syncriscv: add role for mirroring the RISC-V port

Going to be served by all our Geo boxes under riscv.mirror.pkgbuild.com.

group_vars/all/geo.yml

 geo_acme_dns_challenge_ns: redirect.archlinux.org
 geo_domains:
   - geo.mirror.pkgbuild.com
+  - riscv.mirror.pkgbuild.com
 # geo_options.*.hosts defaults to "{{ groups['geo_mirrors'] }}"
 geo_options:
   geo.mirror.pkgbuild.com:
     health_check_path: /lastupdate
+  riscv.mirror.pkgbuild.com:
+    health_check_path: /.status/lastupdate.txt

group_vars/geo_mirrors/misc.yml

 certbot_dns_support: true
-geo_mirror_domain: "geo.mirror.pkgbuild.com"
+geo_mirror_domain: geo.mirror.pkgbuild.com
+riscv_mirror_domain: riscv.mirror.pkgbuild.com

playbooks/mirrors.yml

@@ -11,6 +11,7 @@
     - { role: nginx }
     - { role: syncrepo, tags: ['nginx'] }
     - { role: syncdebug, when: mirror_debug_packages is not defined or mirror_debug_packages }
+    - { role: syncriscv, when: riscv_mirror_domain is defined }
     - { role: archweb, when: archweb_mirrorcheck_locations is defined, archweb_site: false, archweb_services: false, archweb_mirrorcheck: true }
     - { role: prometheus_exporters }
     - { role: promtail }

roles/prometheus/defaults/main.yml

@@ -16,6 +16,9 @@ blackbox_targets:
     - targets: "{{ groups['geo_mirrors'] }}"
       hostname: geo.mirror.pkgbuild.com
       secure: true
+    - targets: "{{ groups['geo_mirrors'] }}"
+      hostname: riscv.mirror.pkgbuild.com
+      secure: true
     - http://{{ hostvars['monitoring.archlinux.org']['wireguard_address'] }}
 
     # regenerate the list below with: ./misc/find-arch-on-crt.sh targets
@@ -83,6 +86,8 @@ blackbox_targets:
     - lists.archlinux.org:25
   geo_dns_geo.mirror.pkgbuild.com_a: "{{ groups['geo_mirrors'] }}"
   geo_dns_geo.mirror.pkgbuild.com_aaaa: "{{ groups['geo_mirrors'] }}"
+  geo_dns_riscv.mirror.pkgbuild.com_a: "{{ groups['geo_mirrors'] }}"
+  geo_dns_riscv.mirror.pkgbuild.com_aaaa: "{{ groups['geo_mirrors'] }}"
 matrix_metrics_endpoints:
   - homeserver
   - appservice

roles/syncriscv/files/syncriscv

+#!/bin/bash
+
+target="/srv/riscv"
+lock="/var/lock/syncriscv.lck"
+source_url='rsync://archriscv.felixc.at/archriscv'
+lastupdate_url='https://archriscv.felixc.at/.status/lastupdate.txt'
+
+[ ! -d "${target}" ] && mkdir -p "${target}"
+
+exec 9>"${lock}"
+flock -n 9 || exit
+
+rsync_cmd() {
+	local -a cmd=(rsync -rlptH --safe-links --delete-delay --delay-updates
+		"--timeout=600" "--contimeout=60" --no-motd)
+
+	if stty &>/dev/null; then
+		cmd+=(-h -v --progress)
+	else
+		cmd+=("--info=name1")
+	fi
+
+	"${cmd[@]}" "$@"
+}
+
+# if we are called without a tty (cronjob) only run when there are changes
+if ! tty -s && [[ -f "$target/.status/lastupdate.txt" ]] && diff -b <(curl -Ls "$lastupdate_url") "$target/.status/lastupdate.txt" >/dev/null; then
+	exit 0
+fi
+
+rsync_cmd "${source_url}" "${target}"

roles/syncriscv/files/syncriscv.service

+[Unit]
+Description=Synchronize RISC-V mirror
+RequiresMountsFor=/srv/riscv
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/syncriscv
+Nice=19
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7

roles/syncriscv/files/syncriscv.timer

+[Unit]
+Description=Minutely RISC-V mirror sync
+
+[Timer]
+OnCalendar=minutely
+AccuracySec=1m
+Persistent=true
+
+[Install]
+WantedBy=timers.target

roles/syncriscv/tasks/main.yml

+- name: Create ssl cert
+  include_role:
+    name: certificate
+  vars:
+    domains: ["{{ riscv_mirror_domain }}"]
+    challenge: "DNS-01"
+
+- name: Install rsync
+  pacman: name=rsync state=present
+
+- name: Install syncriscv script
+  copy: src=syncriscv dest=/usr/local/bin/syncriscv owner=root group=root mode=0755
+
+- name: Install syncriscv units
+  copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
+  with_items:
+    - syncriscv.timer
+    - syncriscv.service
+
+- name: Start and enable syncriscv timer
+  systemd: name=syncriscv.timer enabled=yes state=started daemon_reload=yes
+
+- name: Set up nginx
+  template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/riscv.conf owner=root group=root mode=0644
+  notify: Reload nginx
+  tags: ['nginx']
+
+- name: Make nginx log dir
+  file: path=/var/log/nginx/{{ riscv_mirror_domain }} state=directory owner=root group=root mode=0755

roles/syncriscv/templates/nginx.d.conf.j2

+server {
+    listen       80;
+    listen       [::]:80;
+    listen       443 ssl http2;
+    listen       [::]:443 ssl http2;
+    server_name  {{ riscv_mirror_domain }};
+    root         /srv/riscv;
+
+    access_log   /var/log/nginx/{{ riscv_mirror_domain }}/access.log reduced;
+    access_log   /var/log/nginx/{{ riscv_mirror_domain }}/access.log.json json_reduced;
+    error_log    /var/log/nginx/{{ riscv_mirror_domain }}/error.log;
+
+    include snippets/letsencrypt.conf;
+
+    ssl_certificate      /etc/letsencrypt/live/{{ riscv_mirror_domain }}/fullchain.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/{{ riscv_mirror_domain }}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ riscv_mirror_domain }}/chain.pem;
+
+    add_header X-Served-By "{{ inventory_hostname }}";
+
+    autoindex on;
+}

tf-stage1/archlinux.tf

@@ -409,6 +409,10 @@ locals {
       name = "geo.mirror"
       zone = hetznerdns_zone.pkgbuild.id
     }
+    "riscv.mirror.pkgbuild.com" = {
+      name = "riscv.mirror"
+      zone = hetznerdns_zone.pkgbuild.id
+    }
   }
 }