From 53bd985636f7ea0163a1161a67044618b5a84a46 Mon Sep 17 00:00:00 2001
From: Jelle van der Waa <jelle@archlinux.org>
Date: Thu, 29 Oct 2020 21:05:46 +0100
Subject: [PATCH] Move openpgpkey.archlinux.org to a new VPS

The WKD webservice ran on orion, but as we want to retire it, we will
move it to its own CX11 VPS, as it's just a simple web page.
---
 README.md                           |  7 +++++
 hosts                               |  1 +
 playbooks/openpgpkeys.archlinux.org | 14 ++++++++++
 playbooks/orion.yml                 |  1 -
 tf-stage1/archlinux.tf              | 42 ++++++++++++++++++++++++-----
 5 files changed, 57 insertions(+), 8 deletions(-)
 create mode 100644 playbooks/openpgpkeys.archlinux.org

diff --git a/README.md b/README.md
index 33dfccaea..b3aecaee2 100644
--- a/README.md
+++ b/README.md
@@ -259,6 +259,13 @@ Medium-fast-ish packet.net Arch Linux box.
   - [Grafana](https://monitoring.archlinux.org)
   - Prometheus
 
+### openpgpkey.archlinux.org
+
+Hosts our gnupg open web key directory for fetching Arch Linux keyring keys over https.
+
+#### Services
+  - WKD
+
 ## Ansible repo workflows
 
 ### Replace vault password and change vaulted passwords
diff --git a/hosts b/hosts
index 4f101c7bd..81ea85c31 100644
--- a/hosts
+++ b/hosts
@@ -102,6 +102,7 @@ phrik.archlinux.org
 quassel.archlinux.org
 state.archlinux.org
 mirror.pkgbuild.com
+openpgpkey.archlinux.org
 homedir.archlinux.org
 dragon.archlinux.org
 mail.archlinux.org
diff --git a/playbooks/openpgpkeys.archlinux.org b/playbooks/openpgpkeys.archlinux.org
new file mode 100644
index 000000000..17be03478
--- /dev/null
+++ b/playbooks/openpgpkeys.archlinux.org
@@ -0,0 +1,14 @@
+---
+
+- name: setup openpgpkey server
+  hosts: openpgpkey.archlinux.org
+  remote_user: root
+  roles:
+    - { role: common }
+    - { role: firewalld }
+    - { role: sshd }
+    - { role: root_ssh }
+    - { role: certbot }
+    - { role: nginx }
+    - { role: wkd }
+    - { role: prometheus_exporters }
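Review bot: The new playbook's file name does not match the host it manages: the path is `playbooks/openpgpkeys.archlinux.org` (plural, no extension) while the `hosts:` line and the inventory entry both read `openpgpkey.archlinux.org`, and the sibling playbook touched by this commit is `playbooks/orion.yml`. Renaming it to `playbooks/openpgpkey.archlinux.org.yml` keeps it discoverable by hostname and consistent with the `.yml` naming used elsewhere. Separately, `orion.yml` still carries `- { role: fail2ban }` after this change whereas the new host, which exposes sshd and nginx, does not list it; if the repo's other single-service VPS playbooks include fail2ban, it should probably be added here too, which I cannot confirm from this diff alone.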
diff --git a/playbooks/orion.yml b/playbooks/orion.yml
index 96dd32f55..9d7aacd81 100644
--- a/playbooks/orion.yml
+++ b/playbooks/orion.yml
@@ -21,5 +21,4 @@
     - sogrep
     - { role: sudo, tags: ['archusers'] }
     - { role: archweb, archweb_site: false, archweb_services: false, archweb_donor_import: true, archweb_mirrorcheck_locations: [5, 6] }
-    - wkd
     - { role: fail2ban }
diff --git a/tf-stage1/archlinux.tf b/tf-stage1/archlinux.tf
index f6cd5b475..e3dcefa4c 100644
--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
@@ -527,6 +527,20 @@ resource "hetznerdns_record" "archlinux_org_mx_aaaa" {
   type    = "AAAA"
 }
 
+resource "hetznerdns_record" "archlinux_org_openpgpkey_a" {
+  zone_id = hetznerdns_zone.archlinux.id
+  name    = "openpgpkey"
+  value   = hcloud_server.openpgpkey.ipv4_address
+  type    = "A"
+}
+
+resource "hetznerdns_record" "archlinux_org_openpgpkey_aaaa" {
+  zone_id = hetznerdns_zone.archlinux.id
+  name    = "openpgpkey"
+  value   = hcloud_server.openpgpkey.ipv6_address
+  type    = "AAAA"
+}
+
 resource "hetznerdns_record" "archlinux_org_orion_txt" {
   zone_id = hetznerdns_zone.archlinux.id
   name    = "mail._domainkey"
@@ -726,13 +740,6 @@ resource "hetznerdns_record" "archlinux_org_mailman_cname" {
   type    = "CNAME"
 }
 
-resource "hetznerdns_record" "archlinux_org_openpgpkey_cname" {
-  zone_id = hetznerdns_zone.archlinux.id
-  name    = "openpgpkey"
-  value   = "orion"
-  type    = "CNAME"
-}
-
 resource "hetznerdns_record" "archlinux_org_packages_cname" {
   zone_id = hetznerdns_zone.archlinux.id
   name    = "packages"
@@ -1291,3 +1298,24 @@ resource "hcloud_server" "mail" {
     ignore_changes = [image]
   }
 }
+
+resource "hcloud_rdns" "openpgpkey_ipv4" {
+  server_id  = hcloud_server.openpgpkey.id
+  ip_address = hcloud_server.openpgpkey.ipv4_address
+  dns_ptr    = "openpgpkey.archlinux.org"
+}
+
+resource "hcloud_rdns" "openpgpkey_ipv6" {
+  server_id  = hcloud_server.openpgpkey.id
+  ip_address = hcloud_server.openpgpkey.ipv6_address
+  dns_ptr    = "openpgpkey.archlinux.org"
+}
+
+resource "hcloud_server" "openpgpkey" {
+  name        = "openpgpkey.archlinux.org"
+  image       = data.hcloud_image.archlinux.id
+  server_type = "cx11"
+  lifecycle {
+    ignore_changes = [image]
+  }
+}
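Review bot: The new `hcloud_server "openpgpkey"` resource sets only `name`, `image`, `server_type` and the `lifecycle` block, with no `ssh_keys` attribute. The hunk only shows the tail of `hcloud_server "mail"`, so I cannot confirm whether the file's other servers attach keys at creation, but if they do, the new box should match (`ssh_keys = [...]` with the same references), otherwise the `root_ssh`/`sshd` roles in the new playbook have no key-based way onto the host at first boot. The two `hcloud_rdns` resources and the DNS A/AAAA records in the earlier hunk look consistent with each other (same FQDN, same `ipv4_address`/`ipv6_address` references).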
-- 
GitLab