Commit 493f9a58 authored by Jelle van der Waa's avatar Jelle van der Waa 🚧 Committed by Jelle van der Waa

Cleanup orion references

Orion has been replaced by gemini and for mail by mail.archlinux.org
parent 66954600
Pipeline #3128 passed with stage
in 32 seconds
......@@ -96,7 +96,7 @@ set up.
#### SMTP Configuration
All hosts should be relaying email through our primary mx host (currently 'orion'). See [docs/email.md](./docs/email.md) for full details.
All hosts should be relaying email through our primary mx host (currently 'mail.archlinux.org'). See [docs/email.md](./docs/email.md) for full details.
#### Note about opendkim
......@@ -144,7 +144,7 @@ The following steps should be used to update our managed servers:
## Servers
### orion
### gemini
#### Services
- repos/sync (repos.archlinux.org)
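Review bot: Renaming the `### orion` heading to `### gemini` leaves the service list beneath it unchanged; confirm each listed service (e.g. repos/sync) actually runs on gemini now, and consider a separate section for mail.archlinux.org, since the commit message says mail moved there rather than to gemini.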
......
......@@ -5,11 +5,11 @@ SMTP port: 587 STARTTLS
IMAP port: 143 (STARTTLS), 993 (TLS)
username: the system account name
password: set by each user themselves with `passwd` on orion
password: set by each user themselves with `passwd` on mail.archlinux.org
# Adding new archlinux.org email addresses
Login to orion and edit `/etc/postfix/users`, add the new email address in the
Login to mail.archlinux.org and edit `/etc/postfix/users`, add the new email address in the
appropriate category and run `postmap /etc/postfix/users`.
If the user wants to forward email, either enter the destination directly in
......@@ -19,7 +19,7 @@ into `~username/.forward` so that they can edit it themselves.
# SMTP Architecture
All hosts should be relaying outbound SMTP traffic via our primary MX server
(currently 'orion'). Each hosts authenticates using SASL over a TLS connection
(currently 'mail.archlinux.org'). Each hosts authenticates using SASL over a TLS connection
to the server. This gives us several benefits:
1. DKIM signing can be done centrally.
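Review bot: Pre-existing grammar on the changed line: "Each hosts authenticates" should read "Each host authenticates"; worth fixing while the line is being touched anyway.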
......@@ -31,15 +31,15 @@ to the server. This gives us several benefits:
When a new host is provisioned:
- The *postfix* role has a task delegated to 'orion' to create a local user
on 'orion' that is used for the new server to authenticate against. The user
- The *postfix* role has a task delegated to 'mail.archlinux.org' to create a local user
on 'mail.archlinux.org' that is used for the new server to authenticate against. The user
name is the shortname of the new servers hostname (ie, "foobar.archlinux.org"
will authenticate with the username "foobar")
- You will need to run the *postfwd* role against orion to update the
- You will need to run the *postfwd* role against mail.archlinux.org to update the
rate-limiting it performs (servers are given higher rate-limits than normal
users - see `/etc/postfwd/postfwd.cf` for exact limits). This *should*
happen automatically as the *postfwd* role is a dependency of the *postfix*
role (using `delegate_to` to run it against 'orion' regardless of the target
role (using `delegate_to` to run it against 'mail.archlinux.org' regardless of the target
host that the postfix role is being run on)
- Any services on the new host that need to relay mail should relay using SMTP
to `localhost` on port 10027 which bypasses any filtering/restrictions that
......
......@@ -185,17 +185,6 @@
256 MD5:fe:a1:ab:4d:f6:5d:76:f9:a3:99:be:fd:51:ee:77:ed root@archlinux-packer (ED25519)
3072 MD5:ad:ee:a6:6d:b7:9b:f0:f7:78:9f:df:b4:53:2e:5f:9f root@archlinux-packer (RSA)
# orion.archlinux.org
1024 SHA256:Y7XP+fTQZAEDgmCHuSqFc0MmNUmCPJYRZs/7iq6viK8 root@mnt (DSA)
256 SHA256:2gH/IGaZ/pOnpt4+VY0twd4+hUOraUWRceJiNQxnbxs root@mnt (ECDSA)
256 SHA256:G4mz3jsK8XZymCDjUE7TKhA3Kz/eC+q4gHlnhCWyVB4 root@mnt (ED25519)
2048 SHA256:PxFPKc82M5wShxNX+62FmZPKJBACz4n7epevqEDOUUw root@mnt (RSA)
1024 MD5:67:a7:23:42:0c:22:74:30:ea:e2:89:4a:68:8c:a7:d6 root@mnt (DSA)
256 MD5:47:ce:6f:89:fa:06:ab:d5:94:e1:e1:95:94:40:68:5c root@mnt (ECDSA)
256 MD5:95:53:ec:52:c3:78:e8:5d:43:c6:2f:bc:d9:7e:9a:4c root@mnt (ED25519)
2048 MD5:ff:9d:c3:b0:ee:c9:89:32:72:0c:d8:fb:cc:5d:ae:75 root@mnt (RSA)
# phrik.archlinux.org
1024 SHA256:+482UWH5/pSMZ8VoIgkGZxGOm1tZ72rI5RrZsnQHDVk root@archlinux-packer (DSA)
256 SHA256:qL+sG+DBwRKII1uPVcFHKQUfQNd7sW0x6iop6/Ki1Og root@archlinux-packer (ECDSA)
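Review bot: Only the orion fingerprints are removed; if mail.archlinux.org is the replacement mail host, its host-key fingerprints should be added to this list in the same change so admins can verify the host on first connection instead of trusting it blindly.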
......
......@@ -83,11 +83,6 @@ monitoring.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAA
monitoring.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJCU4tNW4WHTQ43+HBbho/sbsU3BCzildSOziaJrVNvE
monitoring.archlinux.org ssh-rsa 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
# orion.archlinux.org
orion.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEUvsQlT7TI/DGKE3A5/afV+xuQiWCcuTK0Y1CpCDBRkEnHg0rQ8839FyucEr9H+GWZYqrYVFdznJ0ZOPXXVotc=
orion.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEydv62bdTz7uziep+BVCYsI4cW7dI8JcLVY0/Xdg41W
orion.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtVZGG7DxZQs7Lrfv55nghvQl43iMq26kZMYQvqdelLj53veXPzcrS7G5/WpAqtIg0RzXEGdH7ceNxus4t9IDp1PyzUnjumZMd39URcQ6C2yQqT0xKinHywilyowikkDwlEKwqSgGZ9FfBrJcj9497wrZ74LPfC0JNyqbQy+Hlq2eISSmm6UF1SFmVuGtPi8xHUFdjC2RJQUjnAlh1a28laOjTBrFbj7yQBbzV85Y63L2aeUCjrwC7arHizq5pK6hxJNkKViAR2v2Smsems7lbj/0b7/+uq8PqzQtNUhsMFQjcbHrcQq3L5+rZ452GkMlDoVcBa4qoT2ItM3mAS4xx
# phrik.archlinux.org
phrik.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHHPJ79o6go5pRmE5eoeHe6kS9gM7Nsx///MA/tpmyqY/8ktgYu6MTnvSYKdgF1O4oSTfsU5mc7grpq7Qsl8+tA=
phrik.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO45OY6f+b4KyFq13PyxjN/EcU11cgVZ1CrQZN2hGP0h
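Review bot: The orion.archlinux.org known_hosts entries are dropped but no entries for mail.archlinux.org are added. Adding them here keeps the distributed known_hosts file authoritative for the new mail host and avoids ad-hoc trust-on-first-use by whoever connects next.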
......
---
hostname: "orion"
ipv4_address: "88.198.91.70"
ipv4_netmask: "/32"
ipv6_address: "2a01:4f8:160:6087::1"
ipv6_netmask: "/128"
ipv4_gateway: "88.198.91.65"
ipv6_gateway: "fe80::1"
filesystem: btrfs
system_disks:
- /dev/sda
- /dev/sdb
# raise tcp window limits to 32MiB
tcp_rmem: "10240 87380 33554432"
tcp_wmem: "10240 87380 33554432"
mail_domain: "mail.archlinux.org"
zabbix_agent_templates:
- Template OS Linux
- Template App Borg Backup
- Template App Nginx
- Template App Archive
fail2ban_jails:
sshd: true
postfix: true
dovecot: true
$ANSIBLE_VAULT;1.1;AES256
39396466326266613063333338356431653461636562643535363038613865343230303430363564
3632646531646565336366396635353834633939316237610a343933366465663939303930376339
37363636363531323866653962353335613366333137343737316639323661636363633364346138
6462666365626134660a313632636537663137386437343662383335616665393561356165613333
38353364356238386364303065343333636463333234326234643332343137373639366130656335
64633533363034303664633435653937633566303537666164306130383738386235633232623965
38663164633230613432356266313135383838343331326534353365656432376463313366356231
61656338623134636265356561313630353935633037306430376430383034313631303538336637
33623733376363366336373337366663356434303931313132356164643334363630333834313665
32356336643436653763346333326432616438313530316530353937306237376563313032373333
34353763396166636161633036343935356334353335623034383238316532663930613864623335
61666165376662633934336232633634643961363064356566626235653530643261643039336436
62616438376161643930613063323739393237383563646630373430373734386430353933353433
35646463633034613166623233623164363638636533623037303465346239623962343337646665
31363065306539383066386362613635346431333135326461636136336232643030336464613430
35376537386236353236
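Review bot: Deleting host_vars/orion.archlinux.org also drops the encrypted `$ANSIBLE_VAULT` block at the end of the file; the ciphertext stays in git history, so any credentials it held should be rotated rather than assumed gone (cheap, since the host is being decommissioned). Also confirm that `mail_domain`, and the fail2ban jails for postfix and dovecot, carried over to the host_vars of the replacement mail host.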
[hetzner]
orion.archlinux.org
apollo.archlinux.org
luna.archlinux.org
dragon.archlinux.org
......@@ -20,7 +19,6 @@ repro3.pkgbuild.com
mirror.pkgbuild.com
[borg_clients]
orion.archlinux.org
apollo.archlinux.org
luna.archlinux.org
state.archlinux.org
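Review bot: Removing orion.archlinux.org from [borg_clients] stops its backups; confirm a final backup of the mail data was taken and is retained before the host is decommissioned.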
......@@ -62,7 +60,6 @@ accounts.archlinux.org
[nginx]
apollo.archlinux.org
luna.archlinux.org
orion.archlinux.org
bbs.archlinux.org
bugs.archlinux.org
aur.archlinux.org
......
......@@ -4,15 +4,15 @@
hosts: apollo.archlinux.org
tasks:
- name: assign ipv4 addresses to fact postgres_ssl_hosts4
set_fact: postgres_ssl_hosts4="{{ [orion4] + detected_ips }}"
set_fact: postgres_ssl_hosts4="{{ [gemini4] + detected_ips }}"
vars:
orion4: "{{ hostvars['gemini.archlinux.org']['ipv4_address'] }}/32"
gemini4: "{{ hostvars['gemini.archlinux.org']['ipv4_address'] }}/32"
detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv4_address']) | select() | map('regex_replace', '^(.+)$', '\\1/32') | list }}"
tags: ["postgres", "firewall"]
- name: assign ipv6 addresses to fact postgres_ssl_hosts6
set_fact: postgres_ssl_hosts6="{{ [orion6] + detected_ips }}"
set_fact: postgres_ssl_hosts6="{{ [gemini6] + detected_ips }}"
vars:
orion6: "{{ hostvars['gemini.archlinux.org']['ipv6_address'] }}/128"
gemini6: "{{ hostvars['gemini.archlinux.org']['ipv6_address'] }}/128"
detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv6_address']) | select() | map('regex_replace', '^(.+)$', '\\1/128') | list }}"
tags: ["postgres", "firewall"]
......
......@@ -30,4 +30,4 @@
- { role: mariadb, mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: True }
# luna is hosting mailman lists; this postfix role does not cater to this yet
# TODO: make postfix role handle mailman config?
# - { role: postfix, tags: ["postfix"], postfix_relayhost: "orion.archlinux.org" }
# - { role: postfix, tags: ["postfix"], postfix_relayhost: "mail.archlinux.org" }
---
- name: setup orion
hosts: orion.archlinux.org
remote_user: root
roles:
- { role: common }
- { role: tools }
- { role: sshd }
- { role: root_ssh }
- { role: borg_client, tags: ['borg'] }
- { role: opendkim, dkim_selector: orion, tags: ['mail'] }
- { role: dovecot }
- { role: rspamd, tags: ["mail"] }
- { role: unbound, tags: ["mail"] }
- { role: postfwd, tags: ['mail'] }
- { role: postfix, postfix_server: true, postfix_smtpd_public: true, tags: ['mail'] }
- { role: archusers }
- { role: certbot }
- { role: nginx }
- sogrep
- { role: sudo, tags: ['archusers'] }
- { role: archweb, archweb_site: false, archweb_services: false, archweb_donor_import: true, archweb_mirrorcheck_locations: [5, 6] }
- { role: fail2ban }
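Review bot: playbooks/orion.yml is deleted wholesale, including `- { role: opendkim, dkim_selector: orion, tags: ['mail'] }`. The orion DKIM selector should be retired deliberately: keep the DNS record for that selector until no mail signed with it is still in transit, then remove it, and make sure the replacement host signs with its own selector.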
......@@ -34,7 +34,7 @@
find: paths="/home" file_type="directory"
register: all_users
# TODO: this removes the keys of svn-packages and svn-community on orion temporarily. add some form of whitelist for those users?
# TODO: this removes the keys of svn-packages and svn-community on gemini temporarily. add some form of whitelist for those users?
- name: disable ssh keys of disabled users
file: path="/home/{{ item }}/.ssh/authorized_keys" state=absent
when: item not in arch_users
......
dependencies:
- role: postfwd
delegate_to: orion.archlinux.org
delegate_to: mail.archlinux.org
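Review bot: `delegate_to: mail.archlinux.org` only resolves if that name is an inventory host; this commit removes orion.archlinux.org from the inventory groups but does not show mail.archlinux.org being added, so the postfwd dependency will fail with an unknown host unless that entry already exists in hosts. Worth confirming before merge.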
# lower rate limit for certain authenticated users
&&SASL_WHITELIST {
# other servers relay via orion using authentication. username is the
# other servers relay via mail.archlinux.org using authentication. username is the
# hostname part of the fqdn
{% for host in groups['all'] %}
sasl_username={{ hostvars[host].inventory_hostname_short }}
......
......@@ -8,13 +8,3 @@ server:
remote-control:
control-enable: yes
{% if inventory_hostname == "orion.archlinux.org" %}
# nszero1.axc.nl "rate-limits" but in reality blocks our Hetzner connections from orion.
forward-zone:
name: "vdwaa.nl"
forward-addr: 8.8.8.8
forward-addr: 1.1.1.1
forward-first: yes
{% endif %}
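Review bot: Removing the orion-only forward-zone is correct now that the host is gone, but the underlying reason (nszero1.axc.nl blocking Hetzner connections) is not host-specific. If mail.archlinux.org runs on the same network, the same vdwaa.nl lookups will fail there, so the workaround may need re-adding conditioned on the new inventory_hostname.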