Enable HTTP/3 for the mirrors

pacman/curl does not utilize HTTP/3, but it makes sense to enable regardless to ensure consistency. We self-host the authoritative nameservers for the geo domains, so the configuration has been tweaked to add the HTTPS DNS record for each geo domain. Ref #606

Enable HTTP/3 for the mirrors
f5475cae · Kristian Klausen · 4cd41490 · f5475cae · f5475cae · f5475cae
Verified Commit f5475cae authored 5 months ago by Kristian Klausen
--- a/group_vars/mirrors/misc.yml
+++ b/group_vars/mirrors/misc.yml
@@ -3,3 +3,5 @@ archweb_db_host: "{{ hostvars['archlinux.org']['wireguard_address'] }}"
 # raise tcp window limits to 32MiB
 tcp_rmem: "10240 87380 33554432"
 tcp_wmem: "10240 87380 33554432"
+nginx_enable_http3: true
--- a/roles/geo_dns/templates/geo.yml.j2
+++ b/roles/geo_dns/templates/geo.yml.j2
@@ -24,6 +24,17 @@ domains:
              AAAA "ifurlup('https://{{ domain }}{{ geo_options[domain]['health_check_path'] | default('/') }}',
              {'{{ hosts | map('extract', hostvars, ['ipv6_address']) | join("', '") }}'},
              {selector='pickclosest', useragent='pdns on {{ inventory_hostname }}'})"
+        - lua:
+            ttl: 300
+            content: >
+              HTTPS "'1 . alpn=h2,h3 ipv4hint=' ..
+              ifurlup('https://{{ domain }}{{ geo_options[domain]['health_check_path'] | default('/') }}',
+              {'{{ hosts | map('extract', hostvars, ['ipv4_address']) | join("', '") }}'},
+              {selector='pickclosest', useragent='pdns on {{ inventory_hostname }}'})[1] ..
+              ' ipv6hint=' ..
+              ifurlup('https://{{ domain }}{{ geo_options[domain]['health_check_path'] | default('/') }}',
+              {'{{ hosts | map('extract', hostvars, ['ipv6_address']) | join("', '") }}'},
+              {selector='pickclosest', useragent='pdns on {{ inventory_hostname }}'})[1]"
      _acme-challenge.{{ domain }}:
        - ns: {{ geo_acme_dns_challenge_ns }}
  {% endfor %}
--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
@@ -119,6 +119,7 @@ locals {
      server_type = "cx22"
      domain      = "mirror"
      zone        = hetznerdns_zone.pkgbuild.id
+      http3       = true
    }
    "monitoring.archlinux.org" = {
      server_type = "cx32"
@@ -281,6 +282,7 @@ locals {
    rsync = {
      ipv4_address = "168.119.141.106"
      ipv6_address = "2a01:4f8:251:598::"
+      http3        = true
    }
    runner1 = {
      ipv4_address = "138.199.19.15"
@@ -355,38 +357,47 @@ locals {
    "america.mirror" = {
      ipv4_address = "143.244.34.62"
      ipv6_address = "2a02:6ea0:cc0e::2"
+      http3        = true
    }
    "america.archive" = {
      ipv4_address = "143.244.34.62"
      ipv6_address = "2a02:6ea0:cc0e::2"
+      http3        = true
    }
    "asia.mirror" = {
      ipv4_address = "84.17.57.98"
      ipv6_address = "2a02:6ea0:d605::2"
+      http3        = true
    }
    "asia.archive" = {
      ipv4_address = "84.17.57.98"
      ipv6_address = "2a02:6ea0:d605::2"
+      http3        = true
    }
    "europe.mirror" = {
      ipv4_address = "89.187.191.12"
      ipv6_address = "2a02:6ea0:c237::2"
+      http3        = true
    }
    "europe.archive" = {
      ipv4_address = "89.187.191.12"
      ipv6_address = "2a02:6ea0:c237::2"
+      http3        = true
    }
    "london.mirror" = {
      ipv4_address = "185.73.44.89"
      ipv6_address = "2001:ba8:0:4030::2"
+      http3        = true
    }
    "seoul.mirror" = {
      ipv4_address = "145.40.87.75"
      ipv6_address = "2604:1380:11:2600::1"
+      http3        = true
    }
    "sydney.mirror" = {
      ipv4_address = "147.75.48.159"
      ipv6_address = "2604:1380:40f1:6a00::1"
+      http3        = true
    }
    repro2 = {
      ipv4_address = "212.102.38.209"