From 11b946e04b1d116e400b6d47330b2a1a5263d6c6 Mon Sep 17 00:00:00 2001
From: Christian Heusel <christian@heusel.eu>
Date: Sat, 6 Apr 2024 20:55:03 +0200
Subject: [PATCH] add the new repo server

As discussed in https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/531
we want to split the repo and the archive server; as a first step of
that we're commissioning this AX41-NVME server from Hetzner to serve as
a future repo host.

Signed-off-by: Christian Heusel <christian@heusel.eu>
---
 host_vars/repos.archlinux.org/misc              | 17 +++++++++++++++++
 .../repos.archlinux.org/vault_wireguard.yml     |  9 +++++++++
 hosts                                           |  6 ++++++
 playbooks/repos.archlinux.org.yml               | 16 ++++++++++++++++
 4 files changed, 48 insertions(+)
 create mode 100644 host_vars/repos.archlinux.org/misc
 create mode 100644 host_vars/repos.archlinux.org/vault_wireguard.yml
 create mode 100644 playbooks/repos.archlinux.org.yml

diff --git a/host_vars/repos.archlinux.org/misc b/host_vars/repos.archlinux.org/misc
new file mode 100644
index 000000000..c82016d3c
--- /dev/null
+++ b/host_vars/repos.archlinux.org/misc
@@ -0,0 +1,17 @@
+hostname: "repos.archlinux.org"
+
+ipv4_address: "168.119.141.106"
+ipv4_netmask: "/32"
+ipv6_address: "2a01:4f8:251:598::"
+ipv6_netmask: "/64"
+ipv4_gateway: "168.119.141.65"
+ipv6_gateway: "fe80::1"
+filesystem: "btrfs"
+system_disks:
+- /dev/nvme0n1
+- /dev/nvme1n1
+- /dev/nvme2n1
+raid_level: "raid1"
+
+wireguard_address: 10.0.0.45
+wireguard_public_key: MDt3DqmYppnV81CFHLII1O80BWFGYeGGNrDWlQcX5H8=
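Review bot: The two wireguard values at the end of the hunk are the only unquoted scalars in a file where every other string, including the addresses, is quoted. Both parse as strings today (a base64 key ending in `=` is still a plain scalar), so this is consistency rather than a parser trap, but quoting them keeps the file uniform and protects against a future key that happens to start with a YAML indicator: `wireguard_address: "10.0.0.45"` and `wireguard_public_key: "MDt3DqmYppnV81CFHLII1O80BWFGYeGGNrDWlQcX5H8="`.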
diff --git a/host_vars/repos.archlinux.org/vault_wireguard.yml b/host_vars/repos.archlinux.org/vault_wireguard.yml
new file mode 100644
index 000000000..2912bfe8c
--- /dev/null
+++ b/host_vars/repos.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+31636166336635646637363937613362656434373536616461323562313134333035366436326632
+3834663131386336356331373530356533383238626361380a326233643634653433633733623865
+37616439396230303431393730326662646633613838313532393536393365326562653561653264
+6631616564333265660a343765636564383065353831386531353138373234386538323836623532
+62343662393739626630343062643964343535353931356337643661663238393130346634373362
+66373364623962363637653963643631393438386264323630316234386531383931383264643462
+66306337313864353761613433393961336438636632616435393163353462613765666162313333
+31646239623765643531
diff --git a/hosts b/hosts
index 2034453d0..c8b58a99e 100644
--- a/hosts
+++ b/hosts
@@ -3,6 +3,8 @@ build.archlinux.org
 gemini.archlinux.org
 gitlab.archlinux.org
 secure-runner1.archlinux.org
+#TODO(gromit): remove ansible host once the DNS record is set
+repos.archlinux.org ansible_host=168.119.141.106
 
 [equinix_metal]
 repro3.pkgbuild.com
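Review bot: `ansible_host=168.119.141.106` is repeated verbatim on the added line in this hunk and again in the two later hunks of `hosts` (the lines following `sydney.mirror.pkgbuild.com` and `wiki.archlinux.org`), each with its own TODO to remove it once DNS exists. Ansible reads inventory variables per host, so the DNS cutover becomes three edits that must stay in sync; if one copy is missed the host silently keeps being reached by IP in that group. Setting `ansible_host: "168.119.141.106"` once in `host_vars/repos.archlinux.org/misc` (next to `ipv4_address`) and listing the bare hostname in all three groups gives a single place to remove when the TODO is resolved.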
@@ -18,6 +20,8 @@ london.mirror.pkgbuild.com
 mirror.pkgbuild.com
 seoul.mirror.pkgbuild.com
 sydney.mirror.pkgbuild.com
+#TODO(gromit): remove ansible host once the DNS record is set
+repos.archlinux.org ansible_host=168.119.141.106
 
 [geo_mirrors]
 america.mirror.pkgbuild.com
@@ -51,6 +55,8 @@ reproducible.archlinux.org
 security.archlinux.org
 state.archlinux.org
 wiki.archlinux.org
+#TODO(gromit): remove ansible host once the DNS record is set
+repos.archlinux.org ansible_host=168.119.141.106
 
 [public_html]
 homedir.archlinux.org
diff --git a/playbooks/repos.archlinux.org.yml b/playbooks/repos.archlinux.org.yml
new file mode 100644
index 000000000..57395587f
--- /dev/null
+++ b/playbooks/repos.archlinux.org.yml
@@ -0,0 +1,16 @@
+- name: Setup repos.archlinux.org
+  hosts: repos.archlinux.org
+  remote_user: root
+  roles:
+    - { role: common }
+    - { role: tools }
+    - { role: firewalld }
+    - { role: wireguard }
+    - { role: sshd }
+    - { role: root_ssh }
+    - { role: borg_client, tags: ['borg'] }
+    - { role: sudo, tags: ['archusers'] }
+    - { role: fail2ban }
+    - { role: mirrorsync }
+    - { role: prometheus_exporters }
+    - { role: promtail }
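Review bot: The new playbook starts directly with the `- name:` list item and has no `---` document-start marker, which yamllint's `document-start` rule flags and which the other files touched by this commit cannot be checked against from here. Adding `---` as the first line costs nothing and keeps the file loadable by tools that expect an explicit document start; whether the flow-style `{ role: ... }` entries match the repository's other playbooks is worth a glance for the same reason.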
-- 
GitLab