name: init database for srht services + shell: "{{ item }}srht-initdb" + loop: + - "meta" + - "git" + - "hub" + +- name: enable and restart srht services + service: + name: "{{ item }}" + state: restarted + enabled: true + loop: "{{ srht_services }}" + +- name: enable and restart srht api services + service: + name: "{{ item }}" + state: restarted + enabled: true + loop: + - "meta.sr.ht-api" + - "git.sr.ht-api" diff --git a/roles/srht/templates/config.ini.j2 b/roles/srht/templates/config.ini.j2 new file mode 100644 index 0000000..e3bca6a --- /dev/null +++ b/roles/srht/templates/config.ini.j2 @@ -0,0 +1,275 @@ + +# srht ~~ /etc/sr.ht/config.ini +# managed by Ansible + +[sr.ht] +# +# The name of your network of sr.ht-based sites +site-name=hacker's hut +# +# The top-level info page for your site +site-info=http://{{ global.domain_name }} +# +# +site-blurb=hack the planet! +# +# If this != production, we add a banner to each page +environment=development +# +# Contact information for the site owners +owner-name={{ global.domain_name }} +owner-email=support@{{ global.domain_name }} +# +# The source code for your fork of sr.ht +source-url=https://git.sr.ht/~sircmpwn/srht +# +# Link to your instance's privacy policy. Uses the sr.ht privacy policy as the +# default, which describes the information collected by the upstream SourceHut +# code. +privacy-policy= +# +# A key used for encrypting session cookies. Use `srht-keygen service` to +# generate the service key. This must be shared between each node of the same +# service (e.g. git1.sr.ht and git2.sr.ht), but different services may use +# different keys. If you configure all of your services with the same +# config.ini, you may use the same service-key for all of them. +service-key={{ srht_key_service.stdout_lines[0] }} +# +# A secret key to encrypt internal messages with. Use `srht-keygen network` to +# generate this key. It must be consistent between all services and nodes. +network-key={{ srht_key_network.stdout_lines[0] }} +# +# The redis host URL. This is used for caching and temporary storage, and must +# be shared between nodes (e.g. git1.sr.ht and git2.sr.ht), but need not be +# shared between services. It may be shared between services, however, with no +# ill effect, if this better suits your infrastructure. +redis-host=redis://localhost + +[objects] +# +# Configure S3-compatible object storage for services. Optional. +# +# Minio is recommended as a FOSS solution over AWS: https://min.io +s3-upstream= +s3-access-key= +s3-secret-key= + +[mail] +# +# Outgoing SMTP settings +smtp-host= +smtp-port= +smtp-user= +smtp-password= +smtp-from= +# +# Application exceptions are emailed to this address +error-to= +error-from= +# +# You should generate a PGP key to allow users to authenticate emails received +# from your services. Use `gpg --edit-key [key id]` to remove the password from +# your private key, then export it to a file and set pgp-privkey to the path to +# that file. pgp-pubkey should be set to the path to your public key, and +# pgp-key-id should be set to the key ID string. Outgoing emails are signed with +# this PGP key. +pgp-privkey= +pgp-pubkey= +pgp-key-id= + +[webhooks] +# +# base64-encoded Ed25519 key for signing webhook payloads. This should be +# consistent between all services. +# +# Use the `srht-keygen webhook` command to generate this key. Put the private +# key here and distribute the public key to anyone who would want to verify +# webhook payloads from your service. +private-key={{ srht_key_webhook.stdout_lines[0] }} +#public-key={{ srht_key_webhook.stdout_lines[1] }} + +[meta.sr.ht] +# +# URL meta.sr.ht is being served at (protocol://domain) +origin=http://meta.git.{{ global.domain_name }} +# +# Address and port to bind the debug server to +debug-host=0.0.0.0 +debug-port=5000 +# +# Configures the SQLAlchemy connection string for the database. +connection-string=postgresql://postgres@localhost/meta.sr.ht?sslmode=disable +# +# Set to "yes" to automatically run migrations on package upgrade. +migrate-on-upgrade=yes +# +# The redis connection used for the webhooks worker +webhooks=redis://localhost:6379/1?sslmode=disable +# +# If "yes", the user will be sent the stock sourcehut welcome emails after +# signup (requires cron to be configured properly). These are specific to the +# sr.ht instance so you probably want to patch these before enabling this. +welcome-emails=no + +[meta.sr.ht::api] +# +# Maximum complexity of GraphQL queries. The higher this number, the more work +# that API clients can burden the API backend with. Complexity is equal to the +# number of discrete fields which would be returned to the user. 200 is a good +# default. +max-complexity=200 + +# +# The maximum time the API backend will spend processing a single API request. +# +# See https://golang.org/pkg/time/#ParseDuration +max-duration=3s + +# +# Set of IP subnets which are permitted to utilize internal API +# authentication. This should be limited to the subnets from which your +# *.sr.ht services are running. +# +# Comma-separated, CIDR notation. +internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8 + +[meta.sr.ht::settings] +# +# If "no", public registration will not be permitted. +registration=no +# +# Where to redirect new users upon registration +onboarding-redirect=http://example.org +# +# How many invites each user is issued upon registration (only applicable if +# open registration is disabled) +user-invites=5 + +[meta.sr.ht::aliases] +# +# You can add aliases for the client IDs of commonly used OAuth clients here. +# +# Example: +# git.sr.ht=12345 + +[meta.sr.ht::billing] +# +# "yes" to enable the billing system +enabled=no +# +# Get your keys at https://dashboard.stripe.com/account/apikeys +stripe-public-key= +stripe-secret-key= + +[meta.sr.ht::auth] +# +# What authentication method to use. +# builtin: use sr.ht builtin authentication +# unix-pam: use Unix PAM authentication +#auth-method=builtin + +[meta.sr.ht::auth::unix-pam] +# +# The default email domain to assign to newly created users when they first log +# in. +# User's email will be set to @ +email-default-domain=srht.