From 3492360186d2b7551ce4a8d8fe36869a9c929d0d Mon Sep 17 00:00:00 2001
From: Evangelos Foutras <evangelos@foutrelis.com>
Date: Sat, 19 Mar 2022 17:52:29 +0200
Subject: [PATCH] common: use tier0 mirror on build servers + gemini

There is a need for build servers to never build against outdated repo
databases, even with syncrepo providing a local mirror that is updated
every minute. To that effect, we adjust mirrorlist on build servers so
the first mirror is the tier0 mirror provided by gemini.

Keep the syncrepo role on build servers in order to have a local cache
of packages and to avoid concurrent build jobs downloading the same
files, which causes them to be corrupted.

Finally, configure gemini to use its own repos (like other mirrors do).
---
 roles/common/templates/mirrorlist.j2      |  7 +++++--
 roles/dbscripts/templates/nginx.d.conf.j2 | 13 +++++++++----
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/roles/common/templates/mirrorlist.j2 b/roles/common/templates/mirrorlist.j2
index 2b6f0a692..ac61e1cd0 100644
--- a/roles/common/templates/mirrorlist.j2
+++ b/roles/common/templates/mirrorlist.j2
@@ -1,4 +1,7 @@
-{% if 'mirrors' in group_names or 'buildservers' in group_names %}
+{% if 'buildservers' in group_names %}
+Server = https://repos.archlinux.org/$repo/os/$arch
+{% endif %}
+{% if 'mirrors' in group_names or inventory_hostname == 'gemini.archlinux.org' %}
 Server = file:///srv/ftp/$repo/os/$arch
 {% endif %}
-Server = https://mirror.pkgbuild.com/$repo/os/$arch/
+Server = https://mirror.pkgbuild.com/$repo/os/$arch
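Review bot: On build servers the rendered list still ends with `Server = https://mirror.pkgbuild.com/$repo/os/$arch`, so when the tier0 entry fails (a refused request, an outage on gemini) pacman moves on to that mirror and a build can proceed against an older database, which is the case the commit message sets out to rule out. If the fallback is deliberate for availability, say so in the template with a comment such as `{# build servers: tier0 must stay first; the fallback below may lag behind it #}`; otherwise wrap the last line in `{% if 'buildservers' not in group_names %}` and `{% endif %}`. The new condition also drops `file:///srv/ftp` from the build-server list, so it is worth confirming that the syncrepo copy the description keeps is still consumed some other way.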
diff --git a/roles/dbscripts/templates/nginx.d.conf.j2 b/roles/dbscripts/templates/nginx.d.conf.j2
index 35dbca43c..64aff9214 100644
--- a/roles/dbscripts/templates/nginx.d.conf.j2
+++ b/roles/dbscripts/templates/nginx.d.conf.j2
@@ -14,8 +14,6 @@ server {
     ssl_certificate_key  /etc/letsencrypt/live/{{ repos_domain }}/privkey.pem;
     ssl_trusted_certificate /etc/letsencrypt/live/{{ repos_domain }}/chain.pem;
 
-    satisfy  any;
-
     access_log   /var/log/nginx/{{ repos_domain }}/access.log reduced;
     access_log   /var/log/nginx/{{ repos_domain }}/access.log.json json_reduced;
 
@@ -24,8 +22,15 @@ server {
     }
 
     location / {
+        satisfy any;
         auth_request /devel/mirrorauth/;
 
+        {% for host in groups['buildservers'] -%}
+        # {{ host }}
+        allow {{ hostvars[host]['ipv4_address'] }};
+        allow {{ hostvars[host]['ipv6_address'] }};
+        {% endfor %}
+
         autoindex  on;
     }
 
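Review bot: The `allow` lines in `location /` combined with `satisfy any` let any request whose source address belongs to a build server skip `auth_request /devel/mirrorauth/` entirely, so access to the tier0 repos is then bounded by who can originate traffic from those hosts rather than by archweb authentication. That trade-off deserves a comment above the loop, for example `# satisfy any: build-server addresses below bypass mirrorauth; all other clients must pass auth_request`. The list is fixed at render time, so a build server added to the inventory is refused until this role is re-run on gemini, and judging by the mirrorlist change in this commit it would then quietly use the next mirror. The loop also assumes every host in `groups['buildservers']` defines both `ipv4_address` and `ipv6_address`; if a host can lack one, guard the line with `{% if hostvars[host]['ipv6_address'] is defined %}` so the template does not fail or emit an empty `allow`. The enclosing `server` block starts and ends outside this hunk.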
@@ -50,7 +55,7 @@ server {
 
         # Authentication to archweb
         proxy_pass https://archlinux.org;
-	proxy_ssl_verify on;
-	proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+        proxy_ssl_verify on;
+        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
     }
 }
-- 
GitLab