Merge branch 'split-repo-and-archive' into 'master'

Move the repos and associated services to its own server

Closes #531

See merge request !905

docs/geomirrors.md

@@ -38,7 +38,7 @@ The continent mirrors america, asia and europe contain the archive mirrors as we
 | install_arch | All | Install Arch | | Optional if you can |
 | mirrors.yml | All | Setup mirror | `<fqdn>` | |
 | redirect.archlinux.org.yml | dyn_dns | Make TXT records | | |
-| gemini.archlinux.org.yml | dbscripts | Allow debug repo syncing | | |
+| repos.archlinux.org.yml | dbscripts | Allow debug repo syncing | | |
 | mirrors.yml | geo_dns | Add new domain to DNS | All other mirrors from geo.mirror | |
 | monitoring.archlinux.org.yml | wireguard,prometheus | Allow loki and prometheus to fetch data | | |
 | archlinux.org.yml | postgres,wireguard | Allow wireguard IP to connect for Mirror check | | Optional see Check Location below |

docs/servers.md

@@ -6,8 +6,6 @@
 ## gemini
 
 ### Services
-  - repos/sync (repos.archlinux.org)
-  - sources (sources.archlinux.org)
   - archive (archive.archlinux.org)
 
 ## lists.archlinux.org
@@ -138,6 +136,12 @@ Prometheus, and Grafana server which receives selected performance/metrics from
   - Authoritative DNS server (PowerDNS) for ACME DNS challenges
   - ping
 
+## repos.archlinux.org
+
+### Services
+  - repos/sync (repos.archlinux.org)
+  - sources (sources.archlinux.org)
+
 ## security.archlinux.org
 
 ### Services

group_vars/all/archusers.yml

@@ -813,5 +813,5 @@ arch_users:
 
 # utility accounts to protect from the "disable ssh keys of disabled users" task
 utility_users:
-  gemini.archlinux.org:
+  repos.archlinux.org:
     - git-packages

group_vars/mirrors/mirrorsync.yml

 mirrorsync_mirrors:
   archive:
     hosts: "{{ groups['archive_mirrors'] }}"
-    source: rsync://archive.archlinux.org/archive
+    source: rsync://{{ hostvars['gemini.archlinux.org']['wireguard_address'] }}/archive
     target: /srv/archive
     last_update_url: https://archive.archlinux.org/repos/last/lastupdate
     last_update_dst: lastupdate
@@ -18,7 +18,7 @@ mirrorsync_mirrors:
       - --include="pool/*-debug/***"
       - --exclude="*"
   repo:
-    hosts: "{{ (groups['mirrors'] + ['build.archlinux.org']) | difference(['repos.archlinux.org']) }}"
+    hosts: "{{ groups['mirrors'] + ['build.archlinux.org'] }}"
     source: rsync://rsync.archlinux.org/ftp_tier1
     target: /srv/ftp
     last_update_url: https://rsync.archlinux.org/lastupdate
@@ -28,13 +28,6 @@ mirrorsync_mirrors:
       - --exclude="/other"
       - --exclude="/sources"
       - --exclude="*-debug/"
-  kitchensink:
-    hosts: "repos.archlinux.org"
-    source: rsync://repos.archlinux.org/kitchensink_tier1
-    target: /srv/ftp
-    last_update_url: https://repos.archlinux.org/lastupdate
-    last_update_dst: lastupdate
-    save_lastsync: true
   riscv:
     hosts: "{{ groups['geo_mirrors'] }}"
     mirror_domain: riscv.mirror.pkgbuild.com

hosts

@@ -3,8 +3,7 @@ build.archlinux.org
 gemini.archlinux.org
 gitlab.archlinux.org
 secure-runner1.archlinux.org
-#TODO(gromit): remove ansible host once the DNS record is set
-repos.archlinux.org ansible_host=168.119.141.106
+repos.archlinux.org
 
 [equinix_metal]
 repro3.pkgbuild.com
@@ -18,8 +17,6 @@ europe.mirror.pkgbuild.com
 london.mirror.pkgbuild.com
 mirror.pkgbuild.com
 sydney.mirror.pkgbuild.com
-#TODO(gromit): remove ansible host once the DNS record is set
-repos.archlinux.org ansible_host=168.119.141.106
 
