Merge branch 'mirrors-http3' into 'master'

Enable HTTP/3 for the mirrors

See merge request !872

group_vars/mirrors/misc.yml

@@ -3,3 +3,5 @@ archweb_db_host: "{{ hostvars['archlinux.org']['wireguard_address'] }}"
 # raise tcp window limits to 32MiB
 tcp_rmem: "10240 87380 33554432"
 tcp_wmem: "10240 87380 33554432"
+
+nginx_enable_http3: true

roles/geo_dns/templates/geo.yml.j2

@@ -24,6 +24,17 @@ domains:
               AAAA "ifurlup('https://{{ domain }}{{ geo_options[domain]['health_check_path'] | default('/') }}',
               {'{{ hosts | map('extract', hostvars, ['ipv6_address']) | join("', '") }}'},
               {selector='pickclosest', useragent='pdns on {{ inventory_hostname }}'})"
+        - lua:
+            ttl: 300
+            content: >
+              HTTPS "'1 . alpn=h2,h3 ipv4hint=' ..
+              ifurlup('https://{{ domain }}{{ geo_options[domain]['health_check_path'] | default('/') }}',
+              {'{{ hosts | map('extract', hostvars, ['ipv4_address']) | join("', '") }}'},
+              {selector='pickclosest', useragent='pdns on {{ inventory_hostname }}'})[1] ..
+              ' ipv6hint=' ..
+              ifurlup('https://{{ domain }}{{ geo_options[domain]['health_check_path'] | default('/') }}',
+              {'{{ hosts | map('extract', hostvars, ['ipv6_address']) | join("', '") }}'},
+              {selector='pickclosest', useragent='pdns on {{ inventory_hostname }}'})[1]"
       _acme-challenge.{{ domain }}:
         - ns: {{ geo_acme_dns_challenge_ns }}
   {% endfor %}

roles/prometheus/defaults/main.yml

@@ -97,8 +97,10 @@ blackbox_targets:
     - lists.archlinux.org:25
   geo_dns_geo.mirror.pkgbuild.com_a: "{{ groups['geo_mirrors'] }}"
   geo_dns_geo.mirror.pkgbuild.com_aaaa: "{{ groups['geo_mirrors'] }}"
+  geo_dns_geo.mirror.pkgbuild.com_https: "{{ groups['geo_mirrors'] }}"
   geo_dns_riscv.mirror.pkgbuild.com_a: "{{ groups['geo_mirrors'] }}"
   geo_dns_riscv.mirror.pkgbuild.com_aaaa: "{{ groups['geo_mirrors'] }}"
+  geo_dns_riscv.mirror.pkgbuild.com_https: "{{ groups['geo_mirrors'] }}"
 matrix_metrics_endpoints:
   - homeserver
   - appservice

roles/prometheus_exporters/templates/blackbox.yml.j2

@@ -47,4 +47,13 @@ modules:
       validate_answer_rrs:
         fail_if_not_matches_regexp:
           - {{ domain | replace('.', '\.') }}\.\t.*\tIN\tAAAA\t({{ hosts | map('extract', hostvars, ['ipv6_address']) | join('|') }})
+  geo_dns_{{ domain }}_https:
+    prober: dns
+    timeout: 5s
+    dns:
+      query_name: {{ domain }}
+      query_type: HTTPS
+      validate_answer_rrs:
+        fail_if_not_matches_regexp:
+          - {{ domain | replace('.', '\.') }}\.\t.*\tIN\tHTTPS\t1 \. alpn="h2,h3" ipv4hint="({{ hosts | map('extract', hostvars, ['ipv4_address']) | join('|') | replace('.', '\.') }})" ipv6hint="({{ hosts | map('extract', hostvars, ['ipv6_address']) | join('|') }})"
   {% endfor %}

tf-stage1/archlinux.tf

@@ -119,6 +119,7 @@ locals {
       server_type = "cx22"
       domain      = "mirror"
       zone        = hetznerdns_zone.pkgbuild.id
+      http3       = true
     }
     "monitoring.archlinux.org" = {
       server_type = "cx32"
@@ -281,6 +282,7 @@ locals {
     rsync = {
       ipv4_address = "168.119.141.106"
       ipv6_address = "2a01:4f8:251:598::"
+      http3        = true
     }
     runner1 = {
       ipv4_address = "138.199.19.15"
@@ -355,38 +357,47 @@ locals {
     "america.mirror" = {
       ipv4_address = "143.244.34.62"
       ipv6_address = "2a02:6ea0:cc0e::2"
+      http3        = true
     }
     "america.archive" = {
       ipv4_address = "143.244.34.62"
       ipv6_address = "2a02:6ea0:cc0e::2"
+      http3        = true
     }
     "asia.mirror" = {
       ipv4_address = "84.17.57.98"
       ipv6_address = "2a02:6ea0:d605::2"
+      http3        = true
     }
     "asia.archive" = {
       ipv4_address = "84.17.57.98"
       ipv6_address = "2a02:6ea0:d605::2"
+      http3        = true
     }
     "europe.mirror" = {
       ipv4_address = "89.187.191.12"
       ipv6_address = "2a02:6ea0:c237::2"
+      http3        = true
     }
     "europe.archive" = {
       ipv4_address = "89.187.191.12"
       ipv6_address = "2a02:6ea0:c237::2"
+      http3        = true
     }
     "london.mirror" = {
       ipv4_address = "185.73.44.89"
       ipv6_address = "2001:ba8:0:4030::2"
+      http3        = true
     }
     "seoul.mirror" = {
       ipv4_address = "145.40.87.75"
       ipv6_address = "2604:1380:11:2600::1"
+      http3        = true
     }
     "sydney.mirror" = {
       ipv4_address = "147.75.48.159"
       ipv6_address = "2604:1380:40f1:6a00::1"
+      http3        = true
     }
     repro2 = {
       ipv4_address = "212.102.38.209"