Cleanup orion references

Orion has been replaced by gemini and for mail by mail.archlinux.org

README.md

@@ -96,7 +96,7 @@ set up.
 
 #### SMTP Configuration
 
-All hosts should be relaying email through our primary mx host (currently 'orion'). See [docs/email.md](./docs/email.md) for full details.
+All hosts should be relaying email through our primary mx host (currently 'mail.archlinux.org'). See [docs/email.md](./docs/email.md) for full details.
 
 #### Note about opendkim
 
@@ -144,7 +144,7 @@ The following steps should be used to update our managed servers:
 
 ## Servers
 
-### orion
+### gemini
 
 #### Services
   - repos/sync (repos.archlinux.org)

docs/email.md

@@ -5,11 +5,11 @@ SMTP port: 587 STARTTLS
 IMAP port: 143 (STARTTLS), 993 (TLS)
 
 username: the system account name
-password: set by each user themselves with `passwd` on orion
+password: set by each user themselves with `passwd` on mail.archlinux.org
 
 # Adding new archlinux.org email addresses
 
-Login to orion and edit `/etc/postfix/users`, add the new email address in the
+Login to mail.archlinux.org and edit `/etc/postfix/users`, add the new email address in the
 appropriate category and run `postmap /etc/postfix/users`.
 
 If the user wants to forward email, either enter the destination directly in
@@ -19,7 +19,7 @@ into `~username/.forward` so that they can edit it themselves.
 # SMTP Architecture
 
 All hosts should be relaying outbound SMTP traffic via our primary MX server
-(currently 'orion'). Each hosts authenticates using SASL over a TLS connection
+(currently 'mail.archlinux.org'). Each hosts authenticates using SASL over a TLS connection
 to the server. This gives us several benefits:
 
 1. DKIM signing can be done centrally.
@@ -31,15 +31,15 @@ to the server. This gives us several benefits:
 
 When a new host is provisioned:
 
-- The *postfix* role has a task delegated to 'orion' to create a local user
-  on 'orion' that is used for the new server to authenticate against. The user
+- The *postfix* role has a task delegated to 'mail.archlinux.org' to create a local user
+  on 'mail.archlinux.org' that is used for the new server to authenticate against. The user
   name is the shortname of the new servers hostname (ie, "foobar.archlinux.org"
   will authenticate with the username "foobar")
-- You will need to run the *postfwd* role against orion to update the
+- You will need to run the *postfwd* role against mail.archlinux.org to update the
   rate-limiting it performs (servers are given higher rate-limits than normal
   users - see `/etc/postfwd/postfwd.cf` for exact limits). This *should*
   happen automatically as the *postfwd* role is a dependency of the *postfix*
-  role (using `delegate_to` to run it against 'orion' regardless of the target
+  role (using `delegate_to` to run it against 'mail.archlinux.org' regardless of the target
   host that the postfix role is being run on)
 - Any services on the new host that need to relay mail should relay using SMTP
   to `localhost` on port 10027 which bypasses any filtering/restrictions that

docs/ssh-hostkeys.txt

@@ -185,17 +185,6 @@
 256 MD5:fe:a1:ab:4d:f6:5d:76:f9:a3:99:be:fd:51:ee:77:ed root@archlinux-packer (ED25519)
 3072 MD5:ad:ee:a6:6d:b7:9b:f0:f7:78:9f:df:b4:53:2e:5f:9f root@archlinux-packer (RSA)
 
-# orion.archlinux.org
-1024 SHA256:Y7XP+fTQZAEDgmCHuSqFc0MmNUmCPJYRZs/7iq6viK8 root@mnt (DSA)
-256 SHA256:2gH/IGaZ/pOnpt4+VY0twd4+hUOraUWRceJiNQxnbxs root@mnt (ECDSA)
-256 SHA256:G4mz3jsK8XZymCDjUE7TKhA3Kz/eC+q4gHlnhCWyVB4 root@mnt (ED25519)
-2048 SHA256:PxFPKc82M5wShxNX+62FmZPKJBACz4n7epevqEDOUUw root@mnt (RSA)
-
-1024 MD5:67:a7:23:42:0c:22:74:30:ea:e2:89:4a:68:8c:a7:d6 root@mnt (DSA)
-256 MD5:47:ce:6f:89:fa:06:ab:d5:94:e1:e1:95:94:40:68:5c root@mnt (ECDSA)
-256 MD5:95:53:ec:52:c3:78:e8:5d:43:c6:2f:bc:d9:7e:9a:4c root@mnt (ED25519)
-2048 MD5:ff:9d:c3:b0:ee:c9:89:32:72:0c:d8:fb:cc:5d:ae:75 root@mnt (RSA)
-
 # phrik.archlinux.org
 1024 SHA256:+482UWH5/pSMZ8VoIgkGZxGOm1tZ72rI5RrZsnQHDVk root@archlinux-packer (DSA)
 256 SHA256:qL+sG+DBwRKII1uPVcFHKQUfQNd7sW0x6iop6/Ki1Og root@archlinux-packer (ECDSA)

