From 8327ffd974a8a7d38d136c0b3a52d950037d8b74 Mon Sep 17 00:00:00 2001
From: Sven-Hendrik Haase <svenstaro@gmail.com>
Date: Mon, 11 Jan 2021 00:31:37 +0100
Subject: [PATCH] Deploy man.archlinux.org

---
 docs/ssh-hostkeys.txt                         | 11 +++++++++++
 docs/ssh-known_hosts.txt                      |  5 +++++
 group_vars/all/vault_archmanweb.yml           | 10 ++++++++++
 host_vars/man.archlinux.org                   |  2 ++
 hosts                                         |  2 ++
 playbooks/man.archlinux.org.yml               | 19 +++++++++++++++++++
 roles/archmanweb/tasks/main.yml               |  6 ++++++
 .../templates/archmanweb_update.service.j2    |  1 +
 tf-stage1/archlinux.tf                        |  4 ++++
 9 files changed, 60 insertions(+)
 create mode 100644 group_vars/all/vault_archmanweb.yml
 create mode 100644 host_vars/man.archlinux.org
 create mode 100644 playbooks/man.archlinux.org.yml

diff --git a/docs/ssh-hostkeys.txt b/docs/ssh-hostkeys.txt
index 50788cca9..49c6400b6 100644
--- a/docs/ssh-hostkeys.txt
+++ b/docs/ssh-hostkeys.txt
@@ -174,6 +174,17 @@
 256 MD5:91:95:e9:e2:1f:17:24:66:10:ae:29:ea:90:41:d9:fb root@archlinux-packer (ED25519)
 3072 MD5:97:9f:77:0e:f5:99:44:f3:ab:db:4b:f4:4a:98:cd:dc root@archlinux-packer (RSA)
 
+# man.archlinux.org
+1024 SHA256:11C7Qa1GSNBBspSlber3Sp+LEMRpfr/VWkypfu6OnhA root@archlinux-packer (DSA)
+256 SHA256:fL79NVaEiwXGfUhTXWLkue/D1seSADYbui+jwQ2dvW0 root@archlinux-packer (ECDSA)
+256 SHA256:qnuyQJXOuk5VuN7xfainNcgyAzCc1rKjYKyTKvEd0HE root@archlinux-packer (ED25519)
+3072 SHA256:mI+a0Bi94vDqlXC8jPQToFriA9NwB2YkKsVtcjFceUE root@archlinux-packer (RSA)
+
+1024 MD5:68:9b:b0:97:76:d0:71:28:10:c1:ea:d0:1a:f7:1d:99 root@archlinux-packer (DSA)
+256 MD5:23:b4:2d:ff:10:b1:80:43:52:d0:8d:9f:ae:dd:36:0d root@archlinux-packer (ECDSA)
+256 MD5:d1:af:34:47:0c:90:9d:d7:fb:fd:47:e1:b3:97:ac:9b root@archlinux-packer (ED25519)
+3072 MD5:56:0e:71:f1:5f:73:7b:e9:0e:b8:06:60:03:ec:a0:52 root@archlinux-packer (RSA)
+
 # matrix.archlinux.org
 1024 SHA256:4xl3Vzj2VTffMV6zCiAx0DSrsYIBmMnWo41kjR4ZWUo root@archlinux-packer (DSA)
 256 SHA256:+v4KFzSadzQmENY2HvHpn8Zse0opJc7FaixR7/K3y0Y root@archlinux-packer (ECDSA)
diff --git a/docs/ssh-known_hosts.txt b/docs/ssh-known_hosts.txt
index b0d4a058b..fc49a4bcc 100644
--- a/docs/ssh-known_hosts.txt
+++ b/docs/ssh-known_hosts.txt
@@ -78,6 +78,11 @@ mailman3.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIb
 mailman3.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIxf1nIo36jwbX9nkuYIcbE6t/jVxY7Fnlf99u9MWSvt
 mailman3.archlinux.org ssh-rsa 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
 
+# man.archlinux.org
+man.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPhnsStoFw6rbVpE1S1vsXNk8de1SyMag1C+v0DWVSuNYzTylYg4322WbYzw45z2XhxrF6XmCSDMvgxvFwnfLQA=
+man.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHzjkN+igIxSIv5N9+ANNoo6knPa51Tj5TAXs4EQ8lY2
+man.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDVQ2Wu1wRGkhiy90jWiXfW7iKF1fSN3QpAg1h7H9jXXDwNFsJipMqwqFMeHt+35gFbRfn7wDi8V34CWl5V9izURTFqkVyAAYb3Y6BIRfEWdjdLJqaJeL4Ni0BOSzoH6Nxibe6eHxO43+MlG03Pxy/adnOOeMXr0o99KfN6a8/K4jsR4Qr9z1BrrC1Q0vNQilSmFNJfX60W81qTmgSZOySSl7N49MiN0y9QLNtedvQ/6PEBfptgpjv7it13R+QUmfvnK6kvtoTDZb4mztdPcN34zMtmUpOGvShEPu4u8NniHLimB71Xk76nKvxjSGBM++teUQOxJak1IivnGg6vNZW2M1Nttr7OyIZu66NhmY1HQqbR77RoK+2P5GsbMBZ1OXh7+I6KgDlY8z5rDWNAzSCa3EYIs7UFk8uEQCPuLoNuMR7XO2RfpiBayi3/Y9iyDHcW9bdrCcwpy2sLtGzVmWSEXxwVueF3Q+mdZ2j2V8PbZDl5LoBtdPSULDMzD0ldxTM=
+
 # matrix.archlinux.org
 matrix.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPldvati3TTpEsyK++WOwz4vNikK0Y6cxVQn0DCR5hXmjnzBkrwj08GuZHfTQEGu0HCBQTTOcDmLbQ/QMP3nYKQ=
 matrix.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPm0Ing8aSqaw/FGvPD5NqmqZjCo99xKMq1lBdfY4NdX
diff --git a/group_vars/all/vault_archmanweb.yml b/group_vars/all/vault_archmanweb.yml
new file mode 100644
index 000000000..c7476cb9a
--- /dev/null
+++ b/group_vars/all/vault_archmanweb.yml
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+61323463643538343139646562616537313436663237633061333262636333363564306433353330
+3064306136366262653432383632333764353832376162320a323066366462343039646235393633
+63373666323931623530653035373936303631376631346163353239653932393638353261356366
+3766663931616137340a383735623532313462313533346539636334383339623561386165316663
+63386465393033323736343662383731383232643035636666623963646436306461303063386662
+65653439646438373466366635303662393031333739313739636434666166373235356562316464
+36376332646635623964303837336139303564333566366462666631346461636363653639383361
+62643833386334393136643465396430303835326339383632333165643233656462303432353735
+31383735316265636635393830636135343339623033396362396533363263386536
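Review bot: Placing this vault under `group_vars/all/` puts its decrypted variables in scope for every host in the inventory, although the only consumer visible in this patch is the man.archlinux.org playbook. If no other host needs these secrets, a host-scoped location such as `host_vars/man.archlinux.org/vault_archmanweb.yml` would follow least privilege more closely. That requires `host_vars/man.archlinux.org` to be a directory, whereas this patch creates it as a plain file. The encrypted content itself cannot be reviewed, so the commit message or the role defaults should list which variable names the vault defines.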
diff --git a/host_vars/man.archlinux.org b/host_vars/man.archlinux.org
new file mode 100644
index 000000000..ca1d97558
--- /dev/null
+++ b/host_vars/man.archlinux.org
@@ -0,0 +1,2 @@
+---
+filesystem: btrfs
diff --git a/hosts b/hosts
index 111d09eee..0563876af 100644
--- a/hosts
+++ b/hosts
@@ -65,6 +65,7 @@ state.archlinux.org
 quassel.archlinux.org
 accounts.archlinux.org
 patchwork.archlinux.org
+man.archlinux.org
 
 [nginx]
 archlinux.org
@@ -76,6 +77,7 @@ aur-dev.archlinux.org
 wiki.archlinux.org
 patchwork.archlinux.org
 security.archlinux.org
+man.archlinux.org
 
 [buildservers]
 dragon.archlinux.org
diff --git a/playbooks/man.archlinux.org.yml b/playbooks/man.archlinux.org.yml
new file mode 100644
index 000000000..f5f85f0d0
--- /dev/null
+++ b/playbooks/man.archlinux.org.yml
@@ -0,0 +1,19 @@
+---
+
+- name: setup man.archlinux.org
+  hosts: man.archlinux.org
+  remote_user: root
+  roles:
+    - { role: firewalld }
+    - { role: common }
+    - { role: tools }
+    - { role: sshd }
+    - { role: root_ssh }
+    - { role: hardening }
+    - { role: certbot }
+    - { role: nginx }
+    - { role: fail2ban }
+    - { role: prometheus_exporters }
+    - { role: postgres }
+    - { role: uwsgi }
+    - { role: archmanweb, archmanweb_version: 'v1.0' }
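Review bot: `archmanweb_version: 'v1.0'` on the last role entry pins the deployment to a tag name rather than an immutable revision. How the archmanweb role consumes the value is not visible in this patch. If it is used as a git ref, a moved or re-created upstream tag would change what gets deployed without any change in this repository. Pinning the full commit hash, `- { role: archmanweb, archmanweb_version: '<full-commit-sha-of-v1.0>' }`, or having the role verify a signed tag, would make the deployed code reviewable and reproducible.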
diff --git a/roles/archmanweb/tasks/main.yml b/roles/archmanweb/tasks/main.yml
index 4581bd358..bf13894fe 100644
--- a/roles/archmanweb/tasks/main.yml
+++ b/roles/archmanweb/tasks/main.yml
@@ -1,4 +1,10 @@
 ---
+- name: create ssl cert
+  include_role:
+    name: certificate
+  vars:
+    domains: ["{{ archmanweb_domain }}"]
+  when: 'archmanweb_domain is defined'
 
 - name: install required packages
   pacman:
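Review bot: The `when: 'archmanweb_domain is defined'` guard makes certificate creation skip silently, and the playbook added in this same patch passes only `archmanweb_version` to the role. Unless `archmanweb_domain` is set in the role defaults or in the encrypted vault file (neither is visible here), the host would be set up without this task ever running and without any error. Either set it explicitly in the playbook, `- { role: archmanweb, archmanweb_domain: 'man.archlinux.org', archmanweb_version: 'v1.0' }`, or add a comment above the task such as `# skipped when archmanweb_domain is unset; no certificate is requested in that case`. The task list continues past the end of the hunk.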
diff --git a/roles/archmanweb/templates/archmanweb_update.service.j2 b/roles/archmanweb/templates/archmanweb_update.service.j2
index 21961935a..1ded8dd95 100644
--- a/roles/archmanweb/templates/archmanweb_update.service.j2
+++ b/roles/archmanweb/templates/archmanweb_update.service.j2
@@ -6,6 +6,7 @@ Type=oneshot
 User=archmanweb
 WorkingDirectory={{ archmanweb_dir }}/repo/
 ExecStart=/usr/bin/python3 manage.py man_update --cache-dir {{ archmanweb_cache_dir }}
+Environment=TEMP={{ archmanweb_cache_dir }}
 
 ProtectSystem=full
 PrivateTmp=true
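Review bot: `Environment=TEMP=...` is only consulted by Python's `tempfile` when `TMPDIR` is unset, and non-Python tools that `man_update` may spawn generally look at `TMPDIR` alone, so `Environment=TMPDIR={{ archmanweb_cache_dir }}` would be the more reliable spelling. The line also moves temporary files out of the `PrivateTmp=true` namespace into a persistent directory. The cache directory should therefore be owned by `archmanweb` and not writable by other users, and leftover temp files there will not be cleaned up when the unit stops. A comment such as `# temp files go to the cache dir instead of the private /tmp` would record the intent. The `[Service]` section starts above the hunk and continues below it.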
diff --git a/tf-stage1/archlinux.tf b/tf-stage1/archlinux.tf
index db77e2b15..bfd0a3e56 100644
--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
@@ -87,6 +87,10 @@ locals {
       server_type = "cx11"
       domain      = "mailman3"
     }
+    "man.archlinux.org" = {
+      server_type = "cx11"
+      domain      = "man"
+    }
     "matrix.archlinux.org" = {
       server_type = "cpx31"
       domain      = "matrix"
-- 
GitLab