Create sandbox DNS zone

The VMs created in the Hetzner cloud sandbox project must be accessible
with a DNS name. This creates a dedicated DNS zone for this purpose.

For now this zone will only be used by the aurweb project, so it can
create DNS records for the VMs it creates. This is needed so the dynamic
created environment can be accessed over HTTPS.

[1] https://docs.gitlab.com/ee/ci/review_apps/

group_vars/all/dyn_dns.yml

@@ -6,3 +6,9 @@ dyn_dns_zones:
     allowed_ipv6: "{{ groups['geo_mirrors'] | map('extract', hostvars, ['ipv6_address']) }}"
     valid_qtypes: [TXT]
   _acme-challenge.riscv.mirror.pkgbuild.com: *acme_challenge
+  sandbox.archlinux.page:
+    key: sandbox
+    allowed_ipv4: "{{ groups['gitlab_runners'] | map('extract', hostvars, ['ipv4_address']) }}"
+    allowed_ipv6: "{{ groups['gitlab_runners'] | map('extract', hostvars, ['ipv6_address']) }}"
+    valid_qtypes: [A, AAAA]
+    subdomains: only

group_vars/all/vault_dyn_dns_keys.yml

 $ANSIBLE_VAULT;1.1;AES256
-61373835393530366133386434373162656332363939656235646235663333633532336435353266
-3364616435323230656233666633353535303436363433610a376133633938663634323932643764
-36656433366566623864636462383861636538363737343861316330306561373965626366363032
-6366373462303839660a653335623261306630623139643630323330633665393030333830653930
-37653166613264643537383734336163313537313334363635653062653832333638356361313461
-62353166393332326534356661653464333266383234396536383633323834333566633861643363
-66316162356566343964623237356264633564646634653834326363386235333361656332386265
-39333463343365393962663637666333376236366638306361316435306537643031346162346464
-33313466353666353136386463353831353365643333613066326136343234343636343833346465
-64343962303766303436613538616165623837383837303230623135623562303664333764323834
-62313864653234653138336134303638666234376631663361396662653863643433313864303330
-63663034353461346562
+62393237353533363738376335336564623464336332393733306465333339376130613338356537
+6166666538303939313238323238616433653036376662360a323663613934636539333365303166
+33343266613234363965363233666165383333343862326436313935636631326266363462613033
+3937393135656534370a663035633362643931653864336336396535373038396165633934366433
+31656663396538376337373762386162386665353639336235363233643139303763333861376339
+62306130363039376431396234333030616235306530343336326237656638636435363038663931
+39356535643265616337306530393962373537336335333764363565313939373565326561613066
+36633931656662393538353836353365386634663736356131323435333265653832656162306230
+64326535353532373137656535386531333536353531643863646135386664333030363564376463
+61386537306235356666353761383237336133376665393365663636386238373534623833306430
+37323336623537613034643763363439643063633433323431623932646465363230316533356337
+34623964653036383766316336373462363562333963663939333431643665643737643164396565
+38396332356630366665666239656562313430363432366639373235343430653236356438643131
+65623438313963356630333939636663393539656463376339326631636263313564636432343635
+39656466323965626264623332393630333035396638653039343536373337643165313564333363
+36626239303836383932336537313061663961636137396162303838356661386636303262653633
+33336665306634363866386237623733643663313136373037376631363364343161373731626637
+30346433666230663564643731616566663339393166343061333033386462366663383839653631
+363865646464333236663262323265376363

tf-stage1/archlinux.tf

@@ -473,6 +473,14 @@ resource "hetznerdns_record" "archlinux_page_origin_ns1" {
   ttl     = 86400
 }
 
+resource "hetznerdns_record" "archlinux_page_sandbox_ns1" {
+  zone_id = hetznerdns_zone.archlinux_page.id
+  name    = "sandbox"
+  value   = "redirect.archlinux.org."
+  type    = "NS"
+  ttl     = 86400
+}
+
 # TODO: Commented currently as we have no idea how to handle SOA stuff with Terraform:
 # https://github.com/timohirt/terraform-provider-hetznerdns/issues/20
 # https://gitlab.archlinux.org/archlinux/infrastructure/-/merge_requests/62#note_4040