Compare revisions

02a8ec6b · 31a33cc8 · 31a33cc8 · 31a33cc8 · 31a33cc8 · 02a8ec6b
--- a/pubkeys/carsme.pub
+++ b/pubkeys/carsme.pub
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMMTyny1obngFnyonhlDYO5C7a8+5NFoEAbQ59VtcL/e
--- a/pubkeys/escondida.pub
+++ b/pubkeys/escondida.pub
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILaAcU0Sl9Wiuwy9NUfSWoEyxOcXymz8EiLjoxuCs9Or ivy@earendil
--- a/pubkeys/jleclanche.pub
+++ b/pubkeys/jleclanche.pub
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgSRjA8iQg383fNgf/+f71NBIpF8/yh0RXnvnw+8AF6 jerome@leclan.ch
--- a/pubkeys/maximbaz.pub
+++ b/pubkeys/maximbaz.pub
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIrS8858Xqs+RsxNpVNKdpCAYdbTtel1G28MQBVyIQe8
--- a/pubkeys/maximbaz_buildhost.pub
+++ b/pubkeys/maximbaz_buildhost.pub
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDX5UOJ2aRK0LBSoWetHMwHNBItE9YrSWq7SWzDdX9R4bkvI38U/fKhWVWLpsQMczu90wT/VU2BN8PmcnPL091NqvqPC3NR9ol4KWJb5BhqRIUivwJ+yw2XTq5h4J7nhuS1OQo9HxD+g0KvnCCwvlHTAbnccu7FoEX9dGwwseUfgwaQl0rPM7LUgZ5uPZV0BbBnELe2xn9c1pcWkoVjOfZRzYwqfoQ8A4+dQYgZZwizbrE+sfOrPcPYvm+lSpqQ4Y91baOYXLbO1GyT1G3oBppqzwcJ4utbfaOSr+gOrA2B6QwqYts22UHdqY/9QLUjTg/MbitsS4bVttMaQPjTU5yUEn5iJIBkPGpfrOtDfo9v0pZ6PoKKsQ7DjmiYG6BYHckNTi5We7XMVVC7zBCJ8HQGoq7RvIrsebBtMrA8Vh3JhBcD7K+I2CVy4cOOwlW7uYchFvxJwkbSlLgFxpMxsHtrJSIx/8C6gMrdnls08/BXYhpHoQOhcdSyNL2jqeqpROSEUdemhbMEj0E6o289mD6bqYmnoz6HJmpVVYhFh8+I4lSbN3PNjHoAZhKiC9+6qf744y5+jR7FBTnBebZlPmnNaF+j6/lJ0N7A5Fggo8NzF8/qHFgSvyJ9N0lxWKIkc6yfH1a9GKJEs0Ng+2yMEBoZdJzrPTuU0iBMJYivct1okw==
--- a/pubkeys/mh4ckt3mh4ckt1c4s.pub
+++ b/pubkeys/mh4ckt3mh4ckt1c4s.pub
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGgaVld+jMegw7pgl7UeS4+k3u7qRM+aYxwG4pSa3lpP
--- a/pubkeys/nicohood.pub
+++ b/pubkeys/nicohood.pub
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGlVyxcBxmSnchhE4iwH/KPIClkKKdr3cKI/bHSOk4uw
--- a/pubkeys/ptr1337.pub
+++ b/pubkeys/ptr1337.pub
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFddUjybICoqvz3BfNeunxLytpsxBd2k63knI7kMSEdP admin@ptr1337.dev
--- a/pubkeys/svartkanin.pub
+++ b/pubkeys/svartkanin.pub
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPt4p0p5ZKvAD3tX4+nbEKEG00tUazs5I5vpIoG92qTF dan@nazgul
--- a/pubkeys/svenstaro.pub
+++ b/pubkeys/svenstaro.pub
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDJJV4OQ6NSq0pXRZZB2jAOZnzW1eyt+7ctPZ6ZM31u2TOWgWCSfHYH6l0BxBtaL1HPlUxV+FZUheMbeXdgViI3WIO78zzuY/br9If6ZjYqdSwJFnYTNU+tLQhI5uVls0bmPvHkAn51JnVL56Vnil2mEylWRzKEg8RZvuaVEtQwvfR1mwQaR2ofSMuC6xE2hCcz93LWf+R+xjbQFtAdAQU288SB9SeABiG6FRgSUc1cGKFz8sBdsUpnlmCXqPD7fLJfPw1yF3M5HlN8ZHBhF1CZXNEKlQgXgtMz4eUc3JA10gVVAlm15PUOiEw0Tq9mOIT8ryaf7PyYxMpU4LzLoWHMxbiVD4CNq2ODGtHyLBX9lcHwwDTCwH1STht9992Bgd/5kpZ4df4gDBV89+w9758lX3eROZ7CQSEP2jSYNN2tr9KmYDiV5OY7KOGtkUZaDIMfQva6YMCQscKB8X/ypNkrQmwQwyOoXi1gbdF4zgmcDW68dzDPOiH+tzgLwJvUpkwMxvovzjMnMXUJjjXFqP8pgxM4OmTO9Ixhrt4TMsQXfmsVgUiGd+WecYguNF9UTBPum/KOOpa3wOr1vJnwrEZVJjhrhXNyNi2wnPUYB0CVEl6floR04pYYQs4K9MORgTxEiSYfbNpDMHgi5uuQAngJdQ9s7zc3bAS9Tp3de23b2w== svenstaro@smith
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINe8T2egyISKwkJeeqzARDiYL4f7NG2FNbK47KaxBio1 arch
--- a/roles/archbuild/files/clean-offload-build
+++ b/roles/archbuild/files/clean-offload-build
-#!/bin/bash -e
+#!/bin/bash

