ansible: Add reposerver setup

Author: lberrymage

ansible/main.yaml

@@ -100,6 +100,43 @@
         enabled: yes
         state: started
 
+- name: Set up reposerver
+  hosts: repos
+  become: yes
+  tasks:
+    - name: Create application user
+      ansible.builtin.user:
+        name: reposerver
+        create_home: false
+        password: '!'
+        shell: /usr/sbin/nologin
+        umask: 0077
+    - name: Install application
+      ansible.builtin.copy:
+        src: ./reposerver
+        dest: /opt/reposerver/
+        mode: 755
+    - name: Allow nginx to read static files
+      community.general.sefcontext:
+        target: '/srv/staging.store.accrescent.app(/.*)?'
+        setype: httpd_sys_content_t
+    - name: Create static file directory
+      ansible.builtin.file:
+        path: /srv/staging.store.accrescent.app
+        state: directory
+        owner: reposerver
+        group: reposerver
+        mode: 0755
+    - name: Install systemd service
+      ansible.builtin.copy:
+        src: ./reposerver.service
+        dest: /usr/lib/systemd/system/reposerver.service
+    - name: Enable and start systemd service
+      ansible.builtin.systemd:
+        name: reposerver
+        enabled: yes
+        state: started
+
 - name: Set up nginx
   hosts: all
   become: yes
@@ -135,3 +172,25 @@
       ansible.builtin.systemd:
         name: nginx
         state: reloaded
+
+- name: Set up nginx for reposerver
+  hosts: repos
+  become: yes
+  tasks:
+    - name: Allow nginx proxying
+      ansible.posix.seboolean:
+        name: httpd_can_network_connect
+        persistent: yes
+        state: yes
+    - name: Install root config
+      ansible.builtin.copy:
+        src: nginx/reposerver.conf
+        dest: /etc/nginx/nginx.conf
+    - name: Install security config
+      ansible.builtin.copy:
+        src: nginx/security.conf
+        dest: /etc/nginx/security.conf
+    - name: Reload nginx
+      ansible.builtin.systemd:
+        name: nginx
+        state: reloaded

ansible/nginx/reposerver.conf

@@ -0,0 +1,95 @@
+worker_processes auto;
+worker_rlimit_nofile 16384;
+
+events {
+    worker_connections 4096;
+}
+
+http {
+    include mime.types;
+    default_type application/octet-stream;
+
+    charset utf-8;
+
+    sendfile on;
+    sendfile_max_chunk 512k;
+    tcp_nopush on;
+    keepalive_timeout 3m;
+    server_tokens off;
+    msie_padding off;
+
+    client_max_body_size 1k;
+    client_body_buffer_size 1k;
+    client_header_buffer_size 1k;
+    large_client_header_buffers 4 4k;
+    http2_recv_buffer_size 128k;
+
+    client_body_timeout 30s;
+    client_header_timeout 30s;
+    send_timeout 30s;
+
+    http2_max_concurrent_streams 32;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
+    ssl_prefer_server_ciphers on;
+    ssl_conf_command Options PrioritizeChaCha;
+
+    ssl_certificate /etc/letsencrypt/live/staging.store.accrescent.app/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/staging.store.accrescent.app/privkey.pem;
+
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 1d;
+    ssl_buffer_size 4k;
+
+    log_format main '$remote_addr - $remote_user [$time_local] '
+                    '"$request_method $scheme://$host$request_uri $server_protocol" $status $body_bytes_sent '
+                    '"$http_referer" "$http_user_agent"';
+    access_log syslog:server=unix:/dev/log,nohostname main;
+    error_log syslog:server=unix:/dev/log,nohostname;
+    log_not_found off;
+
+    gzip_proxied any;
+    gzip_vary on;
+
+    if_modified_since before;
+
+    aio threads;
+    aio_write on;
+
+    upstream backend {
+        server [::1]:8080 max_conns=1024 fail_timeout=1s;
+    }
+
+    server {
+        listen 80;
+        listen [::]:80;
+        server_name staging.store.accrescent.app;
+
+        root /var/empty;
+
+        return 301 https://$host$request_uri;
+    }
+
+    server {
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+        server_name staging.store.accrescent.app;
+
+        include security.conf;
+        gzip_static on;
+
+        location /.well-known/acme-challenge/ {
+            root /srv/certbot;
+        }
+
+        location /api/apps {
+            client_max_body_size 128M;
+            proxy_pass http://backend;
+        }
+
+        location / {
+            root /srv/staging.store.accrescent.app;
+        }
+    }
+}

ansible/reposerver.service

@@ -0,0 +1,36 @@
+[Unit]
+Description=Accrescent repo server
+
+[Service]
+Environment="GIN_MODE=release"
+ExecStart=/opt/reposerver/reposerver
+WorkingDirectory=/srv/staging.store.accrescent.app
+
+CapabilityBoundingSet=
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/srv/staging.store.accrescent.app
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+UMask=0022
+User=reposerver
+
+[Install]
+WantedBy=multi-user.target