archive: Fix archive mirroring

With the dbscripts role no longer deployed on gemini, we need to deploy
rsyncd from another role, which this commit does. The rsync endpoint is
only accessible over our internal wireguard network, to reduce exposure
and we also get encryption.

Relates to #531

group_vars/mirrors/mirrorsync.yml

 mirrorsync_mirrors:
   archive:
     hosts: "{{ groups['archive_mirrors'] }}"
-    source: rsync://archive.archlinux.org/archive
+    source: rsync://{{ hostvars['gemini.archlinux.org']['wireguard_address'] }}/archive
     target: /srv/archive
     last_update_url: https://archive.archlinux.org/repos/last/lastupdate
     last_update_dst: lastupdate

roles/archive/tasks/main.yml

-- name: Install archivetools package
-  pacman: name=archivetools state=present
+- name: Install archivetools and rsync
+  pacman: name=archivetools,rsync state=present
 
 - name: Make archive dir
   file:
@@ -38,6 +38,19 @@
   become: true
   become_user: "{{ archive_user_name }}"
 
+- name: Install rsyncd config
+  template: src=rsyncd.conf.j2 dest=/etc/rsyncd.conf owner=root group=root mode=0644
+
+- name: Start and enable rsyncd.socket
+  service: name=rsyncd.socket enabled=yes state=started
+
+- name: Open rsyncd ipv4 port for the archive mirrors
+  ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
+    rich_rule="rule family=ipv4 source address={{ hostvars[item]['wireguard_address'] }} port protocol=tcp port=873 accept"
+  loop: "{{ groups['archive_mirrors'] }}"
+  tags:
+    - firewall
+
 - name: Install system service
   template: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
   loop:

roles/archive/templates/rsyncd.conf.j2

+use chroot = no
+syslog facility = local5
+
+[archive]
+	path = /srv/archive
+	comment = archive
+	hosts allow = {{ groups['archive_mirrors'] | map('extract', hostvars, ['wireguard_address']) | join(' ') }}