From cd7edcc485ccb5ef8b9c33cef19803ac9282cda0 Mon Sep 17 00:00:00 2001
From: Kristian Klausen <kristian@klausen.dk>
Date: Sat, 4 Jan 2025 21:02:50 +0100
Subject: [PATCH] archive: Fix archive mirroring

With the dbscripts role no longer deployed on gemini, we need to deploy
rsyncd from another role, which this commit does. The rsync endpoint is
only accessible over our internal wireguard network, which reduces
exposure and also gives us encryption.

Relates to #531
---
 group_vars/mirrors/mirrorsync.yml      |  2 +-
 roles/archive/tasks/main.yml           | 17 +++++++++++++++--
 roles/archive/templates/rsyncd.conf.j2 |  7 +++++++
 3 files changed, 23 insertions(+), 3 deletions(-)
 create mode 100644 roles/archive/templates/rsyncd.conf.j2

diff --git a/group_vars/mirrors/mirrorsync.yml b/group_vars/mirrors/mirrorsync.yml
index 2db497cf0..19311eda7 100644
--- a/group_vars/mirrors/mirrorsync.yml
+++ b/group_vars/mirrors/mirrorsync.yml
@@ -1,7 +1,7 @@
 mirrorsync_mirrors:
   archive:
     hosts: "{{ groups['archive_mirrors'] }}"
-    source: rsync://archive.archlinux.org/archive
+    source: rsync://{{ hostvars['gemini.archlinux.org']['wireguard_address'] }}/archive
     target: /srv/archive
     last_update_url: https://archive.archlinux.org/repos/last/lastupdate
     last_update_dst: lastupdate
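Review bot: The new `source` value on the changed line pins the archive origin to a literal inventory hostname (`gemini.archlinux.org`) and to its `wireguard_address`, so the reason the URL moved from a public DNS name to a tunnel address is not visible from this file; a comment above it would carry that, e.g. `# rsync:// is plaintext; the source is reached only over wireguard, which restricts exposure and provides encryption`. Rendering this template also requires `wireguard_address` to be defined for gemini whenever a play touches the mirrors group, which presumably holds for host_vars but is worth confirming.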
diff --git a/roles/archive/tasks/main.yml b/roles/archive/tasks/main.yml
index 001f853e1..238c267af 100644
--- a/roles/archive/tasks/main.yml
+++ b/roles/archive/tasks/main.yml
@@ -1,5 +1,5 @@
-- name: Install archivetools package
-  pacman: name=archivetools state=present
+- name: Install archivetools and rsync
+  pacman: name=archivetools,rsync state=present
 
 - name: Make archive dir
   file:
@@ -38,6 +38,19 @@
   become: true
   become_user: "{{ archive_user_name }}"
 
+- name: Install rsyncd config
+  template: src=rsyncd.conf.j2 dest=/etc/rsyncd.conf owner=root group=root mode=0644
+
+- name: Start and enable rsyncd.socket
+  service: name=rsyncd.socket enabled=yes state=started
+
+- name: Open rsyncd ipv4 port for the archive mirrors
+  ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
+    rich_rule="rule family=ipv4 source address={{ hostvars[item]['wireguard_address'] }} port protocol=tcp port=873 accept"
+  loop: "{{ groups['archive_mirrors'] }}"
+  tags:
+    - firewall
+
 - name: Install system service
   template: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
   loop:
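Review bot: The firewalld task on the added lines passes its module arguments as a key=value string that continues onto a second line, so the `rich_rule=` line is only attached by YAML's plain-scalar folding, and it mixes `permanent=true` with `immediate=yes`. Writing the arguments as block YAML makes the rule's quoting explicit and keeps booleans canonical, matching the `tags:` and `loop:` keys that already use block style. The rule is ipv4-only by design (family=ipv4), which is consistent with the task name; if any mirror's `wireguard_address` were an IPv6 address it would silently not match, so that assumption is worth a comment.
```yaml
- name: Open rsyncd ipv4 port for the archive mirrors
  ansible.posix.firewalld:
    zone: wireguard
    state: enabled
    permanent: true
    immediate: true
    # wireguard_address is assumed to be an IPv4 address (family=ipv4)
    rich_rule: "rule family=ipv4 source address={{ hostvars[item]['wireguard_address'] }} port protocol=tcp port=873 accept"
  loop: "{{ groups['archive_mirrors'] }}"
  tags:
    - firewall
```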
diff --git a/roles/archive/templates/rsyncd.conf.j2 b/roles/archive/templates/rsyncd.conf.j2
new file mode 100644
index 000000000..ad8b2bb3f
--- /dev/null
+++ b/roles/archive/templates/rsyncd.conf.j2
@@ -0,0 +1,7 @@
+use chroot = no
+syslog facility = local5
+
+[archive]
+	path = /srv/archive
+	comment = archive
+	hosts allow = {{ groups['archive_mirrors'] | map('extract', hostvars, ['wireguard_address']) | join(' ') }}
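Review bot: The `[archive]` module relies on `hosts allow` alone; if `groups['archive_mirrors']` is ever empty the directive renders with an empty value, which rsync may treat as unset and therefore allow any client, so a default-deny line makes the intent explicit: `hosts deny = *`. The module also relies on rsyncd's default for write access; stating `read only = yes` in the template documents that the archive is served read-only rather than depending on the default. `use chroot = no` is set without explanation; if the archive's content allows it, a comment giving the reason (or enabling chroot) would help the next maintainer.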
-- 
GitLab