From fabccd0f61e5dea3925e8a0c6a46d56d5750c121 Mon Sep 17 00:00:00 2001
From: Kristian Klausen
Date: Wed, 24 Feb 2021 18:31:06 +0100
Subject: [PATCH] "Move" NM connectivity check file to a subdomain
The file should not be on the main domain as it adds unnecessary complexity to the archweb role and there is a bigger chance that we unintentionally break connectivity checking (which has happened in the past[1][2]). This doesn't remove the file from the main domain[3], as we need to ship a updated NetworkManager package first.
[1] https://www.reddit.com/r/archlinux/comments/keai0g/does_anyone_know_if_this_is_normal/
[2] https://www.reddit.com/r/gnome/comments/ke9ytm/network_manager_popup/
[3] http://www.archlinux.org/check_network_status.txt
Fix #239
---
 docs/servers.md | 1 +
 playbooks/redirect.archlinux.org.yml | 1 +
 roles/ping/defaults/main.yml | 1 +
 roles/ping/tasks/main.yml | 14 +++++++++++
 roles/ping/templates/nginx.d.conf.j2 | 35 ++++++++++++++++++++++++++++
 tf-stage1/archlinux.tf | 1 +
 6 files changed, 53 insertions(+)
 create mode 100644 roles/ping/defaults/main.yml
 create mode 100644 roles/ping/tasks/main.yml
 create mode 100644 roles/ping/templates/nginx.d.conf.j2
diff --git a/docs/servers.md b/docs/servers.md
index b47dc3df..d4c16955 100644
--- a/docs/servers.md
+++ b/docs/servers.md
@@ -127,6 +127,7 @@ Medium-fast-ish packet.net Arch Linux box.
 ### Services
 - Redirects (nginx redirects)
+ - ping
 ## security.archlinux.org
diff --git a/playbooks/redirect.archlinux.org.yml b/playbooks/redirect.archlinux.org.yml
index 7e2f8af8..e02a9dec 100644
--- a/playbooks/redirect.archlinux.org.yml
+++ b/playbooks/redirect.archlinux.org.yml
@@ -13,3 +13,4 @@
 - { role: redirects }
 - { role: prometheus_exporters }
 - { role: hardening }
+ - { role: ping }
diff --git a/roles/ping/defaults/main.yml b/roles/ping/defaults/main.yml
new file mode 100644
index 00000000..a4aad278
--- /dev/null
+++ b/roles/ping/defaults/main.yml
@@ -0,0 +1 @@
+ping_domain: 'ping.archlinux.org'
diff --git a/roles/ping/tasks/main.yml b/roles/ping/tasks/main.yml
new file mode 100644
index 00000000..fd53e111
--- /dev/null
+++ b/roles/ping/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+- name: create ssl cert
+ include_role:
+ name: certificate
+ vars:
+ domains: ["{{ ping_domain }}"]
+
+- name: make nginx log dir
+ file: path=/var/log/nginx/{{ ping_domain }} state=directory owner=root group=root mode=0755
+
+- name: set up nginx
+ template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/ping.conf" owner=root group=root mode=644
+ notify: reload nginx
+ tags: ['nginx']
diff --git a/roles/ping/templates/nginx.d.conf.j2 b/roles/ping/templates/nginx.d.conf.j2
new file mode 100644
index 00000000..68429196
--- /dev/null
+++ b/roles/ping/templates/nginx.d.conf.j2
@@ -0,0 +1,35 @@
+server {
+ # We don't redirect to HTTPS because a redirect is considered a captive portal.
+ listen 80;
+ listen [::]:80;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {{ ping_domain }};
+
+ access_log /var/log/nginx/{{ ping_domain }}/access.log reduced;
+ error_log /var/log/nginx/{{ ping_domain }}/error.log;
+
+ include snippets/letsencrypt.conf;
+
+ ssl_certificate /etc/letsencrypt/live/{{ ping_domain }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ ping_domain }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ ping_domain }}/chain.pem;
+
+ default_type text/plain;
+
+ location = / {
+ return 200 'This domain is used for connectivity checking (captive portal detection).\n';
+ }
+
+ # https://man.archlinux.org/man/NetworkManager.conf.5#CONNECTIVITY_SECTION
+ location /nm-check.txt {
+ access_log off;
+ add_header Cache-Control "max-age=0, must-revalidate";
+ return 200 'NetworkManager is online\n';
+ }
+
+ location / {
+ access_log off;
+ return 404;
+ }
+}
diff --git a/tf-stage1/archlinux.tf b/tf-stage1/archlinux.tf
index 6413c248..18af3582 100644
--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
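Review bot: The `set up nginx` task carries `tags: ['nginx']` but the `make nginx log dir` task before it does not, so a run restricted to `--tags nginx` installs a server block whose `access_log`/`error_log` point into `/var/log/nginx/{{ ping_domain }}/` without creating that directory, and nginx then fails its configuration check on reload. Tag the directory task the same way: add `tags: ['nginx']` to the `file:` task. The `notify: reload nginx` handler is not defined in this role (the commit adds no handlers/ directory), so it presumably comes from another role in the same play; worth confirming that role always precedes `ping`. Minor: `mode=644` on the template task reads better as `mode=0644`, matching the `mode=0755` used on the directory task.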
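Review bot: `location /nm-check.txt` is a prefix match, so any path beginning with `/nm-check.txt` (for example `/nm-check.txtfoo` or `/nm-check.txt/extra`) also receives the `NetworkManager is online` body instead of falling through to the 404 block; an exact match, `location = /nm-check.txt {`, mirrors the `location = /` block above it and keeps the 200 response to the single URL the connectivity check uses. Also note that an `add_header` inside this location replaces, rather than extends, any `add_header` directives inherited from the server or http level, so headers set by the included snippets or the global config will not appear on this response; probably intended for a plain-text probe endpoint, but a comment such as `# add_header here drops inherited headers; intended for this endpoint` would save the next reader a check.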
@@ -284,6 +284,7 @@ locals {
 ipxe = { value = "www" }
 mailman = { value = "redirect" }
 packages = { value = "www" }
+ ping = { value = "redirect" }
 planet = { value = "www" }
 projects = { value = "luna" }
 repos = { value = "gemini" }
-- 
GitLab