From 58a81dc2ea748cf769d88b7515a39c6587d37ce2 Mon Sep 17 00:00:00 2001 From: binary Date: Fri, 15 Jan 2021 15:48:42 +0100 Subject: Add nginx and sourcehut role --- roles/nginx/tasks/main.yml | 42 +++++ roles/nginx/templates/nginx.conf.j2 | 93 +++++++++++ roles/nginx/vars/main.yml | 9 ++ roles/postgres/tasks/main.yml | 15 ++ roles/srht/meta/main.yml | 11 ++ roles/srht/tasks/main.yml | 92 +++++++++++ roles/srht/templates/config.ini.j2 | 275 +++++++++++++++++++++++++++++++++ roles/srht/templates/hub.srht.conf.j2 | 22 +++ roles/srht/templates/meta.srht.conf.j2 | 22 +++ roles/srht/vars/main.yml | 17 ++ 10 files changed, 598 insertions(+) create mode 100644 roles/nginx/tasks/main.yml create mode 100644 roles/nginx/templates/nginx.conf.j2 create mode 100644 roles/nginx/vars/main.yml create mode 100644 roles/postgres/tasks/main.yml create mode 100644 roles/srht/meta/main.yml create mode 100644 roles/srht/tasks/main.yml create mode 100644 roles/srht/templates/config.ini.j2 create mode 100644 roles/srht/templates/hub.srht.conf.j2 create mode 100644 roles/srht/templates/meta.srht.conf.j2 create mode 100644 roles/srht/vars/main.yml (limited to 'roles') diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml new file mode 100644 index 0000000..dda2c98 --- /dev/null +++ b/roles/nginx/tasks/main.yml @@ -0,0 +1,42 @@ + +# nginx ~~ roles/nginx/tasks/main.yml +# Linux nginx webserver + +--- + +- name: ensure role is run on linux hosts + fail: + msg: nginx role can only be run on linux host + when: ansible_system != "Linux" + +- name: ensure nginx is installed + package: name=nginx state=present + +- name: ensure nginx group exists + group: name="{{ nginx_group }}" state=present + +- name: ensure nginx user exists + user: name="{{ nginx_user }}" group="{{ nginx_group }}" state=present + +- name: generate nginx configuration + template: + src: nginx.conf.j2 + dest: /etc/nginx/nginx.conf + owner: "{{ user_root }}" + group: "{{ group_root }}" + mode: 0644 + +- name: ensure nginx sub-configuration directory exists + file: + path: "{{ nginx_subconf_dir }}" + owner: "{{ user_root }}" + group: "{{ group_root }}" + state: directory + mode: 0744 + +- name: enable and restart nginx + service: + name: nginx + state: restarted + enabled: true + diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 new file mode 100644 index 0000000..8800794 --- /dev/null +++ b/roles/nginx/templates/nginx.conf.j2 @@ -0,0 +1,93 @@ + +# nginx ~~ /etc/nginx/nginx.conf +# managed by Ansible + +user {{ nginx_user }}; + +# Set number of worker processes automatically based on number of CPU cores. +worker_processes auto; + +# Enables the use of JIT for regular expressions to speed-up their processing. +pcre_jit on; + +# Configures default error logger. +error_log /var/log/nginx/error.log warn; + +# Includes files with directives to load dynamic modules. +include /etc/nginx/modules/*.conf; + + +events { + # The maximum number of simultaneous connections that can be opened by + # a worker process. + worker_connections 1024; +} + +http { + # Includes mapping of file name extensions to MIME types of responses + # and defines the default type. + include /etc/nginx/mime.types; + default_type application/octet-stream; + + # Name servers used to resolve names of upstream servers into addresses. + # It's also needed when using tcpsocket and udpsocket in Lua modules. + #resolver 208.67.222.222 208.67.220.220; + + # Don't tell nginx version to clients. + server_tokens off; + + # Specifies the maximum accepted body size of a client request, as + # indicated by the request header Content-Length. If the stated content + # length is greater than this size, then the client receives the HTTP + # error code 413. Set to 0 to disable. + client_max_body_size 1m; + + # Timeout for keep-alive connections. Server will close connections after + # this time. + keepalive_timeout 65; + + # Sendfile copies data