From 43912af2560ef19c241a04fb208c31ebe030dae3 Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Tue, 28 Apr 2020 21:29:13 -0400
Subject: [PATCH] Wooo! No more infrastructure! (#282)
---
 .github/workflows/build-docker-images.yml | 2 -
 README.md | 16 ++----
 ansible/docker/daemon.json | 3 --
 ansible/hosts | 1 -
 ansible/playbook.yml | 65 -----------------------
 ansible/systemd/caddy.service | 18 -------
 caddy/Caddyfile | 21 --------
 caddy/Dockerfile | 27 ----------
 deploy | 6 ---
 9 files changed, 4 insertions(+), 155 deletions(-)
 delete mode 100644 ansible/docker/daemon.json
 delete mode 100644 ansible/hosts
 delete mode 100644 ansible/playbook.yml
 delete mode 100644 ansible/systemd/caddy.service
 delete mode 100644 caddy/Caddyfile
 delete mode 100644 caddy/Dockerfile
 delete mode 100755 deploy
diff --git a/.github/workflows/build-docker-images.yml b/.github/workflows/build-docker-images.yml
index f554f262..094539c2 100644
--- a/.github/workflows/build-docker-images.yml
+++ b/.github/workflows/build-docker-images.yml
@@ -23,8 +23,6 @@ jobs:
 strategy:
 matrix:
 IMAGE:
- - {TAG_NAME: "pyca/caddy", DOCKERFILE_PATH: "caddy"}
- - {TAG_NAME: "pyca/cryptography-runner-centos7", DOCKERFILE_PATH: "runners/centos7"}
 - {TAG_NAME: "pyca/cryptography-runner-centos8", DOCKERFILE_PATH: "runners/centos8"}
diff --git a/README.md b/README.md
index b0163d39..1b091e8e 100644
--- a/README.md
+++ b/README.md
@@ -1,17 +1,9 @@
 # Python Cryptographic Authority Infrastructure
-The [PyCA](https://github.com/pyca) operates a significant amount of
-infrastructure in the form of continuous integration. This repository holds the
-configuration for building the various docker containers we use in testing.
-
-## Ansible
-
-To run the ansible playbook you'll need your SSH public key in the server's
-`authorized_keys` and then you can run `./deploy`.
-
-Ansible is responsible for making sure Docker is running on the host,
-installing SystemD service files for Caddy, pulling the Caddy docker images, and
-making sure it's running.
+The [PyCA](https://github.com/pyca) has a significant amount of automation
+to support our robust continuous integration. This repository holds the
+configuration for building the various docker containers we use in testing,
+as well as OpenSSL binaries we use.
 ## Docker Containers
diff --git a/ansible/docker/daemon.json b/ansible/docker/daemon.json
deleted file mode 100644
index a19cbdb4..00000000
--- a/ansible/docker/daemon.json
+++ /dev/null
@@ -1,3 +0,0 @@
-{
- "storage-driver": "overlay2"
-}
diff --git a/ansible/hosts b/ansible/hosts
deleted file mode 100644
index 717fea95..00000000
--- a/ansible/hosts
+++ /dev/null
@@ -1 +0,0 @@
-cryptography.io
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
deleted file mode 100644
index 1c216c1a..00000000
--- a/ansible/playbook.yml
+++ /dev/null
@@ -1,65 +0,0 @@
----
-- hosts: "*"
- remote_user: root
- vars:
- services:
- - caddy
- # This variable is needed to tell docker swarm init what the
- # advertise address should be. bond0 is what we use for onmetal
- swarm_advertise_addr: bond0
- tasks:
- - name: install the docker configuration file
- copy:
- src: "docker/daemon.json"
- dest: "/etc/docker/daemon.json"
- notify:
- - restart docker
- - name: ensure docker is running
- service:
- name: docker
- state: started
- enabled: yes
- - name: install the python-docker package
- apt:
- name: python-docker
- state: present
- - name: pull the latest docker images
- docker_image:
- name: "{{ item }}"
- force: true
- with_items:
- - pyca/caddy
- notify:
- - restart caddy
- - name: install the systemd service files
- copy:
- src: "systemd/{{ item }}.service"
- dest: /etc/systemd/system/{{ item }}.service
- with_items: "{{ services }}"
- notify:
- - restart caddy
- - name: "ensure the services are running"
- systemd:
- name: "{{ item }}"
- state: started
- enabled: yes
- with_items: "{{ services }}"
- - command: docker info
- register: docker_info
- - name: "set up a single node docker swarm"
- # docker swarm needs a single address to advertise its existence.