-find /home/*/.cache/offload-build/ -mtime +15 -name '*.pkg.tar*' -delete
+set -eu
+shopt -s nullglob
+
+for offload_build_cache in /home/*/.cache/offload-build; do
+  find "$offload_build_cache" -mindepth 1 -maxdepth 1 -type d -mtime +15 -exec rm -rf {} +
+done
--- a/roles/archbuild/files/sudoers
+++ b/roles/archbuild/files/sudoers
@@ -4,7 +4,7 @@ Cmnd_Alias ARCHBUILD = /usr/sbin/makechrootpkg, /usr/sbin/mkarchroot, \
                       /usr/bin/multilib-testing-build,    /usr/bin/multilib-staging-build, \
                       /usr/bin/makerepropkg

-Defaults!ARCHBUILD     env_keep+=SOURCE_DATE_EPOCH
+Defaults!ARCHBUILD     env_keep += "SOURCE_DATE_EPOCH LOGDEST"

 %dev              ALL = NOPASSWD: ARCHBUILD
 %junior-dev       ALL = NOPASSWD: ARCHBUILD

--- a/roles/archbuild/tasks/main.yml
+++ b/roles/archbuild/tasks/main.yml
@@ -132,7 +132,7 @@
    - { name: SRCDEST, value: /var/lib/archbuilddest/srcdest }

 - name: Install archbuild sudoers config
-  copy: src=sudoers dest=/etc/sudoers.d/archbuild owner=root group=root mode=0440
+  copy: src=sudoers dest=/etc/sudoers.d/archbuild owner=root group=root mode=0440 validate='visudo -cf %s'

 - name: Install gitconfig
  copy: src=gitconfig dest=/etc/gitconfig owner=root group=root mode=0644
--- a/roles/archive_web/templates/nginx.d.conf.j2
+++ b/roles/archive_web/templates/nginx.d.conf.j2
@@ -16,8 +16,7 @@ server {
 }

 server {
-    listen       443 ssl http2;
-    listen       [::]:443 ssl http2;
+    include      snippets/listen-443.conf;
    server_name  {{ archive_domain }};

    access_log   /var/log/nginx/{{ archive_domain }}/access.log reduced;

--- a/roles/archmanweb/templates/nginx.d.conf.j2
+++ b/roles/archmanweb/templates/nginx.d.conf.j2
@@ -23,8 +23,7 @@ server {
 }

 server {
-    listen       443 ssl http2;
-    listen       [::]:443 ssl http2;
+    include      snippets/listen-443.conf;
    server_name  {{ archmanweb_domain }};

    access_log   /var/log/nginx/{{ archmanweb_domain }}/access.log reduced;
@@ -48,6 +47,7 @@ server {
    # Client-cache for Django's static assets
    location /static/ {
        expires 30d;
+        include snippets/headers.conf;
        add_header Pragma public;
        add_header Cache-Control "public";
        alias {{ archmanweb_dir }}/repo/collected_static/;

--- a/roles/archweb/defaults/main.yml
+++ b/roles/archweb/defaults/main.yml
 archweb_dir: '/srv/http/archweb'
 archweb_domain: 'archlinux.org'
-archweb_alternate_domains: ['www.archlinux.org', 'master-key.archlinux.org', 'dev.archlinux.org', 'packages.archlinux.org', 'ipxe.archlinux.org', 'planet.archlinux.org']
+archweb_alternate_domains: ['www.archlinux.org', 'master-key.archlinux.org', 'dev.archlinux.org', 'packages.archlinux.org', 'planet.archlinux.org']
+archweb_legacy_domains: ['ipxe.archlinux.org']
 archweb_domains_redirects:
        'www.archlinux.org': '$request_uri'
-        'master-key.archlinux.org': '/master-keys'
+        'master-key.archlinux.org': '/master-keys/'
        'dev.archlinux.org': '/'
        'packages.archlinux.org': '/packages$request_uri'
        'planet.archlinux.org': '/planet$request_uri'
@@ -12,7 +13,7 @@ archweb_domains_templates:
 archweb_allowed_hosts: ["{{ archweb_domain }}", 'ipxe.archlinux.org']
 archweb_nginx_conf: '/etc/nginx/nginx.d/archweb.conf'
 archweb_repository: 'https://github.com/archlinux/archweb.git'
-archweb_version: 'release_2024-03-05'
+archweb_version: 'release_2024-07-29'
 archweb_pgp_key: ['E499C79F53C96A54E572FEE1C06086337C50773E']
 archweb_site: true
 archweb_mirrorcheck: false

