Merge branch 'repro4' into 'master'

Add new sponsored reproducible worker (repro4) See merge request !927

Merge branch 'repro4' into 'master'
807764e1 · Kristian Klausen · 2f9c41ab · 79e2dc6d · 807764e1 · 807764e1
Verified Commit 807764e1 authored 3 weeks ago by Kristian Klausen
--- a/docs/servers.md
+++ b/docs/servers.md
@@ -85,9 +85,11 @@ So to set up this server from scratch, run:

 ### Services
  - Runs a master [rebuilderd](https://reproducible.archlinux.org) instance
-    with two workers:
-    - repro2.pkgbuild.com (Kape server with an EPYC 7702P and 256G RAM)
-    - repro3.pkgbuild.com (Equinix Metal box with a Xeon E-2278G and 64G RAM)
+    with these workers:
+    - repro2.pkgbuild.com (Kape server with an EPYC 7702P and 256G RAM - 4 workers)
+    - repro3.pkgbuild.com (Equinix Metal box with a Xeon E-2278G and 64G RAM - 2 workers)
+    - repro4.pkgbuild.com (Proxmox VM with 16vCores and 192G RAM - 2 workers)
+

 ## runner1.archlinux.org


--- a/host_vars/gitlab.archlinux.org/misc.yml
+++ b/host_vars/gitlab.archlinux.org/misc.yml
 ansible_port: 2222
+sshd_port: 2222
 enable_zram_swap: true
 additional_addresses: ["213.133.111.6/32", "2a01:4f8:222:174c::2/64"]
 wireguard_address: 10.0.0.5

--- a/host_vars/repro4.pkgbuild.com/misc.yml
+++ b/host_vars/repro4.pkgbuild.com/misc.yml
+# This host does not have a public IPv4 address, but only a public IPv6
+# address. We have a DNATed (port forwarded) SSH port for accessing the
+# server over IPv4 though, which is defined below.
+ansible_host: 141.255.217.9
+ansible_port: 8189
+
+ipv4_address: 10.113.2.189
+ipv4_netmask: /24
+ipv6_address: 2001:1470:fffd:3050::189:1
+ipv4_gateway: 10.113.2.1
+ipv6_interface: ens19
+ipv6_netmask: /112
+ipv6_gateway: 2001:1470:fffd:3050::1
+ipv6_ignore_ra: true
+network_interface: ens18
+# TFO is broken on this network likely due to some middlebox.
+# systemd-resolved uses TFO if possible, so this must be disabled for
+# DNS to work reliably.
+network_disable_ipv4_tcp_fast_open: true
+system_disks:
+  - /dev/sda
+configure_network: true
+
+rebuilderd_workers:
+  - repro41
+  - repro42
+wireguard_address: 10.0.0.47
+wireguard_public_key: MJrXDwK61CF7nT5r1HRxxp44DocZyrQslK5plCJFexY=
--- a/hosts
+++ b/hosts
@@ -112,6 +112,7 @@ reproducible.archlinux.org
 [rebuilderd_workers]
 repro2.pkgbuild.com
 repro3.pkgbuild.com
+repro4.pkgbuild.com

 [memcached]
 wiki.archlinux.org

--- a/misc/vaults/vault_tux_si.yml
+++ b/misc/vaults/vault_tux_si.yml
+$ANSIBLE_VAULT;1.2;AES256;super
+33306163393032613465383739303962343335636564346265653964353062646266343638636435
+3964313736313037356532626634636465663732356333660a313038393762336536653564333663
+62353832346638333336306563353832326638656663386137353535383536643732616538663733
+6536663831333631640a656366653034353465303432313230323762333263393032316265316165
+65616261623131366531343832393034323662373639313066623761323134373164653461373431
+34623962643734326635643236353932636332656264393238343238643737626364636138653031
+39343466323833393436666539363034363835653663376332613263653861323363393934613061
+61663064386261633162376630663133666663306536346661393936623535303764313735346665
+33646532636338663134666237633566386634646534313464343139646330353837346164323932
+3438343466383532366335646437326332613935333563336634
--- a/roles/networking/defaults/main.yml
+++ b/roles/networking/defaults/main.yml
 chroot_path: ""
 network_interface: "en*"
+network_disable_ipv4_tcp_fast_open: false
--- a/roles/networking/files/50-tcp_fastopen.conf
+++ b/roles/networking/files/50-tcp_fastopen.conf
+net.ipv4.tcp_fastopen=0
--- a/roles/networking/handlers/main.yml
+++ b/roles/networking/handlers/main.yml
@@ -4,3 +4,10 @@
    state: restarted
    daemon_reload: true
  when: chroot_path | length == 0
+
+- name: Restart systemd-sysctl
+  systemd_service:
+    name: systemd-sysctl
+    state: restarted
+    daemon_reload: true
+  when: chroot_path | length == 0
--- a/roles/networking/tasks/main.yml
+++ b/roles/networking/tasks/main.yml
@@ -6,6 +6,14 @@
      notify:
        - Restart networkd

+    - name: Install 10-static6-ethernet.network
+      template: src=10-static6-ethernet.network.j2 dest={{ chroot_path }}/etc/systemd/network/10-static6-ethernet.network owner=root group=root mode=0644
+      vars:
+        network_interface: "{{ ipv6_interface }}"
+      notify:
+        - Restart networkd
+      when: ipv6_interface is defined
+
    - name: Create drop-in directory for 10-static-ethernet.network
      file: path={{ chroot_path }}/etc/systemd/network/10-static-ethernet.network.d state=directory owner=root group=root mode=0755

@@ -38,6 +46,12 @@
    - Restart networkd
  when: additional_addresses is defined

+- name: Disable IPv4 TCP Fast Open
+  copy: src=50-tcp_fastopen.conf dest={{ chroot_path }}/etc/sysctl.d/50-tcp_fastopen.conf owner=root group=root mode=0644
+  notify:
+    - Restart systemd-sysctl
+  when: network_disable_ipv4_tcp_fast_open
+
 - name: Create symlink to resolv.conf
  file: src=/run/systemd/resolve/stub-resolv.conf dest={{ chroot_path }}/etc/resolv.conf state=link force=yes follow=no owner=root group=root


--- a/roles/networking/templates/10-static-ethernet.network.j2
+++ b/roles/networking/templates/10-static-ethernet.network.j2
@@ -3,7 +3,7 @@ Name={{ network_interface }}

 [Network]
 Gateway={{ ipv4_gateway }}
-{% if ipv6_gateway is defined %}
+{% if ipv6_gateway is defined and ipv6_interface is not defined %}
 Gateway={{ ipv6_gateway }}
 {% endif %}
 {% if ipv6_ignore_ra|default(false) is true %}
@@ -17,12 +17,12 @@ Address={{ ipv4_address }}{{ ipv4_netmask }}
 Peer={{ ipv4_gateway }}{{ ipv4_netmask}}
 {% endif %}

-{% if ipv6_address is defined %}
+{% if ipv6_address is defined and ipv6_interface is not defined %}
 [Address]
 Address={{ ipv6_address }}{{ ipv6_netmask }}
 {% endif %}

-{% if ipv6_gateway is defined and not ipv6_gateway.startswith("fe80") %}
+{% if ipv6_gateway is defined and not ipv6_gateway.startswith("fe80") and ipv6_interface is not defined %}
 [Route]
 Destination={{ ipv6_gateway }}
 {% endif %}
--- a/roles/networking/templates/10-static6-ethernet.network.j2
+++ b/roles/networking/templates/10-static6-ethernet.network.j2
+[Match]
+Name={{ ipv6_interface }}
+
+[Network]
+Gateway={{ ipv6_gateway }}
+{% if ipv6_ignore_ra|default(false) is true %}
+IPv6AcceptRA=false
+{% endif %}
+
+[Address]
+{% if ipv6_netmask != "/64" %}
+Peer={{ ipv6_gateway }}/128
+{% endif %}
+Address={{ ipv6_address }}{{ ipv6_netmask }}
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@@ -13,7 +13,7 @@
  service: name=sshd enabled=yes state=started

 - name: Open firewall holes
-  ansible.posix.firewalld: service={{ 'ssh' if ansible_port is not defined else omit }} port={{ "%d/tcp" | format(ansible_port) if ansible_port is defined else omit }} permanent=true state=enabled immediate=yes
+  ansible.posix.firewalld: service={{ 'ssh' if sshd_port == 22 else omit }} port={{ "%d/tcp" | format(sshd_port) if sshd_port != 22 else omit }} permanent=true state=enabled immediate=yes
  when: configure_firewall is defined and configure_firewall
  tags:
    - firewall
--- a/roles/sshd/templates/sshd_config.j2
+++ b/roles/sshd/templates/sshd_config.j2
-Port {{ ansible_port | default(22) }}
+Port {{ sshd_port }}
 LogLevel VERBOSE
 PasswordAuthentication no
 ClientAliveInterval 30

--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
@@ -419,6 +419,9 @@ locals {
      ipv4_address = "147.75.84.133"
      ipv6_address = "2604:1380:4601:7d00::1"
    }
+    repro4 = {
+      ipv6_address = "2001:1470:fffd:3050::189:1"
+    }
    www = {
      ipv4_address = hcloud_server.machine["homedir.archlinux.org"].ipv4_address
      ipv6_address = hcloud_server.machine["homedir.archlinux.org"].ipv6_address

--- a/tf-stage1/templates.tf
+++ b/tf-stage1/templates.tf
@@ -57,7 +57,9 @@ resource "hetznerdns_record" "archlinux_page_aaaa" {
 }

 resource "hetznerdns_record" "pkgbuild_com_a" {
-  for_each = local.pkgbuild_com_a_aaaa
+  for_each = {
+    for k, v in local.pkgbuild_com_a_aaaa : k => v if try(v.ipv4_address != "", false)
+  }

  zone_id = hetznerdns_zone.pkgbuild.id
  name    = each.key