between one FD and other from within the kernel, + # which is more efficient than read() + write(). + sendfile on; + + # Don't buffer data-sends (disable Nagle algorithm). + # Good for sending frequent small bursts of data in real time. + tcp_nodelay on; + + # Causes nginx to attempt to send its HTTP response head in one packet, + # instead of using partial frames. + #tcp_nopush on; + + + # Path of the file with Diffie-Hellman parameters for EDH ciphers. + #ssl_dhparam /etc/ssl/nginx/dh2048.pem; + + # Specifies that our cipher suits should be preferred over client ciphers. + ssl_prefer_server_ciphers on; + + # Enables a shared SSL cache with size that can hold around 8000 sessions. + ssl_session_cache shared:SSL:2m; + + + # Enable gzipping of responses. + #gzip on; + + # Set the Vary HTTP header as defined in the RFC 2616. + gzip_vary on; + + # Enable checking the existence of precompressed files. + #gzip_static on; + + + # Specifies the main log format. + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + # Sets the path, format, and configuration for a buffered log write. + access_log /var/log/nginx/access.log main; + + + # Includes virtual hosts configs. + include {{ nginx_subconf_dir }}/*.conf; +} diff --git a/roles/nginx/vars/main.yml b/roles/nginx/vars/main.yml new file mode 100644 index 0000000..18ecb71 --- /dev/null +++ b/roles/nginx/vars/main.yml @@ -0,0 +1,9 @@ + +# nginx ~~ roles/nginx/vars/main.yml +# Nginx variables + +--- + +nginx_group: nginx +nginx_user: nginx +nginx_subconf_dir: /etc/nginx/conf.d diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml new file mode 100644 index 0000000..e032ff5 --- /dev/null +++ b/roles/postgres/tasks/main.yml @@ -0,0 +1,15 @@ + +# postgres ~~ roles/postgres/tasks/main.yml +# postgresql database server + +--- + +- name: ensure postgres is installed + package: name=postgresql state=present + ignore_errors: true + +- name: enable and restart postgres service + service: + name: postgresql + state: restarted + enabled: true diff --git a/roles/srht/meta/main.yml b/roles/srht/meta/main.yml new file mode 100644 index 0000000..487e8aa --- /dev/null +++ b/roles/srht/meta/main.yml @@ -0,0 +1,11 @@ + +# httpd ~~ roles/httpd/meta/main.yml +# Meta for httpd + +--- + +dependencies: + - { role: postgres, tags: "dependency" } + - { role: redis, tags: "dependency" } + - { role: nginx, tags: "dependency" } + - { role: git, tags: "dependency" } diff --git a/roles/srht/tasks/main.yml b/roles/srht/tasks/main.yml new file mode 100644 index 0000000..076557f --- /dev/null +++ b/roles/srht/tasks/main.yml @@ -0,0 +1,92 @@ + +# srht ~~ roles/srht/tasks/main.yml +# Srht git server + +--- + +- name: ensure srht repository is enabled + lineinfile: + path: /etc/apk/repositories + regexp: "^https://mirror.sr.ht" + line: "https://mirror.sr.ht/alpine/v3.12/sr.ht" + +- name: ensure signing key for sourcehut repository is installed + shell: | + wget -q -O /etc/apk/keys/alpine@sr.ht.rsa.pub https://mirror.sr.ht/alpine/alpine@sr.ht.rsa.pub + apk update + +- name: ensure sourcehut is installed + package: name="{{ item }}" state=present + loop: "{{ srht_services }}" + +- name: generate srht service key + shell: srht-keygen service | rev | cut -d " " -f 1 | rev + register: srht_key_service + +- name: generate srht network key + shell: srht-keygen network | rev | cut -d " " -f 1 | rev + register: srht_key_network + +- name: generate srht webhook key + shell: srht-keygen webhook | rev | cut -d " " -f 1 | rev + register: srht_key_webhook + +- name: generate srht nginx configuration + template: + src: "{{ item }}.srht.conf.j2" + dest: "/etc/nginx/conf.d/{{ item }}.srht.conf" + owner: "{{ user_root }}" + group: "{{ group_root }}" + mode: 0644 + loop: + - "meta" + - "hub" + +- name: generate srht example configuration + template: + src: config.ini.j2 + dest: /etc/sr.ht/config.example.ini + owner: "{{ user_root }}" + group: "{{ group_root }}" + mode: 0644 + +- name: debug hint for example configuration + debug: + msg: + - srht configuration example at /etc/sr.ht/config.example.ini + - copy and modify it to /etc/sr.ht/config.ini + +- name: create database for srht services + shell: psql -c 'create database "{{ item }}.sr.ht"' + register: result + failed_when: result.rc != 0 and "already exists" not in result.stderr + ignore_errors: true + loop: + - "meta" + - "git" + - "hub" + become: true + become_user: postgres + +- name: init database for srht services + shell: "{{ item }}srht-initdb" + loop: + - "meta" + - "git" + - "hub" + +- name: enable and restart srht services + service: + name: "{{ item }}" + state: restarted + enabled: true + loop: "{{ srht_services }}" + +- name: enable and restart srht api services + service: + name: "{{ item }}" + state: restarted + enabled: true + loop: + - "meta.sr.ht-api" + - "git.sr.ht-api" diff --git a/roles/srht/templates/config.ini.j2 b/roles/srht/templates/config.ini.j2 new file mode 100644 index 0000000..e3bca6a --- /dev/null +++ b/roles/srht/templates/config.ini.j2 @@ -0,0 +1,275 @@ + +# srht ~~ /etc/sr.ht/config.ini +# managed by Ansible + +[sr.ht] +# +# The name of your network of sr.ht-based sites +site-name=hacker's hut +# +# The top-level info page for your site +site-info=http://{{ global.domain_name }} +# +# +site-blurb=hack the planet! +# +# If this != production, we add a banner to each page +environment=development +# +# Contact information for the site owners +owner-name={{ global.domain_name }} +owner-email=support@{{ global.domain_name }} +# +# The source code for your fork of sr.ht +source-url=https://git.sr.ht/~sircmpwn/srht +# +# Link to your instance's privacy policy. Uses the sr.ht privacy policy as the +# default, which describes the information collected by the upstream SourceHut +# code. +privacy-policy= +# +# A key used for encrypting session cookies. Use `srht-keygen service` to +# generate the service key. This must be shared between each node of the same +# service (e.g. git1.sr.ht and git2.sr.ht), but different services may use +# different keys. If you configure all of your services with the same +# config.ini, you may use the same service-key for all of them. +service-key={{ srht_key_service.stdout_lines[0] }} +# +# A secret key to encrypt internal messages with. Use `srht-keygen network` to +# generate this key. It must be consistent between all services and nodes. +network-key={{ srht_key_network.stdout_lines[0] }} +# +# The redis host URL. This is used for caching and temporary storage, and must +# be shared between nodes (e.g. git1.sr.ht and git2.sr.ht), but need not be +# shared between services. It may be shared between services, however, with no +# ill effect, if this better suits your infrastructure. +redis-host=redis://localhost + +[objects] +# +# Configure S3-compatible object storage for services. Optional. +# +# Minio is recommended as a FOSS solution over AWS: https://min.io +s3-upstream= +s3-access-key= +s3-secret-key= + +[mail] +# +# Outgoing SMTP settings +smtp-host= +smtp-port= +smtp-user= +smtp-password= +smtp-from= +# +# Application exceptions are emailed to this address +error-to= +error-from= +# +# You should generate a PGP key to allow users to authenticate emails received +# from your services. Use `gpg --edit-key [key id]` to remove the password from +# your private key, then export it to a file and set pgp-privkey to the path to +# that file. pgp-pubkey should be set to the path to your public key, and +# pgp-key-id should be set to the key ID string. Outgoing emails are signed with +# this PGP key. +pgp-privkey= +pgp-pubkey= +pgp-key-id= + +[webhooks] +# +# base64-encoded Ed25519 key for signing webhook payloads. This should be +# consistent between all services. +# +# Use the `srht-keygen webhook` command to generate this key. Put the private +# key here and distribute the public key to anyone who would want to verify +# webhook payloads from your service. +private-key={{ srht_key_webhook.stdout_lines[0] }} +#public-key={{ srht_key_webhook.stdout_lines[1] }} + +[meta.sr.ht] +# +# URL meta.sr.ht is being served at (protocol://domain) +origin=http://meta.git.