docs/ssh-known_hosts.txt

@@ -83,11 +83,6 @@ monitoring.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAA
 monitoring.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJCU4tNW4WHTQ43+HBbho/sbsU3BCzildSOziaJrVNvE
 monitoring.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDVAMU3iku88nPDAKjB++je4RRRkotwNdJEhRcO45Ujslhbq67D6BwcnaliR0ekZuhkQFs13dTNVGeb1VqN3I/wHVaECsd/Gz7Q2M5Ki2CqdUR8ztGaW/eWpY9r8Yk+h/fWdnZdnJPYhk7uZftJI9buqyqpkthvjQy9fZ2wyOb/BAk+7BYUdclcvCEMlW9HQljpgmj7snjTpMYMN0t3U7X3xydcOO6PwNIoSikufuMmbtCqtsUx/Xl1mVU2Xi584L8arjoKn9a4OjMUDorqAlFLeco6bWn5XEdfim6e+W55ZKg333j4KGMBFVW5Dk5mZGKfykalq4WONMe3nu0m4EqYFA/rGG/smliqjxCbWu9N6eDw1gKYOeq5gzx7ppQ9zL3BjL3gl+AbeUckxNCQ+zM66amZC6GmciiMq+hnpqeTUhocaGeriGVda4vO+IlCp4Wwx1zqcCZaHyzt/eIWT9DuXDqHq4gAshluGUR0gFTJ/0qhrYxQA/dW681LE3r9YLE=
 
-# orion.archlinux.org
-orion.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEUvsQlT7TI/DGKE3A5/afV+xuQiWCcuTK0Y1CpCDBRkEnHg0rQ8839FyucEr9H+GWZYqrYVFdznJ0ZOPXXVotc=
-orion.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEydv62bdTz7uziep+BVCYsI4cW7dI8JcLVY0/Xdg41W
-orion.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtVZGG7DxZQs7Lrfv55nghvQl43iMq26kZMYQvqdelLj53veXPzcrS7G5/WpAqtIg0RzXEGdH7ceNxus4t9IDp1PyzUnjumZMd39URcQ6C2yQqT0xKinHywilyowikkDwlEKwqSgGZ9FfBrJcj9497wrZ74LPfC0JNyqbQy+Hlq2eISSmm6UF1SFmVuGtPi8xHUFdjC2RJQUjnAlh1a28laOjTBrFbj7yQBbzV85Y63L2aeUCjrwC7arHizq5pK6hxJNkKViAR2v2Smsems7lbj/0b7/+uq8PqzQtNUhsMFQjcbHrcQq3L5+rZ452GkMlDoVcBa4qoT2ItM3mAS4xx
-
 # phrik.archlinux.org
 phrik.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHHPJ79o6go5pRmE5eoeHe6kS9gM7Nsx///MA/tpmyqY/8ktgYu6MTnvSYKdgF1O4oSTfsU5mc7grpq7Qsl8+tA=
 phrik.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO45OY6f+b4KyFq13PyxjN/EcU11cgVZ1CrQZN2hGP0h

host_vars/orion.archlinux.org/misc

----
-hostname: "orion"
-ipv4_address: "88.198.91.70"
-ipv4_netmask: "/32"
-ipv6_address: "2a01:4f8:160:6087::1"
-ipv6_netmask: "/128"
-ipv4_gateway: "88.198.91.65"
-ipv6_gateway: "fe80::1"
-filesystem: btrfs
-system_disks:
-  - /dev/sda
-  - /dev/sdb
-
-# raise tcp window limits to 32MiB
-tcp_rmem: "10240 87380 33554432"
-tcp_wmem: "10240 87380 33554432"
-
-mail_domain: "mail.archlinux.org"
-
-zabbix_agent_templates:
-  - Template OS Linux
-  - Template App Borg Backup
-  - Template App Nginx
-  - Template App Archive
-
-fail2ban_jails:
-  sshd: true
-  postfix: true
-  dovecot: true

host_vars/orion.archlinux.org/wiki-bouncehandler

-$ANSIBLE_VAULT;1.1;AES256
-39396466326266613063333338356431653461636562643535363038613865343230303430363564
-3632646531646565336366396635353834633939316237610a343933366465663939303930376339
-37363636363531323866653962353335613366333137343737316639323661636363633364346138
-6462666365626134660a313632636537663137386437343662383335616665393561356165613333
-38353364356238386364303065343333636463333234326234643332343137373639366130656335
-64633533363034303664633435653937633566303537666164306130383738386235633232623965
-38663164633230613432356266313135383838343331326534353365656432376463313366356231
-61656338623134636265356561313630353935633037306430376430383034313631303538336637
-33623733376363366336373337366663356434303931313132356164643334363630333834313665
-32356336643436653763346333326432616438313530316530353937306237376563313032373333
-34353763396166636161633036343935356334353335623034383238316532663930613864623335
-61666165376662633934336232633634643961363064356566626235653530643261643039336436
-62616438376161643930613063323739393237383563646630373430373734386430353933353433
-35646463633034613166623233623164363638636533623037303465346239623962343337646665
-31363065306539383066386362613635346431333135326461636136336232643030336464613430
-35376537386236353236

hosts

 [hetzner]
-orion.archlinux.org
 apollo.archlinux.org
 luna.archlinux.org
 dragon.archlinux.org
@@ -20,7 +19,6 @@ repro3.pkgbuild.com
 mirror.pkgbuild.com
 
