Compare revisions

b0f0e2ec · b0f0e2ec · b0f0e2ec · b0f0e2ec · b0f0e2ec · b0f0e2ec
--- a/playbooks/gluebuddy.archlinux.org.yml
+++ b/playbooks/gluebuddy.archlinux.org.yml
+---
+
+- name: setup gluebuddy.archlinux.org
+  hosts: gluebuddy.archlinux.org
+  remote_user: root
+  roles:
+    - { role: common }
+    - { role: firewalld }
+    - { role: wireguard }
+    - { role: sshd }
+    - { role: root_ssh }
+    - { role: gluebuddy }
+    - { role: borg_client, tags: ["borg"] }
+    - { role: prometheus_exporters }
+    - { role: promtail }
+    - { role: fail2ban }
--- a/playbooks/hetzner_storagebox.yml
+++ b/playbooks/hetzner_storagebox.yml
 ---

 - name: setup Hetzner storagebox account
-  hosts: u236610.your-storagebox.de
+  hosts: localhost
  gather_facts: false
  roles:
-    - { role: hetzner_storagebox, backup_dir: "backup", backup_clients: "{{ groups['borg_clients'] }}", tags: ["borg"] }
+    - role: hetzner_storagebox
+      backup_clients: "{{ groups['borg_clients'] }}"
+      backup_dir: backup
+      storagebox_id: "{{ hetzner_storagebox_id }}"
+      storagebox_hostname: "{{ hetzner_storagebox_username }}.your-storagebox.de"
+      storagebox_username: "{{ hetzner_storagebox_username }}"
+      storagebox_password: "{{ hetzner_storagebox_password }}"
+      tags: ["borg"]
--- a/playbooks/lists.archlinux.org.yml
+++ b/playbooks/lists.archlinux.org.yml
@@ -5,7 +5,6 @@
    - { role: common }
    - { role: firewalld }
    - { role: wireguard }
-    - { role: tools }
    - { role: sshd }
    - { role: root_ssh }
    - { role: hardening }

--- a/playbooks/mail.archlinux.org.yml
+++ b/playbooks/mail.archlinux.org.yml
@@ -3,19 +3,18 @@
  remote_user: root
  roles:
    - { role: common }
-    - { role: tools }
    - { role: sshd }
    - { role: root_ssh }
    - { role: borg_client, tags: ['borg'] }
    - { role: certbot }
    - { role: nginx }
    - { role: mta_sts }
-    - { role: postfix, postfix_server: true, postfix_smtpd_public: true, tags: ['mail'] }
+    - { role: postfix, tags: ['mail'] }
    - { role: dovecot }
    - { role: rspamd, rspamd_dkim_domain: archlinux.org, tags: ["mail"] }
    - { role: unbound, unbound_port: 5353, tags: ["mail"] }
    - { role: postfwd, tags: ['mail'] }
-    - { role: archusers }
+    - { role: archusers, shell_override: '/bin/bash', archusers_ssh_options: 'command="/usr/bin/passwd",restrict,pty' }
    - { role: fail2ban }
    - { role: prometheus_exporters }
    - { role: promtail }

--- a/playbooks/man.archlinux.org.yml
+++ b/playbooks/man.archlinux.org.yml
@@ -7,7 +7,6 @@
    - { role: firewalld }
    - { role: wireguard }
    - { role: common }
-    - { role: tools }
    - { role: sshd }
    - { role: root_ssh }
    - { role: hardening }
@@ -18,4 +17,4 @@
    - { role: promtail }
    - { role: postgres }
    - { role: uwsgi }
-    - { role: archmanweb, archmanweb_version: 'v1.2' }
+    - { role: archmanweb, archmanweb_version: 'v1.3' }
--- a/playbooks/matrix.archlinux.org.yml
+++ b/playbooks/matrix.archlinux.org.yml
@@ -5,7 +5,6 @@
  remote_user: root
  roles:
    - { role: common }
-    - { role: tools }
    - { role: firewalld }
    - { role: wireguard }
    - { role: sshd }
@@ -18,9 +17,7 @@
      postgres_work_mem: 64MB
      postgres_maintenance_work_mem: 256MB
      postgres_effective_cache_size: 4GB
-      postgres_jit: 'off'
-    - role: postfix
-      postfix_relayhost: "mail.archlinux.org"
+    - { role: postfix_null }
    - { role: matrix }
    - { role: fail2ban }
    - { role: prometheus_exporters }

--- a/playbooks/md.archlinux.org.yml
+++ b/playbooks/md.archlinux.org.yml
@@ -5,7 +5,6 @@
  remote_user: root
  roles:
    - { role: common }
-    - { role: tools }
    - { role: firewalld }
    - { role: wireguard }
    - { role: sshd }

--- a/playbooks/mirrors.yml
+++ b/playbooks/mirrors.yml
@@ -4,14 +4,15 @@
  remote_user: root
  roles:
    - { role: common }
-    - { role: tools }
    - { role: sshd }
    - { role: root_ssh }
    - { role: certbot }
    - { role: nginx }
    - { role: syncrepo, tags: ['nginx'] }
+    - { role: syncdebug, when: mirror_debug_packages is not defined or mirror_debug_packages }
    - { role: archweb, archweb_site: false, archweb_services: false, archweb_mirrorcheck: true }
    - { role: prometheus_exporters }
    - { role: promtail }
    - { role: fail2ban }
    - { role: wireguard }
+    - { role: geomirror, when: "inventory_hostname == 'mirror.pkgbuild.com' or 'geo_mirrors' in group_names" }
--- a/playbooks/monitoring.archlinux.org.yml
+++ b/playbooks/monitoring.archlinux.org.yml
@@ -5,7 +5,6 @@
    - { role: firewalld }
    - { role: wireguard }
    - { role: common }
-    - { role: tools }
    - { role: sshd }
    - { role: root_ssh }
    - { role: hardening }

