copr: create role for anubis

2026-04-27 12:03:38 +08:00 · 2025-09-05 01:42:13 +02:00
parent 72f4323fa8
commit f1cc8ca3df
12 changed files with 114 additions and 65 deletions
--- a/roles/copr/dist_git/files/anubis/default.env
+++ b/roles/copr/dist_git/files/anubis/default.env
@@ -2,7 +2,10 @@
 # https://anubis.techaro.lol/docs/admin/installation

 # Anubis listens to this IP:PORT
-BIND="127.0.0.1:8000"
+BIND="127.0.0.1:8987"

 # IP:PORT of the desired web app
-TARGET="http://127.0.0.1:8080"
+TARGET="http://127.0.0.1:8345"
+
+# Custom policies will live here once they are ready (package needs to be fixed)
+# POLICY_FNAME=/etc/anubis/policies.yaml
--- a/roles/copr/anubis/files/anubis/policies.yaml
+++ b/roles/copr/anubis/files/anubis/policies.yaml
@@ -0,0 +1,10 @@
+---
+# if any custom bot policies are needed, they can be added here
+bots:
+  # these are solid defaults from
+  # https://github.com/TecharoHQ/anubis/blob/main/data/botPolicies.yaml
+  - import: (data)/botPolicies.yaml
+
+
+# Custom allowlist of API endpoint specified by each copr instance will live here
+# - import: /etc/anubis/endpoint-allowlist.yaml
--- a/roles/copr/anubis/handlers/main.yml
+++ b/roles/copr/anubis/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Restart anubis
+  service:
+    name: anubis@default.service
+    state: restarted
+
+- name: Reload httpd
+  service:
+    name: httpd
+    state: reloaded
--- a/roles/copr/anubis/httpd/00-backend-listen.conf
+++ b/roles/copr/anubis/httpd/00-backend-listen.conf
@@ -0,0 +1,23 @@
+# This is how the Anubis should be configured:
+#
+#            ┌───────────────────────────┐
+# Client ──> │ Apache on port 443 (SSL)  │
+#            └───────────┬───────────────┘
+#                        │
+#                        ▼
+#                  ┌───────────────┐
+#                  │  Anubis on    │
+#                  │  port 8987    │
+#                  │  (Filter)     │
+#                  └─────┬─────────┘
+#                        │ <- Is in endpoint-allowlist.yaml?
+#        ┌───────────────┴─────────────────────┐
+#        │ <- ALLOW if endpoint is in          │  <- FILTER
+#        │    endpoint-allowlist.yaml          │
+#        |                                     |
+#        |        ┌──────────────────┐         |
+#        |        │ Apache on port   │         |
+#        └──────> │ 8345 (App)       │ <───────┘
+#                 └──────────────────┘
+
+Listen 127.0.0.1:8345
--- a/roles/copr/anubis/tasks/main.yml
+++ b/roles/copr/anubis/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+- name: Install Anubis Bot Blocker
+  dnf:
+    name: anubis
+    state: present
+  tags:
+    - anubis
+
+- name: Allow Apache to make network connections for proxy
+  ansible.posix.seboolean:
+    name: httpd_can_network_connect
+    state: true
+    persistent: true
+  tags:
+    - anubis
+
+- name: Ensure Anubis service is enabled and started
+  service:
+    name: anubis@default.service
+    enabled: true
+    state: started
+  tags:
+    - anubis
+
+- name: Install Anubis configuration and rules
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: "/etc/{{ item }}"
+    mode: '0644'
+  loop:
+    - anubis/default.env
+    - anubis/policies.yaml
+  notify:
+    - Restart anubis
+    - Reload httpd
+  tags:
+    - anubis
--- a/roles/copr/dist_git/files/anubis_config.env
+++ b/roles/copr/dist_git/files/anubis_config.env
@@ -0,0 +1,3 @@
+BIND="127.0.0.1:8987"
+TARGET="http://127.0.0.1:8345"
+BASE_PREFIX="/cgit"
--- a/roles/copr/dist_git/files/httpd/00-backend-listen.conf
+++ b/roles/copr/dist_git/files/httpd/00-backend-listen.conf
@@ -1,14 +0,0 @@
-# This is how the Anubis should be configured on dist-git:
-#            ┌───────────────────────────┐
-# Client ──> │ Apache on port 443 (SSL)  │
-#            └───────────┬───────────────┘
-#                        │
-#       ┌────────────────┴────────────────┐
-#       │ (if the path is /git)           │ (for everything else)
-#       ▼                                 ▼
-# ┌──────────────────┐             ┌──────────────────┐
-# │ Apache on port   │ <────────── │  Anubis on port  │
-# │ 8080 (App)       │             │  8000 (Filter)   │
-# └──────────────────┘             └──────────────────┘
-
-Listen 127.0.0.1:8080
--- a/roles/copr/dist_git/files/httpd/copr-dist-git.conf
+++ b/roles/copr/dist_git/files/httpd/copr-dist-git.conf
@@ -1,11 +1,9 @@
-<VirtualHost 127.0.0.1:8080>
-    Alias /per-task-logs /var/lib/copr-dist-git/per-task-logs
-    <Directory /var/lib/copr-dist-git/per-task-logs>
-        Options Indexes FollowSymLinks
-        AllowOverride None
-        Require all granted
-    </Directory>
-</VirtualHost>
+Alias /per-task-logs /var/lib/copr-dist-git/per-task-logs
+<Directory /var/lib/copr-dist-git/per-task-logs>
+    Options Indexes FollowSymLinks
+    AllowOverride None
+    Require all granted
+</Directory>