 [borg_clients]
-orion.archlinux.org
 apollo.archlinux.org
 luna.archlinux.org
 state.archlinux.org
@@ -62,7 +60,6 @@ accounts.archlinux.org
 [nginx]
 apollo.archlinux.org
 luna.archlinux.org
-orion.archlinux.org
 bbs.archlinux.org
 bugs.archlinux.org
 aur.archlinux.org

playbooks/apollo.yml

@@ -4,15 +4,15 @@
   hosts: apollo.archlinux.org
   tasks:
       - name: assign ipv4 addresses to fact postgres_ssl_hosts4
-        set_fact: postgres_ssl_hosts4="{{ [orion4] + detected_ips }}"
+        set_fact: postgres_ssl_hosts4="{{ [gemini4] + detected_ips }}"
         vars:
-            orion4: "{{ hostvars['gemini.archlinux.org']['ipv4_address'] }}/32"
+            gemini4: "{{ hostvars['gemini.archlinux.org']['ipv4_address'] }}/32"
             detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv4_address']) | select() | map('regex_replace', '^(.+)$', '\\1/32') | list }}"
         tags: ["postgres", "firewall"]
       - name: assign ipv6 addresses to fact postgres_ssl_hosts6
-        set_fact: postgres_ssl_hosts6="{{ [orion6] + detected_ips }}"
+        set_fact: postgres_ssl_hosts6="{{ [gemini6] + detected_ips }}"
         vars:
-            orion6: "{{ hostvars['gemini.archlinux.org']['ipv6_address'] }}/128"
+            gemini6: "{{ hostvars['gemini.archlinux.org']['ipv6_address'] }}/128"
             detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv6_address']) | select() | map('regex_replace', '^(.+)$', '\\1/128') | list }}"
         tags: ["postgres", "firewall"]
 

playbooks/luna.yml

@@ -30,4 +30,4 @@
     - { role: mariadb, mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: True }
 # luna is hosting mailman lists; this postfix role does not cater to this yet
 # TODO: make postfix role handle mailman config?
-#    - { role: postfix, tags: ["postfix"], postfix_relayhost: "orion.archlinux.org" }
+#    - { role: postfix, tags: ["postfix"], postfix_relayhost: "mail.archlinux.org" }

playbooks/orion.yml

----
-
-- name: setup orion
-  hosts: orion.archlinux.org
-  remote_user: root
-  roles:
-    - { role: common }
-    - { role: tools }
-    - { role: sshd }
-    - { role: root_ssh }
-    - { role: borg_client, tags: ['borg'] }
-    - { role: opendkim, dkim_selector: orion, tags: ['mail'] }
-    - { role: dovecot }
-    - { role: rspamd, tags: ["mail"] }
-    - { role: unbound, tags: ["mail"] }
-    - { role: postfwd, tags: ['mail'] }
-    - { role: postfix, postfix_server: true, postfix_smtpd_public: true, tags: ['mail'] }
-    - { role: archusers }
-    - { role: certbot }
-    - { role: nginx }
-    - sogrep
-    - { role: sudo, tags: ['archusers'] }
-    - { role: archweb, archweb_site: false, archweb_services: false, archweb_donor_import: true, archweb_mirrorcheck_locations: [5, 6] }
-    - { role: fail2ban }

roles/archusers/tasks/main.yml

@@ -34,7 +34,7 @@
   find: paths="/home" file_type="directory"
   register: all_users
 
-  # TODO: this removes the keys of svn-packages and svn-community on orion temporarily. add some form of whitelist for those users?
+  # TODO: this removes the keys of svn-packages and svn-community on gemini temporarily. add some form of whitelist for those users?
 - name: disable ssh keys of disabled users
   file: path="/home/{{ item }}/.ssh/authorized_keys" state=absent
   when: item not in arch_users

roles/postfix/meta/main.yml

 dependencies:
   - role: postfwd
-    delegate_to: orion.archlinux.org
+    delegate_to: mail.archlinux.org

roles/postfwd/templates/postfwd.cf.j2

 # lower rate limit for certain authenticated users
 &&SASL_WHITELIST {
-	# other servers relay via orion using authentication. username is the
+	# other servers relay via mail.archlinux.org using authentication. username is the
 	# hostname part of the fqdn
 {% for host in groups['all'] %}
 	sasl_username={{ hostvars[host].inventory_hostname_short }}

roles/unbound/templates/unbound.conf.j2

@@ -8,13 +8,3 @@ server:
 
 remote-control:
 	control-enable: yes
-
-
-{% if inventory_hostname == "orion.archlinux.org" %}
-# nszero1.axc.nl "rate-limits" but in reality blocks our Hetzner connections from orion.
-forward-zone:
-	name: "vdwaa.nl"
-	forward-addr: 8.8.8.8
-	forward-addr: 1.1.1.1
-	forward-first: yes
-{% endif %}