--- a/playbooks/patchwork.archlinux.org.yml
+++ b/playbooks/patchwork.archlinux.org.yml
@@ -5,7 +5,6 @@
  remote_user: root
  roles:
    - { role: common }
-    - { role: tools }
    - { role: sshd }
    - { role: root_ssh }
    - { role: borg_client, tags: ["borg"] }

--- a/playbooks/phrik.yml
+++ b/playbooks/phrik.yml
@@ -5,7 +5,6 @@
  remote_user: root
  roles:
    - { role: common }
-    - { role: tools }
    - { role: archusers }
    - { role: bugbot }
    - { role: phrik }

--- a/playbooks/quassel.archlinux.org.yml
+++ b/playbooks/quassel.archlinux.org.yml
@@ -5,7 +5,6 @@
  remote_user: root
  roles:
    - { role: common }
-    - { role: tools }
    - { role: firewalld }
    - { role: wireguard }
    - { role: sshd }

--- a/playbooks/rebuilderd-workers.yml
+++ b/playbooks/rebuilderd-workers.yml
@@ -5,7 +5,6 @@
  remote_user: root
  roles:
    - { role: common }
-    - { role: tools }
    - { role: firewalld }
    - { role: wireguard }
    - { role: sshd }

--- a/playbooks/redirect.archlinux.org.yml
+++ b/playbooks/redirect.archlinux.org.yml
@@ -3,7 +3,6 @@
  remote_user: root
  roles:
    - { role: common }
-    - { role: tools }
    - { role: firewalld }
    - { role: wireguard }
    - { role: sshd }

--- a/playbooks/reproducible.archlinux.org.yml
+++ b/playbooks/reproducible.archlinux.org.yml
@@ -5,7 +5,6 @@
  remote_user: root
  roles:
    - { role: common }
-    - { role: tools }
    - { role: firewalld }
    - { role: wireguard }
    - { role: sshd }

--- a/playbooks/rsync.net.yml
+++ b/playbooks/rsync.net.yml
 ---

 - name: setup rsync.net account
-  hosts: prio.ch-s012.rsync.net
+  hosts: localhost
  gather_facts: false
  roles:
-    - { role: rsync_net, backup_dir: "backup", backup_clients: "{{ groups['borg_clients'] }}", tags: ["borg"] }
+    - role: rsync_net
+      backup_clients: "{{ groups['borg_clients'] }}"
+      backup_dir: backup
+      tags: ["borg"]
--- a/playbooks/security.archlinux.org.yml
+++ b/playbooks/security.archlinux.org.yml
@@ -5,13 +5,12 @@
  remote_user: root
  roles:
    - { role: common }
-    - { role: tools }
    - { role: sshd }
    - { role: root_ssh }
    - { role: borg_client, tags: ["borg"] }
    - { role: certbot }
    - { role: nginx }
-    - { role: postfix, postfix_relayhost: "mail.archlinux.org" }
+    - { role: postfix_null }
    - { role: sudo }
    - { role: uwsgi }
    - role: security_tracker

--- a/playbooks/state.archlinux.org.yml
+++ b/playbooks/state.archlinux.org.yml
@@ -5,7 +5,6 @@
  remote_user: root
  roles:
    - { role: common }
-    - { role: tools }
    - { role: firewalld }
    - { role: wireguard }
    - { role: sshd }

--- a/playbooks/tasks/include/upgrade-server.yml
+++ b/playbooks/tasks/include/upgrade-server.yml
+---
+
+- name: ensure latest keyring
+  pacman:
+    name: archlinux-keyring
+    state: latest
+    update_cache: yes
+
+- name: upgrade all packages
+  pacman:
+    upgrade: yes
+  register: pacman_upgrade
+
+- name: stop if no packages were upgraded
+  meta: end_host
+  when: pacman_upgrade is not changed
+
+- name: check for running builds
+  block:
+    - name: list build-related processes
+      command: pgrep -x 'mkarchroot|makechrootpkg|systemd-nspawn'
+      register: pgrep
+      ignore_errors: true
+
+    - name: abort reboot with running builds
+      meta: end_host
+      when: pgrep is succeeded
+  when: "'buildservers' in group_names"
+
+
+- name: check for active borg backup jobs
+  block:
+    - name: check if /backup exists
+      stat: path=/backup
+      register: backup_mountdir
+
+    - name: abort reboot when borg backup is running
+      meta: end_host
+      when: backup_mountdir.stat.exists
+  when: "'borg_clients' in group_names"
+
+- name: gemini pre-reboot checks
+  block:
+    - name: list logged on users
+      command: who
+      register: who
+
+    - name: abort reboot with logged on users
+      meta: end_host
+      when:
+        - who is changed
+        - who.stdout_lines|length > 1
+
+    - name: stop arch-svntogit.timer
+      service: name=arch-svntogit.timer state=stopped
+
+    - name: wait for svntogit to finish
+      wait_for:
+        path: /srv/svntogit/update-repos.sh.lock
+        state: absent
+  when: inventory_hostname == "gemini.archlinux.org"
+
+- name: reboot
+  reboot:
--- a/playbooks/tasks/install_arch.yml
+++ b/playbooks/tasks/install_arch.yml
@@ -9,5 +9,5 @@
  roles:
    - install_arch
  vars:
-    - bootstrap_version: "2021.04.01"
+    - bootstrap_version: "latest"
    - sshd_enable_includes: false
No results found