README.md 2.23 KB
Sven-Hendrik Haase committed
# Arch Infrastructure

This repository contains the complete collection of ansible playbooks and roles for the Arch Linux infrastructure.

It also contains git submodules, so you have to run `git submodule update --init --recursive` after cloning or some tasks will fail to run.

#### Instructions

All systems are set up the same way. For the first-time setup in the Hetzner rescue system,
run the provisioning script: `ansible-playbook playbooks/install-arch.yml -l $host`.
The provisioning script configures a sane basic systemd with sshd. By design, it is NOT idempotent.
After the provisioning script has run, it is safe to reboot.

Once in the new system, run the regular playbook: `ansible-playbook playbooks/$hostname.yml`. This
playbook is the one regularly used for administrating the server and is entirely idempotent.

##### Note about first time certificates

The first time a certificate is issued, you'll have to do this manually by yourself. First, configure the DNS to
point to the new server and then run a playbook onto the server which includes the nginx role. Then on the server,
it is necessary to run the following once:

    certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w /var/lib/letsencrypt/ -d <domain-name>

Note that some roles already run this automatically.

##### Note about opendkim

The opendkim DNS data has to be added to DNS manually. The role verifies that the DNS record is correct before starting opendkim.

The file that has to be added to the zone is `/etc/opendkim/private/$selector.txt`.
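
The README only states that the role checks DNS before starting opendkim; the following is an added example (not the role's own code) of how the published record can be compared offline against the generated key file. It assumes `$selector.txt` has the BIND snippet format written by `opendkim-genkey` and that the DNS answer is supplied as `dig +short TXT` output; the sample key file and its key bytes are constructed placeholders.

```python
import re
import sys

# Constructed sample of what opendkim-genkey writes to $selector.txt;
# the key material is a placeholder, not a real key.
SAMPLE_KEYFILE = '''\
2019._domainkey IN TXT ( "v=DKIM1; k=rsa; "
     "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexample"
     "RestOfKeyBase64==" )  ; ----- DKIM key 2019 for archlinux.org
'''


def quoted_strings(text):
    """Join the quoted pieces of a TXT RDATA (as in the zone snippet or in
    `dig +short` output); a resolver concatenates them the same way."""
    return "".join(re.findall(r'"([^"]*)"', text))


def parse_tags(record):
    """Turn 'v=DKIM1; k=rsa; p=...' into a dict. Whitespace inside values is
    dropped, since RFC 6376 allows the p= value to be folded."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def parse_keyfile(text):
    """Return (record owner name, tag dict) from the opendkim-genkey snippet."""
    owner = text.split(None, 1)[0]
    return owner, parse_tags(quoted_strings(text))


def dns_matches_keyfile(keyfile_text, dig_output):
    """True only if DNS publishes the same key type and public key (p=) as
    the local key file. A missing, empty or revoked p= never matches, so
    opendkim is not started while its signatures could not be verified."""
    _, local = parse_keyfile(keyfile_text)
    published = parse_tags(quoted_strings(dig_output))
    return (bool(local.get("p"))
            and published.get("p") == local["p"]
            and published.get("k", "rsa") == local.get("k", "rsa"))


if __name__ == "__main__":
    # Usage: dig +short TXT $selector._domainkey.$domain | python3 dkim_check.py /etc/opendkim/private/$selector.txt
    with open(sys.argv[1]) as fh:
        ok = dns_matches_keyfile(fh.read(), sys.stdin.read())
    print("DNS record matches key file" if ok else "MISMATCH: do not start opendkim")
    sys.exit(0 if ok else 1)
```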

#### Updating servers

The following steps should be used to update our managed servers:

* `pacman -Syu`
* `sync`
* `checkservices`
* `reboot`

## Servers

### vostok

#### Services
- backups

### orion

#### Services
- repos/sync (repos.archlinux.org)
- sources (sources.archlinux.org)
- archive (archive.archlinux.org)

### apollo

#### Services
- bbs (bbs.archlinux.org)
- wiki (wiki.archlinux.org)
- aur (aur.archlinux.org)
- mailman
- planet (planet.archlinux.org)
- bugs (bugs.archlinux.org)
- archweb
- patchwork
- projects (projects.archlinux.org)

### soyuz

#### Services
- build server (pkgbuild.com)
- releng
- torrent tracker
- sogrep
- /~user/ webhost
- irc bot (phrik)
- quassel core