Commits · 5948d258f02717e1bb94e1015b0282cbf656459c · Arch Linux / infrastructure

14 May, 2022 2 commits
- geomirror: rename role to geo_dns · 5948d258
  Evangelos Foutras authored May 14, 2022
```
The intention is to use this config for other domains besides a mirror.
```
  5948d258
- geomirror: extract acme dns challenge into new role · afb582b1
  Evangelos Foutras authored May 13, 2022
```
- add the new role to redirect.archlinux.org
- release mirror.pkgbuild.com of all DNS duties
```
  afb582b1
15 Apr, 2022 1 commit

Avoid single point-of-failure for our GeoIP domain · aa359082

Kristian Klausen authored Apr 13, 2022

We don't want mirror.pkgbuild.com's DNS server to be a
single-point-of-failure, so this commit adds multiple authoritative DNS
servers for the zone. The extra DNS servers are run on the geomirror
servers.

The _acme-challenge zone, used for obtaining certificates, is run solely
on mirror.pkgbuild.com's DNS server, to avoid syncing DNS records
between the servers (KISS).

aa359082

13 Apr, 2022 2 commits

Enable certbot_dns_support for geo mirrors only · 64ec52ca
Evangelos Foutras authored Apr 13, 2022
```
mirror.pkgbuild.com doesn't need it.
```
64ec52ca

Add GeoIP domain for our sponsored mirros · 9f65f99c

Kristian Klausen authored Feb 23, 2022

We had a GeoIP mirror in the past based on nginx and its GeoIP module,
but it didn't perform very well, due to the high latency (asking a
central server for the package and then redirected to the closest
mirror).

One of the reasons for offering this service, is so we can relieve
mirror.pkgbuild.com which is burning a ton of traffic (50TB/month),
likely due to it being the default mirror in our Docker image. Another
reason is so we can offer a link to our arch-boxes images in libosinfo
(used by gnome-boxes, virt-install and virt-manager), with good enough
performance for most users.

This time we take a different approach and use a DNS based solution,
which means the latency penalty is only paid once (the first DNS
request). The downside is that the mirrors must have a valid certificate
for the same domain name, which makes using third-party mirrors a
challenge. So for now, we are just using the sponsored mirorrs
controlled by the DevOps team.

Fix #101

9f65f99c

04 Feb, 2022 1 commit

Sync debug packages to our sponsored mirrors[1] · 4773f92c

Kristian Klausen authored Feb 01, 2022

The sponsored mirrors have a ton of storage, but mirror.pkgbuild.com
doesn't, so debug packages aren't synced to it.

[1] {america,asia,europe}.mirror.pkgbuild.com

4773f92c

02 Oct, 2021 1 commit
- Cleanup tools · 7da1e273
  Kristian Klausen authored Aug 25, 2021
```
Fix #392
```
  7da1e273
06 Jul, 2021 1 commit

WireGuard all hosts · 664deb67

Kristian Klausen authored Jul 06, 2021

This is meant as a internal authenticated and encrypted network which we
can use for internal services, we don't want to expose to the internet
or when encryption is desired but not easily implementable.

664deb67

12 Apr, 2021 1 commit
- Remove arch32 mirror role · 89a98702
  Jelle van der Waa authored Apr 11, 2021
```
We no longer mirror arch32 on our servers and this role is currently
broken.
```
  89a98702
08 Apr, 2021 1 commit
- Implement centralized logging · 7235e726
  Kristian Klausen authored Feb 26, 2021 and Jelle van der Waa committed Apr 08, 2021
```
Fix #263
```
  7235e726
07 Apr, 2021 1 commit
- Remove unbound from most systems · b941a133
  Kristian Klausen authored Mar 07, 2021 and Jelle van der Waa committed Apr 07, 2021
```
unbound is only used if dns_servers is explicit set to 127.0.0.1, which
isn't the case for any of these systems.

Fix #234
```
  b941a133
02 Nov, 2020 1 commit

By default enable the sshd jail for fail2ban · 992f81d7

Jelle van der Waa authored Oct 16, 2020

For all hosts we want to have a working fail2ban for sshd brute force
attempts through a group_vars/all. For some hosts an override is
required to enable postfix or dovecot jails.

992f81d7

06 Oct, 2020 1 commit
- Add mirror/homedir to prometheus monitoring · 442a6de9
  Jelle van der Waa authored Oct 06, 2020
  
  442a6de9
12 Sep, 2020 1 commit

Remove zabbix-agent role everywhere · 2be002b1

Jelle van der Waa authored Sep 12, 2020

We switched for monitoring to prometheus so zabbix-agent is unwanted and
we don't want to accidently deploy it again.

2be002b1

27 Aug, 2020 1 commit
- fix E106 'Role name <role> does not match ``^[a-z][a-z0-9_]+$`` pattern' · 04b2e3b1
  Frederik Schwan authored Aug 18, 2020 and Sven-Hendrik Haase committed Aug 27, 2020
  
  04b2e3b1
24 Mar, 2019 1 commit
- Refactor certbot into dedicated role · dacb47a7
  Florian Pritz authored Mar 24, 2019
```
Signed-off-by: Florian Pritz <bluewind@xinu.at>
```
  dacb47a7
02 Jul, 2018 1 commit
- Configure network/dns on PIA machines · 53dd4d68
  Florian Pritz authored Jun 30, 2018
```
Signed-off-by: Florian Pritz <bluewind@xinu.at>
```
  53dd4d68
07 Dec, 2017 1 commit
- mirrors: drop reduntant tags · 69a91b05
  Bartłomiej Piotrowski authored Dec 07, 2017
  
  69a91b05
15 Nov, 2017 1 commit
- Add role for mirroring archlinux32 · e5b461e3
  Bartłomiej Piotrowski authored Nov 15, 2017
  
  e5b461e3
20 Oct, 2017 1 commit
- nginx: set default letsencrypt_validation_dir value · efeeff75
  Bartłomiej Piotrowski authored Oct 17, 2017
  
  efeeff75
11 Sep, 2017 1 commit
- Enable zabbix-agent for mirrors · c0c12767
  Florian Pritz authored Sep 11, 2017
```
Signed-off-by: Florian Pritz <bluewind@xinu.at>
```
  c0c12767
06 Sep, 2017 1 commit
- mirrors: Deploy mirrorchecker · 89eade3d
  Florian Pritz authored Sep 06, 2017
```
Signed-off-by: Florian Pritz <bluewind@xinu.at>
```
  89eade3d
05 Sep, 2017 1 commit
- Configure Mexican mirror · 61ac2a66
  Bartłomiej Piotrowski authored Sep 05, 2017
  
  61ac2a66