{{ global.domain_name }} +# +# The PAM service to use for logging in. +#service=sshd +# +# Whether to automatically create new users when authentication succeeds but the +# user is not in the database. +create-users=yes +# +# The UNIX group users need to belong to to have access to sourcehut. +# If set, +# only users belonging to this group will be able to log into the site. +# If unset, any user on the system is able to log in if PAM authentication +# succeeds. +user-group= +# +# The UNIX group users need to belong to to have administrator permissions. +# If set, administrator status on the site will be synced with group +# association. Additionally, any user of this group will also be able to access +# sourcehut even if they are not in the group specified in user-group. +# If unset, administrator status can be manually assigned from the web +# interface. +admin-group={{ group_root }} + +[git.sr.ht] +# +# URL git.sr.ht is being served at (protocol://domain) +origin=http://git.{{ global.domain_name }} +# +# Address and port to bind the debug server to +debug-host=0.0.0.0 +debug-port=5001 +# +# Configures the SQLAlchemy connection string for the database. +connection-string=postgresql://postgres@localhost/git.sr.ht?sslmode=disable +# +# Set to "yes" to automatically run migrations on package upgrade. +migrate-on-upgrade=yes +# +# The redis connection used for the webhooks worker +webhooks=redis://localhost:6379/1?sslmode=disable +# +# A post-update script which is installed in every git repo. +post-update-script=/usr/bin/gitsrht-update-hook +# +# git.sr.ht's OAuth client ID and secret for meta.sr.ht +# Register your client at meta.example.org/oauth +oauth-client-id=CHANGEME +oauth-client-secret=CHANGEME +# +# Path to git repositories on disk +repos=/var/lib/git/ +# +# Configure the S3 bucket and prefix for object storage. Leave empty to disable +# object storage. Bucket is required to enable object storage; prefix is +# optional. +s3-bucket= +s3-prefix= +# +# Required for preparing and sending patchsets from git.sr.ht +outgoing-domain= + +[git.sr.ht::api] +# +# Maximum complexity of GraphQL queries. The higher this number, the more work +# that API clients can burden the API backend with. Complexity is equal to the +# number of discrete fields which would be returned to the user. 200 is a good +# default. +max-complexity=200 + +# +# The maximum time the API backend will spend processing a single API request. +# +# See https://golang.org/pkg/time/#ParseDuration +max-duration=3s + +# +# Set of IP subnets which are permitted to utilize internal API +# authentication. This should be limited to the subnets from which your +# *.sr.ht services are running. +# +# Comma-separated, CIDR notation. +internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8 + +[git.sr.ht::dispatch] +# +# The authorized keys hook uses this to dispatch to various handlers +# The format is a program to exec into as the key, and the user to match as the +# value. When someone tries to log in as this user, this program is executed +# and is expected to omit an AuthorizedKeys file. +# +# Uncomment the relevant lines to enable the various sr.ht dispatchers. +/usr/bin/gitsrht-keys=git:git +#/usr/bin/buildsrht-keys=builds:builds + +[hub.sr.ht] +origin=http://git.{{ global.domain_name }} +oauth-client-id=CHANGEME +oauth-client-secret=CHANGEME +connection-string=postgresql://postgres@localhost/hub.sr.ht?sslmode=disable diff --git a/roles/srht/templates/hub.srht.conf.j2 b/roles/srht/templates/hub.srht.conf.j2 new file mode 100644 index 0000000..41775f4 --- /dev/null +++ b/roles/srht/templates/hub.srht.conf.j2 @@ -0,0 +1,22 @@ +server { + listen 80; + server_name git.{{ global.domain_name }}; + client_max_body_size 100M; + + location / { + proxy_pass http://127.0.0.1:{{ srht_hub_port }}; + } + + location /static { + root /usr/lib/python3.8/site-packages/hubsrht; + } + + location /query { + proxy_pass http://127.0.0.1:{{ srht_hub_port }}; + } + + location = /robots.txt { + root /var/www; + } +} + diff --git a/roles/srht/templates/meta.srht.conf.j2 b/roles/srht/templates/meta.srht.conf.j2 new file mode 100644 index 0000000..f5a3a2c --- /dev/null +++ b/roles/srht/templates/meta.srht.conf.j2 @@ -0,0 +1,22 @@ +server { + listen 81; + server_name meta.git.{{ global.domain_name }}; + client_max_body_size 100M; + + location / { + proxy_pass http://127.0.0.1:{{ srht_meta_port }}; + } + + location /static { + root /usr/lib/python3.8/site-packages/metasrht; + } + + location /query { + proxy_pass http://127.0.0.1:{{ srht_meta_api_port }}; + } + + location = /robots.txt { + root /var/www; + } +} + diff --git a/roles/srht/vars/main.yml b/roles/srht/vars/main.yml new file mode 100644 index 0000000..d65e051 --- /dev/null +++ b/roles/srht/vars/main.yml @@ -0,0 +1,17 @@ + +# srht ~~ roles/srht/vars/main.yml +# srht vars + +--- + +srht_services: + - meta.sr.ht + - git.sr.ht + - hub.sr.ht + +srht_meta_port: 5000 +srht_git_port: 5001 +srht_hub_port: 5014 + +srht_meta_api_port: 5100 +srht_git_api_port: 5101 -- cgit v1.2.3