AlmaLinux · jonathanspw · Jul 22, 2024 · Jul 29, 2024 · Jul 29, 2024 · Aug 7, 2024
diff --git a/group_vars/mirrors_tier0.yml b/group_vars/mirrors_tier0.yml
@@ -0,0 +1,14 @@
+---
+mirror_path: /repo
+mirror_path_use_subdir: false
+mirror_custom_ssl: true
+mirror_create_fs: false
+mirror_bootstrap_mirror: false
+mirror_configure_crons: false
+rsync_modules:
+  almalinux:
+    path: "{{ mirror_path }}/almalinux"
+    comment: AlmaLinux repository
+  almalinux-elevate:
+    path: "{{ mirror_path }}/elevate"
+    comment: AlmaLinux ELevate repository
diff --git a/hosts b/hosts
@@ -30,22 +30,24 @@ almalinux-mirror.yucca.net
 [el7_mirrors]
 el7.repo.almalinux.org
 
-[matrix_synapse]
-almalinux.im ansible_host=170.249.201.58
-
-[matrix_synapse_stg]
-stg.almalinux.im
+[mirrors_tier0]
+#atl.rsync.repo.almalinux.org
+#sea.rsync.repo.almalinux.org
+fra.rsync.repo.almalinux.org
+hnd.rsync.repo.almalinux.org
 
 [mirrors:children]
+mirrors_tier0
 aws_mirrors
 azure_mirrors
 external_managed_mirrors
 el7_mirrors
 
-[mirrors_tier0]
-#atl.rsync.repo.almalinux.org
-#sea.rsync.repo.almalinux.org
-#fra.rsync.repo.almalinux.org
+[matrix_synapse]
+almalinux.im
+
+[matrix_synapse_stg]
+stg.almalinux.im
 
 [hashivault]
 vault[01:05].secrets.almalinux.org

diff --git a/roles/matrix_synapse/tasks/caddy.yml b/roles/matrix_synapse/tasks/caddy.yml
@@ -16,6 +16,18 @@
   tags:
     - caddy
 
+- name: Set SELinux context for log directory
+  community.general.sefcontext:
+    target: '/var/log/caddy(/.*)?'
+    setype: httpd_sys_rw_content_t
+    state: present
+  register: set_selinux_context
+
+# need to apply new contexts "now" to prevent potential issues in later tasks
+- name: Apply new SELinux file context to filesystem # noqa no-handler no-changed-when
+  ansible.builtin.command: restorecon -irv /var/log/caddy
+  when: set_selinux_context.changed
+
 - name: Distribute /etc/caddy/Caddyfile
   ansible.builtin.template:
     src: Caddyfile.j2

