diff --git a/host_vars/mirror.pkgbuild.com/misc b/host_vars/mirror.pkgbuild.com/misc
index 1663410dd031d63e5835868ca0f72dbc108bc897..8759253d8d08ac13fe643bead1f1bdea8052e143 100644
--- a/host_vars/mirror.pkgbuild.com/misc
+++ b/host_vars/mirror.pkgbuild.com/misc
@@ -1,6 +1,7 @@
 ---
 mirror_domain: mirror.pkgbuild.com
 mirror_debug_packages: false
+geomirror_acme_challenge: true
 archweb_mirrorcheck_locations: [20, 21]
 filesystem: btrfs
 
diff --git a/playbooks/mirrors.yml b/playbooks/mirrors.yml
index bdb558063b08fd299d8f5f03325b3c59274f00d6..75184d5663166501f4c0581989ff8ab3af302852 100644
--- a/playbooks/mirrors.yml
+++ b/playbooks/mirrors.yml
@@ -15,4 +15,4 @@
     - { role: promtail }
     - { role: fail2ban }
     - { role: wireguard }
-    - { role: geomirror, when: inventory_hostname == "mirror.pkgbuild.com" }
+    - { role: geomirror, when: "inventory_hostname == 'mirror.pkgbuild.com' or 'geo_mirrors' in group_names" }
diff --git a/roles/geomirror/defaults/main.yml b/roles/geomirror/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..b82cec9d855633a7dac50735bf4f953c5e12d1e3
--- /dev/null
+++ b/roles/geomirror/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+geomirror_acme_challenge: false
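Review bot: The new default `geomirror_acme_challenge: false` has no comment, although the flag decides which host runs the gsqlite3 backend with `dnsupdate=yes` and imports the certbot TSIG key. I would add a comment above it such as `# true only on the host that serves the _acme-challenge zone and accepts RFC 2136 updates from certbot`. The geo.yml.j2 change in this commit delegates `_acme-challenge` to mirror.pkgbuild.com alone, so the flag is presumably meant to be true on exactly one host. Stating that here would stop a later host_vars edit from quietly creating a second update-capable server.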
diff --git a/roles/geomirror/tasks/main.yml b/roles/geomirror/tasks/main.yml
index ae91396fc4aeabcd6e9b35d3d8286f7265612291..5373cb1c70113cb9e0665129461d630617091c10 100644
--- a/roles/geomirror/tasks/main.yml
+++ b/roles/geomirror/tasks/main.yml
@@ -12,6 +12,7 @@
 
 - name: create directory for sqlite3 dbs
   file: path=/var/lib/powerdns state=directory owner=powerdns group=powerdns mode=0755
+  when: geomirror_acme_challenge
 
 - name: initialize sqlite3 database for _acme-challenge zone
   command: sqlite3 -init /usr/share/doc/powerdns/schema.sqlite3.sql /var/lib/powerdns/pdns.sqlite3 ""
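Review bot: The `create directory for sqlite3 dbs` task keeps `mode=0755` on /var/lib/powerdns, and the `pdns.sqlite3` database created there by the next task is where the TSIG key imported further down is presumably stored. If the database file ends up world-readable (its mode depends on the umask of the sqlite3 command, which is not visible here), any local user can read the key material. Since the task is being touched anyway, consider `mode=0750` so only powerdns and its group can traverse the directory. The `initialize sqlite3 database` task continues outside this hunk.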
@@ -20,6 +21,7 @@
   args:
     creates: /var/lib/powerdns/pdns.sqlite3
   register: init
+  when: geomirror_acme_challenge
 
 - name: create _acme-challenge zone
   command: "{{ item }}"
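Review bot: The `create _acme-challenge zone` task that starts at the end of this hunk gets no visible `when: geomirror_acme_challenge`, and the rest of it lies outside the hunk. If it is gated on the `init` register, a skipped `init` reports `changed: false` and the task will not run on the other mirrors, but that coupling is implicit. Adding `geomirror_acme_challenge` to its condition would keep the pdnsutil calls off hosts that have no gsqlite3 backend, even if the `init` logic changes later.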
@@ -33,6 +35,7 @@
 - name: import TSIG key (for certbot)
   command: pdnsutil import-tsig-key {{ certbot_rfc2136_key }} {{ certbot_rfc2136_algorithm }} {{ certbot_rfc2136_secret }}
   changed_when: false
+  when: geomirror_acme_challenge
 
 - name: open powerdns ipv4 port for monitoring.archlinux.org
   ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
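Review bot: The `import TSIG key (for certbot)` task passes `{{ certbot_rfc2136_secret }}` as a command-line argument and sets no `no_log`, so the secret appears in Ansible's task result on failure or with verbose output. It is also visible in the host's process list while pdnsutil runs. Add `no_log: true` next to the new `when: geomirror_acme_challenge` line. The firewalld task at the end of the hunk continues outside it.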
diff --git a/roles/geomirror/templates/geo.yml.j2 b/roles/geomirror/templates/geo.yml.j2
index c49b2eea12e8e60dc25d542159ea7fb6b2538517..58174918777fe92246f7769125a0e1406635fb80 100644
--- a/roles/geomirror/templates/geo.yml.j2
+++ b/roles/geomirror/templates/geo.yml.j2
@@ -7,11 +7,18 @@ domains:
       {{ geo_mirror_domain }}:
         - soa: mirror.pkgbuild.com. root.archlinux.org. 2022011501 3600 1800 604800 3600
         - ns: mirror.pkgbuild.com
+      {% for host in groups['geo_mirrors'] %}
+        - ns: {{ host }}
+      {% endfor %}
       {% for host in groups['geo_mirrors'] %}
       {{ host.split(".")[0] }}.{{ geo_mirror_domain }}:
         - a: {{ hostvars[host]['ipv4_address'] }}
         - aaaa: {{ hostvars[host]['ipv6_address'] }}
       {% endfor %}
+      {% if not geomirror_acme_challenge %}
+      _acme-challenge.{{ geo_mirror_domain }}:
+        - ns: mirror.pkgbuild.com
+      {% endif %}
     services:
       {{ geo_mirror_domain }}: '%mp.geo.mirror.pkgbuild.com'
 mapping_lookup_formats: ['%cn']
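Review bot: The NS set produced by the new `{% for host in groups['geo_mirrors'] %}` loop comes from the inventory, while the parent-side delegation in tf-stage1/archlinux.tf is a hand-written list of records. Adding or removing a host in `geo_mirrors` therefore leaves the parent and child NS sets disagreeing. A comment above the loop, for example `{# keep in sync with the geo.mirror NS records in tf-stage1/archlinux.tf #}`, would make the dependency visible. The SOA serial `2022011501` on the context line also stays the same although the zone content changes, so bump it if anything consumes the serial.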
diff --git a/roles/geomirror/templates/pdns.conf.j2 b/roles/geomirror/templates/pdns.conf.j2
index 1242e5306565f93aff71b4f760e7a8a50ac4b412..8a9c1fbd903b08c549d95ef232b88be5ba74ecc6 100644
--- a/roles/geomirror/templates/pdns.conf.j2
+++ b/roles/geomirror/templates/pdns.conf.j2
@@ -4,9 +4,13 @@ local-address={{ ipv4_address }},{{ ipv6_address }}
 webserver=yes
 webserver-address=0.0.0.0
 webserver-allow-from=127.0.0.1,::1,{{ hostvars['monitoring.archlinux.org']['wireguard_address'] }}
+{% if geomirror_acme_challenge %}
 launch=geoip,gsqlite3
-geoip-database-files=/var/lib/GeoIP/GeoLite2-Country.mmdb
-geoip-zones-file=/etc/powerdns/geo.yml
 gsqlite3-database=/var/lib/powerdns/pdns.sqlite3
 dnsupdate=yes
 lua-dnsupdate-policy-script=/etc/powerdns/dnsupdate-policy.lua
+{% else %}
+launch=geoip
+{% endif %}
+geoip-database-files=/var/lib/GeoIP/GeoLite2-Country.mmdb
+geoip-zones-file=/etc/powerdns/geo.yml
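Review bot: The unchanged `webserver-address=0.0.0.0` line now renders on every `geo_mirrors` host, so each new mirror exposes the PowerDNS webserver on all interfaces. Only `webserver-allow-from` and the firewalld zone stand between it and the public address. The only remote client listed is the monitoring host's WireGuard address, so binding to this host's own WireGuard address would remove the public listener, presumably `webserver-address={{ wireguard_address }}` if that host variable is defined for each mirror. That is only viable if nothing on the host needs the loopback access that `127.0.0.1,::1` currently permits. The template starts above this hunk, so any API key or password setting is not visible here.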
diff --git a/roles/prometheus/templates/prometheus.yml.j2 b/roles/prometheus/templates/prometheus.yml.j2
index a64e19f9009768684b4520e7a456a14c01de1ac2..2927ef6529e5ec795c3ea1ebefb03ed120f57fcd 100644
--- a/roles/prometheus/templates/prometheus.yml.j2
+++ b/roles/prometheus/templates/prometheus.yml.j2
@@ -77,9 +77,13 @@ scrape_configs:
 
   - job_name: 'powerdns'
     static_configs:
-    - targets: ['{{ hostvars['mirror.pkgbuild.com']['wireguard_address'] }}:8081']
+    {% for host in groups['geo_mirrors'] + ['mirror.pkgbuild.com'] %}
+
+    - targets: ['{{ hostvars[host]['wireguard_address'] }}:8081']
       labels:
-        instance: "mirror.pkgbuild.com"
+        instance: "{{ host }}"
+
+    {% endfor %}
 
   - job_name: 'gitlab_runner_exporter'
     static_configs:
diff --git a/tf-stage1/archlinux.tf b/tf-stage1/archlinux.tf
index 20d9ffbe899e237364a5366050c044f0ac043aea..2ed9a234e4e74729d04ab55892b14ba5c9402636 100644
--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
@@ -426,13 +426,34 @@ resource "hetznerdns_record" "pkgbuild_com_origin_txt" {
   type    = "TXT"
 }
 
-resource "hetznerdns_record" "pkgbuild_com_geo_mirror_ns" {
+resource "hetznerdns_record" "pkgbuild_com_geo_mirror_ns1" {
   zone_id = hetznerdns_zone.pkgbuild.id
   name    = "geo.mirror"
   value   = "mirror.pkgbuild.com."
   type    = "NS"
 }
 
+resource "hetznerdns_record" "pkgbuild_com_geo_mirror_n2" {
+  zone_id = hetznerdns_zone.pkgbuild.id
+  name    = "geo.mirror"
+  value   = "asia.mirror.pkgbuild.com."
+  type    = "NS"
+}
+
+resource "hetznerdns_record" "pkgbuild_com_geo_mirror_ns3" {
+  zone_id = hetznerdns_zone.pkgbuild.id
+  name    = "geo.mirror"
+  value   = "america.mirror.pkgbuild.com."
+  type    = "NS"
+}
+
+resource "hetznerdns_record" "pkgbuild_com_geo_mirror_ns4" {
+  zone_id = hetznerdns_zone.pkgbuild.id
+  name    = "geo.mirror"
+  value   = "europe.mirror.pkgbuild.com."
+  type    = "NS"
+}
+
 resource "hetznerdns_record" "archlinux_org_origin_caa" {
   zone_id = hetznerdns_zone.archlinux.id
   name    = "@"
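Review bot: The second NS resource is named `pkgbuild_com_geo_mirror_n2` while its siblings are `..._ns1`, `..._ns3` and `..._ns4`. Rename it to `pkgbuild_com_geo_mirror_ns2` now, because a later rename changes the resource address. The same concern applies to the rename of `pkgbuild_com_geo_mirror_ns` to `pkgbuild_com_geo_mirror_ns1` in this hunk. Without a `moved` block from the old address to the new one, or a `terraform state mv`, Terraform will plan a destroy and create of the existing NS record, which can briefly remove the original delegation for geo.mirror.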