From b30182060f3e4e36cdecfd2ded0626826bba4d8e Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Mon, 29 May 2023 13:14:53 -0400
Subject: [PATCH] Set up nginx for poudriere.
---
 ansible/playbook.yaml | 1 +
 ansible/roles/poudriere/files/poudriere.conf | 2 +-
 .../poudrierenginx/files/headers.include | 12 +++++
 .../roles/poudrierenginx/files/newsyslog.conf | 2 +
 ansible/roles/poudrierenginx/files/nginx.conf | 34 ++++++++++++
 ansible/roles/poudrierenginx/files/rc.conf | 1 +
 .../roles/poudrierenginx/tasks/common.yaml | 15 ++++++
 .../roles/poudrierenginx/tasks/freebsd.yaml | 53 +++++++++++++++++++
 ansible/roles/poudrierenginx/tasks/linux.yaml | 29 ++++++++++
 ansible/roles/poudrierenginx/tasks/main.yaml | 2 +
 .../roles/poudrierenginx/tasks/peruser.yaml | 29 ++++++++++
 .../poudrierenginx/tasks/peruser_freebsd.yaml | 0
 .../poudrierenginx/tasks/peruser_linux.yaml | 0
 13 files changed, 179 insertions(+), 1 deletion(-)
 create mode 100644 ansible/roles/poudrierenginx/files/headers.include
 create mode 100644 ansible/roles/poudrierenginx/files/newsyslog.conf
 create mode 100644 ansible/roles/poudrierenginx/files/nginx.conf
 create mode 100644 ansible/roles/poudrierenginx/files/rc.conf
 create mode 100644 ansible/roles/poudrierenginx/tasks/common.yaml
 create mode 100644 ansible/roles/poudrierenginx/tasks/freebsd.yaml
 create mode 100644 ansible/roles/poudrierenginx/tasks/linux.yaml
 create mode 100644 ansible/roles/poudrierenginx/tasks/main.yaml
 create mode 100644 ansible/roles/poudrierenginx/tasks/peruser.yaml
 create mode 100644 ansible/roles/poudrierenginx/tasks/peruser_freebsd.yaml
 create mode 100644 ansible/roles/poudrierenginx/tasks/peruser_linux.yaml
diff --git a/ansible/playbook.yaml b/ansible/playbook.yaml
index 02756c0..74c3694 100644
--- a/ansible/playbook.yaml
+++ b/ansible/playbook.yaml
@@ -63,6 +63,7 @@
 - fstab
 - portshaker
 - poudriere
+ - poudrierenginx
 - hosts: mrmanager
 vars: 
diff --git a/ansible/roles/poudriere/files/poudriere.conf b/ansible/roles/poudriere/files/poudriere.conf
index 885ac70..9d3f4bb 100644
--- a/ansible/roles/poudriere/files/poudriere.conf
+++ b/ansible/roles/poudriere/files/poudriere.conf
@@ -74,7 +74,7 @@ USE_TMPFS=all
 # How much memory to limit tmpfs size to for *each builder* in GiB
 # (default: none)
 #TMPFS_LIMIT=8
-TMPFS_LIMIT=16
+TMPFS_LIMIT=32
 # How much memory to limit jail processes to for *each builder*
 # in GiB (default: none)
diff --git a/ansible/roles/poudrierenginx/files/headers.include b/ansible/roles/poudrierenginx/files/headers.include
new file mode 100644
index 0000000..ffb49b9
--- /dev/null
+++ b/ansible/roles/poudrierenginx/files/headers.include
@@ -0,0 +1,12 @@
+# Enable HTTP Strict Transport Security (HSTS) to force clients to
+# always connect via HTTPS (do not use if only testing)
+add_header Strict-Transport-Security "max-age=31536000;" always;
+# Enable cross-site filter (XSS) and tell browser to block detected
+# attacks
+add_header X-XSS-Protection "1; mode=block" always;
+# Prevent some browsers from MIME-sniffing a response away from the
+# declared Content-Type
+add_header X-Content-Type-Options "nosniff" always;
+# Disallow the site to be rendered within a frame (clickjacking
+# protection)
+add_header X-Frame-Options "DENY" always;
diff --git a/ansible/roles/poudrierenginx/files/newsyslog.conf b/ansible/roles/poudrierenginx/files/newsyslog.conf
new file mode 100644
index 0000000..78a612b
--- /dev/null
+++ b/ansible/roles/poudrierenginx/files/newsyslog.conf
@@ -0,0 +1,2 @@
+# logfilename [owner:group] mode count size when flags [/pid_file] [sig_num]
+/var/log/nginx/*.log 640 5 1000 @T00 GYC /var/run/nginx.pid SIGUSR1
diff --git a/ansible/roles/poudrierenginx/files/nginx.conf b/ansible/roles/poudrierenginx/files/nginx.conf
new file mode 100644
index 0000000..68d7568
--- /dev/null
+++ b/ansible/roles/poudrierenginx/files/nginx.conf
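Review bot: The TMPFS_LIMIT bump from 16 to 32 is unrelated to the commit subject and is not explained anywhere, so its motivation is lost for the next reader. The surrounding comment says the limit applies to *each builder*, so the worst-case tmpfs footprint is this value multiplied by the number of builders, which is not visible in this hunk. A one-line comment above the setting would record the reasoning, e.g. `# 32 GiB per builder; keep PARALLEL_JOBS * TMPFS_LIMIT below physical RAM`.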
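Review bot: The Strict-Transport-Security header on the third added line is inert as configured: the only listeners in nginx.conf are plain HTTP on 8080 and browsers disregard HSTS received over a non-TLS connection, which the file's own comment already warns about. If a TLS-terminating proxy fronts this host, the header belongs on that proxy; if not, drop the line until TLS is in place rather than shipping a header that does nothing. `X-XSS-Protection` is obsolete — current browsers have removed the auditor and the header can itself cause problems — so the value recommended today is `add_header X-XSS-Protection "0" always;` or omitting it in favour of a Content-Security-Policy. Note also that `add_header` directives in the `http` block are inherited only by `server`/`location` blocks that declare no `add_header` of their own, so a future per-location header will silently drop all of these.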
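Review bot: This rotation entry is shipped but never installed: the only task that would copy it, at the bottom of freebsd.yaml, is commented out, so `/var/log/nginx/*.log` will not be rotated by this role. Either uncomment that task (quoting its mode as `mode: "0600"`) or leave the file out until it is used. I would also check the `Y` in the `GYC` flags field against newsyslog.conf(5); I do not recognise it as a documented flag, and an unknown flag may cause newsyslog to reject the whole line.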
@@ -0,0 +1,34 @@
+worker_processes auto;
+user www www;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ gzip on;
+
+ include conf.d/headers.include;
+
+ server {
+ listen 8080 default;
+ listen [::]:8080;
+ server_name freebsdpkg.fizz.buzz;
+
+ location / {
+ root /usr/local/share/poudriere/html;
+ index index.html index.htm;
+ }
+
+ location /data {
+ alias /usr/local/poudriere/data/logs/bulk;
+ autoindex on;
+ }
+ }
+}
diff --git a/ansible/roles/poudrierenginx/files/rc.conf b/ansible/roles/poudrierenginx/files/rc.conf
new file mode 100644
index 0000000..c104d8b
--- /dev/null
+++ b/ansible/roles/poudrierenginx/files/rc.conf
@@ -0,0 +1 @@
+nginx_enable="YES"
diff --git a/ansible/roles/poudrierenginx/tasks/common.yaml b/ansible/roles/poudrierenginx/tasks/common.yaml
new file mode 100644
index 0000000..fef1101
--- /dev/null
+++ b/ansible/roles/poudrierenginx/tasks/common.yaml
@@ -0,0 +1,15 @@
+- import_tasks: tasks/freebsd.yaml
+ when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+ when: 'os_flavor == "linux"'
+
+- include_tasks:
+ file: tasks/peruser.yaml
+ apply:
+ become: yes
+ become_user: "{{ initialize_user }}"
+ when: users is defined
+ loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+ loop_control:
+ loop_var: initialize_user
diff --git a/ansible/roles/poudrierenginx/tasks/freebsd.yaml b/ansible/roles/poudrierenginx/tasks/freebsd.yaml
new file mode 100644
index 0000000..3be9ee3
--- /dev/null
+++ b/ansible/roles/poudrierenginx/tasks/freebsd.yaml
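Review bot: `location /data` combined with `alias /usr/local/poudriere/data/logs/bulk` is the well-known nginx off-by-slash alias misconfiguration: because neither the prefix nor the target ends in `/`, nginx strips `/data` and appends the rest of any URI that merely starts with `/data` to the alias string, so content beside `bulk` under `/usr/local/poudriere/data/logs/` becomes reachable through this listing. Give both a trailing slash: `location /data/ {` and `alias /usr/local/poudriere/data/logs/bulk/;`. Separately, `listen 8080 default;` is the pre-0.8.21 spelling of `default_server`, and since this host is public with `autoindex on`, adding `server_tokens off;` to the `http` block keeps the nginx version out of error pages and headers.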
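Review bot: In the `include_tasks` block, `when: users is defined` does not protect the `loop` expression: Ansible renders `loop` first and evaluates `when` per item, so on a host without `users` the `dict2items` on an undefined variable fails the play instead of skipping the task. Defaulting inside the loop fixes it: `loop: "{{ (users | default({})) | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"`. `become: yes` should be `become: true` (YAML 1.2 parsers and ansible-lint's truthy rule), and `json_query` requires the `jmespath` Python package on the controller, which nothing in the role declares.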
@@ -0,0 +1,53 @@
+- name: Create www group
+ group:
+ name: www
+
+- name: Create www user
+ user:
+ name: www
+ home: /srv/http
+ createhome: false
+ group: www
+
+- name: Install packages
+ package:
+ name:
+ - nginx
+ state: present
+
+- name: Create root directories
+ file:
+ name: "{{ item }}"
+ state: directory
+ mode: 0755
+ owner: root
+ group: wheel
+ loop:
+ - /srv
+ - /usr/local/etc/nginx/conf.d
+
+# validate fails because nginx config relies on a local mime.types
+- name: Install Configuration
+ copy:
+ src: "files/{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: 0644
+ owner: root
+ group: wheel
+ loop:
+ - src: rc.conf
+ dest: /etc/rc.conf.d/nginx
+ - src: nginx.conf
+ dest: /usr/local/etc/nginx/nginx.conf
+ - src: headers.include
+ dest: /usr/local/etc/nginx/conf.d/headers.include
+# - name: Install newsyslog configuration
+# copy:
+# src: "files/{{ item.src }}"
+# dest: "{{ item.dest }}"
+# mode: 0600
+# owner: root
+# group: wheel
+# loop:
+# - src: newsyslog.conf
+# dest: /usr/local/etc/newsyslog.conf.d/nginx.conf
diff --git a/ansible/roles/poudrierenginx/tasks/linux.yaml b/ansible/roles/poudrierenginx/tasks/linux.yaml
new file mode 100644
index 0000000..43ba876
--- /dev/null
+++ b/ansible/roles/poudrierenginx/tasks/linux.yaml
@@ -0,0 +1,29 @@
+# - name: Build aur packages
+# register: buildaur
+# become_user: "{{ build_user.name }}"
+# command: "aurutils-sync --no-view {{ item }}"
+# args:
+# creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
+# loop:
+# - foo
+
+# - name: Update cache
+# when: buildaur.changed
+# pacman:
+# name: []
+# state: present
+# update_cache: true
+
+# - name: Install packages
+# package:
+# name:
+# - foo
+# state: present
+
+# - name: Enable services
+# systemd:
+# enabled: yes
+# name: "{{ item }}"
+# daemon_reload: yes
+# loop:
+# - foo.service
diff --git a/ansible/roles/poudrierenginx/tasks/main.yaml b/ansible/roles/poudrierenginx/tasks/main.yaml
new file mode 100644
index 0000000..6805b9d
--- /dev/null
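Review bot: Nothing in this task file starts or reloads nginx: `/etc/rc.conf.d/nginx` only enables it for the next boot, there is no `service` task, and the `Install Configuration` copy has no `notify`, so a freshly provisioned host serves nothing until it reboots and later changes to nginx.conf or headers.include never take effect. Add a reload handler and a service task after the copy; the comment about `validate` failing is a reason to run `nginx -t` in the handler before reloading rather than to skip validation entirely. Quoting the file modes (`mode: "0755"`, `mode: "0644"`) also keeps them stable across YAML 1.1/1.2 parsers.
```yaml
- name: Install Configuration
  copy:
    # … unchanged: src/dest/mode/owner/group/loop …
  notify: Reload nginx

- name: Enable and start nginx
  service:
    name: nginx
    state: started
    enabled: true

# handlers/main.yaml (not part of this diff)
- name: Check nginx config
  command: nginx -t
  changed_when: false
  listen: Reload nginx

- name: Reload nginx service
  service:
    name: nginx
    state: reloaded
  listen: Reload nginx
```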
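Review bot: linux.yaml is entirely commented-out template text with placeholder values (`foo`, `foo.service`), as is most of peruser.yaml, and peruser_freebsd.yaml and peruser_linux.yaml are empty; as committed, a host with `os_flavor == "linux"` gets the role applied with no effect and no error, and the per-user include in common.yaml runs `include_role: per_user` for every initialised user only to import two empty files. Either fill these in with the real nginx tasks or leave them out of the role until they do something, so a reader of playbook.yaml is not led to believe Linux hosts are configured. If the scaffolding is intentional, a one-line comment at the top of each file, `# placeholder: no Linux/per-user tasks yet`, would make that explicit.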
+++ b/ansible/roles/poudrierenginx/tasks/main.yaml
@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+ # when: foo is defined
diff --git a/ansible/roles/poudrierenginx/tasks/peruser.yaml b/ansible/roles/poudrierenginx/tasks/peruser.yaml
new file mode 100644
index 0000000..111e886
--- /dev/null
+++ b/ansible/roles/poudrierenginx/tasks/peruser.yaml
@@ -0,0 +1,29 @@
+- include_role:
+ name: per_user
+
+# - name: Create directories
+# file:
+# name: "{{ account_homedir.stdout }}/{{ item }}"
+# state: directory
+# mode: 0700
+# owner: "{{ account_name.stdout }}"
+# group: "{{ group_name.stdout }}"
+# loop:
+# - ".config/foo"
+
+# - name: Copy files
+# copy:
+# src: "files/{{ item.src }}"
+# dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+# mode: 0600
+# owner: "{{ account_name.stdout }}"
+# group: "{{ group_name.stdout }}"
+# loop:
+# - src: foo.conf
+# dest: .config/foo/foo.conf
+
+- import_tasks: tasks/peruser_freebsd.yaml
+ when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+ when: 'os_flavor == "linux"'
diff --git a/ansible/roles/poudrierenginx/tasks/peruser_freebsd.yaml b/ansible/roles/poudrierenginx/tasks/peruser_freebsd.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/poudrierenginx/tasks/peruser_linux.yaml b/ansible/roles/poudrierenginx/tasks/peruser_linux.yaml
new file mode 100644
index 0000000..e69de29