Compare revisions

242213b2 · 242213b2 · 242213b2 · 242213b2 · 242213b2 · 242213b2
--- a/roles/promtail/templates/promtail.yaml.j2
+++ b/roles/promtail/templates/promtail.yaml.j2
@@ -28,7 +28,7 @@ scrape_configs:
        - localhost
        labels:
          job: nginx
-          instance: {{ ansible_fqdn }}
+          instance: {{ inventory_hostname }}
          __path__: /var/log/nginx/*/*.json
    pipeline_stages:
    - match:
@@ -46,7 +46,7 @@ scrape_configs:
        - localhost
        labels:
          job: pacman
-          instance: {{ ansible_fqdn }}
+          instance: {{ inventory_hostname }}
          __path__: /var/log/pacman.log
    pipeline_stages:
    - match:

--- a/roles/public_html/templates/nginx.d.conf.j2
+++ b/roles/public_html/templates/nginx.d.conf.j2
@@ -17,9 +17,7 @@ server {
 }

 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
    server_name  {{ public_domain }} www.{{ public_domain }};
    root         /srv/public_html;


--- a/roles/rebuilderd/templates/nginx.d.conf.j2
+++ b/roles/rebuilderd/templates/nginx.d.conf.j2
@@ -16,9 +16,7 @@ server {
 }

 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
    server_name  {{ rebuilderd_domain }};

    access_log   /var/log/nginx/{{ rebuilderd_domain }}/access.log reduced;
@@ -30,6 +28,7 @@ server {
    ssl_trusted_certificate /etc/letsencrypt/live/{{ rebuilderd_domain }}/chain.pem;

    # Security headers
+    include snippets/headers.conf;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Xss-Protection "1; mode=block" always;
    add_header Referrer-Policy "same-origin";
@@ -37,13 +36,11 @@ server {
    add_header Content-Security-Policy "default-src 'self';";
    add_header X-Content-Type-Options "nosniff" always;

-    # Apply HSTS header again, since adding a header removes previous headers
-    add_header Strict-Transport-Security $hsts_header;
-
    root {{ rebuilder_website_loc }};

    location ~* (css|js|svg)$ {
        expires 30d;
+        include snippets/headers.conf;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

--- a/roles/redirects/templates/nginx.d.conf.j2
+++ b/roles/redirects/templates/nginx.d.conf.j2
@@ -9,9 +9,7 @@ map $uri ${{ redirect.map | hash('md5') }} {
 server {
    listen       80;
    listen       [::]:80;
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
    server_name  {{ redirect.domain }};

    access_log   /var/log/nginx/{{ redirect.domain }}/access.log reduced;

--- a/roles/repo_archive_split_temp/templates/nginx.d.conf.j2
+++ b/roles/repo_archive_split_temp/templates/nginx.d.conf.j2
 server {
    listen       80;
    listen       [::]:80;
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
    server_name  {{ repos_rsync_domain }};
    root         /srv/ftp;


--- a/roles/security_tracker/templates/nginx.d.conf.j2
+++ b/roles/security_tracker/templates/nginx.d.conf.j2
@@ -29,9 +29,7 @@ server {
 }

 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
    server_name  {{ security_tracker_domain }};

    access_log   /var/log/nginx/{{ security_tracker_domain }}/access.log reduced;

--- a/roles/sources/templates/nginx.d.conf.j2
+++ b/roles/sources/templates/nginx.d.conf.j2
@@ -16,9 +16,7 @@ server {
 }

 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
    server_name  {{ sources_domain }};

    access_log   /var/log/nginx/{{ sources_domain }}/access.log reduced;

--- a/roles/syncrepo/templates/nginx.d.conf.j2
+++ b/roles/syncrepo/templates/nginx.d.conf.j2
@@ -2,9 +2,7 @@
 server {
    listen       80;
    listen       [::]:80;
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
    server_name  {{ domain }};
    root         /srv/ftp;

@@ -19,6 +17,7 @@ server {
    ssl_trusted_certificate /etc/letsencrypt/live/{{ domain }}/chain.pem;

 {% if 'geo_mirrors' in group_names and domain == geo_mirror_domain %}
+    include snippets/headers.conf;
    add_header X-Served-By "{{ inventory_hostname }}";
 {% endif %}


--- a/roles/tempo/tasks/main.yml
+++ b/roles/tempo/tasks/main.yml
 - name: Install tempo
  pacman: name=tempo state=present

- name: Open promtail ipv4 port for monitoring.archlinux.org
+- name: Open tempo ipv4 port for aur.archlinux.org
  ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
-    rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port=4318 accept"
+    rich_rule="rule family=ipv4 source address={{ hostvars['aur.archlinux.org']['wireguard_address'] }} port protocol=tcp port=4318 accept"
  tags:
    - firewall


--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
@@ -57,7 +57,7 @@ locals {
      domain      = "@"
    }
    "aur.archlinux.org" = {
-      server_type = "cx42"
+      server_type = "cpx51"
      domain      = "aur"
    }
    "bbs.archlinux.org" = {
No results found