diff --git a/docs/fail2ban.md b/docs/fail2ban.md index e2cf5b2952e9a9a9035c71bed67c76e6d7b0e568..4f315c70549c39208d8c0640623ccc93493454e8 100644 --- a/docs/fail2ban.md +++ b/docs/fail2ban.md @@ -24,7 +24,7 @@ The sshd jail should be enabled for every host we have, to block brute force ssh ### postfix -The postfix jail is enabled for Apollo and Orion, to block failed SMTP requests. Adding it to a host: +The postfix jail not enabled on any server. Adding it to a host: Add `fail2ban_jails` dict with `postfix: true` to the host's `host_vars`. diff --git a/docs/servers.md b/docs/servers.md index 47bf8b007217929bb442e0d9a011525f6e6d6dc0..3b69050aea3a1f2f874dbe4e0550b0cb493a226a 100644 --- a/docs/servers.md +++ b/docs/servers.md @@ -17,12 +17,10 @@ - mailman - projects (projects.archlinux.org) -## apollo +## archlinux.org ### Services - - wiki (wiki.archlinux.org) - - archweb - - patchwork + - archweb (Arch's site) ## aur.archlinux.org @@ -110,6 +108,12 @@ Medium-fast-ish packet.net Arch Linux box. ### Services - GitLab runner +## mail.archlinux.org + +### Services + - postfix (mail server) + - rspamd + - dovecot (imap) ## monitoring.archlinux.org @@ -127,6 +131,26 @@ Hosts our gnupg open web key directory for fetching Arch Linux keyring keys over ### Services - WKD +## patchwork.archlinux.org + +### Services + - patchwork + +## redirect.archlinux.org + +### Services + - Redirects (nginx redirects) + +## security.archlinux.org + +### Services + - security tracker + +## wiki.archlinux.org + +### Services + - archwiki + ## Archive Mirrors diff --git a/docs/ssh-hostkeys.txt b/docs/ssh-hostkeys.txt index 8e21f4e756ebf5bed63991681451150027dfb27f..ea7425ffd55b70da41b13b37c3b28352484ea637 100644 --- a/docs/ssh-hostkeys.txt +++ b/docs/ssh-hostkeys.txt 
@@ -20,17 +20,6 @@ 256 MD5:4b:0b:1c:81:27:81:7a:22:b4:48:88:75:69:a5:b4:4e root@america.mirror.pkgbuild.com (ED25519) 3072 MD5:a2:41:dc:97:5a:ae:89:7a:4f:69:f7:ec:a0:d4:67:b6 root@america.mirror.pkgbuild.com (RSA) -# apollo.archlinux.org -1024 SHA256:WArxFzvhf5HknYxil2EQSHHRirM2cyjqbtLvhbQAYC8 root@apollo (DSA) -256 SHA256:sYJfY17PE0kJ4K8fbkPK/XqRQjY1+g6hmIF7dvTbZoo root@apollo (ECDSA) -256 SHA256:owwpolkJxPyUmmfJMfFeYIdDXiruwzaEw3bS+q6k97Q root@apollo (ED25519) -2048 SHA256:JW9dUO95gxGJRTkV/V/1HtmLfLq8uztbWc5KAOg8Blc root@apollo (RSA) - -1024 MD5:90:46:7f:8e:1e:79:17:10:1e:32:79:a7:69:c6:4b:a4 root@apollo (DSA) -256 MD5:4b:52:61:77:f7:f8:4e:75:ca:83:e6:ae:fc:6e:77:67 root@apollo (ECDSA) -256 MD5:a7:84:8b:95:4f:53:ac:b6:9d:24:79:79:fc:c7:bf:1f root@apollo (ED25519) -2048 MD5:77:b0:17:18:57:74:38:91:47:31:43:04:47:e9:9e:30 root@apollo (RSA) - # archlinux.org 1024 SHA256:7jLDIo/l9ngy+KcC2Yh2yCE+gSVix4VmZVaVTMLOiEg root@archlinux-packer (DSA) 256 SHA256:9nc3jaxyh21w+HVT1Xo0/ujMx7/qWKguqcSiDX7jrA0 root@archlinux-packer (ECDSA) diff --git a/docs/ssh-known_hosts.txt b/docs/ssh-known_hosts.txt index a63712ae17e1d3395c8d5ae627a1a4e32f48dfdb..5d174c64eb62704a1fd311d7c6720b9734aee401 100644 --- a/docs/ssh-known_hosts.txt +++ b/docs/ssh-known_hosts.txt 
@@ -8,11 +8,6 @@ america.mirror.pkgbuild.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYA america.mirror.pkgbuild.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMofe+VPkI+MKGWYkonc5IsTwVmf2OcX8atVgnXkjbqL america.mirror.pkgbuild.com ssh-rsa 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 -# apollo.archlinux.org -apollo.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMicA8QKPeY1hp29QcTe25eT7yd+zOx1sj6o0F+XA/POc2TRsiSidJogCaf4e3wpw4T2ccb7ixnvGmy7hCAcngA= -apollo.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGz+b+or4nKpcXJgDjwt3LdO0EPk9Zw1z1W9L8rcV8UX -apollo.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHUYq82CCrnZhey7Hclhe79+s7YUZv/So1HWjoSAs8qObpJX4Mn3bwcILOoD1LE6VdkQu+tZwFpl8A1DrmKgpO++SEoFft77jgigzDbwEuSuBbP8eOo1zyDX1q3Sipecf41s6psY3bxcVbINAkm/PDFxpM8tEU+8TqpCupa5fNLimiwBk7fyncxbah+ACaLlm+f02Ku9pBcPfFzlsEoZBrncAyhx3bm4qXH/uYVOtBjzi6KrZYyEbXX+0LxRhxuELkhYqbNpyFIDfPKYgXc1pRHgAkS2CxZO2p1Uy1zJFC8edM3ma+I0Wn9+alGMHC6jCOm2iFT9THLS2NPJq67Yan - # archlinux.org archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB0PUXX25/7fRKiayZos7f1LIG925vOQlnuTE7HuSKiVhiYHi3XB9JyILKaekOb73hNJOUdE8kBEzhXESbrn1mM= archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBeUGb+Q4QLN8yg1pohasTnfhwO7rNmW7Ih/PTrnmY0V diff --git a/host_vars/apollo.archlinux.org b/host_vars/apollo.archlinux.org deleted file mode 100644 index b8e47d4aac17b50d49b1e599513254f04f2e947d..0000000000000000000000000000000000000000 --- a/host_vars/apollo.archlinux.org +++ /dev/null @@ -1,20 +0,0 @@ ---- -hostname: "apollo" - -ipv4_address: "138.201.81.199" -ipv4_netmask: "/32" -ipv6_address: "2a01:4f8:172:1d86::1" -ipv6_netmask: "/128" -ipv4_gateway: "138.201.81.193" -ipv6_gateway: "fe80::1" -filesystem: btrfs -system_disks: - - /dev/sda - - /dev/sdb - -kanboard_version: "v1.2.14" - -fail2ban_jails: - sshd: true - postfix: true - dovecot: false 
diff --git a/hosts b/hosts
index cb3a33c0136216bea975950fd3183958bc6e00e7..042cbaf566c2c9152bda25d46192401136cbeb99 100644
--- a/hosts
+++ b/hosts
@@ -1,5 +1,4 @@
 [hetzner]
-apollo.archlinux.org
 luna.archlinux.org
 dragon.archlinux.org
 secure-runner1.archlinux.org
@@ -25,7 +24,6 @@ europe.mirror.pkgbuild.com
 
 [borg_clients]
 archlinux.org
-apollo.archlinux.org
 aur-dev.archlinux.org
 luna.archlinux.org
 state.archlinux.org
@@ -54,7 +52,6 @@ u236610.your-storagebox.de
 homedir.archlinux.org
 
 [mysql_servers]
-apollo.archlinux.org
 luna.archlinux.org
 bbs.archlinux.org
 bugs.archlinux.org
@@ -64,7 +61,6 @@ wiki.archlinux.org
 
 [postgresql_servers]
 archlinux.org
-apollo.archlinux.org
 state.archlinux.org
 quassel.archlinux.org
 accounts.archlinux.org
@@ -72,7 +68,6 @@ patchwork.archlinux.org
 
 [nginx]
 archlinux.org
-apollo.archlinux.org
 luna.archlinux.org
 bbs.archlinux.org
 bugs.archlinux.org
diff --git a/playbooks/apollo.yml b/playbooks/apollo.yml
deleted file mode 100644
index f9790c676e355233e6d86c577a8a0533cf879b92..0000000000000000000000000000000000000000
--- a/playbooks/apollo.yml
+++ /dev/null
@@ -1,55 +0,0 @@ ---- - -- name: "prepare postgres ssl hosts list" - hosts: apollo.archlinux.org - tasks: - - name: assign ipv4 addresses to fact postgres_ssl_hosts4 - set_fact: postgres_ssl_hosts4="{{ [gemini4] + detected_ips }}" - vars: - gemini4: "{{ hostvars['gemini.archlinux.org']['ipv4_address'] }}/32" - detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv4_address']) | select() | map('regex_replace', '^(.+)$', '\\1/32') | list }}" - tags: ["postgres", "firewall"] - - name: assign ipv6 addresses to fact postgres_ssl_hosts6 - set_fact: postgres_ssl_hosts6="{{ [gemini6] + detected_ips }}" - vars: - gemini6: "{{ hostvars['gemini.archlinux.org']['ipv6_address'] }}/128" - detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv6_address']) | select() | map('regex_replace', '^(.+)$', '\\1/128') | list }}" - tags: ["postgres", "firewall"] - -- name: setup apollo - hosts: apollo.archlinux.org - remote_user: root - roles: - - { role: common } - - { role: tools } - - { role: sshd } - - { role: root_ssh } - - { role: borg_client, tags: ["borg"] } - - { role: certbot } - - { role: nginx } - - { role: rspamd, tags: ["mail"] } - - { role: unbound, tags: ["mail"] } - - { role: postfix, postfix_relayhost: "mail.archlinux.org", postfix_smtpd_public: true, postfix_patchwork_enabled: true, tags: ["mail"] } - - { role: postfwd, tags: ['mail'] } - - role: postgres - postgres_listen_addresses: "*" - postgres_max_connections: 1000 - postgres_ssl: 'on' - postgres_shared_buffers: 4096MB - - { role: mariadb, mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: True } - - { role: sudo } - - { role: uwsgi } - - { role: php_fpm, php_extensions: ['bcmath', 'curl', 'gd', 'iconv', 'intl', 'mysqli', 'pdo_pgsql', 'pgsql', 'sockets', 'zip'], zend_extensions: ['opcache'] } - - { role: memcached } - - { role: archweb, archweb_planet: true } - - role: security_tracker - security_tracker_domain: "security.archlinux.org" - security_tracker_nginx_conf: 
'/etc/nginx/nginx.d/security-tracker.conf' - security_tracker_dir: "/srv/http/security-tracker" - - { role: mailman, mailman_domain: "lists.archlinux.org" } - - { role: patchwork } - - { role: grafana } - - { role: archwiki } - - { role: conf_archlinux } - - { role: fail2ban } - - { role: prometheus_exporters } diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml index 57735490812ba1d254a9dd281bf7d2c7088a601a..a7782610b84da0b1c8ed52d03db33f3a72b631c6 100644 --- a/roles/postfix/tasks/main.yml +++ b/roles/postfix/tasks/main.yml @@ -108,21 +108,8 @@ - smtp - smtp-submission - smtps - when: postfix_smtpd_public and configure_firewall and inventory_hostname != "apollo.archlinux.org" + when: postfix_smtpd_public and configure_firewall tags: - firewall -- name: open ipv4 firewall holes on apollo - ansible.posix.firewalld: permanent=true state=enabled immediate=yes - rich_rule="rule family=ipv4 source address={{ hostvars['mail.archlinux.org']['ipv4_address'] }} port protocol=tcp port=25 accept" - when: postfix_smtpd_public and configure_firewall and inventory_hostname == "apollo.archlinux.org" - tags: - - firewall - -- name: open ipv6 firewall holes on apollo - ansible.posix.firewalld: permanent=true state=enabled immediate=yes - rich_rule="rule family=ipv6 source address={{ hostvars['mail.archlinux.org']['ipv6_address'] }} port protocol=tcp port=25 accept" - when: postfix_smtpd_public and configure_firewall and inventory_hostname == "apollo.archlinux.org" - tags: - - firewall diff --git a/tf-stage1/archlinux.tf b/tf-stage1/archlinux.tf index 9006a19134baece871be998e3701765f965195da..4503b3d62286bcae33860bb7c62aafbd998c9613 100644 --- a/tf-stage1/archlinux.tf +++ b/tf-stage1/archlinux.tf 
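Review bot: The task whose `when:` is rewritten here carries no comment recording that, with the two source-restricted rich_rule tasks below it deleted, `postfix_smtpd_public` now has exactly one meaning: smtp, smtp-submission and smtps are opened to every source on any host that sets it. The deleted tasks were the role's only example of a narrower, single-source exposure, so a host that needs that again has nothing in the role to reuse and will get the wide-open variant by default. Suggest a comment above the `when:` such as `# postfix_smtpd_public opens smtp/submission/smtps to all sources; a source-restricted exception must be declared per host`. The task's name and module lines, and the service list it opens, start above the hunk.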
@@ -160,16 +160,12 @@ locals { # - ttl (optional) # # Example: - # apollo = { - # ipv4_address = "138.201.81.199" - # ipv6_address = "2a01:4f8:172:1d86::1" + # gemini = { + # ipv4_address = "49.12.124.107" + # ipv6_address = "2a01:4f8:242:5614::2" # ttl = 600 # } archlinux_org_a_aaaa = { - apollo = { - ipv4_address = "138.201.81.199" - ipv6_address = "2a01:4f8:172:1d86::1" - } aur4 = { ipv4_address = "5.9.250.164" ipv6_address = "2a01:4f8:160:3033::2" @@ -232,7 +228,6 @@ locals { dev = { value = "www" } g2kjxsblac7x = { value = "gv-i5y6mnrelvpfiu.dv.googlehosted.com." } git = { value = "luna" } - grafana = { value = "apollo" } ipxe = { value = "www" } "luna2._domainkey.aur" = { value = "luna2._domainkey" } "luna2._domainkey.lists" = { value = "luna2._domainkey" } @@ -244,7 +239,6 @@ locals { rsync = { value = "gemini" } sources = { value = "gemini" } "static.conf" = { value = "redirect" } - static = { value = "apollo" } status = { value = "stats.uptimerobot.com." } svn = { value = "gemini" } } 
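Review bot: The rewritten example comment in the `locals` block now quotes gemini's live addresses (`49.12.124.107`, `2a01:4f8:242:5614::2`), presumably the same values as gemini's real entry in `archlinux_org_a_aaaa`, so the comment will silently go stale when that host is renumbered or removed — which is exactly what happened to the apollo example this commit replaces. An example should use values that cannot be mistaken for a live record, e.g. `# example = {` / `#   ipv4_address = "192.0.2.10"` / `#   ipv6_address = "2001:db8::10"` (the RFC 5737 / RFC 3849 documentation ranges). The `locals` block begins and ends outside the hunk.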
@@ -405,14 +399,6 @@ resource "hetznerdns_record" "archlinux_org_origin_ns1" { # type = "SOA" # } -resource "hetznerdns_record" "archlinux_org_origin_apollo_domainkey_txt" { - zone_id = hetznerdns_zone.archlinux.id - name = "apollo._domainkey" - ttl = 600 - value = "\"v=DKIM1; k=rsa; s=email; \" \"p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvZIf8SbjC53RDCbMjTEpo0FCuMSShlKWdwWjY1J+RpT3CL/21z4nXqVBYF1orkUScH8Nlabocraqk8lmpNBlKCUV77lk9mRsLkWhg+XjhvQXL1xfH8zAg1CntEZuaIMLUQ+5Gkw6BlO1qDRkmXS9UtV8Jt1rhjRtSrgN5lhztOCbQLRAtzKty/nMeClqsfT3nL2hbDeh+b/rYc\" \"l2veZAqiGcR2/0bnKlt+Nb5lOBY3oZiYLmZ5g+l9UXVjGUq9jGAooIWpQvuRPmin3RX31kXfr1A+mDBEexiOL1dDST2Zx7i9puXbqYH0u0IxBpweHCO5UqWx52mdXBuhs+DCo/JoZAHU/6eRzK+Sps50LgLFSzJJNfGXk5PUKdww2GHbkK3mCYfoFCpB0SADzl42+1w6YZk1yXoPdOHtChfQpCgjtddf1W8Q09pYO1/bn4l0erdFQsWb1K\" \"4wEVOCn+hHWbV42V+J3TyGxQ4AM8KQ1OPvUEabyTyqcO4evBaH7/S2wA91Z9QDjTbKmlNovs5zoxuOM/mPGPUuQMvhjoAP+rg4AwJ3Xwd3GgUcqQflcokayUYdp7F3aKp1NWAR9ibseU/XBYsSF8Ucjqzf4DJFUfrgjHUr97st7g4HUCyXrQO4tyE0ytiX8OFjjIszWLmF+B7Vup9O7k+dNz2Vj2Vyzkq1UCAwEAAQ==\" " - type = "TXT" -} - resource "hetznerdns_record" "archlinux_org_lists_mx" { zone_id = hetznerdns_zone.archlinux.id name = "lists"