Improve the maintenance role and create an archweb custom maintenance nginx template

See merge request archlinux/infrastructure!190

Added some documentation regarding the service_nginx_template variable and the implications of
using it.

Added the missing break; parameter to allow the maintenace remote machine in.

This template is very similar to the regular archweb nginx one with a few notable differences:
- Regardless of the domain, everything will go to the main domain
- It allows the network manager check to pass
- It will use the ip address of the person running the role, and exempt only that ip address from hitting the
  maintenance page. Everybody else should see the maintenance page.

Configured the variable for the custom nginx template used on maintenance mode. It is important that this template handles the maintenance
on it's own. Also, the maintenance mode was running on gemini, even though archweb_site is false there. Add a check for archweb_site, to make
sure the maintenance mode only runs on the machine hosting the site.

Added a task that sets a custom nginx maintenance mode template, if the calling role sets the service_nginx_template
variable. This allows for much greater flexibility, while putting the responsibility of actually setting the maintenance
mode on the calling role.

stop prometheus from gathering bogus security update informations

See merge request archlinux/infrastructure!187

Create archlinux.org playbook and host_vars

See merge request archlinux/infrastructure!186

Add the ip addresses for mirror.pkgbuild.com, otherwise the apollo and archlinux.org playbooks won't run

Added a host_var file for archlinux.org as well as the playbook for archlinux.org
machine. It it's a stripped down version of apollo's playbook, only containing the roles
pertaining archweb.

Add archive specific monitoring

See merge request archlinux/infrastructure!182

To monitor our archive mirrors and the archive size itself a new
textcollector has been added. This will allow us to monitor the archive
growth and the sync rate to mirrors.

Add a new issue template for adding an Archive Mirror

See merge request archlinux/infrastructure!183

add dnswl secrets

See merge request archlinux/infrastructure!184

gitlab: use implicit ssl instead of STARTTLS for imap connections

See merge request archlinux/infrastructure!180

Gitlab uses IMAP to fetch incoming mails. IMAP used to run on port 143
until the recent migration which disabled that port. This change makes
gitlab use port 993 and implicit TLS.

Make GitLab use host-mode networking

See merge request archlinux/infrastructure!179

This cuts some complexity while also getting rid of the Docker userspace proxy which is slow compared
to kernelspace routing.
It also allows us to make GitLab consume a second IP for GitLab Pages without too much fuckery.

fix network of runner1.archlinux.org

See merge request archlinux/infrastructure!178

Do not use asterisk on network devices to prevent IP address collisions
on networks. Also use the right network mask for the assigned network.
For runner1 we need to ignore RAs since those routes don't work.

Security tracker lower dns

See merge request archlinux/infrastructure!176

The security tracker will be migrated to a new CX11 server.

As python-tensorflow-* kills our rebuilderd-workers as they are usually
queue at the same time.

limit port 25 on apollo to mail.archlinux.org only

See merge request archlinux/infrastructure!162

Frederik Schwan authored 4 years ago and Jelle van der Waa committed 4 years ago

While apollo hosts patchwork it needs to receive mail for
patchwork@archlinux.org. Those mails are forwarded from
mail.archlinux.org. This implies apollo being configures for the
archlinux.org domain. Since Patchwork is not maintained anymore,
this is a quick fix to prevent sending of forged mails via
apollo.

Split archive role into archive_web for archive-mirrors

See merge request archlinux/infrastructure!175

Jelle van der Waa authored 4 years ago and Jelle van der Waa committed 4 years ago

To simplify the archive role, split it up in the web serving part for
the archive-mirrors, gemini and keep the archive role for only the
archive operation. This simplifies the new role as only two lines are
required to setup the the archive mirror website.

Add ipv6 addresses to archive mirrors for sync whitelisting

See merge request archlinux/infrastructure!177

Add archive mirror DNS entries

See merge request archlinux/infrastructure!174

As we want to serve mirros and the archive add a new domain for the
archive so the mirror and archive can be hosted.

Remove old repro2 hostvars

See merge request archlinux/infrastructure!172