ansible: Add reposerver setup

lberrymage · lberrymage · commit fdcafce3cc74 · 2022-12-06T14:18:39.000-07:00
diff --git a/ansible/main.yaml b/ansible/main.yaml
@@ -100,6 +100,43 @@
         enabled: yes
         state: started
 
+- name: Set up reposerver
+  hosts: repos
+  become: yes
+  tasks:
+    - name: Create application user
+      ansible.builtin.user:
+        name: reposerver
+        create_home: false
+        password: '!'
+        shell: /usr/sbin/nologin
+        umask: 0077
+    - name: Install application
+      ansible.builtin.copy:
+        src: ./reposerver
+        dest: /opt/reposerver/
+        mode: 755
+    - name: Allow nginx to read static files
+      community.general.sefcontext:
+        target: '/srv/staging.store.accrescent.app(/.*)?'
+        setype: httpd_sys_content_t
+    - name: Create static file directory
+      ansible.builtin.file:
+        path: /srv/staging.store.accrescent.app
+        state: directory
+        owner: reposerver
+        group: reposerver
+        mode: 0755
+    - name: Install systemd service
+      ansible.builtin.copy:
+        src: ./reposerver.service
+        dest: /usr/lib/systemd/system/reposerver.service
+    - name: Enable and start systemd service
+      ansible.builtin.systemd:
+        name: reposerver
+        enabled: yes
+        state: started
+
 - name: Set up nginx
   hosts: all
   become: yes
@@ -135,3 +172,25 @@
       ansible.builtin.systemd:
         name: nginx
         state: reloaded
+
+- name: Set up nginx for reposerver
+  hosts: repos
+  become: yes
+  tasks:
+    - name: Allow nginx proxying
+      ansible.posix.seboolean:
+        name: httpd_can_network_connect
+        persistent: yes
+        state: yes
+    - name: Install root config
+      ansible.builtin.copy:
+        src: nginx/reposerver.conf
+        dest: /etc/nginx/nginx.conf
+    - name: Install security config
+      ansible.builtin.copy:
+        src: nginx/security.conf
+        dest: /etc/nginx/security.conf
+    - name: Reload nginx
+      ansible.builtin.systemd:
+        name: nginx
+        state: reloaded
diff --git a/ansible/reposerver.service b/ansible/reposerver.service
@@ -0,0 +1,36 @@
+[Unit]
+Description=Accrescent repo server
+
+[Service]
+Environment="GIN_MODE=release"
+ExecStart=/opt/reposerver/reposerver
+WorkingDirectory=/srv/staging.store.accrescent.app
+
+CapabilityBoundingSet=
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/srv/staging.store.accrescent.app
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+UMask=0022
+User=reposerver
+
+[Install]
+WantedBy=multi-user.target
