common: use tier0 mirror on build servers + gemini

There is a need for build servers to never build against outdated repo databases, even with syncrepo providing a local mirror that is updated every minute. To that effect, we adjust mirrorlist on build servers so the first mirror is the tier0 mirror provided by gemini. Keep the syncrepo role on build servers in order to have a local cache of packages and avoid concurrent build jobs downloading the same files causing them to be corrupted. Finally, configure gemini to use its own repos (like other mirrors do).

common: use tier0 mirror on build servers + gemini
b3256827 · Evangelos Foutras · a144aa45 · b3256827 · b3256827
Verified Commit b3256827 authored 3 years ago by Evangelos Foutras
--- a/roles/common/templates/mirrorlist.j2
+++ b/roles/common/templates/mirrorlist.j2
-{% if 'mirrors' in group_names or 'buildservers' in group_names %}
+{% if 'buildservers' in group_names %}
+Server = https://repos.archlinux.org/$repo/os/$arch
+{% endif %}
+{% if 'mirrors' in group_names or inventory_hostname == 'gemini.archlinux.org' %}
 Server = file:///srv/ftp/$repo/os/$arch
 {% endif %}
-Server = https://mirror.pkgbuild.com/$repo/os/$arch/
+Server = https://mirror.pkgbuild.com/$repo/os/$arch
--- a/roles/dbscripts/templates/nginx.d.conf.j2
+++ b/roles/dbscripts/templates/nginx.d.conf.j2
@@ -14,8 +14,6 @@ server {
    ssl_certificate_key  /etc/letsencrypt/live/{{ repos_domain }}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ repos_domain }}/chain.pem;

-    satisfy  any;
-
    access_log   /var/log/nginx/{{ repos_domain }}/access.log reduced;
    access_log   /var/log/nginx/{{ repos_domain }}/access.log.json json_reduced;

@@ -24,8 +22,18 @@ server {
    }

    location / {
+        satisfy any;
        auth_request /devel/mirrorauth/;

+{% for host in groups['buildservers'] | sort | unique %}
+        # {{ host }}
+{% for address in ['ipv4_address', 'ipv6_address'] if address in hostvars[host] %}
+        allow {{ hostvars[host][address] }};
+{% else %}
+        # no addresses defined in hostvars
+{% endfor %}
+
+{% endfor %}
        autoindex  on;
    }

@@ -50,7 +58,7 @@ server {

        # Authentication to archweb
        proxy_pass https://archlinux.org;
-	proxy_ssl_verify on;
-	proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+        proxy_ssl_verify on;
+        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    }
 }