playbooks/md.archlinux.org.yml

-- name: setup hedgedoc server
+- name: Setup hedgedoc server
   hosts: md.archlinux.org
   remote_user: root
   roles:

playbooks/mirrors.yml

-- name: common playbook for mirrors
+- name: Common playbook for mirrors
   hosts: mirrors
   remote_user: root
   roles:
@@ -10,7 +10,7 @@
     - { role: certbot }
     - { role: nginx }
     - { role: syncrepo, tags: ['nginx'] }
-    - { role: syncdebug, when: mirror_debug_packages is not defined or mirror_debug_packages }
+    - { role: mirrorsync }
     - { role: archweb, when: archweb_mirrorcheck_locations is defined, archweb_site: false, archweb_services: false, archweb_mirrorcheck: true }
     - { role: prometheus_exporters }
     - { role: promtail }

playbooks/monitoring.archlinux.org.yml

-- name: setup prometheus server
+- name: Setup prometheus server
   hosts: monitoring.archlinux.org
   remote_user: root
   roles:

playbooks/patchwork.archlinux.org.yml

-- name: setup patchwork.archlinux.org
-  hosts: patchwork.archlinux.org
-  remote_user: root
-  roles:
-    - { role: common }
-    - { role: sshd }
-    - { role: root_ssh }
-    - { role: borg_client, tags: ["borg"] }
-    - { role: certbot }
-    - { role: nginx }
-    - { role: postfix, postfix_relayhost: "mail.archlinux.org"  }
-    - { role: fetchmail }
-    - { role: postgres }
-    - { role: sudo }
-    - { role: uwsgi }
-    - { role: memcached }
-    - { role: patchwork }
-    - { role: fail2ban }
-    - { role: prometheus_exporters }
-    - { role: promtail }
-    - { role: wireguard }

playbooks/phrik.yml

-- name: setup phrik bot server
+- name: Setup phrik bot server
   hosts: phrik.archlinux.org
   remote_user: root
   roles:

playbooks/quassel.archlinux.org.yml

-- name: setup quassel server
+- name: Setup quassel server
   hosts: quassel.archlinux.org
   remote_user: root
   roles:

playbooks/rebuilderd-workers.yml

-- name: common playbook for rebuilderd_workers
+- name: Common playbook for rebuilderd_workers
   hosts: rebuilderd_workers
   remote_user: root
   roles:

playbooks/redirect.archlinux.org.yml

-- name: setup redirect.archlinux.org
+- name: Setup redirect.archlinux.org
   hosts: redirect.archlinux.org
   remote_user: root
   roles:

playbooks/reproducible.archlinux.org.yml

-- name: setup reproducible builds rebuilder
+- name: Setup reproducible builds rebuilder
   hosts: reproducible.archlinux.org
   remote_user: root
   roles:

playbooks/rsync.net.yml

-- name: setup rsync.net account
+- name: Setup rsync.net account
   hosts: localhost
   gather_facts: false
   vars_files:

playbooks/security.archlinux.org.yml

-- name: setup security.archlinux.org
+- name: Setup security.archlinux.org
   hosts: security.archlinux.org
   remote_user: root
   roles:

playbooks/state.archlinux.org.yml

-- name: setup state.archlinux.org (terraform state store)
+- name: Setup state.archlinux.org (terraform state store)
   hosts: state.archlinux.org
   remote_user: root
   roles:

playbooks/tasks/fetch-borg-keys.yml

-- name: prepare local storage directory
+- name: Prepare local storage directory
   hosts: localhost
   tasks:
-    - name: create borg-keys directory
-      file: path="{{ playbook_dir }}/../../borg-keys/" state=directory  # noqa 208
+    - name: Create borg-keys directory  # noqa risky-file-permissions
+      file: path="{{ playbook_dir }}/../../borg-keys/" state=directory
 
-- name: fetch borg keys
+- name: Fetch borg keys
   hosts: borg_clients
   tasks:
-    - name: fetch borg key
+    - name: Fetch borg key
       command: "/usr/local/bin/borg key export :: /dev/stdout"
       register: borg_key
       changed_when: "borg_key.rc == 0"
 
-    - name: fetch borg offsite key
+    - name: Fetch borg offsite key
       command: "/usr/local/bin/borg-offsite key export :: /dev/stdout"
       register: borg_offsite_key
       changed_when: "borg_offsite_key.rc == 0"
 
-    - name: save borg key
+    - name: Save borg key
       shell: gpg --batch --armor --encrypt --output - >"{{ playbook_dir }}/../../borg-keys/{{ inventory_hostname }}.gpg" {% for userid in vault_super_pgpkeys | flatten %}--recipient {{ userid }} {% endfor %}
       args:
         stdin: "{{ borg_key.stdout }}"
@@ -26,7 +26,7 @@
       register: gpg_key
       changed_when: "gpg_key.rc == 0"
 
