From f98013eb168eea7f0bd5b7535818b8fdf0d6ce6a Mon Sep 17 00:00:00 2001
From: Jakob Meier <comcloudway@ccw.icu>
Date: Sat, 30 Dec 2023 13:52:09 +0100
Subject: [PATCH] Added support for paste.sr.ht

---
 roles/paste.sr.ht/defaults/main.yml    |  3 ++
 roles/paste.sr.ht/tasks/config.yml     | 39 ++++++++++++++++++++++++++
 roles/paste.sr.ht/tasks/db.yml         | 15 ++++++++++
 roles/paste.sr.ht/tasks/main.yml       | 15 ++++++++++
 roles/paste.sr.ht/tasks/nginx.yml      | 13 +++++++++
 roles/paste.sr.ht/templates/nginx.conf | 23 +++++++++++++++
 run.yml                                |  4 +++
 7 files changed, 112 insertions(+)
 create mode 100644 roles/paste.sr.ht/defaults/main.yml
 create mode 100644 roles/paste.sr.ht/tasks/config.yml
 create mode 100644 roles/paste.sr.ht/tasks/db.yml
 create mode 100644 roles/paste.sr.ht/tasks/main.yml
 create mode 100644 roles/paste.sr.ht/tasks/nginx.yml
 create mode 100644 roles/paste.sr.ht/templates/nginx.conf

diff --git a/roles/paste.sr.ht/defaults/main.yml b/roles/paste.sr.ht/defaults/main.yml
new file mode 100644
index 0000000..7915ad7
--- /dev/null
+++ b/roles/paste.sr.ht/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+pastesrht_oauth_client_id: ""
+pastesrht_oauth_client_secret: ""
diff --git a/roles/paste.sr.ht/tasks/config.yml b/roles/paste.sr.ht/tasks/config.yml
new file mode 100644
index 0000000..ef76fb2
--- /dev/null
+++ b/roles/paste.sr.ht/tasks/config.yml
@@ -0,0 +1,39 @@
+---
+- name: Ensure the paste.sr.ht config is injected
+  ansible.builtin.blockinfile:
+    path: /etc/sr.ht/config.ini
+    marker: "#-- {mark} ANSIBLE paste.sr.ht --#"
+    block: |
+      [paste.sr.ht]
+      #
+      # URL paste.sr.ht is being served at (protocol://domain)
+      origin={{ srht_protocol }}://paste.{{ srht_domain }}
+      #
+      # Address and port to bind the debug server to
+      debug-host=0.0.0.0
+      debug-port=5011
+      #
+      # Configures the SQLAlchemy connection string for the database.
+      connection-string=postgresql://postgres@127.0.0.1/pastesrht?sslmode=disable
+      #
+      # Set to "yes" to automatically run migrations on package upgrade.
+      migrate-on-upgrade=yes
+      #
+      # paste.sr.ht's OAuth client ID and secret for meta.sr.ht
+      # Register your client at meta.example.org/oauth
+      oauth-client-id={{ pastesrht_oauth_client_id }}
+      oauth-client-secret={{ pastesrht_oauth_client_secret }}
+  register: conf
+
+- name: Enable & start paste.sr.ht service
+  ansible.builtin.service:
+    name: paste.sr.ht
+    state: restarted
+    enabled: true
+  when: conf.changed
+- name: Enable & start paste.sr.ht api service
+  ansible.builtin.service:
+    name: paste.sr.ht-api
+    state: restarted
+    enabled: true
+  when: conf.changed
diff --git a/roles/paste.sr.ht/tasks/db.yml b/roles/paste.sr.ht/tasks/db.yml
new file mode 100644
index 0000000..116402f
--- /dev/null
+++ b/roles/paste.sr.ht/tasks/db.yml
@@ -0,0 +1,15 @@
+---
+- name: Download database schema from git.sr.ht
+  ansible.builtin.get_url:
+    url: https://git.sr.ht/~sircmpwn/paste.sr.ht/blob/master/schema.sql
+    dest: /tmp/pastesrht.psql
+
+- name: Create database
+  community.postgresql.postgresql_db:
+    name: pastesrht
+
+- name: Ensure database layout
+  community.postgresql.postgresql_db:
+    name: pastesrht
+    state: restore
+    target: /tmp/pastesrht.psql
diff --git a/roles/paste.sr.ht/tasks/main.yml b/roles/paste.sr.ht/tasks/main.yml
new file mode 100644
index 0000000..bd25e4d
--- /dev/null
+++ b/roles/paste.sr.ht/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+- name: Install paste.sr.ht packages
+  community.general.apk:
+    name:
+      - paste.sr.ht
+    state: latest
+
+- name: Setup Database
+  ansible.builtin.import_tasks: db.yml
+
+- name: Setup config & services
+  ansible.builtin.import_tasks: config.yml
+
+- name: Setup nginx
+  ansible.builtin.import_tasks: nginx.yml
diff --git a/roles/paste.sr.ht/tasks/nginx.yml b/roles/paste.sr.ht/tasks/nginx.yml
new file mode 100644
index 0000000..12b17f5
--- /dev/null
+++ b/roles/paste.sr.ht/tasks/nginx.yml
@@ -0,0 +1,13 @@
+---
+- name: Copy nginx config file
+  ansible.builtin.template:
+    src: nginx.conf
+    dest: /etc/nginx/http.d/paste.sr.ht.conf
+  register: nginxconf
+
+- name: Start & enable nginx
+  ansible.builtin.service:
+    name: nginx
+    state: restarted
+    enabled: true
+  when: nginxconf.changed
diff --git a/roles/paste.sr.ht/templates/nginx.conf b/roles/paste.sr.ht/templates/nginx.conf
new file mode 100644
index 0000000..ba0d783
--- /dev/null
+++ b/roles/paste.sr.ht/templates/nginx.conf
@@ -0,0 +1,23 @@
+server {
+	include sourcehut.conf;
+	server_name paste.{{ srht_domain }};
+
+    client_max_body_size 10M;
+
+	location / {
+		proxy_pass http://127.0.0.1:5011;
+		include headers.conf;
+		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'; frame-ancestors 'none'" always;
+		include web.conf;
+	}
+
+	location /query {
+		proxy_pass http://127.0.0.1:5111;
+		include graphql.conf;
+	}
+
+	location /static {
+		root /usr/lib/$python/site-packages/pastesrht;
+		expires 30d;
+	}
+}
diff --git a/run.yml b/run.yml
index 39c1239..f179cdb 100644
--- a/run.yml
+++ b/run.yml
@@ -27,3 +27,7 @@
   hosts: all
   roles:
     - role: builds.sr.ht
+- name: Setup paste.sr.ht
+  hosts: all
+  roles:
+    - role: paste.sr.ht
-- 
2.38.5