diff --git a/ansible/group_vars/all/pve.yml b/ansible/group_vars/all/pve.yml
index ba8d67c..d12bfff 100644
--- a/ansible/group_vars/all/pve.yml
+++ b/ansible/group_vars/all/pve.yml
@@ -21,4 +21,6 @@ pve_hosts:
   renovate:
     ip: 10.23.1.110
   gitea_runner:
-    ip: 20.23.1.114
+    ip: 10.23.1.114
+  aurto:
+    ip: 10.23.1.106
diff --git a/ansible/hosts b/ansible/hosts
index 594edbd..94043d8 100644
--- a/ansible/hosts
+++ b/ansible/hosts
@@ -14,3 +14,4 @@ qbittorrent
 restic
 renovate
 gitea-runner
+aurto
diff --git a/ansible/main.yml b/ansible/main.yml
index 83ce909..9573444 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -135,3 +135,7 @@
     - pihole
     - role: prometheus.prometheus.node_exporter
       become: true
+
+- hosts: aurto
+  roles:
+    - aurto
diff --git a/ansible/roles/aurto/files/nginx.conf b/ansible/roles/aurto/files/nginx.conf
new file mode 100644
index 0000000..8b6101e
--- /dev/null
+++ b/ansible/roles/aurto/files/nginx.conf
@@ -0,0 +1,43 @@
+worker_processes auto;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include mime.types;
+    default_type application/octet-stream;
+
+    sendfile on;
+    tcp_nopush on;
+
+    keepalive_timeout 65;
+
+    server {
+        listen 80;
+
+        root /var/cache/pacman/aurto;
+
+        auth_basic "Restricted";
+        auth_basic_user_file /etc/nginx/.htpasswd;
+
+        # gzip
+        gzip on;
+        gzip_types *;
+
+        # IP detection
+        set_real_ip_from 0.0.0.0/0;
+        real_ip_header X-Forwarded-For;
+
+        # Kick malicious clients sooner
+        client_header_timeout 10s;
+        client_body_timeout 10s;
+        client_max_body_size 128k;
+        reset_timedout_connection on;
+        sendfile_max_chunk 1m;
+        keepalive_timeout 65;
+
+        # Ensure 403s respond with 404
+        error_page 403 /dev/null;
+    }
+}
diff --git a/ansible/roles/aurto/handlers/main.yml b/ansible/roles/aurto/handlers/main.yml
new file mode 100644
index 0000000..460c29a
--- /dev/null
+++ b/ansible/roles/aurto/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: restart nginx
+  service:
+    name: nginx
+    state: restarted
+  become: true
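Review bot: The new `aurto` play attaches only the `aurto` role, while the play ending just above it also applies `prometheus.prometheus.node_exporter` with `become: true`; if every host is meant to export metrics, this one will presumably be missing from scraping unless the exporter is applied elsewhere, in which case add `- role: prometheus.prometheus.node_exporter` / `become: true` under `roles:`. The preceding play's header is outside the hunk, so whether node_exporter is applied per play or by a group play cannot be confirmed from here.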
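Review bot: `set_real_ip_from 0.0.0.0/0;` together with `real_ip_header X-Forwarded-For;` trusts the header from every peer, so any client that reaches port 80 directly can choose the source address nginx logs and applies access rules to. Restrict the directive to the address or range of the proxy that actually fronts this host, e.g. `set_real_ip_from <proxy-address>;`, or drop both lines if there is no proxy, so only that hop can rewrite the client IP. Relatedly, `auth_basic` on a plain `listen 80;` sends the credentials in cleartext unless a TLS-terminating proxy sits in front, which the real_ip lines suggest but the file does not show; if requests can hit this host directly, bind to the proxy-facing address or add `allow`/`deny` for the proxy range. The `error_page 403 /dev/null;` line only yields a 404 because the internal redirect to `/dev/null` finds no such file under `root`; `error_page 403 =404 /nonexistent;` states the intent directly instead of relying on that side effect.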
diff --git a/ansible/roles/aurto/tasks/main.yml b/ansible/roles/aurto/tasks/main.yml
new file mode 100644
index 0000000..3adee0f
--- /dev/null
+++ b/ansible/roles/aurto/tasks/main.yml
@@ -0,0 +1,44 @@
+- name: Install aurto
+  package:
+    name: aurto
+  become: true
+
+- name: Create aurto user
+  user:
+    name: aurto
+    system: true
+  become: true
+
+- name: Ensure aurto repository has the correct owner
+  file:
+    path: /var/cache/pacman/aurto
+    state: directory
+    owner: aurto
+    mode: u=rwX,g=rwX,o=rX
+    recurse: true
+  become: true
+
+- name: Update aurto user
+  copy:
+    content: aurto
+    dest: /usr/lib/aurto/user
+    mode: "0700"
+    owner: aurto
+  become: true
+
+- name: Ensure trusted users have the correct permissions
+  file:
+    dest: /etc/aurto/trusted-users
+    mode: "0640"
+    owner: aurto
+  become: true
+
+- name: Allow aurto to run required commands as root
+  ansible.builtin.replace:
+    path: /etc/sudoers.d/50_aurto_passwordless
+    regexp: ^%wheel (.+)$
+    replace: aurto \1
+  become: true
+
+- name: Configure nginx
+  include_tasks: nginx.yml
diff --git a/ansible/roles/aurto/tasks/nginx.yml b/ansible/roles/aurto/tasks/nginx.yml
new file mode 100644
index 0000000..376d338
--- /dev/null
+++ b/ansible/roles/aurto/tasks/nginx.yml
@@ -0,0 +1,29 @@
+- name: Install nginx
+  package:
+    name: nginx
+  become: true
+
+- name: Enable nginx
+  service:
+    name: nginx
+    enabled: true
+  become: true
+
+- name: Add a user to a password file and ensure permissions are set
+  community.general.htpasswd:
+    path: /etc/nginx/.htpasswd
+    name: aurto
+    password: aurto
+    owner: http
+    group: http
+    mode: 0600
+  become: true
+  notify: restart nginx
+
+- name: Nginx config
+  template:
+    src: files/nginx.conf
+    dest: /etc/nginx/nginx.conf
+    mode: "0600"
+  become: true
+  notify: restart nginx
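Review bot: The `ansible.builtin.replace` task rewrites `/etc/sudoers.d/50_aurto_passwordless` with no syntax check, so a regex or packaging change that leaves the file malformed would break `sudo` for every account on the host rather than fail the play; add `validate: /usr/sbin/visudo -cf %s` to the task (`replace` supports `validate` for exactly this) and consider `backup: true`. The substitution also hands the `aurto` account whatever passwordless commands the packaged file granted to `%wheel`, and that content is not visible in the hunk, so a comment above the task naming the commands it is expected to unlock would let reviewers judge the grant. Separately, the repository directory gets `g=rwX` with `recurse: true` but no `group:` is set, so whichever group the directory already carries keeps write access; set `group: aurto` (or drop the group write bit) so the grant is explicit.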
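Review bot: `password: aurto` hard-codes the basic-auth credential for user `aurto` in plaintext in the repository, and it equals the username, so the `auth_basic` gate in nginx.conf stops nobody who can read this file or guess the obvious pair; move it to a vaulted variable, `password: "{{ aurto_htpasswd_password }}"`, and put `no_log: true` on the task so the value does not land in play output. Note that `community.general.htpasswd` needs the `passlib` library on the managed host; the hunk installs nginx but not that dependency, so the task may fail on a fresh machine unless it is provided elsewhere. Two style points: `src: files/nginx.conf` is handed to `template`, which runs Jinja over a file kept under `files/` (harmless today since the config contains no `{{`, but `copy` matches the directory's intent), and `mode: 0600` is the one unquoted octal in the role while the neighbouring task writes `mode: "0600"`.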