{{ global.domain_name }} +# +# Address and port to bind the debug server to +debug-host=0.0.0.0 +debug-port=5000 +# +# Configures the SQLAlchemy connection string for the database. +connection-string=postgresql://postgres@localhost/meta.sr.ht?sslmode=disable +# +# Set to "yes" to automatically run migrations on package upgrade. +migrate-on-upgrade=yes +# +# The redis connection used for the webhooks worker +webhooks=redis://localhost:6379/1?sslmode=disable +# +# If "yes", the user will be sent the stock sourcehut welcome emails after +# signup (requires cron to be configured properly). These are specific to the +# sr.ht instance so you probably want to patch these before enabling this. +welcome-emails=no + +[meta.sr.ht::api] +# +# Maximum complexity of GraphQL queries. The higher this number, the more work +# that API clients can burden the API backend with. Complexity is equal to the +# number of discrete fields which would be returned to the user. 200 is a good +# default. +max-complexity=200 + +# +# The maximum time the API backend will spend processing a single API request. +# +# See https://golang.org/pkg/time/#ParseDuration +max-duration=3s + +# +# Set of IP subnets which are permitted to utilize internal API +# authentication. This should be limited to the subnets from which your +# *.sr.ht services are running. +# +# Comma-separated, CIDR notation. +internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8 + +[meta.sr.ht::settings] +# +# If "no", public registration will not be permitted. +registration=no +# +# Where to redirect new users upon registration +onboarding-redirect=http://example.org +# +# How many invites each user is issued upon registration (only applicable if +# open registration is disabled) +user-invites=5 + +[meta.sr.ht::aliases] +# +# You can add aliases for the client IDs of commonly used OAuth clients here. +# +# Example: +# git.sr.ht=12345 + +[meta.sr.ht::billing] +# +# "yes" to enable the billing system +enabled=no +# +# Get your keys at https://dashboard.stripe.com/account/apikeys +stripe-public-key= +stripe-secret-key= + +[meta.sr.ht::auth] +# +# What authentication method to use. +# builtin: use sr.ht builtin authentication +# unix-pam: use Unix PAM authentication +#auth-method=builtin + +[meta.sr.ht::auth::unix-pam] +# +# The default email domain to assign to newly created users when they first log +# in. +# User's email will be set to @ +email-default-domain=srht.{{ global.domain_name }} +# +# The PAM service to use for logging in. +#service=sshd +# +# Whether to automatically create new users when authentication succeeds but the +# user is not in the database. +create-users=yes +# +# The UNIX group users need to belong to to have access to sourcehut. +# If set, +# only users belonging to this group will be able to log into the site. +# If unset, any user on the system is able to log in if PAM authentication +# succeeds. +user-group= +# +# The UNIX group users need to belong to to have administrator permissions. +# If set, administrator status on the site will be synced with group +# association. Additionally, any user of this group will also be able to access +# sourcehut even if they are not in the group specified in user-group. +# If unset, administrator status can be manually assigned from the web +# interface. +admin-group={{ group_root }} + +[git.sr.ht] +# +# URL git.sr.ht is being served at (protocol://domain) +origin=http://git.