--- a/roles/archweb/tasks/main.yml
+++ b/roles/archweb/tasks/main.yml
@@ -5,6 +5,7 @@
    service_name: "site"
    service_domain: "{{ archweb_domain }}"
    service_alternate_domains: "{{ archweb_alternate_domains }}"
+    service_legacy_domains: "{{ archweb_legacy_domains }}"
    service_nginx_conf: "{{ archweb_nginx_conf }}"
    service_nginx_template: "maintenance-nginx.d.conf.j2"
  when: maintenance is defined and archweb_site
@@ -29,6 +30,15 @@
    domains: "{{ [archweb_domain] + archweb_alternate_domains }}"
  when: archweb_site | bool and maintenance is not defined

+- name: Create legacy ssl cert
+  include_role:
+    name: certificate
+  vars:
+    cert_name: "{{ archweb_domain }}_legacy"
+    domains: "{{ archweb_legacy_domains }}"
+    legacy: true
+  when: archweb_site | bool and maintenance is not defined
+
 - name: Set up nginx
  template: src=nginx.d.conf.j2 dest="{{ archweb_nginx_conf }}" owner=root group=root mode=644
  notify: Reload nginx
@@ -105,7 +115,7 @@
  when: archweb_site and (db_created.changed or release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)

 - name: DB privileges for archweb users
-  postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" password="{{ vault_archweb_db_site_password }}"
+  postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" login_password="{{ vault_archweb_db_site_password }}"
                    privs=CONNECT roles="{{ item }}" type=database
  when: archweb_site or archweb_services
  with_items:
@@ -114,7 +124,7 @@
    - "{{ archweb_db_backup_user }}"

 - name: Table privileges for archweb users
-  postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" password="{{ vault_archweb_db_site_password }}"
+  postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" login_password="{{ vault_archweb_db_site_password }}"
                    privs=SELECT roles="{{ item.user }}" type=table objs="{{ item.objs }}"
  when: archweb_site or archweb_services
  with_items:
@@ -123,7 +133,7 @@
    - { user: "{{ archweb_db_backup_user }}", objs: "{{ archweb_db_backup_table_objs }}" }

 - name: Sequence privileges for archweb users
-  postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" password="{{ vault_archweb_db_site_password }}"
+  postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" login_password="{{ vault_archweb_db_site_password }}"
                    privs=SELECT roles="{{ item.user }}" type=sequence objs="{{ item.objs }}"
  when: archweb_site or archweb_services
  with_items:
@@ -283,7 +293,7 @@
  when: archweb_site

 - name: Install sudoer rights for fetchmail to call archweb django scripts
-  template: src=sudoers-fetchmail-archweb.j2 dest=/etc/sudoers.d/fetchmail-archweb owner=root group=root mode=0440
+  template: src=sudoers-fetchmail-archweb.j2 dest=/etc/sudoers.d/fetchmail-archweb owner=root group=root mode=0440 validate='visudo -cf %s'
  when: archweb_site

 - name: Create retro dir

--- a/roles/archweb/templates/ipxe.archlinux.org.j2
+++ b/roles/archweb/templates/ipxe.archlinux.org.j2
@@ -16,8 +16,7 @@ server {
 }

 server {
-    listen       443 ssl http2;
-    listen       [::]:443 ssl http2;
+    include      snippets/listen-443.conf;
    server_name  {{ domain['domain_name'] }};

    access_log   /var/log/nginx/{{ archweb_domain }}/access.log reduced;
@@ -26,9 +25,9 @@ server {

    ssl_ciphers AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256;

