This is meant to be used in the Hetzner cloud sandbox project, so SSH
keys can be injected when a new VM is created from e.g. a CI pipeline,
so that the CI pipeline can SSH to the newly created VM.

The EC2 metadata service is used over the Hetzner metadata service, as
it is supported by more providers (including Hetzner).

A new Hetzner cloud project has been created called "Sandbox". This
project is meant for non-production workload which must be created
on-demand from e.g. a CI pipeline. The first project using the sandbox
is aurweb, which wants to use GitLab's Review apps[1] feature to create
dynamic environments on-demand.

Two API tokens have been created, one for the infrastructure project (to
be used by packer) and for the aurweb project.

[1] https://docs.gitlab.com/ee/ci/review_apps/

As of version 1.7.0, HCL2 is the preferred way to write Packer
templates. The documentation reflect this and it is easier if we use the
preferred format.

We make almost no use of the dynamic properties of the hcloud inventory,
so we can simplify this by declaring all cloud servers in the main hosts
inventory.

The main benefit of this change is that temporary and experimental cloud
servers are not automatically included in the Ansible playbooks. In such
cases it is usually incorrect to deploy changes to these unknown servers.

A smaller side benefit is that Ansible will now use hostnames to connect
to cloud servers, whereas the dynamic inventory provided IPv4 addresses.
This results in more meaningful ~/.ssh/known_hosts entries.

The idea bebind this is to be able to give vault access to new DevOps
members without giving away more important credentials like Hetzner's.

The default sslmode is require which doesn't protect against MITM
attacks (the certificate isn't verified). The different modes are
explained here [1].

[1] https://www.postgresql.org/docs/current/libpq-ssl.html

Main motivation behind this is preparing for doing more automatic
upgrades. The need for ignoring kernel updates isn't clear either.

Now that misc/get_key.py checks if the vault file passed to it exists,
we cannot pass paths only resolvable from the root directory. Instead,
use paths that make sense relative to the current directory and avoid
calling chdir when loading the vault file.

Fixes: 77542146 ("Rewrite get_key.py to use click instead of typer")

Typer doesn't work with Click 8[1].

[1] https://github.com/tiangolo/typer/issues/280

Kristian Klausen authored 4 years ago and Sven-Hendrik Haase committed 4 years ago

Issuing a certificate requires nginx to be running, but nginx requires a
certificate to start. Fix it by using Python built-in http.server.

Fix #30

Jelle van der Waa authored 4 years ago and Jelle van der Waa committed 4 years ago

The repro3.pkgbuild.com machine was a packet.net box with an Ubuntu
installation. Now converted to an Arch Linux installation managed by
ansible with a new rebuilderd_worker role.

Jelle van der Waa authored 4 years ago and Jelle van der Waa committed 4 years ago

Orion has been replaced by gemini and for mail by mail.archlinux.org

Jelle van der Waa authored 4 years ago and Sven-Hendrik Haase committed 4 years ago

The WKD webservice ran on orion, but as we want to retire it, we will
move it to it's own CX11 VPS. As it's just a simple web page.

Document addinga new dashboard and how our Grafana is configured.

Jelle van der Waa authored 4 years ago and Sven-Hendrik Haase committed 4 years ago

The PIA boxes are retired.

Introduce a new monitoring server with prometheus and alertmanager for
monitoring all our boxes.

This is now built enitrely in GitLab CI in the arch-boxes repo so this is no longer required.

Jelle van der Waa authored 4 years ago and Sven-Hendrik Haase committed 4 years ago

Prefer using our maintained version of checkservices from the contrib
repository hosted on our Gitlab repository. This has the benefit of
getting rid of a submodule which isn't cloned by default.

Jakub Klinkovský authored 4 years ago and Sven-Hendrik Haase committed 4 years ago

The mirror_load_balancer stuff was removed recently in commit
3472c7bb