- # Our server, however, has two addresses. By specifying an explicit
- # named interface on the server we make docker happy.
- command: "docker swarm init --advertise-addr {{ swarm_advertise_addr }}"
- when: "'Swarm: active' not in docker_info.stdout"
- handlers:
- - name: restart docker
- systemd:
- name: docker
- daemon_reload: yes
- state: restarted
- - name: restart caddy
- systemd:
- name: caddy
- daemon_reload: yes
- state: restarted
diff --git a/ansible/systemd/caddy.service b/ansible/systemd/caddy.service
deleted file mode 100644
index 7f8d8687..00000000
--- a/ansible/systemd/caddy.service
+++ /dev/null
@@ -1,18 +0,0 @@
-[Unit]
-Description=Caddy
-After=docker.service
-Requires=docker.service
-
-[Service]
-Restart=on-failure
-ExecStartPre=-/usr/bin/docker kill caddy
-ExecStartPre=-/usr/bin/docker rm caddy
-# The volume is to allow caddy to cache certs
-ExecStart=/usr/bin/docker run \
- --rm --read-only --tmpfs=/tmp \
- -p 443:443 -p 80:80 \
- -v caddy_certs:/.caddy \
- --name caddy pyca/caddy
-
-[Install]
-WantedBy=multi-user.target
diff --git a/caddy/Caddyfile b/caddy/Caddyfile
deleted file mode 100644
index 26d1163d..00000000
--- a/caddy/Caddyfile
+++ /dev/null
@@ -1,21 +0,0 @@
-(tls) {
- tls paul.l.kehrer@gmail.com
- header / {
- Strict-Transport-Security "max-age=31557600; includeSubDomains; preload"
- Expect-CT "enforce, max-age=31536000"
- }
-}
-
-cryptography.io {
- import tls
- proxy / https://cryptography.readthedocs.io {
- transparent
- header_upstream X-RTD-SLUG cryptography
- header_downstream Strict-Transport-Security "max-age=31557600; includeSubDomains; preload"
- }
-}
-
-www.cryptography.io {
- import tls
- redir / https://cryptography.io{uri} 301
-}
diff --git a/caddy/Dockerfile b/caddy/Dockerfile
deleted file mode 100644
index 8572d087..00000000
--- a/caddy/Dockerfile
+++ /dev/null
@@ -1,27 +0,0 @@
-FROM alpine:3.10
-MAINTAINER Paul Kehrer
-
-# Increment this to blow away the docker cache
-ENV CACHE_BUSTER 5
-
-RUN apk add --no-cache tar curl libcap
-
-RUN curl -sSL \
- --header "Accept: application/tar+gzip, application/x-gzip, application/octet-stream" \
- "https://caddyserver.com/download/linux/amd64?plugins=http.prometheus&license=personal" \
- | tar --no-same-owner -C /usr/bin/ -xz caddy
-RUN chmod 0755 /usr/bin/caddy
-RUN setcap cap_net_bind_service=+eip /usr/bin/caddy
-RUN /usr/bin/caddy -version
-RUN mkdir /.caddy
-RUN chown nobody:nobody /.caddy
-
-EXPOSE 80 443 2015
-
-ADD Caddyfile /etc/Caddyfile
-
-USER nobody
-
-ENTRYPOINT ["/usr/bin/caddy"]
-# -agree accepts the Let's Encrypt Terms of Service
-CMD ["--conf", "/etc/Caddyfile", "--log", "stdout", "-agree"]
diff --git a/deploy b/deploy
deleted file mode 100755
index 675c39dd..00000000
--- a/deploy
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-
-set -e
-set -x
-
-ansible-playbook -i ansible/hosts ansible/playbook.yml