-    ssl_certificate      /etc/letsencrypt/live/{{ archweb_domain }}/fullchain.pem;
-    ssl_certificate_key  /etc/letsencrypt/live/{{ archweb_domain }}/privkey.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/{{ archweb_domain }}/chain.pem;
+    ssl_certificate      /etc/letsencrypt/live/{{ archweb_domain }}_legacy/fullchain.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/{{ archweb_domain }}_legacy/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ archweb_domain }}_legacy/chain.pem;

    location /releng/netboot/ {
        access_log   /var/log/nginx/{{ archweb_domain }}/access.log main;
@@ -40,6 +39,7 @@ server {
    # Cache django's css, js and png files.
    location /static/ {
        expires 30d;
+        include snippets/headers.conf;
        add_header Pragma public;
        add_header Cache-Control "public";
        alias /srv/http/archweb/collected_static/;

--- a/roles/archweb/templates/local_settings.py.j2
+++ b/roles/archweb/templates/local_settings.py.j2
@@ -4,6 +4,8 @@
 DEBUG = False
 TEMPLATE_DEBUG = False

+PROMETHEUS_METRICS = True
+
 ## Notification admins
 {% if archweb_admins %}
 ADMINS = (
@@ -23,6 +25,7 @@ DATABASES = {
    'default': {
        'ENGINE'  : 'django.db.backends.postgresql_psycopg2',
        'PORT'    : 5432,
+        'CONN_MAX_AGE' : 600,
 {% if archweb_db_host != 'localhost' %}
        'HOST'    : '{{ archweb_db_host }}',
 {% endif %}
@@ -79,4 +82,7 @@ TIER0_MIRROR_DOMAIN = 'repos.archlinux.org'

 MASTODON_LINK = 'https://fosstodon.org/@archlinux'

+# Keep mirrorlogs around for 6 months
+MIRRORLOG_RETENTION_PERIOD = 180
+
 # vim: set ts=4 sw=4 et:
--- a/roles/archweb/templates/maintenance-nginx.d.conf.j2
+++ b/roles/archweb/templates/maintenance-nginx.d.conf.j2
@@ -2,9 +2,7 @@ upstream archweb {
    server unix:///run/uwsgi/archweb.sock;
 }

-{% if service_alternate_domains %}
-{% for domain in service_alternate_domains %}
-
+{% for domain in service_alternate_domains | default([]) %}
 server {
    listen       80;
    listen       [::]:80;
@@ -18,13 +16,12 @@ server {

    location / {
        access_log off;
-        return 301 https://$server_name$request_uri;
+        return 302 https://$server_name$request_uri;
    }
 }

 server {
-    listen       443 ssl http2;
-    listen       [::]:443 ssl http2;
+    include      snippets/listen-443.conf;
    server_name  {{ domain }};

    access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
@@ -37,16 +34,49 @@ server {

    location / {
        access_log off;
-        return 301 https://{{ service_domain }};
+        return 302 https://{{ service_domain }};
    }
 }
+
 {% endfor %}
+{% for domain in service_legacy_domains | default([]) %}
+server {
+    listen       80;
+    listen       [::]:80;
+    server_name  {{ domain }};
+
+    access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
+    access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log.json json_reduced;
+    error_log    {{ maintenance_logs_dir }}/{{ service_domain }}-error.log;
+
+    include snippets/letsencrypt.conf;
+
+    location / {
+        access_log off;
+        return 302 https://$server_name$request_uri;
+    }
+}

 server {
-{% else %}
+    include      snippets/listen-443.conf;
+    server_name  {{ domain }};
+
+    access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
+    access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log.json json_reduced;
+    error_log    {{ maintenance_logs_dir }}/{{ service_domain }}-error.log;

+    ssl_certificate      /etc/letsencrypt/live/{{ service_domain }}_legacy/fullchain.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/{{ service_domain }}_legacy/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ service_domain }}_legacy/chain.pem;
+
+    location / {
+        access_log off;
+        return 302 https://{{ service_domain }};
+    }
+}
+
+{% endfor %}
 server {
-{% endif %}
    listen       80;
    listen       [::]:80;
    server_name  {{ service_domain }};
@@ -59,13 +89,12 @@ server {

    location / {
        access_log off;
-        return 301 https://$server_name$request_uri;
+        return 302 https://$server_name$request_uri;
    }
 }

 server {
-    listen       443 ssl http2;
-    listen       [::]:443 ssl http2;
+    include      snippets/listen-443.conf;
    server_name  {{ service_domain }};

    access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
@@ -85,6 +114,7 @@ server {

    location = /.well-known/matrix/client {
        default_type application/json;
+        include snippets/headers.conf;
        add_header Access-Control-Allow-Origin *;
        return 200 '{"m.homeserver": {"base_url": "https://{{ matrix_domain }}"}, "m.identity_server": {"base_url": "https://matrix.org"} }';
    }
@@ -132,6 +162,7 @@ server {
    # Cache django's css, js and png files.
    location /static/ {
        expires 30d;
+        include snippets/headers.conf;
        add_header Pragma public;
        add_header Cache-Control "public";
        alias {{ archweb_dir }}/collected_static/;
No results found