Commit f6c3af0e authored by Frederik Schwan's avatar Frederik Schwan

Merge branch 'apollo_decomission' into 'master'

Apollo decommission

See merge request !252
parents 5d9d0843 3ac0a774
......@@ -24,7 +24,7 @@ The sshd jail should be enabled for every host we have, to block brute force ssh
### postfix
The postfix jail is enabled for Apollo and Orion, to block failed SMTP requests. Adding it to a host:
The postfix jail not enabled on any server. Adding it to a host:
Add `fail2ban_jails` dict with `postfix: true` to the host's `host_vars`.
......@@ -17,12 +17,10 @@
- mailman
- projects (projects.archlinux.org)
## apollo
## archlinux.org
### Services
- wiki (wiki.archlinux.org)
- archweb
- patchwork
- archweb (Arch's site)
## aur.archlinux.org
......@@ -110,6 +108,12 @@ Medium-fast-ish packet.net Arch Linux box.
### Services
- GitLab runner
## mail.archlinux.org
### Services
- postfix (mail server)
- rspamd
- dovecot (imap)
## monitoring.archlinux.org
......@@ -127,6 +131,26 @@ Hosts our gnupg open web key directory for fetching Arch Linux keyring keys over
### Services
- WKD
## patchwork.archlinux.org
### Services
- patchwork
## redirect.archlinux.org
### Services
- Redirects (nginx redirects)
## security.archlinux.org
### Services
- security tracker
## wiki.archlinux.org
### Services
- archwiki
## Archive Mirrors
......@@ -20,17 +20,6 @@
256 MD5:4b:0b:1c:81:27:81:7a:22:b4:48:88:75:69:a5:b4:4e root@america.mirror.pkgbuild.com (ED25519)
3072 MD5:a2:41:dc:97:5a:ae:89:7a:4f:69:f7:ec:a0:d4:67:b6 root@america.mirror.pkgbuild.com (RSA)
# apollo.archlinux.org
1024 SHA256:WArxFzvhf5HknYxil2EQSHHRirM2cyjqbtLvhbQAYC8 root@apollo (DSA)
256 SHA256:sYJfY17PE0kJ4K8fbkPK/XqRQjY1+g6hmIF7dvTbZoo root@apollo (ECDSA)
256 SHA256:owwpolkJxPyUmmfJMfFeYIdDXiruwzaEw3bS+q6k97Q root@apollo (ED25519)
2048 SHA256:JW9dUO95gxGJRTkV/V/1HtmLfLq8uztbWc5KAOg8Blc root@apollo (RSA)
1024 MD5:90:46:7f:8e:1e:79:17:10:1e:32:79:a7:69:c6:4b:a4 root@apollo (DSA)
256 MD5:4b:52:61:77:f7:f8:4e:75:ca:83:e6:ae:fc:6e:77:67 root@apollo (ECDSA)
256 MD5:a7:84:8b:95:4f:53:ac:b6:9d:24:79:79:fc:c7:bf:1f root@apollo (ED25519)
2048 MD5:77:b0:17:18:57:74:38:91:47:31:43:04:47:e9:9e:30 root@apollo (RSA)
# archlinux.org
1024 SHA256:7jLDIo/l9ngy+KcC2Yh2yCE+gSVix4VmZVaVTMLOiEg root@archlinux-packer (DSA)
256 SHA256:9nc3jaxyh21w+HVT1Xo0/ujMx7/qWKguqcSiDX7jrA0 root@archlinux-packer (ECDSA)
......@@ -8,11 +8,6 @@ america.mirror.pkgbuild.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYA
america.mirror.pkgbuild.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMofe+VPkI+MKGWYkonc5IsTwVmf2OcX8atVgnXkjbqL
america.mirror.pkgbuild.com ssh-rsa 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
# apollo.archlinux.org
apollo.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMicA8QKPeY1hp29QcTe25eT7yd+zOx1sj6o0F+XA/POc2TRsiSidJogCaf4e3wpw4T2ccb7ixnvGmy7hCAcngA=
apollo.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGz+b+or4nKpcXJgDjwt3LdO0EPk9Zw1z1W9L8rcV8UX
apollo.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHUYq82CCrnZhey7Hclhe79+s7YUZv/So1HWjoSAs8qObpJX4Mn3bwcILOoD1LE6VdkQu+tZwFpl8A1DrmKgpO++SEoFft77jgigzDbwEuSuBbP8eOo1zyDX1q3Sipecf41s6psY3bxcVbINAkm/PDFxpM8tEU+8TqpCupa5fNLimiwBk7fyncxbah+ACaLlm+f02Ku9pBcPfFzlsEoZBrncAyhx3bm4qXH/uYVOtBjzi6KrZYyEbXX+0LxRhxuELkhYqbNpyFIDfPKYgXc1pRHgAkS2CxZO2p1Uy1zJFC8edM3ma+I0Wn9+alGMHC6jCOm2iFT9THLS2NPJq67Yan
# archlinux.org
archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB0PUXX25/7fRKiayZos7f1LIG925vOQlnuTE7HuSKiVhiYHi3XB9JyILKaekOb73hNJOUdE8kBEzhXESbrn1mM=
archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBeUGb+Q4QLN8yg1pohasTnfhwO7rNmW7Ih/PTrnmY0V
---
hostname: "apollo"
ipv4_address: "138.201.81.199"
ipv4_netmask: "/32"
ipv6_address: "2a01:4f8:172:1d86::1"
ipv6_netmask: "/128"
ipv4_gateway: "138.201.81.193"
ipv6_gateway: "fe80::1"
filesystem: btrfs
system_disks:
- /dev/sda
- /dev/sdb
kanboard_version: "v1.2.14"
fail2ban_jails:
sshd: true
postfix: true
dovecot: false
[hetzner]
apollo.archlinux.org
luna.archlinux.org
dragon.archlinux.org
secure-runner1.archlinux.org
......@@ -25,7 +24,6 @@ europe.mirror.pkgbuild.com
[borg_clients]
archlinux.org
apollo.archlinux.org
aur-dev.archlinux.org
luna.archlinux.org
state.archlinux.org
......@@ -54,7 +52,6 @@ u236610.your-storagebox.de
homedir.archlinux.org
[mysql_servers]
apollo.archlinux.org
luna.archlinux.org
bbs.archlinux.org
bugs.archlinux.org
......@@ -64,7 +61,6 @@ wiki.archlinux.org
[postgresql_servers]
archlinux.org
apollo.archlinux.org
state.archlinux.org
quassel.archlinux.org
accounts.archlinux.org
......@@ -72,7 +68,6 @@ patchwork.archlinux.org
[nginx]
archlinux.org
apollo.archlinux.org
luna.archlinux.org
bbs.archlinux.org
bugs.archlinux.org
---
- name: "prepare postgres ssl hosts list"
hosts: apollo.archlinux.org
tasks:
- name: assign ipv4 addresses to fact postgres_ssl_hosts4
set_fact: postgres_ssl_hosts4="{{ [gemini4] + detected_ips }}"
vars:
gemini4: "{{ hostvars['gemini.archlinux.org']['ipv4_address'] }}/32"
detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv4_address']) | select() | map('regex_replace', '^(.+)$', '\\1/32') | list }}"
tags: ["postgres", "firewall"]
- name: assign ipv6 addresses to fact postgres_ssl_hosts6
set_fact: postgres_ssl_hosts6="{{ [gemini6] + detected_ips }}"
vars:
gemini6: "{{ hostvars['gemini.archlinux.org']['ipv6_address'] }}/128"
detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv6_address']) | select() | map('regex_replace', '^(.+)$', '\\1/128') | list }}"
tags: ["postgres", "firewall"]
- name: setup apollo
hosts: apollo.archlinux.org
remote_user: root
roles:
- { role: common }
- { role: tools }
- { role: sshd }
- { role: root_ssh }
- { role: borg_client, tags: ["borg"] }
- { role: certbot }
- { role: nginx }
- { role: rspamd, tags: ["mail"] }
- { role: unbound, tags: ["mail"] }
- { role: postfix, postfix_relayhost: "mail.archlinux.org", postfix_smtpd_public: true, postfix_patchwork_enabled: true, tags: ["mail"] }
- { role: postfwd, tags: ['mail'] }
- role: postgres
postgres_listen_addresses: "*"
postgres_max_connections: 1000
postgres_ssl: 'on'
postgres_shared_buffers: 4096MB
- { role: mariadb, mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: True }
- { role: sudo }
- { role: uwsgi }
- { role: php_fpm, php_extensions: ['bcmath', 'curl', 'gd', 'iconv', 'intl', 'mysqli', 'pdo_pgsql', 'pgsql', 'sockets', 'zip'], zend_extensions: ['opcache'] }
- { role: memcached }
- { role: archweb, archweb_planet: true }
- role: security_tracker
security_tracker_domain: "security.archlinux.org"
security_tracker_nginx_conf: '/etc/nginx/nginx.d/security-tracker.conf'
security_tracker_dir: "/srv/http/security-tracker"
- { role: mailman, mailman_domain: "lists.archlinux.org" }
- { role: patchwork }
- { role: grafana }
- { role: archwiki }
- { role: conf_archlinux }
- { role: fail2ban }
- { role: prometheus_exporters }
......@@ -108,21 +108,8 @@
- smtp
- smtp-submission
- smtps
when: postfix_smtpd_public and configure_firewall and inventory_hostname != "apollo.archlinux.org"
when: postfix_smtpd_public and configure_firewall
tags:
- firewall
- name: open ipv4 firewall holes on apollo
ansible.posix.firewalld: permanent=true state=enabled immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['mail.archlinux.org']['ipv4_address'] }} port protocol=tcp port=25 accept"
when: postfix_smtpd_public and configure_firewall and inventory_hostname == "apollo.archlinux.org"
tags:
- firewall
- name: open ipv6 firewall holes on apollo
ansible.posix.firewalld: permanent=true state=enabled immediate=yes
rich_rule="rule family=ipv6 source address={{ hostvars['mail.archlinux.org']['ipv6_address'] }} port protocol=tcp port=25 accept"
when: postfix_smtpd_public and configure_firewall and inventory_hostname == "apollo.archlinux.org"
tags:
- firewall
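Review bot: With the apollo-specific rich rules removed, the new `when: postfix_smtpd_public and configure_firewall` makes `postfix_smtpd_public` the only thing deciding whether smtp, smtp-submission and smtps are opened to every source, and nothing in the hunk documents that or keeps a way to restrict the listener to a known relay the way the dropped mail.archlinux.org rule did. Any remaining host that sets `postfix_smtpd_public: true` (the docs hunk lists mail.archlinux.org as the postfix host, but its vars are not visible here) now gets all three services world-reachable. That is the right shape for an internet-facing MX, but a short comment above the task would stop a future relay-only host from copying the flag: `# postfix_smtpd_public opens smtp/submission/smtps to all sources; relay-only hosts must leave it false`. The task this `when:` belongs to starts above the hunk.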
......@@ -160,16 +160,12 @@ locals {
# - ttl (optional)
#
# Example:
# apollo = {
# ipv4_address = "138.201.81.199"
# ipv6_address = "2a01:4f8:172:1d86::1"
# gemini = {
# ipv4_address = "49.12.124.107"
# ipv6_address = "2a01:4f8:242:5614::2"
# ttl = 600
# }
archlinux_org_a_aaaa = {
apollo = {
ipv4_address = "138.201.81.199"
ipv6_address = "2a01:4f8:172:1d86::1"
}
aur4 = {
ipv4_address = "5.9.250.164"
ipv6_address = "2a01:4f8:160:3033::2"
......@@ -232,7 +228,6 @@ locals {
dev = { value = "www" }
g2kjxsblac7x = { value = "gv-i5y6mnrelvpfiu.dv.googlehosted.com." }
git = { value = "luna" }
grafana = { value = "apollo" }
ipxe = { value = "www" }
"luna2._domainkey.aur" = { value = "luna2._domainkey" }
"luna2._domainkey.lists" = { value = "luna2._domainkey" }
......@@ -244,7 +239,6 @@ locals {
rsync = { value = "gemini" }
sources = { value = "gemini" }
"static.conf" = { value = "redirect" }
static = { value = "apollo" }
status = { value = "stats.uptimerobot.com." }
svn = { value = "gemini" }
}
......@@ -405,14 +399,6 @@ resource "hetznerdns_record" "archlinux_org_origin_ns1" {
# type = "SOA"
# }
resource "hetznerdns_record" "archlinux_org_origin_apollo_domainkey_txt" {
zone_id = hetznerdns_zone.archlinux.id
name = "apollo._domainkey"
ttl = 600
value = "\"v=DKIM1; k=rsa; s=email; \" \"p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvZIf8SbjC53RDCbMjTEpo0FCuMSShlKWdwWjY1J+RpT3CL/21z4nXqVBYF1orkUScH8Nlabocraqk8lmpNBlKCUV77lk9mRsLkWhg+XjhvQXL1xfH8zAg1CntEZuaIMLUQ+5Gkw6BlO1qDRkmXS9UtV8Jt1rhjRtSrgN5lhztOCbQLRAtzKty/nMeClqsfT3nL2hbDeh+b/rYc\" \"l2veZAqiGcR2/0bnKlt+Nb5lOBY3oZiYLmZ5g+l9UXVjGUq9jGAooIWpQvuRPmin3RX31kXfr1A+mDBEexiOL1dDST2Zx7i9puXbqYH0u0IxBpweHCO5UqWx52mdXBuhs+DCo/JoZAHU/6eRzK+Sps50LgLFSzJJNfGXk5PUKdww2GHbkK3mCYfoFCpB0SADzl42+1w6YZk1yXoPdOHtChfQpCgjtddf1W8Q09pYO1/bn4l0erdFQsWb1K\" \"4wEVOCn+hHWbV42V+J3TyGxQ4AM8KQ1OPvUEabyTyqcO4evBaH7/S2wA91Z9QDjTbKmlNovs5zoxuOM/mPGPUuQMvhjoAP+rg4AwJ3Xwd3GgUcqQflcokayUYdp7F3aKp1NWAR9ibseU/XBYsSF8Ucjqzf4DJFUfrgjHUr97st7g4HUCyXrQO4tyE0ytiX8OFjjIszWLmF+B7Vup9O7k+dNz2Vj2Vyzkq1UCAwEAAQ==\" "
type = "TXT"
}
resource "hetznerdns_record" "archlinux_org_lists_mx" {
zone_id = hetznerdns_zone.archlinux.id
name = "lists"
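Review bot: Deleting the `apollo._domainkey` TXT record in the last hunk makes any mail still carrying apollo's DKIM signature fail verification as soon as the zone is applied, because verifiers fetch the selector at receipt time, not at signing time. If apollo had already stopped sending before this merge that is harmless, but if queued or bounced mail is still in transit the usual practice is to keep the retired selector published for a grace period (or publish it with an empty `p=`, which RFC 6376 defines as a revoked key) and delete it afterwards. A brief comment on the record, such as `# retired selector for decommissioned apollo; remove after <date>`, would make that intent explicit. I cannot tell from the diff when apollo stopped signing mail, so treat this as a timing check rather than a defect.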