    Add GeoIP domain for our sponsored mirrors · 9f65f99c
    Kristian Klausen authored
    We had a GeoIP mirror in the past based on nginx and its GeoIP module,
    but it didn't perform very well, due to the high latency (asking a
    central server for the package and then redirected to the closest
    mirror).
    
    One of the reasons for offering this service is so we can relieve
    mirror.pkgbuild.com which is burning a ton of traffic (50TB/month),
    likely due to it being the default mirror in our Docker image. Another
    reason is so we can offer a link to our arch-boxes images in libosinfo
    (used by gnome-boxes, virt-install and virt-manager), with good enough
    performance for most users.
    
    This time we take a different approach and use a DNS based solution,
    which means the latency penalty is only paid once (the first DNS
    request). The downside is that the mirrors must have a valid certificate
    for the same domain name, which makes using third-party mirrors a
    challenge. So for now, we are just using the sponsored mirrors
    controlled by the DevOps team.
    
    Fix #101
main.yml 1.14 KiB
- name: create ssl cert (HTTP-01)
  shell: |
    set -o pipefail
    # We can't start nginx without the certificate and we can't issue a certificate without nginx running.
    # So use Python built-in http.server for the initial certificate issuance
    python -m http.server --directory {{ letsencrypt_validation_dir }} 80 &
    trap "jobs -p | xargs --no-run-if-empty kill" EXIT
    certbot certonly --email {{ certificate_contact_email }} --agree-tos --rsa-key-size {{ certificate_rsa_key_size }} --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d {{ domains | join(' -d ') }}
  args:
    creates: '/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem'
  when: challenge | default(certificate_challenge) == "HTTP-01"

- name: create ssl cert (DNS-01)
  # DNS-01 needs no listening web server: certbot proves control of the name by
  # adding the validation record over RFC 2136 dynamic DNS with the credentials in rfc2136.ini
  command: certbot certonly --email {{ certificate_contact_email }} --agree-tos --rsa-key-size {{ certificate_rsa_key_size }} --renew-by-default --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d {{ domains | join(' -d ') }}
  args:
    creates: '/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem'
  when: challenge | default(certificate_challenge) == "DNS-01"
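The commit message notes the one operational constraint of a DNS-based GeoIP setup: every mirror the name can resolve to must present a certificate that validates for that name, otherwise clients steered to that mirror get a TLS failure. The script below is an added example, not code from the Arch Linux infrastructure repository. It checks that property the way a client would experience it: connect to each mirror by IP address with SNI set to the GeoIP name and let the default verification context judge the chain and hostname. The pure matching helpers (`dns_name_matches`, `cert_covers`) implement the usual SAN/wildcard rules so the logic can be exercised offline; the domain `geo.mirror.example.org`, the addresses and the sample certificate dict are constructed placeholders, not the project's real values.

```python
"""Audit the mirrors behind a GeoIP DNS name for a certificate valid for that
name.  Added example, not part of the archlinux infrastructure repository;
the domain, addresses and sample certificate below are constructed."""
import socket
import ssl
from typing import Dict, Iterable, List, Tuple


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName against a hostname the way TLS clients do:
    case-insensitive, trailing dot ignored, a single leading '*' covers exactly
    one label and never the bare parent domain.  Other wildcard forms are rejected."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" in hostname:
        return False
    if not pattern.startswith("*."):
        return "*" not in pattern and pattern == hostname
    suffix = pattern[1:]                      # "*.example.org" -> ".example.org"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]          # the part the wildcard has to cover
    return bool(label) and "." not in label


def san_dns_names(peercert: dict) -> List[str]:
    """Extract the dNSName SAN entries from the dict that SSLSocket.getpeercert() returns."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def cert_covers(san_names: Iterable[str], hostname: str) -> bool:
    """True if at least one SAN entry is valid for the hostname."""
    return any(dns_name_matches(name, hostname) for name in san_names)


def check_mirror(ip: str, geo_domain: str, port: int = 443, timeout: float = 5.0) -> Tuple[bool, str]:
    """Connect to one mirror by IP with SNI set to the GeoIP name and let the
    default context perform chain and hostname validation, which is exactly
    what a client sees once DNS has steered it to this address."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=geo_domain) as tls:
                names = san_dns_names(tls.getpeercert())
                return True, "valid for %s (SANs: %s)" % (geo_domain, ", ".join(names))
    except ssl.SSLCertVerificationError as exc:
        return False, "certificate rejected: %s" % exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return False, "connection failed: %s" % exc


def audit(geo_domain: str, mirror_ips: Iterable[str]) -> Dict[str, Tuple[bool, str]]:
    """Run check_mirror against every address the GeoIP name may hand out."""
    return {ip: check_mirror(ip, geo_domain) for ip in mirror_ips}


# Constructed stand-in for getpeercert() output, used for the offline demonstration.
SAMPLE_PEERCERT = {
    "subjectAltName": (
        ("DNS", "mirror1.example.org"),
        ("DNS", "*.mirror.example.org"),
        ("IP Address", "192.0.2.10"),
    )
}


if __name__ == "__main__":
    # Offline: would this certificate satisfy a client asking for the GeoIP name?
    print("sample cert covers geo.mirror.example.org:",
          cert_covers(san_dns_names(SAMPLE_PEERCERT), "geo.mirror.example.org"))
    # Live: assumed GeoIP name and mirror addresses; replace with the real ones.
    for ip, (ok, detail) in audit("geo.mirror.example.org", ["192.0.2.10", "198.51.100.20"]).items():
        print("%-16s %s %s" % (ip, "OK  " if ok else "FAIL", detail))
```

Connecting by IP with an explicit `server_hostname` is the important detail: resolving the GeoIP name yourself only tests the mirror nearest to where the audit runs, whereas iterating over the full address list covers every mirror the DNS answer can return to users elsewhere.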