Verified Commit 6159b411 authored by Kristian Klausen's avatar Kristian Klausen 🎉
Browse files

Add new domain for project documentation (archlinux.page)

We want non-DevOps to be able to deploy project documentation (ex:
repod) with GitLab Pages and a separate domain was considered the only
sensible solution due to security issues[1].

[1] https://github.blog/2013-04-09-yummy-cookies-across-domains/
parent 2e7cce76
......@@ -8,6 +8,7 @@ set -eo pipefail
readonly DOMAINS=(
archlinux.org
pkgbuild.com
archlinux.page
)
readonly LOOKUP_URLS=(
"${DOMAINS[@]/#/https://crt.sh/?exclude=expired&deduplicate=Y&output=json&q=}"
......
......@@ -24,6 +24,7 @@ blackbox_targets:
- https://america.mirror.pkgbuild.com
- https://archive.archlinux.org
- https://archlinux.org
- https://archlinux.page
- https://asia.archive.pkgbuild.com
- https://asia.mirror.pkgbuild.com
- https://aur.archlinux.org
......
......@@ -171,6 +171,9 @@ locals {
"terms" = "0b62a71af2aa85fb491295b543b4c3d2"
}
archlinux_page_gitlab_pages = {
}
# This creates archlinux.org TXT DNS entries
# Valid parameters are:
# - ttl (optional)
......@@ -365,6 +368,22 @@ locals {
}
}
# This creates archlinux.page A/AAAA DNS entries.
#
# The entry name corresponds to the subdomain.
# '@' is the root doman (archlinux.page).
# Valid parameters are:
# - ipv4_address (mandatory)
# - ipv6_address (mandatory)
# - ttl (optional)
#
archlinux_page_a_aaaa = {
"@" = {
ipv4_address = hcloud_floating_ip.gitlab_pages.ip_address
ipv6_address = var.gitlab_pages_ipv6
}
}
# Domains served by machines in the geo_mirrors group
# Valid parameters are:
# - zone_id (mandatory, either of hetznerdns_zone.{archlinux,pkgbuild}.id)
......@@ -387,11 +406,78 @@ resource "hetznerdns_zone" "archlinux" {
ttl = 3600
}
resource "hetznerdns_zone" "archlinux_page" {
name = "archlinux.page"
ttl = 3600
}
resource "hetznerdns_zone" "pkgbuild" {
name = "pkgbuild.com"
ttl = 3600
}
resource "hetznerdns_record" "archlinux_page_origin_caa" {
zone_id = hetznerdns_zone.archlinux_page.id
name = "@"
value = "0 issue \"letsencrypt.org\""
type = "CAA"
}
resource "hetznerdns_record" "archlinux_page_origin_mx" {
zone_id = hetznerdns_zone.archlinux_page.id
name = "@"
value = "0 ."
type = "MX"
}
resource "hetznerdns_record" "archlinux_page_origin_ns3" {
zone_id = hetznerdns_zone.archlinux_page.id
name = "@"
value = "helium.ns.hetzner.de."
type = "NS"
ttl = 86400
}
resource "hetznerdns_record" "archlinux_page_origin_ns2" {
zone_id = hetznerdns_zone.archlinux_page.id
name = "@"
value = "oxygen.ns.hetzner.com."
type = "NS"
ttl = 86400
}
resource "hetznerdns_record" "archlinux_page_origin_ns1" {
zone_id = hetznerdns_zone.archlinux_page.id
name = "@"
value = "hydrogen.ns.hetzner.com."
type = "NS"
ttl = 86400
}
# TODO: Commented currently as we have no idea how to handle SOA stuff with Terraform:
# https://github.com/timohirt/terraform-provider-hetznerdns/issues/20
# https://gitlab.archlinux.org/archlinux/infrastructure/-/merge_requests/62#note_4040
# resource "hetznerdns_record" "archlinux_page_origin_soa" {
# zone_id = hetznerdns_zone.archlinux_page.id
# name = "@"
# value = "hydrogen.ns.hetzner.com. hetzner.archlinux.org. 2021070703 3600 1800 604800 3600"
# type = "SOA"
# }
resource "hetznerdns_record" "archlinux_page_origin_txt" {
zone_id = hetznerdns_zone.archlinux_page.id
name = "@"
value = "\"v=spf1 -all\""
type = "TXT"
}
resource "hetznerdns_record" "pages_verification_code_archlinux_page_origin_txt" {
zone_id = hetznerdns_zone.archlinux_page.id
name = "_gitlab-pages-verification-code"
value = "_gitlab-pages-verification-code=d66f6b2195948e509da553a5e4f3ebcd"
type = "TXT"
}
resource "hetznerdns_record" "pkgbuild_com_origin_caa" {
zone_id = hetznerdns_zone.pkgbuild.id
name = "@"
......
......@@ -18,6 +18,44 @@ resource "hetznerdns_record" "archlinux_org_gitlab_pages_verification_code_txt"
type = "TXT"
}
resource "hetznerdns_record" "archlinux_page_gitlab_pages_cname" {
for_each = local.archlinux_page_gitlab_pages
zone_id = hetznerdns_zone.archlinux_page.id
name = each.key
value = "pages.archlinux.org."
type = "CNAME"
}
resource "hetznerdns_record" "archlinux_page_gitlab_pages_verification_code_txt" {
for_each = local.archlinux_page_gitlab_pages
zone_id = hetznerdns_zone.archlinux_page.id
name = "_gitlab-pages-verification-code.${each.key}"
value = "gitlab-pages-verification-code=${each.value}"
type = "TXT"
}
resource "hetznerdns_record" "archlinux_page_a" {
for_each = local.archlinux_page_a_aaaa
zone_id = hetznerdns_zone.archlinux_page.id
name = each.key
ttl = lookup(local.archlinux_page_a_aaaa[each.key], "ttl", null)
value = each.value.ipv4_address
type = "A"
}
resource "hetznerdns_record" "archlinux_page_aaaa" {
for_each = local.archlinux_page_a_aaaa
zone_id = hetznerdns_zone.archlinux_page.id
name = each.key
ttl = lookup(local.archlinux_page_a_aaaa[each.key], "ttl", null)
value = each.value.ipv6_address
type = "AAAA"
}
resource "hetznerdns_record" "pkgbuild_org_a" {
for_each = local.pkgbuild_com_a_aaaa
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment