packer/archlinux.pkr.hcl

+# https://www.packer.io/docs/templates/hcl_templates/blocks/packer
+packer {
+  required_plugins {
+    ansible = {
+      source  = "github.com/hashicorp/ansible"
+      version = ">= 1.1.0"
+    }
+    hcloud = {
+      source  = "github.com/hashicorp/hcloud"
+      version = ">= 1.0.0"
+    }
+  }
+}
+
+# https://www.packer.io/docs/templates/hcl_templates/variables#type-constraints
+variable "hetzner_cloud_api_key" {
+  type      = string
+  sensitive = true
+}
+
+variable "install_ec2_public_keys_service" {
+  type    = bool
+  default = false
+}
+
+# https://www.packer.io/docs/templates/hcl_templates/blocks/source
+source "hcloud" "rescue" {
+  image       = "ubuntu-22.04"
+  location    = "fsn1"
+  rescue      = "linux64"
+  server_type = "cx11"
+  snapshot_labels = {
+    custom_image = "archlinux"
+  }
+  snapshot_name = "archlinux-${timestamp()}"
+  ssh_username  = "root"
+  token         = var.hetzner_cloud_api_key
+}
+
+# https://www.packer.io/docs/templates/hcl_templates/blocks/build
+build {
+  sources = ["source.hcloud.rescue"]
+
+  provisioner "ansible" {
+    host_alias          = "packer-base-image"
+    inventory_directory = "."
+    playbook_file       = "playbooks/tasks/install_arch.yml"
+    extra_arguments = [
+      "--extra-vars", jsonencode({
+        install_ec2_public_keys_service : var.install_ec2_public_keys_service
+      })
+    ]
+    use_proxy = false
+  }
+}

playbooks/aur-dev.archlinux.org.yml

+- name: Setup aur development host
+  hosts: '{{ aurdev_fqdn|default("none") }}'
+  remote_user: root
+  roles:
+    - { role: common, enable_zram_swap: true }
+    - { role: firewalld }
+    - { role: sshd }
+    - { role: root_ssh }
+    - { role: certbot }
+    - { role: nginx }
+    - { role: mariadb, mariadb_innodb_buffer_pool_size: '1G' }
+    - { role: sudo }
+    - { role: redis }
+    - { role: uwsgi }
+    - { role: aurweb, aurweb_domain: "{{ aurdev_fqdn }}", aurweb_environment_type: 'dev' }
+    - { role: fail2ban }
+
+  pre_tasks:
+    - name: Upgrade and reboot
+      include_tasks: tasks/include/upgrade-server.yml

playbooks/bugs.archlinux.org.yml → playbooks/bugbuddy.archlinux.org.yml

-- name: Setup bugs.archlinux.org
-  hosts: bugs.archlinux.org
+- name: Setup bugbuddy.archlinux.org
+  hosts: bugbuddy.archlinux.org
   remote_user: root
   roles:
     - { role: common }
+    - { role: firewalld }
+    - { role: wireguard }
     - { role: sshd }
     - { role: root_ssh }
-    - { role: certbot }
-    - { role: nginx }
-    - { role: mariadb }
-    - { role: sudo }
-    - { role: php7_fpm, php_extensions: ['mysqli'], zend_extensions: ['opcache'] }
-    - { role: flyspray }
-    - { role: borg_client, tags: ["borg"] }
-    - { role: postfix_null }
-    - { role: fail2ban }
     - { role: prometheus_exporters }
     - { role: promtail }
-    - { role: wireguard }
+    - { role: fail2ban }
+    - { role: bugbuddy }

playbooks/build.archlinux.org.yml

@@ -4,6 +4,7 @@
   roles:
     - { role: common }
     - { role: tools, extra_utils: ['setconf', 'mlocate'] }
+    - { role: firewalld }
     - { role: sshd }
     - { role: root_ssh }
     - { role: archusers }
@@ -11,6 +12,6 @@
     - { role: mirrorsync }
     - { role: archbuild }
     - { role: fail2ban }
+    - { role: wireguard }
     - { role: prometheus_exporters }
     - { role: promtail }
-    - { role: wireguard }

playbooks/gluebuddy.archlinux.org.yml

@@ -8,7 +8,6 @@
     - { role: sshd }
     - { role: root_ssh }
     - { role: gluebuddy }
-    - { role: borg_client, tags: ["borg"] }
     - { role: prometheus_exporters }
     - { role: promtail }
     - { role: fail2ban }

playbooks/man.archlinux.org.yml

@@ -15,4 +15,4 @@
     - { role: promtail }
     - { role: postgres }
     - { role: uwsgi }
-    - { role: archmanweb, archmanweb_version: 'v1.7' }
+    - { role: archmanweb, archmanweb_version: 'v1.10' }

playbooks/redirect.archlinux.org.yml

@@ -14,4 +14,4 @@
     - { role: promtail }
     - { role: hardening }
     - { role: ping }
-    - { role: acme_dns_challenge }
+    - { role: dyn_dns }

playbooks/tasks/include/post-upgrade.yml

+- name: Run borg client post-upgrade tasks
+  include_tasks: include/post-upgrade/borg-clients.yml
+  when: "'borg_clients' in group_names"
+
+- name: Check for host-specific post-upgrade tasks
+  local_action: stat path=include/post-upgrade/{{ inventory_hostname }}.yml
+  register: post_upgrade_tasks
+
+- name: Run host-specific post-upgrade tasks
+  include_tasks: "{{ post_upgrade_tasks.stat.path }}"
+  when: post_upgrade_tasks.stat.exists
+
+- name: Reboot
+  reboot:

playbooks/tasks/include/upgrade-server.yml

@@ -9,21 +9,6 @@
     upgrade: yes
   register: pacman_upgrade
 
-- name: Stop if no packages were upgraded
-  meta: end_host
-  when: pacman_upgrade is not changed
-
-- name: Run borg client post-upgrade tasks
-  include_tasks: include/post-upgrade/borg-clients.yml
-  when: "'borg_clients' in group_names"
-
-- name: Check for host-specific post-upgrade tasks
-  local_action: stat path=include/post-upgrade/{{ inventory_hostname }}.yml
-  register: post_upgrade_tasks
-
-- name: Run host-specific post-upgrade tasks
-  include_tasks: "{{ post_upgrade_tasks.stat.path }}"
-  when: post_upgrade_tasks.stat.exists
-
-- name: Reboot
-  reboot:
+- name: Run post-upgrade tasks if packages were upgraded
+  include_tasks: post-upgrade.yml
+  when: pacman_upgrade is changed

playbooks/tasks/install_arch.yml

@@ -8,4 +8,3 @@
     - install_arch
   vars:
     - bootstrap_version: "latest"
-    - sshd_enable_includes: false

pubkeys/antiz.pub

-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCrEi1Gsid0SSWfLUpQBKRd/FpBWXO2zXhTWvO9h4tTE7BoFMNPUsIjFX7VKXECGFe8rpsVxFDv86npYKGH3cDL5FM3OqK0430yhrSQauK0b3Cfg4KQQupttKeG5FL2HtroXBvjL6y1zX3zeaTOEU4xHS3tiCXosIcP6Nm9N3ZiTWo9U+O6NvG9Ckh2px8BMmmvnL85OiYmn51uKho9/juuwB6RnEG3RkI9nuIlCRnu5DM7ta/pl+mUcw1bfzYI1Hv6JTpchSl89E4ymdiol/vqmN7CHeiMqxmSrQSqOHBoTj5Y0XdwEB0gNun3nDuntS3gjXzWScurOMZal/y1Agug/GFkBaFtEJ+ukD+V+cs14APUKV/5wdFKsg8oPKR1hEk980byNuxQNcF8nI016zBO2eMUbLs/ZU6Ny5ZBpGLdO2MBloOknL/2+VE7Z+8ikR5e+qMnwzctYO3Zj/i1R/OYQJnfKuUjfqPDDeobGR7PgWL+4D++EFnb4YZSG9Pfhj/1MW9T7lKEyjyciGC13fxlX52zUwBvKVE+t+nvz5XR9BbRDFTQ1jLga6eAOnwlmiurxmy0fEvccs5HiSuLcEX2sF9lyrpuHwTPNHwoT67aGcFZSCzmZNcFCG6uP8ywBnbULraa8h3+vvAvqQUdsupBPr1tQOLTtXyTlIIB9r/c3Q==
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBG+kMUE9KhMXRG8Njc1JAMFQtNz3quly396hqTyeY3fOaiJazY39VMUXKNks+8UVMY/ANnqa5FVqRzjji9H/BAY= Arch Linux

pubkeys/codingkoopa.pub

+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCu41h56EI8OEGD3FnlwLxGydynV5Zg/NFyuc/VDoMca+ucLK3fJ2ZPcen5JOYH+/ro7hQbbOwEtR9DxX8CuMVDxBjI0QLHNzTLURjsr7HFh6zp+ZraDYdnIgigNOtveYumznIAU0dTYXPwthi3CQrWJhB4ue5FofROJXEAey97TK7T8binS+1tiFRL0yLYd8sEfsL1sSQJ6g6bnkmW29dcYTClOg8wd1CtFIMESkJ5OdJ8m+THtdLkeMXW6fApczUGm5DbGn/09lM/3/70wf1wpVzjjVLArLVvJqp93B2jihJlTz+KT7ECohbwYMKou+qcpYcCXXhw+kT/TeSHhDU9Ho8mbdqfkE4IdA6x4TQJQKkEJesFU/gdxBEgnhZipqKgztCWIGA7lZ+7yy3ZJh4Q0tjaytK/mn4X+Q0OYw8cX/o4T3xkZn0JcYkYm8/bTxD587KHAFdnAJ56uL7GP6MpkuzFg3vugGRYCZL5zcO/tzI80zFGDthi32wnYViNwy0= koopa@comet-observatory

pubkeys/diabonas.pub

-ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBFWPGx+B1As9acQvyS8eZXvRgo1aXjEXj3T+aFitV7MYtC3xgzva4+5TvIeZkTuHHCLzU9hr4NbX9IA30XVXTlcTnBN2PZyWOwZc8lNBj0KgMQfJqvYWX1mC7RBSzrulcQ==

pubkeys/dvzrv.pub

-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHo656zZGq2lK/AhoACM6v6h8rwCbWG4YVwlFjh9es8X dave@dvzrv
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAGqlGt8LVYWzSoewv4Gf7W07BdRuj+3vApq+9Wdvvti openpgp:0xB551DFD6
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTjZNraF2KN/whbJKX7GQ/b5YzQYUVsrzhY/XVFhHaK openpgp:0xD6B976F5

pubkeys/eworm.pub

 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE8PfruWojtVuYisJ62Qq8LiyD3nccg7RF8oc33OcN8A eworm@leda
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFwNYXkxKalJVk/NyUX579NcBsyBeWHnDv61O9wSwJ/w eworm@aoede
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEr8Nm9r8Ckufs7IrWwojaMYY/bigbfPO4pEJ4f1eJfH eworm@celestia
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKuem6MNhbEE5VFWf31vcpIqGx/0vInIk7sCsHZVugJT eworm@elara

pubkeys/fabiscafe.pub

+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKqLl2rJxwcz08zEXnHuz3I3emoZTwbZtuOUx5rh4Z1G fabiscafe

pubkeys/foutrelis.pub

-ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAx6sodl7MSJS9FtGlGBjkXZ/u0xZVoEGSo3DpIA2BmV0aIpO6ZvO2iDYTamaSctgYiQ5zRJoOrz3FzKuE5ZAPzB1w9L891Gw6+yne9OPSWSQ+NNXnZP1oK4uf5Eec9XjZkt1oyOqExHemOfgyNaRnZbFNZ/fRUhLu83kf8C51RRUHveN0JQVIvs/3FxJMykaI+cR6KVpnX4SA9/hV7RcLcBMecOuCPpiBsNAxKJ7szlkogMz7VTvQCus0UmjU4Zvxtvj4/myJCN9L/t4f4k4QdhLUy7Ka9i7kSdq41Fa8E6otfVo+Ob6Dz2b1JR4o6qncKu0Dx43dI/hHeaX3xcWKvQ== foutrelis@foutbox
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCjRQ9aB128tB5eXwRR+BMg0FxmHQ7WyAmPkvYYyFgxw9MA0JDqi1gkw6KAvm8ORnbEwh7kViWnKXoJAe6ThpE4VOwJcPm823USuiOubS5TjhcBvvtYslY2v4R9kk3bVqYxfISOyA6tnu7E0so7Z21ptPXzOKPmMJtqeI/KFfiCAytCvxc3WaBmzd4ehNkn/tBd5BRj56CIbEcmUWA/67ju3KrZSoMw9s1Y/z2mi8kiSchqwzsCWUWmJqeyY//lxx5zOO6ED+94YJzUcRApbIaB9ZGWBwF6vo9yVWwnAhUw4WHpZlv6cKF6qx5TdJglGExsplx8I3xrpt/TCzf743qv foutrelis@notbad
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLhf2O1fEAS+YrOygDn19fskZONYb78V1Nd/y5hVVLw foutrelis@foutbox
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID0Eh1IQQ7bxonYkk12y6sbjtfLK+O1wdKHzmpbXRM0b foutrelis@notbad

pubkeys/foutrelis_buildhost.pub

-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9DWp3czsGWXMp55HFNQDG1DPU+2jFQ2VM5Wxb3rylTM0f6uqjDM9W5Krc1yWnpHk1Q8T8J3uqbGrUaq4xT9dVuK/OqRtFeVyPMf2HFXJ2OGGtAnrZ7qk3Ye24ZkfAWQcdSGVUrqpMiBCG8nnZqGHW5No62qkQJ1uMJ0xLaCuQNupqaffzYSMp0Haj5G5s+zB7pYDZaiLu8k/k39RT9iS6v4/3nSfWe/YpAHaXH2Vl4DN5Yv9b4kKBI43I3GbohIf1IhxNMeJI5J1f2C3cY8dFe3MUHeztWOiqhVlFwndLIPl7ZAQeZxEr6LJdHZYSbRQeJQQCJz03ZelC/zU3Rajz foutrelis@orion
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIHcxhpCKW/gjjR1fp9F82OByA+GStvOF8krBoZ7pv+B foutrelis@gemini.archlinux.org

pubkeys/heftig_nitrokey.pub

+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJLyG2MHXtzhaqAMukDjvQT8BTQpZfLYEOogJkDJDo7V cardno:000F_8991A69D