diff --git a/docs/ssh-hostkeys.txt b/docs/ssh-hostkeys.txt index b99e636b926a1f1bd737381fcb8907d22c2a14d7..4dc207416877459f074b24a83ef39bf6edcdec10 100644 --- a/docs/ssh-hostkeys.txt +++ b/docs/ssh-hostkeys.txt @@ -262,6 +262,17 @@ 256 MD5:15:45:eb:91:69:df:c3:6d:9f:99:b9:13:02:94:a6:ac root@archlinux-packer (ED25519) 2048 MD5:ca:2f:cf:5c:4d:ec:75:c3:71:76:d6:b7:b9:fa:aa:32 root@archlinux-packer (RSA) +# redirect.archlinux.org +1024 SHA256:hqw3Wmif3BUI9VLcNnvcB3I+M9f5OUtDjRT8H6tAuEU root@archlinux-packer (DSA) +256 SHA256:JaUkz0eOofslq9BVifMx8c6sapM/DSig9zrVyFqrHD4 root@archlinux-packer (ECDSA) +256 SHA256:sUcgzScFlMByQKLW2IDYBc2m6EvLXzM6KVa2mzls3TA root@archlinux-packer (ED25519) +3072 SHA256:yUn8pVpioFsltzFKA2cImHb6UnD63pCOCiJsP5OFLBQ root@archlinux-packer (RSA) + +1024 MD5:a8:f9:dd:2a:79:ca:3a:ef:b5:24:49:6b:61:1f:bb:07 root@archlinux-packer (DSA) +256 MD5:b1:f5:78:51:c5:50:5e:25:73:68:fc:80:53:25:94:ba root@archlinux-packer (ECDSA) +256 MD5:5a:49:d5:f3:00:ca:49:17:d8:cc:3e:84:1d:60:be:06 root@archlinux-packer (ED25519) +3072 MD5:1e:52:48:56:d3:13:20:e5:02:4f:10:1b:af:27:e5:c7 root@archlinux-packer (RSA) + # repro1.pkgbuild.com 1024 SHA256:K2RjAgIzlRrSkqdf3vqwfXOOg0oEMt/AwAT2Gmt2wpA root@repro3.pkgbuild.com (DSA) 256 SHA256:H/7en8S/UqQ+llIDPyCIn9sYHjiEU6L+Myu0MpmoDsE root@repro3.pkgbuild.com (ECDSA) diff --git a/docs/ssh-known_hosts.txt b/docs/ssh-known_hosts.txt index 9c9271cdf7f1d75737c5c69bda2fb9b09bd1e95b..75d48ce0b9c6bd0a0ae543b44a83499f390489cd 100644 --- a/docs/ssh-known_hosts.txt +++ b/docs/ssh-known_hosts.txt 
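Review bot: The new redirect.archlinux.org block publishes a 1024-bit DSA host key (`1024 SHA256:hqw3… (DSA)` and the matching MD5 line), while the known_hosts entries added in the same commit list only ecdsa, ed25519 and rsa keys for this host. ssh-dss has been disabled by default in OpenSSH clients and servers since 7.0 and is being removed outright, so a DSA host key on the box is dead weight at best; if the sshd role does not already drop it from HostKey, consider deleting the DSA key pair on the host and removing the two DSA lines here so the published fingerprints match what clients can actually be offered. The MD5 lines are presumably kept for older clients; if nobody relies on them any more, the SHA256 lines alone would be enough.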
@@ -118,6 +118,11 @@ quassel.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbm quassel.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMJ8pFEQOPKxtdHcNkYP/lmF9vrM5ub30Kbeo3SQJ3OI quassel.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPHwHxYNG1vjRiEfoVEa9onPLdUNFdwmrCblc95ALKU+GTCOO8C6gBo2J4w5hB6CABUh4zJn2AbXi1E6YQdGyumfvBhXzpim+wdPtDh/Wrqxl8M06Gk2+YbAS1m0452xsMELodNTPd7HDB0iXDEfEjB02jk7D/KHIVWkKi0wlV3d4WG1M0c5D+MA3zFoYN/EwcRYK120P3dbYzdCwrYi6IdgA/+2g8ALvkAkLEW3uYyIct8kQ/sTLKcKimuyeiYCEn2jviIJjraF2T0U6m+dgfEEBtyITzvP9/3oAflIsgr1LHHVwfhdlbml1LvqPojYpBV2YrE8esmCzhs0a6TWP5 +# redirect.archlinux.org +redirect.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNNlS8biku7pxOjm+a0MxYR0ICSRjoqkaCSPdY5tdUnOPmEnvRm7qqO4pzvzy5FjhcFOW4oTuKu93ZXmnU9rV1s= +redirect.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID8cqRGOzfp+waFo4fxxq2oUKPFsTNRL0MB1M3xT2Y5L +redirect.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC3VdhG7Lm+UYBGjf/G8eUSXL43N2QLRTm23LaSKaegx9/41mtlRJAoHfpHsJg8a2nBEGebooZqp5rwP4kxj0pB7394VP5UjThhqBQ9lWKJgCkceRsvkRYkbrBQHyNiRcFQ7/3YxPFJyNlxQwxiBe9sRk1HHUtQOeleGAQoB+GOMkKSPmqD6k/D5GzoX/maqraFK8S0egapKF5VMWw+6apAv+vp7O/zyPrOddaKLB2XK2c86Jl04z1vA3UMAJ+mQ9P0+WLYzEdxx3OmChw/CQOQk2n3Q/civV7prhkf4Qs58uw6Eg2dGmcP5+z5NeC2J/egxQROoSgUpbUf0W/UDEApjAzAIuzDIXOLwXqqf4b7NKfvCiycCQvk9fTWd14AuTfh/qjwKaP4dEkkmDjR7/mvan5M/mxs82QZIMDW6THYvAnkQ0715Ai4C1+WE1gvzpLbtfJxZhngigDi1YpG3uLf2D7PwKNWc6A6OGpW36GB0nlT3kns13xxmMauxhBJW78= + # repro1.pkgbuild.com repro1.pkgbuild.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKYR9cx4+umxrRJ68vvqOmCSkYuZJDkYAAxlT+bbKNnA2R5jpuxvLamGPFfdAzAQjk5FRnbNGihMI2V2Fw8M2gQ= repro1.pkgbuild.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrJCFjvo5svIzF5d7agm1/QlqyYlegxSX6GebZp6E5c diff --git a/hosts b/hosts index cd4f7c3df5abd65199ae9f61833414663afd2af2..cb3a33c0136216bea975950fd3183958bc6e00e7 100644 --- a/hosts +++ b/hosts 
@@ -135,6 +135,7 @@ repro1.pkgbuild.com wiki.archlinux.org patchwork.archlinux.org security.archlinux.org +redirect.archlinux.org [kape_servers] asia.mirror.pkgbuild.com diff --git a/playbooks/redirect.archlinux.org.yml b/playbooks/redirect.archlinux.org.yml new file mode 100644 index 0000000000000000000000000000000000000000..7e2f8af8a7873a68d975a6dd3c306be8a2b8a943 --- /dev/null +++ b/playbooks/redirect.archlinux.org.yml @@ -0,0 +1,15 @@ +- name: setup redirect.archlinux.org + hosts: redirect.archlinux.org + remote_user: root + roles: + - { role: common } + - { role: tools } + - { role: firewalld } + - { role: unbound } + - { role: sshd } + - { role: root_ssh } + - { role: certbot } + - { role: nginx } + - { role: redirects } + - { role: prometheus_exporters } + - { role: hardening } diff --git a/roles/redirects/defaults/main.yml b/roles/redirects/defaults/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..730da1bcc51d9afb03bd3f9ab6a331117c411ba0 --- /dev/null +++ b/roles/redirects/defaults/main.yml @@ -0,0 +1,5 @@ +redirects: + - static.conf: + domain: static.conf.archlinux.org + to: https://gitlab.archlinux.org/archlinux/conf-files/-/raw/master$request_uri + type: 302 diff --git a/roles/redirects/tasks/main.yml b/roles/redirects/tasks/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..374f32d7d0cead1a1cd80a8c4b2e47d19e8d8493 --- /dev/null +++ b/roles/redirects/tasks/main.yml 
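Review bot: In `roles/redirects/defaults/main.yml` the list item is written as `- static.conf:` followed by `domain`, `to` and `type`; whether those three keys are siblings of `static.conf` or nested under it is not recoverable from the collapsed hunk, and the role's tasks and template only work in the sibling reading (`item.domain` / `redirect.domain`), where `static.conf` is a null-valued key acting as a label. That is fragile: a future entry indented one level deeper silently turns into an undefined-attribute error inside the loop. A plain field is clearer, `- name: static.conf` with `domain:`, `to:` and `type:` at the same level, and the label can then be reused in task names via `loop_control`. Also worth a one-line comment above `to:` that `$request_uri` is the client's raw path and query string and is forwarded verbatim to GitLab.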
@@ -0,0 +1,13 @@ +--- +- name: create ssl cert + command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d {{ item.domain }} creates='/etc/letsencrypt/live/{{ item.domain }}/fullchain.pem' + loop: "{{ redirects }}" + +- name: make nginx log dir + file: path=/var/log/nginx/{{ item.domain }} state=directory owner=root group=root mode=0755 + loop: "{{ redirects }}" + +- name: set up nginx + template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/redirects.conf" owner=root group=root mode=644 + notify: reload nginx + tags: ['nginx'] diff --git a/roles/redirects/templates/nginx.d.conf.j2 b/roles/redirects/templates/nginx.d.conf.j2 new file mode 100644 index 0000000000000000000000000000000000000000..b6c2aa555f45bc5d9b11a27cbf9404ced6f1843a --- /dev/null +++ b/roles/redirects/templates/nginx.d.conf.j2 @@ -0,0 +1,20 @@ +{% for redirect in redirects %} +server { + listen 80; + listen [::]:80; + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name {{ redirect.domain }}; + + access_log /var/log/nginx/{{ redirect.domain }}/access.log reduced; + error_log /var/log/nginx/{{ redirect.domain }}/error.log; + + ssl_certificate /etc/letsencrypt/live/{{ redirect.domain }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ redirect.domain }}/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/{{ redirect.domain }}/chain.pem; + + include snippets/letsencrypt.conf; + + return {{ redirect.type }} {{ redirect.to }}; +} +{% endfor %} diff --git a/tf-stage1/archlinux.tf b/tf-stage1/archlinux.tf index 8966702e5e027567ee1b8ec8c831ba5a94d7d6a9..d3a5bd3707e42076fa04f1ed17f91cfb5da28b45 100644 --- a/tf-stage1/archlinux.tf +++ b/tf-stage1/archlinux.tf 
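Review bot: The `create ssl cert` task issues the certificate with `--webroot` before the `set up nginx` task has written a server block for `{{ item.domain }}`, so on first run the HTTP-01 challenge for static.conf.archlinux.org must be answered by whatever default vhost the nginx role installs; that presumably works only if that default server serves `{{ letsencrypt_validation_dir }}` for any Host header, which this role cannot see. If that is the intended mechanism, a comment on the task would save the next reader the investigation: `# first issuance relies on the nginx default server answering /.well-known/acme-challenge/ for any host`. Minor: both looped tasks print the whole item dict per iteration; `loop_control: label: "{{ item.domain }}"` keeps the output readable.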
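Review bot: `return {{ redirect.type }} {{ redirect.to }};` sits directly in the `server` context, and nginx runs a server-level `return` in the server-rewrite phase before any `location` is matched, so the locations contributed by `include snippets/letsencrypt.conf` (presumably `/.well-known/acme-challenge/`, not visible here) are never reached and every ACME renewal request for the redirect domain receives the 302 to GitLab instead of the challenge file. First issuance can still succeed because it happens before this config exists, which hides the problem until the first renewal. Move the redirect below the include into its own location so the snippet's more specific prefix wins: `location / { return {{ redirect.type }} {{ redirect.to }}; }`. The target uses `$request_uri`, i.e. the client's raw path and query string, which is fine behind a fixed host prefix but deserves a one-line comment in the template.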
@@ -788,6 +788,20 @@ resource "hetznerdns_record" "archlinux_org_quassel_aaaa" { type = "AAAA" } +resource "hetznerdns_record" "archlinux_org_redirect_a" { + zone_id = hetznerdns_zone.archlinux.id + name = "redirect" + value = hcloud_server.redirect.ipv4_address + type = "A" +} + +resource "hetznerdns_record" "archlinux_org_redirect_aaaa" { + zone_id = hetznerdns_zone.archlinux.id + name = "redirect" + value = hcloud_server.redirect.ipv6_address + type = "AAAA" +} + resource "hetznerdns_record" "archlinux_org_reproducible_a" { zone_id = hetznerdns_zone.archlinux.id name = "reproducible" @@ -1256,6 +1270,27 @@ resource "hcloud_server" "aur-dev" { } } +resource "hcloud_rdns" "redirect_ipv4" { + server_id = hcloud_server.redirect.id + ip_address = hcloud_server.redirect.ipv4_address + dns_ptr = "redirect.archlinux.org" +} + +resource "hcloud_rdns" "redirect_ipv6" { + server_id = hcloud_server.redirect.id + ip_address = hcloud_server.redirect.ipv6_address + dns_ptr = "redirect.archlinux.org" +} + +resource "hcloud_server" "redirect" { + name = "redirect.archlinux.org" + image = data.hcloud_image.archlinux.id + server_type = "cx11" + lifecycle { + ignore_changes = [image] + } +} + resource "hcloud_rdns" "mailman3_ipv4" { server_id = hcloud_server.mailman3.id ip_address = hcloud_server.mailman3.ipv4_address
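Review bot: The DNS hunk adds A/AAAA records for `redirect` only, while the redirects role defaults in this same commit issue a certificate for `static.conf.archlinux.org` via HTTP-01; unless a record for `static.conf` already exists in the `archlinux` zone and points at this server (nothing in the diff shows one), the certbot task fails on the first run. If the record is missing, add it next to the new ones as a CNAME to `redirect.archlinux.org` (or A/AAAA on the same addresses) so the Terraform stage and the Ansible role agree on which names this host answers for. The `hcloud_server.redirect` resource mirrors its neighbours; a short comment naming its purpose (`# host for HTTP(S) redirects managed by roles/redirects`) would help, since the name alone does not say what is being redirected.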