aur repo wip

ansible/inventory/host_vars/hv00.balsillie.house/certbot.yaml

@@ -0,0 +1,8 @@
+certbot_rfc2136_server: '10.208.240.1'
+certbot_rfc2136_key_name: 'rndc-house'
+certbot_rfc2136_key_algorithm: 'hmac-sha256'
+
+certbot_webserver_type: 'nginx' # 'nginx' or 'apache'
+certbot_dns_plugin: 'rfc2136'
+certbot_email: "certbot.hv00@balsillie.email"
+certbot_acme_server: "acme-v02.api.letsencrypt.org"

ansible/inventory/host_vars/hv00.balsillie.house/nginx.yaml

@@ -0,0 +1,16 @@
+nginx_sites:
+  - name: repo.balsillie.house
+    type: site
+    root: /var/www/aur
+  - name: unifi.balsillie.house
+    type: proxy
+    upstream:
+      host: 127.0.0.1
+      port: 8989
+  - name: hv00.balsillie.house
+    type: proxy
+    upstream:
+      host: 127.0.0.1
+      port: 9443
+
+nginx_user: "http"

ansible/inventory/host_vars/kodi00.balsillie.house/certbot.yaml

@@ -6,6 +6,3 @@ certbot_webserver_type: 'nginx' # 'nginx' or 'apache'
 certbot_dns_plugin: 'rfc2136'
 certbot_email: "certbot.kodi00@balsillie.email"
 certbot_acme_server: "acme-v02.api.letsencrypt.org"
-
-certbot_domains:
-  - kodi.balsillie.house

ansible/inventory/host_vars/kodi00.balsillie.house/nginx.yaml

@@ -1,25 +1,31 @@
 nginx_sites:
   - name: tv.balsillie.house
+    type: proxy
     upstream:
       host: 127.0.0.1
       port: 8989
   - name: movies.balsillie.house
+    type: proxy
     upstream:
       host: 127.0.0.1
       port: 8081
   - name: index.balsillie.house
+    type: proxy
     upstream:
       host: 127.0.0.1
       port: 8082
   - name: torrent.balsillie.house
+    type: proxy
     upstream:
       host: 127.0.0.1
       port: 9090
   - name: jellyfin.balsillie.house
+    type: proxy
     upstream:
       host: 127.0.0.1
       port: 8096
   - name: kodi.balsillie.house
+    type: proxy
     upstream:
       host: 127.0.0.1
       port: 8082

ansible/playbooks/infra/hv00.yaml

@@ -6,4 +6,5 @@
   gather_facts: true
   become: true
   roles:
-    - role: aur_repo
+    - role: aur_repo_host
+    - role: nginx

ansible/playbooks/infra/kodi.yaml

@@ -9,4 +9,5 @@
     # - role: sshd
     # - role: ufw
     - role: nginx
+    - role: aur_repo_client
     - role: arr

ansible/roles/arr/tasks/main.yaml

@@ -1,24 +1,8 @@
 ---
 
-- name: Check if Pikaur is installed
-  when: ansible_facts['os_family'] == "Archlinux"
-  ansible.builtin.stat:
-    follow: true
-    path: /usr/bin/pikaur
-  register: pikaur_stat
-
-- name: Branch to Pikaur setup role if Pikaur is not installed
-  when:
-    - ansible_facts['os_family'] == "Archlinux"
-    - not pikaur_stat.stat.exists
-  ansible.builtin.include_role:
-    name: pikaur
-
-- name: Install arr packages from AUR
+- name: Install arr packages
   when: ansible_facts['os_family'] == "Archlinux"
   community.general.pacman:
-    executable: pikaur
-    name: "{{ item }}"
+    name: "{{ arr_packages }}"
     state: present
-    update_cache: "{{ item == arr_packages.0 }}"
-  loop: "{{ arr_packages }}"
+    update_cache: true

ansible/roles/aur_repo_client/handlers/main.yaml

@@ -0,0 +1,5 @@
+---
+
+- name: Update pacman
+  community.general.pacman:
+    update_cache: true

ansible/roles/aur_repo_client/tasks/main.yaml

@@ -0,0 +1,45 @@
+---
+
+- name: Check if repo public key is in pacman keyring
+  ansible.builtin.command:
+    argv:
+      - pacman-key
+      - --list-keys
+      - "{{ aur_repo_client_repo_name }}"
+  register: repo_key_check
+  failed_when: repo_key_check.rc not in [0, 2]
+  changed_when: false
+
+- name: Add repo public key to pacman keyring
+  when: repo_key_check.rc == 2
+  block:
+
+    - name: Import the repo public key
+      ansible.builtin.command:
+        argv:
+          - pacman-key
+          - --recv-keys
+          - "{{ aur_repo_client_public_key_fingerprint }}"
+          - --keyserver
+          - "{{ aur_repo_client_keyserver }}"
+      changed_when: true
+
+    - name: Trust the repo public key
+      ansible.builtin.command:
+        argv:
+          - pacman-key
+          - --lsign-key
+          - "{{ aur_repo_client_public_key }}"
+      changed_when: true
+
+- name: Add home repo block to pacman.conf
+  ansible.builtin.blockinfile:
+    path: /etc/pacman.conf
+    block: |
+      [{{ aur_repo_client_repo_name }}]
+      SigLevel = Required TrustedOnly
+      Server = {{ aur_repo_client_repo_address }}
+    create: false
+    state: present
+    insertafter: EOF
+  notify: Update pacman

ansible/roles/aur_repo_client/vars/main.yaml

@@ -0,0 +1,4 @@
+aur_repo_client_repo_name: "home"
+aur_repo_client_repo_address: "https://repo.balsillie.house"
+aur_repo_client_public_key: DB529158B99DD8311D78CA2FBE6003C744F56EE2
+aur_repo_client_keyserver: hkps://keyserver.ubuntu.com

ansible/roles/aur_repo_host/tasks/main.yaml

@@ -112,10 +112,6 @@
         aurutils_pkgrel: "{{ aurutils_pkgbuild['content'] | b64decode | regex_search('(?<=^pkgrel=).*(?=$)', multiline=True) }}"
         aurutils_arch: "{{ aurutils_pkgbuild['content'] | b64decode | regex_search('(?<=^arch=\\().*(?=\\)$)', multiline=True) | replace(\"'\", '') }}"
 
