We don't want mirror.pkgbuild.com's DNS server to be a
single-point-of-failure, so this commit adds multiple authoritative DNS
servers for the zone. The extra DNS servers are run on the geomirror
servers.

The _acme-challenge zone, used for obtaining certificates, is run solely
on mirror.pkgbuild.com's DNS server, to avoid syncing DNS records
between the servers (KISS).

mirror.pkgbuild.com doesn't need it.

We had a GeoIP mirror in the past based on nginx and its GeoIP module,
but it didn't perform very well, due to the high latency (asking a
central server for the package and then redirected to the closest
mirror).

One of the reasons for offering this service, is so we can relieve
mirror.pkgbuild.com which is burning a ton of traffic (50TB/month),
likely due to it being the default mirror in our Docker image. Another
reason is so we can offer a link to our arch-boxes images in libosinfo
(used by gnome-boxes, virt-install and virt-manager), with good enough
performance for most users.

This time we take a different approach and use a DNS based solution,
which means the latency penalty is only paid once (the first DNS
request). The downside is that the mirrors must have a valid certificate
for the same domain name, which makes using third-party mirrors a
challenge. So for now, we are just using the sponsored mirorrs
controlled by the DevOps team.

Fix #101

With the PHP->Python port done[1][2], there isn't much need for aur-dev
anynmore. Most things can also be tested locally and aur-dev haven't got
any love since the port (ex: allowing the aurweb maintainers to deploy
without asking DevOps).

[1] https://lists.archlinux.org/pipermail/aur-general/2022-February/036786.html
[2] !525

- Create packer builder in FSN1 and change image to ubuntu-20.04
- Add "use_proxy: false" to provisioner config to work around [1]
- Reduce the size of the BIOS boot partition to 1M (from 10M) [2]
- Update bootstrap_version to 2022.03.01

[1] https://github.com/hashicorp/packer-plugin-ansible/issues/69
[2] https://www.gnu.org/software/grub/manual/grub/html_node/BIOS-installation.html

Avoid updating the cache in the same task w/ the upgrade as the former
causes the combined task to always return changed=True. For up-to-date
hosts, stop early instead of following through to the end and skipping
the final reboot task.

Before Ansible 5.4.0, combined cache update + package upgrade would not
always return changed=True but instead depended on whether the were any
packages to upgrade.

Do the same for the hostkeys/known_hosts templates and disable fact
gathering.

These are managed services and Ansible doesn't run on them. It got
boring writing 'all,!rsync_net,!hetzner_storageboxes' in playbooks
and ad-hoc commands, so remove these borg hosts from our inventory.

Change docs/ssh-known_hosts.txt to be partially managed by Ansible, so
custom entries can be added to the top of the file. Use the new format
to write down the host keys of our two borg hosts.

Kevin Morris authored 3 years ago and Kristian Klausen committed 3 years ago

Signed-off-by: Kevin Morris <kevr@0cost.org>

Service facts did not provide enough information about the state of
the borg-backup{,-offsite} services. While runnning, their state is
reported as stopped by service_facts and "activating" by systemctl.

The sponsored mirrors have a ton of storage, but mirror.pkgbuild.com
doesn't, so debug packages aren't synced to it.

[1] {america,asia,europe}.mirror.pkgbuild.com

Morten Linderud authored 4 years ago and Kristian Klausen committed 3 years ago

Signed-off-by: Morten Linderud <morten@linderud.pw>

Fixes: d88c0b95 ("Initialize gluebuddy host")

The tools role is only used on servers which normal staff have SSH
access to since [1].

[1] 7da1e273 ("Cleanup tools")

Fixes: d88c0b95 ("Initialize gluebuddy host")

Fixes: d88c0b95 ("Initialize gluebuddy host")

PHP7 will likely be removed from the repos soon[1]. Time to upgrade! :)

[1] https://archlinux.org/todo/php-7-retiredment/

In a recent execution of the server upgrade task, svntogit was started
shortly before the reboot command was issued. Therefore, it was killed
two seconds into its run, leaving behind a lock file that prevented it
from starting again after gemini was rebooted.

Avoid the above timing issue by stopping the timer before rebooting.

New username; separate and longer account manager + storage passwords.

Also, have to use --remote-path=borg1 when interacting with rsync.net.

Useful for mail.archlinux.org where this setting doesn't matter since we
force the SSH command to passwd and zsh was removed as part of the tools
cleanup effort recently (stops shadow.service from complaining about zsh
missing).

Fix #392

Also adjust indentation and make the uploaded files owned by nobody.

Fix #177

This is done to avoid killing db-update and related processes.