roles/rspamd/tasks/main.yml

@@ -22,11 +22,11 @@
 #
 # the ouput gives you the DNS entries to add to the terraform files.
 # The keys generated need to go to the vault:
-# roles/rspamd/files/archlinux.org.dkim-rsa.key
-# roles/rspamd/files/archlinux.org.dkim-ed25519.key
+# roles/rspamd/files/archlinux.org.dkim-rsa.key.vault
+# roles/rspamd/files/archlinux.org.dkim-ed25519.key.vault
 #
 - name: Install DKIM keys
-  copy: src={{ item }} dest=/var/lib/rspamd/dkim/ owner=rspamd group=rspamd mode=0600
+  copy: src={{ item }}.vault dest=/var/lib/rspamd/dkim/{{ item }} owner=rspamd group=rspamd mode=0600
   loop:
     - "{{ rspamd_dkim_domain }}.dkim-ed25519.key"
     - "{{ rspamd_dkim_domain }}.dkim-rsa.key"

roles/security_tracker/handlers/main.yml

@@ -2,4 +2,4 @@
   become: true
   become_user: security
   command: /usr/bin/make db-upgrade chdir="{{ security_tracker_dir }}"
-  listen: post security-tracker deploy
+  listen: Post security-tracker deploy

roles/security_tracker/tasks/main.yml

@@ -68,7 +68,7 @@
   become_user: security
   register: release
   notify:
-    - post security-tracker deploy
+    - Post security-tracker deploy
 
 - name: Run initial setup
   become: true

roles/syncriscv/files/syncriscv

+#!/bin/bash
+
+target="/srv/riscv"
+lock="/var/lock/syncriscv.lck"
+source_url='rsync://archriscv.felixc.at/archriscv'
+lastupdate_url='https://archriscv.felixc.at/.status/lastupdate.txt'
+
+[ ! -d "${target}" ] && mkdir -p "${target}"
+
+exec 9>"${lock}"
+flock -n 9 || exit
+
+rsync_cmd() {
+	local -a cmd=(rsync -rlptH --safe-links --delete-delay --delay-updates
+		"--timeout=600" "--contimeout=60" --no-motd)
+
+	if stty &>/dev/null; then
+		cmd+=(-h -v --progress)
+	else
+		cmd+=("--info=name1")
+	fi
+
+	"${cmd[@]}" "$@"
+}
+
+# if we are called without a tty (cronjob) only run when there are changes
+if ! tty -s && [[ -f "$target/.status/lastupdate.txt" ]] && diff -b <(curl -Ls "$lastupdate_url") "$target/.status/lastupdate.txt" >/dev/null; then
+	exit 0
+fi
+
+rsync_cmd "${source_url}" "${target}"

roles/syncriscv/files/syncriscv.service

+[Unit]
+Description=Synchronize RISC-V mirror
+RequiresMountsFor=/srv/riscv
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/syncriscv
+Nice=19
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7

roles/syncriscv/files/syncriscv.timer

+[Unit]
+Description=Minutely RISC-V mirror sync
+
+[Timer]
+OnCalendar=minutely
+AccuracySec=1m
+Persistent=true
+
+[Install]
+WantedBy=timers.target

roles/syncriscv/tasks/main.yml

+- name: Create ssl cert
+  include_role:
+    name: certificate
+  vars:
+    domains: ["{{ riscv_mirror_domain }}"]
+    challenge: "DNS-01"
+
+- name: Install rsync
+  pacman: name=rsync state=present
+
+- name: Install syncriscv script
+  copy: src=syncriscv dest=/usr/local/bin/syncriscv owner=root group=root mode=0755
+
+- name: Install syncriscv units
+  copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
+  with_items:
+    - syncriscv.timer
+    - syncriscv.service
+
+- name: Start and enable syncriscv timer
+  systemd: name=syncriscv.timer enabled=yes state=started daemon_reload=yes
+
+- name: Set up nginx
+  template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/riscv.conf owner=root group=root mode=0644
+  notify: Reload nginx
+  tags: ['nginx']
+
+- name: Make nginx log dir
+  file: path=/var/log/nginx/{{ riscv_mirror_domain }} state=directory owner=root group=root mode=0755

roles/syncriscv/templates/nginx.d.conf.j2

+server {
+    listen       80;
+    listen       [::]:80;
+    listen       443 ssl http2;
+    listen       [::]:443 ssl http2;
+    server_name  {{ riscv_mirror_domain }};
+    root         /srv/riscv;
+
+    access_log   /var/log/nginx/{{ riscv_mirror_domain }}/access.log reduced;
+    access_log   /var/log/nginx/{{ riscv_mirror_domain }}/access.log.json json_reduced;
+    error_log    /var/log/nginx/{{ riscv_mirror_domain }}/error.log;
+
+    include snippets/letsencrypt.conf;
+
+    ssl_certificate      /etc/letsencrypt/live/{{ riscv_mirror_domain }}/fullchain.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/{{ riscv_mirror_domain }}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ riscv_mirror_domain }}/chain.pem;
+
+    add_header X-Served-By "{{ inventory_hostname }}";
+
+    autoindex on;
+}

roles/wireguard/handlers/main.yml

@@ -3,8 +3,8 @@
   command: networkctl delete wg0
   register: result
   failed_when: result.rc not in [0, 1]
-  listen: reload wireguard
+  listen: Reload wireguard
 
 - name: Reload .network and .netdev files
   command: networkctl reload
-  listen: reload wireguard
+  listen: Reload wireguard

tf-stage1/archlinux.tf

@@ -172,8 +172,8 @@ locals {
   archlinux_org_gitlab_pages = {
     "conf"                  = "60a06a1c02e42b36c3b4919f4d6de6bf"
     "whatcanidofor"         = "d9e45851002a623e10f6954ff9a85d21"
-    "openpgpkey"            = "7533dfbf3947a5730d9cbcc1e5e63102"
-    "openpgpkey.master-key" = "5c7f9c249885c62287dd75d0c1dd99d8"
+    "openpgpkey"            = "d20c137368e26dcc3db56d45a368e729"
+    "openpgpkey.master-key" = "3eea8f39a9b473a5dc7c188366f84072"
     "bugs-old"              = "1f3308c8d5763eecb4f9013291aeeac4"
     "tu-bylaws.aur"         = "bbafd3ed82f336e0c52d3eb9774b2432"
     "reproducible-notes"    = "8c657f2f2720db1c3db63be89605cf0d"
@@ -409,6 +409,10 @@ locals {
       name = "geo.mirror"
       zone = hetznerdns_zone.pkgbuild.id
     }
+    "riscv.mirror.pkgbuild.com" = {
+      name = "riscv.mirror"
+      zone = hetznerdns_zone.pkgbuild.id
+    }
   }
 }