-    - name: Debug aurutils dependencies
-      ansible.builtin.debug:
-        msg: "{{ aur_repo_dir }}/packages/aurutils-{{ aurutils_pkgver }}-{{ aurutils_pkgrel }}-{{ aurutils_arch }}.pkg.tar.lz4"
-
     - name: Install aurutils dependencies
       community.general.pacman:
         name: "{{ aurutils_dependencies }}"
@@ -129,7 +125,23 @@
       ansible.builtin.command:
         cmd: makepkg
         chdir: /tmp/aurutils
-        creates: "{{ aur_repo_dir }}/packages/aurutils-{{ aurutils_pkgver }}-{{ aurutils_pkgrel }}-{{ aurutils_arch }}.pkg.tar.lz4"
+        creates: "{{ aur_repo_dir }}/packages/aurutils-{{ aurutils_pkgver }}-{{ aurutils_pkgrel }}-{{ aurutils_arch }}.pkg.tar"
+
+    - name: Update repo database
+      become: true
+      become_user: "{{ aur_repo_build_account }}"
+      ansible.builtin.command:
+        argv:
+          - repo-add
+          - --prevent-downgrade
+          - --remove
+          - --sign
+          - --key
+          - "{{ aur_repo_key_thumbprint }}"
+          - repo.db.tar
+          - aurutils-{{ aurutils_pkgver }}-{{ aurutils_pkgrel }}-{{ aurutils_arch }}.pkg.tar
+        chdir: "{{ aur_repo_dir }}/packages"
+      changed_when: true
 
     - name: Check if the signing key is in pacman keyring
       ansible.builtin.command:
@@ -163,8 +175,36 @@
               - "{{ aur_repo_key_thumbprint }}"
           changed_when: true
 
+    - name: Add custom repo block to pacman.conf
+      ansible.builtin.blockinfile:
+        path: /etc/pacman.conf
+        block: |
+          [custom]
+          SigLevel = Required TrustedOnly
+          Server = file://{{ aur_repo_dir }}/packages
+        create: false
+        state: present
+        insertafter: EOF
+
     - name: Install aurutils
       community.general.pacman:
-        name: "{{ aur_repo_dir }}/packages/aurutils-{{ aurutils_pkgver }}-{{ aurutils_pkgrel }}-{{ aurutils_arch }}.pkg.tar.lz4"
+        name: aurutils
         state: present
-        update_cache: false
+        update_cache: true
+
+- name: Add the root www folder if it doesn't exist
+  ansible.builtin.file:
+    path: /var/www
+    state: directory
+    owner: http
+    group: http
+    mode: "0775"
+
+- name: Link the aur repo to the web root
+  ansible.builtin.file:
+    src: "{{ aur_repo_dir }}/packages"
+    dest: /var/www{{ aur_repo_dir }}
+    state: link
+    owner: http
+    group: http
+    mode: "0775"

ansible/roles/aur_repo_host/templates/makepkg.conf.j2

@@ -17,5 +17,5 @@ PKGDEST={{ aur_repo_dir }}/packages
 SRCDEST={{ aur_repo_dir }}/sources
 SRCPKGDEST={{ aur_repo_dir }}/srcpackages
 LOGDEST=/var/log/makepkg
-PKGEXT=".pkg.tar.lz4"
-SRCEXT=".src.tar.lz4"
+PKGEXT=".pkg.tar"
+SRCEXT=".src.tar"

ansible/roles/nginx/tasks/main.yaml

@@ -68,14 +68,26 @@
     mode: "0644"
   notify: Restart nginx
 
-- name: Template out nginx site configs
+- name: Template out nginx reverse proxy configs
   ansible.builtin.template:
-    src: site.conf.j2
+    src: nginx-proxy.conf.j2
     dest: /etc/nginx/sites-available/{{ item.name }}.conf
     owner: root
     group: root
     mode: "0644"
   loop: "{{ nginx_sites }}"
+  when: item.type == "proxy"
+  notify: Restart nginx
+
+- name: Template out nginx site configs
+  ansible.builtin.template:
+    src: nginx-site.conf.j2
+    dest: /etc/nginx/sites-available/{{ item.name }}.conf
+    owner: root
+    group: root
+    mode: "0644"
+  loop: "{{ nginx_sites }}"
+  when: item.type == "site"
   notify: Restart nginx
 
 - name: Enable site configs

ansible/roles/nginx/templates/nginx-site.conf.j2

@@ -0,0 +1,18 @@
+server {
+    listen 80;
+    server_name {{ item.name }};
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl http2;
+    server_name {{ item.name }};
+    ssl_certificate     /etc/letsencrypt/live/{{ item.name }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ item.name }}/privkey.pem;
+    index index.html;
+    root {{ item.root }};
+    location / {
+    }
+}