Move openpgpkey.archlinux.org to a new VPS

The WKD webservice ran on orion, but as we want to retire it, we will move it to it's own CX11 VPS. As it's just a simple web page.

Move openpgpkey.archlinux.org to a new VPS
The WKD webservice ran on orion, but as we want to retire it, we will move it to it's own CX11 VPS. As it's just a simple web page.
53bd9856 · Jelle van der Waa · Sven-Hendrik Haase · 3c426bfd · 53bd9856 · 53bd9856
Verified Commit 53bd9856 authored Oct 29, 2020 by Jelle van der Waa 🚧 Committed by Sven-Hendrik Haase Nov 02, 2020
--- a/README.md
+++ b/README.md
@@ -259,6 +259,13 @@ Medium-fast-ish packet.net Arch Linux box.
  - [Grafana](https://monitoring.archlinux.org)
  - Prometheus

+### openpgpkey.archlinux.org
+
+Hosts our gnupg open web key directory for fetching Arch Linux keyring keys over https.
+
+#### Services
+  - WKD
+
 ## Ansible repo workflows

 ### Replace vault password and change vaulted passwords

--- a/hosts
+++ b/hosts
@@ -102,6 +102,7 @@ phrik.archlinux.org
 quassel.archlinux.org
 state.archlinux.org
 mirror.pkgbuild.com
+openpgpkey.archlinux.org
 homedir.archlinux.org
 dragon.archlinux.org
 mail.archlinux.org
--- a/playbooks/openpgpkeys.archlinux.org
+++ b/playbooks/openpgpkeys.archlinux.org
+---
+
+- name: setup openpgpkey server
+  hosts: openpgpkey.archlinux.org
+  remote_user: root
+  roles:
+    - { role: common }
+    - { role: firewalld }
+    - { role: sshd }
+    - { role: root_ssh }
+    - { role: certbot }
+    - { role: nginx }
+    - { role: wkd }
+    - { role: prometheus_exporters }
--- a/playbooks/orion.yml
+++ b/playbooks/orion.yml
@@ -21,5 +21,4 @@
    - sogrep
    - { role: sudo, tags: ['archusers'] }
    - { role: archweb, archweb_site: false, archweb_services: false, archweb_donor_import: true, archweb_mirrorcheck_locations: [5, 6] }
-    - wkd
    - { role: fail2ban }
--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
@@ -527,6 +527,20 @@ resource "hetznerdns_record" "archlinux_org_mx_aaaa" {
  type    = "AAAA"
 }

+resource "hetznerdns_record" "archlinux_org_openpgpkey_a" {
+  zone_id = hetznerdns_zone.archlinux.id
+  name    = "openpgpkey"
+  value   = hcloud_server.openpgpkey.ipv4_address
+  type    = "A"
+}
+
+resource "hetznerdns_record" "archlinux_org_openpgpkey_aaaa" {
+  zone_id = hetznerdns_zone.archlinux.id
+  name    = "openpgpkey"
+  value   = hcloud_server.openpgpkey.ipv6_address
+  type    = "AAAA"
+}
+
 resource "hetznerdns_record" "archlinux_org_orion_txt" {
  zone_id = hetznerdns_zone.archlinux.id
  name    = "mail._domainkey"
@@ -726,13 +740,6 @@ resource "hetznerdns_record" "archlinux_org_mailman_cname" {
  type    = "CNAME"
 }

-resource "hetznerdns_record" "archlinux_org_openpgpkey_cname" {
-  zone_id = hetznerdns_zone.archlinux.id
-  name    = "openpgpkey"
-  value   = "orion"
-  type    = "CNAME"
-}
-
 resource "hetznerdns_record" "archlinux_org_packages_cname" {
  zone_id = hetznerdns_zone.archlinux.id
  name    = "packages"
@@ -1291,3 +1298,24 @@ resource "hcloud_server" "mail" {
    ignore_changes = [image]
  }
 }
+
+resource "hcloud_rdns" "openpgpkey_ipv4" {
+  server_id  = hcloud_server.openpgpkey.id
+  ip_address = hcloud_server.openpgpkey.ipv4_address
+  dns_ptr    = "openpgpkey.archlinux.org"
+}
+
+resource "hcloud_rdns" "openpgpkey_ipv6" {
+  server_id  = hcloud_server.openpgpkey.id
+  ip_address = hcloud_server.openpgpkey.ipv6_address
+  dns_ptr    = "openpgpkey.archlinux.org"
+}
+
+resource "hcloud_server" "openpgpkey" {
+  name        = "openpgpkey.archlinux.org"
+  image       = data.hcloud_image.archlinux.id
+  server_type = "cx11"
+  lifecycle {
+    ignore_changes = [image]
+  }
+}