diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 6d49f09..13791ce 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -28,37 +28,6 @@ jobs: reviewdog -f=pep8 -name=flake8 \ -tee -reporter=github-check -filter-mode nofilter - caddyfmt: - name: caddyfmt - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - - name: Install caddy - run: | - sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https - curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | \ - sudo tee /etc/apt/trusted.gpg.d/caddy-stable.asc - curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | \ - sudo tee /etc/apt/sources.list.d/caddy-stable.list - sudo apt update - sudo apt install caddy - - - name: Set up reviewdog - uses: reviewdog/action-setup@v1 - - - name: Run caddy validate - run: caddy validate --config caddy/Caddyfile - - - name: Run caddy fmt - run: caddy fmt --overwrite caddy/Caddyfile - - - name: Run reviewdog - uses: reviewdog/action-suggester@v1 - with: - fail_on_error: true - tool_name: 'caddy fmt' - ansible: name: Ansible Lint runs-on: ubuntu-latest diff --git a/Makefile b/Makefile deleted file mode 100644 index 11db7b5..0000000 --- a/Makefile +++ /dev/null @@ -1,19 +0,0 @@ -RUNTIME ?= podman -CADDY_IMAGE ?= docker.io/library/caddy -CADDY_VERSION ?= 2.4.6 - -serve: - mkdir -p sites - $(RUNTIME) run --rm -it \ - -v $$PWD/sites:/srv:Z \ - -v $$PWD/caddy/Caddyfile:/etc/caddy/Caddyfile:ro,Z \ - -e SITE_DIR=/srv \ - -p 2015:2015 \ - $(CADDY_IMAGE):$(CADDY_VERSION) \ - caddy run --config /etc/caddy/Caddyfile --watch - -fmt: - $(RUNTIME) run --rm -it \ - -v $$PWD/caddy/Caddyfile:/etc/caddy/Caddyfile:Z \ - $(CADDY_IMAGE):$(CADDY_VERSION) \ - caddy fmt --overwrite /etc/caddy/Caddyfile diff --git a/README.md b/README.md index 5b66e12..fe0ad89 100644 --- a/README.md +++ b/README.md 
@@ -4,13 +4,6 @@ matplotlib.org Hosting This repo enables matplotlib.org hosting using [Caddy](https://caddyserver.com/). -By default, Caddy is run in a container using `make serve`, which: - -* Runs Caddy (version can be overridden by setting `CADDY_VERSION`) in - [podman](https://podman.io/) (can be switched to docker by setting `RUNTIME`) -* Mounts Matplotlib documentation repositories from the `sites` subdirectory -* Exposes the server on port 2015 - Hosted repositories ------------------- @@ -29,18 +22,6 @@ related projects are also exposed as toplevel directories: * [mpl-gui](https://github.com/matplotlib/mpl-gui) * [mpl-third-party](https://github.com/matplotlib/mpl-third-party) -Caddy options -------------- - -The Makefile will set these options for you when mounting and running the -container, but if you wish to run Caddy directly, you may wish to set some -overrides in environment variables: - -* The host and port with `SITE_ADDRESS` (defaults to port 2015 on all - interfaces) -* The directory containing the git repositories with `SITE_DIR` (defaults to - `sites` in the current directory) - Ansible configuration ===================== diff --git a/caddy/Caddyfile b/caddy/Caddyfile deleted file mode 100644 index b5be43c..0000000 --- a/caddy/Caddyfile +++ /dev/null 
@@ -1,89 +0,0 @@ -# Snippet to allow working with git checkouts of project sites that become -# toplevel directories. -(subproject) { - # Caddy doesn't know this is a directory, so redirect to trailing / as - # would usually happen for them. - redir /{args.0} /{args.0}/ permanent - - handle_path /{args.0}/* { - root * {$SITE_DIR:sites}/{args.0} - try_files {path}.html {path} - file_server - } -} - -# Set this variable in the environment when running in production. -{$SITE_ADDRESS::2015} { - # Set the variable in the environment to the Caddy directive for tls - # support. By default, this is empty so you can test it locally, but - # the Ansible config sets it up with the right certificate paths. - {$TLS_CONFIG:} - - root * {$SITE_DIR:.} - - # Setup a webhook - handle /gh/* { - # https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#delivery-headers - @valid_webhook { - method POST - header Content-Type application/json - header User-Agent GitHub-Hookshot/* - header X-GitHub-Event ping - header X-GitHub-Event push - header X-GitHub-Delivery * - header X-Hub-Signature-256 * - } - - handle @valid_webhook { - reverse_proxy * localhost:1234 { - # Don't leak out internal problems. - @error status 4xx 5xx - handle_response @error { - error 400 - } - } - } - - handle { - error 400 - } - } - - import subproject basemap - import subproject cheatsheets - import subproject cycler - import subproject devdocs - import subproject governance - import subproject matplotblog - import subproject mpl-altair - import subproject mpl-bench - import subproject mpl-gui - import subproject mpl-third-party - - # redirect the objects.inv - redir /objects.inv /stable/objects.inv permanent - - # Place the brochure site at the top level. 
- import subproject mpl-brochure-site - @brochure file { - root {$SITE_DIR:sites}/mpl-brochure-site - try_files {path}.html {path} - } - rewrite / /mpl-brochure-site/index.html - rewrite @brochure /mpl-brochure-site{http.matchers.file.relative} - - # Finally try any of the versioned docs. - handle { - root * {$SITE_DIR:sites}/matplotlib.github.com - try_files {path}.html {path} - file_server - } - - # Use a custom 404 error page. - handle_errors { - @notfound expression {http.error.status_code} == 404 - root * {$SITE_DIR:sites}/mpl-brochure-site - rewrite @notfound /404.html - file_server - } -} diff --git a/caddy/caddy.service.override b/caddy/caddy.service.override deleted file mode 100644 index 01f9272..0000000 --- a/caddy/caddy.service.override +++ /dev/null @@ -1,4 +0,0 @@ -[Service] -Environment="SITE_DIR=/usr/share/caddy" -Environment="SITE_ADDRESS=https://do.matplotlib.org, https://matplotlib.org" -Environment="TLS_CONFIG=tls /etc/caddy/tls/cert.pem /etc/caddy/tls/privkey.pem" diff --git a/files/tls-cert.pem b/files/tls-cert.pem index 73731f1..537ff19 100644 --- a/files/tls-cert.pem +++ b/files/tls-cert.pem 
@@ -1,63 +1,63 @@ $ANSIBLE_VAULT;1.1;AES256 -63373333393661613738643337653438636564316132386161383862656364613766663166633532 -6331376238343931386161393836666131623338643161330a663366656130633339373664643536 -32316665336531633538643566303738303761663562363761623061666665633966626134636464 -6231636537393031310a336136666332366662393061333230316262326132373731613664643039 -32316133346533313233386630393763383134616632656665636439616532653364636562333330 -37313836343732343232343530363465656231373330323765303438346331646230353039333962 -30386165393936353936336261376566633131313335336636343033633233633365663964313966 -65313533313464336665663964626439656235613730663234363664326632316132353065353336 -61343835356363333365343864346562366164643936626162366462306362613636613133626436 -62636231303565363837666634306162393065643462336464306331616264653533646235623538 -35663763303961366164646166363132386436316538623535633261343465323833323238356366 -34356365393532633131343638323235363533313936333062393935393161303731313766336430 -39633462623637623964623138623236653332343966353433356565313932363362636261393766 -63653430383063643436623037323439323564633662343035303532396335643566333937336233 -36333036366262393638616237333233303038616438383931396237663133366135653037343564 -31616533393636306632383562316462386537653830306165616135656464663237316433306465 -33323137396631653338666333373766386330393564343239313936353065333632316139656163 -63633562653339333730356635383239323730323563303461663737333938376439663435316330 -38626362366132306137643930393931333262393661303362623235333062666461303238346531 -66306366633234363230393533343962623736323339616337326438306561616335373438623361 -66376633383539393334396436633030653438386538313133376131656165303532383763653561 -33333039323761646630323134643266613236323966323565643835313163653066633261373231 -61613063666536373132323163623666313661626362623333333463363436306361646362366631 
-39383130373166306231663766623531346261393436313737653765643161373939653832343336 -36353565323138393234653830653133323863393739353062613933333463353430396639303034 -34616432633133356266386132323565663363386365646437336631393862643533393064666333 -66336536353232666634353835663636386363393663326630346463646265336532323864656238 -62616231336266626238626434393434626133663733303162646461313835623961616539633832 -33346430666165396436653235313232323633623434623464653932616362306563336465313932 -65383330643037393139333564306164346539663636346438373733623939356265346261653961 -32613136373837356430396434373666393663313531623664366462643161323365373834323630 -39626335303832346631326163616632636563643930306463346561623662346465353832643730 -37316539326564616233363031666532356530303965666636393439613534393839626139666464 -64613864323464333465366566613838396566363037393438363265323136616564383964366334 -31663364323332376561363434303565346536656564643966366138636138373936393933303837 -63613933316565653962666263373835326630333833313464333636316664326262313964376238 -33366232366465653539383535383937343337333530346338366635373039306163373635356634 -31313138366665366533303137353237306338646437393864323839353834306265313262313666 -65303739333164633661363566656364366532343432376566626262643833376237383364623935 -32303131376132393735336464643638376266623733626436643230633239623330393835616261 -61363466303435346238363963653931636338613034626262373331626135643130656361353534 -39613163656464326637323136373434643763373362383462333235643130353265646265376336 -30323863366563663833306439616237613136333165323962346636643563323532666635613138 -66373663333430346265376138306262316438393161656663366465363565623364363633643933 -61643961393164363039343838646265396333323630316636636330346337656332646437316262 -36643537323532356535646161653435306166343663623734353136623038646130346265656138 -65336333363663643361616261343164623166613162316132306531313363323762653165616563 
-34356535623639366432396430666131316466306230653265336334393036306664383434613030 -32306662363362303061373235393636633566393861623864336363313464633332363363306333 -62393232386664333261623738613965633633393963316264333064663230383366363030623465 -36626430633233646462336266663033313365323665633566623731663566383063383030616261 -65336435626635393632613234373237626363653764373933643464646538356165353737373837 -36656266366531373032346364336130343833613838313264643631393265626531363030656137 -33386635663231386339666332323432363431303565666265303035383666633534613530646430 -66633763366366303562323238653964303161393638303463396539323236396637373665363637 -31616163303261316362323064336265396332613832316163346362306431306532613130376430 -30376237636261383737643061393832346265626530653162613135383039346664623338363738 -34336665353264666633323664326530323137383936616537616262373264336639386230353139 -30336364623366616366613137626339396332643162383235666339616436636136373433663431 -62653735376334643131306537653063383537333063313435343736356539373336343035336463 -31656333393035646534356366623966313461393462386338363139313463306465636635623139 -6562336532663631643134393933666262343333353265656363 +34666361323566326165323238646331623036633562646664376466336563363865663966393832 +3135666362343964313339323634326232626431363461340a303533316165626439663963623436 +62643962646665383431623864393632333530626635336462356537326432373232313531396563 +6332633162663865640a353231333665343965373465313436396262376366616266633738333432 +34313530343430353763303033363434353733313165343861303331306137343839356439386465 +61316334666163346138326564386139333539313331313430666363666232356638376364613365 +37613836633064396361663031353532363131663563346264663735336261376663623461653561 +37376662393334623130636561383463343838653937353334383964613563613632373836366337 +31356162663437373334616433356165303661653634613462633531613434616637626234383838 
+38633765636665663131373266376133653136383161313362613533383537366562616365376631 +63663766623965656633323132643730626339386130393961323732353135393033393633633264 +33643637383239343033636637343330363237633866613834363365633764386330646437316666 +37373636313466613337353831376630666335363234323839623135386266613439356533663063 +36623635646363613830613263343235306561653432396533663435386236383564653364666539 +34323462393236653035316630373831316531333232626563333336373265643234383236303537 +66356464653133626665383662323062623035383565333137393531306266346266623838383433 +63636530323330386464383830396232653866616338636233366139376335373631303531366165 +36383635626462353564373564633137396630653264336232376466323162363136316334316231 +39323265343631356230313735386265356664303934616435653837393764613664663832633431 +63353137373866366630353261373332633338633032313530623339643663346133343434393131 +66303166363165386438633530313463363735336232313162346365336662643838353761323430 +65323136316666393963313565343935323438616264376464303461366463386633326638333863 +31653637373366633732356665353336653830623431663862646631663934333438633530323761 +37623065663563343930326239306535653635653034303238636462363863386131323265303038 +32383739633762356233333065623466303536393038653737616361666564346130303461303032 +38653138313839393330396632643932333561653532346535336330636430663633356439376430 +38613865353666323632326633613132356638303166323661363062393931336634666238613461 +34653934623434303233643031653536383233626233376532356465343462623564333032656130 +32386232633731363131643234343864336530363266396464623831366431313837633033303238 +37346130373030373862633339333539306266663332366666626432656437386239656330646335 +32633635303762666532373566333336376665653164333339353435646562373339396337313036 +35353464313565306535306264343838376233333831646134333837623933333665636535356464 +36626461363230376438666263323938623930343566633864653434363765613663396261306461 
+35613134346335383432366436653966356536306630326134656436626236343335643537306634 +63636666656534386330316365643139363833366634356533393936333733366136303164353430 +64313838336466643836376165616234613932353030656561663237323537363838646663376433 +39393633663837356338653932643266643635386235306461653733633266393038366336623232 +61636162363331666333643630666335653030353931303461313965316533303338313130313466 +31643937396334373335336334303333343963653130336562613836363334663665326366376233 +61663064353362663730386639396431616132653363653438613862616532336138366265313032 +65623361316566663065613536396432316136346663306532383337396234353032636230623065 +36613931396137313938663664373836633937306236343865626631383834306131623065353838 +61353331386565313933363538353861343537386564356239336632393630656135386333323539 +63383663356230306536616664363933373439326230613730656362653133326339323635346530 +36656634396164643263356134333839623465356562613837656661663036356430306261646136 +33313139306163663631343532626364643263663333336639313835383832326264343465613434 +30353164636536663935626637373561626336353263316662626138663338656635643238376637 +39636562643733643538363961393834393661643032373836343561363136343235653264366135 +34333831373138306238633238633131663133613066366562666435663266363339316537323937 +64366231613661646663636666653263306539303630663439303131326662343965326335323765 +33633930653933393062643034373564363838303737313238306535346661363764383637636537 +64373331366636336331363362343538326236343566313666623235383135646438346536346435 +30366436643637313531376638636639313337333034373933373866343036386331643433323164 +64393934383938616362316136643662623639343736343639323230343861396635333663313835 +31613133356634626464623362376633666463623266326664396462656137633931646564623436 +66386664313936616331303834626430346135653432336334613031663231313635363866336334 +62313133633633336136613434323335356234653264336130303538313964306165653361616434 
+33356562303839646436353939663739316161383939383563623336336563356430373833636439 +66336233306436636364373638343164376461323937623332326663383831623334633433313730 +33613766333238616263663639613037346165666361303963356138336262376538376131373937 +37353131306438643839653464656337343461303536616139306439306434333637363136343533 +3136656536343965663632366336353436363764666337653035 diff --git a/files/tls-privkey.pem b/files/tls-privkey.pem index 5bdc985..252849c 100644 --- a/files/tls-privkey.pem +++ b/files/tls-privkey.pem @@ -1,18 +1,18 @@ $ANSIBLE_VAULT;1.1;AES256 -63333331343239616534613261333630363931366162663936663362353737613330366366343264 -6364646165303265613966653366343365633832656364330a316162333666636632333066663739 -62326136623262336461613738316632643736306433616531656161363066353366373838326663 -3264633533373134360a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a616337646561323535303335366435 +65366439643932363962306464636237373538356163653138396238353435303631353063626138 +6532376231386636330a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diff --git a/matplotlib.org.yml b/matplotlib.org.yml index 5090178..c38e347 100644 --- a/matplotlib.org.yml +++ b/matplotlib.org.yml @@ -1,6 +1,12 @@ --- - hosts: website vars: + caddy: + addresses: + main: "matplotlib.org" + webhook: "do.matplotlib.org" + site_dir: "/usr/share/caddy" + tls_config: "tls /etc/caddy/tls/cert.pem /etc/caddy/tls/privkey.pem" repos: - mpl-brochure-site - matplotlib.github.com 
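Review bot: `repos`, shown as context just under the new `caddy` block, now also feeds the `{% for site in repos %}` loop in templates/Caddyfile.j2, and it contains `matplotlib.github.com`, which the deleted Caddyfile never imported as a subproject. That would make the versioned docs reachable under `/matplotlib.github.com/` as well as at the top level. If that is not intended, a dedicated list next to `addresses`, or `{% for site in repos if site != 'matplotlib.github.com' %}` in the template, would keep the old routing. The rest of `repos` lies outside the hunk, so it cannot be checked here against the names the old file imported.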
@@ -154,24 +160,12 @@ tags: caddy block: - name: Configure Caddy - ansible.builtin.copy: - src: "{{playbook_dir}}/caddy/Caddyfile" + ansible.builtin.template: + src: Caddyfile.j2 dest: /etc/caddy/Caddyfile + validate: "caddy validate --adapter caddyfile --config %s" notify: Reload Caddy - - name: Configure Caddy system service - ansible.builtin.file: - path: /etc/systemd/system/caddy.service.d - state: directory - mode: 0755 - - name: Configure Caddy system service - ansible.builtin.copy: - src: "{{playbook_dir}}/caddy/caddy.service.override" - dest: /etc/systemd/system/caddy.service.d/override.conf - notify: - - Reload systemd - - Restart Caddy - - name: Configure Caddy TLS certificate directory ansible.builtin.file: path: /etc/caddy/tls diff --git a/templates/Caddyfile.j2 b/templates/Caddyfile.j2 new file mode 100644 index 0000000..496f089 --- /dev/null +++ b/templates/Caddyfile.j2 
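Review bot: The new `validate: "caddy validate --adapter caddyfile --config %s"` runs before the TLS tasks that follow in this block, and as far as I know `caddy validate` provisions the config rather than only parsing it. On a freshly provisioned host it would then likely fail because `/etc/caddy/tls/cert.pem` and `privkey.pem` are not there yet. Moving the `Configure Caddy` task below the certificate tasks (which continue outside the hunk) would keep the check without breaking a first run. Separately, dropping the two `Configure Caddy system service` tasks leaves `/etc/systemd/system/caddy.service.d/override.conf` on hosts that were already deployed. A one-off `ansible.builtin.file` task with `state: absent` on that path would remove the stale drop-in.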
@@ -0,0 +1,90 @@ +# Snippet to allow working with git checkouts of project sites that become +# toplevel directories. +(subproject) { + # Caddy doesn't know this is a directory, so redirect to trailing / as + # would usually happen for them. + redir /{args.0} /{args.0}/ permanent + + handle_path /{args.0}/* { + root * {{ caddy.site_dir }}/{args.0} + try_files {path}.html {path} + file_server + } +} + +# Setup webhooks +{% if caddy.tls_config is defined %} +https://{{ caddy.addresses.webhook }} { + {{ caddy.tls_config }} +{% else %} +http://{{ caddy.addresses.webhook }} { +{% endif %} + + root * {{ caddy.site_dir }} + + # https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#delivery-headers + @valid_webhook { + path /gh/* + method POST + header Content-Type application/json + header User-Agent GitHub-Hookshot/* + header X-GitHub-Event ping + header X-GitHub-Event push + header X-GitHub-Delivery * + header X-Hub-Signature-256 * + } + + handle @valid_webhook { + reverse_proxy * localhost:1234 { + # Don't leak out internal problems. + @error status 4xx 5xx + handle_response @error { + error 400 + } + } + } + + handle { + error 404 + } +} + +{% if caddy.tls_config is defined %} +https://{{ caddy.addresses.main }} { + {{ caddy.tls_config }} +{% else %} +http://{{ caddy.addresses.main }} { +{% endif %} + + root * {{ caddy.site_dir }} + +{% for site in repos %} + import subproject {{ site }} +{% endfor %} + + # redirect the objects.inv + redir /objects.inv /stable/objects.inv permanent + + # Place the brochure site at the top level. + @brochure file { + root {{ caddy.site_dir }}/mpl-brochure-site + try_files {path}.html {path} + } + rewrite / /mpl-brochure-site/index.html + rewrite @brochure /mpl-brochure-site{http.matchers.file.relative} + + # Finally try any of the versioned docs. + handle { + root * {{ caddy.site_dir }}/matplotlib.github.com + try_files {path}.html {path} + file_server + } + + # Use a custom 404 error page. 
+ handle_errors { + @notfound expression {http.error.status_code} == 404 + root * {{ caddy.site_dir }}/mpl-brochure-site + rewrite @notfound /404.html + file_server + } +} diff --git a/templates/webhook.env.j2 b/templates/webhook.env.j2 index 4ef6889..0e6967c 100644 --- a/templates/webhook.env.j2 +++ b/templates/webhook.env.j2 @@ -1,4 +1,4 @@ -SITE_DIR=/usr/share/caddy +SITE_DIR={{ caddy.site_dir }} {% for site, secret in webhook_secrets.items() %} WEBHOOK_{{ site | upper | replace('.', '_') | replace('-', '_') }}_SECRET={{secret}} {% endfor %}
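Review bot: Both site blocks fall back to `http://` whenever `caddy.tls_config` is undefined, so a renamed or mistyped variable would deploy the webhook endpoint and the main site without TLS instead of failing the play. If the cleartext branch is only meant for local testing, consider gating it on an explicit opt-in variable and otherwise emitting `{{ caddy.tls_config | mandatory }}` so a missing value aborts templating. The `@valid_webhook` matcher also only checks that `X-Hub-Signature-256` is present, which does not authenticate the request. A comment above that line would make this clear to the next reader, e.g. `# Presence check only; the service behind localhost:1234 must verify the HMAC.`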