 [geo_mirrors]
 america.mirror.pkgbuild.com

playbooks/archlinux.org.yml

@@ -2,9 +2,9 @@
   hosts: archlinux.org
   tasks:
     - name: Assign ipv4 addresses to fact postgres_hosts4
-      set_fact: postgres_hosts4="{{ [gemini4] + detected_ips }}"
+      set_fact: postgres_hosts4="{{ [repos4] + detected_ips }}"
       vars:
-        gemini4: "{{ hostvars['gemini.archlinux.org']['wireguard_address'] }}/32"
+        repos4: "{{ hostvars['repos.archlinux.org']['wireguard_address'] }}/32"
         detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['wireguard_address']) | select() | map('regex_replace', '^(.+)$', '\\1/32') | list }}"
       tags: ["postgres", "firewall"]
 

playbooks/gemini.archlinux.org.yml

 - name: Setup gemini.archlinux.org
   hosts: gemini.archlinux.org
   remote_user: root
-  vars:
-    archweb_db_host: "{{ hostvars['archlinux.org']['wireguard_address'] }}"
   vars_files:
     - ../misc/vaults/vault_archive.yml
   roles:
     - { role: common }
-    - { role: tools }
     - { role: firewalld }
     - { role: wireguard }
     - { role: sshd }
     - { role: root_ssh }
     - { role: borg_client, tags: ['borg'] }
-    - { role: sudo, tags: ['archusers'] }
     - { role: certbot }
     - { role: nginx }
-    - { role: archusers }
-    - { role: dbscripts, repos_domain: "repos.archlinux.org", repos_rsync_domain: "rsync.archlinux.org", tags: ['archusers'] }
-    - { role: arch_boxes_sync }
-    - { role: archweb, archweb_site: false, archweb_services: true, archweb_mirrorcheck_locations: [5, 6] }
-    - { role: sources, sources_domain: "sources.archlinux.org", sources_dir: "/srv/sources" }
     - { role: archive }
     - { role: archive_web }
     - { role: postfix_null }

playbooks/repos.archlinux.org.yml

@@ -14,8 +14,11 @@
     - { role: sudo, tags: ['archusers'] }
     - { role: certbot }
     - { role: nginx }
+    - { role: archusers }
+    - { role: dbscripts, repos_domain: "repos.archlinux.org", repos_rsync_domain: "rsync.archlinux.org", tags: ['archusers'] }
+    - { role: arch_boxes_sync }
+    - { role: archweb, archweb_site: false, archweb_services: true }
+    - { role: sources, sources_domain: "sources.archlinux.org", sources_dir: "/srv/sources" }
     - { role: fail2ban }
-    - { role: mirrorsync }
     - { role: prometheus_exporters }
     - { role: promtail }
-    - { role: repo_archive_split_temp, repos_rsync_domain: "rsync.archlinux.org" }

roles/archive/tasks/main.yml

-- name: Install archivetools package
-  pacman: name=archivetools state=present
+- name: Install archivetools and rsync
+  pacman: name=archivetools,rsync state=present
 
 - name: Make archive dir
   file:
@@ -38,15 +38,29 @@
   become: true
   become_user: "{{ archive_user_name }}"
 
+- name: Install rsyncd config
+  template: src=rsyncd.conf.j2 dest=/etc/rsyncd.conf owner=root group=root mode=0644
+
+- name: Start and enable rsyncd.socket
+  service: name=rsyncd.socket enabled=yes state=started
+
+- name: Open rsyncd ipv4 port for the archive mirrors
+  ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
+    rich_rule="rule family=ipv4 source address={{ hostvars[item]['wireguard_address'] }} port protocol=tcp port=873 accept"
+  loop: "{{ groups['archive_mirrors'] }}"
+  tags:
+    - firewall
+
 - name: Install system service
   template: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
   loop:
     - archive-uploader.service
     - archive-uploader.timer
+    - repos-archive-puller.service
+    - repos-archive-puller.timer
 
-- name: Start uploader timer
-  systemd_service:
-    name: archive-uploader.timer
-    enabled: true
-    state: started
-    daemon_reload: true
+- name: Start archive-uploader and repos-archive-puller timer
+  systemd_service: name={{ item }} enabled=yes state=started daemon_reload=yes
+  loop:
+    - archive-uploader.timer
+    - repos-archive-puller.timer

roles/archive/templates/repos-archive-puller.service

+[Service]
+User={{ archive_user_name }}
+Type=oneshot
+ExecStart=rsync --recursive --times --ignore-existing --omit-dir-times --timeout=60 --contimeout=60 --no-motd --info=name1 rsync://repos.archlinux.org/archive/packages/ {{ archive_dir }}/packages
+ProtectSystem=strict
+ProtectHome=yes
+ReadWritePaths={{ archive_dir }}/packages

roles/archive/templates/repos-archive-puller.timer

+[Timer]
+OnCalendar=hourly
+RandomizedDelaySec=10m
+Persistent=true
+
+[Install]
+WantedBy=timers.target

roles/archive/templates/rsyncd.conf.j2

+use chroot = no
+syslog facility = local5
+
+[archive]
+	path = /srv/archive
+	comment = archive
+	hosts allow = {{ groups['archive_mirrors'] | map('extract', hostvars, ['wireguard_address']) | join(' ') }}

roles/archweb/tasks/main.yml

@@ -165,7 +165,7 @@
     - archweb-mirrorcheck.timer
   notify:
     - Daemon reload
-  when: archweb_services or archweb_mirrorcheck
+  when: (archweb_services or archweb_mirrorcheck) and archweb_mirrorcheck_locations is defined
 
