Merge branch 'add-redirect-server' into 'master'

add redirect server to handle redirects for deprecated domains See merge request !235

Merge branch 'add-redirect-server' into 'master'
a90227a7 · Frederik Schwan · 228e629a · 06d5360e · a90227a7 · a90227a7
Commit a90227a7 authored 4 years ago by Frederik Schwan
--- a/docs/ssh-hostkeys.txt
+++ b/docs/ssh-hostkeys.txt
@@ -262,6 +262,17 @@
 256 MD5:15:45:eb:91:69:df:c3:6d:9f:99:b9:13:02:94:a6:ac root@archlinux-packer (ED25519)
 2048 MD5:ca:2f:cf:5c:4d:ec:75:c3:71:76:d6:b7:b9:fa:aa:32 root@archlinux-packer (RSA)

+# redirect.archlinux.org
+1024 SHA256:hqw3Wmif3BUI9VLcNnvcB3I+M9f5OUtDjRT8H6tAuEU root@archlinux-packer (DSA)
+256 SHA256:JaUkz0eOofslq9BVifMx8c6sapM/DSig9zrVyFqrHD4 root@archlinux-packer (ECDSA)
+256 SHA256:sUcgzScFlMByQKLW2IDYBc2m6EvLXzM6KVa2mzls3TA root@archlinux-packer (ED25519)
+3072 SHA256:yUn8pVpioFsltzFKA2cImHb6UnD63pCOCiJsP5OFLBQ root@archlinux-packer (RSA)
+
+1024 MD5:a8:f9:dd:2a:79:ca:3a:ef:b5:24:49:6b:61:1f:bb:07 root@archlinux-packer (DSA)
+256 MD5:b1:f5:78:51:c5:50:5e:25:73:68:fc:80:53:25:94:ba root@archlinux-packer (ECDSA)
+256 MD5:5a:49:d5:f3:00:ca:49:17:d8:cc:3e:84:1d:60:be:06 root@archlinux-packer (ED25519)
+3072 MD5:1e:52:48:56:d3:13:20:e5:02:4f:10:1b:af:27:e5:c7 root@archlinux-packer (RSA)
+
 # repro1.pkgbuild.com
 1024 SHA256:K2RjAgIzlRrSkqdf3vqwfXOOg0oEMt/AwAT2Gmt2wpA root@repro3.pkgbuild.com (DSA)
 256 SHA256:H/7en8S/UqQ+llIDPyCIn9sYHjiEU6L+Myu0MpmoDsE root@repro3.pkgbuild.com (ECDSA)

--- a/docs/ssh-known_hosts.txt
+++ b/docs/ssh-known_hosts.txt
@@ -118,6 +118,11 @@ quassel.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbm
 quassel.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMJ8pFEQOPKxtdHcNkYP/lmF9vrM5ub30Kbeo3SQJ3OI
 quassel.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPHwHxYNG1vjRiEfoVEa9onPLdUNFdwmrCblc95ALKU+GTCOO8C6gBo2J4w5hB6CABUh4zJn2AbXi1E6YQdGyumfvBhXzpim+wdPtDh/Wrqxl8M06Gk2+YbAS1m0452xsMELodNTPd7HDB0iXDEfEjB02jk7D/KHIVWkKi0wlV3d4WG1M0c5D+MA3zFoYN/EwcRYK120P3dbYzdCwrYi6IdgA/+2g8ALvkAkLEW3uYyIct8kQ/sTLKcKimuyeiYCEn2jviIJjraF2T0U6m+dgfEEBtyITzvP9/3oAflIsgr1LHHVwfhdlbml1LvqPojYpBV2YrE8esmCzhs0a6TWP5

+# redirect.archlinux.org
+redirect.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNNlS8biku7pxOjm+a0MxYR0ICSRjoqkaCSPdY5tdUnOPmEnvRm7qqO4pzvzy5FjhcFOW4oTuKu93ZXmnU9rV1s=
+redirect.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID8cqRGOzfp+waFo4fxxq2oUKPFsTNRL0MB1M3xT2Y5L
+redirect.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC3VdhG7Lm+UYBGjf/G8eUSXL43N2QLRTm23LaSKaegx9/41mtlRJAoHfpHsJg8a2nBEGebooZqp5rwP4kxj0pB7394VP5UjThhqBQ9lWKJgCkceRsvkRYkbrBQHyNiRcFQ7/3YxPFJyNlxQwxiBe9sRk1HHUtQOeleGAQoB+GOMkKSPmqD6k/D5GzoX/maqraFK8S0egapKF5VMWw+6apAv+vp7O/zyPrOddaKLB2XK2c86Jl04z1vA3UMAJ+mQ9P0+WLYzEdxx3OmChw/CQOQk2n3Q/civV7prhkf4Qs58uw6Eg2dGmcP5+z5NeC2J/egxQROoSgUpbUf0W/UDEApjAzAIuzDIXOLwXqqf4b7NKfvCiycCQvk9fTWd14AuTfh/qjwKaP4dEkkmDjR7/mvan5M/mxs82QZIMDW6THYvAnkQ0715Ai4C1+WE1gvzpLbtfJxZhngigDi1YpG3uLf2D7PwKNWc6A6OGpW36GB0nlT3kns13xxmMauxhBJW78=
+
 # repro1.pkgbuild.com
 repro1.pkgbuild.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKYR9cx4+umxrRJ68vvqOmCSkYuZJDkYAAxlT+bbKNnA2R5jpuxvLamGPFfdAzAQjk5FRnbNGihMI2V2Fw8M2gQ=
 repro1.pkgbuild.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrJCFjvo5svIzF5d7agm1/QlqyYlegxSX6GebZp6E5c

