From b3256827b157cab347d9c71efd8f79c6621e2fc1 Mon Sep 17 00:00:00 2001
From: Evangelos Foutras <evangelos@foutrelis.com>
Date: Sat, 19 Mar 2022 20:42:03 +0200
Subject: [PATCH] common: use tier0 mirror on build servers + gemini

There is a need for build servers to never build against outdated repo
databases, even with syncrepo providing a local mirror that is updated
every minute. To that effect, we adjust mirrorlist on build servers so
the first mirror is the tier0 mirror provided by gemini.

Keep the syncrepo role on build servers in order to have a local cache
of packages and to avoid concurrent build jobs downloading the same
files, which causes them to be corrupted.

Finally, configure gemini to use its own repos (like other mirrors do).
---
 roles/common/templates/mirrorlist.j2      |  7 +++++--
 roles/dbscripts/templates/nginx.d.conf.j2 | 16 ++++++++++++----
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/roles/common/templates/mirrorlist.j2 b/roles/common/templates/mirrorlist.j2
index 2b6f0a692..ac61e1cd0 100644
--- a/roles/common/templates/mirrorlist.j2
+++ b/roles/common/templates/mirrorlist.j2
@@ -1,4 +1,7 @@
-{% if 'mirrors' in group_names or 'buildservers' in group_names %}
+{% if 'buildservers' in group_names %}
+Server = https://repos.archlinux.org/$repo/os/$arch
+{% endif %}
+{% if 'mirrors' in group_names or inventory_hostname == 'gemini.archlinux.org' %}
 Server = file:///srv/ftp/$repo/os/$arch
 {% endif %}
-Server = https://mirror.pkgbuild.com/$repo/os/$arch/
+Server = https://mirror.pkgbuild.com/$repo/os/$arch
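Review bot: The unconditional `Server = https://mirror.pkgbuild.com/$repo/os/$arch` line still follows the new tier0 entry on build servers, so pacman can move on to it whenever repos.archlinux.org is unreachable or refuses the request. The build then runs against whatever that mirror currently holds, which works against the stated goal of never building on outdated databases, and nothing makes the fallback visible. The same outcome looks reachable from the `location /` hunk in nginx.d.conf.j2, where a build server without `ipv4_address`/`ipv6_address` in hostvars gets only a comment instead of an `allow` line. If the fallback is a deliberate availability trade-off, say so in a template comment such as `{# build servers fall back to mirror.pkgbuild.com if tier0 is unavailable; databases may then lag #}`; otherwise wrap the last line in `{% if 'buildservers' not in group_names %}` … `{% endif %}`.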
diff --git a/roles/dbscripts/templates/nginx.d.conf.j2 b/roles/dbscripts/templates/nginx.d.conf.j2
index 35dbca43c..6c23c7891 100644
--- a/roles/dbscripts/templates/nginx.d.conf.j2
+++ b/roles/dbscripts/templates/nginx.d.conf.j2
@@ -14,8 +14,6 @@ server {
     ssl_certificate_key  /etc/letsencrypt/live/{{ repos_domain }}/privkey.pem;
     ssl_trusted_certificate /etc/letsencrypt/live/{{ repos_domain }}/chain.pem;
 
-    satisfy  any;
-
     access_log   /var/log/nginx/{{ repos_domain }}/access.log reduced;
     access_log   /var/log/nginx/{{ repos_domain }}/access.log.json json_reduced;
 
@@ -24,8 +22,18 @@ server {
     }
 
     location / {
+        satisfy any;
         auth_request /devel/mirrorauth/;
 
+{% for host in groups['buildservers'] | sort | unique %}
+        # {{ host }}
+{% for address in ['ipv4_address', 'ipv6_address'] if address in hostvars[host] %}
+        allow {{ hostvars[host][address] }};
+{% else %}
+        # no addresses defined in hostvars
+{% endfor %}
+
+{% endfor %}
         autoindex  on;
     }
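Review bot: With `satisfy any;`, every generated `allow` line in `location /` lets requests from that source address skip `auth_request /devel/mirrorauth/` entirely, and the template does not document this trust decision. Anything able to send traffic from a build server's address, including any build job or user on that host, can then read the repository without credentials. If a proxy or real-IP rewriting sits in front of this server block (not visible here, as the block starts and ends outside the hunk), the match would be made on the rewritten address. I would add a comment above the loop, for example `# build servers are trusted by source address and bypass auth_request (satisfy any)`, and confirm the inventory addresses are the ones nginx actually sees.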
 
@@ -50,7 +58,7 @@ server {
 
         # Authentication to archweb
         proxy_pass https://archlinux.org;
-	proxy_ssl_verify on;
-	proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+        proxy_ssl_verify on;
+        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
     }
 }
-- 
GitLab