Commit a90227a7 authored by Frederik Schwan's avatar Frederik Schwan

Merge branch 'add-redirect-server' into 'master'

add redirect server to handle redirects for deprecated domains

See merge request !235
parents 228e629a 06d5360e
Pipeline #4102 passed with stage
in 42 seconds
......@@ -262,6 +262,17 @@
256 MD5:15:45:eb:91:69:df:c3:6d:9f:99:b9:13:02:94:a6:ac root@archlinux-packer (ED25519)
2048 MD5:ca:2f:cf:5c:4d:ec:75:c3:71:76:d6:b7:b9:fa:aa:32 root@archlinux-packer (RSA)
# redirect.archlinux.org
1024 SHA256:hqw3Wmif3BUI9VLcNnvcB3I+M9f5OUtDjRT8H6tAuEU root@archlinux-packer (DSA)
256 SHA256:JaUkz0eOofslq9BVifMx8c6sapM/DSig9zrVyFqrHD4 root@archlinux-packer (ECDSA)
256 SHA256:sUcgzScFlMByQKLW2IDYBc2m6EvLXzM6KVa2mzls3TA root@archlinux-packer (ED25519)
3072 SHA256:yUn8pVpioFsltzFKA2cImHb6UnD63pCOCiJsP5OFLBQ root@archlinux-packer (RSA)
1024 MD5:a8:f9:dd:2a:79:ca:3a:ef:b5:24:49:6b:61:1f:bb:07 root@archlinux-packer (DSA)
256 MD5:b1:f5:78:51:c5:50:5e:25:73:68:fc:80:53:25:94:ba root@archlinux-packer (ECDSA)
256 MD5:5a:49:d5:f3:00:ca:49:17:d8:cc:3e:84:1d:60:be:06 root@archlinux-packer (ED25519)
3072 MD5:1e:52:48:56:d3:13:20:e5:02:4f:10:1b:af:27:e5:c7 root@archlinux-packer (RSA)
# repro1.pkgbuild.com
1024 SHA256:K2RjAgIzlRrSkqdf3vqwfXOOg0oEMt/AwAT2Gmt2wpA root@repro3.pkgbuild.com (DSA)
256 SHA256:H/7en8S/UqQ+llIDPyCIn9sYHjiEU6L+Myu0MpmoDsE root@repro3.pkgbuild.com (ECDSA)
......
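Review bot: The new redirect.archlinux.org entry publishes fingerprints for a 1024-bit DSA host key (the two `(DSA)` lines), while the known_hosts hunk for the same host pins only ecdsa, ed25519 and rsa keys. OpenSSH has disabled ssh-dss by default since 7.0, so this key is presumably only a leftover of host-key generation in the image. I would drop both DSA lines from the list and, if the sshd role allows it, remove the DSA host key on the server so it cannot be offered at all. The neighbouring repro1.pkgbuild.com entry shows the same pattern.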
......@@ -118,6 +118,11 @@ quassel.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbm
quassel.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMJ8pFEQOPKxtdHcNkYP/lmF9vrM5ub30Kbeo3SQJ3OI
quassel.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPHwHxYNG1vjRiEfoVEa9onPLdUNFdwmrCblc95ALKU+GTCOO8C6gBo2J4w5hB6CABUh4zJn2AbXi1E6YQdGyumfvBhXzpim+wdPtDh/Wrqxl8M06Gk2+YbAS1m0452xsMELodNTPd7HDB0iXDEfEjB02jk7D/KHIVWkKi0wlV3d4WG1M0c5D+MA3zFoYN/EwcRYK120P3dbYzdCwrYi6IdgA/+2g8ALvkAkLEW3uYyIct8kQ/sTLKcKimuyeiYCEn2jviIJjraF2T0U6m+dgfEEBtyITzvP9/3oAflIsgr1LHHVwfhdlbml1LvqPojYpBV2YrE8esmCzhs0a6TWP5
# redirect.archlinux.org
redirect.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNNlS8biku7pxOjm+a0MxYR0ICSRjoqkaCSPdY5tdUnOPmEnvRm7qqO4pzvzy5FjhcFOW4oTuKu93ZXmnU9rV1s=
redirect.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID8cqRGOzfp+waFo4fxxq2oUKPFsTNRL0MB1M3xT2Y5L
redirect.archlinux.org ssh-rsa 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
# repro1.pkgbuild.com
repro1.pkgbuild.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKYR9cx4+umxrRJ68vvqOmCSkYuZJDkYAAxlT+bbKNnA2R5jpuxvLamGPFfdAzAQjk5FRnbNGihMI2V2Fw8M2gQ=
repro1.pkgbuild.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrJCFjvo5svIzF5d7agm1/QlqyYlegxSX6GebZp6E5c
......
......@@ -135,6 +135,7 @@ repro1.pkgbuild.com
wiki.archlinux.org
patchwork.archlinux.org
security.archlinux.org
redirect.archlinux.org
[kape_servers]
asia.mirror.pkgbuild.com
......
- name: setup redirect.archlinux.org
hosts: redirect.archlinux.org
remote_user: root
roles:
- { role: common }
- { role: tools }
- { role: firewalld }
- { role: unbound }
- { role: sshd }
- { role: root_ssh }
- { role: certbot }
- { role: nginx }
- { role: redirects }
- { role: prometheus_exporters }
- { role: hardening }
redirects:
- static.conf:
domain: static.conf.archlinux.org
to: https://gitlab.archlinux.org/archlinux/conf-files/-/raw/master$request_uri
type: 302
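Review bot: Each `redirects` item starts with a `static.conf:` key, but the tasks and the nginx template read only `domain`, `to` and `type`. Indentation is lost on this page, so either that key is an unused sibling with a null value or the three fields are nested beneath it, in which case `item.domain` would be undefined. Starting the item with `- domain: static.conf.archlinux.org` removes the ambiguity. A one-line comment that `to` is emitted verbatim into the nginx `return` directive (nginx variables allowed) would document the contract for later entries.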
---
- name: create ssl cert
command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d {{ item.domain }} creates='/etc/letsencrypt/live/{{ item.domain }}/fullchain.pem'
loop: "{{ redirects }}"
- name: make nginx log dir
file: path=/var/log/nginx/{{ item.domain }} state=directory owner=root group=root mode=0755
loop: "{{ redirects }}"
- name: set up nginx
template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/redirects.conf" owner=root group=root mode=644
notify: reload nginx
tags: ['nginx']
{% for redirect in redirects %}
server {
listen 80;
listen [::]:80;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ redirect.domain }};
access_log /var/log/nginx/{{ redirect.domain }}/access.log reduced;
error_log /var/log/nginx/{{ redirect.domain }}/error.log;
ssl_certificate /etc/letsencrypt/live/{{ redirect.domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ redirect.domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ redirect.domain }}/chain.pem;
include snippets/letsencrypt.conf;
return {{ redirect.type }} {{ redirect.to }};
}
{% endfor %}
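Review bot: The server-level `return {{ redirect.type }} {{ redirect.to }};` runs in nginx's server rewrite phase, before any location is selected, so whatever `snippets/letsencrypt.conf` defines is never reached on this vhost. If that snippet holds the ACME challenge location (its content is not shown here), HTTP-01 validation requests for the domain are redirected to the GitLab URL, and webroot renewals of the certificate would fail once this config is live. Scoping the redirect as `location / { return {{ redirect.type }} {{ redirect.to }}; }` keeps the challenge path served locally. A short Jinja comment that `to` should build on `$request_uri` rather than the decoded `$uri` would also help future entries, since the decoded variable can carry CR/LF into the Location header.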
......@@ -788,6 +788,20 @@ resource "hetznerdns_record" "archlinux_org_quassel_aaaa" {
type = "AAAA"
}
resource "hetznerdns_record" "archlinux_org_redirect_a" {
zone_id = hetznerdns_zone.archlinux.id
name = "redirect"
value = hcloud_server.redirect.ipv4_address
type = "A"
}
resource "hetznerdns_record" "archlinux_org_redirect_aaaa" {
zone_id = hetznerdns_zone.archlinux.id
name = "redirect"
value = hcloud_server.redirect.ipv6_address
type = "AAAA"
}
resource "hetznerdns_record" "archlinux_org_reproducible_a" {
zone_id = hetznerdns_zone.archlinux.id
name = "reproducible"
......@@ -1256,6 +1270,27 @@ resource "hcloud_server" "aur-dev" {
}
}
resource "hcloud_rdns" "redirect_ipv4" {
server_id = hcloud_server.redirect.id
ip_address = hcloud_server.redirect.ipv4_address
dns_ptr = "redirect.archlinux.org"
}
resource "hcloud_rdns" "redirect_ipv6" {
server_id = hcloud_server.redirect.id
ip_address = hcloud_server.redirect.ipv6_address
dns_ptr = "redirect.archlinux.org"
}
resource "hcloud_server" "redirect" {
name = "redirect.archlinux.org"
image = data.hcloud_image.archlinux.id
server_type = "cx11"
lifecycle {
ignore_changes = [image]
}
}
resource "hcloud_rdns" "mailman3_ipv4" {
server_id = hcloud_server.mailman3.id
ip_address = hcloud_server.mailman3.ipv4_address
......