--- a/hosts
+++ b/hosts
@@ -135,6 +135,7 @@ repro1.pkgbuild.com
 wiki.archlinux.org
 patchwork.archlinux.org
 security.archlinux.org
+redirect.archlinux.org

 [kape_servers]
 asia.mirror.pkgbuild.com

--- a/playbooks/redirect.archlinux.org.yml
+++ b/playbooks/redirect.archlinux.org.yml
+- name: setup redirect.archlinux.org
+  hosts: redirect.archlinux.org
+  remote_user: root
+  roles:
+    - { role: common }
+    - { role: tools }
+    - { role: firewalld }
+    - { role: unbound }
+    - { role: sshd }
+    - { role: root_ssh }
+    - { role: certbot }
+    - { role: nginx }
+    - { role: redirects }
+    - { role: prometheus_exporters }
+    - { role: hardening }
--- a/roles/redirects/defaults/main.yml
+++ b/roles/redirects/defaults/main.yml
+redirects:
+  - static.conf:
+    domain: static.conf.archlinux.org
+    to: https://gitlab.archlinux.org/archlinux/conf-files/-/raw/master$request_uri
+    type: 302
--- a/roles/redirects/tasks/main.yml
+++ b/roles/redirects/tasks/main.yml
+---
+- name: create ssl cert
+  command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d {{ item.domain }} creates='/etc/letsencrypt/live/{{ item.domain }}/fullchain.pem'
+  loop: "{{ redirects }}"
+
+- name: make nginx log dir
+  file: path=/var/log/nginx/{{ item.domain }} state=directory owner=root group=root mode=0755
+  loop: "{{ redirects }}"
+
+- name: set up nginx
+  template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/redirects.conf" owner=root group=root mode=644
+  notify: reload nginx
+  tags: ['nginx']
--- a/roles/redirects/templates/nginx.d.conf.j2
+++ b/roles/redirects/templates/nginx.d.conf.j2
+{% for redirect in redirects %}
+server {
+    listen       80;
+    listen       [::]:80;
+    listen       443 ssl http2;
+    listen       [::]:443 ssl http2;
+    server_name  {{ redirect.domain }};
+
+    access_log   /var/log/nginx/{{ redirect.domain }}/access.log reduced;
+    error_log    /var/log/nginx/{{ redirect.domain }}/error.log;
+
+    ssl_certificate      /etc/letsencrypt/live/{{ redirect.domain }}/fullchain.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/{{ redirect.domain }}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ redirect.domain }}/chain.pem;
+
+    include snippets/letsencrypt.conf;
+
+    return {{ redirect.type }} {{ redirect.to }};
+}
+{% endfor %}
--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
@@ -788,6 +788,20 @@ resource "hetznerdns_record" "archlinux_org_quassel_aaaa" {
  type    = "AAAA"
 }

+resource "hetznerdns_record" "archlinux_org_redirect_a" {
+  zone_id = hetznerdns_zone.archlinux.id
+  name    = "redirect"
+  value   = hcloud_server.redirect.ipv4_address
+  type    = "A"
+}
+
+resource "hetznerdns_record" "archlinux_org_redirect_aaaa" {
+  zone_id = hetznerdns_zone.archlinux.id
+  name    = "redirect"
+  value   = hcloud_server.redirect.ipv6_address
+  type    = "AAAA"
+}
+
 resource "hetznerdns_record" "archlinux_org_reproducible_a" {
  zone_id = hetznerdns_zone.archlinux.id
  name    = "reproducible"
@@ -1256,6 +1270,27 @@ resource "hcloud_server" "aur-dev" {
  }
 }

+resource "hcloud_rdns" "redirect_ipv4" {
+  server_id  = hcloud_server.redirect.id
+  ip_address = hcloud_server.redirect.ipv4_address
+  dns_ptr    = "redirect.archlinux.org"
+}
+
+resource "hcloud_rdns" "redirect_ipv6" {
+  server_id  = hcloud_server.redirect.id
+  ip_address = hcloud_server.redirect.ipv6_address
+  dns_ptr    = "redirect.archlinux.org"
+}
+
+resource "hcloud_server" "redirect" {
+  name        = "redirect.archlinux.org"
+  image       = data.hcloud_image.archlinux.id
+  server_type = "cx11"
+  lifecycle {
+    ignore_changes = [image]
+  }
+}
+
 resource "hcloud_rdns" "mailman3_ipv4" {
  server_id  = hcloud_server.mailman3.id
  ip_address = hcloud_server.mailman3.ipv4_address