-    - name: save borg offsite key
+    - name: Save borg offsite key
       shell: gpg --batch --armor --encrypt --output - >"{{ playbook_dir }}/../../borg-keys/{{ inventory_hostname }}-offsite.gpg" {% for userid in vault_super_pgpkeys | flatten %}--recipient {{ userid }} {% endfor %}
       args:
         stdin: "{{ borg_offsite_key.stdout }}"

playbooks/tasks/include/post-upgrade/borg-clients.yml

+- name: Check if /backup exists
+  stat: path=/backup
+  register: backup_mountdir
+
+- name: Abort reboot when borg backup is running
+  meta: end_host
+  when: backup_mountdir.stat.exists

playbooks/tasks/include/post-upgrade/build.archlinux.org.yml

+- name: List build-related processes
+  command: pgrep -x 'mkarchroot|makechrootpkg|systemd-nspawn'
+  register: pgrep
+  ignore_errors: true
+
+- name: Abort reboot with running builds
+  meta: end_host
+  when: pgrep is succeeded

playbooks/tasks/include/post-upgrade/gemini.archlinux.org.yml

+- name: List logged on users
+  command: who
+  register: who
+
+- name: Abort reboot with logged on users
+  meta: end_host
+  when:
+    - who is changed
+    - who.stdout_lines|length > 1
+
+- name: Stop arch-svntogit.timer
+  service: name=arch-svntogit.timer state=stopped
+
+- name: Wait for svntogit to finish
+  wait_for:
+    path: /srv/svntogit/update-repos.sh.lock
+    state: absent

playbooks/tasks/include/reencrypt-vault-key.yml

-- name: check if moreutils is installed
+- name: Check if moreutils is installed
   pacman: name=moreutils state=present
 
-- name: reencrypt vault {{ vault_id }} key
+- name: Reencrypt vault {{ vault_id }} key
   shell: |
     set -eo pipefail
     gpg --decrypt --batch --quiet "{{ playbook_dir }}/../../misc/vault-{{ vault_id }}-password.gpg" \

playbooks/tasks/include/upgrade-server.yml

-- name: ensure latest keyring
+- name: Ensure latest keyring
   pacman:
     name: archlinux-keyring
     state: latest
     update_cache: yes
 
-- name: upgrade all packages
+- name: Upgrade all packages
   pacman:
     upgrade: yes
   register: pacman_upgrade
 
-- name: stop if no packages were upgraded
+- name: Stop if no packages were upgraded
   meta: end_host
   when: pacman_upgrade is not changed
 
-- name: check for running builds
-  block:
-    - name: list build-related processes
-      command: pgrep -x 'mkarchroot|makechrootpkg|systemd-nspawn'
-      register: pgrep
-      ignore_errors: true
-
-    - name: abort reboot with running builds
-      meta: end_host
-      when: pgrep is succeeded
-  when: "'buildservers' in group_names"
-
-
-- name: check for active borg backup jobs
-  block:
-    - name: check if /backup exists
-      stat: path=/backup
-      register: backup_mountdir
-
-    - name: abort reboot when borg backup is running
-      meta: end_host
-      when: backup_mountdir.stat.exists
+- name: Run borg client post-upgrade tasks
+  include_tasks: include/post-upgrade/borg-clients.yml
   when: "'borg_clients' in group_names"
 
-- name: gemini pre-reboot checks
-  block:
-    - name: list logged on users
-      command: who
-      register: who
-
-    - name: abort reboot with logged on users
-      meta: end_host
-      when:
-        - who is changed
-        - who.stdout_lines|length > 1
-
-    - name: stop arch-svntogit.timer
-      service: name=arch-svntogit.timer state=stopped
+- name: Check for host-specific post-upgrade tasks
+  local_action: stat path=include/post-upgrade/{{ inventory_hostname }}.yml
+  register: post_upgrade_tasks
 
-    - name: wait for svntogit to finish
-      wait_for:
-        path: /srv/svntogit/update-repos.sh.lock
-        state: absent
-  when: inventory_hostname == "gemini.archlinux.org"
+- name: Run host-specific post-upgrade tasks
+  include_tasks: "{{ post_upgrade_tasks.stat.path }}"
+  when: post_upgrade_tasks.stat.exists
 
-- name: reboot
+- name: Reboot
   reboot:

playbooks/tasks/install_arch.yml

 # This script is for provisioning a server for first boot.
 # Care: It is not idempotent by design.
 
-- name: install_arch
+- name: Install arch
   hosts: all
   remote_user: root
   roles:

playbooks/tasks/pacman-website.yml

@@ -8,13 +8,13 @@
       tempfile: state=directory suffix=pacman
       register: tempdir
 
-    - name: fetch pacman tarball
+    - name: Fetch pacman tarball
       get_url: url=https://sources.archlinux.org/other/pacman/pacman-{{ pacman_version }}.tar.xz dest={{ tempdir.path }}/pacman.tar.xz
 
-    - name: unpack tarball
+    - name: Unpack tarball
       unarchive: src={{ tempdir.path }}/pacman.tar.xz dest={{ tempdir.path }}
 
-    - name: build website
+    - name: Build website
       command: "{{ item }}"
       args:
         chdir: "{{ tempdir.path }}/pacman-{{ pacman_version }}"
@@ -23,10 +23,10 @@
         - ninja -C build doc/website.tar.gz
 
     - block:
-      - name: create website directory
+      - name: Create website directory
         file: state=directory owner=root group=root mode=0755 path={{ pacman_dir }}
 
-      - name: upload website
+      - name: Upload website
         unarchive:
           src: "{{ tempdir.path }}/pacman-{{ pacman_version }}/build/doc/website.tar.gz"
           dest: "{{ pacman_dir }}"