 - name: Install mirrorresolv service and timer
   template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
@@ -270,7 +270,7 @@
 
 - name: Start and enable archweb mirrorcheck timer
   service: name="archweb-mirrorcheck.timer" enabled=yes state=started
-  when: archweb_services or archweb_mirrorcheck
+  when: (archweb_services or archweb_mirrorcheck) and archweb_mirrorcheck_locations is defined
 
 - name: Start and enable archweb mirrorresolv timer
   service: name="archweb-mirrorresolv.timer" enabled=yes state=started

roles/common/templates/mirrorlist.j2

 {% if 'buildservers' in group_names %}
 Server = https://repos.archlinux.org/$repo/os/$arch
 {% endif %}
-{% if 'mirrors' in group_names or inventory_hostname == 'gemini.archlinux.org' %}
+{% if 'mirrors' in group_names or inventory_hostname == 'repos.archlinux.org' %}
 Server = file:///srv/ftp/$repo/os/$arch
 {% endif %}
 Server = https://mirror.pkgbuild.com/$repo/os/$arch

roles/common/templates/pacman.conf.j2

@@ -11,7 +11,7 @@
 # If you wish to use different paths, uncomment and update the paths.
 #RootDir     = /
 #DBPath      = /var/lib/pacman/
-{% if 'mirrors' in group_names or inventory_hostname in ['gemini.archlinux.org', 'build.archlinux.org'] %}
+{% if 'mirrors' in group_names or inventory_hostname in ['repos.archlinux.org', 'build.archlinux.org'] %}
 CacheDir     = /var/cache/pacman/pkg/ /srv/ftp/pool/packages/
 {% else %}
 #CacheDir    = /var/cache/pacman/pkg/

roles/dbscripts/defaults/main.yml

-dbscripts_commit: cde46716a8cde5424297c9ed350d43ad26e8b1f1
+dbscripts_commit: 0ebae15384d0f4acd79445a4beaf1599a7b379f7
 dbscripts_update: true
-dbscripts_pgp_emails: ['jelle@archlinux.org', 'anthraxx@archlinux.org']
+dbscripts_pgp_emails: ['jelle@archlinux.org', 'anthraxx@archlinux.org', 'foxboron@archlinux.org', 'kristian@klausen.dk']
 
 git_state_repo: /srv/repos/state
 git_pkg_cache: /srv/repos/pkg-cache

roles/dbscripts/files/archive-cleanup.service

+[Unit]
+# Fail-safe in case this is accidentally deployed on an archive server
+ConditionPathExists=!/srv/archive/repos
+
+[Service]
+User=archive
+Type=oneshot
+# Delete packages older than 3 days
+# https://unix.stackexchange.com/questions/92346/why-does-find-mtime-1-only-return-files-older-than-2-days
+# We cannot delete the directories as that would cause a race condition with db-archive
+# https://gitlab.archlinux.org/archlinux/dbscripts/-/blob/ea98599ca6e1ce3bacfe4dea0aab02530cad9134/db-archive#L18-L21
+ExecStart=find /srv/archive/packages/ -type f -mtime +2 -delete -print
+ProtectSystem=strict
+ProtectHome=yes
+ReadWritePaths=/srv/archive/packages

roles/dbscripts/files/archive-cleanup.timer

+[Timer]
+OnCalendar=daily
+Persistent=true
+
+[Install]
+WantedBy=timers.target

roles/dbscripts/files/archive-index.service

+[Unit]
+# Fail-safe in case this is accidentally deployed on an archive server
+ConditionPathExists=!/srv/archive/repos
+
+[Service]
+User=archive
+Type=oneshot
+ExecStart=/srv/repos/git-packages/dbscripts/cron-jobs/archive-index
+ProtectSystem=strict
+ProtectHome=yes
+ReadWritePaths=/srv/archive

roles/dbscripts/files/archive-index.timer

+[Timer]
+OnCalendar=hourly
+Persistent=true
+
+[Install]
+WantedBy=timers.target