{{ global.domain_name }} +# +# Address and port to bind the debug server to +debug-host=0.0.0.0 +debug-port=5001 +# +# Configures the SQLAlchemy connection string for the database. +connection-string=postgresql://postgres@localhost/git.sr.ht?sslmode=disable +# +# Set to "yes" to automatically run migrations on package upgrade. +migrate-on-upgrade=yes +# +# The redis connection used for the webhooks worker +webhooks=redis://localhost:6379/1?sslmode=disable +# +# A post-update script which is installed in every git repo. +post-update-script=/usr/bin/gitsrht-update-hook +# +# git.sr.ht's OAuth client ID and secret for meta.sr.ht +# Register your client at meta.example.org/oauth +oauth-client-id=CHANGEME +oauth-client-secret=CHANGEME +# +# Path to git repositories on disk +repos=/var/lib/git/ +# +# Configure the S3 bucket and prefix for object storage. Leave empty to disable +# object storage. Bucket is required to enable object storage; prefix is +# optional. +s3-bucket= +s3-prefix= +# +# Required for preparing and sending patchsets from git.sr.ht +outgoing-domain= + +[git.sr.ht::api] +# +# Maximum complexity of GraphQL queries. The higher this number, the more work +# that API clients can burden the API backend with. Complexity is equal to the +# number of discrete fields which would be returned to the user. 200 is a good +# default. +max-complexity=200 + +# +# The maximum time the API backend will spend processing a single API request. +# +# See https://golang.org/pkg/time/#ParseDuration +max-duration=3s + +# +# Set of IP subnets which are permitted to utilize internal API +# authentication. This should be limited to the subnets from which your +# *.sr.ht services are running. +# +# Comma-separated, CIDR notation. +internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8 + +[git.sr.ht::dispatch] +# +# The authorized keys hook uses this to dispatch to various handlers +# The format is a program to exec into as the key, and the user to match as the +# value. When someone tries to log in as this user, this program is executed +# and is expected to omit an AuthorizedKeys file. +# +# Uncomment the relevant lines to enable the various sr.ht dispatchers. +/usr/bin/gitsrht-keys=git:git +#/usr/bin/buildsrht-keys=builds:builds + +[hub.sr.ht] +origin=http://git.{{ global.domain_name }} +oauth-client-id=CHANGEME +oauth-client-secret=CHANGEME +connection-string=postgresql://postgres@localhost/hub.sr.ht?sslmode=disable diff --git a/roles/srht/templates/hub.srht.conf.j2 b/roles/srht/templates/hub.srht.conf.j2 new file mode 100644 index 0000000..41775f4 --- /dev/null +++ b/roles/srht/templates/hub.srht.conf.j2 @@ -0,0 +1,22 @@ +server { + listen 80; + server_name git.{{ global.domain_name }}; + client_max_body_size 100M; + + location / { + proxy_pass http://127.0.0.1:{{ srht_hub_port }}; + } + + location /static { + root /usr/lib/python3.8/site-packages/hubsrht; + } + + location /query { + proxy_pass http://127.0.0.1:{{ srht_hub_port }}; + } + + location = /robots.txt { + root /var/www; + } +} + diff --git a/roles/srht/templates/meta.srht.conf.j2 b/roles/srht/templates/meta.srht.conf.j2 new file mode 100644 index 0000000..f5a3a2c --- /dev/null +++ b/roles/srht/templates/meta.srht.conf.j2 @@ -0,0 +1,22 @@ +server { + listen 81; + server_name meta.git.{{ global.domain_name }}; + client_max_body_size 100M; + + location / { + proxy_pass http://127.0.0.1:{{ srht_meta_port }}; + } + + location /static { + root /usr/lib/python3.8/site-packages/metasrht; + } + + location /query { + proxy_pass http://127.0.0.1:{{ srht_meta_api_port }}; + } + + location = /robots.txt { + root /var/www; + } +} + diff --git a/roles/srht/vars/main.yml b/roles/srht/vars/main.yml new file mode 100644 index 0000000..d65e051 --- /dev/null +++ b/roles/srht/vars/main.yml @@ -0,0 +1,17 @@ + +# srht ~~ roles/srht/vars/main.yml +# srht vars + +--- + +srht_services: + - meta.sr.ht + - git.sr.ht + - hub.sr.ht + +srht_meta_port: 5000 +srht_git_port: 5001 +srht_hub_port: 5014 + +srht_meta_api_port: 5100 +srht_git_api_port: 5101 -- cgit v1.2.3