gerbolyze fixes, clippy experiments

bootstrap_arch_container.yml

@@ -1,9 +1,9 @@
 ---
 - name: Set local path facts
   set_fact:
-    image: "/var/cache/containers/{{ container }}.img"
+    image: "/var/lib/machines/{{ container }}.img"
-    root: "/var/cache/containers/{{ container }}_root"
+    root: "/var/lib/machines/{{ container }}"
-    "{{container}}_root": "/var/cache/containers/{{ container }}_root"
+    "{{container}}_root": "/var/lib/machines/{{ container }}"
 
 - name: Create container image file
   command: truncate -s 4G "{{image}}"

clippy-nspawn.service

@@ -0,0 +1,36 @@
+#  SPDX-License-Identifier: LGPL-2.1+
+#
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+[Unit]
+Description=Clippy container
+PartOf=machines.target
+Before=machines.target
+After=network.target systemd-resolved.service
+RequiresMountsFor=/var/lib/machines
+
+[Service]
+ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --ephemeral --boot --network-veth --port=23:2342 -U --settings=override --machine=clippy
+KillMode=mixed
+Type=notify
+RestartForceExitStatus=133
+SuccessExitStatus=133
+WatchdogSec=3min
+Slice=machine.slice
+Delegate=yes
+TasksMax=512
+
+# Enforce a strict device policy, similar to the one nspawn configures when it
+# allocates its own scope unit. Make sure to keep these policies in sync if you
+# change them!
+DevicePolicy=closed
+DeviceAllow=/dev/net/tun rwm
+DeviceAllow=char-pts rw
+
+[Install]
+WantedBy=machines.target

clippy.service.j2

@@ -0,0 +1,9 @@
+[Unit]
+Description=Clippy listener daemon
+
+[Service]
+WorkingDirectory=/var/lib/clippy.git
+ExecStart=/usr/bin/python3 clippy.py -s -x 60x30 -e
+
+[Install]
+WantedBy=multi-user.target

playbook.yml

@@ -12,7 +12,7 @@
 
     - name: Install host requisites
       dnf:
-          name: nginx,uwsgi,python3-flask,python3-flask-wtf,uwsgi-plugin-python3,certbot,python3-certbot-nginx,libselinux-python
+          name: nginx,uwsgi,python3-flask,python3-flask-wtf,uwsgi-plugin-python3,certbot,python3-certbot-nginx,libselinux-python,git
           state: latest
 
     - name: Disable password-based root login
@@ -40,3 +40,6 @@
 
     - name: Setup gerboweb
       include_tasks: setup_gerboweb.yml
+
+    - name: Setup clippy
+      include_tasks: setup_clippy.yml

setup_clippy.yml

@@ -0,0 +1,69 @@
+---
+- name: Clone pixelterm git
+  git:
+    repo: https://github.com/jaseg/pixelterm
+    dest: "{{clippy_root}}/var/lib/pixelterm.git"
+
+- name: Clone clippy git
+  git:
+    repo: https://github.com/jaseg/clippy
+    dest: "{{clippy_root}}/var/lib/clippy.git"
+
+- name: Setup required packages for clippy
+  command: arch-chroot "{{clippy_root}}" pacman -Syu --noconfirm python3 python-pip python-numpy python-pillow
+
+- name: Setup pixelterm
+  command: arch-chroot "{{clippy_root}}" sh -c "cd /var/lib/pixelterm.git && python3 setup.py install"
+
+- name: Setup container clippy systemd service file
+  template:
+    src: clippy.service.j2
+    dest: "{{clippy_root}}/etc/systemd/system/clippy.service"
+    owner: root
+    group: root
+    mode: 0664
+
+- name: Enable systemd machines target
+  systemd:
+    name: machines.target
+    enabled: yes
+
+- name: Copy over clippy container auto boot service file
+  copy:
+    src: clippy-nspawn.service
+    dest: /etc/systemd/system/clippy-nspawn.service
+    owner: root
+    group: root
+    mode: 0664
+
+- name: Enable clippy container auto boot
+  systemd:
+    daemon-reload: yes
+    name: clippy-nspawn.service
+    enabled: yes
+
+- name: Restart clippy container
+  shell: |
+    systemctl stop clippy-nspawn
+    sleep 1
+    systemctl start clippy-nspawn
+    for x in $(seq 0 30); do
+      systemctl -M clippy is-system-running && exit
+      sleep 1
+    done
+
+- name: Enable clippy systemd service in container
+  command: systemctl enable -M clippy clippy.service
+
+- name: Restart clippy systemd service in container
+  command: systemctl restart -M clippy clippy.service
+
+#- name: Enable host networkd
+#  systemd:
+#    name: systemd-networkd
+#    enabled: yes
+#    state: started
+
+- name: Enable clippy container networkd
+  command: systemctl enable -M clippy systemd-networkd
+

setup_containers.yml

@@ -4,14 +4,6 @@
       name: btrfs-progs,arch-install-scripts,systemd-container,libselinux-python
       state: latest
 
-- name: Create container dir
-  file:
-    path: /var/cache/containers
-    owner: root
-    group: root
-    mode: 0775
-    state: directory
-
 - name: Create individual containers
   include_tasks: bootstrap_arch_container.yml
   with_items: "{{ containers }}"

uwsgi-app@.service

@@ -5,7 +5,8 @@ After=syslog.target
 [Service]
 ExecStart=/usr/sbin/uwsgi \
         --ini /etc/uwsgi.d/%i.ini \
-        --socket /run/uwsgi/%i.socket
+	--chmod-socket=660 \
+        --socket=/run/uwsgi/%i.socket
 User=uwsgi-%i
 Group=uwsgi
 Restart=on-failure

uwsgi-gerboweb.ini

@@ -1,10 +1,7 @@
 [uwsgi]
 master = True
 cheap = True
-idle = 600
+die-on-idle = False
-die-on-idle = True # If app is not used often, it will exit and be launched
-                   # again by systemd requested by users.
-
 manage-script-name = True
 plugins = python3
 chdir = /var/lib/gerboweb