Arch Linux / infrastructure
Commit f6c3af0e, authored Dec 29, 2020 by Frederik Schwan
Merge branch 'apollo_decomission' into 'master'
Apollo decommission
See merge request !252
Parents: 5d9d0843, 3ac0a774
Pipeline #4248 passed with stage in 32 seconds
Changes: 9 files; Pipelines: 1
docs/fail2ban.md
View file @
f6c3af0e
...
...
@@ -24,7 +24,7 @@ The sshd jail should be enabled for every host we have, to block brute force ssh
### postfix
The postfix jail
is
enabled
for Apollo and Orion, to block failed SMTP requests
. Adding it to a host:
The postfix jail
not
enabled
on any server
. Adding it to a host:
Add
`fail2ban_jails`
dict with
`postfix: true`
to the host's
`host_vars`
.
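Review bot: the new sentence reads "The postfix jail not enabled on any server", which lost its verb; make it "The postfix jail is not enabled on any server." The claim itself is also worth checking against docs/servers.md in this same commit, which documents mail.archlinux.org as running postfix, so either that host should get the jail via `fail2ban_jails` in its host_vars or this line should say why it does not.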
...
...
docs/servers.md
View file @
f6c3af0e
...
...
@@ -17,12 +17,10 @@
-
mailman
-
projects (projects.archlinux.org)
## a
pollo
## a
rchlinux.org
### Services
-
wiki (wiki.archlinux.org)
-
archweb
-
patchwork
-
archweb (Arch's site)
## aur.archlinux.org
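Review bot: the renamed `## archlinux.org` section lists only archweb. The later hunk re-homes patchwork, the security tracker and the wiki under their own hosts, but grafana, which the deleted playbooks/apollo.yml ran on this box and whose CNAME to apollo is dropped in tf-stage1 below, gets no new section; document where it now lives or state that it is retired.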
...
...
@@ -110,6 +108,12 @@ Medium-fast-ish packet.net Arch Linux box.
### Services
-
GitLab runner
## mail.archlinux.org
### Services
-
postfix (mail server)
-
rspamd
-
dovecot (imap)
## monitoring.archlinux.org
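Review bot: this section documents the one host that now accepts public SMTP and IMAP logins (postfix, dovecot), so it is the natural place to record which fail2ban jails protect it. The deleted apollo host_vars show the `fail2ban_jails` dict with `sshd`, `postfix` and `dovecot` keys, and none of the docs touched in this commit say which of these mail.archlinux.org has enabled.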
...
...
@@ -127,6 +131,26 @@ Hosts our gnupg open web key directory for fetching Arch Linux keyring keys over
### Services
-
WKD
## patchwork.archlinux.org
### Services
-
patchwork
## redirect.archlinux.org
### Services
-
Redirects (nginx redirects)
## security.archlinux.org
### Services
-
security tracker
## wiki.archlinux.org
### Services
-
archwiki
## Archive Mirrors
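Review bot: these four new sections imply patchwork, redirect, the security tracker and the wiki have moved off apollo. The tf-stage1 hunks below only drop the apollo A/AAAA record and the grafana and static CNAMEs, and no record for these four names appears in the visible diff, so confirm their DNS already points at the new hosts; otherwise they break the moment apollo's address is removed.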
...
...
docs/ssh-hostkeys.txt
View file @
f6c3af0e
...
...
@@ -20,17 +20,6 @@
256 MD5:4b:0b:1c:81:27:81:7a:22:b4:48:88:75:69:a5:b4:4e root@america.mirror.pkgbuild.com (ED25519)
3072 MD5:a2:41:dc:97:5a:ae:89:7a:4f:69:f7:ec:a0:d4:67:b6 root@america.mirror.pkgbuild.com (RSA)
# apollo.archlinux.org
1024 SHA256:WArxFzvhf5HknYxil2EQSHHRirM2cyjqbtLvhbQAYC8 root@apollo (DSA)
256 SHA256:sYJfY17PE0kJ4K8fbkPK/XqRQjY1+g6hmIF7dvTbZoo root@apollo (ECDSA)
256 SHA256:owwpolkJxPyUmmfJMfFeYIdDXiruwzaEw3bS+q6k97Q root@apollo (ED25519)
2048 SHA256:JW9dUO95gxGJRTkV/V/1HtmLfLq8uztbWc5KAOg8Blc root@apollo (RSA)
1024 MD5:90:46:7f:8e:1e:79:17:10:1e:32:79:a7:69:c6:4b:a4 root@apollo (DSA)
256 MD5:4b:52:61:77:f7:f8:4e:75:ca:83:e6:ae:fc:6e:77:67 root@apollo (ECDSA)
256 MD5:a7:84:8b:95:4f:53:ac:b6:9d:24:79:79:fc:c7:bf:1f root@apollo (ED25519)
2048 MD5:77:b0:17:18:57:74:38:91:47:31:43:04:47:e9:9e:30 root@apollo (RSA)
# archlinux.org
1024 SHA256:7jLDIo/l9ngy+KcC2Yh2yCE+gSVix4VmZVaVTMLOiEg root@archlinux-packer (DSA)
256 SHA256:9nc3jaxyh21w+HVT1Xo0/ujMx7/qWKguqcSiDX7jrA0 root@archlinux-packer (ECDSA)
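Review bot: the apollo fingerprint block is removed cleanly (header plus all eight lines). Unrelated to this change but visible in the context: archlinux.org still publishes a 1024-bit DSA host key (root@archlinux-packer). OpenSSH has disabled ssh-dss by default since 7.0, so that entry is dead weight and could be dropped in a follow-up.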
...
...
docs/ssh-known_hosts.txt
View file @
f6c3af0e
...
...
@@ -8,11 +8,6 @@ america.mirror.pkgbuild.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYA
america.mirror.pkgbuild.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMofe+VPkI+MKGWYkonc5IsTwVmf2OcX8atVgnXkjbqL
america.mirror.pkgbuild.com ssh-rsa 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
# apollo.archlinux.org
apollo.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMicA8QKPeY1hp29QcTe25eT7yd+zOx1sj6o0F+XA/POc2TRsiSidJogCaf4e3wpw4T2ccb7ixnvGmy7hCAcngA=
apollo.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGz+b+or4nKpcXJgDjwt3LdO0EPk9Zw1z1W9L8rcV8UX
apollo.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHUYq82CCrnZhey7Hclhe79+s7YUZv/So1HWjoSAs8qObpJX4Mn3bwcILOoD1LE6VdkQu+tZwFpl8A1DrmKgpO++SEoFft77jgigzDbwEuSuBbP8eOo1zyDX1q3Sipecf41s6psY3bxcVbINAkm/PDFxpM8tEU+8TqpCupa5fNLimiwBk7fyncxbah+ACaLlm+f02Ku9pBcPfFzlsEoZBrncAyhx3bm4qXH/uYVOtBjzi6KrZYyEbXX+0LxRhxuELkhYqbNpyFIDfPKYgXc1pRHgAkS2CxZO2p1Uy1zJFC8edM3ma+I0Wn9+alGMHC6jCOm2iFT9THLS2NPJq67Yan
# archlinux.org
archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB0PUXX25/7fRKiayZos7f1LIG925vOQlnuTE7HuSKiVhiYHi3XB9JyILKaekOb73hNJOUdE8kBEzhXESbrn1mM=
archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBeUGb+Q4QLN8yg1pohasTnfhwO7rNmW7Ih/PTrnmY0V
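Review bot: consistent with the docs/ssh-hostkeys.txt change. Anyone who copied this file into their own ~/.ssh/known_hosts keeps the stale apollo keys; a short note in the docs suggesting `ssh-keygen -R apollo.archlinux.org` avoids a later "host key changed" warning being waved through out of habit should the name ever be reused.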
...
...
host_vars/apollo.archlinux.org
deleted
100644 → 0
View file @
5d9d0843
---
hostname: "apollo"
ipv4_address: "138.201.81.199"
ipv4_netmask: "/32"
ipv6_address: "2a01:4f8:172:1d86::1"
ipv6_netmask: "/128"
ipv4_gateway: "138.201.81.193"
ipv6_gateway: "fe80::1"
filesystem: btrfs
system_disks:
- /dev/sda
- /dev/sdb
kanboard_version: "v1.2.14"
fail2ban_jails:
sshd: true
postfix: true
dovecot: false
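Review bot: deleting the host_vars is the right cleanup, but it records state the repo no longer tracks: two system disks (/dev/sda, /dev/sdb, btrfs) that held the mail spool, the mariadb and postgres data and the TLS private keys deployed by the roles in playbooks/apollo.yml. Make sure the Hetzner box is wiped before it is returned or reassigned; this commit only removes configuration, and once apollo leaves the inventory no playbook will reach it to do the wipe.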
hosts
View file @
f6c3af0e
[hetzner]
apollo.archlinux.org
luna.archlinux.org
dragon.archlinux.org
secure-runner1.archlinux.org
...
...
@@ -25,7 +24,6 @@ europe.mirror.pkgbuild.com
[borg_clients]
archlinux.org
apollo.archlinux.org
aur-dev.archlinux.org
luna.archlinux.org
state.archlinux.org
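Review bot: dropping apollo from [borg_clients] stops new backups but leaves its existing archives on the storage box. Decide on a retention period for them (the database dumps and mail are the last copy once the host is wiped) and prune deliberately rather than leaving them indefinitely; if the borg_client role installed a client ssh key on the storage box, remove that key as well.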
...
...
@@ -54,7 +52,6 @@ u236610.your-storagebox.de
homedir.archlinux.org
[mysql_servers]
apollo.archlinux.org
luna.archlinux.org
bbs.archlinux.org
bugs.archlinux.org
...
...
@@ -64,7 +61,6 @@ wiki.archlinux.org
[postgresql_servers]
archlinux.org
apollo.archlinux.org
state.archlinux.org
quassel.archlinux.org
accounts.archlinux.org
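Review bot: apollo's deleted playbook ran postgres with `postgres_listen_addresses: "*"` and built firewall holes for gemini and every host in the mirrors group, so those hosts carry connection settings and credentials for it. Removing apollo from [postgresql_servers] (and from [mysql_servers] above) should be paired with removing the client-side DB host and password entries on gemini and the mirrors, and rotating any password that was shared with a database that still exists.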
...
...
@@ -72,7 +68,6 @@ patchwork.archlinux.org
[nginx]
archlinux.org
apollo.archlinux.org
luna.archlinux.org
bbs.archlinux.org
bugs.archlinux.org
...
...
playbooks/apollo.yml
deleted
100644 → 0
View file @
5d9d0843
---
-
name
:
"
prepare
postgres
ssl
hosts
list"
hosts
:
apollo.archlinux.org
tasks
:
-
name
:
assign ipv4 addresses to fact postgres_ssl_hosts4
set_fact
:
postgres_ssl_hosts4="{{ [gemini4] + detected_ips }}"
vars
:
gemini4
:
"
{{
hostvars['gemini.archlinux.org']['ipv4_address']
}}/32"
detected_ips
:
"
{{
groups['mirrors']
|
map('extract',
hostvars,
['ipv4_address'])
|
select()
|
map('regex_replace',
'^(.+)$',
'
\\
1/32')
|
list
}}"
tags
:
[
"
postgres"
,
"
firewall"
]
-
name
:
assign ipv6 addresses to fact postgres_ssl_hosts6
set_fact
:
postgres_ssl_hosts6="{{ [gemini6] + detected_ips }}"
vars
:
gemini6
:
"
{{
hostvars['gemini.archlinux.org']['ipv6_address']
}}/128"
detected_ips
:
"
{{
groups['mirrors']
|
map('extract',
hostvars,
['ipv6_address'])
|
select()
|
map('regex_replace',
'^(.+)$',
'
\\
1/128')
|
list
}}"
tags
:
[
"
postgres"
,
"
firewall"
]
-
name
:
setup apollo
hosts
:
apollo.archlinux.org
remote_user
:
root
roles
:
-
{
role
:
common
}
-
{
role
:
tools
}
-
{
role
:
sshd
}
-
{
role
:
root_ssh
}
-
{
role
:
borg_client
,
tags
:
[
"
borg"
]
}
-
{
role
:
certbot
}
-
{
role
:
nginx
}
-
{
role
:
rspamd
,
tags
:
[
"
mail"
]
}
-
{
role
:
unbound
,
tags
:
[
"
mail"
]
}
-
{
role
:
postfix
,
postfix_relayhost
:
"
mail.archlinux.org"
,
postfix_smtpd_public
:
true
,
postfix_patchwork_enabled
:
true
,
tags
:
[
"
mail"
]
}
-
{
role
:
postfwd
,
tags
:
[
'
mail'
]
}
-
role
:
postgres
postgres_listen_addresses
:
"
*"
postgres_max_connections
:
1000
postgres_ssl
:
'
on'
postgres_shared_buffers
:
4096MB
-
{
role
:
mariadb
,
mariadb_query_cache_type
:
'
0'
,
mariadb_innodb_file_per_table
:
True
}
-
{
role
:
sudo
}
-
{
role
:
uwsgi
}
-
{
role
:
php_fpm
,
php_extensions
:
[
'
bcmath'
,
'
curl'
,
'
gd'
,
'
iconv'
,
'
intl'
,
'
mysqli'
,
'
pdo_pgsql'
,
'
pgsql'
,
'
sockets'
,
'
zip'
],
zend_extensions
:
[
'
opcache'
]
}
-
{
role
:
memcached
}
-
{
role
:
archweb
,
archweb_planet
:
true
}
-
role
:
security_tracker
security_tracker_domain
:
"
security.archlinux.org"
security_tracker_nginx_conf
:
'
/etc/nginx/nginx.d/security-tracker.conf'
security_tracker_dir
:
"
/srv/http/security-tracker"
-
{
role
:
mailman
,
mailman_domain
:
"
lists.archlinux.org"
}
-
{
role
:
patchwork
}
-
{
role
:
grafana
}
-
{
role
:
archwiki
}
-
{
role
:
conf_archlinux
}
-
{
role
:
fail2ban
}
-
{
role
:
prometheus_exporters
}
roles/postfix/tasks/main.yml
View file @
f6c3af0e
...
...
@@ -108,21 +108,8 @@
-
smtp
-
smtp-submission
-
smtps
when
:
postfix_smtpd_public and configure_firewall
and inventory_hostname != "apollo.archlinux.org"
when
:
postfix_smtpd_public and configure_firewall
tags
:
-
firewall
-
name
:
open ipv4 firewall holes on apollo
ansible.posix.firewalld
:
permanent=true state=enabled immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['mail.archlinux.org']['ipv4_address'] }} port protocol=tcp port=25 accept"
when
:
postfix_smtpd_public and configure_firewall and inventory_hostname == "apollo.archlinux.org"
tags
:
-
firewall
-
name
:
open ipv6 firewall holes on apollo
ansible.posix.firewalld
:
permanent=true state=enabled immediate=yes
rich_rule="rule family=ipv6 source address={{ hostvars['mail.archlinux.org']['ipv6_address'] }} port protocol=tcp port=25 accept"
when
:
postfix_smtpd_public and configure_firewall and inventory_hostname == "apollo.archlinux.org"
tags
:
-
firewall
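Review bot: dropping the `inventory_hostname != "apollo.archlinux.org"` guard and the two apollo-only rich-rule tasks is the right simplification now that the host is gone. One consequence to keep in mind: the generic task is now the only thing that opens smtp, smtp-submission and smtps, gated purely on `postfix_smtpd_public and configure_firewall`, so any host that sets postfix_smtpd_public gets a world-reachable smtpd rather than the source-restricted rule apollo had (port 25 from mail.archlinux.org only). Grep host_vars for postfix_smtpd_public to confirm it is set only where that is intended.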
tf-stage1/archlinux.tf
View file @
f6c3af0e
...
...
@@ -160,16 +160,12 @@ locals {
# - ttl (optional)
#
# Example:
#
apollo
= {
# ipv4_address = "
138.201.81.199
"
# ipv6_address = "2a01:4f8:
172:1d86
::
1
"
#
gemini
= {
# ipv4_address = "
49.12.124.107
"
# ipv6_address = "2a01:4f8:
242:5614
::
2
"
# ttl = 600
# }
archlinux_org_a_aaaa
=
{
apollo
=
{
ipv4_address
=
"138.201.81.199"
ipv6_address
=
"2a01:4f8:172:1d86::1"
}
aur4
=
{
ipv4_address
=
"5.9.250.164"
ipv6_address
=
"2a01:4f8:160:3033::2"
...
...
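Review bot: in the hunk above, the real change, dropping the apollo entry from archlinux_org_a_aaaa, is correct. The example comment, however, now carries gemini's real production addresses (49.12.124.107, 2a01:4f8:242:5614::2) in place of apollo's; comments are not validated, so this will drift the next time gemini moves. An address from the documentation ranges (192.0.2.0/24, 2001:db8::/32) would serve the example without needing maintenance.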
@@ -232,7 +228,6 @@ locals {
dev
=
{
value
=
"www"
}
g2kjxsblac7x
=
{
value
=
"gv-i5y6mnrelvpfiu.dv.googlehosted.com."
}
git
=
{
value
=
"luna"
}
grafana
=
{
value
=
"apollo"
}
ipxe
=
{
value
=
"www"
}
"luna2._domainkey.aur"
=
{
value
=
"luna2._domainkey"
}
"luna2._domainkey.lists"
=
{
value
=
"luna2._domainkey"
}
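Review bot: with -7/+6 the removed line is grafana = { value = "apollo" }, the only entry in this block that pointed at apollo. Nothing replaces it, so grafana.archlinux.org will stop resolving; if Grafana now lives elsewhere, add a CNAME to that host, otherwise note in docs/servers.md that the name is retired.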
...
...
@@ -244,7 +239,6 @@ locals {
rsync
=
{
value
=
"gemini"
}
sources
=
{
value
=
"gemini"
}
"static.conf"
=
{
value
=
"redirect"
}
static
=
{
value
=
"apollo"
}
status
=
{
value
=
"stats.uptimerobot.com."
}
svn
=
{
value
=
"gemini"
}
}
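Review bot: the removed line here is static = { value = "apollo" }. Its sibling "static.conf" = { value = "redirect" } stays, so consider whether static.archlinux.org should likewise point at redirect rather than vanish: links to static.* will now fail to resolve instead of being redirected.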
...
...
@@ -405,14 +399,6 @@ resource "hetznerdns_record" "archlinux_org_origin_ns1" {
# type = "SOA"
# }
resource
"hetznerdns_record"
"archlinux_org_origin_apollo_domainkey_txt"
{
zone_id
=
hetznerdns_zone
.
archlinux
.
id
name
=
"apollo._domainkey"
ttl
=
600
value
=
"
\"
v=DKIM1; k=rsa; s=email;
\"
\"
p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvZIf8SbjC53RDCbMjTEpo0FCuMSShlKWdwWjY1J+RpT3CL/21z4nXqVBYF1orkUScH8Nlabocraqk8lmpNBlKCUV77lk9mRsLkWhg+XjhvQXL1xfH8zAg1CntEZuaIMLUQ+5Gkw6BlO1qDRkmXS9UtV8Jt1rhjRtSrgN5lhztOCbQLRAtzKty/nMeClqsfT3nL2hbDeh+b/rYc
\"
\"
l2veZAqiGcR2/0bnKlt+Nb5lOBY3oZiYLmZ5g+l9UXVjGUq9jGAooIWpQvuRPmin3RX31kXfr1A+mDBEexiOL1dDST2Zx7i9puXbqYH0u0IxBpweHCO5UqWx52mdXBuhs+DCo/JoZAHU/6eRzK+Sps50LgLFSzJJNfGXk5PUKdww2GHbkK3mCYfoFCpB0SADzl42+1w6YZk1yXoPdOHtChfQpCgjtddf1W8Q09pYO1/bn4l0erdFQsWb1K
\"
\"
4wEVOCn+hHWbV42V+J3TyGxQ4AM8KQ1OPvUEabyTyqcO4evBaH7/S2wA91Z9QDjTbKmlNovs5zoxuOM/mPGPUuQMvhjoAP+rg4AwJ3Xwd3GgUcqQflcokayUYdp7F3aKp1NWAR9ibseU/XBYsSF8Ucjqzf4DJFUfrgjHUr97st7g4HUCyXrQO4tyE0ytiX8OFjjIszWLmF+B7Vup9O7k+dNz2Vj2Vyzkq1UCAwEAAQ==
\"
"
type
=
"TXT"
}
resource
"hetznerdns_record"
"archlinux_org_lists_mx"
{
zone_id
=
hetznerdns_zone
.
archlinux
.
id
name
=
"lists"
...
...
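Review bot: in the hunk above, removing apollo._domainkey stops publishing the public key for selector `apollo`, so any mail still signed with that selector fails DKIM verification at recipients from the moment this applies. The apollo playbook relayed through mail.archlinux.org and the only other selectors visible here are luna2._domainkey (aur, lists), so confirm outbound mail for archlinux.org signs with a selector that remains published before this is merged, not after.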