diff --git a/roles/mirror/defaults/main.yml b/roles/mirror/defaults/main.yml
@@ -48,3 +48,11 @@ mirror_repos:
     rsync_minute: "0"
     rsync_hour: "*/1"
     rsync_file: almalinux_rsync
+
+mirror_bootstrap_mirror: true
+mirror_configure_crons: true
+
+mirror_rsync_modules:
+  almalinux:
+    path: "{{ mirror_path }}/almalinux"
+    comment: AlmaLinux repository
diff --git a/roles/mirror/handlers/main.yml b/roles/mirror/handlers/main.yml
@@ -1,5 +1,10 @@
 ---
 - name: Restart caddy
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: caddy.service
     state: restarted
+
+- name: Restart rsyncd
+  ansible.builtin.systemd_service:
+    name: rsyncd.service
+    state: restarted
diff --git a/roles/mirror/tasks/certbot.yml b/roles/mirror/tasks/certbot.yml
@@ -0,0 +1,34 @@
+---
+- name: Route 53 tasks
+  ansible.builtin.include_tasks: route53.yml
+
+- name: Install certbot and route53 plugin
+  ansible.builtin.package:
+    name:
+      - certbot
+      - python3-certbot-dns-route53
+    state: present
+  tags: certbot
+
+- name: Start/enable certbot renew timer
+  ansible.builtin.systemd_service:
+    name: certbot-renew.timer
+    enabled: true
+    state: started
+  tags: certbot
+
+- name: Configure certbot deploy hook
+  ansible.builtin.template:
+    src: certbot-deploy-hook.sh.j2
+    dest: /etc/letsencrypt/deploy-caddy.sh
+    mode: "0755"
+  tags: certbot
+
+- name: Get certificate with certbot
+  args:
+    creates: /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem
+  ansible.builtin.shell: >
+    certbot certonly --dns-route53 -d {{ inventory_hostname }} -d rsync.repo.almalinux.org -m {{ certbot_email }} --agree-tos -n --force-renewal
+    --deploy-hook /etc/letsencrypt/deploy-caddy.sh
+  throttle: 1
+  tags: certbot skip_ansible_lint
diff --git a/roles/mirror/tasks/main.yml b/roles/mirror/tasks/main.yml
@@ -1,4 +1,19 @@
 ---
+- name: Add rsync backport repo
+  ansible.builtin.yum_repository:
+    name: backports-rsync
+    description: Backported rsync with extra features
+    file: backports-rsync
+    baseurl: http://repo.almalinux.org/backports/$releasever/$basearch/rsync/
+    enabled: true
+    gpgcheck: true
+    gpgkey: https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever
+
+- name: Update rsync # noqa package-latest
+  ansible.builtin.package:
+    name: rsync
+    state: latest
+
 - name: Install Caddy
   ansible.builtin.dnf:
     name: caddy
@@ -16,6 +31,22 @@
   tags:
     - caddy
 
+- name: Set SELinux context for log directory
+  community.general.sefcontext:
+    target: '/var/log/caddy(/.*)?'
+    setype: httpd_sys_rw_content_t
+    state: present
+  register: set_selinux_context
+  tags:
+    - caddy
+
+# need to apply new contexts "now" to prevent potential issues in later tasks
+- name: Apply new SELinux file context to filesystem # noqa no-handler no-changed-when
+  ansible.builtin.command: restorecon -irv /var/log/caddy
+  when: set_selinux_context.changed
+  tags:
+    - caddy
+
 - name: Distribute /etc/caddy/Caddyfile
   ansible.builtin.template:
     src: etc/caddy/Caddyfile.j2
@@ -52,7 +83,7 @@
 - name: Set SELinux context for mirror directory
   community.general.sefcontext:
     target: '{{ mirror_path }}(/.*)?'
-    setype: httpd_sys_content_t
+    setype: public_content_t
     state: present
   register: set_selinux_context
 
@@ -90,6 +121,7 @@
   loop: "{{ mirror_repos }}"
   tags:
     - bootstrap_mirror
+  when: mirror_bootstrap_mirror
 
 - name: Setup cron for mirror
   ansible.builtin.cron:
@@ -103,6 +135,7 @@
   loop: "{{ mirror_repos }}"
   tags:
     - cron
+  when: mirror_configure_crons
 
 - name: Customize sysctl
   ansible.posix.sysctl:
@@ -113,10 +146,38 @@
   tags:
     - sysctl
 
