Add aurto server for AUR caching

ansible/group_vars/all/pve.yml

@@ -21,4 +21,6 @@ pve_hosts:
   renovate:
     ip: 10.23.1.110
   gitea_runner:
-    ip: 20.23.1.114
+    ip: 10.23.1.114
+  aurto:
+    ip: 10.23.1.106

ansible/hosts

@@ -14,3 +14,4 @@ qbittorrent
 restic
 renovate
 gitea-runner
+aurto

ansible/main.yml

@@ -135,3 +135,7 @@
     - pihole
     - role: prometheus.prometheus.node_exporter
       become: true
+
+- hosts: aurto
+  roles:
+    - aurto

ansible/roles/aurto/files/nginx.conf

@@ -0,0 +1,43 @@
+worker_processes  auto;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       mime.types;
+    default_type  application/octet-stream;
+
+    sendfile        on;
+    tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    server {
+        listen 80;
+
+        root /var/cache/pacman/aurto;
+
+        auth_basic "Restricted";
+        auth_basic_user_file /etc/nginx/.htpasswd;
+
+        # gzip
+        gzip on;
+        gzip_types *;
+
+        # IP detection
+        set_real_ip_from  0.0.0.0/0;
+        real_ip_header X-Forwarded-For;
+
+        # Kick malicious clients sooner
+        client_header_timeout 10s;
+        client_body_timeout 10s;
+        client_max_body_size 128k;
+        reset_timedout_connection on;
+        sendfile_max_chunk 1m;
+        keepalive_timeout 65;
+
+        # Ensure 403s respond with 404
+        error_page 403 /dev/null;
+    }
+}

ansible/roles/aurto/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: restart nginx
+  service:
+    name: nginx
+    state: restarted
+  become: true

ansible/roles/aurto/tasks/main.yml

@@ -0,0 +1,44 @@
+- name: Install aurto
+  package:
+    name: aurto
+  become: true
+
+- name: Create aurto user
+  user:
+    name: aurto
+    system: true
+  become: true
+
+- name: Ensure aurto repository has the correct owner
+  file:
+    path: /var/cache/pacman/aurto
+    state: directory
+    owner: aurto
+    mode: u=rwX,g=rwX,o=rX
+    recurse: true
+  become: true
+
+- name: Update aurto user
+  copy:
+    content: aurto
+    dest: /usr/lib/aurto/user
+    mode: "0700"
+    owner: aurto
+  become: true
+
+- name: Ensure trusted users have the correct permissions
+  file:
+    dest: /etc/aurto/trusted-users
+    mode: "0640"
+    owner: aurto
+  become: true
+
+- name: Allow aurto to run required commands as root
+  ansible.builtin.replace:
+    path: /etc/sudoers.d/50_aurto_passwordless
+    regexp: ^%wheel (.+)$
+    replace: aurto \1
+  become: true
+
+- name: Configure nginx
+  include_tasks: nginx.yml

ansible/roles/aurto/tasks/nginx.yml

@@ -0,0 +1,29 @@
+- name: Install nginx
+  package:
+    name: nginx
+  become: true
+
+- name: Enable nginx
+  service:
+    name: nginx
+    enabled: true
+  become: true
+
+- name: Add a user to a password file and ensure permissions are set
+  community.general.htpasswd:
+    path: /etc/nginx/.htpasswd
+    name: aurto
+    password: aurto
+    owner: http
+    group: http
+    mode: 0600
+  become: true
+  notify: restart nginx
+
+- name: Nginx config
+  template:
+    src: files/nginx.conf
+    dest: /etc/nginx/nginx.conf
+    mode: "0600"
+  become: true
+  notify: restart nginx