 <IfModule mpm_prefork_module>
    StartServers          2
--- a/roles/copr/dist_git/files/httpd/dist-git/lookaside-copr.conf
+++ b/roles/copr/dist_git/files/httpd/dist-git/lookaside-copr.conf
@@ -1,4 +1,2 @@
-<VirtualHost 127.0.0.1:8080>
-    AliasMatch "/repo(/.*)/md5(/.*)" "/var/lib/dist-git/cache/lookaside$1$2"
-    Alias /repo/ /var/lib/dist-git/cache/lookaside/
-</VirtualHost>
+AliasMatch "/repo(/.*)/md5(/.*)" "/var/lib/dist-git/cache/lookaside$1$2"
+Alias /repo/ /var/lib/dist-git/cache/lookaside/
--- a/roles/copr/dist_git/handlers/main.yml
+++ b/roles/copr/dist_git/handlers/main.yml
@@ -4,8 +4,3 @@

 - name: Restart copr-dist-git
  service: name="copr-dist-git" state="restarted"
-
- name: Restart anubis
-  ansible.builtin.service:
-    name: anubis@default.service
-    state: restarted
--- a/roles/copr/dist_git/tasks/main.yml
+++ b/roles/copr/dist_git/tasks/main.yml
@@ -176,31 +176,19 @@
 - name: Install /etc/gitconfig file
  ansible.builtin.copy: src="gitconfig" dest="/etc/gitconfig"

- name: Install Anubis Bot Blocker
-  dnf:
-    name: anubis
-    state: present
+- name: Include Anubis role for dist-git
+  include_role:
+    name: copr/anubis
+  tags:
+    - anubis

- name: Allow Apache to make network connections for proxy
-  ansible.posix.seboolean:
-    name: httpd_can_network_connect
-    state: true
-    persistent: true
-
- name: Ensure Anubis service is enabled and started
-  service:
-    name: anubis@default.service
-    enabled: true
-    state: started
-
- name: Install Anubis configuration and rules
+- name: Temporary rewrite Anubis config file
  ansible.builtin.copy:
-    src: "{{ item }}"
-    dest: "/etc/{{ item }}"
+    src: "anubis_config.env"
+    dest: "/etc/anubis/default.env"
    mode: '0644'
-  loop:
-    # there will be more...
-    - anubis/default.env
-  notify:
-    - Restart anubis
-    - Reload httpd
+
+- name: Restart anubis
+  ansible.builtin.systemd:
+    name: anubis@default.service
+    state: restarted
--- a/roles/copr/dist_git/templates/ssl.conf.j2
+++ b/roles/copr/dist_git/templates/ssl.conf.j2
@@ -24,20 +24,18 @@ SSLCryptoDevice builtin
    SSLCipherSuite PROFILE=SYSTEM
    SSLProxyCipherSuite PROFILE=SYSTEM

+    # Anubis config
    ProxyRequests Off
    ProxyPreserveHost On
+    ProxyVia Off

    RequestHeader set "X-Real-Ip" expr=%{REMOTE_ADDR}
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set "X-Http-Version" "%{SERVER_PROTOCOL}s"

-    # send directly to backend
-    ProxyPass /git/ http://127.0.0.1:8080/git/
-    ProxyPassReverse /git/ http://127.0.0.1:8080/git/
-
-    # send the rest to Anubis
-    ProxyPass / http://127.0.0.1:8000/
-    ProxyPassReverse / http://127.0.0.1:8000/
+    # BIND port
+    ProxyPass /cgit/ http://localhost:8987/cgit/
+    ProxyPassReverse /cgit/ http://localhost:8987/cgit/

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars