Merge branch 'apollo_decomission' into 'master'

Apollo decomission

See merge request !252

docs/fail2ban.md

@@ -24,7 +24,7 @@ The sshd jail should be enabled for every host we have, to block brute force ssh
 
 ### postfix
 
-The postfix jail is enabled for Apollo and Orion, to block failed SMTP requests. Adding it to a host:
+The postfix jail not enabled on any server. Adding it to a host:
 
 Add `fail2ban_jails` dict with `postfix: true` to the host's `host_vars`.
 

docs/servers.md

@@ -17,12 +17,10 @@
   - mailman
   - projects (projects.archlinux.org)
 
-## apollo
+## archlinux.org
 
 ### Services
-  - wiki (wiki.archlinux.org)
-  - archweb
-  - patchwork
+  - archweb (Arch's site)
 
 ## aur.archlinux.org
 
@@ -110,6 +108,12 @@ Medium-fast-ish packet.net Arch Linux box.
 ### Services
   - GitLab runner
 
+## mail.archlinux.org
+
+### Services
+  - postfix (mail server)
+  - rspamd
+  - dovecot (imap)
 
 ## monitoring.archlinux.org
 
@@ -127,6 +131,26 @@ Hosts our gnupg open web key directory for fetching Arch Linux keyring keys over
 ### Services
   - WKD
 
+## patchwork.archlinux.org
+
+### Services
+  - patchwork
+
+## redirect.archlinux.org
+
+### Services
+  - Redirects (nginx redirects)
+
+## security.archlinux.org
+
+### Services
+  - security tracker
+
+## wiki.archlinux.org
+
+### Services
+  - archwiki
+
 
 ## Archive Mirrors
 

docs/ssh-hostkeys.txt

@@ -20,17 +20,6 @@
 256 MD5:4b:0b:1c:81:27:81:7a:22:b4:48:88:75:69:a5:b4:4e root@america.mirror.pkgbuild.com (ED25519)
 3072 MD5:a2:41:dc:97:5a:ae:89:7a:4f:69:f7:ec:a0:d4:67:b6 root@america.mirror.pkgbuild.com (RSA)
 
-# apollo.archlinux.org
-1024 SHA256:WArxFzvhf5HknYxil2EQSHHRirM2cyjqbtLvhbQAYC8 root@apollo (DSA)
-256 SHA256:sYJfY17PE0kJ4K8fbkPK/XqRQjY1+g6hmIF7dvTbZoo root@apollo (ECDSA)
-256 SHA256:owwpolkJxPyUmmfJMfFeYIdDXiruwzaEw3bS+q6k97Q root@apollo (ED25519)
-2048 SHA256:JW9dUO95gxGJRTkV/V/1HtmLfLq8uztbWc5KAOg8Blc root@apollo (RSA)
-
-1024 MD5:90:46:7f:8e:1e:79:17:10:1e:32:79:a7:69:c6:4b:a4 root@apollo (DSA)
-256 MD5:4b:52:61:77:f7:f8:4e:75:ca:83:e6:ae:fc:6e:77:67 root@apollo (ECDSA)
-256 MD5:a7:84:8b:95:4f:53:ac:b6:9d:24:79:79:fc:c7:bf:1f root@apollo (ED25519)
-2048 MD5:77:b0:17:18:57:74:38:91:47:31:43:04:47:e9:9e:30 root@apollo (RSA)
-
 # archlinux.org
 1024 SHA256:7jLDIo/l9ngy+KcC2Yh2yCE+gSVix4VmZVaVTMLOiEg root@archlinux-packer (DSA)
 256 SHA256:9nc3jaxyh21w+HVT1Xo0/ujMx7/qWKguqcSiDX7jrA0 root@archlinux-packer (ECDSA)

docs/ssh-known_hosts.txt

@@ -8,11 +8,6 @@ america.mirror.pkgbuild.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYA
 america.mirror.pkgbuild.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMofe+VPkI+MKGWYkonc5IsTwVmf2OcX8atVgnXkjbqL
 america.mirror.pkgbuild.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC+7ePbae+aA+W6JZxhce1qvxnTG6VIEtShFD+/4TlMNFzVxh8DcmD+sw+NCKFshGddKhh3n4TWO68XAxWN4KQzfpgYHgzcoyNR3T1zle2oWfTL29KU3/X4OIvQc3aeqnyAhHvu7vXDnWfZgC1uGu0QecAqJcRxEPkz15OJkZjr/zZt01BUa2y7OUQbSFRckeLoSPQeSNFOQ0hlWCdN0laoHsYPznyievuJJxWMTa9Wkamn+oVx1S95sF1a6PSN8LztCxxXKRTikpau+SCLpPiqd1kV4WXgOPWGoRvQ0PNzOICwmKEeCdw0QfzoNm70FftLvy/bFq7qa1tSvau/SFwRRdnDRlr7dZXLqbXp+si+GD80TL4scUH6LRQJkxL0Z5X/FKOPGutf8BhIovbhoSkiTyY51bDQIXLTCqm1sE2GrEI1CvT5lOvG43C2e8U7bnLw2hQ++GRUct89mI8f/8hHdDllUkUgfsksL7ObMTvkbF6NoCogZjHsTRtwaP0DU/M=
 
-# apollo.archlinux.org
-apollo.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMicA8QKPeY1hp29QcTe25eT7yd+zOx1sj6o0F+XA/POc2TRsiSidJogCaf4e3wpw4T2ccb7ixnvGmy7hCAcngA=
-apollo.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGz+b+or4nKpcXJgDjwt3LdO0EPk9Zw1z1W9L8rcV8UX
-apollo.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHUYq82CCrnZhey7Hclhe79+s7YUZv/So1HWjoSAs8qObpJX4Mn3bwcILOoD1LE6VdkQu+tZwFpl8A1DrmKgpO++SEoFft77jgigzDbwEuSuBbP8eOo1zyDX1q3Sipecf41s6psY3bxcVbINAkm/PDFxpM8tEU+8TqpCupa5fNLimiwBk7fyncxbah+ACaLlm+f02Ku9pBcPfFzlsEoZBrncAyhx3bm4qXH/uYVOtBjzi6KrZYyEbXX+0LxRhxuELkhYqbNpyFIDfPKYgXc1pRHgAkS2CxZO2p1Uy1zJFC8edM3ma+I0Wn9+alGMHC6jCOm2iFT9THLS2NPJq67Yan
-
 # archlinux.org
 archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB0PUXX25/7fRKiayZos7f1LIG925vOQlnuTE7HuSKiVhiYHi3XB9JyILKaekOb73hNJOUdE8kBEzhXESbrn1mM=
 archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBeUGb+Q4QLN8yg1pohasTnfhwO7rNmW7Ih/PTrnmY0V

host_vars/apollo.archlinux.org

----
-hostname: "apollo"
-
-ipv4_address: "138.201.81.199"
-ipv4_netmask: "/32"
-ipv6_address: "2a01:4f8:172:1d86::1"
-ipv6_netmask: "/128"
-ipv4_gateway: "138.201.81.193"
-ipv6_gateway: "fe80::1"
-filesystem: btrfs
-system_disks:
-  - /dev/sda
-  - /dev/sdb
-
-kanboard_version: "v1.2.14"
-
-fail2ban_jails:
-  sshd: true
-  postfix: true
-  dovecot: false

hosts

 [hetzner]
-apollo.archlinux.org
 luna.archlinux.org
 dragon.archlinux.org
 secure-runner1.archlinux.org
@@ -25,7 +24,6 @@ europe.mirror.pkgbuild.com
 
 [borg_clients]
 archlinux.org
-apollo.archlinux.org
 aur-dev.archlinux.org
 luna.archlinux.org
 state.archlinux.org
@@ -54,7 +52,6 @@ u236610.your-storagebox.de
 homedir.archlinux.org
 
 [mysql_servers]
-apollo.archlinux.org
 luna.archlinux.org
 bbs.archlinux.org
 bugs.archlinux.org
@@ -64,7 +61,6 @@ wiki.archlinux.org
 
 [postgresql_servers]
 archlinux.org
-apollo.archlinux.org
 state.archlinux.org
 quassel.archlinux.org
 accounts.archlinux.org
@@ -72,7 +68,6 @@ patchwork.archlinux.org
 
 [nginx]
 archlinux.org
-apollo.archlinux.org
 luna.archlinux.org
 bbs.archlinux.org
 bugs.archlinux.org

playbooks/apollo.yml

----
-
-- name: "prepare postgres ssl hosts list"
-  hosts: apollo.archlinux.org
-  tasks:
-      - name: assign ipv4 addresses to fact postgres_ssl_hosts4
-        set_fact: postgres_ssl_hosts4="{{ [gemini4] + detected_ips }}"
-        vars:
-            gemini4: "{{ hostvars['gemini.archlinux.org']['ipv4_address'] }}/32"
-            detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv4_address']) | select() | map('regex_replace', '^(.+)$', '\\1/32') | list }}"
-        tags: ["postgres", "firewall"]
-      - name: assign ipv6 addresses to fact postgres_ssl_hosts6
-        set_fact: postgres_ssl_hosts6="{{ [gemini6] + detected_ips }}"
-        vars:
-            gemini6: "{{ hostvars['gemini.archlinux.org']['ipv6_address'] }}/128"
-            detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv6_address']) | select() | map('regex_replace', '^(.+)$', '\\1/128') | list }}"
-        tags: ["postgres", "firewall"]
-
-- name: setup apollo
-  hosts: apollo.archlinux.org
-  remote_user: root
-  roles:
-    - { role: common }
-    - { role: tools }
-    - { role: sshd }
-    - { role: root_ssh }
-    - { role: borg_client, tags: ["borg"] }
-    - { role: certbot }
-    - { role: nginx }
-    - { role: rspamd, tags: ["mail"] }
-    - { role: unbound, tags: ["mail"] }
-    - { role: postfix, postfix_relayhost: "mail.archlinux.org", postfix_smtpd_public: true, postfix_patchwork_enabled: true, tags: ["mail"] }
-    - { role: postfwd, tags: ['mail'] }
-    - role: postgres
-      postgres_listen_addresses: "*"
-      postgres_max_connections: 1000
-      postgres_ssl: 'on'
-      postgres_shared_buffers: 4096MB
-    - { role: mariadb, mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: True }
-    - { role: sudo }
-    - { role: uwsgi }
-    - { role: php_fpm, php_extensions: ['bcmath', 'curl', 'gd', 'iconv', 'intl', 'mysqli', 'pdo_pgsql', 'pgsql', 'sockets', 'zip'], zend_extensions: ['opcache'] }
-    - { role: memcached }
-    - { role: archweb, archweb_planet: true }
-    - role: security_tracker
-      security_tracker_domain: "security.archlinux.org"
-      security_tracker_nginx_conf: '/etc/nginx/nginx.d/security-tracker.conf'
-      security_tracker_dir: "/srv/http/security-tracker"
-    - { role: mailman, mailman_domain: "lists.archlinux.org" }
-    - { role: patchwork }
-    - { role: grafana }
-    - { role: archwiki }
-    - { role: conf_archlinux }
-    - { role: fail2ban }
-    - { role: prometheus_exporters }

roles/postfix/tasks/main.yml

@@ -108,21 +108,8 @@
     - smtp
     - smtp-submission
     - smtps
-  when: postfix_smtpd_public and configure_firewall and inventory_hostname != "apollo.archlinux.org"
+  when: postfix_smtpd_public and configure_firewall
   tags:
     - firewall
 
 
-- name: open ipv4 firewall holes on apollo
-  ansible.posix.firewalld: permanent=true state=enabled immediate=yes
-    rich_rule="rule family=ipv4 source address={{ hostvars['mail.archlinux.org']['ipv4_address'] }} port protocol=tcp port=25 accept"
-  when: postfix_smtpd_public and configure_firewall and inventory_hostname == "apollo.archlinux.org"
-  tags:
-    - firewall
-
-- name: open ipv6 firewall holes on apollo
-  ansible.posix.firewalld: permanent=true state=enabled immediate=yes
-    rich_rule="rule family=ipv6 source address={{ hostvars['mail.archlinux.org']['ipv6_address'] }} port protocol=tcp port=25 accept"
-  when: postfix_smtpd_public and configure_firewall and inventory_hostname == "apollo.archlinux.org"
-  tags:
-    - firewall

