From 493f9a58b904ae583de9264ac1f187b27df962d3 Mon Sep 17 00:00:00 2001 From: Jelle van der Waa <jelle@archlinux.org> Date: Sat, 21 Nov 2020 16:41:18 +0100 Subject: [PATCH] Cleanup orion references Orion has been replaced by gemini and for mail by mail.archlinux.org --- README.md | 4 +-- docs/email.md | 14 ++++----- docs/ssh-hostkeys.txt | 11 ------- docs/ssh-known_hosts.txt | 5 ---- host_vars/orion.archlinux.org/misc | 29 ------------------- .../orion.archlinux.org/wiki-bouncehandler | 17 ----------- hosts | 3 -- playbooks/apollo.yml | 8 ++--- playbooks/luna.yml | 2 +- playbooks/orion.yml | 24 --------------- roles/archusers/tasks/main.yml | 2 +- roles/postfix/meta/main.yml | 2 +- roles/postfwd/templates/postfwd.cf.j2 | 2 +- roles/unbound/templates/unbound.conf.j2 | 10 ------- 14 files changed, 17 insertions(+), 116 deletions(-) delete mode 100644 host_vars/orion.archlinux.org/misc delete mode 100644 host_vars/orion.archlinux.org/wiki-bouncehandler delete mode 100644 playbooks/orion.yml diff --git a/README.md b/README.md index b3aecaee2..1e10c215a 100644 --- a/README.md +++ b/README.md @@ -96,7 +96,7 @@ set up. #### SMTP Configuration -All hosts should be relaying email through our primary mx host (currently 'orion'). See [docs/email.md](./docs/email.md) for full details. +All hosts should be relaying email through our primary mx host (currently 'mail.archlinux.org'). See [docs/email.md](./docs/email.md) for full details. #### Note about opendkim @@ -144,7 +144,7 @@ The following steps should be used to update our managed servers: ## Servers -### orion +### gemini #### Services - repos/sync (repos.archlinux.org) diff --git a/docs/email.md b/docs/email.md index 7463c7773..fe4682a92 100644 --- a/docs/email.md +++ b/docs/email.md 
@@ -5,11 +5,11 @@ SMTP port: 587 STARTTLS IMAP port: 143 (STARTTLS), 993 (TLS) username: the system account name -password: set by each user themselves with `passwd` on orion +password: set by each user themselves with `passwd` on mail.archlinux.org # Adding new archlinux.org email addresses -Login to orion and edit `/etc/postfix/users`, add the new email address in the +Login to mail.archlinux.org and edit `/etc/postfix/users`, add the new email address in the appropriate category and run `postmap /etc/postfix/users`. If the user wants to forward email, either enter the destination directly in @@ -19,7 +19,7 @@ into `~username/.forward` so that they can edit it themselves. # SMTP Architecture All hosts should be relaying outbound SMTP traffic via our primary MX server -(currently 'orion'). Each hosts authenticates using SASL over a TLS connection +(currently 'mail.archlinux.org'). Each hosts authenticates using SASL over a TLS connection to the server. This gives us several benefits: 1. DKIM signing can be done centrally. 
@@ -31,15 +31,15 @@ to the server. This gives us several benefits: When a new host is provisioned: -- The *postfix* role has a task delegated to 'orion' to create a local user - on 'orion' that is used for the new server to authenticate against. The user +- The *postfix* role has a task delegated to 'mail.archlinux.org' to create a local user + on 'mail.archlinux.org' that is used for the new server to authenticate against. The user name is the shortname of the new servers hostname (ie, "foobar.archlinux.org" will authenticate with the username "foobar") -- You will need to run the *postfwd* role against orion to update the +- You will need to run the *postfwd* role against mail.archlinux.org to update the rate-limiting it performs (servers are given higher rate-limits than normal users - see `/etc/postfwd/postfwd.cf` for exact limits). This *should* happen automatically as the *postfwd* role is a dependency of the *postfix* - role (using `delegate_to` to run it against 'orion' regardless of the target + role (using `delegate_to` to run it against 'mail.archlinux.org' regardless of the target host that the postfix role is being run on) - Any services on the new host that need to relay mail should relay using SMTP to `localhost` on port 10027 which bypasses any filtering/restrictions that diff --git a/docs/ssh-hostkeys.txt b/docs/ssh-hostkeys.txt index dbda2f6ea..057b9c6c9 100644 --- a/docs/ssh-hostkeys.txt +++ b/docs/ssh-hostkeys.txt 
@@ -185,17 +185,6 @@ 256 MD5:fe:a1:ab:4d:f6:5d:76:f9:a3:99:be:fd:51:ee:77:ed root@archlinux-packer (ED25519) 3072 MD5:ad:ee:a6:6d:b7:9b:f0:f7:78:9f:df:b4:53:2e:5f:9f root@archlinux-packer (RSA) -# orion.archlinux.org -1024 SHA256:Y7XP+fTQZAEDgmCHuSqFc0MmNUmCPJYRZs/7iq6viK8 root@mnt (DSA) -256 SHA256:2gH/IGaZ/pOnpt4+VY0twd4+hUOraUWRceJiNQxnbxs root@mnt (ECDSA) -256 SHA256:G4mz3jsK8XZymCDjUE7TKhA3Kz/eC+q4gHlnhCWyVB4 root@mnt (ED25519) -2048 SHA256:PxFPKc82M5wShxNX+62FmZPKJBACz4n7epevqEDOUUw root@mnt (RSA) - -1024 MD5:67:a7:23:42:0c:22:74:30:ea:e2:89:4a:68:8c:a7:d6 root@mnt (DSA) -256 MD5:47:ce:6f:89:fa:06:ab:d5:94:e1:e1:95:94:40:68:5c root@mnt (ECDSA) -256 MD5:95:53:ec:52:c3:78:e8:5d:43:c6:2f:bc:d9:7e:9a:4c root@mnt (ED25519) -2048 MD5:ff:9d:c3:b0:ee:c9:89:32:72:0c:d8:fb:cc:5d:ae:75 root@mnt (RSA) - # phrik.archlinux.org 1024 SHA256:+482UWH5/pSMZ8VoIgkGZxGOm1tZ72rI5RrZsnQHDVk root@archlinux-packer (DSA) 256 SHA256:qL+sG+DBwRKII1uPVcFHKQUfQNd7sW0x6iop6/Ki1Og root@archlinux-packer (ECDSA) diff --git a/docs/ssh-known_hosts.txt b/docs/ssh-known_hosts.txt index 4db62a887..6b8ca7b50 100644 --- a/docs/ssh-known_hosts.txt +++ b/docs/ssh-known_hosts.txt 
@@ -83,11 +83,6 @@ monitoring.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAA monitoring.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJCU4tNW4WHTQ43+HBbho/sbsU3BCzildSOziaJrVNvE monitoring.archlinux.org ssh-rsa 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 -# orion.archlinux.org -orion.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEUvsQlT7TI/DGKE3A5/afV+xuQiWCcuTK0Y1CpCDBRkEnHg0rQ8839FyucEr9H+GWZYqrYVFdznJ0ZOPXXVotc= -orion.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEydv62bdTz7uziep+BVCYsI4cW7dI8JcLVY0/Xdg41W -orion.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtVZGG7DxZQs7Lrfv55nghvQl43iMq26kZMYQvqdelLj53veXPzcrS7G5/WpAqtIg0RzXEGdH7ceNxus4t9IDp1PyzUnjumZMd39URcQ6C2yQqT0xKinHywilyowikkDwlEKwqSgGZ9FfBrJcj9497wrZ74LPfC0JNyqbQy+Hlq2eISSmm6UF1SFmVuGtPi8xHUFdjC2RJQUjnAlh1a28laOjTBrFbj7yQBbzV85Y63L2aeUCjrwC7arHizq5pK6hxJNkKViAR2v2Smsems7lbj/0b7/+uq8PqzQtNUhsMFQjcbHrcQq3L5+rZ452GkMlDoVcBa4qoT2ItM3mAS4xx - # phrik.archlinux.org phrik.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHHPJ79o6go5pRmE5eoeHe6kS9gM7Nsx///MA/tpmyqY/8ktgYu6MTnvSYKdgF1O4oSTfsU5mc7grpq7Qsl8+tA= phrik.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO45OY6f+b4KyFq13PyxjN/EcU11cgVZ1CrQZN2hGP0h diff --git a/host_vars/orion.archlinux.org/misc b/host_vars/orion.archlinux.org/misc deleted file mode 100644 index a820a9a01..000000000 --- a/host_vars/orion.archlinux.org/misc +++ /dev/null 
@@ -1,29 +0,0 @@ ---- -hostname: "orion" -ipv4_address: "88.198.91.70" -ipv4_netmask: "/32" -ipv6_address: "2a01:4f8:160:6087::1" -ipv6_netmask: "/128" -ipv4_gateway: "88.198.91.65" -ipv6_gateway: "fe80::1" -filesystem: btrfs -system_disks: - - /dev/sda - - /dev/sdb - -# raise tcp window limits to 32MiB -tcp_rmem: "10240 87380 33554432" -tcp_wmem: "10240 87380 33554432" - -mail_domain: "mail.archlinux.org" - -zabbix_agent_templates: - - Template OS Linux - - Template App Borg Backup - - Template App Nginx - - Template App Archive - -fail2ban_jails: - sshd: true - postfix: true - dovecot: true diff --git a/host_vars/orion.archlinux.org/wiki-bouncehandler b/host_vars/orion.archlinux.org/wiki-bouncehandler deleted file mode 100644 index 302aaf074..000000000 --- a/host_vars/orion.archlinux.org/wiki-bouncehandler +++ /dev/null @@ -1,17 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -39396466326266613063333338356431653461636562643535363038613865343230303430363564 -3632646531646565336366396635353834633939316237610a343933366465663939303930376339 -37363636363531323866653962353335613366333137343737316639323661636363633364346138 -6462666365626134660a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diff --git a/hosts b/hosts index 03e543b53..503c0acb9 100644 --- a/hosts +++ b/hosts @@ -1,5 +1,4 @@ [hetzner] -orion.archlinux.org apollo.archlinux.org luna.archlinux.org dragon.archlinux.org @@ -20,7 +19,6 @@ repro3.pkgbuild.com mirror.pkgbuild.com [borg_clients] -orion.archlinux.org apollo.archlinux.org luna.archlinux.org state.archlinux.org @@ -62,7 +60,6 @@ accounts.archlinux.org [nginx] apollo.archlinux.org luna.archlinux.org -orion.archlinux.org bbs.archlinux.org bugs.archlinux.org aur.archlinux.org diff --git a/playbooks/apollo.yml b/playbooks/apollo.yml index a4b303b3b..62cdaf877 100644 --- a/playbooks/apollo.yml +++ b/playbooks/apollo.yml 
@@ -4,15 +4,15 @@ hosts: apollo.archlinux.org tasks: - name: assign ipv4 addresses to fact postgres_ssl_hosts4 - set_fact: postgres_ssl_hosts4="{{ [orion4] + detected_ips }}" + set_fact: postgres_ssl_hosts4="{{ [gemini4] + detected_ips }}" vars: - orion4: "{{ hostvars['gemini.archlinux.org']['ipv4_address'] }}/32" + gemini4: "{{ hostvars['gemini.archlinux.org']['ipv4_address'] }}/32" detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv4_address']) | select() | map('regex_replace', '^(.+)$', '\\1/32') | list }}" tags: ["postgres", "firewall"] - name: assign ipv6 addresses to fact postgres_ssl_hosts6 - set_fact: postgres_ssl_hosts6="{{ [orion6] + detected_ips }}" + set_fact: postgres_ssl_hosts6="{{ [gemini6] + detected_ips }}" vars: - orion6: "{{ hostvars['gemini.archlinux.org']['ipv6_address'] }}/128" + gemini6: "{{ hostvars['gemini.archlinux.org']['ipv6_address'] }}/128" detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv6_address']) | select() | map('regex_replace', '^(.+)$', '\\1/128') | list }}" tags: ["postgres", "firewall"] diff --git a/playbooks/luna.yml b/playbooks/luna.yml index 47cb4f38d..e417883bd 100644 --- a/playbooks/luna.yml +++ b/playbooks/luna.yml @@ -30,4 +30,4 @@ - { role: mariadb, mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: True } # luna is hosting mailman lists; this postfix role does not cater to this yet # TODO: make postfix role handle mailman config? -# - { role: postfix, tags: ["postfix"], postfix_relayhost: "orion.archlinux.org" } +# - { role: postfix, tags: ["postfix"], postfix_relayhost: "mail.archlinux.org" } diff --git a/playbooks/orion.yml b/playbooks/orion.yml deleted file mode 100644 index 8c19eb853..000000000 --- a/playbooks/orion.yml +++ /dev/null 
@@ -1,24 +0,0 @@ ---- - -- name: setup orion - hosts: orion.archlinux.org - remote_user: root - roles: - - { role: common } - - { role: tools } - - { role: sshd } - - { role: root_ssh } - - { role: borg_client, tags: ['borg'] } - - { role: opendkim, dkim_selector: orion, tags: ['mail'] } - - { role: dovecot } - - { role: rspamd, tags: ["mail"] } - - { role: unbound, tags: ["mail"] } - - { role: postfwd, tags: ['mail'] } - - { role: postfix, postfix_server: true, postfix_smtpd_public: true, tags: ['mail'] } - - { role: archusers } - - { role: certbot } - - { role: nginx } - - sogrep - - { role: sudo, tags: ['archusers'] } - - { role: archweb, archweb_site: false, archweb_services: false, archweb_donor_import: true, archweb_mirrorcheck_locations: [5, 6] } - - { role: fail2ban } diff --git a/roles/archusers/tasks/main.yml b/roles/archusers/tasks/main.yml index c15335b6c..dc069496a 100644 --- a/roles/archusers/tasks/main.yml +++ b/roles/archusers/tasks/main.yml @@ -34,7 +34,7 @@ find: paths="/home" file_type="directory" register: all_users - # TODO: this removes the keys of svn-packages and svn-community on orion temporarily. add some form of whitelist for those users? + # TODO: this removes the keys of svn-packages and svn-community on gemini temporarily. add some form of whitelist for those users? - name: disable ssh keys of disabled users file: path="/home/{{ item }}/.ssh/authorized_keys" state=absent when: item not in arch_users diff --git a/roles/postfix/meta/main.yml b/roles/postfix/meta/main.yml index dbbc39d1b..4faf0cae4 100644 --- a/roles/postfix/meta/main.yml +++ b/roles/postfix/meta/main.yml @@ -1,3 +1,3 @@ dependencies: - role: postfwd - delegate_to: orion.archlinux.org + delegate_to: mail.archlinux.org diff --git a/roles/postfwd/templates/postfwd.cf.j2 b/roles/postfwd/templates/postfwd.cf.j2 index 6e4ee99fb..3be920490 100644 --- a/roles/postfwd/templates/postfwd.cf.j2 +++ b/roles/postfwd/templates/postfwd.cf.j2 
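Review bot: `delegate_to: mail.archlinux.org` in roles/postfix/meta/main.yml targets a name that does not appear as an inventory host anywhere in this patch — the `hosts` hunk removes orion.archlinux.org without adding mail.archlinux.org, and playbooks/apollo.yml in the same commit addresses the mail server as `hostvars['gemini.archlinux.org']`. As far as I know Ansible treats a delegate target that is not in inventory as an implicit host with default connection settings, so gemini's host_vars (ansible_* connection settings and anything the postfwd role reads from the delegated host) would not apply; if mail.archlinux.org is only a DNS alias for gemini, the line should probably read `delegate_to: gemini.archlinux.org`, keeping mail.archlinux.org as the user-facing name in docs/email.md. The docs/ssh-known_hosts.txt hunk likewise drops the orion keys without adding an entry under mail.archlinux.org, so a delegated SSH connection under that name would have no pinned host key to verify against if that file is what the controller uses. If mail.archlinux.org is a separate inventory entry outside this patch, this does not apply.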
@@ -1,6 +1,6 @@ # lower rate limit for certain authenticated users &&SASL_WHITELIST { - # other servers relay via orion using authentication. username is the + # other servers relay via mail.archlinux.org using authentication. username is the # hostname part of the fqdn {% for host in groups['all'] %} sasl_username={{ hostvars[host].inventory_hostname_short }} diff --git a/roles/unbound/templates/unbound.conf.j2 b/roles/unbound/templates/unbound.conf.j2 index 4a1a56847..4148b21af 100644 --- a/roles/unbound/templates/unbound.conf.j2 +++ b/roles/unbound/templates/unbound.conf.j2 @@ -8,13 +8,3 @@ server: remote-control: control-enable: yes - - -{% if inventory_hostname == "orion.archlinux.org" %} -# nszero1.axc.nl "rate-limits" but in reality blocks our Hetzner connections from orion. -forward-zone: - name: "vdwaa.nl" - forward-addr: 8.8.8.8 - forward-addr: 1.1.1.1 - forward-first: yes -{% endif %} -- GitLab