"Move" NM connectivity check file to a subdomain

The file should not be on the main domain as it adds unnecessary complexity to the archweb role and there is a bigger chance that we unintentionally break connectivity checking (which has happened in the past[1][2]). This doesn't remove the file from the main domain[3], as we need to ship a updated NetworkManager package first. [1] https://www.reddit.com/r/archlinux/comments/keai0g/does_anyone_know_if_this_is_normal/ [2] https://www.reddit.com/r/gnome/comments/ke9ytm/network_manager_popup/ [3] http://www.archlinux.org/check_network_status.txt Fix #239

"Move" NM connectivity check file to a subdomain
fabccd0f · Kristian Klausen · 36bf4ef1 · fabccd0f · fabccd0f · fabccd0f
Commit fabccd0f authored 4 years ago by Kristian Klausen
--- a/docs/servers.md
+++ b/docs/servers.md
@@ -127,6 +127,7 @@ Medium-fast-ish packet.net Arch Linux box.

 ### Services
  - Redirects (nginx redirects)
+  - ping

 ## security.archlinux.org


--- a/playbooks/redirect.archlinux.org.yml
+++ b/playbooks/redirect.archlinux.org.yml
@@ -13,3 +13,4 @@
    - { role: redirects }
    - { role: prometheus_exporters }
    - { role: hardening }
+    - { role: ping }
--- a/roles/ping/defaults/main.yml
+++ b/roles/ping/defaults/main.yml
+ping_domain: 'ping.archlinux.org'
--- a/roles/ping/tasks/main.yml
+++ b/roles/ping/tasks/main.yml
+---
+- name: create ssl cert
+  include_role:
+    name: certificate
+  vars:
+    domains: ["{{ ping_domain }}"]
+
+- name: make nginx log dir
+  file: path=/var/log/nginx/{{ ping_domain }} state=directory owner=root group=root mode=0755
+
+- name: set up nginx
+  template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/ping.conf" owner=root group=root mode=644
+  notify: reload nginx
+  tags: ['nginx']
--- a/roles/ping/templates/nginx.d.conf.j2
+++ b/roles/ping/templates/nginx.d.conf.j2
+server {
+    # We don't redirect to HTTPS because a redirect is considered a captive portal.
+    listen       80;
+    listen       [::]:80;
+    listen       443 ssl http2;
+    listen       [::]:443 ssl http2;
+    server_name  {{ ping_domain }};
+
+    access_log   /var/log/nginx/{{ ping_domain }}/access.log reduced;
+    error_log    /var/log/nginx/{{ ping_domain }}/error.log;
+
+    include snippets/letsencrypt.conf;
+
+    ssl_certificate      /etc/letsencrypt/live/{{ ping_domain }}/fullchain.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/{{ ping_domain }}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ ping_domain }}/chain.pem;
+
+    default_type text/plain;
+
+    location = / {
+        return 200 'This domain is used for connectivity checking (captive portal detection).\n';
+    }
+
+    # https://man.archlinux.org/man/NetworkManager.conf.5#CONNECTIVITY_SECTION
+    location /nm-check.txt {
+        access_log off;
+        add_header Cache-Control "max-age=0, must-revalidate";
+        return 200 'NetworkManager is online\n';
+    }
+
+    location / {
+        access_log off;
+        return 404;
+    }
+}
--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
@@ -284,6 +284,7 @@ locals {
    ipxe          = { value = "www" }
    mailman       = { value = "redirect" }
    packages      = { value = "www" }
+    ping          = { value = "redirect" }
    planet        = { value = "www" }
    projects      = { value = "luna" }
    repos         = { value = "gemini" }