tf-stage1/archlinux.tf

@@ -160,16 +160,12 @@ locals {
   #   - ttl (optional)
   #
   # Example:
-  # apollo = {
-  #   ipv4_address = "138.201.81.199"
-  #   ipv6_address = "2a01:4f8:172:1d86::1"
+  # gemini = {
+  #   ipv4_address = "49.12.124.107"
+  #   ipv6_address = "2a01:4f8:242:5614::2"
   #   ttl          = 600
   # }
   archlinux_org_a_aaaa = {
-    apollo = {
-      ipv4_address = "138.201.81.199"
-      ipv6_address = "2a01:4f8:172:1d86::1"
-    }
     aur4 = {
       ipv4_address = "5.9.250.164"
       ipv6_address = "2a01:4f8:160:3033::2"
@@ -232,7 +228,6 @@ locals {
     dev                      = { value = "www" }
     g2kjxsblac7x             = { value = "gv-i5y6mnrelvpfiu.dv.googlehosted.com." }
     git                      = { value = "luna" }
-    grafana                  = { value = "apollo" }
     ipxe                     = { value = "www" }
     "luna2._domainkey.aur"   = { value = "luna2._domainkey" }
     "luna2._domainkey.lists" = { value = "luna2._domainkey" }
@@ -244,7 +239,6 @@ locals {
     rsync                    = { value = "gemini" }
     sources                  = { value = "gemini" }
     "static.conf"            = { value = "redirect" }
-    static                   = { value = "apollo" }
     status                   = { value = "stats.uptimerobot.com." }
     svn                      = { value = "gemini" }
   }
@@ -405,14 +399,6 @@ resource "hetznerdns_record" "archlinux_org_origin_ns1" {
 #   type = "SOA"
 # }
 
-resource "hetznerdns_record" "archlinux_org_origin_apollo_domainkey_txt" {
-  zone_id = hetznerdns_zone.archlinux.id
-  name    = "apollo._domainkey"
-  ttl     = 600
-  value   = "\"v=DKIM1; k=rsa; s=email; \" \"p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvZIf8SbjC53RDCbMjTEpo0FCuMSShlKWdwWjY1J+RpT3CL/21z4nXqVBYF1orkUScH8Nlabocraqk8lmpNBlKCUV77lk9mRsLkWhg+XjhvQXL1xfH8zAg1CntEZuaIMLUQ+5Gkw6BlO1qDRkmXS9UtV8Jt1rhjRtSrgN5lhztOCbQLRAtzKty/nMeClqsfT3nL2hbDeh+b/rYc\" \"l2veZAqiGcR2/0bnKlt+Nb5lOBY3oZiYLmZ5g+l9UXVjGUq9jGAooIWpQvuRPmin3RX31kXfr1A+mDBEexiOL1dDST2Zx7i9puXbqYH0u0IxBpweHCO5UqWx52mdXBuhs+DCo/JoZAHU/6eRzK+Sps50LgLFSzJJNfGXk5PUKdww2GHbkK3mCYfoFCpB0SADzl42+1w6YZk1yXoPdOHtChfQpCgjtddf1W8Q09pYO1/bn4l0erdFQsWb1K\" \"4wEVOCn+hHWbV42V+J3TyGxQ4AM8KQ1OPvUEabyTyqcO4evBaH7/S2wA91Z9QDjTbKmlNovs5zoxuOM/mPGPUuQMvhjoAP+rg4AwJ3Xwd3GgUcqQflcokayUYdp7F3aKp1NWAR9ibseU/XBYsSF8Ucjqzf4DJFUfrgjHUr97st7g4HUCyXrQO4tyE0ytiX8OFjjIszWLmF+B7Vup9O7k+dNz2Vj2Vyzkq1UCAwEAAQ==\" "
-  type    = "TXT"
-}
-
 resource "hetznerdns_record" "archlinux_org_lists_mx" {
   zone_id = hetznerdns_zone.archlinux.id
   name    = "lists"