+- name: Certbot
+  ansible.builtin.include_tasks: certbot.yml
+  when: mirror_custom_ssl
+
 - name: Start/Enable Caddy
   ansible.builtin.systemd:
     name: caddy.service
     state: started
     enabled: true
   tags:
     - caddy
+
+- name: Install rsyncd
+  ansible.builtin.package:
+    name: rsync-daemon
+    state: present
+  when: mirror_rsync_modules
+
+- name: Configure rsyncd
+  ansible.builtin.template:
+    src: rsyncd.conf.j2
+    dest: /etc/rsyncd.conf
+    mode: "0644"
+  notify: Restart rsyncd
+  when: mirror_rsync_modules
+
+- name: Start rsyncd
+  ansible.builtin.systemd_service:
+    name: rsyncd
+    enabled: true
+    state: started
+  when: mirror_rsync_modules
+
+# TODO: correctly handle deploy-repo-alma user for tier0 mirrors
+# TODO: handle keying tier0 servers accordingly to accept syncs from repo.alma
diff --git a/roles/mirror/tasks/route53.yml b/roles/mirror/tasks/route53.yml
@@ -0,0 +1,19 @@
+---
+- name: Create AWS config dir
+  ansible.builtin.file:
+    path: /root/.aws
+    state: directory
+    mode: "0700"
+
+- name: Write AWS config file
+  vars:
+    aws_access_key_id:
+      "{{ lookup('community.hashi_vault.hashi_vault', 'kv/data/infra/aws/rsync.repo.almalinux.org/route53:access_key',
+      token=lookup('env', 'VAULT_TOKEN'), url=secrets_url) }}"
+    aws_secret_access_key:
+      "{{ lookup('community.hashi_vault.hashi_vault', 'kv/data/infra/aws/rsync.repo.almalinux.org/route53:secret_key',
+      token=lookup('env', 'VAULT_TOKEN'), url=secrets_url) }}"
+  ansible.builtin.template:
+    src: aws_config.j2
+    dest: /root/.aws/config
+    mode: "0600"
diff --git a/roles/mirror/templates/aws_config.j2 b/roles/mirror/templates/aws_config.j2
@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+[default]
+region = us-east-1
+aws_access_key_id = {{ aws_access_key_id }}
+aws_secret_access_key = {{ aws_secret_access_key}}
diff --git a/roles/mirror/templates/certbot-deploy-hook.sh.j2 b/roles/mirror/templates/certbot-deploy-hook.sh.j2
@@ -0,0 +1,11 @@
+#!/bin/sh
+# {{ ansible_managed }}
+
+# dynamic based on domain. ex: /etc/letsencrypt/live/example.com
+cert_dir=$RENEWED_LINEAGE
+
+install -pD -m 700 -g caddy -o caddy $cert_dir/fullchain.pem /etc/caddy/{{ inventory_hostname }}.fullchain.pem
+install -pD -m 700 -g caddy -o caddy $cert_dir/privkey.pem /etc/caddy/{{ inventory_hostname }}.privkey.pem
+
+# only reload caddy if it is running
+systemctl is-active --quiet caddy.service && systemctl reload caddy.service
diff --git a/roles/mirror/templates/etc/caddy/Caddyfile.j2 b/roles/mirror/templates/etc/caddy/Caddyfile.j2
@@ -4,7 +4,6 @@
 
     root * {{ mirror_path }}
 
-
     file_server {
         browse
     }
@@ -15,7 +14,7 @@
         }
     }
 
-    {% if mirror_custom_ssl %}tls /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem /etc/letsencrypt/live/{{ inventory_hostname}}/privkey.pem{% endif %}
+    {% if mirror_custom_ssl %}tls /etc/caddy/{{ inventory_hostname }}.fullchain.pem /etc/caddy/{{ inventory_hostname}}.privkey.pem{% endif %}
 
 }
 
@@ -24,7 +23,6 @@ http://{{ inventory_hostname }} {
 
     root * {{ mirror_path }}
 
-
     file_server {
         browse
     }
@@ -35,6 +33,5 @@ http://{{ inventory_hostname }} {
         }
     }
 
-
 }
 {% endif %}
diff --git a/roles/mirror/templates/rsyncd.conf.j2 b/roles/mirror/templates/rsyncd.conf.j2
@@ -0,0 +1,23 @@
+# {{ ansible_managed }}
+
+uid = nobody
+gid = nobody
+reverse lookup = false
+forward lookup = false
+max connections = 1000
+transfer logging = true
+use chroot = true
+read only = true
+timeout = 600
+
+motd file = /etc/rsyncmotd
+
+log file=/var/log/rsyncd.log
+
+{% for module,values in rsync_modules.items() %}
+[{{ module }}]
+{% for key,value in values.items() %}
+{{ key }} = {{ value }}
+{% endfor %}
+
+{% endfor %}